As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  KnowledgeC Database Forensics with Belkasoft X
  
  
• Blake Regan
  Mount Up
  
  
• Cloudyforensics
  Google Cloud Forensics and Incident Response
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Indictment Documents
  
  
• Haider at HK_Dig4nsics
  Forensic Analysis of Windows Subsystem for Android (WSA)
  
  
• Maxime Chouquet at Lexfo
  CVE-2023-27997 – Forensics short notice for XORtigate
  
  
• Md. Abdullah Al Mamun
  Email Incident Response
  
  
• NCC Group
  New Sources of Microsoft Office Metadata – Tool Release MetadataPlus
  
  
• The DFIR Report
  A Truly Graceful Wipe Out
  

THREAT INTELLIGENCE/HUNTING

• MOVEit
  • Are you ready for MOVEit?
  • MOVEit: an Industry Analysis
  • MOVEit Vulnerability Weaponized in Ransomware Attack
  • Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group
  • The Latest on Clop Ransomware and the MOVEit Vulnerability
  • The MOVEit  Zero-Day Vulnerability and the Importance of Cross Domain Solutions in Data Transfer
  • MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise
  • INSIGHT – MOVEit Zero-Day Reminds Us Yet Again to Be Diligent in Monitoring Our IT Infrastructure
  • MOVEit discloses THIRD critical vulnerability
  • The MOVEit Transfer Vulnerability: What You Need to Know
  • MOVEit Vulnerabilities: What You Need to Know
    
    
• Adam at Hexacorn
  Mitre Att&ck – from JSON to CSV
  
  
• Adam Goss
  Python Threat Hunting Tools: Part 7 — Parsing CSV
  
  
• Anomali
  Anomali Cyber Watch: Fractureiser Attempted Clipboard-Poisoning VM Escape, Asylum Ambuscade Spies as a Side Job, Stealth Soldier Connected with The Eye on The Nile Campaign, and More.
  
  
• Piotr Kijewski at APNIC
  Threat activity and vulnerabilities in Indonesia, Malaysia, Philippines, and Thailand
  
  
• Samad Khawaja at AT&T Cybersecurity
  Threat Hunt: KillNet’s DDoS HEAD Flood Attacks – cc.py
  
  
• Francis Guibernau and Giovanni López at AttackIQ
  Attack Graph Response to CISA Advisory AA23-165A: Understanding Ransomware Threat Actors: LockBit
  
  
• Jeremy Fuchs at Avanan
  Using Legitimate PDFs for BEC 3.0 Attacks
  
  
• Black Hills Information Security
  Evasive File Smuggling with Skyhook 
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-06-12 – 30 days of Formbook: Day 8, Monday 2023-06-12 – “EE2Q”
  • 2023-06-11 – 30 days of Formbook: Day 7, Sunday 2023-06-11 – GuLoader Formbook “XCHU”
  • 2023-06-10 – 30 days of Formbook: Day 6, Saturday 2023-06-10 – “SN84”
  • 2023-06-13 – 30 days of Formbook: Day 9, Tuesday 2023-06-13 – XLoader “MD8S”
  • 2023-06-14 – 30 days of Formbook: Day 10, Wednesday 2023-06-14 – “J0C7”
  • 2023-06-15 – 30 days of Formbook: Day 11, Thursday 2023-06-14 – “GA94”
  • 2023-06-16 – 30 days of Formbook: Day 12, Friday 2023-06-16 – “TFGP” (ISC diary)
    
    
• Cado Security
  Tracking Diicot: an emerging Romanian threat actor
  
  
• CERT Ukraine
  Кібератака групи UAC-0057 (GhostWriter) у відношенні державної організації України з використанням PicassoLoader та Cobalt Strike Beacon (CERT-UA#6852)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 10 – 16 giugno 2023
  
  
• Check Point
  • 12th June – Threat Intelligence Report
  • Massive global scale phishing campaign using malicious PDFs, identified and blocked by new ThreatCloud AI engine
    
