Inside the Salesloft-Drift Breach: What It Means for SaaS & Identity Security
In this episode, Permiso's CTO explores:
- How attackers used stolen OAuth tokens to move from GitHub to AWS to Salesforce.
- Why this "fully automated" attack is a wake-up call for SaaS supply chains and NHIs.
- Practical steps to detect and contain similar threats in your environment.
Watch the video podcast. Sponsored by Permiso.
As always, thanks to those who give a little back in support!
FORENSIC ANALYSIS
Adam at Hexacorn: Forensics of the past
Akash Patel
- Remote Execution and Kansa — Still One of the Most Underrated IR Tools
- Log Analysis — It’s Not About Knowing, It’s About Correlating
- Tracking Kerberos & NTLM Authentication Failures and Investigation
Lucy Carey-Shields at Amped: Forensic Video Workflow with Amped FIVE – Part Two: Analysis of Video Evidence
Erik Pistelli at Cerbero: Memory Challenge 3: Invisible
Christopher Eng at Ogmini
- Gmail App – IMAP Account Artifacts (Message Logging) – Part 2
- Forensic ADB Scripts – adb-pull-stat.py
- BSides NYC 0x05 – Contribute to Learn: Building DFIR Expertise Through Open Source
Elcomsoft
- Extracting Apple Unified Logs
- Cheat Sheet: Perfect Acquisition (32-bit)
- Effective Disk Imaging: Ports, Hubs, and Power
- All USB Cables Are Equal, But Some Are More Equal Than Others
Elliptic
- $15 billion seized by US originates from Iran/China bitcoin miner “theft”
- Prince Group targeted with $15B crypto seizure and sanctions for pig butchering operations
Forensafe: Solving Magnet Virtual Summit 2025 CTF (Windows)
Hussam Shbib at Cyber Dose: Be a Better Detective #6: Parsing Linux Memory Dump
Ian Whiffin at DoubleBlak: Safari Walkthrough
Iram Jack
- Supplemental Memory
- Linux Memory Analysis
Matthew Plascencia: The Wonderful World of Windows Forensics
Md. Abdullah Al Mamun: Exposed Commands History of Moscow Hackers
OSINT Team: $UsnJrnl: Exploring the NTFS USN journal to track file system activity
Kirill Magaskin at Securelist: The king is dead, long live the king! Windows 10 EOL and Windows 11 forensic artifacts
Studio d’Informatica Forense: Verifying original or forged emails for Le Iene
THREAT INTELLIGENCE/HUNTING
Abdul Mhanni: Becoming the Machine, A Virtual Account’s Guide to Total Control
Faan Rossouw at Active Countermeasures: Threat Hunting and the Philosophy of Assumed Breach
Adam at Hexacorn
- 1 little known secret of help.exe
- 1 little known secret of nslookup.exe, part 2
- 1 little known secret of wsreset.exe
ASEC
- Larva-25010 – Analysis on the APT Down Threat Actor’s PC
- Analysis on the Qilin Ransomware Using Selective Encryption Algorithm
- Statistics Report of Malware Targeting Linux SSH Servers in Q3 2025
- Statistics Report on Malware Targeting Windows Database Servers in Q3 2025
AttackIQ: Response to Oracle Security Alert Advisory: Oracle E-Business Suite Pre-Auth RCE (CVE-2025-61882)
Deerendra Prasad at Barracuda: Threat Spotlight: Unpacking a stealthy new phishing kit targeting Microsoft 365
Jade Brown at Bitdefender: Bitdefender Threat Debrief | October 2025
Brian Krebs at ‘Krebs on Security’
- Patch Tuesday, October 2025 ‘End of 10’ Edition
- Email Bombs Exploit Lax Authentication in Zendesk
BushidoToken: Lessons from the BlackBasta Ransomware Attack on Capita
CERT Ukraine: “Countering Russian sabotage groups”: UAC-0239 carries out cyberattacks using the OrcaC2 framework and the FILEMESS stealer (CERT-UA#17691)
CERT-AGID
- Phishing about residence permit verification targets foreign citizens in Italy
- Phishing against PagoPA abuses a Google open redirect
- Summary of malicious campaigns in the week of 11 – 17 October
Check Point
- 13th October – Threat Intelligence Report
- Microsoft Dominates Phishing Impersonations in Q3 2025
CISA: ED 26-01: Mitigate Vulnerabilities in F5 Devices
Vanja Svajcer and Michael Kelley at Cisco’s Talos: BeaverTail and OtterCookie evolve with a new Javascript module
CloudSEK: An Insider Look At The IRGC-linked APT35 Operations: Ep3 – Malware Arsenal & Tooling
Cofense
- Weaponized Trust: Microsoft’s Logo as a Gateway to Tech Support Scams
