Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Story #1: New Attack Targeting Cloud-Hosted AI Models Discovered
Cybersecurity researchers have identified a new attack targeting cloud-hosted large language models (LLMs) using stolen cloud credentials to sell access to other threat actors.
Top 3 takeaways:
- The attack, named LLMjacking, involves exploiting vulnerabilities in the Laravel Framework to gain AWS credentials and access LLM services.
- Attackers use a reverse proxy server for LLM APIs to monetize access to compromised accounts, potentially costing the victim over $46,000 in LLM consumption costs daily.
- To prevent such attacks, organizations are advised to enable detailed logging, monitor for unauthorized activity, and maintain effective vulnerability management.
Story #2: Hackers Use DNS Tunneling to Track Phishing Emails
Hackers are exploiting DNS tunneling to track phishing email interactions and scan networks for vulnerabilities.
Top 4 takeaways:
- They use various encoding methods, such as Base16 or Base64, or custom algorithms, to hide data within DNS queries.
- The first campaign tracked by researchers (“TrkCdn”) focused on tracking victim interactions with phishing emails by encoding content within DNS queries.
- The second campaign spotted (“SecShow”) used DNS tunneling to perform network scanning and identify potential security weaknesses.
- Organizations should implement DNS monitoring and analysis tools to detect unusual traffic patterns and anomalies, such as atypical or high-volume requests.
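As an added defender-side illustration (not code from the original article or from the research it summarises), this Python script applies the monitoring idea above to constructed DNS query log lines: it flags leftmost labels that look Base16/Base64-encoded and counts how many distinct such subdomains hit each registered domain, the "atypical or high-volume" pattern the takeaways recommend watching for. The log format, thresholds and domain names are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log lines (not real data): "<client> <qname>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 4a6f686e20446f65.trk.example-tracker.net
10.0.0.7 53657373696f6e3132.trk.example-tracker.net
10.0.0.7 6f70656e65642d6d61696c.trk.example-tracker.net
10.0.0.9 c2Nhbi0xOTIuMTY4LjEuMQ.scan.example-tunnel.org
10.0.0.9 c2Nhbi0xOTIuMTY4LjEuMg.scan.example-tunnel.org
10.0.0.9 c2Nhbi0xOTIuMTY4LjEuMw.scan.example-tunnel.org
10.0.0.5 cdn.example.com
"""
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)      # Base16-encoded label
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+=*$")   # Base64/base64url-style label

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than real hostnames."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Crude: last two labels. Use the public suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def label_looks_encoded(label: str) -> bool:
    """Long pure-hex labels, or long base64-charset labels with high entropy."""
    if len(label) < 16:
        return False
    if HEX_RE.match(label):   # hex has low entropy, so check its charset first
        return True
    return bool(B64_RE.match(label)) and shannon_entropy(label) > 3.5

def find_tunneling_candidates(log_text: str, min_unique: int = 3) -> dict:
    """Map registered domain -> count of distinct encoded-looking leftmost labels."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        first = parts[1].split(".")[0]
        if label_looks_encoded(first):
            seen[registered_domain(parts[1])].add(first)
    return {d: len(s) for d, s in seen.items() if len(s) >= min_unique}
```

Domains returned are those with many one-shot, encoded-looking subdomains, which is the signature of both the tracking and the scanning campaigns described above; tune `min_unique` and the entropy threshold against your own baseline traffic.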
Story #3: MITRE Releases a Threat Modeling Framework for Embedded Devices
EMB3D is a new threat-modeling framework for embedded devices. It aims to improve cybersecurity in critical infrastructure.
Top 4 takeaways:
- Developed by MITRE in collaboration with experts, EMB3D provides a knowledge base of cyber threats and security mechanisms.
- The framework encourages manufacturers to integrate security early in the design process, reducing the need for later adjustments.
- It addresses the increasing cyber attacks on industrial environments, offering tailored threat models and technical mitigations for device vendors.
Story #4: GCHQ Protects UK Election Candidates From Phone Hacking
The UK’s National Cyber Security Centre (NCSC) has launched the Personal Internet Protection (PIP) service to safeguard individuals’ mobile phones at high risk of cyber attacks.
Top 4 takeaways:
- The service is aimed at those in political life, academia, journalism, and the legal sector, especially in light of the upcoming general election.
- PIP will use a DNS server to block connections to suspect domains and alert users about malicious sites, like the existing Protective Domain Name Service (PDNS).
- The initiative is part of efforts to defend against espionage by cyber actors who target the personal and official accounts of political figures and election officials.
- This service is a proactive measure to enhance the cyber security of influential individuals during a critical election period.
Story #5: Windows Quick Assist Is Being Used to Spread Black Basta Ransomware
Financially motivated cybercriminals abuse the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims’ networks.
Top 4 takeaways:
- Cybercriminals are impersonating Microsoft support in social engineering attacks to gain remote access to devices and install malicious tools using Windows Quick Assist.
- Once they can access a machine, the criminals deploy Black Basta ransomware, which has been used to breach over 500 organizations, target multiple sectors, and collect significant ransom payments.
- Microsoft advises uninstalling Quick Assist if not used and training employees to recognize tech support scams.
Top Tips of the Week
Threat Intelligence
- Validate threat intelligence regularly. Ensure the accuracy and relevance of information for informed cybersecurity decisions.
- Integrate CTI into incident response processes. Proactive threat intelligence enhances swift and effective incident handling.
- Collaborate with external CTI experts for threat assessments. Leverage their specialized knowledge to enhance your organization’s threat intelligence capabilities.
Threat Hunting
- Understand the tactics, techniques, and procedures of threat actors. Identify and respond effectively.
- Embrace a threat-centric mindset in cyber threat hunting. Infuse threat intelligence into your organization’s DNA for a proactive cybersecurity culture.
- Learn from historical incidents in cyber threat hunting. Analyzing past events provides insights for improving threat intelligence and incident response.
Custom Tooling
- Collaborate with threat intelligence teams in custom tool development. Leverage real-time insights to enhance threat detection capabilities.
Feature Article
The Traffic Light Protocol (TLP) is a framework for classifying information’s sensitivity and providing guidance on how to handle it. It is a designation system widely used in cyber security, particularly cyber threat intelligence.
This quick guide will teach you everything you need to know about the framework, from the four colors it uses to classify information to how to use it in the real world and implement it at your organization using a five-step process. You will learn the benefits of TLP and best practices that will fast-track your success, and you will be ready to use the framework today!
Let’s jump straight in and explore this classification system.
Learning Resources
Kerberos Golden Ticket Attack Explained
Learn what a golden ticket attack is in this comprehensive guide. You’ll discover its mechanics, the tools to perform one, and the dangers involved.
Take Your Team’s Productivity to the Next Level!
Microsoft has released Loop, and it could be a real benefit for your team’s productivity, collaboration, and efficiency. Watch this guide to learn more!
I use Loop for meeting notes and coordinating ad-hoc projects.
5 Steps to Improve at Anything
- Pick something simple you want to get better at.
- Create or do the thing.
- Review similar things other top creators/performers have done.
- Apply what you learn from comparison.
- Repeat!
A simple but effective process. Watch this video to learn more!
The Ladder to Financial Freedom…
- Time for money (employment)
- Owning a service business
- Productized services
- Selling products
Climb this ladder to achieve your financial goals faster!
Personal Notes
🤔 Last week, we made a big switch at Kraven by moving our IT systems to Microsoft. This meant shifting our business processes and data to new applications, storage solutions, and project management tools—quite a task.
Not to outdo ourselves, we also shifted our Coaching and Mentorship booking system to TidyCal to make it easier for clients to book, schedule, and pay for sessions. This was a bit easier than completely switching to a Microsoft shop, but it is a more significant change to what our clients see (you may have noticed it on our new Services pages).
Hopefully, this investment in new software and workflows will make our clients’ (and our) lives easier going forward. These investments have taught me that sometimes you must spend to free up resources for revenue-generating activities and provide clients with a more consistent experience.
We hope to keep exploring and making the most of these new technologies over the coming weeks.