As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Aditya Pratap
  - Acquisition & Analysis for Apple Devices
- Amanda Berlin at Blumira
  - What Are Event Logs and Why Do They Matter
- Cado Security and Invictus Incident Response
  - Case Study Continued: Responding to an Attack in AWS
- Digital Forensics Myanmar
- John G. Asmussen at Everything DFIR…
  - Case_Notes.py – A simple “how to” guide…
- Forensafe
  - Investigating Windows BoxDrive
- InfoSec Write-ups
  - SANS 2022 Holiday Hack Challenge & KringleCon
- Joseph Naghdi at Computer Forensics Lab
- Megan O’Neil, Kyle Dickinson, and Karthik Ram at AWS Security
  - The anatomy of ransomware event targeting data residing in Amazon S3
- Megan Roddie at SANS
  - AWS Cloud Log Extraction
- Raj Upadhyay
  - DFIR : Zero To Hero Series : Case-0
- System Weakness
  - Phishing
- The DFIR Report
  - Collect, Exfiltrate, Sleep, Repeat
- Uzair Afzal
  - Analyzing Spear Phishing Email
THREAT INTELLIGENCE/HUNTING
- Aaron Goldstein at Todyl
  - How to Conduct Cyber Threat Hunts
- Andrea Bocchetti at System Weakness
  - Discover malicious network activity with ZEEK and RITA
- Anomali
- Antoine Cailliau
- AttackIQ
  - Emulating the Shared Cybercrime Loader BumbleBee
- Avast Threat Labs
  - Avast Q4/2022 Threat Report
- Avertium
  - Flash Notice: Beware – QakBot Group Infects Microsoft’s OneNote with QakNote Malware
- Blackberry
  - NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool
- Brad Duncan at Malware Traffic Analysis
  - 2023-02-07 – OneNote file pushes unidentified malware
- Carly Battaile at Aon
  - Bypassing MFA: A Forensic Look at Evilginx2 Phishing Kit
- Censys
- CERT Ukraine
  - UAC-0050 cyberattack against Ukrainian state bodies using the Remcos remote control and surveillance program (CERT-UA#5926)
- CERT-AGID
  - Summary of malicious campaigns in the week of 4 – 10 February 2023
- Check Point Research
  - 6th February – Threat Intelligence Report
- CISA
- Cisco’s Talos
- CTF导航
  - Advanced syntax guide for the YARA matching engine
- Reza Rafati at Cyberwarzone
  - How to work with VirusTotal
- Cyble
- Daniel Chronlund
  - Microsoft 365 Data Exfiltration – Attack and Defend
- Darktrace
  - A Surge of Vidar: Network-Based Details of a Prolific Info-Stealer
- Dragos
- Edward Hawkins at VMware Security
  - VMware Security Response Center (vSRC) Response to ‘ESXiArgs’ Ransomware Attacks
- Erik Hjelmvik at Netresec
  - CapLoader 1.9.5 Alerts on Malicious Traffic
- Esentire
  - OneNote Payload Smuggling: Multiple Threats Leverage OneNote to Deliver Malware
- Flashpoint
  - DPRK Advisory: How to Better Protect Your Organization From State-Sponsored Ransomware
- GreyNoise
- Haircutfish
  - TryHackMe Brim — Task 4 Default Queries & Task 5 Use Cases
- Joe Slowik at Huntress
  - Investigating Intrusions From Intriguing Exploits
- Intel471
  - An Analysis of the VMware ESXi Ransomware Blitz
- Jason Hill at Varonis
  - VMware ESXi in the Line of Ransomware Fire
- Jeremy Wiedner at Cybersecurity Tid-Bytes
- Kaitlin McIntyre at Lumen
  - 5 Observations from Lumen on 2022 Attack Trends
- Keith McCammon at Red Canary
  - Atomic Habits, atomic tests
- Lab52
  - Cyber Threat Intelligence Report – Trends Q4 2022
- Louis Mastelinck
  - Detect security policy changes
- Malwarebytes Labs
  - Ransomware review: February 2023
- Merav Bar at Wiz
  - Ransomware attacks targeting VMware ESXi servers: everything you need to know
- Microsoft Security
  - Solving one of NOBELIUM’s most novel attacks: Cyberattack Series
- Microsoft’s ‘Security, Compliance, and Identity’ Blog
- Nozomi Networks
  - The Importance of Reverse Engineering in Network Analysis
- Rintaro Koike at NTT Security Japan
  - On the increase in SteelClover attacks distributing malware via Google Ads
- OALABS Research
  - Yara Megaprimer
- Olaf Hartong at Falcon Force
  - Microsoft Defender for Endpoint Internals 0x04 — Timeline
- Rajaram Sivasankar at IronNet
  - Detecting maliciously used Cobalt Strike infrastructure
- Christiaan Beek at Rapid7
  - Evasion Techniques Uncovered: An Analysis of APT Methods
- Red Alert
- Safebreach
- SANS Internet Storm Center
  - Video: Analyzing Malicious OneNote Documents, (Sun, Feb 5th)
  - Earthquake in Turkey and Syria: Be Aware of Possible Donation Scams, (Mon, Feb 6th)
  - APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th)
  - Packet Tuesday Episode 12: DNS Query IDs and DNS Notify Messages https://t.co/XpKzlAxLuH #sec503 #packetlife, (Tue, Feb 7th)
  - A Backdoor with Smart Screenshot Capability, (Thu, Feb 9th)
  - Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th)
  - Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th)
  - PCAP Data Analysis with Zeek, (Sun, Feb 12th)
