As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Bruno Fischer
- Amr Ashraf at Cyber 5W
  - Hard disk structure and analysis
- Deagler’s 4n6 Blog
  - Hexordia Weekly CTF Challenge 2024 – Week 1 Writeup
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
- Oleg Afonin at Elcomsoft
  - All You Wanted To Know About iOS Backups
- Forensafe
  - Investigating Apple Notes
- Joshua Hickman at ‘The Binary Hick’
  - Road Trippin’ – Exploring Bluetooth Call Routes on Samsung Phones
- Justin De Luna at ‘The DFIR Spot’
  - Respond and Investigate a Compromised Google Workspace User
- Aurora4n6
  - What’s the Buz: Forensic Analysis of Buz for iOS
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - Shall we say… Good bye, phishing queue? Part 2
- Adam Goss
  - The Diamond Model: Simple Intelligence-Driven Intrusion Analysis
- Any.Run
  - Malware Trends Report: Q1, 2024
- AttackIQ
- Axelarator
  - The A in CTI Stands for Actionable
- Binary Defense
  - Diving into Hidden Scheduled Tasks
- Bishop Fox
  - PAN-OS CVE-2024-3400: Patch Your Palo Alto Firewalls
- Blackberry
  - Threat Group FIN7 Targets the U.S. Automotive Industry
- Brad Duncan at Malware Traffic Analysis
- CERT Ukraine
- CERT-AGID
  - Summary of malicious campaigns in the week of 13 – 19 April 2024
- Chainalysis
  - London’s Metropolitan Police Lead Disruption of Phishing-as-a-Service Provider LabHost
- Check Point
- CISA
  - #StopRansomware: Akira Ransomware
- Vanja Svajcer at Cisco’s Talos
  - OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal
- Permiso
- Coveware
  - RaaS devs hurt their credibility by cheating affiliates in Q1 2024
- CyberArms
  - “Mastering Command & Control” Author’s Book Review
- Shani Touitou at CyberProof
  - Detecting malicious use of NAS devices: Insights from a threat hunter
- Cyble
  - Threat Actor Profile: TransparentTribe
- Cyfirma
  - Weekly Intelligence Report – 19 Apr 2024
- Kali Fencl at DomainTools
  - The DomainTools Report, Spring 2024
- Esentire
  - Building an Effective Threat Hunting Program for Proactive Cyber Defense
- Expel
  - Expel Quarterly Threat Report volume I: Q1 by the numbers
  - Expel Quarterly Threat Report volume II: attackers and AI
  - Expel Quarterly Threat Report volume III: high-risk malware
  - Expel Quarterly Threat Report volume IV: suspicious authentication sources
  - Expel Quarterly Threat Report volume V: authentication bypass vulnerabilities
- g0njxa
  - From Vietnam to United States: Malware, Fraud and Dropshipping
- Gabby Roncone, Dan Black, John Wolfram, Tyler McLellan, Nick Simonian, Ryan Hall, Anton Prokopenkov, Luke Jenkins, Dan Perez, Lexie Aytes, and Alden Wahlstrom at Google Cloud Threat Intelligence
  - Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm
- GreyNoise
- Harfanglab
  - ANALYSIS OF THE APT31 INDICTMENT
- Denis Nagayuk & Francisco Dominguez at Hunt & Hackett
  - Reconstructing Executables Part 1: Between Files and Memory
- KELA Cyber Threat Intelligence
  - Sharing is Caring: Ransomware and Extortion Actors Increase Threat Levels through Cooperation
- Kijo Girardi
  - Cloud-Based Identity to Exfiltration Attack
- Kroll
- Lazaro Rivera at CyberSleuth Chronicles
  - Securing the Inbox
- MISP
  - Using your MISP IoCs in Kunai (the open source EDR for Linux)
- Amy L. Robertson at MITRE ATT&CK
  - ATT&CK 2024 Roadmap
- MITRE-Engenuity
- Shuyang Wang and Farah Iyer at Obsidian Security
