Hello there 👋
Welcome back to the Kraven Security weekly newsletter. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
This week we saw a lot of assumptions proven wrong. Mercedes-Benz assumed they had cleaned up their public code repositories (turns out they hadn’t), a hacker assumed the Monero cryptocurrency was untraceable (the Finnish police had other ideas), and we all thought Microsoft Teams attachments couldn’t be malicious phishing attachments (turns out that that they were).
We also learned the NSA is securely buying your Internet data (probably more of a shock that they are buying it), and the Police in Germany hit the jackpot by seizing 50,000 bitcoins! Let’s jump into it.
Top 5 News Stories
Story #1: NSA Admits to Secretly Buying Your Data
US Senator Ron Wyden has released a press release claiming the US National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order. This metadata about users’ browsing habits can pose a serious privacy risk, being used to glean personal details about an individual based on the websites they frequent.
Data collected could include websites that offer resources related to mental health, assistance for survivors of sexual assault or domestic abuse, and telehealth providers who focus on birth control or abortion medication. This issue has, once again, raised concerns over national legislation around data privacy in the US. Something that is sorely missing.
Story #2: Mishandled GitHub Token Exposes Mercedes-Benz Source Code
The mishandling of GitHub tokens has led to the exposure of Mercedes-Benz source code, with researchers at RedHunt Labs discovering “unrestricted” and “unmonitored ” access to an Internal GitHub Enterprise Server. The token providing this access was exposed via a public GitHub repository.
This exposure provided access to a wealth of information, including intellectual property, access keys, connection strings, SSO passwords, API keys, and other critical internal details. It highlights the need for all organizations to secure their code repos and model this attack vector.
Story #3: Hacker Traced via “Untraceable” Monero Transactions
The suspected hacker behind one of the cyber attacks against Vastaamo, one of Finland’s largest psychotherapy clinics, was allegedly identified by tracing what has been believed to be untraceable Monero transactions. Vastaamo was breached in October 2020, but failing to extort the clinic, the hacker turned to asking individual patients to pay up Bitcoin.
Monero is a privacy-oriented decentralized cryptocurrency that many believe to be untraceable. However, after paying the hacker and employing heuristic analysis to infer the most likely path of the funds, Finnish investigators could track the hacker down. The exact mechanism for this has not been disclosed for obvious reasons.
MTV VAALIT (Finnish News)
Story #4: Police Seize Record 50,000 Bitcoins
The police in Saxony, Germany, have made record-breaking strides in the fight against piracy! They’ve recently seized an astonishing 50,000 Bitcoin from the former operator of the pirate site movie2k[.] as part of an investigation into a piracy website and money laundering. This unprecedented move involved a voluntary deposit to a state-controlled wallet and support from the Federal Criminal Police Office (BKA), the FBI, and a forensic IT expert firm from Munich.
Story #5: Phishing Campaign Pushed Darkgate Malware on Microsoft Teams
A new phishing campaign exploited Microsoft Teams group chat requests to deliver DarkGate malware payloads hidden in an attachment. A compromised Teams user sent over 1,000 malicious Teams group chat invites using a double extension to disguise a Windows installer file.
This phishing attack is possible because Microsoft allows external Teams users to message other tenants’ users by default. Good for business, but not so good for security. It is recommended that most companies turn off this feature.
Top Tips of the Week
- Collaborate with CTI vendors for specialized expertise. Leverage external partnerships to enhance threat intelligence capabilities.
- Diversify your cyber threat intelligence sources. A variety ensures a comprehensive understanding of potential threats.
- Prioritize threat intelligence based on relevance. Focus on data that directly impacts your organization’s security posture.
- Conduct threat intelligence exercises in cyber threat hunting. Simulate real-world scenarios to test and enhance your team’s readiness.
- Incorporate threat intelligence into your risk management strategy. Enhance resilience by identifying and mitigating potential risks.
- Stay informed on emerging threats in cyber threat hunting. Regularly update your threat intelligence sources for accurate and relevant insights.
- Regularly update and patch custom tool dependencies. Stay current with the latest libraries and frameworks for improved functionality.
The majority of threat actors buy and use commodity malware. To tailor this malicious software to their needs, they use malware configuration settings that dictate how it behaves. Parsing this data is an essential skill for any threat hunter or detection engineer.
Malware configuration parsing allows you to correlate intrusions, track campaigns, enrich threat hunts, improve incident response, and write better detection rules. It is a skill often overlooked due to its technical requirements, but with malware configuration parsing tools, you can add this game-changing anal skill to your arsenal.
This article will show you how. You will learn why malware configuration parsing is vital for defenders, the different parsing options available, and the challenges you will face. You will also see a practical example of how to parse PowerShell malware. Let’s jump in and get started!
Build a Custom Threat Intelligence Feed
Will Deepfakes Make Biometric Security Pointless?
The rise of deepfake threats has brought into question the adequacy of biometric security measures. In the face of increasing sophistication, cyber attacks using AI-generated deepfakes to bypass facial biometrics security are leading organizations to reconsider their identity verification and authentication tools as standalone protections. This insightful post from The Register sheds light on the need to rethink our defense strategies.
Interview With Legendary Tool Master
Check out this awesome interview between TomNomNom on the Simply Cyber show. I loved the talk about having a repository for quick scripts you throw together, his unique approach to building tools to avoid being influenced by others, and his take on challenging conventional wisdom in cyber security.
Top Web Hacking and Bug Bounty Tools
Discover the top web hacking and bug bounty tools to use right now in this quick guide by NahamSec. My favorites are Burp for its extensibility and Caido as the cool new kid on the block. What are yours?
🤔 Kubernetes, Kubernetes, Kubernetes. This week that has been the focus at Kraven as we explore options for hosting our threat hunting labs in the cloud so you can get your hands dirty and try out some of the concepts we teach in our articles. The timeline for achieving this is a little way out at the minute, but is on the horizon as a training tool we are invested in implementing!
We also got stuck writing a new series on cyber threat intelligence analytical techniques. This includes frameworks, models, and methodologies you can use to effectively analyze data and deliver actionable intelligence, such as the Cyber Kill Chain, Diamond Model, and Analysis of Competing Hypotheses. These are fundamental analysis techniques in threat intelligence, and we are excited to release a series that will teach you how to use them.
Until next week, remember to dive into the learning resources, and have a great weekend!