- Jobs – old entries cleaned up, new entries added – Arete, Contact Discovery Services LLC, Huntress, Mandiant (now part of Google Cloud), Palo Alto Networks Unit 42, Surefire Cyber, Thames Valley Police, UCLA Health
- Tools & Artifacts – AWS – new entry added – AWS Incident Response – How to be IR Prepared in AWS
- Tools & Artifacts – Google Cloud – new entry added – Google Cloud Incident Response – Google Cloud Incident Response Cheat Sheet
- Tools & Artifacts – Microsoft Azure – new entry added – Azure Incident Response – How to be IR prepared in Azure
- Tools & Artifacts – iOS – new entry added – TikTok – Investigating iOS TikTok
- Tools & Artifacts – Linux – new entry added – Ivanti Evidence Acquisition – Overview: Evidence Collection of Ivanti Connected Secure Appliances
Of course I would be remiss if I did not mention the very active week we had in the world of cyber.
First there was the takedown and disruption of arguably the most prolific ransomware gang in recent memory – LockBit 3.0. The U.K. National Crime Agency (NCA) Cyber Division, in conjunction with the US Justice Department, Federal Bureau of Investigation (FBI), and other international law enforcement partners, disrupted LockBit’s operations by seizing numerous public facing websites which were used by LockBit to connect to their internal infrastructure. The joint coalition also seized servers (including servers that hosted their data leak sites) used by LockBit admins, released decryptors, and arrested a few group members. Check out the full press release from the US Department of Justice here!
Then there was the data leak of I-Soon – a company founded in Shanghai, China that contracts for many PRC agencies (including the Ministry of Public Security), which revealed China’s cyberespionage plans including hacking contracts with public agencies, a repository of targets, and years worth of chats of its employees. SentinelOne posted a great blog on this leak which you can find here!
Lastly, there was also the ConnectWise ScreenConnect vulnerabilities. ConnectWise had published a security advisory for ScreenConnect version 23.9.8, which referenced two vulnerabilities. CISA assigned both CVE-2024-1708 and CVE-2024-1709 for these recent vulnerabilities which essentially allows an attacker to bypass authentication using an alternate path or channel and improper limitation of a pathname to a restricted directory. The CVSS scores given were 8.4 for CVE-2024-1708 and 10 for CVE-2024-1709 which demonstrates the severity of these vulnerabilities. Huntress posted a blog which goes into full detail about these new CVEs and provided a proof of concept. Check out the blog here!
Don’t forget to submit any missing forensicators to our Forensicators of DFIR page! Also, please consider submitting any DFIR or InfoSec related job openings via our form!
Fabian (@DFIRDominican)