Research Paper | Emulating Phineas Phisher Attacks in Modern EDR Environments

A Guest Post by Giorgos Karantzas and Professor Constantinos Patsakis

Introduction

A few years ago, a vigilante hacker under the name “Phineas Phisher” conducted a series of high-profile attacks, including hacking into “Hacking Team”, a company that, among other things, developed and sold spyware to government agencies. This was not the result of a random attack but of a well-planned and targeted one.

To achieve his goals, the hacker developed a 0-day for the SonicWall VPN appliance. After this attack, the attacker scanned the internet for such devices and found that an offshore bank in the Cayman Islands was using the same vulnerable version. Beyond this exploit, he reported in his write-ups that he used common hacker utilities like Meterpreter and Empire, and that he was not some kind of APT with custom malware writers, nor did he receive significant funding and support; on the contrary, he claimed to be a humble ‘one-man army’.

The final goal of the bank hack was to access Bottomline’s SWIFT management panel and initiate transactions targeting his own accounts. He then uploaded the VMs used by the bank, along with all the sensitive client information stored on these systems.

The scenario is rather intriguing: despite the impact and the sensitivity of the information, it provides deep insight into an environment in which few people operate. Moreover, such environments are not well documented publicly, and their digital twins are hard to find.

We argue that emulating such an attack scenario and adapting it to current tools and methods, on both the offensive and the defensive side, can provide a good baseline for understanding the capabilities of both sides and for highlighting the changes that have taken place over these years. To this end, in our scenario we have tried to follow the evolution of defensive and offensive security by rebuilding such an environment and equipping it with modern defense mechanisms.

Since most organizations are now deploying endpoint detection and response (EDR) systems on their endpoints to behaviorally detect and throttle cyber-attacks, we have equipped our endpoints accordingly. However, as shown in our previous research, EDRs are no silver bullets and have their weak points as well. In fact, Advanced Persistent Threat (APT) groups have significantly advanced their capabilities. Having access to several such defensive technologies, they study them and customize their malware accordingly to target them and minimize detection. Moreover, APTs and ransomware groups use several C2 frameworks, the most widely used being Cobalt Strike; however, there are other options that may provide different capabilities and fit better at particular stages of the cyber kill chain.

Based on the above, this work can be considered a purple teaming scenario in the financial sector. Practically, we present the blue-versus-red-team fight, detailing, where possible, detection and bypass methods, their rationale, and their gaps, mainly through the use of C2 servers. At each step we present the attacker’s and the defender’s perspectives on the same scenario. This means that we report by what means an EDR would report and/or block an action and how the attacker would try to prevent this.

Experiment Background and Differences with Common Tests

Unlike common tests such as the MITRE ATT&CK evaluations, our threat actor is highly adapted to the target’s defenses, as any serious actor would be, rather than being measured against a generic baseline. Such an actor’s offensive capability ranges from basic attacks and operations performed on the network to weaponizing a series of private toolkits, from the highest-end, combat-proven solutions to lesser-known yet highly effective options.

The lab’s architecture did not emulate human traffic, thus denying the attacker the typical places to hide and admittedly offering an advantage to EDR solutions, as the samples would stand out easily. Detection engineering can be considered the art of avoiding false positives, and in low-traffic environments like this one there are few chances of blending in with regular user and application traffic; therefore, we treated this constraint as a fixed principle to be followed in the environment we had.

Given this fact, we decided to constantly modify the policies, ranging from production-ready to BETA features, pushing both the researchers conducting the experiment and the product, which led to highly sensitive discoveries that were kept private to ensure the safety of SentinelOne’s clients. In close collaboration with SentinelOne’s R&D department, several bugs were reported and fixed, as well as real-world bypasses and architectural blind spots.

We weaponized the statistically most probable way of entering an organization and exercised several post-foothold TTPs through a series of methods and frameworks, enabling operational and scientific diversity.

Network Architecture Analysis

We try to keep the scenario simplistic yet expose a complex mindset, ideas and (at points) tooling; therefore, we consider the case of a financial institution based on a recreation of Sherwood’s target network, the infrastructure of Cayman Island National Bank and Trust that Phineas Phisher penetrated, reconfiguring it and extending it with new machines on a Hyper-V server. On the network level, pfSense, virtual switches, RRAS and Squid were used to enforce network segmentation and security policies. Mainstream applications and banking-related ones were installed on servers and workstations, a virtual Citrix XenApp instance was used, and a virtual SWIFT secure zone was emulated as well using jump servers. Various production-ready versions of Windows were used, and several security features such as Credential Guard were employed on hosts to stage a scenario with a minimum level of operational sophistication and realism. In general, the network design allows us to demonstrate several privileged and unprivileged attack vectors by granting local admin access on some endpoints and allowing the loading of kernel drivers and several other actions.

Toolset Analysis

During this study we will go through several tools of various levels of sophistication. Of specific interest are the C2s that the attacker may use. To this end, we provide a brief overview of each one.

Brute Ratel

Brute Ratel C4, by Dark Vortex, is one of the most ambitious attempts we have seen in the industry. It is a low-cost alternative to Cobalt Strike with less well-known indicators, more opsec-friendly and user-friendly, as well as adaptable. It is maintained by a highly active developer with serious red teaming experience who keeps adding features to the core.

Some of the highlights include the custom plugin called LDAP Sentinel, which can be used for enumeration, the customized reflective loader and the BOF files, as well as the easily configurable TTPs, ranging from network communication to process injection and more.

BRC4 should be a solution capable of bringing all operations to a successful end.

Version 0.7 was the latest at the start of testing, and version 0.8 was tested as well; however, new versions come out quickly, making them hard to follow. After a comment from the developer, we replicated some tests with the latest version at that time, 0.9.

Notably, during our testing process we faced several limitations, the most important being the form of delivery.

Before continuing, we should make a note. BRC4 is a new product, which justifies some stability issues related to the shellcode upon execution that would lead to a “half-beacon” that crashes immediately after execution. We attempted each attack several times and managed to successfully execute the beacon on both protected and unprotected machines. Based on the frequency of the crashes, combined with the creation of the werfault process and the fact that the badger was unusable, we noticed that a crash of the badger was more likely on VMs protected with an in-process agent.

Cobalt Strike 4.4

Cobalt Strike is the norm when it comes to C2 frameworks. It provides the core functionality needed to perform basic operations but is also fully extendable. Judging from the plug-ins in the form of BOFs, reflective DLLs, various kits, etc., a significant amount of the work is done by the community. The latest version at the time of writing this section is 4.4, and it is the one we are using in our experiments. In this version, among other things, a custom reflective loader capability is introduced, meaning you can replace the default one with your own, like boku7’s implementation. Moreover, you can use BOFs, pieces of code that are executed inside the local process and avoid the default fork-and-run behavior.

Cobalt Strike is not that opsec safe anymore, yet you can always implement several security features on your own and embed them on your loader.

In our case, most of Cobalt Strike’s out-of-the-box features and kits will not be helpful, as many detections nowadays are multi-layered and generic, which means they target the very core of the threat and adapt to different usage scenarios from an attacker’s point of view. We will present a few PoC detections from various commercial tools to support the fact that a wide range of IOCs exists and that the framework has a high chance of being detected, at least at some point, in a highly advanced network that employs various defenses.

Therefore, a combination of TTPs may be needed, including using other C2s, customizing tradecraft and tailoring Cobalt Strike to the target both host-wise and network-wise (e.g., sideloading into Teams and making traffic look like legitimate Teams traffic) while retaining guardrails against both UM- and KM-based detections, something that could cost a large amount of time and effort while other tools could simply be more effective for specific tasks.

Although some of the offensive coders out there are highly skilled, the stability of some publicly available tools is questionable, as they are mostly created in someone’s free time and not in the same way as production software maintained by a company. The most important point, however, is that Beacon will usually get detected one way or another, even when some customization takes place.

In all our tests, Cobalt Strike required us to resort to monstrosities in order to use it, usually after some tampering based on privileged attacks or product-specific bugs, which again did not guarantee success.

Havoc

Havoc represents the category of malware that is not a commercial product; rather, it was developed by an aspiring young security researcher who is still a student. We therefore wish to demystify this kind of tool and demonstrate the capabilities of non-corporate software developed with stealth and stability in mind.

Havoc was built to target the vast majority of endpoint solutions and therefore had few IOCs by design. We assisted the developer in bringing the software to a more suitable condition for this scenario by contributing slightly to the development process.

Network communication is performed over TCP sockets with AES-encrypted content, with the capability of sleeps during which no command will be fetched.

Havoc has proven to be able to go through extremely hardened environments as long as the operators are willing to employ some basic op-sec techniques and modify the code base.

Nighthawk by MDSec

Nighthawk is a high-end C2 framework developed by MDSec, designed by hardcore red teamers for hardcore red teamers with stealth, configurability, and feature richness in mind. This toolkit is the tip of the spear for several reasons, as we will discuss in our experiments, and offers by design capabilities that would require serious amounts of work to adapt to existing tooling or even to create custom tooling for. As of this writing, MDSec has added even more features than those used in this work, including some stealthy injection chains that will bypass even ETWTi and spoofing strategies for mini-filter callbacks.

Nighthawk delivers a set of opsec features which includes ROP-based system call unhooking and, later on, full DLL unhooking; this comes “by design” and therefore makes the operator’s life easier. It also includes other useful features like thread stack spoofing and in-memory hiding via heap-based encryption, and it usually evades several tools (depending on the case) that scrape through the memory of a process for abnormal indicators such as. The idea behind Nighthawk is to be fully malleable, which means you can control all the behavior of the C2 manually without writing any code. This enabled us to change the behavior of the implant during the operation according to our needs. This means, among other things, customized process injection methods, universal usage of system calls and network-callback-related options to guarantee undercover beaconing.

At this moment, Nighthawk proved to be the most feature-rich, stable and effective solution we used.

Oyabun – Stage 0

Oyabun is a newly created tool by Red Code Labs with a somewhat more generic and limited scope when it comes to its usage. It is a multi-platform Golang-based toolkit that has proven highly effective at passing some initial barriers of modern defenses. As time passes, its instabilities diminish thanks to the development team’s commitment; although the design is solid, discrepancies may occur from time to time.

In this case, we will not test a C2 framework such as Nighthawk, BRC4 or Cobalt Strike. Those frameworks are armed with highly advanced opsec-related features and can be used to reach objectives at all stages of the intrusion.

There are, however, cases in which a specific malware strain is deployed first in order to later deploy those heavy weapons. This malware is called “stage-0”, as it is the first malware to touch the victim network and perform callbacks to a server controlled by the attacker.

Modus Operandi

The main goals of the actor included:

  • Operate below the radar.
  • Tamper with endpoint defenses as much as needed, from user-mode hook avoidance and removal to offensively rendering the EDR/EPP solution useless.
  • Demonstrate both operational security principles and the bare minimum needs for an attack to be successful, even if this means an increased footprint that can be exploited by the defenders.
  • Demonstrate diverse ways of achieving goals including different tools and mindsets.

Initial Access

The toolset that was used included both lesser-used and lesser-regarded techniques and ones that are extremely popular and trending, but with heavy adaptations to the internal mechanisms of the defensive tools. Several malicious files, including XLLs, MSIs and EXEs, were used for initial access, and even privileged attack packages that impaired the defenses using exploitable drivers to inject into free AV software, as this was one of the few ways to totally avoid the in-process client. In some cases, DLLs with cloned exports were used to hijack legitimate applications and load our unstaged payloads.

SentinelOne demonstrated the capability of blocking generic threats on touch, including Cobalt Strike and BRC4, in many different ways. SentinelOne’s traps withstood spoofing of the format of the BRC4 code provided, including many more “exotic” and customized loading types such as customized Phantom DLL Hollowing, commercial tools like Shellter Pro, MacroPack and more, something that surprised us. In the case of Nighthawk, its malleability, bug fixes and delivery format enabled us to step onto the network, while still leaving the defenders valuable context about the attack.

Havoc needed customization to survive in the environment, and our team collaborated with the developer, leading to upgrades to Havoc C2.

Oyabun was able to survive, but only for a few limited actions and only in a very specific format that could be targeted by application whitelisting.

Post-Ex Tool Deployment

Tools were deployed in various ways, including reflection, heavily monitored yet working PowerShell sessions, and CLR loading, but always under an opsec-safe context to cover beaconing and tool execution as much as possible. The researchers managed to circumvent all PIC-related mitigations and run malicious post-ex tools in various formats. Admittedly, those mitigations covered 90% of the attempts made and required heavy customization to bypass.

Tampering

Tampering occurred in many cases using exploitable drivers during the experiments, but we were also able to find ways to completely disregard all user-mode traps with several techniques, one being Nighthawk’s ROP-based system call unhooking scheme and the other being bugs in the logic that our team discovered and reported.

Lateral Movement

Lateral movement included RDP, WMI, WinRM, a WebDAV-based internal phishing toolkit called Farmer, and credential-stealing tools in PIC form (PIC that was essentially a PE loader bootstrapped to the code, such as sRDI) and in executable form to collect credentials, and of course SOCKS proxying with an RDP client. When it came to dumping credentials from processes like LSASS, we had to avoid all common techniques and had serious problems executing the attack, which led us to exploit a bug in SentinelOne’s architecture in order to get such an opportunity, something unlikely to happen in the wild.

Process Injection

The detection model employed limits the usage of common evasion techniques and injections, targeting both the technique and the shellcode itself. It took a significant amount of effort to bypass the guardrails in place, and yet again kernel-based traps caught the behavior of the PIC. At this point we revealed bugs related to SentinelOne’s APC protections that were immediately fixed, raising the bar for attackers again. Our experience taught us that such attempts easily complicate things with SentinelOne, and we avoided risking our context.

Ransomware

Although ransomware was not the goal of such an attacker, known variants with customized loaders performing various injections and with heavily modified payload formats, including Ryuk, Ragnar and Babuk, were successfully mitigated, some at the ransomware level and some at the deployment level.

SentinelOne’s Outcome

Given the sensitivity of the tests, not much can be revealed, to ensure clients are safe. SentinelOne’s team indeed took into account our proposals and our various bug reports and reports of missed detections, and during testing the product was able to effectively tackle most of the generic attacks that exist out there as “out-of-the-box” solutions (always depending on the policy). What SentinelOne does is push the attacker while giving the defender valuable context that can later be exploited using STAR rules to effectively track down specific attackers. That said, a holistic model that tackles the attacker at the right points is invaluable and something that can be achieved to some extent with proper configuration. Having had the chance to BETA test some of the upcoming features, we can say that the upcoming stability could ease the defenders’ side by making customization increasingly necessary, at great cost to attackers.

Overall Outcome

Nowadays, true value lies in information, and goal-driven intelligence has seen an outstanding amount of development in recent years, especially following the advancements in personal, corporate, public, and critical infrastructure.

Threat actors may come from various backgrounds: government-sponsored, self-motivated by curiosity, financially motivated, hacktivists and more. However, their goals are achieved through a common chain of actions. This chain is what modern security vendors try to tackle, producing useful alerts with minimal disruption and false positives. Defensive strategies may vary per organization and per product; however, each operating system or network appliance poses certain limitations that must be considered. Holistically covering as much attack surface as possible is the modern goal, increasing the chances of blocking the threat actor or, at a minimum, revealing his existence at some point.

An environment must always be re-adapted every few months/years to a certain security model on multiple levels, from very basic security-oriented network segmentation to constantly updating assets and ensuring proper privilege management. In this study, we will at some point face such issues on purpose.

The most important asset, however, is the endpoint, whether a server or a workstation; thus, the defensive focus is primarily oriented towards this direction, where even the internals of the operating system are at stake.

The motive is not to discourage people from using EDRs but to show that silver bullets simply do not exist – by using top-notch industry products to present attack-specific examples with as much transparency as possible – and that attackers can easily investigate and adapt to most defenses. Obviously, if computers are in closed networks without the ability to plug in devices, they will be highly secure but also more difficult to operate. Today’s security personnel try to find a golden mean between functionality, security and performance.

The main point of this research, however, is that no matter how well structured a defense is, a sophisticated actor or a group of people, each with their own specialization, will be able to penetrate even some of the most advanced and mature networks. This assumption is based on the level of motivation, the time to be spent on a single objective, and the sophistication of the attacker. The study depicts this situation as we go through a threat emulation scenario in our own lab, representing a sensitive and high-value target. We see through the attacker’s eyes and understand how to think, research, experiment and tackle objectives one after the other while in a constant race with the blue team. The attacker’s mistakes give the blue team its next move, and vice versa.

From the aforementioned statement on the criticality of the endpoints, we can easily infer that tooling that interacts with such endpoints is of extreme importance to attackers. This is another focus of this study: demonstrating state-of-the-art malware, some of which is not easily accessible. This tooling will ease execution and provide us with stealth and post-exploitation capabilities to spread across the target network.

During this journey, we explored all parts of an intrusion that will be exposed to both blue and red teams, explaining what is executed TTP-wise, why it is executed, the background concepts, and the footprint left.

All the experiments were conducted before April 2022 and any views expressed do not reflect the opinion of employers of the people involved.

Microsoft Patch Tuesday, June 2022 Edition

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that’s seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

Three of the bugs tackled this month earned Microsoft’s most dire “critical” label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is CVE-2022-30190, a vulnerability in the Microsoft Support Diagnostics Tool (MSDT), a service built into Windows.

Dubbed “Follina,” the flaw became public knowledge on May 27, when a security researcher tweeted about a malicious Word document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using a feature in Word to retrieve an HTML file from a remote server, and that the HTML file in turn used MSDT to load code and execute PowerShell commands.

“What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack,” writes Mayuresh Dani, manager of threat research at Qualys. “Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code.”

Kevin Beaumont, the researcher who gave Follina its name, penned a fairly damning account and timeline of Microsoft’s response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able to achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.

Beaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn’t a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it released recommendations on how to mitigate the threat from the vulnerability.
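As an added example, not code from the article or from any vendor it cites, the following triage script flags the two document-side signs of the Follina delivery chain described above: a .docx whose relationship files point an embedded object at a remote server, and retrieved HTML that invokes the MSDT protocol handler through the ms-msdt: URI scheme. The sample document is constructed in memory; all file names and URLs in it are placeholders.

```python
"""Triage helpers for the Follina (CVE-2022-30190) delivery chain.

A .docx is a zip package; every part's relationships live in *.rels XML files.
Word fetches remote content when a relationship is marked TargetMode="External".
Hyperlinks are routinely external and benign, so only other relationship types
(e.g. oleObject, attachedTemplate) pointing at http(s) targets are reported.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
BENIGN_EXTERNAL_TYPES = {OFFICE_REL + "hyperlink"}

# The MSDT protocol handler is reached through the ms-msdt: URI scheme.
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (rels_part, short_rel_type, target) for each suspicious external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                if rel_type in BENIGN_EXTERNAL_TYPES:
                    continue
                if target.lower().startswith(("http://", "https://")):
                    findings.append((name, rel_type.rsplit("/", 1)[-1], target))
    return findings


def html_invokes_msdt(html_text):
    """True when the HTML references the ms-msdt: handler anywhere (markup or script)."""
    return bool(MSDT_RE.search(html_text))


def scan_docx_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return external_relationships(fh.read())


def build_sample_docx(target):
    """Constructed minimal .docx: one internal part, one benign hyperlink and one
    external oleObject relationship pointing at `target` (a placeholder URL)."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
 <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
 <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>
 <Relationship Id="rId3" Type="{OFFICE_REL}oleObject" Target="{target}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://remote.example/page.html")  # constructed URL
    for part, rel_type, target in external_relationships(sample):
        print(f"suspicious external {rel_type} in {part}: {target}")
    print("html invokes msdt:", html_invokes_msdt("<a href='ms-msdt:'>open</a>"))
```

A hit from `external_relationships` alone is only a lead: templates and OLE links can legitimately be external, so the retrieved content should be fetched in a sandbox and checked with `html_invokes_msdt` before escalating.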

Microsoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. Orca Security said that back on January 4 it told Microsoft about a critical bug in Azure’s Synapse service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.

In an update to their research published Tuesday, Orca researchers said they were able to bypass Microsoft’s fix for the issue twice before the company put a working fix in place.

“In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor,” wrote Orca’s Avi Shua. “Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

Amit Yoran, CEO of Tenable and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.

“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran wrote in a post on LinkedIn. “To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”

Also in the critical and notable stack this month is CVE-2022-30136, which is a remote code execution flaw in the Windows Network File System (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.

“This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NFSV2.0 and NFSV3.0,” wrote Trend Micro’s Zero Day Initiative. “It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.”

Beginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the dirt on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Gartner Summit 2022 Recap: Reframing Risk & Simplifying Security

Thousands of people in the cybersecurity community converged upon National Harbor, Maryland last week for Gartner’s annual Security & Risk Management Summit. For many of us, it was our first in-person industry conference since February 2020, and our excitement was palpable. Between this event and RSA Conference 2022 in San Francisco, the SentinelOne team had an exciting week connecting with our fellow cybersecurity professionals and reflecting on the latest developments in the cybersecurity landscape.

The theme of this year’s summit was “Reframe and Simplify,” a mantra that was reiterated in keynotes and breakout sessions throughout the week. “Reframe” signifies the need for security professionals to transform the conversations we have with our business leaders in order to help them understand what we do not do. As Gartner’s VP analyst Jay Heiser put it, “We can’t eliminate security failure. But we can help you understand risk and how to get back up again.”

“Simplify” is, well, simple: Only do what’s most important to mitigate risk for your business, and focus security modernization on composable security tools, like ones built with APIs that give you the flexibility to add more capabilities in the future.

Missed out on the fun? Here are some notable takeaways from the summit.

The Era of XDR is Here, But What Does it Mean?

Ask five different vendors what XDR is, and you’ll get five different answers. Ask five different analyst firms the same question, and you’ll get the same result. While certain Gartner analysts estimate that we’re about 18 to 24 months out from landing on a consistent answer, one common point of agreement among vendors and analysts alike seems to be that identity security and endpoint protection, detection and response are critical building blocks for an XDR platform.

From CAASM to xSPM, Acronyms Abound in Infosec

As modern attack surfaces expand and evolve, security experts continue to define and refine capabilities for addressing the threat vectors that follow. This is reflected in a never-ending list of industry acronyms—EASM, CAASM, xSPM, _DR, just to name a few. According to Gartner VP Analyst Pete Shoard, Managed Detection and Response (MDR) is the only “DR” that’s a service and not a technology.

Speaking of technologies, we’ve now reached the dawn of Threat Detection and Incident Response (TDIR), a SaaS-based evolution of managed services designed for maturing security practices. It is not to be confused with Identity Threat Detection and Response (ITDR), a term coined by Gartner less than a year ago to describe the collection of tools and best practices to defend identity systems.

ITDR is the New Top Trend

Heiser identified ITDR as the most forward-looking trend in his talk, “Top Trends in Security and Risk Management.” An action plan for implementation starts with prioritizing the security of your identity infrastructure with tools to monitor, protect, detect, and remediate threats. Other keys to success include using the MITRE ATT&CK framework to correlate ITDR techniques with common attack scenarios, investing in foundational identity and access management (IAM) security best practices, and modernizing your IAM infrastructure with current and emerging standards.

CISOs Must Communicate in a Language Business Leaders Understand

In a fireside chat with conference chair Patrick Hevesi, guest keynote John Brennan shared learnings from his experience as CIA Director and Senior National Security & Intelligence Analyst during the Obama administration. His key takeaway for the audience: Most of your leaders are less technical than you, so stay out of the weeds and present the facts in a way that helps them understand the impact to their business.

Born-in-the-Cloud Enterprises Provide a Guide to the Future State of Security

In “Outlook for Cloud Security,” Gartner Senior Director Analyst Charlie Winckless outlined the limitations of a lift-and-shift migration from on-premises to the cloud versus a born-in-the-cloud approach. Lifting and shifting will work to a certain degree, but you’re going to need to rethink your strategy pretty quickly. He cautioned that not all clouds are the same and pointed out that identity is now the control plane for security. He explained that “identity is a perimeter” — or in SentinelOne’s terminology, a surface — and that Cloud Infrastructure Entitlement Management (CIEM) facilitates automation of complex auditing.

XDR + Native Identity Data = Better Together

Gartner SentinelOne booth

This week’s conference marked our first opportunity to showcase the Singularity XDR platform’s new identity security capabilities following our acquisition of Attivo Networks. Our combined forces spent the week demonstrating how Singularity Ranger AD, Singularity Identity, and Singularity Hologram can help organizations reduce their Active Directory and Azure AD attack surfaces, protect identity infrastructure, and detect in-network attacks and insider threats, respectively.

Integration, Partnerships and Visibility Are Key to Enterprise Security

Finally, we observed many of the same trends as our fellow Sentinels in attendance at RSAC 2022; whether pulling from firsthand practitioner experience or observing the industry at a macro level, consolidation of vendors and tools, strategic technology integrations and growing partner ecosystems, and a huge focus on gaining visibility across every segment of an expanding attack surface seem top of mind for all.

Conclusion

We didn’t have Incubus perform at a FOMO party. We didn’t have a giant purple tree calling to people from across the expo hall floor to come learn about autonomous threat defense. But with SentinelOne-branded lanyards slung around the neck of nearly every attendee, we enjoyed our own sense of omnipresence.

More importantly, over the course of a private dinner with CISOs, one-on-one meetings with Gartner analysts, and three days in the exhibit hall, we had countless meaningful conversations with people who, just like us, are deeply passionate about helping to defend organizations against cyber attacks with speed, scale, and accuracy.

We look forward to continuing these conversations and to starting new ones as we hit the road to the next show.


“Downthem” DDoS-for-Hire Boss Gets 2 Years in Prison

A 33-year-old Illinois man was sentenced to two years in prison today following his conviction last year for operating services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against hundreds of thousands of Internet users and websites.

The user interface for Downthem[.]org.

Matthew Gatrel of St. Charles, Ill. was found guilty of violating the Computer Fraud and Abuse Act (CFAA) through his operation of downthem[.]org and ampnode[.]com, two DDoS-for-hire services that had thousands of customers who paid to launch more than 200,000 attacks.

Despite admitting to FBI agents that he ran these so-called “booter” services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by public defenders. Gatrel’s co-defendant and partner in the business, Juan “Severon” Martinez of Pasadena, Calif., pleaded guilty just before the trial.

After a nine-day trial in the Central District of California, Gatrel was convicted on all three counts, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Prosecutors said Downthem sold subscriptions allowing customers to launch DDoS attacks, while AmpNode provided “bulletproof” server hosting to customers — with an emphasis on “spoofing” servers that could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims.

Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.

Ideally, a DNS resolver answers only the machines it is meant to serve, the clients of its own network, translating a domain name such as example.com into the numeric Internet address behind it. But DNS reflection attacks rely on consumer and business routers and other devices running DNS servers that are (mis)configured to answer queries from anywhere on the Internet.

Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.
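To make the reflection mechanics above concrete, here is an added example (not part of the original article) of what the abuse looks like in flow records from both vantage points: the victim sees DNS responses it never asked for, and an open resolver sees many small queries from one claimed source answered with large responses. The flow records, addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
"""Spot DNS reflection and amplification abuse in flow records.

Added example for this page, not code from the original article.  All flow
records use RFC 5737 documentation addresses and are constructed; the
2-second query/response window and the "5 queries, 10x bytes" thresholds
are illustrative assumptions, not published detection rules.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def is_query(f: Flow) -> bool:
    return f.dport == 53


def is_response(f: Flow) -> bool:
    return f.sport == 53


def unsolicited_responses(flows, local_net: str, window: float = 2.0) -> list:
    """Victim's vantage point: DNS responses that reach a local host which
    sent no matching query shortly before.  Spoofed-source reflection looks
    exactly like this: answers from resolvers you never asked."""
    net = ipaddress.ip_network(local_net)
    queries = [f for f in flows if is_query(f) and ipaddress.ip_address(f.src) in net]
    flagged = []
    for r in flows:
        if not (is_response(r) and ipaddress.ip_address(r.dst) in net):
            continue
        answered_ours = any(q.src == r.dst and q.dst == r.src and 0 <= r.ts - q.ts <= window
                            for q in queries)
        if not answered_ours:
            flagged.append((r.src, r.dst, r.nbytes))
    return flagged


def reflection_report(flows, resolver_ip: str, min_queries: int = 5,
                      min_ratio: float = 10.0) -> dict:
    """Resolver's vantage point: per claimed client, bytes sent back divided
    by bytes of queries received.  Many queries plus a high ratio means this
    resolver is amplifying traffic toward that (probably spoofed) address."""
    q_bytes, q_count, r_bytes = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        if is_query(f) and f.dst == resolver_ip:
            q_bytes[f.src] += f.nbytes
            q_count[f.src] += 1
        elif is_response(f) and f.src == resolver_ip:
            r_bytes[f.dst] += f.nbytes
    report = {}
    for client in set(q_bytes) | set(r_bytes):
        ratio = r_bytes[client] / q_bytes[client] if q_bytes[client] else float("inf")
        report[client] = {"queries": q_count[client], "ratio": round(ratio, 1),
                          "flagged": q_count[client] >= min_queries and ratio >= min_ratio}
    return report


# Constructed sample as seen at the edge of "our" network 203.0.113.0/24.
VICTIM_FLOWS = [
    Flow(0.0, "203.0.113.10", 40001, "198.51.100.53", 53, 60),   # our host asks
    Flow(0.1, "198.51.100.53", 53, "203.0.113.10", 40001, 120),  # normal answer
    Flow(5.0, "192.0.2.7", 53, "203.0.113.20", 33001, 3500),     # we never asked
    Flow(5.0, "192.0.2.8", 53, "203.0.113.20", 33001, 3400),     # we never asked
]

# Constructed sample as seen by an open resolver at 198.51.100.53: one real
# client, then five spoofed queries "from" the victim, 64 bytes in, 3200 out.
RESOLVER_FLOWS = [
    Flow(0.0, "203.0.113.10", 40001, "198.51.100.53", 53, 60),
    Flow(0.1, "198.51.100.53", 53, "203.0.113.10", 40001, 120),
]
for i in range(5):
    RESOLVER_FLOWS.append(Flow(5.0 + i / 100, "203.0.113.20", 33001, "198.51.100.53", 53, 64))
    RESOLVER_FLOWS.append(Flow(5.0 + i / 100, "198.51.100.53", 53, "203.0.113.20", 33001, 3200))

if __name__ == "__main__":
    print(unsolicited_responses(VICTIM_FLOWS, "203.0.113.0/24"))
    print(reflection_report(RESOLVER_FLOWS, "198.51.100.53"))
```

On the resolver side the fix is to stop answering recursive queries from outside your own networks; at the network edge, source-address validation (BCP 38) keeps your hosts from emitting the spoofed queries in the first place.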

The government charged that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.

“Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers,” prosecutors wrote in a memorandum submitted in advance of his sentencing. “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

The U.S. and United Kingdom have been trying to impress on would-be customers of these booter services that hiring them for DDoS attacks is illegal. The U.K. has even taken out Google ads to remind U.K. residents when they search online for terms common to booter services.

The case against Gatrel and Martinez was brought as part of a widespread crackdown on booter services in 2018, when the FBI joined law enforcement partners overseas to seize 15 different booter service domains.

Those actions have prompted a flurry of prosecutions, with wildly varying sentences when the booter service owners are invariably found guilty. However, DDoS experts say booter and stresser services that remain in operation continue to account for the vast majority of DDoS attacks launched daily around the globe.

Ransomware Group Debuts Searchable Victim Data

Cybercrime groups that specialize in stealing corporate data and demanding a ransom not to publish it have tried countless approaches to shaming their victims into paying. The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form.

The ALPHV site claims to care about people’s privacy, but they let anyone view the sensitive stolen data.

ALPHV recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the western United States. Sometime in the last 24 hours, ALPHV published a website with the same victim’s name in the domain, and their logo on the homepage.

The website claims to list the personal information of 1,500 resort employees, and more than 2,500 residents at the facility. At the top of the page are two “Check Yourself” buttons, one for employees, and another for guests.

Brett Callow, a threat analyst with security firm Emsisoft, called the move by ALPHV “a cunning tactic” that will most certainly worry their other victims.

Callow said most of the victim shaming blogs maintained by the major ransomware and data ransom groups exist on obscure, slow-loading sites on the Darknet, reachable only through the use of third-party software like Tor. But the website erected by ALPHV as part of this new pressure tactic is available on the open Internet.

“Companies will likely be more concerned about the prospect of their data being shared in this way than of simply being posted to an obscure Tor site for which barely anyone knows the URL,” Callow said. “It’ll piss people off and make class actions more likely.”

It’s unclear if ALPHV plans to pursue this approach with every victim, but other recent victims of the crime group include a school district and a U.S. city. Most likely, this is a test run to see if it improves results.

“We are not going to stop, our leak distribution department will do their best to bury your business,” the victim website reads. “At this point, you still have a chance to keep your hotel’s security and reputation. We strongly advise you to be proactive in your negotiations; you do not have much time.”

Emerging in November 2021, ALPHV is perhaps most notable for its programming language (it is written in Rust). ALPHV has been actively recruiting operators from several ransomware organizations, including REvil, BlackMatter and DarkSide, offering affiliates up to 90 percent of any ransom paid by a victim organization.

Many security experts believe ALPHV/BlackCat is simply a rebrand of another ransomware group — “Darkside” a.k.a. “BlackMatter,” the same gang responsible for the 2021 attack on Colonial Pipeline that caused fuel shortages and price spikes for several days last summer.

Callow said there may be an upside to this ALPHV innovation, noting that his wife recently heard directly from a different ransomware group — Cl0p.

“On a positive note, stunts like this mean people may actually find out that their PI has been compromised,” he said. “Cl0p emailed my wife last year. The company that lost her data still hasn’t made any public disclosure or notified the people who were impacted (at least, she hasn’t heard from the company.)”

Apple’s macOS Ventura | 7 New Security Changes to Be Aware Of

Apple’s Worldwide Developer Conference for 2022 has just closed out and with it we have had our first look at macOS 13, aka macOS Ventura, slated for public release in the last quarter of 2022. As usual, Apple has added some headline-grabbing new features such as the Stage Manager viewing mode and the ability to use Quick Look in Spotlight search results, but there are more interesting – and potentially disruptive – changes with macOS Ventura that have received less attention. In this post, we highlight seven major changes that will be of interest to enterprise security teams and Mac administrators.

1. Ventura Hardware Limitations | Can Your Enterprise Macs Run macOS 13?

A new OS can sometimes mean new hardware for those that want to adopt it and any security improvements it may promise, and Ventura drops support for more Mac hardware than any other recent version of macOS.

You’ll need a machine that’s no older than 2017, and in the case of the MacBook Air and the Mac Mini models, advance that one more year to 2018. For Mac Pro owners, you’ll need something newer than the iconic “trash can” version – only Mac Pros from 2019 onwards support macOS 13 Ventura.

Here’s the full list of Macs that support macOS 13 Ventura:

  • MacBook 2017 and later
  • MacBook Pro 2017 and later
  • iMac 2017 and later
  • iMac Pro 2017
  • MacBook Air 2018 and later
  • Mac Mini 2018 and later
  • Mac Pro 2019 and later
Source: Apple

2. Gatekeeper in Ventura – Fortified, But Still Flawed

Gatekeeper is Apple’s first line of defence in its model of check, block and remove. Whereas MRT.app has traditionally dealt with removal and XProtect with blocking certain kinds of common malware, Gatekeeper’s role is to ensure that when users execute some code, that code meets the local system policy. The policy includes checks such as whether the code is validly signed and whether it has been tampered with in certain ways.

Prior to Ventura, these checks were only performed the first time the code was run. That meant a malicious actor or malicious process could alter the code of apps and executables after they had passed their first Gatekeeper check.

Now in Ventura, Gatekeeper's responsibilities have been extended to include checking that notarized apps have not been modified by unauthorized processes after that first launch. Apple says that Gatekeeper will allow apps to be modified by some processes, a vital function for things such as updaters, but those processes need to be explicitly allowed by the developer.

This is welcome news, and it should help fight malicious hijacking of legitimate apps already on the user’s system. However, the Gatekeeper check here is overridable by users. When an unauthorized modification is attempted, Gatekeeper throws a warning and asks the user if they want to allow it in System Settings.

Expect to see some creative social engineering attempts around this weak spot, as well as some intensive scrutiny by security researchers. Based on previous macOS architecture, we would anticipate that this “user consent” will be under the control of the notoriously buggy TCC framework.
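The local policy checks Gatekeeper performs can be run by hand with codesign(1) and spctl(8), which is how you would confirm that an installed bundle is still intact and still accepted. Below is an added example (not Apple's or the article's code) that wraps both tools and grades the result; its parsers are exercised on constructed tool output that mirrors the tools' Key=Value format, and the expectations it enforces (Developer ID signature, hardened runtime, notarized source) are this example's own policy, not Apple's.

```python
"""Run Gatekeeper's "check" step by hand: is the code validly signed, is the
bundle intact, and does local system policy accept it?

Added example for this page, not Apple's or the article's code.  check_bundle()
shells out to the real codesign(1) and spctl(8), so it only works on macOS;
the parsers are exercised on constructed output that mirrors the tools' format.
Requiring a Developer ID signature, the hardened runtime and a notarized source
is this example's own policy, not Apple's.
"""
import subprocess
import sys


def parse_codesign_display(text: str) -> dict:
    """Turn `codesign -dvvv` output (Key=Value lines) into a dict; the
    repeated Authority= lines (the certificate chain) become a list."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def parse_spctl_assess(text: str) -> tuple:
    """Return (accepted, source) from `spctl --assess --type execute -vv`."""
    accepted, source = False, None
    for line in text.splitlines():
        if line.rstrip().endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    return accepted, source


def judge(display: dict, verify_rc: int, assessment: tuple) -> list:
    """List every reason the bundle fails this example's strict policy."""
    problems = []
    if verify_rc != 0:
        problems.append("signature or sealed resources do not verify")
    accepted, source = assessment
    if not accepted:
        problems.append(f"spctl rejected ({source or 'no source given'})")
    elif source != "Notarized Developer ID":
        problems.append(f"accepted, but source is {source!r}")
    if not any(a.startswith("Developer ID Application:") for a in display.get("Authority", [])):
        problems.append("not signed with a Developer ID certificate")
    # the CodeDirectory line carries the flags, e.g. flags=0x10000(runtime)
    code_dir = next((v for k, v in display.items() if k.startswith("CodeDirectory")), "")
    if "(runtime)" not in code_dir:
        problems.append("hardened runtime flag missing")
    return problems


def check_bundle(path: str) -> list:
    """macOS only: run the real tools against an app bundle."""
    if sys.platform != "darwin":
        raise RuntimeError("codesign and spctl are only available on macOS")

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True)

    display = run("codesign", "-dvvv", path)
    verify = run("codesign", "--verify", "--deep", "--strict", path)
    assess = run("spctl", "--assess", "--type", "execute", "-vv", path)
    # both tools report on stderr; join the streams so nothing is missed
    return judge(parse_codesign_display(display.stdout + display.stderr),
                 verify.returncode,
                 parse_spctl_assess(assess.stdout + assess.stderr))


# Constructed tool output in codesign/spctl format (not captured from real apps)
GOOD_DISPLAY = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
GOOD_ASSESS = "/Applications/Example.app: accepted\nsource=Notarized Developer ID\n"
BAD_DISPLAY = """Executable=/tmp/Dropper.app/Contents/MacOS/Dropper
Identifier=Dropper
CodeDirectory v=20400 size=300 flags=0x2(adhoc) hashes=5+2 location=embedded
Signature=adhoc
"""
BAD_ASSESS = "/tmp/Dropper.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    print("good:", judge(parse_codesign_display(GOOD_DISPLAY), 0, parse_spctl_assess(GOOD_ASSESS)))
    print("bad: ", judge(parse_codesign_display(BAD_DISPLAY), 1, parse_spctl_assess(BAD_ASSESS)))
    if len(sys.argv) > 1:
        print(sys.argv[1], check_bundle(sys.argv[1]))
```

Run it as `python3 gatekeeper_check.py /Applications/Some.app` on a Mac to grade a real bundle; an empty list means every check passed. The `--strict` verification is the part that catches post-install tampering of sealed resources, which is the gap Ventura's runtime re-check is meant to close.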

3. Paths to Persistence – Warnings for Login Items, LaunchAgents and LaunchDaemons

Perhaps one of the biggest – or at least most noticeable – changes to both security and the user experience is the change to the venerable ‘System Preferences’ application. Renamed and redesigned, System Preferences.app is now System Settings.app.

/System/Applications/System Settings.app

The iOS-style makeover will be controversial among long-time Mac users. Some will say a redesign was well overdue and that the iOS styling adds consistency to the ‘Apple experience’, while others will argue that a UI designed for touch doesn’t transition well to a keyboard-based form factor. However you feel about it, what is certain is that you’ll need to use the search field to find your way around in the list-based interface.

From a security angle, one new feature is that users can now manage Login Items, LaunchAgents and LaunchDaemons all from a single place in System Settings. Previously, the only visibility into items that execute when the device starts up or the user logs in required finding hidden directories in the Finder, using the Terminal, or relying on 3rd party software. This has always been problematic, particularly with LaunchAgents, since any process can add a persistence item without authorization from or notification to the user.

Now in macOS Ventura, not only can users see which items are set up for persistence, they can also control them from a single place in System Settings. Importantly, when apps add a LaunchAgent, LaunchDaemon or Login Item, the system now generates a notification alert (or two…).

As LaunchAgents are the single most widely used means of persistence by macOS malware, the extra visibility and control over this process is a long overdue and important improvement to macOS security, and one we welcome.

Inevitably, however, there are caveats that enterprise teams need to be aware of. This extra security to protect against malware and misuse will also impact the vast majority of software that uses these items legitimately. First, there are the extra alerts to work through and dismiss. In some cases, as in our example above, one installation may produce more than one alert. Secondly, and perhaps more worryingly, users may not understand the impact of disabling such items in System Settings.

If your organization uses essential software with such persistence mechanisms, you will want to figure out what kind of support calls you might receive if a user disables these. At present, it is not clear whether the final release of Ventura will include the ability to lock down these items via MDM or some other mechanism to prevent users disabling critical software.
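For teams that want the same inventory in scriptable form, before users start toggling items off, here is an added example (not Apple's tooling or the article's code) that parses launchd plists from the standard LaunchAgent and LaunchDaemon directories and flags the ones an analyst would triage first. The sample plist is constructed, and the suspicion rules are this example's assumptions.

```python
"""Inventory launchd persistence items and flag the ones to triage first.

Added example for this page, not Apple's tooling or the article's code.  The
directories are the standard launchd locations; the sample plist is
constructed, and the suspicion rules (temp or world-writable paths, hidden
directories, interpreter one-liners, self-restarting jobs) are this
example's assumptions about what an analyst wants surfaced first.
"""
import os
import plistlib
from pathlib import Path

LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}


def summarize(plist_bytes: bytes, source: str = "<memory>") -> dict:
    """What runs, when, and why it deserves a second look."""
    p = plistlib.loads(plist_bytes)
    args = list(p.get("ProgramArguments") or [])
    program = p.get("Program") or (args[0] if args else "")
    reasons = []

    def note(reason: str) -> None:
        if reason not in reasons:
            reasons.append(reason)

    # look at the program and at every argument: droppers often hide the
    # real payload path inside a `sh -c "..."` string
    for target in dict.fromkeys([program] + args):
        if target.startswith(SUSPICIOUS_PREFIXES):
            note("path in temp or world-writable directory")
        if any(part.startswith(".") for part in Path(target).parts):
            note("path in hidden directory")
    if os.path.basename(program) in INTERPRETERS and ("-c" in args or "-e" in args):
        note("interpreter with inline command")
    if p.get("RunAtLoad") and (p.get("KeepAlive") or p.get("StartInterval")):
        note("runs at load and keeps restarting")
    return {"source": source, "label": p.get("Label", ""), "program": program,
            "arguments": args, "run_at_load": bool(p.get("RunAtLoad", False)),
            "reasons": reasons}


def scan(dirs=LAUNCHD_DIRS) -> list:
    """Parse every .plist in the directories that exist; unparseable files
    are reported rather than silently skipped."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for path in sorted(Path(d).glob("*.plist")):
            try:
                results.append(summarize(path.read_bytes(), str(path)))
            except Exception as exc:
                results.append({"source": str(path), "label": "",
                                "reasons": [f"unparseable: {exc}"]})
    return results


# Constructed sample plist (not taken from real malware)
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/Shared/.cache/agent --beacon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>300</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    for item in [summarize(SAMPLE_PLIST, "sample")] + scan():
        marker = "!!" if item["reasons"] else "  "
        print(marker, item["source"], item["label"], item["reasons"])
```

plistlib reads both XML and binary plists, so the same code covers items written by installers and by malware droppers. Comparing the output of successive runs against a known-good baseline is a cheap way to learn about a new persistence item without depending on the user noticing, or understanding, the new Ventura alert.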

4. Passkeys – Is It the Beginning of the End for Phishing Attacks on macOS?

In collaboration with Google, Microsoft and other industry players, Apple has been working on a new logon technology for web and other remote services called ‘passkeys’. Passkeys are meant to replace passwords and to overcome the multiple security problems that passwords present. Passwords are easily phished from users or stolen from servers and provide the gateway to account takeover and enterprise compromise.

Passkeys aim to solve these problems. They are built on public-key cryptography: the device generates a key pair, keeps the private key securely on the device, and registers only the public key with the server. Each passkey is generated by the device, is guaranteed to be strong, and is only ever used for a single account; because it is bound to the site it was created for, the device will not offer it to a look-alike domain. Users don't need to remember anything, as the device lets them pick from the available passkeys when they log on to a service, and Touch ID or Face ID verifies that the person using the passkey is the account's owner.

To make passkeys as portable as passwords, however, they need to be synced across a user’s devices, and that means – at least in Apple’s case – via iCloud Keychain. So long as a user has one device with them that has passkeys stored, they can use that device to log in to shared or public computers by means of authentication via QR codes. Interestingly, the devices presenting and scanning the QR codes need to be in close physical proximity – in fact, within Bluetooth range of each other – making email and other common phishing techniques “impossible”.

Apple says that “entire categories of security problems, like weak and reused credentials, credential leaks, and phishing, are just not possible anymore” with passkeys. We hope that’s true, but of course we will have to see how attackers adapt to – or bypass – this security innovation.
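To see why the phishing claim holds, it helps to walk through the login exchange itself. Below is an added example (not Apple's or the FIDO Alliance's code) that models the WebAuthn assertion flow that passkeys use: the authenticator signs only for the relying party ID the credential was created for, and the server verifies the challenge, the origin and the relying party hash before it even looks at the signature. To run on the standard library alone it uses a toy Schnorr signature over a tiny prime group; real passkeys use ES256 keys in the Secure Enclave. The `Authenticator` and `RelyingParty` classes, and the `origin_rp_id` argument standing in for what the browser derives from the page origin, are this example's own constructions.

```python
"""Why a passkey cannot be phished: the key pair is bound to one relying
party ID, the authenticator signs only for that ID, and the server checks
the binding before it checks the signature.

Added example for this page, not Apple's or the FIDO Alliance's code.  It
models the WebAuthn assertion flow with a TOY Schnorr signature over a tiny
prime group (p = 2039) so it runs on the standard library alone; real
passkeys use ES256 keys held in the Secure Enclave.  The Authenticator and
RelyingParty classes, and the origin_rp_id argument standing in for what the
browser derives from the page origin, are this example's own constructions.
"""
import hashlib
import json
import secrets

P, Q, G = 2039, 1019, 4          # p = 2q + 1, g = 4 has order q.  Demo only.
assert pow(G, Q, P) == 1


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen() -> tuple:
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes) -> tuple:
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _h(r.to_bytes(2, "big"), msg) % Q
    return e, (k - x * e) % Q


def verify(y: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P
    return _h(r.to_bytes(2, "big"), msg) % Q == e


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Keeps private keys; every credential belongs to exactly one rp_id."""

    def __init__(self):
        self._creds = {}                       # credential id -> (rp_id, x)

    def create(self, rp_id: str) -> tuple:
        cred_id, (x, y) = secrets.token_hex(8), keygen()
        self._creds[cred_id] = (rp_id, x)
        return cred_id, y                      # public key goes to the server

    def get_assertion(self, cred_id: str, origin_rp_id: str, challenge: bytes) -> dict:
        rp_id, x = self._creds[cred_id]
        if origin_rp_id != rp_id:              # a look-alike domain gets nothing
            raise PermissionError(f"no credential for {origin_rp_id}")
        auth_data = rp_id_hash(rp_id) + b"\x01"          # rpIdHash || flags (UP)
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": f"https://{origin_rp_id}"}).encode()
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"auth_data": auth_data, "client_data": client_data, "signature": sign(x, signed)}


class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id, self.users, self.challenges = rp_id, {}, {}

    def register(self, user: str, cred_id: str, pubkey: int) -> None:
        self.users[user] = (cred_id, pubkey)

    def begin_login(self, user: str) -> bytes:
        self.challenges[user] = secrets.token_bytes(16)
        return self.challenges[user]

    def finish_login(self, user: str, assertion: dict) -> bool:
        _cred_id, y = self.users[user]
        client = json.loads(assertion["client_data"])
        challenge = self.challenges.pop(user, None)
        if challenge is None or client["challenge"] != challenge.hex():
            return False                       # stale or replayed
        if client["origin"] != f"https://{self.rp_id}":
            return False                       # signed for some other site
        if assertion["auth_data"][:32] != rp_id_hash(self.rp_id):
            return False
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        return verify(y, signed, assertion["signature"])


def demo(lookalike: str = "examp1e.com") -> dict:
    """Real login succeeds; the look-alike never obtains a signature; an
    assertion for an expired challenge is rejected server-side."""
    auth, rp = Authenticator(), RelyingParty("example.com")
    cred_id, pub = auth.create("example.com")
    rp.register("alice", cred_id, pub)
    legit = rp.finish_login("alice", auth.get_assertion(cred_id, "example.com", rp.begin_login("alice")))
    try:
        auth.get_assertion(cred_id, lookalike, rp.begin_login("alice"))
        phished = True
    except PermissionError:
        phished = False
    stale = auth.get_assertion(cred_id, "example.com", rp.begin_login("alice"))
    rp.begin_login("alice")                    # new session; the old assertion is void
    replayed = rp.finish_login("alice", stale)
    return {"legit_login": legit, "lookalike_got_signature": phished, "stale_accepted": replayed}


if __name__ == "__main__":
    print(demo())
```

The point to take from the code is that a phishing page never gets anything worth relaying: the authenticator has no credential for `examp1e.com`, and even a signature coaxed out by some other means would carry the wrong origin and relying-party hash and a challenge the real server never issued.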

5. Wave Goodbye to CAPTCHAS (And Thanks for All The Bridges)

Aside from Passkeys, macOS Ventura aims to improve the logon experience of users accessing remote servers by bringing an end to the need for the dreaded “CAPTCHAS”.

CAPTCHAS are meant to prevent robots and automated scripts from attempting to access services that should only be accessed by actual human beings, and they are in widespread use as part of the fight against fraud. As almost anyone who has ever used one will attest, however, they can be frustratingly difficult at times. They also present issues for Accessibility and can negatively impact certain kinds of users. On top of that, Apple says, CAPTCHAS tend to be used with tracking or device fingerprinting technologies such as IP capture, posing a risk to privacy.

With macOS 13 Ventura, Apple has introduced Private Access Tokens in the hope that these will eventually make CAPTCHAS a thing of the past. While the technical details of how PATs work are something we'll leave for the developer documentation, the takeaway for users is that as developers begin to adopt PATs in their apps and on their servers, the prevalence of CAPTCHAS on macOS should begin to dwindle.

6. ESLogger | Visibility for Security Researchers

One of the things we, and we suspect many security-focused IT teams, are excited about in macOS Ventura is the potential of the new ESLogger command line tool. It’s not often that Apple gives us new tools to play with that are specifically targeted at security, but ESLogger looks like it may be extremely useful for security practitioners, malware analysts and threat detection engineers.

As per the tool’s man page, ESLogger interfaces with the Endpoint Security framework to log ES events, which can be output to file, stdout or the unified logging system.

Source: Apple

Apple has also renewed its commitment to 3rd party security products by adding further NOTIFY events to the ES framework, and ESLogger supports all 80 NOTIFY events that are now available in macOS Ventura. ESLogger offers much needed and convenient visibility into security-relevant events for researchers without needing to deploy a full ES client.

7. Improved DNS Security With DNSSEC

With macOS 13, Apple has brought in support for developers wishing to use DNSSEC and DNS with DDR (Discovery of Designated Resolvers) in their applications. As most security teams know, DNS is fraught with problems because it can be easily snooped and spoofed. Plain DNS provides neither encryption nor authentication of answers, which makes attacks such as DNS cache poisoning possible: an attacker substitutes forged records for the genuine ones and redirects a client app to a site under the attacker's control.

With DNSSEC (Domain Name System Security Extensions), developers can now check that the DNS answers their apps receive are the ones the zone owner published and were not altered on the way. Note that DNSSEC signs data rather than hiding it; keeping queries from being snooped is the job of encrypted DNS transports, which is where DDR comes in.

According to Apple, “DNSSEC protects data integrity by attaching signatures in responses. If a response is altered by an attacker, the signature of the altered data will not match the original one. In that case, the client can detect the altered response and discard it.”

DNSSEC is a specification created by the IETF. Apple says that while a number of DNS service providers already support it, client support is not widespread. With DNSSEC now being supported in both macOS Ventura and iOS 16, it’s hoped that this will accelerate adoption and decrease the number of attacks through this vector.

Conclusion

With this latest iteration of macOS, Apple has made some bold and, in general, largely welcome security improvements. The two most important are that Gatekeeper now checks that previously approved code hasn't been subsequently modified and that users receive UI notifications when Login Items, LaunchAgents or LaunchDaemons are added. There are, of course, other ways for malware to persist in macOS, and we are sure it won't be long before creative malware authors start utilizing them.

In that regard, it is also important to see that Apple has renewed its commitment to 3rd party security tools with further events added to the ES framework, and we look forward to seeing how ESLogger will help our researchers in their investigations and malware analysis going forward.

Adconion Execs Plead Guilty in Federal Anti-Spam Case

At the outset of their federal criminal trial for hijacking vast swaths of Internet addresses for use in large-scale email spam campaigns, three current or former executives at online advertising firm Adconion Direct (now Amobee) have pleaded guilty to lesser misdemeanor charges of fraud and misrepresentation via email.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark Manoogian, Petr Pacas, and Mohammed Abdul Qayyum — in a ten-count indictment (PDF) on felony charges of conspiracy, wire fraud, and electronic mail fraud.

The government alleged that between December 2010 and September 2014, the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

Prosecutors said the men also sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

All four defendants pleaded not guilty when they were charged back in 2018, but this week Bychak, Manoogian and Qayyum each entered a plea deal.

“The defendants’ jobs with Adconion were to acquire fresh IP addresses and employ other measures to circumvent the spam filters,” reads a statement released today by the U.S. Attorney for the Southern District of California, which said the defendants would pay $100,000 in fines each and perform 100 hours of community service.

“To conceal Adconion’s ties to the stolen IP addresses and the spam sent from these IP addresses, the defendants used a host of DBAs, virtual addresses, and fake names provided by the company,” the statement continues. “While defendants touted ties to well-known name brands, the email marketing campaigns associated with the hijacked IP addresses included advertisements such as ‘BigBeautifulWomen,’ ‘iPhone4S Promos,’ and ‘LatinLove[Cost-per-Click].’”

None of the three plea agreements are currently available on PACER, the online federal court document clearinghouse. However, PACER does show that on June 7 — the same day the pleas were entered by the defendants —  the government submitted to the court a superseding set of just two misdemeanor charges (PDF) of fraud in connection with email.

Another document filed in the case says the fourth defendant — Pacas — accepted a deferred prosecution deal, which includes a probationary period and a required $50,000 “donation” to a federal “crime victims fund.”

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market.

This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, prosecutors published information about the source of some IP address ranges from which the Adconion employees allegedly spammed. For example, the government found the men leased some of their IP address ranges from a Dutch company that’s been tied to a scandal involving more than four million addresses siphoned from the African Network Information Centre (AFRINIC), the nonprofit responsible for overseeing IP address allocation for African organizations.

In 2019, AFRINIC fired a top employee after it emerged that in 2013 he quietly commandeered millions of IPs from defunct African entities or from those that were long ago acquired by other firms, and then conspired to sell an estimated $50 million worth of the IPs to marketers based outside Africa.

“Exhibit A” in a recent government court filing shows that in 2013 Adconion leased more than 65,000 IP addresses from Inspiring Networks, a Dutch network services company. In 2020, Inspiring Networks and its director Maikel Uerlings were named in a dogged, multi-part investigation by South African news outlet MyBroadband.co.za and researcher Ron Guilmette as one of two major beneficiaries of the four million IP addresses looted from AFRINIC by its former employee.

Exhibit A, from a May 2022 filing by U.S. federal prosecutors.

The address block in the above image — 196.246.0.0/16 — was reportedly later reclaimed by AFRINIC following an investigation. Inspiring Networks has not responded to requests for comment.

Prosecutors allege the Adconion employees also obtained hijacked IP address blocks from Daniel Dye, another man tied to this case who was charged separately. For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra. In 2018, Dye pleaded guilty to violations of the CAN-SPAM Act.

Optinrealbig’s CEO was the spam king Scott Richter, who changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, Microsoft, MySpace, and the New York Attorney General Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

The last-minute plea deals by the Adconion employees were reminiscent of another recent federal criminal prosecution for IP address sleight-of-hand. In November 2021, the CEO of South Carolina technology firm Micfo pleaded guilty just two days into his trial, admitting 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 700,000 IPs from the American Registry for Internet Numbers (ARIN) — AFRINIC’s counterpart in North America.

Adconion was acquired in June 2014 by Amobee, a Redwood City, Calif. online ad platform that has catered to some of the world’s biggest brands. Amobee’s parent firm — Singapore-based communications giant Singtel — bought Amobee for $321 million in March 2012.

But as Reuters reported in 2021, Amobee cost Singtel nearly twice as much in the last year alone — $589 million — in a “non-cash impairment charge” Singtel disclosed to investors. Marketing industry blog Digiday.com reported in February that Singtel was seeking to part ways with its ad tech subsidiary.

One final note about Amobee: In response to my 2019 story on the criminal charges against the Adconion executives, Amobee issued a statement saying “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

Yet as the government’s indictment points out, the alleged hijacking activities took place up until September 2014, which was after Amobee’s acquisition of Adconion Direct in June 2014. Also, the IP address ranges that the Adconion executives were prosecuted for hijacking were all related to incidents in 2013 and 2014, which is hardly “years prior to Amobee’s acquisition of the company.”

Amobee has not yet responded to requests for comment.

The Good, the Bad and the Ugly in Cybersecurity – Week 24

The Good

The United States, Cyprus and Latvia have successfully seized and dismantled a major dark web marketplace dealing in personally identifiable information (PII).

According to an FBI press release this week, law enforcement bodies confirmed the shutdown of the SSNDOB Marketplace, a series of websites that had listed the names, dates of birth, and Social Security Numbers of approximately 24 million individuals based in the United States.

U.S. Attorney Roger Handberg announced the closure, saying “I applaud the extensive work and cooperation by our domestic and international law enforcement partners in bringing a halt to this global scheme. The theft and misuse of personal information is not only criminal but can have a catastrophic impact on individuals for years to come.”

In the press release, the FBI detailed how the administrators used online monikers distinct from their true identities, maintained servers in several countries, and required digital payment or cryptocurrencies to protect anonymity and fly under the radar.

The authorities also laid out the SSNDOB Marketplace’s activities, such as offering customer support functions, advertising their services on criminal forums, and regularly monitoring activities and payments on their websites. While it was active, the Marketplace raked in more than $19 million USD in revenue.

In the U.S., the IRS’ Criminal Investigation Cyber Crimes Unit and Criminal Investigation’s Tampa field office led the investigation alongside the FBI’s Tampa division. They worked closely with the Latvian police, the Cyprus police, and the FBI’s Legal Attaché Offices responsible for Latvia and Cyprus with support from the U.S. Department of Justice’s Office of International Affairs.

When authorities executed seizure orders against the Marketplace’s domain names, the Marketplace was effectively shut down.

While agents in the statement lamented the “devastating impact” identity theft had on victims’ mental and financial health, this closure is a major milestone for international cooperation in shutting down cyber criminal operations, and we hope it is the first step in helping victims of these threat actors find closure.

The Bad

Yet another public school district has fallen victim to a ransomware attack.

On June 8th, 2022, Tenafly Public Schools announced that they would have to cancel final exams as the district worked on restoring its computer systems. This incident comes immediately after an audit that yielded new recommendations to mitigate the district’s cyber risk.

Until remediation is complete, the schools are continuing classes under modified lesson plans, since students cannot access their Google Classroom, Genesis, email accounts and other day-to-day services.

According to the district, administrators became aware of a breach when several computers in the district network were encrypted. The district’s IT department quickly isolated devices, shut down the district’s computer network and brought in cybersecurity consultants to help with incident response and remediation. Reports also indicate that law enforcement officials are working with the district and its experts to investigate the breach.

Representatives for the district did not comment on the size of the ransom, but they did say that the district has not decided whether they would be paying the ransom. As remediation continues, the Tenafly school district has laid out plans to begin implementing recommended improvements from the audit as their systems come back online. However, representatives did not say when the computer systems would be back up, only stating that they “anticipate that it will just be a few days.”

Incidents like these demonstrate how crucial it is to regularly evaluate your cybersecurity program and ensure that your organization is keeping pace with recommended security measures — you never know when a cyber criminal could threaten your day-to-day operations.

The Ugly

Old and new security threats are coming together to enable lateral movement across networks and launch double extortion attacks.

According to a recent report, researchers have observed the Black Basta ransomware group leveraging Qbot (also known as Qakbot), a 14-year-old infostealing trojan, to enable lateral movement across infected networks.

Black Basta first emerged in April 2022 and targets a variety of firms and industries, stealing data from the network before encrypting infected machines. Once the encryption is complete, Black Basta demands a ransom both for the decryption key and for not publishing the stolen data. If the victim refuses to pay, the gang leaks the data on a dedicated Tor site.

Meanwhile, Qbot was first spotted in 2008. Initially an infostealing trojan targeting Windows users, this malware has constantly evolved over the past 14 years, adopting context-aware delivery tactics, phishing capabilities and other tactics to avoid detection in order to exfiltrate cookies, engage in keylogging, and steal credentials for online banking accounts and other login details.

Although cyber criminals commonly use Qbot to help their ransomware establish a foothold in targeted networks, Black Basta is leveraging the malware in a new way. Once Black Basta has access to a network, it uses Qbot to remotely create a temporary Windows service on each target host.

With that foothold in place, Black Basta runs a batch file on the host that enables RDP logons, and then uses RDP to open interactive remote desktop sessions on the infected machines. A service installation followed within minutes by a change to the RDP logon setting on the same host is therefore a useful detection signal, independent of which loader was used.
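The sequence above (service created, then RDP logons switched on) lends itself to a correlation rule. The following Python is an added example, not code from the original post or from any vendor product. It assumes that a remote service creation is visible as System log event ID 7045 and that enabling RDP logons is visible as a registry write to fDenyTSConnections (recorded here as a Sysmon event ID 13 with a DWORD of 0 meaning "allow logons"); the sample events and the list of suspicious service image hints are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: remote service creation shows up as System log event 7045
# (service installed) and enabling RDP logons as a Sysmon event 13 (registry
# value set) on fDenyTSConnections, where a DWORD of 0 means "allow logons".
RDP_DENY_VALUE = "fdenytsconnections"
# Service images pointing at LOLBins or user-writable paths raise the severity;
# the hint list is an assumption for the example, not a standard.
SUSPICIOUS_IMAGE_HINTS = ("regsvr32", "rundll32", "\\users\\public\\", "\\temp\\", "\\appdata\\")

# Constructed sample telemetry (not real data), flattened to the fields used here.
SAMPLE_EVENTS = [
    {"ts": "2022-06-06T09:14:02", "host": "WS-17", "event_id": 7045,
     "service": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2022-06-06T09:14:40", "host": "WS-17", "event_id": 7045,
     "service": "wpgfzh", "image": "regsvr32.exe /s C:\\Users\\Public\\q.dll"},
    {"ts": "2022-06-06T09:17:10", "host": "WS-17", "event_id": 13,
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    # Benign: RDP enabled by policy on a host with no preceding service install.
    {"ts": "2022-06-06T11:02:00", "host": "WS-22", "event_id": 13,
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    # Benign: a service install a full day before RDP was enabled on the same host.
    {"ts": "2022-06-05T08:00:00", "host": "WS-09", "event_id": 7045,
     "service": "BackupAgent", "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"ts": "2022-06-06T12:00:00", "host": "WS-09", "event_id": 13,
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_service_install(ev):
    return ev["event_id"] == 7045


def is_rdp_enable(ev):
    """Registry write that sets fDenyTSConnections to 0 (RDP logons allowed)."""
    return (ev["event_id"] == 13
            and ev.get("target", "").lower().endswith(RDP_DENY_VALUE)
            and ev.get("details", "").lower().endswith("(0x00000000)"))


def looks_suspicious(image):
    low = image.lower()
    return any(hint in low for hint in SUSPICIOUS_IMAGE_HINTS)


def find_service_then_rdp(events, window_minutes=30):
    """Per host, flag an RDP-enable write that follows one or more service
    installs within the window. Returns one finding per RDP-enable event."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: parse_ts(e["ts"]))
        recent_installs = []  # (timestamp, event) for every 7045 seen so far
        for ev in host_events:
            now = parse_ts(ev["ts"])
            if is_service_install(ev):
                recent_installs.append((now, ev))
            elif is_rdp_enable(ev):
                prior = [e for t, e in recent_installs if now - t <= window]
                if not prior:
                    continue  # RDP enabled without a recent service install: not this chain
                findings.append({
                    "host": host,
                    "rdp_enabled_at": ev["ts"],
                    "services": [e["service"] for e in prior],
                    "severity": "high" if any(looks_suspicious(e["image"]) for e in prior) else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_service_then_rdp(SAMPLE_EVENTS):
        print(finding)
```

Only WS-17 produces a finding: the RDP change follows two service installs within the window, and one of them runs regsvr32 against a DLL in a world-writable directory, so the finding is rated high. The window is the knob to tune; the same rule with a two-minute window misses the chain entirely, which is the usual trade-off between noise and dwell time.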

Emerging threats like these are a good reminder to security professionals that older threats can still pose some risk, especially in the hands of inventive cyber criminals.

RSA 2022 Conference Recap: Securing the Cloud, Experiencing FOMO, and Evolving XDR

It’s the last day of RSAC 2022, and the SentinelOne team has been taking San Francisco by storm with a stunning booth, innovative demos, FOMO-inducing parties, and exciting announcements galore. As this tried-and-true conference draws to a close, our team decided to look back and share some of their takeaways gained from the show floor and long-anticipated conversations with customers & partners.

Welcome to the Era of XDR

Consolidation was the name of the game at RSAC 2022.

We came ready to talk about what security professionals need in their cybersecurity programs; while the answer wasn’t surprising or novel, it was universally resonant. CISOs and analysts alike talked about consolidating tools, and reducing the number of vendors and point-specific solutions they rely on.

While vendor consolidation is not a new trend or objective, the concept of extended detection and response (XDR) offered enterprises a more promising roadmap and approach to achieving its benefits.

Most importantly, we heard how today’s security teams are in need of security tools that more seamlessly integrate with the other vendors in their stack. We had a lot of great conversations about how our Singularity XDR platform can empower our customers and partners with centralized, end-to-end visibility, and how security teams can leverage a Marketplace full of integrations to protect all of your attack surfaces.

As RSAC 2022 continued, we saw that attack surface management was a top-of-mind concern for many of the booth visitors that sat down with us as well as on the show floor. Customers and peers highlighted how they were considering outside-in External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CAASM) to gain the enterprise visibility they currently lacked. These key conversations affirmed our approach to addressing common visibility challenges by providing actionable insight into the endpoint, network, cloud, and identity layers. Without this visibility, vendors and practitioners miss the first step to accomplishing the data-driven investigations and automated response actions originally promised by the vision of XDR.

Learning more from the attendees of RSAC on the expectations and desired outcomes of XDR makes us even more excited to continue our journey to fulfill the original vision and promise of XDR by filling visibility gaps across your technology stack by correlating threats across vectors and attack surfaces.

Cloud Infrastructure Isn’t the Future. It’s Now.

This year’s RSAC also proved that everyone’s heads are in the clouds.

Previous years’ conversations that simply broached or entertained cloud transformation are over. The plans are already in motion, and today, more enterprises are turning to cloud infrastructure platforms than ever to run their operations.

And this trend shows no signs of slowing down. According to projections from Gartner, infrastructure-as-a-service (IaaS) spending will eclipse $120 billion USD in 2022, up 30% YoY.

As cloud becomes integral to an enterprise’s day-to-day, we had a lot of productive conversations about the growing number of cloud-based threats (such as runtime threats like crypto-mining malware, zero-days like Log4j, or real-time fileless attacks) on the horizon. It’s clear that enterprises and SOCs need a cloud defense-in-depth strategy, which establishes multiple layers of protection and best practice configurations around your sensitive data, with cloud workload detection & response as a reactive line of defense.

Introducing SentinelOne Skylight

We also sparked some radical conversation on the replacement of legacy SIEM—and introduced security pros to just the solution for the job.

SentinelOne kicked off Day 3 of RSAC 2022 by introducing Skylight, a solution that provides full data visibility, ingestion, and storage capabilities by integrating data from both SentinelOne and third parties within SentinelOne Storyline™ technology. Now, our enterprise customers can make better decisions, automate workflows, and derive more value from the data they ingest from existing technology and security tools—without the costs, upkeep, and time they’ve come to associate with traditional SIEM.

Stronger Together (Hello, Attivo!)

RSAC 2022 was the first time we hit the road with our new Identity experts following the acquisition of Attivo Networks.

Customers got to sit down with us and have their first look at the new Identity capabilities of the Singularity XDR platform.

We spoke about how Singularity Identity detects active attacks against all device types and OSes, and safeguards against unauthorized privilege escalation and lateral movement to protect your Active Directory domain controllers, Azure AD tenant and domain-joined endpoints in real time. They also got a look at how Singularity Ranger AD can mitigate your identity-based risk by identifying misconfigurations, vulnerabilities, and real-time indicators of attack to get in line with security best practices.

As threat actors target identity-focused attack surfaces, many key discussions between RSAC attendees centered around how security teams could secure their estates and manage relevant vulnerabilities in real time— at SentinelOne, we’re glad that we can offer solutions to proactively address these attacks.

Celebrating the Good Guys

With the threat landscape constantly evolving, the security industry works hard—but we also wanted to recognize a rare moment of celebration and peace-of-mind for our valued customers and partners. That’s why we teamed up with Armis, Torq, and our special guests Incubus to bring over 2,500 people together for FOMO, our RSA party. We hope you enjoyed the celebration!

Conclusion

As we head back home to start executing on what we learned at RSA 2022, we want to thank all of the customers, partners, and peers who stopped by Booth S-627 to say hello. We can’t wait to see you next year with a few more exciting developments and contributions to the cybersecurity landscape under our belt. See you next year!

To learn more about how Singularity XDR provides visibility and context across enterprise data, schedule a demo.

Top 10 Ways to Protect Your Active Directory

Active Directory (AD) is a high-value target for attackers, who frequently attempt to compromise it to escalate their privileges and expand their access. Unfortunately, its operational necessity means that AD must be easily accessible to users throughout the enterprise—making it notoriously difficult to secure. Microsoft has stated that more than 95 million AD accounts come under attack every day, underscoring the seriousness of the problem.

While protecting AD is a challenge, it is far from impossible—it just requires the right tools and tactics. Below are ten tips that enterprises can use to more effectively secure AD against some of today’s most common attack tactics.

1. Prevent and Detect Enumeration of Privileged, Delegated Admin, Service, and Network Sessions

Once an adversary has penetrated perimeter defenses and established a foothold within the network, they will conduct reconnaissance to identify potentially valuable assets and the paths to them. Querying AD is one of the best ways to do this, because the same LDAP queries are part of normal business activity and the enumeration has little chance of detection on its own.

The ability to detect and prevent enumerations of privileges, delegated admins, and service accounts can alert defenders to the presence of an adversary early in the attack cycle. Deploying deceptive domain accounts and credentials on endpoints can also trip up attackers and allow defenders to redirect them to decoys for engagement.

2. Identify and Remediate Privileged Account Exposures

Users often store credentials on their workstations. Sometimes they do this accidentally, while other times willingly—usually for convenience. Attackers know this and will target those stored credentials to gain access to the network environment. The right set of credentials can go a long way, and intruders will always look to escalate their privileges and access further.

Enterprises can avoid giving attackers an easy way into the network by identifying privileged account exposures, remediating misconfigurations, and removing saved credentials, shared folders, and other vulnerabilities.

3. Protect and Detect “Golden Ticket” and “Silver Ticket” Attacks

Pass-the-Ticket (PTT) attacks are among the most powerful techniques adversaries use to move laterally throughout the network and escalate their privileges. Because Kerberos is stateless, a domain controller or service accepts any ticket that decrypts and validates under the right key; it keeps no record of having issued it. An attacker who steals the krbtgt account's password hash can therefore forge Ticket Granting Tickets for any user (a "Golden Ticket"), and one who steals a service or computer account's hash can forge service tickets for that service (a "Silver Ticket"). These are the two most severe ticket attacks adversaries use to achieve domain compromise and domain persistence.

Addressing this requires visibility into the accounts whose keys make forgery possible: the krbtgt account (whose hash signs every TGT, and which should be reset twice after any suspected compromise so that the previous key is also retired) and the service and computer accounts behind each SPN, along with alerting on the misconfigurations that lead to ticket attacks. Additionally, a solution like Singularity Identity can prevent the use of forged tickets at the endpoints.

4. Protect Against Kerberoasting, DCSync, and DCShadow Attacks

"Kerberoasting" lets any authenticated domain user request service tickets for accounts that have an SPN and crack the service account's password offline, which is an easy route to privileged access wherever such accounts are over-privileged. DCSync abuses directory replication rights to pull password hashes (including krbtgt's) from a domain controller without ever touching LSASS, and DCShadow registers a rogue domain controller to push malicious changes into the directory; both give adversaries durable domain persistence.

Defenders need the ability to perform a continuous assessment of AD that provides real-time analysis of AD attacks while alerting on the misconfigurations that lead to those attacks. Furthermore, a solution capable of leveraging endpoint presence to prevent bad actors from discovering accounts to target can inhibit their ability to carry out these incursions.
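Both Kerberoasting and DCSync leave a recognisable trace in the Security log of a domain controller, and the continuous assessment the paragraph calls for can start from two simple rules. The following Python is an added example, not code from the original post or from any vendor product. It assumes event 4769 (service ticket requested) is flattened to requester, service name and encryption type, and event 4662 (operation on an object) to subject and the Properties field that lists the control-access GUIDs; the schema GUIDs for the replication rights are the real ones, while the events, account names and the replication allowlist are constructed for the example.

```python
from collections import defaultdict

# Kerberos ticket encryption type as logged in event 4769 (0x17 = RC4-HMAC).
RC4_HMAC = "0x17"
# Control-access rights a DCSync exercises: the AD schema GUIDs of
# DS-Replication-Get-Changes, -Get-Changes-All and -Get-Changes-In-Filtered-Set.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
# Accounts allowed to replicate. Assumption: the domain's DCs plus any sync
# account (for example Azure AD Connect), maintained by the defender.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}

# Constructed sample events (not real telemetry), flattened to the fields used.
SAMPLE_EVENTS = [
    # One user pulls RC4 service tickets for several service accounts in a row.
    {"event_id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.5.23"},
    {"event_id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "ip": "10.0.5.23"},
    {"event_id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.5.23"},
    {"event_id": 4769, "user": "jdoe@CORP.LOCAL", "service": "svc_sap", "etype": "0x17", "ip": "10.0.5.23"},
    # Benign: an AES ticket, and an RC4 ticket for a machine account (long random password).
    {"event_id": 4769, "user": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.5.40"},
    {"event_id": 4769, "user": "asmith@CORP.LOCAL", "service": "FS01$", "etype": "0x17", "ip": "10.0.5.40"},
    # Replication rights exercised by an ordinary user: DCSync.
    {"event_id": 4662, "user": "jdoe", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: a domain controller replicating.
    {"event_id": 4662, "user": "DC02$", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def kerberoast_suspects(events, threshold=3):
    """Requesters that obtained RC4-encrypted service tickets for at least
    `threshold` distinct non-machine service accounts. RC4 is the tell: tools
    ask for it because the RC4 key is the account's NT hash, which cracks far
    faster than the iterated AES keys."""
    spns_by_user = defaultdict(set)
    for ev in events:
        if ev["event_id"] != 4769 or ev["etype"].lower() != RC4_HMAC:
            continue
        if ev["service"].endswith("$"):  # machine accounts are not practically crackable
            continue
        spns_by_user[ev["user"]].add(ev["service"])
    return {user: sorted(spns) for user, spns in spns_by_user.items() if len(spns) >= threshold}


def dcsync_suspects(events, allowlist=REPLICATION_ALLOWLIST):
    """4662 events whose Properties include a replication control-access right
    and whose subject is not a known domain controller or sync account."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4662:
            continue
        requested = {g.strip("{}").lower() for g in ev["properties"].split()}
        matched = sorted(requested & REPLICATION_GUIDS)
        if matched and ev["user"] not in allowlist:
            hits.append({"user": ev["user"], "rights": matched})
    return hits


if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_EVENTS))
    print(dcsync_suspects(SAMPLE_EVENTS))
```

The Kerberoasting rule deliberately ignores machine accounts and AES-only requests; if the domain still has service accounts without AES keys, the threshold rather than the encryption type is what separates a roast from an application that legitimately talks to several services. The DCSync rule is only as good as its allowlist, so keep that list in configuration and review it whenever a new DC or sync service is commissioned.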

5. Prevent Credential Harvesting From Domain Shares

Adversaries commonly target plaintext or reversibly encrypted passwords left in logon scripts and Group Policy Preference files on domain shares such as SYSVOL and NETLOGON, which every authenticated domain user can read.

A solution like Ranger AD can help detect these passwords, allowing defenders to remediate the exposures before attackers can target them. Mechanisms like those in the Singularity Identity solution can also deploy deceptive Sysvol group policy objects in the production AD, helping to further disrupt the attacker by misdirecting them away from production assets.
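A scanner for the exposure described in item 5, given here as an added example and not as Ranger AD's logic: it walks a SYSVOL tree looking for Group Policy Preference files that carry a cpassword attribute (AES-encrypted with a key Microsoft published in the MS-GPPREF documentation, so it is as good as plaintext) and for credentials left in logon scripts. The tree it scans is built in a temporary directory from constructed files; the regular expressions for script passwords are heuristics of my own and will need tuning for a real environment.

```python
import os
import re
import tempfile

# GPP XML files that may carry a cpassword attribute. The value is AES-256
# encrypted with a key Microsoft published, so treat it as plaintext.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".vbe", ".js", ".ini"}

CPASSWORD_RE = re.compile(r'cpassword="([^"]*)"', re.IGNORECASE)
# Heuristics (assumption) for credentials in scripts: "net use ... /user:x pass",
# "password=..." or "password: ...", and "-Password x" style parameters.
SCRIPT_RES = [
    re.compile(r"/user:\S+\s+(\S+)", re.IGNORECASE),
    re.compile(r"pass(?:word|wd)?\s*[:=]\s*[\"']?([^\s\"']+)", re.IGNORECASE),
    re.compile(r"-(?:password|pwd)\s+[\"']?([^\s\"']+)", re.IGNORECASE),
]


def scan_sysvol(root):
    """Walk a SYSVOL copy and return dicts describing each exposed credential."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            ext = os.path.splitext(low)[1]
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if low in GPP_FILES:
                for m in CPASSWORD_RE.finditer(text):
                    if m.group(1):  # cpassword="" means no password was set
                        findings.append({"path": path, "kind": "gpp_cpassword", "value": m.group(1)})
            elif ext in SCRIPT_EXTS:
                for lineno, line in enumerate(text.splitlines(), 1):
                    for rx in SCRIPT_RES:
                        m = rx.search(line)
                        if m:
                            findings.append({"path": path, "kind": "script_password",
                                             "line": lineno, "value": m.group(1)})
                            break
    return findings


def build_sample_sysvol():
    """Constructed SYSVOL tree for the demonstration; nothing in it is real."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpp_dir = os.path.join(root, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                           "Machine", "Preferences", "Groups")
    os.makedirs(gpp_dir)
    with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n'
                 '<Groups><User name="localadmin" '
                 'cpassword="CONSTRUCTED+base64+not+a+real+ciphertext=" '
                 'changeLogon="0" /></Groups>\n')
    script_dir = os.path.join(root, "scripts")
    os.makedirs(script_dir)
    with open(os.path.join(script_dir, "logon.bat"), "w", encoding="utf-8") as fh:
        fh.write("@echo off\nnet use H: \\\\fs01\\home /user:CORP\\svc_map Summer2022!\necho done\n")
    with open(os.path.join(script_dir, "clean.bat"), "w", encoding="utf-8") as fh:
        fh.write("@echo off\nnet use H: \\\\fs01\\home /persistent:no\n")
    return root


if __name__ == "__main__":
    for finding in scan_sysvol(build_sample_sysvol()):
        print(finding)
```

Run against a real domain, point `scan_sysvol` at a mounted copy of \\domain\SYSVOL; the cpassword hits are the ones to fix first, since any domain user can decrypt them with the published key, and the remediation is to delete the preference item and rotate the account it set.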


6. Identify Accounts With Hidden Privileged SID

The sIDHistory attribute exists to preserve a user's access after a migration between domains: every Security Identifier (SID) it holds is added to the user's token at logon. An adversary with sufficient rights can inject a well-known privileged SID, such as that of the Domain Admins or Enterprise Admins group, into the sIDHistory of an unremarkable account, which then receives that group's access without ever appearing in its membership list, and can use it to move laterally and escalate privileges.

Preventing this requires detecting and reporting on accounts whose sIDHistory attribute contains well-known privileged SIDs.

7. Detect Dangerous Access Rights Delegation on Critical Objects

Delegation is an AD feature that lets a service running under a user or computer account authenticate to other services on behalf of the users it serves. For example, when a user calls a web application, the application can authenticate as that user to a database hosted on a different server. A computer configured for unconstrained delegation receives a copy of the Ticket Granting Ticket of every user who authenticates to it and can use that ticket to impersonate the user to any service in the domain; an attacker who compromises such a host, or who coerces a privileged account into authenticating to it, inherits that power.

Continuous monitoring of AD vulnerabilities and delegation exposures can help defenders identify and remediate these vulnerabilities before adversaries can exploit them.

8. Identify Privileged Accounts With Delegation Enabled

Speaking of delegation, privileged accounts configured with unconstrained delegation hold the TGTs of every user who authenticates to them, so compromising one yields those users' identities; when such an account is also a service account with an SPN, its password can be Kerberoasted and its key used to forge Silver Tickets. Enterprises need the ability to detect and report on privileged accounts with delegation enabled.

A comprehensive list of privileged users, delegated admins, and service accounts can help defenders take stock of potential vulnerabilities. In this instance, delegation is not automatically bad. It is often necessary for an operational reason, but defenders can use a tool like Singularity Identity to prevent attackers from discovering those accounts.
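Items 6, 7 and 8 are all checks on attributes that a single LDAP query returns, so they can be run together offline against an export of the directory. The following Python is an added example and not Singularity Identity's or Ranger AD's logic. The userAccountControl bit values and the privileged RIDs are the documented ones; the account records are constructed, and the rule that treats adminCount=1 as "privileged" and exempts domain controllers (which need unconstrained delegation to function) from the delegation check is an assumption of the example.

```python
# userAccountControl bits (values from Microsoft's documentation of the attribute).
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
NOT_DELEGATED = 0x00100000                   # "account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x00002000            # domain controller computer account
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained delegation with protocol transition

# RIDs that confer privilege when they appear in sIDHistory.
PRIVILEGED_DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 516: "Domain Controllers",
                          518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_BUILTIN_RIDS = {544: "Administrators", 548: "Account Operators",
                           549: "Server Operators", 551: "Backup Operators"}

# Constructed directory export (not real data): the attributes the checks need,
# as they would come back from an LDAP query.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "adminCount": 0, "sIDHistory": []},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "adminCount": 0, "sIDHistory": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x80200, "adminCount": 1, "sIDHistory": []},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200, "adminCount": 0,
     "sIDHistory": ["S-1-5-21-111-222-333-512"]},
    {"sAMAccountName": "mmigrated", "userAccountControl": 0x200, "adminCount": 0,
     "sIDHistory": ["S-1-5-21-999-888-777-1105"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200, "adminCount": 0, "sIDHistory": [],
     "msDS-AllowedToDelegateTo": ["HTTP/intranet.corp.local"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x100200, "adminCount": 1, "sIDHistory": []},
]


def privileged_sid_name(sid):
    """Name of the privileged principal a SID denotes, or None."""
    parts = sid.split("-")
    if len(parts) < 4 or not parts[-1].isdigit():
        return None
    rid = int(parts[-1])
    if sid.startswith("S-1-5-32-"):
        return PRIVILEGED_BUILTIN_RIDS.get(rid)
    if sid.startswith("S-1-5-21-"):
        return PRIVILEGED_DOMAIN_RIDS.get(rid)
    return None


def assess_accounts(accounts):
    """Return (account, check, severity, detail) tuples for items 6 to 8."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        uac = acct.get("userAccountControl", 0)
        privileged = acct.get("adminCount") == 1

        # Item 6: privileged SIDs hiding in sIDHistory.
        for sid in acct.get("sIDHistory", []):
            label = privileged_sid_name(sid)
            if label:
                findings.append((name, "privileged_sid_history", "high", f"{sid} ({label})"))

        # Item 7: unconstrained delegation anywhere except on domain controllers.
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append((name, "unconstrained_delegation",
                             "high" if privileged else "medium", "TRUSTED_FOR_DELEGATION set"))

        # Constrained delegation with protocol transition: the service can obtain
        # tickets for any user to the listed targets without that user logging on.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            targets = ", ".join(acct.get("msDS-AllowedToDelegateTo", [])) or "(no targets)"
            findings.append((name, "protocol_transition", "medium", f"delegates to {targets}"))

        # Item 8: privileged accounts should be marked sensitive so that no service
        # can delegate their identity at all.
        if privileged and not uac & NOT_DELEGATED:
            findings.append((name, "privileged_delegatable", "medium", "NOT_DELEGATED not set"))
    return findings


if __name__ == "__main__":
    for finding in assess_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```

In the sample, the domain controller and the built-in Administrator (which already carries NOT_DELEGATED) produce nothing, the web server gets a medium finding for unconstrained delegation, and svc_sql gets the high one because it is both privileged and delegating. The migrated user with a plain RID in sIDHistory is left alone; only well-known privileged RIDs are flagged, which is exactly the distinction the page's item 6 asks for.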

9. Identify Unprivileged Users in AdminSDHolder ACL

Active Directory Domain Services (AD DS) uses the AdminSDHolder object and the Security Descriptor Propagator (SDProp) process to protect privileged users and groups: every hour, SDProp copies the Access Control List (ACL) of AdminSDHolder onto every account and group that is a member of a protected group (those with adminCount set to 1), overwriting any ACL changes made directly on those objects. Attackers turn this into persistence by adding an access control entry for an account they control to the AdminSDHolder ACL; SDProp then grants that account the same rights over every protected object, and the grant is re-applied even if an administrator removes it from an individual account.

Organizations can catch this activity with a tool like Ranger AD that detects and alerts on unexpected accounts in the AdminSDHolder ACL, compared against a known-good baseline.
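The check itself is a comparison of the AdminSDHolder security descriptor against a baseline, which is easy to do from the SDDL string that any LDAP client can read from the object's nTSecurityDescriptor. The following Python is an added example and not Ranger AD's implementation. The SDDL grammar, right tokens and access-mask bits are the documented ones and the password-reset right GUID is the real one; the SDDL string itself is constructed, and the baseline set of trustees is an assumption that in practice should be captured from a known-good domain controller rather than typed in.

```python
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# SDDL right tokens that let the trustee change the object, its security, or
# exercise extended rights such as password reset (CR).
WRITE_TOKENS = {"GA", "GW", "WD", "WO", "WP", "CC", "DC", "SD", "DT", "CR", "SW"}
# Numeric form of the same rights, for ACEs whose rights are a hex access mask.
WRITE_MASK = (0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x20
              | 0x1 | 0x2 | 0x10000 | 0x40 | 0x100 | 0x8)
# Trustees expected on AdminSDHolder. Assumption for the example: SY = SYSTEM,
# DA/EA = Domain/Enterprise Admins, BA = built-in Administrators,
# AU = Authenticated Users (read only). Capture the real set from a known-good DC.
BASELINE_TRUSTEES = {"SY", "DA", "EA", "BA", "AU"}

# Constructed SDDL for CN=AdminSDHolder (not copied from a real domain): the
# baseline entries plus three that an attacker or a careless admin could add.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;RPWPCCDCLCSWRCWDWOSDSW;;;DA)"
    "(A;;RPWPCCDCLCSWRCWDWOSDSW;;;EA)"
    "(A;;RPWPCCDCLCSWRCWDWOSDSW;;;BA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;LCRPLORC;;;AU)"
    "(A;;RPWPCCDCLCSWRCWDWOSDSW;;;S-1-5-21-111-222-333-1105)"  # full control for a plain user
    "(A;;LCRPLORC;;;S-1-5-21-111-222-333-2201)"                # read only: odd, not dangerous
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-111-222-333-1106)"  # reset-password right
)


def parse_dacl_aces(sddl):
    """Split the DACL of an SDDL string into ACE dicts (the SACL, if any, is ignored)."""
    sacl_at = sddl.find("S:")
    dacl = sddl if sacl_at < 0 else sddl[:sacl_at]
    aces = []
    for m in ACE_RE.finditer(dacl):
        parts = m.group(1).split(";")
        if len(parts) < 6:
            continue
        ace_type, flags, rights, object_guid, inherit_guid, trustee = parts[:6]
        if rights.startswith("0x"):
            tokens = [rights]
            grants_write = bool(int(rights, 16) & WRITE_MASK)
        else:
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            grants_write = bool(set(tokens) & WRITE_TOKENS)
        aces.append({"type": ace_type, "flags": flags, "rights": tokens,
                     "grants_write": grants_write, "object_guid": object_guid,
                     "trustee": trustee})
    return aces


def audit_adminsdholder(sddl, baseline=BASELINE_TRUSTEES):
    """Allow ACEs whose trustee is not in the baseline; anything that can write
    to the protected objects is rated high, read-only grants low."""
    findings = []
    for ace in parse_dacl_aces(sddl):
        if ace["type"] not in ("A", "OA") or ace["trustee"] in baseline:
            continue  # deny ACEs and baseline trustees are not what we are hunting
        findings.append({
            "trustee": ace["trustee"],
            "severity": "high" if ace["grants_write"] else "low",
            "write_rights": sorted(set(ace["rights"]) & WRITE_TOKENS),
            "object_guid": ace["object_guid"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_adminsdholder(SAMPLE_SDDL):
        print(finding)
```

The object-specific ACE in the sample is the one that tends to be missed by eye: a single CR (control access) right scoped to the reset-password GUID grants no obvious "full control", yet through SDProp it lets that account reset the password of every protected account in the domain. Resolving the SIDs in the findings to account names and diffing the result against the previous run turns this into a daily change alert.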

10. Identify Recent Changes to Default Domain Policy or Default Domain Controllers Policy

Within AD, organizations use group policies to manage several operational configurations by defining security settings specific to the environment. These often configure administrative groups and include startup and shutdown scripts. Administrators configure them to set organization-defined security requirements at each level, install software, and set file and registry permissions. Unfortunately, attackers can change these policies to achieve domain persistence within the network.

Monitoring changes to default group policies can help defenders quickly spot these attackers, mitigating security risks and helping to prevent privileged access to AD.

Putting the Right Tools in Place

Understanding the most common tactics adversaries use to target AD can help enterprises defend it. When developing tools like Ranger AD and Singularity Identity, we considered many attack vectors and identified how best to detect and derail them.

With these tools in place, today’s enterprises can effectively identify vulnerabilities, detect malicious activity early, and remediate security incidents before intruders can escalate their privileges and turn a small-scale attack into a major breach. Protecting AD is a challenge, but it is not an insurmountable one, thanks to today’s AD protection tools.
