Triaging the Week 011

Triaging the Week

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!

This week, we saw a new scary Docker container escape drop that impacted many modern app deployments and malware-laced Facebook ads. We also had a couple of “no shit” news stories with Google TAG reporting that spyware vendors are behind most zero-days and Chinese hackers are inside US critical infrastructure. 

Then we ended on a wholesome story of your smart toothbrush ganging together with a few mates to launch a mass DDoS attack… or was that fake news 🤷 I also have a few gems for you regarding learning resources. We have lots of Linux stuff, from utilities to interviews, and an excellent free reverse engineering and binary exploitation course. Let’s jump in.

Top 5 News Stories

Triaging the Week: News Stories

Story #1: New Docker Container Escape

A set of four vulnerabilities have been discovered that allow hackers to escape containers and access data on the host operating system, collectively named “Leaky Vessels.” These vulnerabilities impact the runc and Buildkit container infrastructure and build tools used by popular software like Docker and Kubernetes3. 

Given how much modern infrastructure has become containerized and reliant on tools like Docker and Kubernetes, this vulnerability will have a wide impact. It is recommended that the available security updates be applied as soon as possible. 


Story #2: Spyware Vendors Behind Most Zero-Days

Google’s Threat Analysis Group (TAG) revealed that most of the unknown vulnerabilities exploited in the wild were used by commercial spyware vendors (CSVs) to target journalists, activists, and politicians. Spyware vendors were responsible for 80% of the zero-day vulnerabilities discovered in 2023, with five CSVs responsible for 33 zero-days in the last four years (Cy4Gate, Intellexa, Negg Group, NSO Group, and Variston).

Google urged for more collaboration among governments, stricter guidelines for the use of surveillance technology, and diplomatic efforts with countries hosting non-compliant vendors. This could soon be coming with the US State Department imposing visa restrictions on those involved in illegal spyware surveillance.

Google Blog

Story #3: Fake Facebook Job Ads Spread ov3r_stealer Malware

A new Windows-based stealer malware called Ov3r_Stealer is spreading through fake Facebook job advertisements for digital advertising positions. The malware is installed via a weaponized PDF file and goes onto your credentials and crypto wallets, sending the pilfered information to a monitored Telegram channel.

The Ov3r_Stealer malware shares code and infrastructure with another stealer malware called Phemedrone. It is currently believed they are the same threat actor as they look to build a malware-as-a-service (MaaS) business. 


Story #4: Chinese Hackers Lurk in US Infrastructure for 5 Years

It was recently discovered that Chinese hackers had infiltrated a critical infrastructure network in the US and managed to remain undetected for five years. A joint advisory from CISA, NSA, FBI, and partner Five Eyes agencies detailed these cyber-espionage activities, revealing the persistence and stealth of the Volt Typhoon cyber-espionage group.

The group aimed to pre-position itself within networks that provide access to operational technology assets, aiming to disrupt critical infrastructure in the event of a major crisis or conflict with the US. This was made possible, in part, by a lack of security in SOHO routers. 

National Security Agency (NSA)

Story #5: No, the Toothbrushes Have Not Taken Over Just Yet

A widely reported claim that 3 million electric toothbrushes have been hacked and are being used in a mass DDoS attack against a Swiss company is likely untrue. Instead, it appears the Swiss news site Aargauer Zeitung, who published the story based on a report from a Fortinet employee, likely misinterpreted the hypothetical scenario as an actual attack. 

Electric toothbrushes do not connect directly to the internet but use Bluetooth to connect to mobile apps that upload data to web platforms. It is unlikely that 3 million electric toothbrushes would be exposed to the internet or infected with malware.

Bleeping Computer

Top Tips of the Week

Triaging the Week: Top Tips of the Week

Threat Intelligence

  • Regularly update threat intelligence feeds. Timely information is crucial for identifying and mitigating new threats.
  • Implement threat intelligence in vulnerability management. Prioritize patches based on real-time threat information.

