The Good, the Bad and the Ugly in Cybersecurity – Week 22

The Good

Identifying hackers is difficult, arresting them and bringing them to justice is even harder. Therefore, when law enforcement agencies are able to press charges against them we can only applaud them for their good work and hope that the courts will hand down sufficient punishment to deter others.

Authorities in Germany pressed charges against a 22-year-old who hacked into private accounts of politicians, journalists and public figures. The person confessed to stealing and leaking online private data belonging to hundreds of politicians, including the German Chancellor Angela Merkel. Additional charges include a blackmail attempt against six German MPs (demanding Bitcoin payment in exchange for not publishing their information) and three false reports to the police regarding bomb attacks or mass shootings.

According to the investigator, the perpetrator used email providers’ password reset facilities to gain access to accounts and obtain personal data, telephone numbers, contact addresses, credit card data, photos and correspondence. This individual’s motives seemed to be sensationalist, political and to some degree, financial.

In another arrest this week, in Seattle, a Ukrainian national was charged for his alleged involvement in hacking operations run by FIN7, a syndicate known for stealing approximately $1 billion from its victims in the United States. Denys Larmak has been charged with “conspiracy to commit computer hacking, accessing a protected computer to commit fraud, intentional damage to a protected computer, access device fraud, conspiracy to commit wire and bank fraud, wire fraud, and aggravated identity theft”.

According to the authorities, Larmak ran spearphishing campaigns to obtain credentials, credit and debit card details and other personally identifiable information. Larmak was diligent: he used Jira to document his actions and create a dedicated ticket for each victim, and used the system to share the information obtained with other members of the FIN7 hacking collective.

The Bad

German authorities published an advisory this week to companies in the energy, water and power sectors, stating that a Kremlin-linked hacking group is targeting their sectors. The group, called variously Berserk Bear, DragonFly 2.0 and Dymalloy, is apparently operating on behalf of Russia’s FSB intelligence agency and using the supply chain to access the German companies’ IT systems.

The APT group, known to be active since at least late 2015 or early 2016 and specialising in energy sector hacks against European and American targets, uses both publicly available and custom-written malware to penetrate IT networks, gain persistence and steal information. Most worryingly, it aims to penetrate highly critical Operational Technology (OT) networks.

The same group previously targeted US companies using infected websites for harvesting login credentials and utilizing these to compromise critical infrastructure companies in Europe and North America. In the past, the group was accused of attacking German energy providers.

The Ugly

The UK’s privacy watchdog has announced that the number of reported data breaches has declined in the two years since GDPR came into effect. However, it seems the British are bucking the trend, as data breaches across the globe are only increasing.

Just this week, Japanese Telco Giant NTT announced a data breach affecting hundreds of customers, and Bank of America announced a data breach affecting customers applying for the Paycheck Protection Program (PPP).

These breaches are overshadowed by another massive data breach affecting 29 million Indian job seekers. A cybersecurity firm discovered a threat actor selling personal details of millions of job hunters from different states across India. The leak likely happened via a resumé aggregator service which collects data from various known job portals. The information offered for sale includes personal information about users including their email address, phone number, home address, and qualifications.

If 29 million records sounds like a big number, then try to fathom this one: 8 billion. That’s the number of internet records leaked from a subsidiary of Thailand’s largest cell network, Advanced Info Service (AIS). The database, containing real-time internet records of millions of customers, was exposed in May during a test scheduled by the company, which claims that no important data was made available. The database has now been made inaccessible.


How startups can leverage elastic services for cost optimization

Due to COVID-19, business continuity has been put to the test for many companies in the manufacturing, agriculture, transport, hospitality, energy and retail sectors. Cost reduction is the primary focus of companies in these sectors due to massive losses in revenue caused by this pandemic. The other side of the crisis is, however, significantly different.

Companies in industries such as medical, government and financial services, as well as cloud-native tech startups that are providing essential services, have experienced a considerable increase in their operational demands — leading to rising operational costs. Irrespective of the industry your company belongs to, and whether your company is experiencing reduced or increased operations, cost optimization is a reality for all companies to ensure a sustained existence.

One of the most reliable measures for cost optimization at this stage is to leverage elastic services designed to grow or shrink according to demand, such as cloud and managed services. A modern product with a cloud-native architecture can auto-scale cloud consumption to mitigate lost operational demand. What may not have been obvious to startup leaders is a strategy often employed by incumbent, mature enterprises — achieving cost optimization by leveraging managed services providers (MSPs). MSPs enable organizations to repurpose full-time staff members from impacted operations to more strategic product lines or initiatives.

Why companies need cost optimization in the long run

Salesforce stock is taking a hit today after lighter guidance in yesterday’s earnings report

In spite of a positive quarter with record revenue that beat analysts’ estimates, Salesforce stock was taking a hit today because of lighter guidance. Wall Street is a tough audience.

The stock was down $8.29/share, or 4.58%, as of 2:15 pm ET.

The guidance, which was a projection for next quarter’s earnings, was lighter than what the analysts on Wall Street expected. While Salesforce was projecting revenue for next quarter in the range of $4.89 to $4.90 billion, according to CNBC, analysts had expected $5.03 billion.

When analysts see a future that is a bit worse than what they expected, it usually results in a lower stock price, and that’s what we are seeing today. It’s worth noting that Salesforce is operating in the same economy as everyone else, and being a bit lighter on your projections in the middle of a pandemic seems entirely understandable.

In yesterday’s report, CEO Marc Benioff indicated that the company has been offering some customers some flexibility around payment as they navigate the economic fallout of COVID-19, and the company’s operating cash took a bit of a hit because of this.

“Operating cash flow was $1.86 billion, which was largely impacted by delayed payments from customers while sheltering in place and some temporary financial flexibility that we granted to certain customers that were most affected by the COVID pandemic,” president and CFO Mark Hawkins explained in the analyst call.

Still, the company reported revenue of $4.87 billion for the quarter, putting it on a run rate of $19.48 billion.

In a statement, David Hynes, Jr. of Canaccord Genuity remained high on Salesforce. “If you step back and think about what Salesforce is actually providing, tools that help businesses get closer to their customers are perhaps more important than ever in a slower-growth, socially distanced world. We have long reserved a spot for CRM among our top names in large cap, and we feel no differently about that view after what we heard last night. This is a high-quality firm with many levers to growth, and as such, we believe CRM is a good way to get a bit of defensive exposure to the favorable trends at play in software.”

The company is, after all, still firmly on the path to $20 billion in revenue. As Hynes points out, overall the kinds of tools that Salesforce offers should remain in demand as companies look for ways to digitally transform much more rapidly in our current situation, and look to companies like Salesforce for help.

Aaron Levie: ‘We have way too many manual processes in businesses’

Box CEO Aaron Levie has been working to change the software world for 15 years, but the pandemic has accelerated the move to cloud services much faster than anyone imagined. As he pointed out yesterday in an Extra Crunch Live interview, who would have thought three months ago that businesses like yoga and cooking classes would have moved online — but here we are.

Levie says we are just beginning to see the range of what’s possible because circumstances are forcing us to move to the cloud much faster than most businesses probably would have without the pandemic acting as a change agent.

“Overall, what we’re going to see is that anything that can become digital probably will be in a much more accelerated way than we’ve ever seen before,” Levie said.

Fellow TechCrunch reporter Jon Shieber and I spent an hour chatting with Levie about how digital transformation is accelerating in general, how Box is coping with that internally and externally, his advice for founders in an economic crisis and what life might be like when we return to our offices.

Our interview was broadcast on YouTube and we have included the embed below.

Just a note that Extra Crunch Live is our new virtual speaker series for Extra Crunch members. Folks can ask their own questions live during the chat, with past and future guests like Alexis Ohanian, Garry Tan, GGV’s Hans Tung and Jeff Richards, Eventbrite’s Julia Hartz and many, many more. You can check out the schedule here. If you’d like to submit a question during a live chat, please join Extra Crunch.

On digital transformation

The way that we think about digital transformation is that much of the world has a whole bunch of processes and ways of working — ways of communicating and ways of collaborating where if those business processes or that way we worked were able to be done in digital forms or in the cloud, you’d actually be more productive, more secure and you’d be able to serve your customers better. You’d be able to automate more business processes.

We think we’re [in] an environment that anything that can be digitized probably will be. Certainly as this pandemic has reinforced, we have way too many manual processes in businesses. We have way too slow ways of working together and collaborating. And we know that we’re going to move more and more of that to digital platforms.

In some cases, it’s simple, like moving to being able to do video conferences and being able to collaborate virtually. Some of it will become more advanced. How do I begin to automate things like client onboarding processes or doing research in a life sciences organization or delivering telemedicine digitally, but overall, what we’re going to see is that anything that can become digital probably will be in a much more accelerated way than we’ve ever seen before.

How the pandemic is driving change faster

Career Choice Tip: Cybercrime is Mostly Boring

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

Yes, I realize hooded hacker stock photos have become a meme, but that’s the point.

The findings come in a new paper released by researchers at Cambridge University’s Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings.

In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the activity of legitimate system administrators.

Richard Clayton, a co-author of the report and director of Cambridge’s Cybercrime Centre, said the findings suggest policymakers and law enforcement agencies may be doing nobody a favor when they issue aggrandizing press releases that couch their cybercrime investigations as targeting sophisticated actors.

“The way in which everyone looks at cybercrime is they’re all interested in the rockstars and all the exciting stuff,” Clayton told KrebsOnSecurity. “The message put out there is that cybercrime is lucrative and exciting, when for most of the people involved it’s absolutely not the case.”

From the paper:

“We find that as cybercrime has developed into industrialized illicit economies, so too have a range of tedious supportive forms of labor proliferated, much as in mainstream industrialized economies. We argue that cybercrime economies in advanced states of growth have begun to create their own tedious, low-fulfillment jobs, becoming less about charismatic transgression and deviant identity, and more about stability and the management and diffusion of risk. Those who take part in them, the research literature suggests, may well be initially attracted by exciting media portrayals of hackers and technological deviance.”

“However, the kinds of work and practices in which they actually become involved are not reflective of the excitement and exploration which characterized early ‘hacker’ communities, but are more similar to low-level work in drug dealing gangs, involving making petty amounts of money for tedious work in the service of aspirations that they may one day be one of the major players. This creates the same conditions of boredom…which are found in mainstream jobs when the reality emerges that these status and financial goals are as blocked in the illicit economy as they are in the regular job market.”

The researchers drew on interviews with people engaged in such enterprises, case studies on ex- or reformed criminal hackers, and from scraping posts by denizens of underground forums and chat channels. They focused on the activity needed to keep various crime services operating efficiently and free from disruption from interlopers, internecine conflict, law enforcement or competitors.

For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks.

Booter services (a.k.a. “stressers”) — like many other cybercrime-as-a-service offerings — tend to live or die by their reputation for uptime, effectiveness, treating customers fairly, and for quickly responding to inquiries or concerns from users. As a result, these services typically require substantial investment in staff needed for customer support work (through a ticketing system or a realtime chat service) when issues arise with payments or with clueless customers failing to understand how to use the service.

In one interview with a former administrator of a booter service, the proprietor told researchers he quit and went on with a normal life after getting tired of dealing with customers who took for granted all the grunt work needed to keep the service running. From the interview:

“And after doing [it] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all. Creating a stresser is easy. Providing the power to run it is the tricky part. And when you have to put all your effort, all your attention. When you have to sit in front of a computer screen and scan, filter, then filter again over 30 amps per 4 hours it gets annoying.”

The researchers note that this burnout is an important feature of customer support work, “which is characterized less by a progressive disengagement with a once-interesting activity, and more by the gradual build-up of boredom and disenchantment, once the low ceiling of social and financial capital which can be gained from this work is reached.”

Running a malware-as-a-service offering also can take its toll on developers, who quickly find themselves overwhelmed with customer support requests and negative feedback when a well-functioning service has intermittent outages.

Indeed, the author of the infamous ZeuS Trojan — a powerful password stealing tool that paved the way for hundreds of millions of dollars stolen from hacked businesses — is reputed to have quit the job and released the source code for the malware (thus spawning an entire industry of malware-as-a-service offerings) mainly to focus his skills on less tedious work than supporting hundreds of customers.

“While they may sound glamorous, providing these cybercrime services require the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries, and so on,” the report continues.

To some degree, the ZeuS author’s experience may not be the best example, because his desire to get away from supporting hundreds of customers ultimately led to his focusing attention and resources on building a far more sophisticated malware threat — the peer-to-peer based Gameover malware that he leased to a small group of organized crime groups.

Likewise, the cover story in this month’s Wired magazine profiles Marcus Hutchins, who said he “quickly grew bored with his botnets and his hosting service, which he found involved placating a lot of ‘whiny customers.’ So he quit and began to focus on something he enjoyed far more: perfecting his own malware.”

Cambridge’s Clayton and his colleagues argue the last two examples are more the exception than the rule, and that their research points to important policy implications for fighting cybercrime that are often discounted or overlooked: namely, interventions that focus on the economics of attention and boredom, and on making such work as laborious and boring as possible.

Many cybersecurity experts remark that taking down domain names and other infrastructure tied to cybercrime businesses amounts to little more than a game of whack-a-mole, because the perpetrators simply move somewhere else to resume their operations. But the Cambridge researchers note that each takedown creates further repetitive, tedious work for the administrators, who have to set up their sites anew.

“Recent research shows that the booter market is particularly susceptible to interventions targeted at this infrastructural work, which make the jobs of these server managers more boring and more risky,” the researchers note.

The paper takes care to note that its depictions of the ‘boredom’ of the untrained administrative work carried out in the illicit economy should not be taken as impugning the valuable and complex work of legitimate system administrators. “Rather, it is to recognize that this is a different kind of knowledge and set of skills from engineering work, which needs to be taught, learned, and managed differently.”

The authors conclude that refocusing interventions in this way might also be supported by changes to the predominant forms of messaging used by law enforcement and policy professionals around cybercrime:

“If participation within these economies is in fact based in deviant aspiration rather than deviant experience, the currently dominant approaches to messaging, which tend to focus on the dangerous and harmful nature of these behaviors, the high levels of technical skill possessed by cybercrime actors, the large amounts of money made in illicit online economies, and the risk of detection, arrest, and prosecution are potentially counterproductive, only feeding the aspiration which drives this work. Conversely, by emphasizing the tedious, low-skilled, low-paid, and low-status reality of much of this work, messaging could potentially dissuade those involved in deviant online subcultures from making the leap from posting on forums to committing low-level crime.”

“Additionally, diversionary interventions that emphasize the shortage of sysadmin and ‘pen tester’ workers in the legitimate economy (“you could be paid really good money for doing the same things in a proper job”) need to recognize that pathways, motivations, and experiences may be rather more prosaic than might be expected.”

“Conceptualizing cybercrime actors as high-skilled, creative adolescents with a deep love for and understanding of technology may in fact mischaracterize most of the people on whom these markets depend, who are often low-skilled administrators who understand fairly little about the systems they maintain and administer, and whose approach is more akin to the practical knowledge of the maintainer than the systematic knowledge of a software engineer or security researcher. Finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.”

Further reading: Cybercrime is (often) Boring: Maintaining the Infrastructure of Cybercrime Economies (PDF).

macOS Threat Hunting & Incident Response eBook | Intro By Alex Burinskiy

With macOS increasingly important in the enterprise, security analysts need to understand how macOS malware behaves and how to find evidence of its activity. This guide will arm you with the knowledge you need to defend your organization’s macOS fleet.

At Cengage, we run a large fleet of Macs within a larger fleet of other desktop, server, laptop and multi-use devices, all protected by SentinelOne’s EPP/EDR platform.

Macs have a deserved reputation for robustness, longevity and reliability. Along with that, there is a widespread perception that Macs do not suffer from the kind of security issues that most of us are familiar with on Windows-driven devices.

Alas, while it’s true there is nothing like the same quantity of malware out there targeting Macs as there is targeting Windows machines, there are still plenty of malicious backdoors, trojans, adware and PUPs lurking in the wild, just waiting for an opportunity to infect unprotected devices or unwary users.

My experience in the enterprise suggests that many Mac users still have to learn the same kind of caution that is much more widespread in the Windows-PC world. From being more circumspect about what websites they visit or what software they download to taking a pause before offering up administrator privileges to installations that really have no business asking for them, Mac users owe it to themselves – and their employers – to realize that the threat landscape has changed markedly for macOS in recent years. The number of threats we see blocked by SentinelOne on our endpoints has grown dramatically over time, and all the signs are that this is a trend set to continue.

This new eBook from SentinelOne answers an important question for anyone running macOS, and particularly for those challenged with defending Macs in the enterprise: if you suspected that you might have just installed a piece of malicious software, become victim to a phishing attack, or let an intruder sneak in and out of your system, where would you look for evidence? And what evidence would you look for?

Did you know that there is Mac malware that goes to sleep when you open the Activity Monitor and backdoors that persist by means other than LaunchAgents? Many Mac users, perhaps most, do not.

This eBook serves as a comprehensive reference and guided tutorial on where to find evidence of threats on macOS, how to collect data on file, system and user activity, and how to read some of the Mac’s more obscure and obtuse databases.

For anyone interested in macOS security, this eBook is a valuable resource, and I am delighted to recommend it to the reader.

Alex Burinskiy
Manager of Security Engineering


Mirantis releases its first major update to Docker Enterprise

In a surprise move, Mirantis acquired Docker’s Enterprise platform business at the end of last year, and while Docker itself is refocusing on developers, Mirantis kept the Docker Enterprise name and product. Today, Mirantis is rolling out its first major update to Docker Enterprise with the release of version 3.1.

For the most part, these updates are in line with what’s been happening in the container ecosystem in recent months. There’s support for Kubernetes 1.17 and improved support for Kubernetes on Windows (something the Kubernetes community has worked on quite a bit in the last year or so). Also new is Nvidia GPU integration in Docker Enterprise through a pre-installed device plugin, as well as support for Istio Ingress for Kubernetes and a new command-line tool for deploying clusters with the Docker Engine.

In addition to the product updates, Mirantis is also launching three new support options for its customers that now give them the option to get 24×7 support for all support cases, for example, as well as enhanced SLAs for remote managed operations, designated customer success managers and proactive monitoring and alerting. With this, Mirantis is clearly building on its experience as a managed service provider.

What’s maybe more interesting, though, is how this acquisition is playing out at Mirantis itself. Mirantis, after all, went through its fair share of ups and downs in recent years, from high-flying OpenStack platform to layoffs and everything in between.

“Why we do this in the first place and why at some point I absolutely felt that I wanted to do this is because I felt that this would be a more compelling and interesting company to build, despite maybe some of the short-term challenges along the way, and that very much turned out to be true. It’s been fantastic,” Mirantis CEO and co-founder Adrian Ionel told me. “What we’ve seen since the acquisition, first of all, is that the customer base has been dramatically more loyal than people had thought, including ourselves.”

Ionel admitted that he thought some users would defect because this is obviously a major change, at least from the customer’s point of view. “Of course we have done everything possible to have something for them that’s really compelling and we put out the new roadmap right away in December after the acquisition — and people bought into it at very large scale,” he said. With that, Mirantis retained more than 90% of the customer base and the vast majority of all of Docker Enterprise’s largest users.

Ionel, who almost seemed a bit surprised by this, noted that this helped the company to turn in two “fantastic” quarters and was profitable in the last quarter, despite COVID-19.

“We wanted to go into this acquisition with a sober assessment of risks because we wanted to make it work, we wanted to make it successful because we were well aware that a lot of acquisitions fail,” he explained. “We didn’t want to go into it with a hyper-optimistic approach in any way — and we didn’t — and maybe that’s one of the reasons why we are positively surprised.”

He argues that the reason for the current success is that enterprises are doubling down on their container journeys and because they actually love the Docker Enterprise platform, like infrastructure independence, its developer focus, security features and ease of use. One thing many large customers asked for was better support for multi-cluster management at scale, which today’s update delivers.

“Where we stand today, we have one product development team. We have one product roadmap. We are shipping a very big new release of Docker Enterprise. […] The field has been completely unified and operates as one salesforce, with record results. So things have been extremely busy, but good and exciting.”

Cisco to acquire internet monitoring solution ThousandEyes

When Cisco bought AppDynamics in 2017 for $3.7 billion just before the IPO, the company sent a clear signal it wanted to move beyond its pure network hardware roots into the software monitoring side of the equation. Yesterday afternoon the company announced it intends to buy another monitoring company, this time snagging internet monitoring solution ThousandEyes.

Cisco would not comment on the price when asked by TechCrunch, but published reports from CNBC and others pegged the deal at around $1 billion. If that’s accurate, it means the company has paid around $4.7 billion for a pair of monitoring solutions companies.

Cisco’s Todd Nightingale, writing in a blog post announcing the deal said that the kind of data that ThousandEyes provides around internet user experience is more important than ever as internet connections have come under tremendous pressure with huge numbers of employees working from home.

ThousandEyes keeps watch on those connections and should fit in well with other Cisco monitoring technologies. “With thousands of agents deployed throughout the internet, ThousandEyes’ platform has an unprecedented understanding of the internet and grows more intelligent with every deployment,” Nightingale wrote.

He added, “Cisco will incorporate ThousandEyes’ capabilities in our AppDynamics application intelligence portfolio to enhance visibility across the enterprise, internet and the cloud.”

As for ThousandEyes, co-founder and CEO Mohit Lad told a typical acquisition story. It was about growing faster inside the big corporation than it could on its own. “We decided to become part of Cisco because we saw the potential to do much more, much faster, and truly create a legacy for ThousandEyes,” Lad wrote.

It’s interesting to note that yesterday’s move, and the company’s larger acquisition strategy over the last decade, are part of a broader shift to software and services as a complement to its core networking hardware business.

Just yesterday, Synergy Research released its network switch and router revenue report, and it wasn’t great. As companies have hunkered down during the pandemic, they have been buying much less network hardware, dropping the Q1 numbers to a seven-year low. That translated into $1 billion less in overall revenue in this category, according to Synergy.

While Cisco owns the vast majority of the market, it obviously wants to keep moving into software services as a hedge against this shifting market. This deal simply builds on that approach.

ThousandEyes was founded in 2010 and raised over $110 million on a post valuation of $670 million as of February 2019, according to Pitchbook Data.

UK Ad Campaign Seeks to Deter Cybercrime

The United Kingdom’s anti-cybercrime agency is running online ads aimed at young people who search the Web for services that enable computer crimes, specifically trojan horse programs and DDoS-for-hire services. The ad campaign follows a similar initiative launched in late 2017 that academics say measurably dampened demand for such services by explaining that their use to harm others is illegal and can land potential customers in jail.

For example, search in Google for the terms “booter” or “stresser” from a U.K. Internet address, and there’s a good chance you’ll see a paid ad show up on the first page of results warning that using such services to attack others online is illegal. The ads are being paid for by the U.K.’s National Crime Agency, which saw success with a related campaign for six months starting in December 2017.

A Google ad campaign paid for by the U.K.’s National Crime Agency.

NCA Senior Manager David Cox said the agency is targeting its ads to U.K. males age 13 to 22 who are searching for booter services or different types of remote access trojans (RATs), as part of an ongoing effort to help steer young men away from cybercrime and toward using their curiosity and skills for good. The ads link to advertorials and to the U.K.’s Cybersecurity Challenge, which tries to gamify computer security concepts and highlight potential careers in cybersecurity roles.

“The fact is, those standing in front of a classroom teaching children have less information about cybercrime than those they’re trying to teach,” Cox said, noting that the campaign is designed to support so-called “knock-and-talk” visits, where investigators visit the homes of young people who’ve downloaded malware or purchased DDoS-for-hire services to warn them away from such activity. “This is all about showing people there are other paths they can take.”

While it may seem obvious to the casual reader that deploying some malware-as-a-service or using a booter to knock someone or something offline can land one in legal hot water, the typical profile of those who frequent these services is young, male, impressionable and participating in online communities of like-minded people in which everyone else is already doing it.

In 2017, the NCA published “Pathways into Cyber Crime,” a report that drew upon interviews conducted with a number of young men who were visited by U.K. law enforcement agents in connection with various cybercrime investigations.

Those findings, which the NCA said came about through knock-and-talk interviews with a number of suspected offenders, found that 61 percent of suspects began engaging in criminal hacking before the age of 16, and that the average age of suspects and arrests of those involved in hacking cases was 17 years old.

The majority of those engaged in, or on the periphery of, cyber crime, told the NCA they became involved via an interest in computer gaming.

A large proportion of offenders began to participate in gaming cheat websites and “modding” forums, and later progressed to criminal hacking forums.

The NCA learned the individuals visited had just a handful of primary motivations in mind, including curiosity, overcoming a challenge, or proving oneself to a larger group of peers. According to the report, a typical offender faces a perfect storm of ill-boding circumstances, including a perceived low risk of getting caught, and a perception that their offenses in general amounted to victimless crimes.

“Law enforcement activity does not act as a deterrent, as individuals consider cyber crime to be low risk,” the NCA report found. “Debrief subjects have stated that they did not consider law enforcement until someone they knew or had heard of was arrested. For deterrence to work, there must be a closing of the gap between offender (or potential offender) with law enforcement agencies functioning as a visible presence for these individuals.”

Cox said the NCA will continue to run the ads indefinitely, and that it is seeking funding from outside sources — including major companies in the online gaming industry, whose platforms are perhaps the most targeted by DDoS-for-hire services. He called the program a “great success,” noting that in the past 30 days (13 of which the ads weren’t running for funding reasons), the ads generated some 5.32 million impressions, and more than 57,000 clicks.


Richard Clayton is director of the University of Cambridge Cybercrime Centre, which has been monitoring DDoS attacks for several years using a variety of sensors across the Internet that pretend to be the types of systems which are typically commandeered and abused to help launch such assaults.

Last year, Clayton and fellow Cambridge researchers published a paper showing that law enforcement interventions — including the NCA’s anti-DDoS ad campaign between 2017 and 2018 — demonstrably slowed the growth in demand for DDoS-for-hire services.

“Our data shows that by running that ad campaign, the NCA managed to flatten out demand for booter services over that period,” Clayton said. “In other words, the demand for these services didn’t grow over the period as we would normally see, and we didn’t see more people doing it at the end of the period than at the beginning. When we showed this to the NCA, they were ever so pleased, because that campaign cost them less than ten thousand [pounds sterling] and it stopped this type of cybercrime from growing for six months.”

The Cambridge study found various interventions by law enforcement officials had measurable effects on the demand for and damage caused by booter and stresser services. Source: Booting the Booters, 2019.

Clayton said part of the problem is that many booter/stresser providers claim they’re offering lawful services, and many of their would-be customers are all too eager to believe this is true. Also, the price point is affordable: A typical booter service will allow customers to launch fairly high-powered DDoS attacks for just a few dollars per month.

“There are legitimate companies that provide these types of services in a legal manner, but there are all types of agreements that have to be in place before this can happen,” Clayton said. “And you don’t get that for ten bucks a month.”


The NCA’s ad campaign is competing directly with Google ads taken out by many of the same people running these DDoS-for-hire services. It may surprise some readers to learn that cybercrime services often advertise on Google and other search sites much like any legitimate business would — paying for leads that might attract new customers.

Several weeks back, KrebsOnSecurity noticed that searching for “booter” or “stresser” in Google turned up paid ads for booter services prominently on the first page of results. But as I noted in a tweet about the finding, this is hardly a new phenomenon.

A booter ad I reported to Google that the company subsequently took offline.

Cambridge’s Clayton pointed me to a blog post he wrote in 2018 about the prevalence of such ads, which violate Google’s policies on acceptable advertisements via its platform. Google says it doesn’t allow ads for services that “cause damage, harm or injury,” and that they don’t allow adverts for services that “are designed to enable dishonest behavior.”

Clayton said Google eventually took down the offending ads. But as my few seconds of Googling revealed, the company appears to have decided to play whack-a-mole when people complain, instead of expressly prohibiting the placement of (and payment for) ads with these terms.

Google told KrebsOnSecurity that it relies on a combination of technology and people to enforce its policies.

“We have strict ad policies designed to protect users on our platforms,” Google said in a written statement. “We prohibit ads that enable dishonest behavior, including services that look to take advantage of or cause harm to users. When we find an ad that violates our policies we take action. In this case, we quickly removed the ads.”

Google pointed to a recent blog post detailing its enforcement efforts in this regard, which said in 2019 the company took down more than 2.7 billion ads that violated its policies — or more than 10 million ads per day — and that it removed a million advertiser accounts for the same reason.

The ad pictured above ceased to appear shortly after my outreach to them. Unfortunately, an ad for a different booter service (shown below) soon replaced the one they took down.

An ad for a DDoS-for-hire service that appeared shortly after Google took down the ones KrebsOnSecurity reported to them.

The CISO’s Quick Guide to Verizon’s 2020 Data Breach Investigations Report

For the 13th consecutive year, Verizon has released its Data Breach Investigations Report, a comprehensive source of data breach-related information that offers invaluable insights to CISOs and CIOs. This year’s report was composed from data received from 81 organizations, including cybersecurity companies, law enforcement agencies, ISACs, CERTs, consulting firms and government agencies. It encompasses 157,525 reported incidents and 108,069 breaches. At 119 pages, there’s a lot to absorb. Here, we’ll detail the most important findings and provide our key recommendations to help inform your security operations.

Who Is Behind Most Cyber Attacks?

While insider attacks are certainly a thing (about 30% of the time, in fact) and may even be on the increase, by far the largest number of threats to your organization originate from external actors. The data for last year shows that 70% of breaches were from external actors. Only 1% involved multiple parties and again, a mere 1% were found to involve partner actions. The report states that:

“It is a widely held opinion that insiders are the biggest threat to an organization’s security, but one that we believe to be erroneous.”

However, we would caution the reader not to make the mistake of believing that the number of threats from a particular origin equates to the size of the risk presented by those threats: one insider attack could potentially cause ten times the harm of an external attack, depending on the nature of the incident. Nevertheless, while security teams need to keep focus on attacks from any origin, the data make it pretty clear that external threat actors are queuing up not just to knock on your door, but to batter down your defenses.

But who are all these “external actors”, besides not being people you employ? Around 55% were categorized as “organized crime”, by which the researchers mean to refer to “criminals with a process, not the mafia”. Perhaps a better way to understand that is: an attack from criminals with a clearly observable objective and methodology. We’ll get to “objectives” in the next section, but for now let’s note that the use of “criminal” here excludes nation-state actors, and the use of “a process” excludes opportunistic attacks, hacktivists, and attacks where the motive could not be discerned.

What Do Threat Actors Want?

If you guessed the answer to the $64 million question was “money”, you would be right. At least in the overwhelming majority of cases. Some 86% of breaches were financially motivated, according to the report. This should not surprise anyone within the security industry, but for others in your organization, who keep hearing about high profile nation-state hackers and APTs, it may come as a surprise.

The focus on financial reward also makes sense of another interesting data point: attackers mostly engage in attacks that include no more than two or three steps. Anything more complicated than that is either abandoned or likely to originate from more persistent attackers. The explanation for this is that if you are a cyber criminal and your goal is financial reward, you tend to automate attacks as much as possible; picking off the low-hanging fruit is always preferable to investing time and effort in a hardened target. Operating at velocity and scale and employing automated targeting and exploitation tools is a simple ROI calculation. The lesson for defenders is straightforward: if you cover your bases and make the bad guys work hard, the vast majority of them will go elsewhere.

But while money may ultimately be what attackers really (really) want, they often come away with a whole lot more. In particular, 58% of attacks resulted in compromised personal data, and 37% of attacks either used or stole user credentials. Indeed, as we’ll see below, user credentials are a prime commodity for threat actors. Note also that your organization may be breached as a gateway to another, more valuable target. Perhaps you have a weakly-secured server that an attacker is only interested in enslaving as part of a botnet in a DDoS attack against someone else; on the other hand, perhaps you’re part of the supply chain of a more juicy victim, or you’re a compromised MSP whose real value to the threat actor lies in your clients rather than your organization itself.

How Do Hackers Penetrate Your Defenses?

The data on this one is overwhelming: stolen, phished or brute-forced credentials are attackers’ primary means into your network, and once they’re inside, obtaining further credentials for persistence or for sale is one of their primary objectives. Over 80% of breaches that involved hacking comprised some form of brute force or use of lost or stolen user credentials. That doesn’t surprise us. Credential stuffing, which involves replaying a list of (often leaked in other breaches) username/password combinations against multiple accounts, is said to occur tens of millions of times a day.

This is closely related to the fact that many organizations have shifted a substantial amount of their services and data to the cloud, where it is more difficult to drop malware. Instead, attackers opt for a much simpler, scalable solution: they bombard the service with login requests using the credentials they have stolen or obtained from data dumps. And, as the more aggressive ransomware attacks now exfiltrate data prior to encrypting it, it is highly likely that this data will be sold or even re-used by the same attackers to “stuff” their way back into the same organizations’ accounts at a later time. As the report authors put it:

“It appears to be a ubiquitous process that moves at a more or less consistent pace: Get a leak, append to your dictionary, continue brute forcing the internet. Rinse, repeat.”

Given the intense focus on stealing credentials both for compromise and persistence, it is imperative that organizations increase their focus on securing these.
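As an added example (not code from the Verizon report or SentinelOne), here is a detection pass over constructed auth-log lines that separates the credential-stuffing pattern described above (one source replaying leaked pairs against many distinct accounts) from classic single-account brute force, and flags the case that matters most: a success from the same source after the failures began. The log format, thresholds and sample addresses are assumptions.

```python
"""Telling credential stuffing apart from brute forcing in auth logs.
Added example, not code from the report or SentinelOne; log format, thresholds
and sample lines are assumptions. Stuffing = many accounts, about one try each;
brute force = one account, many tries."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (assumed, not real logs).
SAMPLE_LOG = """\
2020-05-28T10:00:01 auth: Failed password for alice from 203.0.113.7
2020-05-28T10:00:02 auth: Failed password for bob from 203.0.113.7
2020-05-28T10:00:03 auth: Failed password for carol from 203.0.113.7
2020-05-28T10:00:04 auth: Failed password for dave from 203.0.113.7
2020-05-28T10:00:05 auth: Failed password for erin from 203.0.113.7
2020-05-28T10:00:06 auth: Failed password for frank from 203.0.113.7
2020-05-28T10:00:07 auth: Accepted password for grace from 203.0.113.7
2020-05-28T10:01:00 auth: Failed password for admin from 198.51.100.23
2020-05-28T10:01:10 auth: Failed password for admin from 198.51.100.23
2020-05-28T10:01:20 auth: Failed password for admin from 198.51.100.23
2020-05-28T10:01:30 auth: Failed password for root from 198.51.100.23
2020-05-28T10:01:40 auth: Failed password for admin from 198.51.100.23
2020-05-28T10:02:00 auth: Failed password for carol from 192.0.2.5
2020-05-28T10:02:05 auth: Accepted password for carol from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Parse log text into event dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def classify_sources(events, window=timedelta(minutes=5),
                     min_failures=5, stuffing_ratio=0.8):
    """Return {ip: finding} for sources with >= min_failures inside one window (assumed thresholds)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        (successes if e["ok"] else failures)[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        j = 0
        for i in range(len(fails)):
            # Slide the right edge so fails[i:j] all fall within the window of fails[i].
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            burst = fails[i:j]
            if len(burst) < min_failures:
                continue
            users = {e["user"] for e in burst}
            ratio = len(users) / len(burst)  # ~1.0 means one attempt per account: replayed pairs
            verdict = "credential_stuffing" if ratio >= stuffing_ratio else "brute_force"
            # A success from the same source after the burst began: a replayed pair likely worked.
            hit = any(s["ts"] >= burst[0]["ts"] for s in successes.get(ip, []))
            findings[ip] = {"verdict": verdict, "failures": len(burst),
                            "distinct_users": len(users), "success_after_failure": hit}
            break  # report the first qualifying burst per source
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

The source with a success flagged after a stuffing burst is the one to investigate first: that account's password has most likely appeared in an earlier leak.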

Social engineering remains the primary way to steal new creds, gain a foothold and/or defraud companies out of money. Some 96% of phishing attacks were crafted through malicious email or malspam. The overwhelming filetype of choice for actors here was Office documents and Windows apps. Other filetypes that were seen used to a lesser extent included shell scripts, archives, Java, Flash, PDFs, DLLs and Linux, Android, and macOS applications.

Which Assets Are Attackers Leveraging the Most?

While attacks against on-premise assets still dominated the threat landscape at around 70% of breaches, cloud assets were involved in about 24% of breaches in the past year. Of these, email or web application servers were involved 73% of the time, and in those cases, credentials were stolen 77% of the time. It is evident that the attackers understand that organizations now store sensitive information in cloud infrastructure and applications, and are shifting their efforts in line with this trend in order to obtain and monetize this information.

Web application servers are targeted more than any other asset (including social engineering of people). Typically, this involves either using stolen credentials (as previously mentioned) or exploiting unpatched vulnerabilities.

Security teams should pay heed to this particular data point: only around half of all reported vulnerabilities are actually patched in the first quarter after discovery. This presents two points of weakness. First, attackers often move fast to beat the patch cycle, using services like Shodan to scan the entire net for vulnerable devices. Second, and perhaps more likely to be overlooked, is that the IT teams that don’t patch in the first quarter after discovery are less likely to ever patch at all. Vulnerabilities that receive special attention from attackers include those affecting SQL, PHP and local file injection, particularly against targets in the Retail industry.

Are Poor Security Practices Contributing to Your Own Downfall?

To err is human, it is said, but organizations are people guided by processes, and human error is something that businesses, if not the individuals within them, can control with better process implementation and oversight. In particular, human error leading to misconfigured storage is on the increase in reported breaches. According to the data, errors were causally significant in 22% of confirmed breaches. To put that in context, that’s the same percentage as attributed to social engineering as a tactic across the same dataset.

While the good news is that some portion, perhaps a significant one, of breaches due to misconfigured storage are reported by security researchers rather than discovered by threat actors, the bad news is such reports tend to make headlines, and reputational damage, though hard to quantify, could be as costly as a data theft by a malicious actor.

What Kinds of Malware Are Favored by Attackers?

Around 17% of confirmed breaches involved some form of malware. Of those, 27% were due specifically to ransomware, something that should come as no surprise given the volume of high-profile incidents reported in the media over the previous year.

As SentinelLabs has been noting for some time, ransomware tactics have evolved in recent months to include an element of extortion: by exfiltrating data before encryption, ransomware gangs are then able to threaten leaking sensitive customer data or IP if victims don’t pay. This trend began in earnest after the cut-off point for Verizon’s data collection, so we will see this trend more evident in next year’s report. However, even prior to October 2019 (the latest date for entry into the 2020 report), it’s clear that ransomware was on the increase during the earlier part of the year. Ransomware was noted as:

“…the third most common Malware breach variety and second most common Malware incident variety.”

Of the various sectors covered by the report, the Education and Public sectors were heavily targeted by ransomware operators throughout the year.

The most common kind of malware, in keeping with the data showing that credential theft was most threat actors’ top priority, was the password dumper. Following that, downloaders (think Emotet and TrickBot, for example) came in next, along with Trojans, which are largely a tool associated with advanced attackers looking for long-term persistence through backdoors and C2 functionality. Interestingly, there has been a sharp decline in cryptojacking malware after its surge in popularity during 2017 and, in particular, 2018.

SentinelOne Recommendations

At 119 pages, there is much more detail in the report than we could cover here, but we do hope to have painted a clear picture of the report’s main findings. In this section, we outline some recommendations based on our understanding of the entire report and SentinelOne’s own telemetry.

Unlike APTs, the majority of attackers do not go in for hugely complicated attacks with multiple stages. This means that catching an attack at any – rather than every – stage of the threat lifecycle (aka ‘The kill chain’) will significantly increase your chances of avoiding a breach. Moreover, the earlier you can do that the better chance you have of forcing the attacker out empty-handed and determined to try his luck elsewhere. As the recent MITRE ATT&CK evaluation results proved, SentinelOne excels at stopping attacks at all stages, but specifically at preventing attacks before they have taken a foothold. Hence, our first and obvious recommendation: ensure you have a trusted, proven next-gen AI platform protecting your endpoints.

As we have seen above, attackers are using automated attacks to make their own lives easy. Make it harder for them by ensuring that you do not leave unnecessary ports open and reduce the number of exposed ports. Allow only essential services to access the internet, and limit who has access to them. SSH and Telnet (on default ports 22 and 23, respectively) are a major target for malicious connection attempts. Who in your organization really needs them? Identify your needs and restrict everyone else.

Credentials are the pot of gold at the end of the rainbow for attackers. Ensure your Windows systems have all moved away from legacy LM and NTLMv1 and implement our recommendations here for protecting Windows credentials.

Windows Security Essentials | Preventing 4 Common Methods of Credentials Exfiltration
Credential dumping is a prelude to lateral movement, and some well-known password attacks are still successful in the wild. Have you got the basics covered?

Data is your lifeblood. Control access to data, maintain an up-to-date inventory of confidential and sensitive files and, above all, use encryption.

Aside from weakly protected servers, people are one of the main “assets” attackers seek to exploit, through social engineering and phishing attacks. By all means, keep up your user awareness programs to help educate your staff about phishing attacks. Support them with automated endpoint security software that will catch malware even if they fall for a malicious link or drive-by download scam. Raise the bar for attackers by enforcing 2FA and MFA on all user login accounts.

Error and misconfigurations are your unintentional backdoors to being compromised. Conduct a thorough review on your storage permissions, and just as importantly, implement proper review processes that can help prevent and identify misconfigurations. How many people are allowed to spin up repositories without some kind of security oversight or review? The answer should be none.

Finally, you’ve heard it before and you’ll no doubt hear it again: patch early, patch often. That failure to patch within the first quarter after a vulnerability disclosure is a telling statistic that you don’t want your organization to add to, and it’s a failure you don’t want adversaries to discover, either.


It’s not exactly news, but it’s also worth emphasizing: most threat actors follow the money. And just as surely as organizations have begun the move from on-prem to the cloud, attackers are following. As the perimeter-less, zero trust network paradigm ripples out across global enterprises, attackers care most about obtaining those priceless sign-on credentials. And while organizations continue to rely on email and expect people to click links to do their work, attackers will keep on sending phishing links to do their work, too.

The latest data on breach investigations is a reflection of current practices in organizational behavior. Where we go, they follow. Preventing breaches is a matter of recognizing this symbiotic relationship, anticipating the dangers and putting into place the security solutions, people practices and organizational processes that raise the cost of attack beyond that which the threat actor is willing to pay.

If you would like to see how SentinelOne can help protect your business from security breaches, contact us today or request a free demo.
