Weekly News Roundup — October 4 to October 17

Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal to noise ratio. Happy Reading!

Industry Reports, News, and Miscellany

• MS-ISAC: Activity Alert: Emotet Malware
• Agari: The Global Reach of Business Email Compromise (BEC)
• Google: Identifying and protecting against the largest DDoS attacks
• Accenture: Network Access Sellers and Ransomware Groups
• Symantec: Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
• Crowdstrike: Wizard Spider Modifies and Expands Toolset [Adversary Update]
• CISA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
• Europol: INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2020
• Juniper Networks: New pastebin-like service used in multiple malware campaigns

Threat Research 

• ClearSky: Operation Quicksand
• Checkpoint: Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
• Recorded Future: Banking Web Injects Are Top Cyber Threat for Financial Sector
• Fortinet: Deep Analysis – The EKING Variant of Phobos Ransomware
• Kaspersky: MontysThree: Industrial espionage with steganography and a Russian accent on both sides
• Malwarebytes: Silent Librarian APT right on schedule for 20/21 academic year
• Proofpoint: Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet
• Proofpoint:  Agile Threat Actors Pivot from COVID-19 to Voter Registration Themes in Phishing Lures
• Proofpoint: Employer21: Targeting Teachers with Ransomware Disguised as Class Assignments
• Fireeye: FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft
• GroupIB: Lock Like a Pro: Dive in Recent ProLock’s Big Game Hunting
• Sentinel Labs: The FONIX RaaS | New Low-Key Threat with Unnecessary Complexities
• Palo Unit42: Unit 42 Cloud Threat Report: Misconfigured IAM Roles Lead to Thousands of Compromised Cloud Workloads
• The DFIR Report: Ryuk’s Return
• Vishal Thakur: Grinju Downloader: Anti-analysis (on steroids)
• Paul Melson: Paul Melson’s Blog: Analysis of MaliciousMacroMSBuild & Cobalt Strike Stager
• Telekom: Eager Beaver: A Short Overview of the Restless Threat Actor TA505
• Microsoft: Sophisticated new Android malware marks the latest evolution of mobile ransomware
• Fox-IT: In-depth analysis of the new Team9 malware family

Tools and Tips

• Crowdstrike: Duck Hunting w/Falcon Complete Pt. 3: QakBot Countermeasures
• SANS: SANS Installing the REMnux Virtual Appliance for Malware Analysis
• SANS ISC: Traffic Analysis Quiz
• Bromium: Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks
• Red canary: Catching Taurus malware with behavioral analytics and Microsoft alerts
• PhishLabs: How to Detect Look-alike Domain Registrations
• Inquest: Cerbero Suite: The Hacker’s Multitool
• Secureworks: https://www.secureworks.com/blog/tools-and-techniques-for-threat-hunting-and-threat-research
• Compass Security: Evading Static Machine Learning Malware Detection Models – Part 1: The Black-Box Approach
• Sentinel Labs: Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique
• Bitdefender: There’s a New a Golang-written RAT in Town
• Open Source DFIR:  Plaso 20201007 released
• FalconForce: FalconFriday — Evasive LOLBINs and burning the CACTUSTORCH — 0xFF04
• F-Secure: Operationalising Calendar Alerts: Persistence on macOS
• DFIR Blog: Exporting registry hives from a live system
• Recon: Recon Launches Network Defense Range (NDR) Live Online
• Marco Ramilli: How To Unpack Malware: Personal Notes – Marco Ramilli Web Corner
• Nasreddine Bencherchali: A Deep Dive Into RUNDLL32.EXE
• Cujo: Reverse Engineering Go Binaries with Ghidra
• MISP: Event Report – A convenient mechanism to edit, visualize and share reports

Breaches, Government, and Law Enforcement 

• US DOJ: Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
• ZDNet: German tech giant Software AG down after ransomware attack
• US DOJ: Report of the Attorney General’s Cyber Digital Task Force: Cryptocurrency Enforcement Framework
• US DOJ: United States Seizes Domain Names Used by Iran’s Islamic Revolutionary Guard Corps
• Threatpost: Dickey’s BBQ Breach: Meaty 3M Payment Card Upload Drops on Joker’s Stash

Vulnerabilities and Exploits

• CIS: Multiple Vulnerabilities in Magento CMS Could Allow for Remote Code Execution
• Tripwire: SonicWall VPN Portal Critical Flaw (CVE-2020-5135)
• Cisco Talos: Microsoft Patch Tuesday for Oct. 2020 — Snort rules and prominent vulnerabilities
• SANS ISC: Microsoft October 2020 Patch Tuesday
• McAfee: CVE-2020-16898: “Bad Neighbor”
• CISA: Vulnerability Summary for the Week of October 5, 2020
• Unit42: CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel
• NVISO Labs: MITRE ATT&CK turned purple – Part 1: Hijack execution flow
• Dtmsecurity: Code execution via the Windows Update client (wuauclt)

Read More

The post Weekly News Roundup — October 4 to October 17 appeared first on Malware Devil.

https://malwaredevil.com/2020/10/17/weekly-news-roundup-october-4-to-october-17/?utm_source=rss&utm_medium=rss&utm_campaign=weekly-news-roundup-october-4-to-october-17