Triage The Week 039 – Kraven Security

Welcome back to Kraven Security’s weekly newsletter, where we triage the week. We’ll recap the week’s biggest news stories, highlight our lead story, give you some educational resources, and wrap up with a few personal notes on what’s happening at the company. Enjoy!


Top 5 News Stories


Linux malware evades detection for 2 years

The sedexp malware has been evading detection since 2022 by leveraging a unique persistence technique using udev rules.

Top 4 key conclusions:

🪲 It adds a udev rule to compromised systems so that the malware executes regularly, triggered by /dev/random, a core system device.
🥷 The malware mimics legitimate processes and uses memory manipulation to hide its presence and inject malicious code.
💳 It has been used in financially motivated attacks, such as hiding credit card scraping code on compromised web servers.
🛡️ Organizations are advised to update detection capabilities and perform in-depth forensic analysis to mitigate such threats.
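The persistence trick above comes down to a udev rule whose action runs a binary whenever a device event fires. As an added example (not code from the page, from Aon, or from the sedexp write-up), the following Python script audits udev rule files for rules that execute a command (RUN+= or PROGRAM=) when the random device is added, or from a path outside the standard udev helper directories. The sample rules are constructed; the assumption that a rule may identify /dev/random by its kernel name or by its major/minor numbers (1/8 on Linux), the trusted-path list and the function names are mine.

```python
import os
import re
from pathlib import Path

# One key/operator/value token of a udev rule line, e.g. ACTION=="add", ENV{MAJOR}=="1" or RUN+="/usr/bin/x"
TOKEN_RE = re.compile(r'([A-Z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"')

# Assumption: /dev/random shows up either as KERNEL=="random" or as character device major 1, minor 8
RANDOM_KERNEL_NAMES = {"random"}
RANDOM_MAJOR_MINOR = ("1", "8")

# Assumption: distro udev helpers normally live under these prefixes; anything else deserves a look
TRUSTED_PREFIXES = ("/usr/lib/udev/", "/lib/udev/", "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}

# Directories where udev reads *.rules files on most distributions
RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d", "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

# Constructed sample: two benign rules and one that runs a hidden binary when the random device appears
SAMPLE_RULES = """\
# constructed benign rule: hand a serial device to a group
KERNEL=="ttyUSB[0-9]*", GROUP="dialout", MODE="0660"
# constructed benign rule: distro helper invoked from the standard udev directory
ACTION=="add", SUBSYSTEM=="net", RUN+="/usr/lib/udev/net-helper"
# constructed suspicious rule: fires on major 1 / minor 8 (the random device) and runs a binary from /dev/shm
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/dev/shm/.cache/updater run"
"""


def parse_rule(line):
    """Split one rule line into (key, attribute, operator, value) tokens."""
    return TOKEN_RE.findall(line)


def assess_rule(line):
    """Return the reasons a single rule line looks suspicious (empty list if it looks benign)."""
    tokens = parse_rule(line)
    reasons = []
    commands = [v for k, _, _, v in tokens if k in ("RUN", "PROGRAM")]
    if not commands:
        return reasons  # rules that only set ownership, mode or symlinks execute nothing

    kernels = {v for k, _, op, v in tokens if k == "KERNEL" and op == "=="}
    env = {a: v for k, a, op, v in tokens if k == "ENV" and op == "=="}
    if kernels & RANDOM_KERNEL_NAMES or (env.get("MAJOR"), env.get("MINOR")) == RANDOM_MAJOR_MINOR:
        reasons.append("executes a command when the random device is added")

    for cmd in commands:
        parts = cmd.split()
        exe = parts[0] if parts else ""
        if exe and not exe.startswith(TRUSTED_PREFIXES):
            reasons.append(f"RUN/PROGRAM executable outside trusted udev directories: {exe}")
        if os.path.basename(exe) in INTERPRETERS:
            reasons.append(f"RUN/PROGRAM invokes an interpreter: {exe}")
    return reasons


def audit_rules_text(text):
    """Audit the contents of one rules file; return [(line_number, line, reasons), ...] for hits only."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = assess_rule(line)
        if reasons:
            findings.append((number, line, reasons))
    return findings


def audit_rules_dirs(dirs=RULE_DIRS):
    """Walk the usual udev rule directories and return {path: findings} for files with hits."""
    report = {}
    for directory in dirs:
        for path in sorted(Path(directory).glob("*.rules")) if Path(directory).is_dir() else []:
            hits = audit_rules_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for number, line, reasons in audit_rules_text(SAMPLE_RULES):
        print(f"sample line {number}: {line}")
        for reason in reasons:
            print(f"    - {reason}")
    for path, hits in audit_rules_dirs().items():
        for number, line, reasons in hits:
            print(f"{path}:{number}: {line}\n    - " + "\n    - ".join(reasons))
```

Run it as root on a host to be checked; hits on the live rule directories are leads for the in-depth forensic review the write-up recommends, not verdicts, since some vendor packages do ship rules that run helpers from unusual paths.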

AON

Telegram founder Pavel Durov arrested in France

Pavel Durov, founder and CEO of Telegram, was arrested in France over content moderation mistakes on the platform.

Top 4 key conclusions:

⚠️ Authorities are concerned about Telegram’s lack of moderation, which has reportedly turned the site into a hub for criminal activities such as drug trafficking, money laundering and terrorism.
🧑‍⚖️ Telegram claims it complies with EU law and believes it is unfair to blame the platform or its owner for abuse.
👮 This arrest is aimed at disrupting criminal activities on Telegram and putting pressure on European countries to cooperate on security.
👥 Telegram had over 950 million monthly active users (as of July 2024).

TF1 information

Microsoft Sway targeted by QR code phishing campaign

A new phishing campaign is using Microsoft Sway to host fake pages and steal credentials. The campaign is targeting users in Asia and North America.

Top 4 key conclusions:

📈 In July 2024, there was a 2,000-fold increase in phishing pages using Microsoft Sway. These pages primarily targeted MS Office credentials via QR codes.

⚡️ The campaign uses QR codes and adversary-in-the-middle (AitM) phishing tactics to bypass security measures and collect credentials. The attackers also used transparent phishing and Cloudflare Turnstile to evade security controls and hide phishing payloads.

🥷 QR codes embedded in images can bypass email scanners, and mobile devices often have weaker security measures. Attackers are now using Unicode text characters to create QR codes, making detection even harder.

🛡️ Organizations should update their security policies and be careful with the new domain format for Microsoft Sway pages to avoid falling victim to these types of attacks.

Netskope

PoorTry Windows Driver Evolves to EDR Wiper

The PoorTry kernel-mode driver for Windows, used by ransomware gangs, has evolved from disabling Endpoint Detection and Response (EDR) solutions to wiping them, making recovery more difficult.

Top 5 key conclusions:

🪲 PoorTry is a malicious kernel driver used to disable endpoint protection software, often in conjunction with ransomware attacks. It has evolved significantly over time.

😈 Attackers are exploiting holes in Microsoft’s driver signing process and using stolen or leaked certificates to sign malicious drivers.

📈 This shift represents a more aggressive approach by ransomware actors, ensuring better outcomes in the encryption phase by leaving systems unprotected.

🥷 PoorTry uses advanced techniques such as obfuscation, signature timestamp manipulation, and “certificate roulette” to evade detection.

😰 Despite efforts to track and stop PoorTry, developers continue to adapt, posing significant challenges for defenders.

Sophos

Iranian hacker group creates backdoors in government networks using new Tickler malware

Iranian hacker group APT33 (Peach Sandstorm) has deployed the new Tickler malware to backdoor networks in the government, defense, satellite, and oil and gas sectors in the US and the UAE.

Top 4 key conclusions:

📅 Between April and July 2024, Microsoft observed the Iranian state-sponsored group Peach Sandstorm deploy a new multi-stage backdoor called Tickler.

⚡️ They used password spray attacks and social engineering via LinkedIn to gain access, then leveraged compromised Azure infrastructure for command-and-control operations.

🏭 The attacks targeted the satellite, communications, oil and gas, and government sectors in the US and UAE.

🔒 Starting October 15, Microsoft is making multi-factor authentication (MFA) mandatory for all Azure logins to improve security.

Microsoft Security


Top tips of the week


Threat Intelligence

  • Participate in threat intelligence forums. Join discussions to share insights and learn from others in the field.
  • Use CTI in security architecture design. Develop robust architectures that leverage threat intelligence for effective defenses.
  • Use CTI to inform threat modeling efforts. Identify potential threats and vulnerabilities during the development phase for proactive security measures.
  • Create a threat intelligence roadmap. Define objectives, processes and milestones for a strategic and effective intelligence program.

Threat Hunting

  • Implement threat intelligence into your cyber threat hunting workflow. Enhance detection capabilities with real-time threat data.
  • Leverage threat intelligence in cloud security to hunt cyber threats. Adapt your strategies to the unique challenges of cloud environments.

Custom tools

  • Implement secure update mechanisms for custom tools. Ensure a secure and seamless process for deploying updates and patches.

Main article

Cyber Threat Intelligence Report Template

A cyber threat intelligence report template enables you and your team to create structured, standardized, consistent intelligence reports for your organization. Templates save valuable time and effort by reducing the burden that disseminating intelligence places on your CTI team.

It is essential that your CTI team has a standard template for sharing the information you produce.

To help you, we’ve created a comprehensive cyber threat intelligence report template that you can use today! It includes everything you need to effectively share intelligence with your organization and report a cyber threat. Feel free to customize it to your organization’s needs.

Read now


Teaching materials


Edit video faster

I always preach that content creation is the ultimate learning tool. Make a video about a topic and you will learn 10x more about that topic!

This video covers various tips and tricks for quick editing in DaVinci Resolve, so you can make more videos about the things you want to learn. It includes practical advice on using text, dynamic zooms, keyboard shortcuts, and staying organized with bins and smart bins.

Can you trust tech influencers?

There are influential people in technology and cybersecurity everywhere, but should you really listen to them?

This video discusses the role and credibility of tech influencers, specifically in the development community. It explores the concept of “celebrity developers,” their impact, and the potential pros and cons of their influence. It’s easy to draw parallels with cybersecurity influencers and the effect they have on the industry.

The Pay What You Can training is back!

The legendary John Strand is back to deliver Antisyphon’s Pay What You Can cyber security training. This time he’s covering the core skills needed to work in a Security Operations Center (SOC).

These lectures emphasize practical skills over theoretical knowledge, with a focus on essential areas such as networking, operating systems, and incident response. The course is designed to be accessible, with free virtual labs and resources to help students practice and improve their skills.

Strong passwords are important!

This video discusses the importance of strong, unique passwords and the risks of password leaks.

The great Gary Ruddell shows how to use a tool called Flare to check if passwords have been compromised. He also highlights the benefits of using password managers and multi-factor authentication for better security.


Personal notes


🤔 Templates, templates, templates! This week was another one to build templates to get your cyber threat intelligence (CTI) processes going.

On Monday we released our CTI Report Template. It contains everything you need to effectively share intelligence with your organization and report a cyber threat. We’ve made it available as a Word document (so you can use it right away) and as a PDF (so you can see what the finished intelligence product might look like). If you haven’t done it yet, check it out, customize it, and tailor it to your organization’s needs!

This week we built templates for your organization’s Intelligence Requirements document and the CTI team’s Collection Management Framework. These are two key pillars of any successful CTI program, so having a template that comprehensively covers everything that should be in there is incredibly valuable.

We hope to share each template with you in the coming weeks!
