As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Amped
- Belkasoft
  - Ins and Outs of Hashing and Hashset Analysis in Belkasoft X
- Manuel Winkel at Deyda
  - Checklist for NetScaler (Citrix ADC) CVE-2023-3519
- Elcomsoft
- Howard Oakley at ‘The Eclectic Light Company’
  - iCloud Drive changes extended attributes
- Jaspreet Singh at Mail Xaminer
  - Message-id Forensics: Make Analysis Easy With Message Id Analyzer
- Kostas
  - Ursnif VS Italy: Il PDF del Destino
- Megan Roddie at SANS
- Joachim Metz at Open Source DFIR
  - What’s in a (file) path?
- Salvation DATA
  - [Case Study] Analysis Of Forensics Methods For Android Emulator NoxPlayer
- The Sleuth Sheet – Medium
  - OSINT: Crypto Drainer Investigation
THREAT INTELLIGENCE/HUNTING
- Roi Kol at Aqua
  - Detecting eBPF Malware with Tracee
- Assetnote
  - Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway
- Avertium
  - An Update on the Pro-Russia Threat Actor, Killnet
- Oleg Skulkin and Andrey Chizhov at BI Zone
  - New hacker group Quartz Wolf leverages legitimate software to attack the hospitality industry
- BushidoToken
  - Investigating SMS phishing text messages from scratch
- Censys
  - Managed File Transfer (MFT) Exposure
- CERT Ukraine
  - Targeted Turla attacks (UAC-0024, UAC-0003) using the CAPIBAR and KAZUAR malware (CERT-UA#6981)
- CERT-AGID
  - Summary of malicious campaigns in the week of 15 – 21 July 2023
- Check Point
  - 17th July – Threat Intelligence Report
  - Microsoft Dominates as the Most Impersonated Brand for Phishing Scams in Q2 2023
  - BYOS – Bundle Your Own Stealer
  - Facebook Flooded with Ads and Pages for Fake ChatGPT, Google Bard and other AI services, Tricking Users into Downloading Malware
  - CDN Service Exposes Users to Malicious Packages for Phishing Attacks Invisible to Security Tools
  - Docker Images: Why are Many Cyber Attacks Originating Here?
- CISA
  - Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
- Cisco’s Talos
- Cloudbrothers
  - Sync Defender for Cloud Alerts with Sentinel Incidents
- Omer Yoachimik and Jorge Pacheco at Cloudflare
  - DDoS threat report for 2023 Q2
- William Burgess at Cobalt Strike Research and Development
  - Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places
- Coveware
  - Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments
- CrowdStrike
  - Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft
- Cyberknow
  - Update 24. 2023 Russia-Ukraine War — Cybertracker. 20 JULY.
- Shani Touitou at CyberProof
  - From the desk of a threat hunter: Shielding exposed user IDs & passwords
- Cyble
- Cyborg Security
  - Moving Beyond Trust: The Crucial Role of Emulation and Validation in Threat Hunting
- Cyfirma
  - Weekly Intelligence Report – 21 July 2023
- Nicole Wong at Darktrace
  - How Darktrace’s SOC Helped to Thwart a BEC Attack in its Early Stages
- Vinaya Sheshadri at DomainTools
  - Leveraging Domain Intelligence for Threat Hunting
- Doug Metz at Baker Street Forensics
  - Hunting for Indicators with PowerShell: New Files
- EclecticIQ
- Elastic
- Anshu Bansal and Ashutosh Venkatrao More at Falco
  - Blog: Crafting Falco Rules With MITRE ATT&CK
- Yuzuka Akasaka at Flare
  - Threat Intelligence & The Cyber Kill Chain: The Complete Guide
- Flashpoint
- Fortinet
- Alexis Wales at GitHub
  - Security alert: social engineering campaign targets technology industry employees
- GuidePoint Security
  - Quarterly GRIT Ransomware Report – Q2 2023
- InfoSec Write-ups
  - Enhancing Malware Detection: Endpoint Detection and Response Solutions with Elastic SIEM
  - Decoding Threat Actors: Exposing Architecture Secrets with Open Source Tools
  - FalconEye: Splunk Threat Hunting
  - Persistence Techniques (Beginner to Advanced) For Windows
  - Solving the JavaScript Deobfuscation HTB CTF Challenge
- Alison Rusk at INKY
  - Fresh Phish: HTML Smuggling Made Easy, Thanks to a New Dark Web Phish Kit
- IronNet
  - ‘::ffff’ only… Tips for identifying unusual network activity
- Jonathan Johnson
