As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Ariel Szarf and Or Aspir at Mitiga
  - Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive
- Forensafe
  - Investigating qBittorrent
- Mailxaminer
  - OLK File Forensics – Examine OLK14 File and Export Evidence
- Plainbit
  - (IR-CASE) Credit card payment phishing page script injection incident
- Arslan Sabir at System Weakness
  - Windows RDP Event Logs: Identification, Tracking and Investigation Part-1
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - Python Threat Hunting Tools: Part 5 — Command Line Arguments
- Roman Lvovsky at Akamai
  - New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others
- Amr Ashraf
- Anomali
  - Anomali Cyber Watch: Shadow Force Targets Korean Servers, Volt Typhoon Abuses Built-in Tools, CosmicEnergy Tests Electric Distribution Disruption
- Jeremy Fuchs at Avanan
  - The Picture in Picture Attack
- Avast
- Avertium
  - An In-Depth Look at Cuba Ransomware
- BleepingComputer
- Brad Duncan at Malware Traffic Analysis
  - 2023-05-29 – Pcap and malware for ISC Diary (ModiLoader/Remcos RAT)
- Censys
  - MOVEit Transfer Vulnerability
- CERT Ukraine
- CERT-AGID
  - Summary of malicious campaigns in the week of 27 May – 01 June 2023
- Check Point Research
- Cisco’s Talos
- Cleafy
  - Uncovering drIBAN fraud operations. Chapter 2: From sLoad to Ramnit
- Cyble
  - Bl00dy Ransomware Targets Indian University: Actively Exploiting PaperCut Vulnerability
  - PixBankBot: New ATS-Based Malware Poses Threat to the Brazilian Banking Sector
  - Evolving Threat Landscape of Hacktivism in Colombia
  - SharpPanda APT Campaign Expands its Arsenal Targeting G20 Nations
  - ‘NoEscape’ Ransomware-as-a-Service (RaaS)
  - MOVEit Transfer Vulnerability Actively Exploited
- Cyfirma
  - Weekly Intelligence Report – 02 June 2023
- EclecticIQ
- Esentire
  - GuLoader VBScript Variant Returns with PowerShell Updates
- Jon Hencinski and Ben Brigida at Expel
  - Top three findings from Q1 2023 Quarterly Threat Report
- Flashpoint
  - SEO Poisoning: How Threat Actors Are Using Search Engines to Compromise Organizations
- Shane Huntley at Google Threat Analysis Group
  - TAG Bulletin: Q2 2023
- Matthew Remacle at GreyNoise
  - Progress’ MOVEit Transfer Critical Vulnerability
- Huntress
- Paritosh at InfoSec Write-ups
  - Discovering C2 IPs Through Shodan?
- Jeffrey Appel
  - Microsoft Defender Threat Intelligence (Defender TI) integrations with Microsoft Sentinel
- KELA
- Lumen
  - Qakbot: retool, reinfect, recycle
- Magnet Forensics
- Nextron Systems
  - Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite
- Nik Alleyne at ‘Security Nik’
  - Beginning Machine and Deep Learning with Zeek logs
- Nikolaos Samartzopoulos at NVISO Labs
  - Transforming search sentences to query Elastic SIEM with OpenAI API
- Brad Duncan at Palo Alto Networks
  - Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID
- PrimeHarbor Technologies
  - Public Cloud Security Breaches
- Recorded Future
  - Private Eyes: China’s Embrace of Open-Source Military Intelligence
- Miles Arkwright and James Tytler at S-RM Insights
  - Cyber Intelligence Briefing: 2 June 2023
- SANS Internet Storm Center
  - Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files, (Mon, May 29th)
  - Wireshark 4.0.6 Released, (Mon, May 29th)
  - We Can no Longer Ignore the Cost of Cybersecurity, (Sun, May 28th)
  - Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT, (Tue, May 30th)
  - After 28 years, SSLv2 is still not gone from the internet… but we’re getting there, (Thu, Jun 1st)
- Security Intelligence
- SOCRadar
- Jared Atkinson at SpecterOps
  - On Detection: From Tactical to Functional
- Splunk
  - Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis
- Stairwell
  - Security alert enrichment: Terminator endpoint defense evasion tool
- Tanium
  - CTI Roundup: Russia, Iran, & North Korea Target Global SMBs
- Todyl
  - Threat Advisory: spyboy and The Vulnerable Driver TTP
- Trend Micro
- TrustedSec
- Wladimir Palant at ‘Almost Secure’
UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2023-06-05
- Magnet Forensics
- SANS
  - SANS Ransomware Summit 2023
PRESENTATIONS/PODCASTS
- ArcPoint Forensics
  - Recovering files with ATRIO
- Black Hills Information Security
  - On The Hunt – PROMPT# Zine | Chris Brenton & More | 1-Hour
- Cyber Social Hub
  - How can the new FTK help your digital investigation???