    
• Checkmarx Security
  • Malicious Packages Linked Across Languages and the Dangers of Abandoned Open-Source Dependencies
  • Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers
    
    
• CISA
  Understanding Ransomware Threat Actors: LockBit
  
  
• Cisco’s Talos
  • “.Zip” top-level domains draw potential for information leaks
  • What does it mean when ransomware actors use “double extortion” tactics?
  • URLs have always been a great hiding place for threat actors
  • Threat Roundup for June 9 to June 16
    
    
• Cofense
  • Top Malware Trends of May: Cofense Phishing Defense Center (PDC)
  • Xneelo Users Targeted in a Multi-stage Phishing Attack 
    
    
• Maya Rotenstreich at CyberProof
  How APTs Maintain a Silent Grip on Enterprise Networks
  
  
• Cyberwarzone
  • Guide: YARA Detection for Sliced Strings
  • YARA Rules 101: Quickly craft YARA rules
  • Hunting With URLscan: Part 2
  • Hunting With URLscan: Part 3
  • Hunting With URLscan: Part 1
  • What is BlackCat (Alphv) Ransomware?
    
    
• Cyble
  • Threat Actor Targets Russian Gaming Community With WannaCry-Imitator
  • Cloud Mining Scam Distributes Roamer Banking Trojan
  • New Malware Campaign Targets LetsVPN Users
  • Malicious Tools in the Underground: Investigating their Propagation
    
    
• Cyfirma
  Weekly Intelligence Report – 16 June 2023
  
  
• Terry Mayer at Cyjax
  Cyjax White Paper – Strategic Intelligence Report on Latin America and the Caribbean: Synopsis
  
  
• Dirk-jan Mollema
  Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
  
  
• Eric Conrad
  Leave Only Footprints: When Prevention Fails
  
  
• Esentire
  • OnlyDcRatFans: Malware Distributed Using Explicit Lures of OnlyFans Pages and Other Adult Content
  • eSentire Threat Intelligence Malware Analysis: Resident Campaign
  • eSentire Threat Intelligence Malware Analysis: Aurora Stealer
    
    
• Yuzuka Akasaka at Flare
  • 11 Free Threat Intelligence Tools for 2023
  • Ransomware Gangs: 5 Tips for Defending Against Organized Cybercrime Groups
  • Detecting Phishing Domains: A Quick Guide
  • What is the Lifecycle of a Ransomware Attack?
  • Cyber Threat Detection: The Definitive Guide
  • Dark Web Investigations: 5 Best Practices
  • Domain Takedown: Removing Spear Phishing Domains for Free
  • Threat Spotlight: Incident Response & Cybercrime in 2023
    
    
• Flashpoint
  • Cyber Threat Intelligence Index: May 2023
  • COURT DOC: Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses
    
    
• Grayson North, Jason Baker, and Nic Finn at GuidePoint Security
  GRIT Ransomware Report: May 2023
  
  
• HP Wolf Security
  • Shampoo: A New ChromeLoader Campaign
  • HP Wolf Security Threat Insights Report Q1 2023
    
    
• InfoSec Write-ups
  • Hackthebox Meow Red Team,Purple Team and Blue Team Perspectives
  • Decoding Log4j : What You Need to Know
  • Mastering the Art of Threat Hunting !
  • TryHackMe: Digital Forensics Case B4DM755
    
    
• Jacob Baines at VulnCheck
  Fake Security Researcher GitHub Repositories Deliver Malicious Implant
  
  
• Jonathan Johnson
  Understanding Telemetry: Kernel Callbacks
  
  
• Kaido Järvemets
  • Monitor Windows LAPS Events with Microsoft Sentinel
  • Windows LAPS EventIDs and XPath Queries
  • Optimizing Incident Response through State-of-the-Art Datacenter Management: A Microsoft Azure Perspective
  • KQL Queries for Windows LAPS Migration
    
    
• Mandiant
  • VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors
  • Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
    
