As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Ahmed Belhadjadji
  - Windows Forensics: Examine Windows Files and Metadata
- David Spreadborough at Amped
- Andrew Skatoff at ‘DFIR TNT’
  - GoToForensics
- Avanan
  - The Replier Attack
- Al Carchrie at Cado Security
  - IPC YOU: How the Cado Platform Reveals Attacker Command Outputs
- Dr. Ali Hadi at ‘Binary Zone’
- Elcomsoft
- Forensafe
- Michael Bedard and Keegan Thomas at ‘The Leahy Center for Digital Forensics & Cybersecurity’
  - Having Fun doing Mobile Forensics
- Troy Schnack
  - Try to Be More Sensitive
THREAT INTELLIGENCE/HUNTING
- 3cx supply chain compromise information – some of this is original, some is collating information and IOCs from other sources. I haven’t gone through it to rationalise it.
  - Technical Advisory: Software Supply Chain Attack Against 3CX Desktop App
  - Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022
  - Forensic Triage of a Windows System running the Backdoored 3CX Desktop App
  - 3CXDesktop App Trojanizes in A Supply Chain Attack: Check Point Customers Remain Protected
  - Threat Advisory: 3CX Softphone Supply Chain Compromise
  - Cybereason Detects and Prevents 3CXDesktopApp Supply Chain Attack
  - A Comprehensive Analysis of the 3CX Attack
  - Understanding the magnitude of the 3CXDesktopApp phenomenon
  - 3CX Desktop App Compromised (CVE-2023-29059)
  - 3CX VoIP Software Compromise & Supply Chain Threats
  - Contextualizing Events & Enabling Defense: What 3CX Means
  - 3CX Supply-chain attack
  - 3CX VOIP Compromised & Supply Chain Threat
  - Detecting and Responding to Trojanized 3CX Desktop Applications
  - Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise
  - 3CX Supply Chain Attack
  - Threat Brief: 3CXDesktopApp Supply Chain Attack
  - Ironing out (the macOS details) of a Smooth Operator
  - Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
  - 3CX Desktop Client Trojanized for Supply-Chain Attacks
  - Red flags flew over software supply chain-compromised 3CX update
  - 3CX: a supply chain attack (French)
  - SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
  - SmoothOperator Supply Chain Attack Targeting 3CX VOIP Desktop Client
  - What Do You Need to Know About SmoothOperator Supply Chain Attack on 3CX VOIP Desktop Client and What Can You Do?
  - 3CX users under DLL-sideloading attack: What you need to know
  - 3CX Desktop Attack: Sophos Customer Information
  - Windows Vulnerable 3CX Software
  - 3CX Supply Chain Attack Network Indicators
  - Hunting 3CXDesktopApp Software
  - Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
  - 3CX: Supply Chain Attack Affects Thousands of Users Worldwide
  - 3CX Desktop App for Windows and macOS Reportedly Compromised in Supply Chain Attack
  - Threat Advisory: 3CX Softphone Telephony Campaign
  - Developing Story: Information on Attacks Involving 3CX Desktop App
  - Preventing and Detecting Attacks Involving 3CX Desktop App
  - Security Bulletin – Active Exploitation of 3CX Desktop Application
  - Trustwave Action Response: Supply Chain Attack Using 3CX PBAX Software
  - Investigating 3CX Desktop Application Attacks: What You Need to Know
  - 3CX Supply Chain Compromise Leads to ICONIC Incident
  - Supply Chain Attack against 3CX – Desktop App Client (Italian)
  - Coverage Advisory for 3CX Supply Chain Attack
  - 3CX Supply Chain Attack Campaign
- Anomali
  - Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities
- Antonio Formato
  - Microsoft Sentinel — Azure OpenAI Incident Response Playbook
- Arch Cloud Labs
  - Responding to a LogMeIn Phishing Scam
- AT&T Cybersecurity
  - Dridex malware, the banking trojan
- Avertium
  - BianLian Ransomware Changes Faces
- Brad Duncan at Malware Traffic Analysis
- CERT-AGID
- Check Point Research
  - 27th March – Threat Intelligence Report
- Cisco’s Talos
- Greg Darwin at Cobalt Strike Research and Development
  - Cobalt Strike 2023 Roadmap and Strategy Update
- CTF导航
  - Analysis of the latest attack activity of the APT-C-23 (Two-tailed Scorpion) group (Chinese)
- Cyber Threat Intelligence Training Center
- Andrey Pozhogin at CyberArk
  - LTT Attack Targets Session Cookies to Push Crypto Scam