  - Rethinking Identity Threat Detection: Don’t Rely on IP Geolocation
- Palo Alto Networks
- Phylum
  - Q1 2024 Evolution of Software Supply Chain Security Report
- Prodaft
  - Ransomware: A Major Threat in Today’s Cybersecurity Landscape
- Proofpoint
  - From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
- Recorded Future
  - “Mobile NotPetya”: Spyware Zero-Click Exploit Development Increases Threat of Wormable Mobile Malware
- Red Canary
  - Intelligence Insights: April 2024
- Shmuel Cohen at Safebreach
  - The Dark Side of EDR: Repurpose EDR as an Offensive Tool
- SANS
  - Following the Trail of Threat Actors in Google Workspace Audit Logs
- SANS Internet Storm Center
  - Quick Palo Alto Networks Global Protect Vulnerability Update (CVE-2024-3400), (Mon, Apr 15th)
  - Malicious PDF File Used As Delivery Mechanism, (Wed, Apr 17th)
  - Palo Alto Networks GlobalProtect exploit public and widely exploited CVE-2024-3400, (Tue, Apr 16th)
  - A Vuln is a Vuln, unless the CVE for it is after Feb 12, 2024, (Wed, Apr 17th)
  - The CVE’s They are A-Changing!, (Wed, Apr 17th)
- Secured IAM
  - Entra ID monitoring – are you doing the basics? (Part 3)
- Guillaume C., Erwan Chevalier at Sekoia
  - AWS Detection Engineering
- Simone Kraus
- SOCRadar
- Sophos
  - ‘Junk gun’ ransomware: Peashooters can still pack a punch
- Splunk
- Joe at Stranded on Pylos
  - The CTI Mindset & The CTI Function
- System Weakness
- Telsy
  - Black Basta Team and double-extortion ransomware attacks
- watchTowr Labs
  - Palo Alto – Putting The Protecc In GlobalProtect (CVE-2024-3400)
UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2024-04-22
- Cyborg Security
  - Left of boom: hunting for ransomware before encryption & exfiltration
- Dr Josh Stroschein – The Cyber Yeti
  - 🔴 Malware Mondays Episode 02 – Investigating Processes with Process Explorer and System Informer
- Magnet Forensics
  - Automate’ing your lab
PRESENTATIONS/PODCASTS
- Black Hills Information Security
  - REKAST – Talkin’ Bout [infosec] News 2024-04-15 #infosecnews #cybersecurity #podcast #podcastclips
- BlueMonkey 4n6
  - Hidden files using Alternative Data Streams – this is what the cops look for
- Breaking Badness
  - Breaking Badness Cybersecurity Podcast – 187. Harriet the Spyware
- Cellebrite
  - Tip Tuesdays – Folder View
  - Cellebrite Inseyets: A look at Quickview with the Cellebrite Dream Team
  - Cellebrite Inseyets: Explore PA New Capabilities with the Cellebrite Dream Team
  - Cellebrite Inseyets: Access & Extraction with the Cellebrite Dream Team
  - Cellebrite Inseyets: An Introduction with the Cellebrite Dream Team
  - Join Us For The Cellebrite Case-To-Closure Summit
  - Cellebrite Case-To-Closure Summit
- Check Point
  - 2024 Security Report: Podcast Edition
- Cyber Social Hub
  - 🌟5 Must-Know Benefits of Industry Conferences🎉
- Forensic 4cast
  - Hymn of the Forensicator
- Hardly Adequate
  - Hardly a Week 15 April 15, 2024
- Huntress
  - April Community Fireside Chat: FifthWall Solutions Cyber Insurance Office Hours
- InfoSec_Bret
  - Challenge – Agniane Stealer
- Insane Forensics
  - Stuxnet: Would We Catch a Similar Attack Today?
- Jai Minton
  - ANTIVIRUS runs MALWARE! – How IDAT Loader uses DLL Side-Loading and DLL Search Order Hijacking pt1
- John Hammond
  - Government Unveils Malware Analysis Tool, But…
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Triaging Files on VirusTotal
- LaurieWired
  - Can iPhones get Viruses?
