As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Andrew Malec
  - Ivanti Connect Secure Auth Bypass and Remote Code Authentication CVE-2024-21887
- Belkasoft
  - How to Acquire Digital Evidence with Android Screen Capturer in Belkasoft X
- Amanda Berlin at Blumira
  - Masked Application Attack Incident Report
- CCL Solutions
  - An expert deep-dive on data formats
- Felix Aeppli at Compass Security
  - Device Code Phishing – Add Your Own Sign-In Methods on Entra ID
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Shaking the Cobwebs CTF Part Four – Exploring the Blockchain and “The End”
- Oleg Afonin at Elcomsoft
  - iOS Forensic Toolkit: Mounting HFS Images in Windows
- Forensafe
  - Investigating iOS Snapchat
- Salvation DATA
  - Full Stack Developer Road-map: Navigating Surveillance TF Card Video File Recovery
- Sleuth Kit Labs
  - Exercising Your Incident Response Muscles
- The DFIR Report
  - Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
- James McGee at The Metadata Perspective
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - Malware Configuration Parsers: An Essential Hunting Tool
- Aqua
  - HeadCrab 2.0: Evolving Threat in Redis Malware Landscape
- Arctic Wolf
  - Understanding Indicators of Compromise and Their Role in Cybersecurity
- Peter Boyle at AT&T CyberSecurity
  - DarkGate malware delivered via Microsoft Teams – detection and response
- Avertium
  - A Look into NoEscape Ransomware
- BI.Zone
  - Scaly Wolf uses White Snake stealer against Russian industry
- Nate Bill & Matt Muir at Cado Security
  - The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker
- CERT-AGID
  - Summary of malicious campaigns in the week of 27 January – 2 February 2024
- Cert-UA
  - UAC-0027: DIRTYMOE (PURPLEFOX) has infected more than 2,000 computers in Ukraine
- Check Point
  - 29th January – Threat Intelligence Report
- Matthew Prince, John Graham-Cumming, and Grant Bourzikas at Cloudflare
  - Thanksgiving 2023 security incident
- Cluster25
  - The Bear and The Shell: New Campaign Against Russian Opposition
- Cofense
  - Most Common Phishing Email Themes of 2023
- CTF导航
- Cyberdom
  - Proactive Response: Any Breach (AnyDesk Incident)
- Cybereason
  - THREAT ALERT: DarkGate Loader
- Cyfirma
  - Weekly Intelligence Report – 02 Feb 2024
- Frederic Baguelin, Andy Giron, Zack Allen, and Christophe Tafani-Dereeper at Datadog
  - An analysis of a TeamTNT doppelgänger
- DCSO CyTec
  - Reporting on Volt Typhoon’s “JDY” Botnet Administration Via Tor Sparks Questions
- Detectioneering
  - What is Detection Engineering?
- Doug Metz at Baker Street Forensics
  - Growing Your Malware Corpus
- dr3ad_0X1
  - Malice in kernel land — Part 2
- Elastic Security Labs
  - Unmasking a Financial Services Intrusion: REF0657
- Flashpoint
- GreyNoise
  - Decoding Mass Exploitation in 2023: A GreyNoise Perspective
- Oleg Zaytsev and Nati Tal at Guardio
  - “Scammers Paradise” — Exploring Telegram’s Dark Markets, Breeding Ground for Modern Phishing…
- Haircutfish
  - TryHackMe Osquery: The Basics Room — Task 1 Introduction, Task 2 Connect with the Lab, and Task 3…
- Harfanglab
  - Compromised Routers Are Still Leveraged As Malicious Infrastructure To Target Government Organizations In Europe And Caucasus
- InfoSec Write-ups
- Darren Spruell at InQuest
  - Shortcut To Malice: URL Files
- Invictus Incident Response
  - The curious case of DangerDev@protonmail.me
- Jani Vleurinck
  - Graph Activity Logs and the Art of Reconnaissance Detection
- Jeffrey Appel
  - Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight blizzard)
- Juniper Networks
  - Real-Time Defense: Analyzing Emerging Cyber Threats
- Mandiant
- Marcus Edmonson at ‘Data Analytics & Security’
  - Don’t Let Scheduled Tasks Compromise Your Security: 4 Ways to Detect and Prevent Them
- Mario Rufisanto at MII Cyber Security
  - Windows File Transfer Methods
- Nasreddine Bencherchali
  - SigmaHQ Rules Release Highlights — r2024–01–29
- Rakesh Krishnan at Netenrich
  - Unveiling Alpha Ransomware: A Deep Dive into Its Operations
- Nik Alleyne
  - Knock! Knock!! Anyone There? – Reconnaissance and Defense
- Shehroze Farooqi, Howard Tong, Alex Starov, Nabeel Mohamed, Royce Lu and Zhanhao Chen at Palo Alto Networks
  - ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery Campaign
