Hello there π
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the weekβs top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about whatβs happening at the company. Enjoy!
Top 5 News Stories
Ransomware Gangs Utilize SSH Tunnels to Compromise VMware ESXi
Ransomware actors are exploiting SSH tunneling for undetected access to VMware ESXi servers, showcasing their evolving tactics. This approach allows them to remain hidden while they persist on critical infrastructure.
Key takeaways:
π SSH Tunneling: Ransomware groups use SSH tunnels as a stealthy method to access and maintain presence on VMware ESXi servers.
πΎ ESXi Importance: These servers are vital for virtualization, running multiple virtual machines on a single physical server, making them high-value targets.
π΅οΈββοΈ Detection Evasion: Attackers can bypass monitoring by leveraging SSH since ESXi logs are spread across multiple files, making it challenging to track unauthorized activities.
π Persistence: The technique allows for long-term access without frequent re-entry, taking advantage of ESXi’s rare reboots.
π¨ Security Recommendations: To detect such stealthy intrusions, it is advised to centralize ESXi logs and integrate them into a Security Information and Event Management (SIEM) system.
DeepSeek Halts New Signups Following Large-Scale Cyberattack
DeepSeek, the Chinese AI startup, has temporarily stopped accepting new users due to “large-scale malicious attacks” on its services amidst skyrocketing popularity. This cyber incident raises questions about security in the fast-growing AI sector.
Key takeaways:
π Signup Suspension: DeepSeek has paused new user registrations to manage the impact of the cyberattack on its infrastructure.
π Rising Popularity: The AI platform had recently become the most downloaded free app on the Apple App Store, surpassing ChatGPT, which likely contributed to the strain and vulnerability.
π¨ Cyberattack: The company described the incident as “large-scale malicious attacks,” though specifics about the nature of these attacks remain undisclosed.
π AI Sector Impact: This event underscores AI companies’ cyber security challenges as they expand rapidly and gain international attention.
π Ongoing Investigation: DeepSeek is presumably working on mitigating the attack and restoring services, but no clear timeline has been given for reopening signups.
Clone2Leak Attacks Exploit Git Vulnerabilities to Compromise Credentials
A new set of attacks named ‘Clone2Leak’ leverages Git credential helpers to steal user credentials by exploiting flaws in how these helpers process authentication requests. Immediate updates to Git and related tools are recommended to safeguard against these credential thefts
Key takeaways:
π Attack Mechanism: Clone2Leak exploits Git’s credential helper system to leak credentials through methods like carriage return smuggling, newline injection, and logic flaws in credential retrieval.
π Affected Systems: The vulnerabilities impact GitHub Desktop, Git LFS, GitHub CLI/Codespaces, and Git Credential Manager, allowing attackers to redirect credentials to malicious servers.
π‘οΈ Patches Available: Security updates have been released to address these flaws. Users are urged to ensure they’re running the latest versions to protect against these attacks.
π° Discovery: Security researcher RyotaK from GMO Flatt Security responsibly disclosed these vulnerabilities, highlighting the importance of proactive security research.
βοΈ Mitigation: Enabling Git’s ‘credential.protectProtocol’ option is recommended as an additional defense against these credential smuggling tactics.
Hackers Exploit SimpleHelp RMM Vulnerabilities to Infiltrate Networks
Hackers are capitalizing on recently patched vulnerabilities in SimpleHelp RMM software to gain unauthorized network access. Organizations must ensure all systems are updated to the latest version to prevent breaches.
Key takeaways:
π¨ Vulnerability Exploitation: Hackers are exploiting three CVEs in SimpleHelp RMM – CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 – to infiltrate networks.
π₯ File Manipulation: These vulnerabilities allow attackers to download and upload files, potentially leading to data theft or further compromise.
π Privilege Escalation: The flaws enable attackers to escalate their privileges to administrative levels, gaining significant control over compromised systems.
π Patch Availability: Patches for these vulnerabilities were released on January 8 and 13 January, 2025, urging users to update to versions 5.5.8, 5.4.10, or 5.3.9.
