As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• David Spreadborough at Amped
  CCTV Device Removal and Replacement
  
  
• Belkasoft
  Automation with Belkasoft: Orchestrating Belkasoft X and Griffeye DI Pro
  
  
• Forensic Science International: Digital Investigation
  Volume 45, June 2023
  
  
• Mark Spencer at Arsenal Recon
  Forensic Analysis of the NetWire Stack
  
  
• Jacob Torrey at Thinkst Thoughts
  Meet “ZipPy”, a fast AI LLM text detector
  

THREAT INTELLIGENCE/HUNTING

• MoveIT
  • Attack Graph Response to CISA Advisory AA23-158A: #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
  • #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability
  • CL0P likes to MOVEit MOVEit
  • Decoding CVE-2023-34362: Unmasking the MOVEit Transfer Vulnerability and Its Exploitation
  • Security alert: MOVEit Transfer exploited vulnerability
  • Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021 
  • Cl0p ransomware gang claims first victims of the MOVEit vulnerability
  • Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft
  • CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief
  • MOVEit Transfer Exploited to Drop File-Stealing SQL Shell
  • MOVEit Hunting Cl0p
  • Information on MOVEit Transfer and MOVEit Cloud Vulnerability CVE-2023-34362
    
    
• Adam at Hexacorn
  This LOLBIN doesn’t exist…
  
  
• Adam Goss
  • Python Threat Hunting Tools: Part 6 — Creating EXEs from Python Files
  • 3 Things KFC and Good Threat Intelligence Have in Common
    
    
• Anomali
  Anomali Cyber Watch: LEMURLOOT on Exploited MOVEit Transfers, Zero-Click iOS Exploit Targeted Kaspersky, Qakbot Turns Bots into Proxies
  
  
• Jeremy Fuchs at Avanan
  Surging to Inboxes
  
  
• Avertium
  Volt Typhoon: Targeted Attacks on U.S. Critical Infrastructure
  
  
• Blackberry
  RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine
  
  
• Lawrence Abrams at BleepingComputer
  Royal ransomware gang adds BlackSuit encryptor to their arsenal
  
  
• Bohops
  No Alloc, No Problem: Leveraging Program Entry Points for Process Injection
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-06-05 – 30 days of Formbook: Day 1, Monday 2023-06-05
  • 2023-06-06 – 30 days of Formbook: Day 2, Tuesday 2023-06-06 – “CG62”
  • 2023-06-07 – 30 days of Formbook: Day 3, Wednesday 2023-06-07 – “AE30”
  • 2023-06-08 – 30 days of Formbook: Day 4, Wednesday 2023-06-08 – “T30K”
  • 2023-06-09 – 30 days of Formbook: Day 5, Friday 2023-06-09 – GuLoader Formbook “V16R”
    
    
• CERT Ukraine
  UAC-0099: кібершпигунство у відношенні державних організацій та представників ЗМІ України (CERT-UA#6710)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 03 – 09 giugno 2023
  
  
• Check Point
  • 5th June – Threat Intelligence Report
  • Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa
  • CISA and Partners Release Joint Guide to Securing Remote Access Software
    
    
• Cisco’s Talos
  • Adversaries increasingly using vendor and contractor accounts to infiltrate networks
  • Now’s not the time to take our foot off the gas when it comes to fighting disinformation online
  • Threat Roundup for June 2 to June 9
    
    
• Cyberwarzone
  • Understanding LockBit 3.0 Ransomware Threat
  • Getting MISP Back on Track: When It’s Unable to Fetch Feeds
  • The Art of Keeping Threat Intelligence Feeds Clean
  • Quick Fix for MISP: When It Stops Updating Events
    
    
• Cyble
  • Evasive NoEscape Ransomware Uses Reflective DLL Injection
  • LockBit Ransomware 2.0 Resurfaces
  • HelloTeacher: New Android Malware Targeting Banking Users In Vietnam
  • Anonymous Sudan Launches Fresh Wave of DDoS Attacks on American Organizations Including Microsoft
  • Unmasking the Darkrace Ransomware Gang
  • Over 45 thousand Users Fell Victim to Malicious PyPI Packages
    
