As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS

Ahmed Belhadjadji
- Windows Forensics: Event Logs Analysis

David Spreadborough at Amped
- Public Submissions of CCTV and Video Evidence

Elcomsoft

Eric Capuano
- Capturing & Parsing Forensic Triage Acquisitions for Investigation Timelining

Forensafe
- Investigating pCloud

Invictus Incident Response
- Ransomware in the cloud
THREAT INTELLIGENCE/HUNTING

Adam at Hexacorn
- Beyond good ol’ Run key, Part 142

Adam Goss
- Lock & Load: Arming Yourself with Custom Sigma Rules

Stiv Kupchik at Akamai
- Investigating the resurgence of the Mexals campaign

Alican Kiraz
- Threat Hunting with Windows Event Logs

Anomali
- Anomali Cyber Watch: Aggressively-Mutating Mantis Backdoors Target Palestine, Fake Cracked Packages Flood NPM, Rorschach Ransomware Is Significantly Faster Than LockBit v.3

Anton Chuvakin
- Google Cybersecurity Action Team Threat Horizons Report #6 Is Out!

Any.Run
- Malware Trends Report: Q1, 2023

Francis Guibernau at AttackIQ
- Response to Lazarus’ 3CX Supply Chain Compromise

Jeremy Fuchs at Avanan
- Zelle Phishing

Avertium

Rodrigo Ferroni and Eduardo Ortiz Pineda at AWS Security
- Investigate security events by using AWS CloudTrail Lake advanced queries

Aziz Farghly
- Medusa Detection via Yara

Belkasoft
- YARA Rules in Belkasoft X

BI.Zone
- Watch Wolf weaponizes SEO against accountants

Martin Zugec at Bitdefender
- Technical Advisory: Unauthorized RCE Vulnerability in MSMQ Service CVE-2023-21554 aka QueueJumper

Ionut Ilascu at BleepingComputer
- Hackers start abusing Action1 RMM in ransomware attacks

Brad Duncan at Malware Traffic Analysis

Censys
- CVE-2023-21554: MSMQ

CERT-AGID
- Summary of malicious campaigns in the week of 8 – 14 April 2023

Yehuda Gelb at Checkmarx Security
- Why We Need to Collect Everything: Unveiling the Power of Retro-Hunting in Open Source

Cisco’s Talos

Cofense
- Top Malware Trends of March Cofense Phishing Defense Center (PDC)

360 Threat Intelligence Center
- Analysis of APT-C-28 (ScarCruft) organization’s attack activities in South Korea

Cyfirma
- Weekly Intelligence Report – 14 Apr 2023

Darktrace
- Social Engineering: Detecting Malicious Email Activity from Both Known and Unknown Senders

Dragos
- 2022 ICS/OT Threat Landscape Recap & What to Watch for This Year

EclecticIQ
- CISA Warns of Telerik Vulnerability; Kimsuky Steal Gmail Emails

Devon Kerr at Elastic
- Elastic Global Threat Report Breakdown: Credential Access

Esentire
- GuLoader Targeting the Financial Sector Using a Tax-themed Phishing Lure

Bob Rudis at GreyNoise
- Duo Tags For Identifying Microsoft Message Queue Scanners Live Now – QueueJumper (CVE-2023-21554)

Adam Rice at Huntress
- Traitorware and Living Off the Land: Using Splunk to Exfiltrate Data

Bukar Alibe at INKY
- Fresh Phish: Notorious Crime Ringleader’s Company Takes Center Stage in this MEGA Tax-Time Phishing Scheme

Intel471
- Countering the Problem of Credential Theft

Kijo Niimura
- Day 2 – APT29 Overview

Luis Francisco Monge Martinez

Malwarebytes Labs
- Ransomware review: April 2023

Jérôme Segura at Malwarebytes Labs
- Massive malvertising campaign targets seniors via fake Weebly sites

Matt Edmondson at SANS
- Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations

Microsoft Security

Microsoft Security Insights Show
- Logs, logs and more logs

Microsoft Security Response Center
- Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access

Microsoft’s ‘Security, Compliance, and Identity’ Blog
- Multi-Geo Exchange Online Admin Audit Logs

Gustavo Palazolo at Netskope
- Threat Labs News Roundup: March 2023

Ryan Chapman at Palo Alto Networks
- Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land

Jessica Ellis at PhishLabs
- Emotet Returns from Hiatus, Trails QBot in Q1 Volume

Pierre Jourdan at 3CX
- Security Update Mandiant Initial Results

Red Alert
- Monthly Threat Actor Group Intelligence Report, February 2023 (ENG)

Miles Arkwright and James Tytler at S-RM Insights
- Cyber Intelligence Briefing: 14 April 2023

SANS Internet Storm Center

SEC Consult
- BumbleBee hunting with a Velociraptor

Securelist

Security Intelligence

BalaGanesh at Security Investigation
- CVE-2023-21554 – Hunt For MSMQ QueueJumper In The Environment

Sekoia
- Overview of the Russian-speaking infostealer ecosystem: the distribution

SentinelOne

Jagadeesh Chandraiah at Sophos
- Tax-time smishing campaign targets Indian account holders

Splunk
- These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers

Oren Biderman, Amnon Kushnir, Gopal Purohit, Dan Saunders, and Etai Livne at Sygnia
- Threat Actor Spotlight: RagnarLocker Ransomware

Threatmon
- The Rise of Dark Power: A Close Look at the Group and their Ransomware

Max Kersten at Trellix
- Read The Manual Locker: A Private RaaS Provider

Trend Micro

TrustedSec

Megan Garza at Varonis
- Global Threat Trends and the Future of Incident Response

