As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Forensafe
  - Investigating Android WhatsApp
- Lionel Notari
  - iOS Unified Logs – WiFi and AirPlane Mode
- Stephan Berger
  - AWS Ransomware
- Teri Radichel
  - Investigating, Containing, and Removing Malware on a Mac
- The Sleuth Sheet
  - How to Transition From OSINT Practitioner to Intelligence Analyst
- Tyler Hudak at TrustedSec
  - MailItemsAccessed Woes: M365 Investigation Challenges
THREAT INTELLIGENCE/HUNTING
- Allan Liska at ‘Ransomware Sommelier’
  - LockBit Down!
- Jinghua Bai at APNIC
  - Deep dive into China’s NXDOMAIN data
- Nitzan Yaakov at Aqua
  - Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack
- Arctic Wolf
  - Arctic Wolf Labs 2024 Threat Report
- Bitdefender
- Brad Duncan at Malware Traffic Analysis
- BushidoToken
  - Lessons from the iSOON Leaks
- Cado Security
  - Migo – a Redis Miner with Novel System Weakening Techniques
- Himaja Motheram at Censys
  - Ivanti Connect (in)Secure – Revisited
- CERT Ukraine
- CERT-AGID
- Chainalysis
  - The On-chain Footprint of Southeast Asia’s ‘Pig Butchering’ Compounds: Human Trafficking, Ransoms, and Hundreds of Millions Scammed
- Check Point
- Cisco’s Talos
- Dylan Duncan at Cofense
  - New MaaS InfoStealer Malware Campaign Targeting Oil & Gas Sector
- Confiant
  - Breaking the Malvertising Supply Chain
- Greg Day at Cybereason
  - Ransomware: True Cost to Business 2024
- Cyfirma
  - Weekly Intelligence Report – 23 Feb 2024
- Daniel Miessler
  - Analyzing Threat Reports with Fabric
- Alex Teixeira at Detect FYI – Medium
  - Unsupervised Machine Learning with Splunk: the cluster command
- Joe St Sauver at DomainTools
  - Automatically Chasing CNAMEs in Farsight DNSDB Scout
- Dragos
- EclecticIQ
  - 10 Steps to Building a Comprehensive CTI Practice
- Elastic Security Labs
- Elliptic
  - LockBit’s day of reckoning: NCA and OFAC lead the charge
- Esentire
  - Rhysida Ransomware Group, Which Crippled the British Library Racking Up £6 to £7 Million in Recovery Costs, Turns Its Wrath on Hospitals, Power Plants, and Schools in the UK, Europe, and the Middle East, Warns eSentire
  - Blind Eagle’s North American Journey
  - 2024 Cybersecurity Predictions: Navigating the Evolving Threat Landscape
- Flashpoint
- Fortra’s PhishLabs
  - O365 Volume Up in Q4 as Cybercriminals Target Brands in Credential Theft Attacks
- Neil Matani and Ahmed Khanji at Gridware
  - Leak Reveals Spyware Created by Chinese Government Contractor
- Huntress
  - Detection Guidance for ConnectWise CWE-288
  - Critical Vulnerability Disclosure: ConnectWise/R1Soft Server Backup Manager Remote Code Execution & Supply Chain Risks
  - Guide: How to Know if your ScreenConnect Server is Hacked | Huntress
  - SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)
- Brent Eskridge at Infoblox
  - Ivanti Connect Secure VPN Exploitation – Correctly Interpreting DNS IoCs
- InfoSec Write-ups
  - DLL Side Loading Technique #Threat Hunting & #Adversary Emulation
- Pedram Amini at InQuest
  - 100 Days of YARA 2024: Halfway Point
- Jeffrey Appel
  - Automatic attack disruption in Microsoft Defender XDR and containing users during Human-operated Attacks
- Jouni Mikkola at “Threat hunting with hints of incident response”
  - Hunting for signs of SEO poisoning
- Kaspersky Lab
- Laurie Iacono, Keith Wojcieszek, and George Glass at Kroll
  - Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits
- Lab52
  - Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)
- Mandiant
- Michalis Michalos
- Morphisec
  - Cracking Akira Ransomware: Prevention and Analysis by TTPs
- Zaid Baksh at NCC Group
  - Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures
- Netskope
  - Netskope Threat Labs Stats for January 2024
- Palo Alto Networks
  - 2024 Unit 42 Incident Response Report: Navigating the Shift in Cybersecurity Threat Tactics
  - Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
  - Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns
  - Intruders in the Library: Exploring DLL Hijacking
- Penetration Testing Lab
  - AS-REP Roasting
- Prodaft
  - Understanding Eavesdropping Attacks in Network Security
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, December 2023 (KOR)
- Red Canary
  - Intelligence Insights: February 2024
- ReliaQuest
  - Operation Cronos and the LockBit takedown: What we know
- Carolynn van Arsdale at ReversingLabs
- S2W Lab
- SANS Internet Storm Center
  - Mirai-Mirai On The Wall… [Guest Diary], (Sun, Feb 18th)
  - YARA 4.5.0 Release, (Sun, Feb 18th)
  - Wireshark 4.2.3 Released, (Sun, Feb 18th)
  - Python InfoStealer With Dynamic Sandbox Detection, (Tue, Feb 20th)
  - Phishing pages hosted on archive.org, (Wed, Feb 21st)
  - Simple Anti-Sandbox Technique: Where’s The Mouse?, (Fri, Feb 23rd)
  - Large AT&T Wireless Network Outage #att #outage, (Thu, Feb 22nd)
  - Update: MGLNDD_* Scans, (Sat, Feb 24th)
- Pierre-Antoine D., Quentin Bourgue, and Livia Tibirna at Sekoia
  - Scattered Spider laying new eggs
- Daniel Petri at Semperis
  - How to Defend Against an Overpass the Hash Attack
- SentinelOne
- SOCRadar
  - Importance of Indicators of Compromise (IoCs) in CTI for Actionable Intelligence
  - Dark Web Profile: Hunters International
  - Sales of bfBot Stealer & Knight Ransomware Source Code, Dior Vulnerabilities, Passport Leaks, and More
  - Using Jupyter Notebook for CTI using PyMISP
  - Shadow Ops Exposed: Inside the Leak of China’s i-Soon Cyber Espionage Empire
- Sophos
- Splunk
  - Add to Chrome? – Part 2: How We Did Our Research
- Spur
  - CloudRouter: 911 Proxy Resurrected
- Denis Sinegubko at Sucuri
  - Web3 Crypto Malware: Angel Drainer – From Phishing Sites to Malicious Injections
- Sysdig
- Trend Micro
- Trustwave SpiderLabs
- Alexandra Martin at VirusTotal
  - Following in Mitre’s footsteps and malware behavior
- WeLiveSecurity
- Scott Piper at Wiz
  - Proof of storage crypto miners
- Yelisey Bohuslavskiy and Marley Smith at RedSense
  - LockBit Story: A Three-Year Investigative Journey
UPCOMING EVENTS
- Cyborg Security
  - Threat Hunting Workshop 10: Hunting for Initial Access
- Invictus Incident Response
  - Training schedule 2024
- Magnet Forensics
- SANS
  - Ransomware Kingpins LockBit Disrupted
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - A Human at the Keyboard: CrowdStrike Reports 60% Jump in Interactive Intrusions
- Black Hat
- Black Hills Information Security
- BlueMonkey 4n6
  - hidden files in Linux – are they really that evil?
- Breaking Badness
  - Breaking Badness Cybersecurity Podcast – 179. Scamily Matters
- Cellebrite
- Cyber from the Frontlines
  - E4 Operation Cronos : Lockbit Takedown
- CYBERWOX
  - Splunk SIEM Basics for Cybersecurity – TryHackMe Splunk 101
- Desi at Hardly Adequate
  - The Future of Cybersecurity: Trends and Challenges in 2024
- Digital Forensic Survival Podcast
  - DFSP # 418 – Core Insights: Navigating MFT in Forensics
- Hardly Adequate
  - Hardly a Week 7 February 19, 2024
- InfoSec_Bret
  - Challenge – Adobe ColdFusion RCE
- Intel471
  - Building Capable Threat Intelligence Programs
- Jai Minton
  - Is this MALWARE? Using static and dynamic MALWARE ANALYSIS to examine Agent Tesla from an AutoIT EXE
- John Hammond
  - Malware Analysis Made Easy: Cloud Investigations
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Binary Ninja – Fix unresolved stack pointer
- Koen Van Impe
  - Presentation of MISP playbooks at the Jupyterthon
- Lee Whitfield at MacAdemia
- Magnet Forensics
- Elisa Lippincott at ‘Microsoft Security Experts’
  - Welcome to the Microsoft Defender Experts Ninja Hub
- MSAB
- MyDFIR
- Paraben Corporation
  - MOBILE CART VIDEO
- Sandfly Security
  - Drift detection for incident response on Linux. IR teams can instantly find compromised hosts.
