Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories

DeepSeek AI Tools Impersonated by Infostealer Malware on PyPI
Cybercriminals have infiltrated PyPI with fake DeepSeek AI packages, ‘deepseeek’ and ‘deepseekai,’ which are actually info stealers. Developers, beware, and always verify the authenticity of packages before installation!
Key takeaways:
🕵️ Malicious Packages: Two packages, ‘deepseeek’ and ‘deepseekai’, were found on PyPI. They impersonate tools for the popular DeepSeek AI platform but are, in fact, information stealers.
🚫 Data Theft: Once installed, these packages steal sensitive information such as API keys, database credentials, and permissions, posing a significant security risk to users.
🕒 Recent Development: The malicious packages were uploaded on January 29, 2025, and although PyPI has since removed them, they accumulated 222 downloads, indicating potential exposure.
🔍 Detection: Positive Technologies researchers discovered the attack and reported the issue to PyPI, which removed the packages.
🛡️ Security Measures: This incident underscores the need for developers to use package verification tools, maintain up-to-date security practices, and perhaps use package managers with built-in security checks.
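One lightweight version of the "package verification" the takeaway above recommends is a pre-install gate that compares every name in a requirements file against a list of packages your team has already vetted and flags near-misses such as an extra letter or a bolted-on suffix. The script below is an added example written for this newsletter; it is not code from PyPI, Positive Technologies or any real verification tool. The allowlist (including "deepseek" as an assumed vetted name) and the requirements lines are constructed sample data, and the edit-distance threshold of 2 is a tunable choice, not a standard.

```python
"""Pre-install gate for Python requirements: flags package names that are
not on a vetted allowlist and that look like near-misses of names that are.

Added example for this newsletter, not code from PyPI or any real tool.
The allowlist and the requirements lines below are constructed sample
data; a real deployment would load both from its own sources."""
import re


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of - _ . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def requirement_name(line):
    """Project name from one requirements line; None for blanks, comments, options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def check_requirements(lines, allowlist, max_distance=2):
    """Return (name, verdict, closest_vetted) for every requirement line.

    verdict is 'ok' (on the allowlist), 'lookalike' (within max_distance edits
    of an allowlisted name; the typosquat case) or 'unvetted' (unknown and not
    close to anything, which still deserves a manual review)."""
    vetted = {normalize(n) for n in allowlist}
    findings = []
    for line in lines:
        raw = requirement_name(line)
        if raw is None:
            continue
        name = normalize(raw)
        if name in vetted:
            findings.append((raw, "ok", name))
            continue
        closest = min(vetted, key=lambda v: edit_distance(name, v))
        if edit_distance(name, closest) <= max_distance:
            findings.append((raw, "lookalike", closest))
        else:
            findings.append((raw, "unvetted", None))
    return findings


# Constructed sample data: an assumed organisation allowlist and a requirements
# file that includes the two lookalike names reported in the story.
VETTED_PACKAGES = ["requests", "numpy", "deepseek"]
SAMPLE_REQUIREMENTS = """
requests==2.31.0
numpy>=1.26
deepseeek            # one extra 'e'
deepseekai           # 'ai' suffix
totally-unknown-lib
""".strip().splitlines()

if __name__ == "__main__":
    for name, verdict, closest in check_requirements(SAMPLE_REQUIREMENTS, VETTED_PACKAGES):
        print(f"{name:22} {verdict:10} {closest or ''}")
```

Wire a check like this into CI so a "lookalike" verdict fails the build, and treat "unvetted" as a prompt to review the package (author, release history, age) before adding it to the allowlist.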
North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS
North Korean hackers are using fake job interviews to distribute FERRET malware, targeting macOS users. Be cautious of unsolicited job offers and software updates from unknown sources, especially those requiring you to install new software for virtual meetings.
Key takeaways:
🕵️ Targeting macOS: North Korean hackers associated with the Contagious Interview campaign are deploying FERRET, a suite of macOS-specific malware, through deceptive job interview processes.
🎭 Social Engineering: Victims are misled into installing fake software updates or applications like VCam or CameraAccess, which are purportedly needed for virtual job interviews.
🔄 Malware Components: The attack involves multiple stages, including deploying JavaScript-based malware named BeaverTail, which can lead to installing a Python backdoor called InvisibleFerret.
⚡ Attack Vectors: This campaign leverages npm packages and native applications masquerading as legitimate tools, highlighting the risks of supply chain attacks in software distribution.
🚨 Warning: This incident underscores the need for increased vigilance in accepting digital communications and software from unverified sources, particularly in professional contexts like job interviews.
Five Eyes Cyber Agencies Release Guidance for Securing Network Edge Devices
The Five Eyes cyber security agencies have issued critical guidance for securing network edge devices, emphasizing forensic visibility to detect and investigate attacks. Manufacturers and network defenders should take note to strengthen their security posture.
Key takeaways:
🌐 Collaborative Guidance: The UK, Australia, Canada, New Zealand, and the US, under the Five Eyes alliance, have collaboratively released security recommendations for network edge device manufacturers and users.
🔍 Forensic Visibility: The guidance stresses the importance of forensic capabilities in devices to aid in detecting malicious activities and post-incident investigations.
🛡️ Security by Design: Manufacturers are encouraged to integrate robust, secure-by-default logging and forensic features into their products to prevent exploitation by threat actors.
⚠️ Threat Landscape: This action follows several high-profile attacks targeting network edge devices, highlighting the need for better security measures at the network’s perimeter.
📝 For Network Defenders: The guidance includes minimum requirements for forensic visibility that network defenders should consider when selecting network devices for their infrastructure.
PyPI Implements Project Archiving to Thwart Malicious Updates
PyPI introduces ‘Project Archival’ to combat malicious updates. This feature allows developers to mark projects as archived to prevent unwanted changes. This move aims to enhance the security of the Python ecosystem by signaling when projects are no longer maintained.
Key takeaways:
🔒 Project Archival Feature: PyPI has introduced a new system called ‘Project Archival’, which lets developers archive their projects to indicate that no further updates should be expected.
🛑 Security Enhancement: This feature is designed to stop malicious actors from hijacking old, unmaintained projects to distribute malicious code through updates.
📥 Continued Availability: Archived projects remain available for download but come with a warning about their maintenance status, helping users make informed decisions about dependencies.
🚨 Response to Threats: This measure addresses the common tactic of attackers taking over abandoned projects to push out malware-laden updates, a significant issue in open-source software security.
📝 Maintainer Control: Project maintainers can release a final version before archiving, providing an opportunity to inform users about the project’s status, though this step is not mandatory.
Meta Confirms Zero-Click WhatsApp Spyware Attack Targeting Journalists and Activists
Meta has confirmed a zero-click spyware attack on WhatsApp that affected 90 journalists and activists. This exploit, linked to Israeli company Paragon Solutions, underscores the need for constant vigilance and updates in digital security.
Key takeaways:
🚨 Zero-Click Exploit: Meta has acknowledged a sophisticated zero-click attack on WhatsApp targeting around 90 individuals, primarily journalists and civil society members.
🕵️ Spyware Source: The attack used spyware from Paragon Solutions, an Israeli company, highlighting the ongoing challenge of safeguarding encrypted communication platforms against state-sponsored espionage.
🔍 No User Interaction Needed: This attack does not require the victim to interact with malicious content; merely receiving a message or call can trigger the exploit.
🔒 Privacy Implications: The incident raises significant privacy concerns, especially for sensitive professionals who rely on secure communication tools.
🛡️ Response and Mitigation: Meta has taken action to disrupt the campaign, but users are urged to update WhatsApp to the latest version to protect against this and potentially similar vulnerabilities.
Top Tips of the Week

Threat Intelligence
- Foster cross-industry threat intelligence collaboration. Learn from and share insights with organizations facing similar threats.
Threat Hunting
- Investigate patterns, not just incidents, in cyber threat hunting. Recognizing patterns aids in understanding tactics and identifying potential threats.
- Engage in threat intelligence forums as part of your cyber threat hunting. Participate in discussions to share insights and learn from others in the field.
- Stay informed on emerging threats. Regularly update your threat intelligence sources for accurate and relevant insights.
- Simulate tabletop exercises for threat scenarios. Practice response strategies for effective threat hunting.
- Test your defenses regularly. Simulate cyber attacks to evaluate preparedness and identify areas for improvement.
Custom Tooling
- Educate your team on using custom tools. Provide training and resources to maximize the benefits of your creations.
Feature Video
Estimative language is a cornerstone of any good cyber threat intelligence report. It allows analysts to make clear, precise, and transparent assessments about the likelihood of an outcome or event so key stakeholders can make informed decisions. Without it, the lines between judgment and fact become blurred.
This guide will teach you what you need to start using estimative language in your threat intelligence reports and accurately assign a confidence level to your assessments. You will learn what estimative language is, its importance, and its three main components.
Learning Resources

The Rise of InfoStealer Malware
Infostealer malware is an increasing cyber threat, targeting both consumer and corporate accounts by extracting saved credentials, browser fingerprint data, and session cookies. Hackers distribute these logs via dark web forums and Telegram channels, enabling account takeovers, bypassing multi-factor authentication, and even mimicking browser sessions for fraudulent access.
This great talk from the team at Flare highlights the rising use of these techniques, particularly through residential proxies and illicit marketplaces. They discuss how threat actors are even using sophisticated automation and AI-generated voices to take these scams to the next level!
Tracking Malicious Infrastructure with Censys
Censys is a powerful Internet scanning tool that can help you proactively track malicious infrastructure and stay a step ahead of the bad guys. This webcast will show you how!
It covers how to find and investigate C2 and other malicious infrastructure, simplify finding devices and services of interest, and more. Combined with threat intelligence feeds, domain reputation analysis, and behavior analytics, Censys is a fantastic tool for identifying and neutralizing these threats.
Tracking Malicious Infrastructure: A Censys Lunch and Learn
Detection Engineering in Action
Remote code execution (RCE) vulnerabilities pose a significant risk to organizations. You need a way to detect them in your environment and defend key business assets.
This excellent tech talk by Michael Haag showcases how you can do just that using forward proxies like Nginx, Docker images that host vulnerable versions of popular SaaS products, and a bit of threat hunting.
He walks you through his detection engineering process as a Principal Threat Researcher at Splunk to create security content for defending against CVEs!
Detecting Remote Code Executions With the Splunk Threat Research Team
Five Cyber Security “Predictions” for 2025
A recent webcast by the great team at Black Hills Security featured John Strand critiquing common industry trends, highlighting five major security issues that continue to be ignored in 2025.
Instead of making “predictions” filled with recycled buzzwords, he highlights persistent security issues such as legacy applications, security exceptions, the overreliance on cloud services, developers cutting corners, and the industry’s fixation on compliance rather than real security improvements.
It is both an entertaining and educational watch that I highly recommend!