Rise in Identity-Based Attacks Drives Demand for a New Security Approach

The frequency of ransomware attacks has doubled over the last couple of years, accounting for 10% of all breaches. According to the 2022 Verizon Data Breach Investigation Report, the ‘human element’ is the primary means of initial access in 82% of breaches, with social engineering and stolen credentials serving as key threat actor TTPs. Attackers consistently attempt to access valid credentials and use them to move throughout enterprise networks undetected. These challenges are driving CISOs to put identity security at the top of their priority list.

Traditional Identity Solutions Still Leave Room for Attacks

Traditional identity security solutions topping the list include Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA). These tools ensure the right users have appropriate access and employ continuous verification, guiding principles of the zero-trust security model.

However, Identity and Access Management – focusing solely on provisioning, connecting, and controlling identity access – is just the starting point to identity security. Coverage must extend beyond the initial authentication and access control to other identity aspects such as credentials, privileges, entitlements, and the systems that manage them, from visibility to exposures to attack detection.

From an attack vector perspective, Active Directory (AD) is an obvious asset. AD is where identity and its key elements naturally exist, which is why it is in an attacker’s crosshairs and a top security concern. In addition, as cloud migration continues at a rapid pace, additional security challenges arise as IT teams move quickly to provision across their environments.

When AD vulnerabilities combine with the cloud’s tendency toward misconfiguration, the need for an additional layer of protection beyond provisioning and access management becomes much clearer.

Identity Security with a New Twist

Modern, innovative identity security solutions provide essential visibility into credentials stored on endpoints, Active Directory (AD) misconfigurations, and cloud entitlement sprawl. Identity Attack Surface Management (ID ASM) and Identity Threat Detection and Response (ITDR) are new security categories designed to protect identities and the systems that manage them.

These solutions complement and operate in conjunction with Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Network Detection and Response (NDR), and other similar solutions.

ID ASM looks to reduce the identity attack surface to limit the exposures attackers can exploit. The fewer exposures, the smaller the identity attack surface. For most enterprises, this means Active Directory, whether on-premises or in Azure.

While EDR is a robust solution that looks for attacks on endpoints and collects data for analysis, ITDR solutions look for attacks targeting identities. Once an ITDR solution detects an attack, it adds a layer of defense by providing fake data that redirects the attacker to an authentic-looking decoy and automatically isolates the compromised system conducting the query.

ITDR solutions also provide incident response assistance by collecting forensic data and gathering telemetry on the processes used during the attack. The complementary nature of EDR and ITDR fit perfectly together to achieve a common goal – thwarting an attacker’s efforts.

ID ASM and ITDR solutions provide detection of credential misuse, privilege escalation, and other tactics that attackers exploit or engage in within the network. They close critical gaps between identity access management and endpoint security solutions, stopping cybercriminal attempts to exploit vulnerable credentials to move through networks undetected.

Identity Threat Security Solutions

SentinelOne has leveraged its deep experience in privilege escalation and lateral movement detection and offers a best-of-breed solution in the Identity Threat Detection and Response and ID ASM spaces. The company has secured its leadership position based on its broad ITDR and ID ASM solutions portfolio.

Identity Security Products:

  • Ranger® AD for continuous assessment of Active Directory exposures and activities that would indicate an attack
  • Singularity® Identity for detection of unauthorized activity and attacks on Active Directory, protection against credential theft and misuse, prevention of Active Directory exploitation, attack path visibility, attack surface reduction, and lateral movement detection

It’s Time for a New Identity Security Approach

With identity-based attacks on the rise, today’s businesses require the ability to detect when attackers exploit, misuse, or steal enterprise identities. This need is particularly true as organizations race to adopt the public cloud, and both human and non-human identities continue to increase exponentially.

Given the penchant for attackers to misuse credentials, leverage Active Directory (AD), and target identities through cloud entitlement, it is critical to detect identity-based activity with modern ID ASM and ITDR solutions.

Learn more about SentinelOne’s Ranger AD® and Singularity® Identity solutions.

Singularity RANGER | AD Assessor
A cloud-delivered, continuous identity assessment solution designed to uncover vulnerabilities in Active Directory and Azure AD

The Link Between AWM Proxy & the Glupteba Botnet

On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware—a spambot or password-stealing Trojan, for example —to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image: Google.com.

Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned Meris, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “RSOCKS” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week’s story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.

“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.

IF YOUR PLAN IS TO RIP OFF GOOGLE…

Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in AD1[.]ru, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (UA-3816536).

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar Domenadom[.]ru, and the website web-site[.]ru, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code — Russian plastics manufacturers techplast[.]ru and tekhplast.ru — also shared a different Google Analytics code (UA-1838317) with web-site[.]ru and with the domain “starovikov[.]ru.”

The name on the WHOIS registration records for the plastics domains is an “Alexander I. Ukraincki,” whose personal information also is included in the domains tpos[.]ru and alphadisplay[.]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “uai@” followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). [Full disclosure: Constella is currently an advertiser on this website].

But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “2222den” and “2222DEN.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “dennstr.”

The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.

Things began looking brighter after I ran a search in DomainTools for web-site[.]ru’s original WHOIS records, which shows it was assigned in 2005 to a “private person” who used the email address lycefer@gmail.com. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov.ru and starovikov[.]com.

