Welcome back to the Kraven Security weekly newsletter, triaging the week. In it, we round up the week’s top news stories, highlight our featured article, provide some learning resources, and finish with a few personal notes about what’s happening at the company.
This week, we saw scams everywhere. Fake AI Facebook ads tricked users into downloading info-stealer malware, fake popularity scams tricked developers into cloning malware-riddled GitHub repositories, and hospital IT help desk employees were warned about being scammed into revealing compromising data.
We also learned about an Israeli spy chief embarrassingly revealing his secret identity in a book he authored, and about vulnerabilities in SharePoint that let hackers evade detection while exfiltrating data.
The learning resources this week are a mix of career advice on getting into ethical hacking and avoiding burnout, along with technical demonstrations on creating honeypots, honey tokens, and testing your skills in attack ranges. Let’s just jump in!
Top 5 News Stories
Story #1: Fake Facebook AI Page Pushed Malware to 1.2 Million People
Hackers are using fake AI service ads on Facebook to distribute password-stealing malware, a practice known as “malvertising.” The bad guys hijack legitimate profiles to create fraudulent communities, impersonating popular AI services like MidJourney and OpenAI’s SORA. The malware, such as Rilide, Vidar, IceRAT, and Nova, steals sensitive data from browsers.
The campaign’s success underscores the need for caution with online ads and the challenges of social media moderation.
Story #2: Hospitals Warned That Their IT Help Desks Are Being Targeted by Hackers
The U.S. Department of Health and Human Services (HHS) has warned that hackers are using social engineering to target IT help desks in the Healthcare and Public Health sectors, enrolling their own devices for multi-factor authentication to gain access.
They call organizations with local area codes, pretending to be employees, and use stolen ID details to convince IT helpdesks to enroll new devices under their control. This allows attackers to access corporate resources, redirect bank transactions, and transfer funds to overseas accounts.
The health sector is advised to implement specific measures to block these attacks targeting IT help desks. These include callbacks to verify password requests and new MFA devices, monitoring for suspicious account changes, and training help desk staff on common social engineering techniques.
Story #3: Israeli Spy Chief Accidentally Reveals His True Identity
Yossi Sariel, head of Israel’s Unit 8200, inadvertently revealed his identity online through a book published under a pen name. Sariel authored a book offering a vision for AI in warfare, which aligns with the IDF’s use of AI systems during the Gaza war.
Unit 8200 faced criticism for not preventing a deadly attack by Hamas, with some attributing the failure to an overreliance on technology. The IDF has adopted AI-powered systems for target recommendations, reflecting Sariel’s ideas on integrating AI with military operations.
This case highlights how difficult it can be to hide your online identity and how hubris is often many people’s downfall. Maybe if you are a spy chief and don’t want to reveal your identity, don’t publish a book.
Story #4: Flaw in SharePoint Helps Hackers Evade Detection When Stealing Files
Researchers at Varonis Threat Labs have found two methods that could allow attackers to bypass or lessen the severity of audit logs when downloading files from SharePoint.
- Open in App Exploit: The “Open in App” feature, which opens documents in applications like Microsoft Word, creates an “Access” event instead of a “FileDownloaded” event, potentially going unnoticed by administrators.
- User-Agent Spoofing: By spoofing the User-Agent string to resemble Microsoft SkyDriveSync, file downloads can appear as data syncing events, reducing the chance of detection by security teams.
Varonis recommends monitoring for unusual access activity and scrutinizing sync events for anomalies until Microsoft addresses these moderate severity issues.
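A sketch of the monitoring Varonis recommends, added here as an example (not code from Varonis or Microsoft): it flags users who touch an unusual number of distinct files through access or sync events in a short window. It assumes audit records exported as dictionaries with the Microsoft 365 audit fields `CreationTime`, `UserId`, `Operation` and `ObjectId`, and that the two event types appear as the `FileAccessed` and `FileSyncDownloadedFull` operations; the thresholds, window and sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that replace "FileDownloaded" under the two techniques, with an
# assumed per-user ceiling on distinct files per window (tune to your baseline).
LIMITS = {"FileAccessed": 20, "FileSyncDownloadedFull": 100}

def find_bursts(events, window=timedelta(minutes=5), limits=LIMITS):
    """Return {(user, operation): peak distinct files in any one window}
    for every user whose peak exceeds the limit for that operation."""
    per_key = defaultdict(list)
    for ev in events:
        if ev["Operation"] in limits:
            ts = datetime.fromisoformat(ev["CreationTime"])
            per_key[(ev["UserId"], ev["Operation"])].append((ts, ev["ObjectId"]))
    flagged = {}
    for (user, op), rows in per_key.items():
        rows.sort()
        start = peak = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, len({obj for _, obj in rows[start:end + 1]}))
        if peak > limits[op]:
            flagged[(user, op)] = peak
    return flagged

def sample_events():
    """Constructed audit records for illustration, not real tenant data."""
    t0 = datetime(2024, 4, 10, 9, 0, 0)
    def ev(user, op, n, secs):
        return {"CreationTime": (t0 + timedelta(seconds=secs)).isoformat(),
                "UserId": user, "Operation": op,
                "ObjectId": f"https://tenant.example/sites/hr/doc{n}.docx"}
    events = [ev("alice@tenant.example", "FileAccessed", n, n * 1200) for n in range(3)]
    events += [ev("mallory@tenant.example", "FileAccessed", n, n * 2) for n in range(30)]
    events += [ev("bob@tenant.example", "FileSyncDownloadedFull", n, n) for n in range(150)]
    events += [ev("carol@tenant.example", "FileSyncDownloadedFull", n, n * 5) for n in range(40)]
    return events

if __name__ == "__main__":
    for (user, op), peak in find_bursts(sample_events()).items():
        print(f"{user}: {peak} distinct files via {op} within 5 minutes")
```

Because neither technique produces a "FileDownloaded" event, a rule keyed only on downloads would miss both flagged users in the sample.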
Story #5: GitHub’s Fake Popularity Scam Tricks Developers Into Downloading Malware
Threat actors exploit GitHub’s search functionality to trick users into downloading malware-laden repositories. Fake popularity is created using automated updates and fake stars, making the repositories appear trustworthy. However, malicious code is hidden within Microsoft Visual Code project files, downloading harmful payloads from remote URLs when opened.
This report by Checkmarx emphasizes the importance of due diligence when downloading source code and the risks of relying on reputation alone.
Top Tips of the Week
Threat Intelligence
- Integrate threat intelligence into endpoint protection. Enhance the detection and response capabilities of your endpoint security.
- Follow intelligence-driven practices. Let CTI insights guide security decisions and responses.
- Develop a threat intelligence roadmap. A well-defined strategy guides efforts in integrating and optimizing processes.
Threat Hunting
- Implement threat intelligence metrics. Track and measure the effectiveness of your threat hunting efforts.
- Automate routine tasks in cyber threat hunting to focus on in-depth analysis. Leverage automation for efficiency in threat hunting processes.
- Collaborate with law enforcement. Sharing threat intelligence strengthens overall efforts against cybercrime.
Custom Tooling
- Document custom tools thoroughly. Clear documentation aids in maintenance, troubleshooting, and knowledge transfer.
Feature Article
There are a lot of challenges with indicators. The sheer quantity can be overwhelming, collecting good ones can be difficult, and knowing how to use them effectively is confusing.
This article explores the challenges you will face when using indicators during your cyber security operations and how you can overcome them through planning, foresight, and cyber threat intelligence best practices. Challenges will be highlighted, solutions will be explained, and you will discover how to use indicators productively to improve your organization’s cyber security posture.
Let’s start with a quick refresher on indicators and their importance in cyber security.
Learning Resources
Is Ethical Hacking Hard?
A career in ethical hacking can be fun, exhilarating, and financially rewarding. However, people looking to enter the industry often don’t stop to ask if ethical hacking is hard, what challenges they will encounter, and how they can overcome them.
This article will answer all of those questions. It explores how long it’ll take to become an ethical hacker, what you need to learn, and the importance of continuous learning to stay on track throughout your career.
Then, we’ll explore common challenges you’ll face during your career and provide solutions to help you overcome them.
Discover How to Create Your Own Honeypot
Explore how to create your own honeypot in this awesome, step-by-step tutorial on the open-source T-POT project. You will learn what honeypots are, why they are valuable for cyber threat intelligence, and how to create your own in the cloud. This great guide will add another valuable tool to your cyber security skillset.
Explore How to Protect You and Your Team From Burnout
Burnout is a common challenge in cyber security and technology. This insightful Black Hat presentation discusses strategies for identifying, overcoming, and protecting yourself and your team from it.
The different perspectives on situational vs. chronic burnout and how to combat each will provide you with actionable advice on fighting against our invisible adversary.
Test Your Skills in Splunk’s Attack Range
The Splunk Threat Research Team has released version 3.0 of the Splunk Attack Range, an open-source project for emulating adversary behavior and building detections in Splunk.
It will quickly get you up and running with a complete lab environment to test your hacking, threat hunting, and incident response skills in just 5 minutes. This includes Apache Guacamole and Splunk pre-installed. Definitely worth trying out in your own cloud environment to level up your cyber security skills using Splunk for free!
If you want to learn how to build and automatically deploy your own malware analysis environment, check out How to Automatically Deploy a Malware Analysis Environment.
Learn to Create Your Own AWS Honeytokens
Empower your cyber security defenses by learning to create honeytokens and automatically generate Slack alerts when hackers try to use them. This epic guide by GitGuardian walks you step by step through using the open-source project GGCanary to build and deploy honeytokens in your AWS environment.
Combating cyber threats with active countermeasures and deception tactics is an excellent skill for any CTI analyst or cyber security professional. This video tutorial will teach you how to do it for free!
Personal Notes
🤔 This week at Kraven, we finished off a few articles for our Structured Analytical Techniques series. These new additions focus on the Diamond model and Analysis of Competing Hypotheses (ACH) to accompany our guide on the Cyber Kill Chain. We are excited to keep adding to this series because it gives you practical skills (completely for free) that will elevate your cyber skills and raise your organization’s security posture!
We have also been returning to the grind of creating new articles on cyber security fundamentals like YARA rules and the Traffic Light Protocol (TLP). Again, we love adding to this series because it builds the foundations with our readers and helps them understand key concepts, common language, and what everyone is talking about. This ensures when we delve into more complex topics, like CTI report writing, our readers can keep up and not get lost in the jargon.
Enjoy your weekend, use the learning resources, and keep being awesome!