Hello there
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what's happening at the company. Enjoy!
Top 5 News Stories
Clop Ransomware Group Behind Cleo Data Theft Exploitation
The notorious Clop ransomware gang has claimed responsibility for the recent data theft attacks targeting Cleo’s file transfer software, exploiting zero-day vulnerabilities. This follows their pattern of targeting managed file transfer solutions.
Key takeaways:
Zero-Day Exploit: Clop confirmed to BleepingComputer that they exploited a zero-day vulnerability in Cleo’s Harmony, VLTrader, and LexiCom managed file transfer platforms to steal data.
Previous Exploits: This attack mirrors Clop’s history of targeting similar software, including MOVEit Transfer, GoAnywhere MFT, and Accellion FTA in past campaigns.
Data Impact: The extent of the data stolen isn’t clear, but Cleo’s platforms are used across numerous organizations for secure file sharing, potentially impacting multiple sectors.
CISA Confirmation: The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the vulnerability was exploited in ransomware attacks, emphasizing the severity of the issue.
Investigation: Despite the confirmation from Clop, no organizations have publicly acknowledged being victims, and Cleo has not responded to inquiries regarding the breach.
Russian Cyberspies Deploy New Android Spyware
Russian cyberspies, known as Gamaredon or Shuckworm, have expanded their espionage toolkit with two new Android spyware families, BoneSpy and PlainGnome, targeting Russian-speaking users in former Soviet states. Beware of fake apps and phishing attempts.
Key takeaways:
Gamaredon’s New Tools: The Russian-linked group has introduced two new spyware families, BoneSpy active since 2021 and PlainGnome from 2024, focusing on Android devices.
Targeted Distribution: These spyware variants are distributed through social engineering, often via trojanized Telegram apps or by posing as Samsung Knox security software.
Surveillance Capabilities: Both spyware can intercept text messages, access contacts, log calls, and utilize device cameras, all while seeking dangerous permissions under false pretenses.
No Google Play Presence: Neither BoneSpy nor PlainGnome have appeared on Google Play, indicating they are likely spread through targeted websites or direct downloads.
Geopolitical Targeting: The operation focuses on individuals in former Soviet states, aligning with Russia’s geopolitical interests and demonstrating a shift towards mobile espionage.
Malicious Ads Propagate Lumma Info-Stealer Through Fake CAPTCHA
Beware of deceptive ads pushing the Lumma infostealer via fake CAPTCHA pages that trick users into running harmful PowerShell scripts. This campaign has spread across thousands of websites, compromising user security.
Key takeaways:
Massive Campaign: A large-scale malvertising effort has been distributing the Lumma Stealer malware through misleading CAPTCHA verification prompts.
Ad Networks Exploited: The Monetag ad network was used to spread over a million ad impressions daily across about 3,000 websites, amplifying the reach of this scam.
PowerShell Execution: The attack involves a JavaScript snippet that copies a malicious PowerShell command to the clipboard, which users are then tricked into executing.
Data Theft: Once installed, Lumma Stealer targets passwords, credit card information, cryptocurrency wallets, and other sensitive data from various browsers.
Advice: Users are advised never to run unknown commands prompted by websites and to be cautious with CAPTCHAs on unfamiliar or suspicious sites.
AI-Driven Investment Scam Exploits Social Media Platforms
Cybersecurity experts warn of a new AI-powered investment scam, named Nomani, growing by 335% in 2024. It uses social media ads and AI video testimonials to deceive victims into phishing traps, stealing data and over $6.3 million.
Key takeaways:
AI Manipulation: The scam leverages AI to produce convincing video testimonials featuring well-known figures to endorse fake investment platforms.
Growth and Impact: Nomani has seen a 335% increase in activity, with over 100 new URLs detected daily, leading to significant financial and data losses.
Social Media Exploitation: Malvertising on platforms like X (formerly Twitter), YouTube, and LinkedIn is used to spread the scam, often targeting those previously scammed with promises of refunds.
Phishing Tactics: The scheme directs users to phishing websites where personal and financial information is harvested, with some victims losing thousands to this fraud.
Cybersecurity Response: ESET has been tracking this threat, advising users to be skeptical of investment ads, especially those with too-good-to-be-true promises or unsolicited endorsements.
Attackers Exploit Microsoft Teams and AnyDesk for DarkGate Malware
Cybercriminals are leveraging Microsoft Teams calls and AnyDesk to distribute the DarkGate malware. Through social engineering, attackers pose as clients to gain remote access, deploying multiple malicious payloads. Immediate security measures are advised.