- Sansec
  - Sansec analysis: 12% of online stores leak private backups
- Security Art Work
  - Cyber Threat Intelligence Report – Trends Q4 2022
- Securonix
  - Securonix Threat Research Knowledge Sharing Series: Hoaxshell/Villain Powershell Backdoor Generator Payloads in the Wild, and How to Detect in Your Environment
- Tom Hegel at SentinelOne
  - Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins
- SOCRadar
- Jonathan Johnson at SpecterOps
  - Telemetry Layering
- Splunk
  - Fantastic IIS Modules and How to Find Them
- Symantec
  - Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine
- Threatmon
  - SwiftSlicer Wiper Malware Analysis Report
- Trend Micro
  - Ransomware Revolution: 4 Types of Cyber Risks in 2023
- TrustedSec
- Karthickkumar Kathiresan at Uptycs
  - Understanding Stealerium Malware and Its Evasion Techniques
- Roman Kovac at WeLiveSecurity
  - ESET Threat Report T3 2022
UPCOMING EVENTS
- Peter Sosic at Amped
  - Get Ahead With Our Upcoming Video Evidence Webinars!
- Cellebrite
  - Collecting Custodian Data to Prepare for Review
- Censys
  - Think Like an Attacker
- Cyborg Security
- Kristian Lars Larsen at Data Narro
- Magnet Forensics
- Microsoft Security Response Center
  - BlueHat 2023: Connecting the security research community with Microsoft
PRESENTATIONS/PODCASTS
- ArcPoint Forensics
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2023-02-06
  - Part 2—Things NOT to Do in Pentest Reports: Tips, Tricks, & Traps in Report Writing | Bronwen Aker
  - Part 3—Things NOT to Do in Pentest Reports: Tips, Tricks, & Traps in Report Writing | Bronwen Aker
  - Who’s Bootin’? Dissecting the Master Boot Record
  - Exploit Development – A Sincere Form of Flattery
- Breaking Badness
  - 147. DOUBLEBACK in Black
- c3rb3ru5d3d53c
- Cellebrite
- Cisco’s Talos
  - Talos Takes 128: Year in Review – Ransomware and Commodity Loaders Edition
- Cloud Security Podcast by Google
  - EP 107 How Google Secures Its Google Cloud Usage at Massive Scale
- Cyber Secrets
  - Booting the external CSI Linux Triage Drive
- Didier Stevens
  - Analyzing Malicious OneNote Documents
- Digital Forensic Survival Podcast
  - DFSP # 364 – Network Triage
- Down the Security Rabbithole Podcast
  - DtSR Episode 537 – Sergio Talks Threat Intelligence
- InfoSec_Bret
  - DFIR Challenge – Email Analysis
- James Spiteri at ‘Oh My Malware!’
  - Oh My Malware – Episode 4 – QBot
- Magnet Forensics
  - Cyber Regulations and the Effects on Financial Services
- OALabs
  - ESXiArgs Ransomware Analysis with @fwosar
- RickCenOT
  - Bad USB HID Injection Attack against a Beckhoff Industrial Control System CX9001 PLC
- SANS Cloud Security
  - Introduction to the NEW 5-day SEC549: Enterprise Cloud Security Architecture
- SANS Cyber Defense
  - Packet Tuesday – Most Frequent DNS Query ID
- SANS Institute
  - The What and Why of MGT433: Managing Human Risk
- The Defender’s Advantage Podcast
  - Threat Trends: An Episode (Mostly) About Non-Ransomware Cyber Crime
MALWARE
- Tarek Mostafa
  - Silly Putty
- Andrew Brandt at Sophos
  - Qakbot mechanizes distribution of malicious OneNote notebooks
- ASEC
  - Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations
  - DarkSide Ransomware With Self-Propagating Feature in AD Environments
  - ASEC Weekly Phishing Email Threat Trends (January 22nd, 2023 – January 28th, 2023)
  - Redistribution of Magniber Ransomware in Korea (January 28th)
  - Quasar RAT Being Distributed by Private HTS Program
  - ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023)
- Jossef Harush at Checkmarx Security
  - 17 Malicious Python Packages Targeting Selenium users to Steal Crypto
- Cofense
  - Top Malware Trends of January: Cofense Phishing Defense Center (PDC)
- Eliya Stein at Confiant
  - Malvertiser “D-Shortiez” abuses WebKit back button hijack in forced-redirect campaign
- CTF导航
  - GooberBot: sample evolution analysis of a new member of the Scar rental botnet
- DCSO CyTec
  - #ShortAndMalicious — PikaBot and the Matanbuchus connection
- dr4k0nia
  - Analysing A Sample Of Arechclient2
- Gameel Ali
  - The Approach of TA413 for Tibetan Targets
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #127: Changing function bounds
- Baran S at K7 Labs
  - Play Store App Serves Coper Via GitHub
- Kamran Saifullah
  - Dissecting 17 Malicious Selenium Packages Observed On PyPi
- Lucija Valentić at ReversingLabs
  - Open-source repository malware sows Havoc
- Malware Hell
  - Hunting Opaque Predicates with YARA
- Muhammad Hasan Ali at muha2xmad
  - Technical analysis of Godfather android malware
- Pham Duy Phuc and Max Kersten at Trellix
  - No More Macros? Better Watch Your Search Results!
