The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good

“Stalkerware” is a term that refers to commercial software used to monitor the digital activities of others, typically without their consent. Although there are legitimate uses for location tracking (think fleet vehicles) and activity monitoring (parental monitoring, say) some companies market software that stretches these boundaries and is intended to appeal to an audience of abusive partners, unscrupulous employers, cyber stalkers, and others who seek to control the behavior of their victims through covert surveillance. In the security industry, we often end up referring to these as PUPs or PUAs (Potentially Unwanted Programs/Applications) to alert users to their presence when detected.

However, in the case of “SpyFone”, they went beyond even the usual boundaries of commercial spyware, with a catalog of misbehavior that has now been called out by the FTC. The company and CEO have been found to have committed several misdeeds including illegally harvesting private information from SpyFone users and failing to secure that information from other hackers and identity thieves. They also failed to comply with a previous FTC order to fully investigate a hack of the company’s servers back in 2018.

The FTC has now banned both company and CEO from any further trading in surveillance software, not just in the US, but worldwide. In addition, the FTC has ordered the company behind SpyFone (Support King) and the CEO to “delete any information illegally collected from their stalkerware apps”, as well as “notify owners of devices on which SpyFone’s apps were installed that their devices might have been monitored and the device may not be secure”. Hopefully, this will serve as an example to other ne’er-do-wells thinking of dipping their feet into the murky world of Stalkerware apps: the FTC is watching you.

The Bad

This week, news broke of a particular seller on one underground forum selling a new evasion method with the hope of appealing to cybercriminals looking for an edge. The seller offered a Proof-of-Concept to execute code in GPUs made by Intel, AMD and Nvidia. Executing code directly from the GPU is attractive for malicious purposes as it may provide an avenue to bypass certain types of endpoint security controls.

The seller states that the tool “allocates address space in GPU memory buffer, inserts and executes code from there”. They go on further to indicate that the technique can be used against Windows systems running OpenCL 2x and above. The original advertisement went up for sale in early August 2021. On the 25th of August, the same seller updated the thread simply stating “Sold”.

There have been other methodologies published in the past for executing code out of GPU, and other participants in the same forum were quick to point this out to the seller.

While the novelty of this seller’s product may be up for debate, the threat of such a tactic should be taken seriously. Finding unconventional places from which to stage and execute code has always been advantageous to enterprising attackers, and GPU memory is one more venue that most endpoint scanners do not inspect. There is plenty of academic research documenting similar tactics, as well as in-the-wild examples. Whether the apparent buyer of this PoC will turn up on our radar remains to be seen, but we suspect that if the developer’s code has genuine utility, we’ll see that ‘Sold’ message revert to ‘For Sale’ again before too long.

The Ugly

An article published this week by NPR raised some fresh, and worrying, concerns related to the recent rash of MS Exchange server hacks committed by Chinese APT actor Hafnium. The article suggests that those attacks and others over recent years may have been committed specifically for the purpose of feeding and training a Chinese-built AI system with data on US citizens.

The article notes that four years ago, China was producing more research related to AI than any other country, and that it currently has over 1,000 AI firms. Combine this with the fact that it’s been an open secret among Western intelligence agencies that China is on a campaign to steal massive amounts of data and what might seem like random, untargeted attacks on small and medium-sized businesses running on-premises Exchange servers starts to take on a different complexion.

Former director of the NCSC (National Counterintelligence and Security Center) William Evanina recently testified in front of the Senate Select Committee on Intelligence, claiming that a catalog of hacks in recent years had hoovered up the PII (personally identifiable information) of more than 80% of all Americans.

“The Chinese have more data than we have on ourselves…So you have the OPM data breach…you have an entire security clearance file for someone, you have Anthem records, you have his Marriott point record, credit cards, Equifax, his loans, his mortgages, his credit score. They know everything about you…”

To what end? The South China Morning Post claims the country has a vision to be a world leader in AI by 2030 with a focus on “social governance, national defence construction, and industrial value chain”. According to Evanina, the name of the game is manipulation, at home and abroad. Whether it’s coercing individuals or stealing IP or curbing criticism, we all know that data means power, and China appears to be grabbing all the data it can get its hands on. Not for nothing has President Biden declared that cyber security is a matter of national and economic security, but it’s not just the government that needs to up its game. We are all targets now. We owe it to ourselves and each other to take our own cybersecurity posture more seriously.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Customer experience startup Clootrack raises $4M, helps brands see through their customers’ eyes

Getting inside the mind of customers is a challenge as behaviors and demands shift, but Clootrack believes it has cracked the code in helping brands figure out how to do that.

It announced $4 million in Series A funding, led by Inventus Capital India, and included existing investors Unicorn India Ventures, IAN Fund and Salamander Excubator Angel Fund, as well as individual investment from Jiffy.ai CEO Babu Sivadasan. In total, the company raised $4.6 million, co-founder Shameel Abdulla told TechCrunch.

Clootrack is a real-time customer experience analytics platform that helps brands understand why customers stay or churn. Shameel Abdulla and Subbakrishna Rao, who both come from IT backgrounds, founded the company in 2017 after meeting years prior at Jiffstore, Abdulla’s second company that was acquired in 2015.

Clootrack team. Image Credits: Clootrack

Business-to-consumer and consumer brands often use customer satisfaction metrics like Net Promoter Score to understand the customer experience, but Abdulla said current methods don’t provide the “why” of those experiences and are slow, expensive and error-prone.

“The number of channels has increased, which means customers are talking to you, expressing their feedback and what they think in multiple places,” he added. “Word of mouth has gone digital, and you basically have to master the art of selling online.”

Clootrack turns the customer experience data from all of those first-party and third-party touchpoints — website feedback, chat bots, etc. — into granular, qualitative insights that give brands a look at drivers of the experience in hours rather than months so that they can stay on top of fast-moving trends.

Abdulla points to data that show a customer’s biggest driver of brand switching is the experience they receive. And, that if brands can reduce churn by 5%, they could be looking at an increase in profits of between 25% and 95%.

Most of the new funding will go to product development so that all data aggregations are gathered from all possible touchpoints. His ultimate goal is to be “the single platform for B2C firms.”

The company is currently working with over 150 customers in the areas of retail, direct-to-consumer, banking, automotive, travel and mobile app-based services. It is growing nine times year over year in revenue. It is mainly operating in India, but Clootrack is also onboarding companies in the U.S. and Europe.

Parag Dhol, managing director of Inventus, said he has known Abdulla for over five years. He had looked at one of Abdulla’s companies for investment, but had decided against it due to his firm being a Series A investor.

Dhol said market research needs an overhaul in India, where this type of technology is lagging behind the U.S.

“Clootrack has a very complementary team with Shameel being a complete CEO in terms of being a sales guy and serial entrepreneur who has learned his lessons, and Subbu, who is good at technology,” he added. “As CMOs realize the value in their unstructured data inside of their own database of the customer reviews and move to real-time feedback, these guys could make a serious dent in the space.”


Barbershop technology startup theCut sharpens its platform with new $4.5M round

TheCut, a technology platform designed to handle back-end operations for barbers, raised $4.5 million in new funding.

Nextgen Venture Partners led the round and was joined by Elevate Ventures, Singh Capital and Leadout Capital. The latest funding gives theCut $5.35 million in total funding since the company was founded in 2016, founder Obi Omile Jr. told TechCrunch.

Omile and Kush Patel created the mobile app that provides information and reviews on barbers for potential customers while also managing appointments, mobile payments and pricing on the back end for barbers.

“Kush and I both had terrible experiences with haircuts, and decided to build an app to help find good barbers,” Omile said. “We found there were great barbers, but no way to discover them. You can do a Google search, but it doesn’t list the individual barber. With theCut, you can discover an individual barber and discover if they are a great fit for you and won’t screw up your hair.”

The app also enables barbers, perhaps for the first time, to have a list of clients and keep notes and photos of hair styles, as well as track visits and spending. By providing payments, barbers can also leverage digital trends to provide additional services and extras to bring in more revenue. On the customer side, there is a search function with barber profile, photos of their work, ratings and reviews, a list of service offerings and pricing.

Omile said there are 400,000 to 600,000 barbers in the U.S., and it is one of the fastest-growth markets. As a result, the new funding will be used to hire additional talent, marketing and to grow the business across the country.

“We’ve gotten to a place where we are hitting our stride and seeing business catapulting, so we are in hiring mode,” he added.

Indeed, the company generated more than $500 million in revenue for barbers since its launch and is adding over 100,000 users each month. In addition, the app averages 1.5 million appointment bookings each month.

Next up, Omile wants to build out some new features like a digital store and the ability to process more physical payments by rolling out a card reader for in-person payments. TheCut will also focus on enabling barbers to have more personal relationships with their customers.

“We are building software to empower people to be the best version of themselves, in this case barbers,” he added. “The relationship with customers is an opportunity for the barber to make specific recommendations on products and create a grooming experience.”

As part of the investment, Leadout founder and managing partner Ali Rosenthal joined the company’s board of directors. She said Omile and Patel are the kind of founders that venture capitalists look for — experts in their markets and data-driven technologists.

“They had done so much with so little by the time we met them,” Rosenthal added. “They are creating a passionate community and set of modern, tech-driven features that are tailored to the needs of their customers.”


Feature Spotlight: Ease Deployment and Minimize Risk With Ranger Pro™

We are pleased to announce Ranger Pro, an available extension of Singularity Ranger®, which uses configurable job automation to conveniently and efficiently close agent deployment gaps. This exciting new option reduces stress and raises the productivity of an already overburdened Security team by offloading the ongoing and repetitive task of EPP/EDR agent installation. With peer-to-peer agent deployment, Ranger Pro finds and closes any agent deployment gaps, ensuring that no endpoint is left unsecured.

What Is An Agent Deployment Gap?

As SentinelOne customers already know, Singularity Ranger® is about proactive attack surface management. The first challenge that Ranger solves is visibility, showing you what is on your network.

Ranger uses a proprietary ML device fingerprinting engine (FPE) to find any IP-enabled device connected to your network without any additional agents, hardware, or network changes. Ranger creates a device inventory in moments, organized by device function and by security state: Secured, Unsecured, Unsupported, and Unknown.

  • Secured: These are endpoints that already have a Sentinel agent.
  • Unsecured: These devices can support an agent, but do not yet have one.
  • Unsupported: These devices, whether by hardware or software limitations, cannot support a Sentinel agent. Examples include OT (operational technology) devices, such as manufacturing process sensors.
  • Unknown: These are devices that the FPE could not yet categorize. The fingerprinting engine gets ‘smarter’ the longer it observes device communication traffic.
Ranger can autonomously discover unprotected devices

It is the so-called unsecured endpoints that are of particular interest to Ranger Pro. Any such device represents a gap in your agent deployment and a potential attack surface to be exploited. The security gap needs to be closed before malware or ransomware can exploit it.

How Do These Gaps Happen?

We often hear the question, “How do these gaps happen?” There are a number of possibilities. First, you may not have completed your initial agent rollout, but thought you did. Limited visibility is a real challenge facing IT security, and our solution tackles that challenge head-on. As previously mentioned, Ranger will spotlight any unsecured devices. In this way, it helps Security confidently answer the question, “Have I completed my agent rollout?” And if that answer is no, you will know exactly where to look. (And please, hold that thought for two paragraphs more…)

Another likely scenario is a hardware replacement cycle: new user endpoints or servers were purchased and put into service by IT, perhaps without a Sentinel agent installed to protect against known and unknown threats. Similarly, new employees are onboarded, often with new laptops or desktops which need autonomous cybersecurity protection, detection, and response.

In all of these cases, Ranger would show when an endpoint needs a Sentinel agent. Security teams can configure the solution to alert anytime such an unsecured endpoint is found.
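The reconciliation that produces those four states is, at bottom, a join between what the network shows and what the management console knows. The following is an added example (not SentinelOne or Ranger code) of that logic on constructed data: it keys devices on MAC address rather than IP, because addresses churn, and it treats a device with an agent as Secured regardless of whether fingerprinting has classified its OS. The supported-OS list, the data layout and the sample devices are all assumptions.

```python
"""Reconcile a network device inventory against an EDR agent roster to find
agent deployment gaps. Added example, not SentinelOne/Ranger code; the data
format, the supported-OS list and the classification rules are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Operating systems the (hypothetical) agent package supports.
SUPPORTED_OS = {"windows", "linux", "macos"}


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    os_family: Optional[str]  # None when fingerprinting has not classified it yet


# Constructed sample: devices discovered on one network segment.
DISCOVERED = [
    Device("10.0.1.10", "AA:BB:CC:00:00:01", "windows"),
    Device("10.0.1.11", "AA:BB:CC:00:00:02", "linux"),
    Device("10.0.1.12", "AA:BB:CC:00:00:03", "windows"),
    Device("10.0.1.20", "AA:BB:CC:00:00:04", "plc-firmware"),  # OT sensor
    Device("10.0.1.30", "AA:BB:CC:00:00:05", None),            # not yet fingerprinted
]

# Constructed sample: MACs of endpoints whose agent checks in to the console.
AGENT_MACS = {"aa:bb:cc:00:00:01"}


def classify(devices, agent_macs, supported_os=SUPPORTED_OS):
    """Return {state: [ip, ...]} using the states Secured, Unsecured,
    Unsupported and Unknown. Agent presence wins over everything else."""
    agent_macs = {m.lower() for m in agent_macs}   # normalise MAC case
    buckets = {"Secured": [], "Unsecured": [], "Unsupported": [], "Unknown": []}
    for d in devices:
        if d.mac.lower() in agent_macs:
            buckets["Secured"].append(d.ip)
        elif d.os_family is None:
            buckets["Unknown"].append(d.ip)
        elif d.os_family in supported_os:
            buckets["Unsecured"].append(d.ip)
        else:
            buckets["Unsupported"].append(d.ip)
    return buckets


def deployment_gap(devices, agent_macs):
    """The agent deployment gap: devices that could run an agent but do not."""
    return classify(devices, agent_macs)["Unsecured"]


if __name__ == "__main__":
    for state, ips in classify(DISCOVERED, AGENT_MACS).items():
        print(f"{state:12s} {ips}")
    print("gap to close:", deployment_gap(DISCOVERED, AGENT_MACS))
```

Unknown devices are deliberately kept out of the gap list: pushing an installer at a device whose platform you have not identified is how OT gear gets knocked over, so they stay in their own bucket until fingerprinting resolves them.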

Why Did We Create Ranger Pro?

After finding the coverage gap, the inevitable next step facing the security team is closing the gap. Security administrators can indeed choose to do so manually via the SentinelOne Management Console, but such repetitive tasks are begging to be automated.

No one suggests that installing an agent is unworthy of Security’s attention, only that the task comes at the opportunity cost of a SOC analyst’s valuable time. Security teams are often stretched far too thin and need sensible automation to help them do their job more effectively.

Moreover, how long would the endpoint remain in the wild without a Sentinel agent keeping watch? After all, SOC analysts are on the front lines of a high-stakes battle for the security of the organization against all threats. Much like nurses and physicians in a hospital emergency room, security staff are often forced to triage events, giving their time and focus to the most pressing matters of the day. SentinelOne created Ranger Pro to solve this pain.

Slashing an uncertain response time to a matter of moments, Ranger Pro is both a highly configurable and reliably automated means of completing your Sentinel agent rollout to unsecured endpoints.

An available add-on, Ranger Pro includes all of the Ranger capabilities available for your chosen functionality level – Singularity Core, Control, or Complete – with the added convenience and repeatability of automated deployment. Inevitably, the next question is, “How does it work?”

How Does Ranger Pro Work?

The following sequence walks you through the process.

First, by using the networked device inventory capability, an administrator notices a few unsecured endpoints. In this example site, there are five endpoints, four of which are unsecured. The admin selects 2 of those 4 endpoints – she could have just as easily selected all 4, but perhaps this is her first experience with Ranger Pro’s automated agent deployment and so wants to test it on a subset.

Under the Actions pull-down, she selects Deploy Agent.

Selecting unsecured devices for Agent deployment

The Auto Deploy pop-up window is opened, and the administrator selects the appropriate Agent deployment package.

Selecting the Agent deployment package

Once the package is chosen, the administrator enters the master passphrase credentials for her secure credential vault. SentinelOne does not have access to the credentials.

Entering the Master Passphrase credentials

Then the admin selects the appropriate site to assign the endpoints.

Completing Auto-Deploy configuration

And then Ranger Pro is off to the races, handling the details of Agent installation.

Switching to the Task Management context, the administrator can check the job status as it moves from “Pending” to “In Progress” to “Completed.”

Keeping an eye on job status via Task Management

Ranger Pro examines nearby secured endpoints and selects the one which can most efficiently install the Agent via the peer-to-peer deployment mechanism. Here the first Agent installation is completed.

Ranger Pro autonomously deploys the correct agent

Once Ranger Pro completes the installation and the next device inventory scan is done, the updated inventory reflects the newly secured endpoints. In this example, we installed an agent on two endpoints. In practice, a security administrator is just as likely to have configured the agent installation for all unsecured endpoints on this site. Or, perhaps this was the first attempt using Ranger Pro and the admin just wanted to explore the process on a subset of endpoints.

Once the admin is comfortable and confident with the auto-deploy capability, she can easily tackle the remaining endpoints’ agent installation with a few simple clicks.

A few clicks and you can auto-deploy agents across an entire site

Summary

Ranger Pro provides a convenient means of quickly and reliably installing a SentinelOne endpoint security agent on unsecured endpoints. The best part? Ranger does not need extra agents to manage your network attack surface; its AI is woven into the Sentinel agent itself. Using peer-to-peer agent deployment, Ranger Pro conveniently finds and closes any agent deployment gaps, providing security administrators with yet another way of proactively reducing their attack surface.

To explore Ranger and Ranger Pro, visit our solution page, read the datasheet, and when you are ready, contact us to discuss how SentinelOne can help your team do more.



Pixalate tunes into $18.1M for fraud prevention in television, mobile advertising

Pixalate raised $18.1 million in growth capital for its fraud protection, privacy and compliance analytics platform that monitors connected television and mobile advertising.

Western Technology Investment and Javelin Venture Partners led the latest funding round, which brings Pixalate’s total funding to $22.7 million to date. This includes a $4.6 million Series A round raised back in 2014, Jalal Nasir, founder and CEO of Pixalate, told TechCrunch.

The company, with offices in Palo Alto and London, analyzes over 5 million apps across five app stores and more than 2 billion IP addresses across 300 million connected television devices to detect and report fraudulent advertising activity for its customers. In fact, there are over 40 types of invalid traffic, Nasir said.

Nasir grew up going to livestock shows with his grandfather and learned how to spot defects in animals, and he has carried that kind of insight to Pixalate, which can detect the difference between real and fake users of content and if fraudulent ads are being stacked or hidden behind real advertising that zaps smartphone batteries or siphons internet usage and even ad revenue.

Digital advertising is big business. Nasir cited Association of National Advertisers research that estimated $200 billion will be spent globally in digital advertising this year. This is up from $10 billion a year prior to 2010. Meanwhile, estimated ad fraud will cost the industry $35 billion, he added.

“Advertisers are paying a premium to be in front of the right audience, based on consumption data,” Nasir said. “Unfortunately, that data may not be authorized by the user or it is being transmitted without their consent.”

While many of Pixalate’s competitors focus on first-party risks, the company is taking a third-party approach, mainly due to people spending so much time on their devices. Some of the insights the company has found include that 16% of Apple’s apps don’t have privacy policies in place, while that number is 22% in Google’s app store. More crime and more government regulations around privacy mean that advertisers are demanding more answers, he said.

The new funding will go toward adding more privacy and data features to its product, doubling the sales and customer teams and expanding its office in London, while also opening a new office in Singapore.

The company grew 1,200% in revenue since 2014 and is gathering over 2 terabytes of data per month. In addition to the five app stores Pixalate is already monitoring, Nasir intends to add some of the China-based stores like Tencent and Baidu.

Noah Doyle, managing director at Javelin Venture Partners, is also monitoring the digital advertising ecosystem and said with networks growing, every linkage point exposes a place in an app where bad actors can come in, which was inaccessible in the past, and advertisers need a way to protect that.

“Jalal and Amin (Bandeali) have insight from where the fraud could take place and created a unique way to solve this large problem,” Doyle added. “We were impressed by their insight and vision to create an analytical approach to capturing every data point in a series of transactions —  more data than other players in the industry — for comprehensive visibility to help advertisers and marketers maintain quality in their advertising.”


Explosion snags $6M on $120M valuation to expand machine learning platform

Explosion, a company that has combined an open source machine learning library with a set of commercial developer tools, announced a $6 million Series A today on a $120 million valuation. The round was led by SignalFire, and the company reported that today’s investment represents 5% of its value.

Oana Olteanu from SignalFire will be joining the board under the terms of the deal, which includes warrants of $12 million in additional investment at the same price.

“Fundamentally, Explosion is a software company and we build developer tools for AI and machine learning and natural language processing. So our goal is to make developers more productive and more focused on their natural language processing, so basically understanding large volumes of text, and training machine learning models to help with that and automate some processes,” company co-founder and CEO Ines Montani told me.

The company started in 2016 when Montani met her co-founder, Matthew Honnibal in Berlin where he was working on the spaCy open source machine learning library. Since then, that open source project has been downloaded over 40 million times.

In 2017, they added Prodigy, a commercial product for generating data for the machine learning model. “Machine learning is code plus data, so to really get the most out of the technologies you almost always want to train your models and build custom systems because what’s really most valuable are problems that are super specific to you and your business and what you’re trying to find out, and so we saw that the area of creating training data, training these machine learning models, was something that people didn’t pay very much attention to at all,” she said.

The next step is a product called Prodigy Teams, which is a big reason the company is taking on this investment. “Prodigy Teams  is [a hosted service that] adds user management and collaboration features to Prodigy, and you can run it in the cloud without compromising on what people love most about Prodigy, which is the data privacy, so no data ever needs to get seen by our servers,” she said. They do this by letting the data sit on the customer’s private cluster in a private cloud, and then use Prodigy Teams’ management features in the public cloud service.

Today, they have 500 companies using Prodigy including Microsoft and Bayer in addition to the huge community of millions of open source users. They’ve built all this with just 6 early employees, a number that has grown to 17 recently and they hope to reach 20 by year’s end.

She believes if you’re thinking too much about diversity in your hiring process, you probably have a problem already. “If you go into hiring and you’re thinking like, oh, how can I make sure that the way I’m hiring is diverse, I think that already shows that there’s maybe a problem,” she said.

“If you have a company, and it’s 50 dudes in their 20s, it’s not surprising that you might have problems attracting people who are not white dudes in their 20s. But in our case, our strategy is to hire good people and good people are often very diverse people, and again if you play by the [startup] playbook, you could be limited in a lot of other ways.”

She said that they have never seen themselves as a traditional startup following some conventional playbook. “We didn’t raise any investment money [until now]. We grew the team organically, and we focused on being profitable and independent [before we got outside investment],” she said.

But more than the money, Montani says that they needed to find an investor that would understand and support the open source side of the business, even while they got capital to expand all parts of the company. “Open source is a community of users, customers and employees. They are real people, and [they are not] pawns in [some] startup game, and it’s not a game. It’s real, and these are real people,” she said.

“They deserve more than just my eyeballs and grand promises. […] And so it’s very important that even if we’re selling a small stake in our company for some capital [to build our next] product [that open source remains at] the core of our company and that’s something we don’t want to compromise on,” Montani said.

Box, Zoom chief product officers discuss how the changing workplace drove their latest collaboration

If the past 18 months is any indication, the nature of the workplace is changing. And while Box and Zoom already have integrations together, it makes sense for them to continue to work more closely.

Their newest collaboration is the Box app for Zoom, a new type of in-product integration that allows users to bring apps into a Zoom meeting to provide the full Box experience.

While in Zoom, users can securely and directly access Box to browse, preview and share files from Zoom — even if they are not taking part in an active meeting. This new feature follows a Zoom integration Box launched last year with its “Recommended Apps” section that enables access to Zoom from Box so that workflows aren’t disrupted.

The companies’ chief product officers, Diego Dugatkin with Box and Oded Gal with Zoom, discussed with TechCrunch why seamless partnerships like these are a solution for the changing workplace.

With digitization happening everywhere, an integration of “best-in-breed” products for collaboration is essential, Dugatkin said. Not only that, people don’t want to be moving from app to app, instead wanting to stay in one environment.

“It’s access to content while never having to leave the Zoom platform,” he added.

It’s also access to content and contacts in different situations. When everyone was in an office, meeting at a moment’s notice internally was not a challenge. Now, more people are understanding the value of flexibility, and both Gal and Dugatkin expect that spending some time at home and some time in the office will not change anytime soon.

As a result, across the spectrum of a company, there is an increasing need for allowing and even empowering people to work from anywhere, Dugatkin said. That then leads to a conversation about sharing documents in a secure way for companies, which this collaboration enables.

The new Box and Zoom integration enables meeting in a hybrid workplace: chat, video, audio, computers or mobile devices, and also being able to access content from all of those methods, Gal said.

“Companies need to be dynamic as people make the decision of how they want to work,” he added. “The digital world is providing that flexibility.”

This long-term partnership is just scratching the surface of the continuous improvement the companies have planned, Dugatkin said.

Dugatkin and Gal expect to continue offering seamless integration before, during and after meetings: utilizing Box’s cloud storage, while also offering the ability for offline communication between people so that they can keep the workflow going.

“As Diego said about digitization, we are seeing continuous collaboration enhanced with the communication aspect of meetings day in and day out,” Gal added. “Being able to connect between asynchronous and synchronous with Zoom is addressing the future of work and how it is shaping where we go in the future.”

15-Year-Old Malware Proxy Network VIP72 Goes Dark

Over the past 15 years, a cybercrime anonymity service known as VIP72 has enabled countless fraudsters to mask their true location online by routing their traffic through millions of malware-infected systems. But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished.

Like other anonymity networks marketed largely on cybercrime forums online, VIP72 routes its customers’ traffic through computers that have been hacked and seeded with malicious software. Using services like VIP72, customers can select network nodes in virtually any country, and relay their traffic while hiding behind some unwitting victim’s Internet address.

The domain Vip72[.]org was originally registered in 2006 to “Corpse,” the handle adopted by a Russian-speaking hacker who gained infamy several years prior for creating and selling an extremely sophisticated online banking trojan called A311 Death, a.k.a. “Haxdoor,” and “Nuclear Grabber.” Haxdoor was way ahead of its time in many respects, and it was used in multiple million-dollar cyberheists long before multi million-dollar cyberheists became daily front page news.

An ad circa 2005 for A311 Death, a powerful banking trojan authored by “Corpse,” the administrator of the early Russian hacking clique Prodexteam. Image: Google Translate via Archive.org.

Between 2003 and 2006, Corpse focused on selling and supporting his Haxdoor malware. Emerging in 2006, VIP72 was clearly one of his side hustles that turned into a reliable moneymaker for many years to come. And it stands to reason that VIP72 was launched with the help of systems already infected with Corpse’s trojan malware.

The first mention of VIP72 in the cybercrime underground came in 2006 when someone using the handle “Revive” advertised the service on Exploit, a Russian language hacking forum. Revive established a sales presence for VIP72 on multiple other forums, and the contact details and messages shared privately by that user with other forum members show Corpse and Revive are one and the same.

When asked in 2006 whether the software that powered VIP72 was based on his Corpse software, Revive replied that “it works on the new Corpse software, specially written for our service.”

One denizen of a Russian language crime forum who complained about the unexplained closure of VIP72 last month said they noticed a change in the site’s domain name infrastructure just prior to the service’s disappearance. But that claim could not be verified, as there simply are no signs that any of that infrastructure changed prior to VIP72’s demise.

In fact, until mid-August VIP72’s main home page and supporting infrastructure had remained at the same U.S.-based Internet address for more than a decade — a remarkable achievement for such a high-profile cybercrime service.

Cybercrime forums in multiple languages are littered with tutorials about how to use VIP72 to hide one’s location while engaging in financial fraud. From examining some of those tutorials, it is clear that VIP72 is quite popular among cybercriminals who engage in “credential stuffing” — taking lists of usernames and passwords stolen from one site and testing how many of those credentials work at other sites.

Corpse/Revive also long operated an extremely popular service called check2ip[.]com, which promised customers the ability to quickly tell whether a given Internet address is flagged by any security companies as malicious or spammy.

Hosted on the same Internet address as VIP72 for the past decade until mid-August 2021, Check2IP also advertised the ability to let customers detect “DNS leaks,” instances where configuration errors can expose the true Internet address of hidden cybercrime infrastructure and services online.

Check2IP is so popular that it has become a verbal shorthand for basic due diligence in certain cybercrime communities. Also, Check2IP has been incorporated into a variety of cybercrime services online — but especially those involved in mass-mailing malicious and phishing email messages.

Check2IP, an IP reputation service that told visitors whether their Internet address was flagged in any spam or malware block lists.

It remains unclear what happened to VIP72; users report that the anonymity network is still functioning even though the service’s website has been gone for two weeks. That makes sense since the infected systems that get resold through VIP72 are still infected and will happily continue to forward traffic so long as they remain infected. Perhaps the domain was seized in a law enforcement operation.

But it could be that the service simply decided to stop accepting new customers because it had trouble competing with an influx of newer, more sophisticated criminal proxy services, as well as with the rise of “bulletproof” residential proxy networks. For most of its existence until recently, VIP72 normally had several hundred thousand compromised systems available for rent. By the time its website vanished last month, that number had dwindled to fewer than 25,000 systems globally.

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 working inbox credentials.

In about half the cases the credentials are being checked via “IMAP,” which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds “OK” = successful access).

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.

According to Bill, the fraudsters aren’t downloading all of their victims’ emails: That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill said. “You literally just pull cash out of peoples’ inboxes, and then you have all these secondary markets where you can sell this stuff.”

Bill’s data also shows that this gang is so aggressively going after gift card data that it will routinely seek new gift card benefits on behalf of victims, when that option is available. For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking.

Bill said these crooks have figured out a way to tap into those benefits as well.

“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”

The Gift Card Gang’s Footprint

How do the compromised email credentials break down in terms of ISPs and email providers? There are victims on nearly all major email networks, but Bill said several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.

“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said. “I don’t know why they’re getting popped so heavily.”

That may sound like a lot of hacked inboxes, but Bill said some of the bigger ISPs represented in his data have tens or hundreds of millions of customers.

Measuring which ISPs and email providers have the biggest numbers of compromised customers is not so simple in many cases, nor is identifying companies with employees whose email accounts have been hacked.

This kind of mapping is often more difficult than it used to be because so many organizations have now outsourced their email to cloud services like Gmail and Microsoft Office365 — where users can access their email, files and chat records all in one place.

“It’s a little complicated with Office 365 because it’s one thing to say okay how many Hotmail connections are you seeing per day in all this credential-stuffing activity, and you can see the testing against Hotmail’s site,” Bill said. “But with the IMAP traffic we’re looking at, the usernames being logged into are any of the million or so domains hosted on Office365, many of which will tell you very little about the victim organization itself.”

On top of that, it’s also difficult to know how much activity you’re not seeing.

Looking at the small set of Internet address blocks he knows are associated with Microsoft 365 email infrastructure, Bill examined the IMAP traffic flowing from this group to those blocks. Bill said that in the first week of April 2021, he identified 15,000 compromised Office365 accounts being accessed by this group, spread over 6,500 different organizations that use Office365.

“So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,” Bill explained. “And with our puny visibility into probably less than one percent of overall password stuffing traffic aimed at Microsoft, we’re seeing 600 Office accounts being breached a day. So if I’m only seeing one percent, that means we’re likely talking about tens of thousands of Office365 accounts compromised daily worldwide.”

In a December 2020 blog post about how Microsoft is moving away from passwords to more robust authentication approaches, the software giant said an average of one in every 250 corporate accounts is compromised each month. As of last year, Microsoft had nearly 240 million active users, according to this analysis.

“To me, this is an important story because for years people have been like, yeah we know email isn’t very secure, but this generic statement doesn’t have any teeth to it,” Bill said. “I don’t feel like anyone has been able to call attention to the numbers that show why email is so insecure.”

Bill says that in general companies have a great many more tools available for securing and analyzing employee email traffic when that access is funneled through a Web page or VPN, versus when that access happens via IMAP.

“It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”

Microsoft declined to comment specifically on Bill’s research, but said customers can block the overwhelming majority of account takeover efforts by enabling multi-factor authentication.

“For context, our research indicates that multi-factor authentication prevents more than 99.9% of account compromises,” reads a statement from Microsoft. “Moreover, for enterprise customers, innovations like Security Defaults, which disables basic authentication and requires users to enroll a second factor, have already significantly decreased the proportion of compromised accounts. In addition, for consumer accounts, adding a second authentication factor is required on all accounts.”

A Mess That’s Likely to Stay That Way

Bill said he’s frustrated by having such visibility into this credential testing botnet while being unable to do much about it. He’s shared his data with some of the bigger ISPs in Europe, but says months later he’s still seeing those same inboxes being accessed by the gift card gang.

The problem, Bill says, is that many large ISPs lack any sort of baseline knowledge of or useful data about customers who access their email via IMAP. That is, they lack any sort of instrumentation to be able to tell the difference between legitimate and suspicious logins for their customers who read their messages using an email client.

“My guess is in a lot of cases the IMAP servers by default aren’t logging every search request, so [the ISP] can’t go back and see this happening,” Bill said.

Confounding the challenge, there isn’t much of an upside for ISPs interested in voluntarily monitoring their IMAP traffic for hacked accounts.

“Let’s say you’re an ISP that does have the instrumentation to find this activity and you’ve just identified 10,000 of your customers who are hacked. But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”

Which means those 10,000 customers are then going to start receiving error messages whenever they try to access their email.

“Those customers are likely going to get super pissed off and call up the ISP mad as hell,” Bill said. “And that customer service person is then going to have to spend a bunch of time explaining how to use the webmail service. As a result, very few ISPs are going to do anything about this.”

Indicators of Compromise (IoCs)

It’s not often KrebsOnSecurity has occasion to publish so-called “indicators of compromise” (IoCs), but hopefully some ISPs may find the information here useful. This group automates the searching of inboxes for specific domains and trademarks associated with gift card activity and other accounts with stored electronic value, such as rewards points and mileage programs.

This file includes the top inbox search terms used in a single 24-hour period by the gift card gang. The numbers on the left in the spreadsheet represent the number of times during that 24-hour period where the gift card gang ran a search for that term in a compromised inbox.

Some of the search terms are focused on specific brands — such as Amazon gift cards or Hilton Honors points; others are for major gift card networks like CashStar, which issues cards that are white-labeled by dozens of brands like Target and Nordstrom. Inboxes hacked by this gang will likely be searched on many of these terms over the span of just a few days.
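The two signals described in this story, a successful IMAP login followed by a burst of searches for gift card terms, and one source address cycling through many inboxes, are exactly what an ISP could alert on if its IMAP servers logged SEARCH commands. The following is an added example, not KrebsOnSecurity’s code nor any ISP’s tooling. The key=value log format, the sample records, the documentation-range addresses and the example.com accounts are all constructed; the IoC terms are the brands and networks the article names and would be extended from the actual list.

```python
"""Flag IMAP sessions that run gift card IoC searches shortly after login.

Added example, not the article's or any ISP's tooling. The log format, the
key=value records and the addresses are constructed; real servers need IMAP
SEARCH logging enabled before anything like this can be run.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Terms taken from the article's description of the IoC file (brands and gift
# card networks); extend from the real list. Short brand words such as
# "target" are noisy on their own, which is why sessions are scored on the
# number of hits rather than on any single match.
IOC_TERMS = ("gift card", "amazon gift", "hilton honors", "cashstar",
             "target", "nordstrom")

# Constructed sample log: one record per IMAP command. 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges, not real sources.
SAMPLE_LOG = """\
2021-04-01T03:12:07Z user=alice@example.com src=198.51.100.7 cmd=LOGIN result=OK
2021-04-01T03:12:09Z user=alice@example.com src=198.51.100.7 cmd=SEARCH query="TEXT amazon gift card"
2021-04-01T03:12:10Z user=alice@example.com src=198.51.100.7 cmd=SEARCH query="FROM cashstar"
2021-04-01T03:12:11Z user=alice@example.com src=198.51.100.7 cmd=SEARCH query="SUBJECT hilton honors"
2021-04-01T03:12:12Z user=alice@example.com src=198.51.100.7 cmd=SEARCH query="FROM nordstrom"
2021-04-01T03:12:14Z user=alice@example.com src=198.51.100.7 cmd=LOGOUT
2021-04-01T03:14:30Z user=bob@example.com src=198.51.100.7 cmd=LOGIN result=OK
2021-04-01T03:14:31Z user=bob@example.com src=198.51.100.7 cmd=SEARCH query="TEXT gift card"
2021-04-01T03:14:32Z user=bob@example.com src=198.51.100.7 cmd=SEARCH query="FROM target"
2021-04-01T03:14:33Z user=bob@example.com src=198.51.100.7 cmd=SEARCH query="FROM cashstar"
2021-04-01T08:02:00Z user=carol@example.com src=203.0.113.25 cmd=LOGIN result=OK
2021-04-01T08:02:40Z user=carol@example.com src=203.0.113.25 cmd=SEARCH query="FROM mom"
2021-04-01T08:05:10Z user=carol@example.com src=203.0.113.25 cmd=FETCH
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd=(?P<cmd>\S+)'
    r'(?: result=(?P<result>\S+))?(?: query="(?P<query>[^"]*)")?'
)


def parse_line(line):
    """Parse one record into a dict; return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def matches_ioc(query):
    """True when the SEARCH query contains any IoC term (case-insensitive)."""
    q = query.lower()
    return any(term in q for term in IOC_TERMS)


def find_suspicious_sessions(log_text, min_hits=3, window=timedelta(minutes=5)):
    """Return sessions (successful LOGIN by user from src) whose SEARCH
    commands hit the IoC list at least min_hits times within `window`."""
    current = {}   # (user, src) -> the open session for that pair
    sessions = []  # every session seen, in login order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["src"])
        if rec["cmd"] == "LOGIN" and rec["result"] == "OK":
            current[key] = {"user": rec["user"], "src": rec["src"],
                            "login": rec["ts"], "hits": []}
            sessions.append(current[key])
        elif rec["cmd"] == "SEARCH" and key in current:
            s = current[key]
            if rec["ts"] - s["login"] <= window and matches_ioc(rec["query"] or ""):
                s["hits"].append(rec["query"])
        elif rec["cmd"] == "LOGOUT":
            current.pop(key, None)
    return [s for s in sessions if len(s["hits"]) >= min_hits]


def accounts_per_source(log_text):
    """Distinct accounts successfully logged into from each source address.
    One address walking through many inboxes is the other signal an ISP can
    look for without inspecting message content."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["cmd"] == "LOGIN" and rec["result"] == "OK":
            seen[rec["src"]].add(rec["user"])
    return dict(seen)


if __name__ == "__main__":
    for s in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{s['user']} from {s['src']}: {len(s['hits'])} IoC searches after login")
    for src, users in accounts_per_source(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct accounts")
```

On the sample, alice and bob are flagged (four and three IoC searches within seconds of login) while carol, who searched for a single ordinary sender, is not; the same source address also logged into both flagged accounts. The thresholds are deliberately parameters: a real deployment would tune `min_hits` and `window` against a baseline of legitimate client behaviour, since mail clients do issue SEARCH commands on their own.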

5 Traits of a Great Endpoint Security System

Managing risk requires an adaptive and agile security culture, one that binds process, technology, and people together in a way that is effective and that allows the organization to act smarter. Having the right security products in place is essential, of course, but when it comes to adding to your arsenal, how do you know that what you are buying will be effective and worthwhile?

Comparing specifications takes time and expertise, and different vendors sometimes use the same terms to mean different things. Is the latest innovation from your usual vendor actually new or is it a rebranded version of existing technology? Is the new bit of kit from a vendor you haven’t used before actually capable of doing all that it promises?

One way to start cutting through the noise is to take a high-level look at the core capabilities of the product being offered. While there’s no one-size fits all, ensuring the product has certain features will give you confidence that it can meet your organization’s needs not just for today but also for the future, as your organization’s internal and external requirements evolve over time. So what exactly are the most important traits of a great endpoint security system?

What is an Endpoint in Today’s Enterprise?

Of course, the term ‘endpoint’ covers a lot more today than perhaps when it first came into popular use. Once upon a time, organizations had workstations and servers and a firewall, and they bought products to fit that infrastructure. Nowadays, a modern enterprise has a network of devices running such things as:

  • Laptops
  • Desktops
  • Cell Phones
  • Virtual Machines
  • Cloud Containers
  • Tablets
  • Servers
  • IoT Devices

In short, an endpoint is anything that functions as one end of a communications channel. The term refers to parts of a network that don’t simply relay communications along channels, or switch those communications from one channel to another. Rather, an endpoint is the place where communications originate, and where they are received.

All of these may be connecting via a local intranet or using cloud SaaS platforms or even the public internet. You may have Single Sign On (SSO) and Zero Trust Architecture (ZTA), perhaps you are moving or have already moved your data to a public, on-premises or hybrid cloud, with endpoints connecting to your network from multiple locations around the globe.

What Enterprises Need To Do To Stay Safe

The current realities that enterprises face are more challenging than ever before. On the one hand, there is a growing need for security, while on the other, a growing demand for business continuity, supporting large fleets of endpoints and data sources that can be anywhere, at any time.

The new reality of our work culture, where endpoints can access sensitive data regardless of where they are connected from, forces CISOs and other security leaders to rely on the security-awareness of their users and the integrity of the endpoint as the last, and sometimes the only, defence. The failure of that strategy, unfortunately, hits the headlines on a regular basis. Data breaches like that at T-Mobile, which the company recently described as “humbling for us all at T-Mobile”, resulted in the compromise of data belonging to millions of its customers, past, present and prospective.

How Cybercriminals Are Seizing the Day

What happened to T-Mobile happens to organizations of all sizes, and despite twenty years of vendors selling enterprise endpoint security products, the frequency of successful attacks is increasing rather than decreasing. How is it possible that cybersecurity has been such an unmitigated disaster, and that in 2021 even the President of the United States has said that fixing it is a top priority and essential to national and economic security?

There are a few driving factors behind the success of cybercrime, particularly ransomware. First, Microsoft Windows, which is relied on in most organizations, is full of vulnerabilities. Whether it’s Windows Defender, the Print Spooler service, NTLM authentication, Exchange Server or any number of other Microsoft software products, attackers have invested in and found ways to exploit holes in these software products to attack organizations. Even if you’re one of those rare organizations that is not a “Windows shop”, there’s a good chance that someone in your supply chain is.

Meanwhile, attackers have been spurred on by the incentives of big rewards with little risk, lurking in countries where the authorities are not interested in making arrests for attacks on Western organizations, and cashing out cryptocurrency with impunity.

Compounding these problems are other factors like the underground trade of weapons-grade malware and the proliferation of Ransomware-as-a-Service products sold at low prices in bulk quantities.

But perhaps by far the biggest problem in this new threatscape is that organizations are trying to defend against modern threats with outdated technologies in some cases and the wrong approach in others: on the one hand, legacy AV that criminals long ago learned to bypass; on the other, “Next-Gen” solutions that rely on a human analyst to beat machine-speed malware. The SolarWinds breach showed that companies relying on either of these approaches could not be defended.

5 Traits of a Great Endpoint Security System

Endpoints are at the heart of every organization, and defending them is the only way to win the cybersecurity battle. There are products out there that have learned the lessons of the last 20 years of cybercrime and which have been shown to be effective against even the most sophisticated of threats. But how can you tell the right product from the wrong product? Let’s consider five essential characteristics needed by any modern security solution.


1. A Proactive Approach to Novel Threats

By far the biggest weakness in security products of the past was the reliance on malware signatures. The main problem with these, of course, is that they are reactive. The process of creating a signature starts from seeing a threat active in the wild (which means enterprises are getting compromised by it) before any protection is in place. Then, there is a race against the clock to write the signature and then to push it as an update to all the endpoints. Faced with a novel threat, the entire product becomes dead weight.

If the past five years of ransomware have taught us anything, it is that this approach, which was developed in the 90s and 2000s, cannot keep organizations safe today. For that reason, some vendors have turned to machine learning models and behavioral AI to allow us to identify patterns and similarities common to malicious files and malicious behavior, regardless of origin.

Machine learning models can be trained to effectively deal with the majority of commodity malware seen today, much of which is not written from scratch but often reuses successful code from earlier samples. While ML alone cannot be relied on to catch all malware pre-execution, it is a great way to keep endpoints safe from common attacks without relying on the need for frequent updates to security signatures.

Behavioral AI supplements ML models by identifying patterns of behavior typical of cyberattacks. For example, almost all ransomware will, at some point, exhibit some combination of the following behaviors:

  • Detect and try to remove backups and shadow copies
  • Encrypt large numbers of files
  • Prompt the user with a message (e.g., a ransom note)
  • Communicate with a remote server

Behavioral AI seeks to recognize such patterns of behavior even if the activity appears to be coming from inside the network or from some other source that is not file-based.
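The behaviour list above is, in effect, a correlation rule: any one of those actions is normal for some legitimate program, and it is the combination in one process that matters. The following is an added example of that correlation, not SentinelOne’s engine or any product code. The sensor event names (shadow_copy_delete, file_rename, file_create, net_connect, backup_delete) and the sample events are constructed; a real sensor would also bound the correlation by time, which this example omits.

```python
"""Correlate process telemetry into the four ransomware behaviours listed above.

Added example, not SentinelOne's engine or any product's code. The sensor
event names and the sample events are constructed for illustration.
"""
import os
from collections import Counter, defaultdict

MIN_BEHAVIOURS = 3          # behaviours a process must show before it is flagged
MASS_RENAME_THRESHOLD = 50  # renames adding the same new extension
NOTE_DIRS_THRESHOLD = 3     # same filename created in this many directories


def build_sample_events():
    """Constructed events for two processes: pid 4242 behaves like ransomware,
    pid 777 is a backup agent that prunes old backups and uploads to a server
    (two behaviours, which should not be enough to flag it)."""
    events = [{"pid": 4242, "event": "shadow_copy_delete"}]
    for i in range(60):  # 60 documents renamed with a new extension
        events.append({"pid": 4242, "event": "file_rename",
                       "src": f"C:/Users/u/Documents/report{i}.docx",
                       "dst": f"C:/Users/u/Documents/report{i}.docx.locked"})
    for d in ("C:/Users/u/Documents", "C:/Users/u/Pictures", "C:/Users/u/Desktop"):
        events.append({"pid": 4242, "event": "file_create",
                       "path": f"{d}/README_RESTORE.txt"})
    events.append({"pid": 4242, "event": "net_connect", "dst": "203.0.113.50:443"})
    # benign backup agent: deletes an old backup, talks to its server, renames a few files
    events.append({"pid": 777, "event": "backup_delete", "path": "D:/backups/2021-03-01.bak"})
    events.append({"pid": 777, "event": "net_connect", "dst": "192.0.2.10:443"})
    for i in range(5):
        events.append({"pid": 777, "event": "file_rename",
                       "src": f"D:/backups/tmp{i}", "dst": f"D:/backups/tmp{i}.bak"})
    return events


def behaviours_for(events):
    """Map each pid to the set of ransomware-style behaviours it exhibited."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev["pid"]].append(ev)
    result = {}
    for pid, evs in per_pid.items():
        found = set()
        kinds = Counter(ev["event"] for ev in evs)
        # 1. backups / shadow copies tampered with
        if kinds["shadow_copy_delete"] or kinds["backup_delete"]:
            found.add("backup_tamper")
        # 2. mass encryption, approximated as many renames adding one new extension
        new_ext = Counter(os.path.splitext(ev["dst"])[1]
                          for ev in evs if ev["event"] == "file_rename")
        if new_ext and max(new_ext.values()) >= MASS_RENAME_THRESHOLD:
            found.add("mass_rename")
        # 3. ransom note, approximated as one filename dropped in many directories
        note_dirs = defaultdict(set)
        for ev in evs:
            if ev["event"] == "file_create":
                directory, name = os.path.split(ev["path"])
                note_dirs[name].add(directory)
        if any(len(dirs) >= NOTE_DIRS_THRESHOLD for dirs in note_dirs.values()):
            found.add("note_drop")
        # 4. contact with a remote server
        if kinds["net_connect"]:
            found.add("remote_comms")
        result[pid] = found
    return result


def flag_ransomware_like(events, min_behaviours=MIN_BEHAVIOURS):
    """Processes showing at least min_behaviours of the four patterns."""
    return {pid: b for pid, b in behaviours_for(events).items()
            if len(b) >= min_behaviours}


if __name__ == "__main__":
    for pid, found in flag_ransomware_like(build_sample_events()).items():
        print(f"pid {pid}: {sorted(found)}")
```

On the sample, pid 4242 shows all four behaviours and is flagged, while the backup agent shows only two (it deletes backups and talks to the network) and is left alone. That asymmetry is the point of the behavioural approach: the rule keys on the combination rather than on any single action, so it needs no signature for the particular file being run.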

Making sure that your security product has the ability to proactively detect the unknown via machine learning and behavioral AI is the first trait you should look for in a great security product, but there’s a caveat: avoid solutions that rely on cloud connectivity to offer those features, as cybercriminals can easily disconnect a device while deploying their attack. Look for a product with behavioral AI and ML engines that work locally on the endpoint and are able to make decisions at machine speed for the greatest endpoint protection.

2. Automatic Mitigation Without Human Intervention

Detection is only one half of the puzzle that needs to be solved for reliable endpoint security. A solution that can detect but relies on human beings to intervene in order to protect is of little use in the enterprise. You need a solution that is capable of automatically mitigating and remediating malicious activity on the device, so the user can keep on working and not spend their day working with IT to clean up the mess.

Many security products struggle with this aspect, including some of the market leaders. Some vendors offer remote access tools integrated within the endpoint security solution that may ease the IT burden somewhat, but that still requires a manual workflow in which delay and disruption are accepted as part of life. What if your security product could detect security incidents and clean them up without the need for any human intervention whatsoever? Computers were built to automate the tiresome parts of our lives, and autonomously mitigating detected threats shouldn’t be beyond a so-called “Next-Generation” product.

Ask your endpoint security vendors about what automated mitigations are available, and don’t forget to ask what happens in the case of a missed detection, too! A great endpoint security system should be able to unquarantine a false detection just as easily as quarantining a real detection.

3. Multi-Site, Multi-Tenancy Flexibility

The art of managing large fleets of devices and data points is not an easy task. Add on top of that remote geographical locations, different time zones, and in the case of global teams, sometimes even language barriers and you have a complexity that cannot be effectively managed by shoehorning it into some security vendor’s rigid vision of what your organization should be like.

Managing, responding to and collecting data from your global sites requires a product that supports multi-tenancy and multiple sites, allowing local teams to inherit from the main policy but also to manage locally when it makes sense to do so, supporting local needs without compromising the needs of others in the organization.

Multi-tenancy is not only a need for large global teams, either. The way modern enterprises are growing today, this flexibility is required more than ever even for smaller and fast-growing teams.

4. Plug the Gaps With Auto-Deploy

One of the easiest routes to compromise is simply devices without proper endpoint protection, and in modern-day enterprises, it’s unfortunately a common reality that IT admins and security administrators simply do not know everything that is on their networks. Many compromises have occurred simply because an attacker found an unprotected server somewhere that everybody inside the organization had forgotten about.

In an analysis of a cyberattack on his organization, the CISO of ANU explained:

“The actor built a shadow ecosystem of compromised ANU machines, tools and network connections to carry out their activities undetected. Some compromised machines provide a foothold into the network. Others, like the so-called attack stations, provided the actor with a base of operations to map the network, identify targets of interest, run tools and compromise other machines.”

With a vast organization spanning multiple sites and multiple sub-networks, the only effective solution is to ensure you can map the network, and fingerprint devices in such a way that you can not only determine what is connected, but also what is unprotected. Armed with that knowledge, you need a security solution that can do the heavy lifting of deploying agents to plug the coverage gap. Security teams are often stretched way too thin and need sensible automation to help them do their job more effectively.

Therefore, make sure that your endpoint security product offers an automated means of quickly and reliably finding deployment gaps and installing the solution.

5. Visibility

Even when all the above needs are met, there is still a lot to discover about what is happening on your endpoint. The problem of visibility is not new, but with the shift to a more digital way of life, the amount of data we all generate requires more efficient ways to index, correlate, and identify malicious activities at scale.

This is why the best endpoint security systems are now moving beyond EDR and into XDR, which helps organizations address cybersecurity challenges from a unified standpoint. With a single pool of raw data comprising information from across the entire ecosystem, XDR allows faster, deeper and more effective threat detection and response, collecting and collating data from a wider range of sources.

When evaluating vendors offering XDR, there are a few things to look out for. An effective XDR platform needs to work seamlessly across your security stack, utilizing native tools with rich APIs. It should offer out-of-the-box cross-stack correlation, prevention, and remediation and enable users to write their own cross-stack custom rules for detection and response. Beware vendors offering immature or rushed solutions that may be nothing more than old tools bolted together. Your XDR should offer a single platform that allows you to easily and rapidly build a comprehensive view of the entire enterprise.


Conclusion

The endpoint security market is booming. Gartner predicts that the cybersecurity spend will exceed $150 billion this year alone. On the other hand, we hear almost every day about yet another enterprise being compromised.

Closing this gap requires better tools, but also better collaboration between us, defenders, and the security layers we use. SentinelOne is checking all the boxes mentioned in this post, and if you work for an enterprise, our team will be happy to share a dedicated demo and help you move to the best solution available now to keep your network safe.
