As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Oleg Afonin at Elcomsoft
  - When Speed Matters: Imaging Fast NVMe Drives
- Forensafe
  - Investigating Android Gboard
- Magnet Forensics
THREAT INTELLIGENCE/HUNTING
- Faan Rossouw at Active Countermeasures
  - Malware of the Day – Specula
- Adam Goss
  - Collection Management Framework Template (+FREE Download)
- Assaf Morag at Aqua
  - Threat Alert: TeamTNT’s Docker Gatling Gun Campaign
- Rajesh Sharma at AttackIQ
  - Breaking Down Silos with Human-Assisted Intelligent Agents
- CJ Moses at AWS Security
  - Amazon identified internet domains abused by APT29
- Vlad Constantinescu at Bitdefender
  - US Detective Charged After Allegedly Buying Compromised Credentials
- Brad Duncan at Malware Traffic Analysis
- CERT Ukraine
  - RDP configuration files as a means of obtaining remote access to a computer, or “Rogue RDP” (CERT-UA#11690)
  - Invoice-themed lures in the arsenal of UAC-0218: file theft using HOMESTEEL (CERT-UA#11717)
  - UAC-0001 (APT28) cyberattack: a PowerShell command in the clipboard as the “point of entry” (CERT-UA#11689)
- CERT-AGID
- Chainalysis
  - Anatomy of an Address Poisoning Scam
- Check Point
  - 21st October – Threat Intelligence Report
- Cisco’s Talos
  - Akira ransomware continues to evolve
  - Threat actor abuses Gophish to deliver new PowerRAT and DCRAT
  - Threat Spotlight: WarmCookie/BadSpace
  - Highlighting TA866/Asylum Ambuscade Activity Since 2021
  - Talos IR trends Q3 2024: Identity-based operations loom large
  - How LLMs could help defenders write better and faster detection
- Omer Yoachimik and Jorge Pacheco at Cloudflare
  - 4.2 Tbps of bad packets and a whole lot more: Cloudflare’s Q3 DDoS report
- CrowdStrike
- CTF导航
- Cyberdom
  - Integrating PowerShell Logging into Microsoft Sentinel
- Cyble
- Cyfirma
  - Weekly Intelligence Report – 25 Oct 2024
- Datadog Security Labs
  - Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview
- Detect FYI
- Disconinja
  - Survey of C2 servers in Japan (Week 42 2024)
- Paul Asadoorian at Eclypsium
  - The Rise of Chinese APT Campaigns: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant
- Malcolm Heath at F5 Labs
  - Continued Intense Scanning From One IP in Lithuania
- Fortra’s PhishLabs
  - Active Phishing Campaign: Twilio SendGrid Abuse
- Kevin Stubbings at GitHub
  - Attacking browser extensions
- Google Cloud Security Community
- Google Cloud Threat Intelligence
  - Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
- Hunt IO
  - Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
- Inde
- InfoSec Write-ups
- Jason Ostrom
  - Sentinel for Purple Teaming
- Patryk Zajdel at Jumpsec Labs
  - Breaking into Libraries – DLL Hijacking
- Kevin Beaumont at DoublePulsar
  - Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
- Brian Krebs at Krebs on Security
  - The Global Surveillance Free-for-All in Mobile Ad Data
- Daniel Jeremiah
  - Analysing PCAP Files in a Modern Way: Investigating AsyncRAT Infection Traffic with SELKS
- Remi Seguy at MISP
  - MISP ioC retrosearch with misp42 Splunk app.
- Natto Thoughts
  - The Red Dragon Searches for Pearls Through Quantum Tunneling – But You’ve Got the Wrong Paper
- Netskope
- Stef Collart at NVISO Labs
  - Hunting for Remote Management Tools: Detecting RMMs
- Ovi Liber
  - UCID902: Uncovering nation state watering hole credential harvesting campaigns targeting human rights activists by APT threat group UCID902 (2023)
- pat_h/to/file
  - Investigating realtime detections on iOS using Unified Logging
- Darya Lavrova at Positive Technologies
- Push Security
- Raymond Roethof
  - Microsoft Defender for Identity Recommended Actions: Accounts with non-default Primary Group ID
- Red Canary
  - Intelligence Insights: October 2024
- ReliaQuest
- Rick Martin
  - EDRSilencer — Red Team Tool
- SafeBreach
  - An Update on Windows Downdate
- SANS Internet Storm Center
- Securelist
- SentinelOne
- Silent Push
  - Triad Nexus: Silent Push exposes FUNNULL CDN’s ongoing corruption efforts, hosting DGA bulk domains for suspect Chinese gambling sites, investment scams, a retail phishing campaign, and a supply chain attack impacting 110,000+ sites
- Simone Kraus
  - RDP configuration files as a means of obtaining remote access to a computer or “Rogue RDP”…
- SOCRadar
  - IntelBroker’s Alleged Cisco Breach: A Deep Dive into the Claims and Responses
  - Dark Web Market: Exodus Marketplace
  - LockBit, Conti, and BlackCat: 166 Ransomware Attacks Put Brazil in the Crosshairs in 2024
  - Lazarus Exploits Google Chrome Zero-Day to Steal Cryptocurrency in ‘DeTankZone’ Campaign (CVE-2024-4947)
- Ekaterina Makhinova at StrangeBee
  - How Thales CERT fights typo-squatting with TheHive
- Sysdig
- System Weakness
- Trend Micro
- Katrina Udquin at Trustwave SpiderLabs
  - Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails
UPCOMING EVENTS
- CybeReady
  - Ransomware on the Rise: Arm your business with the tools to face the next ransomware attack
- Gerald Auger at Simply Cyber
  - Incident Response, Career Evolution, and the Importance of Soft Skills
- Huntress
  - Huntress CTF – Live Stream Finale
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - The Latest in China-Taiwan Cyber Tensions
- Ali Hadi
  - ShadowMe #1 – Intro to Static Malware Analysis
- Black Hills Information Security
- Breaking Badness
  - Rogue Hackers and the Internet Archive Breach: 31 Million Accounts Exposed!
