Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Linux Malware Evades Detection for 2 Years
The sedexp malware has been evading detection since 2022 by using a unique persistence technique involving udev rules.
Top 4 takeaways:
🪲 It adds a udev rule to compromised systems, ensuring the malware runs frequently by targeting /dev/random, a critical system component.
🥷 The malware mimics legitimate processes and uses memory manipulation to hide its presence and inject malicious code.
💳 It has been used in financially motivated attacks, such as hiding credit card scraping code on compromised web servers.
🛡️ Organizations are advised to update detection capabilities and engage in thorough forensic analysis to mitigate such threats.
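As an added defensive example (not code from the article or from the researchers who analysed sedexp): a small Python scanner that parses udev rule lines and flags any rule that attaches a RUN command to /dev/random events, the persistence pattern described above. The major/minor pair 1,8 for /dev/random comes from standard Linux character-device numbering; the sample rule file, its path and the binary name are constructed for the example.

```python
import re

# Tokenizer for udev assignments/matches, e.g. KERNEL=="random", ENV{MAJOR}=="1", RUN+="/bin/x"
TOKEN_RE = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*([=!+:\-]=|=)\s*"([^"]*)"')
RANDOM_MAJOR_MINOR = ("1", "8")            # /dev/random under standard Linux device numbering
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # heuristic: odd places for a RUN target

def parse_rule(line):
    """Split one udev rule line into (key, attr, op, value) tuples; comments are ignored."""
    body = line.split("#", 1)[0].strip()
    return TOKEN_RE.findall(body) if body else []

def targets_dev_random(tokens):
    """True if the rule's match keys select /dev/random by kernel name, devname or major/minor."""
    matches = {(k, a): v for k, a, op, v in tokens if op == "=="}  # findall gives '' for no attr
    return (matches.get(("KERNEL", "")) == "random"
            or matches.get(("ENV", "DEVNAME")) == "/dev/random"
            or (matches.get(("ENV", "MAJOR")), matches.get(("ENV", "MINOR"))) == RANDOM_MAJOR_MINOR)

def run_commands(tokens):
    """Return the commands a rule executes via RUN+= or RUN= (the persistence hook)."""
    return [v for k, a, op, v in tokens if k == "RUN" and op in ("+=", "=")]

def scan_rules(text, path="<rules>"):
    """Return (path, lineno, commands, reasons) for rules worth a closer forensic look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = parse_rule(line)
        cmds = run_commands(tokens)
        if not cmds:
            continue
        reasons = []
        if targets_dev_random(tokens):
            reasons.append("RUN on /dev/random event")
        if any(any(d in c for d in WRITABLE_DIRS) or "/." in c for c in cmds):
            reasons.append("RUN target in world-writable or hidden path")
        if reasons:
            findings.append((path, lineno, cmds, reasons))
    return findings

# Constructed sample rule file (not a real capture): one benign line, one persistence-style line.
SAMPLE_RULES = """\
# benign: give a NIC a stable name
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"
# suspicious: run a hidden binary whenever the random device (major 1, minor 8) is added
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/usr/bin/nohup /tmp/.sysupdate -r"
"""

if __name__ == "__main__":
    for p, n, cmds, why in scan_rules(SAMPLE_RULES, "/etc/udev/rules.d/99-sample.rules"):
        print(f"{p}:{n}: {'; '.join(why)} -> {cmds}")
```

On a live host, feed the scanner the contents of each file under /etc/udev/rules.d and /lib/udev/rules.d and treat every finding as a lead for the forensic review the article recommends, not as proof of compromise.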
Telegram Founder Pavel Durov Arrested in France
Pavel Durov, founder and CEO of Telegram, was arrested in France due to content moderation failures on the platform.
Top 4 takeaways:
⚠️ Authorities are concerned about Telegram’s lack of moderation, which has allegedly turned it into a hub for criminal activities like drug trafficking, money laundering, and terrorism.
🧑‍⚖️ Telegram claims it complies with E.U. laws and argues that blaming the platform or its owner for misuse is unreasonable.
👮 This arrest aims to disrupt criminal activities on Telegram and pressure European countries to collaborate on security issues.
👥 Telegram has over 950 million monthly active users as of July 2024.
Microsoft Sway Targeted in QR Code Phishing Campaign
A new phishing campaign uses Microsoft Sway to host fake pages and steal credentials, targeting users in Asia and North America.
Top 4 takeaways:
📈 In July 2024, there was a 2,000-fold increase in phishing pages using Microsoft Sway, primarily targeting MS Office credentials through QR codes.
⚡️ The campaign employs QR codes and adversary-in-the-middle (AitM) phishing tactics to bypass security measures and harvest credentials. It also used transparent phishing and Cloudflare Turnstile to hide the phishing payloads from scanners.
🥷 QR codes embedded in images can evade email scanners, and mobile devices often have weaker security measures. Attackers are now using Unicode text characters to create QR codes, making detection even more difficult.
🛡️ Organizations should update security policies and be cautious of the new domain format for Microsoft Sway pages to avoid falling victim to these attacks.
PoorTry Windows Driver Evolves into EDR Wiper
The PoorTry kernel-mode Windows driver, used by ransomware gangs, has evolved from disabling Endpoint Detection and Response (EDR) solutions to wiping them, making restoration harder.
Top 5 takeaways:
🪲 PoorTry is a malicious kernel driver used to disable endpoint protection software, often in conjunction with ransomware attacks. It has evolved significantly over time.
😈 Attackers exploit gaps in Microsoft’s driver signing process, using stolen or leaked certificates to sign malicious drivers.
📈 This shift represents a more aggressive approach by ransomware actors, ensuring better outcomes in the encryption stage by leaving systems unprotected.
🥷 PoorTry uses advanced techniques like obfuscation, signature timestamp manipulation, and “certificate roulette” to evade detection.
😰 Despite efforts to track and stop PoorTry, its developers continue to adapt, posing significant challenges for defenders.
Iranian Hacking Group Backdoors Government Networks Using New Tickler Malware
The APT33 Iranian hacking group (Peach Sandstorm) has deployed new Tickler malware to backdoor networks in the government, defense, satellite, oil, and gas sectors in the US and UAE.
Top 4 takeaways:
📅 Between April and July 2024, Microsoft observed the Iranian state-sponsored group Peach Sandstorm deploying a new multi-stage backdoor named Tickler.
⚡️ They used password spray attacks and social engineering via LinkedIn to gain access. They then leveraged compromised Azure infrastructure for command-and-control operations.
🏭 The attacks targeted the satellite, communications, oil and gas, and government sectors in the US and UAE.
🔒 Microsoft will make multi-factor authentication (MFA) mandatory for all Azure sign-ins starting October 15 to enhance security.
Top Tips of the Week
Threat Intelligence
- Engage in threat intelligence forums. Participate in discussions to share insights and learn from others in the field.
- Use CTI in security architecture design. Develop robust architectures that align with threat intelligence for effective defenses.
- Use CTI to inform threat modeling efforts. Identify potential threats and vulnerabilities during the development phase for proactive security measures.
- Create a threat intelligence roadmap. Define objectives, processes, and milestones for a strategic and effective intelligence program.
Threat Hunting
- Implement threat intelligence in your cyber threat hunting workflow. Enhance detection capabilities with real-time threat data.
- Leverage threat intelligence when hunting in cloud environments. Adapt your strategies to the unique challenges of the cloud.
Custom Tooling
- Implement secure update mechanisms for custom tools. Ensure a secure and seamless process for deploying updates and patches.
Feature Article
A cyber threat intelligence report template allows you and your team to create structured, standardized, consistent intelligence reports for your organization. Templates save valuable time and effort by reducing the strain the dissemination of intelligence puts on your CTI team.
It is vital your CTI team has a standard template for sharing the intelligence you produce.
To help you, we have created a comprehensive cyber threat intelligence report template you can use today! It includes everything you need to effectively share intelligence with your organization and report a cyber threat. Feel free to customize it to suit your organization’s needs.
Learning Resources
Edit Video Faster
I always preach that content creation is the ultimate learning tool. Make a video about a topic and you will 10x your learning of said topic!
This video covers various tips and tricks for editing quickly in DaVinci Resolve so you can make more videos about the things you want to learn. It includes practical advice on using text, dynamic zooms, keyboard shortcuts, and staying organized with bins and smart bins.
Should You Trust Tech Influencers?
Tech and cyber security influencers are everywhere, but should you actually listen to what they say?
This video discusses the role and trustworthiness of tech influencers, particularly in the development community. It explores the concept of “celebrity developers,” their impact, and the potential benefits and drawbacks of their influence. You can easily draw parallels to cyber security influencers and the effect they have on the industry.
Pay What You Can Training is Back!
The legendary John Strand is back teaching Antisyphon’s Pay What You Can cyber security training. This time, he covers the core skills needed for working in a Security Operations Center (SOC).
These lectures emphasize practical skills over theoretical knowledge, focusing on essential areas like networking, operating systems, and incident response. The course is designed to be accessible, offering free virtual labs and resources to help learners practice and improve their skills.
Strong Passwords Matter!
This video discusses the importance of strong, unique passwords and the risks associated with password breaches.
The awesome Gary Ruddell demonstrates how to use a tool called Flare to check if passwords have been compromised. He also highlights the benefits of using password managers and multi-factor authentication for better security.
Personal Notes
🤔 Templates, templates, templates! This week has been another one for building templates to help you kickstart your cyber threat intelligence (CTI) processes.
On Monday, we released our CTI Report Template. This includes everything you need to effectively share intelligence with your organization and report a cyber threat. We made this available as a Word Document (so you can start using it immediately) and as a PDF (so you can see what the finished intelligence product could look like). If you haven’t already, check it out, customize it, and tailor it to your organization’s needs!
This week, we built templates for your organization’s Intelligence Requirements document and the CTI team’s Collection Management Framework. These are two key pillars of all successful CTI programs, so having a template that comprehensively covers everything that should be in them is very valuable.
We hope to share each template with you in the coming weeks!