Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company.
As we head into Easter weekend, we see a rise in Phishing-as-a-Service (PhaaS) with two new platforms emerging (Tycoon 2FA and Dracula), the US government scorn tech companies for not mitigating SQL injection vulnerabilities, and how cybercriminals are pushing free VPN apps to unsuspecting consumers to use for fraud. We also learned that there has been a massive 64% rise in enterprise-specific zero-days in 2023!
This week’s learning resources are very varied – everything from social engineering and cyber threat intelligence to AI in programming and productivity techniques. Hopefully, you will find as much value in these as I did!
Top 5 News Stories
Story #1: New MFA-Bypassing Phishing Kit Targets Microsoft 365 and Gmail
A new phishing-as-a-service (PhaaS) platform targeting Microsoft 365 and Gmail accounts has been discovered. Named “Tycoon 2FA,” this phishing kit is capable of bypassing two-factor authentication (2FA) on Microsoft 365 and Gmail accounts.
Tycoon 2FA was discovered in October 2023 and has been active since at least August 2023. To bypass MFA, the phishing kit uses a multi-stage process involving a reverse proxy server to steal session cookies and bypass MFA mechanisms.
The latest version of Tycoon 2FA includes updates that enhance phishing and evasion capabilities. This is not the only PhaaS platform that can bypass 2FA protection; others include LabHost, Greatness, and Robin Banks.
Story #2: US Release Advisory on “Unforgivable” SQL Injection Flaws
The US is pushing for formal code reviews to eliminate “unforgivable” SQL injection vulnerabilities. The FBI & CISA have released an advisory that cites the MOVEit supply chain attacks as an example of the damage caused by SQL injection flaws.
The advisory emphasizes security by design by building it into software from the beginning of the development process to protect against exploitation, such as using parameterized queries with prepared statements to mitigate SQL injection risks.
Security by design is not new. Unfortunately, software vendors often see it as a waste of resources that drains the budget and increases development time, particularly with the move to agile development practices. Further government incentives will likely be needed to prevent this.
Internet Crime Complaint Center (IC3)
Story #3: Free VPN Apps on Google Play Used as Proxies for Cybercrime
Over 15 free VPN apps on Google Play were found using a malicious SDK that turned Android devices into residential proxies for cybercrime. These proxies route traffic through home devices, making it seem legitimate, but can be used for ad fraud, phishing, and more.
The SDK from LumiApps was identified as the source, with 28 apps listed as using it to secretly convert devices into proxies. Google removed the apps from the Play Store, and it’s advised to use paid VPN services to avoid such risks.
Story #4: Dracula Phishing Service Targets iPhone Users
Darcula is a new phishing-as-a-service (PhaaS) platform that uses over 20,000 domains to spoof brands and steal credentials globally.
It employs RCS for Google messages and iMessage for iPhone messages instead of SMS, making phishing messages seem more legitimate and harder to block. Darcula also utilizes modern technologies like JavaScript, React, Docker, and Harbor for continuous updates and feature additions.
Users should be wary of unsolicited messages with URLs and be mindful of grammar errors, urgent calls to action, or too-good-to-be-true offers.
Story #5: Zero-Day Exploit in Enterprise Technology Surge 64%
Google’s latest research report shows an increase in zero-day exploits, particularly targeting enterprise-specific software. In 2023, there were 97 zero-day vulnerabilities!
The number of enterprise-specific zero-days grew by 64% in 2023, indicating a shift in the types of products targeted for exploitation. While end-user product vulnerabilities are still prevalent, zero-day exploits in enterprise-focused software and appliances are increasing more rapidly.
Government cyberspies and commercial surveillance vendors are the main exploiters of these vulnerabilities, with a notable increase in sophisticated attacks on enterprise technology.
Top Tips of the Week
Threat Intelligence
- Educate stakeholders on the value of threat intelligence. Awareness promotes collaboration and enhances overall security.
Threat Hunting
- Share cyber threat hunting experiences at industry events. Learn from peers and contribute to the community’s knowledge.
Custom Tooling
- Collaborate with the cybersecurity community. Share insights and contribute to open-source projects related to custom tooling.
- Implement secure communication channels for custom tools. Protect data in transit and minimize the risk of interception.
- Implement secure coding practices for custom tools. Address vulnerabilities and ensure robust protection against potential exploits.
- Create custom tools with flexibility in mind. Design solutions that can adapt to changing requirements and evolving cybersecurity landscapes.
- Secure sensitive data in custom tools. Follow best practices for encryption and access controls to protect critical information.
Feature Article
Threat modeling is a key component of any successful cyber security program. It allows you to identify and assess your organization’s threats, what risks to prioritize, and mitigation strategies that will significantly improve your security posture.
This guide will teach you what threat modeling is, why it is important, and five methodologies and techniques you can use to elevate your threat modeling skills. It will also walk you through how to start with threat modeling by demonstrating the methods described in a case study. The article wraps up with practical recommendations for applying threat modeling in the real world.
Let’s get started exploring this cornerstone of effective cyber threat intelligence and cyber security programs!
Learning Resources
Phishing and Offensive Security Engineering
Learn about phishing, social engineering, hacking, and offensive security engineering in this enlightening discussion between Heath Adams and Aaron Wilson. It was interesting to discover what goes into creating a convincing social engineering campaign and how this is turned into a repeatable process.
They also dive into the new Practical Phishing Campaigns course, which was recently released on TCM Academy. It looks like a course worth checking out!
Dive Into the Diamond Model With Its Co-creator
Check out this great introduction to the Diamond Model of Intrusion Analysis by Sergio Caltagirone, its co-creator. The Diamond Model is a conceptual framework for better understanding the relationships between threat actors, their targets, infrastructure, and tactics used during a cyber attack. If you are in cyber threat intelligence, this is a must-watch!
Is Devin AI Going to Take Your Job?
Recently, a new AI platform called Devin was released. Many people have claimed this represents the end of programmers, with AI becoming sophisticated enough to tackle enterprise-scale development projects. The Primeagen, an outspoken (and entertaining) programming expert, has other ideas.
Check out this great take from an industry pro about AI’s effects on programming and what you need to do to stay ahead.
Learn How to Beat Distraction and Get More Done
Explore the 5 common mistakes students, employees, entrepreneurs, and content creators make that cause them to lose focus and fall behind. I have made many of these mistakes in the past, and Ali’s novel solutions to overcome them are something I wish I had known years ago. Give it a watch!
Personal Notes
🤔 At Kraven, we have continued our work on learning C#, test-driven development (TTD), and the nuances of using Visual Studio as an IDE. These technologies and techniques should allow us to deliver more security tools and content on creating custom tooling to help you be more efficient at your job.
We have also been focusing on creating more content on structured analytical techniques and continuing our ongoing series. This week, we just wrapped up an article on the Diamond Model and are in the midst of planning one on the Analysis of Competing Hypotheses. These will be released soon to help you improve your cyber threat intelligence skills.