- Cellebrite
- Cloud Security Podcast by Google
  - EP195 Containers vs. VMs: The Security Showdown!
- Cyber Secrets
  - Introduction into Reverse Engineering – Stu Gentry
- Cybereason
  - Malicious Life Podcast: Operation Snow White, Part 2
- Cyberwox
- DEFCON
  - DEF CON 32 – Counter Deception: Defending Yourself in a World Full of Lies – Tom Cross, Greg Conti
- Eclypsium
  - BTS #40 – Backdoors in Backdoors – Matt Johansen
- Gerald Auger at Simply Cyber
  - State of Simply Cyber Q4 2024
- InfoSec_Bret
  - Challenge – TeamViewer Forensics
- Intel471
  - Will Processing CTI Become Legally Risky?
- John Hammond
- Sherrod DeGrippo at Microsoft Security
  - Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action
- Microsoft Threat Intelligence Podcast
  - Vanilla Tempest: The Threat Actor Behind Recent Hospital Ransomware Attacks
- MSAB
  - XRY FFS Logical
- MyDFIR
- RST Cloud
  - RST CTI Assistant
- SANS
- SANS Cloud Security
  - SANS CloudSecNext Summit 2024
- SANS Cyber Defense
- Security Conversations
  - Fortinet 0days, Appin hack-for-hire exposé, crypto heists, Russians booted from Linux kernel
- Sumuri
  - Master Mac Forensics: Learn from the Pioneers with SUMURI’s Vendor-Neutral Training
- Threat Forest
  - CyberWalk: Introduction & trends in Incident Response
- WeLiveSecurity
  - ESET Research Podcast: CosmicBeetle
- Denis Sinegubko at GoDaddy
  - Threat Actors Push ClickFix Fake Browser Updates Using Stolen Credentials
MALWARE
- Any.Run
- ASEC
  - WrnRAT Distributed Under the Guise of Gambling Games
- Kahng An at Cofense
  - How Virtual Hard Drive Files are Bypassing your Secure Email Gateway & AntiVirus Scanners
- Dr Josh Stroschein
- Gary at ‘o_0 wtf?’
- Adam Kohler & Christopher Lopez at Kandji
  - It’s About The Journey: Fake Cloudflare Authenticator
- Swachchhanda Shrawan Poudel at Logpoint
  - Latrodectus: The Wrath of Black Widow
- Nikhil “Kaido” Hegde
  - Turla Backdoor Bypasses ETW, EventLog and AMSI But It’s Buggy
- Paul Melson
  - Check out this thread by Paul Melson
- Vishwajeet Kumar at Qualys
  - Unmasking Lumma Stealer : Analyzing Deceptive Tactics with Fake CAPTCHA
- SonicWall
  - New Iranian-based Ransomware Group Charges $2000 for File Retrieval
- Splunk
  - ValleyRAT Insights: Tactics, Techniques, and Detection Methods
- VMRay
  - Latrodectus: A year in the making
- Jan Holman and Tomáš Zvara at WeLiveSecurity
  - Embargo ransomware: Rock’n’Rust
- Zhassulan Zhussupov
  - Malware and cryptography 33: encrypt payload via Lucifer algorithm. Simple C example.
MISCELLANEOUS
- Adam at Hexacorn
- Martino Jerian at Amped
  - How Does the AI Act Impact Image and Video Forensics?
- Antoine Cailliau
- Dave Blandford at Black Hills Information Security
  - QEMU, MSYS2, and Emacs: Open-Source Solutions to Run Virtual Machines on Windows
- Cellebrite
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 10/21/24
- Forensic Focus
- Howard Poston at HackTheBox
  - Strong IR capabilities are key to meeting new incident reporting deadlines
- Howard Oakley at ‘The Eclectic Light Company’
- Magnet Forensics
- Gary Bushey at Microsoft Sentinel Blog
  - Deploy Microsoft Sentinel using Bicep
- Marius Sandbu
  - NTLM Deprecation – What does it actually mean?
- Oxygen Forensics
- Doug Miller at Panther
- Salvation DATA
- Sophos
  - Sophos to Acquire Secureworks to Accelerate Cybersecurity Services and Technology for Organizations Worldwide
- Eliza-May Austin at Th4ts3cur1ty Company
  - Effective Threat Investigation for SOC Analysts – Eliza’s Cyber Security Book Club
SOFTWARE UPDATES
- Arsenal Recon
- Belkasoft
  - What’s new in Belkasoft X v.2.6
- Christopher E.
  - Notepad State Library – Initial Release
- Digital Sleuth
  - winfor-salt v2024.15.6
- Django Faiola at ‘Appunti di Informatica Forense’
  - Happy 3rd Birthday to dfAPKdngrader
- Doomdie
  - FAT12-16-Image-Disk-Reader
- GCHQ
  - CyberChef v10.19.4
- Kevin Pagano at Stark 4N6
  - Introducing ZipWalker
- Magnet Forensics
- Metaspike
  - Forensic Email Collector 4.0.238.274
- Microsoft
  - msticpy – User Session Management, MaxMind Geolit fix, Extract nested dicts from Pandas
- Permiso
- SigmaHQ
  - pySigma v0.11.18
- Thiago Canozzo Lahr
  - uac-3.0.0
- Xways
  - X-Ways Forensics 21.3 v21.3
- Yamato Security
  - Hayabusa v2.18.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!