A cached copy of the contact page for Starovikov[.]com shows that in 2008 it displayed the personal information for a Dmitry Starovikov, who listed his Skype username as “lycefer.”

Finally, Russian incorporation documents show the company LLC Website (web-site[.]ru)was registered in 2005 to two men, one of whom was named Dmitry Sergeevich Starovikov.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google’s lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.

Securing the Nation’s Critical Infrastructure | Action Plans to Defend Against Cyber Attacks

Industries around the globe increasingly rely on operational technology (OT) and industrial control systems (ICS) to support their mission-critical infrastructures while at the same time they are facing a significant increase in cyber threats.

According to CISA, the Russian government is exploring options for cyberattacks against critical infrastructure systems. Other threat actors have deliberately targeted critical infrastructure in the past and the challenge remains: how do we protect mission-critical cyber assets that are crucial to the nation’s well-being?

Why Do Cybercriminals Target Critical Infrastructure?

There are several reasons why cybercriminals target critical infrastructure. Most of the malicious cyber activities on ICS and Supervisory control and data acquisition (SCADA) systems are financially or politically motivated.

Financially-motivated attackers seek to hit public services with ransomware, in part because such assets are often running on legacy hardware or software and may be vulnerable to known exploits. Ransomware operators also hope that the mission-critical nature of such targets will force organizations to pay the ransom in order to protect those that rely on the services they provide. 

Politically-motivated attackers, meanwhile, seek to disrupt critical national infrastructure during times of crisis or when significant events are taking place, such as elections, health emergencies and wars. Such politically-motivated attacks often reach beyond their intended targets, causing collateral damage to other organizations. During Russia’s invasion of Ukraine, for example, threat actors targeted essential organizational infrastructure within and beyond the region. These state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks and the deployment of destructive malware against the Ukrainian government and critical national infrastructure (CNI) organizations.

Targeting critical infrastructure to trigger a panic can include attacking the nation’s financial and healthcare systems or electricity grids. Cybercriminals have attacked high-value organizations and those that provide critical services in several high-profile incidents. These included AcidRain, an attack on Viasat KA-SAT modems in Europe, Russian state-sponsored distributed denial-of-service (DDoS) attacks, the Colonial Pipeline attack, a ransomware attack on JBS Foods, and a supply chain attack on Kaseya Limited.

How Do Cybercriminals Exploit Critical Infrastructure?

Several factors have contributed to devastating organizational breaches. Here are some of the ways that cyber criminals explore options for potential cyberattacks:

  • Exploit vulnerable systems – Unpatched and misconfigured devices in the critical infrastructure pose a significant risk of being breached. Attackers look for vulnerabilities that exist in the standard and proprietary ICS protocols, including MMS (Manufacturing Message Specification), GOOSE (Generic Object Oriented Substation Event) by IEC 61850 standard, MODBUS (supervision and control), DNP3 (Energy and Water), BACNET (Building Automation), and IPMI (Baseboard Management Control). They know the mitigations may not always be possible and attempt to exploit these weaknesses.
  • Perform denial-of-service (DOS) attacks – Attackers can gain access through a compromised IT system, perform reconnaissance activities and move laterally to the OT network to launch a denial-of-service attack.
  • Deploy ransomware and/or wipers – a recent report from CISA shows an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. CISA, the FBI and the NSA have observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. They also observed that several ransomware groups had developed code to stop critical infrastructure or industrial processes.

Recommended Action Plans to Protect ICS Systems

Securing infrastructure requires a new approach to mitigating cyber-attacks targeting OT/ICS systems vulnerabilities. Here are some recommended action plans that will help protect essential OT assets in today’s interconnected world:

  • Conduct security assessments of OT (ICS/SCADA) systems regularly.
  • Identify OT and IT networks and implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised.
  • Identify assets in the OT network and eliminate possible vulnerabilities across a comprehensive set of attack vectors.
  • Protect endpoints to reveal any suspicious, malicious activity in industrial networks. Identify, detect, and investigate suspicious activity indicating lateral movements within IT and OT networks. Deploy endpoint-based solutions, such as Singularity Identity to detect lateral connections.
  • Protect credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
  • Implement data backup procedures on both the IT and OT networks. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware. Understand actual behavior, e.g., the type of device, what it is doing, and what it tries to connect to.

How Can the SentinelOne Identity Portfolio Help?

SentinelOne is the leader in deception technology and offers innovative ICS security solutions to protect critical infrastructure. Five of the Fortune 10’s largest ICS/SCADA organizations have already widely deployed the company’s comprehensive solutions. The PNNL(Pacific Northwest National Laboratory), a DoE national laboratory, also validated the security solutions protecting critical national infrastructure.

The Singularity™ Hologram solution provides comprehensive deception capabilities covering traditional enterprise IT and OT networks. The deception platform offers adaptive cybersecurity defense using machine learning to create deception campaigns that address the evolving attack surface. The platform supports a large subset of ICS protocols and allows customers to build emulations of various PLCs, SCADA nodes, medical equipment and more. Attackers targeting and exploiting vulnerabilities in Human Machine Interface (HMI) systems are common attack vectors. Customers can deploy decoy HMI systems using golden images.

