Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories

Apple Removes iCloud End-to-End Encryption in the UK
Apple has pulled Advanced Data Protection, its opt-in end-to-end encryption for iCloud, from the UK, reportedly after a Home Office demand served under the Investigatory Powers Act. Privacy takes a hit: UK folks, your backups are no longer protected by keys that only you hold!
Key takeaways:
🍏 Feature Axed: Apple withdrew Advanced Data Protection (ADP), which extends end-to-end encryption (E2EE) to iCloud backups, photos, notes and most other categories, for UK users. New UK users can no longer turn it on and existing users will have to switch it off, even though the feature has been available elsewhere since late 2022.
📜 Legal Pressure: The move follows reports that the UK government demanded a way to access encrypted iCloud data under the Investigatory Powers Act, a demand Apple cannot meet while E2EE is in place, since under E2EE Apple never holds the keys.
🔓 Security Shift: UK users' iCloud data, such as photos, notes and device backups, falls back to standard data protection: still encrypted in transit and at rest, but with keys held by Apple, so Apple can decrypt it if compelled. Categories that are E2EE by default, such as iCloud Keychain, Health data and iMessage, are unaffected.
🌍 Global Divide: While 163 other countries enjoy Advanced Data Protection, UK users face reduced privacy, sparking concerns among security advocates.
A Break Down of Bybit’s Record-Breaking $1.46 Billion Crypto Heist
Bybit has confirmed a staggering $1.46B theft from one of its Ethereum cold wallets, the largest crypto heist ever, which blockchain analysts link to North Korea's Lazarus Group. A manipulated signing flow disguised the attack as a routine transfer. Users, keep your assets safe and demand transparency!
Key takeaways:
💰 Historic Theft: Bybit lost $1.46 billion in Ethereum from a cold wallet, marking the biggest crypto heist ever, outstripping past breaches like Ronin Network’s $624M loss.
🕵️‍♂️ Sophisticated Hack: During a routine transfer out of the cold wallet, the attackers manipulated what the wallet's signers saw, so the transaction they approved changed the wallet's smart contract logic instead. That handed the attackers control of the wallet and let them drain it before anyone noticed.
😈 Lazarus Link: Blockchain experts tie the attack to North Korea’s Lazarus Group, a prolific cybercrime outfit behind billions in crypto thefts fueled by state-sponsored motives.
🛡️ Bybit’s Response: CEO Ben Zhou assures users other wallets are safe, operations continue, and authorities are involved, but the breach shakes trust in exchange security.
Phishing Emails Exploit PayPal’s New Address Feature
Scammers are hijacking PayPal’s “Add a New Address” feature to send phishing emails that trick users into sharing sensitive info. Verify emails directly with PayPal, and stay cautious!
Key takeaways:
📧 Sneaky Scam: Cybercriminals are abusing PayPal’s new address feature to send fake emails that look legit, urging users to confirm details or log in.
🎣 Phishing Goal: These emails lead to fraudulent sites that steal login credentials, payment info, or personal data from unsuspecting victims.
🕵️‍♂️ Realistic Ploy: The emails are genuine PayPal notifications. The scammer pastes the phishing text into the address field of a new PayPal account, and PayPal's own servers send the confirmation, so the message carries real PayPal branding, comes from PayPal's domain and passes sender authentication checks, which makes it hard to spot as a scam.
🛡️ Stay Safe: Users should avoid clicking links in unsolicited emails and check their PayPal account directly for any address updates or alerts.
CISA Flags Two Actively Exploited Flaws in Adobe and Oracle Products
CISA warns of two exploited flaws in Adobe ColdFusion and Oracle Agile PLM—patches are out, but federal agencies have until March 17 to secure their networks. Act fast to block these vulnerabilities before attackers strike!
Key takeaways:
🚨 Urgent Alert: CISA added two bugs—CVE-2017-3066 (Adobe ColdFusion) and CVE-2024-20953 (Oracle Agile PLM)—to its Known Exploited Vulnerabilities list due to active exploitation.
💻 Vulnerability Details: Both are deserialization flaws. The Adobe ColdFusion bug allows remote code execution, and the Oracle Agile PLM bug lets a low-privileged attacker with network access take over the application; either one risks data theft or full system compromise.
⏰ Deadline Set: Federal agencies must patch by March 17, 2025, though no public exploit details are out yet—proactive updates are critical for all users.
🔍 Wider Threats: GreyNoise spotted unrelated Cisco exploits tied to the Salt Typhoon group, hinting at broader telecom-targeted campaigns by state actors.
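As an added example (not from the newsletter or from CISA), the script below shows how a team can cross-check its own list of unpatched CVEs against the KEV catalog and rank the hits by remediation deadline. The two feed records and the host inventory are constructed for the example, following the real catalog's field names and the identifiers and March 17 deadline reported above; in practice you would download the live JSON from CISA.

```python
"""Cross-check an inventory of unpatched CVEs against CISA's KEV catalog.

The two KEV records below are constructed for this example, using the field names
of the real catalog (cveID, vendorProject, product, dateAdded, dueDate) together
with the identifiers and deadline reported in the story above. The host inventory
is constructed too. In production, replace KEV_SAMPLE with the live feed from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2017-3066",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "dateAdded": "2025-02-24",
            "dueDate": "2025-03-17",
        },
        {
            "cveID": "CVE-2024-20953",
            "vendorProject": "Oracle",
            "product": "Agile PLM",
            "dateAdded": "2025-02-24",
            "dueDate": "2025-03-17",
        },
    ],
})

# Constructed inventory: host -> CVEs your scanner still reports as unpatched.
INVENTORY = {
    "cf-prod-01": ["CVE-2017-3066", "CVE-2023-26360"],
    "plm-app-02": ["CVE-2024-20953"],
    "web-edge-03": ["CVE-2022-22965"],
}


def load_kev(feed_text):
    """Index the KEV feed by CVE ID so each lookup is a dict hit."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def kev_exposure(inventory, kev, today):
    """Return (host, cve, product, days_until_due) for each inventory CVE in KEV.

    `today` is an ISO date string. A negative days_until_due means the CISA
    remediation deadline has already passed. Results come most urgent first.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # unpatched but not known-exploited: lower priority
            due = date.fromisoformat(entry["dueDate"])
            product = f'{entry["vendorProject"]} {entry["product"]}'
            findings.append((host, cve, product, (due - today_d).days))
    findings.sort(key=lambda f: (f[3], f[0]))
    return findings


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for host, cve, product, days in kev_exposure(INVENTORY, kev, "2025-03-01"):
        status = f"OVERDUE by {-days} days" if days < 0 else f"{days} days left"
        print(f"{host:12} {cve:16} {product:20} {status}")
```

The KEV due date is a federal mandate, but it doubles as a sensible SLA for everyone else: anything in the catalog has been exploited in the wild, so "unpatched and in KEV" should sort to the top of the remediation queue regardless of CVSS.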
VSCode Extensions with 9 Million Installs Removed Due to Hidden Security Threats
After researchers found malicious code lurking inside, Microsoft yanked two VSCode extensions with nearly 9M installs from the Marketplace. Once trusted by millions, the Material Theme extensions now serve as a reminder to double-check your dev tools!
Key takeaways:
🕵️‍♂️ Malware Detected: Two popular VSCode extensions, "Material Theme – Free" and "Material Theme Icons – Free," with almost 9 million downloads between them, were pulled after cyber security researchers flagged obfuscated code in them that Microsoft judged malicious.
🔍 Compromise Suspected: The developer points to a compromised Sanity dependency as the likely source, while others suspect a hijacked publisher account. Either way, the tainted update passed the Marketplace's initial checks and was only caught later by dedicated scanners.
🚫 Swift Removal: Microsoft acted fast, disabling the extensions in VSCode and banning the developer, Mattia Astorino, from the Marketplace, though users are frustrated by the sudden disruption.
💻 Widespread Impact: With over 13 million total installs across Astorino’s extensions, the incident highlights the risks in open-source tools trusted by developers worldwide.
🛡️ Stay Vigilant: Devs should audit the extensions installed in their editors, remove anything they no longer trust, and keep their tools patched to avoid a nasty surprise!
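To go with that advice, here is an added example (not code from the newsletter, Microsoft or the extension author) that inventories the extensions installed under ~/.vscode/extensions by reading each one's package.json manifest and flags any whose publisher.name identifier is on a blocklist; it also marks extensions that activate on every editor start. The blocklist identifiers are assumed rather than copied from the Marketplace, and the sample install tree the script builds for itself is constructed test data.

```python
"""Inventory installed VS Code extensions and flag blocklisted ones.

Added example, not code from the newsletter, Microsoft or the extension author.
VS Code stores each installed extension as "<publisher>.<name>-<version>/" under
~/.vscode/extensions, with the extension's package.json manifest inside; this
script reads those manifests. The blocklist identifiers are assumptions for
illustration (confirm them against the Marketplace listing in the advisory you
are acting on) and build_sample_tree() creates constructed test data.
"""
import json
import tempfile
from pathlib import Path

# Assumed lower-case "publisher.name" identifiers for the two pulled themes.
BLOCKLIST = {
    "equinusocio.vsc-material-theme",
    "equinusocio.vsc-material-theme-icons",
}


def list_extensions(root):
    """Return one record per extension folder under root that has a readable manifest."""
    records = []
    for entry in sorted(Path(root).iterdir()):
        manifest = entry / "package.json"
        if not entry.is_dir() or not manifest.is_file():
            continue
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skipped here, worth reporting in practice
        publisher = str(pkg.get("publisher", "")).lower()
        name = str(pkg.get("name", "")).lower()
        records.append({
            "id": f"{publisher}.{name}",
            "version": str(pkg.get("version", "?")),
            "path": str(entry),
            # "*" means the extension runs on every VS Code start, whatever you open.
            "always_on": "*" in (pkg.get("activationEvents") or []),
        })
    return records


def audit(root, blocklist=BLOCKLIST):
    """Return (flagged, all_extensions); flagged are those whose id is on the blocklist."""
    exts = list_extensions(root)
    flagged = [e for e in exts if e["id"] in blocklist]
    return flagged, exts


def build_sample_tree(base):
    """Constructed sample install: one blocklisted theme and one benign extension."""
    sample = {
        "equinusocio.vsc-material-theme-2.1.0": {
            "publisher": "Equinusocio", "name": "vsc-material-theme",
            "version": "2.1.0", "activationEvents": ["*"],
        },
        "ms-python.python-2025.0.0": {
            "publisher": "ms-python", "name": "python",
            "version": "2025.0.0", "activationEvents": ["onLanguage:python"],
        },
    }
    for folder, manifest in sample.items():
        ext_dir = Path(base) / folder
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(base)


def demo():
    """Audit the constructed sample; returns (flagged ids, total count, always-on ids)."""
    with tempfile.TemporaryDirectory() as tmp:
        flagged, exts = audit(build_sample_tree(tmp))
        return ([e["id"] for e in flagged], len(exts),
                [e["id"] for e in exts if e["always_on"]])


if __name__ == "__main__":
    root = Path.home() / ".vscode" / "extensions"
    if root.is_dir():
        flagged, exts = audit(root)
        print(f"{len(exts)} extensions installed under {root}")
        for e in exts:
            mark = "BLOCKLISTED" if e in flagged else ("always-on" if e["always_on"] else "")
            print(f"{e['id']:45} {e['version']:12} {mark}")
    else:
        print("No VS Code extension folder found; result on constructed sample:", demo())
```

`code --list-extensions --show-versions` gives the same inventory from the CLI; the advantage of reading the manifests directly is that it works on a machine where the editor is not on PATH and can be pointed at any extension directory, such as a Remote-SSH server's ~/.vscode-server/extensions.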
Top Tips of the Week

Threat Intelligence
- Feed CTI into your security awareness campaigns. Promote a culture of vigilance and proactive threat awareness throughout the organization.
- Monitor critical infrastructure for threat indicators. Enhance resilience by proactively identifying and mitigating potential risks.
Threat Hunting
- Monitor supply chain risks. Assess and address vulnerabilities to mitigate potential threats.
- Monitor the dark web for potential threats targeting your organization. Gain insights into emerging risks.
- Share threat hunting experiences at industry events. Learn from peers and contribute to the community’s knowledge.
- Conduct threat hunting simulations. Practice scenarios to improve skills and readiness for real-world threats.
Custom Tooling
- Optimize custom tools for usability. Create interfaces that are intuitive, user-friendly, and aligned with user expectations.
Feature Article

Cyber threat intelligence is the latest evolution in traditional intelligence tradecraft and espionage – a discipline dating back to ancient times. To understand how the current threats you face have come to be, you must explore the history of cyber threat intelligence.
This guide aims to give you a quick overview of the significant historical events that led to the formation of cyber threat intelligence in the modern era. It covers the evolution of intelligence from antiquity to the Cold War, how the digital age affected intelligence work, and the current threat landscape.
The guide concludes with a breakdown of the threats dominating modern cyberspace and how cyber threat intelligence is pivotal to combating them. Let’s jump in!
Learning Resources

Automate Your Purple Team
All organizations should perform some level of purple teaming, whether validating security controls or testing processes to keep up with the latest threats.
This excellent presentation from Stephen Sims and Erik Van Buggenhout shows how to integrate continuous integration and continuous deployment (CI/CD) into your purple teaming operations.
It showcases how automation, AI, and breach attack simulation tools can enhance detection capabilities, improve response times, and streamline security operations. A must-watch for any security engineer!
Insights into SOC Metrics
In this podcast episode, Hayden Covington, a security operations expert at Black Hills, discusses key aspects of SOC (Security Operations Center) performance, including the importance of meaningful metrics.
He highlights that alert counts alone can be misleading and stresses the significance of KPIs like SLA adherence, reduced escalations, and strong communication.
The conversation explores the challenges of balancing technical work with training, collaboration, and delivering business value. It includes some great insights into SOC metrics you can use today.
Build a Cyber Security Lab for Free!
This step-by-step tutorial from Hack The Box walks you through creating a fully isolated cyber security lab for malware analysis, digital forensics, and security monitoring using free tools like VMware Workstation Pro, Splunk, and REMnux.
The video explains how to configure virtual machines, set up network segmentation, and install necessary security tools to practice real-world cyber defense scenarios.
This hands-on lab setup is perfect for beginners and seasoned professionals looking to sharpen their skills!
10 Tips for Effective Automation
Automation in Linux environments is essential for scalability and efficiency. This podcast episode from Learn Linux TV explores ten key tips for implementing automation successfully, from using the right tools to common pitfalls.
I am a big fan of automation. It is an essential skill to learn for any cyber security practitioner if you want to 10x your output. This episode will help beginners and experienced administrators refine their automation workflows!