PinnacleOne ExecBrief | Nation-State Targeting of Enterprise Cloud

Key Takeaways

  • The Russian Foreign Intelligence Service (SVR) continues to intensively exploit its breach of Microsoft, leveraging access to source code, internal systems, and sensitive data including Microsoft executives’ emails and customer secrets. This poses severe risks to organizations using Microsoft’s products and services.
  • Microsoft’s communications have been minimal and inadequate, likely because it lacks a full understanding of the implications of its breach.
  • The SVR is actively exploiting stolen information (at an increased scale via password sprays) to target enterprise cloud customers in government and industry for further compromise.
  • This is the latest in a string of breaches against Microsoft by nation-state threat actors, including China, highlighting systemic weaknesses in Microsoft’s security posture and customer protections.
  • Immediate actions by MS customers are needed, including enforcing MFA, auditing for suspicious activity, disabling unused accounts and devices, and considering third-party security capabilities.

Microsoft’s Security and Public Communications Failures

Microsoft’s recent disclosure of additional information on the Russian SVR breach, three months after it began, raises acute concerns about the scale and scope of the incident. In an SEC filing and blog post, Microsoft shared that the SVR gained access to source code repositories, internal systems, and sensitive data including executive emails. However, key questions remain unanswered:

  1. What source code was accessed and was it modified to introduce supply chain vulnerabilities?
  2. What customer secrets were exposed and how is Microsoft notifying impacted organizations?
  3. How did the SVR pivot from breaching an unused test tenant to accessing executive emails and critical internal systems?
  4. Does Microsoft have full confidence the SVR has been completely evicted from its networks?

Microsoft’s lack of transparency leaves customers unable to accurately assess risks to their own organizations from this incident. Microsoft has so far communicated the bare minimum required by law. The paucity of details suggests Microsoft does not have a good handle on the situation and likely cannot answer fundamental questions about the impact of the breach.

This fits a troubling pattern – in 2023, Chinese state-sponsored hackers breached Microsoft email servers and used that access to steal sensitive data from U.S. government agencies. Just as with the SVR incident, Microsoft said very little, leaving customers frustrated and concerned.

Experts have been sounding alarm bells about Microsoft’s security weaknesses for some time. The company is a huge target for nation-state attackers, yet struggles with fundamental security hygiene like enforcing multi-factor authentication and network segmentation. Microsoft’s authentication systems seem to be a particular issue. Nation-state actors are exploiting these gaps to clear effect.

Meanwhile, organizations are growing ever-more reliant on Microsoft, trusting the company not just for office software but for mission-critical cloud infrastructure, identity and access management, and security tools. This concentration of risk and responsibility in Microsoft is deeply concerning in light of repeated security failures.

Microsoft’s track record does not inspire confidence in its ability to defend against determined nation-state adversaries, who are now actively targeting Microsoft clients.

Recommendations for Senior Executives

Given the severe risks and Microsoft’s failure to provide sufficient information and assurances, organizations should take immediate defensive actions:

  1. Enforce MFA everywhere, with no exceptions. Credential compromise is the top technique the SVR and other advanced threats use for initial access.
  2. Audit and monitor all user identities and device registrations in Azure AD and M365. Look for any suspicious activity like reactivated dormant accounts or new device registrations. Remove any unused accounts and devices.
  3. Reduce privilege as much as possible. Only grant admin rights where absolutely necessary and avoid standing privileges. Enforce conditional access policies backed by MFA and one-time passwords, and move to a zero trust identity model.
  4. Review all Azure security settings and compare to best practice guides from NSA, CISA, and CIS. Centralize all log and audit data for automated analytics, monitoring, and threat hunting.
  5. Implement email data loss prevention and encryption tools to prevent sensitive data from being exfiltrated via email.
  6. Consider third-party security tools to complement Microsoft’s native capabilities. Having multiple layers of defense from different vendors is prudent.
  7. Update incident response and disaster recovery plans to account for the potential of compromised Microsoft systems being unavailable or untrustworthy. Have fallback crisis communication and collaboration systems in place.
  8. Brief senior leadership and the board on Microsoft risks and your organization’s response plan. Ensure the C-suite understands the potential business impact.
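The password sprays and sign-in auditing in the takeaways and recommendations above are where detection can start. The following is an added example, not Microsoft tooling or anything from this brief: it runs a spray detector over sign-in records constructed to follow the field names of the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode); the thresholds, IP addresses and user names are assumptions.

```python
"""Password-spray detection over Entra ID (Azure AD) sign-in log exports.

Added example, not Microsoft code. SAMPLE_LOG is constructed to follow the
field names of the Microsoft Graph signIn resource; a real run would load an
exported sign-in log in its place.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126          # Entra ID error code: invalid username or password
SUCCESS = 0                   # errorCode 0 means the sign-in succeeded
WINDOW = timedelta(hours=1)   # look-back window per source IP (assumed threshold)
MIN_ACCOUNTS = 5              # distinct accounts one IP must fail against
MAX_PER_ACCOUNT = 2           # sprays keep attempts per account below lockout


def _rec(stamp, user, ip, code):
    """Build one record in the shape of a Graph signIn export."""
    return {"createdDateTime": stamp, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample (RFC 5737 documentation addresses, fictional users):
# 203.0.113.7 tries one password against six accounts and later signs in as
# one of them; 198.51.100.20 is a single user mistyping their own password.
SAMPLE_LOG = json.dumps([
    _rec("2024-03-10T02:00:00Z", "a.lee@example.com", "203.0.113.7", 50126),
    _rec("2024-03-10T02:01:00Z", "b.chen@example.com", "203.0.113.7", 50126),
    _rec("2024-03-10T02:02:00Z", "c.diaz@example.com", "203.0.113.7", 50126),
    _rec("2024-03-10T02:03:00Z", "d.kim@example.com", "203.0.113.7", 50126),
    _rec("2024-03-10T02:04:00Z", "e.novak@example.com", "203.0.113.7", 50126),
    _rec("2024-03-10T02:05:00Z", "f.martin@example.com", "203.0.113.7", 50126),
    _rec("2024-03-10T02:30:00Z", "f.martin@example.com", "203.0.113.7", 0),
    _rec("2024-03-10T02:10:00Z", "g.ortiz@example.com", "198.51.100.20", 50126),
    _rec("2024-03-10T02:11:00Z", "g.ortiz@example.com", "198.51.100.20", 50126),
    _rec("2024-03-10T02:12:00Z", "g.ortiz@example.com", "198.51.100.20", 50126),
    _rec("2024-03-10T02:13:00Z", "g.ortiz@example.com", "198.51.100.20", 0),
])


def parse_signins(raw_json):
    """Flatten a Graph-style sign-in export into time-sorted events."""
    events = []
    for rec in json.loads(raw_json):
        stamp = rec["createdDateTime"].replace("Z", "+00:00")
        events.append({
            "time": datetime.fromisoformat(stamp),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "code": rec["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_sprays(events):
    """Map each spraying source IP to the accounts it targeted and any it got into."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, ip_events in by_ip.items():
        failures = [e for e in ip_events if e["code"] == BAD_PASSWORD]
        for start in failures:
            end = start["time"] + WINDOW
            in_window = [f for f in failures if start["time"] <= f["time"] < end]
            per_account = Counter(f["user"] for f in in_window)
            # Spray signature: many accounts, very few attempts against each.
            if len(per_account) < MIN_ACCOUNTS or max(per_account.values()) > MAX_PER_ACCOUNT:
                continue
            # Any success from the same IP after the spray began is the real alarm.
            compromised = sorted({e["user"] for e in ip_events
                                  if e["code"] == SUCCESS and e["time"] >= start["time"]})
            findings[ip] = {"targets": sorted(per_account), "compromised": compromised}
            break   # one finding per IP is enough to raise the alert
    return findings


def main():
    for ip, detail in find_sprays(parse_signins(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {len(detail['targets'])} accounts targeted, "
              f"successful sign-ins: {detail['compromised'] or 'none'}")


if __name__ == "__main__":
    main()
```

The single-account failures from 198.51.100.20 are left alone, which is what keeps this from paging on ordinary typos; the success from the spraying IP is what should trigger the account review in recommendation 2.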

Conclusion

The SVR breach of Microsoft is a stark reminder of the serious risks posed by sophisticated nation-state adversaries targeting major cloud providers. Over-reliance on any single vendor, even one as prominent as Microsoft, can be catastrophic.

Microsoft’s opacity in its breach disclosure and history of security missteps means customers cannot simply take the company at its word that the situation is under control. Organizations must take proactive steps to mitigate risks and reduce their attack surface as much as possible.

Ultimately, a defense-in-depth approach with multiple layers of security controls and aggressive monitoring for threats is needed to combat determined nation-state actors. Senior leaders must be engaged and willing to make hard choices, including potentially diversifying away from Microsoft where it cannot meet the organization’s security and resilience needs. Failing to act decisively in the wake of this breach would be an abdication of the duty to protect the enterprise.

The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good | Top LockBit Ransomware Admin Charged & Ordered to Pay Restitutions

Russian-Canadian cybercriminal Mikhail Vasiliev has been sentenced to nearly four years in prison for his involvement in the LockBit ransomware operation. Initially arrested in November 2022, Vasiliev has pled guilty to eight charges, including cyber extortion, mischief, and weapons-related allegations.

Court sketch of Mikhail Vasiliev by John Mantha

Within LockBit, Vasiliev held a significant administrative role, participating in numerous high-profile attacks totalling over $100 million in ransom demands, which primarily affected businesses across Canada. Alongside a four-year sentence, he must pay $860,000 in restitution to his Canadian victims and faces extradition to the United States for further charges. American prosecutors have Vasiliev lined up to receive up to five years in a US prison for conspiring to intentionally damage protected computers and transmitting ransom demands.

LockBit, a notorious ransomware-as-a-service (RaaS) operation, has extorted at least $120 million in ransom payments from over 2000 victims in the last 3 years alone. The gang experienced major setbacks just last month, though, when a joint law enforcement operation seized its main infrastructure and arrested key affiliates. While the group quickly resumed operations on new leak sites to maintain activity, analysis suggests that most data leaked post-operation belonged to victims from before the takedown, indicating the threat group’s struggle to regain momentum.

Currently, the Department of State is offering rewards up to $15 million for information that could lead to the arrest of other LockBit key leaders and affiliates. Two suspected members of LockBit, Ruslan Astamirov and Mikhail Matveev, were also apprehended in 2023 though only Astamirov has been officially charged for deploying LockBit ransomware. Matveev remains at large facing cyber sanctions and a 20-year prison term in the event of arrest and conviction.

The Bad | Almost 13 Million Authentication Secrets Exposed on GitHub

Threat actors are increasingly exploiting GitHub and other code repositories as a conduit for malicious activities. In a recent report detailing the issue of secrets sprawl, the findings show that in 2023 alone, GitHub users inadvertently exposed 12.8 million authentication and sensitive secrets across over 3 million public repositories, with only 1.8% of users rectifying the issue upon receiving alerts.

These exposed secrets include critical data such as passwords, API keys, TLS/SSL certificates, OAuth tokens, and encryption credentials – all of which, if obtained by a threat actor, lead to unauthorized access and costly data breaches. This data corroborates another report from summer of 2023 pointing to compromised credentials as the root cause of 50% of recorded attacks in the first half of last year.

Just this week, security researchers observed a new phishing campaign that delivered remote access trojans (RATs) like VCURMS and STRRAT via a malicious Java-based downloader. The attackers behind these RATs are employing sophisticated tactics, leveraging public services such as GitHub and Amazon Web Services (AWS) to store malware and evade detection.

Millions of organizations rely on source code management platforms like GitHub for software development, version control, and continuous integration and deployment (CI/CD). The abuse of such platforms speaks to a concerning trend where threat actors leverage public infrastructure for malicious purposes.

Securing DevOps platforms and open-source code repositories involves implementing access controls, updating dependencies, and enforcing strong authentication. Threat intelligence and security monitoring tools help detect and respond to suspicious activities, while solutions like XDR offer comprehensive protection against cyber threats and infrastructure abuse.

The Ugly | One-Day Flaws Exploited by Money-Hungry ‘Magnet Goblin’ Threat Actor

A financially motivated threat actor dubbed ‘Magnet Goblin’ has been exploiting one-day vulnerabilities in public-facing servers to distribute custom Linux malware. Magnet Goblin’s adoption of the flaws has been quick: security researchers confirmed cases where the one-days were already being leveraged to gain initial entry.

In one instance, Magnet Goblin integrated an exploit for the Ivanti Connect Secure RCE bug (CVE-2024-21887) just a day after a proof-of-concept (PoC) was published online. This exploit facilitated arbitrary code execution, enabling the group to compromise systems that had not yet applied the latest updates. Magnet Goblin’s exploits extend beyond Ivanti, targeting platforms like Magento (CVE-2022-24086), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and potentially Apache ActiveMQ.

The group is currently deploying custom remote access trojans (RATs) and backdoors, including variants of the Nerbian family such as NerbianRAT and MiniNerbian. Upon execution, NerbianRAT establishes communication with a command-and-control (C2) server, allowing malicious activities like executing commands, modifying connection intervals, and updating configurations.

Source: Check Point

Over the years, the Linux OS has attracted threat actors for its ubiquity: it powers a significant portion of servers, cloud infrastructure, and IoT devices, which in turn provides a large attack surface. Its open-source nature also allows actors to study its codebase, identifying vulnerabilities and developing tailored exploits. With emerging threat actors like Magnet Goblin taking advantage of the chaos that follows released PoCs, a strict patch management process becomes a critical factor in staying ahead of one-day flaws.

CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families, and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

A testimonial on onerep.com.

Customer case studies published on onerep.com state that it struck a deal to offer the service to employees of Permanente Medicine, which represents the doctors within the health insurance giant Kaiser Permanente. Onerep also says it has made inroads among police departments in the United States.

But a review of Onerep’s domain registration records and those of its founder reveals a different side to this company. Onerep.com says its founder and CEO is Dimitri Shelest from Minsk, Belarus, as does Shelest’s profile on LinkedIn. Historic registration records indexed by DomainTools.com say Mr. Shelest was a registrant of onerep.com who used the email address dmitrcox2@gmail.com.

A search in the data breach tracking service Constella Intelligence for the name Dimitri Shelest brings up the email address dimitri.shelest@onerep.com. Constella also finds that Dimitri Shelest from Belarus used the email address d.sh@nuwber.com, and the Belarus phone number +375-292-702786.

Nuwber.com is a people search service whose employees all appear to be from Belarus, and it is one of dozens of people-search companies that Onerep claims to target with its data-removal service. Onerep.com’s website disavows any relationship to Nuwber.com, stating quite clearly, “Please note that OneRep is not associated with Nuwber.com.”

However, there is an abundance of evidence suggesting Mr. Shelest is in fact the founder of Nuwber. Constella found that the Minsk telephone number (375-292-702786) has been used multiple times in connection with the email address dmitrcox@gmail.com. Recall that Onerep.com’s domain registration records in 2018 list the email address dmitrcox2@gmail.com.

It appears Mr. Shelest sought to reinvent his online identity in 2015 by adding a “2” to his email address. A search on the Belarus phone number tied to Nuwber.com shows up in the domain records for askmachine.org, and DomainTools says this domain is tied to both dmitrcox@gmail.com and dmitrcox2@gmail.com.

Onerep.com CEO and founder Dimitri Shelest, as pictured on the “about” page of onerep.com.

A search in DomainTools for the email address dmitrcox@gmail.com shows it is associated with the registration of at least 179 domain names, including dozens of mostly now-defunct people-search companies targeting citizens of Argentina, Brazil, Canada, Denmark, France, Germany, Hong Kong, Israel, Italy, Japan, Latvia and Mexico, among others.

Those include nuwber.fr, a site registered in 2016 which was identical to the homepage of Nuwber.com at the time. DomainTools shows the same email and Belarus phone number are in historic registration records for nuwber.at, nuwber.ch, and nuwber.dk (all domains linked here are to their cached copies at archive.org, where available).

Nuwber.com, circa 2015. Image: Archive.org.

A review of historic WHOIS records for onerep.com shows it was registered for many years to a resident of Sioux Falls, SD for a completely unrelated site. But around Sept. 2015 the domain switched from the registrar GoDaddy.com to eNom, and the registration records were hidden behind privacy protection services. DomainTools indicates around this time onerep.com started using domain name servers from DNS provider constellix.com. Likewise, Nuwber.com first appeared in late 2015, was also registered through eNom, and also started using constellix.com for DNS at nearly the same time.

Listed on LinkedIn as a former product manager at OneRep.com between 2015 and 2018 is Dimitri Bukuyazau, who says their hometown is Warsaw, Poland. While this LinkedIn profile (linkedin.com/in/dzmitrybukuyazau) does not mention Nuwber, a search on this name in Google turns up a 2017 blog post from privacyduck.com, which laid out a number of reasons to support a conclusion that OneRep and Nuwber.com were the same company.

“Any people search profiles containing your Personally Identifiable Information that were on Nuwber.com were also mirrored identically on OneRep.com, down to the relatives’ names and address histories,” Privacyduck.com wrote. The post continued:

“Both sites offered the same immediate opt-out process. Both sites had the same generic contact and support structure. They were – and remain – the same company (even PissedConsumer.com advocates this fact: https://nuwber.pissedconsumer.com/nuwber-and-onerep-20160707878520.html).”

“Things changed in early 2016 when OneRep.com began offering privacy removal services right alongside their own open displays of your personal information. At this point when you found yourself on Nuwber.com OR OneRep.com, you would be provided with the option of opting-out your data on their site for free – but also be highly encouraged to pay them to remove it from a slew of other sites (and part of that payment was removing you from their own site, Nuwber.com, as a benefit of their service).”

Reached via LinkedIn, Mr. Bukuyazau declined to answer questions, such as whether he ever worked at Nuwber.com. However, Constella Intelligence finds two interesting email addresses for employees at nuwber.com: d.bu@nuwber.com, and d.bu+figure-eight.com@nuwber.com, which was registered under the name “Dzmitry.”

PrivacyDuck’s claims about how onerep.com appeared and behaved in the early days are not readily verifiable because the domain onerep.com has been completely excluded from the Wayback Machine at archive.org. The Wayback Machine will honor such requests if they come directly from the owner of the domain in question.

Still, Mr. Shelest’s name, phone number and email also appear in the domain registration records for a truly dizzying number of country-specific people-search services, including pplcrwlr.in, pplcrwlr.fr, pplcrwlr.dk, pplcrwlr.jp, peeepl.br.com, peeepl.in, peeepl.it and peeepl.co.uk.

The same details appear in the WHOIS registration records for the now-defunct people-search sites waatpp.de, waatp1.fr, azersab.com, and ahavoila.com, a people-search service for French citizens.

The German people-search site waatp.de.

A search on the email address dmitrcox@gmail.com suggests Mr. Shelest was previously involved in rather aggressive email marketing campaigns. In 2010, an anonymous source leaked to KrebsOnSecurity the financial and organizational records of Spamit, which at the time was easily the largest Russian-language pharmacy spam affiliate program in the world.

Spamit paid spammers a hefty commission every time someone bought male enhancement drugs from any of their spam-advertised websites. Mr. Shelest’s email address stood out because immediately after the Spamit database was leaked, KrebsOnSecurity searched all of the Spamit affiliate email addresses to determine if any of them corresponded to social media accounts at Facebook.com (at the time, Facebook allowed users to search profiles by email address).

That mapping, which was done mainly by generous graduate students at my alma mater George Mason University, revealed that dmitrcox@gmail.com was used by a Spamit affiliate, albeit not a very profitable one. That same Facebook profile for Mr. Shelest is still active, and it says he is married and living in Minsk (last update: 2021).

The Italian people-search website peeepl.it.

Scrolling down Mr. Shelest’s Facebook page to posts made more than ten years ago shows him liking the Facebook profile pages for a large number of other people-search sites, including findita.com, findmedo.com, folkscan.com, huntize.com, ifindy.com, jupery.com, look2man.com, lookerun.com, manyp.com, peepull.com, perserch.com, persuer.com, pervent.com, piplenter.com, piplfind.com, piplscan.com, popopke.com, pplsorce.com, qimeo.com, scoutu2.com, search64.com, searchay.com, seekmi.com, selfabc.com, socsee.com, srching.com, toolooks.com, upearch.com, webmeek.com, and many country-code variations of viadin.ca (e.g. viadin.hk, viadin.com and viadin.de).

The people-search website popopke.com.

Domaintools.com finds that all of the domains mentioned in the last paragraph were registered to the email address dmitrcox@gmail.com.

Mr. Shelest has not responded to multiple requests for comment. KrebsOnSecurity also sought comment from onerep.com, which likewise has not responded to inquiries about its founder’s many apparent conflicts of interest. In any event, these practices would seem to contradict the goal Onerep has stated on its site: “We believe that no one should compromise personal online security and get a profit from it.”

The people-search website findmedo.com.

Max Anderson is chief growth officer at 360 Privacy, a legitimate privacy company that works to keep its clients’ data off of more than 400 data broker and people-search sites. Anderson said it is concerning to see a direct link between a data removal service and data broker websites.

“I would consider it unethical to run a company that sells people’s information, and then charge those same people to have their information removed,” Anderson said.

Last week, KrebsOnSecurity published an analysis of the people-search data broker giant Radaris, whose consumer profiles are deep enough to rival those of far more guarded data broker resources available to U.S. police departments and other law enforcement personnel.

That story revealed that the co-founders of Radaris are two native Russian brothers who operate multiple Russian-language dating services and affiliate programs. It also appears many of the Radaris founders’ businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

KrebsOnSecurity will continue investigating the history of various consumer data brokers and people-search providers. If any readers have inside knowledge of this industry or key players within it, please consider reaching out to krebsonsecurity at gmail.com.

Exploiting Repos | 6 Ways Threat Actors Abuse GitHub & Other DevOps Platforms

For millions of organizations today, source code management platforms like GitHub play a fundamental role in software development, operating as a central hub for both proprietary and open-source code repositories, enabling collaboration, version control and continuous integration and deployment (CI/CD).

In this blog post, we explore the less-discussed side of these essential platforms, where threat actors leverage their features for malicious activities, to stage cyber attacks and steal sensitive data. By understanding the ways threat actors abuse such platforms, organizations can better equip themselves to protect their repositories and mitigate the potential risks associated with code sharing and CI/CD platforms.

Current Threat Landscape | SaaS Abuse On the Rise

The compromise of open-source software projects is becoming more prevalent, with threat actors targeting libraries distributed via package managers and public repositories like PyPI, Crate.io, and GitHub. After infiltrating these trusted resources, threat actors can inject vulnerabilities into widely-used software, potentially compromising the security of many more associated applications and systems.

Beyond the cyber threat on open-source platforms, a broader trend has emerged: Legitimate internet services and critical platforms are frequently exploited by threat actors for malicious activities. GitLab and BitBucket, used for source code management and version control, have also suffered from bugs leading to opportunities for threat actors to gain access to sensitive data, propagate malware, and orchestrate various forms of cybercrime.

Notable Cases of Recent Repo Hacks

Some prominent cyber attacks that leveraged shared code repositories include:

  • Pro-Russia hacktivist group NoName057(16) made headlines by leveraging GitHub to host its toolkit and enticing key contributors with payments.
  • The Rust development community fell victim to the CrateDepression supply-chain attack, which specifically targeted organizations using GitLab Continuous Integration (CI) pipelines.
  • The 3CX SmoothOperator supply chain attack involved pulling encrypted C2 details hidden in icon files hosted in a dedicated GitHub repository.
  • The recent ‘everything’ package prank exposed the potential for GitHub to be used in denial-of-service attacks, highlighting the broader repercussions of such abuse on global software ecosystems.
  • Secret Gists and git commit commands have been used to deliver C2 commands and retrieve malware payloads.
  • A GitHub leak reported earlier this year impacted major brands like Toyota, Mercedes Benz, Binance, and X (formerly Twitter), exposing sensitive proprietary code and credentials.

1. Hosting Malware & Phishing Campaigns

The most obvious misuse of code sharing platforms is hosting malware in plain sight. Threat actors create repositories that appear benign at first glance but can be used to trick developers into downloading and executing code that holds malware or facilitates phishing schemes. Poisoned projects can help attackers reach far more victims if developers unwittingly build bad code into legitimate software, as well as target specific enterprises.

Robust code review processes are essential for detecting malicious code within repositories. Automated scanning tools can further enhance security by identifying known malware signatures and suspicious patterns. To combat the risk of phishing, educating developers and users about common schemes is crucial, especially when users are interacting with code from untrusted sources.

GitHub Malware Advisory

2. Hosting Command & Control (C2)

Public repositories can serve as a strategic platform for threat actors to distribute or host command-and-control (C2) servers, or more commonly to serve as channels by which to distribute C2 URLs, fallback commands or configuration files.

The ability to blend in with legitimate network traffic and sidestep domain block lists makes public code repositories highly attractive. In addition, high uptime and ubiquity of the services make GitHub and similar platforms ideal for attackers’ decentralized C2 infrastructure. Tactics such as dead drop resolvers and obfuscated domains embedded within web services help adversaries to obscure back-end C2 infrastructure from discovery through malware binary analysis.

Organizations can implement network traffic monitoring and anomaly detection systems to help identify unusual patterns indicative of C2 communication. Additionally, leveraging threat intelligence feeds to block known malicious IP addresses and domains associated with C2 infrastructure can enhance defense mechanisms. Defenders should also conduct regular auditing and proactively revoke access for suspicious accounts or repositories.

3. Credential Theft & Supply Chain Attacks

Code repositories have become a prime target for threat actors pursuing credential theft and supply chain attacks.

Git repositories can contain not only proprietary code but also sensitive credentials like API keys, passwords, and cryptographic keys.

To defend against such risks, organizations can adopt robust authentication mechanisms such as multi-factor authentication (MFA) and OAuth to safeguard their user accounts and credentials. Implementing a secrets management solution can also support more secure storage and management of sensitive credentials, reducing exposure to potential attackers. Security leaders can also consider deploying code signing and verification mechanisms to ensure the integrity of software supply chains.
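The 12.8 million leaked secrets reported in “The Bad” above and the credential exposure described in this section share one root cause: secrets committed alongside code. Below is an added example, not tooling from GitHub, the report or SentinelOne, of a pre-commit scanner that reads a staged diff, checks only added lines, and combines fixed-format credential patterns with a Shannon-entropy check so that placeholders are not flagged; the diff, the token values (the AWS key id is AWS’s documented example) and the entropy threshold are constructed assumptions.

```python
"""Pre-commit secret scanner for unified diffs (e.g. `git diff --cached -U0`).

Added example, not GitHub's or the report's tooling. Only added lines are
examined, since removed lines are no longer part of the tree being committed.
SAMPLE_DIFF and every credential value in it are constructed.
"""
import math
import re
import sys
from collections import Counter

MIN_ENTROPY = 3.5   # bits per character (assumed); placeholders score well below this

# (rule name, pattern, whether the captured value must also be high-entropy)
RULES = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), False),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), False),
    ("generic-high-entropy",
     re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd)\s*[=:]\s*[\"']?"
                r"([A-Za-z0-9/+_\-]{20,})"), True),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed staged diff: AWS's documented example key id, a made-up token in
# GitHub's ghp_ format, a low-entropy placeholder that should NOT fire, a
# high-entropy generic value, and a private-key header.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,5 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
+DB_PASSWORD = "CHANGEME_CHANGEME_CHANGEME"
+api_key = "q7Xp2LmZ9rT4vBn8KwY3sF6hJ1dG5eA0"
+# -----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value):
    """Bits of entropy per character: random tokens score ~4-5, words ~2-3."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text):
    """Return findings for secrets that appear on added lines of a unified diff."""
    findings = []
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK.match(raw)
        if hunk:
            line_no = int(hunk.group(1)) - 1   # the next +/context line is start
            continue
        if raw.startswith(" "):
            line_no += 1                       # unchanged context (absent with -U0)
            continue
        if not raw.startswith("+"):
            continue                           # removed lines and git headers
        line_no += 1
        content = raw[1:]
        for rule, pattern, needs_entropy in RULES:
            m = pattern.search(content)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if needs_entropy and shannon_entropy(value) < MIN_ENTROPY:
                continue                       # CHANGEME-style placeholder
            findings.append({"file": path, "line": line_no, "rule": rule,
                             "value": value})
            break                              # one finding per line is enough
    return findings


def main(diff_text):
    """Print masked findings; a non-zero return lets a hook block the commit."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['value'][:4]}...)")
    return 1 if findings else 0


if __name__ == "__main__":
    # `python scan_secrets.py -` reads a diff from stdin; otherwise use the sample.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF
    sys.exit(main(data))
```

Run on the sample it reports lines 1, 2, 4 and 5 and stays quiet on the CHANGEME placeholder on line 3; wired into a pre-commit hook, the non-zero exit stops the commit before the secret ever reaches a remote.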

4. Cloning & Manipulating GitHub (& Other) Repos

Adversaries may inject malicious code directly into exposed libraries or submit fraudulent pull requests, introducing backdoors, executing code injection attacks, or leveraging proof-of-concept code, often itself hosted on public repositories like GitHub, to exploit vulnerabilities in open source code.

Attackers have been seen cloning GitHub repositories and adding malicious code to forks designed to infect developer systems and pilfer sensitive files that included software keys.

In another case, suspicious commits in hundreds of GitHub repositories were discovered to be carrying malicious code. All of the commit messages were created by attackers to disguise their exfiltration of secrets to a C2 server before they injected web-form password-stealing malware into JavaScript files.

Regularly updating and patching dependencies is critical for addressing known vulnerabilities and security issues. Security defenders are also advised to stay informed on emerging security alerts providing updates related to third-party libraries used by their organizations.

Software composition analysis (SCA) tools can enhance security by scanning repositories for vulnerable dependencies and automating remediation or flagging issues for manual review.

5. Abuse of GitHub Actions & CI/CD Pipelines

Threat actors have exploited GitHub’s continuous integration/continuous deployment (CI/CD) pipelines and automation features, such as GitHub Actions, to automate malicious activities and orchestrate attacks. By leveraging these capabilities, they deploy malware, exfiltrate data, or execute unauthorized commands within CI/CD workflows.

To combat these risks, enforce least privilege access controls to restrict the execution of CI/CD workflows and automation scripts and reduce the attack surface. Pre-defined templates and secure coding practices can also help prevent injection attacks and unauthorized code execution.

Security teams may also adopt logging and auditing features in order to more thoroughly track changes and activities within CI/CD pipelines. GitHub’s guide to security hardening for GitHub Actions provides further advice, as does CISA’s guide on how to defend CI/CD environments.
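To make the least-privilege and hardening advice above concrete, here is an added example (not GitHub’s or SentinelOne’s tooling) that audits workflow files for the patterns GitHub’s own hardening guide warns about: actions not pinned to a commit SHA, no top-level permissions block, checking out pull-request code under pull_request_target, and event data interpolated straight into a run: script. Both workflows are constructed; the 40-hex refs in the hardened one are placeholders, not real commit SHAs, and the checks are regex based so no YAML library is needed.

```python
"""Audit GitHub Actions workflows for the CI/CD abuse patterns discussed above.

Added example, not GitHub's or SentinelOne's tooling. The rules follow
GitHub's security-hardening guide for Actions. Both workflow texts are
constructed; the 40-hex action refs are placeholders for real commit SHAs.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
RUN_BLOCK = re.compile(r"^\s*-?\s*run:\s*[|>][-+]?\d?\s*$")   # run: | or run: >
RUN_INLINE = re.compile(r"^\s*-?\s*run:\s*(?![|>])\S")
PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")
# Event fields an outside contributor controls (per GitHub's hardening guide).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request\.(title|body|head\.ref)|issue\.(title|body)"
    r"|comment\.body)|head_ref)\s*\}\}")

# Weak workflow: runs PR code with the repository's secrets, unpinned actions,
# default token permissions, and the PR title interpolated into a shell script.
WEAK_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
      - run: npm install && npm test
      - run: |
          echo "Reviewing ${{ github.event.pull_request.title }}"
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Hardened form of the same workflow. The 40-hex refs are placeholders; pin
# each action to the commit SHA of the release you actually reviewed.
HARDENED_WORKFLOW = """\
name: pr-check
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Reviewing $TITLE"
"""


def audit_workflow(text):
    """Return (rule, line_number, detail) findings; line 0 means file-level."""
    findings = []
    if not re.search(r"^permissions:", text, re.M):
        findings.append(("missing-permissions", 0, "no top-level permissions block"))
    pr_target = bool(re.search(r"\bpull_request_target\b", text))
    in_block, body_indent = False, None   # state for multi-line run: | scalars
    for no, line in enumerate(text.splitlines(), 1):
        if in_block and line.strip():
            indent = len(line) - len(line.lstrip())
            if body_indent is None:
                body_indent = indent                  # first line of the script
            elif indent < body_indent:
                in_block, body_indent = False, None   # dedent ends the script
        m = USES.match(line)
        if m and not m.group(1).startswith("./") and not SHA40.match(m.group(2)):
            findings.append(("unpinned-action", no, f"{m.group(1)}@{m.group(2)}"))
        if pr_target and PR_HEAD_REF.search(line):
            findings.append(("pr-target-checks-out-pr-head", no, line.strip()))
        if RUN_BLOCK.match(line):
            in_block, body_indent = True, None
        hit = UNTRUSTED.search(line)
        if hit and (in_block or RUN_INLINE.match(line)):
            findings.append(("script-injection", no, hit.group(0)))
    return findings


def main():
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = audit_workflow(text)
        print(f"{name}: {len(findings)} finding(s)")
        for rule, no, detail in findings:
            print(f"  line {no}: {rule}: {detail}")


if __name__ == "__main__":
    main()
```

The hardened workflow passes the title through an env var, which the shell reads as data, whereas the weak one pastes it into the script text where a crafted title becomes commands; the same audit can be run over every file under .github/workflows in CI.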

6. Distributed Denial of Service (DDoS) Attacks

Public hosting infrastructure and version control systems have been increasingly exploited to orchestrate distributed-denial-of-service (DDoS) attacks. Flooding repositories or services with a high volume of requests disrupts normal operations, degrades performance, and renders services unavailable to legitimate users.

In the case of the GMP project, an open source arithmetic library, servers came under attack by several hundred IP addresses owned by Microsoft, causing a surge of network traffic and slowing programs that depend on the library to a crawl.

Note by principal author of GMP to the project’s mailing list

Deploying web application firewalls (WAFs) and implementing rate limiting mechanisms can help mitigate DDoS attacks targeting public repositories and services. Content delivery networks (CDNs) can enable organizations to distribute traffic and absorb volumetric attacks, reducing the impact on GitHub’s infrastructure.

Security teams are also recommended to implement network-level defenses such as traffic filtering and IP reputation blocklisting, which aid in preventing malicious traffic and safeguarding public infrastructure from disruption.

Conclusion

Defending Continuous Integration/Continuous Delivery environments is an essential part of an enterprise’s security posture. Implementing least privilege access controls to restrict unauthorized actions and prioritizing the regular updating and patching of dependencies are key to mitigating vulnerabilities, along with enforcing strong authentication mechanisms to protect user accounts and credentials for resources hosted on source code management platforms.

Utilizing threat intelligence feeds and security monitoring tools designed to proactively identify and respond to suspicious activities is also key to minimizing the risk of exploitation and data breaches. Solutions like XDR can play a large role in protecting organizations from cyber threats originating from public infrastructure abuse and exploitation by providing comprehensive visibility, advanced analytics, automated response, and centralized management capabilities.


Patch Tuesday, March 2024 Edition

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple’s new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.

Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.

Apple’s macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].

On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.

Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.

Those “more likely to be exploited” bugs are mostly elevation of privilege vulnerabilities, including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS)), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).

Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), a Linux-based cloud infrastructure in Microsoft Azure. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.

CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineer at Immersive Labs.

“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”

A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.

Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.

By the way, Adobe recently enrolled all of its Acrobat users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.

Incognito Darknet Market Mass-Extorts Buyers, Sellers

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

An extortion message currently on the Incognito Market homepage.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

The “Payment Status” page set up by the Incognito Market extortionists.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

New Incognito Market users are treated to an ad for $450 worth of heroin.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”

Five Ways to Inspire Inclusion Through Allyship

On International Women’s Day, we celebrate the diverse talents, skills, and perspectives that women bring to our workplace and our world. This year’s theme is #InspireInclusion – a fitting call to action for women and allies to continue on this journey as we work to enjoy the same rights, opportunities and impact as our male counterparts.

Allyship is defined as the actions, behaviors, and practices that leaders take to support, amplify, and advocate with others, most especially with individuals who don’t belong to the same social identities as themselves. Men are a key part of our strong ally base at SentinelOne, fortified by an amazing group of female leaders who have ascended on their career trajectory in cybersecurity and have committed to taking other women with them on the journey.

Today we want to share five ways to #InspireInclusion through allyship at your organization to enable women to have the same access to successful, fulfilling careers in tech and have game-changing impact on their workplaces and communities.

Change Starts At the Top

According to the Women In Cybersecurity Report, women held 25% of cybersecurity jobs globally in 2022, up from 20% in 2019 and 10% in 2013. When we look at women in leadership, the gap is even wider. According to Women in Tech Network, only 5% of leadership positions in the tech sector are held by women.

At SentinelOne, we prioritize bridging the gender gap at the leadership level knowing it propels our efforts as we continue to diversify at all levels of the organization. Today, over 30% of all VPs at SentinelOne and 39% of the C-Suite leaders are women. Last year, 47% of our newly hired VP+ leaders and 32% of our internal VP+ promotions were also women. Driving massive change like this takes an intentional strategy and the collective efforts of committed allies who believe that equity in the workplace drives better business results.

1 – Commit to Purposeful Talent Acquisition & Development

You can’t wish for 50% of female candidates to walk through your door – you have to work for it! It starts with a diverse candidate slate, which can be extremely challenging in tech and specifically cybersecurity. Our goal is for women to make up 50-75% of the top of the candidate pipeline, to increase the likelihood of having at least two female finalists. Critically adjacent to this strategy is having one woman on the interview panel.

Sourcing women early in career is a great strategy to find female talent. Having an internship program funneled by a university recruiting effort is very effective at SentinelOne. Partnering with collegiate chapters of Women in CyberSecurity (WiCyS) to engage candidates across the globe only strengthens this part of our pipeline.

We know that if we don’t work to develop our people and enable them with career opportunities, our competitors will. Losing women to the next opportunity will negate your efforts to bridge the gender gap, so keep them engaged and learning while making space for them to grow within your organization. Robust learning and development opportunities are critical for all, and maybe even more so for women as we try to make progress. A well-laid out career pathing program with defined experiences and skill sets for each level will let women know what needs to be added to their knowledge base to prepare for their next opportunity.

2 – Understand That Mentorship Matters

Mentorship is a zero-cost, high-return strategy to drive gender parity. A win-win on both sides of the equation, both parties can learn and grow through high-quality mentor-mentee relationships. Mentorship is critical in shaping careers, giving women a safe place to ask questions and gain insights that can build confidence and guide them through career challenges.

I encourage you to seek the power of difference in the women you mentor. We often gravitate to the people most like us, but considering a mentee of a different gender, function, level or even organization can contribute to the richness of the relationship. Embracing a growth mindset and being conscious of your bias can be extremely beneficial for both sides of the relationship.

If your organization does not have a formal mentorship program, consider advocating for one. At SentinelOne, we launched MentorOne last year with tremendous success and already established 200+ mentor relationships. If that’s not a feasible option, I urge you to recruit a woman to mentor. A thoughtful quarterly conversation is an investment that could pay dividends for years to come.

3 – Champion & Sponsor Women At All Levels

Making this effort a daily behavior can drive substantial change in your workplace culture. Amplifying the women you know doing great work by giving them credit for their ideas and accomplishments can go a long way in boosting confidence and helping strong performers shape their brand. So often we are onto the next task without recognizing how we accomplished the last one, so celebrate! Reach out to the leaders of high-performing women and share authentic accolades to recognize their impact.

Getting involved with the Employee Resource Groups at your organization is a great way to show your allyship. Our Women’s Inclusion Network at SentinelOne is an army that is 160+ strong, full of women and allies who start conversations that both move the business forward and create a safe space for learning, making space for all voices.

Inviting more women into conversations serves two purposes – instilling confidence and sourcing ideas and solutions to drive your business forward! Asking them to share opinions and ideas is an easy way to build the muscle of confidence. Also be careful not to interrupt someone sharing an idea, even if it’s just to reinforce their point.

If you are new to the sponsorship game, get creative! It can be as simple as attending an event sponsored by an employee resource group and asking a thoughtful question or offering support in the live chat. Just seeing your face in a room or on Zoom can let your female colleagues know that you are an ally. Volunteering is another way to become a champion, sharing your career insights and skill sets to inspire the next generation of tech and cybersecurity professionals.

4 – Embrace the Tough Conversations

Tough conversations are often great catalysts for change. It’s important to speak up – if you hear something, say something. Allowing microaggressions in the workplace only reinforces the age-old problem of imposter syndrome, something 75% of all working women have experienced at some point in their career.

Women often face a double standard at work in regards to their behavior. Historically in the workplace, women with confidence and strength were described as pushy and aggressive. If you hear a woman being described in that way, ask yourself, would the same words be used to describe her male counterpart showing the same behavior? If the answer is ‘no’, challenge that in the moment. Be part of the action that helps to build up the brand of a strong woman while taking down the cycle of this double standard.

Give women in your network the gift of direct, in the moment feedback. Women are often juggling so much, multi-tasking the full-time responsibility of family and career. Communicating with honesty, patience and kindness makes even difficult feedback a teachable moment that can change the trajectory of a woman’s career. Be sure to ask probing questions, listening carefully to understand before jumping into working through a solution.

5 – Inspire Inclusion All Year Long

March is just a moment for celebration. Action planning and execution needs to be top of mind 12 months of the year if we are going to close the gender gap in the workplace.

I challenge all non-birthing parents to start at home by sharing household responsibilities, freeing up time and energy for your partner to also focus on career growth. If your company offers a gender-neutral parental leave, take it to establish your role as a caregiver. Hearing from Sentinel parents who cherished our 16-week benefit is a huge source of pride, knowing the ripple effect it will have on their child’s lifetime.

Just recently, a father returning from parental leave sent me the following thank you note:

“Having this uninterrupted time with my children has strengthened our bond and created cherished memories that will last a lifetime. It has allowed me to return to work feeling refreshed, energized, and even more committed to my role at the company. I witnessed how my wife experienced her postpartum period in a totally different, much more pleasant and relaxing way. I also gained a deeper appreciation for the sacrifices and dedication my wife makes each day to care for our family.”

Happy International Women’s Day from SentinelOne!

Take action, in small ways and big ways, and we will continue to drive progress. Start by joining your organization’s Women’s Inclusion Network and contributing to the conversation. Continually ask how you can help, and seek out an important role in gender parity efforts. Making a commitment to #InspireInclusion is not just something we are doing to improve the workplace – it’s a call to action to improve the world!

The Good, the Bad and the Ugly in Cybersecurity – Week 10

The Good | U.S. Sanctions Spyware Targeting Government Officials & Journalists

This week the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) took a stand against commercial spyware specifically crafted to target government officials, journalists, and policy experts within the nation. Sanctions were placed on individuals and five entities affiliated with Intellexa Alliance for their involvement in the creation, operation, and dissemination of the spyware.

This move comes in response to the threat posed by escalating adoption of commercial spyware, which not only poses significant security risks within the United States, but has also been exploited by foreign entities to abuse human rights, suppress dissident voices around the world, and foster state-sponsored cyber espionage campaigns. According to OFAC, Intellexa boasts a global clientele, including authoritarian regimes, and acted as a consortium of several companies linked to mercenary spyware solutions such as Predator.

Predator spyware is capable of infiltrating both Android and iOS devices through zero-click attacks, granting operators unrestricted access to sensitive data and the ability to monitor designated targets covertly. OFAC disclosed that Predator had been deployed against U.S. government officials, journalists, and policy experts by unspecified foreign actors.

The sanctions target key figures and entities within the Intellexa Alliance, including its founder, a corporate specialist, and various affiliate companies, all of which have been added to economic blocklists. A strong follow-up to the Biden administration’s commitment to countering spyware technology, the sanctions place visa restrictions on all individuals involved in the misuse of commercial spyware. This is a significant and first-of-its-kind step in curbing the illicit activities of mercenary spyware companies and rallies international organizations against doing business with or supporting sanctioned entities and individuals.

The Bad | Google AI Technology Stolen by Ex-Employee for China Tech Firms

A 38-year-old Chinese national and a California resident has been indicted for allegedly stealing trade secrets from Google while secretly collaborating with two China-based tech firms.

Linwei “Leon” Ding, a former Google engineer arrested this week, stands accused of illicitly transferring proprietary and confidential data to his personal account while covertly affiliating with companies in China’s artificial intelligence (AI) sector, as stated by the DoJ. Ding purportedly stole over 500 confidential files containing AI trade secrets with the intent of providing an advantage to Chinese companies in the ongoing, global AI race.

The DoJ emphasized that Ding’s actions gave unfair competitive benefits to himself and the affiliated PRC-based companies by stealing information on Google’s supercomputer data center infrastructure used specifically for hosting large and sophisticated AI models.

Ding is accused of concealing the theft by copying data from Google source files to the Apple Notes application on his company-provided MacBook, converting them to PDF files, and then uploading them to his Google account. Ding currently faces four counts of theft of trade secrets, each carrying a maximum penalty of 10 years in prison and up to a $250,000 fine if convicted.

Last year, President Biden issued an executive order on AI, intended to maintain America’s leadership in AI development, particularly in light of competition from nations such as China. Both the U.S. and Chinese governments recognize AI as an emerging technology that is strategically important with vast potential to enhance economic productivity across civilian industries and provide key capabilities for military and intelligence purposes. Theft of trade secrets and intelligence fuels economic espionage and other national-level security concerns related to advancements in AI technology.

The Ugly | BlackCat Ransomware Gang Pulls off Exit Scam

It seems that BlackCat ransomware operators have pulled a vanishing act this week, taking down their darknet website after allegedly scamming $22 million from one of their affiliates, the one currently credited with the attack on a subsidiary of healthcare giant UnitedHealth Group.

While the gang has shut down its servers, data leak blog, and ransomware operation negotiation sites, security researchers have called out the likely possibility of an exit scam or an effort in rebranding the entire ransomware-as-a-service (RaaS) operation under a new identity. Source code analysis done on the takedown notice shows that it was taken from an archived leak site and displayed using a Python HTTP server. Further, Europol and the U.K.’s National Crime Agency (NCA) have declined involvement in taking down BlackCat operations.

This abrupt disappearance follows reports of a purported $22 million ransom payment received from UnitedHealth’s Change Healthcare unit, with allegations that the group reneged on sharing the proceeds with an affiliate involved in the attack. Speculations emerged from a disgruntled affiliate, known as ‘notchy’, who accused BlackCat of embezzling funds after their account suspension on the RAMP cybercrime forum, which also hints at the possibility of an exit scam and eventual rebranding.

So far, the cyber defense community has seen BlackCat ransomware run through various life cycles and monikers, including DarkSide/BlackMatter. The latest occurred in December of 2023 when BlackCat’s servers were hacked by the FBI and an international law enforcement operation seized their Tor negotiation and data leak sites. However, the gang was able to restart its operations. With a speculated exit scam to evade consequences and a possible rebrand on the way, organizations are reminded of the resilience and adaptability of modern ransomware operations.

PinnacleOne ExecBrief | Malicious Insider Threat to Strategic Enterprises

Last week, PinnacleOne examined China’s application of emerging AI tools to augment their rapidly improving cyber capabilities and emphasized the urgency for defenders to keep pace.

This week, we focus on the recent arrest of a PRC national indicted for theft of Google AI IP and we identify lessons learned for firms to improve malicious insider threat detection and response.

Feel free to contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus: Malicious Insider Threat to Strategic Enterprises

The recent indictment and arrest of a PRC national for theft and transfer of Google’s AI related trade secrets illustrates the nature and scope of the insider threat facing strategic enterprises.

The case shows how relatively unsophisticated techniques were able to evade Google’s data loss prevention system and insider threat program, and how a delayed response increased risk.

Firms working at the leading edge of technology (like frontier AI model labs) and those in the crosshairs for strategic geopolitical targeting must catch up to the scale of the threat, immediately.

Google’s Insider Detection and Investigation Failures

  1. Ding Linwei, the indicted lead software engineer, worked on confidential LLM infrastructure and software systems that trained and ran Google Brain, DeepMind, and Anthropic IP.
  2. He exfiltrated over 500 confidential files by copying data from Google source files into the Apple Notes application on his Google-issued MacBook laptop, converting those notes into PDF files, and uploading them from the Google network to a separate, personal Google Drive account, which evaded detection by Google’s data loss prevention systems.
  3. He also had a fellow employee use his access badge to scan into his assigned Google office building while he was in China conducting business activities using the stolen information.
  4. Ding was only investigated by Google when he uploaded files from the Google network to a second personal account while he was in the PRC, but his access was not subsequently limited. He arrived in China on October 29th, but his presence was not detected until December 8th, 2023.
  5. Google suspended his network access and remotely locked his laptop 27 days after the investigation began, three days after he resigned, and only when Google discovered that Ding had presented his business plan at a Beijing investor conference as CEO of a company that would focus on the same technology stolen from Google.

Lessons Learned

  1. The attack surface goes beyond narrow trust boundaries and access control for crown jewels and extends across distributed or 3rd-party networks and infrastructure.
  2. Malicious insiders may spend years in the firm enhancing their access and conducting covert collection – more overt indicators tend to only arise after the horse has left the barn.
  3. Physical correlation of network detections, enhanced by AI, is necessary but not sufficient. Expert counterintelligence investigators must discern and act at speed to mitigate enterprise risk.
  4. Tradecraft for lone wolf commercial espionage is less sophisticated than a foreign intelligence operation, but it was nevertheless successful in this case – the accelerating economic returns from AI businesses will exponentially increase the financial incentive for insider employees to steal.
  5. Frontier model labs and other firms working on strategic and prized technologies should consider (as an ideal, if potentially unreachable goal) security controls that mirror those used to protect government special access programs, including strict compartmentalization, personal reliability examinations, travel monitoring and reporting, comprehensive network monitoring, and continuous insider threat hunting. Design programs with the future value of the tech in mind.
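Lesson 3 above, correlating physical access with network activity, is the control that would have matched the case facts recounted earlier: a badge scanned at a Google building while the badge holder’s own network activity originated in the PRC. The following is an added example, not code from PinnacleOne, Google, or the indictment; it joins a constructed badge log with a constructed network log per user and flags any pairing within a time window where the badge site’s country and the network source country disagree. Event fields, site names, user IDs, and the window are the example’s own assumptions.

```python
"""Added example: correlate badge (physical) and network events per user and
flag impossible co-presence. All logs here are constructed, not real data."""
from dataclasses import dataclass

# Constructed mapping from badge reader site to the country it sits in.
SITE_COUNTRY = {"hq-building-3": "US"}


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    minute: int      # minutes since midnight (constructed time base)
    site: str


@dataclass(frozen=True)
class NetEvent:
    user: str
    minute: int
    country: str     # geolocation of the source address from VPN / IdP logs
    action: str


def correlate(badge_events, net_events, window: int = 60) -> list:
    """Return one alert per (badge, network) pair for the same user, within
    `window` minutes of each other, whose countries disagree. A badge lent to
    a colleague shows up here as soon as the real user is active elsewhere."""
    alerts = []
    for b in badge_events:
        site_country = SITE_COUNTRY.get(b.site, "unknown")
        for n in net_events:
            if b.user != n.user or abs(b.minute - n.minute) > window:
                continue
            if n.country != site_country:
                alerts.append(
                    f"{b.user}: badge at {b.site} ({site_country}) at minute "
                    f"{b.minute}, but '{n.action}' from {n.country} at minute {n.minute}"
                )
    return alerts


# Constructed sample logs (no real people, sites, or addresses).
BADGE_LOG = [
    BadgeEvent("u1001", 545, "hq-building-3"),   # 09:05, badge used at HQ
    BadgeEvent("u2002", 550, "hq-building-3"),
]
NET_LOG = [
    NetEvent("u1001", 560, "CN", "upload to personal cloud drive"),
    NetEvent("u2002", 565, "US", "git push"),
    NetEvent("u1001", 900, "CN", "vpn login"),   # outside the default window
]


def run_sample() -> list:
    return correlate(BADGE_LOG, NET_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With the default 60-minute window only the 09:20 upload from the PRC is paired with the 09:05 HQ badge scan; widening the window also pulls in the later VPN login. The join is deliberately naive (every badge event against every network event) so the logic is easy to audit; at enterprise volume the same rule would be expressed as a time-bucketed join in the SIEM.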

Insider Threat Mitigation

Firms should develop and assess a comprehensive set of insider threat scenarios tailored to their threat model, technical controls, organizational design, and internal culture. See below for some example threat scenarios that span nation-state and lone-wolf/commercial threat actor profiles, plausible targets and objectives, and attack paths/exploitation methods.

Insider Threat Scenarios for Security Control Validation and Program Assessment

These scenarios are by no means comprehensive but should serve as a starting point for firms to validate controls and develop a roadmap for process, technology, and organizational improvements. In 2022, PinnacleOne worked with a firm exiting Russia to test over 100 insider scenarios. We found their detection and response capabilities (alerts, triage, escalation, etc.) mostly inadequate. We are also currently helping a systemically important SaaS firm assess and improve their insider trust program.

Implications for Geopolitically Targeted Multinationals

China has an explicit strategy to target industries via insider and cyber espionage to transfer valuable IP and know-how that supports economic competitiveness and military capabilities. The set of firms that fall into this geopolitical bullseye are known, but the list is expanding and the political incentives to pursue more aggressive targeting will continue to grow.

Insider threats extend beyond IP theft and include intentional weakening of cybersecurity controls (e.g., cloud misconfigurations by IT insiders) or even covert sabotage of products or services (where such sabotage might support tactical objectives in a conflict scenario). The threat is real and growing.

A Close Up Look at the Consumer Data Broker Radaris

If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

Formed in 2009, Radaris is a vast people-search network for finding data on individuals, properties, phone numbers, businesses and addresses. Search for any American’s name in Google and the chances are excellent that a listing for them at Radaris.com will show up prominently in the results.

Radaris reports typically bundle a substantial amount of data scraped from public and court documents, including any current or previous addresses and phone numbers, known email addresses and registered domain names. The reports also list address and phone records for the target’s known relatives and associates. Such information could be useful if you were trying to determine the maiden name of someone’s mother, or successfully answer a range of other knowledge-based authentication questions.

Currently, consumer reports advertised for sale at Radaris.com are being fulfilled by a different people-search company called TruthFinder. But Radaris also operates a number of other people-search properties — like Centeda.com — that sell consumer reports directly and behave almost identically to TruthFinder: That is, reel the visitor in with promises of detailed background reports on people, and then charge a $34.99 monthly subscription fee just to view the results.

The Better Business Bureau (BBB) assigns Radaris a rating of “F” for consistently ignoring consumers seeking to have their information removed from Radaris’ various online properties. Of the 159 complaints detailed there in the last year, several were from people who had used third-party identity protection services to have their information removed from Radaris, only to receive a notice a few months later that their Radaris record had been restored.

What’s more, Radaris’ automated process for requesting the removal of your information requires signing up for an account, potentially providing more information about yourself that the company didn’t already have (see screenshot above).

Radaris has not responded to requests for comment.

Radaris, TruthFinder and others like them all force users to agree that their reports will not be used to evaluate someone’s eligibility for credit, or a new apartment or job. This language is so prominent in people-search reports because selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).

These data brokers do not want to be treated as CRAs, and for this reason their people-search reports typically do not include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).

But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and another people-search service Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.

An excerpt from the FTC’s complaint against TruthFinder and Instant Checkmate.

The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.

“All the while, the companies touted the accuracy of their reports in online ads and other promotional materials, claiming that their reports contain ‘the MOST ACCURATE information available to the public,’” the FTC noted. The FTC says, however, that all the information used in their background reports is obtained from third parties that expressly disclaim that the information is accurate, and that TruthFinder and Instant Checkmate take no steps to verify the accuracy of the information.

The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.

The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.

WHO IS RADARIS?

According to Radaris’ profile at the investor website Pitchbook.com, the company’s founder and “co-chief executive officer” is a Massachusetts resident named Gary Norden, also known as Gary Nard.

An analysis of email addresses known to have been used by Mr. Norden shows he is a native Russian man whose real name is Igor Lybarsky (also spelled Lubarsky). Igor’s brother Dmitry, who goes by “Dan,” appears to be the other co-CEO of Radaris. Dmitry Lybarsky’s Facebook/Meta account says he was born in March 1963.

The Lybarsky brothers Dmitry or “Dan” (left) and Igor a.k.a. “Gary,” in an undated photo.

Indirectly or directly, the Lybarskys own multiple properties in both Sherborn and Wellesley, Mass. However, the Radaris website is operated by an offshore entity called Bitseller Expert Ltd, which is incorporated in Cyprus. Neither Lybarsky brother responded to requests for comment.

A review of the domain names registered by Gary Norden shows that beginning in the early 2000s, he and Dan built an e-commerce empire by marketing prepaid calling cards and VOIP services to Russian expatriates who are living in the United States and seeking an affordable way to stay in touch with loved ones back home.

A Sherborn, Mass. property owned by Barsky Real Estate Trust and Dmitry Lybarsky.

In 2012, the main company in charge of providing those calling services — Wellesley Hills, Mass-based Unipoint Technology Inc. — was fined $179,000 by the U.S. Federal Communications Commission, which said Unipoint never applied for a license to provide international telecommunications services.

DomainTools.com shows the email address gnard@unipointtech.com is tied to 137 domains, including radaris.com. DomainTools also shows that the email addresses used by Gary Norden for more than two decades — epop@comby.com, gary@barksy.com and gary1@eprofit.com, among others — appear in WHOIS registration records for an entire fleet of people-search websites, including: centeda.com, virtory.com, clubset.com, kworld.com, newenglandfacts.com, and pub360.com.

Still more people-search platforms tied to Gary Norden — like publicreports.com and arrestfacts.com — currently funnel interested customers to third-party search companies, such as TruthFinder and PersonTrust.com.

The email addresses used by Gary Nard/Gary Norden are also connected to a slew of data broker websites that sell reports on businesses, real estate holdings, and professionals, including bizstanding.com, homemetry.com, trustoria.com, homeflock.com, rehold.com, difive.com and projectlab.com.

AFFILIATE & ADULT

Domain records indicate that Gary and Dan for many years operated a now-defunct pay-per-click affiliate advertising network called affiliate.ru. That entity used domain name servers tied to the aforementioned domains comby.com and eprofit.com, as did radaris.ru.

A machine-translated version of Affiliate.ru, a Russian-language site that advertised hundreds of money making affiliate programs, including the Comfi.com prepaid calling card affiliate.

Comby.com used to be a Russian-language social media network that looked a great deal like Facebook. The domain now forwards visitors to Privet.ru (“hello” in Russian), a dating site that claims to have 5 million users. Privet.ru says it belongs to a company called Dating Factory, which lists offices in Switzerland. Privet.ru uses the Gary Norden domain eprofit.com for its domain name servers.

Dating Factory’s website says it sells “powerful dating technology” to help customers create unique or niche dating websites. A review of the sample images available on the Dating Factory homepage suggests the term “dating” in this context refers to adult websites. Dating Factory also operates a community called FacebookOfSex, as well as the domain analslappers.com.

RUSSIAN AMERICA

Email addresses for the Comby and Eprofit domains indicate Gary Norden operates an entity in Wellesley Hills, Mass. called RussianAmerican Holding Inc. (russianamerica.com). This organization is listed as the owner of the domain newyork.ru, which is a site dedicated to orienting newcomers from Russia to the Big Apple.

Newyork.ru’s terms of service refer to an international calling card company called ComFi Inc. (comfi.com) and list an address as PO Box 81362 Wellesley Hills, Ma. Other sites that include this address are russianamerica.com, russianboston.com, russianchicago.com, russianla.com, russiansanfran.com, russianmiami.com, russiancleveland.com and russianseattle.com (currently offline).

ComFi is tied to Comfibook.com, which was a search aggregator website that collected and published data from many online and offline sources, including phone directories, social networks, online photo albums, and public records.

The current website for russianamerica.com. Note the ad in the bottom left corner of this image for Channel One, a Russian state-owned media firm that is currently sanctioned by the U.S. government.

AMERICAN RUSSIAN MEDIA

Many of the U.S. city-specific online properties apparently tied to Gary Norden include phone numbers on their contact pages for a pair of Russian media and advertising firms based in southern California. The phone number 323-874-8211 appears on the websites russianla.com, russiasanfran.com, and rosconcert.com, which sells tickets to theater events performed in Russian.

Historic domain registration records from DomainTools show rosconcert.com was registered in 2003 to Unipoint Technologies — the same company fined by the FCC for not having a license. Rosconcert.com also lists the phone number 818-377-2101.

A phone number just a few digits away — 323-874-8205 — appears as a point of contact on newyork.ru, russianmiami.com, russiancleveland.com, and russianchicago.com. A search in Google shows this 82xx number range — and the 818-377-2101 number — belong to two different entities at the same UPS Store mailbox in Tarzana, Calif.: American Russian Media Inc. (armediacorp.com), and Lamedia.biz.
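The pivoting used above (linking sites through shared registrant emails, name servers, contact phone numbers and mailbox addresses) can be automated as a clustering pass over WHOIS-style records. The block below is an added illustration, not code from the article or from any of the companies named; every domain, email, name server, phone number and address in it is a constructed placeholder.

```python
from collections import defaultdict

# Constructed WHOIS-style records (hypothetical values, not real registrations).
# Each record carries the attributes an investigator pivots on.
RECORDS = [
    {"domain": "people-a.example", "email": "owner@mail-a.example",
     "ns": ["ns1.dns-a.example"], "phone": "555-0101", "address": "PO Box 1"},
    {"domain": "people-b.example", "email": "owner@mail-a.example",
     "ns": ["ns1.dns-b.example"], "phone": "555-0199", "address": "PO Box 2"},
    {"domain": "news-c.example", "email": "alt@mail-c.example",
     "ns": ["ns1.dns-b.example"], "phone": "555-0102", "address": "PO Box 3"},
    {"domain": "tickets-d.example", "email": "other@mail-d.example",
     "ns": ["ns1.dns-d.example"], "phone": "555-0102", "address": "PO Box 4"},
    {"domain": "unrelated-e.example", "email": "nobody@mail-e.example",
     "ns": ["ns1.dns-e.example"], "phone": "555-0500", "address": "PO Box 9"},
]


def pivot_keys(rec):
    """Attributes that tie this domain to any other domain sharing them."""
    keys = {("email", rec["email"]), ("phone", rec["phone"]),
            ("address", rec["address"])}
    keys |= {("ns", ns) for ns in rec["ns"]}
    return keys


def build_clusters(records):
    """Union-find over domains: two domains are joined when they share a pivot key.

    Returns (clusters, links): clusters is a list of sorted domain lists, largest
    first; links maps each linked domain pair to the set of keys they share, so an
    analyst can see *why* two sites were joined (email vs. name server vs. phone).
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for r in records:
        for k in pivot_keys(r):
            by_key[k].append(r["domain"])

    links = defaultdict(set)
    for key, domains in by_key.items():
        for i, a in enumerate(domains):
            for b in domains[i + 1:]:
                parent[find(b)] = find(a)
                links[tuple(sorted((a, b)))].add(key)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda c: (-len(c), c))
    return clusters, dict(links)


if __name__ == "__main__":
    clusters, links = build_clusters(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for pair, keys in sorted(links.items()):
        print(pair, "via", sorted(keys))
```

The chain a–b (email), b–c (name server), c–d (phone) collapses into one cluster even though no single attribute is shared by all four sites, which is exactly how a mind map like the one at the end of the article grows; the isolated record stays separate.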

Armediacorp.com is the home of FACT Magazine, a glossy Russian-language publication put out jointly by the American-Russian Business Council, the Hollywood Chamber of Commerce, and the West Hollywood Chamber of Commerce.

Lamedia.biz says it is an international media organization with more than 25 years of experience within the Russian-speaking community on the West Coast. The site advertises FACT Magazine and the Russian state-owned media outlet Channel One. Clicking the Channel One link on the homepage shows Lamedia.biz offers to submit advertising spots that can be shown to Channel One viewers. The price for a basic ad is listed at $500.

In May 2022, the U.S. government levied financial sanctions against Channel One that bar US companies or citizens from doing business with the company.

The website of lamedia.biz offers to sell advertising on two Russian state-owned media firms currently sanctioned by the U.S. government.

LEGAL ACTIONS AGAINST RADARIS

In 2014, a group of people sued Radaris in a class-action lawsuit claiming the company’s practices violated the Fair Credit Reporting Act. Court records indicate the defendants never showed up in court to dispute the claims, and as a result the judge eventually awarded the plaintiffs a default judgment and ordered the company to pay $7.5 million.

But the plaintiffs in that civil case had a difficult time collecting on the court’s ruling. In response, the court ordered the radaris.com domain name (~9.4M monthly visitors) to be handed over to the plaintiffs.

However, in 2018 Radaris was able to reclaim their domain on a technicality. Attorneys for the company argued that their clients were never named as defendants in the original lawsuit, and so their domain could not legally be taken away from them in a civil judgment.

“Because our clients were never named as parties to the litigation, and were never served in the litigation, the taking of their property without due process is a violation of their rights,” Radaris’ attorneys argued.

In October 2023, an Illinois resident filed a class-action lawsuit against Radaris for allegedly using people’s names for commercial purposes, in violation of the Illinois Right of Publicity Act.

On Feb. 8, 2024, a company called Atlas Data Privacy Corp. sued Radaris LLC for allegedly violating “Daniel’s Law,” a statute that allows New Jersey law enforcement, government personnel, judges and their families to have their information completely removed from people-search services and commercial data brokers. Atlas has filed at least 140 similar Daniel’s Law complaints against data brokers recently.

Daniel’s Law was enacted in response to the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge (his mother). In July 2020, a disgruntled attorney who had appeared before U.S. District Judge Esther Salas disguised himself as a FedEx driver, went to her home and shot and killed her son (the judge was unharmed and the assailant killed himself).

Earlier this month, The Record reported on Atlas Data Privacy’s lawsuit against LexisNexis Risk Data Management, in which the plaintiffs representing thousands of law enforcement personnel in New Jersey alleged that after they asked for their information to remain private, the data broker retaliated against them by freezing their credit and falsely reporting them as identity theft victims.

Another data broker sued by Atlas Data Privacy — pogodata.com — announced on Mar. 1 that it was likely shutting down because of the lawsuit.

“The matter is far from resolved but your response motivates us to try to bring back most of the names while preserving redaction of the 17,000 or so clients of the redaction company,” the company wrote. “While little consolation, we are not alone in the suit – the privacy company sued 140 property-data sites at the same time as PogoData.”

Atlas says its goal is to convince more states to pass similar laws, and to extend those protections to other groups such as teachers, healthcare personnel and social workers. Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states would limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.

PEOPLE-SEARCH CARVE-OUTS

There are some pending changes to the US legal and regulatory landscape that could soon reshape large swaths of the data broker industry. But experts say it is unlikely that any of these changes will affect people-search companies like Radaris.

On Feb. 28, 2024, the White House issued an executive order that directs the U.S. Department of Justice (DOJ) to create regulations that would prevent data brokers from selling or transferring abroad certain data types deemed too sensitive, including genomic and biometric data, geolocation and financial data, as well as other as-yet unspecified personal identifiers. The DOJ this week published a list of more than 100 questions it is seeking answers to regarding the data broker industry.

In August 2023, the Consumer Financial Protection Bureau (CFPB) announced it was undertaking new rulemaking related to data brokers.

Justin Sherman, an adjunct professor at Duke University, said neither the CFPB nor White House rulemaking will likely address people-search brokers because these companies typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

“These dossiers contain everything from individuals’ names, addresses, and family information to data about finances, criminal justice system history, and home and vehicle purchases,” Sherman wrote in an October 2023 article for Lawfare. “People search websites’ business pitch boils down to the fact that they have done the work of compiling data, digitizing it, and linking it to specific people so that it can be searched online.”

Sherman said while there are ongoing debates about whether people search data brokers have legal responsibilities to the people about whom they gather and sell data, the sources of this information — public records — are completely carved out from every single state consumer privacy law.

“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman wrote. “Tennessee’s consumer data privacy law, for example, stipulates that “personal information,” a cornerstone of the legislation, does not include ‘publicly available information,’ defined as:

“…information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”

Sherman said this is the same language as the carve-out in the California privacy regime, which is often held up as the national leader in state privacy regulations. He said with a limited set of exceptions for survivors of stalking and domestic violence, even under California’s newly passed Delete Act — which creates a centralized mechanism for consumers to ask some third-party data brokers to delete their information — consumers across the board cannot exercise these rights when it comes to data scraped from property filings, marriage certificates, and public court documents, for example.

“With some very narrow exceptions, it’s either extremely difficult or impossible to compel these companies to remove your information from their sites,” Sherman told KrebsOnSecurity. “Even in states like California, every single consumer privacy law in the country completely exempts publicly available information.”

Below is a mind map that helped KrebsOnSecurity track relationships between and among the various organizations named in the story above:

A mind map of various entities apparently tied to Radaris and the company’s co-founders.