Triaging the Week 015

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company.

This week, we saw new developments in the ransomware world. Phobos ransomware was used against US critical infrastructure, and the cybercriminals behind BlackCat performed an exit scam after getting in hot water for attacking a major healthcare provider. 

We also saw hackers use novel techniques to tunnel traffic through the QEMU virtualization software, the NSA provided guidance on achieving zero-trust network architecture, and a US court ordered the NSO group to turn over the source code for their Pegasus spyware to Meta.

As always, we have our top tips, a featured article, and some great learning resources to take a look at over the weekend (I especially enjoyed the talk on clustering ransomware behavior). Let’s jump in!


Top 5 News Stories


Story #1: Phobos Ransomware Targets US Critical Infrastructure

Threat actors using the Phobos ransomware have launched a series of attacks targeting the U.S. government and critical infrastructure entities. They deployed their ransomware using phishing, RDP brute-forcing, and privilege escalation techniques.

Phobos operates under a ransomware-as-a-service (RaaS) model and is a good case study for the shifting trends in ransomware: ransomware is moving to a service-based model that threat actors rent rather than build; there is no guarantee of data recovery after payment; gangs use double extortion to increase profit; the same victims are targeted multiple times; and no victim is off limits.

CISA

Story #2: Court Orders NSO Group to Hand Over Pegasus Code to Meta

A US court has ordered the NSO Group to hand over the source code for Pegasus and its other spyware to Meta, which sued the Israeli company for using WhatsApp to deliver the spyware to about 1,400 devices in 2019.

Pegasus exploited a critical vulnerability in WhatsApp’s voice call function to infect the devices of activists, journalists, and others. NSO Group is now required to produce information on the full functionality of this spyware to Meta.

This is a step forward in safeguarding consumers’ privacy and data. However, the NSO Group has been spared from disclosing the identities of the customers who bought and used the spyware.

Amnesty International

Story #3: BlackCat Ransomware Pulls Exit Scam After Targeting Healthcare Company

An affiliate of the BlackCat ransomware gang claims the gang scammed them out of a $22 million ransom paid by Optum, a healthcare company that operates the Change Healthcare platform.

The affiliate says they breached Optum and stole 4TB of critical data from various insurance companies and healthcare providers. They claim Optum paid 350 bitcoins ($23 million) to delete the data and get a decryptor, but the ransomware gang took the money and banned them. 

This is not the first time the ransomware gang has been embroiled in scandal, shut down its servers, and re-emerged a few months later under a different name. They originally started as DarkSide, but when law enforcement turned up the heat after they attacked critical US infrastructure (Colonial Pipeline), they rebranded to BlackMatter, then ALPHV/BlackCat.

Bleeping Computer

Story #4: NSA Guidance on Creating a Zero-Trust Network

The US National Security Agency (NSA) has shared guidance on adopting zero-trust principles to limit an adversary’s movement within networks. It includes seven pillars required for a zero-trust architecture and steps to achieving them.

Unlike traditional perimeter-based IT security models, a zero-trust architecture requires strict network access controls, and the intelligence agency highlights the network components that attackers could exploit to move laterally if those controls are missing.

Achieving a zero-trust architecture is not easy. Organizations must reach certain maturity levels in data flow mapping, macro and micro-segmentation, and software-defined networking to build a zero-trust environment effectively. 

NSA

Story #5: Hackers Abuse QEMU to Tunnel Network Traffic

Malicious actors were seen using the QEMU hypervisor platform to create a network tunnel in a cyber attack against a large company. The attackers leveraged QEMU’s capabilities to remain undetected, opting for a less conventional tool that wouldn’t raise alarms.

The attackers allocated only 1MB of RAM to a virtual machine to avoid detection and started it without a LiveCD or disk image. They then routed their malicious traffic through this virtual machine to attack internal hosts and bypass security measures.

Kaspersky suggests adopting multi-level protection, including 24/7 network and endpoint monitoring, to detect the use of legitimate tools for malicious purposes. 

Securelist 
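As an added illustration (not code from the article or from Kaspersky's report), here is a defender-side triage that scans constructed process-creation records for the pattern described above: a qemu-system launch with a tiny -m allocation and no disk image or LiveCD argument. The record layout (user|image path|command line), user names and paths are assumptions.

```python
# Constructed process-creation records (user|image path|command line), not taken from the article.
SAMPLE_LOGS = [
    "svc_backup|C:\\Tools\\qemu\\qemu-system-i386.exe|qemu-system-i386.exe -m 1M -netdev user,id=lan -nographic",
    "dev1|C:\\Program Files\\qemu\\qemu-system-x86_64.exe|qemu-system-x86_64.exe -m 4G -hda C:\\vms\\ubuntu.qcow2 -netdev user,id=n1",
    "dev1|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt",
    "svc_backup|/usr/bin/qemu-system-x86_64|qemu-system-x86_64 -m 1 -netdev user,id=lan -nographic",
]

# Arguments that give a guest something to boot from; their absence means a 'blank' VM.
BOOT_MEDIA_ARGS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom", "-drive", "-kernel"}
NETWORK_ARGS = {"-netdev", "-nic", "-net"}


def parse_mem_mib(value):
    """Convert a QEMU -m value ('1M', '4G', '512', 'size=1M,...') to MiB; bare numbers are MiB."""
    v = value.lower().removeprefix("size=").split(",")[0]
    mult = 1024 if v.endswith("g") else 1
    v = v.rstrip("gm")
    return int(v) * mult if v.isdigit() else None


def triage_qemu_launches(log_lines, max_mib=16):
    """Return QEMU launches that match the tunnel pattern: tiny RAM and no boot media."""
    findings = []
    for line in log_lines:
        try:
            user, image, cmdline = line.split("|", 2)
        except ValueError:
            continue                                  # malformed record, skip it
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if not exe.startswith("qemu-system"):
            continue
        args = cmdline.split()
        mem_mib = None
        for i, arg in enumerate(args[:-1]):
            if arg == "-m":
                mem_mib = parse_mem_mib(args[i + 1])
        if mem_mib is None or mem_mib > max_mib:
            continue                                  # normal-sized guest, not our pattern
        if any(a in BOOT_MEDIA_ARGS for a in args):
            continue                                  # it has a disk or LiveCD to boot
        reasons = [f"guest RAM {mem_mib} MiB", "no disk image or LiveCD"]
        if any(a in NETWORK_ARGS for a in args):
            reasons.append("guest networking enabled")   # the piece a tunnel needs
        findings.append({"user": user, "exe": exe, "mem_mib": mem_mib, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_qemu_launches(SAMPLE_LOGS):
        print(finding)
```

The 16 MiB threshold is a tuning knob: real guests need hundreds of MiB to boot anything, so anything near the 1 MB seen in the attack stands out regardless of the exact cutoff.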


Top Tips of the Week


Threat Intelligence

  • Learn from historical threat intelligence incidents. Analyzing past events provides insights for improving intelligence and incident response.
  • Monitor critical infrastructure for threat indicators. Enhance resilience by proactively identifying and mitigating potential risks.

Threat Hunting

  • Monitor supply chain risks. Assess and address vulnerabilities to mitigate potential threats.
  • Monitor the dark web for potential threats targeting your organization. Gain insights into emerging risks.
  • Share threat hunting experiences at industry events. Learn from peers and contribute to the community’s knowledge.

Custom Tooling

  • Optimize custom tools for usability. Create interfaces that are intuitive, user-friendly, and align with user expectations.

Feature Article

Top 5 Challenges With Intelligence Requirements

All cyber threat intelligence teams need three things: a threat intelligence lifecycle, a threat model, and intelligence requirements. One of the hardest to get right is intelligence requirements. They usually lack focus, fail to define a timeframe, or do not answer a single question to support an informed decision. But what are the challenges when creating intelligence requirements, and how do you overcome them?

This article dives into the top five challenges you will face when creating your own intelligence requirements so you can avoid these pitfalls and produce actionable intelligence that is valuable to your organization. You will learn about common real-world problems that come with implementing intelligence requirements and solutions to navigate past these issues. 

Read Now


Learning Resources


Discover the Power of the C2 Frameworks

Have you ever wondered “what is a C2 framework” or “C2 server”?

If you’ve been in the hacking game for long enough, you’ve likely come across these terms, heard advanced penetration testers or red teamers talk about them, and may even know that C2 stands for Command and Control.

Now is the time to unmask C2 frameworks and learn everything about them.

In this guide, you’ll learn what a C2 server and framework are, why you’d want to use one, and the key benefits they can provide you and your team.

You’ll discover some of the most popular C2 frameworks available today and get hands-on experience using the popular open-source C2 framework Havoc.

StationX

How to Cluster Ransomware Attack Behavior

Ransomware-as-a-service (RaaS) is a major threat to nearly all organizations, and attackers will often swap out what ransomware they use. This excellent presentation by Morgan Demboski from Sophos sheds light on how to effectively cluster the behavior seen in ransomware attacks to track threat actors and build better defenses. 

Definitely worth watching if you work in cyber threat intelligence or want to learn more about the ransomware threat landscape.

The Intelligence Handbook by Recorded Future

This guide for building an intelligence-led security program is an excellent FREE resource that all cyber security leaders should read. It covers the application of intelligence across various enterprise areas, including chapters on fraud, identity, and attack surface intelligence.

The book provides insights on developing a security program that anticipates adversaries and enhances all security functions. Add it to your reading list now!

Recorded Future

Debunking Cyber Security Myths With the National Cyber Director

Check out this entertaining and enlightening video by Forbes featuring the National Cyber Director Harry Coker, Jr. He debunks common cyber security myths and discusses how cyber affects politics, voting, and government.

To say this man’s background is impressive is an understatement! Watch this video to gain valuable insights from his time in the CIA, NSA, US Navy, and White House. 

Building a Serverless AWS Application

Watch this fascinating deep dive into creating a serverless cloud application using AWS services like SES, S3, IAM, Lambda, and EventBridge. It showcases how you can get hands-on with AWS, build a project incorporating multiple cloud technologies, and gain a real-world understanding of serverless cloud architecture.

The Tiny Technical Tutorials YouTube channel is awesome for hands-on tutorials with AWS. I highly recommend checking it out after you watch this video.


Personal Notes


🤔 Have you ever had that euphoric feeling after finishing a piece of technical work, got something to finally work after banging your head against a wall for hours on end, or had an epiphany while bending over to pick up your dog’s poo? I was fortunate enough to have all three happen to me this week.

At Kraven, we have been working on our Creating a Testing Environment series, which explores ways to develop testing environments for malware analysis, threat hunting, and adversary emulation. This exciting series incorporates various skills, from cloud to DevOps to server management. 

This week, we built out a new environment that combines Terraform, Apache Guacamole, and Proxmox to automate the deployment of an ephemeral malware analysis environment. It is a beautiful piece of work I am very proud of, but man, it was a pain to build!

There were issues with getting Terraform to interact with Proxmox, problems with building machine templates in Proxmox, and even issues configuring Apache Guacamole (damn SSH). But thankfully, we managed to get it working.

It was a lesson that this technology stuff is hard, and things don’t always work as you expect them to. However, you can always get things to work through perseverance and sheer will. If you feel like you’re banging your head against a wall to get something to work, take a step back, go for a walk, clear your mind, and go again. You got this. I believe in you!

Enjoy the learning resources, go out there, and build awesome things this weekend!