    
• Ryan Hausknecht at Microsoft’s ‘Security, Compliance, and Identity’ Blog
  Detection Engineering in Azure & Introducing AzDetectSuite
  
  
• Jeffry Gunawan at MII Cyber Security
  Microsoft Sentinel Article Series: Integrate IBM X-Force Threat Intelligence Feed Into Microsoft…
  
  
• MITRE-Engenuity
  • Elevate your threat intel reports with CTI Blueprints
  • Discovering Malicious Activity: A Blue Teamer’s Quick-Use Guide
    
    
• Ray Canzanese at Netskope
  Netskope Threat Labs Stats for May 2023
  
  
• Nikos Mantas at Falcon Force
  FalconFriday — Automating acquisition for incident response!
  
  
• Ryan Kalember at Proofpoint
  The 2023 Human Factor Report Analyzes Threats in the Cyber Attack Chain
  
  
• Chad Knipschild at Recorded Future
  Ransomware Is Changing: Why Threat Intelligence is Essential
  
  
• Red Canary
  • eBPFmon: A new tool for exploring and interacting with eBPF applications
  • When MFA isn’t an option: The legacy of ROPC
    
    
• Riam Kim-McLeod at ReliaQuest
  Clop Leaks: First Wave of Victims Named
  
  
• S-RM Insights
  • Strategic intelligence in action
  • S-RM – cyber incident response team of the year 2023
  • Cyber Intelligence Briefing: 16 June 2023
    
    
• SANS Internet Storm Center
  • Geoserver Attack Details: More Cryptominers against Unconfigured WebApps, (Mon, Jun 12th)
  • DShield Honeypot Activity for May 2023 , (Sun, Jun 11th)
  • Deobfuscating a VBS Script With Custom Encoding, (Wed, Jun 14th)
  • Another RAT Delivered Through VBS, (Fri, Jun 16th)
  • Formbook from Possible ModiLoader (DBatLoader) , (Sat, Jun 17th)
  • Brute-Force ZIP Password Cracking with zipdump.py, (Sun, Jun 18th)
    
    
• Rick Bosworth at SentinelOne
  Anatomy of a Cloud Incident | SentinelOne’s Vigilance vs. IceFire Ransomware
  
  
• SOCRadar
  Real-Life Examples of Successful Threat Intelligence Operations
  
  
• Sophos
  • Deep dive into the Pikabot cyber threat
  • Analyze suspicious files and URLs with the free SophosLabs Intelix portal
    
    
• Rianna MacLeod at Sucuri
  Demystifying Website Hacktools: Types, Threats, and Detection
  
  
• Sygnia
  Case Study: cracking a global Adversary-In-The-Middle campaign using a threat intelligence toolkit
  
  
• Symantec Enterprise
  Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine
  
  
• Miguel Hernández at Sysdig
  KeePass CVE-2023-32784: Detection of Processes Memory Dump
  
  
• Team Cymru
  Darth Vidar: The Aesir Strike Back
  
  
• Threatmon
  Cyber Threat Report: Analyzing Ransomware and Apt Attacks Targeting Türkiye – May 2023
  
  
• Trellix
  The Anatomy of HTML Attachment Phishing: One Code, Many Variants
  
  
• Trend Micro
  • SeroXen Incorporates Latest BatCloak Engine Iteration
  • To Fight Cyber Extortion and Ransomware, Shift Left
    
    
• TrustedSec
  • The Nightmare of Proc Hollow’s Exe
  • Obfuscation Using Python Bytecode
    
    
• Trustwave SpiderLabs
  • Honeypot Recon: Global Database Threat Landscape
  • KillNet, Anonymous Sudan, and REvil Unveil Plans for Attacks on US and European Banking Systems
    
    
• Mark Rasch at Unit 221B
  The Importance of “Effective” Threat Intelligence
  
  
• VirusTotal
  • AI boosts Code Language and File Format identification on VirusTotal
  • Actionable Threat Intel (II) – IoC Stream
    
    
• Wladimir Palant at ‘Almost Secure’
  Why browser extension games need access to all websites
  

