本周聚焦：Salesloft-Drift入侵事件深度剖析

在本次会议中，Permiso的首席技术官将深入探讨：

• 攻击者如何利用被盗的OAuth令牌，从GitHub横向移动到AWS，再渗透至Salesforce。
• 此次“全自动化”攻击为何为SaaS供应链和NHI（非人类身份）安全敲响了警钟。
• 如何在您的环境中检测并遏制类似威胁的实用步骤。 观看视频播客 赞助商：Permiso

一如既往，感谢所有支持者！

取证分析

• Brian Maloney：OneDrive. Let’s take this offline
• Chainalysis：DPRK IT Workers: Inside North Korea’s Crypto Laundering Network
• Christopher Eng at Ogmini：Lifecycle of a Digital Photo on a Android Pixel 7 – Part 2
• Android Forensics – Filesystem Timestamps ADB Script：
• Elcomsoft：
  • iPhone 17: the End of PWM Flickering?
  • Breaking into Password Managers: from Bitwarden to Zoho Vault
  • AI in Digital Forensics: a Tool, not an Oracle
• Forensafe：iOS AllTrails
• Iram Jack：Memory Analysis Introduction
• Memory Acquisition：
• Magnet Forensics：
  • Making media authentication easier to understand with automated analysis
  • Magnet Forensics support for iOS 26
  • That One Artifact: The search history that spoke volumes
• Maltego：Exposing Pig Butchering Operations with Maltego
• Matthew Plascencia：iOS 26 is On Location With More AI Goodness iOS 26 New Artifacts II
• Mattia Epifani at Zena Forensics：Exploring Data Extraction from iOS Devices: What Data You Can Access and How
• OSINT Team：Volatility3: Navigating the SAM registry hive from memory image
• The DFIR Report：From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

