Welcome back to the Kraven Security weekly newsletter, triaging the week. In it, we round up the week’s top news stories, highlight our featured article, provide some learning resources, and finish with a few personal notes about what’s happening at the company.
This week, attackers targeted a major zero-day vulnerability in Palo Alto network firewalls and organizations worldwide with malicious code hidden in images. It was also a week that reminded us that smart locks can be not-so-smart, with a critical vulnerability in Chirp Systems’ smart locks, and cloud CLI tools can inadvertently expose secrets if used incorrectly.
This week’s learning resources include our featured article on the Diamond Model, a fundamental threat analysis technique, and some excellent with cyber security veterans John Strand and Sergio Caltagirone. There is also an exciting documentary on how Google built its cyber security program, how to build honeypots in Azure, and more. Let’s dive in!
Top 5 News Stories
Story #1: Zero-day Exploited in Palo Alto Networks
Suspected state-sponsored hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls, leading to data and credential theft. Tracked as CVE-2024-3400, threat actors have exploited the vulnerability since March 26, 2024.
Attackers created a cron job to fetch and execute commands from an external server using a Python-based backdoor named UPSTYLE. The backdoor parses a web server error log for commands hidden in network requests and executes them, leaving minimal traces.
Organizations are advised to check for internal lateral movement and apply patches by April 19, as CISA directs.
Story #2: Hive Malware Creator and Seller Arrested
A collaboration between the Australian Federal Police (AFP) and the FBI led to the arrest of two individuals linked to the “Firebird” RAT, later renamed “Hive.” Firebird/Hive, marketed as a remote administration tool, offered features like stealthy access and password recovery, hinting at its illicit use.
Two men were arrested. Edmond Chakhmakhchyan, aka “Corruption,” who faces multiple counts with a maximum of 10 years, and an unnamed Australian suspect who faces 12 charges with a potential 36-year sentence.
United States Department of Justice (DoJ)
Story #3: New SteganoAmor Attacks Use Steganography
A new cyberattack campaign by TA558 uses steganography to hide malicious code in images and targets 320 organizations globally.
Attackers send emails with document attachments exploiting CVE-2017-11882 (a Microsoft Office Equation Editor vulnerability) to download malware. The campaign delivers various malware tools, including AgentTesla, FormBook, Remcos, LokiBot, Guloader, Snake Keylogger, and XWorm.
Updating Microsoft Office to a recent version can defend against these attacks, as they exploit a seven-year-old bug.
Story #4: CISA Issues Warning on Vulnerability in Chirp Systems Smart Lock Key
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned about a vulnerability in Chirp Systems smart locks that could allow unauthorized remote access to around 50,000 dwellings due to hard-coded credentials in the Android app.
Chirp Systems has not responded to the issue despite being notified in March 2021. Their parent company, RealPage, Inc., is facing lawsuits for alleged rent inflation collusion.
The flaw, Matt Brown of Amazon Web Services reported, involves hard-coded credentials within the lock’s source code, leading to a CVSS rating of 9.1.
RealPage is being sued by attorneys general for creating a rental monopoly, with the U.S. Department of Justice supporting the lawsuit. Users are advised to secure their doors with additional mechanical locks as a precaution.
Story #5: Cloud CLI Tools Could Leak Credentials in Build Logs
New research has identified that CLI tools from AWS and Google Cloud can inadvertently expose sensitive credentials in build logs, presenting a security risk dubbed LeakyCLI
Microsoft has addressed a similar issue with Azure CLI by releasing security updates in November 2023, with the vulnerability assigned CVE-2023-360521. Both Amazon and Google advise against storing secrets in environment variables. Instead, they recommend using services like AWS Secrets Manager or Google Cloud Secret Manager.
If adversaries access these environment variables, they could potentially view sensitive information, including credentials, leading to unauthorized resource access.
Top Tips of the Week
Threat Intelligence
- Educate end-users on CTI relevance. Enhance organizational security by fostering a culture of threat awareness.
- Leverage diverse sources for threat intelligence. A wide range of inputs provides a more comprehensive understanding of the threat landscape.
Threat Hunting
- Test your incident response plan regularly. Simulate scenarios to identify weaknesses and improve readiness.
- Incorporate threat intelligence into your risk management strategy for cyber threat hunting. By identifying and mitigating potential risks, you can enhance resilience.
Custom Tooling
- Secure your custom tool deployment process. Follow best practices to minimize security risks during tool distribution.
- Prioritize security in custom tool development. Ensure compliance with industry standards to minimize vulnerabilities.
Feature Article
The Diamond Model is a foundational cyber threat intelligence tool that you must learn how to use. It is a framework for analyzing cyber intrusions and mapping the relationships between the attacker, their tools, and the infrastructure used to perform an attack. Used effectively, it will reveal questions to ask about an attack, allow you to group intrusions, and track attack campaigns and threat actors.
This comprehensive guide will teach you the model, its seven axioms, and how to use it effectively through a practical demonstration. It also discusses when you should use the model and some of the limitations you may encounter in the real world.
Let’s start discovering the Diamond Model’s power and elevating our cyber threat intelligence skillset!
Learning Resources
How Google Built Their Cyber Defense
Take an inside look at how a cyber attack triggered Google to revolutionize its cyber security and become one of the industry leaders in threat-informed defense. This insightful mini-documentation series is worth watching if you’re interested in cyber threat intelligence, incident response, or exploring a career in cyber.
Pentesting, Security Architecture, and Training With John Strand
Check out this great interview with the legendary John Strand from the team at ACI Learning. John shares his coveted insights on cyber security, regulatory compliance, penetration testing, and career advice. It is an interview packed with practical advice, useful tidbits, and hard-fought lessons.
Learn to Create an Azure Honey Pot
This excellent presentation by Kent Ickler and Jordan Drysdale of Black Hills Information Security explores creating a honey pot in Azure to gather intelligence about cyber attacks. The pair discusses developing a lab manager, spooling services for the Internet, and how long a service stays on the Internet before it gets attacked. Great insights into the practicalities of creating a honey pot, the data you can gather, and some of the common pitfalls.
Discover How to Create Honey Users (Quick and Easy)
Honey users are fake accounts you can deploy in your environment to catch bad guys performing password attacks (e.g., brute force, credential spraying, credential stuffing, etc.). If someone tries to log in as one, you know they are up to no good.
This mini-tutorial from John Strand teaches you how to quickly and easily set up honey users in your account. From there, you can create detection rules that trigger whenever someone interacts with them. An easy win.
Career Advice From an Industry Legend
Sergio Caltagirone is a 20-year industry veteran with an incredible CV that includes work in the intelligence community as a cyber security analyst, director of threat intelligence, and educator.
In this awesome lecture, he offers advice on starting and growing a career in cybersecurity, digital forensics, or cyber threat intelligence. It features everything from which jobs to look for, how to become a manager, and acing the job interview process. A lecture you don’t want to miss if you want to get a job in cyber or advance your career!
Personal Notes
🤔 It’s been a short but busy week at Kraven as I prepare to be out of the office for a week. Preparing and scheduling content and social media posts to be released, rescheduling calls, and ensuring everything runs smoothly while I am away is always a hassle. However, we all need vacations now and then to keep us sane!
On the content front, we have been working on several new articles for our Definitions & Key Concepts series. This series focuses on helping newcomers learn the lingo, familiarize themselves with industry standards, and get up to speed so they can join in with conversations about cyber threat intelligence (CTI).
It’s a series designed to ensure everyone is on the same page and can follow along with the more advanced stuff. If you are new to CTI, I recommend checking it out. For everyone else, get stuck in with the learning resources!