    
• Cyborg Security
  • Threat Hunting: Shifting Gears in Query Tuning
  • Unmasking RedLine Stealer: A Deep Dive into its Threat Landscape and Technical Exploitation
  • Detection Engineering vs Threat Hunting: Distinguishing the Differences
    
    
• Cyfirma
  Weekly Intelligence Report – 09 June 2023
  
  
• Tim Helming at DomainTools
  The DomainTools Report, Spring 2023
  
  
• Dragos
  COSMICENERGY Malware Is Not an Immediate Threat to Industrial Control Systems
  
  
• Arda Büyükkaya and Ippolito Forni at EclecticIQ
  FIN7 delivering Clop ransomware; ChatGPT and Midjourney imposter apps deliver BatLoader
  
  
• Matthew at Embee Research
  Threat Intel Queries
  
  
• Yuzuka Akasaka at Flare
  • Exploit Forum, Initial Access Brokers, and Cybercrime on the Dark Web
  • Malware as a Service: An Emerging Threat in 2023
  • Babuk Ransomware Group: What You Need to Know
  • Grief Ransomware Group: What You Need to Know
  • Threat Intelligence & Cybersecurity: Quick Wins for 2023
  • Dark Web Leaks: Stolen Credentials on the Dark Web
    
    
• Flashpoint
  Killnet: Inside the World’s Most Prominent Pro-Kremlin Hacktivist Collective
  
  
• Huntress
  • Beware of Traitorware: Using Splunk for Persistence
  • Calm In The Storm: Reviewing Volt Typhoon
    
    
• Intel471
  How Gray Market Cryptocurrency Exchanges Fuel Cybercrime
  
  
• Koos Goossens
  Unlimited Advanced Hunting for Microsoft 365 Defender with Azure Data Explorer
  
  
• Malwarebytes Labs
  • Vice Society: The #1 cyberthreat to schools, colleges, and universities
  • Information stealer compromises legitimate sites to attack other sites
  • Ransomware review: June 2023
    
    
• John Doyle at Mandiant
  A Peek Behind the Curtain: Examining the Dimensions of a National-level Cyber Program
  
  
• Microsoft Security
  • Why a proactive detection and incident response plan is crucial for your organization
  • Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
    
    
• Microsoft Security Response Center
  Hey Yara, find some vulnerabilities
  
  
• Nathaniel Raymond at Cofense
  “Caffeine” Phishing Service Domains, Patterns Still Heavily Used After Store Seemingly Defunct
  
  
• Obsidian Security
  SaaS Ransomware Observed in the Wild for Sharepoint in Microsoft 365
  
  
• Orange Cyber Defense
  Ransomware map, version 22 (may 2023)
  
  
• Raymond Roethof
  Microsoft Defender for Identity Recommended Actions: Resolve Unsecure Domain Configurations
  
  
• Recorded Future
  North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US
  
  
• Red Alert
  • Monthly Threat Actor Group Intelligence Report, April 2023 (KOR)
  • Monthly Threat Actor Group Intelligence Report, March 2023 (KOR)
    
    
• Justin Schoenfeld at Red Canary
  The curious case of BAV2ROPC
  
  
• Colin Ferris at ReliaQuest
  The Scent of Stealth: Cyber-espionage Intrusion Analysis
  
  
• Miles Arkwright and James Tytler at S-RM Insights
  Cyber Intelligence Briefing: 9 June 2023
  
  
• SANS
  Parsing the 2023 VZ DBIR for the Human Element
  
  
• SANS Internet Storm Center
  • Brute Forcing Simple Archive Passwords, (Mon, Jun 5th)
  • Github Copilot vs. Google: Which code is more secure, (Tue, Jun 6th)
  • Management of DMARC control for email impersonation of domains in the .co TLD – part 2, (Wed, Jun 7th)
  • Undetected PowerShell Backdoor Disguised as a Profile File, (Fri, Jun 9th)
  • Ongoing scans for Geoserver, (Thu, Jun 8th)
    