- Phylum
  - Phylum Discovers Revived Crypto Wallet Address Replacement Attack
- Axel F at Proofpoint
  - Screentime: Sometimes It Feels Like Somebody’s Watching Me
- Jennifer Gregory at Security Intelligence
  - Six Common Ways That Malware Strains Get Their Names
- Antonis Terefos at SentinelLabs
  - Cl0p Ransomware Targets Linux Systems with Flawed Encryption | Decryptor Available
- Sonatype
- Aliakbar Zahravi and Peter Girnus at Trend Micro
  - Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs
- Uriel Kosayev
  - Agent Tesla Loader – Malware Analysis
- Jason Reaves at Walmart
  - MalVirt / KoiVM Downloader Variant
- Zhassulan Zhussupov
  - Malware analysis: part 8. Yara rule example for MurmurHash2. MurmurHash2 in Conti ransomware
MISCELLANEOUS
- Megan O’Neil and Merritt Baer at AWS Security
  - Updated ebook: Protecting your AWS environment from ransomware
- Belkasoft
  - Automation with Belkasoft X: Installation and Licensing
- Cellebrite
  - 2023 – The Latest Industry Trends Survey for Enterprise Solutions
- Danny Norris at Magnet Forensics
  - Reducing Time to Competency: A Trainer’s Look at Different Learning Approaches
- Ryan at DefaultCredentials
  - GIAC Certified Forensic Analyst Certification (GCFA) Study Guide for Procrastinators
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Eleven Years of FotoForensics
- Forensic Focus
- InfoSec Write-ups
- Kevin Beaumont at DoublePulsar
  - UK government declares ransomware a “tier 1” national security threat — on par with terrorism and…
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (2/1/2023)
- NVISO Labs
  - Cortex XSOAR Tips & Tricks – Leveraging dynamic sections – text
- Paul Stamp at Cado Security
  - Cloud Applications and Incident Reporting Requirements: A Perfect Storm for CISOs
- Eric Capuano at Recon Infosec
  - Recon was at CactusCon 11!
- The Security Noob
  - Cybersecurity, Threats, Malware Trends & Strategies by Tim Rains 2nd Edition REVIEW
- Trend Micro
  - Hijacking Your Bandwidth: How Proxyware Apps Open You Up to Risk
SOFTWARE UPDATES
- Atola
  - Search cryptocurrency artifacts and wipe NVMe drives with Insight Forensic 5.3
- Alexis Brignoni
- Capa
  - v5.0.0
- Cellebrite
  - Now Available: Cellebrite Physical Analyzer, Logical Analyzer, Reader, and UFED Cloud v7.60
- Crowdstrike
  - Falconpy Version 1.2.11
- Dan Saunders
  - ESXiTri
- Datadog Security Labs
  - GuardDog v1.0.2
- Doug Burks at Security Onion
  - Security Onion 2.3.210 now available including Elastic 8.6.1, Suricata 6.0.10, Zeek 5.0.6, and more!
- Oleg Afonin at Elcomsoft
  - iOS Forensic Toolkit Maintenance: Following Apple iOS Updates
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 8.12 adds checkm8 extraction support for iOS 16.2, 15.7.3, and 12.5.7
- ExifTool
  - ExifTool 12.56
- Falco
  - Blog: Falco 0.34.0 a.k.a. “The Honeybee 🍯”
- Grayshift
  - ArtifactIQ by Grayshift Delivers Powerful New Capabilities and Exclusive Mobile Device Support
- Metaspike
  - Forensic Email Intelligence 2.1.7 Release Notes
- OpenCTI
  - 5.5.4
- Oxygen Forensics
  - Oxygen Forensic® Detective v.15.3
- SpecterOps
  - Ghostwriter v3.2 Release
- Xways
  - X-Ways Forensics 20.8 Preview 1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!