Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Fake Errors Used to Trick Users into Executing Malware
A new campaign uses fake errors from Google Chrome, Word, and OneDrive to trick users into running malicious PowerShell scripts that install malware.
Top 5 takeaways:
😈 Multiple actors, including ClearFake, ClickFix, and TA571, are involved, with TA571 known for large-scale spam leading to infections.
🥸 The campaign relies on social engineering, presenting fake problems and solutions to prompt user action without considering the risks.
🧑‍💻 Users are misled by fake error messages to copy and paste scripts into PowerShell or the Run dialog box. The scripts perform various malicious activities, including downloading additional malware.
⚡ Three main attack chains have been observed, differing in their initial stages. Methods range from compromised websites to email-based HTML attachments.
🛡️ Organizations should train users to recognize and report suspicious activity.
UK Hacker With Ties to Scattered Spider Gets Arrested
A 22-year-old UK hacker, associated with the notorious cybercrime group Scattered Spider, was arrested in Spain.
Top 4 takeaways:
😈 Scattered Spider is known for sophisticated social engineering, SIM swapping, ransomware, and data theft extortion.
⚡ The group has targeted finance and insurance industries, using methods like phishing and Okta permissions abuse.
👮 The FBI and Spanish Police collaborated on the arrest, with charges for related hackers forthcoming.
👤 The individual arrested is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name “tylerb” on Telegram channels related to SIM-swapping.
Hackers Target Exposed Docker APIs
Cyber security researchers have discovered new malware targeting Docker API endpoints for cryptocurrency mining.
Top 5 takeaways:
😈 The campaign shares tactics with the previous Spinning YARN activity (March 2024), which also focused on cryptojacking and targeted misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services.
⚡ Attackers scan for open Docker port 2375, confirm the host’s availability, and then exploit it by spawning an Alpine Linux container to gain privileged access.
🪲 The malware uses a base64-encoded shell script and a Go-compiled binary named vurl to retrieve payloads from C2 servers, requiring a specific user agent to avoid detection.
🎯 The campaign aims to hijack Docker host resources to mine cryptocurrency and ensures persistent access to victim machines via SSH for potential additional objectives.
🥷 The attackers have shifted some functionalities from shell scripts to Go code, likely to hinder analysis efforts.
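As an added example (not code from the article or the researchers it cites), the following Python audit checks the two conditions this story turns on from the defender's side: a dockerd that listens on TCP 2375 without TLS, and a running privileged container built from an Alpine image. The `hosts`/`tls`/`tlsverify` keys of daemon.json and the `Config.Image`/`HostConfig.Privileged` fields of `docker inspect` are real; the sample inputs are constructed.

```python
"""Audit a Docker host for the exposure pattern described in the article:
an unauthenticated remote API on port 2375 plus a privileged Alpine container.
"""
import json

DOCKER_PLAINTEXT_PORT = 2375  # default port for the API without TLS


def exposed_plaintext_hosts(daemon_json: str) -> list[str]:
    """Return tcp:// listeners from daemon.json that serve the API without TLS.

    `tls`/`tlsverify` are the real dockerd settings; when either is on, the
    TCP listener at least requires a client certificate and is not flagged.
    """
    cfg = json.loads(daemon_json)
    if cfg.get("tls") or cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def _image_name(image: str) -> str:
    """Strip registry, tag and digest: 'localhost:5000/alpine:3.19' -> 'alpine'."""
    return image.rsplit("/", 1)[-1].split("@")[0].split(":")[0]


def suspicious_containers(inspect_json: str) -> list[dict]:
    """Flag `docker inspect` records that are privileged and Alpine-based,
    the combination the campaign uses to reach the host from inside a container."""
    findings = []
    for c in json.loads(inspect_json):
        image = c.get("Config", {}).get("Image", "")
        if c.get("HostConfig", {}).get("Privileged") and _image_name(image) == "alpine":
            findings.append({"id": c.get("Id", "")[:12], "image": image})
    return findings


# Constructed sample input (not real data): a daemon listening on all
# interfaces without TLS, plus two containers, one matching the pattern.
SAMPLE_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)
SAMPLE_INSPECT_JSON = json.dumps([
    {"Id": "0123456789abcdef" * 4, "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Privileged": True}},
    {"Id": "fedcba9876543210" * 4, "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False}},
])

if __name__ == "__main__":
    print("plaintext API listeners:", exposed_plaintext_hosts(SAMPLE_DAEMON_JSON))
    print("privileged alpine containers:", suspicious_containers(SAMPLE_INSPECT_JSON))
```

On a live host the same functions can be fed the contents of `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -q)`.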
New Phishing-as-a-Service Platform Targets Microsoft 365 Accounts
ONNX Store is a new PhaaS platform targeting Microsoft 365 accounts of financial firm employees using QR codes in PDF attachments.
Top 5 takeaways:
⚡ It operates via Telegram bots, features 2FA bypass mechanisms, and uses malicious QR codes to direct victims to phishing pages. It also has a strong resemblance to the Caffeine phishing kit.
🥷 ONNX Store provides improved OPSEC for threat actors, with services controlled through Telegram bots and support channels.
🪪 The stolen credentials enable account hijacking, sensitive information exfiltration, or resale for further attacks.
😈 ONNX Store offers subscription tiers, customizable phishing templates, encrypted JavaScript for obfuscation, and uses Cloudflare services for domain protection.
🛡️ Recommended defenses include blocking certain attachments and setting up FIDO2 hardware security keys.
Crypto Exchange Loses $3 Million in Zero-Day Attack
The Kraken crypto exchange reported that a zero-day website bug was exploited by an alleged security researcher to steal $3 million in cryptocurrency.
Top 5 takeaways:
🪲 The bug, which allowed artificial balance inflation in Kraken wallets, was discovered following a vague bug report on June 9th.
💸 After discovering the zero-day bug, a security researcher and two associates used it to artificially inflate the balance on their Kraken wallets and withdrew about $3 million. They then demanded payment for the bug’s disclosure.
🛡️ Kraken swiftly fixed the issue, ensuring no user funds were affected, and refused to pay the bounty as the researchers did not follow the proper protocol.
🤚 Blockchain security firm CertiK admitted to the breach, claiming it was part of testing and accused Kraken of threatening actions.
👮 Evidence suggests probing began earlier than CertiK’s claim, and Kraken is treating the incident as a criminal case with law enforcement involved. They also refused to disclose the researchers’ identities.
Top Tips of the Week
Threat Intelligence
- Implement CTI in threat intelligence awareness sessions. Educate the broader organization on the value and application of threat intelligence.
- Consider the legal and ethical aspects of CTI. Ensure that intelligence gathering and sharing align with regulations and best practices.
- Develop threat intelligence guidelines. Establish best practices for the collection, analysis, and dissemination of intelligence.
Threat Hunting
- Conduct threat hunting exercises. Simulate scenarios to test readiness and identify areas for improvement.
Custom Tooling
- Collaborate with cybersecurity experts in custom tool development. Benefit from diverse perspectives and specialized knowledge.
- Document your custom tools comprehensively. Clear documentation aids in maintenance, troubleshooting, and knowledge transfer.
- Implement a feedback loop with end-users for custom tools. Gather insights on user experiences to drive continuous improvement.
Feature Article
Cyber threat intelligence (CTI) is difficult. It requires meticulous data collection, thorough investigation, and critical thinking skills. A difficulty people often forget about is CTI analysis bias and how it can entrap new analysts.
All analysts have bias. It is what makes us human. However, in CTI, you must eliminate bias to avoid inaccurate and misleading intelligence assessments that fail to accurately inform key stakeholders. This guide will show you how to avoid those biases.
You will learn what CTI analysis bias is, the different types of bias, and how to overcome bias using various strategies. This will empower you to avoid the common pitfalls many new CTI analysts fall into and produce actionable intelligence backed by evidence.
Let’s get started!
Learning Resources
The Power of Journaling
Journaling can help you solve problems, achieve mental clarity, and capture insights and memories. This excellent video shares evidence-based strategies for journaling effectively and the tangible benefits, such as reducing stress, making strategic decisions, and asking life-changing questions.
You Can Now Write C, Go, and Rust Scripts!
A tool called Scriptisto now lets you write scripts for popular compiled languages like C, Go, and Rust. But do the benefits outweigh the challenges when you could just use Bash or Python?
This excellent demo explores these questions and answers whether sticking with a scripting language might be worthwhile.
Unleash the Power of a Project Management Tool
ClickUp is an all-in-one project management tool suitable for individuals or teams with its awesome task management and collaboration features. We use it at Kraven to manage projects, boost our productivity, and ensure our cyber threat intelligence workflow remains efficient.
I highly recommend using project management to improve your workflow or manage a team. This great guide will show you how to do this with ClickUp.
Learn From a Productivity Wizard
Ali Abdaal is a former doctor turned entrepreneur who has spent his entire career studying productivity. This insightful interview discusses his journey, the importance of overcoming fear, and the power of identity in shaping our lives.
I recommend it to anyone making a career shift or wanting to become an entrepreneur. It highlights how to adopt healthy habits, remain consistent, and follow your passion.
Personal Notes
🤔 Another busy week at Kraven has come to an end. This week, we focused on two main objectives. Firstly, improving our project management and taking advantage of the many features offered by ClickUp (our chosen project management tool), including automation, integrated email, and various customization options.
Secondly, we started creating video content! It’s been a long time coming, but we have finally begun capturing content so you can learn cyber threat intelligence, threat hunting, and custom tooling in a different form. We hope our video content will make our content more accessible to a wider audience while remaining entertaining and easily digestible.
The first piece of video content we are working on is a revision of our MISP series that covers how to build your own MISP instance from the ground up so you can start collecting, analyzing, and sharing threat intelligence more efficiently.
As always, have a fantastic weekend and enjoy the sun (if you are in the UK)!