As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Amr Ashraf
- Troy Wojewoda at Black Hills Information Security
  - Welcome to Shark Week: A Guide for Getting Started with Wireshark and TShark
- Cado Security
  - Decoding the NIST Cloud Computing Forensics Reference Architecture
- Oleg Afonin at Elcomsoft
  - Apple iCloud Acquisition: A Lifeline for Forensic Experts
- Forensafe
  - Investigating Android Twitter
- Salvation DATA
  - What is DVR and How DVR recorders Work in Video Forensics?
- Jason Roslewicz at Sumuri
  - Drone Forensics – What data can be recovered?
- Shane Hartman at TrustedSec
  - Prefetch: The Little Snitch That Tells on You
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures
  - Counting Connections With tshark
- Akamai
- Nitzan Yaakov at Aqua
  - Tomcat Under Attack: Exploring Mirai Malware and Beyond
- Steven Campbell, Akshay Suthar, and Connor Belfiore at Arctic Wolf
  - Conti and Akira: Chained Together
- Dylan Pindur and Shubham Shah at Assetnote
  - Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway (Part 2)
- Francis Guibernau and Andrew Costis at AttackIQ
  - Emulating the Highly Elusive Chinese Adversary Gallium
- Avertium
  - Evolution of Russian APT29 – New Attacks and Techniques Uncovered
- Blackberry
  - Decoding RomCom: Behaviors and Opportunities for Detection
- BleepingComputer
- Brad Duncan at Malware Traffic Analysis
  - 2023-07-25 – IcedID (Bokbot) from wave of malspam on 2023-07-24
- CERT EU
  - Threat Landscape Report for Q2 2023 – Executive Summary – Public Release
- CERT Ukraine
  - The threat level for accountants is rising: the UAC-0006 group has carried out its third cyberattack in 10 days (CERT-UA#7065, CERT-UA#7076)
- Check Point Research
  - 24th July – Threat Intelligence Report
- Chris Long
  - Leveraging Osquery To Examine The Xprotect Behavioral Service Db
- CISA
  - Preventing Web Application Access Control Abuse
- Nicole Hoffman at Cisco’s Talos
  - Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
- Cofense
  - 2023 Cofense Phishing Intelligence Trends Review: Q2
- Reza Rafati at Cyberwarzone
  - The Best Guide to Cyber Threat Intelligence Training for Technical Experts
- Cyble
- Cyborg Security
- Cyfirma
  - Weekly Intelligence Report – 28 July 2023
- Cyjax
  - Cryptocurrency Threat Landscape Report – Q2 2023
- Delivr
  - SVG Smuggling: A picture worth a thousand words
- Devon Ackerman, Steven Coffey, Josh Mitchell, and Dan Cox at Kroll
  - MOVEit Vulnerability Investigations Uncover Additional Exfiltration Method
- Kirti Sodhi and Sourin Paul at Elastic
  - Identifying malicious Remote Desktop Protocol (RDP) connections with Elastic Security
- Emanuele De Lucia
  - Rhysida: An old / new threat in the ransomware landscape
- Eric Clay at Flare
  - Over 400,000 corporate credentials stolen by info-stealing malware
- Ray Pugh at Expel
  - Threat hunting basics: understanding key principles
- Huntress
  - Business Email Compromise via Azure Administrative Privileges
- Infoblox
  - Decoy Dog is No Ordinary Pupy: Separating a Sly DNS Malware from the Pack
- InfoSec Write-ups
- Jacob Baines at VulnCheck
  - Exploiting MikroTik RouterOS Hardware with CVE-2023-30799
- Kaido Järvemets
  - Tracking Windows LAPS Activity with Sentinel through Event ID 4662
- Victoria Kivilevich at KELA
  - The Stormous Extortion Group Strikes Back
- Kevin Beaumont at DoublePulsar
  - MobileIrony backdoor allows complete takeover of mobile security product and endpoints.
- Louai Abboud at Lares Labs
- Swachchhanda Shrawan Poudel at Logpoint
  - Understanding the Menace: Unraveling the Sophistication and Nefarious Nature of LockBit Ransomware
- Malware Hell
  - Skid OSINT Investigation
- Mandiant
  - Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519)
  - North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack
  - Pro-PRC HaiEnergy Campaign Exploits U.S. News Outlets via Newswire Services to Target U.S. Audiences; Evidence of Commissioned Protests in Washington, D.C.
