Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams

Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of startups into giving him tens of millions of dollars. Bernard’s latest victim — a Norwegian company hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad, in which Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

John Bernard is a pseudonym used by John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice and residing in Ukraine. Davies’ Bernard persona has fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments.

For several years until reinventing himself again quite recently, Bernard pretended to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking investment opportunities. Bernard generated a stream of victims by offering extraordinarily generous finder’s fees for investment brokers who helped him secure new clients. But those brokers would eventually get stiffed as well because Bernard’s company would never consummate a deal.

In case after case, Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

But Bernard would adopt a slightly different approach to stealing from Freidig Shipping Ltd., a Norwegian company formed in 2017 that was seeking the equivalent of USD $100 million in investment to bring its green fleet of 30 new offshore service vessels to fruition.

Journalists Harald Vanvik and Harald Berglihn from the Norwegian Business Daily write that through investment advisors in London, Bernard was introduced to Nils-Odd Tønnevold, co-founder of Freidig Shipping and an investment advisor with 20 years of experience.

“Both Bernard and Inside Knowledge appeared to be professionals,” the reporters wrote in a story that’s behind a paywall. “Bernard appeared to be experienced. He knew a lot about start-ups and got into things quickly. Credible and reliable was the impression of him, said Tønnevold.”

“Bernard eventually took on the role of principal investor, claiming he had six other wealthy investors on the team, including artist Abel Makkonen Tesfaye, known as The Weeknd, Uber founder Garrett Camp and Norilsk Nickel owner Russian Vladimir Potanin,” the Norwegian journalists wrote. “These committed to contribute $99.25 million to Freidig.”

So in this case Bernard conveniently claimed he’d come up with almost all of the investment, which came $750,000 short of the goal. Another investor, a Belgian named Guy Devos, contributed the remaining $750,000.

But by the spring of 2020, it was clear that Devos and others involved in the shipping project had been tricked, and that all the money which had been paid to Bernard — an estimated NOK 15 million (~USD $1.67 million) — had been lost. By that time the two co-founders and their families had borrowed USD $1.5 million, and had transferred the funds to Inside Knowledge.

“Further investigations indicated that Bernard was in fact a convicted and wanted Briton based in the Ukrainian capital Kiev,” the Norwegian Business Daily reported. “Guy Devos has sued Nils-Odd Tønnevold with a claim of 750,000 dollars because he believes Tønnevold has a responsibility for the money being transferred to Bernard. Tønnevold rejects this.”

Bernard’s scam is genius because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. It also works because the best cons begin as an idea or possibility planted in the target’s mind.

What’s remarkable about Freidig Shipping’s fleecing is that we heard about it at all. In the first of this now five-part series, we heard from Jason Kane, an attorney who focuses on investment fraud. Kane said companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

“These are cases where you might win but you’ll never collect any money,” Kane said. “This seems like an investment twist on those fairly simple scams we all can’t believe people fall for, but as scams go this one is pretty good. Do this a few times a year and you can make a decent living and no one is really going to come after you.”

It does appear that Bernard took advantage of a stunning lack of due diligence by the Freidig co-founders. In this May 2020 post on Twitter — well after their funds had already been transferred to Bernard — Nils-Odd Tønnevold can be seen asking Uber co-founder Garrett Camp if he indeed had agreed to invest in his company:

John Clifton Davies, a.k.a. John Bernard, Jonathan Bibi, John Cavendish, is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail on suspicion of murdering his third wife on their honeymoon in India. The U.K. authorities later dropped the murder charges for lack of evidence. Davies currently resides with his fourth wife in or near Kyiv, Ukraine.

If you liked this story, check out my previous reporting on John Bernard/Davies:

Due Diligence That Money Can’t Buy

Who is Tech Investor John Bernard?

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30 Million

Investment Scammer John Davies Reinvents Himself?

The Good, the Bad and the Ugly in Cybersecurity – Week 4

The Good

Cyber hygiene within the education sector is often overlooked when the spotlight frequently shines on attacks against high-profile enterprise targets, but the devices and networks used by our schools, teachers and students are nevertheless popular targets for criminals. Good news, then, that an individual responsible for hacking into 25 school network email accounts has pleaded guilty in Philadelphia this week.

Timothy Spillane, 39, admitted to setting up fraudulent email and bank accounts in his victims’ names after breaching the digital networks of two Philadelphia colleges. The attacker had hoped to conduct an elaborate tax fraud scheme using stolen student financial information, but he failed when he was unable to guess the victims’ adjusted gross income from the previous tax year.

The FBI had received a tip about Spillane’s activity, which spanned November 2017 to January 2018, and conducted a search warrant and arrest at his home after a short investigation. Sentencing has yet to be determined.

Meanwhile, DeepDotWeb co-owner and operator Tal Prihar, who pleaded guilty to money laundering last March, was sentenced to more than eight years in prison this week. Prihar and co-defendant Michael Phan earned over $8 million in kickbacks from purchases of contraband on darknet marketplaces.

The Bad

This week’s ransomware tales show just how ubiquitous the problem is for everyone connected to the internet. Whether it’s a lone MIT professor in the U.S. or a multi-billion-dollar company in Taiwan, ransomware operators are out there encrypting files and demanding pay days.

Thousands of individual QNAP users were hit this week with ‘Deadbolt’ ransomware. The Taiwanese NAS backup and storage device maker was itself asked to pay a ransom for information about the alleged “zero day” exploit used in the attack. However, given the details that have emerged so far, it’s likely that the operators had instead based their targeting on scanning the internet for misconfigured devices that could be accessed from the internet without authentication. In any case, there was no shortage of victims, who were told they needed to pay 0.3 Bitcoin. At least one reported that, having paid the ransom, they did not receive the promised decryption key.

At the other end of the scale, a reported attack by the Conti ransomware gang struck at another Taiwanese company this week, Delta Electronics. Delta, which serves as a contractor to both Apple and Tesla, was asked to pay a $15 million ransom by the gang, which claimed to have encrypted around a fifth of the company’s estimated 65,000 endpoints.

Although Delta has said no production systems were impacted, other reports suggest that the company has yet to restore most of the affected systems, with the company using an alternative web server while its official sites remain down.

The Ugly

It’s been a busy and not particularly pretty week for anyone involved with Apple security. The week began with news of OSX.DazzleSpy, a backdoor RAT that appears to be related to macOS.Macma and a watering-hole attack against Hong Kong Pro-Democracy activists. Then, the Cupertino device-maker was forced into pushing patches across its platforms for a number of bugs, some of which, the company said, were being actively exploited in the wild.

Among the vulnerabilities patched is an iOS bug that was first reported to third-party vendor Trend Micro’s “Zero-Day Initiative” and apparently sat on for two months. By the time the researcher reported it directly to Apple in frustration at the lack of action, it had already been exploited in the wild.

Meanwhile, a bug in PackageKit that could allow a privileged attacker to bypass macOS’s System Integrity Protection, CVE-2022-22583, was patched and jointly credited to several different researchers. According to one analysis, an attacker could bypass SIP by abusing post-install scripts run by .pkg files and mounting an image onto /private/tmp, which is not itself protected by SIP.

This would allow the attacker to swap the SIP-entitled legitimate script run by the installer from a subdirectory in /private/tmp for one supplied by the attacker. Apple fixed the flaw by moving the location of installer scripts to a subfolder in the SIP-protected /Library folder.

CVE-2022-22583 builds on the Shrootless vulnerability reported previously by Microsoft as CVE-2021-30892. While it will undoubtedly cause concerns, it is unlikely to be exploited in the wild. As with Shrootless, exploiting this vulnerability requires the attacker to already have elevated privileges, and the use case for bypassing SIP from that vantage point is difficult to see. Stealthier persistence deep in the bowels of the system would be one, but modern versions of macOS with signed system volume (SSV) protection would likely notice any tampering there as soon as the system was rebooted, undermining the investment in stealth.

That said, there are plenty of other flaws addressed in the patches released by Apple this week, and users are strongly urged to update all their fruity devices.

What is Malware (Malicious Software)?

Any individual or enterprise can fall victim to cybercriminal attacks. It has never been more crucial to keep your data safe.

While some new technology has made life easier, it has also created new challenges. In the case of the internet, perhaps chief of all those challenges is the threat of malware, whether you’re a user of Mac, Windows, Linux, or mobile devices.

Malware Definition

Malware, or malicious software, is a broad term that describes any code or software used with malicious intent against an individual computer, network, or server. “Malicious intent” is a general term, but in the context of cybersecurity, it can include stealing personal information, damaging or disabling computers and other devices, hijacking someone’s computer to mine bitcoin and other cryptocurrencies, and even stealing financial assets.

How Does Malware Spread?

There are many types of malware. Cybercriminals have created countless creative ways to infect devices with malware.

The most common ways malware tends to infect your computer are through phishing emails, malicious advertisements, fake software installations downloaded from the web, SMS text messages, malicious apps, and infected USB drives. Whenever you’re online, you’re at risk of malware infection, though the extent of that risk varies depending on the situation.

A Brief History of Malware

The modern concept of a “computer virus” didn’t originate from something with malicious intent. Over the past six decades, scientists and engineers have contributed – whether knowingly or not – to creating malicious software as we know it, evolving from harmless experiments to malicious digital plagues requiring increasingly sophisticated antivirus programs and other cybersecurity systems to defend against them.

John von Neumann

The scientist, John von Neumann, is credited with introducing the theoretical concepts that would later lead to the development of malware. In his paper, “Theory and Organization of Complicated Automata,” published in 1966, von Neumann discusses the concept of self-replicating computer programs. The paper was a kind of experiment, and von Neumann’s designs for a self-replicating computer program were not created with malicious intent.

The Creeper Program

In 1971, Bob Thomas created a program called the “Creeper.” He designed it to test computer security systems and see if a self-replicating computer program was possible. The Creeper worked by moving from computer to computer, attaching itself to new drives while detaching itself from its previous host. When it was successful, it displayed a message on the screen of the infected computer that said, “I’M THE CREEPER. CATCH ME IF YOU CAN!”

The Rabbit Virus

In 1974, the first computer virus, called The Rabbit Virus, was created. Once it infected a computer, it would replicate itself until it caused the computer to crash. It was named the “Rabbit Virus” for the speed of its replication process.

The First Trojan

Computer programmer John Walker created the first Trojan, a virus that sneaks onto a computer by either posing as or piggybacking onto useful software. Once installed on a computer, it reveals itself as malicious. Walker created the first Trojan, called ANIMAL, in 1975.

Floppy Disks

Although floppy disks were not originally developed with this function in mind, in the 1980s viruses commonly spread via infected floppy disks. Programs like Brain and Elk Cloner could spread by installing themselves on computers once a floppy disk was inserted into them (usually the A or B drive). Brain and Elk Cloner were relatively harmless, but the methods by which they spread and propagated laid the groundwork for the design of modern malicious software. Programs like these first inspired Frederick Cohen and Len Adleman to coin the phrase “computer virus” in 1983.

The 1990s and beyond

As personal computers became more popular, programmers began experimenting with new ways to use computer programs. Early malware ranged from something as simple as malicious code hiding in a Microsoft Word document to more sophisticated, socially engineered programs that would pose as instant messaging (IM) users or as web ads that trick users into downloading malware. Cybercriminals used similar tactics with email, and later social media. When smartphones became popular, hackers and scammers developed viruses for them as well.

How to Tell If You’ve Been Infected with Malware

There are many different ways to tell if your device is infected with malware, depending on the type of malware and which device is infected.

Some signs to look out for:

  • Your device slows down. Slower performance can mean that your hard drive is running out of space, that you have too many programs running, that you need more RAM, or that your computer or device is infected with malicious software. Poorer than usual performance is a dead giveaway that something is wrong.
  • You are being plagued with annoying pop-up ads. Nobody likes annoying ads. It’s generally a good idea to avoid clicking any pop-ups you see on any website; they’re often a front for malicious software like adware or worse. If you see a lot of pop-up ads at unexpected times – especially if you don’t have a web browser open or are disconnected from the internet – you have likely been infected with malware.
  • Your internet browser redirects you to a web page you didn’t choose. If this happens, clear your browser’s cache and run a virus scan, and don’t log in to any web pages that contain sensitive information you wouldn’t want in the hands of a hacker.
  • Anything else that seems strange. If your computer behaves in irregular or unpredictable ways, play it safe. Assume that it’s been infected with malware and take the necessary steps.

Common Types of Malware

Spyware

Spyware is a type of malware that infects computer systems or other devices with a goal of stealing private information. While it usually targets users of desktop computers, mobile devices can be infected as well. Spyware can infect machines by exploiting security vulnerabilities, but it can also infect devices by tricking users into downloading harmful files via phishing, clickbait, downloading free software bundles or through Trojans, and many other ways.

Password stealers

Spyware can also be used to steal passwords from infected computers via malicious software. These may include login credentials for various websites, login passwords for offline software, and even critical system credentials.

Keyloggers

Sometimes called system monitors, spyware can take the form of malicious software that tracks keystrokes to steal passwords, spy on which websites you visit, steal your search history, and many other things that can be harmful to your computer or to your personal information.

Mobile spyware

Malicious software can target Android, iPhone, and other mobile devices to steal or spy on SMS text messages, emails, call logs, audio phone conversations, voicemails, and even your physical location. With work from anywhere, BYOD, and accelerating mobile malware attacks, mobile threat defense has quickly become a key part of a cohesive security strategy for all organizations.

Ransomware

Ransomware is a type of malware that locks you out of your device through encryption, then demands payment (ransom) in exchange for returning access to you.

Ryuk

A recent example of ransomware was Ryuk, a virus that targeted large businesses, demanding high ransoms in the form of cryptocurrency to release the hijacked systems. The virus is attributed to the cybercriminal group CryptoTech.

Trojans

Trojans, or Trojan Horses, are a type of malicious software that disguises itself as legitimate software to gain entry to your computer, similar to how Greek soldiers snuck into the city of Troy in Homer’s The Iliad.

Mobile Trojans

Mobile Trojans can look like legitimate apps and programs. They’re often encountered in unofficial or pirated app marketplaces. Once they gain access to a mobile device, they can steal files, infect a computer network, extort users via ransomware, or spread to other devices.

Trojan Spyware

Trojans can be used to install spyware on your computer or device.

Adware

Adware is a type of malware that, once installed, causes countless ads to pop up on your screen unprompted. These ads may or may not seem legitimate and may contain additional malware.

Worms

Like the “Creeper” program, worms are malicious software that copy themselves as they move from one device to another. They typically spread by exploiting security vulnerabilities and don’t necessarily involve interaction with a user.

Rootkit

Some malicious software, called rootkit malware, can gain access to a computer or similar device in order to give the attacker administrative access. This allows them to make critical changes to a computer system or network, or gain access to files the user wants to keep hidden or secure.

Fileless

Fileless Malware is a type of cyber attack that uses legitimate programs within a computer to execute malicious code or steal information. It’s challenging to track because it doesn’t install malicious software. Instead, it executes commands used by programs that come installed on a computer, so most antivirus programs mistake it for harmless activity by the device’s operating system or other benign software.

Cryptojacking

Cryptojacking is the process of installing malware that hijacks your computer’s processing power to mine bitcoin or other cryptocurrencies for the benefit of the hacker. This can lead to severe system slowdowns and even crashes.

How to Remove and Protect Yourself From Malware

If you find yourself with a malware problem, it may be time to re-evaluate your cybersecurity needs. Some best practices to consider:

  1. Streamline your defenses using an advanced endpoint detection and response (EDR) security solution like SentinelOne’s Singularity Complete platform.
  2. Use an enterprise protection solution that works in both cloud and hybrid environments.
  3. Rely on proven cybersecurity solutions that provide measurable results.

SentinelOne can help defend against advanced cybersecurity threats. You can request a demo of SentinelOne to see us in action and learn more about the Singularity Platform. SentinelOne’s cybersecurity solution encompasses AI-powered prevention, detection, response and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous platform.

Man-in-the-Middle Attack (MITM): Detection and Prevention Techniques

Although not as widespread a cybersecurity threat as phishing or ransomware, MITM attacks can cause severe problems for enterprises. Attackers can use MITM attacks to steal credit card information and gain access to networks used by companies of all sizes by hijacking data and eavesdropping on sensitive exchanges of data between computers.

What is a Man-in-the-Middle Attack?

A man-in-the-middle attack is a type of cyberattack in which the attacker digitally interjects themselves into the middle of a conversation between a network user and a web application or server. As the so-called “man in the middle,” they can spy on users, intercept sensitive information, and even send their own messages while impersonating trusted computers.

There are several ways to do this depending on the vulnerabilities of your computer and/or your network.

Notable examples of MITM Attacks

  • In 2003, a type of wireless router made by Belkin was found to periodically use a type of MITM attack to feed users ads for Belkin products. It accomplished this by taking over a connection being routed through it. Once done, the router failed to pass the traffic on to the user’s computer, sending them instead to a web page containing the ad. Belkin later removed this function via a firmware update following a public outcry against this feature.
  • In 2013, Nokia’s Xpress mobile web browser was found to be decrypting HTTPS traffic from the phones using a kind of MITM attack, giving Nokia the ability to see its customers’ encrypted data, including financial information and passwords, without their knowledge or consent.
  • In 2017, Equifax withdrew its mobile phone apps when it became apparent that they contained severe security vulnerabilities to MITM attacks.

How Does a Man-in-the-Middle Attack Work?

A man-in-the-middle attack consists of four steps.

  1. The attacker eavesdrops on the victim’s machine’s digital conversation with another computer.
  2. A message is sent from one user to another.
  3. The attacker intercepts the message.
  4. The attacker hijacks the message, then either alters it or sends their own message in its place without the other parties knowing, bypassing security measures like firewalls.
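The four steps above can be exercised offline. The following Python script is an added example, not code from the original article or from SentinelOne: a relay function plays the man in the middle and rewrites a message in transit (steps 3 and 4), and the receiver either accepts whatever arrives or, when both ends share a key, verifies an HMAC-SHA256 tag over the message and rejects the altered copy. The shared key, the party names and the message texts are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed shared secret: in a real deployment both ends would hold a key
# agreed out of band (or derived by TLS), never a literal in the source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

ORIGINAL_TEXT = "Please wire the payment to account 123-CONSTRUCTED."
ALTERED_TEXT = "Please wire the payment to account 999-CONSTRUCTED instead."


def canonical(msg: dict) -> bytes:
    """Serialise exactly the fields that are authenticated, in a fixed order,
    so sender and receiver compute the tag over the same bytes."""
    return json.dumps({"from": msg["from"], "text": msg["text"]}, sort_keys=True).encode()


def make_message(sender: str, text: str, key: Optional[bytes] = None) -> dict:
    """Step 2: the sender builds a message. With a key, an HMAC-SHA256 tag is attached."""
    msg = {"from": sender, "text": text}
    if key is not None:
        msg["tag"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


def relay_and_tamper(msg: dict) -> dict:
    """Steps 3 and 4: the intermediary intercepts the message and replaces its
    content. It does not hold the key, so any tag is forwarded unchanged."""
    altered = dict(msg)
    altered["text"] = ALTERED_TEXT
    return altered


def receive(msg: dict, key: Optional[bytes] = None) -> Tuple[bool, str]:
    """Receiver. Without a key there is nothing to check and the message is
    accepted as delivered. With a key, the tag is recomputed and compared in
    constant time; a mismatch means the message was altered (or never tagged)."""
    if key is None:
        return True, msg["text"]
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return False, ""
    return True, msg["text"]


def run_unprotected() -> Tuple[bool, str]:
    """No integrity protection: the altered text is accepted as genuine."""
    return receive(relay_and_tamper(make_message("alice", ORIGINAL_TEXT)))


def run_protected() -> Tuple[bool, str]:
    """Same interception, but the tag no longer matches and the message is rejected."""
    msg = make_message("alice", ORIGINAL_TEXT, SHARED_KEY)
    return receive(relay_and_tamper(msg), SHARED_KEY)


def run_protected_untampered() -> Tuple[bool, str]:
    """Control case: an unmodified tagged message still verifies."""
    msg = make_message("alice", ORIGINAL_TEXT, SHARED_KEY)
    return receive(msg, SHARED_KEY)


if __name__ == "__main__":
    print("unprotected:", run_unprotected())
    print("protected  :", run_protected())
    print("untampered :", run_protected_untampered())
```

Message authentication catches the alteration in step 4 but does nothing about the eavesdropping in step 1; in practice both protections come from TLS, which encrypts the channel and authenticates the server, so this script shows only the integrity half of the picture.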

Common Types of Man-in-the-Middle Attacks

Although there are many different ways to pull off a successful MITM attack, they always involve some combination of four broad “buckets” of digital subversion, with the end goal of interposing the attacker into a data exchange between two computers.

The four buckets are:

  • Eavesdropping
  • Hijacking
  • Intercepting
  • Spoofing

Eavesdropping

MITM attacks usually involve the attacker eavesdropping on conversations between two computers in a network.

For example, a common type of MITM attack is called WiFi Eavesdropping. This occurs when a MITM attacker uses an unsecured WiFi network to trick people into logging into fake pages to steal their login credentials. Attackers commonly pull this off by creating fake WiFi networks with common names to trick users into logging into their accounts while the attacker eavesdrops or watches what they type while logging into different websites. This allows them to steal login credentials for their email, credit card, and even bank accounts.

Hijacking

Another type of MITM attack is DNS cache poisoning, in which the attacker finds a way to take over a DNS resolver (also called a DNS recursor), the server that looks up domain names on behalf of the computers in a network. Once the recursor has been hijacked, the attacker can mislead you by telling the DNS resolver that the website you’re trying to access actually lives at a different IP address owned by the attacker. The attacker then gives your computer a fake DNS entry via the hijacked DNS resolver, leading you to a malicious website designed to look legitimate.

Intercepting

IP spoofing is a cyberattack in which the attacker intercepts and modifies the IP address of a packet of data sent from one computer to the recipient computer without the original sender knowing.

Another way MITM attackers may accomplish this is by interrupting a sequence of data sent from the trusted source. The attacker then sends data from their computer while flooding the server with a denial of service (DoS) attack, which prevents or impairs the original sender from responding in time.

Using this method, the attacker can send your computer data packets that seem like they came from a trusted source, tricking your computer into accepting data that could compromise the recipient’s personal info or sensitive enterprise data.

Spoofing

Spoofing is another MITM attack where a threat actor impersonates, piggybacks off, masquerades as, or mimics a legitimate source to trick someone into acting against the interest of an organization.

Although we already covered IP spoofing earlier in this article, there are many ways spoofing can be used in MITM attacks. For example, in an HTTPS spoofing attack, attackers set up fake HTTPS websites. This is often accomplished by sending victims phishing emails designed to look like they came from major banks, social media sites, or payment mediums like PayPal. The emails prompt the user to follow a link leading them to a fake website created by the attacker designed to look like the real thing.

The victim then downloads the Certificate Authority (CA) from the fake site, which is like a digital stamp of approval for users on public networks, indicating that they are trustworthy actors.

The attacker then digitally signs the certificate and sends it back to the user, who stores it in their trusted key store – along with all other trusted keys for legitimate websites. The threat actor then relays web traffic to the actual website and can now monitor all of  the victim’s web traffic for the session.

How to Detect a Man-in-the-Middle Attack

Man-in-the-middle attacks are designed to be very stealthy. After all, the whole point is to allow the attacker to bypass security measures like firewalls.

Fortunately, they are not wholly undetectable. MITM attacks can sometimes be picked out before they cause too much damage if you know what to look for.

Signs to Look For

Unexpected or repeated connections are sometimes a telltale sign of a MITM attack. Cybercriminals will disconnect users from a network so they can intercept their login details or eavesdrop on them when they try to reconnect.

Strange URLs are another dead giveaway that you’re dealing with a MITM attack or other cybersecurity threats. For example, if you receive a seemingly trustworthy email from “Salesforce” asking you to follow a link to verify your account information, and that link leads to “salesforcel.mobileservice2013.com/txn?id=178948” instead of “www.salesforce.com,” you may be dealing with a cybercriminal, and logging into the site may compromise your organization’s network and sensitive customer information.

Using unsecured or public networks is another way to leave yourself vulnerable to MITM attacks. Remember, MITM attackers sometimes create fake WiFi networks with common names to trick you into connecting with their computer so they can watch you log into various websites.

How to Prevent a Man-in-the-Middle Attack

Generally, it is easier to prevent MITM attacks than detect them. Following these general rules can save you a lot of money and headaches in the long run.

General Best Practices

  • Connect only to networks that are secured and encrypted. This is especially true for remote employees.
  • If you hover your mouse over a suspicious link without clicking on it, your browser should display the URL embedded in that link. If the URL leads to a different site than advertised, never click on it.
  • Pay attention to the grammar and spelling of the email. Bad grammar and spelling are usually signs that you’re not dealing with the genuine article.
  • Use a VPN for employees not on an office-managed network.
  • Only connect to URLs that say “HTTPS” in the beginning (example: https://www.sentinelone.com).
  • Use multi-factor authentication to log in whenever possible and have a corporate-level solution for login credentials.
  • Perhaps most importantly, trust no one, even behind a firewall! Cybercriminals are smart, and their methods constantly evolve. When it comes to cybersecurity, it’s always better to be safe than sorry.
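The hover-and-inspect advice in the list above and the salesforcel.mobileservice2013.com example earlier in this section can be turned into a mechanical check. The following Python script is an added example, not code from the original article or from SentinelOne: it extracts the hostname from a link, reduces it to its registrable domain, and accepts the link only if it uses HTTPS and lands on the domain expected for the claimed sender. The EXPECTED_DOMAINS table and every URL other than the two quoted in the article are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list: which registrable domain a link from each named sender
# is expected to point at. A real deployment would load this from configuration.
EXPECTED_DOMAINS = {
    "Salesforce": "salesforce.com",
    "SentinelOne": "sentinelone.com",
}


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a URL, or None if it has none.
    A bare 'host/path' string (no scheme) is parsed by prefixing 'http://'
    so the host is still extracted; it will fail the HTTPS check later."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (e.g. 'mobileservice2013.com').
    Simplification: suffixes such as 'co.uk' need the Public Suffix List,
    which this example deliberately does not include."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_matches_sender(url: str, sender: str) -> bool:
    """True only if the link uses HTTPS and its registrable domain is the one
    expected for the claimed sender. Subdomains of the expected domain pass;
    look-alike names, extra labels appended after the real name, and
    'user@host' tricks in the authority part all fail."""
    expected = EXPECTED_DOMAINS.get(sender)
    if expected is None:
        return False
    if "://" not in url or urlsplit(url).scheme != "https":
        return False
    host = host_of(url)
    return host is not None and registrable_domain(host) == expected


def check_links(links):
    """Evaluate (sender, url) pairs; returns a list of (url, verdict)."""
    return [(url, link_matches_sender(url, sender)) for sender, url in links]


if __name__ == "__main__":
    sample = [  # constructed, except the two URLs quoted in the article
        ("Salesforce", "https://www.salesforce.com"),
        ("Salesforce", "salesforcel.mobileservice2013.com/txn?id=178948"),
        ("Salesforce", "https://www.salesforce.com.example-constructed.net/verify"),
        ("Salesforce", "https://www.salesforce.com@example-constructed.net/login"),
        ("Salesforce", "http://www.salesforce.com/login"),
    ]
    for url, ok in check_links(sample):
        print("OK  " if ok else "BAD ", url)
```

The two-label reduction in registrable_domain is a deliberate simplification; a production check should use the Public Suffix List so that names under suffixes like co.uk are handled correctly. The check also only tells you where a link points, not whether the site at the far end is the genuine one; that is what the browser's certificate verification is for.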

How SentinelOne Can Help with MITM and Other Attacks

As long as cybercriminals can use MITM attacks to steal login credentials and other sensitive information successfully, the methods by which they seek to do so will continue to change and evolve, especially with the expansion of more IoT devices and as IT supply chains become more complex.

SentinelOne can help defend against advanced cybersecurity threats, including MITM attacks. You can request a demo of SentinelOne to see us in action and learn more about the Singularity Platform. SentinelOne’s cybersecurity solution encompasses AI-powered prevention, detection, response and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous platform.

Who Wrote the ALPHV/BlackCat Ransomware Strain?

In December 2021, researchers discovered a new ransomware-as-a-service named ALPHV (a.k.a. “BlackCat”), considered to be the first professional cybercrime group to create and use a ransomware strain written in the Rust programming language. In this post, we’ll explore some of the clues left behind by a developer who was reputedly hired to code the ransomware variant.

Image: Varonis.

According to an analysis released this week by Varonis, ALPHV is actively recruiting operators from several ransomware organizations — including REvil, BlackMatter and DarkSide — and is offering affiliates up to 90 percent of any ransom paid by a victim organization.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill wrote.

One concern about more malware shifting to Rust is that it is considered a much more secure programming language compared to C and C++, writes Catalin Cimpanu for The Record. The upshot? Security defenders are constantly looking for coding weaknesses in many ransomware strains, and if more start moving to Rust it could become more difficult to find those soft spots.

Researchers at Recorded Future say they believe the ALPHV/BlackCat author was previously involved with the infamous REvil ransomware cartel in some capacity. Earlier this month the Russian government announced that at the United States’ request it arrested 14 individuals in Russia thought to be REvil operators.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.”

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil.

WHO IS BINRS?

A confidential source recently had a private conversation with a support representative who fields questions and inquiries on several cybercrime forums on behalf of a large and popular ransomware affiliate program. The affiliate rep confirmed that a coder for ALPHV was known by the handle “Binrs” on multiple Russian-language forums.

On the cybercrime forum RAMP, the user Binrs says they are a Rust developer who’s been coding for 6 years. “My stack is Rust, nodejs, php, golang,” Binrs said in an introductory post, in which they claim to be fluent in English. Binrs then signs the post with their identification number for ToX, a peer-to-peer instant messaging service.

That same ToX ID was claimed by a user called “smiseo” on the Russian forum BHF, in which smiseo advertises “clipper” malware written in Rust that swaps in the attacker’s bitcoin address when the victim copies a cryptocurrency address to their computer’s temporary clipboard.

The nickname “YBCat” advertised that same ToX ID on Carder[.]uk, where this user claimed ownership over the Telegram account @CookieDays, and said they could be hired to do software and bot development “of any level of complexity.” YBCat mostly sold “installs,” offering paying customers the ability to load malware of their choice on thousands of hacked computers simultaneously.

There is also an active user named Binrs on the Russian crime forum wwh-club[.]co who says they’re a Rust coder who can be reached at the @CookieDays Telegram account.

On the Russian forum Lolzteam, a member with the username “DuckerMan” uses the @CookieDays Telegram account in his signature. In one thread, DuckerMan promotes an affiliate program called CookieDays that lets people make money by getting others to install cryptomining programs that are infected with malware. In another thread, DuckerMan is selling a different clipboard hijacking program called Chloe Clipper.

The CookieDays moneymaking program.

According to threat intelligence firm Flashpoint, the Telegram user DuckerMan employed another alias — Sergey Duck. These accounts were most active in the Telegram channels “Bank Accounts Selling,” “Malware developers community,” and “Raidforums,” a popular English-language cybercrime forum.

I AM DUCKERMAN

The GitHub account for a Sergey DuckerMan lists dozens of code repositories this user has posted online over the years. The majority of these projects were written in Rust, and the rest in PHP, Golang and Nodejs — the same coding languages specified by Binrs on RAMP. The Sergey DuckerMan GitHub account also says it is associated with the “DuckerMan” account on Telegram.

Sergey DuckerMan’s GitHub profile.

Sergey DuckerMan has left many accolades for other programmers on GitHub — 460 to be exact. In June 2020, for example, DuckerMan gave a star to a proof-of-concept ransomware strain written in Rust.

Sergey DuckerMan’s GitHub profile says their social media account at VKontakte (the Russian version of Facebook/Meta) is vk.com/duckermanit. That profile is restricted to friends-only, but states that it belongs to a Sergey Pechnikov from Shuya, Russia.

A look at the Duckermanit VKontakte profile in Archive.org shows that until recently it bore a different name: Sergey Kryakov. The current profile image on the Pechnikov account shows a young man standing closely next to a young woman.

KrebsOnSecurity reached out to Pechnikov in transliterated Russian via the instant message feature built into VKontakte.

“I’ve heard about ALPHV,” Pechnikov replied in English. “It sounds really cool and I’m glad that Rust becomes more and more popular, even in malware sphere. But I don’t have any connections with ransomware at all.”

I began explaining the clues that led to his VK account, and how a key cybercriminal actor in the ransomware space had confirmed that Binrs was a core developer for the ALPHV ransomware.

“Binrs isn’t even a programmer,” Pechnikov interjected. “He/she can’t be a DuckerMan. I am DuckerMan.”

BK: Right. Well, according to Flashpoint, the Telegram user DuckerMan also used the alias Sergey Duck.

Sergey: Yep, that’s me.

BK: So you can see already how I arrived at your profile?

Sergey: Yep, you’re a really good investigator.

BK: I noticed this profile used to have a different name attached to it. A ‘Sergey Kryakov.’

Sergey: It was my old surname. But I hated it so much I changed it.

BK: What did you mean Binrs isn’t even a programmer?

Sergey: I haven’t found any [of] his accounts on sites like GitHub/stack overflow. I’m not sure, does binrs sell Rust Clipper?

BK: So you know his work! I take it that despite all of this, you maintain you are not involved in coding malware?

Sergey: Well, no, but I have some “connections” with these guys. Speaking about Binrs, I’ve been researching his personality since October too.

BK: Interesting. What made you want to research his personality? Also, please help me understand what you mean by “connections.”

Sergey: I think he is actually a group of some people. I’ve written him on telegram from different accounts, and his way of speaking is different. Maybe some of them somehow tied with ALPHV. But on forums (I’ve checked only XSS and Exploit) his ways of speaking are the same.

BK: …..

Sergey: I don’t know how to explain this. By the way, binrs now is really silent, I think he’s lying low. Well, this is all I know.

No doubt he is. I enjoyed speaking with Sergey, but I also had difficulty believing most of what he said. Also, I was bothered that Sergey hadn’t exactly disputed the logic behind the clues that led to his VK account. In fact, he’d stated several times that he was impressed with the investigation.

In many previous Breadcrumbs stories, it is common at this point for the interviewee to claim they were being set up or framed. But Sergey never even floated the idea.

I asked Sergey what might explain all these connections if he wasn’t somehow involved in coding malicious software. His answer, our final exchange, was again equivocal.

“Well, all I have is code on my github,” he replied. “So it can be used [by] anyone, but I don’t think my projects suit for malwares.”

6 Real-World Threats to Chromebooks and ChromeOS

Chromebooks and ChromeOS have earned themselves a deserved reputation for being more secure than many other devices and operating systems, so much so that “Chromebooks don’t get viruses” is the new “Macs don’t get viruses”. But as many Mac users of the past will now tell you today, complacency in taking proper security measures is the first step on the path to compromise.

The popularity of Chromebooks among students and in educational institutions means they provide an enticing target to threat actors looking to scoop up PII for sale, or credentials to leverage in targeted attacks. Chromebooks may not have the same kind or number of security problems as, say, Windows devices, but that’s not to say there are not genuine threats that ChromeOS users need to be aware of.

1. Actors Actively-Exploiting Chrome Zero Days

One of the Chromebook’s most-vaunted security features is its ability to check and repair the integrity of the operating system on reboot. It’s a great feature and one partly copied by Apple’s macOS, where Apple’s signed system volume (SSV) protection checks the integrity of the OS on boot.

But such a system cannot protect the user or their data against zero-days that are invisible to the operating system. Flaws like CVE-2020-15999 were found to be actively exploited in the wild and needed Google to push out an update to protect users after the fact.

Google fixed another actively-exploited Chrome zero-day, CVE-2021-21148, in 2021. While details of how these bugs were deployed against users in the wild are scarce, the fact that Google stated they were “actively exploited” should be enough to tell Chromebook users that the device and the OS are being targeted and attackers are finding ways through.

And indeed, there is no shortage of high-risk bugs being found in Chrome and ChromeOS by security researchers. 2021 alone saw Google patch over 300 bugs, with some 260 or more related to potential or actual remote attacks.

Some of the many remote attack bugs reported in 2021 against Chrome and ChromeOS

2. Android Apps and App Stores

When Chromebooks were first introduced, they were touted as being highly secure because they prevented the most common way for security compromises to occur: the download and execution of executable files. The only problem was, Chromebooks weren’t that useful. Most people’s computing needs extended beyond the reach of the limited, and sometimes clunky, web apps being offered by Google.

Since those days, Chromebooks have gained the ability to download many different kinds of apps, increasing both their utility and their attack surface at the same time. Android apps give Chromebooks more versatility, but Android malware is also extremely common.

In November 2021, researchers discovered four different families of malware infecting more than 300,000 Android devices via malicious apps downloaded from Google Play Store. The threat actors had uploaded initially benign apps to get past Google’s automated review, then later delivered banking trojan malware to select users via an app update.

In January 2022, researchers reported another financially motivated scamware campaign dubbed Dark Herring that, they say, poses a threat to all devices capable of running Android apps. The threat actors behind Dark Herring uploaded almost 470 malicious apps to the Google Play store and achieved over 100 million installations.

3. Sideloading Linux and Linux Apps

Making Chromebooks more useful has been one of the major demands of their users over the years, and back in 2018 they got their wish when Google made it possible to run Linux apps and share the ChromeOS downloads folder with a natively-hosted Linux VM. Perfect for developers and others who want to do more with their Chromebook device. The catch? An increased attack surface. Linux malware may not be common in comparison to Windows, but it’s on the rise, by 35% in 2021 according to some estimates.

The question for those managing Chromebooks that allow Linux app installations, as with Android app installations, is one of visibility. In other words, if you did get hit by some Linux malware, how would you know? On top of that, ChromeOS has no native security mechanisms that can protect against, detect or mitigate Linux-based malware.
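One concrete answer to the visibility question, as an added example rather than anything from the original post or from SentinelOne: take a hash baseline of the user-level persistence locations inside the Linux container and diff it later. The watched paths are the usual Linux ones (a ChromeOS-specific list would need to be confirmed), and the home directory and the simulated changes are constructed in a temporary directory so the script runs offline.

```python
"""Baseline-and-diff check for user-level persistence locations in a Linux
container such as the one ChromeOS hosts. Added example, not code from the
original post. The home directory and the "unwanted" changes in demo() are
constructed in a temp dir; the watched paths are assumed common Linux ones."""
import hashlib
import tempfile
from pathlib import Path

# User-writable locations where persistence is commonly planted (relative to $HOME).
PERSISTENCE_PATHS = [
    ".bashrc",
    ".profile",
    ".config/autostart",
    ".config/systemd/user",
    ".local/bin",
]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(home: Path) -> dict:
    """Return {relative_path: sha256} for every file under the watched locations."""
    baseline = {}
    for rel in PERSISTENCE_PATHS:
        target = home / rel
        if target.is_file():
            baseline[rel] = _sha256(target)
        elif target.is_dir():
            for p in sorted(target.rglob("*")):
                if p.is_file():
                    baseline[p.relative_to(home).as_posix()] = _sha256(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify every watched file as added, removed or modified since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean home, then plant two changes that a
    defender would want to notice (a new autostart entry and an edited .bashrc)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".config" / "autostart").mkdir(parents=True)
        (home / ".bashrc").write_text("export PATH=$HOME/.local/bin:$PATH\n")
        before = build_baseline(home)

        # Simulated persistence; the paths are placeholders, not real samples.
        (home / ".config" / "autostart" / "updater.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=/tmp/.x/run\n")
        with (home / ".bashrc").open("a") as f:
            f.write("nohup /tmp/.x/run &\n")
        after = build_baseline(home)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the container (the diff is only as trustworthy as the copy an intruder cannot edit) and the check run on a schedule; the point of the example is that even without an agent, a recorded baseline turns "how would you know?" into a concrete answer.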

4. Windows Malware on ChromeOS? Oh, Yes (Oh, No!)

Despite Google’s best intentions, it seems that in the end everything comes full circle. The original idea to deliver an OS that didn’t have Windows’ horrific problem with malware is finally undermined when it turns out that savvy users can in fact install Windows 10 apps if they choose.

But who would do that? Well, for one, users coming from a Windows background. Many students and teachers were brought up on Windows machines and Microsoft software, and old habits–and dependencies–die hard. Data that may be locked in proprietary software or just software that users are long-habituated to can now be accessed on a Chromebook by running Windows apps on ChromeOS.

On older versions of ChromeOS, they would have been out of luck, but thanks to the ability to run Linux apps discussed above, they can also install WINE, a Windows emulator, and with WINE they can download and execute Windows 10 applications.

Running Windows apps on a Chromebook doesn’t mean you will get malware, any more than running Windows apps on a PC means you will get malware. But it does mean the attack surface has now opened up and the Chromebook’s original promise–no downloading or launching of local, executable files–is entirely broken.

5. Malicious Chrome Extensions

Browser extensions have always been a security problem on every platform, and with ChromeOS’s heavy reliance on the Chrome browser, some of its biggest security headaches have been around users unknowingly installing malicious extensions.

The situation was particularly bad up until 2019, until Google started tackling the problem in more earnest, but the problem of malicious Chrome extensions is still with us in 2022.

6. Google Chromebook, The Internet and Scams

Chromebooks originally made their name on the concept of having users do everything in the cloud and on the web, but the internet is a dangerous place. The web only works because of JavaScript, and malicious websites that take advantage of the powers of JavaScript are easy to come across even during the safest of searches.

Some extortion sites use JavaScript to lock a user’s browser and try to extort money in order to “free” the computer. Others offer phoney ‘cloned’ login pages of popular websites in an attempt to steal credentials.

As with any other device, Google Chromebooks are susceptible to man-in-the-middle (MiTM) attacks when using public Wi-Fi. Coffee shops, beloved by study groups and tutors, are a prime location for an attacker to set up a fake network and sniff traffic. While encryption between the browser and most websites these days offers better protection than in the past, attackers can still scrape useful data that may help them target or profile users.

Secure Your Chromebooks Like Any Other Device

Here’s a simple truth that the recent history of malware and cyber attacks has proven time and time again: all computing devices are at risk of compromise if they contain valuable data, or are connected to a network where other devices contain valuable data. There is no such thing as a device or OS that can’t get malware. Threat actors have successfully exploited every kind of device and operating system at some point in time: Windows, Mac, iOS, Android, Linux, Docker containers, IoT devices, and yes, Chromebooks, too.

The only responsible security stance to take on all endpoints is to install an agent that offers you visibility and protection. If you would like to know more about how SentinelOne can help protect your Chromebooks and other devices, read more here, contact us, or request a free demo.


Paw Patrol Toddler Bed – A Trendy Big Kid Bed For Your Little Paw Patrol Fan!

What kid doesn’t love Paw Patrol?! It is the #1 TV show for kids and has the highest ratings on Nickelodeon! My son is obsessed. All of his friends are obsessed, too. We keep hearing great things about Paw Patrol, and we just had to see what the fuss was all about: that’s why we have already compiled a list of Paw Patrol kids chairs!

Paw Patrol TV series tells a story about boy-and-his-dog adventures with his six best friends: Chase, Marshall, Skye, Rocky, Zuma, and Rubble. Their mission is to protect Adventure Bay from different threats with technology or superpowers. The pups have their own land, sea, and air transportation vehicles.

Its primary audience is 2-5 years old, but I think that older kids would enjoy this show as well. 4 of the pups are boys and 1 girl pup – Skye. They are all fun and cute, very lovable!

We invest in the toys and cartoons we buy our kids to help shape their development. They love to watch, read, and play it all (and ask for more!). So when you decide to look into getting your toddler their very first big boy/big girl bed, of course, you want to look for one that they would be excited about – and one that would continue their love for Paw Patrol!

Paw Patrol Toddler Bed

When looking for a kids’ bed, you want it to be safe, sturdy, and stable. But you also want it to have the cool factor – something that your kid will enjoy and love! That’s why we were so excited about this Paw Patrol toddler bed: we knew our son would go nuts over this! When in doubt, get them something with their favorite Paw Patrol character on it!

The Paw Patrol Toddler Bed is an excellent gift for your child. A new toddler bed with a Paw Patrol design will give them the feeling of being in their own room and of sleeping safely on their own.

Toddler beds are a great way to transition your toddler from the crib into a regular bed, and with this Paw Patrol Toddler Bed, they’ll feel like part of the action straight away!

We have done our best to provide you with the most popular models on the market – toddler beds that are durable, comfortable, and aesthetically pleasing. Have a look!

Delta Children Wood Toddler Bed

This Paw Patrol Toddler Bed from Delta Children is just perfect! It comes in a bright, fun red color. The bed’s frame looks like a firetruck, with all the Paw Patrol decals you’ll love. It is, no doubt, the perfect firetruck bed for toddlers!

This toddler bed has elevated bedsides to help children feel secure and cozy at night – which is very important for little ones transitioning away from a crib. Thanks to them, your little one is safe from falling out of bed or from climbing over the edge.

The Delta Children Wood Toddler Bed is a great transitional item for toddlers up through preschool-aged kids. Made from solid wood construction with non-toxic paint, this bed is sturdy and built to hold up against the roughest of pups.

The mattress is not included with this toddler bed, but it’s easy to buy one separately! Any standard toddler mattress will fit.

Delta Children Plastic Toddler Bed

This Paw Patrol toddler bed from Delta Children is an excellent option for those looking for something less pricey.

Made from plastic; it is lightweight and easy to move around the room. It easily assembles. The Paw Patrol graphics are very cute – just right for toddlers!

The material used to create this bed is covered with non-toxic paint. On top of that, it’s very durable and lightweight – perfect for kids transitioning into their first big boy/girl bed! It includes an attached guard rail to keep your pup secure.

The bed matches regular-sized toddler mattresses. You can also get a matching Paw Patrol toddler bed set!

This Paw Patrol toddler bed is definitely one that you should consider buying. It has everything that your little fan will love – it’s fun, comfortable, and safe! Not just that, but the great design of this bed makes it very easy to fit in any kid’s room. Let your child feel like part of the team with this awesome toddler bed!

Delta Children 3D-Footboard Toddler Bed

If your child is a huge fan of Paw Patrol, then this bed is going to be his favorite for sure! It is fun, comfy, and very safe. The best part? It has a guard rail to prevent your toddler from falling off! Let’s face it – toddlers are not the most coordinated creatures. They are still exploring their sense of balance so that this Paw Patrol toddler bed will provide maximum safety for them.

Also, the Paw Patrol 3D-Footboard Toddler Bed has a low height for ease of access; it’s perfect for toddlers transitioning from the cot to a bed. The bed itself is made of non-toxic PVC. It has the Paw Patrol design with Chase on top, and it’s straightforward to assemble and clean (which is great for parents).

This bed does not come with a mattress, but it accommodates a standard crib mattress size, so you won’t have any trouble finding the right fit for your toddler’s bed. Recommended for ages 15 months+/ holds up to 50 lbs.

This is a quality toddler bed at a very reasonable price. It’s sturdy and safe for your little Paw Patrol fan to use! We love it!

Conclusion

This was our selection of the best toddler beds for your little Paw Patrol fan. Just pick one, order it and let your child feel like part of the team! They will surely fall in love with their new big kid bed!

We hope that through our review, you can make up your mind about which toddler bed is the best one for you. So hurry up and get yours! Your little pup will surely love it!


Scary Fraud Ensues When ID Theft & Usury Collide

What’s worse than finding out that identity thieves took out a 546 percent interest payday loan in your name? How about a 900 percent interest loan? Or how about not learning of the fraudulent loan until it gets handed off to collection agents? One reader’s nightmare experience spotlights what can happen when ID thieves and hackers start targeting online payday lenders.

The reader who shared this story (and copious documentation to go with it) asked to have his real name omitted to avoid encouraging further attacks against his identity. So we’ll just call him “Jim.” Last May, someone applied for some type of loan in Jim’s name. The request was likely sent to an online portal that takes the borrower’s loan application details and shares them with multiple prospective lenders, because Jim said over the next few days he received dozens of emails and calls from lenders wanting to approve him for a loan.

Many of these lenders were eager to give Jim money because they were charging exorbitant 500-900 percent interest rates for their loans. But Jim has long had a security freeze on his credit file with the three major consumer credit reporting bureaus, and none of the lenders seemed willing to proceed without at least a peek at his credit history.

Among the companies that checked to see if Jim still wanted that loan he never applied for last May was Mountain Summit Financial (MSF), a lending institution owned by a Native American tribe in California called the Habematolel Pomo of Upper Lake.

Jim told MSF and others who called or emailed that identity thieves had applied for the funds using his name and information; that he would never take out a payday loan; and would they please remove his information from their database? Jim says MSF assured him it would, and the loan was never issued.

Jim spent months sorting out that mess with MSF and other potential lenders, but after a while the inquiries died down. Then on Nov. 27 — Thanksgiving Day weekend — Jim got a series of rapid-fire emails from MSF saying they’ve received his loan application, that they’d approved it, and that the funds requested were now available at the bank account specified in his MSF profile.

Curiously, the fraudsters had taken out a loan in Jim’s name with MSF using his real email address — the same email address the fraudsters had used to impersonate him to MSF back in May 2021. Although he didn’t technically have an account with MSF, their authentication system is based on email addresses, so Jim requested that a password reset link be sent to his email address. That worked, and once inside the account Jim could see more about the loan details:

The terms of the unauthorized loan in Jim’s name from MSF.

Take a look at that 546.56 percent interest rate and finance charges listed in this $1,000 loan. If you pay this loan off in a year at the suggested bi-weekly payment amounts, you will have paid $3,903.57 for that $1,000.

Jim contacted MSF as soon as they opened the following week and found out the money had already been disbursed to a Bank of America account Jim didn’t recognize. MSF had Jim fill out an affidavit claiming the loan was the result of identity theft, which necessitated filing a report with the local police and a number of other steps. Jim said numerous calls to Bank of America’s fraud team went nowhere because they refused to discuss an account that was not in his name.

Jim said MSF ultimately agreed that the loan wasn’t legitimate, but they couldn’t or wouldn’t tell him how his information got pushed through to a loan — even though MSF was never able to pull his credit file.

Then in mid-January, Jim heard from MSF via snail mail that they’d discovered a data breach.

“We believe the outsider may have had an opportunity to access the accounts of certain customers, including your account, at which point they would be able to view personal information pertaining to that customer and potentially obtain an unauthorized loan using the customer’s credentials,” MSF said.

MSF said the personal information involved in this incident may have included name, date of birth, government-issued identification numbers (e.g., SSN or DLN), bank account number and routing number, home address, email address, phone number and other general loan information.

A portion of the Jan. 14, 2022 breach notification letter from tribal lender Mountain Summit Financial.

Never mind that his information was only in MSF’s system because of an earlier attempt by ID thieves: The intruders were able to update his existing (never-deleted) record with new banking information and then push the application through MSF’s systems.
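The control gaps in that sequence (a record that should have been purged or flagged after the May report, funding without any credit check, and a payout account changed right before disbursement) can be expressed as a pre-disbursement gate. The following is an added illustration, not MSF’s or any lender’s code; the field names, the seven-day cooling-off period and the constructed customer profiles are assumptions.

```python
"""Pre-disbursement fraud gate for an online lending back end.

Added example, not Mountain Summit Financial's or any lender's actual code.
It encodes the three controls the story shows were absent: honouring an
earlier identity-theft report, refusing to fund without a completed credit
check, and holding any application whose payout account was changed shortly
before funding. Field names and the cooling-off period are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy value: a payout-account change inside this window holds funding.
PAYOUT_CHANGE_COOLING_OFF = timedelta(days=7)


@dataclass
class CustomerProfile:
    email: str
    identity_theft_reported: bool = False        # customer told us "this wasn't me"
    credit_check_completed: bool = False         # stays False when the file is frozen
    payout_account_last_changed: Optional[datetime] = None


@dataclass
class LoanApplication:
    amount: float
    payout_account: str
    submitted_at: datetime


@dataclass
class Decision:
    action: str                                  # "approve", "hold" or "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate_disbursement(profile: CustomerProfile, app: LoanApplication) -> Decision:
    """Decide whether funds may leave the lender for this application."""
    deny, hold = [], []
    if profile.identity_theft_reported:
        deny.append("prior identity-theft report on record")
    if not profile.credit_check_completed:
        deny.append("no completed credit check")
    changed = profile.payout_account_last_changed
    if changed is not None and app.submitted_at - changed < PAYOUT_CHANGE_COOLING_OFF:
        hold.append("payout account changed within cooling-off window; "
                    "confirm out of band before funding")
    if deny:
        return Decision("deny", deny + hold)
    if hold:
        return Decision("hold", hold)
    return Decision("approve")


def demo_jim_scenario() -> Decision:
    """Constructed profile mirroring the article: flagged in May, no credit pull,
    payout account swapped hours before the application was pushed through."""
    now = datetime(2021, 11, 27, 9, 0)
    profile = CustomerProfile(
        email="jim@example.invalid",
        identity_theft_reported=True,
        credit_check_completed=False,
        payout_account_last_changed=now - timedelta(hours=2),
    )
    app = LoanApplication(amount=1000.0, payout_account="acct-unknown", submitted_at=now)
    return evaluate_disbursement(profile, app)


def demo_account_change_scenario() -> Decision:
    """Constructed case: otherwise clean customer whose payout account changed yesterday."""
    now = datetime(2021, 11, 27, 9, 0)
    profile = CustomerProfile(email="recent@example.invalid", credit_check_completed=True,
                              payout_account_last_changed=now - timedelta(days=1))
    app = LoanApplication(amount=500.0, payout_account="acct-new", submitted_at=now)
    return evaluate_disbursement(profile, app)


def demo_clean_scenario() -> Decision:
    """Constructed legitimate case: no flags, credit checked, payout account unchanged."""
    now = datetime(2021, 11, 27, 9, 0)
    profile = CustomerProfile(email="ok@example.invalid", credit_check_completed=True,
                              payout_account_last_changed=now - timedelta(days=90))
    app = LoanApplication(amount=500.0, payout_account="acct-on-file", submitted_at=now)
    return evaluate_disbursement(profile, app)


if __name__ == "__main__":
    for d in (demo_jim_scenario(), demo_account_change_scenario(), demo_clean_scenario()):
        print(d)
```

The "hold" path is deliberately separate from "deny": a legitimate customer who just switched banks should get an out-of-band confirmation rather than a refusal, while an account with a standing identity-theft report or no credit decision should never fund at all.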

“MSF was the target of a suspected third-party attack,” the company said, noting that it was working with the FBI, the California Sheriff’s Office, and the Tribal Commission for Lake County, Calif. “Ultimately, MSF confirmed that these trends were part of an attack that originated outside of the company.”

MSF has not responded to questions about the aforementioned third party or parties that may be involved. But it is possible that other tribal lenders could have been affected: Jim said that not long after the phony MSF payday loan was pushed through, he received at least three inquiries in rapid succession from other lenders who were all of a sudden interested in offering him a loan.

In a statement sent to KrebsOnSecurity, MSF said it was “the victim of a malicious attack that originated outside of the company, by unknown perpetrators.”

“As soon as the issue was uncovered, the company initiated cybersecurity incident response measures to protect and secure its information; and notified law enforcement and regulators,” MSF wrote. “Additionally, the company has notified individuals whose personal identifiable information may have been impacted by this crime and is actively working with law enforcement in its investigation. As this is an ongoing criminal investigation, we can make no additional comment at this time.”

According to the Native American Financial Services Association (NAFSA), a trade group in Washington, D.C. representing tribal lenders, the short-term installment loan products offered by NAFSA members are not payday loans but rather “installment loans” — which are amortized, have a definite loan term, and require payments that go toward not just interest, but that also pay down the loan principal.

NAFSA did not respond to multiple requests for comment.

Nearly all U.S. states have usury laws that limit the amount of interest a company can charge on a loan, but those limits traditionally haven’t applied to tribal lenders.

Leslie Bailey is a staff attorney at Public Justice, a nonprofit legal advocacy organization in Oakland, Calif. Bailey says an increasing number of online payday lenders have sought affiliations with Native American tribes in an effort to take advantage of the tribes’ special legal status as sovereign nations.

“The reason is clear: Genuine tribal businesses are entitled to ‘tribal immunity,’ meaning they can’t be sued,” Bailey wrote in a blog post. “If a payday lender can shield itself with tribal immunity, it can keep making loans with illegally-high interest rates without being held accountable for breaking state usury laws.”

Bailey said in one common type of arrangement, the lender provides the necessary capital, expertise, staff, technology, and corporate structure to run the lending business and keeps most of the profits. In exchange for a small percent of the revenue (usually 1-2%), the tribe agrees to help draw up paperwork designating the tribe as the owner and operator of the lending business.

“Then, if the lender is sued in court by a state agency or a group of cheated borrowers, the lender relies on this paperwork to claim it is entitled to immunity as if it were itself a tribe,” Bailey wrote. “This type of arrangement — sometimes called ‘rent-a-tribe’ — worked well for lenders for a while, because many courts took the corporate documents at face value rather than peering behind the curtain at who’s really getting the money and how the business is actually run. But if recent events are any indication, legal landscape is shifting towards increased accountability and transparency.”

In 2017, the Consumer Financial Protection Bureau sued four tribal online payday lenders in federal court — including Mountain Summit Financial — for allegedly deceiving consumers and collecting debt that was not legally owed in many states. All four companies are owned by the Habematolel Pomo of Upper Lake.

The CFPB later dropped that inquiry. But a class action lawsuit (PDF) against those same four lenders is proceeding in Virginia, where a group of plaintiffs have alleged the defendants violated the Racketeer Influenced and Corrupt Organizations Act (RICO) and Virginia usury laws by charging interest rates between 544 and 920 percent.

According to Buckley LLP, a financial services law firm based in Washington, D.C., a district court dismissed the RICO claims but denied the defense’s motion to compel arbitration and dismiss the case, ruling that the arbitration provision was unenforceable as a prospective waiver of the borrowers’ federal rights and that the defendants could not claim tribal sovereign immunity. The district court also “held the loan agreements’ choice of tribal law unenforceable as a violation of Virginia’s strong public policy against unregulated lending of usurious loans.”

Buckley notes that on Nov. 16, 2021, the U.S. Court of Appeals for the Fourth Circuit upheld the district court ruling, concluding that the arbitration clauses in the loan agreements “impermissibly force borrowers to waive their federal substantive rights under federal consumer protection laws, and contained an unenforceable tribal choice-of-law provision because Virginia law caps general interest rates at 12 percent.”

Jim said he learned of the Thanksgiving weekend MSF loan only because the hackers apparently figured it was easier to push through loans using existing MSF customer account information than it was to alter anything in the records other than the bank account for receiving the funds.

But had the hackers changed the email address, Jim might have first found out about the loan when the collection agencies came calling. And by then, his exorbitant loan would be in default and racking up some wicked late charges.

Jim says he’s still hopping mad at MSF, and these days he’s just waiting for the other shoe to drop.

“They issued this loan in my name without verification and without even checking my credit at all, even though they were already on notice that they shouldn’t have been dealing with me from the May incident,” Jim said. “I still feel like I’m going to get that call at some point from a collection agency asking why I haven’t been making payments on some installment loan I never asked for.”

Speed, Accuracy, Scale: Redefining Enterprise-Grade Response with Kroll and SentinelOne

We live in an age in which cyber attacks make front page news on a weekly, sometimes even daily basis. As the threat actors behind these attacks move faster, more deliberately, and more audaciously than ever before, it becomes increasingly clear that cyber incident preparedness and response must be treated as more than just a checkbox for today’s businesses. Moreover, not all approaches to incident response are created equal. Few organizations know this better than Kroll.

Kroll and Meeting the Needs of a Complex Threat Landscape

For 50 years, Kroll has been a premier provider of services and digital products related to valuation, governance, risk, and transparency, including cyber risk and incident response services. As organizations around the globe face disruptive, potentially devastating security events, they call on Kroll to detect, mitigate, and recover from the incident as quickly, accurately, and efficiently as possible. Evolving at pace with the growing complexity of cyber attacks requires Kroll’s responders to be equipped with the “latest and greatest technology,” defined by proven accuracy, enterprise scalability, and deep investigative capabilities.

Dave Wagner, Senior Vice President of Cyber Risk, heads up response operations at Kroll. As the front line operators of EDR technology from deployment and triage through remediation and recovery, Dave’s team “needs a partner that empowers us to deliver at the high level our clients expect and not be bound by technological limitations.” Enter SentinelOne.

“We are dealing with a complex threat landscape. Attacks are shifting really fast. The quicker we can get answers, the more likely our clients are to avoid costly implications.” — Dave Wagner, Vice President of Response Operations, Kroll


Accelerate Forensic Collection, Triage, and Response at Scale with Remote Script Orchestration

For SentinelOne clients, Kroll delivers three critical stages of the response process: collection of forensic artifacts, hunting for and monitoring of active threat actor activity, and eradication of malicious activity in the environment, followed by steps to build resilience in the long term. Kroll can also help with post-incident challenges thanks to its end-to-end solutions across cyber governance, assessments, and litigation support.

A crucial tool for the success of each of these steps is Remote Script Orchestration (RSO) powered by SentinelOne. Thanks to proprietary integrations between Kroll’s digital forensics tools, such as KAPE, and SentinelOne RSO, Kroll clients do not need to deploy additional agents during an incident; the existing security stack is used to conduct forensics at scale and to respond remotely to events on endpoints.

This enables Kroll to rapidly pull forensic triage data from a client’s entire enterprise estate; Dave compares this with the days—if not weeks—that firms still markedly limited in their remote collection and response capabilities sometimes require.

Additionally, RSO allows the Kroll team to identify and diagnose the “patient zero” machine of an attack more quickly, often in just minutes or hours, saving clients precious time and money while an appropriate response is formulated. For example, in the case of a ransomware attack, Kroll can use SentinelOne to determine the degree of data exfiltration that has occurred in the client environment.

Tracking and Mitigating Malicious Activity in Real Time

From these collected artifacts and the live telemetry recorded through SentinelOne’s ActiveEDR technology, Dave’s team can then determine relevant Indicators of Compromise (IOCs) and hunt for malicious behaviors using the Deep Visibility module. With these IOCs, they can also put detections in place using Storyline Active Response (STAR). STAR lets Kroll incorporate custom detection logic and immediately push it out to a customer’s entire fleet, or a subset of it, to either kill any matching process or alert on it for further investigation.

“With STAR, Kroll’s team can automate responses to suspicious processes based on additional behaviors such as IP address or DNS, which is helpful when IOCs are not hashes where a hash blacklist makes sense. We want to treat these IOCs as malicious, so whatever is reaching out will be killed and quarantined automatically, helping with containment. We use STAR rules as part of our engagements and are really pleased with it.” – Dave Wagner
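The quote above describes IOC-driven detections that match on network indicators (an IP address or a DNS name) rather than only file hashes, with a configured response of kill or alert per indicator. The following is an added illustration of that kind of detection logic, not SentinelOne or Kroll code and not the STAR rule syntax: it is a generic matcher run over a handful of constructed endpoint events. The IOC values (a TEST-NET address and range, a `.example` domain, an all-`a` hash) and the event records are placeholders constructed for the example.

```python
"""IOC matching over endpoint telemetry with a per-indicator kill/alert action.

Added example; generic logic, not a vendor API. All indicators and events below
are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ioc:
    kind: str    # "sha256", "ip", "cidr" or "domain"
    value: str
    action: str  # "kill" (terminate and quarantine) or "alert" (investigate)
    name: str    # analyst-facing label for the indicator


# Constructed IOC list: hash-based and network-based indicators side by side.
IOCS = [
    Ioc("sha256", "a" * 64, "kill", "dropper-hash"),          # placeholder hash
    Ioc("ip", "203.0.113.10", "kill", "c2-ip"),               # TEST-NET-3 address
    Ioc("cidr", "198.51.100.0/24", "alert", "suspicious-range"),  # TEST-NET-2
    Ioc("domain", "beacon.malicious.example", "kill", "c2-domain"),
]


@dataclass
class ProcessEvent:
    event_id: int
    process: str
    sha256: str
    dest_ip: Optional[str] = None    # outbound connection, if any
    dns_query: Optional[str] = None  # DNS lookup issued by the process, if any


def domain_matches(query: str, ioc_domain: str) -> bool:
    """Exact or subdomain match, case-insensitive, trailing dot tolerated."""
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def ioc_hits(event: ProcessEvent, iocs: List[Ioc]) -> List[Ioc]:
    """Return every indicator the event matches, in IOC list order."""
    hits = []
    for ioc in iocs:
        if ioc.kind == "sha256" and event.sha256.lower() == ioc.value.lower():
            hits.append(ioc)
        elif ioc.kind == "ip" and event.dest_ip == ioc.value:
            hits.append(ioc)
        elif ioc.kind == "cidr" and event.dest_ip is not None \
                and ip_address(event.dest_ip) in ip_network(ioc.value):
            hits.append(ioc)
        elif ioc.kind == "domain" and event.dns_query is not None \
                and domain_matches(event.dns_query, ioc.value):
            hits.append(ioc)
    return hits


def evaluate(events: List[ProcessEvent],
             iocs: List[Ioc] = IOCS) -> List[Tuple[int, str, List[str], str]]:
    """Produce (event_id, process, matched IOC names, action) for each hit.

    If any matched indicator is configured to kill, the kill action wins, since
    containment takes precedence over a mere alert on the same process.
    """
    results = []
    for ev in events:
        hits = ioc_hits(ev, iocs)
        if not hits:
            continue
        action = "kill" if any(h.action == "kill" for h in hits) else "alert"
        results.append((ev.event_id, ev.process, [h.name for h in hits], action))
    return results


# Constructed telemetry: one benign event and four that should match.
SAMPLE_EVENTS = [
    ProcessEvent(1, "chrome.exe", "b" * 64, dest_ip="192.0.2.5",
                 dns_query="www.example.com"),
    ProcessEvent(2, "updater.exe", "c" * 64, dest_ip="203.0.113.10"),
    ProcessEvent(3, "powershell.exe", "d" * 64,
                 dns_query="cdn.beacon.malicious.example."),
    ProcessEvent(4, "outlook.exe", "e" * 64, dest_ip="198.51.100.77"),
    ProcessEvent(5, "setup.exe", "A" * 64),
]

if __name__ == "__main__":
    for event_id, proc, names, action in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {action.upper()} {proc} (matched {', '.join(names)})")
```

The subdomain rule and the trailing-dot handling in `domain_matches` are the edge cases a DNS-based indicator most often misses; the CIDR indicator shows why an alert-only action is useful for a range that is suspicious but not confirmed hostile.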

Full-Circle Remediation and Recovery

With a clear, comprehensive picture of the attacker’s movements in the client environment, Kroll can then engage RSO once more to roll out custom remediation scripts and/or automated response playbooks to impacted machines.

These scripts can not only eradicate any malicious files that were found, but also capture, log, and remove any persistence mechanisms or other malicious artifacts that may have been put in place.

An added bonus? SentinelOne’s approach to RSO helps orchestrate script usage, mitigating delays or errors that might otherwise result when systems are offline.

Answering Key Incident Response Questions with Ranger

Implementing the right course of action in a cyber incident starts with visibility and insight. In turn, SentinelOne’s Ranger helps accelerate Kroll’s response by quickly identifying potential blind spots in coverage.

The network discovery and attack surface control capabilities of SentinelOne Singularity Ranger allow Dave and team to understand their coverage of the client environment and the scope of the threat within.

With Ranger, Dave can track the deployment of the Sentinel Agent in a tangible, measurable way. If 80% of an environment is covered by an agent, Ranger can quickly and easily install the agent on the unprotected 20%. Having eyes on every corner of the enterprise environment helps ensure his team carries out a complete, comprehensive response.

Ranger also comes into play in the many cases where attacks move laterally within the client’s network. Ranger can, for example, help Dave’s team home in on DNS records resolving to a device with a particular IP address, and gain visibility of the device’s current connectivity. This allows them to identify and contain affected devices in the attacker’s path, and even prevent further proliferation of the threat.

Revolutionize Incident Response With The Power of Partnership

Though many of the world’s top incident preparedness and response firms are equipped with a sweeping array of technologies with which they can eliminate a cyber threat, these technologies alone do not guarantee the most comprehensive, effective incident response.

It’s when technology is paired with expertise and strategic partnership that we can deliver sustainable solutions for organizations in their moments of need. That’s why SentinelOne and Kroll, partnered together, are following through on speed, efficiency, and accuracy for Kroll’s clients every day.

Beyond an intuitive user interface and support team that makes it easier to streamline operations, the response team at Kroll also has access to a dedicated Technical Account Manager at SentinelOne for immediate, informed guidance—even in the midst of an engagement. This ultimately drives faster results and recovery for Kroll’s clients when they need it most.

The Kroll team even directly interfaces with SentinelOne’s product management team, helping both parties to evolve their solutions and approach as the threat landscape grows in complexity and pace.

With this teamed approach, Kroll and SentinelOne can continue to defeat the cyber threats putting organizations around the globe at risk.

To read more, visit the SentinelOne Cyber Risk Partners page. If you would like to learn more about RSO, STAR, and the SentinelOne Singularity XDR platform, contact us for more information or request a free demo.


The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good

This week, it was announced that several members of the ‘SilverTerrier’ group have been arrested. The Nigerian Police Force, along with Interpol, took down eleven members of the criminal outfit as part of Operation Falcon II.

The SilverTerrier group is tied to massive BEC (Business Email Compromise) campaigns across the region. In BEC, target organizations are tricked into making wire transfers or other payments to a malicious third party rather than the intended recipient.

The operation was carried out in late December 2021, with the resulting arrests taking place across Lagos and Asaba. This is not the first time this group has been disrupted. Many additional members of the SilverTerrier group were arrested back in 2020 as part of Operation Falcon I.

The current operation discovered more than 50,000 possible targets within the group’s crosshairs. One of the suspects was in possession of over 800,000 sets of stolen credentials, said to have been obtained as per the group’s standard, malicious operations. At present, the IGFCTF (INTERPOL’s Global Financial Crime Taskforce) is working towards seizing or freezing the bank accounts and additional assets tied to the group.

It’s no surprise that email and spam are still the number one attack vectors out there. Criminals know that large corporations are still largely email-dependent when it comes to commerce with third parties, and it is exactly this scenario that they target. It cannot be said enough: be careful what you open and be cautious of what you click. The full Operation Falcon II release can be found here.

The Bad

This week it was disclosed that the Italian fashion company Moncler was the target of a large-scale ransomware attack. The attack took place in the last weeks of 2021 and appears to have been the handiwork of BlackCat, a relatively new RaaS operation delivering payloads written in Rust.

The reveal comes on the heels of the BlackCat group publishing some of the pilfered data on their Tor-based victim blog. This includes all of “the logistics activities related to the shipping of final products”. In addition, the company has stated that unauthorized access to potentially sensitive personal information did occur, including information related to employees, consultants, and customers, which appeared on the BlackCat leak site.

The company has admirably taken a firm stance against paying ransoms. In addition, the company has issued a stern warning with regards to the holding and distribution of any of their stolen data.

“Moncler reminds all that information in the possession of cybercriminals is the result of illegal activities and that consequently, the acquisition, use and dissemination of the same constitutes a criminal offense.”

The company also stated that no payment or credit card data was compromised during the attack.

The Ugly

This week, it was revealed that the personal data of over a half-million individuals may have been exposed due to a large-scale cyberattack on a Red Cross contractor, according to an announcement from the ICRC (International Committee of the Red Cross).

The impacted data is highly sensitive as it pertains to the ‘Restoring Family Links’ program. This program assists in reuniting families that have been separated by extraordinary events such as natural disasters, war, and conflict. The loss or leak of this type of data could be potentially devastating to those involved in the program. The director-general of the ICRC, Robert Mardini, was quoted as saying:

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

It is stated that the attack, in total, affected data from at least sixty Red Cross and Red Crescent National Societies around the world.

While further details of the attack have not yet been released, it is likely that the attack mirrors other attacks by ransomware operators. As such, strong hygiene and prevention are the only means of risk avoidance here.