- SANS
  - Cyber Threat Intelligence Summit 2024
- The CyberWire
  - Throwing Darts in the Dark With Microsoft Incident Response
MALWARE
- Any.Run
- ASEC
- Avast Threat Labs
  - Decrypted: HomuWitch Ransomware
- Cryptax
  - Android/SpyNote bypasses Restricted Settings + breaks many RE tools
- CTF导航
- Cyber Geeks
  - A technical analysis of the BackMyData ransomware used to attack hospitals in Romania
- DCSO CyTec
  - To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer
- Dr Josh Stroschein – The Cyber Yeti
  - From Word document to Ransomware? Investigate How Template Injection is Used to Execute Macros.
- ElementalX
  - BiBiWiper: Back with negligible code-refactoring.
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #176: Handling stack reuse in the decompiler
- Phylum
- Petar Kirhmajer at ReversingLabs
  - Attackers leverage PyPI to sideload malicious DLLs
- Robert Giczewski
  - From Tweet to Threat: Exposing NetSupport RAT embedded in a PDF
- Tomas Nieponice at Stratosphere IPS
  - Analysis and understanding of malware of the PyRation family
- System Weakness
  - Unlocking the Secrets of RATs: The Power of SEMA and Symbolic Execution
- Uptycs
  - 8220 Gang Cyber Threats: Cloud Infrastructure & Cryptomining Tactics
- Zhassulan Zhussupov
  - Malware and cryptography 25: encrypt/decrypt payload via RC6. Simple C/C++ example.
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 02/23/2024
- Amped
- Binary Defense
  - Incident Response – IR Planning & MDR Coordination
- Cado Security
  - Forensics or Fauxrensics? 5 Core Capabilities for Cloud Forensics and Incident Response
- Oleg Afonin at Elcomsoft
  - Resource Management in Distributed Password Attacks
- Forensic Focus
  - A Former Detective’s Perspective On Detego Field Triage’s Transformative Impact On ICAC, CSAM And IIOC Investigations
  - Digital Forensics Round-Up, February 21 2024
  - Sources Of Error In Digital Forensics – A New Paper By Dr Graeme Horsman
  - How MSAB Is Managing The Digital Forensics Challenges Of Frontline Policing
  - Podcast Ep. 80 Recap: Empowering Law Enforcement With Nick Harvey From Cellebrite
- Magnet Forensics
  - First Generation CSAM Detector in Magnet OUTRIDER
- Namit Ranjan
  - The SOC Automation Project
- Salvation DATA
- SANS
SOFTWARE UPDATES
- Amped
  - Amped DVRConv and Amped Engine Update 32367: Many More Formats and Hardware Accelerated Transcoding
- Canadian Centre for Cyber Security
  - Assemblyline Release 4.5.0.4
- Costas K
  - LNK & Jumplist Browser
- CyberChef
  - v10.8.2
- Digital Sleuth
  - winfor-salt v2024.3.4
- Doug Burks at Security Onion
  - Security Onion 2.4.50 now available including some new features and lots of bug fixes!
- Elcomsoft
  - Elcomsoft Distributed Password Recovery introduces resource management capabilities
- Yosfan Eilay
  - MasterParser-v2.3.3
- MISP
  - MISP 2.4.185 released with sighting performance improvements, security and bugs fixes
- OpenCTI
  - 5.12.33
- Rizin Organization
  - cutter 2.3.3
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!