- “Privacy” and “Prizes”: Rewards from a Malicious Browser Extension
Ash Leslie, Doug Brown, and Mitch Datka at CrowdStrike: Falcon Defends Against Git Vulnerability CVE-2025-48384
Curated Intelligence: Curated Intel Diary: Researching ASNs for CTI
Cyfirma: Weekly Intelligence Report – 10 October 2025
Dark Atlas: Suspicious ScreenConnect Abuse by Threat Actors
Detect FYI
- Re-Writing the Playbook — A detection-driven approach to Incident Response
- Identifying File Exfiltration via RDP Sessions with KQL Queries (Dia de los Muertos Special)
- Hunting WMI Event Subscription Persistence
- Critical Asset Analysis for Detection Engineering
Disconinja: Weekly Threat Infrastructure Investigation (Week 41)
DomainTools Investigations: SecuritySnack: Repo The Repo – NPM Phishing
Dreadnode: LOLMIL: Living Off the Land Models and Inference Libraries
Magdalena Karwat at EclecticIQ: Extending STIX: How Custom objects empower your intelligence work
Paul Asadoorian at Eclypsium: BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices
Sai Molige at Forescout: A Year Later, Interlock Ransomware Keeps Leveling Up
Pei Han Liao at Fortinet: Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia
Google Cloud Threat Intelligence
- DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains
- New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware
GreyNoise: GreyNoise’s Recent Observations Around F5
Group-IB
- A new weapon against payment fraud: Unique threat intelligence for anti-fraud teams
- East-west tension: Are NDR vendors monitoring the wrong traffic?
Hunt IO: Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools
Harlan Carvey and Lindsey O’Donnell-Welch at Huntress: Dispelling Ransomware Deployment Myths
Jeffrey Bellny at CatchingPhish
- Data Exfiltration via ChatGPT Agent Mode
- The Tale of the Obfuscated Hospital
Kasada: Q3 2025 Threat Intelligence Report
Adam Goss at Kraven Security: So You Want to Be a CTI Analyst? The Ultimate Career Guide
Cris Tomboc at LevelBlue: SocGholish: Turning Application Updates into Vexing Infections
Amy Hogan-Burney at Microsoft Security: Extortion and ransomware drive over half of cyberattacks
Oleg Skulkin at ‘Know Your Adversary’
- That’s How Astaroth Abusing GitHub
- Adversaries Abuse Dpaste to Store Malicious Files
- ClickFix, FileFix… So What?
- Hunting for Masquerading
- That’s How Adversaries Use PowerShell for Mutex Detection
- Adversaries Keep Abusing Microsoft Console Debugger
- Hunting for PhantomVAI Loader’s Behaviors
OSINT Team: Mapping Cyber Adversaries: How MITRE ATT&CK Helps You See Attacks Before They Happen
Marcelo Ruano at Outpost24: Carding ecosystem: The fall of traditional financial cybercrime
Palo Alto Networks
- PhantomVAI Loader Delivers a Range of Infostealers
- Anatomy of an Attack: The “BlackSuit Blitz” at a Global Equipment Manufacturer
- Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities
Picus Security
- Scattered LAPSUS$ Hunters: 2025’s Most Dangerous Cybercrime Supergroup
- Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
Proofpoint: When the monster bytes: tracking TA585 and its arsenal
Qi’anxin X Lab: StealthServer: A Dual-Platform Backdoor from a South Asian APT Group
Recorded Future: How to Mitigate Supply Chain Attacks
Jesse Griggs at Red Canary: Commanding attention: How adversaries are abusing AI CLI tools
Resecurity: Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate
Rexor Vc0CTI: The Dark Cloak
SANS Internet Storm Center
- Heads Up: Scans for ESAFENET CDG V5 (Mon, Oct 13th)
- Clipboard Pictures Exfiltration in Python Infostealer (Wed, Oct 15th)
- TikTok Videos Promoting Malware Installation (Fri, Oct 17th)
- New DShield Support Slack (Thu, Oct 16th)
Securelist
- Mysterious Elephant: a growing threat
- Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution
- Post-exploitation framework now also delivered via npm
Seqrite
- Judicial Notification Phish Targets Colombian Users – .SVG Attachment Deploys Info-stealer Malware
- Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)