- Digital Forensic Survival Podcast
  - DFSP # 380 – Ransomware Talk with SUMURI
- InfoSec_Bret
  - IR – SOC183-133 – Suspicious WMI Activity Detected
- John Hammond
- Magnet Forensics
- MSAB
- RickCenOT
  - BREAKING DOWN “I pwn your Beckhoff CX9001 ICS with a Bad USB HID Injection Attack”
- SANS
MALWARE
- Adam at Hexacorn
- Any.Run
  - How to Create a Task in ANY.RUN: a Step-by-Step Guide
- ASEC
- Alejandro Prada and Ofer Caspi at AT&T Cybersecurity
  - SeroXen RAT for sale
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #143: Fixing wrong address references in the decompiler
- Supraja Baskaran at InfoSec Write-ups
  - Detecting DLL Injection in Windows
- Nicole Fishbein at Intezer
  - CryptoClippy is Evolving to Pilfer Even More Financial Data
- Yuma Masubuchi at JPCERT/CC
  - GobRAT malware written in Go language targeting Linux routers
- Rahul R at K7 Labs
  - Encrypted Chaos: Analysis of Crytox Ransomware
- Mohitrajai
  - Aukill An Silent EDR Killer Malware
- NTCore
  - Hybrid Analysis Intelligence
- Shogo Hayashi, Fumio Ozawa and Rintaro Koike at NTT Security Japan
  - FlowCloud malware infection via USB Flash Drive
- OALABS Research
  - AMSI Bypass In The Wild
- Igor Kuznetsov, Valentin Pashkov, Leonid Bezvershenko, Georgy Kucherin at Securelist
- Threatmon
  - Reverse Engineering RokRAT: A Closer Look at APT37’s Onedrive-Based Attack Vector
- Vlad Pasca at Security Scorecard
  - Reverse-Engineering Java and JavaScript Malware
- Mallikarjun Piddannavar at ZScaler
  - Technical Analysis of Bandit Stealer
MISCELLANEOUS
- Jeremy Ware, Luis Pastor, and Megan O’Neil at AWS Security
  - Announcing the AWS Blueprint for Ransomware Defense
- Belkasoft
  - [ON-DEMAND COURSE] Maximizing DFIR Results with YARA, Sigma, and Belkasoft X
- Chris Doman at Cado Security
  - Breach Notifications in the Cloud
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update – 06/03/2023
- Oleg Afonin at Elcomsoft
  - Breaking Wi-Fi Passwords with Intel Arc Graphics Cards
- Leonardo M. Falcon at Falcon Guard
  - The Importance of Avoiding Rabbit Holes in DFIR
- Forensic Focus
- Christa Miller at Forensic Horizons
  - May 2023: Speculating on the Role of Forensic Evidence in Diversion
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (6/1/2023)
- MaverisLabs
  - I took Google’s Cybersecurity Certification Course and Here’s What I Learned.
- Rogan Dawes at Orange Cyberdefense
  - Investigating the Wink Hub 2
- Paolo
  - Portable SIEM for incident response with Elastic
- Jonathan Echavarria at ReliaQuest
  - A Ransomware Defense Guide: Strategies Against the Modern Attack Group
- Salvation DATA
- SANS
- Paolo Dal Checco at Studio d’Informatica Forense
  - Digital Forensics conference at the University of Padua
SOFTWARE UPDATES
- Cellebrite
  - Now Available: Cellebrite UFED and Responder v7.65
- Digital Sleuth
  - WIN-FOR v7.0.0
- dnSpyEx
  - v6.4.0-rc1
- Doug Burks at Security Onion
  - Security Onion 2.4 Beta 3 Release Now Available Including our First ISO Image for 2.4!
- Elcomsoft
  - Elcomsoft Wireless Security Auditor adds support for Intel Arc graphics cards
- Eric Zimmerman
  - ChangeLog
- Hashlookup Forensic Analyser
  - hashlookup-forensic-analyser version 1.2 – bug fix release
- IntelOwl
  - v5.0.0
- Kevin Pagano
  - SQLiteWalker – v0.0.4
- Mandiant
- Thiago Canozzo Lahr
  - uac-2.6.0
- WithSecure Labs
  - Chainsaw v2.6.2
- Xways
  - X-Ways Forensics 20.9 Preview 4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!