UPCOMING EVENTS

• Cyacomb Forensics
  Rapid Digital Triage Tools Drop-In Session
  
  
• Gerald Auger at Simply Cyber
  • Fireside Chat with John Hammond 🔥 | Security Researching Like A Boss
  • I’m The Captain Now! – Building Cyber Ranges in World of Haiku 😲
    
    
• Justin Tolman at The Cyber Social Hub
  Breaking Down SQLite Databases
  
  
• Magnet Forensics
  • The Magnet Digital Investigation Suite: Envisioning the Future of Digital Forensics
  • Overview of Magnet AUTOMATE Enterprise
    

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  Talkin’ About Infosec News – 6/15/2023
  
  
• Breaking Badness
  157. They Ransomware
  
  
• Cellebrite
  Automating Remote Mobile Collections for eDiscovery and Investigations
  
  
• Cloud Security Podcast by Google
  EP125 Will SIEM Ever Die: SIEM Lessons from the Past for the Future
  
  
• CrowdStrike
  Cloud Threat Summit
  
  
• CySecK
  Webinar on “Network Attacks and Defence”
  
  
• Dark Mode
  Defending Against Digital Extortion & Ransomware – Recorded Future
  
  
• Day Cyberwox
  Initial Thoughts on Certified CyberDefender (CCD): Blue Team Certification For SOC Analysts
  
  
• Detections by SpectreOps
  DCP Live – Session 9
  
  
• Digital Forensic Survival Podcast
  DFSP # 382 – Protocol Buffers
  
  
• John Hammond
  How Hackers Evade Program Allowlists with DLLs
  
  
• John Hubbard at ‘The Blueprint podcast’
  Strategy 6: Illuminate Adversaries with Cyber Threat Intelligence
  
  
• Swachchhanda Shrawan Poudel at Logpoint
  On Demand: Vice Society’s Double Extortion – Demanding Ransom and Threatening Data Leaks
  
  
• Magnet Forensics
  • Magnet OUTRIDER Overview
  • Optimize Your GrayKey Loading Into Magnet AXIOM and AXIOM Cyber
  • Putting Your DFIR Lab in the Cloud: Lessons Learned
    
    
• MSAB
  How to Use Areas of Interest in XAMN Pro?
  
  
• RickCenOT
  BREAKING DOWN “I will pwn your  Veeder-Root TLS 350 gas station inventory system”
  
  
• SANS
  • A Visual Summary of SANS Blue Team Summit 2023
  • Handling Ransomware Incidents: What YOU Need to Know!
  • Securing the Pipelines DevSecOps and Cloud Security
  • Blueprint Live at the SANS Blue Team Summit 2023
    
    
• SentinelOne
  LABScon Replay | Star-Gazing: Using a Full Galaxy of YARA Methods to Pursue an Apex Actor
  
  
• The Defender’s Advantage Podcast
  Threat Trends: A Requirements-Driven Approach to Cyber Threat Intelligence
  

MALWARE

• Abdallah Elshinbary
  Dotnet String Decryptor
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (May 28th, 2023 – June 3rd, 2023)
  • ASEC Weekly Malware Statistics (June 5th, 2023 – June 11th, 2023)
  • Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution
    
    
• c3rb3ru5d3d53c
  [66] LiveStream – Reversing The DUMBEST HACK I’ve Ever Seen (Redline Stealer Part 9)
  
  
• Hex Rays
  • IDA 8.3: Qt 5.15.2 sources & build scripts
  • Plugin focus: Heimdallr
  • Igor’s Tip of the Week #144: Macros and simplified instructions
    
    
• InfoSec Write-ups
  • LetsDefend Dynamic Malware Analysis Part 2
  • LetsDefend: Dynamic Malware Analysis Part 1
  • Elementary static malware analysis approaches
    
    
• Darren Spruell, Chase Sims, and Brett Stone-Gross at InQuest
  Mystic Stealer: The New Kid on the Block
  
