As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’
  - What is cacheV0.db and why are there only images in it?
- Bullsh*t Hunting
  - Bullshit Hunting: Digital Forensics Edition
- Django Faiola at ‘Appunti di Informatica Forense’
  - iOS WAZE
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - COPA v Wright – The Identity Question Takes Centre Stage
- Oleg Afonin at Elcomsoft
  - Bootloader-Level Extraction for Apple Hardware
- Forensafe
  - Investigating Android SMS
- Invictus Incident Response
  - What DFIR experts need to know about the current state of the Unified Audit Log
- Mattia Epifani at Zena Forensics
  - Dissecting the Android WiFiConfigStore.xml for forensic analysis
- Scott Koenig at ‘The Forensic Scooter’
  - Device Setup – Transferring data to new iPhone & Effects to Photos.sqlite
- Maxence Fossat at Synacktiv
  - Using Veeam metadata for efficient extraction of Backup artefacts (1/3)
- System Weakness
  - Alternate Data Streams – Good or Bad?
- Mari DeGrazia at ZeroFox
  - Remote Desktop Application vs MSTSC Forensics: The RDP Artifacts You Might Be Missing
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - Top 5 Cyber Threat Intelligence Lifecycle Challenges
- Akamai
  - The AnyDesk Breach: Overview and Recommendations
- Alex Verboon at ‘Anything about IT’
  - Monitoring Windows built-in local security Groups with Microsoft Defender XDR or Sentinel
- Anton Chuvakin
- Jilong Wang and Changqing An at APNIC
  - BGPWatch — A comprehensive platform for detecting and diagnosing hijacking incidents
- Arctic Wolf
  - Exploitation of Confluence Server Vulnerability CVE-2023-22527 Leading to C3RB3R Ransomware
- AttackIQ
- Australian Cyber Security Centre
- Avast Threat Labs
  - Avast Q4/2023 Threat Report
- Bank Security
  - Cyber criminals exploit Formcrafts to craft phishing pages
- Kim Brown at Blumira
  - Uncover Threats in Your Windows Environment with Sysmon
- Brad Duncan at Malware Traffic Analysis
- Censys
- CERT-AGID
  - Summary of malicious campaigns in the week of 3 – 9 February 2024
- Chainalysis
  - Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline
- Check Point
- Yehuda Gelb at Checkmarx Security
  - The Hidden Dangers of Abandoned Digital Assets in Open-Source Ecosystems
- CISA
  - MAR-10448362-1.v1 Volt Typhoon
- Cisco’s Talos
- Fabian Bader at Cloudbrothers
  - Anonymous IP address involving Apple iCloud Private Relay
- Andy Thompson at CyberArk
  - APT29’s Attack on Microsoft: Tracking Cozy Bear’s Footprints
- Cybereason
  - THREAT ALERT: Ivanti Connect Secure VPN Zero-Day Exploitation
- Cyfirma
  - Weekly Intelligence Report – 09 Feb 2024
- Adam Price at Cyjax
  - STOP ransomware spamming in Usenet
- Robert M. Lee at Dragos
  - Testimony on Securing Operational Technology: A Deep Dive on the Water Sector
- Elastic Security Labs
  - STIXy Situations: ECSaping your threat data
- Esentire
- Fortinet
  - The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities
- GreyNoise
  - Battling Ransomware One Tag At A Time
- HarfangLab
- Michael Zuckerman at Infoblox
  - DNS for Early Detection – Global Postal Services Phishing Campaign
- Jessica Ryan at Agari
  - Record Number of Phishing Sites Impersonate Social Media to Target Victims in Q4
- Jouni Mikkola at “Threat hunting with hints of incident response”
  - Rare process launch as a service
- Justin Ibarra
- K7 Labs
- Karma-X
  - The Problem With YARA: Evading Elastic Security EDR with a NOP instruction
- Ugur Koc and Bert-Jan Pals at Kusto Insights
  - Kusto Insights – January Update
- Lumen
  - KV-Botnet: Don’t call it a Comeback
- Malwarebytes
- Maggie MacAlpine at MITRE-Engenuity – Medium
  - How to Win Friends and Influence Your (Less Technical) Decision Makers
- David Brown and Mungomba Mulenga at NCC Group
  - Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin
- NCSC
  - TLP:CLEAR MIVD AIVD Advisory Coathanger
- Rakesh Krishnan at Netenrich
  - Identity Behind Hunters International Ransomware Group’s DLS Exposed
- Robert Derby at Netscout
  - What and Why: Threat Hunting
- Obsidian Security
  - Behind The Breach: Microsoft Breach by Russian Hackers
- Doel Santos at Palo Alto Networks
  - Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
- Paolo Luise
  - Threat Hunting: DNS C2
- Penetration Testing Lab
  - Persistence – Windows Setup Script
- Recorded Future
  - Patterns and Targets for Ransomware Exploitation of Vulnerabilities: 2017–2023
- SANS Internet Storm Center
  - Computer viruses are celebrating their 40th birthday (well, 54th, really), (Tue, Feb 6th)
  - Public Information and Email Spam, (Mon, Feb 5th)
  - A Python MP3 Player with Builtin Keylogger Capability, (Thu, Feb 8th)
  - Anybody knows what this URL is about? Maybe Balena API request?, (Wed, Feb 7th)
  - MSIX With Heavily Obfuscated PowerShell Script, (Fri, Feb 9th)
  - Internet Storm Center Podcast (“Stormcast”) 15th Birthday, (Fri, Feb 9th)
- Dheeraj Kumar and Ella Dragun at Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – January 2024
- Sekoia
  - Adversary infrastructures tracked in 2023
- SOCRadar
- Cody Thomas at SpecterOps
  - Spinning Webs — Unveiling Arachne for Web Shell C2
- Splunk
  - Another Year of RATs and Trojan Stealer: Detection Commonalities and Summary
- Trustwave SpiderLabs
  - Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising
- Raimundo Alcázar at VirusTotal
  - VT Livehunt Cheat Sheet
- WithSecure
  - Living Off The Land Leaked Certificates (LoLCerts)
- Wiz
UPCOMING EVENTS
- Black Hills Information Security
- Huntress
  - Financial Impact of a Threat
- Magnet Forensics
  - Investigate Malware & Ransomware with Speed and Efficiency
- SANS
  - SANS OSINT SUMMIT DAY 2 TRACK 2
PRESENTATIONS/PODCASTS
- Black Hat
- BlueMonkey 4n6
  - Day in the Life of DFIR – interview with Professor Ali Hadi, Ph.D., Senior Cybersecurity Specialist.
