Triaging the Week 004

Hello there 👋

Welcome back to the Kraven Security weekly newsletter. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!

This week has seen a lot of carnage in the news. New vulnerabilities were found in DNS, new exploitation techniques abused process injection, and a cloud engineer went on a data-destroying rampage. To put a ribbon on it, a parliamentary inquiry found the UK was at risk of a catastrophic ransomware attack! 

It wasn’t all bad news. Some great researchers have been sharing how criminals hide malicious URLs, rounding up the cyber threats we saw in 2023, and a couple of fun challenges popped up to help you develop your cyber security skills (SANS Holiday Hack Challenge and The EKS Cluster Games). At Kraven, we started a new series on important cyber threat intelligence (CTI) concepts and definitions you need to know. We encourage you to use the series as a reference guide whenever you encounter a term or concept you don’t know.

Let’s jump into this week’s top news stories.


Top 5 News Stories


Story #1: Google Shares a Fix for Deleted Google Drive Files

Google has identified and addressed a bug causing customer files added to Google Drive after April-May 2023 to disappear. However, it’s important to note that the fix isn’t working for all affected users. If you’ve been affected, give this article a read.

Source: Bleeping Computer

Story #2: New Vulnerability Found in DHCP DNS Dynamic Updates

Research has found that attackers can overwrite DNS records without authentication. This allows them to perform man-in-the-middle attacks and compromise domain-joined hosts. The research team provides a comprehensive breakdown of how this vulnerability works and mitigation advice in their write-up. 

Source: Akamai

Story #3: APTs Join the Developer Trend and Use Memory Safe Languages

The Lazarus Group has embraced the use of memory-safe languages, specifically DLang, in its latest malware strains. DLang is a newer memory-safe language that Five Eyes agencies recently endorsed as a more secure alternative to C or C++ for software development. It looks like APTs also read that press release!

Source: The Register

Story #4: Cloud Engineer Gets 2 Years in Prison After Going on Code Wiping Rampage

A cloud engineer has received a two-year prison sentence and been ordered to pay $529,000 in restitution for wiping the code repositories of his ex-employer. The engineer, Miklos Daniel Brody, took this extreme action in retaliation for being terminated and performed the following:

  • Ran a malicious script named “dar.sh” to wipe company servers
  • Deleted git logs and git commit history for the particular script
  • Accessed the company’s GitHub repository and deleted the hosted code
  • Inserted ‘taunts’ in the code, including references to “grok”
  • Impersonated another cloud engineer at the company to access the firm’s network and make configuration changes

Safe to say he’s probably off the Christmas card list this year.

Source: Bleeping Computer

Story #5: UK Government at Risk of a “Catastrophic Ransomware Attack”

A parliamentary report published by the Joint Committee on the National Security Strategy (JCNSS) found that the UK is at “high risk” of a “catastrophic ransomware attack at any moment.” This is due to the British government’s failure to tackle ransomware in terms of budget, resources, and strategy.

The report calls for the Home Office to be stripped of its ransomware responsibility, with that responsibility handed to the Cabinet Office, in partnership with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

Not ideal if you live in the UK.

Source: The Record


Feature Article

The importance of definitions in CTI

Cyber threat intelligence (CTI) can be hard. There are hundreds of terms flying around that, to the untrained, could mean almost anything. If you want to jump into this area of cyber security or gain more value from it, you need a clear understanding of what CTI analysts mean when they share threat intelligence with you.

This is the first article in a whole series on CTI definitions and key concepts. The series is designed to be a reference guide for when you encounter a word or term you are unfamiliar with, or when you are trying to better understand where someone is coming from.

In this installment, you will learn why clear definitions are vital in the threat intelligence world and how they enable the process of gathering, analyzing, and disseminating intelligence to run smoothly. Let’s begin!

Read Now


Learning Resources


GitLab Releases Article on Automating C2 Testing

The article details how you can use DevOps practices to automate your Command and Control (C2) testing. It is definitely worth a read if you are on the red side and want to begin automating your work or on the blue side and want to find some inspiration for your detection engineering efforts.

Source: How GitLab’s Red Team automates C2 testing

Roundup of the Top Cyber Threats in 2023

BushidoToken published a great article this week that details the top 10 cyber threats we saw in 2023. It is worth checking out to recap all the major trends we saw in the cyber security community, and it even includes some predictions for 2024.

Source: Top 10 Cyber Threats of 2023

How to Hack AWS and Kubernetes Clusters

The legendary John Hammond released a great video detailing how to hack AWS and Kubernetes clusters this week. The video showcased the EKS Cluster Games, a free-to-play cloud-hacking challenge.

A Complete Incident Response Plan for You

Discover a complete, ready-made cyber security incident response plan that you can use for your company. Simply fill out a few details, and you are ready to go. The incident response plan template has been packaged and is ready to use now as a PDF or Google Doc. Download and enjoy!

Source: StationX

Learn How Cybercriminals Disguise URLs

Kaspersky dropped a great article on how cybercriminals disguise their malicious URLs and trick users into downloading malware. It was a great read to learn about the various techniques a threat actor uses (and the lengths they go to) to get you to click on a link in a phishing email.

Source: Kaspersky


Personal Notes

🤔 Another week goes by at Kraven Security, and with it, a lot of learning about the cloud. We are looking more into providing threat hunting labs through a cloud environment (probably AWS) to help you get hands-on experience with the latest tools and technologies. We are looking to offer this first in a controlled environment through our one-to-one coaching sessions and mentorship, and we hope to expand it to on-demand access later.

We also released a new series, Definitions & Key Concepts. This series aims to cover key terminology and models used in the CTI industry so you can quickly get to grips with the conversation. It will be your reference guide throughout your CTI journey, and more content will be added soon. 

It is the last big push to Christmas now. Then hopefully, everyone gets some downtime catching up with the family, enjoying some festivities, and mainly overeating delicious food!