  - ThreadSleeper: Suspending Threads via GMER64 Driver
- Jouni Mikkola at “Threat hunting with hints of incident response”
  - Threat Intelligence Platform – OpenCTI
- Yuma Masubuchi at JPCERT/CC
  - DangerousPassword attacks targeting developers’ Windows, macOS, and Linux environments
- Korstiaan Stam at ‘Invictus Incident Response’
  - Automated First-Response in AWS using Sigma and Athena
- Kristina Balaam and Justin Albrecht at Lookout
  - Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
- Mandiant
- Vasu Jakkal at Microsoft Security
  - Expanding cloud logging to give customers deeper security visibility
- MikeCyberSec
  - Hunting for potentially vulnerable Citrix servers with Shodan — CVE-2023-3519
- Phylum
  - June’s Sophisticated npm Attack Attributed to North Korea
- Proofpoint
  - Job Scams Using Bioscience Lures Target Universities
- Ramesh Ramachandran at Qualys
  - Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
- Red Canary
- Resecurity
  - How Dark Web research can aid in combating cybercrime leveraging an Infinite Game
- Miles Arkwright and James Tytler at S-RM Insights
  - Cyber Intelligence Briefing: 21 July 2023
- SANS Internet Storm Center
  - Brute-Force ZIP Password Cracking with zipdump.py: FP Fix, (Sun, Jul 16th)
  - Wireshark 4.0.7 Released, (Sat, Jul 15th)
  - Exploit Attempts for “Stagil navigation for Jira Menus & Themes” CVE-2023-26255 and CVE-2023-26256, (Tue, Jul 18th)
  - Citrix ADC Vulnerability CVE-2023-3519, 3466 and 3467 – Patch Now!, (Wed, Jul 19th)
  - Deobfuscation of Malware Delivered Through a .bat File, (Thu, Jul 20th)
  - Shodan’s API For The (Recon) Win!, (Fri, Jul 21st)
  - YARA Error Codes, (Sat, Jul 22nd)
- John Dwyer at Security Intelligence
  - X-Force certified containment: Responding to AD CS attacks
- SentinelOne
  - JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity
- SOCRadar
  - Threat Landscape in the Aviation Industry for H1 of 2023
- Sophos
- Sucuri
- Symantec Enterprise
  - FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
- Pierre Noujeim at System Weakness
- Third Eye intelligence
  - Australian Ransomware Threat Landscape 2023 – January to July 2023 – A Look into Cybersecurity’s Persistent Nemesis
- Threatmon
  - Unraveling the Complex Infection Chain: Analysis of the SideCopy APT’s Attack
- Daniel Lunghi at Trend Micro
  - Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad
- Jason Hill at Varonis
  - Taking Microsoft Office by “Storm”
- White Knight Labs
  - Ransomware Payments
- Shir Tamari at Wiz
  - Compromised Microsoft Key: More Impactful Than We Thought
UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2023-07-24
- Doug Burks at Security Onion
  - Registration Now Open for Augusta Cyber Week 2023!
- Magnet Forensics
- SANS
  - Should Countries Ban Ransomware Payments? | Host: Ryan Chapman | July 25, 2023
- X1
  - X1 Social Discovery v7.1 Product Tour
PRESENTATIONS/PODCASTS
- Black Hills Information Security
- Breaking Badness
  - 161. The Early Bird Gets the WormGPT
- Cellebrite
  - The Dig For Episode 2 – Guest Ed Wagrowski
- cloudyforensics
  - EKS Forensics & Incident Response
- Cyber Social Hub
- Digital Forensic Survival Podcast
  - DFSP # 387 – Network Share Modifications
- Hacker Valley Blue
  - SANS Difference Makers Awards 2022 Highlights
- InfoSec_Bret
  - InfoSec Tools – AppGuard Solo – Round 2
- John Hammond
- John Hubbard at ‘The Blueprint podcast’
  - Strategy 11: Turn up the Volume by Expanding SOC Functionality
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Why you can’t trust timestamps of Windows system files
- Magnet Forensics
  - How to Combine Magnet IGNITE and AXIOM Cyber to Streamline your Investigations
  - How to Bring Mobile Device Data from VeraKey into Magnet AXIOM Cyber
  - How to Set Up an Automated End-to-End iOS Workflow With GrayKey and Magnet AUTOMATE
  - Customer Story | Brett Shavers – Digital Forensics Consultant, DFIR Training
  - Oculus Quest “Meta” Forensics – Can It Be Done?