- Operation MotorBeacon: Threat Actor targets Russian Automotive Sector using .NET Implant
Shantaciak
- Where Blue Teams Stop Reacting and Start Designing
- Sparking Curiosity: The Detection Engineering Life Cycle
Kirill Boychenko at Socket: 131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store
Sophos: Threat Intelligence Executive Report – Volume 2025, Number 5
Soumyadeep Basu: Detecting AWS X-Ray C2 Abuse
Michael Haag at Splunk: The Lost Payload: MSIX Resurrection
Squiblydoo: DeceptionPro: getting ahead of cybercrime
Sublime Security
- Google Careers impersonation credential phishing scam with endless variation
- Facebook credential phishing with job scams impersonating well-known companies
Gabriel Barbosa at Sucuri: Contact Form Spam Attack: An Innocent Feature Caused a Massive Problem
SuspectFile
- The Alliance That Wasn’t: A Critical Analysis of ReliaQuest’s Q3 2025 Ransomware Report
- Allardyce Bower Consulting data breach: cyber insurance not activated, reasons remain unclear
- Why Allardyce Bower Consulting’s Ransomware Insurance Didn’t Work as Expected
Symantec Enterprise: Jewelbug: Chinese APT Group Widens Reach to Russia
Synacktiv: LinkPro: eBPF rootkit analysis
System Weakness
- LetsDefend — SOC Simulator — EventID: 44 / EN version
- CyberTalents Digital Forensics: “Just Smile” write-up
- CyberTalents Digital Forensics: “Hack a nice day” write-up
- CyberTalents Digital Forensics: “XMEN-Files” write-up
THOR Collective Dispatch
- Sliver BOFs in Action: Bringing Sliver Armory BOFs to Purple Teaming
- Aligning Risk Management and Threat-Informed Defense Practices (Part 1)
Maulik Maheta at Trellix: The Silent Threat in Active Directory: How AS-REP Roasting Steals Passwords Without a Trace and Trellix NDR’s Rapid Detection
Junestherry Dela Cruz at Trend Micro: Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing
Stephen Kowski at Varonis: Inbox Infiltration: The File Type You’re Overlooking
Vasilis Orlof at Cyber Intelligence Insights
- Mapping latest Lumma infrastructure
- Intel Drops #3
Vectra AI
- Qilin’s 2025 playbook, and the security gap it exposes, by Lucie Cardiet
- From Conti to Black Basta to DevMan: The Endless Ransomware Rebrand, by Lucie Cardiet
Rami McCarthy at Wiz: Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces
Darshit Ashara, Pratik Kadam, and Michael Wylie at ZScaler: Search, Click, Steal: The Hidden Threat of Spoofed Ivanti VPN Client Sites
UPCOMING EVENTS
Black Hills Information Security: Talkin’ Bout [infosec] News 2025-10-20 #livestream #infosec #news
Dragos: CAPTURE THE FLAG 2025
Magnet Forensics: Overcoming mobile forensics challenges in workplace investigations
Simply Cyber: From Help Desk to SOC: How KevTech Broke Into Cybersecurity Without Certs | Simply Defensive S5 E3
Spur: From Pyongyang to your SaaS: Spotting DPRK Tactics in Zoom & Slack
PRESENTATIONS/PODCASTS
Adversary Universe Podcast: A Brief History of Ransomware
Black Hills Information Security: Talkin’ Bout [infosec] News 2025-10-13 #livestream #infosec #infosecnews
Brett Shavers: Every Seat But the Judge’s
Cellebrite
- Tip Tuesday: Cellebrite Autumn 2025 Release Special
- Tip Tuesday: Registering for the Cellebrite CTF
- Registration is OPEN for Cellebrite’s CTF 2025
Amy Ciminnisi at Cisco’s Talos: Laura Faria: Empathy on the front lines
Cloud Security Podcast by Google: EP247 The Evolving CISO: From Security Cop to Cloud & AI Champion
Cyber from the Frontlines: E18 The AI Threat Equation: From Models to Malware
InfoSec_Bret: SA – SOC235 EventID: 197 (Atlassian Confluence Broken Access Control 0-Day CVE-2023-22515)
John Hammond: Script-Based Malware Analysis! stealing passwords
Magnet Forensics
- Cloud or on-prem? Why not both — discover the new Nexus hybrid agent
- Banish your mobile device backlogs and bottlenecks with Magnet Graykey Fastrak and Magnet Automate
Monolith Forensics: Evidence Details in Monolith
MSAB
- #MSABMonday – Hash Tree Builder update (Selection) in XRY 11.2.0
- Forensic Fix Episode 23
MyDFIR: Turning Your Labs Into Real SOC Experience (That Gets You Noticed)