- Penetration Testing Lab
  - Persistence – Disk Clean-up
- PhishLabs
  - How Threat Actors will Leverage Domain Impersonation in 2024 | PhishLabs
- Plainbit
  - OpenCTI – Effective Cyber Threat Intelligence
- Tommy Madjar and Selena Larson at Proofpoint
  - Security Brief: ‘Tis the Season for Tax Hax
- Grace Chi at Pulsedive
  - CTI Networking Report 2024
- QiAnXin
  - QiAnXin 2023 APT Annual Report
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, November 2023 (JPN)
- Susannah Clark Matt at Red Canary
  - Why adversaries have their heads in the cloud – Red Canary
- Reliaquest
  - Ransomware and Cyber-extortion Trends in Q4 2023 – ReliaQuest
- Resecurity
  - Following the AnyDesk Incident: Customer Credentials Leaked and Published for Sale on the Dark Web
- Jeroen Vandeleur at SANS
  - Continuous Purple Teaming: A Practical Approach for Strengthening Your Offensive Capabilities
- SANS Internet Storm Center
- Evgeny Goncharov at Securelist
  - ICS and OT threat predictions for 2024
- Ben Wagner at Security Intelligence
  - Ermac malware: The other side of the code
- Securonix
  - Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
- Sensepost
  - SensePost | Sensecon 23: from windows drivers to an almost fully working edr
- SentinelOne
  - Customer Guidance on Emerging AnyDesk Cybersecurity Incident
- Simone Kraus
  - Part 2 Sensor Mapping — Reverse Engineering NTDS
- Sean Gallagher at Sophos
  - Cryptocurrency scams metastasize into new forms – Sophos News
- Stephen Hinck at SpecterOps
  - Microsoft Breach — How Can I See This In BloodHound?
- Stairwell
- Stephen Berger
  - [s|l]trace – Linux Malware Analysis
- Krasimir Konov at Sucuri
  - Detecting and Mitigating a Phishing Threat: “Greatness”
- Sysdig
- Clément Notin at Tenable
  - Exploiting Entra ID for Stealthier Persistence and Privilege Escalation using the Federated Authentication’s Secondary Token-signing Certificate
- The Citizen Lab
  - Confirming Large-Scale Pegasus Surveillance of Jordan-based Civil Society
- Jacob Torrey at Thinkst Thoughts
  - Defending against the Attack of the Clone[d website]s!
- Feike Hacquebord and Fernando Merces at Trend Micro
  - Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
- Truesec
  - Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259
- Scott Nusbaum at TrustedSec
  - Burrowing a Hollow in a DLL to Hide
- Kevin Adriano at Trustwave SpiderLabs
  - Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks
- Andrew Case and Michael Hale Ligh at Volexity
  - How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities
- Javier Vicente at ZScaler
  - Tracking 15 Years of Qakbot Development
UPCOMING EVENTS
- Blackhills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2024-02-05
- Cellebrite
  - Unveiling Cellebrite Inseyets: The Digital Forensics Game Changer
- Censys
  - Threat Hunting 101: Your Guide to Outsmarting Adversaries
- CYBERWOX
  - Incident Response with Splunk 3: Investigating anomalies
- Magnet Forensics
  - Using AWS Config to Compliment IR Investigations
- Microsoft Security
  - Join us at InfoSec Jupyterthon 2024
PRESENTATIONS/PODCASTS
- CrowdStrike
  - Demystifying North Korea: Why the “Hermit Kingdom” Is a Cyber Threat to Watch
- Alexis Brignoni
  - Digital Forensics Now Podcast – Episode 11
- Anuj Soni
  - I Tried Ghidra’s BSim Feature
- Black Hat
- BlueMonkey 4n6
  - terminal vs shell vs console – why this is important for linux forensics
- Breaking Badness
  - Breaking Badness Book Club #3
- CactusCon
- Cellebrite
  - Sextortion Investigations – Suspect’s Device
- Digital Forensic Survival Podcast
  - DFSP # 415 – Dealing with Third-Party Incidents
- Hardly Adequate
  - Hardly a Week 4 January 29, 2024
- InfoSec_Bret
  - SA -SOC251-214 – Quishing Detected (QR Code Phishing)
- Jai Minton
  - Running MALWARE that STEALS my clipboard – PowerShell Webhook Clipper Malware Analysis
- John Hammond
- Magnet Forensics
  - Ep.13 // Unlocking iOS 17’s Secrets – Exploring the Full File System
- MSAB
  - Partial Artefact Redaction in XAMN Pro
- SANS
- SANS Cloud Security
  - Cloud Flight Simulator Part 1: GitLab CI, Workflows, and Secrets
- Semantics 21
  - BelkaS21 – X marks the spot
- SpecterOps
  - Microsoft Breach: What Happened? What Should Azure Admins Do?