- CyberCX
  - Cyber Adviser Newsletter – March 2023
- Cyberwarzone
  - LNK Quantum Builder – A Dangerous Malware Tool Available For Download
  - What is an Incident Response Retainer Service? A Detailed Guide
  - Top 20 Incident Response Retainer Providers Besides Microsoft
  - How VboxCloak can help malware analysts hide their VirtualBox Windows VMs from malware detection
  - Revolutionize Threat Intelligence with Microsoft’s LLM and Closed-Loop Learning System
- Cyble
- Cyfirma
  - Weekly Intelligence Report – 31 Mar 2023
- Steven Hallman at DomainTools
  - How the Failure of Silicon Valley Bank Inspires Malicious Actors
- Stacey Cook at Dragos
  - LockBit Ransomware Continued to Impact Operational Technology (OT) in 2022
- Flashpoint
  - The (Possible) Return of 2easy and What It Means for the Fraud Ecosystem
- Clement Lecigne at Google Threat Analysis Group
  - Spyware vendors use 0-days and n-days against popular platforms
- Daniel Grant at GreyNoise
  - How we built IP Similarity
- Intel471
  - The Demise of the Breached Cybercrime Forum
- IronNet
  - Building a better detection ecosystem
- Jamf
  - MacStealer malware: A growing threat to macOS users
- Yael Kishon at Kela
  - Attacks on MSPs: How Threat Actors Kill Two Birds (and More) With One Stone
- Nilaa Maharjan at Logpoint
  - Logpoint’s Top Ten MITRE ATT&CK Techniques
- Mandiant
- Mark Mo
  - Windows Defender Exclusion Persistence with Registry.pol
- Menlo Security
  - The many faces of the IcedID attack kill chain
- Ingrid Skoog at MITRE-Engenuity
  - Next Stop for TRAM
- Alvin Gitonga at Moran Cybersecurity Group
  - KOADIC: For your Windows Post-Exploitation zombies & Botnets needs
- Ohad Zaidenberg
  - Ransomware Gangs Exploit Regulations for Financial Gain: A Deep Dive into the Growing Trend and Its
- OpenText
  - Dissecting IcedID behavior on an infected endpoint
- Aurélien Chalot and Thomas Seigneuret at Orange Cyberdefense
  - Protected Users: you thought you were safe uh?
- Stan at Outflank
  - Attacking Visual Studio for Initial Access
- Palo Alto Networks
- Joseph Henry at Praetorian
  - Dynamic Linking Injection and LOLBAS Fun
- Proofpoint
- Travis Smith at Qualys
  - Risk Fact #3: Initial Access Brokers Attack What Organizations Ignore
- Recorded Future
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, February 2023 (KOR)
- Stefano De Blasi at ReliaQuest
  - 2022 FBI IC3 Report: Crime-Scene Hot Tips
- S-RM Insights
  - Cyber Intelligence Briefing: 31 March 2023
- SANS Internet Storm Center
  - Another Malicious HTA File Analysis – Part 1, (Mon, Mar 27th)
  - Network Data Collector Placement Makes a Difference, (Tue, Mar 28th)
  - Extracting Multiple Streams From OLE Files, (Wed, Mar 29th)
  - Bypassing PowerShell Strong Obfuscation, (Thu, Mar 30th)
  - Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains, (Fri, Mar 31st)
  - Using Linux grep and Windows findstr to Manipulate Files, (Fri, Mar 31st)
  - Update: oledump & MSI Files, (Sun, Apr 2nd)
  - YARA v4.3.0 Release, (Sun, Apr 2nd)
- Kristen Cotten at Scythe
  - Ngrok
- Roman Dedenok at Securelist
  - How scammers employ IPFS for email phishing
- Security Intelligence
- Security Investigation
- D. Iuzvyk, T. Peck, and O. Kolesnikov at Securonix
  - New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents
- Sekoia
  - SEKOIA.IO analysis of the #VulkanFiles leak
- SOC Fortress
  - Wazuh and Chainsaw integration for near real time SIGMA detection
- SOCRadar
- SpecterOps
  - I’d TAP That Pass
- Sucuri
- Sysdig
- System Weakness
- Threatmon
  - Anonymous Russia: Analysis of Threat Actors in Ukraine-Russia War
- Christopher Paschen at TrustedSec
  - Using RPC in BOFs
- Trustwave SpiderLabs
UPCOMING EVENTS
- Gerald Auger at Simply Cyber
  - Hack-Along w/Me! (Instructor Led Free Lab/Course on Threat Actor Workflow)
- Logpoint
  - Webinar: Speed up incident response with enhanced observability
- Trey Amick at Magnet Forensics
  - Respond to Security Events Faster with the Magnet Forensics Product Ecosystem
- MSAB
  - XRY 10.5 & XAMN 7.5
- Keith McCammon at Red Canary
  - Live from New York, it’s Threat Detection Series Live!
