#Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

#CloudForensics #FOR509 #AWS

Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C

The Halcyon RISE Team has identified a unique ransomware technique that encrypts Amazon S3 buckets with no known method to recover unless a ransom is paid...
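As an added illustration of the monitoring the post recommends (not code from the post, from Halcyon or from AWS), the script below triages CloudTrail S3 data events and raises an alert when one identity performs repeated object writes with customer-provided keys. It assumes the events are available as parsed JSON and that CloudTrail reports the applied encryption mode in `additionalEventData.SSEApplied` (`"SSE_C"` for customer-provided keys); the secondary header check and the sample records are constructed for the example.

```python
"""Flag S3 object writes that used SSE-C (customer-provided keys) in CloudTrail data events.

Added example; assumes CloudTrail S3 data events as parsed JSON dicts and that the
applied encryption mode is reported in additionalEventData.SSEApplied.
"""
from collections import defaultdict

# Constructed sample records for illustration only (not real CloudTrail output).
SAMPLE_EVENTS = [
    {   # in-place CopyObject with a customer-provided key: the object is rewritten encrypted
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/compromised-user"},
        "requestParameters": {"bucketName": "victim-bucket", "key": "finance/q1.xlsx",
                              "x-amz-server-side-encryption-customer-algorithm": "AES256"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/compromised-user"},
        "requestParameters": {"bucketName": "victim-bucket", "key": "finance/q2.xlsx"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/compromised-user"},
        "requestParameters": {"bucketName": "victim-bucket", "key": "finance/q3.xlsx"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {   # normal application write using a KMS key: not interesting
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-writer/i-0abc"},
        "requestParameters": {"bucketName": "victim-bucket", "key": "uploads/report.pdf"},
        "additionalEventData": {"SSEApplied": "SSE_KMS"},
    },
    {   # a read: never counted, whatever the encryption mode
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/compromised-user"},
        "requestParameters": {"bucketName": "victim-bucket", "key": "finance/q1.xlsx"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
]

# Operations that create or rewrite object data.
WRITE_OPS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}


def is_sse_c_write(event):
    """True when an S3 write applied a customer-provided key."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in WRITE_OPS:
        return False
    extra = event.get("additionalEventData") or {}
    if extra.get("SSEApplied") == "SSE_C":
        return True
    # Secondary check (assumption for this example): the SSE-C request header, when logged.
    params = event.get("requestParameters") or {}
    return params.get("x-amz-server-side-encryption-customer-algorithm") == "AES256"


def actor(event):
    """Identity that made the call, falling back to the access key id."""
    identity = event.get("userIdentity") or {}
    return identity.get("arn") or identity.get("accessKeyId") or "unknown"


def sse_c_writes_by_actor(events):
    """Map actor -> bucket -> number of SSE-C writes."""
    counts = defaultdict(lambda: defaultdict(int))
    for event in events:
        if is_sse_c_write(event):
            bucket = (event.get("requestParameters") or {}).get("bucketName", "unknown")
            counts[actor(event)][bucket] += 1
    return {a: dict(b) for a, b in counts.items()}


def alerts(events, threshold=3):
    """One alert per (actor, bucket) reaching the SSE-C write threshold."""
    found = []
    for who, buckets in sse_c_writes_by_actor(events).items():
        for bucket, n in buckets.items():
            if n >= threshold:
                found.append({"actor": who, "bucket": bucket, "sse_c_writes": n})
    return found


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(f"SSE-C write burst: {alert['actor']} wrote {alert['sse_c_writes']} objects to {alert['bucket']}")
```

A single SSE-C write is legitimate in many environments, so the threshold and a known-client allowlist are the tuning points; the value of the `SSEApplied` field is that, unlike the key itself, it is recorded by CloudTrail, whereas the customer-provided key is never stored by AWS and cannot be recovered after the fact.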

Yay, passed my #SANS #FOR509 #GIAC Cloud Forensic Responder (GCFR).

I'd definitely recommend the course if one is interested in cloud and incident response (but finish the "basic" FOR508 before this course).

If you're in, or near #Singapore, and need to level up your #CloudForensics skills, I'll be teaching the SANS Institute #FOR509 #CloudForensics class from the 11th March.

📝 Registration: https://www.sans.org/cyber-security-training-events/secure-singapore-2024/
🧐 Course Info: https://sans.org/for509

#DFIR #IncidentResponse

SANS Secure Singapore 2024 | SANS Institute

SANS Secure Singapore 2024 (4-16 March) offers hands-on cybersecurity training taught by top industry practitioners. Attend Live Online or in Singapore.

Yay! Finished the course content and labs of #SANS #FOR509.

Shout-out to @hecfblog who is a great teacher.

Now only the exam is left...


If you're using any Enterprise licence with #M365, your log retention should now be 180 days by default, at a minimum, plus you now get the "MailItemsAccessed" events to track individual email access.

No news on those using the Business Standard licence types 🙄

#DFIR #CloudForensics #FOR509
https://www.microsoft.com/en-us/security/blog/2023/10/18/expanding-audit-logging-and-retention-within-microsoft-purview-for-increased-security-visibility/

Expanding audit logging and retention within Microsoft Purview for increased security visibility | Microsoft Security Blog

Since our announcement in July 2023, we have made significant efforts to enhance the access of Microsoft Purview's audit logging. This ongoing work expands accessibility and flexibility to cloud security logs. Read about the additional updates coming to Microsoft Purview Audit in the coming weeks.

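As an added example of working with the "MailItemsAccessed" events the post mentions (not code from the post or from Microsoft), the script below summarizes Unified Audit Log export rows per mailbox and client IP address. It assumes each row carries the event as JSON in an `AuditData` field with the `Operation`, `UserId`, `ClientIPAddress`, `ClientInfoString`, `OperationProperties` (`MailAccessType`, `IsThrottled`) and `Folders`/`FolderItems` fields; the rows and addresses are constructed for the example.

```python
"""Summarize MailItemsAccessed records from a Microsoft 365 Unified Audit Log export.

Added example; assumes exported rows with the event JSON in "AuditData" and the
field names listed in the comments below. Sample rows are constructed.
"""
import json
from collections import Counter, defaultdict


def _row(**data):
    """Build one export row the way a CSV/PowerShell export carries it (constructed)."""
    return {"Operations": data["Operation"], "AuditData": json.dumps(data)}


SAMPLE_ROWS = [
    # Interactive read from the usual office address through Outlook on the web.
    _row(CreationTime="2023-10-20T08:01:12", Operation="MailItemsAccessed",
         UserId="alice@example.com", ClientIPAddress="203.0.113.10",
         ClientInfoString="Client=OWA;Action=ViaProxy",
         OperationProperties=[{"Name": "MailAccessType", "Value": "Bind"},
                              {"Name": "IsThrottled", "Value": "False"}],
         Folders=[{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m1@example.com>"},
                                                        {"InternetMessageId": "<m2@example.com>"}]}]),
    # Sync-type access from an unfamiliar address; throttled, so the item list is incomplete.
    _row(CreationTime="2023-10-20T02:14:55", Operation="MailItemsAccessed",
         UserId="alice@example.com", ClientIPAddress="198.51.100.7",
         ClientInfoString="Client=REST",
         OperationProperties=[{"Name": "MailAccessType", "Value": "Sync"},
                              {"Name": "IsThrottled", "Value": "True"}],
         Folders=[{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": f"<s{i}@example.com>"}
                                                      for i in range(5)]}]),
    _row(CreationTime="2023-10-20T09:30:00", Operation="MailItemsAccessed",
         UserId="bob@example.com", ClientIPAddress="203.0.113.10",
         ClientInfoString="Client=OWA;Action=ViaProxy",
         OperationProperties=[{"Name": "MailAccessType", "Value": "Bind"},
                              {"Name": "IsThrottled", "Value": "False"}],
         Folders=[{"Path": "\\Sent Items", "FolderItems": [{"InternetMessageId": "<m3@example.com>"}]}]),
    # Unrelated operation in the same export; must be ignored.
    _row(CreationTime="2023-10-20T09:31:00", Operation="FileAccessed",
         UserId="alice@example.com", ClientIPAddress="203.0.113.10"),
]


def operation_properties(data):
    """Flatten the Name/Value list into a dict."""
    return {p.get("Name"): p.get("Value") for p in data.get("OperationProperties", [])}


def items_accessed(data):
    """Count the individual mail items listed under each folder."""
    return sum(len(folder.get("FolderItems", [])) for folder in data.get("Folders", []))


def summarize(rows):
    """Aggregate MailItemsAccessed events per (mailbox, client IP)."""
    summary = defaultdict(lambda: {"events": 0, "items": 0, "throttled": 0,
                                   "access_types": Counter(), "clients": set(), "folders": set()})
    for row in rows:
        data = json.loads(row["AuditData"])
        if data.get("Operation") != "MailItemsAccessed":
            continue
        entry = summary[(data.get("UserId"), data.get("ClientIPAddress"))]
        props = operation_properties(data)
        entry["events"] += 1
        entry["items"] += items_accessed(data)
        entry["access_types"][props.get("MailAccessType", "unknown")] += 1
        # A throttled record means the listed items are a lower bound, not the full set.
        if props.get("IsThrottled", "False") == "True":
            entry["throttled"] += 1
        entry["clients"].add(data.get("ClientInfoString", ""))
        for folder in data.get("Folders", []):
            entry["folders"].add(folder.get("Path", ""))
    return dict(summary)


def flag_unexpected(summary, expected_ips):
    """Return the (mailbox, ip) keys whose client address is outside the expected set."""
    return [key for key in summary if key[1] not in expected_ips]


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    for (user, ip) in flag_unexpected(result, {"203.0.113.10"}):
        entry = result[(user, ip)]
        print(f"{user} accessed >= {entry['items']} items from {ip} "
              f"({dict(entry['access_types'])}, throttled events: {entry['throttled']})")
```

Sync-type access from an address the mailbox owner does not normally use, and throttled records (which signal high-volume access whose item list is cut short), are the two things worth reviewing first when scoping which messages an intruder actually read.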

Looks like Pizza Hut Australia have started to notify impacted customers of their recent cyber breach.
The threat actor's initial compromise was via an AWS account. Are you ready to investigate an AWS breach?
#CloudForensics #DFIR #FOR509

https://www.databreaches.net/pizza-hut-australia-customer-data-hacked-shinyhunters-claims-to-have-more-than-1-million-customers-information/

Pizza Hut Australia customer data hacked; ShinyHunters claims to have more than 1 million customers’ information

This has not been a great year for Australian citizens whose personal information has been compromised in a number of cyberattacks. Although DataBreaches...

The #BlackCat / #ALPHV #ransomware group have been observed using their #Sphynx loader to target Azure Storage accounts once they steal access keys.
#CloudForensics #DFIR #FOR509

https://infosec.exchange/@SophosXOps/111059621025525782

Sophos X-Ops (@SophosXOps@infosec.exchange)

The threat actors were able to gain access to the customer's Azure portal, where they obtained the Azure key required to access the storage account programmatically. The adversary encoded the keys using base-64 and inserted them into the ransomware binary with execution command lines as shown. The “-o” argument targets an Azure Storage account name and access key, and the same binary was executed multiple times to target 39 unique Azure Storage Accounts, resulting in successful encryption.

Congratulations to our #FOR509 Day 6 Capstone winners in #Singapore last week.
It was one of the closest challenges between the competing teams I've seen.

#CloudForensics
#DFIR @sansapac

I'm running the #FOR509 #CloudForensics course in 🇦🇺Sydney this May, both in-person and virtual.
The new class version includes a #GCFR certification and our Day 6 Capstone Challenge with a multi-cloud #DFIR incident to investigate.

To Register: sans.org/u/1prs
FOR509 Course Info: for509.com/course