The ICS security solution provides comprehensive deception capabilities covering traditional enterprise IT and OT networks. The platform projects deceptive decoys into SCADA, ICS, IoT, Point of Sale, and Medical Device networks, identifying attacker lateral movement and reconnaissance activity targeting production-critical systems. Additionally, the Singularity™ Identity solutions deploy deceptive credentials that can detect and report on cybercriminals leveraging their operations through remote services and exploiting ICS infrastructure.

Conclusion

Critical infrastructure is vital to public safety and health in many ways, but these essential services are often maintained by organizations with small budgets running legacy hardware and software.

To ensure the safety of mission-critical assets, organizations must put in place robust action plans that include autonomous endpoint security controls that can reduce the need for a large SOC while still continuously monitoring the ICS network for suspicious and malicious activity. To learn more about how SentinelOne can help, contact us or request a free demo.

Get a Demo of SentinelOne’s Identity Suite
Bringing Identity to XDR. Ready to experience the market’s leading identity security suite?

The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good

This week saw good news as cops in Europe busted a gang said to be behind several million euros worth of fraud. In a joint operation run by Belgian and Dutch police, an organised crime group involved in phishing, fraud, scams and money laundering was dismantled.

As a result of the operation, police made nine arrests and seized electronic devices, designer jewelry, firearms, cryptocurrency and tens of thousands of euros in cash. The arrested individuals were men between the ages of 25 and 36 and a 25-year-old woman.

europol cyber crime

The gang’s MO involved sending victims phishing links via email, text messages and chat apps including WhatsApp. The links led to fake banking websites, where victims were lured into entering their banking credentials, which the gang subsequently harvested.

It is believed the gang stole several million euros and used money mules to cash out the proceeds. Investigators believe that the group may also have been involved in drugs and firearms trafficking.

While the victims appear to have largely been located in Belgium, the suspects were all arrested in the Netherlands. This is another good example of how important collaboration between different law enforcement agencies is in tackling the cross-border nature of cyber crime.

The Bad

Last month we reported on a new zero-click remote code execution vulnerability affecting the Microsoft Windows Support Diagnostic Tool (ms-msdt) popularly known as Follina and more formerly tracked as CVE-2022-30190. This week, Ukrainian cyber defense outift CERT-UA spotted exploitation of Follina via a lure document titled “Nuclear Terrorism A Very Real Threat.rtf”.

It seems that the Russian intelligence GRU-linked threat actor APT28 is using fear of nuclear war to distribute malware via a poisoned Word document.

APT28 Follina exploitation

According to other researchers, the document is weaponized with Follina and downloads and executes a .Net executable that steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The stolen data is then exfiltrated via email to an attacker-controlled email account.

Several other attacks leveraging CVE-2022-30190 have been attributed to various APTs since Follina was first discovered four weeks ago, including Chinese-linked hackers and another Russian APT threat actor widely known as Sandworm. APT28 is just the latest jumping on the bandwagon.

While browser theft isn’t the most heinous of cyber crimes that organizations have to worry about, it’s worth remembering that credentials stored in browsers can provide threat actors with the kind of initial access they crave for long-tail hacks that are difficult to attribute or trace. It’s also a timely reminder for organizations to revisit their coverage for the Follina vulnerability. Microsoft finally got around to patching the flaw in its June 14th update and security teams are urged to ensure they take appropriate mitigation measures.

The Ugly

240 million users of cloud storage service MEGA received unwelcome news this week when researchers showed the company’s privacy claims fell somewhat short of the truth. MEGA advertises itself as offering “secure cloud storage and communication privacy by design”, boasting that “MEGA has a robust cryptographic process…no one will ever be able to access your data on MEGA. Even in the exceptionally improbable event MEGA’s entire infrastructure is seized!”

Mega bug

Unfortunately, it turns out that it is precisely the “robust cryptographic process” that is insecure. The research says that MEGA–or some entity with control over MEGA’s infrastructure–can decrypt user data and that a malicious service provider could insert files into a user’s cloud storage.

In an advisory, MEGA admitted that the research identified flaws that could be exploited “either by MEGA acting maliciously or by an external party acting similarly”. Presumably, that includes MEGA complying with any confidential law enforcement or government order it might be served with.

The problem lies in the way MEGA “rolled its own” cryptographic architecture, a double-whammy which means that while the company has patched the initial attack vector used by the researchers, it has not resolved the underlying weaknesses due to the complexity of its own architecture. The company did reward the research team from ETH Zurich with a “significant payment”, but whether MEGA users will be satisfied that their data remains unreadable by the company, law enforcement, or “bad actors” remains to be seen.

On the Board of Directors? Beware of These Six Common Cyber Security Myths

The days when cyber security was merely a technical or niche issue to be dealt with by some small department in the basement are long behind us. Boards now have CISOs and CIOs, and yet there is still a need for all directors to understand the impact of cyber security risk when making strategic business decisions as well as to understand what to ask when a breach takes place.

Failing to grasp the nature of cyber security in today’s business environment can have dire consequences. Proper board preparedness and planning are critical both to protecting the business and to insulating officers and directors from liability.  Accordingly, directors must ensure that the business is ready to face cyber risks and the potential legal ramifications of those risks by aligning the organization’s cyber risk profile with its business needs.