  - Establishing Connections: Illuminating Remote Access Artifacts in Windows
- Mostafa Yahia
  - DFIR (Windows Forensics) Course: Image Mounting (FTK Imager)
  - DFIR (Windows Forensics) Course: NTFS File System
  - DFIR (Windows Forensics) Course: MFT Recap
  - DFIR (Windows Forensics) Course: Master File Table $MFT
  - DFIR (Windows Forensics) Course: Introduction to Windows Registry
  - DFIR (Windows Forensics) Course: Data Recovery
  - DFIR (Windows Forensics) Course: Alternate data streams (ADS)
  - DFIR (Windows Forensics) Course: Windows NTFS Timestamps
- MSAB
  - How to Perform XRY File Validation?
- SANS
- SANS Cloud Security
- The Cyber Mentor
  - The Cyber Journey (Live with Markus Schober & Zach Hill)
- The Defender’s Advantage Podcast
  - Threat Trends: The Implications of the MOVEit Compromise
MALWARE
- Any.Run
- Martin a Milánek at Avast Threat Labs
  - HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within
- Ayedaemon
- Tom Hudson at Bishop Fox
- c3rb3ru5d3d53c
- Cleafy
  - Uncovering drIBAN fraud operations. Chapter 3: Exploring the drIBAN web inject kit
- Arnab Mandal at K7 Labs
  - CVE-2023-34362: MOVEit Transfer Exploitation Analysis
- Kyle Cucci at SecurityLiterate
  - Analysis of the NATO Summit 2023 Lure: A Step-by-Step Approach
- Jérôme Segura at Malwarebytes Labs
  - FakeSG enters the ‘FakeUpdates’ arena to deliver NetSupport RAT
- Yukihiro Okutomi at McAfee Labs
  - Android SpyNote attacks electric and water public utility users in Japan
- NVISO Labs
- OALABS Research
- Palo Alto Networks
- Francesco Figurelli and Eduardo Ovalle at Securelist
  - Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability
- SentinelOne
  - Reverse Engineering Walkthrough | Analyzing A Sample Of Arechclient2
- Ax Sharma at Sonatype
  - “Quoi…? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer
- Jason Reaves, Jonathan McCay and Joshua Platt at Walmart
  - NemesisProject
- Zhassulan Zhussupov
  - Malware development: persistence – part 22. Windows Setup. Simple C++ example.
MISCELLANEOUS
- Forensic Focus
  - How To Get The Upper Hand In A Constantly Evolving Digital World Through Mobile Forensic Training (That Actually Makes A Difference)
  - Combating Cyberterrorism: How Crypto Forensics Can Help
  - Addressing The Cybersecurity Talent Shortage: Focus On The Right Solution
  - UPCOMING WEBINAR – Next-Level Digital Investigations: Unveiling Detego Analyse AI+ And Its Groundbreaking Features
  - Digital Forensics Round-Up, July 20 2023
  - Highlights Of The MD-Series Release Notes For Q2 2023
  - UPCOMING WEBINAR – Uncovering Hidden Data: How To Collect The Mobile Data Your Investigation Is Missing
  - Forensic Focus Digest, July 21 2023
- Christa Miller at Forensic Horizons
  - 5 Things to Know About Digital Forensics in Space
- Ken Pryor at ‘No Pryor Knowledge’
  - Learning and Research Ideas
- MSAB
  - Interim report Q2, April – June 2023
- Raj Upadhyay
  - Linux Directory Structure
- SANS
  - Cybersecurity Jobs: Media Exploitation Analyst (Japanese)
- SentinelOne
  - Strengthening Cyber Defenses | A Guide to Enhancing Modern Tabletop Exercises
- Simone Kraus
  - Collaboration & Sharing — Why do we do the job we do?
- Andrew Case at Volatility Labs
  - The 11th Annual Volatility Plugin Contest!
- John Patzakis at X1
  - X1 Social Discovery Integration with Relativity Proves to Be Game Changing in Several High Stakes Matters
SOFTWARE UPDATES
- Angelina Tsuboi
  - DroneXtract
- Mandiant
  - Capa v6.0.0
- Didier Stevens
  - Update: zipdump.py Version 0.0.27
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 8.32 receives a maintenance update
- Erki Suurjaak
  - Skyperious v5.5
- Manabu Niseki
- Metaspike
  - Forensic Email Collector (FEC) Changelog – 3.88.0.15
- OpenCTI
  - 5.9.6
- Passmark Software
  - OSForensics – V10.0 Build 1015 19th July 2023
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!