A CISO’s Guide to the Security Impact of the Attacks on Ukraine

The situation in Ukraine presents many humanitarian and security challenges. We are obtaining a clearer view into a form of hybrid warfare that we had previously only theorized about. SentinelOne is providing whatever technical resources we can to support Ukrainian organizations. We also have to recognize the larger threat posed by cyber operations directed at those who support sanctions, at strategic Western sectors, or at Ukrainian organizations. In this post, we offer a high-level overview of the threats emerging from the ongoing conflict in Ukraine.

To date, we have seen threat actors using three primary tactics: Distributed Denial of Service (DDoS) attacks, website defacements, and malicious wipers. While each technique may be regarded as simple on its own, in combination they present a destabilizing force, limiting the availability of official information and services either temporarily or permanently.

Denial of Service Attacks

In the early stages of the invasion, Ukrainian government websites were taken offline by DDoS attacks. Specifically, the websites of the Ministry of Foreign Affairs, the Ministry of Defense, the Ministry of Internal Affairs, and the Security Service of Ukraine all suffered a disruption of service, as did the Ukrainian financial sector. The UK government attributed the events to the Russian GRU.

HermeticWiper | Crippling Systems in Ukraine

On Wednesday, February 23rd, as the physical invasion of Ukraine was underway, researchers discovered that Ukrainian organizations were being targeted with a wiper dubbed HermeticWiper in reference to the digital certificate used to sign the sample.

HermeticWiper appears to be a custom-written application with very few standard library functions. It abuses a legitimate, signed EaseUS Partition Master driver to access physical drives directly and to read partition information.

The malware focuses on corrupting the first 512 bytes of every physical drive, the Master Boot Record (MBR). While that alone should be enough to stop a device from booting again, HermeticWiper goes on to enumerate and corrupt the partitions on every drive it can find. The malware also distinguishes between FAT and NTFS partitions and handles each accordingly to cause the most damage. HermeticWiper eventually initiates a system shutdown, finalizing its destructive effect.
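As an added illustration (this is not SentinelLabs' code, nor anything taken from HermeticWiper), the parser below decodes a 512-byte MBR the way a forensic triage script would and flags the signs that the sector has been overwritten: a missing 0x55AA boot signature, zeroed boot code, invalid partition status bytes, unrecognised partition type bytes. The three sample sectors are constructed inline; on a live Windows host you would read the first sector of \\.\PhysicalDrive0 with administrator rights instead.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
BOOT_SIG_OFFSET = 510            # bytes 510-511 must be 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

# Partition type byte -> filesystem family (a subset of the standard MBR type list).
PART_TYPES = {
    0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x0E: "FAT16",
    0x0B: "FAT32", 0x0C: "FAT32", 0x07: "NTFS", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector as an MBR: signature, boot code state, partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        entries.append({
            "status": status,                      # 0x80 = bootable, 0x00 = inactive
            "type": ptype,
            "fs": PART_TYPES.get(ptype, "empty" if ptype == 0 else "unknown"),
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "signature_ok": sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA",
        "boot_code_zeroed": not any(sector[:PART_TABLE_OFFSET]),
        "partitions": entries,
    }


def assess_mbr(sector: bytes) -> list:
    """Return findings suggesting the MBR was overwritten; an empty list means it looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_zeroed"]:
        findings.append("boot code region is all zeros")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        findings.append("no partition entries")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("invalid partition status byte")
    if any(p["fs"] == "unknown" for p in used):
        findings.append("partition entry with unrecognised type byte")
    return findings


def _entry(status, ptype, lba_start, sectors):
    return struct.pack(ENTRY_FMT, status, b"\x20\x21\x00", ptype, b"\xfe\xff\xff", lba_start, sectors)


# Constructed sample: a healthy MBR with a short boot stub and one bootable NTFS partition.
HEALTHY_MBR = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PART_TABLE_OFFSET - 7)
               + _entry(0x80, 0x07, 2048, 2_000_000) + bytes(16 * 3) + b"\x55\xAA")
# Constructed samples: the same sector after being overwritten with junk, and after being zeroed.
JUNK_MBR = bytes(range(256)) * 2
ZEROED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY_MBR), ("junk", JUNK_MBR), ("zeroed", ZEROED_MBR)):
        print(name, assess_mbr(sector) or "intact")
```

A wiper that only zeroes the first sector trips the signature and boot-code checks; one that writes random data trips the signature, status-byte and type-byte checks instead, which is why the assessment looks at all of them rather than at the signature alone.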

HermeticWiper is a ‘fire-and-forget’ tool. It has neither command-and-control nor self-spreading capabilities. The attackers need to establish access to deploy the wiper. In previous cases, they’ve done so via GPO, establishing a scheduled task to run the wiper as well as decoy ransomware.
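As an added example that is not part of the original post, the check below reviews the TaskContent XML that Windows records in Security event 4698 (a scheduled task was created) and flags tasks whose executable is loaded from a SYSVOL or NETLOGON share or from a world-writable staging directory, or that launch a script interpreter with an encoded command. The four records, the corp.example domain, the task names and the paths are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Locations a scheduled task's executable should rarely come from.
SUSPICIOUS_PATHS = [
    re.compile(r"\\\\[^\\]+\\(sysvol|netlogon)\\", re.I),   # domain shares written by GPO
    re.compile(r"\\(temp|users\\public)\\", re.I),           # world-writable staging directories
]
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
RISKY_ARGS = re.compile(r"-e(nc\w*|\s)|http|downloadstring|\biex\b|\.ps1|\.vbs|\.js\b", re.I)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]           # strip the task-schema namespace


def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for el in root.iter():
        if _local(el.tag) != "Exec":
            continue
        cmd = args = ""
        for child in el:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        yield cmd, args


def review_task(task_name: str, task_xml: str) -> list:
    findings = []
    for cmd, args in exec_actions(task_xml):
        if any(p.search(cmd) for p in SUSPICIOUS_PATHS):
            findings.append(f"{task_name}: runs {cmd} from a suspicious location")
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in INTERPRETERS and RISKY_ARGS.search(args):
            findings.append(f"{task_name}: {exe} with risky arguments {args!r}")
    return findings


def review_events(events) -> dict:
    """events: iterable of (TaskName, TaskContent) pairs as carried by Security event 4698."""
    flagged = {}
    for name, xml in events:
        findings = review_task(name, xml)
        if findings:
            flagged[name] = findings
    return flagged


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _task_xml(command: str, arguments: str = "") -> str:
    return (f'<Task version="1.2" xmlns="{TASK_NS}"><Actions Context="Author"><Exec>'
            f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed 4698-style records; the share name, task names and paths are invented for the example.
EVENTS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     _task_xml(r"%windir%\system32\defrag.exe", "-c -h -k -g")),
    (r"\sysupdate",
     _task_xml(r"\\corp.example\SYSVOL\corp.example\Policies\{policy-guid}\Machine\Scripts\cc.exe")),
    (r"\Updater",
     _task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "-nop -w hidden -enc UwB0AGEAcgB0AA==")),
    (r"\Cleanup", _task_xml(r"C:\Users\Public\svc.exe", "/silent")),
]

if __name__ == "__main__":
    for name, findings in review_events(EVENTS).items():
        print(name, findings)
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that first; a task pushed by Group Policy also shows up as a change to the policy's Preferences XML in SYSVOL, which is worth monitoring in its own right.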

HermeticWiper is far more thorough, better developed, and efficient than WhisperGate, a wiper deployed in Ukraine in January with a very limited distribution. Our assessment at this time treats the two as separate threats likely created by separate developers.

PartyTicket Ransomware

PartyTicket is the name SentinelLabs has given to the decoy ransomware component of the original HermeticWiper attacks. This malware was observed being delivered to targets alongside HermeticWiper and is believed to be used as a distraction while the devices are wiped.

The ransomware is a custom Golang application that disrupts services and distracts defenders. PartyTicket is incredibly noisy, spawning hundreds of ancillary threads, likely resulting in an inadvertent local denial of service. The program’s custom code is full of taunting references to the US government and the Biden administration.

Project folders and function names referring to the Biden Administration

Similar taunts are present in the “ransom note” presented upon launch of the “ransomware”.

Recommendations for CISOs and CIOs

As the situation evolves, the SentinelOne and SentinelLabs teams continue to provide support for those in need by sharing research, recommendations, indicators, and tools to stay on top of the evolving threat landscape. We also offer 90 days of free access to the SentinelOne Singularity platform for businesses in Ukraine.

While threats have been largely contained to Ukraine (with some spillover effects to neighboring countries), escalating geopolitical tensions and sanctions will likely incentivize attacks against Western nations. In line with CISA’s recent advisory, SentinelOne urges organizations to adopt a heightened security posture and to take proactive measures including:

  • Ensure that all networks and endpoints are protected by an advanced security solution that can prevent, detect, and respond to known and novel attacks, as well as roll back devices in the event of an attack.
  • Make sure your SOC and IT teams are up-to-date with the latest threat intelligence around cyber attacks on Ukraine.
  • Monitor government advisories such as CISA’s alerts and Shields Up bulletin.
  • Designate a crisis-response team with updated points of contact for a cybersecurity incident.
  • Verify you have cyber insurance, understand your coverage, and know how to activate incident response services.
  • Run a fire-drill to ensure that everyone understands roles and responsibilities, and what action needs to be taken and when.
  • Plan for a worst-case scenario and ensure a business continuity plan is in place.

Conclusion

While cyberspace has become an integral part of our digital lives, it has also become a key aspect of geopolitical conflicts. As more offensive capabilities are available, they are used by governments for surveillance and disinformation. In the midst of a physical war, cyber has become an indispensable weapon to cripple defense systems, create chaos, and demoralize a population under duress.

SentinelOne’s objective is to keep our customers safe while sharing our expertise with those who are in need. If you are a business in Ukraine or the surrounding area and your devices and networks might be impacted by the current crisis, we are here to help.

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

Finding your hard earned dollars haven’t made their way into your bank account because some pesky cyber thief hacked your payroll provider is the last thing you want to hear on payday, so we welcome the news that an individual arrested for exactly such a crime pleaded guilty in court this week.

Charles Onus, a 34 year old Nigerian national, obtained unauthorized access to over 5,500 user accounts of a payroll services company via credential stuffing attacks. He then changed the bank information the account holder had designated for payroll to that of prepaid debit cards he controlled. Over more than 6 months, Onus managed to steal salaries totalling around $800,000.

While the crimes took place on or around July 2017 to sometime in 2018, the FBI weren’t able to arrest Onus until he decided to fly into the U.S. from Nigeria on April 14 for a two-week vacation in Las Vegas. Unfortunately for him, it was a gamble that didn’t pay off as San Francisco Customs and Border Protection officers were waiting to apprehend him. After this week’s guilty plea to computer fraud, Onus awaits sentencing on May 12, 2022. The charges carry a maximum sentence of 5 years in prison.

The Bad

Network security vendor WatchGuard, along with U.K. and U.S. cybersecurity and law enforcement agencies, this week released an advisory warning that the APT known as Sandworm, a unit of Russia’s GRU military intelligence (the group behind the destructive NotPetya malware), has been seen distributing new botnet malware, dubbed Cyclops Blink.

The botnet targets home and small office network devices like WatchGuard Firebox and infects them with a malicious Linux ELF binary. Once a device is infected, the malware has functionality that includes file upload/download, system information discovery, self-updating and tasking from a C2 or bot master.

Infected devices have their firmware modified, which allows the malware to persist through reboots and even through subsequent legitimate firmware updates. Researchers say that the APT had “clearly reverse engineered the WatchGuard Firebox firmware update process and identified a weakness”. WatchGuard says that only firewall appliances that have been configured to allow unrestricted management access from the internet are at risk.

To detect whether a device is infected with Cyclops Blink, WatchGuard customers need to download the detection tools WatchGuard has published and follow its four-step remediation process. Researchers advise that the weakness in the firmware update process is likely present in other WatchGuard devices, and all users are urged to follow the remediation steps.

The Ugly

When bad things happen in the world at large, you can be sure that anything from cyber crime to cyber warfare will soon follow suit in the digital domain. As this week saw the dawn of the long-anticipated Russian invasion of Ukraine, various cyber actors also unleashed their own unwanted contributions to the melee.

Among those was a campaign to destroy the information systems of a number of Ukrainian organizations with a custom wiper that researchers at SentinelLabs dubbed HermeticWiper.

As the name implies, the highly-destructive malware has but one objective: to render any device it runs on unusable. In this case, the targets are Windows 7 machines, still widely in use in Ukrainian organizations, and easy targets due to multiple known vulnerabilities.

Meanwhile, several reports came in on Thursday of DDoS attacks against both Ukrainian and Russian websites. Ukraine’s Kyiv Post was said to be under attack from the moment Russia launched its military offensive. On the other side of the fence, Russian government sites experiencing attack included the Kremlin (kremlin.ru) and the State Duma (duma.gov.ru). The infamous, nebulous and somewhat chaotic collection of individuals sometimes known as “Anonymous” claimed to have knocked the RT News website offline for an entire six hours.

CISA has warned U.S. companies to be on heightened alert as the conflict unfolds in cyber space, and has released an advisory entitled Shields Up. The advisory notes that:

While there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies.

The advisory also contains a number of useful recommendations regarding how to prepare, detect and respond to cyber intrusions that all defenders are urged to review.

Russia Sanctions May Spark Escalating Cyber Conflict

President Biden joined European leaders this week in enacting economic sanctions against Russia in response to its invasion of Ukraine. The West has promised tougher sanctions are coming, but experts warn these will almost certainly trigger a Russian retaliation against America and its allies, which could escalate into cyber attacks on Western financial institutions and energy infrastructure.

Michael Daniel is a former cybersecurity advisor to the White House during the Obama administration who now heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.

The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPetya event — basically some type of cyber weapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely-used piece of hardware or software.

Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak.

“The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”

What kinds of attacks are experts most concerned about? In part because the Russian economy is so dependent on energy exports, Russia has invested heavily in probing for weaknesses in the cyber systems that support bulk power production and distribution.

Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities targeting power infrastructure. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

Experts warn that Russia could just as easily use its arsenal of sneaky cyber exploits against energy systems that support U.S. and European nations. In 2014, then National Security Agency Director Mike Rogers told lawmakers that hackers had been breaking into U.S. power utilities to probe for weaknesses, and that Russia had been caught planting malware in the same kind of industrial computers used by power utilities.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” Rogers said at the time.

That haunting prophecy is ringing anew as European leaders work on hammering out additional sanctions, which the European Commission president says will restrict the Russian economy’s ability to function by starving it of important technology and access to finance.

A draft of the new penalties obtained by The New York Times would see the European Union ban the export of aircraft and spare parts that are necessary for the maintenance of Russian fleets.

“The bloc will also ban the export of specialized oil-refining technology as well as semiconductors, and it will penalize more banks — although it will stop short of targeting VTB, Russia’s second-largest bank, which is already crippled by American and British sanctions,” The Times wrote.

Dmitri Alperovitch is co-founder and former chief technology officer at the security firm CrowdStrike. Writing for The Economist, Alperovitch said America must tailor its response carefully to avoid initiating a pattern of escalation that could result in a potentially devastating hot war with Russia.

“The proposed combination of sanctions on top Russian banks and implementation of export controls on semiconductors would be likely to severely debilitate the Russian economy,” Alperovitch wrote. “And although many in the West may initially cheer this outcome as righteous punishment for Russia’s blatant violation of Ukrainian sovereignty, these measures will probably trigger significant Russian retaliation against America. That prospect all but guarantees that the conflict will not come to an end with an invasion of Ukraine.”

Faced with a potentially existential threat to its economic well-being — and seeing itself as having nothing more to lose — Russia will have several tools at its disposal with which to respond, he said: One of those will be carrying out cyber-attacks against American and European financial institutions and energy infrastructure.

“Having already exhausted the power of economic sanctions, America and its European allies would have few choices other than to respond to these attacks with offensive cyber-strikes of their own,” Alperovitch wrote. “This pattern of tit-for-tat cyber retaliation could place Russia and the West on a worrying path. It could end with the conflict spilling out of cyberspace and into the realm of a hot conflict. This outcome—a hot conflict between two nuclear powers with extensive cyber capabilities—is one that everyone in the world should be anxious to avoid.”

In May 2021, Russian cybercriminals unleashed a ransomware attack against Colonial Pipeline, a major fuel distributor in the United States. The resulting outage caused fuel shortages and price spikes across the nation. Alperovitch says a retaliation from Russia in response to sanctions could make the Colonial Pipeline attack seem paltry by comparison.

“The colonial pipeline is going to be like child’s play if the Russians truly unleash all their capability,” Alperovitch told CNBC this week.

For example, having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with “wiper” malware that simply overwrites or corrupts data on infected systems.

Kim Zetter, a veteran Wired reporter who now runs her own cybersecurity-focused Substack newsletter, has painstakingly documented two separate wiper attacks launched in the lead-up to the Russian invasion that targeted Ukrainian government and contractor networks, as well as systems in Latvia and Lithuania.

One contractor interviewed by Zetter said the wiper attacks appeared to be extremely targeted, going after organizations that support the Ukrainian government — regardless of where those organizations are physically located.

“The wiper, dubbed HermeticWiper, appears to have been in the works for months but was only released on computers today,” Zetter wrote. “It follows on a previous wiper attack that struck Ukrainian systems in January called WhisperGate. Like that previous infection, HermeticWiper is designed to overwrite files on systems to render them inoperable.”

A joint advisory last week by the FBI, National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian cyber actors have been targeting cleared defense contractors, and that since January 2020 and continuing through this month, the cyber actors had maintained a persistent presence on those contractor networks. The advisory said the attackers exfiltrated email and data, and were able to “acquire sensitive, unclassified information, as well as proprietary and export-controlled technology.”

A report Thursday by NBC News suggested President Biden had been presented with options for massive cyberattacks against Russia, including the disruption of Internet access across Russia, shutting off the power, and stopping trains in their tracks.

But White House National Security Council spokesperson Emily Horne told Reuters the NBC News report was “wildly off base and does not reflect what is actually being discussed in any shape or form.”

That’s good news, according to Jim Lewis, director of the public policy program at the Center for Strategic and International Studies. Lewis said the United States and its allies have far more to lose if the West gets embroiled in an escalation of cyber attacks with Russia over sanctions.

“The asymmetry in pressure points makes the idea of us doing something probably not a good idea,” Lewis told KrebsOnSecurity. “If Putin hasn’t gone completely nuts, he’ll be cautious of doing anything that might be construed under international law as the use of force through cyber means.”

Lewis said a more likely response from Russia would include enlisting cybercriminals throughout Russia and the Commonwealth of Independent States to step up ransomware and other disruptive attacks against high-impact targets in specific industries.

“The pressure points for Putin are his political support — the oligarchs and security services,” Lewis said. “If we want to squeeze him, that’s where we have to squeeze, things like seizing all their real estate in Miami Beach, or putting them on no-fly lists. If you want to hurt Putin, a cyberattack probably wouldn’t do it. Unless it was against his bank account.”

In a call to action issued earlier this week dubbed “Shields Up,” CISA warned that Russia could escalate its destabilizing actions in ways that may impact others outside of Ukraine. CISA also published a new catalog of free public and private sector cybersecurity services.

Report: Missouri Governor’s Office Responsible for Teacher Data Leak

Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 — two years after responsibility for securing the state’s IT systems was centralized within Parson’s own Office of Administration.

Missouri Gov. Mike Parson (R), vowing to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability that exposed teacher SSNs.

In October 2021, St. Louis Post-Dispatch reporter Josh Renaud alerted Missouri education department officials that their website was exposing the Social Security numbers of more than 100,000 primary and secondary teachers in the state. Renaud found teachers’ SSNs were accessible in the HTML source code of some Missouri education department webpages.
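An added example, not part of the original article, of the kind of check the state’s own developers could have run against rendered pages before release: it parses the HTML and scans attribute values, text nodes, script bodies and comments for SSN-shaped values, discarding numbers the SSA never issues, and reports only the last four digits. The page and the numbers are constructed test values.

```python
import re
from html.parser import HTMLParser

# 3-2-4 digit groups, with or without separators, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


class _Collector(HTMLParser):
    """Collect attribute values, text nodes (including <script> bodies) and comments."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._open = []

    def handle_starttag(self, tag, attrs):
        self._open.append(tag)
        for name, value in attrs:
            if value:
                self.chunks.append((f"<{tag} {name}>", value))

    def handle_endtag(self, tag):
        while self._open:                      # pop through unclosed void tags such as <input>
            if self._open.pop() == tag:
                break

    def handle_data(self, data):
        parent = self._open[-1] if self._open else "document"
        self.chunks.append((f"<{parent}> text", data))

    def handle_comment(self, data):
        self.chunks.append(("comment", data))


def find_ssns(html: str) -> list:
    collector = _Collector()
    collector.feed(html)
    collector.close()
    hits = []
    for where, text in collector.chunks:
        for m in SSN_RE.finditer(text):
            if plausible_ssn(*m.groups()):
                hits.append({"where": where,
                             "masked": f"***-**-{m.group(3)}",   # never log the full value
                             "confidence": "high" if "-" in m.group(0) else "medium"})
    return hits


# Constructed page: the numbers are test values, not real SSNs.
SAMPLE_HTML = """<html><body>
<h1>Educator certificate lookup</h1>
<!-- TODO remove debug output: ssn=219-09-9999 -->
<table><tr><td>Jane Doe</td><td>Certified</td></tr></table>
<form><input type="hidden" name="edu_ssn" value="123-45-6789">
<input type="hidden" name="phone" value="573-555-0142"></form>
<script>var rec = {"id": "000123456", "ssn": "078-05-1120"};</script>
<p>Order 987654321 shipped</p>
</body></html>"""

if __name__ == "__main__":
    for hit in find_ssns(SAMPLE_HTML):
        print(hit)
```

The hidden input, the HTML comment and the script literal are exactly the places a value ends up when a page is built from a record that contains more fields than it displays; the phone number and the order number are rejected by the shape and issuance rules. Nine digits without separators still produce false positives, which is why those hits are marked medium confidence.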

After confirming that state IT officials had secured the exposed teacher data, the Post-Dispatch ran a story about their findings. Gov. Parson responded by holding a press conference in which he vowed his administration would seek to prosecute and investigate “the hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”

“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson said in October. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”

Parson tasked the Missouri Highway Patrol to produce a report on their investigation into “the hackers.” On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that Renaud did nothing wrong and only accessed information that was publicly available.

Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was “not an actual network intrusion” and the state database was “misconfigured.” The emails also revealed the proposed message when education department leaders initially prepared to respond in October:

“We are grateful to the member of the media who brought this to the state’s attention,” was the proposed quote attributed to the state’s education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.

“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their own information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”

The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson’s vow to prosecute “the hackers.” Khan’s attorney Elad Gross told the publication his client was not being charged, and that “state officials committed all of the wrongdoing here.”

“They failed to follow basic security procedures for years, failed to protect teachers’ Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem,” Gross told The Post-Dispatch. “We thank the Missouri State Highway Patrol and the Cole County Prosecutor’s Office for their diligent work on a case that never should have been sent to them.”

IRS: Selfies Now Optional, Biometric Data to Be Deleted

The U.S. Internal Revenue Service (IRS) said Monday that taxpayers are no longer required to provide facial scans to create an account online at irs.gov. In lieu of providing biometric data, taxpayers can now opt for a live video interview with ID.me, the privately-held Virginia company that runs the agency’s identity proofing system. The IRS also said any biometric data already shared with ID.me would be permanently deleted over the next few weeks, and any biometric data provided for new signups will be destroyed after an account is created.

“Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data – including facial recognition – will be required if taxpayers choose to authenticate their identity through a virtual interview,” the IRS said in a Feb. 21 statement.

“Taxpayers will still have the option to verify their identity automatically through the use of biometric verification through ID.me’s self-assistance tool if they choose,” the IRS explained. “For taxpayers who select this option, new requirements are in place to ensure images provided by taxpayers are deleted for the account being created. Any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks.”

In addition, the IRS said it planned to roll out Login.gov as an authentication tool for those seeking access to their tax records online. Login.gov is a single sign-on solution already used to access 200 websites run by 28 federal agencies.

“The General Services Administration is currently working with the IRS to achieve the security standards and scale required of Login.Gov, with the goal of moving toward introducing this option after the 2022 filing deadline,” the agency wrote.

The IRS first announced its partnership with ID.me in November, but the press release received little public attention. On Jan. 19, KrebsOnSecurity published the story IRS Will Soon Require Selfies for Online Access, detailing a rocky experience signing up for IRS access via ID.me.

The IRS says it will require ID.me for all logins later this summer.

That story went viral, and the ensuing media coverage forced the IRS to answer questions about why it was incentivizing the collection and storage of biometric data by a private company. On Feb. 7, the IRS announced its intention to transition away from requiring biometric data from taxpayers who wish to access their records at the agency’s website, but it left unanswered the question of what would happen with the facial recognition data already collected by ID.me on behalf of the IRS.

In a letter to the IRS this month, Senate Finance Committee Chairman Ron Wyden (D-Ore.) challenged the Treasury Department and IRS to reconsider the biometric requirements, saying login.gov is perfectly up to the task if given all of the resources and funding it deserves.

“Unfortunately, login.gov has not yet reached its full potential, in part because many agencies have flouted the Congressional mandate that they use it, and because successive Administrations have failed to prioritize digital identity,” Wyden wrote. “The cost of this inaction has been billions of dollars in fraud, which has in turn fueled a black market for stolen personal data, and enabled companies like ID.me to commercialize what should be a core government service.”

The Good, the Bad and the Ugly in Cybersecurity – Week 7

The Good

Good news this week comes by way of Spanish law enforcement, which publicly announced the dismantling of a criminal SIM-swapping organization. Investigations into the operation began in March 2021, following official complaints from locations across Spain.

The arrest of eight individuals follows a year-long investigation by the National Police into fraudulent bank transfers. The group’s MO was somewhat different from traditional SIM swapping. In this case, the group sought to extract private information from targets through emails and text messages spoofing banks. The collected data was then used to create fake identity documentation for the next stage in the scam.

Rather than just convincing a carrier to register a different SIM to the target’s number, the gang used their fake documentation to convince employees of phone stores to provide duplicate SIMs, which then gave them access to banking security messages and allowed them to conduct financial transactions. Adding insult to injury, the victims’ devices would be disabled once the gang’s devices were activated with the duplicate SIMs.

The eight detainees – seven from Barcelona and one from Seville – laundered their ill-gotten gains through bank transfers and online payment platforms. Police say that besides the arrests they have also blocked twelve bank accounts associated with the gang’s activities.

The Bad

This week SentinelLabs published research on an Iranian-aligned threat actor called TunnelVision. The research focuses on the threat actor’s exploitation of VMware Horizon Log4j vulnerabilities. The TunnelVision actor has been observed targeting organizations throughout the Middle East and the United States.

TunnelVision has been actively exploiting the Log4j vulnerability in VMware Horizon to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.

The research takes a look at how this threat actor evolves their attack techniques making use of 1-day vulnerabilities – bugs in software that have recently been patched by vendors but not yet widely updated by organizations. Once the actors gain initial access, they download tunneling software like ngrok, Plink and FRPC (Fast Reverse Proxy Client). The threat actor also aims to avoid detection in its C2 activity by making use of legitimate public services like pastebin, transfer.sh and webhook.site, among others.
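As an added example (not code from the SentinelLabs report), the detector below runs simple indicator matching over constructed log lines for the tradecraft summarised above: PowerShell launched under a VMware Horizon component, the tunnelling tools named (ngrok, Plink, FRPC) and outbound connections to the public services used for C2. The log format, the Horizon parent-process name horizon_web.exe and the sample lines are assumptions made for this example.

```python
"""Indicator matching over constructed process/network log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

TUNNELING_TOOLS = ("ngrok", "plink", "frpc")            # named in the TunnelVision report
C2_SERVICES = ("pastebin.com", "transfer.sh", "webhook.site")
HORIZON_PARENT_HINT = "horizon"  # assumption: substring of the Horizon web component's image path

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<kind>proc|net) (?P<kv>.*)$')


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def parse_kv(text):
    """Parse key=value pairs; values may be double-quoted and contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}


def analyse(lines):
    """Return one Finding per matched rule, in log order; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, f = m.group("ts"), m.group("kind"), parse_kv(m.group("kv"))
        if kind == "proc":
            image, parent, cmd = (f.get(k, "").lower() for k in ("image", "parent", "cmd"))
            base = image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
            # PowerShell spawned by the Horizon web tier: consistent with post-exploitation of Log4j
            if base in ("powershell.exe", "pwsh.exe") and HORIZON_PARENT_HINT in parent:
                findings.append(Finding(ts, "powershell-from-horizon", parent))
            # Tunnelling tool by binary name, or by config/argument when the binary was renamed
            if any(t in base for t in TUNNELING_TOOLS) or any(t in cmd for t in TUNNELING_TOOLS):
                findings.append(Finding(ts, "tunneling-tool", base or cmd))
        elif kind == "net":
            host = f.get("host", "").lower()
            if any(host == s or host.endswith("." + s) for s in C2_SERVICES):
                findings.append(Finding(ts, "public-service-c2", host))
    return findings


def summarise(findings):
    """Count findings per rule, e.g. {'tunneling-tool': 2}."""
    return dict(Counter(x.rule for x in findings))


SAMPLE_LOG = [  # constructed for this example; paths and PIDs are made up
    '2022-02-17T10:01:02Z proc image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'parent="C:\\Program Files\\VMware\\Horizon\\horizon_web.exe" cmd="powershell.exe -nop -c <redacted>"',
    "2022-02-17T10:01:09Z net host=pastebin.com dst_port=443 pid=4412",
    '2022-02-17T10:03:30Z proc image="C:\\Users\\Public\\plink.exe" parent="C:\\Windows\\System32\\cmd.exe" cmd="plink.exe <args redacted>"',
    '2022-02-17T10:04:01Z proc image="C:\\Users\\Public\\svc.exe" parent="C:\\Windows\\System32\\cmd.exe" cmd="svc.exe -c frpc.ini"',
    "2022-02-17T10:04:05Z net host=api.webhook.site dst_port=443 pid=5120",
    "2022-02-17T10:05:00Z net host=www.example.com dst_port=443 pid=2200",
    '2022-02-17T10:06:00Z proc image="C:\\Windows\\System32\\notepad.exe" parent="C:\\Windows\\explorer.exe" cmd="notepad.exe"',
]

if __name__ == "__main__":
    for item in analyse(SAMPLE_LOG):
        print(item.ts, item.rule, item.detail)
```

The fourth sample line shows why matching on the command line matters: the renamed FRPC binary is caught only through its configuration file name.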

While the group’s activity is not new – other vendors have tracked activity similar to TunnelVision under different, sometimes overlapping, threat actor names – SentinelLabs says that the cluster of activity they have observed is distinct enough to warrant unique attribution.

The Ugly

As tensions continue to rise over the Ukrainian crisis, threat activity in the cyber domain has escalated in the last week. Multiple events have occurred including Ukraine technology service disruptions, potential psychological impact-themed efforts and, of course, disinformation.

Multiple Ukrainian bank services and the Ukrainian Ministry of Defense website were temporarily inaccessible due to a DDoS attack this week. Additionally, fake SMS messages have been circulating in Ukraine claiming a large impact to the ATM services across the country. The true objective of these attacks is unclear; however, one theory is that the attackers were attempting to have a psychological impact on the citizens of Ukraine, as well as draw the attention of media outlets around the world.

Disinformation campaigns are also apparent, with the West noting that Russian-controlled media is being seeded with stories of false provocations against Russian interests. Russia’s Foreign Ministry briefed journalists on Monday saying that “Moscow does not rule out provocations against the self-proclaimed republics in Donbass”. Meanwhile, Russia continues to claim that the U.S., in particular, is being deliberately alarmist and using language that only serves to inflame the situation. The Polish Ministry of Foreign Affairs has also been vocal in calling out Russian disinformation on social media.

One thing that no one is in doubt about, however, is that organizations need to be wary of the potential for cyber attacks related to the ongoing situation. CISA released an advisory Wednesday recommending network defenders review the TTPs and IoCs around suspected MBR wiper activity seen targeting Ukrainian organizations. The potential for malicious cyber activity well-beyond that realm, particularly against U.S. targets, should not be underestimated.

Red Cross Hack Linked to Iranian Influence Operation?

A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.

On Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization’s Restoring Family Links services, which works to reconnect people separated by war, violence, migration and other causes.

The same day the ICRC went public with its breach, someone using the nickname “Sheriff” on the English-language cybercrime forum RaidForums advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff’s sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn’t be leaked or sold online.

“Mr. Mardini, your words have been heard,” Sheriff wrote, posting a link to the Twitter profile of ICRC General Director Robert Mardini and urging forum members to tell him to check his email. “Check your email and send a figure you can pay.”

RaidForums member “unindicted” aka Sheriff selling access to the International Red Cross and Red Crescent Movement data. Image: Ke-la.com

In their online statement about the hack (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made.

“In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” the ICRC statement reads.

Asked to comment on Sheriff’s claims, the ICRC issued the following statement:

“Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web.”

Update, 2:00 p.m., ET: The ICRC just published an update to its FAQ on the breach. The ICRC now says the hackers broke in on Nov. 9, 2021, using an unpatched critical vulnerability (CVE-2021-40539). “This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.”

Original story:

The email address that Sheriff used to register at RaidForums — kelvinmiddelkoop@hotmail.com — appears in an affidavit for a search warrant filed by the FBI roughly a year ago. That FBI warrant came on the heels of an investigation published by security firm FireEye, which examined an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States, U.K. and other western audiences.

“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers wrote. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran.”

The FBI says the domains registered by the email address tied to Sheriff’s RaidForums account were used in service of the Liberty Front Press, a network of phony news sites thought to originate from Iran.

According to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at DomainTools.com (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net.

A review of Sheriff’s postings to RaidForums reveals he has used two other nicknames since registering on the forum in December 2021: “Unindicted,” and “threat_actor.” In several posts, Sheriff taunts one FireEye employee by name.

In a Jan. 3, 2022 post, Sheriff says their “team” is seeking licenses for the Cobalt Strike penetration testing tool, and that they’re prepared to pay $3,000 – $4,000 per license. Cobalt Strike is a legitimate security product that is sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses frequently are used in the run-up to ransomware attacks.

“We will buy constantly, make contact,” Sheriff advised. “Do not ask if we still need)) the team is interested in licenses indefinitely.”

On Jan. 4, 2022, Sheriff tells RaidForums that their team is in need of access to a specific data broker platform, and offers to pay as much as $35,000 for that access. Sheriff says they will only accept offers that are guaranteed through the forum’s escrow account.

The demand for escrow in a sales thread is almost universally a sign that someone means business and they are ready to transact on whatever was advertised or requested. That’s because escrow transactions necessarily force the buyer to make a deposit with the forum’s administrators before proceeding on any transaction.

Sheriff appears to have been part of a group on RaidForums that offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data (PDF screenshot from threat intelligence firm KELA). In a “scam report” filed against Sheriff by another RaidForums member on Dec. 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization.

Instead, the claimant maintains, Sheriff only paid them roughly 25 percent. “The company pay $1.35 million ransom and only payment was made of $350k to me, so i ask for $600k to fix this dispute,” the affiliate wrote.

In another post on RaidForums, a user aptly named “FBI Agent” advised other denizens to steer clear of Sheriff’s ransomware affiliate program, noting that transacting with this person could run afoul of sanctions from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) that restrict commerce with people residing in Iran.

“To make it clear, we don’t work with individuals under the OFAC sanctions list, which @Sheriff is under,” the ransomware affiliate program administrator wrote in reply.

RaidForums says Sheriff was referred to the forum by Pompompurin, the same hacker who used a security hole in the FBI’s website last year to blast a phony alert about a cybercrime investigation to state and local authorities. Pompompurin has been quite active on RaidForums for the past few years, frequently posting databases from newly-hacked organizations, and selling access to stolen information.

Reached via Twitter, Pompompurin said they had no idea who might have offered money and information on Sheriff, and that they would never “snitch” on Sheriff.

“I know who he is but I’m not saying anything,” Pompompurin replied.

The information about Sheriff was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. When the person offering the gift asked if it was okay that the money came from a ransomware transaction, I naturally declined the offer.

That person then proceeded to share the information about the connection between Sheriff’s email address and the FBI search warrant, as well as the account’s credentials.

The same identity approached several other security researchers and journalists, one of whom was able to validate that the kelvinmiddelkoop@hotmail.com address actually belonged to Sheriff’s account. Those researchers were likewise offered tainted donations, except the individual offering the donation seemed to use a different story with each person about who they were or why they were offering money. Others contacted by the same anonymous user said they also received unsolicited details about Sheriff.

It seems clear that whoever offered that money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. However, the information they shared checks out, and since there is precious little public reporting on the source of the ICRC intrusion, the potential connection to hacker groups based in Iran seems worth noting.

Simplify Security, Streamline Workflows and Extend Protection with Singularity XDR and Zscaler

Historically, most corporate applications and solutions that store corporate data were protected behind the corporate network. The adoption of cloud applications and the mobile workforce has changed this paradigm dramatically. Whereas once it would have been unthinkable to allow employees to access applications outside of the corporate network, today such applications are accessible virtually anywhere thanks to cloud-native solutions. For this reason, the old perimeter that security professionals would set and protect no longer exists, and perimeter-based security models are obsolete.

Pandemic-Enabled Digital Transformation

The  COVID-19 pandemic has accelerated digital transformation efforts for organizations that need to rapidly stand up infrastructure to support an instant remote and later hybrid workforce. IT teams deployed new solutions to enable business continuity, including cloud infrastructure and Software-as-a-Service (SaaS) platforms like Zoom and Office 365.

Organizations adopted solutions that could scale and deploy without needing access to the physical data center, in some cases deploying applications that were exposed to the open internet. In parallel, many organizations needed to provide endpoints for new remote employees and roll out bring your own device (BYOD) programs. In reality, securing these new operating environments was a secondary concern.

These radical shifts resulted in users accessing applications and data outside of the traditional corporate network. While some organizations tried to scale their on-premises infrastructure to cope, creating a new perimeter around the new compute-where-you-are environment with legacy tooling requires too much effort and is prohibitively expensive.

The modern organization’s attack surfaces now encompass the cloud, containers, mobile devices, IoT, and storage. As attack vectors multiply, many enterprises address each vector with a best-in-class solution to protect those specific vulnerabilities. However, these point tools don’t connect the dots across the entire technology stack. As a result, security data is collected, analyzed, and investigated in isolation, creating gaps in what security teams can see and detect.

In addition, as the number of deployed security solutions grows in the enterprise, the effort required to manage them and respond effectively to their alerts grows with it. Administrators can quickly become overwhelmed by the volume of data produced by multiple systems and a constant stream of security alerts. All of this results in long adversary dwell times, potentially causing material damage to an organization.

Security teams need a new way of working, one that enables productivity for end-users and security for the organization—one that provides frictionless protection from endpoint to network to application.

XDR and Zero Trust as Frameworks for Improving Security for Remote Workers

XDR is the evolution of EDR (Endpoint Detection and Response). While EDR collects and correlates activities across multiple endpoints, XDR broadens the scope of detection beyond endpoints to provide detection, analytics, and response across endpoints, networks, servers, cloud workloads, SIEM, and more.

XDR automatically collects and correlates data across multiple security vectors, facilitating faster threat detection so that security analysts can respond quickly before the scope of the threat broadens. Out-of-the-box integrations and pre-tuned detection mechanisms across multiple different products and platforms help improve productivity, threat detection, and forensics.

Forrester defines Zero Trust as “moving security from a network-oriented, perimeter-based security model to one based on continuous verification of trust.” For organizations, this means rethinking the trust-by-default approach and replacing it with a default-deny posture that only authenticates users to least privilege after assessing multiple sources of risk and context. This approach assumes that attackers are already within the network and ensures that every attempt to access the resources or applications be continuously scrutinized to ensure the request is legitimate.

Fundamentally XDR and Zero Trust solve the same challenge with a different approach and methodology. While Zero Trust is risk-centric and XDR is threat-centric, both involve deep integration of the technology stack to exchange telemetry between solutions and to respond in the face of a changing threat or risk landscape. Both seek to minimize enterprise risk and attack surface while enabling end-user productivity and efficiency.

End-to-End Protection from Endpoint to Cloud

The SentinelOne and Zscaler joint solution delivers end-to-end protection from endpoint to cloud while streamlining SOC workflows.

SentinelOne and Zscaler combine to simplify enterprise security across endpoint, network, and cloud, enabling enhanced end-to-end visibility, automated response, and conditional access.

With integration into SentinelOne’s new data platform, Zscaler logs are ingested into SentinelOne. They can then be queried and faceted, allowing security operations teams to quickly triage and respond to attacks.

This joint solution empowers SOC teams to accelerate response with policy-driven actions that remediate threats automatically in Zscaler before an endpoint compromise results in cloud data exfiltration or other damage.

Analysts can trigger automatic and manual response actions from SentinelOne into Zscaler, such as revoking a user’s access or moving the user into a more restrictive group, automatically limiting an attacker’s ability to infiltrate and launch an attack.

Coordinated user access control via the Zscaler Zero Trust Exchange provides secure conditional access to private and SaaS applications based on Zero Trust principles. Additional Zero Trust integration points include device posture checks by the Zscaler Cloud Connector agent to enable conditional access policies based on whether the SentinelOne agent is installed and running. This approach minimizes the enterprise attack surface with a zero-trust policy for conditional access.

With seamless integration, Zscaler and SentinelOne enable security teams to accelerate investigations and remediate threats without pivoting between consoles. Security Operation Centers can triage, investigate, and remediate threats much more efficiently and with greater confidence.

“Today’s security challenges require defense in depth. SentinelOne and Zscaler are key components in our security stack that help us advance our overall security posture. Together, Singularity XDR and Zscaler automate the triage and investigation functions in the SOC, enabling a small team to respond against threats with speed and accuracy.” — John McLeod, CISO, NOV

Use Case 1: Extended Visibility and Holistic Remediation Between Endpoint and Cloud

This joint solution enables SentinelOne to consume Zscaler logs for expanded visibility and enables security analysts to configure flexible response policies right from the SentinelOne console.

Analysts can quickly and automatically mitigate threats such as limiting user access, quarantining a user, blocking access to one or a group of critical applications, or restricting access to specific applications only with browser isolation.

Here’s how it works:

  • Install the free app from Singularity Marketplace and provide it with Zscaler API credentials.
  • Ingest the Zscaler logs into the SentinelOne Singularity XDR framework.
  • Use default or custom policies to trigger response actions by changing user group membership, for example moving a user into a predefined restrictive or browser-isolated group. This ensures that users are granted access to enterprise applications and data based on the dynamic conditions of threats and user risk, with speed and consistency.

Use Case 2: Zero Trust Conditional Access Based on Endpoint Security Posture

The SentinelOne and Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) integration enables seamless conditional access, ensuring that a trusted identity on a trusted device can directly access authorized corporate applications without exposing the network.

The guiding principles of Zero Trust are to assume that attackers are already in the network, which means never implicitly trusting users or applications before verifying. Assuming that the environment is already compromised, nothing should be trusted until users, devices, and applications demonstrate their trustworthiness.

Zscaler and SentinelOne combine best-in-class Zero Trust access control with unparalleled visibility, AI-powered detection, and automated response across endpoints, applications, and cloud workloads. SentinelOne continuously checks policy and enforces compliance on the endpoint. At the time of access, Zscaler checks whether SentinelOne is installed and running, considers the endpoint’s security posture, and grants access to corporate applications.

Here’s how it works:

  • SentinelOne secures endpoints with enterprise-grade prevention, detection, response, and hunting.
  • Zscaler Client Connector (ZCC) verifies the presence of SentinelOne by using device posture as an additional authorization vector for access control. Zscaler ZIA and ZPA can be configured to allow only compliant endpoints – ones that pass the posture check – to access selected applications.
  • Zscaler admins can specify (for Windows and Mac workstations) that SentinelOne is installed and running for an endpoint to be granted access to critical business applications.
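The policy logic behind both use cases, as an added illustration that is not SentinelOne or Zscaler code: an endpoint detection verdict tightens the affected user’s group (Use Case 1), and every access request is then evaluated default-deny against identity, group and device posture, including whether the agent is installed and running (Use Case 2). The group names, severity levels, the heartbeat age limit and the application table are assumptions made for this example.

```python
"""Toy zero-trust policy engine for the two use cases above (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict


class Decision(Enum):
    ALLOW = "allow"
    ISOLATE = "allow via browser isolation"
    DENY = "deny"


@dataclass
class DevicePosture:
    agent_installed: bool
    agent_running: bool
    last_seen: datetime  # assumed agent heartbeat; stale posture counts as non-compliant


@dataclass
class AccessRequest:
    user: str
    app: str
    identity_verified: bool
    posture: DevicePosture


# Assumed group names, ordered from least to most restrictive
STANDARD, ISOLATED, RESTRICTED = "standard", "browser-isolated", "restricted"
GROUP_RANK = {STANDARD: 0, ISOLATED: 1, RESTRICTED: 2}
SEVERITY_TO_GROUP = {"low": STANDARD, "medium": ISOLATED, "high": RESTRICTED}
MAX_POSTURE_AGE = timedelta(minutes=15)  # assumption
# Assumed application table; an app that is not listed is treated as critical (fail closed)
APP_IS_CRITICAL = {"erp": True, "wiki": False}


def is_compliant(posture: DevicePosture, now: datetime) -> bool:
    """Posture check: agent present, running and recently seen."""
    fresh = now - posture.last_seen <= MAX_POSTURE_AGE
    return posture.agent_installed and posture.agent_running and fresh


class PolicyEngine:
    def __init__(self) -> None:
        self.groups: Dict[str, str] = {}  # user -> group; absent means STANDARD

    def group_of(self, user: str) -> str:
        return self.groups.get(user, STANDARD)

    def on_threat_verdict(self, user: str, severity: str) -> str:
        """Use Case 1: a detection only ever tightens a user's group, never loosens it."""
        proposed = SEVERITY_TO_GROUP.get(severity)
        if proposed is None:
            raise ValueError(f"unknown severity: {severity}")
        if GROUP_RANK[proposed] > GROUP_RANK[self.group_of(user)]:
            self.groups[user] = proposed
        return self.group_of(user)

    def resolve(self, user: str) -> None:
        """An analyst closes the incident: the user returns to the standard group."""
        self.groups.pop(user, None)

    def evaluate(self, req: AccessRequest, now: datetime) -> Decision:
        """Use Case 2: default deny; identity, group and posture must all pass."""
        if not req.identity_verified:
            return Decision.DENY
        group = self.group_of(req.user)
        if group == RESTRICTED:
            return Decision.DENY
        if APP_IS_CRITICAL.get(req.app, True) and not is_compliant(req.posture, now):
            return Decision.DENY
        return Decision.ISOLATE if group == ISOLATED else Decision.ALLOW


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    engine = PolicyEngine()
    good = DevicePosture(True, True, now - timedelta(minutes=1))
    print(engine.evaluate(AccessRequest("alice", "erp", True, good), now))
    engine.on_threat_verdict("alice", "medium")
    print(engine.evaluate(AccessRequest("alice", "erp", True, good), now))
```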

Parting Thoughts

With attack vectors multiplying due to hybrid work models and BYOD programs, enterprises struggle to secure increasing numbers of vulnerable assets inside and outside the traditional network perimeter. SentinelOne and Zscaler help organizations prevent, detect, and respond to threats more quickly and effectively by providing a comprehensive view of threats across the cloud and endpoints.

Together, SentinelOne and Zscaler provide joint customers with increased SOC efficiency, streamlined workflows, and enhanced threat protection across endpoint, cloud, and network.

To learn more, check out the SentinelOne and Zscaler joint solution brief or attend our upcoming webinar.

Solving for X(DR) | Modernizing Security Operations with SentinelOne and Zscaler
Webinar: Thursday, March 3rd at 10:00am PST / 1:00pm EST

Everything You Need To Know Before Buying Scoop Rockers For Your Child

Comfortable kids’ chairs do not need to look traditional – and scoop rockers prove it! If your child is restless and not able to sit at the table long enough, it is worth having a look at these chairs. They are built with children’s active lifestyles in mind – their seats are scooped to provide optimal comfort, like seating on a rocking chair.

If you’re interested in getting scoop rockers for your kids, we’ve got all the information you need to know before buying one.

What are scoop rockers?

Scoop rockers are a fun, unique seating option for kids while reading, playing video games, or watching television. Scoop rockers are chairs that look like a bowl of a giant spoon: they do not have armrests or a base. It’s a phenomenal seating option for small children and kids with special needs.

They are pretty comfortable and offer a different experience than traditional chairs because of their scooped back. It’s kind of an unstable seating for kids, but it has a significant benefit: the risk of your child falling off is almost none because they’re literally inside the bowl. The other benefit? Your kids will love them!

Typically, these chairs are recommended for children ages 3 to 10 years old.

Where can you buy scoop rockers?

Scoop Rockers are available for purchase online through Amazon.

What are some things to consider when buying scoop rockers?

When purchasing scoop rockers for your children, consider the following:

  • The weight limit. Most have a weight limit of 100 to 150 pounds.
  • The size of the chair. Taller kids will need bigger chairs with longer leg spans.
  • The chair’s durability. If you want to ensure that your scoop rocker lasts for more than one child, make sure the material is high quality and durable.
  • The chair’s appearance. Choose a design or color that you know will go with most of your kids’ furniture.
  • Your budget when buying scoop rockers.

Scoop Rockers are available at a wide range of prices. Some are very inexpensive, while others may be more expensive depending on the materials used to make them and their durability.

Are scoop rockers safe?

The Scoop Rockers are non-toxic and made out of BPA- and phthalate-free plastic and are absolutely safe for little ones.

It’s also extremely unlikely that a child or adult would be able to pull off or break one of the scoops; they are designed to withstand up to 150lbs of pressure each. The plastic is sturdy, flexible, and durable. The weight of an adult sitting down won’t cause the scoops to fall off or break under normal circumstances.

How to clean scoop rockers?

Scoop rockers can be cleaned with standard household cleaners, such as mild dish soap and a damp cloth. Most of the scoop rockers are made of plastic and vinyl, making them easy to clean.

How to store scoop rockers?

Scoop rockers are very easy to store. You can stack them or lean them against each other. They are also small enough to fit under the bed or in the closet, which is helpful if you don’t have much room.

Why would I buy scoop rockers?

They look fun! If you’re looking for something new for your children’s bedroom or living area, scoop rockers are a perfect choice. They’re easy to move around (and fun!) and they also come in a wide variety of colors and styles to match any kid’s personality or decor style.

Why scoop rockers?

  • They are comfortable and safe for children of almost any age (from the time they can sit up by themselves and keep good posture on their own to prepubescence).
  • The scoop itself absorbs some of the weight of a child as they sit, making it feel like they’re sitting on a cushion.
  • The design is durable, made from high-quality materials that are extremely unlikely to break or be pulled off under normal circumstances.
  • They are easy to clean (just use mild dish soap and a damp cloth).
  • They’re small enough to fit under the bed or in the closet, allowing you to store them away when guests come over.
  • Kids also love how fun and unique they are!
