Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company.
This week, two fascinating threat intelligence reports were released, one from Kaspersky on the current mobile malware threat landscape and another from Dragos, all about threats to operational technology (OT). We also learned of Russia’s shift in tactics to target cloud environments and a massive spam campaign hijacking popular brands.
This week’s Learning Resources include videos on how to write better CTI reports, track down cyber criminals on Telegram, and demonstrate an exciting new terminal emulator. There are also updates to the NIST framework to read about and a fun text-based game to help you learn the Linux command line. Let’s jump in!
Top 5 News Stories
Story #1: The Mobile Malware Threat Landscape
Kaspersky has released its 2023 report on the statistics and trends of malware targeting Android devices. It lists the most common malware families and their characteristics, which countries are targeted the most, and the most prevalent banking and ransomware Trojans.
The report found that Android malware and riskware activity surged in 2023 with attackers continuing to use official app marketplaces and malicious mods of popular apps to spread malware.
Story #2: Russian Hackers Move Onto Cloud Attacks
A joint advisory by the U.K., the U.S., Australia, Canada, and New Zealand warns that the Russia-based threat actor APT29 is now targeting the cloud services of various organizations, especially government and critical entities. The advisory details how APT29 gains access to cloud environments and evades detection.
Recommendations for organizations to protect their cloud infrastructure from APT29’s attacks include enabling MFA, reducing session lifetimes, and monitoring for indicators of compromise.
Cybersecurity & Infrastructure Security Agency (CISA)
Story #3: Over 8000 Domains of Trusted Brands Hijacked in Spam Campaign
A massive spam campaign, SubdoMailing, has hijacked over 8000 domains and subdomains of trusted brands and institutions to send malicious emails and monetize clicks. The group behind the campaign, ResurrecAds, has a history of exploiting the digital advertising ecosystem for nefarious gains and has an extensive infrastructure of compromised hosts, servers, and IP addresses.
The attackers compromised these domains by taking control of subdomains with dangling CNAME records of abandoned domains. This allowed them to bypass email authentication checks and leverage the trust associated with the original domains.
You can check if you are vulnerable to this attack by using Guardio’s SubdoMailing Checker. This website allows domain administrators and site owners to look for signs of compromise and prevent their domains from being used for spam distribution.
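As an added example (not code from the newsletter or from Guardio's checker), here is an offline audit for the weakness the story describes: CNAME records whose chain ends at a name with no record, and whose target apex domain is no longer registered and so could be claimed by someone else. The zone, the registered-apex set and every name in it are constructed; a real audit would replace the dictionary with live DNS lookups and an RDAP/WHOIS check of each target's apex.

```python
from dataclasses import dataclass

# Constructed sample zone (not real records): owner name -> (rrtype, target).
ZONE = {
    "www.example.com.": ("A", "192.0.2.10"),
    "blog.example.com.": ("CNAME", "www.example.com."),
    "cdn.example.com.": ("CNAME", "edge.cdn-provider.example."),
    "edge.cdn-provider.example.": ("A", "198.51.100.7"),
    "promo.example.com.": ("CNAME", "campaign.old-agency.example."),
    "old.example.com.": ("CNAME", "gone.example.com."),
    "loop.example.com.": ("CNAME", "loop2.example.com."),
    "loop2.example.com.": ("CNAME", "loop.example.com."),
}
# Constructed: apex domains known to still be registered (a real audit asks RDAP/WHOIS).
REGISTERED_APEX = {"example.com.", "cdn-provider.example."}
MAX_CHAIN = 8  # stop runaway CNAME loops

@dataclass
class Finding:
    name: str
    status: str  # "ok", "dangling", "takeover-risk" or "loop"
    final_target: str

def apex(name: str) -> str:
    """Last two labels of a name, a stand-in for the registrable domain."""
    return ".".join(name.rstrip(".").split(".")[-2:]) + "."

def resolve_chain(name: str, zone=ZONE, registered=REGISTERED_APEX) -> Finding:
    """Follow CNAMEs from `name` and classify where the chain ends."""
    seen, current = [], name
    while len(seen) < MAX_CHAIN:
        if current in seen:
            return Finding(name, "loop", current)
        seen.append(current)
        record = zone.get(current)
        if record is None:
            # Nothing at the end of the chain: the CNAME is dangling. If the target's
            # apex is unregistered, anyone can register it and inherit the owner's trust.
            status = "dangling" if apex(current) in registered else "takeover-risk"
            return Finding(name, status, current)
        rrtype, target = record
        if rrtype != "CNAME":
            return Finding(name, "ok", current)
        current = target
    return Finding(name, "loop", current)

def audit_zone(zone=ZONE) -> list[Finding]:
    """Return every CNAME owner in the zone whose chain does not end cleanly."""
    cnames = [n for n, (t, _) in zone.items() if t == "CNAME"]
    return [f for f in (resolve_chain(n, zone) for n in cnames) if f.status != "ok"]
```

Records flagged "takeover-risk" are the ones to remove or repoint first; "dangling" entries within your own apex are stale but cannot be claimed by an outsider.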
Story #4: Dragos Drops Annual OT Cyber Security Review
The industrial OT cyber security company Dragos has released its annual report on the threats, vulnerabilities, and incidents that impacted industrial systems in 2023. It highlights three new threat groups targeting critical infrastructure, the impact of geopolitical issues, and a 49.5% rise in ransomware incidents involving OT.
It also includes some recommendations to manage risk for OT environments. It is definitely worth a read if you are interested in defending Operational Technology.
Story #5: NIST Updates Its Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has released version 2.0 of their Cybersecurity Framework (CSF), which provides best practices and recommendations for improving cybersecurity posture and risk management.
The new version of the CSF is designed to be relevant and useful for organizations of any sector and size, incorporating feedback from stakeholders and the lessons learned from a decade of security challenges. It also offers new resources such as quick-start guides, implementation examples, a mapping catalog, and reference tools.
It also adds a new function called “govern” that aims to establish, communicate, and monitor an organization’s cybersecurity strategy, expectations, and policy. This allows cybersecurity to integrate into the broader enterprise risk management strategy, complementing the other five functions of identify, protect, detect, respond, and recover.
NIST views the CSF as a dynamic and evolving framework that can be customized and adapted to different needs and contexts. It encourages users to share their experiences and to contact NIST for further guidance and improvement.
National Institute of Standards and Technology (NIST)
Top Tips of the Week
Threat Intelligence
- Validate and verify threat intelligence. Ensure accuracy before taking action to avoid false positives and wasted resources.
- Educate your team on effective CTI utilization. Empower them to leverage threat intelligence for proactive defense.
Threat Hunting
- Stay agile. The threat landscape evolves; so should your threat hunting strategy. Adaptability is key to effective cybersecurity.
- Monitor the dark web for potential cyber threats targeting your organization. Gain insights into emerging risks.
- Integrate threat intelligence into threat modeling. Enhance your security posture by identifying potential threats early in the development process.
Custom Tooling
- Conduct thorough testing of custom tools in realistic scenarios. Simulate real-world conditions to identify and address potential issues.
- Regularly revisit and update custom tools. Evolving threats and changing requirements necessitate ongoing refinement.
Feature Article
Kubernetes is a magical technology that can provide your applications with scalability, high availability, and resource efficiency across cloud and local environments. In this article, you will learn how to deploy your own local Kubernetes cluster using Terraform and Ansible, mastering some common DevOps practices along the way.
But why learn about Kubernetes if you are in security? Beyond needing to secure containerized workloads and cloud infrastructure, learning the basics of Kubernetes empowers you to deploy your own custom tooling at scale, whether to the public or your local team. It also acts as a gateway to learning powerful automation technologies like Terraform and Ansible that will completely change how you deploy and configure infrastructure.
Let’s begin exploring the mystical arts of DevOps and Infrastructure as Code to create our local Kubernetes cluster!
Learning Resources
Learn to Write Better CTI Reports
Watch this great talk from the 2021 SANS CTI Summit, describing how you can take lessons from journalism to write clear, concise, and actionable threat intelligence reports. Following the methodology described in this presentation will help anyone become more effective at writing and reporting so everyone at your organization can benefit from CTI.
Track down Cyber Criminals on Telegram
Discover how to reverse engineer malware and track down where data is being exfiltrated on Telegram. The excellent John Hammond demonstrates a new tool developed by Kostas called TeleTracker. This tool allows you to turn the tables on an attacker and analyze their Telegram command and control (C2) infrastructure. A great demo and a fantastic tool to add to your threat hunting arsenal!
Learn the Linux Terminal in a Fun Text-Based Game
Knowing Linux is a valuable skill for anyone performing technical work, especially if you work in cyber security. This simple text adventure lets you learn the basics of Linux on your local machine completely for FREE. It is a great project I recommend playing with!
bashcrawl (Gitlab)
Discover a New Terminal Emulator
Warp is a modern terminal app built in Rust that aims to improve developers’ productivity and efficiency with smart completions, chat-based guidance, shared terminal knowledge, and theme customization. It also uses AI to suggest commands and to answer programming questions in a chat, keeping these interactions private and secure; they are never used to train public models.
In this video, Christian Lempa walks you through how to use Warp, from customization options to simplifying your IT workflows. Check it out!
Personal Notes
🤔 At Kraven this week, we have been focused on progressing our Definitions & Key Concepts series. This series aims to teach you the basic components of cyber threat intelligence, provide you with definitions of key industry concepts, and ensure you can “speak the language” of threat intelligence. We enjoy writing this series because it puts students on a level playing field and allows effective collaboration.
We are also focused on building out our library of technical content, particularly around creating testing environments. Our series, Creating a Testing Environment, describes building your own environments to perform malware analysis, threat hunting, and security testing using technologies like Terraform, Ansible, and Proxmox.
Creating environments like this is a key technical skill to master. It teaches you about architecture, design, and combining technologies. We love this series because it empowers students to experiment, tinker, and explore new technologies.