Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Android Malware Used for Everything From Espionage to Ransomware
An open-source Android malware, Ratel RAT, is being used by cybercriminals to attack outdated devices, with some campaigns deploying ransomware demanding payment via Telegram.
Top 3 takeaways:
🌍 Over 120 campaigns using Ratel RAT have been detected, targeting high-profile organizations, including government and military sectors, primarily in the US, China, and Indonesia.
📱 The majority of infected devices are running Android versions 11 and older, which are no longer receiving security updates and are vulnerable to known flaws.
🛡️ To defend against these attacks, it’s advised to avoid downloading APKs from dubious sources, refrain from clicking on URLs in emails or SMS, and scan apps with Play Protect before launching them.
GrimResource Exploits the MSC Files and an Unpatched XSS Flaw
A new command execution method has been discovered that uses Microsoft Saved Console (MSC) files and an unpatched Windows XSS flaw to execute code via the Microsoft Management Console (MMC).
Top 4 takeaways:
📁 This new infection method using MSC files, named GrimResource, allows attackers to execute code in the context of mmc.exe after a user opens a crafted MSC file.
🪲 It exploits an old XSS flaw in apds.dll to execute arbitrary JavaScript, combined with DotNetToJScript for code execution. It is being actively exploited to deploy Cobalt Strike using a vulnerable APDS resource in MSC files.
⚡ The technique uses obfuscation, PASTALOADER, and DirtyCLR to inject Cobalt Strike into dllhost.exe without detection.
🛡️ Elastic Security researchers have provided behavior detections, EQL rules, and a YARA rule to identify and defend against this new threat.
WikiLeaks Founder Julian Assange Has Been Released
WikiLeaks founder Julian Assange has been released from a UK prison and is heading to Australia after agreeing to a plea deal that ends a 14-year legal battle.
Top 4 takeaways:
⚖️ Assange pleaded guilty to one count of conspiring to obtain and disclose classified US defense documents, with a sentencing due in Saipan (a remote US island off the coast of Australia).
📰 WikiLeaks, founded in 2006, has published over 10 million documents on war, spying, and corruption, including the notable Vault 7 and Vault 8 releases.
🌏 Following his plea and sentencing, Assange plans to return to Australia. He has already served five years in a British prison while contesting extradition to the US.
🤝 The deal acknowledges WikiLeaks’ role in exposing government corruption and human rights abuses, while Assange’s actions have been both celebrated for press freedom and criticized for national security risks.
100K Sites Hit by Polyfill Supply Chain Attack
Over 110,000 websites have been affected by a supply chain attack involving the hijacked Polyfill[.]io service. A Chinese company acquired the domain and altered the JavaScript library to redirect users to malicious sites.
Top 4 takeaways:
🌐 Google has started blocking ads for eCommerce sites using polyfill[.]io after the domain was bought by a Chinese company and used to inject malware.
⚡ The cdn[.]polyfill[.]io domain, embedded in over 100K sites, was found injecting malware on mobile devices, redirecting users to a fake sports betting site.
🔗 This incident is an example of a supply chain attack, where attackers target less-secure elements in the supply chain to distribute malware.
🛡️ The original Polyfill author advises against using it, suggesting modern browsers don’t need it, while Cloudflare and Fastly provided alternative endpoints.
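The takeaways above point to the defender's first job: find out whether any of your own pages still load scripts from the hijacked domain and whether other third-party scripts are pinned with Subresource Integrity. The script below is an added example written for this newsletter, not code from Polyfill, Cloudflare or Fastly. The sample HTML and the `example-cdn.test` host are constructed; the flagged host list is taken from the story. Note that SRI cannot rescue a polyfill[.]io tag, because that service tailors its response per browser so no single hash applies; consistent with the original author's advice, the only fix the script proposes for it is removal.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the story as hijacked (defanged in the newsletter, real form here).
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Constructed page: one hijacked tag, one unpinned third-party script,
# one SRI-pinned script, and two same-origin resources that should pass.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//example-cdn.test/vendor.js"></script>
<script src="https://example-cdn.test/app.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="/static/local.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body></body></html>
"""


class ResourceTagCollector(HTMLParser):
    """Collect (tag, url, integrity) for every <script src> and stylesheet <link href>."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.tags.append(("script", a["src"], a.get("integrity")))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            self.tags.append(("link", a["href"], a.get("integrity")))


def find_third_party_risks(html, flagged_hosts=FLAGGED_HOSTS):
    """Return a list of findings: hijacked-CDN references and unpinned third-party scripts."""
    parser = ResourceTagCollector()
    parser.feed(html)
    findings = []
    for tag, src, integrity in parser.tags:
        if src.startswith("//"):          # protocol-relative URL still loads cross-origin
            src = "https:" + src
        parsed = urlparse(src)
        if not parsed.netloc:             # relative path: same-origin, not a supply-chain risk
            continue
        host = (parsed.hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in flagged_hosts):
            findings.append({
                "tag": tag, "src": src, "host": host, "issue": "hijacked-cdn",
                "fix": "remove the tag; modern browsers do not need polyfill.io",
            })
        elif tag == "script" and not integrity:
            findings.append({
                "tag": tag, "src": src, "host": host, "issue": "no-sri",
                "fix": "self-host the file or add integrity= and crossorigin= attributes",
            })
    return findings


if __name__ == "__main__":
    for f in find_third_party_risks(SAMPLE_HTML):
        print(f"[{f['issue']}] {f['src']} -> {f['fix']}")
```

Run it against your own rendered pages (a crawler's saved HTML works) rather than templates, since tag managers and CMS plugins often inject the script at render time.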
The Majority of Critical Open Source Projects Don’t Use Memory Safe Code
The US Cybersecurity and Infrastructure Security Agency (CISA) has analyzed 172 open-source projects for memory flaws and found many critical open-source projects fail to use memory-safe languages.
Top 3 takeaways:
🧑‍💻 In a follow-up to “Case for Memory Safe Roadmaps,” CISA emphasizes the importance of memory-safe languages like Rust, Golang, Java, C#, and Python to prevent common memory errors.
📉 They found over half of the open-source projects they examined contained memory-unsafe code, with examples like Linux, Tor, and Chromium.
🛡️ CISA advises writing new code in memory-safe languages and transitioning critical components alongside safe coding practices and continuous testing.
Top Tips of the Week
Threat Intelligence
- Incorporate geopolitical intelligence. Understand global events that may impact cyber threats to enhance strategic decision-making.
- Monitor supply chain risks with threat intelligence. Assess and address vulnerabilities to mitigate potential threats.
- Consider geopolitical factors in CTI analysis. Understand global events’ impact on cyber threats for more informed decision-making.
Threat Hunting
- Conduct threat intelligence awareness sessions in cyber threat hunting. Ensure that all team members understand the value and application of threat intel.
- Validate threat intelligence. Ensure the accuracy and relevance of information for informed cybersecurity decisions.
- Diversify your threat intelligence sources. A variety ensures a comprehensive understanding of potential threats.
Custom Tooling
- Validate threat intelligence. Ensure accuracy and relevance for informed cybersecurity decisions. Building tools to automate this will save you time.
Feature Article
Data collection is integral to cyber threat intelligence, making your threat intelligence collection sources one of your program’s most important components. Failure to have strong intelligence collection sources will cloud your visibility of threats and prevent you from generating accurate intelligence that bolsters your organization’s cyber defenses.
This guide will teach you what intelligence collection sources are by breaking down the differences between closed and open, technical and human, and internal and external sources. It will then showcase what you can use as a collection source and the potential benefits and drawbacks.
It is vital that you define your intelligence collection sources and streamline the collection process so you and your team can effectively collect, analyze, and disseminate actionable intelligence. Let’s get started learning how!
Learning Resources
LOLBins (Complete Guide to Living Off the Land Binaries)
LOLBins, also known as “Living Off the Land Binaries,” are programs that come pre-installed on your system and are abused by attackers to perform malicious activities while remaining undetected.
They were originally built as helpful command-line utilities, scripts, and executables that aid system administrators with management and configuration. However, hackers have turned them into powerful post-exploitation tools.
This guide will teach you everything you need to know about LOLBins, from why they’re used to real-world examples. You’ll learn when to use them, how they’re abused, and examples of using them to download files and perform domain reconnaissance.
What Game of Thrones Can Teach Us About Cybersecurity
This excellent presentation compares and contrasts cybersecurity with the popular TV show Game of Thrones. Dr. Gerald Auger draws parallels between the show’s characters, events, and themes and various aspects of cybersecurity, such as roles in the industry, processes, capabilities, and career arcs.
A key point is the power of storytelling in retaining complex information and lessons that might not be obvious in traditional learning settings!
Discover IRIS for DFIR
IRIS is an open-source case management and incident response platform that will make your DFIR work a lot easier. It can be used to enhance your collaboration, automatically enrich data, manage assets, create timelines, and much more! This great demonstration from Taylor Walton showcases how you can get up and running with IRIS today.
Harness the Power of Microsoft Loop for Teams
Microsoft Loop is a game changer for Teams meetings. It can be used to create agendas, take notes, and assign follow-up tasks that are automatically shared and synced with Microsoft Planner. This great demonstration from Jonathan Edwards shows how you can use Loop to enhance meeting organization and collaboration.
Personal Notes
🤔 This week at Kraven, we have revamped our efforts to launch a YouTube channel and bring more dynamic content to you (our audience). Practically, this involved the team learning the ins and outs of video creation, editing, and animation to produce the highest-quality videos we can with our limited resources. We hope this evolution into video content will help us reach a wider audience and make threat intelligence, threat hunting, and custom tooling content more digestible.
If there are any articles, tutorials, or demonstrations you would like to see in video form, please let us know. If there is a demand for a certain topic to be covered, we will make sure it is prioritized!
PS If you are a fan of the written articles, don’t worry, they are not going away.