- Breaking Badness
  - [Special Report] Ransomware and Mortgage Brokers
- CYBERWOX
  - Malicious Cryptominer SIEM Investigation
- Digital Forensic Survival Podcast
  - DFSP # 416 – Persistence Mechanisms on Windows
- Hardly Adequate
- Insane Forensics
  - Industrial Cybersecurity Terms Defined: OT, SCADA and RTUs Oh My!
- Intel471
  - Cybercrime Exposed Podcast: Botnet Breakup
- Jai Minton
  - SECRETS of Scheduled Tasks – How TARRASK MALWARE hides Scheduled Tasks from security teams
- John Hammond
- Lee Whitfield at MacAdemia
- Magnet Forensics
  - Using AWS Config to Compliment IR Investigations
- Microsoft Threat Intelligence Podcast
  - Mobile Threat Landscape Update
- MSAB
  - Extraction Log Files in XRY
- Paraben Corporation
  - E3 Forensic Platform Importing iLeap and aLeap Data
MALWARE
- Ahmet Göker
  - Binary Analysis With Python GDB API
- Any.Run
- ASEC
- Andrei Lapusneanu at Bitdefender
  - New MacOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group
- Cryptax
- Fatih Yilmaz
- Fortinet
  - Python Info-stealer Distributed by Malicious Excel Document
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #174: IDA database (IDB) details
- Swachchhanda Shrawan Poudel at Logpoint
  - Pikabot: A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques
- Dexter Shin at McAfee Labs
  - MoqHao evolution: New variants start automatically right after installation
- Daniela Shalev and Josh Grunzweig at Palo Alto Networks
  - Exploring the Latest Mispadu Stealer Variant
- Anna Širokova at Rapid7
  - Exploring the (Not So) Secret Code of BlackHunt Ransomware
- S2W Lab
- Securelist
  - Coyote: A multi-stage banking Trojan abusing the Squirrel installer
- Ayush Anand at Securityinbits
  - Unpack RedLine stealer to extract config using pe-sieve – Part 2
- Stefan Grimminck
  - JSON Smuggling: A far-fetched intrusion detection evasion technique
- System Weakness
  - Unlocking Malware Mysteries: The Power of SEMA
- Alberto Fittarelli at The Citizen Lab
  - PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content
- Ian Smith at Trail of Bits
  - Binary type inference in Ghidra
- Mark Lester Dampios at White Knight Labs
  - A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 02/09/2024
- Belkasoft
  - [ON-DEMAND COURSE] Android Forensics with Belkasoft
- Cado Security
- Vladimir Katalov at Elcomsoft
  - EU: Apple to Allow Alternative App Marketplaces
- F-Response
  - Back in the day…
- Forensic Focus
  - Ghennadii Konev, Technical Sales Engineer, MSAB
  - Eilay Yosfan, Threat Researcher, Security Joes
  - Unpacking The SEC’s Cybersecurity Disclosure For Incident Response Teams
  - Digital Forensics Education, Certification And Training Guide
  - Digital Forensics Round-Up, February 07 2024
  - 2023 Recap On MD-Series Release Note Highlights
- Nextron Systems
  - End-of-Life ASGARD Analysis Cockpit Version 3
- Sleuth Kit Labs
  - Tabletop Exercises: Reasons to Work with Sleuth Kit Labs
SOFTWARE UPDATES
- Acelab
- ANSSI
  - DFIR-ORC v10.2.4
- Belkasoft
  - Belkasoft released an add-on module to break mobile passcodes — Mobile Passcode Brute-Force!
- Costas K
  - LNK & Jumplist Browser
- GCHQ
  - CyberChef v10.7.0
- Datadog Security Labs
  - GuardDog v1.5.4
- Digital Sleuth
- dnSpyEx
  - v6.5.0
- Google
  - timesketch 20240207
- MALCAT
  - 0.9.5 is out: InnoSetup, new GUI dialogs, threat intel and more
- MasterParser
  - MasterParser-v2.3
- MISP
  - MISP 2.4.184 released with performance improvements, security and bug fixes.
- Paraben Corporation
  - Customer experience improvements and new features in E3 3.8
- Passmark Software
  - OSForensics – V11.0 build 1003 7th February 2024
- PuffyCid
  - Artemis 0.7.0 – Released!
- Xways
- Yamato Security
  - Hayabusa v2.13.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!