Hello there 👋
Welcome back to the Kraven Security weekly newsletter, Triaging the Week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
Cyber Security Contractor Indicted for Hacking to Promote His Services
A Kansas City man, previously a cybersecurity contractor, has been indicted for hacking into the networks of a gym and a nonprofit to promote his services. His actions compromised security and led to financial losses for the victims.
Key takeaways:
🚨 A man from Kansas City was indicted for illegally accessing networks to pitch his cybersecurity services.
🔓 He hacked into a gym’s security camera system and a nonprofit’s computer, causing damage and financial loss.
🕵️‍♂️ The suspect used stolen credit card information to buy hacking tools, further escalating his criminal activities.
🔒 His actions included installing VPNs and changing account passwords, compromising the systems’ integrity.
⚖️ If convicted, he faces up to 15 years in prison and must pay restitution to the victims for the damages caused.
U.S. Attorney’s Office, Western District of Missouri
Malware Exploits Avast Driver in BYOVD Attack to Disable Security Measures
Researchers at Trellix have analysed a malware sample, ‘kill-floor.exe’, that uses the BYOVD (Bring Your Own Vulnerable Driver) technique: it drops a legitimately signed Avast Anti-Rootkit driver, loads it as a service, and then uses the driver’s kernel-mode process-termination capability to kill 142 security-related processes from a hardcoded list. Because the driver is signed, Windows loads it without complaint, which is why BYOVD needs defences beyond signature checks.
Key takeaways:
🛡️ The malware drops and loads a legitimate, signed Avast Anti-Rootkit driver (aswArPot.sys), the classic BYOVD (Bring Your Own Vulnerable Driver) pattern.
🔒 Once the driver is loaded, ‘kill-floor.exe’ sends it requests to terminate processes from a hardcoded list of 142 security-related process names, blinding antivirus and EDR before the rest of the attack proceeds.
🚨 The driver runs in the kernel, so user-mode protections such as tamper protection on the security processes do not help; a signed but abusable driver is a trusted path into the kernel.
🔍 Trellix warns that any signed driver exposing a process-kill or kernel-write primitive can be abused this way and urges organisations to put BYOVD safeguards in place.
📢 Practical safeguards: enable Microsoft’s vulnerable driver blocklist (or equivalent WDAC/HVCI policy), block the known-abusable driver by hash, and alert on driver loads from unexpected paths followed by bursts of security-process terminations.
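The last takeaway is easy to state and harder to operationalise, so here is an added detection example (not Trellix’s, Avast’s or the malware author’s code). It runs two rules over Sysmon-style events: Event ID 6 (driver loaded) for a watch-listed driver loaded from outside its vendor directory, and Event ID 5 (process terminated) for a burst of security-tool terminations within a minute of that load. The sample events, the Avast install directory, the security-process names and the thresholds are all constructed assumptions for this example.

```python
"""Flag the BYOVD pattern: abusable signed driver loaded, then security tools killed."""
import ntpath
from datetime import datetime, timedelta

# Signed drivers known to expose a process-kill primitive, keyed by lower-case
# file name, with the directory a legitimate install loads them from.
# aswArPot.sys is the driver named in the Trellix report; the install directory
# is an assumption made for this example.
DRIVER_WATCHLIST = {
    "aswarpot.sys": r"c:\program files\avast software\avast",
}
# A dropper can rename the driver on disk, so production rules also key on the
# SHA256 that Sysmon records in the Hashes field. Populate from a vetted list
# (for example LOLDrivers); left empty here.
HASH_WATCHLIST = set()

# Security tooling that should never die in bursts (constructed subset).
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "ekrn.exe", "avp.exe", "csfalconservice.exe",
}
KILL_WINDOW = timedelta(seconds=60)
KILL_THRESHOLD = 3


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'SHA1=..,MD5=..,SHA256=..' string."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def suspicious_driver_loads(events):
    """Yield (finding, load_time) for watch-listed drivers loaded from unexpected paths."""
    for ev in events:
        if ev["EventID"] != 6:
            continue
        path = ev["ImageLoaded"].lower()
        name = ntpath.basename(path)
        by_hash = sha256_of(ev.get("Hashes", "")) in HASH_WATCHLIST
        if name not in DRIVER_WATCHLIST and not by_hash:
            continue
        expected_dir = DRIVER_WATCHLIST.get(name)
        if expected_dir and ntpath.dirname(path) == expected_dir:
            continue  # the vendor's own install loading its own driver
        yield ({"severity": "high", "rule": "byovd_driver_load",
                "detail": f"{name} loaded from {ev['ImageLoaded']}"},
               datetime.fromisoformat(ev["UtcTime"]))


def security_kills_after(events, start):
    """Distinct security processes terminated within KILL_WINDOW of start, sorted by name."""
    end = start + KILL_WINDOW
    killed = set()
    for ev in events:
        if ev["EventID"] != 5:
            continue
        when = datetime.fromisoformat(ev["UtcTime"])
        name = ntpath.basename(ev["Image"]).lower()
        if start <= when <= end and name in SECURITY_PROCESSES:
            killed.add(name)
    return sorted(killed)


def analyze(events):
    """Run both rules over a list of Sysmon-style event dicts and return findings."""
    findings = []
    for finding, load_time in suspicious_driver_loads(events):
        findings.append(finding)
        killed = security_kills_after(events, load_time)
        if len(killed) >= KILL_THRESHOLD:
            findings.append({"severity": "critical", "rule": "security_process_kill_burst",
                             "detail": f"{len(killed)} security processes terminated within "
                                       f"{KILL_WINDOW.seconds}s of the driver load",
                             "killed": killed})
    return findings


# Constructed sample: a dropper loads the Avast driver from a user-writable
# folder and three security services die seconds later; a later load from the
# vendor directory is normal and produces no finding.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-11-26T10:00:00", "Signature": "Avast Software s.r.o.",
     "ImageLoaded": r"C:\Users\Public\kill-floor\aswArPot.sys"},
    {"EventID": 5, "UtcTime": "2024-11-26T10:00:03", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2024-11-26T10:00:04", "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"EventID": 5, "UtcTime": "2024-11-26T10:00:04", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 5, "UtcTime": "2024-11-26T10:00:05", "Image": r"C:\Program Files\ESET\ESET Security\ekrn.exe"},
    {"EventID": 6, "UtcTime": "2024-11-26T11:00:00", "Signature": "Avast Software s.r.o.",
     "ImageLoaded": r"C:\Program Files\Avast Software\Avast\aswArPot.sys"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["detail"])
```

The path rule alone is noisy on hosts where the vendor product is genuinely installed, and the name rule alone is blind to a renamed driver; correlating the load with what dies in the next minute is what turns two weak signals into a confident one.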
NHS Hit by Third Major Cyber Incident of 2024: Arrowe Park and Clatterbridge Hospitals Impacted
The NHS has declared another major cyber incident, the third this year, affecting Arrowe Park and Clatterbridge Hospitals in Wirral. All outpatient appointments are cancelled, and the public is asked to attend the hospitals’ emergency departments only for genuine emergencies.
Key takeaways:
🏥 Third Cyber Attack in 2024: Arrowe Park and Clatterbridge Hospitals are the latest NHS sites to suffer a cyber incident this year.
🚫 Appointment Cancellations: All outpatient appointments have been canceled, with plans to reschedule for affected patients.
🚨 Emergency Only: The hospitals are urging the public to only visit emergency departments for life-threatening conditions.
🔒 Cyber Security Reasons: The incident has been attributed to cybersecurity issues, though specifics remain undisclosed.
📰 Tight-Lipped Official Response: Hospital officials are not providing details on the nature of the cyber attack or its impact on wider hospital operations.
NachoVPN Exploit: Rogue VPN Servers Install Malicious Updates on Unpatched Clients
Newly disclosed vulnerabilities in the SonicWall NetExtender and Palo Alto Networks GlobalProtect clients allow a rogue VPN server to push malicious updates to unpatched clients, which install them with elevated privileges. AmberWolf has released “NachoVPN”, an open-source rogue-server tool that simulates these attacks, highlighting the urgency of updating the clients.
Key takeaways:
🚨 Vulnerability Exploited: Rogue VPN servers can install malicious updates on unpatched SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients.
🔒 Attack Outcomes: A rogue server can steal login credentials, execute code on the client with high privileges, and install forged certificates to enable man-in-the-middle attacks on later connections.
🛡️ Patch Availability: SonicWall patched their vulnerability in July, while Palo Alto Networks released updates for their flaw at the time of the report.
🧰 Tool Release: AmberWolf introduced “NachoVPN” tool to simulate attacks and help with vulnerability testing.
⚠️ Security Recommendations: Users must update their VPN clients immediately to prevent exploitation.
Bootkitty: The First UEFI Bootkit for Linux
Researchers from ESET have unveiled Bootkitty, the first UEFI bootkit specifically designed for Linux systems. While probably a proof-of-concept, it shows bootkit techniques that were previously a Windows-only concern moving to Linux, where they target the chain of signature checks that runs from the bootloader into the kernel.
Key takeaways:
🚨 First Linux UEFI Bootkit: ESET researchers discovered Bootkitty, the first known UEFI bootkit aimed at Linux systems.
🔒 Targets Signature Checks: It patches GRUB’s integrity checks and attempts to disable the kernel’s signature verification so that unsigned code survives the boot process. It is signed with a self-signed certificate, so on a machine with Secure Boot enabled it only runs if the attacker’s certificate has been enrolled.
🧑‍💻 Proof of Concept: Bootkitty appears to be more of a proof-of-concept than a fully operational threat, suggesting it’s in early development.
🛠️ Limited Scope: It works only with specific Ubuntu configurations because it locates the code it patches with hardcoded byte patterns tied to particular kernel and GRUB versions.
🔍 Indicators of Compromise: Indicators of compromise for Bootkitty are available, but no in-the-wild infections have been observed yet.
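A bootkit of this kind has two things standing in its way on a properly configured host: UEFI Secure Boot, which refuses to run an EFI binary signed by an unenrolled key, and kernel lockdown, which blocks unsigned modules and the raw-memory interfaces used to tamper with a running kernel. The following is an added posture check (not ESET’s code and not an IoC scanner) that reads both states. The paths are parameters so the functions can be pointed at a constructed directory tree; on a live system the defaults are /sys/firmware/efi/efivars and /sys/kernel/security/lockdown.

```shell
#!/bin/sh
# Added example: report whether this host presents the defences a Linux
# UEFI bootkit has to get past. Paths are parameters so the functions can
# be tested against a constructed directory tree.

# Secure Boot state from the EFI variable file: 4 bytes of attributes
# followed by one byte of value (1 = enabled).
secure_boot_state() {  # $1 = efivars directory
    var=""
    for f in "$1"/SecureBoot-*; do
        if [ -e "$f" ]; then var=$f; break; fi
    done
    if [ -z "$var" ]; then
        echo "no-efi"        # BIOS boot or efivarfs not mounted: no Secure Boot at all
        return 2
    fi
    case $(od -An -tu1 -j4 -N1 "$var" | tr -d ' ') in
        1) echo "enabled";  return 0 ;;
        *) echo "disabled"; return 1 ;;
    esac
}

# Kernel lockdown mode. The file lists the modes with the active one in
# brackets, e.g. "none [integrity] confidentiality". Integrity or stronger
# rejects unsigned modules and closes /dev/mem-style write paths.
lockdown_mode() {  # $1 = lockdown file
    [ -r "$1" ] || { echo "unavailable"; return 2; }
    case $(cat "$1") in
        *'[integrity]'*)       echo "integrity";       return 0 ;;
        *'[confidentiality]'*) echo "confidentiality"; return 0 ;;
        *)                     echo "none";            return 1 ;;
    esac
}

# One-line verdict combining both checks.
boot_verdict() {  # $1 = efivars directory, $2 = lockdown file
    sb=$(secure_boot_state "$1" || :)
    ld=$(lockdown_mode "$2" || :)
    if [ "$sb" = enabled ] && { [ "$ld" = integrity ] || [ "$ld" = confidentiality ]; }; then
        echo "hardened: secure-boot=$sb lockdown=$ld"
        return 0
    fi
    echo "exposed: secure-boot=$sb lockdown=$ld"
    return 1
}

# Usage on a live host: sh boot-posture.sh report
if [ "${1:-}" = report ]; then
    boot_verdict /sys/firmware/efi/efivars /sys/kernel/security/lockdown
fi
```

A “hardened” verdict does not prove the ESP is clean; it means Bootkitty as described could not run there without the attacker first enrolling a key, which is why the enrolled MOK and db certificates deserve their own review alongside ESET’s indicators.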
Top Tips of the Week
Threat Intelligence
- Automate routine CTI tasks for efficiency. Free up resources for in-depth analysis and response efforts.
- Incorporate CTI into security awareness training. Educate employees on recognizing and responding to threats based on real-time intelligence.
- Foster a culture of continuous improvement in CTI. Regularly assess and enhance processes for optimal effectiveness.
Threat Hunting
- Collaborate with law enforcement in cyber threat hunting. Sharing threat intelligence strengthens overall efforts against cybercrime.
- Integrate threat intelligence into DevSecOps. Embed security practices early in the development lifecycle for proactive threat mitigation.
Custom Tooling
- Use version control for custom tool code. Track changes, collaborate seamlessly, and roll back if issues arise.
- Regularly update and patch your custom tools. Stay vigilant against potential vulnerabilities and ensure ongoing reliability.
Feature Video
The Cyber Kill Chain is a framework for understanding cyber attacks, analyzing intrusions, and planning cyber defenses.
It is used throughout the industry by cyber security professionals in security operations, incident response, and cyber threat intelligence to investigate and report how a cyber attack happened.
Let’s explore why the Cyber Kill Chain is useful and how to get the most from this fundamental structured analytical technique!
Learning Resources
Unlock the Power of an Open-Source CTI Platform
OpenCTI is a powerful open-source cyber threat intelligence platform that you can get started using for FREE!
This webinar demonstrates how to use OpenCTI for streamlined threat analysis and efficient collaboration. It walks through tools for consulting reports, assigning tasks, and monitoring progress in a dynamic threat intelligence workflow, leveraging custom dashboards and advanced investigation features.
I highly recommend checking out the platform and using it to structure your CTI work.
Learn to Conduct Investigations in Maltego
Maltego is an excellent link analysis tool used as a de facto OSINT investigation tool for many years. This superb tutorial will teach you how to use it to trace digital footprints, gather personal identifiers, and connect individuals to online profiles, email addresses, and social networks.
All cyber threat intelligence analysts and cyber security professionals should know how to use Maltego to structure their investigations, extract information automatically from data sources, and create visual reports.
Learn to use Maltego today!
Discover the Capabilities of Shodan
Shodan is a powerful search engine that continuously scans and indexes devices exposed to the internet, from routers, servers, and webcams to industrial SCADA systems. It records information such as the operating system, running services, banners, and open ports of each device.
You can use it to monitor your attack surface, find adversary C2 infrastructure, and much more!
This tutorial walks you through using Shodan’s browser interface, performing searches, and installing its command-line tool for automating your investigations.
Setup Open-Source Security Tools in Your Home Lab
Learn to use powerful, free, self-hostable open-source security tools for network security and log management in your home lab today!
This awesome guide walks you through how to set up and configure Graylog, Wazuh, and Security Onion for log aggregation and network security monitoring, and how to use them to investigate security incidents.
Getting hands-on experience with these tools will provide you with the skills required to land your first cyber security role or move up the career ladder.