Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
New Banshee Stealer Malware Targets macOS Systems
A new malware is targeting Apple macOS systems to steal system information, browser data, and cryptocurrency wallets from over 100 browser extensions.
Top 3 takeaways:
🪲 Banshee Stealer gathers system info, browser data, and cryptocurrency wallet details, saving them in specific directories before sending them to a remote server.
🥷 The malware uses anti-analysis and anti-debugging techniques to evade detection, including avoiding systems where Russian is the primary language, using C++ symbols, calling the sysctl API to detect debuggers, and calling system_profiler to detect virtualization.
🔑 It also leverages osascript to display fake password prompts for privilege escalation.
New Mad Liberator Ransomware Group Uses Fake Windows Update Screen to Evade Detection
A new data extortion group targeting AnyDesk users uses a fake Windows update screen to distract victims while stealing data.
Top 5 takeaways:
😈 Mad Liberator is a new ransomware group that focuses on data exfiltration, using social engineering tactics and occasionally double extortion.
🥸 The group initiates an unsolicited AnyDesk connection, displays a fake Windows update screen, and uses AnyDesk’s File Transfer tool to exfiltrate data. The fake update screen hides the group’s activities and disables user input to prevent detection.
💸 They then contact breached firms, offering to help fix security issues for a ransom. They publish the victim’s name and stolen data on their site if ignored.
📝 Unlike typical ransomware, Mad Liberator does not encrypt data but leaves ransom notes in shared directories.
🛡️ Companies are advised to provide proper staff training around social engineering and to use AnyDesk Access Control Lists to restrict connections.
New Hacking Tool Leverages Cloud APIs for Bulk SMS Phishing
Malicious actors are using a tool named Xeon Sender to conduct large-scale SMS phishing and spam campaigns by abusing legitimate cloud services.
Top 4 takeaways:
💬 The tool uses APIs from services like Amazon SNS, Twilio, and others to send bulk SMS messages.
👨‍💻 Xeon Sender is distributed via Telegram and hacking forums, making it accessible to lower-skilled actors. It has multiple versions, often credited to different actors, with no significant differences between them.
🐍 The tool’s use of provider-specific Python libraries makes it difficult for security teams to detect abuse.
🛡️ Organizations should monitor SMS sending permissions and changes to distribution lists to defend against such tools.
Cloud Extortion Campaign Exploits Misconfigured AWS .Env Files
A sophisticated campaign exploited misconfigured AWS .env files to target 110,000 domains, stealing credentials and ransoming cloud storage data.
Top 3 takeaways:
⚡️ The attackers used automation, VPS endpoints, the Tor network, and VPNs for reconnaissance, initial access, and data exfiltration.
❌ The campaign highlighted common security failures, including exposed environment variables, use of long-lived credentials, and lack of least privilege architecture.
🛡️ Recommendations include not committing .env files to version control, using environment variables directly, limiting access, conducting regular audits, and using secrets management tools.
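As an added example (not code from the reporting above), the following Python check audits a project tree for the two failures named in this story: .env files that are not covered by .gitignore, and long-lived IAM access keys (AKIA-prefixed IDs) or plaintext secret keys stored inside them. The sample project it builds is constructed and the key value is fake.

```python
import re
import tempfile
from pathlib import Path

# Long-lived IAM user access key IDs start with "AKIA" (temporary STS keys
# start with "ASIA"); the 16-character suffix is AWS's documented ID format.
LONG_LIVED_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_VARS = {"AWS_SECRET_ACCESS_KEY"}
IGNORE_PATTERNS = {".env", "*.env", ".env*", "/.env"}  # simple exact match

def gitignore_covers_env(root: Path) -> bool:
    """True if the repo's .gitignore contains a pattern that ignores .env files."""
    gitignore = root / ".gitignore"
    if not gitignore.is_file():
        return False
    patterns = {line.strip() for line in gitignore.read_text().splitlines()}
    return bool(patterns & IGNORE_PATTERNS)

def scan_env_file(path: Path) -> list[str]:
    """Flag long-lived access keys and plaintext secrets in one .env file."""
    findings = []
    for lineno, line in enumerate(path.read_text().splitlines(), 1):
        key, _, value = (part.strip() for part in line.partition("="))
        if LONG_LIVED_KEY.search(value):
            findings.append(f"{path.name}:{lineno}: long-lived AWS access key in {key}")
        if key in SECRET_VARS and value:
            findings.append(f"{path.name}:{lineno}: plaintext secret in {key}")
    return findings

def audit(root: Path) -> list[str]:
    """Audit a project tree for the two failures the campaign relied on."""
    findings = []
    env_files = [p for p in root.rglob(".env*") if p.is_file() and ".git" not in p.parts]
    if env_files and not gitignore_covers_env(root):
        findings.append(".env files present but not ignored by .gitignore")
    for env_file in env_files:
        findings.extend(scan_env_file(env_file))
    return findings

def demo() -> list[str]:
    """Constructed sample project: an un-ignored .env holding a fake key."""
    root = Path(tempfile.mkdtemp())
    (root / ".gitignore").write_text("node_modules/\n")  # no .env rule
    (root / ".env").write_text(
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"  # constructed, not a real key
        "AWS_SECRET_ACCESS_KEY=constructed-secret-value\n"
        "APP_ENV=production\n"
    )
    return audit(root)
```

Running `demo()` returns three findings for the constructed project; point `audit()` at a real checkout to use it as a pre-commit check.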
Man Hacks State Registry to Fake His Death
Jesse Kipf, a 39-year-old from Kentucky, hacked the Hawaii Death Registry System to fake his own death to avoid child support payments.
Top 4 takeaways:
⚡️ He used stolen credentials of a physician to create a false death certificate and accessed various networks to sell information on dark web markets.
🧑‍⚖️ Kipf was sentenced to 81 months in federal prison and must serve at least 69 months. He will also be under supervision for three years after release.
💸 The total damage from his actions, including unpaid child support, is estimated to be over $195,7502.
👮 The case was investigated by multiple agencies, including the FBI and the Attorney General’s Offices of Kentucky and Hawaii.
United States Attorney’s Office
Top Tips of the Week
Threat Intelligence
- Regularly update documentation for custom tools. Ensure that information is current, accessible, and supports ongoing development and maintenance.
Threat Hunting
- Conduct threat hunting simulations. Practice scenarios to improve skills and readiness for real-world threats.
- Develop a threat intelligence roadmap for your threat hunting program. A well-defined strategy guides efforts in integrating and optimizing processes.
- Develop threat hunting playbooks. Standardize procedures for consistent and effective threat detection and response.
Custom Tooling
- Implement access controls for custom tools. Restrict permissions to minimize the risk of misuse and unauthorized access.
- Implement logging and monitoring in custom tools. Gain insights into tool performance and detect anomalies or potential issues.
Feature Article
Do you know what defensive capabilities your organization has? Do you know what team is doing what to combat threats? Do you have a way of coordinating your defensive efforts? Let me introduce you to the Courses of Action (CoA) matrix.
This key strategic planning tool will allow you to assess your defensive capabilities, provide security teams with situational awareness, and enable you to coordinate defensive efforts. It provides a structured framework to help you organize your tactical and procedural responses to cyber threats.
Let’s dive in and explore!
Learning Resources
15 Actionable Writing Tips to Improve Your Communication Skills
Writing is a crucial skill for any cyber security professional. You must be able to clearly communicate information, ideas, and threats to your colleagues and the wider community.
This excellent video provides 15 actionable tips to improve your writing skills overnight. The tips cover various aspects of writing, from structuring sentences to enhancing reader engagement and overcoming writer’s block.
What Happened with Windows and IPv6 Last Week
A critical Windows vulnerability was uncovered last week. It impacted the Windows TCP/IP stack, allowed unauthenticated remote code execution via specially crafted IPv6 packets, and affected all supported versions of Windows and Windows Server.
In this comedic video, The Primeagen touches on the broader implications of such vulnerabilities and the importance of timely updates.
10 Python Functions to Make Your Life Easier
Python is an excellent language for learning programming, building small tools, and saving time with the power of automation. I recommend that everyone learn it!
This video introduces 10 Python functions that can simplify coding tasks, making them more efficient and readable. Each function is explained with practical examples to demonstrate its utility.
What is Docker?
If you don’t know what Docker is, you should learn it now!
This video provides a comprehensive introduction to Docker, covering installation, usage, and practical applications. It explains how Docker containers package applications and their dependencies, ensuring portability and consistency across different environments.
It also demonstrates running a web server and the game Doom in Docker containers, highlighting Docker’s efficiency and isolation capabilities.
Personal Notes
🤔 This week at Kraven has been focused on building templates for our clients and students to use. Templates are an incredibly valuable resource that allow you to quickly learn and adhere to best practices, build efficient processes, and ensure consistency.
We have been working on three templates this week. A cyber threat intelligence report template that allows you to share consistent and comprehensive intelligence assessments. An Intelligence Requirements template that you can use to formalize your organization’s intelligence requirements. Finally, a Collection Management Framework (CMF) template that can be used as a reference for your CTI and security operations teams during investigations.
I am excited to share these templates with you in the coming weeks and guarantee you will find them very useful!