Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company.
This week, security researchers showed how misconfigured Microsoft Configuration Manager (MCM), formerly SCCM, deployments can be used to attack systems, and how Google’s Gemini AI was vulnerable to various LLM threats. Meanwhile, Magnet Goblin (a pretty cool threat actor name) exploited one-day vulnerabilities, the Tor Project released a new feature that disguises Tor traffic as HTTPS traffic, and Securelist released a report on the state of stalkerware.
This week’s learning resources cover a wide range of topics. There is an OSCP exam guide, a great presentation on cyber security entrepreneurship given at Black Hat, a guide to building your own private AI, and more. Let’s get started!
Top 5 News Stories
Story #1: Magnet Goblin Hackers Drop Custom One-Day Malware
A hacking group named Magnet Goblin is exploiting one-day vulnerabilities (flaws that are already publicly disclosed and patched but not yet fixed on the target) to infiltrate servers and deploy custom malware on Windows and Linux systems. The group uses malware such as NerbianRAT, including a Linux variant, and the smaller MiniNerbian backdoor for command execution and communication with its command and control (C2) server.
Patching disclosed vulnerabilities quickly is crucial, because one-day exploitation targets the window between public disclosure and patch deployment. Additional security measures like network segmentation, endpoint protection, and multi-factor authentication are also recommended.
Story #2: Microsoft SCCM Misconfigurations Usable in Cyber Attacks
Security researchers have highlighted the dangers of improperly setting up Microsoft’s Configuration Manager (MCM), formerly SCCM, which could allow attackers to execute payloads or gain domain control.
A repository called Misconfiguration Manager has been released. It details attack techniques based on faulty MCM configurations and offers defensive resources. The most prevalent and harmful misconfiguration involves network access accounts (NAAs) with excessive privileges: the NAA’s credentials are delivered to every client in policy, so an attacker who recovers them from a single client inherits whatever rights the account holds in the domain.
The repository provides preventive (PREVENT), detection (DETECT), and deceptive (CANARY) strategies to protect against the attack techniques described.
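The check below is an added example for this newsletter, not code from the Misconfiguration Manager repository or from Microsoft. It reads the NAA(s) configured for a ConfigMgr site from the SMS provider (the “Software Distribution” client component, whose “Network Access User Names” property list holds the account names) and flags any that belong to a highly privileged Active Directory group. The site server name `CM01`, the site code `PS1`, and the list of privileged groups are assumptions; it also assumes the RSAT ActiveDirectory module is installed and the caller can read both the SMS provider and AD group membership.

```powershell
# Added example (not from Misconfiguration Manager or Microsoft): find the
# Network Access Account(s) for a ConfigMgr site and report over-privileged ones.
# Assumed/hypothetical values: site server 'CM01', site code 'PS1'.
param(
    [string]$SiteServer = 'CM01',
    [string]$SiteCode   = 'PS1'
)

Import-Module ActiveDirectory

# Groups whose membership would let a recovered NAA take over the domain.
# Assumption: extend this list with any custom high-privilege groups you use.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Administrators',
    'Schema Admins', 'Account Operators', 'Backup Operators'
)

# The NAA lives in the site control file, exposed through the SMS provider as
# the 'Software Distribution' client component. PropLists is a lazy property,
# so the instance is piped back into Get-CimInstance to fetch it fully.
$component = Get-CimInstance -ComputerName $SiteServer `
    -Namespace "root\SMS\site_$SiteCode" `
    -ClassName 'SMS_SCI_ClientComp' `
    -Filter "ClientComponentName='Software Distribution'" |
    Get-CimInstance

$naaList = $component.PropLists |
    Where-Object { $_.PropertyListName -eq 'Network Access User Names' } |
    ForEach-Object { $_.Values }

if (-not $naaList) {
    Write-Output "No Network Access Account is set for site $SiteCode (clients use their own identity or Enhanced HTTP)."
    return
}

foreach ($naa in $naaList) {
    # Entries are stored as 'DOMAIN\user'; the AD lookup only needs the sAMAccountName.
    $sam = ($naa -split '\\')[-1]
    try {
        $groups = Get-ADPrincipalGroupMembership -Identity $sam |
            Select-Object -ExpandProperty Name
    } catch {
        Write-Warning "Could not resolve '$naa' in Active Directory: $_"
        continue
    }

    $hits = $groups | Where-Object { $privilegedGroups -contains $_ }
    if ($hits) {
        Write-Output "RISK: NAA '$naa' is a member of: $($hits -join ', '). Recovering its policy secret from any one client yields these rights."
    } else {
        Write-Output "OK: NAA '$naa' holds no privileged group membership (still confirm it has only read access to distribution point content)."
    }
}
```

Run this from a workstation with the ConfigMgr console or RSAT tools installed. An NAA that shows up as RISK should be replaced with a dedicated low-privilege account, or removed altogether where Enhanced HTTP lets clients authenticate with their own identity.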
Story #3: Tor Releases New Feature to Mimic HTTPS Traffic and Evade Censorship
The Tor Project has officially introduced WebTunnel, a new bridge type designed to help bypass censorship targeting the Tor network by disguising connections as regular HTTPS traffic.
WebTunnel bridges mimic HTTPS traffic, making it difficult for oppressive regimes to block them without also blocking ordinary HTTPS connections to web servers. Users can manually add WebTunnel bridge addresses to the Tor Browser on desktop and Android platforms.
With 60 WebTunnel bridges worldwide and over 700 daily active users, the Tor Project aims to ensure Tor works for everyone, despite challenges in some regions like Iran. This is a significant leap forward for online privacy but may make it more difficult to track cybercriminals.
Story #4: Securelist Highlights the State of Stalkerware
Securelist has released a report discussing the global issue of stalkerware, software installed on smartphones that monitors individuals without their consent.
While stalkerware apps themselves are not banned in most countries, installing one on another person’s device without their consent is illegal and punishable. In 2023, over 31,000 unique users were affected by stalkerware, with the highest numbers in Russia, Brazil, and India.
The article provides tips for protecting oneself from stalkerware, such as using strong passwords and installing reliable security solutions. Read the full report to learn more.
Story #5: Google Gemini AI Susceptible to LLM Threats
Researchers have found that Google’s Gemini large language model (LLM) is susceptible to various cyber threats, including the potential to leak system prompts and generate harmful content.
HiddenLayer identified vulnerabilities in Gemini Advanced and the Gemini API that could affect both consumers and companies using these services. They then demonstrated “crafty jailbreaking” techniques that could make the model output misinformation or illegal information.
Google has responded to these claims by stating it implements ongoing red-teaming exercises and safeguards against adversarial behaviors to continuously improve Gemini’s defenses.
Top Tips of the Week
Threat Intelligence
- Engage in threat intelligence forums. Participate in discussions to share insights and learn from others in the field.
- Collaborate across security teams for a holistic CTI approach. Break down silos and share insights for better threat awareness.
- Diversify your threat intelligence team. Different perspectives enhance analysis and interpretation of intelligence data.
Threat Hunting
- Conduct threat hunting simulations. Practice scenarios to improve skills and readiness for real-world threats.
- Implement threat intelligence metrics in cyber threat hunting. Track and measure the effectiveness of your efforts.
Custom Tooling
- Consider user experience in custom tool design. Intuitive interfaces enhance usability and encourage adoption.
- Integrate threat intelligence with SIEM tools. Enhance the capabilities of Security Information and Event Management for improved threat detection.
Feature Article
The Cyber Kill Chain is a framework for understanding cyber attacks, analyzing intrusions, and planning cyber defenses. It is used throughout the industry by cyber security professionals in security operations, incident response, and cyber threat intelligence to investigate and report how a cyber attack happened.
This article will provide you with an overview of the Cyber Kill Chain, why it is useful, and how to use it. You will see the kill chain in action as we go through a real-world case study focusing on Trigona ransomware. This will provide you with the knowledge and skills to use the Cyber Kill Chain in your work and analyze intrusions better.
Let’s get started learning this structured analytical technique!
Learning Resources
Complete OSCP Exam Guide
This OSCP exam guide will teach you everything you need to know about the exam, what key areas to focus on, and how to get certified on your journey to becoming a professional penetration tester.
The OSCP is widely renowned as the gold standard of entry-level penetration testing certifications, and adding it to your resume will set you apart from the competition.
Passing this exam has become something of a legend. It’s notoriously difficult, tests your hands-on hacking skills to the extreme, and is filled with rabbit holes that could derail you.
Fear not. This comprehensive exam guide will teach you how to pass this and get certified. Let’s go!
The Path of Cyber Security Entrepreneurship
Discover the entrepreneurial journey all cyber security founders must go through to start and grow a company in this insightful presentation by Duo Security co-founder Jon Oberheide.
He discusses the three main stages of growth, common challenges you will encounter during these stages, and how to overcome the struggles of building your own cyber security company, based on the trials and tribulations of Duo. A must-watch for any cyber security professional with an interest in entrepreneurship.
How Cybercriminals Use the Dark Web for Initial Access
Check out this great discussion between Heath Adams and Jason Haddix on how cybercriminals and hackers use the dark web to find leaked credentials. They walk through how platforms like Flare can help you use cyber threat intelligence to defend against credential leaks and prevent account breaches.
Learn C# Through Mini-Projects
This complete C# tutorial from freeCodeCamp will take you from the basics of C# programming to advanced concepts. It uses mini-projects that let you apply hands-on-keyboard problem-solving skills and accelerate your learning.
C# is a great first (or second) programming language to learn. It includes all the fundamental programming concepts you need to learn and presents them in a much more approachable way compared to C++ or Rust. It also has great interoperability with the Windows Operating System, making it perfect for hackers, threat hunters, and automation builders. Get started today!
Build Your Own Private AI
Learn how to set up your own AI model and unlock the power of a self-hosted AI model for your own devices!
This excellent guide from NetworkChuck shows you how to build and tune a personal AI that you can host at home using technologies like Ollama and PrivateGPT. If you want to boost your AI learning, give this video a watch.
Personal Notes
🤔 This week has been focused on building our development skills, specifically learning the ins and outs of the C# programming language.
C# is a simple, modern, and versatile programming language that focuses heavily on creating Object-Oriented Programming (OOP) applications. It is generally used to build software applications on the Windows platform, although it is cross-platform compatible through the .NET platform (formerly .NET Core).
C# is ideal for people working in the Windows world. It is interoperable with the native Windows API, can interact with PowerShell, and supports the main cloud services like Azure, GCP, and AWS. For these reasons, we chose to develop custom tooling using this language and hope to release some new threat hunting tools soon that take advantage of its powerful features—along with some guides on how you can get started.
As always, have a fantastic weekend, and make the most of the learning resources provided!