Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
GitHub Comments Used to Spread Info-Stealer Malware
GitHub is being abused to distribute the Lumma Stealer malware through fake fixes posted in project comments.
Top 3 takeaways:
🪲 Lumma Stealer targets cookies, credentials, passwords, credit cards, browsing history, and cryptocurrency wallets.
🥸 Users are tricked into downloading a password-protected archive containing the malware.
🔒 GitHub staff are actively deleting these comments, but some users have already fallen victim. Affected users should change their passwords and migrate cryptocurrency to new wallets.
New Voldemort Malware Uses Google Sheets for C2
A new malware named “Voldemort” is spreading globally, targeting organizations by impersonating tax agencies.
Top 5 takeaways:
⚡️ The campaign uses a mix of common and uncommon techniques, including Google Sheets for command and control (C2), and targets various sectors, with a focus on insurance companies.
📧 Attackers craft phishing emails to match the targeted organization’s location, leading victims to malicious links.
🪲 Voldemort is a custom backdoor capable of information gathering and dropping additional payloads, with observed use of Cobalt Strike.
🥷 The campaign appears to be more aligned with espionage rather than financial gain, despite some characteristics typical of cybercriminal activity.
🛡️ Organizations are advised to limit access to external file-sharing services, block unnecessary connections to TryCloudflare, and monitor for suspicious PowerShell execution.
Admins of MFA Bypass Service Convicted for Fraud
Three men admitted to running OTP.Agency, a platform that helped criminals obtain one-time passcodes (OTPs) to bypass multi-factor authentication and access victims’ bank accounts.
Top 4 takeaways:
😈 The three men ran a website, www.OTP.Agency, enabling criminals to bypass banking anti-fraud checks by socially engineering bank account holders.
💸 The service targeted over 12,500 people and offered subscriptions ranging from £30 to £380, promising access to OTPs for over 30 online services. The group potentially made up to £7.9 million from their illegal activities.
👮 The National Crime Agency investigated and arrested the trio, who targeted over 12,500 people between 2019 and 2021. All three men pleaded guilty and will be sentenced in November 2024.
🧑‍⚖️ The trio faces charges of conspiracy to commit fraud and money laundering, with potential prison sentences of up to 14 years. Sentencing is scheduled for November 2.
New Eucleak Attack Lets Attackers Clone YubiKey FIDO Keys
A new vulnerability in FIDO devices using the Infineon SLE78 microcontroller allows attackers to extract ECDSA secret keys and clone the device.
Top 4 takeaways:
⚡️ The attack requires extended physical access, specialized equipment, and advanced knowledge of electronics and cryptography, limiting its risk to general users.
🔑 YubiKey 5 Series, YubiKey Bio Series, Security Key Series, and YubiHSM 2 are among the impacted devices. These microcontrollers are used to generate/store secrets and perform cryptographic operations, and they are considered highly secure.
🛡️ Users are advised to use RSA signing keys instead of ECC signing keys and limit session durations to reduce risk.
🩹 New YubiKey firmware and Infineon patches address the vulnerability, but the patches are not yet Common Criteria certified.
US Targets Disinformation Campaigns Ahead of 2024 Election
The FBI seized 32 web domains used by the Doppelgänger network, linked to Russian influence operations targeting the U.S. presidential election.
Top 4 takeaways:
😈 Doppelgänger spread Russian propaganda to promote pro-Russian policies, reduce support for Ukraine, and influence elections in multiple countries.
👮 Russian nationals and RT executives were indicted, and sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC), for orchestrating a $10 million disinformation scheme.
🧠 Russian state-sponsored actors used tools like AI deep fakes and disinformation to undermine U.S. election processes.
🛡️ The FBI assured that disruptive activities targeting voting infrastructure will not impact the integrity of the 2024 U.S. general election. Actions include sanctions, visa restrictions, and rewards for information on foreign interference.
Top Tips of the Week
Threat Intelligence
- Integrate CTI into threat intelligence sharing platforms. Facilitate seamless sharing and dissemination of threat intelligence within and beyond the organization.
- Consider the dark web in CTI research. Monitor underground forums for insights into potential threats.
Threat Hunting
- Foster threat hunting skills in-house. Develop a culture of continuous learning to adapt to the evolving threat landscape.
- Conduct cyber threat intelligence exercises. Simulate scenarios to test readiness and identify areas for improvement.
- Develop hypotheses for threat hunting. Form educated guesses about potential threats and use them as guides.
- Educate your team on cyber threat hunting techniques. A knowledgeable team is your first line of defense. Train regularly for threat awareness.
Custom Tooling
- Optimize custom tools for performance across different devices. Ensure compatibility and optimal user experience on various platforms.
Feature Article
Threat modeling is a key component of any successful cyber security program. It allows you to identify and assess your organization’s threats, what risks to prioritize, and mitigation strategies that will significantly improve your security posture.
This guide will teach you what threat modeling is, why it is important, and five methodologies and techniques you can use to elevate your threat modeling skills. It will also walk you through how to start with threat modeling by demonstrating the methods described in a case study. The article wraps up with practical recommendations for applying threat modeling in the real world.
Let’s get started exploring this cornerstone of effective cyber threat intelligence and cyber security programs!
Learning Resources
Master the Power of grep
Learn about the powerful Linux command line pattern matching tool grep. This quick guide will show you the basics of grep, popular use cases, and how to make the most of this epic core utility.
Interested in the Cloud? Don’t Fall into These Traps
In this video, the legendary faceless YouTube creator Fireship walks you through how big cloud providers like AWS, Microsoft Azure, and Google Cloud operate from a business perspective. Then, he reveals how you can optimize your cloud computing costs and avoid vendor lock-in.
Discover a Better Way to Navigate the Terminal
A new directory navigation tool is out, and it is awesome! Check out this quick guide on zoxide, a “smarter cd command, inspired by z and autojump.” If you love using the Linux terminal, then this is a must-watch.
Personal Notes
🤔 This week, we have focused on refreshing our website to help clarify our services to potential clients. We have brought our product menu, copy, and pricing to the forefront of our website (rather than hidden away in a discovery call) so it’s easier for prospects to see if we are the right fit. This provides clients with the information they need upfront and saves us time by better qualifying clients before they book a discovery call.
The redesign also allows us to showcase the ways we have helped clients in the past that go beyond one-on-one coaching. This includes generating intelligence requirements, running CTI workshops that cover topics like reporting and threat modeling, and more!
We love sharing our expertise with anyone looking to unlock the power of CTI, be it through free learning resources or paid services.