威胁情报/狩猎

• Faan Rossouw at Active Countermeasures：Malware of the Day – Agent-to-Agent Communication via SMB (AdaptixC2)
• Adam at Hexacorn：Using .LNK files as lolbins
• ASEC：XiebroC2 Identified in MS-SQL Server Attack Cases
• Ayelen Torello at AttackIQ：Ransom Tales: Volume IV – Emulating Rhysida, Charon and Dire Wolf Ransomware
• Chi Tran, Charlie Bacon, and Nirali Desai at AWS Security：Defending against supply chain attacks like Chalk/Debug and the Shai-Hulud worm
• BI.Zone：Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks
• c-APT-ure：Using NetBIOS names for pivoting and threat clustering
• CERT Ukraine：Бекдор CABINETRAT використовується UAC-0245 для цільових кібератак у відношенні СОУ (CERT-UA#17479)
• CERT-AGID：Sintesi riepilogativa delle campagne malevole nella settimana del 27 settembre – 3 ottobre
• Check Point：29th September – Threat Intelligence Report
• Joey Chen at Cisco’s Talos：UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud
• codetodeploy：Inside the VMware CVE Cluster: Enumeration, Escalation, and Exposure
• Ben Reardon at Corelight：Hunting GTPDOOR at Black Hat USA 2025 | Corelight
• CyberBoo：Microsoft Defender for Identity Deep Dive: Part 1
• Cyberdom：Unlocking Microsoft Sentinel MCP
• Cyfirma：Weekly Intelligence Report – 3 October 2025
• Dark Atlas：Threat Profile: Conti Ransomware Group
• Darktrace：Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace
• Detect FYI：
  • The missing link in MDR. Spoiler, it starts with a Detection Engineering framework.
  • Threat Hunting sessions via AuthenticationProcessingDetails on AADSignInEventsBeta
  • Use KQL to Surface Non-Recommended TLS Parameters (IANA-based)
• Disconinja：Weekly Threat Infrastructure Investigation(Week39)
• DomainTools Investigations：SecuritySnack: 18+E-Crime
• Paul Asadoorian at Eclypsium：The Hunt for RedNovember: A Depth Charge Against Network Edge Devices
• Elastic Security Labs：
  • FlipSwitch: a Novel Syscall Hooking Technique
  • WARMCOOKIE One Year Later: New Features and Fresh Insights
• FalconFeeds：
  • Digital Fault Lines: The Weaponization of Ethnic and Religious Tensions in Regional Cyber Conflicts
  • Proxy Wars in Cyberspace: Tracking Nation-State Influence Through Threat Actor Alliances
• Guillaume Valadon and Carole Winqwist at GitGuardian：Red Hat GitLab Breach: The Crimson Collective’s Attack
• Omar ElAhdan, Matthew McWhirt, Michael Rudden, Aswad Robinson, Bhavesh Dhake, and Laith Al at Google Cloud Threat Intelligence：Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations
• GreyNoise：
  • Coordinated Grafana Exploitation Attempts on 28 September
  • Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High
• HackTheBox：Sandworm unleashed: Inside APT44’s Dune-inspired cyber destruction
• Hunt IO：Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia
• Huntress：
  • Don’t Sweat the ClickFix Techniques: Variants & Detection Evolution
  • Top Cyber Threat Trends of 2025 from Deepfakes, ClickFix, and ViewState Exploits
• Infoblox：Detour Dog: DNS Malware Powers Strela Stealer Campaigns
• Kijo Ninja at Kijo Ninja：Rclone C2 data exfiltration technique
• Adam Goss at Kraven Security：Stop Drowning in Data: Build Your Own CTI Aggregator for Free
• Doug Olenick at LevelBlue：SpiderLabs Ransomware Tracker Update September 2025: Qilin, Akira Top Ransomware Attackers
• Idan Cohen at Mitiga：ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches
• Netscout：Keymous+ Threat Actor Profile
• NVISO Labs：
  • You name it, VMware elevates it (CVE-2025-41244)
  • Lunar Spider Expands their Web via FakeCaptcha
  • What Did the Attacker Read? MailItemAccessed Tells You
• Oleg Skulkin at ‘Know Your Adversary’：
  • 271. Does an Adversary Need to Install an RMM?
  • 272. Here’s Another Interesting Staging Folder You Can Use for Hunting
  • 273. That’s How PDB Paths Help to Uncover Malicious Files
  • 274. That’s How Phantom Taurus Abuses Exchange Management Shell
  • 275. Hunting for Suspicious URLs
  • 276. Hunting for Suspicious IIS Modules
  • 277. Adversaries Abuse a Free Request Logging Service as C2
  • 278. Hunting for Suspicious XLL Files
• Palo Alto Networks：
  • Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
  • The Case for Multidomain Visibility
• Art Ukshini at Permiso：P0LR Espresso – Pulling Shots of Cloud Live Response & Advanced Analysis
• Picus Security：
  • Crypto24 Ransomware Uncovered: Stealth, Persistence, and Enterprise-Scale Impact
  • Blue Report 2025: How to Act on 16M Attack Simulation Findings
  • RomCom Threat Actor Evolution (2023–2025)
• Resecurity：ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
• Ashlee Benge at ReversingLabs：Hunting SharpHounds with Spectra Analyze
• Sandfly Security：Sandfly 5.5.4 – Chinese Rootkit Decloaking
• SANS：
  • Hunting SaaS Threats: Insights from the FOR589 Course on Cybercriminal Campaigns
  • Log for Normal to Find Evil: Lessons from Real Crimes and Cyberattacks
• SANS Internet Storm Center：
  • Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400), (Mon, Sep 29th)
  • [Guest Diary] Comparing Honeypot Passwords with HIBP, (Wed, Oct 1st)
  • “user=admin”. Sometimes you don’t even need to log in., (Tue, Sep 30th)
  • More .well-known Scans, (Thu, Oct 2nd)
• Cristian Souza at Securelist：Forensic journey: hunting evil within AmCache
• Ayush Anand at Securityinbits：Discovery using nltest, net and whoami
• Jeremy Scion and Marc N. at Sekoia：Silent Smishing : The Hidden Abuse of Cellular Router APIs
• Seqrite：Exploiting Legitimate Remote Access Tools in Ransomware Campaigns
• Shantaciak：Investigating Email Threats: Why the Inbox Is Still the Front Door
• Siddhant Mishra：Kimsuky/APT43 Phishing Infrastructure: A Technical Evolution
• SOCRadar：Dark Web Profile: Scattered Lapsus$ Hunters
• Claudia Preciado at Stairwell：Building on CISA’s Salt Typhoon YARA Rules: Stairwell finds 637 New Variants
• Brandon Webster and Bryan Campbell at Sublime Security：Impersonated Evite and Punchbowl invitations used for credential phishing and malware distribution
• Kyle Knight at Sucuri：Enhancing File Transfer Security with SSH Key Authentication
• System Weakness：
  • Windows Credential Theft Detection
  • Logs Fundamentals | TryHackMe Write-Up
  • Introduction to SIEM | TryHackMe Write-Up
  • Reverse Engineering Session 2 by KK TAN ~ Real-world study CVE-2025–8088 [Experience Sharing]
  • HTB Holmes CTF Writeup: The Card
  • SOC127 — SQL Injection Detected — LetsDefend — Solution
• THOR Collective Dispatch：
  • Ask-a-Thrunt3r: September 2025 Recap
  • Agentic Threat Hunting, Part 2: Starting a Hunt Repo
• Niranjan Hegde and Sijo Jacob at Trellix：XWorm V6: Exploring Pivotal Plugins
• Richard Grainger at Triskele Labs：Qilin on the rise: what Australian organisations need to know
• Jean-Francois Gobin at Truesec：She Sells Web Shells by the Seashore (Part I)
• Elliot Roe at Valdin：Introducing YARA Rules: Search and Monitor the Internet’s Infrastructure with YARA
• Joseliyo Sánchez at VirusTotal：Advanced Threat Hunting: Automating Large-Scale Operations with LLMs
• Vishal Thakur：Introducing TLP:Black — A New Layer of Confidentiality