- Vallabh Chole and Yerko Grbic at McAfee Labs
  - Scammers Follow the Rebranding of Twitter to X, to Distribute Malware
- Microsoft
  - MDTI-Solutions
- Microsoft Security
  - Cryptojacking: Understanding and defending against cloud compute resource abuse
- Rohit Sadgune at Netenrich
  - Detecting Beaconing Attacks by Advanced Threat Hunting
- Nextron Systems
  - How to scan NetScaler / Citrix ADC appliances using THOR
- Nisos
- Nabeel Mohamed, Fang Liu, Sophia Yao, Lee Wei Yeong, Song Yang and Shan Huang at Palo Alto Networks
  - Ransomware Delivery URLs: Top Campaigns and Trends
- PhishLabs
  - Q2 Payload Report
- Phylum
  - Q2 2023: Research Report
- Mohammad Amr Khan at Pulsedive
  - Identifying Mystic Stealer Control Panels
- Ivan Righi at ReliaQuest
  - Q2 2023 Ransomware Report: Victim Count Hits New Heights
- Ori Amiga at Rezonate
  - Okta Logs Decoded: Unveiling Identity Threats Through Threat Hunting
- Riley Kilmer at Spur
  - Christmas In July: A Finely Wrapped Malware Proxy Service
- SANS Internet Storm Center
  - Install & Configure Filebeat on Raspberry Pi ARM64 to Parse DShield Sensor Logs, (Sun, Jul 23rd)
  - JQ: Another Tool We Thought We Knew, (Mon, Jul 24th)
  - Suspicious IP Addresses Avoided by Malware Samples, (Wed, Jul 26th)
  - ShellCode Hidden with Steganography, (Fri, Jul 28th)
  - Do Attackers Pay More Attention to IPv6?, (Sat, Jul 29th)
- Kristen Cotten at Scythe
  - Threat Emulation: APT36 (Poseidon malware)
- Securelist
- Securonix
  - Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures
- SentinelOne
- SOCRadar
- Will Schroeder at SpecterOps
  - On (Structured) Data
- Ben Martin at Sucuri
  - Abandoned US Congressional Website Used in Asian Gambling Spam Infection
- Amir Sadon, Ohad Amar, Dor Nizar, and Shani Adir at Sygnia
  - Breaking Down the Casbaneiro Infection Chain – Part II
- Nigel Douglas at Sysdig
  - Fileless Malware Detection with Sysdig Secure
- Enes Adışen at System Weakness
- Team Cymru
  - Inside the IcedID BackConnect Protocol (Part 2)
- David French at Threat Punter
- Serhii Melnyk and Greg Monson at Trustwave SpiderLabs
  - Healthcare Threat Landscape 2022-2023: Common TTPs Used by Top Ransomware Groups Targeting the Healthcare Sector
- VirusTotal
- Zori Bennett at Walmart
  - State of the Remote Access Tools, Part 2
- Meghraj Nandanwar, Satyam Singh, and Pradeep Mahato at ZScaler
  - Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis
UPCOMING EVENTS
- Black Hills Information Security
- Trellix
  - Ransomware Detection & Response Virtual Summit
PRESENTATIONS/PODCASTS
- Black Hills Information Security
- BlueMonkey 4n6
  - secure shell (ssh) tutorial – installing and using ssh. setting up ssh keys on the server
- Breaking Badness
  - 162. Animal Bot Farm
- Computer Crime Chronicles
  - Episode 8: SQL Injection
- Digital Forensic Survival Podcast
  - DFSP # 388 – Web 3.0 Talk with SUMURI
- Huntress
  - Episode 1: What Is Threat Hunting?
- InfoSec_Bret
  - SA – SOC192-142 – Suspicious BITS Usage Detected
- John Hammond
- Mostafa Yahia
  - DFIR (Windows Forensics) Course: Exploring offline Registry hives using the “Registry Explorer” tool
- MSAB
- OALabs
  - AV Emulation Detection Tricks Used by Malware
- Paraben Corporation
  - Acquisition of a Meta Oculus Device
- SAN
- Sofia Marin
  - Incident Response Series: Chapter #4 Incident Response Books and Practices
MALWARE
- 0x70RVS
  - IcedId
- Amit Tambe at F-Secure
  - Android Güncelleme – dissecting a malicious update installer
- Any.Run
  - Release Notes: Digital Signatures, Evidence Archives, and More
- ASEC
  - CHM Impersonates Korean Financial Institutes and Insurance Companies
- c3rb3ru5d3d53c
  - [69] Livestream – Destroying GuLoader Series Part 2
- Chuan-lun (Johnson) Chou
  - Almanahe Virus Analysis
- CISA
- Doug Metz at Baker Street Forensics
  - Designing Internet Access for Compromised Systems
- Dr. Web
  - Fruity trojan downloader performs multi-stage infection of Windows computers
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #150: Extract function
- Vigneshwaran P at K7 Labs
  - Akira’s Play with Linux
- Steve S at Malicious Group
  - Inline Assembly
- Malvuln
  - RansomLord v1 – Total Ransomware Destruction
- Austin Peavy at NCC Group
  - Tool Release: Cartographer
- OALABS Research
  - Glubteba
- Paul Roberts at ReversingLabs
  - More malicious npm packages found in wake of JumpCloud supply chain hack
- Pankaj Kohli at Sophos
  - Uncovering an Iranian mobile malware campaign
- Tony Lambert
  - Malware via VHD Files, an Excellent Choice
- Trend Micro
  - Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns
- Zhassulan Zhussupov
  - Malware development trick – part 35: Store payload in alternate data streams. Simple C++ example.
- Padvish Malware Threat Database (بانک اطلاعات تهدیدات بدافزاری پادویش)
  - Trojan.Android.Fakecalls.Banker
MISCELLANEOUS
- Devon Ackerman
  - Diving In – An Incident Responder’s Journey: A Guide for Executives, Lawyers, Insurance, Brokers & Audiences Eager to Learn
- Forensic Focus
- Christa Miller at Forensic Horizons
  - Can Certainty in Digital Forensics Be Automated?
- Chris Cochran at Huntress
  - The Power of Cyber Insurance: What Every MSP Should Know
- Ken Pryor at ‘No Pryor Knowledge’
  - WinFE Course Review
- Magnet Forensics
- SANS
- John Patzakis at X1
  - Court Decision in Lubrizol vs. IBM Provides Important Guidance on MS Teams Discovery
SOFTWARE UPDATES
- Brim
  - v1.2.0
- DFIR labs
  - bookmarkparser
- Doug Burks at Security Onion
- Drew Alleman
  - DataSurgeon 1.2.0
- Eric Zimmerman
  - ChangeLog
- Sandfly Security
  - Sandfly 4.6.0 – Advanced Whitelisting and Free SSH Hunter
- Stratosphere Lab
  - Introducing Collectress: Consistent Threat Intelligence Feed Collection and Storage
- Rapid7
  - Velociraptor 0.7.0 Release
- Xways
  - X-Ways Forensics 20.9
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!