- The Cyber Mentor
  - Infostealer Malware is WICKED
- The Digital Forensics Files Podcast
MALWARE
- Any.Run
- Arctic Wolf
  - Cherryloader | Arctic Wolf
- Ari Novick at CyberArk
  - Ransomware’s PLAYing a Broken Game
- ASEC
  - Trigona Ransomware Threat Actor Uses Mimic Ransomware
  - Account Credential-Stealing Malware Detected by AhnLab MDS (Web Browsers, Email, FTP)
  - Distribution of Qshing Emails Disguised as Payslips
  - Analysis of Phishing Case Impersonating a Famous Korean Portal Login Page
  - Distribution of Zephyr CoinMiner Using Autoit
  - Threat Actors Installing Linux Backdoor Accounts
- g0njxa
  - PrivateLoader: InstallsKey Rewind 2023
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #173: Navigating to types from pseudocode – Hex Rays
- Deepa B at K7 Labs
  - Python’s Byte: The Rise of Scripted Ransomware
- Nextron Systems
  - Analysis of FalseFont Backdoor used by Peach-Sandstorm Threat Actor
- Ayush Anand at Securityinbits
  - 🔍 Dive into the RedLine Stealer Infection Chain – Part 1
- Sekoia
  - Unveiling the intricacies of DiceLoader – Sekoia.io Blog
- Phil Stokes at SentinelOne
  - Backdoor Activator Malware Running Rife Through Torrents of macOS Apps
- Théo Letailleur at Synaktiv
  - KrustyLoader – Rust malware linked to Ivanti ConnectSecure compromises
- Lukas Stefanko at WeLiveSecurity
  - VajraSpy: A Patchwork of espionage apps
MISCELLANEOUS
- Chris Brenton at Active Countermeasures
  - TShark Display Filter Examples – Active Countermeasures
- Gergő Gyebnár at Black Cell
  - MITRE ATT&CK Usecases Infographic
- Brett Shavers
- Cado Security
  - The Future of Cloud Security: Cado Security’s Top Predictions for 2024
- Checkmarx Security
  - How We Were Able to Infiltrate Attacker Telegram Bots
- Joseph Naghdi
  - Inside the World of a Hacking Forensic Investigator - Computer Hacking
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Shaking the Cobwebs CTF Part Three – Death Dates, Geolocation and an Article of Interest…
- Elan Alvey at Dragos
  - OT Cybersecurity Best Practices for SMBs: Should You Use a USB to Transfer Files to an OT Environment?
- Elan at DFIR Diva
  - Free & Affordable Training News Monthly: Jan – Feb 2024
- Oleg Afonin at Elcomsoft
  - Navigating NVIDIA’s Super 40-Series GPU Update: A Guide for IT Professionals
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 02/02/2024
- Lee Whitfield at Forensic 4cast
  - All Good Things…
- Forensic Focus
  - Empowering Law Enforcement With Nick Harvey From Cellebrite
  - Podcast #79 Recap: Oxygen Forensics Training And Digital Forensics Solutions With Keith Lockhart
  - OSAC And Standards In The Digital Evidence World
  - Digital Forensics Round-Up, February 01 2024 – Forensic Focus
  - Forensic Focus Digest, February 02 2024 – Forensic Focus
- Kevin Pagano at Stark4n6
  - Forensics StartMe Updates (2/1/2024)
- Luke Bradley
  - The Crucial Role of Digital Forensic Investigations in Intellectual Property Theft Cases
- Oxygen Forensics
- Grace Chi at Pulsedive
  - MFA Now Available for All Community Users
- Salvation Data
  - Expert Guide to Repair MySQL Database Efficiently
- System Weakness
- Uriel Kosayev
  - 50% off for the Malware Analyst Professional – Level 1 – TrainSec.net
- nekochanSecurity555
  - [Certification exam] I passed Blue Team Level 1 (Junior Security Operations Certification)
SOFTWARE UPDATES
- Brim
  - v1.6.0
- Costas K
- Crowdstrike
  - Falconpy Version 1.4.1
- CyberChef
  - 10.6.0
- Digital Sleuth
- Elcomsoft
  - Enhanced support for legacy devices | Elcomsoft Co.Ltd.
- ExifTool
- Magnet Forensics
- Mandiant
  - CAPA v7.0.1
- MasterParser
  - MasterParser-v2.2
- Florian Roth at Nextron Systems
  - Announcing the Launch of Analysis Cockpit v4.0 – Nextron Systems
- OpenCTI
  - 5.12.29
- Passmark Software
  - OSForensics V11.0 build 1002 2nd February 2024
- Sigma
- Volatility Foundation
  - Volatility 3 v2.5.2
- Xorhex
  - Mlget README – Custom Tools, Reverse Engineering, and Threat Research
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!