即将举行的活动

• Cellebrite：Exploited Online, Trapped Offline: Scam Compounds and Human Trafficking in APAC
• Cyber Social Hub：What is Changing at Cyber Social Hub
• Magnet Forensics：
  • Learn tips and best practices for reviewing and analyzing media evidence from leading media forensics experts
  • Cyber Unpacked S2:E4 // Voices from the field: Trends, challenges, and what’s next in DFIR
• Simply Defensive：Hands-On Defense: Markus Schober on DFIR, Labs, and Building Better Blue Teamers | S5 E1

演示文稿/播客

• Alexis Brignoni：DIgital Forensics Now Podcast S3 – E0
• Behind the Binary by Google Cloud Security：EP16 The Machine Learning Revolution in Reverse Engineering with Hahna Kane Latonick
• Patterson Cake at Black Hills Information Security：Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2)
• Cellebrite：Tip Tuesday: Final Call for Papers for the C2C User Summit
• Erik Pistelli at Cerbero：Memory Challenge 1: Reveal
• Cyber Social Hub：The FTK Imager Pro Game-Changer
• InfoSec_BretSA：– SOC211-161 – Utilman.exe Winlogon Exploit Attempt
• John Hammond：reverse engineering for beginners
• Magnet Forensics：Legal Unpacked E1: Search warrants for digital evidence: The data-driven approach
• Monolith Forensics：
  • Sharing Files & Reports with Relay Users
  • Case Details in Monolith
• MSAB：XAMN Early Access
• MyDFIR：SOC Automation Project 2.0: How To Use AI in Your SOC Workflow
• Parsing the Truth: One Byte at a Time：Business Email Compromise
• The Cyber Mentor：Intro to PowerShell: Investigating Windows Processes
• Three Buddy Problem：Oracle cl0p ransomware crisis, EU drone sightings, Cisco bootkit fallout