Of course, there is no shortage of information out there on cyber security and cyber risk, but much of it is couched in sales and marketing jargon peculiar to one vendor or another, and what isn’t is often aimed at a technical audience with a level of detail that is rarely relevant to high-level decision makers. In this post, we cut through the clutter and cover the basics of cyber risk management for directors by dispelling six common cybersecurity myths.

Myth 1: Cyber Security Is Only Necessary for Some Businesses

Many believe that only certain kinds of companies require cyber security and that if they are not in that list, cyber security isn’t for them. Typically that list includes:

  • technology companies

  • companies that store sensitive customer data (PII)

  • Health, infrastructure and other organizations legally required by law

  • Companies of a certain size or value

Cybersecurity is critical for all organizations, regardless of their industry. The ongoing wave of ransomware attacks has shown that attackers are opportunistic and will target any organization that has valuable data or systems that they can exploit.

Even companies that don’t store sensitive data (PII) can be hacked or infected with ransomware if their systems are not properly secured, and PII is not the only thing that can be stolen or compromised in a cyber attack. Organizations can also lose money, suffer damage to their reputation, and experience other negative consequences as a result of a cyber breach.

Similarly, size is not a significant factor in risk assessment. Any organization, regardless of size, can be a target for cyber attacks. Small businesses are often seen as easier targets because they may not have the same resources to devote to cyber security as larger organizations. The level of risk increases if the business does not take the necessary precautions to protect itself.

All businesses regardless of size, industry or value should have a comprehensive cyber security plan in place to protect themselves from potential attacks.

Myth 2: Security Software Is All You Need to Stay Safe

There are so many pinpoint tools in the cybersecurity defense arsenal. Tools like SIEM, SOAR, Firewalls, Anti Virus, and many others have proven in recent years that they are not sufficient to keep businesses out of negative news cycles.

The modern working environment allows employees more freedom than ever before, with the ability to install software and to gain access to company assets from the endpoint, wherever they may be physically located.

The effort of staying safe from cyber risk may start with getting the right tool to see it all, but it does not end there. As the cybersecurity landscape continues to evolve, defense capabilities need to keep pace, too.

The idea of total protection from cyber threats is unrealistic. However, organizations are best served when their boards promote a culture of cyber awareness and integrate investments into cyber resilience with the overall strategic vision of the organization.

Myth 3: Software Vulnerabilities Aren’t an Issue for the Board

Every piece of software that an organization uses can also introduce vulnerabilities that make it easy to penetrate the corporate network.

Some recent high-profile examples include CVE-2022-30190 (aka the Follina vulnerability), which allows attackers to compromise a Windows machine simply by sending a malicious Word document, and CVE-2021-44228 (aka Log4Shell), a vulnerability in a Apache’s Log4j library that most companies didn’t even realize was in their software stack.

Unfortunately, the biggest and most likely source of vulnerabilities in your software stack is likely the operating system itself. Here’s some sobering statistics:

  • In 2020, Microsoft confirmed 1,220 new vulnerabilities impacting their products, a 60% increase on the previous year.

  • 807 of 1,220 vulnerabilities were associated with Windows 10, with 107 of those related to code execution, 105 to overflows, 99 to gaining information, and 74 to gain privileges.

  • In 2021, 836 new vulnerabilities were confirmed, 455 of which impact Windows 10 and 107 allow malicious code execution.

While patch management is certainly the responsibility of your IT team, boards need to understand that no amount of patching is going to negate the security risk presented by the operating system itself.

This means that your organizations should look to partner with security-first companies that can provide a holistic approach to security. Avoid relying on the OS vendor either to patch everything or to provide security add-ons to plug the gaps.

Develop a strategy that aims to reduce risk by decreasing dependencies while easily integrating your security solution with the rest of your software stack.

Myth 4: You Don’t Need to Worry About Supply Chain Attacks

Even if an organization manages to keep its own software safe, any other service provider can unknowingly facilitate a way into the network. In recent times, we’ve seen the SolarWinds supply chain attack, where the attackers were able to compromise thousands of organizations through the SolarWinds software update, and the Kaseya incident, in which attackers targeted Kaseya VSA servers—commonly used by MSPs and IT management firms—to infect downstream customers with ransomware.

Such attacks are highly lucrative for threat actors because compromising one weak link enables access to a complete portfolio of customers using that software.

Ensuring you have maximal protection against digital supply chain attacks is a strategic decision that needs to be taken at the board level.

Ensure your board’s strategy includes things such as deploying the right security solution, developing an Incident Response (IR) plan, ensuring application integrity policies only allow authorized apps to run, and driving a cybersecurity-centric culture.

Myth 5: You Can’t Do Anything About Cyber Security Threats

While it is true that some threats are out of your control, there are many things you can do to protect your organization from cyber attacks. Implementing strong cyber security measures can help reduce your risk of being targeted by cyber criminals.

It is also important to remember that while it may be true that you cannot secure your organization against every possible attack, there are steps that organizations can take to make themselves as secure as possible against the most likely attacks.

In the vast majority of cases, threat actors are financially-motivated, and they are looking for easy wins. Like the weakest animal in the herd, the companies that cannot protect themselves will soon be picked off by cyber predators.

