Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- NIST: NVD – CVSS Severity Distribution Over Time
- Group-IB: Hi-Tech Crime Trends Reports 2021/2022
- Zscaler: The 2021 State of Cloud (In)Security
- Kaspersky: The story of the year: ransomware in the headlines
- CISA: APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
- Digital Shadows: Latin American Financial Services: Sunny Climes And Cybercrimes
- Data Breach Today: Report Dissects Conti Ransomware Attack on Ireland’s HSE
- VICE: We Need to Stop Saying ‘Blacklist’ and ‘Whitelist’
- Chris Sanders: A Cognitive Skills Assessment of Digital Forensic Analysts – My Doctoral Dissertation
Threat Research
- CrowdStrike: How DopplePaymer Hunts & Kills Windows Processes
- Proofpoint: That Holiday Feelin’: TA575 Brings the Warm and Fuzzies with Year-end, Festive Lures
- Proofpoint: Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors
- JFrog: Malicious packages in npm enable theft of Discord tokens, other data
- Mandiant: Suspected Russian Activity Targeting Government and Business Entities Around the Globe
- Mandiant: FIN13: A Cybercriminal Threat Actor Focused on Mexico
- IBM: X-Force Threat Intelligence: Monthly Malware Roundup
- ESET: Jumping the air gap: 15 years of nation‑state effort
- Fortinet: Phishing Campaign Targeting Korean to Deliver Agent Tesla New Variant
- Kaspersky: An analysis of the life cycle of phishing and scam pages
- Check Point: When old friends meet again: why Emotet chose Trickbot for rebirth
- Cybereason: THREAT ALERT: The Return of Emotet
- Intel471: How the new Emotet differs from previous versions
- Red Canary: ProxyShell exploitation leads to BlackByte ransomware
- HP: Emotet’s Return: What’s Different?
- Blackberry: Threat Thursday: Babuk Ransomware Shifts Attack Methods to Double Extortion
- Deep Instinct: [Down]loaded by GuLoader Malware
- ACSC: Ransomware Profile: Conti
- Accenture: Karakurt Rises from Its Lair
- Trend Micro: New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes
- Microsoft: A closer look at Qakbot’s latest building blocks (and how to knock them down)
- Microsoft: NICKEL targeting government organizations across Latin America and Europe
- Volexity: XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit
- DFIR Report: CONTInuing the Bazar Ransomware Story
- Malwarebytes: https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/
- PWC: Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad
Tools and Tips
- SpecterOps: 3 Foundational Pillars for Attack Path Management: Pillar 1 — Continuous & Comprehensive Mapping
- Netskope: Over-Privileged Service Accounts Create Escalation of Privileges and Lateral Movement in Google Cloud
- Dragos: Detecting PLC Switch Position Changes Through the Network
- Red Canary: Better know a data source: Process integrity levels
- Red Canary: KMSPico and Cryptbot: A spicy combo
- Blackberry: Reverse Engineering Ebpfkit Rootkit With BlackBerry’s Enhanced IDA Processor Tool
- Binary Defense: Threat Hunting AWS CloudTrail with Sentinel: Part 3
- CyberArk: Hook Heaps and Live Free
- PAN Unit42: Detecting Patient Zero Web Threats With Advanced URL Filtering
- Sucuri: E-commerce Website Security Strategy for Holiday Shopping Season
- Curated Intelligence: ATT&CK Lookup for MITRE developed by Curated Intelligence
- Sandfly: Detecting CronRAT Crontab Malware on Linux Instantly
- GreyPiper: Hunting For C2: Emotet in HM0.5. “Certainly there is no hunting like the…
- Google: Use Site Reliability Engineering (SRE) practices to improve your Security Operations Center (SOC)
- m365Internals: Lateral Movement with Managed Identities of Azure Virtual Machines
- THEEVILBIT: Beyond the good ol’ LaunchAgents – 23 – emond, The Event Monitor Daemon
- The Mitten Mac: What does APT Activity Look Like on macOS?
- deepinstinct: DeMotet: Unpacking and decryption tools for the Emotet malware
- Splunk: Staff Picks for Splunk Security Reading November 2021
- Splunk: Log Jammin’- Detecting Log4j 2 RCE Using Splunk
- nccgroup: Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
- Joe Agler: Scouring for unsecured cloud buckets
- Leo Pitt: How to Quickly Setup an ELK Stack and Elastic Agent to Monitor macOS Event Data
- Exploit Reversing: Malware Analysis Series (MAS) – Article 1
- TrustedSec (video): Common Active Directory Attacks: Back to the Basics of Security Practices
- Canadian Centre for Cyber Security: Ransomware playbook ITSM.00.099
- PC’s Xcetra: Peeling away the layers of obfuscation from Excel VBA to dll
- Dump-GUY: Full malware analysis work-flow of AgentTesla Malware
- MENA SEC: Detecting Token Stealing using Sysmon v13.30 and EQL
Breaches, Government, and Law Enforcement
- US DOJ: Russian National Sentenced for Providing Crypting Service for Kelihos Botnet
- US DOJ: Canadian Man Charged in Scheme to Commit Cyberattacks
- US DOJ: International Hacking Group Members Sentenced for SIM Hijacking Conspiracy That Resulted in the Theft of Millions in Cryptocurrency
- US DOJ: Russian Man Sentenced for Providing ‘Bulletproof Hosting’ for Cybercriminals
- Krebs: Canada Charges Its “Most Prolific Cybercriminal”
- The Record: Google disrupts Glupteba malware botnet, files lawsuit against two Russians
- The Record: FIN7 hacker trialed in Russia gets no prison time
- The Record: Former Ubiquiti employee charged with hacking and extorting company
- CATO Institute: The Military Is Not the Solution to the Challenge of Ransomware
- Flashpoint: Illicit Communities Vs. Deep and Dark Web: Why the Full Intelligence Picture Depends on Both
- Recorded Future: Chinese Cyber Espionage Activity Supports Expansion of Regional Power and Influence
- Reuters: U.S. State Department phones hacked with Israeli company spyware
- Trustwave: Law Enforcement Collaboration Has Eastern-European Cybercriminals Questioning Whether There Is A Safe Haven Anymore
- Lawfare: How the President Can Shape the Role and Oversight of the National Cyber Director
- ArsTechnica: Emails show what happened before Missouri gov. falsely called journalist a “hacker”
- Global News: Canadian spy agency targeted foreign hackers to ‘impose a cost’ for cybercrime
Vulnerabilities and Exploits
- CIS: A Vulnerability in Apache Log4j Could Allow for Arbitrary Code Execution
- Apache: Log4j – Apache Log4j Security Vulnerabilities
- CrowdStrike: Log4j2 Vulnerability: How to Mitigate CVE-2021-44228
- Cisco Talos: Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
- SwitHak: BlueTeam CheatSheet * Log4Shell*
- Positive: Windows 10 RCE: The exploit is in the link
- CISA: Vulnerability Summary for the Week of November 29, 2021
- SentinelLabs: USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services
Article Link: Weekly News Roundup — November 28 to December 11 – Security Soup