- SANS Institute
  - ChatGPT with Dave Hoelzer | Neurodiversity with Jen Santiago | Host Rob Lee | April 4, 2023
  - Live from RSAC with Ed Skoudis | Host, Stephen A. Hart | April 24, 2023
  - SANS Expert Line Up Live from RSAC Conference | April 25, 2023
  - SANS Expert Line Up Live from RSAC Conference | April 26, 2023
  - Live from RSAC with Melissa Bischoping, RSA Scholar | April 24, 2023
- Threatray
  - Join us Botconf 2023 on the 11th of April in Strasbourg
- Vishal Thakur
  - What Part of JMP RSP Don’t You Understand
PRESENTATIONS/PODCASTS
- ArcPoint Forensics
- Black Hat
  - Black Hat Europe 2022
- Black Hills Information Security
- Breaking Badness
  - 152. Good Will Threat Hunting
- Chris Sienko at the Cyber Work podcast
  - Set up your cybersecurity practice lab | Cyber Work Hacks
- CQURE Academy
  - Hacks Weekly #50 Network Traffic Analysis
- Cyber Triage
  - ResponderCon 2022 Ransomware Videos (Batch 3)
- Cyborg Security
  - Episode 8
- Detections by SpectreOps
  - DCP Live: Session 5
- Digital Forensic Survival Podcast
  - DFSP # 371 – AI with SUMURI
- Gerald Auger at Simply Cyber
- James Spiteri at ‘Oh My Malware!’
- Steve Gemperle at Magnet Forensics
  - Internal Investigations – Get the Evidence You Need to Safeguard Your Business
- MSAB
  - How to Capture Screenshots with XRY?
- Paraben Corporation
  - E3 Forensic Platform OSINT – Instagram
- Susannah Clark Matt at Red Canary
  - Threat Detection Series: Watch the PowerShell power hour
- RickCenOT
  - I pwn your Beckhoff CX9001 ICS with open Source Tools in 68 seconds!
- SANS
  - SANS Neurodiversity in Cybersecurity Summit 2023
  - Why should you take the FOR308: Digital Forensics Essentials?
  - Memory Forensics: How we used to do it & how we use it to respond to large-scale breaches today
  - Detecting and Eradicating Ransomware Operator Tools Is Surprisingly Easy (Japanese)
  - Detecting & Hunting Ransomware Operator Tools: It Is Easier Than You Think!
- The Defender’s Advantage Podcast
  - Threat Trends: How APT43 Targets Security Policy Experts Focused on North Korea
- Jon Clay at Trend Micro
  - 3 Shifts in the Cyber Threat Landscape
- WeLiveSecurity
  - ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine
MALWARE
- 0x70RVS
  - SikoMode
- Amr Ashraf
- Any.Run
  - LimeRAT Malware Analysis: Extracting the Config
- ASEC
  - Emotet Being Distributed via OneNote
  - Tracking the CHM Malware Using EDR
  - New Infostealer LummaC2 Being Distributed Disguised As Illegal Cracks
  - Warning for MagicLine4NX (Certificate Solution) Vulnerability and Update Recommended
  - Overview of AhnLab’s Response to “Korea-Germany Joint Cyber Security Advice”
  - Kimsuky Group Distributes Malware Disguised as Profile Template (GitHub)
  - Kimsuky Group Uses ADS to Conceal Malware
  - Microsoft Office Outlook Vulnerability (CVE-2023-23397) Appearance and Manual Measure Guide
  - ASEC Weekly Phishing Email Threat Trends (March 12th, 2023 – March 18th, 2023)
  - EDR Product Analysis of an Infostealer
  - ASEC Weekly Malware Statistics (March 20th, 2023 – March 26th, 2023)
- Erik Pistelli at Cerbero
  - Reversing Complex PowerShell Malware
- Check Point Research
  - Rhadamanthys: The “Everything Bagel” Infostealer
- Dr Josh Stroschein
- ExaTrack
  - Mélofée: a new alien malware in the Panda’s toolset targeting Linux hosts
- Fortinet
- Hasherezade’s 1001 nights
  - Magniber ransomware analysis: Tiny Tracer in action
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #134: ARM BL jumps
- Asher Langton at Juniper Networks
  - Using ChatGPT to Generate Native Code Malware
- Lathashree K at K7 Labs
  - GoatRAT Attacks Automated Payment Systems
- L M
  - Updates from the MaaS: new threats delivered through NullMixer
- Anandeshwar Unnikrishnan, Sakshi Jaiswal, and Anuradha M at McAfee Labs
  - Rising Trend of OneNote Documents for Malware delivery
- Alvin Gitonga at Moran Cybersecurity Group
  - BlackHats☠️ — Let’s build a Ransomware
- Nicholas Dhaeyer at NVISO Labs
  - OneNote Embedded URL Abuse
- Phylum
  - Phylum Discovers NPM Package mathjs-min Contains Credential Stealer
- Vaibhav Billade at Quick Heal
  - Deep Dive into Royal Ransomware
- Robert Giczewski
  - TrueBot Analysis Part III – Capabilities
- Pedro Tavares at Segurança Informática
- Alex Delamotte at SentinelLabs
  - Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife
- Splunk
  - AsyncRAT Crusade: Detections and Defense
- Threatmon
  - Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon
- Trend Micro
- Joshua St. Hilaire at Vectra AI
  - Command and Control (C2) Evasion Techniques, Part 2
- ZScaler
MISCELLANEOUS
- Kevin Ripa at SANS
  - How Are You So Smart With Computers?
