Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Story #1: New macOS Spyware Targets Intel and Arm Macs
A new macOS malware family called Cuckoo has been discovered. It runs on both Intel and Arm Macs, establishes persistence on infected hosts, and operates as a combined spyware and infostealer.
Top 4 takeaways:
- The malware is distributed via websites offering music ripping and conversion tools, with the malicious binary executed after a locale check.
- Cuckoo can extract hardware information, capture processes, query installed apps, take screenshots, and harvest data from various applications and services.
- The spyware applications are signed with a valid Developer ID, except for the one hosted on fonedog[.]com, which is signed with a different Developer ID.
- This spyware is part of a series of recent cyber security threats targeting macOS systems, such as a new variant of AdLoad malware written in Go called Rload (aka Lador) that’s engineered to evade the Apple XProtect malware signature list.
Story #2: LockBit Ransomware Admin Identified and Sanctioned
The FBI, UK National Crime Agency, and Europol have announced indictments and sanctions against Dmitry Yuryevich Khoroshev, the admin of the LockBit ransomware operation.
Top 3 takeaways:
- Launched in September 2019, LockBit has extorted over $500 million in ransom payments and conducted over 7,000 attacks across various countries.
- An earlier law enforcement action took down LockBit's infrastructure, leading to the recovery of stolen data, cryptocurrency addresses, and decryption keys, and to a reduction in the number of active affiliates.
- Despite the recent law enforcement actions, there is speculation that the same threat actors may continue their activities under a new name.
Story #3: Hackers Pose as Journalists to Steal Cloud Data
The Iranian state-backed hacking group APT42 uses social engineering to infiltrate networks and cloud environments, targeting NGOs, media, academia, legal services, and activists.
Top 3 takeaways:
- They pose as journalists and event organizers, building trust through ongoing correspondence and sharing harmless documents before directing targets to credential-harvesting pages.
- APT42 covertly exfiltrates data of interest to Iran, relying on built-in cloud features and open-source tools to avoid detection.
- The group uses harvested credentials and MFA codes to get past multi-factor authentication, and deploys custom backdoors such as NICECURL and TAMECAT for initial access and covert command execution.
Story #4: New Attack Abuses DHCP to Bypass VPN Encryption
A new attack called “TunnelVision” can bypass VPN encryption, allowing attackers to snoop on unencrypted traffic while maintaining the appearance of a secure VPN connection.
Top 4 takeaways:
- The attack abuses DHCP option 121 (classless static routes, RFC 3442) to push routes that are more specific than the VPN's tunnel routes, so traffic for those destinations leaves via an attacker-controlled gateway on the local network instead of the tunnel.
- The issue is tracked as CVE-2024-3661. The technique has been possible since at least 2002, when option 121 was standardized, and there are no known cases of active exploitation.
- Users can mitigate risks by using network namespaces, configuring VPN clients to deny non-VPN traffic, ignoring DHCP option 121, connecting via personal hotspots or VMs, and avoiding untrusted networks.
- VPN providers are encouraged to enhance client software with additional security checks.
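To make the routing trick concrete, here is an added example (not code from Leviathan's TunnelVision advisory or from this newsletter's original text) that decodes the option 121 payload of a DHCP offer and flags routes that would compete with a VPN's tunnel routes. The payload is constructed for illustration; the private-range list and the "more specific than /0 and not local" rule are this example's own heuristic, not a published detection signature.

```python
"""Added example: decode a DHCP option 121 payload (RFC 3442 classless
static routes) and flag routes that would steer internet-bound traffic to
a LAN gateway instead of a VPN's default route (the TunnelVision effect).
The SAMPLE payload below is constructed, not captured from a real network."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Destinations a LAN DHCP server may legitimately route via a local gateway
# (assumption of this example). Any other destination with a prefix longer
# than /0 is more specific than a VPN's 0.0.0.0/1 and 128.0.0.0/1 catch-all
# routes and therefore wins the routing decision.
LOCAL_SCOPES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_option_121(payload: bytes) -> List[Route]:
    """RFC 3442 encoding: per route, one byte of prefix length, ceil(len/8)
    significant destination octets, then a 4-byte router address."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + n] + bytes(4 - n)   # pad to a full IPv4 address
        router = payload[i + n:i + n + 4]
        i += n + 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
    return routes


def off_tunnel_routes(routes: List[Route]) -> List[Route]:
    """Routes to non-local destinations with a prefix longer than /0: these
    compete with, and if more specific win over, a VPN's tunnel routes."""
    return [(net, gw) for net, gw in routes
            if net.prefixlen > 0
            and not any(net.subnet_of(scope) for scope in LOCAL_SCOPES)]


def describe(routes: List[Route]) -> List[str]:
    return [f"{net} via {gw}" for net, gw in routes]


# Constructed option 121 body: two benign local routes, a normal default
# route, then two entries of the kind a rogue DHCP server would push.
SAMPLE = (
    bytes([24, 192, 168, 1]) + bytes([192, 168, 1, 1])          # 192.168.1.0/24 via LAN gw
    + bytes([8, 10]) + bytes([192, 168, 1, 1])                   # 10.0.0.0/8 via LAN gw
    + bytes([0]) + bytes([192, 168, 1, 1])                       # 0.0.0.0/0 via LAN gw
    + bytes([2, 0]) + bytes([192, 168, 1, 254])                  # 0.0.0.0/2 via rogue gw
    + bytes([32, 203, 0, 113, 5]) + bytes([192, 168, 1, 254])    # 203.0.113.5/32 via rogue gw
)

if __name__ == "__main__":
    for line in describe(off_tunnel_routes(parse_option_121(SAMPLE))):
        print("suspicious route:", line)
```

Run against the constructed payload, only the 0.0.0.0/2 and 203.0.113.5/32 entries are reported; the LAN, RFC 1918 and plain default routes pass. On a real host the same check belongs in whatever inspects DHCP offers before the client installs routes, which is the point of the "ignore option 121" and "deny non-VPN traffic" mitigations above.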
Story #5: State of Ransomware 2024
SecureList (Kaspersky) has released its annual report on the ransomware landscape. The report discusses the 30% increase in targeted ransomware groups and the 71% rise in known victims from 2022 to 2023.
Top 3 takeaways:
- LockBit 3.0, BlackCat/ALPHV, and Cl0p are highlighted as the most active ransomware families in 2023.
- Every third incident in 2023 was related to ransomware, with attacks via contractors and service providers emerging as a top attack vector.
- The ransomware ecosystem is becoming fragmented, with smaller groups emerging from the tools and code of larger, disbanded groups.
Top Tips of the Week
Threat Intelligence
- Leverage threat intelligence in fraud prevention. Identify and mitigate fraudulent activities with proactive intelligence.
- Utilize threat intelligence for proactive threat hunting. Leverage intelligence to identify and neutralize threats before they escalate.
- Participate in threat intelligence sharing forums. Contribute insights, learn from peers, and stay updated on emerging trends.
Threat Hunting
- Stay agile in cyber threat hunting. The threat landscape evolves; so should your strategy. Adaptability is key to effective cybersecurity.
- Share threat intelligence with your industry ISAC as part of cyber threat hunting. Contribute to collective defense efforts against sector-specific threats.
- Monitor insider threats in cyber threat hunting. Combine behavioral analytics with threat intelligence for a comprehensive approach.
Custom Tooling
- Combine multiple data sources in your tools to make higher-confidence assessments. For instance, don't rely on a single CTI source; corroborate across three or more.
Feature Article
Cyber Kill Chain Challenges You Will Face If You Use It in the Real World
Lockheed Martin’s Cyber Kill Chain is an excellent framework for analyzing cyber attacks and mapping intrusion data. However, using it in the real world can prove challenging if you misinterpret its purpose, lack experience using it, or fail to integrate it with other cyber security frameworks and models.
This article explores the top five Cyber Kill Chain challenges you will encounter using the framework. These range from its static, linear design to its assumption of complete visibility and the heavy focus on preventative measures. Along with each challenge, strategies for overcoming them are presented so you can get back to kicking ass.
Let’s begin by quickly recapping the Cyber Kill Chain and its seven stages.
Learning Resources
8 New Features in Microsoft Edge You Need to Try
These 8 new features might make Edge a contender for the top web browser in 2024. They include Microsoft Copilot, Ask PDF, Translate and Read Aloud for PDF, Split screen, and lots more!
My top ones:
- Copilot with Edge
- Split screen
- Creating, translating, and reading PDFs aloud
Are You Prepared to Lose Your Job?
With the tech industry’s boom and busts in the last few years, you should have a strategy if you quickly find yourself out of a job. This excellent video discusses how to prepare right now and what to do if it happens. Always have a backup option!
7 Hidden Microsoft Apps You Should Be Using
Microsoft is constantly updating and releasing new apps for the 365 ecosystem. Some of these will be absolute game-changers to your productivity, and you will likely get them for free at work.
The M365 apps I use daily:
- Lists
- Whiteboard
- Planner
- Stream
GitHub Copilot Just Got a Major Upgrade
Take a first look at GitHub Copilot Workspace, a new AI coding tool that can build features and fix bugs directly in your codebase. This entertaining video explains Copilot Workspace and compares it to other AI tools like Devin.
Personal Notes
🤔 Microsoft, Microsoft, Microsoft (as Steve Ballmer would say). This week, we have been switching our backbone IT systems to Microsoft 365, which has been a bit of a learning experience.
We have set up all our employees with new flashy Microsoft 365 accounts, moved our company documents to SharePoint, and switched our online communications from Google Meet to Teams. The reason for all this change and becoming a Microsoft shop? Ease of use (eventually), a complete and mature ecosystem of productivity tools, and better integration with our clients (many of whom use Microsoft products).
Microsoft is a powerhouse of productivity tools, and we decided it was time to buy into what they were offering to see if it can significantly improve our business processes. We are excited to use their ecosystem and automation platform (Power Automate) to streamline our workflows. I’ll keep you updated on how we do.
P.S. This is why there are a bunch of learning resources related to Microsoft.