    
• Securelist
  • IT threat evolution Q1 2023
  • IT threat evolution Q1 2023. Mobile statistics
  • IT threat evolution in Q1 2023. Non-mobile statistics
    
    
• Joshua Chung, Melissa Frydrych, Claire Zaboeva and Agnes Ramos-Beauchamp at Security Intelligence
  ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)
  
  
• Sekoia
  Iran Cyber Threat Overview
  
  
• Aleksandar Milenkoski at SentinelOne
  Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence
  
  
• Nick Powers at SpecterOps
  Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution
  
  
• Splunk
  Don’t Get a PaperCut: Analyzing CVE-2023-27350
  
  
• Sysdig
  • Stop Cloud Breaches in Real Time and Accelerate Investigation and Response with Sysdig CDR
  • Look both ways: Preventing suspicious behavior with end-to-end detections
    
    
• Threatmon
  Threat Analysis: SharpPanda APT’s Attack Chain Targeting G20 Nations
  
  
• Tiffany Bergeron at ‘The Center for Threat-Informed Defense’
  Case Study: NIST 800 53 Mappings
  
  
• Trend Micro
  • Xollam, the Latest Face of TargetCompany
  • Impulse Team’s Massive Years-Long Mostly-Undetected Cryptocurrency Scam
    
    
• TrustedSec
  OneDrive to Enum Them All
  
  
• Uptycs
  Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat
  
  
• Fae Carlisle at VMware Security
  Carbon Black’s TrueBot Detection
  
  
• Matthieu Faou at WeLiveSecurity
  Asylum Ambuscade: crimeware or cyberespionage?
  
  
• Jiong Liu and Amir Lande Blau at Wiz
  Ta-da! Wiz launches Runtime Sensor to provide real-time detection and response
  

UPCOMING EVENTS

• Richard T. Frawley at ADF Solutions
  From Backlog to Breakthrough: Maximizing the Potential of Digital Forensic Evidence
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2023-06-12
  • BHIS – Talkin’ Bout [infosec] News 2023-06-09
    
    
• Cellebrite
  • Cellebrite Endpoint Inspector’s New Features Improves Incident Response
  • The Latest in Remote Collection with Endpoint Inspector
    
    
• Cyacomb
  Cyacomb Examiner 2.7 Webinar
  
  
• Magnet Forensics
  Putting Your DFIR Lab in the Cloud: Lessons Learned
  
  
• SANS
  • SANS Ransomware Summit 2023
  • The Dark Knight of OSINT, Matt Edmondson | Host: Rob Lee | June 13, 2023
  • Protecting the Cloud from Ransomware | Host: Ryan Chapman | June 20, 2023
    
    
• Andrew Case at Volatility Labs
  Malware and Memory Forensics Training Headed to Amsterdam in October 2023!
  

PRESENTATIONS/PODCASTS

• ArcPoint Forensics
  • F250 vs ATRIO case. I ran it over.
  • 256G acquired in 7:14
  • 3 steps to properly connecting a USB device 😁
    
    
• Black Hills Information Security
  Talkin’ About Infosec News – 6/9/2023
  
  
• Breaking Badness
  156. Romancing the Scam
  
  
• Jonathan Munshaw at Cisco’s Talos
  How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents
  
  
• Cyber Social Hub
  • Live with Grayshift from Techno Security
  • Let’s fix an iPhone that won’t’ boot for a forensic recovery
  • This Is Why You Need MSAB in Your DFIR Lab
  • Let’s talk to Ronen from Cellebrite
  • Let’s talk Digital Forensic Training with Jessica Hyde
  • What New at Magnet Forensics with Kim Bradley
  • What is new at Techno Security & Digital Forensic Conference
  • One Forensic Tool To Rule Them All
    
    
• CySecK
  Digital Defenders CTF 2023 Webinar on “Network Analysis and Tools” | CySecK | K-tech | IISc | KSCST
  