Implementing a comprehensive cybersecurity plan, including several layers of security, will help to protect your organization from most attacks.

Myth 6: It’s Impossible to Train Employees to be Cyber Secure

While employees are a key part of any organization’s cyber security strategy, they cannot be expected to be experts in cybersecurity. Organizations need to provide employees with appropriate training and resources. This includes regular awareness of the kinds of threats the business faces, simple steps in how to identify things like phishing emails or unusual requests, and clear steps for reporting suspicious activity. Social engineering, more commonly known as the subtle art of convincing people to click on spear phishing emails, remains one of the most common ways cybercriminals operate today.

Think of employees as an aid to your cyber defenses, and ensure that they not only have the means to report anything suspicious but that they feel safe and confident in doing so.

Conclusion

Cybersecurity is all about managing risk as effectively as possible. There is no organization in the world that is immune to cyber threats, but in today’s threat landscape, it is vital that cyber security is understood to be a strategic factor that must be planned from the very top of the organization. The risk to the business is too great for it to start anywhere else.

If you would like to learn more about how SentinelOne can help manage cyber security risk in your organization, contact us or request a free demo.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response.

From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022

In the first half of 2022, there has been no let up in the number of attacks on businesses by ransomware operators. Conti, LockBit, BlackCat and the LAPSUS$ group may have been generating most of the prime-time cyber headlines, but there are a number of smaller players that have emerged or developed over recent months that are quietly infiltrating companies, stealing their data and demanding high-dollar sums for file decryption and a promise not to leak sensitive company data.

In this post, we provide a high-level overview of three new ransomware threats that have recently emerged–Zeon, HelloXD, and Dark Angels–and provide technical indicators for each to aid threat hunting and intrusion detection teams.

1. Zeon Ransomware

Zeon ransomware was first observed in late January 2022. The group does not currently advertise its victims or data via a known public blog, although the dropped ransom note makes the usual threat of such public exposure for non-compliant victims, stating “We’ve downloaded a pack of your internal data and are ready to publish it on out [sic] news website if you do not respond”.

Zeon ransom note

The ransom note further prompts victims to visit a TOR-based payment portal to proceed with the payment. According to one source, victims must pay in XMR or BTC, with a fee of 25% in case of the latter.

Observed Zeon payloads are Python-based executables packaged via pyInstaller and further obfuscated via pyArmor.

On execution, Zeon ransomware payloads attempt to stop any services or processes that could inhibit the encryption process. These include common backup processes and utilities as well as well known security products. For example, Zeon will attempt to stop known processes from McAfee, Sophos and Kaspersky.

The ransomware uses both taskkill.exe and net.exe to terminate the prescribed processes. The following table provides a full list of affected processes.

mfevtp backup EPUpdate acronis
MBAM vmcomp W3S MsDts
Back IISAdmin Monitor EsgShKernel
Smcinst vmwp RESvc Endpoint
bedbg swi_ Veeam PDVF
CCSF TrueKey task xchange
IMAP4 Afee mfemms ESHASRV
mms vss SmcService FA_Scheduler
DCAgent NetMsmq ntrt sql
VeeamTransportSvc Report Sophos UIODetect
veeam VeeamNFSSvc EPSecurity wbengine
Backup ekrn Eraser Enterprise
POP3 KAVF klnagent WRSVC
SNAC Antivirus SMTP AVP
AcrSch Exchange EhttpSrv tmlisten
mfefire McShield

Zeon achieves persistence via Scheduled Task. The ransomware generates and executes its scheduled task via cmd.exe.

The following command output can be observed upon execution:

cmd.exe /c schtasks.exe /Run /TN zE0xO6us
schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
Zeon execution chain

Once encrypted, the .zeon extension will be added to all affected files and the ransom note is dropped as “re_ad_me.html” on the Desktop.

The ransomware also changes the victim’s desktop wallpaper.

Zeon Desktop Wallpaper

2. HelloXD Ransomware

HelloXD is a new ransomware family that first appeared towards the end of 2021. It is another in a long line of families derived from the various Babuk source code leaks. As such, both Windows and Linux variants of HelloXD have been observed.

Like Zeon, HelloXD does not currently host a public blog or victim shaming site. The ransom note instructs victims to engage the attackers via TOX chat as opposed to a direct chat link, .onion TOR website or standard email.

HelloXD ransom note

HelloXD is under rapid development, and many versions have been observed in the wild, with the author making continuous efforts to improve upon the malware’s obfuscation and file encryption routines. Initial samples of HelloXD were encrypted with a version of UPX, and some early versions also used a combination of HC-128 and Curve25519-Donna. Later examples of HelloXD ransomware have built additional layers onto the modified UPX packing, as well as updated the file encryption routine, swapping out HC128 for Rabbit Cipher.

We have observed that HelloXD payloads attempt to inhibit recovery via deletion of shadow copies:

vssadmin.exe delete shadows /all /quiet

Analyzed payloads have a rather noisy way of incorporating delays into the execution of the malware using the following:

PING.EXE 1.1.1.1 -n 1 -w 3000

Upon encryption, files are given the .HELLO extension.

Recent examples of HelloXD also install copies of MicroBackdoor, which provides the threat actors with additional RAT-level access to breached systems.

