Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company.
This week was all about the web with a new malware campaign using fake Google sites and HTML smuggling, cybercriminals shifting to attack APIs, and Kimusky using Microsoft Compiled HTML Help (CHM) files to execute malicious commands. CISA also released guidance on how to defend critical infrastructure, and GitHub used AI to help developers fix vulnerabilities.
The learning resources this week focus on programming, software development, and career progression. Of note is one on technical writing, a sorely overlooked topic from which all security teams can benefit.
Top 5 News Stories
Story #1: Hackers Use Fake Google Sites to Deliver Malware
A new malware campaign uses fake Google Sites and HTML smuggling to distribute AZORult malware for information theft. The campaign employs an unusual technique where the payload is embedded in a separate JSON file, bypassing typical security controls.
First detected in 2016, AZORult can gather various sensitive data, including credentials, cookies, browser history, and cryptocurrency wallet information. The attackers create counterfeit Google Docs pages that trick visitors into downloading a Windows shortcut file, which initiates the malware download and execution.
This is a reminder to always verify the legitimacy of the sites you download files from. If you are unsure if a site is legitimate, run it against online CTI search engines like VirusTotal, urlscan.io, and GreyNoise.
Story #2: CISA Shares Tips for Defending Critical Infrastructure
In response to the recent Chinese hacking group Volt Typhoon, which targeted US critical infrastructure, CISA and other agencies have released guidance on protecting your systems from these attacks.
Recommendations include robust logging, securing the supply chain, and aligning performance management with cyber goals. Being vigilant and implementing proactive defensive measures will play a critical role in defending operational technology and safeguarding any nation’s infrastructure, especially given the turbulent political times we are currently experiencing.
Cybersecurity & Infrastructure Security Agency (CISA)
Story #3: Cybercriminals Shift to Target APIs
Imperva has just released its 2024 State of API Security report. The main takeaway is that APIs account for around 71% of Internet traffic, and cybercriminals are shifting their focus to target APIs, with Account takeover (ATO) being a prevalent method.
Mismanaged APIs pose significant security threats, with shadow, deprecated, and unauthenticated APIs being common issues. Defending against these attacks requires regular audits, continuous monitoring, and robust security measures like WAF and Bot Protection.
Story #4: GitHub Adds New AI-Powered Feature to Fix Your Vulnerabilities
GitHub has introduced an AI-powered feature called Code Scanning Autofix, which is in public beta and automatically enabled for GitHub Advanced Security customers.
This feature helps fix over 90% of alert types in JavaScript, Typescript, Java, and Python, offering potential fixes with explanations and code previews. Developers can accept, edit, or dismiss the provided fix suggestions, but they should verify that the security issues are fully resolved.
GitHub aims to add support for more languages (C# and Go will follow next) and emphasizes the importance of preventing the accidental exposure of sensitive secrets in public repositories. This is a great step forward in tackling the low-hanging fruit and a perfect use case for AI.
Story #5: North Korea’s Kimusky Group Exploits Windows Help Files
North Korea’s Kimsuky group, known for cyber espionage, has launched a new campaign using Microsoft Compiled HTML Help (CHM) files to execute malicious commands on Windows machines.
The attack involves spear phishing and social engineering, with payloads that can harvest information about the victim’s machine and modify the Windows registry to ensure persistence. While Kimsuky has traditionally targeted Asia, there are indications that their activities may be expanding to other regions, including Germany.
The use of CHM files in cyber attacks is not new, but some organizations’ defenses may overlook it, highlighting the need for vigilance and updated security measures.
Top Tips of the Week
Threat Intelligence
- Consider the human factor in CTI analysis. Recognize the role of human behavior in cyber threats for more effective defenses.
- Collaborate with law enforcement for CTI investigations. Strengthen efforts against cybercrime through information sharing.
- Use threat intelligence in threat modeling. Identify potential threats early in the development process to enhance security measures.
Threat Hunting
- Monitor emerging technologies in cyber threat hunting. Evaluate and incorporate new tools and methodologies to stay ahead of evolving threats.
- Encourage diversity in cyber threat hunting teams. Different perspectives enhance problem-solving and threat identification.
- Use CTI to inform incident response playbooks. Enhance the effectiveness and efficiency of response efforts and threat hunts.
Custom Tooling
- Regularly assess custom tool dependencies. Keep libraries and frameworks up to date to benefit from the latest features and security patches.
Feature Article
What if I told you there was a system that allowed you to structure your intelligence gathering, manage your data sources, and guide your team to answers during investigations… would you believe me? Well, let me introduce you to the idea of a Collection Management Framework – a structured approach to organizing your data.
This article details what a Collection Management Framework is and the major benefits it can provide your entire security team, from incident responders to threat intelligence analysts. You will then learn how to create your own using a five-phase process. This process will allow you to develop a Collection Management Framework, comprehensively assess it, and continuously improve it.
Let’s get started building a system to optimize how you use your data sources!
Learning Resources
How to Find a Cyber Security Mentor in 2024
Cyber security mentorship will be a game-changer for your career.
Whether you’re looking to break into the industry or rise up the ranks, a high-quality mentor will accelerate your growth and development. Mentorship empowers you to unlock your full potential, giving you an advantage over other potential candidates.
This article will explain the value of a cyber security mentor, what you should expect from a good one, how to find them, and tips for making the most of the process. It also provides actionable advice for getting started on your cyber security mentorship journey today.
Discover the Power Of TDD
Test-driven development (TDD) is a different way of thinking about software engineering. In this approach, you write tests for your code before actually writing any code. This unique approach allows you to improve code quality, get feedback faster, and facilitate good software design.
I have been implementing this approach in recent projects, and this excellent guide by Dave Farely will show you how!
Find an API to Use in Your Next Project
This excellent demo showcases 40 APIs you should know about and use in your projects. From social media to finance to weather, these APIs will help you create awesome projects that can deliver real value! Let me know if you found any of these useful for your cyber security projects.
The Value of Open Source Projects
Check out this great interview between Dorian Develops and Eddie Jaoude on learning to code, being a digital nomad, and the value of contributing to open-source projects. It is an insightful interview if you want to know how to escape the 9-5 lifestyle and grow as a software developer.
The Importance of Technical Writers
Learn why technical writers are so important to security developments and consulting in this eye-opening presentation by Elliot Grey at Black Hat. The presentation highlights why technical writers are needed in your security team, the value they deliver, and where to start hiring them.
Personal Notes
🤔 We have been following on from last week’s deep dive into C# development at Kraven this week. Broadening our investigation and development practices into Test Driven Development (TTD), hence the inclusion in our learning resources.
TTD (and its big brother, BDD) are unique approaches to software development. They use testing to drive the development process and offer countless benefits regarding code quality and software design. The team is currently trying out this approach to see if we want to adopt it at Kraven to create our custom tooling – more news to come.