π‘οΈ Mitigation: Uninstalling unused SimpleHelp clients and ensuring all software is up-to-date are critical steps in reducing the attack surface.
Critical Vulnerabilities in Node.js Expose Systems to Remote Attacks
Critical security flaws in various Node.js versions (v18.x, v20.x, v22.x, v23.x) have been exposed, posing significant risks, including data theft, DoS, and system compromise. Immediate updates are crucial to safeguard against these vulnerabilities.
Key takeaways:
π¨ Critical Vulnerabilities: Multiple high-severity security issues in Node.js versions v18.x to v23.x could lead to sensitive data exposure, denial of service (DoS), and system takeover.
π Affected Versions: The vulnerabilities impact both LTS (Long Term Support) and current releases. Users should check and update their Node.js installations.
π‘οΈ Security Measures: To mitigate these risks, users are advised to upgrade to the latest patched versions, such as v18.20.6, v20.18.2, v22.13.1, and v23.6.1.
π Remote Exploitation: These flaws can be exploited remotely, allowing attackers to gain unauthorized access and control over systems.
Top Tips of the Week
Threat Intelligence
- Regularly update threat intelligence feeds. Timely information is crucial for identifying and mitigating new threats.
- Implement threat intelligence in vulnerability management. Prioritize patches based on real-time threat information.
Threat Hunting
- Regularly review and update your threat hunting tools in cyber threat hunting. Ensure they are aligned with the latest threat intelligence and methodologies.
- Foster a cyber threat hunting community. Collaborate with peers, share experiences, and learn from one another.
- Integrate threat intelligence into security awareness programs in cyber threat hunting. Educate employees to recognize and report potential threats.
- Develop threat hunting playbooks in cyber threat hunting. Standardize procedures for consistent and effective detection and response.
Custom Tooling
- Regularly assess the performance of custom tools. Optimize code, address bottlenecks, and ensure efficient operation.
Feature Video
Crown Jewel Analysis teaches you what to protect and how to protect it.
This fundamental risk management methodology has been used for decades to help organizations determine what is important to them and where to prioritize their resources to defend against cyber attacks.
Letβs explore how to use Crown Jewel Analysis and focus on defending what is most important to your business today!
Watch Now!
Learning Resources
SOC Core Skills
John Strand is back, teaching his awesome SOC Core Skills course. It covers everything a junior Security Operations Center (SOC) analyst needs to know, from using Windows and Linux command lines for cyber security tasks to understanding network protocols.
The course emphasizes the importance of practical skills over just certifications, encouraging learners to engage with hands-on labs and real-world scenarios. John is a great instructor, and I highly recommend checking it out if you’re new to the industry or want to upskill!
DeepSeek Disrupts the AI Industry
Chinese company DeepSeek has disrupted the AI industry with its open-source R1 model, outperforming OpenAI, Claude, and Gemini on key benchmarks. The model, developed as a side project with a budget under $10 million, has shaken Big Tech, challenging the notion that AI requires massive computational resources.
This entertaining video highlights how this breakthrough threatens Nvidia’s dominance in AI hardware and the sustainability of the AI bubble as open-source models gain traction.
Control Your Emotions, Maintain Your Power
Emotional control is a crucial skill that allows individuals to maintain power over their own reactions. The video emphasizes that being emotionally affected by mere words or insults gives others control over your mind. Stay calm in response to offensive remarks to reach self-mastery.
Maintaining psychological discipline is key to improving your interpersonal skills and achieving personal and professional success.
Structured Analytical Techniques Beyond ACH
Donβt stop at the Analysis of Competing Hypotheses (ACH)! There are tons of great structured analytic techniques (SATs) in intelligence and cyber security that you can use to add analytical rigor to your intelligence assessments.
This video explores some of these SATs, including brainstorming, scenario planning, key assumption checks, and red hat analysis. Use them to avoid cognitive biases and make more informed decisions!