HelloXD has, for a time, been openly discussed and sold in darknet crime forums. Alongside that, the actor behind HelloXD has been receiving some unwanted attention around the exposure of HelloXD as well and mocked for being exposed by security researchers.

Threat actors learn from x4k’s exposure
Threat actors learn from x4k’s exposure

3. Dark Angels Ransomware

In May 2022, researchers found another Babuk-derivative that behaves very similarly to HelloXD called ‘Dark Angels’ (aka DarkAngels). Early reports on Dark Angels suggest that each ransomware sample is targeted specifically for a given organization, not unlike Mindware and SFile, which we reported on previously.

Dark Angels’ victims are instructed to communicate with the threat actor via TOR-based chat portal and are given the (now) usual warning about not attempting to contact law enforcement, engage recovery teams or hire negotiators.

Dark Angels ransom note

The ransomware attempts to stop the following services upon execution:

memtas mepocs sophos
veeam backup GxVss
GxBlr GxFWD GxCVD
GxCIMgr DefWatch ccEvtMgr
ccSetMgr SavRoam RTVscan
QBFCService QBIDPService Intuit.QuickBooks.FCS
QBCFMonitorService YooBackup YooIT
zhudongfangyu sophos stc_raw_agent
VSNAPVSS VeeamTransportSvc VeeamDeploymentService
VeeamNFSSvc veeam PDVFSService
BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser
BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService
BackupExecRPCService AcrSch2Svc AcronisAgent
CASAD2DWebSvc CAARCUpdateSvc

Dark Angels payloads have the ability to spread to available network shares and can accept associated parameters. The ‘paths’ and ‘shares’ command line parameters are both available. The method of share discovery can vary depending on the option provided.

Dark Angels ransomware team

In the absence of any command line options, the malware enumerates all local drives and encrypts all targeted files. Upon encryption, files are given the .crypt extension.

Conclusion

Ransomware is continuing to evolve and pivot in an ever-evolving race to gain illicit profits by attacking data on businesses’ computer systems. Threat actors know they must constantly work to stay ahead of both the legal system and the ongoing influx of inhibiting technical controls. Staying abreast of the latest developments in the evolving crimeware scene can help your security and IT teams keep your business secure.

SentinelOne Singularity detects and prevents attacks by Zeon, HelloXD and Dark Angels as well as all other known ransomware families. For more information about how SentinellOne can protect your business, contact us or request a free demo.

Indicators of Compromise

Zeon SHA1
66535700bbce7f90d2add7c504bc0e0523d4d71d
51d18417b2593bb946e08d436692e26da44cfa48
c45d82da884285100ce067bb004a3f1e31e151f5

Zeon SHA256
c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a
8ff189783dc0646513c791421df723187b614f6dbfafad16763e3c369c5dfa2a
fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590

HelloXD SHA1
4a2ee1666e2e9c40d372853e2203a7f2336b6e03
7a1b6d3ccf9429a5a5c03ce1e6db91c3095e9f34
9785231ebf3d00216aa979f8c705e2513568802e
9c8feeab65f71344713d63f4879e247aba49dce4
4d65559a14bca55f6cca722d09d80ba3e262053d
0ddf8c9a59f5fe5337e65d1e5b2e22381c3ce7e2
1758a8db8485f7e70432c07a9e3d5c0bb5743889

HelloXD SHA256
435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589
ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9
65ccbd63fbe96ea8830396c575926af476c06352bb88f9c22f90de7bb85366a3
903c04976fa6e6721c596354f383a4d4272c6730b29eee00b0ec599265963e74
7247f33113710e5d9bd036f4c7ac2d847b0bf2ac2769cd8246a10f09d0a41bab
4e9d4afc901fa1766e48327f3c9642c893831af310bc18ccf876d44ea4efbf1d
709b7e8edb6cc65189739921078b54f0646d38358f9a8993c343b97f3493a4d9

Dark Angels SHA1
529e24c81ede5dfcedcc4fbc7d0030f985c67af1

Dark Angels SHA256
38e05d599877bf18855ad4d178bcd76718cfad1505328d0444363d1f592b0838

Meet the Administrators of the RSOCKS Proxy Botnet

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam forum.

RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.

Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.

According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address stanx@rusdot.com, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a Denis “Neo” Kloster, from Omsk, Russia.

Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address istanx@gmail.com registered at the Russian freelancer job site fl.ru with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444. Another record indexed by Constella suggests Denis’s real surname may in fact be “Emilyantsev” [Емельянцев].

That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, kloster.pro and deniskloster.com.

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.

The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.

According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk“), and that he even lived in New York City for a while.

“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”

The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “SL MobPartners.”

In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).

The employees who kept things running for RSOCKS, circa 2016.

“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

Mr. Kloster did not respond to repeated requests for comment.

It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.

“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”

Rsocks told the BlackHatWorld community they would be back soon under a new name.

Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.

Detecting Unconstrained Delegation Exposures in AD Environment

Active Directory misconfigurations can lead to total domain compromise of an organization. Once an attacker gets a foothold on a compromised network, it can discover AD misconfigurations and gain higher-level privileges to access the domain.

A typical Kerberos authentication attack scenario originates from an unconstrained delegation, where attackers identify misconfigurations and steal authentication information, such as password hashes, Kerberos tickets, and application access tokens. Attackers can escalate higher privileges and move laterally within an organization’s IT infrastructure to target high-value assets.

