Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Story #1: Hackers Target Check Point VPN for Initial Access
Check Point has issued an advisory about ongoing attacks targeting their Remote Access VPN devices.
Top 5 takeaways:
- Threat actors are exploiting old local accounts with insecure password-only authentication.
- Check Point observed a small number of login attempts using outdated VPN local accounts and has identified this as a trend.
- Customers are advised to secure their accounts by changing authentication methods or deleting vulnerable accounts, guided by a support document.
- A Security Gateway hotfix has been deployed to block local accounts from authenticating with a password.
- This incident is part of a larger pattern of attacks on VPN devices, including those from Cisco and other vendors, involving credential brute-forcing and exploitation of zero-day vulnerabilities.
Story #2: Hackers Exploit Cloudflare Workers for Phishing
Cyber security researchers have identified phishing campaigns that exploit Cloudflare Workers to create phishing sites targeting Microsoft, Gmail, Yahoo!, and cPanel Webmail users.
Top 3 takeaways:
- The attacks use Cloudflare Workers as a reverse proxy to intercept credentials, cookies, and tokens by posing as legitimate login pages.
- They also use HTML smuggling, which assembles a malicious payload on the client side to bypass security measures. This technique displays fraudulent HTML pages and delivers malware.
- Once access is gained, attackers harvest credentials and MFA codes to access victims’ accounts and monitor subsequent activities.
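The HTML smuggling technique described in this story leaves recognisable traces in the page that arrives in the victim's browser or mailbox: a large encoded literal, a client-side decode, and browser APIs that turn the decoded bytes into a file download. The scanner below is an added example written for this newsletter, not code from the original story or from the researchers who reported the campaign. It checks an HTML document for those indicators and only calls the document suspicious when a decoding indicator and a delivery indicator appear together, so a page that merely decodes a JWT or offers a plain download link is not flagged. All three sample documents are constructed; the "payload" in the first one is 300 bytes of padding.

```python
"""Heuristic scanner for HTML smuggling indicators in HTML bodies or attachments."""
import base64
import re

# Indicators of client-side payload assembly: the payload arrives encoded inside the page.
ASSEMBLY_INDICATORS = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "large_base64_literal": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

# Indicators of client-side delivery: the assembled bytes are handed to the user as a file.
DELIVERY_INDICATORS = {
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"navigator\.msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.IGNORECASE),
}


def scan_html(html: str) -> dict:
    """Return the indicator names that matched and a verdict.

    The verdict is True only when at least one assembly indicator AND one delivery
    indicator are present. Decoding alone (reading a JWT, say) is common in benign
    pages, and so is a plain download link; the combination is what characterises
    a payload being built and dropped on the client side.
    """
    assembly_hits = [name for name, rx in ASSEMBLY_INDICATORS.items() if rx.search(html)]
    delivery_hits = [name for name, rx in DELIVERY_INDICATORS.items() if rx.search(html)]
    return {
        "hits": assembly_hits + delivery_hits,
        "suspicious": bool(assembly_hits) and bool(delivery_hits),
    }


# Constructed sample 1: an encoded literal is decoded and written out as a file.
# The encoded content is just 300 bytes of padding, not a real file.
_PADDING = base64.b64encode(b"x" * 300).decode()
SMUGGLING_SAMPLE = f"""<html><body>
<script>
var decoded = atob("{_PADDING}");
var blob = new Blob([decoded]);
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.pdf";
</script>
</body></html>"""

# Constructed sample 2: a login page that decodes a short token for display. Benign.
JWT_SAMPLE = """<html><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<script>
var token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig";
var claims = JSON.parse(atob(token.split(".")[1]));
</script>
</body></html>"""

# Constructed sample 3: an ordinary download link. Benign.
DOWNLOAD_LINK_SAMPLE = """<html><body>
<a href="/files/report.pdf" download="report.pdf">Quarterly report</a>
</body></html>"""


if __name__ == "__main__":
    for label, doc in [("smuggling", SMUGGLING_SAMPLE), ("jwt", JWT_SAMPLE),
                       ("download-link", DOWNLOAD_LINK_SAMPLE)]:
        print(label, scan_html(doc))
```

Run it over saved e-mail attachments or proxy-captured HTML; a hit on the first sample and a pass on the other two shows the two-group rule doing its job. The regexes are deliberately simple, so treat a verdict as a triage signal to be confirmed by looking at the page, not as a block decision on its own.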
Story #3: New FakePenny Ransomware Linked to North Korea
Microsoft has identified a North Korean hacking group known as Moonstone Sleet (formerly Storm-17) as responsible for the recent FakePenny ransomware attacks.
Top 5 takeaways:
- This group has demanded ransoms up to $6.6 million in BTC, a significant increase from its previous demand of $100,000.
- Moonstone Sleet’s activities include deploying trojanized software, malicious games, npm packages, and establishing fake companies to engage with victims through social media and professional networks.
- Initially, Moonstone Sleet shared similarities with another group called Diamond Sleet, but it has since developed its own unique infrastructure and attack methods. Microsoft has observed both groups conducting simultaneous operations, with Diamond Sleet maintaining its established techniques.
- The primary goal of Moonstone Sleet appears to be financial gain, although they have also been involved in cyber espionage. They have targeted various sectors, including software, IT, education, and defense.
- This group’s evolution and the addition of ransomware to its arsenal indicate an expansion of capabilities and a focus on disruptive operations.
Story #4: Cybercriminals Use Stack Overflow to Push Malware
Cybercriminals are using Stack Overflow to spread malware by answering questions with a malicious PyPI package named ‘pytoileur’.
Top 5 takeaways:
- Sonatype researcher Ax Sharma uncovered the activity, noting that the package is part of the ‘Cool package’ campaign targeting Windows users.
- The threat actors answer Stack Overflow queries, promoting ‘pytoileur’ as a solution, which is actually malware designed to steal information from Windows systems.
- The package contains a ‘setup.py’ file with an obfuscated command that downloads and executes ‘runtime.exe’, a Python program converted into an executable that functions as information-stealing malware.
- The malware harvests sensitive data like cookies, passwords, browser history, and credit cards, and searches documents for specific phrases to steal data.
- Developers are cautioned to verify the source of all packages, check the code for unusual commands, and not to trust online shared content blindly.
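The last takeaway, checking a package's code for unusual commands before installing it, can be partly automated. The script below is an added example written for this newsletter; it is not Sonatype's tooling and it does not reproduce the real ‘pytoileur’ package. It parses a ‘setup.py’ with Python's ast module and reports calls that have no business in a build script (exec/eval, shell or process launches, network fetches, base64 decoding), a cmdclass override that hooks the install step, and lines that are long enough to push code off the visible edge of an editor. The three setup.py texts are constructed; the base64 string in the second decodes to a harmless print statement and is never executed.

```python
"""Static triage of a setup.py for install-time code execution indicators."""
import ast
from typing import Dict, List

# Leaf function names that are rarely legitimate inside a build script.
SUSPICIOUS_LEAVES = {"exec", "eval", "system", "popen", "Popen", "check_output",
                     "check_call", "urlopen", "urlretrieve", "b64decode"}
# Fully qualified calls to flag as well.
SUSPICIOUS_FULL = {"subprocess.run", "subprocess.call", "requests.get", "requests.post"}
MAX_LINE_LENGTH = 300  # heuristic chosen for this example, not a published threshold


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain such as os.system, '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_setup_py(source: str) -> List[Dict]:
    """Return a list of findings, each with a line number, a kind and a detail string."""
    findings: List[Dict] = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A setup.py that will not parse is itself worth a look.
        findings.append({"line": exc.lineno or 0, "kind": "parse_error", "detail": str(exc)})
        tree = None

    if tree is not None:
        for node in ast.walk(tree):
            if not isinstance(node, ast.Call):
                continue
            name = _dotted_name(node.func)
            if name.split(".")[-1] in SUSPICIOUS_LEAVES or name in SUSPICIOUS_FULL:
                findings.append({"line": node.lineno, "kind": "call", "detail": name})
            # setup(..., cmdclass={...}) lets the package run its own code at install time.
            if name.split(".")[-1] == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.append({"line": node.lineno, "kind": "install_hook",
                                         "detail": "cmdclass"})

    # Layout heuristic: code hidden far to the right of a very long line.
    for lineno, line in enumerate(source.splitlines(), 1):
        if len(line) > MAX_LINE_LENGTH:
            findings.append({"line": lineno, "kind": "layout",
                             "detail": f"line length {len(line)}"})
    return findings


# Constructed sample 1: an ordinary setup.py.
BENIGN_SETUP = '''from setuptools import setup, find_packages

setup(
    name="demo-pkg",
    version="0.0.1",
    packages=find_packages(),
    install_requires=["requests>=2.0"],
)
'''

# Constructed sample 2: an install hook that decodes and executes an embedded string.
# "cHJpbnQoJ2hpJyk=" is base64 for print('hi'); the scanner never runs it.
SUSPICIOUS_SETUP = '''from setuptools import setup
from setuptools.command.install import install
import base64

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))

setup(name="demo-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample 3: a shell command appended after 400 spaces on an otherwise normal line.
HIDDEN_SETUP = ('from setuptools import setup\nimport os\n\n'
                'setup(name="demo-pkg", version="0.0.1")' + " " * 400
                + ';os.system("echo constructed sample")\n')


if __name__ == "__main__":
    for label, text in [("benign", BENIGN_SETUP), ("hook", SUSPICIOUS_SETUP),
                        ("hidden", HIDDEN_SETUP)]:
        print(label, scan_setup_py(text))
```

Point it at the setup.py extracted from a downloaded sdist before running pip install. Use the findings as a prompt to read the file yourself: a cmdclass override is legitimate in some packages, and a malicious author can hide a command behind names the leaf-name list does not know, so an empty result is not a clean bill of health.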
Story #5: Rogue VMs Used to Hack MITRE in Recent Cyber Attack
The MITRE Corporation experienced a cyber attack in late December 2023, where hackers exploited zero-day flaws in Ivanti Connect Secure (ICS) and created rogue virtual machines (VMs) within MITRE’s VMware environment to evade detection.
Top 3 takeaways:
- The attackers deployed a web shell named BEEFLUSH and a Python-based tunneling tool to facilitate SSH connections, maintain persistent access, and obscure their activities from management interfaces like vCenter.
- MITRE has recommended enabling secure boot to prevent unauthorized modifications and released two PowerShell scripts, Invoke-HiddenVMQuery and VirtualGHOST, to help identify and mitigate threats within VMware environments.
- Organizations are advised to remain vigilant and adaptive to defend against evolving cyber threats, as adversaries continue to refine their tactics and techniques.
Top Tips of the Week
Threat Intelligence
- Establish a threat intelligence sharing community. Collaborate with peers to enhance collective defense against evolving threats.
- Foster cross-industry collaboration in cyber threat intelligence. Learn from practices in other sectors to enhance your defenses.
- Use STIX/TAXII standards for CTI sharing. Standardization enhances interoperability and information exchange.
Threat Hunting
- Validate threat intelligence in cyber threat hunting. Ensure the accuracy and relevance of information for informed cybersecurity decisions.
- Foster cross-industry collaboration. Learn from threat hunting practices in other sectors to enhance your defenses.
- Educate your team. A knowledgeable team is your first line of defense. Train regularly for threat awareness.
Custom Tooling
- Implement continuous integration and continuous deployment (CI/CD) for custom tools. Streamline the development and update process.
Feature Article
Intrusion analysis is a fundamental skill that all cyber security and threat intelligence analysts must have. It requires detecting, triaging, investigating, and responding effectively to an incident – the bread and butter of cyber defense.
This guide will teach you how to do just that. You will learn what intrusion analysis is and how to perform it using a four-step process. You will also see some tools and technologies that will aid you. Also included are some cheat sheets to help you know what to look for, where to find it, and how to use it during your analysis.
Let’s jump in and start exploring intrusion analysis!
Learning Resources
New ChatGPT 4o Offers Killer Features
ChatGPT just released its new language model, 4o, which has many new capabilities. Check out how you can use it to translate conversations, create interactive data visualizations, solve math problems from photos, and even generate code for games based on screenshots.
You can try out this new model completely for free now! How will you use it?
Be More Productive in Your Downtime
We all have chunks of time during our day where we do nothing or waste it by scrolling social media. Learn how to make this time more effective, intentional, and enjoyable in this excellent video from productivity guru Ali Abdaal.
He shares five things you can do whenever you have a spare 5 minutes to be more productive.
Microsoft Announces a Scary New Feature
Microsoft just announced a new feature called “Recall,” which captures snapshots of user activity for easy data retrieval. However, this feature could potentially be a privacy and security nightmare!
This comedic video from Fireship breaks down what you need to know.
Start Writing Online Now!
Writing online and showcasing my learning has been a game changer for my personal and professional development. In this video, Nicholas Cole highlights five reasons to start writing online to build your skills, attract new opportunities, and scale your presence.
I believe everyone should be writing online and sharing their unique insights!
Personal Notes
🤔 Another week down at Kraven. This one was focused on how we can better use AI to help our clients, students, and business. The release of ChatGPT 4o and its awesome capabilities renewed our efforts to integrate AI with our business processes so we can deliver more value more of the time.
From an operational perspective, this involved mapping out all our current business processes, their inputs and outputs, and determining if we could save time or add more value at any stage. For instance, could we use AI to transform our long-form content into social media posts, or could we use it to help brainstorm unique solutions for our clients’ cyber threat intelligence requirements?
There is always great value in playing around with new tools and technologies to explore how they can help you scale your operations or be more productive. I highly recommend exploring how AI and automation can help you at work and in your personal life!