Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Russian-speaking Groups Dominate Ransomware Scene
TRM Labs, a blockchain intelligence and analytics firm specializing in crypto-assisted money laundering and financial crime, reveals that Russian-speaking threat actors play an outsized role in crypto-enabled cybercrime.
Top 5 takeaways:
💸 Russian-speaking threat actors play a significant role in various types of crypto-enabled cybercrime, including ransomware, darknet drug sales, and illicit crypto exchanges. They accounted for at least 69% of all crypto proceeds linked to ransomware in the past year, exceeding $500 million.
🪖 Many of these actors operate from Russia or have connections to the Kremlin, with some using crypto to acquire foreign equipment for the Russian war effort.
😈 Major ransomware groups like LockBit, Black Basta, ALPHV/BlackCat, Cl0p, PLAY, and Akira were run by Russian-speaking actors.
🌍 Russia-based Garantex handled 82% of cryptocurrency managed by sanctioned entities worldwide, often linked to military equipment purchases for Russia.
🥷 North Korea led in stealing cryptocurrency through exploits and breaches, with over $1 billion stolen in 2023.
Proofpoint Email Protection Exploited in “EchoSpoofing” Attack
A massive phishing campaign called “EchoSpoofing” exploited weak permissions in Proofpoint’s email protection service to send millions of spoofed emails impersonating major brands.
Top 4 takeaways:
✉️ Attackers used compromised Microsoft Office 365 accounts and Virtual Private Servers to relay emails through Proofpoint’s servers. Because those servers are authorized in the impersonated brands’ SPF records and sign outbound mail with the brands’ DKIM keys, the spoofed messages passed SPF and DKIM checks and appeared legitimate.
😈 Guardio Labs discovered a critical exploit in Proofpoint’s email protection service, allowing threat actors to send millions of spoofed phishing emails from well-known companies.
🩹 Proofpoint introduced new configuration options and header-based checks that let customers verify which sources are allowed to relay mail through their instance, closing the gap.
📅 The campaign, active since January 2024, sent up to 14 million spoofed emails daily, targeting major brands like Disney, IBM, and Coca-Cola.
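The root cause above is a relay that trusts “came from Microsoft 365” as sufficient, without checking which tenant the mail came from. The added example below, which is not Proofpoint’s code or Guardio’s, models that weak acceptance policy beside a hardened one. It assumes the relay can identify a Microsoft 365 hop from the nearest Received header and that it can read the tenant from the X-OriginatorOrg header Exchange Online stamps on outbound mail; the sample messages and the tenant allowlist are constructed for illustration.

```python
"""Weak vs. hardened relay-acceptance policy (added example, not Proofpoint code)."""
import re
from email import message_from_string
from email.message import Message

# Microsoft 365 tenants this relay is configured to relay for. Constructed allowlist.
ALLOWED_TENANTS = {"brand-example.onmicrosoft.com"}

# Hostname pattern of Microsoft 365 outbound mail hosts (assumption: the relay
# identifies the upstream hop by this suffix in the nearest Received header).
MS365_HOP = re.compile(r"\.outbound\.protection\.outlook\.com", re.IGNORECASE)


def came_from_microsoft_365(msg: Message) -> bool:
    """True if the nearest upstream hop (first Received header) is a Microsoft 365 host."""
    received = msg.get_all("Received") or []
    return bool(received) and MS365_HOP.search(received[0]) is not None


def weak_policy(msg: Message) -> bool:
    """Weak policy: relay anything that arrives from Microsoft 365.

    Any tenant, including an attacker-controlled one, is accepted; the relay
    then signs with the customer's DKIM key, so SPF/DKIM/DMARC all pass.
    """
    return came_from_microsoft_365(msg)


def hardened_policy(msg: Message, allowed: set[str] = ALLOWED_TENANTS) -> bool:
    """Hardened policy: the hop must be Microsoft 365 AND the sending tenant must be allowlisted.

    X-OriginatorOrg is set by Exchange Online on outbound mail (assumption made here:
    the relay only reads it when the hop check already passed, so an arbitrary VPS
    cannot satisfy the policy just by adding the header itself).
    """
    if not came_from_microsoft_365(msg):
        return False
    tenant = (msg.get("X-OriginatorOrg") or "").strip().lower()
    return tenant in {t.lower() for t in allowed}


def evaluate(raw: str) -> dict:
    """Run both policies over one raw RFC 5322 message; returns the two verdicts."""
    msg = message_from_string(raw)
    return {"weak": weak_policy(msg), "hardened": hardened_policy(msg)}


# Constructed sample messages (hostnames, addresses and dates are illustrative).
LEGIT_RAW = (
    "Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.100)"
    " by relay.example.net with ESMTPS; Mon, 29 Jul 2024 10:00:00 +0000\r\n"
    "X-OriginatorOrg: brand-example.onmicrosoft.com\r\n"
    "From: Brand Support <support@brand.example>\r\n"
    "To: customer@example.org\r\n"
    "Subject: Your statement is ready\r\n\r\n"
    "Legitimate customer mail.\r\n"
)

SPOOF_VIA_ATTACKER_TENANT_RAW = (
    "Received: from EUR05-DB8-obe.outbound.protection.outlook.com (40.107.20.50)"
    " by relay.example.net with ESMTPS; Mon, 29 Jul 2024 10:05:00 +0000\r\n"
    "X-OriginatorOrg: attacker-tenant.onmicrosoft.com\r\n"
    "From: Brand Support <support@brand.example>\r\n"
    "To: victim@example.org\r\n"
    "Subject: Urgent: verify your account\r\n\r\n"
    "Phishing lure relayed through an attacker-controlled tenant.\r\n"
)

DIRECT_FROM_VPS_RAW = (
    "Received: from vps-203-0-113-7.example-hosting.net (203.0.113.7)"
    " by relay.example.net with ESMTP; Mon, 29 Jul 2024 10:07:00 +0000\r\n"
    "X-OriginatorOrg: brand-example.onmicrosoft.com\r\n"
    "From: Brand Support <support@brand.example>\r\n"
    "To: victim@example.org\r\n"
    "Subject: Urgent: verify your account\r\n\r\n"
    "Forged header, no Microsoft 365 hop.\r\n"
)


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_RAW),
                      ("spoof via attacker tenant", SPOOF_VIA_ATTACKER_TENANT_RAW),
                      ("direct from VPS", DIRECT_FROM_VPS_RAW)]:
        print(f"{name:28s} -> {evaluate(raw)}")
```

The weak policy relays both the legitimate mail and the spoof, which is the EchoSpoofing condition; the hardened policy relays only the allowlisted tenant. The forged-header case shows why the tenant check must sit behind the hop check rather than replace it: a header is just text until the relay has established which infrastructure actually delivered the message.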
Dark Angels Bag Record Breaking Ransomware Payout of $75 Million
A Fortune 50 company paid $75 million to the Dark Angels ransomware gang, the highest known ransom payment.
Top 4 takeaways:
🎯 The gang uses a “Big Game Hunting” strategy, targeting high-value companies for massive payouts.
🪲 Initially using Windows and VMware ESXi encryptors, Dark Angels now employs a Linux encryptor.
🌐 They operate a site called ‘Dunghill Leaks’ to extort victims by threatening to leak stolen data.
💸 The largest known ransom payment was previously $40 million, which insurance giant CNA paid after suffering an Evil Corp ransomware attack.
Microsoft Azure Hit by Massive DDoS Attack
A nine-hour outage on Tuesday was caused by a Distributed Denial-of-Service (DDoS) attack, affecting multiple Microsoft 365 and Azure services.
Top 4 takeaways:
⚡ Microsoft confirmed in a mitigation statement that the root cause behind Tuesday’s outage was a DDoS attack, although it has yet to link it to a specific threat actor.
🌐 Services impacted included Microsoft Entra, Microsoft 365, Microsoft Purview, and various Azure services.
🛡️ Microsoft’s DDoS protection mechanisms initially amplified the attack’s impact. Networking configuration changes and failovers were implemented to mitigate the issue.
📅 Microsoft plans to release a Preliminary Post-Incident Review within 72 hours and a Final Post-Incident Review within two weeks.
Mass SMS Stealer Campaign Targets Android Devices in 110+ Countries
A global campaign targets Android devices using Telegram bots to distribute SMS-stealing malware and steal OTPs for over 600 services.
Top 6 takeaways:
🪲 A large-scale, Android-targeted SMS stealer campaign has been active since February 2022, with over 107,000 malware samples identified.
😈 Attackers use malicious advertisements and Telegram bots to trick users into downloading malware disguised as legitimate applications.
⚡ The malware uses various methods to establish command and control (C&C) channels, including Firebase and GitHub repositories.
💸 The campaign has a financial component, with stolen data being used for fraudulent activities and sold on platforms accepting cryptocurrency.
🌍 Victims, mainly in India and Russia, face unauthorized charges and potential legal implications due to the misuse of their devices.
🛡️ Avoid installing APKs from outside Google Play, do not grant risky permissions such as SMS access to apps that have no need for them, and make sure Play Protect is enabled on your device.
Top Tips of the Week
Threat Intelligence
- Conduct threat intelligence awareness sessions. Ensure that all team members understand the value and application of threat intel.
- Integrate threat intelligence into threat detection tools. Enhance the capabilities of your detection systems for more accurate alerts.
- Stay informed about APT groups. CTI helps identify and counter advanced persistent threats effectively.
- Automate the collection and analysis of threat data. Speed up response times and stay ahead of emerging threats.
Threat Hunting
- Validate threat intelligence in cyber threat hunting. Ensure accuracy and relevance for informed cybersecurity decisions.
Custom Tooling
- Use agile development methodologies for custom tools. Iterate quickly, respond to feedback, and adapt to evolving requirements.
- Collaborate with threat intelligence teams for custom tool development. Incorporate real-time threat data to enhance detection capabilities.
Feature Article
Analyzing cyber threat intelligence can be hard. You are often overwhelmed with data, drowned in overlapping connections, and unclear where to start or when to finish your analysis. To help guide their analysts through the maze, intelligence organizations across the globe use the intelligence lifecycle.
The intelligence lifecycle is a structured approach to collecting, analyzing, and distributing intelligence. It acts as a template that analysts can follow to produce or consume intelligence. The cyber security industry has adapted this lifecycle to suit its needs by creating the cyber threat intelligence (CTI) lifecycle. 
This article is your essential guide to the CTI lifecycle. You will learn about its six stages, how this model is used in the real world, and how you can get the most out of it. Let’s jump in!
Learning Resources
How to Use AI for Social Engineering Hacking (2024 Guide)
This guide will teach you how to use AI for social engineering. You will learn how this revolutionary technology can transform your old and stale phishing emails into comprehensive social engineering engagements that can convince even the most security-conscious targets. All with minimal effort or time on your part!
Social engineering tests the human element of security. You build an emotive pretext, deliver it to an unsuspecting victim, and trick them into doing your bidding. AI has propelled social engineering to new heights. It makes building complex social engineering campaigns easier, faster, and more effective with its ability to generate text, media, and voice that mimics a real human.
Elevate Your Cyber Threat Intelligence Skills for Free
MITRE has awesome free training that covers what the MITRE ATT&CK framework is and how you can use it for threat intelligence. The material is delivered in video lectures you can easily follow along with and even includes exercises for you to practice your new skills.
Understanding Sysmon & Threat Hunting
Dive into the world of threat hunting using data collected via Sysmon. This excellent interview from Lawrence Systems discusses threat hunting, detection engineering, incident response, and how Sysmon can make a huge difference! It also demonstrates practical examples of using Sysmon to catch intrusion attempts.
Personal Notes
🤔 Another week and another video recorded and edited! The transformation of written content to video content was in full force this week at Kraven as we continued to update and refine our MISP series. For anyone who hasn’t edited video before, it takes a long time, no matter what fancy AI technology you use!
We also brainstormed other ways to help those looking to make the most of cyber threat intelligence and continue to deliver value to the community. Popular ideas included a 5-day email kickstart guide, a podcast, and templates that will give you a jumpstart on creating your own CTI processes. Hopefully, we can start implementing some of these excellent ideas soon.
As always, have a fantastic weekend, enjoy the outdoors, and keep on learning!