- LetsDefend
  - Incident Responder Interview Questions and Answers
- Magnet Forensics
- MSAB
  - XAMN Viewer Essentials – Part 4
- MyDFIR
  - Cybersecurity SOC Analyst Lab – Email Analysis (Phishing)
- SalvationData
  - Database Forensic Analysis System (DBF) | SalvationDATA
- SANS Cyber Defense
  - Relentless Defense – Rules for Security Operations That Keep Attackers Off Your Network
  - Cracking the Code: The Role of Programming in Information Security
  - Simplifying SSH Key Management: Leveraging ssh config for Security and Efficiency
  - Detecting Command and Control Frameworks via Sysmon and Windows Event Logging
- The DFIR Report podcast
  - DFIR Discussions: From OneNote to RansomNote: An Ice Cold Intrusion – Part 2
MALWARE
- AK1001
- Amit Tambe at F-Secure
  - Android malware disguised as wedding invitation sent to senior citizens
- ASEC
- Luigino Camastra at Avast Threat Labs
  - From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
- Cyber 5W
  - Analyzing Macro enabled Office Documents
- DD
  - Unveiling CloudChat macOS InfoStealer
- Fortinet
- G Data Security
  - Android: Banking trojan masquerading as Chrome
- Mohansundaram M and Neil Tyagi
  - Redline Stealer: A Novel Approach
- Ghanashyam Satpathy and Jan Michael Alcantara at Netskope
  - Netskope Threat Coverage: Evil Ant Ransomware
- Nithin Chenthur Prabhu
  - Malware Development, Analysis and DFIR Series – Part I
- Securelist
- Stephan Berger
  - Sysrv Infection (Linux Edition)
- Denis Sinegubko at Sucuri
  - JavaScript Malware Switches to Server-Side Redirects & DNS TXT Records as TDS
- Quentin Roland at Synacktiv
  - OUned.py: exploiting hidden Organizational Units ACL attack vectors in Active Directory
- System Weakness
- Lukas Stefanko at WeLiveSecurity
  - eXotic Visit campaign: Tracing the footprints of Virtual Invaders
- ZScaler
MISCELLANEOUS
- Kushalveer Singh Bachchas at AT&T Cybersecurity
  - The Lifecycle of a Digital File
- CCL Solutions
  - Incident investigation – Part 1: Recognising and responding to a cyber incident
- Forensic Focus
  - Filip Kachnic, Business Development Manager, Eyedea Recognition Ltd
  - Forensic Focus Podcast Ep. 83 Recap: Kickstarting Your Digital Forensics Cybersecurity Career
  - UPCOMING WEBINAR – Fireside Chat: Navigating The Cloud – Expert Insights On Emerging Cloud Threats And Complexities
  - Maltego Acquires PublicSonar And Social Network Harvester To Propel Vision Of An All-in-One Investigation Platform
  - Magnet Forensics Announces Magnet One, A Revolutionary Platform For The Pursuit Of Justice
  - Digital Forensics Round-Up, April 17 2024
  - Alex Beddard, Investigator, Chainalysis
- Magnet Forensics
- Arish Ojaswi at Microsoft’s ‘Security, Compliance, and Identity’ Blog
  - Introducing the Microsoft Purview Audit Search Graph API
- Marius Sandbu
  - How does Copilot for Security work? and is it worth it?
- Thomas Chopitea and Wajih Yassine at Open Source DFIR
  - Welcoming Yeti to the OSDFIR Infrastructure family
- Oxygen Forensics
  - Advantages of targeted remote collection
- Salvation DATA
  - Exploring Careers in Digital Forensics Jobs
SOFTWARE UPDATES
- Amped
  - Amped FIVE Update 33279: Many More Formats, Nested History Folders, Frame Analysis Data Calculations, Timing Macros, Add Log File and Much More
- Binary Ninja
  - Sidekick 1.0 Release
- Digital Sleuth
  - winfor-salt v2024.7.0
- Manabu Niseki
  - Mihari v7.6.1
- Mandiant
  - flare-floss v3.1.0
- Martin Korman
  - Regipy 4.2.0
- OpenCTI
  - 6.0.10
- OpenText
  - Transforming digital forensic investigations
- Phil Harvey
  - ExifTool 12.83
- Securizame
  - Wintriage: Released version 30032024
- WithSecure Labs
  - Chainsaw v2.9.0
- Xways
- Yamato Security
  - Hayabusa v2.15.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!