恶意软件

• Mauro Eldritch at Any.Run：FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware
• hasherezade at Check Point：Rhadamanthys 0.9.x – walk through the updates
• Cleafy：Klopatra: exposing a new Android banking trojan operation with roots in Turkey
• Dr Josh Stroschein：IDA Pro Basics – Collapsing Function Folders, the Easy Way
• Dr. Web：
  • Doctor Web’s Q3 2025 virus activity review
  • Doctor Web’s Q3 2025 review of virus activity on mobile devices
• Cara Lin at Fortinet：Confucius Espionage: From Stealer to Backdoor
• Nicole Fishbein at Intezer：Beginner’s guide to malware analysis and reverse engineering
• Uma Madasamy at K7 Labs：Breakingdown of Patchwork APT
• Marc Messer and Dave Truman at Kroll：FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook
• OSINT Team：Opened a Can of XWorms
• Shubho57：Analysis of a javascript file leads to Koi Loader Stealer
• Puja Srivastava at Sucuri：Malvertising Campaign Hides in Plain Sight on WordPress Websites
• ThreatFabric：Datzbro: RAT Hiding Behind Senior Travel Scams
• Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon at Trend Micro：Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
• Daniel Kelley at Varonis：MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments
• Шифровальщики-вымогатели The Digest “Crypto-Ransomware”：Lamia

其他

• CyberCX：A case for expeditious investigations
• Belkasoft：[ON-DEMAND COURSE] BelkaGPT: Effective Artificial Intelligence in DFIR
• Djordje Lukic at Binalyze：Why Detecting Browser-Stored Passwords Strengthens Cyber Resilience
• Cyber Codex：A Deep Dive into the Ransomware Timeline and Its Shadow Empire | Cyber Codex
• Dr. Brian Carrier at Cyber Triage：AI Principles for Digital Forensics and Investigations (DFIR)
• Josibel Mendoza at DFIR Dominican：DFIR Jobs Update – 09/29/25
• Elan at DFIR Diva：Techno Security & Digital Forensics Conference: October 27-29, 2025
• Forensic Focus：
  • Oxygen Analytic Center v.1.6: Smarter, Faster, More Secure Investigations
  • Digital Forensics Jobs Round-Up, September 29 2025
  • Inside The Fight Against Child Exploitation – Leadership And Wellness Lessons From Debbie Garner
• Howard Oakley at ‘The Eclectic Light Company’：
  • Inside the Unified Log 3: Log storage and attrition
  • Explainer: inodes and inode numbers
• Kenneth G. Hartman at Lucid Truth Technologies：Defending Criminals: Are Defense Attorneys, Investigators, and Experts Working for the Dark Side?
• Magnet Forensics：What does the State of Enterprise DFIR look like today? Share your insights in our survey!
• Passware：All About PDF Decryption
• Sandfly Security：Sandfly Now Available On Microsoft Azure Marketplace

软件更新

• Datadog Security Labs：GuardDog v2.7.0
• Digital Sleuth：winfor-salt v2025.11.0
• Elcomsoft：Elcomsoft Distributed Password Recovery adds support for 8 password management apps
• Google：Timesketch 20250929
• MALCAT：0.9.11 is out: ARM and MachO analysis
• Metaspike：
  • Forensic Email Collector (FEC) Changelog – 4.2.579.104
  • Forensic Email Intelligence – 2.2.579
• Microsoft：msticpy – OAuth v2.0 fix for Defender
• MISP：MISP 2.5.22 released with improvements and bugs fixes
• MSAB：Q3 2025 Major Release is now available
• OpenCTI：6.8.2
• Phil Harvey：ExifTool 13.38
• radare2：6.0.4
• Sigma：Release r2025-10-01
• WithSecure Labs：Chainsaw v2.13.0

以上就是本周的全部内容！如果您认为我遗漏了什么，或者希望我特别关注某些内容，请通过联系页面或社交媒体渠道与我联系！ 使用代码 PM15 或点击此链接，享受您下一个Hexordia课程15% 的折扣。参加我的课程！ 使用折扣码 thisweekin4n6，在Cyber5w的任何课程中享受15% 的折扣。