Conti’s Ransomware Toll on the Healthcare Industry

Conti — one of the most ruthless and successful Russian ransomware groups — publicly declared during the height of the COVID-19 pandemic that it would refrain from targeting healthcare providers. But new information confirms this pledge was always a lie, and that Conti has launched more than 200 attacks against hospitals and other healthcare facilities since first surfacing in 2018 under its earlier name, “Ryuk.”

On April 13, Microsoft said it executed a legal sneak attack against Zloader, a remote access trojan and malware platform that multiple ransomware groups have used to deploy their malware inside victim networks. More specifically, Microsoft obtained a court order that allowed it to seize 65 domain names that were used to maintain the Zloader botnet.

Microsoft’s civil lawsuit against Zloader names seven “John Does,” essentially seeking information to identify cybercriminals who used Zloader to conduct ransomware attacks. As the company’s complaint notes, some of these John Does were associated with lesser ransomware collectives such as Egregor and Netfilim.

But according to Microsoft and an advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), Zloader had a special relationship with Ryuk/Conti, acting as a preferred distribution platform for deploying Ryuk/Conti ransomware.

Several parties backed Microsoft in its legal efforts against Zloader by filing supporting declarations, including Errol Weiss, a former penetration tester for the U.S. National Security Agency (NSA). Weiss now serves as the chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers.

Weiss said ransomware attacks from Ryuk/Conti have impacted hundreds of healthcare facilities across the United States, including facilities located in 192 cities and 41 states and the District of Columbia.

“The attacks resulted in the temporary or permanent loss of IT systems that support many of the provider delivery functions in modern hospitals resulting in cancelled surgeries and delayed medical care,” Weiss said in a declaration (PDF) with the U.S. District Court for the Northern District of Georgia.

“Hospitals reported revenue losses due to Ryuk infections of nearly $100 million from data I obtained through interviews with hospital staff, public statements, and media articles,” Weiss wrote. “The Ryuk attacks also caused an estimated $500 million in costs to respond to the attacks – costs that include ransomware payments, digital forensic services, security improvements and upgrading impacted systems plus other expenses.”

The figures cited by Weiss appear highly conservative. A single attack by Ryuk/Conti in May 2021 against Ireland’s Health Service Executive, which operates the country’s public health system, resulted in massive disruptions to healthcare in Ireland. In June 2021, the HSE’s director general said the recovery costs for that attack were likely to exceed USD $600 million.

Conti ravaged the healthcare sector throughout 2020, and leaked internal chats from the Conti ransomware group show the gang had access to more than 400 healthcare facilities in the U.S. alone by October 2020.

On Oct. 28, 2020, KrebsOnSecurity broke the news that FBI and DHS officials had seen reliable intelligence indicating the group planned to ransom many of these care facilities simultaneously. Hours after that October 2020 piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

A report in February 2022 from Sophos found Conti orchestrated a cyberattack against a Canadian healthcare provider in late 2021. Security software firm Emsisoft found that at least 68 healthcare providers suffered ransomware attacks last year.

While Conti is just one of many ransomware groups threatening the healthcare industry, it seems likely that ransomware attacks on the healthcare sector are underreported. Perhaps this is because a large percentage of victims are paying a ransom demand to keep their data (and news of their breach) confidential. A survey published in February by email security provider Proofpoint found almost 60 percent of victims hit by ransomware paid their extortionists.

Or perhaps it’s because many crime groups have shifted focus away from deploying ransomware and toward stealing data and demanding payment not to publish the information. Conti shames victims who refuse to pay a ransom by posting their internal data on their darkweb blog.

Since the beginning of 2022, Conti has claimed responsibility for hacking a cancer testing lab, a medical prescription service online, a biomedical testing facility, a pharmaceutical company, and a spinal surgery center.

The Healthcare Information and Management Systems Society recently released its 2021 HIMSS Healthcare Cybersecurity Survey (PDF), which interviewed 167 healthcare cybersecurity professionals and found 67 percent had experienced a “significant security incident” in the past year.

The survey also found that just six percent or less of respondents’ information technology budgets were devoted to cybersecurity, although roughly 60 percent of respondents said their cybersecurity budgets would increase in 2022. Last year, just 79 percent of respondents said they’d fully implemented antivirus or other anti-malware systems; only 43 percent reported they’d fully implemented intrusion detection and prevention technologies.

The FBI says Conti typically gains access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials, and that it weaponizes Microsoft Office documents with embedded PowerShell scripts — initially staging Cobalt Strike via the Office documents and then dropping Emotet onto the network — giving the group the ability to deploy ransomware. The FBI said Conti has been observed inside victim networks between four days and three weeks on average before deploying Conti ransomware.
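The chain the FBI describes starts with an Office document that launches PowerShell, which is one of the few parts of the intrusion that is visible on the endpoint before Cobalt Strike or Emotet ever appear. The following is an added detection example, not code from the original article or from any vendor named on this page. It assumes process-creation telemetry in the shape of Sysmon Event ID 1 exported as one JSON object per line (field names `ParentImage`, `Image`, `CommandLine`, `User`, `Computer` are an assumption about the export format), and the four sample events are constructed for the example, not real telemetry.

```python
"""Flag Office applications that spawn a shell or script host, the first
observable step of the phishing-document chain described in the article.

Assumed input: Sysmon-style process-creation events (EventID 1), one JSON
object per line.  The SAMPLE_EVENTS below are constructed for this example.
"""
import json
from typing import Iterable

# Office applications that should almost never launch a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child processes whose appearance under an Office parent warrants triage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line switches that push a finding from "medium" to "high".
SUSPICIOUS_MARKERS = {
    "encoded command": ("-enc", "-encodedcommand"),
    "hidden window": ("-w hidden", "-windowstyle hidden"),
    "no profile": ("-nop", "-noprofile"),
}

# Constructed sample telemetry: one malicious Word launch, one admin script
# from Explorer (benign), one Excel print-helper (benign), one Excel -> cmd.
SAMPLE_EVENTS = r"""
{"EventID":1,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA==","User":"CORP\\jdoe","Computer":"ws-017"}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\scripts\\backup.ps1","User":"CORP\\admin","Computer":"ws-002"}
{"EventID":1,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"splwow64.exe 12288","User":"CORP\\asmith","Computer":"ws-031"}
{"EventID":1,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c powershell -w hidden -File C:\\Users\\Public\\update.ps1","User":"CORP\\asmith","Computer":"ws-031"}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawned_script_host(event: dict) -> bool:
    """True when an Office parent launches a shell/script-host child."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS


def suspicious_markers(cmdline: str) -> list:
    """List the labels of suspicious switches present on the command line."""
    lowered = " ".join(cmdline.lower().split())   # normalise whitespace
    return [label for label, needles in SUSPICIOUS_MARKERS.items()
            if any(needle in lowered for needle in needles)]


def scan(lines: Iterable[str]) -> list:
    """Run the rule over JSON-per-line events and return the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:          # only process-creation events
            continue
        if not is_office_spawned_script_host(event):
            continue
        markers = suspicious_markers(event.get("CommandLine", ""))
        findings.append({
            "computer": event.get("Computer"),
            "user": event.get("User"),
            "parent": basename(event["ParentImage"]),
            "child": basename(event["Image"]),
            "markers": markers,
            "severity": "high" if markers else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['severity']}] {f['computer']} {f['user']}: "
              f"{f['parent']} -> {f['child']} {f['markers']}")
```

The parent/child pairing is the durable signal: attackers change the command-line switches far more often than they change the fact that the macro runs from inside Word or Excel, so the rule fires on the pairing alone and uses the switches only to raise severity. Expect the `splwow64.exe` case to stay silent, as Excel legitimately spawns that print helper; that is why the child list is an allow-list of script hosts rather than "anything under Office".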

The Good, the Bad and the Ugly in Cybersecurity – Week 16

The Good

It seems like criminal marketplaces are falling like dominoes these days. After last week’s seizure of servers belonging to Hydra market comes this week’s shuttering of RaidForums in a joint law enforcement operation involving the DoJ, Europol and several other national agencies, codenamed ‘Operation Tourniquet’.

RaidForums, an online forum providing criminals with stolen personal data, was unusual in the world of hacking forums for a couple of reasons: It operated on the open internet rather than the darknet, its primary language was English rather than Russian, and, as revealed this week by the DoJ, its principal operator was only 14 when it came into being in 2015.

21-year-old Diogo Santos Coelho of Portugal, aka Omnipotent, was arrested back in January 2022 in the U.K. and is currently awaiting extradition to the U.S. Two other individuals have also been arrested in connection with operating the site, and the domains raidforums.com, Rf.ws, and Raid.Lol have been seized.

Since its launch seven years ago as a site for coordinating online harassment and swatting (hence the name), RaidForums has sold access to more than 10 billion consumer records stolen in some of the world’s most significant data breaches.

While marketplace takedowns may not solve the cybersecurity problem alone, coordinated law enforcement action like Operation Tourniquet and others we’ve reported on in recent months makes it harder for cybercriminals to operate, sell, buy and exchange stolen data, and increases the cost of doing business for those behind cyberattacks. It also shows that law enforcement can work globally to reduce the impact of cybercrime.

The Bad

At the end of March, we learned that $620 million in cryptocurrency had been stolen from Axie Infinity’s Ronin bridge, making it the largest crypto hack in history. Ronin, an Ethereum sidechain built for the popular play-to-earn nonfungible token game Axie Infinity, confirmed the breach.

While most of the stolen funds are still in the attacker’s wallet, this week the FBI attributed the breach to the North Korea-based Lazarus Group.


In response to the hack, Sky Mavis, the developer behind Axie Infinity and Ronin, was forced to temporarily suspend the Ronin blockchain, preventing anyone from exchanging funds. Mavis pledged to reimburse player losses and has managed to raise $150M in an investment round led by Binance.

The Lazarus group has operated since 2009 and is responsible for some of the most notorious cyberattacks in history, including the Sony breach and WannaCry. They added stealing cryptocurrency to their bow in 2017. At the end of 2019, SentinelLabs connected the Lazarus and TrickBot groups, showing how the DPRK is extending to collaborate with cybercrime groups and take over funds to support their government.

The Ugly

The real-world impact of cybercrime and ransomware is mostly seen through the lens of financial implications, but as we’ve noted before there are other costs, including brand reputation, customer trust, and even stock price. Unfortunately, some businesses are unable to recover and pay the ultimate cost. This week we learned of yet another organization that could not survive after a crippling cyberattack.

After 157 years in operation, Lincoln College in Illinois is closing its doors after a run of financial setbacks in the wake of the COVID-19 pandemic that were further compounded by a ransomware attack last December.

The attack directly impacted the college’s ability to raise funds from admission activities, caused a complete loss of access to all institutional data and resulted in denial of service for systems related to recruitment, retention and fundraising.

The institution, which saw record-breaking enrollment during 2019 but then suffered heavily as the pandemic bit into its financial activities, had put into place a recovery plan that was upended by December’s cyberattack.

Sadly, despite having survived the economic crises of 1887 and 2008, a campus fire in 1912, the Spanish flu in 1918, the Great Depression, and two World Wars, cybercriminals have ensured this venerable institution will not outlive the COVID-19 pandemic. David Gerlach, president of Lincoln College, said “The loss of history, careers, and a community of students and alumni is immense.”

Building the Revenue Organization for Hyperscale and IPO

Listen to Mark Parrinello, Chief Sales Officer at SentinelOne, talk about how he prepared for SentinelOne’s stunning 2021 IPO and the hypergrowth trajectory that the company is on in this edition of the Sales Bluebird podcast.

Mark stresses the importance of keeping a candid culture so that your team buys into company concepts, perseveres through constant changes, and keeps an entrepreneurial spirit as you continue to grow and stretch your team.

Mark discusses how to simplify the process of preparing for IPO and hypergrowth through creating a proper sales process and operations roadmap that has actionable goals with realistic timelines. Sometimes, we can be hasty and want things done as soon as possible but building those plans in bite-sized chunks is so much more effective.

When it comes to the IPO, Mark explains that it’s important not only to focus on your strengths and weaknesses throughout but also to enjoy the process. Enjoy the learning opportunities and take a minute to step back and remember what you’ve accomplished and how far you’ve come.

Tune in to learn more about Mark’s unique journey, his career learnings and insights for success.

Mark Parrinello, CSO at SentinelOne, building the revenue organization for hyperscale and IPO: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Andrew Monaghan:
Welcome to Episode 115 of the Sales Bluebird podcast, which exists because at B2B startups it’s hard to get go-to-market fit, grow revenue and scale the business and the sales team. Sales we were provides tips, tricks, experiences, examples, inspiration, and ideas from people who’ve been doing this for many years and at many different companies. I am your host, Andrew Monaghan, and our guest today is Mark Parrinello, the CSO at SentinelOne. Mark, welcome to the podcast.

Mark Parrinello:
Thanks, Andrew. Good. Good to be here. Thanks for having me excited about the next 35 minutes or so.

Andrew Monaghan:
Yeah, you know, I’m looking forward to it as well. I think there’s a great story about what’s been happening with SentinelOne and your leadership of this sales organization over there. So I’m looking forward to seeing where this goes. Before we get into it, I do want to ask the listeners for the first time, I’m now taking sponsors for the podcast. If you want to reach a bunch of sellers and sales leaders, mostly in the cybersecurity world, with whatever messages or sponsorship messages that you have, the trick to do is go to sales. Bloomberg.com and at the top menu, there’s an option there for sponsors. Just let me know what you’re looking for and we can have a conversation and figure out something that is right for you. I’ve got some special early adopter pricings. We’re just kicking this off in terms of taking sponsors. So if that is attractive to you, I might want to go there soon and see if we can get you lined up early on. Mark, back to you. So I’ve got six questions to get to know the real Mark. These are not up for debate. They’re not either ors and maybes. And perhaps as in it depends. It’s a simple pick one and let’s get through it a few second maximum answers. Are you ready?

Mark Parrinello:
Yeah, I’m ready.

Andrew Monaghan:
First one dive bar or cocktail bar?

Mark Parrinello:
Dive bar.

Andrew Monaghan:
Suite of the Four Seasons or Cabin in the Woods.

Mark Parrinello:
Suite at the Four Seasons.

Andrew Monaghan:
Tricked out Jeep or German car with all the gadgets.

Mark Parrinello:
Both.

Andrew Monaghan:
Kind of both.

Mark Parrinello:
All right. I’ll go with the German car. With the gadgets. Although the gadgets start to confuse me. If there’s too many of them.

Andrew Monaghan:
Yeah, and they start failing. Feature mountains.

Mark Parrinello:
Beach.

Andrew Monaghan:
They say home is where the heart is. Where is home for you?

Mark Parrinello:
Los Gatos, California. And for those of you that may or may not know, Los Gatos is about it’s right next to San Jose in the Bay Area and it’s about 40 miles south of San Francisco.

Andrew Monaghan:
And how did you first make money as a kid?

Mark Parrinello:
My first job. I was in fifth grade and I sold newspapers. I did newspaper routes in the morning. I’d wake up at 430 and run across the street and bundle them all up, take them and deliver them, and then go collect throughout the day. That’s a lost art now, but that’s what I did. Back then, I was, I think, 11 years old.

Andrew Monaghan:
There’s probably people listening to this going. People delivered newspapers.

Mark Parrinello:
Yeah, there are a lot of millennials who have no idea about that concept. Right.

Andrew Monaghan:
But so many people growing up, I remember I grew up in Scotland. My cousins did that, you know, up early. You have to get up super early, get to the store, get.

Mark Parrinello:
Very early.

Andrew Monaghan:
Get out there. Right. Rain or shine.

Mark Parrinello:
For 11 year old.

Andrew Monaghan:
Yeah. No kidding. No kidding. And Los Gatos, is that where you grew up or is that just where you’ve been for a while?

Mark Parrinello:
No, no. I was born in Detroit, and pretty much raised in Phoenix, Arizona. I made my way to the Bay Area and the early nineties and I’ve been here 25, 26 years now, something like that. So I’m a West Coaster.

Andrew Monaghan:
So it feels like home now, right?

Mark Parrinello:
Yeah.

Andrew Monaghan:
And you went from the cold and the I don’t know what the right word is. Detroit, let’s say stereotypical Detroit to Arizona, which is hot for most of the year.

Mark Parrinello:
Yeah, in the mid-seventies, which is when we moved from Detroit to Phoenix, a lot of people from Detroit, New York, New Jersey, Chicago were moving out of the cold and into either Florida, Houston or Phoenix. So so I got Midwestern roots. People that always meet me and know me, think I’m an East Coaster. That’s probably because I got that little Detroit edge to me. But I am a West Coaster. I’ve been out in the West Coast other than the stint in Texas for most of my life now.

Andrew Monaghan:
And was your dad in the car industry?

Mark Parrinello:
No, no. He likes cars, but he wasn’t in the car industry.

Andrew Monaghan:
It’s usually the thing in Detroit. Area rates is such a.

Mark Parrinello:
It is. All right.

Andrew Monaghan:
Yeah. Yeah. Well, let’s go to your LinkedIn history here, Mark, and let me see if I can just quickly pull out a few things from this to to run by you. So what I see is someone who has been in this world of enterprise sales since the mid-nineties, you start off, these are all big names, well-known names, blue-chip vendors to work for in my eyes. Good Dell Platinum see NetApp nimble cohesive T and then SentinelOne. There’s a rich, rich vein of really successful companies in there. I’m wondering which ones perhaps were the most formative stays for you?

Mark Parrinello:
I’d say two one, which you didn’t list on there because it’s before the Dell, which, by the way, was the EMC, the EMC days, and that’s Lanier. My first sales job was selling copiers, and that is the hardest job in the world. And it was the hardest thing I’d ever done. I learned raw selling skills and went door to door, literally door to door and cold, calling on phones, door to door in San Francisco. That was this formative is anything I’d ever done. And so it’s not listed on what you just talked about. And then I think if I had to choose, I got into leadership some time at Platinum. But NetApp was a was a really amazing experience for me because I really, truly I was always a culture guy and I was always working hard at teams and collaboration and team building and promoting and career path team. But I think NetApp was an inflection point for me where I learned what cultures could look like long term. So I’d say that NetApp was big and I could go on about that. But NetApp was a big inflection point for me in my leadership days.

Andrew Monaghan:
And were you there when Tom Mendoza was there?

Mark Parrinello:
Yes. Yeah, yeah. I’m a great leader, a great motivator, a great speaker and a passionate leader.

Andrew Monaghan:
Yeah, I heard him on a podcast recently and I was very a very impressive person in all sorts.

Mark Parrinello:
He’s great. He’s a he’s an impressive person. He’s a great human being, is a mentor. He’s a friend.

Andrew Monaghan:
Well, let me take you back, Mark. June 30th, 2021, a big day all around the day of the One IPO last year under the ticker symbol SE. Looking at the stats out there and you can correct me if I’ve got any of this wrong, but on the first day the stock closed up about 2020 1%. It gave the company a $10 billion valuation, which at the time and maybe still be the case, was the biggest cybersecurity IPO at the time. And I saw the pictures and you were on stage there helping to ring the bell, is that right?

Mark Parrinello:
I was, yeah. It was a great experience. You know, I’d I’d been a part of public companies and startups, but this was my first time in the New York Stock Exchange ringing a bell. So it was a fun experience, a good experience. But I think, you know, the larger discussions are around leading up to that, which we’ll get into, obviously. And what does it look like after that? Those are kind of the more important pieces for sure.

Andrew Monaghan:
Yeah, it’s good to have everything in light and have that experience, I guess, but it doesn’t all happen by accident, right? When you joined SentinelOne in February 2020, interesting time to join a company, I would imagine.

Mark Parrinello:
Yes, I joined a company and I think at the time I had in my sales organization, which is sales ops, all things revenue, operations channels and all that, I think it was about 120 people when I joined and the pandemic, I went off to a kick-off in Tel Aviv and then the pandemic hit. So the first year I had to lead an organization and build relationships and make changes and tweaks and build for scale in my house like the rest of the world. But it was a little challenging and different because of the pandemic. I could go on about that for a long time. I think the main lessons learned were for me, I had to evolve as a leader because I’m a field guy. And so I. The way I lead and build relationships and inspect as I get into the business and I earn the right to inspect by being in the field. And I couldn’t do that. And so I had to work on different skill sets, frankly, kind of like if you follow basketball, a player that comes the league who’s really fast and agile and can jump over everyone over time has to develop post-up skills and different things as they start to slow down. So I had to develop all those skills, frankly, in other things I had to work on to build the relationships and do it differently than I’d ever done it before. It worked out. It happens that I joined a company that was growing and technology is great. And so we were they were doing well before I got here. And we really took off in this pandemic because work from home, work from anywhere that concept and protecting endpoints, laptops, desktops, I think accelerated more than ever in this pandemic world that we lived in. So it worked out fine. But it was it was an interesting time.

Andrew Monaghan:
One of the things I did in the lead up to this interview, Mark, is I went out to some other of your peers, CROs in cybersecurity, and said, what questions do you have for Mark about the lead up to the IPO? Chris Smith, the CRO at Aqua, had a really interesting question. We know what it’s like to take over an underperforming team, but that’s not what it seems like. Mark had done a sensitive one. You know, Nick Warner was running a whole bunch part of the business and he kind of went up and brought someone in you to take over as a proper CRO. So the question was how do you get your design prints on a successful team knowing there are probably some things you want to make but you don’t want to break the momentum or you don’t want to do anything to screw things up as you improve things.

Mark Parrinello:
Yeah. It’s a really interesting question because you’re right, this business was doing very well when I got here. So it wasn’t a rebuild. It’s always a tweak. There are always things to work on. I think fundamentally if you were to ask Nick about this, there’s kind of two things at play. There are so many other aspects of the business that he had to go work on, so he needed someone he could hand over the keys to the car, so to speak. And he did that. And I was I had some trepidation about that, frankly, because I know how I am as a sales leader. And I wasn’t sure if Nick would be able to do that. He did it, and I thank him for it. It was an amazing turnover, frankly. And he trust in the business in me, and it’s worked flawlessly. I think he would also say what he needed was someone to take it to another level in terms of building the process, the infrastructure for proper scale through hyper-growth mode, and into an IPO. And so that’s presumably the next place you’re going to go is one of the things you put in place for IPO. But I think Nick was a student enough to know he wanted to hire someone who knew what a post IPO sales organization need to look like, and he had other things he had to work on. So he went and found something like me to do that.

Andrew Monaghan:
So what were the things that you had to start working on to get the right foundations that might not be in place already?

Mark Parrinello:
Well, you know, first and foremost, I’m not sure I came here knowing we would go IPO or I think even thinking we’d go IPO. I mean, how many companies go IPO? Oh, really? What percentage is that? Tiny, right. I mean, everyone talks about IPO and that’s always what you want to do. But how many do is a different discussion? I’m not sure I ever knew or thought we would. And the reason I point that out is. When I was at I pointed to a company you mentioned in the past called Nimble when I went there, I think when I got there to run the Americas, they were four or five, six months IPO. So I knew what that world looked like in a post world IPO sales organization A and B, Nimble was an operational machine. So I learned a lot about data dashboards, metrics, and process tools for scale. And so I think what I’m trying to articulate to you is I didn’t put things in place for IPO. I put things in place to build a machine, a machine of a sales organization that could scale, whether it’s the IPO or something else. Right. So when I say a machine, I mean that in the early days of a startup through the first couple of three years, whether you’re getting to 10 million and then 50 million and 100 million, it’s running and gunning and spraying and praying and just chaos.

Mark Parrinello:
And we were doing that. But at some point, you have to move from sporadic closing selling forecasting to building that machine that built-in velocity play with routes to market, a truly effective business model, a forecasting methodology with a framework, a framework in place that you can enable everyone on that framework. Therefore, you can have a repeatable sales process and sales cycles where the sum of 1000 deals can equal a reliable booking forecast. So I set out to build that machine. And that infrastructure sales approach is styles and methodologies that can be taught repeatable and well oiled. By the way, a well-oiled enablement program. Sales leaders like myself sometimes take the enablement programs for granted. I would argue one of the things we have to do early in the process is build out enablement, right, and make that a well-oiled machine. So enablement, revenue operations, sales structure and process tools for scale, these are all the things that I think that I was brought in to do and we did. And then because we built these things, we kept going through hyperscale mode. And when the IPO came, it wasn’t like, Oh, what do we build for? Ipo is like, Oh yeah, we’ve built all this stuff. We’re going now.

Andrew Monaghan:
What were some of those things starting to get in the way or or not having those things were getting in the way and it was pretty important to get them done quickly. Or was it just you got ahead of time to put the right structures in place and the right processes?

Mark Parrinello:
Yeah, I’ll say it this way. I’m someone who wants everything done yesterday. I’m a bigger busy guy, as I’m sure most of the listeners would call themselves on this podcast. But five, seven, eight years ago I would have tried to do all of that stuff in my first six months. The Pandemic. Here’s the interesting thing about the pandemic. It slowed me down. I got here and all of a sudden it’s like, Hey, don’t spend because we’re not sure what the hell is going to happen. So what it allowed me to do is indirectly was slow down and sort of map out first quarter of some organizational shifts. Second quarter is enablement, third quarter is channel changes or tweaks or growth by fourth quarter is revenue, operations, functions and process and so forth. So does that make sense? So all of these things added up. We changed a lot in the sales organization, but I did it in bite sized chunks because the pandemic forced us to have to do it that way. It actually worked out to my advantage because I was the new person and I may have come in and try to do all that too much, too soon, and it might have been too much to throw at the field. But because I was doing it in bite sized chunks, I was bringing the sales force along with me, A and B, more importantly, building relationships with the customers and the partners and my organization along the way to build trust. So they understood and trust of what I was going to do was going to make us more successful.

Andrew Monaghan:
So it allowed you to build a proper roadmap as opposed to just saying everything’s ASAP. All right.

Mark Parrinello:
That’s right. And I’m just being very frank, I’m not sure I would have done it as properly in a succinct if there wasn’t a pandemic. I might have just tried to do all of it in six, or seven months.

Andrew Monaghan:
Yeah. Yeah. So at what point then after you joined, did it become the obvious next step then to say, look, we’re going to get ready for IPO, we’re in that year and in three or four months, did it start becoming real?

Mark Parrinello:
You know, I think I’ve been here about seven or eight months. Clearly, we’d had a couple, three quarters under our belts where we were doing well. Despite the pandemic and the trepidation, everyone sort of adjusted to this new world. The market was hot, security was hot, and the CEO made a decision, we’re going and we frankly weren’t ready. I’m not saying that necessarily and sales weren’t ready. I don’t think as an organization we were ready. But the CEO had a vision of the market. Dynamics are such we better go now because you never know what the hell is going to happen. Right? Turned out to be proven true. So so I think seven months in and I was already putting the pieces in place for foundational for that scale. So I didn’t have to change anything. I was doing the company, I had to make a lot of changes and it was a race to the finish. We pulled it off. The one thing I’ve learned through the process is I was really, really fearful the company was not ready for an IPO. But now that I went through it, I realized I’m not sure any company out there pick the most successful ones. I’m not sure any of them are ever quite ready. They do what they do, and it’s the proverbial duck on a pond, right? The duck swims and looks smooth and underneath, you know, they’re pedaling like crazy. I think that’s probably 95% of the people that go IPO. That was us. And I think it’s probably everyone else too.

Andrew Monaghan:
I think also as well, if you say let’s take three years to get ready, you’ll take three years to get ready. That’s right. If someone says we’ve got three months to get ready, you’ll be ready in three months. Right?

Mark Parrinello:
Andrew, It’s a great point. And that’s a CEO’s job, a visionary to say, you know, I understand your trepidation, folks. I understand your concerns. We’re going to go because the macroeconomics are such so let’s do the best we can. And we did. And, you know, the one thing I learned through that process, too, is it’s not like you build everything and then your IPO and you’re done some stuff you’re still not quite ready for when you’re building after the fact, too. And we’re still doing that always.

Andrew Monaghan:
Right. Yeah. Another question I got was from Bryant Gumbel, who’s the CRO at Arms and Arms are, I think, pretty public on the idea that they’re marching towards an IPO at some point. Bryant’s question was leading up to the IPO. How did you how did the company decide what growth rate you were going to tell the street that you would hit, knowing, of course, that if you didn’t hit it, the stock would tank. So there’s a balance there, right? You’re going to be aggressive, but not too aggressive.

Mark Parrinello:
So I think, you know, the obvious statement is you always build in a strategy that allows you to beat and raise. And I think I’m stating the obvious there because I think everyone knows that. And frankly, the markets know it, too. If you didn’t beat and raise two quarters in, you probably have a big problem with the stock, right? I will tell you, it’s a great question. I will tell you that the people, the bankers and the investors that bring you out are well experienced in this. They help you with that. They sit down, they go through the books with you, they understand the forecast, and then they help build a plan for you, too. That’s something that I was not aware of, how involved they are in the process, but they are. So they’ll help in that process. I think the larger point that as a CRO you need to solve is that forecast, that methodology, that repeatable process that I mentioned earlier better be in place, you know. So I think those are the things that the CRO needs to focus on, is how do you build that velocity play, what are your routes to market? Is that tightened up? Do you have the proper dashboards and metrics to manage against? Do you have a forecast methodology? By the way, I’m a big believer in this and I’ve now used it three times in a row. I’ve got a product that I buy that is an AI tool that sits on top of Salesforce. I never look at Salesforce for forecasting. I’ve got a tool that sits on top. I’m a big believer. You go out and you buy a tool like that ahead of time. It’s not the end all be all. The tool’s not going to tell you what to forecast, but it’s a barometer. It’s another thing to measure science against your art. There’s a little bit of science and art that we all know goes into forecasting. So these types of things you have to put in place, then the bankers will help you with some of the other stuff.

Andrew Monaghan:
So they’re coming back to you saying, well, let me. So growth is a thing, right? You know, profits are a distant second. It seems like growth is what gets valued.

Mark Parrinello:
And so it’s not market change their mind and they want profits but yes. Yeah, right yeah yeah.

Andrew Monaghan:
Growth is what’s valued until it’s not. And in any sense, SentinelOne was on a tear, right? So it’s not like you were thinking, do we go with 30% growth, right? Or 35? Your S-1 looked like, you know, 100% year over year growth, things like that were in there. Right. So you were on a tear anyway. But then I.

Mark Parrinello:
Guess on that point there, I want to hit on that point, and I’m remembering and reflecting back now that we were looking at what our peers have done around the Rule of 40. When you go public, have you got the Rule of 40? Then the market’s going to love you and they’re going to give you, you know, they’re going to buy in, all those things. Right. Well, hold on a sec.

Andrew Monaghan:
Rule of 40, what does that mean?

Mark Parrinello:
It’s pretty specific, but the Rule of 40 is a rule of thumb that measures your profitability and your growth and compares them. And so all these other companies that had gone out that we were comparing ourselves to, and you could name the companies as well, we wanted to be put in that category. These companies that had $150, $200 stocks, all of those folks, when they went out, they were somewhere around 70, 80 to 100% growth. So we decided that we needed to talk about 100% growth. So I will tell you that then we built a playbook for the following year that said, you know, what is the hiring we need? What’s the plan? We need to sustain 100% growth year over year. And so that’s part of what went into our methodology.

Andrew Monaghan:
That’s where I was going with that, right? I mean, if you’ve got the foundation, you’ve got the model starting to crank, then the question is, well, how do we move the levers so that we hit the growth numbers that you want as opposed to sitting there going, I don’t know, I guess we’ll throw some bodies at it. Right, which I’m not saying people do. Yes, you know.

Mark Parrinello:
That can be.

Andrew Monaghan:
Correct. Yeah. So having the foundation is what allows you to then work with the bankers and with the CFO, CEO to get the right execution happening beforehand. Sounds like that’s right.

Mark Parrinello:
And having the vision of what you want to look like, you’ve got all these if you’ve got six or seven companies that are like-minded and you’ve had they’ve had successful IPOs, then do you want to look similar? Well, how did they go out? What did they look like? What was their rule of 40? What was their growth? And then you build a plan around that.

Andrew Monaghan:
Another question from John Mahle. He’s a CRO at cyber Greeks. How do you maintain focus in the team? I mean, people within the company start knowing, either officially or they hear and see things, and you can get, I guess, people get distracted, right? There’s excitement around it. How do you keep their interest in doing their job?

Mark Parrinello:
Yeah, that’s as important of a question as any you could ask, especially if you’re running a sales organization and there’s no right or wrong way here. I can tell you some things that we did that I did, but every culture is different, but it’s such an important piece, I will tell you that. I messaged a lot over and over and over because the world and I hit on this earlier, the world of a pre IPO is going to look so much different than the world of post IPO and the culture is going to shift a little, you know, the days of the sales rep calling up the controller and getting this deal approved a book because he bought her a bottle of wine two quarters ago. That doesn’t work in a post IPO world. Right. So that spraying and praying and running gun that I’m mentioning ham calls sewn up I’m getting something done and winging it just does not work. And so the world feels different to the startup people, the sales reps who are running on I’m selling. Why are you trying to prohibit me? Why are you putting this process in place? Why do you need this from me? Right. So what I think to keep the culture is so important to do is message over and over and over.

Mark Parrinello:
And one of the things I would do in every all-hands is I talked about the what and the why and the when. Here’s what we’re doing. Here’s what it means to you. Here’s why we’re doing it. Here’s what it means in the change in the process. We’re moving your cheese because of this, right when we’re doing it. As best as I can tell you is this time frame, because ultimately in the IPO, it means this and the end result will mean this for all of us. Right? The what and the why and the when. And I messaged it and I gave examples over and over and over. And I’m telling you, every two months I talk about keeping the culture and persevering through these changes. And knock on wood, it worked for us so far. We’ve kept that entrepreneurial spirit in place. We haven’t lost hardly any of our four and five and six-year veterans who were here when it was nothing. And they’re still here and we’re big now because they bought into the concepts. So I just it’s a really, really important question and I’m not telling you what I did or I’m telling you about is what everyone should do. I’m just telling you why I did it and it works for us.

Andrew Monaghan:
So if I was a seller, would I be able to be in connecting my million dollar deal to saying, you know, this is the increase in value of the company or something. Here’s why this is so important. Therefore, I can’t be distracted. I can’t be distracted. Would they get then to that level?

Mark Parrinello:
I think if you’re a seller in Chicago and your territory is, you’re going from, I used to have the Midwest, and now I have Chicago and you’re putting three more reps in, you’re segmenting out health care and SLED. And I don’t like it because you’re shrinking my ability to sell. The discussion is around: if you’re with a company where you’re not carving up territories, you’re at the wrong company. That means they’re not growing. So just socializing what that means to them and what it can mean to them monetarily, and ultimately what it means is at 100% growth in a post IPO world, then we can be a $10 billion company and the stock will be 40 or 50 bucks. And what does that mean to your pocketbook? Sort of taking what’s happening to them in the field, right, and articulating what we need to do as a company and then what it means to the long term. That’s what I’m referring to.

Andrew Monaghan:
No, I like that a lot, actually. It happens. It does happen. Right. I mean, if someone takes something away from you, supposedly there’s an emotional reaction to it. Right. And you do.

Mark Parrinello:
Understand.

Andrew Monaghan:
This is good, right? It’d be really, really bad if we weren’t taking stuff away from you.

Mark Parrinello:
That’s why I call it moving my cheese, right? Saying I woke up and my cheese got moved again. You know, Aaron, my cheese keeps getting moved every year, but now as we’ve marched towards an IPO, Mark, you’re moving my cheese every month. I’ve got a new operations person to talk to. We get this new process. It’s like, yes, but here’s why we’re doing it. And you could expect more of this. You’ve got to adapt.

Andrew Monaghan:
I’m just interested how your CEO kept the focus on the big why, what SentinelOne is trying to achieve in cybersecurity as the big why, versus the why being we’re going to IPO in six months or a year, whatever, and becoming very financial and things like that. Was that something that you talked about as an exec team?

Mark Parrinello:
We did. And I think I think the CEO’s perspective was security was and is still so very hot that the macroeconomics were such that we go out. So we did talk about it. There was a lot of things that went into why we were going out and security was a part of that. But not the only reason. Part of it was macroeconomics.

Andrew Monaghan:
Question for again from John Mahle from Cyber Ex, how did customers respond?

Mark Parrinello:
You know, I think customers are really excited because they’re part of the process. They take a leap of faith by buying you and they watch you grow up and they coach you along the way and tell you what you need to improve in. And they attend your customer advisory boards and they always give feedback and they feel a connection to you. And then they hear you going out and they’re really excited for you. I think on a whole that’s what our customer’s feedback was. Now the flip side is just like I talked about messaging with internally who’s moving my cheese and why you got to do it with the customers too, because the customers are concerned. They know full well in a post IPO world, you’ve got a different boss now and the boss is the markets and the shareholder value. And so they do worry about are you going to go try and buy other companies? Are you going to lose sight of the products that got you here? And so I think having a lot of conversations with them about that, getting their feedback, talking about what our plans are. And as I mentioned a minute ago, customer advisory boards to invite them in and hear them out is half the battle. Let them be heard. Let them talk to you about their concerns, address those concerns. But it was mostly excitement, but there was some trepidation from customers as well. You have to address that head on.

Andrew Monaghan:
Yeah. I would imagine, though, that an IPO is a pretty attractive thing compared to be acquired by a big company and then who knows what, right?

Mark Parrinello:
Yeah, I think that’s a great point, Andrew, in that most companies, are most customers are more excited about your IPO because they know you’re going to keep that culture intact that they like and buy into versus some big behemoth buying them. Now they’re not sure what’s going to happen.

Andrew Monaghan:
The roadmap yeah, roadmap is up in the air.

Mark Parrinello:
I think 95% positive from customers. Just a little trepidation around what will you become.

Andrew Monaghan:
When you think back about where you spent your time before the IPO and after the IPO? Was there any big change in there just because the nature of what was happening or is it just going down the same path, down on the same march?

Mark Parrinello:
It’s probably not the answer you’re looking for, but my job has not changed that much. And I think it’s because, going back to my earlier comments, I was obsessed with building the infrastructure, the foundation for a hypergrowth company. I think when I got here, the ARR was 55 to 60 million and we just hit 300-ish. So I was fixated on building that either way, IPO or not. So nothing really changed. The pressures change. I’m going to state the obvious. Everyone, I liken it to going out in your front yard during the pandemic. We were all working at home and, you know, walked around our front yard on the phone and so forth. I liken it to going out in your front yard in your boxers to get the mail and everyone sees you. Now, everyone knows what my numbers were last quarter. They didn’t know that in a pre-IPO world. So the pressures have mounted; your buddies and your friends are texting and calling and, hey, I saw you did this and that and what’s with this purchase of this company? So there’s some of that. But honestly, Andrew, my role, the things I focus on have not really changed in the past eight, nine months.

Andrew Monaghan:
Okay. Yeah, I can see that, especially if it is this march you’re on, right? We’re constantly getting better anyway. It’s just not something going to change because we are different. That’s right. Structure in the company.

Mark Parrinello:
It’s still about execution.

Andrew Monaghan:
Yeah, yeah, for sure. One of the questions I got, Mark, was from Chris Smith again at Aqua and he was asking some questions about culture and that, but one of them was about trust. So to his question, trust is the cornerstone to any functioning team as we’re working together and making these changes that are happening and we’re on this march forward. How do you think about giving and gaining trust from the team and how do you instill it throughout everything that they do, either internally but also externally?

Mark Parrinello:
Well, I’ll first say I’ll talk about the staff for a moment before I get into Chris’s specific questions about my ability, my trust with the team and all that. But I think an important element of a successful IPO is trust amongst your peers with the staff. Every company says they’ve got a candid culture and about ten, 15% actually do. I will tell you that. And it starts top down. If the CEO allows candid feedback in the staff meeting, then you’re going to have it and it’s going to permeate. You’re going to have a great culture because of it. Our CEO does; he has no problem with you pushing back and us debating issues and strategies. And so we have this really candid staff. We debate one another. We get in fights just like anyone else does, but it’s mutual respect. And that candidness then permeates down into the field. And that’s ultimately what creates a great culture, which I’m telling you 100% when you talk to will say that no one has. So I start with that above the CHRO and at the staff level. You know, I think Chris’s question is, I can spend a lot of time on this, but I just hired an Americas person recently and he’s out in the field and we agreed that he’d be in the field for the first six months.

Mark Parrinello:
Customers. Partners. Reps. S channel. Just meeting people. Build the relationship. I call it earning the right because sales leaders, we have to inspect the business. We have to lead. We have to give tough decisions at some point, tough messages. But I believe that you can’t really start doing all that until you’re in the field and earning the right. So I would start with that that it’s and I’ll tell you, there’s it’s a delicate balance because when you’re CRO, you can’t just be in the field all day long because you’ve got to go back to corporate and do the foundational stuff. So there is a balance there. I learned that the hard way too. I used to be the only field, so I would just share with you that I think that earning the right is a part of that process. And the only the last piece on that is it was harder to do in a post-pandemic world. So you know what I would do? I would just talk on the phone from 6:30 a.m. to 7 p.m. at night to everyone over and over and over and talk about their families and their friends and all kinds of things you hear. Then you go like, Oh no shit. Like we all do that I just over-rotate on that for literally six months because that’s all I had to do.

Mark Parrinello:
I couldn’t travel, so I couldn’t earn the right the way I’d normally done it. So I just spent a lot of time, and, you know, the last piece, Andrew, I’ll tell you, is all-hands. I went from doing one all-hands a quarter to doing monthly messaging. Here are the changes we’re making. We’re implementing this process. Here’s why. Again, the what and the why. Remember, I talked about those other skills that I honed in. I started doing some things differently to earn that trust. The more I messaged, the more they saw me, and the more they felt comfortable with me. I send off Saturday clips. I’d be on Zoom and I would just do a top of mind. Hey, this week we did great. We had two great wins. Here’s something I’m concerned about in the business. I might be changing this or we might be looking into this. Stay tuned. And it would literally be like a one and a half minute clip and I would send it off to the field and they would click on it on a Saturday. But then they got to know me and see me in my living room, or I’m in the office right now. This is not prison behind me. It’s just a brick wall in my office. So little things like that, I think, help build that trust.

Andrew Monaghan:
I like that so much because you’re right, you know, if you’re used to breaking bread with teams, you know, showing up in person to their meetings, to their customer dinners, to their various goods going on, and that’s taken away. Then you lose that chance to really get to know each other. Right. And it seems like you’ve managed to overcome that with your over-indexing on talking. Yeah.

Mark Parrinello:
Yeah, there was so I could spend a lot of time, but lots of tricks that I learned and did. And you know, and a lot of people did it. We all had to adjust to this pandemic world. So I’m not special. The things I did, we all did them. I’m just sharing some things that I did, some little pieces to the puzzle.

Andrew Monaghan:
Sure. Last question about the journey that you were on at SentinelOne. As you look back, you mentioned the roadmap and getting the chance with COVID to do a roadmap as opposed to doing it all. Now, what else did you look back on and say, you know, we were kind of lucky how that played out? I wasn’t expecting that, but it all worked out pretty nicely.

Mark Parrinello:
You know, in reflecting back, hopefully I’ll get to this, and if I don’t, ask the question again, because I was reflecting back on something that I would change, frankly, and it might not be the answer you’re looking for, but it’s important. I wish I would have enjoyed the process and the event more because, you know, I’m a big believer your strengths become your weaknesses, and a strength of mine, probably like a lot of people that are in my position, is to very quickly take a very successful quarter or a successful year and move on from it. Assess what’s not working in the business, what needs to be fixed, and move on to that execution. And so I quickly move, and again, it’s a strength, quickly move to what’s not working and move on. And I’ll never forget, you brought this up earlier, Andrew, sitting in the New York Stock Exchange, which is one of the most famous floors in all the world. And I was on that balcony that we’ve seen presidents and dignitaries on for 100 years. And there were 15 of us up there, or whatever it was, 16 of us. And I was looking down and I had invited about 85 people from SentinelOne to come and party and celebrate for a couple of days.

Mark Parrinello:
They were all on the floor looking up. We’re on TV clapping. You know, the thing that all of us see. And I got off the stage and someone said to me, like, Mark, you didn’t look happy at all. And the reason why I didn’t look happy is that I was looking down at the 85 people and I was thinking, we’ve got to go sell. All these people are partying and taking the weekends and bringing their spouses in and celebrating, and we got a lot of shit to sell. And I was already in execution mode. It’s not a bad place to be in, but I wish I would have appreciated and enjoyed that moment more, and not just that event that I’m referring to, but all things leading up to that. Man, this is exciting. Let’s really enjoy this. The learning process, the post IPO learning process, and I don’t think I enjoyed it enough. I took it for granted, like we always take things for granted, and I just went right into execution mode. So that might not get to the heart of your question. But I think for me that’s one of my lessons learned and takeaways that’s enlightening.

Andrew Monaghan:
And, you know, it happens so much in sales, though, that we you know, when you’re in the weeds and you feel the pressure about delivering all the time and incessant things going on, sometimes people struggle with taking a step back and just saying, you know, I’m in a great spot. Things are good. Life is.

Mark Parrinello:
Good. Yeah, it’s the nature of hypergrowth. We had a great quarter, but next quarter we got to do this and we’re not doing well here and we all do it. And and so for those out there that are eyeing an IPO or going to have the amazing experience of having it, I would say really enjoy that. The execution, the need to go sell some shit. As I say, that’s always going to be there, but really enjoy that moment. And I just didn’t. I took it for granted. Like we take a lot of things for granted, frankly.

Andrew Monaghan:
Well, however it went, Mark, things clearly worked out well. I was looking at the latest earnings release that you had recently, and it showed to me what was 123% year over year ARR growth. Clearly, momentum is continuing and you’re guiding really high as well into this fiscal year. So looking in from the outside and hearing stories from you and a few friends that I have over there, it seems like an incredible culture, incredible momentum is building over there. That must be fun to be part of. And I really appreciate you joining me on the chat, on the podcast today.

Mark Parrinello:
Absolutely. It’s been a great experience. As I say to everyone, we’re only in chapter four of a 12-chapter book. We’ve got a lot of work to do, a lot of things to tweak, but we’re having a good time. And thanks for having me on. I’ve enjoyed it. You know, I like these things because we can all learn from each other. And so if me spending some 35 to 40 minutes with you means people could take away a couple of anecdotes or a couple of things, a couple of notes to improve on what they’re doing, great, because I actually see the value in these things. So anyway, I enjoyed it. Thanks for having me on.

Andrew Monaghan:
Yeah. And if I was looking for new opportunities at SentinelOne, I imagine your careers page is probably the place to go.

Mark Parrinello:
What I just hired in my organization. Yeah, the short answer is yes. I just I’m laughing because I’ve just hired about 165 people in four months. So we’re always hiring.

Andrew Monaghan:
That’s a great way. Well, Mark, I really enjoyed the conversation. Thanks for joining me.

Mark Parrinello:
Thank you.


Microsoft Patch Tuesday, April 2022 Edition

Microsoft on Tuesday released updates to fix roughly 120 security vulnerabilities in its Windows operating systems and other software. Two of the flaws have been publicly detailed prior to this week, and one is already seeing active exploitation, according to a report from the U.S. National Security Agency (NSA).

Of particular concern this month is CVE-2022-24521, which is a “privilege escalation” vulnerability in the Windows common log file system driver. In its advisory, Microsoft said it received a report from the NSA that the flaw is under active attack.

“It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available,” assessed Dustin Childs with Trend Micro’s Zero Day Initiative. “Go patch your systems before that situation changes.”

Nine of the updates pushed this week address problems Microsoft considers “critical,” meaning the flaws they fix could be abused by malware or malcontents to seize total, remote access to a Windows system without any help from the user.

Among the scariest critical bugs is CVE-2022-26809, a potentially “wormable” weakness in a core Windows component (RPC) that earned a CVSS score of 9.8 (10 being the worst). Microsoft said it believes exploitation of this flaw is more likely than not.

Other potentially wormable threats this month include CVE-2022-24491 and CVE-2022-24497, Windows Network File System (NFS) vulnerabilities that also clock in at 9.8 CVSS scores and are listed by Microsoft as “exploitation more likely.”

“These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data,” said Kevin Breen, director of cyber threat research at Immersive Labs. “It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.”

Speaking of wormable flaws, CVE-2022-24500 is a critical bug in the Windows Server Message Block (SMB).

“This is especially poignant as we approach the anniversary of WannaCry, which famously used the EternalBlue SMB vulnerability to propagate at great pace,” Breen added. “Microsoft advises blocking TCP port 445 at the perimeter firewall, which is strong advice regardless of this specific vulnerability. While this won’t stop exploitation from attackers inside the local network, it will prevent new attacks originating from the Internet.”
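The two points Breen raises above (the NFS role is not a default configuration, and TCP port 445 should be blocked at the perimeter) translate into a quick host-level audit. This is an added example, not code from KrebsOnSecurity, Microsoft or Immersive Labs; it assumes an elevated PowerShell session on a Windows host with the ServerManager and NetSecurity modules available, and it complements rather than replaces the perimeter firewall block Microsoft recommends.

```powershell
# Added example (not from the original post): host-level audit of the two
# mitigation points discussed above. Assumptions: elevated PowerShell on
# Windows Server 2016 or later (Get-WindowsFeature is Server-only; the NFS
# check is simply reported as $false where the cmdlet is unavailable).

function Test-NfsRoleInstalled {
    # FS-NFS-Service is the "Server for NFS" role service, not installed by default.
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Test-SmbListening {
    # True if anything on this host is listening on TCP 445 (SMB).
    return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}

function Get-InboundSmbAllowRule {
    # Enabled inbound Allow rules whose TCP port filter covers 445 (or "Any").
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and
            (($pf.LocalPort -contains '445') -or ($pf.LocalPort -contains 'Any'))
        }
}

# Report the findings.
Write-Host ("Server for NFS installed : {0}" -f (Test-NfsRoleInstalled))
Write-Host ("SMB (TCP 445) listening  : {0}" -f (Test-SmbListening))

$rules = @(Get-InboundSmbAllowRule)
foreach ($r in $rules) {
    # Profile tells you whether the rule also applies on Public networks.
    Write-Host ("Inbound allow for 445: '{0}' [profile: {1}]" -f $r.DisplayName, $r.Profile)
}

# Host rules that allow 445 on the Public (or Any) profile deserve a second look;
# the perimeter block Microsoft advises still has to be verified on the edge firewall itself.
if ($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' }) {
    Write-Warning "TCP 445 is allowed inbound on the Public profile on this host."
}
```

Run it across a fleet (for example via remoting) to find hosts where the NFS role was enabled or where SMB is reachable from untrusted network profiles, which is where the NFS and SMB fixes above should be prioritised.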

In addition, this month’s patch batch from Redmond brings updates for Exchange Server, Office, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler components.

As it generally does on the second Tuesday of each month, Adobe released four patches addressing 70 vulnerabilities in Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce. More information on those updates is available here.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.

RaidForums Gets Raided, Alleged Admin Arrested

The U.S. Department of Justice (DOJ) said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included “raiding” — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and “swatting,” the practice of making false reports to public safety agencies of situations that would necessitate a significant and immediate armed law enforcement response.

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its “Leaks Market,” which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity “Omnipotent” profited from the illicit activity on the platform by charging “escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status.”

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items,” the DOJ said in a written statement. “Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent’s escrow service to purchase huge tranches of data from one of Coelho’s alternate user identities — meaning Coelho not only sold data he’d personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

The FBI’s seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks.

Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent.

“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent,” the government’s affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site’s primary domain was seized.

The DOJ said Coelho was arrested in the United Kingdom on January 31, at the United States’ request, and remains in custody pending the resolution of his extradition hearing. A statement from the U.K.’s National Crime Agency (NCA) said the RaidForums takedown was the result of “Operation Tourniquet,” an investigation carried out by the NCA in cooperation with the United States, Europol and four other countries that resulted in “a number of linked arrests.”

A copy of the indictment against Coelho is available here (PDF).

Reduce Risk with Unified XDR and Cyber Asset Management

A Guest post by Jamie Cowper, VP of Marketing, Noetic Cyber

As Gartner identified in their recent report on the ‘Top Trends in Cybersecurity 2022’, organizations need to protect an ‘ever-expanding digital footprint.’ The report points out that a ‘dramatic increase in attack surface is emerging from changes in the use of digital systems…’.

This expanding attack surface reflects many changes in how we have adopted and use technology, including the continuing shift to cloud services, use of SaaS applications, and a hybrid workforce. All these factors are expected to continue to grow and mean that security teams need to adapt to address external and internal coverage gaps.

A fundamental challenge for security teams here is understanding what they need to protect. Asset management for cybersecurity, or as Gartner refers to it, Cyber Asset Attack Surface Management (CAASM), has evolved to address the problem faced by security teams: to understand and mitigate their attack surface, they need to know what assets they have and their current security posture.

This is not a problem of insufficient security data. The reality is that security teams have enough tools, but the insights they need are fragmented and siloed across different security, DevOps, and IT management systems, and are currently hard to access. As a result, 71% of global IT leaders admit to finding new endpoints in their environment on a weekly basis. Noetic Cyber’s partnership with SentinelOne is intended to address this problem.

XDR and CAASM Deliver Integrated Cyber Asset Detection, Inventory, and Remediation

The integration of SentinelOne Singularity XDR and the Noetic Continuous Cyber Asset and Controls platform enables security teams to extend the visibility, detection, and endpoint insights of SentinelOne into a wider asset inventory and management architecture, maximizing the value of their investment in SentinelOne and other security tools.

To build a complete coverage map of all cyber assets in an organization, across cloud and on-premises, the Noetic platform leverages high-value data from existing security and IT management tools, which each have their own perspective on cyber posture, network access, and business criticality. SentinelOne’s endpoint, cloud telemetry, and incident data are high-fidelity sources of data that help security teams understand security coverage gaps and system misconfigurations.

By integrating the SentinelOne data with information from other systems, such as Configuration Management Databases (CMDB), Vulnerability Management (VM), and Identity & Access Management (IAM), Noetic can provide security teams with a correlated, aggregated visualization of all cyber assets in the organization, and more importantly, the cyber relationships between them which help prioritize critical security coverage gaps based on risk and business criticality.

How It Works

The Noetic Connector for SentinelOne is an agentless integration that uses the OpenAPI spec to create a bi-directional link between the two platforms. Noetic customers simply enable the connector in their platform, provide it with API credentials and perform an initial configuration. The Noetic connector will then ingest relevant information from SentinelOne, looking for information indicating new, updated, or removed assets. This information is aggregated and correlated with information from various other data sources into a graph database in Noetic and updated regularly.

At this point, we have an incredibly rich source of security insights instantly available to security teams to query, but the connector also contains more pre-packaged capabilities to deliver immediate value.

Common security use cases, resources, and dashboards are included in the integration, so security teams can quickly understand and remediate the problems they surface.

The Noetic connector for SentinelOne is bi-directional, which is critical: Noetic includes a highly flexible automation and workflow engine, so as Noetic and SentinelOne uncover security problems, the necessary remediation can be identified and automated on an ongoing basis.

Common Use Case | Missing Endpoint Security Agents

Organizations will typically have a policy that SentinelOne must be installed on all virtual or physical machines, but in the real world, machines can be deployed without the correct security policies. The challenge for SentinelOne, as with any security tool, is to understand where this is happening.

The Noetic platform has an abstract model built on standard security concepts, one of which is ‘machine’, so that when it ingests information from SentinelOne, AWS, Microsoft Active Directory, ServiceNow, or any other technology, it identifies and correlates different perspectives of the same machine based on the information received.

A simple, repeatable task in Noetic is therefore to run the query ‘All Machines without EDR’, which presents a list of all machines identified by other tools but not known to SentinelOne.

This query can be automated to run on a weekly, daily, or hourly basis to continuously uncover rogue machines without the SentinelOne agent deployed. It can also be modified to identify misconfigured or outdated versions of the SentinelOne agent.

Once Noetic identifies machines missing the required agent, a simple automated workflow can trigger their enrolment, either via the SentinelOne console or through systems management software such as Microsoft SCCM or AWS SSM.

For organizations with large numbers of unprotected machines, Noetic can also help with workload prioritization. If there are hundreds or even thousands of missing endpoint agents, then it may not be practical to roll out the software immediately. By understanding other cyber factors associated with the machines – what sensitive information they may have access to, the presence of any unpatched critical vulnerabilities, etc. – the security team can then align with the IT organization to focus on a prioritized software roll-out program to minimize the risk to the business.
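The use case above (correlate several tools' views of the same machine, list the ones with no EDR agent or an outdated one, and rank the gap by risk) as an added worked example in Python; this is not Noetic's or SentinelOne's code or API. All inventories are constructed sample data, the correlation key (lower-cased short hostname) and the risk weights are assumptions chosen for illustration, and the minimum agent version is a placeholder.

```python
"""Correlate multi-source asset inventories and find machines without EDR.

Added example with constructed data; the correlation rule, risk weights and
version threshold are assumptions, not any vendor's actual logic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample inventories. Each source sees the same machines from its
# own angle: the cloud API knows instance IDs and private DNS names, the
# directory knows FQDNs, the CMDB knows business criticality and data
# sensitivity, the scanner knows unpatched critical findings, and the EDR
# console knows which hosts actually report an agent (and its version).
CLOUD = [
    {"instance_id": "i-0a1", "private_dns": "web-01.corp.example.com"},
    {"instance_id": "i-0b2", "private_dns": "db-01.corp.example.com"},
    {"instance_id": "i-0c3", "private_dns": "batch-07.corp.example.com"},
]
DIRECTORY = [
    {"dnsHostName": "WEB-01.corp.example.com"},
    {"dnsHostName": "DB-01.corp.example.com"},
    {"dnsHostName": "HR-LAPTOP-3.corp.example.com"},
]
CMDB = [
    {"name": "db-01", "criticality": "high", "sensitive_data": True},
    {"name": "web-01", "criticality": "medium", "sensitive_data": False},
    {"name": "hr-laptop-3", "criticality": "medium", "sensitive_data": True},
    {"name": "batch-07", "criticality": "low", "sensitive_data": False},
]
VULN_SCAN = [
    {"host": "db-01.corp.example.com", "critical_unpatched": 2},
    {"host": "batch-07.corp.example.com", "critical_unpatched": 1},
]
EDR_AGENTS = [
    {"computerName": "web-01", "agentVersion": "22.1.2.7"},
    {"computerName": "db-01", "agentVersion": "21.7.4.1"},
]
# Placeholder policy threshold (assumption): agents below this are "outdated".
REQUIRED_AGENT_VERSION: Tuple[int, ...] = (22, 1, 0, 0)


def machine_key(name: str) -> str:
    """Normalise a hostname or FQDN from any source into one correlation key.
    Lower-cased short hostname stands in for the abstract 'machine' concept."""
    return name.strip().lower().split(".")[0]


@dataclass
class Machine:
    key: str
    sources: Set[str] = field(default_factory=set)   # which tools know it
    criticality: str = "unknown"
    sensitive_data: bool = False
    critical_unpatched: int = 0
    agent_version: Optional[Tuple[int, ...]] = None  # None = no EDR agent


def build_inventory() -> Dict[str, Machine]:
    """Merge every source into one machine per correlation key."""
    inv: Dict[str, Machine] = {}

    def get(name: str) -> Machine:
        k = machine_key(name)
        return inv.setdefault(k, Machine(key=k))

    for r in CLOUD:
        get(r["private_dns"]).sources.add("cloud")
    for r in DIRECTORY:
        get(r["dnsHostName"]).sources.add("directory")
    for r in CMDB:
        m = get(r["name"])
        m.sources.add("cmdb")
        m.criticality, m.sensitive_data = r["criticality"], r["sensitive_data"]
    for r in VULN_SCAN:
        m = get(r["host"])
        m.sources.add("vuln")
        m.critical_unpatched = r["critical_unpatched"]
    for r in EDR_AGENTS:
        m = get(r["computerName"])
        m.sources.add("edr")
        m.agent_version = tuple(int(x) for x in r["agentVersion"].split("."))
    return inv


def machines_without_edr(inv: Dict[str, Machine]) -> List[str]:
    """The 'All Machines without EDR' query: seen by some tool, not by EDR."""
    return sorted(k for k, m in inv.items() if "edr" not in m.sources)


def machines_with_outdated_agent(inv: Dict[str, Machine],
                                 minimum=REQUIRED_AGENT_VERSION) -> List[str]:
    """Variant of the query: agent present but below the required version."""
    return sorted(k for k, m in inv.items()
                  if m.agent_version is not None and m.agent_version < minimum)


CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1, "unknown": 1}  # assumption


def risk_score(m: Machine) -> int:
    """Illustrative risk weighting from criticality, data and open findings."""
    return (CRIT_WEIGHT[m.criticality] * 10 + (5 if m.sensitive_data else 0)
            + 4 * m.critical_unpatched)


def prioritised_rollout(inv: Dict[str, Machine]) -> List[str]:
    """Unprotected machines ordered highest risk first for a staged roll-out."""
    missing = [inv[k] for k in machines_without_edr(inv)]
    return [m.key for m in sorted(missing, key=lambda m: (-risk_score(m), m.key))]


if __name__ == "__main__":
    inventory = build_inventory()
    print("No EDR agent:     ", machines_without_edr(inventory))
    print("Outdated agent:   ", machines_with_outdated_agent(inventory))
    print("Roll-out priority:", prioritised_rollout(inventory))
```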

Parting Thoughts

The partnership between SentinelOne and Noetic is designed to help improve the cybersecurity posture for our customers. These initial use cases are the first step in leveraging SentinelOne’s extensive cloud, endpoint, network, and vulnerability data as a high-fidelity ‘source of truth’ to feed into the wider cybersecurity model.

Noetic’s bi-directional connector allows security teams to quickly take advantage of existing workflows and remediation processes that are already defined and active within their SentinelOne deployment and extend them to new cybersecurity use cases, improving cyber hygiene and reducing risk. To learn more about SentinelOne and Noetic Cyber, attend the upcoming webinar or read the joint solution brief.

Double-Your-Crypto Scams Share Crypto Scam Host

Online scams that try to separate the unwary from their cryptocurrency are a dime a dozen, but a great many seemingly disparate crypto scam websites tend to rely on the same dodgy infrastructure providers to remain online in the face of massive fraud and abuse complaints from their erstwhile customers. Here’s a closer look at hundreds of phony crypto investment schemes that are all connected through a hosting provider which caters to people running crypto scams.

A security researcher recently shared with KrebsOnSecurity an email he received from someone who said they foolishly invested an entire bitcoin (currently worth ~USD $43,000) at a website called ark-x2[.]org, which promised to double any cryptocurrency investment made with the site.

The ark-x2[.]org site pretended to be a crypto giveaway website run by Cathie Wood, the founder and CEO of ARKinvest, an established Florida company that manages several exchange-traded investment funds. This is hardly the first time scammers have impersonated Wood or ARKinvest; a tweet from Wood in 2020 warned that the company would never use YouTube, Twitter, Instagram or any social media to solicit money.

At the crux of these scams are well-orchestrated video productions published on YouTube and Facebook that claim to be a “live event” featuring famous billionaires. In reality, these videos just rehash older footage while peppering viewers with prompts to sign up at a scam investment site — one they claim has been endorsed by the celebrities.

“I was watching a live video at YouTube where Elon Musk, Cathy Wood, and Jack Dorsey were talking about Crypto,” the victim told my security researcher friend. “An overlay on the video pointed to subscribing to the event at their website. I’ve been following Cathy Wood in her analysis on financial markets, so I was in a comfortable and trusted environment. The three of them are bitcoin maximalists in a sense, so it made perfect sense they were organizing a giveaway.”

“Without any doubt (other than whether the transfer would go through), I sent them 1 BTC (~$42,800), and they were supposed to return 2 BTC back,” the victim continued. “In hindsight, this was an obvious scam. But the live video and the ARK Invest website is what produced the trusted environment to me. I realized a few minutes later, when the live video looped. It wasn’t actually live, but a replay of a video from 6 months ago.”

Ark-x2[.]org is no longer online. But a look at the Internet address historically tied to this domain (186.2.171.79) shows the same address is used to host or park hundreds of other newly-minted crypto scam domains, including coinbase-x2[.]net (pictured below).

The crypto scam site coinbase-x2[.]net, which snares unwary investors with promises of free money.

Typical of crypto scam sites, Coinbase-x2 promises a chance to win 50,000 ETH (Ethereum virtual currency), plus a “welcome bonus” wherein they promise to double any crypto investment made with the platform. But everyone who falls for this greed trap soon discovers they won’t be getting anything in return, and that their “investment” is gone forever.

There isn’t a lot of information about who bought these crypto scam domains, as most of them were registered in the past month at registrars that automatically redact the site’s WHOIS ownership records.

However, several dozen of the domains are in the .us domain space, which is technically supposed to be reserved for entities physically based in the United States. Those Dot-us domains all contain the registrant name Sergei Orlovets from Moscow, the email address ulaninkirill52@gmail.com, and the phone number +7.9914500893. Unfortunately, each of these clues leads to a dead end, meaning they were likely picked and used solely for these scam sites.

A dig into the Domain Name Server (DNS) records for Coinbase-x2[.]net shows it is hosted at a service called Cryptohost[.]to. Cryptohost also controls several other address ranges, including 194.31.98.X, which is currently home to even more crypto scam websites, many targeting lesser-known cryptocurrencies like Polkadot.

An ad posted to the Russian-language hacking forum BHF last month touted Cryptohost as a “bulletproof hosting provider for all your projects,” i.e., it can be relied upon to ignore abuse complaints about its customers.

“Why choose us? We don’t keep your logs!,” someone claiming to represent Cryptohost wrote to denizens of BHF.

Cryptohost says its service is backstopped by DDoS-Guard, a Russian company that has featured here recently for providing services to the sanctioned terrorist group Hamas and to the conspiracy theory groups QAnon/8chan.

A scam site at Cryptohost targeting Polkadot cryptocurrency holders.

Cryptohost did not respond to requests for comment.

Signing up as a customer at Cryptohost presents a control panel that includes the IP address 188.127.235.21, which belongs to a hosting provider in Moscow called SmartApe. SmartApe says its main advantage is unlimited disk space, “which allows you to host an unlimited number of sites for little money.”

According to FinTelegram, a blog that bills itself as a crowdsourced financial intelligence service that covers investment scams, SmartApe is a “Russian-Israeli hosting company for cybercriminals.”

SmartApe CEO Mark Tepterev declined to comment on the allegations from FinTelegram, but said the company has thousands of clients, some of whom have their own clients.

Cryptohost’s customer panel, which points to an IP address at Russian hosting provider SmartApe.

“Also we host other hostings that have their own thousands of customers,” Tepterev said. “Of course, there are clients who use our services in their dubious interests. We immediately block such clients upon receipt of justified complaints.”

Much of the text used in these scam sites has been invoked verbatim in similar schemes dating back at least two years, and it’s likely that scam website templates are re-used so long as they continue to reel in new investors. Searching online for the phrase “During this unique event we will give you a chance to win” reveals many current and former sites tied to this scam.

While it may seem incredible that people will fall for stuff like this, such scams reliably generate decent profits. When Twitter got hacked in July 2020 and some of the most-followed celebrity accounts on Twitter started tweeting double-your-crypto offers, 383 people sent more than $100,000 in a few hours.

In Sept. 2021, the Bitcoin Foundation (bitcoin.org) was hacked, with the intruders placing a pop-up message on the site asking visitors to send money. The message said any sent funds would be doubled and returned, claiming that the Bitcoin Foundation had set up the program as a way of “giving back to the community.” The brief scam netted more than $17,000.

According to the U.S. Federal Trade Commission, nearly 7,000 people lost more than $80 million in crypto scams from October 2020 through March 2021 based on consumer fraud reports. That’s a significant jump from the year prior, when the FTC tracked just 570 cryptocurrency investment scam complaints totaling $7.5 million.

A recent report from blockchain analysis firm Chainalysis found that scammers stole approximately $14 billion worth of cryptocurrency in 2021 — nearly twice the $7.8 billion stolen by scammers in 2020.

In March, Australia’s competition watchdog filed a lawsuit against Facebook owner Meta Platforms, alleging the social media giant failed to prevent scammers using its platform to promote fake ads featuring well-known people. The complaint alleges the advertisements, which endorsed investment in cryptocurrency or money-making schemes, could have misled Facebook users into believing they were promoted by famous Australians.

In many ways, the crypto giveaway scam is a natural extension of perhaps the oldest cyber fraud in the book: Advanced-fee fraud. Most commonly associated with Nigerian Letter or “419” fraud and lottery/sweepstakes schemes, advanced fee scams promise a financial windfall if only the intended recipient will step up and claim what is rightfully theirs — and oh by the way just pay this small administrative fee and we’ll send the money.

What makes these double-your-crypto sites successful is not just ignorance and avarice, but the idea held by many novice investors that cryptocurrencies are somehow magical money-minting machines, or perhaps virtual slot machines that will eventually pay off if one simply deposits enough coinage.

The Good, the Bad and the Ugly in Cybersecurity – Week 15

The Good

Good news this week as Germany’s Federal Criminal Police Office (BKA) announced the takedown of what has been described as “the world’s largest darknet market”. Servers belonging to the “Hydra Market” were seized on Tuesday, along with Bitcoins amounting to the equivalent of approximately $25 million. The seizures were carried out after extensive investigations by German and US authorities beginning in August 2021.

Hydra was notorious as a trading place for narcotics, stolen databases, forged documents, and hacking for hire services. Police found data belonging to around 17 million customers and over 19,000 registered traders. The Russian-language platform had been in operation since at least 2015 and is believed to have had the highest turnover worldwide for an illegal marketplace. Authorities said its sales amounted to at least $1.34 billion in 2020 alone.

Authorities also noted that the site offered a service for obfuscating digital transactions called Bitcoin Bank Mixer, intended to make investigations and analysis into criminal activities difficult for law enforcement agencies.

At the time of writing, the site’s home page has been replaced by a notice from authorities. While reportedly no arrests have been made so far, the investigation is ongoing and the seized infrastructure is still being evaluated.

The Bad

It’s been a week of bad news for mobile users with the discovery of multiple campaigns distributing banking trojans and other malware via the Google Play Store.

Researchers discovered six different apps masquerading as AV software in the Google Play Store that were found to be deploying the SharkBot banking trojan. Combined, the fake AV apps are thought to have had as many as 15,000 downloads, and while the apps have since been removed from the store by Google, the malware remains active.

SharkBot is able to steal user credentials and banking information. The malware abuses Accessibility features on the device to lure victims into entering credentials in windows that mimic legitimate credential input forms. The data entered is then sent to a server controlled by threat actors. While the researchers did not attribute the campaign to a particular actor, they did note that SharkBot uses geofencing to identify and ignore devices located in China, India, Romania, Russia, Ukraine and Belarus.


Also this week came news of a campaign that has achieved over 50,000 installations of malicious Android software targeting banks and other financial institutions. The Octo Android banking trojan is dropped by a number of rogue apps such as Pocket Screencaster (com.moh.screen), Fast Cleaner 2021 (vizeeva.fast.cleaner), Play Store (com.restthe71), Postbank Security (com.carbuildz), Pocket Screencaster (com.cutthousandjs), BAWAG PSK Security (com.frontwonder2), and Play Store app install (com.theseeye5).

Octo is said to be a revised version of ExobotCompact and can gain remote control over devices, capture screen contents in real-time, log keystrokes and receive commands from a C2.

The Ugly

Network security vendor WatchGuard found itself embroiled in controversy this week over a severe vulnerability silently patched last year and recently exploited by the Cyclops Blink botnet.

What later became CVE-2022-23176, a flaw with a severity rating of 8.8, was fixed back in May 2021. At the time, this and other “internally detected security issues” were obliquely referred to in the company’s release notes. WatchGuard stated that certain non-specific security issues had been found by their own engineers, and were not actively found in the wild.

Importantly, the company said at the time that they were not sharing technical details about the flaws “for the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues”.

Such an approach, widely disparaged as “security by obscurity”, typically irks security researchers, and WatchGuard has found itself on the receiving end of sharp criticism since the revelation earlier this week. As pointed out by one industry professional, threat actors did indeed discover and exploit these issues, and the vendor’s lack of transparency only served to “put their customers at unnecessary risk”. Had the vendor been more transparent at an earlier stage, the argument goes, more customers would have been able to patch and security teams would have been able to actively hunt for exploitation attempts.

Transparency with regard to software patching is always a double-edged sword for vendors. Take, for example, the contrasting approaches taken by OS vendors Microsoft and Apple, with the latter famously less transparent than the former. On the one hand, Microsoft can claim customers remain informed and in control; on the other, Apple will claim that their systems are widely perceived as “more secure”, although the very obscurity that Apple relies on makes such a claim difficult to evaluate. The reality is that whatever approach is taken by a vendor, it is always going to result in criticism when it “backfires” and threat actors compromise organizations and users.

Best-of-Breed Identity Threat Detection and Response Meets Best-of-Breed XDR

These are exciting times for SentinelOne and the Singularity XDR platform. Attivo is a highly differentiated Identity Security platform serving over 300 global enterprises. With the acquisition of Attivo, we are gaining an immensely valuable set of Identity Security capabilities in aid of the core foundations of our XDR Strategy: visibility, detection and protection.

In this post, we will look at how Identity Security will merge seamlessly into the Singularity platform, the benefits it will bring, and the power it will offer our customers as part of a single, unified platform for XDR.

ITDR (Identity Threat Detection and Response) As A Natural Extension to XDR

The Singularity platform offers a unique balance of speed, scale and simplicity for solving detection and response problems across every security surface – Endpoint, Cloud, Mobile, IoT, Network, Storage and now Identity. Our platform ingests and processes just under 1.5 trillion events per day, offering faster queries, longer data retention periods and more automated workflows than any other single platform. As we have spoken about before, Singularity is both a Native and an Open XDR platform. This is why, within a single month, you see us launch multiple open XDR partnerships alongside the recent introduction of native Identity coverage with the addition of Attivo into the fold of Singularity.

We have been closely monitoring the Identity space from multiple angles in the past year – from being a critical surface in its own right to its impact on Zero Trust strategies and naturally also on XDR. We identified several key areas in which our platform could evolve and Attivo’s portfolio of solutions matched that need. The fact that the Attivo team, led by Tushar, Venu and Srikant look at the landscape in such a similar way made this a perfect fit.

Attivo | A Market Leading Identity Platform

In the past 24 months, Attivo have evolved their own platform to address the key challenges of Identity Threat Detection and Response. Much like the paradigm shift that EDR brought to the Endpoint space, Attivo have managed to make a significant impact to the security of their customers by addressing key workflows relating to the creation of visibility, protection and remediation of Identity based risks on Devices, Domain Controllers, Active Directory and the Network.

Attivo have delivered a market leading Identity platform addressing three main customer needs:

  1. Identity Threat Detection and Response
  2. Identity Infrastructure Assessment
  3. Identity Deception and Insider Threat Protection

The entire portfolio will be holistically integrated into the Singularity XDR platform.

Thanks to the open nature of Singularity, we are able to rapidly deliver multiple layers of XDR synergies with Attivo’s offerings – ranging from the Ingestion of Critical Identity data to Contextualised Threats and the exposure of new Remediation Actions. Our ability to integrate with such ease is based on various existing platform components – from the underlying XDR Data platform to AI and Automation elements such as Storyline and Singularity Marketplace. Delivering a unified experience is a significant element of our strategy – this means that we will look to introduce integration points between Attivo and multiple other Singularity products such as Remote Script Orchestration and Ranger.

How Customers Will Benefit From Attivo Integration With Singularity XDR

Here are some examples of upcoming improvements to the Singularity XDR platform thanks to the merging of SentinelOne and Attivo that will be available for our customers and partners soon.

  • Enhanced Identity and Credential protection thanks to the combined research and detection efforts – for both Endpoints and Domain Controllers.

    The Attivo platform delivers market leading coverage of the newly announced MITRE Engage framework, which alongside SentinelOne’s proven MITRE ATT&CK leadership offers our customers maximal alignment to the critical mappings MITRE has created. Furthermore, Attivo also brings valuable additions to our existing Endpoint Protection capabilities such as Credential Theft, Lateral Movement and Privilege Escalation.

  • Expansion of our Attack Surface Management and Environment Hardening utilising the synergies between Ranger and Attivo’s Risk Management offering – now covering Endpoint, Network, IoT AND Active Directory.

    Since its introduction, Singularity Ranger has evolved from an IoT solution to a complete Attack Surface Reduction product, creating visibility into unmanaged devices and network mapping and improving vulnerability and application management. Combined with AD Assessor, Ranger will expand its coverage to address significant Zero Trust needs. Attivo offers continuous, real-time monitoring and analysis of Identity risk and vulnerability based on Active Directory Analysis. Our customers can now analyse risk but also remediate vulnerable Desktops, Servers, Workflows, Domain Controllers, Active Directories and User Accounts – all from one platform.

  • Increased Identity context based on a combination of SentinelOne and Attivo’s existing visibility and the combined tech-partnership strategy of both vendors, facilitating faster Triage and Root Cause Analysis.

    Moving forward, we’ll be adding significant enhancements to the already robust context that is part of every SentinelOne alert. Identity centric insight such as information about users, their accounts, entitlements, authentication techniques and more will all help provide an even more actionable and insightful triage and investigation process.

  • More effective Incident Response.

    SentinelOne’s arsenal of response capabilities, ranging from rollback to scaled peer-to-peer deployment and cross platform script orchestration, will be integrated with Attivo to expand the types of response alongside enabling the seamless utilisation of all capabilities regardless of which platform component is being used. In the near future, we’ll be introducing several Identity-centric response workflows focusing on delivering Secure Access to achieve Zero Trust initiatives.

Parting Thoughts

The above is just a taste of what we’ll be working on. We now also have the benefit of delivering on a shared roadmap, with multiple exciting Singularity XDR – Identity products and features just around the corner.

We are 100% committed to offering a single, unified platform for XDR. Unlike other vendors, who in recent times have acquired or introduced new technologies without actually integrating them in a sustainable way – we already have a crystal clear path for integration of the two platforms and it’s already started.

Best-of-Breed Identity Detection and Response meets Best-of-Breed XDR – the sky’s the limit.

If you would like to learn more about how SentinelOne Singularity XDR can protect your organization, contact us or request a free demo.


Actions Target Russian Govt. Botnet, Hydra Dark Market

The U.S. Federal Bureau of Investigation (FBI) says it has disrupted a giant botnet built and operated by a Russian government intelligence unit known for launching destructive cyberattacks against energy infrastructure in the United States and Ukraine. Separately, law enforcement agencies in the U.S. and Germany moved to decapitate “Hydra,” a billion-dollar Russian darknet drug bazaar that also helped to launder the profits of multiple Russian ransomware groups.

FBI officials said Wednesday they disrupted “Cyclops Blink,” a collection of compromised networking devices managed by hackers working with the Russian Federation’s Main Intelligence Directorate (GRU).

A statement from the U.S. Department of Justice (DOJ) says the GRU’s hackers built Cyclops Blink by exploiting previously undocumented security weaknesses in firewalls and routers made by both ASUS and WatchGuard Technologies. The DOJ said it did not seek to disinfect compromised devices; instead, it obtained court orders to remove the Cyclops Blink malware from its “command and control” servers — the hidden machines that allowed the attackers to orchestrate the activities of the botnet.

The FBI and other agencies warned in March that the Cyclops Blink malware was built to replace a threat called “VPNFilter,” an earlier malware platform that targeted vulnerabilities in a number of consumer-grade wireless and wired routers. In May 2018, the FBI executed a similar strategy to dismantle VPNFilter, which had spread to more than a half-million consumer devices.

On April 1, ASUS released updates to fix the security vulnerability in a range of its Wi-Fi routers. Meanwhile, WatchGuard appears to have silently fixed its vulnerability in an update shipped almost a year ago, according to Dan Goodin at Ars Technica.

SANDWORM AND TRITON

Security experts say both VPNFilter and Cyclops Blink are the work of a hacking group known as Sandworm or Voodoo Bear, the same Russian team blamed for disrupting Ukraine’s electricity in 2015.

Sandworm also has been implicated in the “Industroyer” malware attacks on Ukraine’s power grid in December 2016, as well as the 2016 global malware contagion “NotPetya,” which crippled companies worldwide using an exploit believed to have been developed by and then stolen from the U.S. National Security Agency (NSA).

The action against Cyclops Blink came just weeks after the Justice Department unsealed indictments against four Russian men accused of launching cyberattacks on power utilities in the United States and abroad.

One of the indictments named three officers of Russia’s Federal Security Service (FSB) suspected of being members of Berserk Bear, a.k.a. Dragonfly 2.0, a.k.a. Havex, which has been blamed for targeting electrical utilities and other critical infrastructure worldwide and is widely believed to be working at the behest of the Russian government.

The other indictment named Russians affiliated with a skilled hacking group known as “Triton” or “Trisis,” which infected a Saudi oil refinery with destructive malware in 2017, and then attempted to do the same to U.S. energy facilities.

The Justice Department said that in Dragonfly’s first stage between 2012 and 2014, the defendants hacked into computer networks of industrial control systems (ICS) companies and software providers, and then hid malware inside legitimate software updates for such systems.

“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices,” the DOJ said. “Through these and other efforts, including spearphishing and ‘watering hole’ attacks, the conspirators installed malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.”

In Dragonfly’s second iteration between 2014 and 2017, the hacking group spear-phished more than 3,300 people at more than 500 U.S. and international companies and entities, including U.S. federal agencies like the Nuclear Regulatory Commission.

“In some cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant,” the DOJ’s account continues. “Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.”

HYDRA

Federation Tower, Moscow. Image: Evgeniy Vasilev.

Also this week, German authorities seized the server infrastructure for the Hydra Market, a bustling underground market for illegal narcotics, stolen data and money laundering that’s been operating since 2015. The German Federal Criminal Police Office (BKA) said Hydra had roughly 17 million customers, and over 19,000 vendors, with sales amounting to at least 1.23 billion euros in 2020 alone.

In a statement on the Hydra takedown, the U.S. Department of Treasury said blockchain researchers had determined that approximately 86 percent of the illicit Bitcoin received directly by Russian virtual currency exchanges in 2019 came from Hydra.

Treasury sanctioned a number of cryptocurrency wallets associated with Hydra and with a virtual currency exchange called “Garantex,” which the agency says processed more than $100 million in transactions associated with illicit actors and darknet markets. That amount included roughly $8 million in ransomware proceeds laundered through Hydra on behalf of multiple ransomware groups, including Ryuk and Conti.

“Today’s action against Hydra and Garantex builds upon recent sanctions against virtual currency exchanges SUEX and CHATEX, both of which, like Garantex, operated out of Federation Tower in Moscow, Russia,” the Treasury Department said.