Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Agari: Report: New BEC Scam 7X More Costly Than Average
- Atlantic Council: Countering cyber proliferation: Zeroing in on Access-as-a-Service
- Group-IB: Ransomware empire prospers in pandemic-hit world. Attacks grow by 150%
- Microsoft: New nation-state cyberattacks
- Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
- CISA: CISA Issues Emergency Directive and Alert on Microsoft Exchange Vulnerabilities
- CISA: Mitigate Microsoft Exchange Server Vulnerabilities
- DHS: Emergency Directive 21-02 Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- CrowdStrike: How Falcon Complete Stops Microsoft Exchange Server Exploits
- FireEye: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
- Palo Unit 42: Threat Assessment: Active Exploitation of Four Zero-Day Vulnerabilities in Microsoft Exchange Server
Threat Research
- Microsoft: GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
- Sucuri: Trojan Spyware and BEC Attacks
- Zscaler: Microsoft-Themed Phishing Attack
- Intel471: Here’s who is powering the bulletproof hosting market
- Recorded Future: Chinese Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
- Dragos: New ICS Threat Activity Group
- Talos: ObliqueRAT returns with new campaign using hijacked websites
- Blackberry: ZeroLogon to Ransomware
- Intezer: When Viruses Mutate: SunCrypt Ransomware Evolves from QNAPCrypt
- FireEye: New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452
- F5 Labs: IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
- DFIR Report: Laravel Apps Leaking Secrets
- WMC Global: The Compact Campaign
- Bushido Token: The next evolution in Office365 phishing campaigns
- Trend Micro: New in Ransomware: AlumniLocker, Humble Feature Different Extortion Techniques
- Sophos: “Gootloader” expands its payload delivery options
Tools and Tips
- Microsoft: Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post.
- nccgroup: KilledProcessCanary: A canary designed to minimize the impact from certain Ransomware actors
- SANS ISC: Spotting the Red Team on VirusTotal!
- SANS ISC: Adversary Simulation with Sim
- Red Canary: Identifying suspicious code with Process Memory Integrity
- Expel: How to create (and share) good cybersecurity metrics
- FireEye: Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory
- Sentinel Labs: A Guide to Ghidra Scripting Development for Malware Researchers
- CyberArk: The Strange Case of How We Escaped the Docker Default Container
- NVISO Labs: Tap tap… is this thing on? Creating a notification-service for Cobalt-Strike
- Inquest: Cracking Password Protected Payloads
- Michael Henriksen: Finding Evil Go Packages
- Mehmet Ergene: Hunting for the Behavior: Scheduled Tasks
- Splunk: Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk
- Outflank: Catching red teams with honeypots part 1: local recon
- Wes Lambert: Zero Dollar Detection and Response Orchestration with n8n, Security Onion, TheHive, and Velociraptor
- Matt Graeber: Basic dynamic malware analysis with AMSI events
- Nextron: Scan for HAFNIUM Exploitation Evidence with THOR Lite
Breaches, Government, and Law Enforcement
- FTC: FTC, 38 States, and D.C. Act to Shut Down Massive Charity Fraud Telefunding Operation
- Qualys: Qualys Update on Accellion FTA Security Incident
- Flashpoint: Breaking: Elite Cybercrime Forum “Maza” Suffers Breach
- Malwarebytes: 21 million free VPN users’ data exposed
- ZDNet: SolarWinds security fiasco may have started with simple password blunders
- Forbes: Exclusive: Hackers Break Into ‘Biochemical Systems’ At Oxford University Lab Studying Covid-19
- Krebs: At Least 30,000 US Organizations Newly Hacked Via Holes in Microsoft’s Email Software
- CISA: Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS
- Digital Shadows: Cybercriminal Law Enforcement Crackdowns in 2021
- Bleeping Computer: US indicts John McAfee for cryptocurrency fraud, money laundering
- Threatpost: Sprawling Cyberattack Breaches Several Airlines
- AP: Report: Russian hackers exploit Lithuanian infrastructure
Vulnerabilities and Exploits
- Malwarebytes: Update now! Chrome fix patches in-the-wild zero-day
- SANS ISC: Microsoft Releases Exchange Emergency Patch to Fix Actively Exploited Vulnerability
- CISA: Vulnerability Summary for the Week of February 22, 2021
- Palo Unit 42: CVE-2020-17049 AKA Bronze Bit Kerberos Vulnerability: Threat Brief
Article Link: https://security-soup.net/weekly-news-roundup-february-28-to-march-6/