
Triaging the Week 016

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company.

This week, security researchers showed how misconfigured Microsoft Configuration Manager (MCM, formerly SCCM) deployments can be used to attack systems, and how Google's Gemini AI was vulnerable to several LLM threats. Meanwhile, Magnet Goblin (a pretty cool threat actor name) exploited 1-day vulnerabilities, the Tor Project released a new bridge type that disguises Tor traffic as HTTPS traffic, and Securelist released a report on the state of stalkerware.

This week's learning resources cover a wide range of topics. There is an OSCP exam guide, a great presentation on cyber security entrepreneurship given at Black Hat, a guide to building your own private AI, and more. Let's get started!


Top 5 News Stories


Story #1: Magnet Goblin Hackers Drop Custom One-Day Malware

A hacking group tracked as Magnet Goblin is exploiting one-day vulnerabilities (flaws that have been publicly disclosed and patched but not yet fixed on the victim's systems) to infiltrate internet-facing servers and deploy custom malware on Windows and Linux. The group's toolset includes NerbianRAT, including a Linux variant, and MiniNerbian, a smaller backdoor used for command execution and communication with its command and control (C2) server.

The key takeaway is that the window between public disclosure of a vulnerability and its exploitation is short, so quick patching of disclosed vulnerabilities in edge devices is crucial. Additional measures like network segmentation, endpoint protection, and multi-factor authentication are also recommended to limit what an attacker can do once a server is compromised.

Check Point

Story #2: Microsoft SCCM Misconfigurations Usable in Cyber Attacks

Security researchers have highlighted the dangers of improperly configuring Microsoft Configuration Manager (MCM, formerly SCCM), which can allow attackers to execute payloads on managed systems or take control of the domain.

A repository called Misconfiguration Manager has been released. It catalogues attack techniques that rely on faulty MCM configurations and pairs them with defensive resources. The most prevalent and harmful misconfiguration involves network access accounts (NAAs) with excessive privileges: the NAA credentials are distributed to clients, so an NAA that is also a domain or local administrator hands that privilege to anyone who compromises a single managed host.

For each attack technique, the repository provides preventive controls, detection guidance, and deceptive strategies (CANARY) to protect against it.

SpecterOps
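
As an added example (this is not code from the Misconfiguration Manager repository or from SpecterOps), the script below audits a given NAA for the over-privilege problem described above. It assumes you already know the NAA's account name from the Configuration Manager console (Administration > Security > Accounts) and that it runs on a domain-joined host with the RSAT ActiveDirectory module; the account name `svc_cm_naa` used in the usage note is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not code from the Misconfiguration Manager repository.
  Checks a Configuration Manager network access account (NAA) for the
  excessive privileges described above: privileged group membership
  (including nested membership), AdminSDHolder protection, Kerberoastable
  SPNs and a stale password. The NAA's sAMAccountName is supplied by the
  caller; nothing here queries Configuration Manager itself.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$NaaSamAccountName,      # e.g. 'svc_cm_naa' (hypothetical name)

    [int]$MaxPasswordAgeDays = 365   # passwords older than this are flagged
)

# Built-in groups an NAA should never belong to, directly or through nesting.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'DnsAdmins'
)

$account = Get-ADUser -Identity $NaaSamAccountName `
    -Properties adminCount, PasswordLastSet, servicePrincipalName

$findings = New-Object 'System.Collections.Generic.List[string]'

# Recursive membership via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941),
# so an NAA nested into Domain Admins through an intermediate group is still caught.
# Note: a DN containing '(' ')' '*' or '\' would need LDAP escaping first.
$dn     = $account.DistinguishedName
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Select-Object -ExpandProperty Name

foreach ($g in $groups) {
    if ($PrivilegedGroups -contains $g) {
        $findings.Add("HIGH: NAA is a (possibly nested) member of privileged group '$g'")
    }
}

# adminCount=1 means AdminSDHolder has protected this object at some point,
# i.e. it is, or once was, in a protected group. Worth explaining either way.
if ($account.adminCount -eq 1) {
    $findings.Add("MEDIUM: adminCount=1; account is or was in an AdminSDHolder-protected group")
}

# Any SPN makes the account Kerberoastable: every domain user can request a
# service ticket for it and brute-force the NAA password offline.
if ($account.servicePrincipalName.Count -gt 0) {
    $spns = $account.servicePrincipalName -join ', '
    $findings.Add("MEDIUM: account has SPNs ($spns); Kerberoastable")
}

if ($account.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
    $findings.Add("LOW: password last set $($account.PasswordLastSet); older than $MaxPasswordAgeDays days")
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$NaaSamAccountName' holds no privileged group membership and has no SPNs"
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it as `.\Test-NaaPrivilege.ps1 -NaaSamAccountName svc_cm_naa` (script and account names are placeholders). A clean result only means the NAA is not over-privileged in Active Directory; it says nothing about local Administrators membership on individual hosts, which would need a separate check. Microsoft's own guidance is that Enhanced HTTP removes the need for an NAA in most scenarios, so the strongest fix is to stop using one rather than to keep auditing it.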

Story #3: Tor Releases New Feature to Mimic HTTPS Traffic and Evade Censorship

The Tor Project has officially introduced WebTunnel, a new bridge type designed to help bypass censorship targeting the Tor network by disguising connections as regular HTTPS traffic.

WebTunnel bridges mimic HTTPS traffic, making it difficult for oppressive regimes to block them without blocking most web server connections. Users can manually add WebTunnel bridge addresses to the Tor Browser on desktop and Android platforms.

With 60 WebTunnel bridges worldwide and over 700 daily active users, the Tor Project aims to ensure Tor works for everyone, despite challenges in some regions like Iran. This is a significant leap forward for online privacy but may make it more difficult to track cybercriminals. 

Tor Project

Story #4: Securelist Highlights the State of Stalkerware

Securelist has released a report discussing the global issue of stalkerware, software installed on smartphones that monitors individuals without their consent. 

While stalkerware use is not banned in most countries, installing surveillance apps without consent is illegal and punishable. In 2023, over 31,000 unique users were affected by stalkerware, with the highest numbers in Russia, Brazil, and India.

The article provides tips for protecting oneself from stalkerware, such as using strong passwords and installing reliable security solutions. Read the full report to learn more.

Securelist

Story #5: Google Gemini AI Susceptible to LLM Threats

Researchers have found that Google’s Gemini large language model (LLM) is susceptible to various cyber threats, including the potential to leak system prompts and generate harmful content.

HiddenLayer identified vulnerabilities in Gemini Advanced and the Gemini LLM API that could affect both consumers and companies building on these services. They then demonstrated "crafty jailbreaking" techniques that could make the model output misinformation or illegal information.

Google has responded by stating that it runs ongoing red-teaming exercises and maintains safeguards against adversarial behaviour to continuously improve Gemini's defences.

HiddenLayer


Top Tips of the Week


Threat Intelligence

  • Engage in threat intelligence forums. Participate in discussions to share insights and learn from others in the field.
  • Collaborate across security teams for a holistic CTI approach. Break down silos and share insights for better threat awareness.
  • Diversify your threat intelligence team. Different perspectives enhance analysis and interpretation of intelligence data.

Threat Hunting

  • Conduct threat hunting simulations. Practice scenarios to improve skills and readiness for real-world threats.
  • Implement threat intelligence metrics in cyber threat hunting. Track and measure the effectiveness of your efforts.

Custom Tooling

  • Consider user experience in custom tool design. Intuitive interfaces enhance usability and encourage adoption. 
  • Integrate threat intelligence with SIEM tools. Enhance the capabilities of Security Information and Event Management for improved threat detection. 

Feature Article

The Cyber Kill Chain

The Cyber Kill Chain is a framework for understanding cyber attacks, analyzing intrusions, and planning cyber defenses. It is used throughout the industry by cyber security professionals in security operations, incident response, and cyber threat intelligence to investigate and report how a cyber attack happened. 

This article will provide you with an overview of the Cyber Kill Chain, why it is useful, and how to use it. You will see the kill chain in action as we go through a real-world case study focusing on Trigona ransomware. This will provide you with the knowledge and skills to use the Cyber Kill Chain in your work and analyze intrusions better.

Let’s get started learning this structured analytical technique! 

Read Now


Learning Resources


Complete OSCP Exam Guide

This OSCP exam guide will teach you everything you need to know about the exam, what key areas to focus on, and how to get certified on your journey to becoming a professional penetration tester. 

The OSCP is widely renowned as the golden standard of entry-level penetration testing certifications, and adding it to your resume will set you apart from the competition. 

Passing this exam has become something of a legend. It’s notoriously difficult, tests your hands-on hacking skills to the extreme, and is filled with rabbit holes that could derail you.

Fear not. This comprehensive exam guide will teach you how to pass this and get certified. Let’s go! 

StationX

The Path of Cyber Security Entrepreneurship

Discover the entrepreneurial journey all cyber security founders must go through to start and grow a company in this insightful presentation by Duo Security co-founder Jon Oberheide. 

He discusses the three main stages of growth, the common challenges you will encounter during each stage, and how to overcome the struggles of building your own cyber security company, drawing on the trials and tribulations of Duo. A must-watch for any cyber security professional with an interest in entrepreneurship.

How Cybercriminals Use the Dark Web for Initial Access

Check out this great discussion between Heath Adams and Jason Haddix on how cybercriminals and hackers use the dark web to find leaked credentials. They walk through how platforms like Flare can help you use cyber threat intelligence to defend against credential leaks and prevent account breaches.

Learn C# Through Mini-Projects

This complete C# tutorial from freeCodeCamp will take you from the basics of C# programming to advanced concepts. It uses mini-projects that allow you to use your hands-on keyboard problem-solving skills and accelerate your learning.

C# is a great first (or second) programming language to learn. It includes all the fundamental programming concepts you need to learn and presents them in a much more approachable way compared to C++ or Rust. It also has great interoperability with the Windows Operating System, making it perfect for hackers, threat hunters, and automation builders. Get started today!

Build Your Own Private AI

Learn how to set up your own AI model and unlock the power of a self-hosted AI model for your own devices! 

This excellent guide from NetworkChuck shows you how to build and tune a personal AI that you can host at home using technologies like Ollama and PrivateGPT. If you want to boost your AI learning, give this video a watch.


Personal Notes


🤔 This week has been focused on building our development skills, specifically learning the ins and outs of the C# programming language.

C# is a simple, modern, and versatile programming language that focuses heavily on Object-Oriented Programming (OOP). It is most often used to build software for the Windows platform, although it is cross-platform through .NET Core (now simply called .NET).

C# is ideal for people working in the Windows world. It can call the native Windows API, can host and interact with PowerShell, and has official SDKs for the main cloud providers (Azure, AWS, and GCP). For these reasons, we chose to develop our custom tooling in this language and hope to release some new threat hunting tools soon that take advantage of its features, along with some guides on how you can get started. 

As always, have a fantastic weekend, and make the most of the learning resources provided!