- Adam at Hexacorn
  - Converting questionable questions into unquestionable opportunities…
- Alican Kiraz
  - Cyber Security – Incident Response Part 3.3: Recovery | EN
- Anton Chuvakin
  - Debating SIEM in 2023, Part 2
- Belkasoft
  - How Good of a DFIR Investigator Are You?
- Carrie Roberts at Black Hills Information Security
  - Got Enough Monitors?
- Adam Cohen Hillel at Cado Security
  - Introducing Masked-AI, An Open Source Library That Enables the Usage of LLM APIs More Securely
- Brad Garnett at Cisco’s Talos
  - How an incident response retainer can drive proactive security
- David Okeyode
  - State of the Multi-Cloud Global Infrastructure (March 2023)
- Bhabesh at ‘defend your networks…’
  - Breaking Barriers: Building Zeek for Windows
- EclecticIQ
  - Achieving Operational Excellence in a Cybersecurity Program
- Forensic Focus
  - Detego Global Teams Up With MH Service To Deliver Free Access To Cutting-Edge DFIR Tools
  - 18th International Conference On Cyber Warfare And Security (ICCWS 2023)
  - File Analysis And DVR Conversion Training From Amped Software
  - Detego Global & Hi2 Consulting Host 7th Annual SWE Digital Forensics Conference
  - Digital Forensics Round-Up, March 30 2023
- Christa Miller at Forensic Horizons
  - Between the CSI Effect and Science Denialism: Making Digital Forensics Sexy(ish)
- Tom Kopchak at Hurricane Labs
  - NECCDC 2023: Red Team Adventures
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (4/1/2023)
- Salvation DATA
  - Revolutionizing Digital Forensic Investigations with SalvationDATA’s Integrated Digital Forensic Lab Solution
- SANS
  - Unlock Your Cybersecurity Potential: A Look at What’s New in the Updated New to Cyber Field Manual
  - Cybersecurity Jobs: Threat Hunter (Japanese)
  - Cybersecurity Jobs: Digital Forensic Analyst (Japanese)
  - Cybersecurity Jobs: Red Teamer (Japanese)
  - Digital Forensics Salary, Skills, and Career Path
  - Cybersecurity Jobs: Purple Teamer (Japanese)
- Mani Keerthi Nagothu at SentinelOne
  - The First Line of Defense | Crafting an Impactful Incident Response Plan
- SUMURI
- Terryn at chocolatecoat4n6
  - What’s in my DFIR toolbox? | 2023
- Larry Gill and John Patzakis at X1
  - Three Major Observations and Developments from the Legalweek Conference
SOFTWARE UPDATES
- Belkasoft
  - Belkasoft X v.1.17: Extended Agent-Based iOS Acquisition, More Drones, 2FA Support for Office 365 Cloud Acquisition, Sigma Improvements, and Other Significant Updates.
- Berla
  - iVe Software v4.3 Release
- Brim
  - v1.0.1
- Datadog Security Labs
  - GuardDog v1.1.4
- DFIRTrack
  - v2.5.0
- Didier Stevens
- Simson Garfinkel at Digital Corpora
  - Compiled bulk_extractor 2.0 ready for download
- Doug Burks at Security Onion
  - Security Onion 2.4 Beta Release Now Available!
- Elcomsoft
  - iOS Forensic Toolkit 8.20 and 7.80 add partial file system extraction for iOS 16.1.2 and older
- ExifTool
  - ExifTool 12.59
- Ryan Benson
  - Hindsight v2023.03
- Manabu Niseki
  - Mihari v5.2.0
- Paraben Corporation
  - E3 Forensic Platform 3.5 Spring Release
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!