Parsing the Truth: One Byte at a Time: The Thing about Pam Hupp & Russ Faria’s Retrial (Part 2)
Three Buddy Problem: JAGS LABScon 2025 keynote: Steps to an ecology of cyber
MALWARE
Any.Run: New Malware Tactics: Cases & Detection Tips for SOCs and MSSPs
Erik Pistelli at Cerbero: MSI Format Package
Cyble: GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware
Jeroen Beckers at NVISO Labs: Patching Android ARM64 library initializers for easy Frida instrumentation and debugging
Sekoia: Defrosting PolarEdge’s Backdoor
Shubho57: Analysis of a malicious APK file
Alan Sguigna at White Knight Labs: Microsoft WinDbg Time Travel Debugging versus Intel Processor Trace
Zhassulan Zhussupov: MacOS hacking part 12: reverse shell for ARM (M1). Simple Assembly (M1) example
Padvish Malware Threat Database: ShrinkLocker
MISCELLANEOUS
Anton Chuvakin: SIEM, Startups, and the Myth (Reality?) of IT Inertia: A Reformed Analyst Reflects on SIEM MQ 2025
Brett Shavers: When the Investigation Gets Lost in the Machine
Brett Shavers at DFIR.Training: If Your Case Fell Apart, It Probably Wasn’t the Tool’s Fault
Josibel Mendoza at DFIR Dominican: DFIR Jobs Update – 10/13/25
Michael Karsyan at Event Log Explorer blog: Windows Event Log API Bug Ruins Most Event Log Software
F-Response: Know your F-Response versions…
Forensic Focus
- Oxygen Forensics Releases Oxygen Remote Explorer v1.9.1
- Forensic Imaging Of A Third-Party’s Cellphone Denied In FMLA Suit
- Digital Forensics Jobs Round-Up, October 13 2025
- Matthew Plascencia, Digital Forensic Investigator, Exhibit A Cyber
- Passware Kit 2025v4 Released: Unlock Transcend Portable SSDs
- Digital Forensics Round-Up, October 15 2025
- Amped Software Launches New Three-Part Blog Series: A Real Case-Based Forensic Video Workflow With Amped FIVE
- Oxygen Forensics Training – Extraction in a Box (XiB)
- Detego Global And Raven Enter Strategic Partnership To Tackle Child Exploitation Through Technology
Hornet Security: What the UK ransomware payment ban means for your business
Howard Oakley at ‘The Eclectic Light Company’
- Inside the Unified Log 5: Navigation
- Inside the Unified Log 6: Difficult times
Mahmoud Soheem
- Getting Started with The DFiR Galaxy Workstation
- DFiR Galaxy Workstation: A Swiss army knife for DFIR Investigations
- Available Tools in DFiR Galaxy Workstation
MISP: MISP performance tuning
Oxygen Forensics
- Add The Best Possible Translation to Your Digital Investigations
- How to Extract and Parse Data from ChatGPT
Ryan G. Cox at The Cybersec Café: How to Improve Your Security Posture After a Security Incident
SOFTWARE UPDATES
Amped: Amped FIVE Update 38827: New Filter Presets, Project Snapshots, and Advancements to Convert DVR, Annotate, Compression Analysis, Advanced File Info, and Much More
Belkasoft: What’s new in Belkasoft X v.2.9
Cellebrite: Autumn 2025 Release: Entering the Next Frontier in Digital Investigations and Mobile Cybersecurity
Doug Metz at Baker Street Forensics: Streamline Digital Evidence Collection with CyberPipe 5.2
Elcomsoft: iOS Forensic Toolkit 8.80 enhances logical acquisition, adds support for Apple Unified Logs
F-Response: F-Response 8.7.1.36 Now Available
Logisek: ThreatHunting – Windows Event Log Threat Hunting Toolkit
Manabu Niseki: Mihari v8.2.1
MISP: MISP 2.5.23 Released with Enhanced Benchmarking, Many Bug Fixes, and Documentation Updates
North Loop Consulting: KeyProgrammerParser v4.1
OpenCTI: 6.8.6
Passware: Passware Kit 2025 v4 Now Available
X-Ways
- X-Ways User Forum: X-Ways Forensics 21.2 SR-13
- X-Ways User Forum: X-Ways Forensics 21.3 SR-12
- X-Ways User Forum: X-Ways Forensics 21.4 SR-8
- X-Ways User Forum: X-Ways Forensics 21.5 SR-9
- X-Ways User Forum: X-Ways Forensics 21.6 Beta 7
That's all for this week! If you think I've missed something, or would like me to cover something specifically, please get in touch via the contact page or on social channels!
Take my courses! Use discount code thisweekin4n6 for 15% off any Cyber5w course. Use code PM15 or click this link for 15% off your next Hexordia course.