Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories

MITRE Warns of CVE Program Disruption as DHS Contract Nears Expiration
MITRE alerts that its CVE program, critical for global cyber security, faces disruption as its DHS contract expires on April 16, 2025. The lapse could degrade vulnerability tracking, impacting national databases, incident response, and critical infrastructure.
Key takeaways:
📉 Funding Crisis: MITRE’s contract with the U.S. Department of Homeland Security (DHS) to operate the Common Vulnerabilities and Exposures (CVE) program expires on April 16, 2025, with no renewal confirmed, halting new CVE assignments and risking the program’s website shutdown.
🌐 Global Impact: The CVE program, a 25-year cornerstone of cybersecurity, standardizes vulnerability identification for vendors, governments, and critical infrastructure; its disruption could degrade national vulnerability databases and slow incident response.
🛡️ Industry Alarm: Experts like Casey Ellis of Bugcrowd warn that losing CVE could create a “national security problem,” as it underpins vulnerability management and critical infrastructure protection.
🔄 Mitigation Efforts: CISA is “urgently working” to maintain CVE services, while VulnCheck has reserved 1,000 CVEs for 2025 to temporarily sustain assignments; historical records will remain on GitHub.
Microsoft Defender’s New Feature Isolates Undiscovered Endpoints to Stop Cyberattacks
Microsoft Defender for Endpoint now blocks traffic from undiscovered devices to halt attackers’ lateral movement. The Contain IP policy enhances network security by automatically isolating unmanaged endpoints.
Key takeaways:
🛡️ Automatic Containment: Defender for Endpoint’s new Contain IP policy blocks malicious IP addresses linked to undiscovered or un-onboarded devices, preventing attackers from moving laterally across networks.
🔍 Attack Disruption: The system identifies and isolates critical assets, applying tailored policies to stop threats like ransomware, building on capabilities introduced in June 2022.
🌐 Network Protection: Since 2022, Defender has isolated compromised Windows devices and user accounts. This update extends protection to unmanaged endpoints for broader coverage.
Slow Pisces Deploys Custom Python Malware in Coding Challenge Scam Targeting Crypto Developers
North Korea’s Slow Pisces lures crypto developers with fake job offers and malicious coding challenges, deploying RN Loader and RN Stealer malware. Unit 42 reports the group stole over $1B from the crypto sector in 2023, exploiting LinkedIn and GitHub.
Key takeaways:
🎣 Social Engineering Scam: Slow Pisces, a North Korean state-sponsored group, impersonates recruiters on LinkedIn, sending crypto developers malicious coding challenges disguised as job tasks and infecting systems with RN Loader and RN Stealer.
🦠 Custom Malware: The malware, hidden in compromised GitHub repositories, uses YAML deserialization to execute payloads, evading detection by avoiding suspicious Python functions like eval or exec.
💰 Massive Heists: Linked to thefts of $308M from Bitcoin.DMM.com and $1.5B from a Dubai exchange, Slow Pisces targets the crypto sector with precise, controlled attacks to maximize financial gain.
🛡️ Shared Intelligence: Palo Alto Networks’ Unit 42 collaborated with GitHub and LinkedIn to dismantle malicious accounts and repositories, urging developers to verify job offers and scan repositories for threats.
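The YAML deserialization trick above works only because a permissive loader will instantiate Python objects from Python-specific tags; a developer scanning a repository before running a "coding challenge" can catch those tags before anything is loaded. The scanner below is an added example, not Unit 42's, GitHub's or the malware's code, and the YAML documents and the generic tag in them are constructed for illustration:

```python
"""Pre-load scan of YAML for Python-specific deserialization tags.

Added example; not Unit 42's, GitHub's or any project's code. Only the
tag:yaml.org,2002:python/... family of tags (spelled !!python/... in short
form) lets a YAML document instantiate Python objects when loaded with a
permissive loader, and a benign configuration file never needs them. The
YAML documents below are constructed for the example.
"""
import re

# Short form (!!python/...) and the verbatim form (!<tag:yaml.org,2002:python/...>).
PYTHON_TAG = re.compile(r"!!python/[^\s\]\},]+|!<tag:yaml\.org,2002:python/[^>]+>")

BENIGN_YAML = """\
# constructed sample: ordinary project configuration
name: coding-challenge
version: 1.2.0
dependencies:
  - requests
  - pyyaml
settings:
  debug: false
  timeout_seconds: 30
"""

SUSPICIOUS_YAML = """\
# constructed sample: a config value that instantiates a Python object on load
name: coding-challenge
settings: !!python/object:some.module.SomeClass
  state: opaque
"""


def find_python_tags(yaml_text):
    """Return [(line_number, tag)] for every Python-specific tag in the text."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        for match in PYTHON_TAG.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


def is_safe_to_load(yaml_text):
    """True when the document carries no Python-specific tags.

    A clean document should still be parsed with yaml.safe_load, which refuses
    these tags anyway; this check exists for code review and repository scans,
    where nothing is being loaded at all."""
    return not find_python_tags(yaml_text)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_YAML), ("suspicious", SUSPICIOUS_YAML)):
        print(label, "safe" if is_safe_to_load(doc) else find_python_tags(doc))
```

The scan is textual on purpose: it runs without PyYAML installed and without parsing, so it can be dropped into a pre-commit hook or a CI step that checks every `.yml` file in a cloned repository. It will also flag a tag that only appears inside a YAML comment, which for a review tool is the preferable failure.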
Over 16,000 Fortinet Devices Hit by Symlink Backdoor, Retaining Hacker Access Post-Patch
Shadowserver reports that over 16,000 Fortinet devices are compromised with a symlink backdoor, allowing hackers read-only access even after patches. Fortinet urges upgrading to FortiOS 7.6.2 or later to remove the threat and secure configurations.
Key takeaways:
🔍 Mass Compromise: The Shadowserver Foundation detected 16,620 Fortinet devices with a symlink backdoor, up from 14,000. This backdoor grants attackers persistent read-only access to sensitive files like configurations.
🦠 Exploit Origins: The backdoor, linked to 2023-2024 attacks exploiting vulnerabilities like CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, connects user and root filesystems via a malicious symlink in the SSL-VPN language folder.
🛡️ Fortinet’s Fix: FortiOS updates (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) include antivirus signatures to remove the symlink. Fortinet notifies affected customers to upgrade and reset credentials.
🌐 Geographic Spread: Nearly 7,000 compromised devices are in Asia (the U.S., Japan, Taiwan, and China leading), with 3,500 in Europe and 2,600 in North America, per Shadowserver scans.
⚠️ Mitigation Urgency: CISA and CERT-NZ advise disabling SSL-VPNs until patched, as the backdoor may expose credentials and key material, posing risks to unpatched systems.
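The backdoor above is, at bottom, a symlink inside a web-served folder that points at the root filesystem, so a general-purpose check is to walk a served tree and report any symlink whose resolved target lies outside it. The script below is an added example, not Fortinet's or Shadowserver's code; the directory layout it audits is constructed in a temporary directory rather than taken from FortiOS:

```python
"""Audit a served directory for symlinks that escape it.

Added example; not Fortinet's or Shadowserver's code. The check walks a tree
without following links, resolves every symlink it meets, and reports any
whose target is not inside the tree itself. The sample tree (one benign
in-tree alias, one link escaping to a sibling "etc" folder) is constructed
in a temporary directory for the example.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root):
    """Return [(link_path, resolved_target)] for every symlink under *root*
    whose resolved target is not itself inside *root*."""
    root = os.path.realpath(root)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolves chained links as well
            if os.path.commonpath([root, target]) != root:
                findings.append((Path(link), Path(target)))
    return findings


def build_sample_tree():
    """Construct a served/ folder with one benign and one escaping symlink."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    served = base / "served"
    (served / "lang").mkdir(parents=True)
    (served / "lang" / "en.json").write_text("{}")
    # benign: an alias that stays inside the served tree
    os.symlink(served / "lang" / "en.json", served / "lang" / "default.json")
    # outside the served tree: stands in for sensitive configuration files
    outside = base / "etc"
    outside.mkdir()
    (outside / "config.conf").write_text("constructed sample config\n")
    # suspicious: a link inside the served folder that points outside of it
    os.symlink(outside, served / "lang" / "fs")
    return served


if __name__ == "__main__":
    served = build_sample_tree()
    for link, target in find_escaping_symlinks(served):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Point `find_escaping_symlinks` at any directory a web server or VPN portal exposes; because both sides are passed through `realpath`, a link that reaches outside via a chain of other links or `..` components is still caught.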
Four New Windows Task Scheduler Flaws Enable Privilege Escalation and Log Tampering
Cyber security experts found four Windows Task Scheduler vulnerabilities, allowing attackers to bypass UAC, gain SYSTEM access, and erase logs to hide malicious activity. Microsoft has not yet patched these flaws, raising concerns for Windows users.
Key takeaways:
🔓 UAC Bypass: A flaw in “schtasks.exe” lets low-privileged users bypass User Account Control, executing SYSTEM-level commands without approval by impersonating privileged groups like Administrators.
📝 Log Tampering: Two defense evasion techniques allow attackers to overwrite Task Event Logs and flood Security Logs, erasing audit trails using oversized XML task descriptions.
🚨 Unpatched Risk: Discovered by Cymulate’s Ruben Enkaoua, these vulnerabilities remain unaddressed by Microsoft, posing risks of privilege escalation and covert attacks on Windows systems.
🔧 Task Scheduler Flaws: The issues stem from Task Scheduler’s handling of privileges, process integrity, and user impersonation, making it a prime target for exploitation via CLI flags like /ru and /rp.
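The two log-tampering techniques above depend on task definitions carrying oversized XML descriptions, which gives defenders a simple thing to look for in exported task XML. The check below is an added example, not Cymulate's or Microsoft's code; the two task definitions and the size threshold are constructed and assumed for the example:

```python
"""Flag scheduled-task definitions that carry oversized text fields.

Added example; not Cymulate's or Microsoft's code. Every text field in a
task definition is measured and any field over the threshold is reported.
The two task definitions and the threshold are constructed/assumed for the
example; the element namespace is the one used by Windows task XML.
"""
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
MAX_FIELD_BYTES = 1024  # assumed threshold; set it from your own task baseline

# Constructed sample: an ordinary task definition.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Nightly backup of user profile</Description>
    <Author>CORP\\svc_backup</Author>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>CORP\\svc_backup</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>backup.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: the same task with a 5000-character description.
SUSPICIOUS_TASK = BENIGN_TASK.replace("Nightly backup of user profile", "A" * 5000)


def oversized_fields(task_xml, limit=MAX_FIELD_BYTES):
    """Return [(element_name, char_count)] for text fields over *limit* bytes.

    Sizes are measured as UTF-16, the encoding task XML is exported in, so
    the byte count reflects what the task actually occupies on disk."""
    root = ET.fromstring(task_xml)
    hits = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if len(text.encode("utf-16-le")) > limit:
            hits.append((elem.tag.replace(TASK_NS, ""), len(text)))
    return hits


def audit_tasks(tasks):
    """Run the check over {task_name: xml} and keep only tasks with findings."""
    return {name: hits for name, xml in tasks.items() if (hits := oversized_fields(xml))}


if __name__ == "__main__":
    report = audit_tasks({"nightly-backup": BENIGN_TASK, "odd-task": SUSPICIOUS_TASK})
    for name, hits in report.items():
        print(name, hits)
```

Feed it the XML exported per task with `schtasks /query /xml` (or read from the Tasks folder), and baseline the threshold against your own fleet first: legitimate descriptions are a sentence or two, so a field of several kilobytes stands out without any signature for the specific flaw.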
Top Tips of the Week

Threat Intelligence
- Educate end-users on CTI relevance. Enhance organizational security by fostering a culture of threat awareness.
- Leverage diverse sources for threat intelligence. A wide range of inputs provides a more comprehensive understanding of the threat landscape.
Custom Tooling
- Prioritize security in custom tool development. Ensure compliance with industry standards to minimize vulnerabilities.
- Optimize custom tools for performance. Regularly assess and refine code to ensure efficient operation.
- Regularly update and patch custom tools. Stay vigilant against potential vulnerabilities and ensure ongoing reliability.
- Create custom tools with flexibility in mind. Anticipate future changes and design tools that can adapt to evolving requirements.
- Consider the long-term maintenance of custom tools. Design with scalability and future updates in mind.
Feature Article

How does your business prepare to enter a new market or do business in a different geography? Does it consider the cyber element, the risks involved, and how you can manage them? You should! You should use Intelligence Preparation of the Cyber Environment (IPCE).
IPCE is a methodology for evaluating the risks present in your business’s cyber environment. It empowers you to analyze everything from environmental factors like technological trends to threat actors who will target you. This guide will teach you how to perform IPCE in four simple steps, along with PESTLE analysis to assess the macro-environmental factors that could impact you.
Let’s start by defining IPCE and PESTLE so you can use them to operationalize cyber threat intelligence, manage risks, and even generate intelligence requirements!
Learning Resources

Creating Priority Intelligence Requirements on a Budget
Priority intelligence requirements (PIRs) are your mission-critical intelligence requirements that your cyber threat intelligence (CTI) team must fulfill. Unfortunately, creating PIRs can be very challenging!
Worry not. This insightful talk shows you how to create PIRs even when budget and resource constraints are a concern.
The approach discussed centers on conducting stakeholder interviews to deeply understand organizational needs and improve CTI output using a 90-day roadmap. Your first 30 days focus on setting up the PIR collection project. The following 30 days involve running the PIR process with a single stakeholder to identify inefficiencies early and avoid credibility risks. Finally, the last 30 days include collecting feedback, expanding PIR outreach, and scaling your approach across the business.
A great presentation that provides practical tools like email templates, interview questions, and tracking sheets to simplify the adoption of PIRs on a budget.
Pivoting 101
Pivoting is a skill all cyber security analysts must master!
This sharp, research-driven talk by the legendary Joe Slowik explores this fundamental concept and advocates for its transition from an intuitive art to a replicable science. He challenges analysts to view IOCs as composite objects built of interconnected data points that provide behavioral insight into adversary tactics.
This shift enables defenders to go beyond reactionary threat detection and proactively anticipate and identify malicious infrastructure or tools. The next step is building a rigorous, repeatable system that allows your cyber team to conduct this pivoting at scale.
A great talk that provides actionable guidance on moving from IOC-based hunting to focusing on adversary behavior!
Dive into the Mind of a Threat Hunter
Threat hunting is the cool and sexy thing all blue teamers aspire to do. In this compelling talk, Chris Sanders dives into the cognitive foundations of threat hunting and presents a structured, data-driven method to elevate it from an intuitive craft to a scientific discipline.
He opens with a case study comparing two equally experienced analysts whose performance diverged dramatically, attributing the difference to cognitive traits: curiosity and metacognition. Sanders argues that cyber security is in a “cognitive crisis,” marked by a skills shortage, unreliable information sources, and the inability to tackle systemic threats.
It’s now time for analysts to follow the “universal investigation process”, which follows the scientific method, using reflective thinking and hypothesis-driven inquiry to draw conclusions about cyber incidents.
A great, research-driven talk that can help elevate the investigatory capabilities of any cyber security analyst!
A Maturity Model for CTI
Maturity models are used throughout industry to measure the capabilities of business units and create a roadmap to improve those capabilities. Cyber security is no exception, and cyber threat intelligence (CTI) is beginning to catch up with initiatives like CTI-CMM.
This presentation presents a custom-built maturity model for CTI teams, offering a framework that balances theory with practical implementation. Rooted in personal experience building CTI programs, the model addresses common challenges such as chaotic growth, stakeholder misalignment, and the myth that sheer longevity equals maturity.
The speaker emphasizes that true CTI maturity requires structured planning, stakeholder dialogue, technology integration, and performance measurement rather than relying solely on analyst expertise or tool acquisition. The model lays out over 230 actionable controls across strategic, operational, and tactical levels that guide users through self-assessment and goal setting.
It is a fantastic presentation that tackles an area often neglected by CTI teams.