This post discusses what a delegation is, how attackers escalate unconstrained delegation exposure, and what security measures every organization should implement to protect itself.

What is Active Directory Delegation?

Delegation is an Active Directory feature for when a user or computer account needs to impersonate another account. For example, when a user calls a web application hosted on the web server, the application can impersonate the user credentials to access resources hosted on a different server, such as a database server. Any domain computers with unconstrained delegation enabled can impersonate user credentials to any service in the domain.

How Attackers Escalate Higher Privileges With Unconstrained Delegation

Unconstrained delegation is a privilege that domain administrators can assign to a domain computer or a user. They can enable this privilege from the Delegation tab settings within the object properties.

Attackers can discover computers on a domain with an unconstrained delegation property set using the Active Directory PowerShell module cmdlet, Get-ADComputer:

Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

When a user authenticates to a computer with unconstrained Kerberos delegation enabled, the authenticated user’s TGT (ticket-granting ticket) gets saved to that computer’s memory. Caching the TGT allows the system to verify that the user has already authenticated without requesting re-authentication and can impersonate the authenticated user to access any other services. Attackers can steal this cached information through Credential Access techniques.

Attackers can then advance their attacks against unconstrained delegation using PowerShell and Mimikatz commands. They can

  • Dump and reuse credentials out of LSASS.
  • Export all private certificates.
  • Escalate privileges to have debug rights on the remote computer.

Detecting Unconstrained Delegation Exposures

Unconstrained delegation configuration poses a serious security risk to an organization where attackers who compromise a single server can compromise the entire domain. The Attivo networks ADAssessor solution offers continuous monitoring for AD vulnerabilities and detects misconfigured dangerous delegation exposures that can lead to credential theft.

Mitigation Steps

  • Identify all the servers that have delegation configured. Disable unconstrained Kerberos delegation and configure constrained delegation for servers that require it.
  • Enable the “Account is sensitive and cannot be delegated” setting for high privileged accounts.
  • Security admins should be more cautious of granting privileged permissions to users who can enable unconstrained Kerberos delegation. The option “Enable computer and user accounts to be trusted for delegation” is available under Security Settings >> Local Policies >> User Rights Assignment.
  • Adding user accounts to the Protected Users Security Group, available starting with Windows Server 2012 R2, can also mitigate unconstrained delegation exposure.

Conclusion

Detecting Active Directory exposures at an early stage can massively reduce the impact of an attack. The Ranger® AD solution can enhance visibility and remediate unconstrained delegation exposures, preventing further AD attacks.

For more information, please visit Singularity Ranger AD.

Singularity RANGER | AD Assessor
A cloud-delivered, continuous identity assessment solution designed to uncover vulnerabilities in Active Directory and Azure AD

Why Paper Receipts are Money at the Drive-Thru

Check out this handmade sign posted to the front door of a shuttered Jimmy John’s sandwich chain shop in Missouri last week. See if you can tell from the store owner’s message what happened.

If you guessed that someone in the Jimmy John’s store might have fallen victim to a Business Email Compromise (BEC) or “CEO fraud” scheme — wherein the scammers impersonate company executives to steal money — you’d be in good company.

In fact, that was my initial assumption when a reader in Missouri shared this photo after being turned away from his favorite local sub shop. But a conversation with the store’s owner Steve Saladin brought home the truth that some of the best solutions to fighting fraud are even more low-tech than BEC scams.

Visit any random fast-casual dining establishment and there’s a good chance you’ll see a sign somewhere from the management telling customers their next meal is free if they don’t receive a receipt with their food. While it may not be obvious, such policies are meant to deter employee theft.

The idea is to force employees to finalize all sales and create a transaction that gets logged by the company’s systems. The offer also incentivizes customers to help keep employees honest by reporting when they don’t get a receipt with their food, because employees can often conceal transactions by canceling them before they’re completed. In that scenario, the employee gives the customer their food and any change, and then pockets the rest.

You can probably guess by now that this particular Jimmy John’s franchise — in Sunset Hills, Mo. — was among those that chose not to incentivize its customers to insist upon receiving receipts. Thanks to that oversight, Saladin was forced to close the store last week and fire the husband-and-wife managers for allegedly embezzling nearly $100,000 in cash payments from customers.

Saladin said he began to suspect something was amiss after he agreed to take over the Monday and Tuesday shifts for the couple so they could have two consecutive days off together. He said he noticed that cash receipts at the end of the nights on Mondays and Tuesdays were “substantially larger” than when he wasn’t manning the till, and that this was consistent over several weeks.

Then he had friends proceed through his restaurant’s drive-thru, to see if they received receipts for cash payments.

“One of [the managers] would take an order at the drive-thru, and when they determined the customer was going to pay with cash the other would make the customer’s change for it, but then delete the order before the system could complete it and print a receipt,” Saladin said.

Saladin said his attorneys and local law enforcement are now involved, and he estimates the former employees stole close to $100,000 in cash receipts. That was on top of the $115,000 in salaries he paid in total each year to both employees. Saladin also has to figure out a way to pay his franchisor a fee for each of the stolen transactions.

