Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
regreSSHion Bug in OpenSSH Leads to Remote Code Execution on Linux
A new OpenSSH vulnerability, CVE-2024-6387 (regreSSHion), allows unauthenticated remote code execution with root privileges on glibc-based Linux systems.
Top 5 takeaways:
⚡ Exploitation can lead to complete system takeover, malware installation, data manipulation, and network propagation.
📈 Searches via Censys and Shodan turned up over 14 million OpenSSH server instances exposed to the Internet that could be affected; Qualys's own attack-surface data counted roughly 700,000 external internet-facing instances that are actually vulnerable.
🧠 The flaw is a race condition in sshd's SIGALRM handler, so it is hard to exploit: Qualys needed many thousands of connection attempts over several hours to win the race, and only demonstrated it on 32-bit systems. The article notes that AI tools may increase success rates.
🪲 OpenSSH 8.5p1 up to, but not including, 9.8p1 is vulnerable; 9.8p1 ships the fix. Versions before 4.4p1 are also affected unless they carry backported fixes for CVE-2006-5051 and CVE-2008-4109, while 4.4p1 through 8.4p1 are not affected. OpenBSD is not impacted because its syslog implementation is safe to call from a signal handler.
🛡️ Organizations are advised to patch urgently and use patch management tools to drive remediation. Where a patch must wait, setting LoginGraceTime to 0 in sshd_config blocks the remote code execution path, at the cost of leaving sshd open to denial of service.
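The version ranges above are easy to get wrong when triaging a fleet, so here is an added triage helper (written for this newsletter, not from the OpenSSH project or the Qualys advisory) that parses an SSH server banner and says whether the reported version falls inside an affected range. The sample banners are constructed for offline testing. The one caveat a practitioner needs: distributions backport fixes without bumping the upstream version string, so a banner match is a prompt to check the installed package version, not a verdict.

```python
import re
import socket
from typing import Optional, Tuple

# Constructed sample banners for offline testing; they were not captured from real hosts.
# Value: True = version range affected, False = not affected, None = not OpenSSH.
SAMPLE_BANNERS = {
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13": True,
    "SSH-2.0-OpenSSH_9.8p1": False,                 # first fixed release
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3": False,  # 4.4p1 .. 8.4p1 not affected
    "SSH-2.0-OpenSSH_8.5p1": True,                  # regression introduced here
    "SSH-2.0-OpenSSH_4.3p2": True,                  # pre-4.4p1 unless CVE-2006-5051 backported
    "SSH-2.0-OpenSSH_7.4": False,
    "SSH-2.0-dropbear_2020.81": None,               # different server, out of scope
}

# Matches "OpenSSH_9.6p1"; the portable "pN" suffix is optional in some builds.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

FIRST_FIXED = (9, 8, 1)
REGRESSION_START = (8, 5, 1)
OLD_FIX = (4, 4, 1)   # CVE-2006-5051 fix shipped in 4.4p1


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, portable-patch) from a server banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_regresshion_range(v: Tuple[int, int, int]) -> bool:
    """True if the upstream version is inside a range Qualys lists as affected."""
    if v < OLD_FIX:
        return True          # affected unless CVE-2006-5051/CVE-2008-4109 were backported
    return REGRESSION_START <= v < FIRST_FIXED


def assess_banner(banner: str) -> Optional[bool]:
    """None when the banner is not OpenSSH; otherwise whether the version range is affected.

    A True result is only a prompt to check the installed package: distros backport
    the fix without changing the upstream version in the banner.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return None
    return version_in_regresshion_range(v)


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification string (RFC 4253, section 4.2). Network use only;
    point it at hosts you are authorized to scan."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return data.decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        result = assess_banner(banner)
        assert result == expected, (banner, result, expected)
        print(f"{banner:45} -> {result}")
```

Run it as-is to exercise the constructed banners; to triage real hosts, feed `grab_banner(host)` into `assess_banner` and then confirm any hit against the distribution's package changelog, since the banner alone cannot see a backported fix.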
Aussie Arrested Over Evil Twin WiFi Attacks at Airports
A 42-year-old man from Western Australia was charged for conducting an ‘evil twin’ WiFi attack on domestic flights and airports in Perth, Melbourne, and Adelaide.
Top 4 takeaways:
🛜 The investigation began in April 2024 after an airline employee reported a suspicious WiFi network. The man’s devices were seized and analyzed, revealing dozens of personal credentials.
🥸 The man allegedly used a portable wireless device to create ‘evil twin’ WiFi networks, tricking users into entering their email or social media logins on fake web pages.
👨‍⚖️ The man faces multiple charges, including unauthorized impairment of electronic communication and possession of data with intent to commit a serious offense.
🛡️ The AFP advises caution when using public WiFi, recommending using VPNs, disabling file sharing, and changing device settings to ‘forget network’ after use.
Vulnerabilities in CocoaPods Lead to iOS and macOS Supply Chain Attack
Three security vulnerabilities in the CocoaPods dependency manager could allow attackers to claim ownership of unclaimed pods and insert malicious code into popular iOS and macOS applications.
Top 4 takeaways:
🪲 The issues are CVE-2024-38368 (CVSS score: 9.3), which let anyone claim orphaned pods whose ownership had never been re-verified; CVE-2024-38366 (CVSS score: 10.0), a remote code execution flaw in the Trunk server's email verification flow; and CVE-2024-38367 (CVSS score: 8.2), which let an attacker steal session tokens by manipulating the verification link sent by email.
🔥 These flaws could lead to severe supply chain attacks, compromising the security of downstream customers and impacting thousands to millions of apps, including those from major companies like Google, Amazon, and Microsoft.
📅 CocoaPods has patched these vulnerabilities as of October 2023 and reset all user sessions in response to the disclosures.
🛡️ Developers are advised to review dependencies, validate checksums, perform scans, and avoid using unmaintained packages to mitigate risks.
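"Review dependencies and validate checksums" is easy to say and rarely automated, so here is an added example (written for this newsletter, not CocoaPods tooling) that parses the SPEC CHECKSUMS section of a Podfile.lock and diffs it against a team-maintained pin file. The lock file excerpt and every digest in it are constructed for the example. Caveat: a CocoaPods spec checksum covers the podspec, not the downloaded source, so this catches a hijacked pod whose podspec was republished with a new source URL or version, but not a tampered archive served behind an unchanged podspec.

```python
from typing import Dict, List

# Constructed Podfile.lock excerpt; pod names are real projects but every
# checksum below is made up for this example.
PODFILE_LOCK = """\
PODS:
  - Alamofire (5.9.1)
  - SwiftyJSON (5.0.1)
  - ExamplePod (1.2.0)

DEPENDENCIES:
  - Alamofire (~> 5.9)
  - SwiftyJSON
  - ExamplePod

SPEC CHECKSUMS:
  Alamofire: 1111111111111111111111111111111111111111
  SwiftyJSON: 2222222222222222222222222222222222222222
  ExamplePod: 3333333333333333333333333333333333333333

PODFILE CHECKSUM: 4444444444444444444444444444444444444444

COCOAPODS: 1.15.2
"""

# Checksums the team reviewed and pinned at a previous audit (constructed values).
# SwiftyJSON's podspec digest deliberately differs from the lock file above.
PINNED: Dict[str, str] = {
    "Alamofire": "1111111111111111111111111111111111111111",
    "SwiftyJSON": "9999999999999999999999999999999999999999",
}


def parse_spec_checksums(lock_text: str) -> Dict[str, str]:
    """Return {pod_name: podspec_sha1} from the SPEC CHECKSUMS section.

    The section is a YAML-style mapping indented by two spaces; it ends at the
    first line that is not indented (a blank line or the next top-level key).
    """
    checksums: Dict[str, str] = {}
    in_section = False
    for line in lock_text.splitlines():
        if line.startswith("SPEC CHECKSUMS:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.startswith("  "):
            break
        name, _, digest = line.strip().partition(": ")
        if name and digest:
            checksums[name] = digest
    return checksums


def audit(lock_text: str, pinned: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every pod in the lock file against the pinned set.

    changed : pinned pods whose podspec checksum moved since the last review
    unpinned: pods present in the lock file that nobody has reviewed yet
    missing : pinned pods that silently disappeared from the lock file
    """
    found = parse_spec_checksums(lock_text)
    return {
        "changed": sorted(n for n in found if n in pinned and found[n] != pinned[n]),
        "unpinned": sorted(n for n in found if n not in pinned),
        "missing": sorted(n for n in pinned if n not in found),
    }


def has_findings(report: Dict[str, List[str]]) -> bool:
    """True when any category is non-empty, i.e. the build should fail for review."""
    return any(report.values())


if __name__ == "__main__":
    report = audit(PODFILE_LOCK, PINNED)
    for category, pods in report.items():
        print(f"{category:9}: {', '.join(pods) or '-'}")
    raise SystemExit(1 if has_findings(report) else 0)
```

Wire `audit` into CI against the committed Podfile.lock and fail the build on any finding; a "changed" entry for a pod whose version did not move is exactly the signal that a podspec was republished under the same name, which is how an ownership takeover of an orphaned pod would show up.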
Google Offers $250,000 for KVM Zero-Day Vulnerabilities
Google has launched a new vulnerability reward program, kvmCTF, offering up to $250,000 for full VM escape exploits in the Kernel-based Virtual Machine (KVM) hypervisor.
Top 4 takeaways:
💸 The program includes various reward tiers ranging from $10,000 for relative memory read to $250,000 for full VM escape.
⌚ Participants can reserve time slots to access a guest VM and attempt guest-to-host attacks to exploit zero-day vulnerabilities.
ℹ️ kvmCTF targets zero-day vulnerabilities and does not reward exploits for known vulnerabilities.
🌐 The program is hosted on Google's Bare Metal Solution (BMS), so participants attack a real host kernel on dedicated hardware rather than a nested virtualization setup.
Infostealer Malware Unmasks Child Predators
Thousands of individuals involved in downloading and sharing child sexual abuse material (CSAM) were identified through information-stealing malware logs leaked on the dark web.
Top 3 takeaways:
🪲 Infostealer malware steals sensitive information like login credentials and payment data, and is often distributed through phishing and fake software updates.
🪪 Recorded Future's Insikt Group mined leaked malware logs for credentials used on known CSAM portals, identified 3,324 unique accounts, and linked them to the same users' legitimate online accounts captured in the same logs.
👮 The gathered information has been shared with law enforcement to unmask and arrest these individuals.
Top Tips of the Week
Threat Intelligence
- Conduct threat intelligence training sessions. Equip your team with the skills and knowledge needed for effective intelligence analysis.
- Collaborate with threat hunters. Share insights and enhance collective abilities to detect and respond to threats.
- Implement CTI metrics for performance measurement. Track the impact of threat intelligence on security outcomes.
- Share threat intelligence with law enforcement. Collaboration strengthens efforts to combat cybercrime and protect against malicious actors.
Threat Hunting
- Foster a culture of continuous improvement in cyber threat hunting. Regularly assess and enhance your processes for optimal effectiveness.
- Encourage diversity in threat hunting teams. Different perspectives enhance problem-solving and threat identification.
Custom Tooling
- Consider cross-platform compatibility in custom tool development. Ensure your tools work seamlessly across different environments.
Feature Article
Data collection is integral to cyber threat intelligence, making your threat intelligence collection sources one of your program’s most important components. Failure to have strong intelligence collection sources will cloud your visibility of threats and prevent you from generating accurate intelligence that bolsters your organization’s cyber defenses.
This guide will teach you what intelligence collection sources are by breaking down the differences between closed and open, technical and human, and internal and external sources. It will then showcase what you can use as a collection source and the potential benefits and drawbacks.
It is vital that you define your intelligence collection sources and streamline the collection process so you and your team can effectively collect, analyze, and disseminate actionable intelligence. Let’s get started learning how!
Learning Resources
Why You Need Cyber Deception
This awesome presentation by the great and powerful John Strand discusses the importance of cyber deception in security programs, counters common misconceptions, and demonstrates practical tools and techniques to implement deception effectively.
I highly recommend watching it if you’re interested in cyber threat intelligence!
New Notetaking App for Linux Users
Jay from Learn Linux TV reviews a new notetaking app for Linux users. He shares his experiences with the app and explains why it might be ideal for those who want a customizable open-source, multi-platform app that can be self-hosted.
Worth a watch if you’re looking for a new notetaking app!
How to Find Time for Side Projects Without Getting Burned Out
I find managing multiple projects at once challenging. If you’re the same, I highly recommend watching this excellent video from Steve Winn.
He shares his experience and strategies for managing multiple successful side projects without burning out, emphasizing the importance of strategy, investment, optimizing daily energy levels, and efficiency.
Discover the Power of Shodan
Shodan is a search engine for internet-connected devices. In this demo, Gary Ruddell showcases how to use it to find various devices and services exposed on the internet and discusses the possible ramifications.
He also highlights Shodan’s query language, how to search for specific software, and how you can use the platform to monitor your external attack surface. This is a must-watch for those interested in cyber threat intelligence.
Personal Notes
🤔 This week has been another heavy time investment into our YouTube channel. We have been focused on bringing our Threat Intelligence with MISP series to life with new updates and dynamic video content that makes it easier for you to get up and running with the platform.
The MISP series is just the first of our pre-existing series, which we want to revitalize and transform into video content. Eventually, we want to make all our articles into videos so you can choose how you consume our content. If there is any series or articles you want us to prioritize, please reach out!