Key takeaways:
Teams Exploitation: Attackers use Microsoft Teams calls to impersonate clients or colleagues, tricking users into downloading remote access tools like AnyDesk.
AnyDesk Abuse: Once installed, AnyDesk allows attackers to control the victim’s system remotely, facilitating malware deployment.
Payload Delivery: Multiple malicious payloads, including DarkGate, a credential stealer, and a PowerShell script, are deployed to compromise the system further.
Attack Chain: The strategy involves email spam to overwhelm the victim, followed by direct interaction via Teams, showcasing advanced social engineering tactics.
Security Recommendations: Enabling multi-factor authentication, whitelisting approved software, and being cautious with unsolicited communication are key defenses.
Top Tips of the Week
Threat Intelligence
- Monitor social media for indicators of compromise. Threat actors may inadvertently reveal information that aids in threat detection.
- Foster a culture of accountability in CTI. Ensure that insights lead to concrete actions and improvements.
- Embrace a threat-centric mindset. Infuse threat intelligence into your organization’s DNA for a proactive cybersecurity culture.
Threat Hunting
- Leverage threat intelligence in cloud security. Adapt your threat hunting strategies for the unique challenges of cloud environments.
Custom Tooling
- Collaborate with threat hunters during custom tool development. Incorporate insights to enhance the tool’s threat detection capabilities.
- Prioritize security when developing custom tools. Ensure they meet industry standards and do not introduce new vulnerabilities.
- Optimize custom tools for efficiency. Streamline workflows and automate repetitive tasks for enhanced productivity.
Feature Video
The majority of threat actors buy and use commodity malware. To tailor this malicious software to their needs, they use malware configuration settings that dictate how it behaves. Parsing this data is an essential skill for any threat hunter or detection engineer, making learning to use malware configuration parsers vital.
Malware configuration parsing allows you to correlate intrusions, track campaigns, enrich threat hunts, improve incident response, and write better detection rules. It is a skill often overlooked due to its technical requirements, but with malware configuration parsing tools, you can add this game-changing analysis skill to your arsenal.
Feature Article
How do you collect data? Do you browse a website, scroll through all the content, and manually copy and paste your desired data? What if I told you there was a much more efficient method to save you time and energy... let's jump into the world of web scraping!
Web scraping allows you to automate your data collection by harnessing the power of code to search, filter, and export data from your favorite collection sources. It is a game changer for cyber threat intelligence analysts who must research new threats daily. However, web scraping can be overwhelming.
You must learn how to code, bypass common anti-scraping techniques, and figure out a way to automate it all in code or using a platform like Zapier.
This is where Octoparse comes in.
A no-code solution that will save you time, energy, and money. Let me show you how to use it to build your custom cyber threat intelligence web scraping tool!
Learning Resources
Learn Go in One Project
Go is a fantastic programming language to learn. It is fast, simple, and cross-platform. A great choice for any cyber security pro looking to upskill.
This video teaches Go programming through an engaging slot machine project. It covers Go’s syntax and core features like data types, functions, and loops so you can gain hands-on experience and a deeper understanding of Go’s unique characteristics.
It is the ideal guide for those eager to quickly grasp Go’s capabilities!
Do You Care About Your Privacy? Maybe, Try Signal
Considering the recent big telecoms being breached, you might want something more privacy-focused for your messaging needs, and Signal might be the answer.
Signal Messenger is a robust choice for secure messaging in 2024. With end-to-end encryption as its foundation, Signal ensures that only the sender and recipient have access to their messages, while its nonprofit Signal Foundation avoids the pitfalls of surveillance capitalism.
This excellent video demonstrates how you can use Signal to enhance your privacy using disappearing messages, QR-code-based connections, and customizable settings for visibility and phone number usage.
Want to be More Productive on Your Mac?
This video dives into optimizing macOS productivity through advanced window and workspace management techniques. It explores tools like Aerospace (a tiling window manager for macOS) and SketchyBar (a customizable status bar) in depth, demonstrating how they transform a single 4K monitor into a powerhouse for streamlined multitasking.
A must-watch if you are struggling with clunky macOS window management and are looking for an efficient experience tailored to your needs.
Which Open-Source Git Platform to Use?
GitLab CE and Gitea are two powerful open-source Git platforms you can run in your home lab, but which to choose? This video compares them both.
GitLab offers robust integrations and enterprise-level features like advanced DevOps tools, code scanning, and Terraform backend support. Gitea excels in minimalism and ease of use, requiring only a fraction of GitLab’s resources.
The choice ultimately depends on individual needs: those prioritizing advanced features may lean towards GitLab, while users seeking efficiency and simplicity may prefer Gitea.