Welcome back to the Kraven Security weekly newsletter, triaging the week. In it, we round up the week’s top news stories, highlight our featured article, provide some learning resources, and finish with a few personal notes about what’s happening at the company.
The big news this week came from the open-source world. Unfortunately, a major backdoor in a widely distributed compression tool generated panic, curiosity, and mystery. On the positive side, Google announced a feature that will make cookies harder to steal, 250 Indian citizens were saved from cyber slavery in Cambodia, and researchers released guidance on defending against a new clickjacking technique.
This week’s learning resources feature insightful interviews with industry pros and content creators, a course on no-code automation, and a lecture on the Analysis of Competing Hypotheses method. Let’s jump in!
Top 5 News Stories
Story #1: Backdoor Found in Popular XZ Open Source Tool
Andres Freund discovered a backdoor in the popular open-source XZ tool while analyzing a Postgres performance problem on a Linux box running Debian Sid (the rolling development version of Debian). Over the last month, malicious code was added to XZ versions 5.6.0 and 5.6.1, and it has been assigned a 10/10 critical severity score.
Tracked as CVE-2024-3094, the malicious build interferes with authentication in sshd via systemd, potentially allowing unauthorized remote access to the entire system. Users are advised to stop using affected versions immediately and downgrade to an uncompromised version (i.e., XZ 5.4.6 Stable).
Hunting for any malicious or suspicious activity on their systems is also recommended. Run the following command to check if the malicious xz version is installed on your systems:
for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done
Story #2: Google Announces New Chrome Feature to Protect Your Cookies
Google announced ‘Device Bound Session Credentials’ (DBSC), a Chrome security feature that binds cookies to a specific device and prevents user account hijacking via MFA bypass.
DBSC uses a public/private key pair generated by the device’s TPM chip, making stolen cookies useless to attackers. In the prototype phase, users can test DBSC by enabling a dedicated flag in Chrome’s settings on supported operating systems.
The feature is expected to enhance security for Google accounts and Google Workspace and Cloud customers, aligning with the phase-out of third-party cookies.
Story #3: India Rescues 250 People From Cybercrime Gang
The Indian government has repatriated 250 citizens from Cambodia who were deceived into cybercrime jobs. Victims were lured with job offers and then forced to commit cybercrimes under harsh conditions and threats. Scammers impersonated law enforcement to blackmail victims, leading to an investigation that uncovered a large syndicate.
The case highlights the need for global cooperation to address cybersecurity challenges and combat cybercrime. It also shows the lengths cybercriminals will go to! Despite these efforts, India Today reports more than 5,000 Indians in Cambodia are being forced to scam fellow Indians.
India Ministry of External Affairs
Story #4: Microsoft Slammed Over Breach by China-Based Hackers
The U.S. Cyber Safety Review Board (CSRB) criticized Microsoft for security lapses that led to breaches by Storm-0558, a China-based hacker group. The breach affected nearly two dozen companies and was deemed preventable, resulting from Microsoft’s “cascade of avoidable errors.”
Microsoft’s investigation into the hack continues. The company admits to operational errors and the need for a new culture of engineering security. CSRB recommended cloud service providers adopt modern control mechanisms, baseline practices, and transparency in incident reporting to safeguard against state-sponsored threats.
Cyber Safety Review Board (CSRB)
Story #5: New Variation of Clickjacking Emerges Called “Gesture Jacking”
While many web developers still struggle to defend against clickjacking, a new attack technique has emerged: gesture jacking (cross-window forgery). This technique is more reliable and less reliant on user settings.
Clickjacking is an attack in which web page elements are manipulated to deceive users into clicking something other than what they intend. Gesture jacking is similar to clickjacking but involves attackers enticing users to perform certain actions, like holding down a key, which can lead to unauthorized operations on a victim’s website.