  
• Digital Forensic Survival Podcast
  DFSP # 381 – Spoliation
  
  
• Digital Forensics Future (DFF)
  S4:E3 The Dom and Jerry Show, Part I
  
  
• InfoSec_Bret
  X_x It Came From Reddit x_X – Maritas Game Beta
  
  
• John Hammond
  • Hands-on Ransomware: Exploring Cybercrime
  • FAKE Microsoft Login to Hacked Charity Scam
  • Now Scammers Can RENT Email Addresses for Cybercrime
    
    
• John Hubbard at ‘The Blueprint podcast’
  Strategy 5: Prioritize Incident Response
  
  
• Magnet Forensics
  • Unravel Cyberattacks With Magnet AXIOM Cyber
  • Manage Case Assignment in Magnet REVIEW
  • How to Manage Tags in Magnet REVIEW
  • How to make helpful case descriptions in Magnet REVIEW
  • How to Navigate Digital Evidence in Magnet REVIEW
  • What Are Comments?
  • How to Edit Evidence Source Information
  • Getting Started with a Digital Case
  • Reviewing Complex Evidence Items
  • What Are Tags?
  • Leveraging AXIOM Cyber in Microsoft Azure
  • Does Slicing Onions Make You Cry – Forensics Analysis of TAILS
    
    
• OALabs
  N00bs Night Malware RE Workshop with @c3rb3ru5d3d53c
  
  
• RickCenOT
  I will pwn your  Veeder-Root TLS 350 gas station inventory system in less than 60 seconds
  
  
• Ryan Chapman at SANS
  What is the FOR528: Ransomware for Incident Responders course all about?
  
  
• SANS Cloud Security
  Hands On Workshop: Container Security 101
  
  
• The Defender’s Advantage Podcast
  Frontline Stories: Crisis Communications During a Breach
  

MALWARE

• Any.Run
  Malware Analysis News: May 2023  
  
  
• ASEC
  • Tracking and Responding to AgentTesla Using EDR
  • ASEC Weekly Malware Statistics (May 22nd, 2023 – May 28th, 2023)
  • Similar AhnLab Response Cases Regarding Korea-US Joint Cyber Security Advice
  • Malware Being Distributed Disguised as a Job Application Letter
  • Threat Trend Report on APT Groups – April 2023
  • Deep Web & Dark Web Threat Trend Report – April 2023
  • Threat Trend Report on Ransomware – April 2023
  • CVE Trend Report – April 2023 Vulnerability Statistics and Major Issues
  • Threat Trend Report on Kimsuky – April 2023
  • ASEC Weekly Malware Statistics (May 29th, 2023 – June 4th, 2023)
  • ASEC Weekly Phishing Email Threat Trends (May 21st, 2023 – May 27th, 2023)
    
    
• Ben Herzog Check Point
  Rust Binary Analysis, Feature by Feature
  
  
• CTF导航
  • CobaltStrike分析-beacon 解析
  • 起底GoldenJackal APT组织
  • 红队工具研究篇 – SliverC2 Stager研究（上）
  • APT-C-55（Kimsuky）组织假借“生日祝福”为诱饵分发Quasar RAT的攻击活动分析
  • Sliver C2についての調査
  • AgentTesla – Full Loader Analysis – Resolving API Hashes Using Conditional Breakpoints
  • APT-C-63（沙鹰）组织攻击检测工具发布
    
    
• Debugactiveprocess
  [UPDATE] FantasyMW(v2) Android Banking Trojan ressurge com novos alvos
  
  
• Gi7w0rm
  DynamicRAT — A full-fledged Java Rat
  
  
• Yuma Masubuchi at JPCERT/CC
  How to Create F.L.I.R.T Signature Using Yara Rules for Static Analysis of ELF Malware
  
  
• Łukasz
  Dismantling spyware disinformation campaigns
  
  
• Haim Zigel and Oleg Kupreev at Securelist
  Satacom delivers browser extension that steals cryptocurrency
  
  
• Priyadharshini Balaji at Security Investigation
  Pestudio: Initial Malware Assessment Made Simple
  
  
• Squiblydoo
  Understanding PE Bloat with Malcat
  
  
• Peter Girnus and Aliakbar Zahravi at Trend Micro
  Analyzing the FUD Malware Obfuscation Engine BatCloak
  
  
• Wladimir Palant at ‘Almost Secure’
  • Introducing PCVARK and their malicious ad blockers
  • Another cluster of potentially malicious Chrome extensions
    
    
• Zhassulan Zhussupov
  • Malware development trick – part 31: Run shellcode via SetTimer. Simple C++ example.
  • Malware development trick – part 32. Syscalls – part 1. Simple C++ example.
  • Malware development trick – part 33. Syscalls – part 2. Simple C++ example.
    