Viktor Hedberg at Truesec
- Exporting Conditional Access Policies As an End User

Zain ul Abidin
- Boosting Your Security Operations: Finding MTTD and MTTR in QRadar and Creating PULSE Visualization
UPCOMING EVENTS

Black Hills Information Security
- BHIS – Talkin’ Bout [infosec] News 2023-04-17

Emmy Gamble at Cellebrite
- Streamline Investigations with Remote Collection of Androids and Workplace Apps

Dragos
- How to Secure Your OT Environments from Ransomware

X1 Social Discovery
- X1 Social Discovery v7.0 Product Tour
PRESENTATIONS/PODCASTS

Kevin Ripa at SANS
- FOR498 – New Course Name, New Content & A Whole Lot of Actionable Intelligence in 90 min or less

ArcPoint Forensics

Black Hills Information Security

Botconf
- Botconf 2023

Chris Sienko at the Cyber Work podcast
- Optimizing your digital forensics profile while job searching | Cyber Work Hacks

cloudyforensics
- AWS Forensics & Incident Response Training

Day Cyberwox
- Becoming A Detection Architect at 21 with CharlesQ | CYBER STORIES EP 7 #cybersecurity

Digital Forensic Survival Podcast
- DFSP # 373 – Linux File Poisoning

Horangi Cyber Security
- Threat Modeling (Ask A CISO SE03EP10)

InfoSec_Bret
- DFIR Challenge – AWS CloudTrail Part 2 [FINAL]

Magnet Forensics

Markus Schober at Blue Cape Security
- Tactical Ransomware Preparation Exercise

MSAB
- How to validate data with XAMN?

Neil Fox
- How to Install & Use the NimPlant c2 Framework

OALabs
- PE File Unmapping Explained aka Lazy Process Dumping

SANS Cloud Security
- Breaking the Cloud Kill Chain

SANS Institute
- SANS Small Business Cyber Summit 2023

Stephen Hasford
- Static Malware Analysis

X-Ways Software Technology
- X-Ways Forensics Configuration 01: Paths and Setup
MALWARE

0x70RVS
- PuTTY

Alexandre Borges at ‘Exploit Reversing’
- Exploiting Reversing (ER) series: article 01

Apophis
- Medusa Ransomware technical analysis report

ASEC
- 3CX DesktopApp Supply Chain Attack Also Detected in Korea
- ASEC Weekly Phishing Email Threat Trends (March 26th, 2023 – April 1st, 2023)
- ASEC Weekly Malware Statistics (April 3rd, 2023 – April 9th, 2023)
- Qakbot Being Distributed in Korea Through Email Hijacking
- Bitter Group Distributes CHM Malware to Chinese Organizations

Axelarator
- Mozi

Matt Muir at Cado Security
- Legion: an AWS Credential Harvester and SMTP Hijacker

CQURE Academy
- Hacks Weekly #52 Malware Analysis with AnyRun

Cyble
- Chameleon: A New Android Malware Spotted In The Wild

Matthew at Embee Research

Fortinet

Igor Skochinsky at Hex Rays
- Igor’s Tip of the Week #136: Changing assembler syntax

SaiKrishna K at InfoSec Write-ups
- WalkThrough of Wanna Cry Ransomware

Ori Hollander at JFrog
- Analyzing Impala Stealer – Payload of the first NuGet attack campaign

John Hammond

SangRyol Ryu at McAfee Labs
- Goldoson: Privacy-invasive and Clicker Android Adware found in popular apps in South Korea

Mohamed Adel
- Aurora Stealer

Rintaro Koike at NTT Security Japan
- Attack Campaign that Uses Fake Google Chrome Error to Distribute Malware from Compromised Websites

OALABS Research
- Quasar Chaos

Matthew Green at Rapid7
- Automating Qakbot decode at scale

Sonatype
- Malware Monthly – March 2023

Bill Marczak, John Scott-Railton, Astrid Perry, Noura Al-Jizawi, Siena Anstis, Zoe Panday, Emma Lyon, Bahr Abdul Razzak, and Ron Deibert at The Citizen Lab
- Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers

Uptycs
- Zaraza Bot Credential Stealer Targets Browser Passwords – Uptycs

Yoroi
- Money Ransomware: The Latest Double Extortion Group

Zhassulan Zhussupov
- Malware AV/VM evasion – part 15: WinAPI GetModuleHandle implementation. Simple C++ example.

Brett Stone-Gross at ZScaler
- Technical Analysis of Trigona Ransomware
MISCELLANEOUS

Kevin Ripa at SANS

AT&T Cybersecurity

Forensic Focus

Magnet Forensics
- Meet the Recipients of the 2022 Magnet Forensics Scholarship Award!

SANS
- Cybersecurity Jobs: CISO (Japanese)

Security Investigation
- What Is A Compromise Assessment And When Do You Need One?
SOFTWARE UPDATES

Cellebrite
- Industry First: Explore the Latest Features in Forensic Imaging Solutions

Crowdstrike
- Falconpy Version 1.2.13

Didier Stevens
- New Tool: myjson-transform.py

Elcomsoft
- Elcomsoft iOS Forensic Toolkit 8.21 adds auto-DFU and automated screen shot capture

F-Response
- F-Response 8.5.1.14 – Updates and improvements

Metaspike
- Forensic Email Intelligence 2.1.8 Release Notes

MISP
- MISP 2.4.170 released with new features, workflow improvements and bugs fixed

MobilEdit
- New MOBILedit Forensic ver. 9.1 and MOBILedit Forensic Pro+ is here!

Nir Sofer
- Favorites list in NirLauncher package

Brandon Dalton at Red Canary
- Introducing: Red Canary Mac Monitor

Volatility Foundation
- Volatility 3 2.4.1

Mark Baggett
- Srum-Dump Version 2.5 Bloodsport
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!