Threat Hunting

  • Regularly review and update your threat hunting tools in cyber threat hunting. Ensure they are aligned with the latest threat intelligence and methodologies.
  • Integrate threat intelligence into security awareness programs in cyber threat hunting. Educate employees to recognize and report potential threats.
  • Foster a cyber threat hunting community. Collaborate with peers, share experiences, and learn from one another.

Custom Tooling

  • Implement versioning for custom tools. Track changes, facilitate updates, and maintain compatibility with existing systems.
  • Regularly assess the performance of custom tools. Optimize code, address bottlenecks, and ensure efficient operation.

Feature Article

Top 5 Challenges With Intelligence Requirements

The cyber threat intelligence lifecycle is a fundamental model for structuring intelligence work. Implementing it is difficult. 

This article discusses the top five challenges you will face when using the threat intelligence lifecycle in the real world. You will discover the issues that can arise with the people, processes, and technology when trying to structure and organize your cyber threat intelligence, from having too much data to too little feedback. After each problem, I will detail solutions you can use to navigate around them and build the perfect intelligence lifecycle. 

Before we jump into the challenges, here is a quick recap of the threat intelligence lifecycle to get you up to speed. 

Read Now

Learning Resources

Triaging the Week: Learning Resources

Discover the Power of jq

Learn about how you can use the awesome command line utility called jq. This tool lets you filter and parse JSON data within a terminal or your favorite text editor (vim). The Primeagen demos this in a fun video. There is also yq for manipulating YAML files.

How to use Mimikatz for Hacking in 2024: The Definitive Guide

This comprehensive guide will show you how to use Mimikatz for hacking so you can dump credentials and perform lateral movement like a pro.

Mimikatz is one of the most popular hacking tools you’ll use and is an industry standard for penetration testing and red team engagements. 

It is featured on many of the top hacking certifications like the Offensive Security Certified Professional (OSCP), Practical Network Penetration Tester (PNPT), and Certified Red Team Operator (CRTO), making it a tool you need to know how to use. This guide will show you how.

You will learn to extract passwords, dump credentials, create golden tickets, and perform attacks like pass-the-hash and over-pass-the-hash. 


Want to Learn How to Manage Your Dotfiles?

Check out this great demo from Dreams of Autonomy on GNU stow. Managing dotfiles can be challenging, especially if you work on multiple systems and want to carry your configuration settings between machines. Stow can make it much easier! 

What’s Happening at System76?

Great interview between Brodie Robertson (Tech Over Tea)  and Carl Richell (CEO and co-founder of System76) on the company’s history, how we got here, and some of the cool stuff they’ve got in store. If you’re a fan of open-source software, Linux, or System76, check it out. 

Curious About Reverse Engineering or Binary Exploitation?

Check out this series called “Pwn Zero To Hero.” It covers assembly, stack-based buffer overflows, format strings, return-oriented programming, and heap exploitation. It’s completely  FREE on YouTube and a great resource to get started on your reverse engineering and binary exploitation journey.

Personal Notes

Triaging the Week: Personal Notes

🤔 This week at Kraven, we have been testing our DevOps skills, working on Kubernetes deployments using Terraform and Ansible, with an article just around the corner. We have also been improving our Search Engine Optimization (SEO). It’s a very important area to cover when you run an online business, but part of me feels like it’s just a huge cash grab. Anyways, there is no escaping the dreaded Google search algorithms.

There have also been behind-the-scenes improvements with investments in productivity and project-tracking tools to optimize our content creation workflow. The team is heavily invested in Notion, a freemium productivity and note-taking web application, which I have previously written about in 7 of the Best Notetaking Apps for Cyber Security Professionals.

I highly recommend checking it out and exploring some of its unique features. It’s a game-changer!

Back to top arrow

Interesting in Learning More?

Learn the dark arts of red teaming

If you want more of a challenge, take on one of their certification exams and land your next job in cyber:

Learn more cyber security skills

If you’re looking to level up your skills even more, have a go at one of their certifications: