Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Vulnerabilities in Automatic Tank Gauge Expose Gas Stations to Remote Attacks
Critical flaws have been identified in six Automatic Tank Gauge (ATG) systems used in gas stations to monitor fuel levels, which can expose them to remote cyberattacks.
Top 4 takeaways:
⚡️ The flaws include command injection, authentication bypass, and SQL injection vulnerabilities. If exploited, they could give an attacker unauthorized control of fuel systems, posing risks of theft, environmental damage, and even attacks on national infrastructure.
🛜 The affected systems, from manufacturers like Maglink and OPW, are often exposed to the internet, increasing the risk of disruptive attacks on critical infrastructure.
👨‍💻 Some vulnerabilities allow attackers full system access, posing significant security threats.
🛡️ Organizations using ATG systems must prioritize cybersecurity measures, such as applying security patches, segmenting networks, and monitoring systems to mitigate potential threats.
Rhadamanthys Malware Adds AI-Powered OCR to Target Crypto Wallets
The Rhadamanthys stealer malware has evolved with AI-powered optical character recognition (OCR), enabling it to extract cryptocurrency wallet seed phrases from images.
Top 4 takeaways:
🪲 The latest version, 0.7.0, includes improvements in execution stability and additional features like wallet-cracking algorithms and advanced text extraction.
🤖 OCR allows the malware to extract cryptocurrency wallet seed phrases from images, significantly increasing its threat level. The malware also uses evasion techniques, such as MSI installer disguise, to bypass detection.
⚡️ The malware is part of a malware-as-a-service model and remains a potent threat despite bans from underground forums.
🎯 It targets cryptocurrency wallets and credentials, using innovative evasion techniques to bypass detection.
New Cryptojacking Campaign Leverages Docker Swarm to Mine at Scale
A new cryptojacking campaign is targeting Docker API endpoints to deploy cryptocurrency miners and build a malicious Docker Swarm botnet.
Top 6 takeaways:
⚡️ Threat actors are targeting misconfigurations in containerized environments like Kubernetes and Docker, taking advantage of exposed APIs, open ports, and vulnerable authentication mechanisms.
🐋 Attackers exploit unauthenticated Docker APIs, using containers to execute scripts that enable lateral movement across Docker, Kubernetes, and SSH hosts.
🥷 Once inside, they deploy malicious containers or workloads that run cryptomining operations. They hide these mining processes using the libprocesshider rootkit and install persistent backdoors.
⛏️ These operations typically mine Monero (XMR), a cryptocurrency popular with attackers because its privacy features make tracing difficult.
😈 The campaign’s tactics align with known behaviors of TeamTNT, a threat group focused on cloud-based cryptojacking.
🛡️ Organizations are advised to secure their cluster environments through techniques such as monitoring, controlling API access, enforcing least privilege, and using container security fundamentals like isolation, namespaces, and seccomp.
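The takeaways above name the conditions this campaign depends on (an unauthenticated Docker API reachable over the network, containers running without the isolation that namespaces and seccomp provide). The script below is an added example, not code from the newsletter or from Docker, showing how a defender can audit a host for those conditions. It reads a daemon.json-style document and a list of container records shaped like `docker inspect` output; the daemon keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) and the `HostConfig` fields (`Privileged`, `PidMode`, `SecurityOpt`, `Binds`) are real Docker settings, while every input document, container name and path is a constructed sample, and the function names are my own.

```python
"""Audit a Docker host for the weaknesses the Swarm cryptojacking campaign abuses.

Added example (not from the newsletter or from Docker). All inputs below are
constructed samples; on a real host you would read /etc/docker/daemon.json and
the output of `docker inspect` instead.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: a weak daemon.json that exposes the API on every
# interface without TLS, i.e. the unauthenticated Docker API condition above.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the same daemon bound to loopback, with TLS client
# certificate verification required on the TCP listener (paths are placeholders).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: two container records trimmed to the fields the audit uses.
SAMPLE_CONTAINERS = [
    {
        "Name": "/suspicious-worker",
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "SecurityOpt": ["seccomp=unconfined"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "SecurityOpt": ["no-new-privileges"],
            "Binds": [],
        },
    },
]

# Bind addresses that make the API reachable from any network interface.
WILDCARD_HOSTS = (None, "", "0.0.0.0", "::")


def audit_daemon(daemon_json: str) -> list[str]:
    """Return findings for a daemon.json document (empty list = nothing found)."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_required = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        bind_addr = urlsplit(host).hostname
        if bind_addr in WILDCARD_HOSTS:
            findings.append(f"API listens on all interfaces: {host}")
        if not tls_required:
            findings.append(f"TCP API listener without tlsverify: {host}")
    return findings


def audit_container(container: dict) -> list[str]:
    """Return isolation findings for one `docker inspect`-style record."""
    hc = container.get("HostConfig") or {}
    name = container.get("Name", "<unnamed>")
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: runs privileged (all capabilities, no device isolation)")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
        findings.append(f"{name}: seccomp profile disabled")
    if any(b.startswith("/var/run/docker.sock:") for b in (hc.get("Binds") or [])):
        findings.append(f"{name}: Docker socket mounted into the container")
    return findings


def audit_host(daemon_json: str, containers: list[dict]) -> list[str]:
    """Combine daemon and container findings for one host."""
    findings = audit_daemon(daemon_json)
    for container in containers:
        findings.extend(audit_container(container))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"== {label} daemon ==")
        for line in audit_host(doc, SAMPLE_CONTAINERS):
            print("  -", line)
```

The daemon check treats a TCP listener as acceptable only when it is bound to a specific address and `tlsverify` is set; a TCP listener with no TLS is exactly the "unauthenticated Docker API" the campaign scans for. The container checks map to the fundamentals listed in the last takeaway: a privileged container, a shared host PID namespace, a disabled seccomp profile, or a mounted Docker socket each removes an isolation boundary that would otherwise contain a compromised workload.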
Hackers Launch AI Deepfake Nude Generator Sites to Spread Malware
FIN7 hackers have created fake AI-powered “deepnude” generator websites, luring users to upload photos for fake nude creation.
Top 3 takeaways:
🪲 These honeypot domains, which promise to create deepfake nudes, instead spread Lumma Stealer and other malware, collecting credentials, crypto wallets, and sensitive data.
🥷 The sites leverage social engineering and black hat SEO techniques to lure victims.
🧠 FIN7’s approach marks an innovative and dangerous exploitation of AI and deepfake technology in cybercrime.
Fake Job Applications Target HR Professionals With Malware
A spear-phishing campaign is using fake job applications to target HR professionals with the dangerous More_eggs malware.
Top 4 takeaways:
🥸 The campaign tricks victims into downloading a malicious resume file, which installs the backdoor malware.
🪪 Once active, More_eggs collects sensitive information, including login credentials for banking and email accounts.
🪲 More_eggs uses social engineering tactics and fileless techniques to avoid detection.
😈 This attack is attributed to the Golden Chickens group, a known threat actor selling malware-as-a-service (MaaS) to various cybercriminal groups.
Top Tips of the Week
Threat Intelligence
- Regularly update and validate your CTI. Keep it current, relevant, and aligned with the evolving threat landscape.
- Integrate threat intelligence into threat modeling. Enhance your security posture by identifying potential threats early in the development process.
Threat Hunting
- Foster a mindset of continuous learning in cyber threat hunting. Encourage your team to stay updated on the latest threat trends and technologies.
- Incorporate threat intelligence into cyber threat hunting. Stay ahead with up-to-date insights on emerging threats.
- Stay aware of geopolitical events. Understand global impacts on cyber threats and adjust your strategy accordingly.
- Foster a culture of information sharing in cyber threat hunting. Open communication channels enhance collective ability to respond to threats.
Custom Tooling
- Collaborate with your team when creating custom tools. Multiple perspectives can lead to more robust and effective solutions.
Feature Article
MISP (Malware Information Sharing Platform and Threat Sharing) is an open-source threat intelligence platform that allows you to share, collate, analyze, and distribute threat intelligence.
Today, you will learn how to search and filter this data to find what is relevant to you. You will see how to perform a basic search, use the more advanced filtering options, and apply these actions to MISP events and attributes.
Learning Resources
Discover How to Investigate Cybercrime
In this insightful talk, Will Thomas will explain how to gather intelligence about threat actors, cybercrime gangs, and malware campaigns.
He discusses his own investigations and shares methods such as navigating the dark web, analyzing adversaries using the diamond model (adversary, infrastructure, capabilities, and victims), malware analysis, and blockchain analysis.
A must-watch for any CTI analyst!
Don’t Be a Python Noob
Python is the most popular programming language in cyber security. It’s easy to learn, use, and can save you lots of time.
Up your Python programming game by following this quick and fun walkthrough of 25 habits you need to ditch to graduate from noob to Python master. Improve your code and your prestige just a bit by ditching those habits and doing things the Pythonic way.
Adversaries Are Evolving: You Should Too!
Discover how adversaries are evolving with strange new tactics due to improvements in detection tools like EDR and SIEM.
This talk discusses these developments and explores adversaries’ creative and unusual strategies to bypass modern security technologies. It also highlights defensive strategies to combat these new tactics, like Group Policy restrictions, understanding network baselines, and enhancing user training to recognize suspicious activities.
Why You Should Use Type Hints in Python
Type hints in Python enhance code clarity, reduce documentation needs, and help avoid errors during development. They make data structures explicit, facilitate easier refactoring, and improve IDE support.
Despite criticisms, type hints streamline coding processes and promote better software design, ultimately leading to clearer and more maintainable code.
Learn why you should start using them in this insightful video.
Personal Notes
🤔 Another week of video creation and coaching is complete!
This week was dominated by coaching calls on everything from CTI reporting to threat research. I love jumping on a call, problem-solving, and sharing my experiences and expertise with clients looking to improve their CTI processes or elevate their skills.
Seeing their success is the fuel that keeps this company going!
When I wasn’t on coaching calls this week, the team and I continued our push to create video content to add to our free learning resources. We are about to wrap up our MISP series and are now moving on to less technical topics like the CTI lifecycle, intelligence requirements, etc. It will be fun to see how we can bring these topics to life with VFX and SFX.
Till next week, stay awesome!