MISCELLANEOUS

• Adam at Hexacorn
  Perl and Python Scripting Templates…
  
  
• Seth Land at ADF Solutions
  The Benefits of Digital Forensic Software in Homeland Security Investigations
  
  
• Chris Doman at Cado Security
  Forensic Readiness in the Cloud
  
  
• Monica Harris at Cellebrite
  Key eDiscovery and Compliance Takeaways and Highlights from Relativity Fest London 2023
  
  
• Decrypting a Defense
  FBI Botch an iPhone Search, ShotSpotter Rebrands, Surveillance Policy, & More
  
  
• Dragos
  Dragos CEO’s Email to Employees on Layoff
  
  
• Oleg Afonin at Elcomsoft
  • Volume Encryption in Synology DSM 7.2: LUKS with Questionable Key Management
  • Elcomsoft Lab: Benchmarking Password Recovery Speeds
    
    
• Forensic Focus
  • Why DFIR Is The New Frontier Of Cybersecurity
  • ADF Solutions Announces Sponsorship And Speaking Session At Techno Security East
  • Cellebrite’s Solutions To Current eDiscovery Challenges
  • Presentation On Video Evidence Principles At The European Parliament
  • Digital Forensics Round-Up, June 08 2023
    
    
• GreyNoise
  Labs API: It’s Playtime
  
  
• Intezer
  • 📈 Introducing the Weekly Autonomous SOC Report: Enhance Transparency and Reduce Noise
  • Introducing Automated, Context-Rich Alert Triage
    
    
• Owen Walsh at ParaFlare
  Practical guidance for executives navigating a cyber incident
  
  
• Joakim Schicht at ‘Plain Binary’
  Walk through of a bug in the Volume Shadow Copy driver – volsnap.sys
  
  
• Grace Chi at Pulsedive
  Better Together: The Best Cyber Threat Intelligence Events
  
  
• Lisa Forte at Red Goat
  • How to write an effective ransomware playbook
  • Get started with crisis communication planning
    
    
• Salvation DATA
  • How to Empower Your Investigations with Digital Forensics Services?
  • How Can Forensic Advantage Revolutionize Investigations, Litigation, and Cybersecurity?
    
    
• SANS
  Cybersecurity Jobs: Intrusion Detection/SOC Analyst (Japanese)
  
  
• Security Investigation
  Digital stores for legally challenging products – How are they handled?
  

SOFTWARE UPDATES

• Acelab
  New PC-3000 Ver. 7.3.6, Data Extractor Ver. 6.3.6 / PC-3000 SSD Ver. 3.3.3 has been released
  
  
• Digital Detective
  NetAnalysis v3.5
  
  
• dnSpyEx
  v6.4.0-rc2
  
  
• ExifTool
  ExifTool 12.63
  
  
• F-Response
  F-Response 8.6.1.4 – Apple and Linux for F-Response Collect
  
  
• Hasherezade pe-bear
  Repository moved
  
  
• Hex Rays
  IDA 8.3 released
  
  
• IntelOwl
  v5.0.1
  
  
• k1nd0ne
  VolWeb 1.3.0-beta
  
  
• Mandiant
  flare-floss QUANTUMSTRAND preview 5
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 3.88.0.5
  
  
• Olaf Schwarz
  gMetaDataParse Version 0.0502
  
  
• radare2
  5.8.8
  
  
• Smart Projects
  IsoBuster 5.2 beta released
  
  
• Xways
  X-Ways Forensics 20.9 Beta 1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!