To defend against these techniques, web developers should avoid predictable ID tags for sensitive buttons, drop URL fragments so that a link cannot scroll the page to a specific element, use the force-load-at-top document policy, and implement activation cooldown periods.
Despite browser efforts to mitigate these risks, this is a continuous battle, with not all abusable behaviors considered vulnerabilities by browser vendors. It is a cat-and-mouse game between developers and hackers.
Top Tips of the Week
Threat Intelligence
- Stay agile in CTI. Adapt strategies and tactics based on the evolving threat landscape for effective cybersecurity.
- Monitor third-party risks with threat intelligence. Assess and manage cybersecurity risks associated with vendors and partners.
- Regularly review CTI sharing agreements. Ensure that partnerships align with organizational goals and requirements.
Threat Hunting
- Collaborate with threat intelligence researchers. Tap into their expertise to enhance your understanding of specific threats and tactics.
Custom Tooling
- Incorporate user training in custom tool deployment. Empower users with the knowledge to effectively utilize and maximize the benefits of the tool.
- Conduct threat modeling in custom tool design. Identify potential risks and vulnerabilities during the development phase.
- Consider the geographical dispersion of users in custom tool design. Ensure accessibility and optimal performance for users across locations.
Feature Article
Malware analysis is an essential skill for any cyber security professional performing technical work. To become good at it, you need a safe, secure, and controlled malware analysis environment to detonate your malware. This comprehensive guide will show you how to create one.
You will discover why being able to analyze malware is so important and how to create an environment where you can practice this skill using virtualization, infrastructure as code (IaC), and freely available malware analysis tool suites. The hands-on demonstration will show you how to use Terraform, Proxmox, and Apache Guacamole to create the ultimate malware analysis environment from the comfort of your own home.
Let’s start by answering the following question: Why bother learning malware analysis?
Learning Resources
What It’s Like to Be a CISO?
Have you ever wondered what it’s like to be the head honcho and run cyber for a major company? Check out this great interview between Gerald Auger and Accidental CISO. The pair discuss the trials and tribulations of becoming a CISO, advice on navigating the cyber security industry, and tips on running a successful podcast.
A very insightful discussion that I recommend to anyone who wants to move up the cyber ranks or get into management.
Discover the Power of No-Code Automation
This fantastic course from freeCodeCamp will teach you everything you need to get started automating routine business tasks and streamlining your workflow.
Automation is key for any knowledge worker, and cyber security professionals are no exception. Learn to get started automating your emails, ticketing, and even AI-driven tasks right now. You’ll be amazed at the time you can get back!
Hack the YouTube Algorithm Right Now!
If you are a fan of high-quality cyber security and networking content, you have probably heard of David Bombal and NetworkChuck. In this insightful interview, the pair discuss becoming a content creator, gaining traction on YouTube, and finding your passion for technology.
It’s an excellent discussion that centers around NetworkChuck’s journey to becoming a YouTube star and is packed with valuable advice.
Learn About the Analysis of Competing Hypotheses
Analysis of Competing Hypotheses (ACH) is a structured analytical technique that all cyber threat intelligence analysts should learn and use to improve their analysis skills. This video lecture by Brian Urlacher beautifully explains ACH and is a great starting point for this fundamental intelligence analysis technique.
We will have an article on this technique as it applies to cyber security, which will teach you everything you need to know.
Personal Notes
🤔 This week, we have focused on our structured analytical techniques series at Kraven with articles on the Diamond Model and Analysis of Competing Hypotheses (see the learning resource above for a sneak peek). These analysis methods are fundamental for all cyber threat intelligence analysts. Our aim is to produce comprehensive guides that will help you incorporate them into your daily work and elevate your analysis skills.
In less serious news, the team has been voting for their favorite Easter egg this year. Cadbury’s “Ultimate Egg” collection with Crunchie and Marble eggs were strong contenders. However, surprisingly, Toblerone took the first spot with their “Edgy Egg.” Now, I just need to try to burn off all the excess sugar!