Now Saladin sees the wisdom of adding the receipt sign, and says all of his stores will soon carry a sign offering $10 in cash to any customers who report not receiving a receipt with their food.

Many business owners are reluctant to involve the authorities when they discover that a current or former employee has stolen from them. Too often, organizations victimized by employee theft shy away from reporting it because they’re worried that any resulting media coverage of the crime will do more harm than good.

But there are quiet ways to ensure embezzlers get their due. A few years back, I attended a presentation by an investigator with the criminal division of the U.S. Internal Revenue Service (IRS) who suggested that any embezzling victims seeking a discreet law enforcement response should simply contact the IRS.

The agent said the IRS is obligated to investigate all notifications it receives from employers about unreported income, but that embezzling victims often neglect to even notify the agency. That’s a shame, he said, because under U.S. federal law, anyone who willfully attempts to evade or defeat taxes can be charged with a felony, with penalties including up to $100,000 in fines, up to five years in prison, and the costs of prosecution.

The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good

According to a report from the U.S. Department of Justice, a United States District Judge sentenced a man who operated multiple distributed denial of service (DDoS) facilitation websites to 24 months in federal prison.

This sentencing follows a nine-day trial that took place in September 2021, when a federal jury found this threat actor guilty of one count of conspiracy to commit unauthorized impairment of a protected computer, one count of conspiracy to commit wire fraud, and one count of unauthorized impairment of a protected computer.

The threat actor ran AmpNode and DownThem, two websites that allowed users to pay to launch DDoS attacks. When they were active, AmpNode offered server hosting to customers. These servers could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” that users can leverage. Meanwhile, DownThem operated on a subscription model, allowing subscribers to launch DDoS attacks.

According to records recovered by authorities, many of AmpNode’s customers were using the website to offer for-profit DDoS services themselves. DownThem had over 2,000 registered users and had launched over 200,000 attacks on homes, schools, universities, municipal and local government websites, and financial institutions around the world.

In a sentencing memorandum, prosecutors commented that this malicious attacker “ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers. He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

This sentencing is a triumph for the FBI’s Cyber Initiative and Resource Fusion Unit, Anchorage field office, and cybersecurity partners in the private sector. Hopefully, it might also provide closure to hundreds of thousands of victims who were targeted by the threat actor’s paying users.

The Bad

Researchers this week have disclosed details of a new class of side-channel attacks against Intel and AMD CPUs that they say could allow remote attackers to steal cryptographic keys and other data from servers.

Previous work on power-analysis attacks had shown that CPUs could ‘leak’ secret data if attackers could measure the power a CPU consumes while processing known data values. The problem was not considered particularly worrisome, however, because until now it was thought that a remote attacker had no practical means of measuring power consumption of a CPU as it processed data. Hertzbleed, as the vulnerability has been dubbed, offers just such a means.

The researchers exploited a feature common to all AMD and Intel CPUs called “dynamic voltage frequency scaling” (DVFS). In a nutshell, DVFS allows for CPU frequency to change in response to the data being processed, a feature implemented by chip manufacturers to help ensure that CPUs stay within power and thermal limits during high loads.

Since CPU frequency is data-dependent, the researchers say, a remote attacker can use specially-crafted queries to deduce the CPU frequency of the server by timing the responses received.

In a blog post describing Hertzbleed, the authors claim that “In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.”

While admitting that practical exploits through a frequency side channel attack are currently unlikely, the researchers argue that Hertzbleed demonstrates that current ‘best practice’ guidelines for developers to mitigate against timing attacks is now obsolete.

Intel has updated its guidance for developers here in light of the research, while AMD have yet to respond at the time of writing. Hertzbleed is tracked as CVE-2022-23823 and CVE-2022-24436.

The Ugly

Security researchers have identified “WannaFriendMe,” a new variant of Chaos ransomware that disguises itself as Ryuk ransomware, but with one major twist: the operators behind this ransomware were selling the ransomware’s decryptor on the online gaming platform Roblox.

In June 2021, a malicious attacker began selling the Chaos ransomware builder, which allowed cyber criminals to create their own ransom notes, encrypted file extensions, and other customization selections to create their own ransomware.

Post-encryption, WannaFriendMe victims will see a ransom note that prompts them to buy the threat actor’s decrypter tool on the Roblox Game Pass store using Roblox’s in-game Robux currency. Once a victim buys the decrypter from the threat actor (who had the Roblox username “iRazorMind”), they’re prompted to contact the threat actor with confirmation to recover their files.

However, victims that follow the ransom note’s instructions are not likely to recover their data. Chaos ransomware variants often destroy data by overwriting any file larger than 2 MB with random data instead of simply encrypting the file, only allowing victims to recover files smaller than 2 MB.

At the time of publication, Roblox developers offered a public statement to the media, saying “Roblox maintains many systems to keep our users safe and secure, and while this case did not relate to any exploit or vulnerability on Roblox, we have taken swift action to remove the Game Pass in question and we have permanently removed the account responsible for a breach of our Terms of Service.” Roblox has also removed the decrypter tool from its storefront and banned the account hosting it.

Although Roblox has thankfully taken steps to respond to this abuse of their platform, it is disheartening to see cyber criminals target Roblox’s young users to launch cyber attacks that will cause damage and create major ramifications for victims.