  
• Kyle Cucci at SecurityLiterate
  How Malware Abuses the Zone Identifier to Circumvent Detection and Analysis
  
  
• Malvuln
  Clop Ransomware Crypto Logic Flaw
  
  
• Rintaro Koike at NTT Security Japan
  SteelCloverが使用する新たなマルウェアPowerHarborについて
  
  
• OALABS Research
  RisePro Triage
  
  
• Lee Wei Yeong, Xingjiali Zhang, Yang Ji, Wenjun Hu and Royce Lu at Palo Alto Networks
  Android Malware Impersonates ChatGPT-Themed Applications
  
  
• Securelist
  • Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency
  • Understanding Malware-as-a-Service
    
    
• Todyl
  Threat Advisory: XWorm 4, Part 1 – File Deobfuscation
  
  
• Trellix
  • Skuld: The Infostealer that Speaks Golang
    
    
• VMRay
  From a OneNote Document to the Execution of Emotet
  
  
• Lukas Stefanko at WeLiveSecurity
  Android GravityRAT goes after WhatsApp backups
  

MISCELLANEOUS

• Elcomsoft
  • What Forensic Vendors Don’t Like To Tell Their Customers. Part 1
  • What Forensic Vendors Don’t Like To Tell Their Customers. Part 2
  • Safeguarding Digital Evidence: Don’t Shut It Down!
    
    
• Forensic Focus
  • Digital Evidence Admissibility – Exploring Best Practice And Compliance Frameworks
  • The Power Of Auto Asset Tagging In DFIR
  • Amped Replay Explained: A Detective’s Review Of The Enhanced Video Player For Forensic Investigations
    
    
• Christa Miller at Forensic Horizons
  A Juror’s Perspective of Digital Evidence
  
  
• Magnet Forensics
  • A Guide to Peak Hardware Performance for Magnet AXIOM
  • How To Get the Most Out of Your GrayKey Extractions
    
    
• Mirror review
  Heather Mahalik: Leading The Way In Digital Forensics
  
  
• Salvation DATA
  Unlock Hidden Data with Forensic Data Recovery Services
  
  
• SANS
  Cybersecurity Jobs: Security Awareness Officer (Japanese)
  
  
• Wessel Hissink
  Velocideploy – o – Matic, The Story
  

SOFTWARE UPDATES

• Andrew Rathbun
  KAPE-EZToolsAncillaryUpdater 4.1
  
  
• Belkasoft
  Belkasoft X v.2.0: Large-Scale Cases and Enterprise-Level Performance, More Drones and Clouds, YARA, Sigma and Hashset Analysis Improvements, and Other Significant Updates.
  
  
• Crowdstrike
  Falconpy Version 1.2.16
  
  
• Didier Stevens
  Update: zipdump.py Version 0.0.26
  
  
• dnSpyEx
  v6.4.0
  
  
• Elcomsoft
  Supporting Sage 50 Accounting 2023 and Sage 50 Accounts 2023
  
  
• Magnet Forensics
  • Magnet AXIOM 7.2 Now Available
  • Magnet AXIOM Cyber 7.2 Is Now Available
    
    
• Manabu Niseki
  Mihari v5.2.4
  
  
• MISP
  MISP 2.4.172 released with new TOTP/HTOP authentication, many improvements and bugs fixed
  
  
• Passmark Software
  OSForensics V10.0 Build 1014 14th June 2023
  
  
• Sandfly Security
  Sandfly 4.5.0 – Powerful New Expression Syntax
  
  
• Xways
  • X-Ways Forensics 20.5 SR-8
  • X-Ways Forensics 20.6 SR-9
  • X-Ways Forensics 20.7 SR-10
  • X-Ways Forensics 20.8 SR-2
  • X-Ways Forensics 20.9 Beta 2
    
    
• Yamato Security
  Hayabusa v2.6.0 🦅
  
  
• YARA
  v4.3.2
  
  
• Yogesh Khatri
  • mac_apt 20230617
  • spotlight_parser 1.0.2
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!