The Good, the Bad and the Ugly in Cybersecurity – Week 32 

The Good

This week, a U.S. individual was found guilty of committing 14 federal crimes related to phishing, credential theft, unauthorized access to his employer’s computer network and fraudulent activity which netted him over $25 million.

Argishti Khudaverdyan, 44, of Burbank, was a former employee of T-Mobile, and over a period of five years fraudulently unlocked phones on multiple networks, including T-Mobile, Sprint, AT&T and others, allowing the phones to be sold on the black market.

Khudaverdyan obtained T-Mobile employees’ credentials through phishing emails and socially engineering the T-Mobile IT Help Desk. He also obtained T‑Mobile employee credentials from accomplices in overseas call centers. Khudaverdyan targeted high-level employees, using their personal identifying information in calls to the T-Mobile IT Help Desk requesting password resets. He used over 50 different employees’ accounts to gain unauthorized access to T-Mobile systems and unlock hundreds of thousands of cell phones.

Khudaverdyan and accomplices advertised their fraudulent unlocking services through brokers, email solicitations, and websites such as unlocks247[.]com, falsely claiming the unlocks were “official” T-Mobile unlocks. Khudaverdyan will face statutory maximum sentences of 20 years in federal prison when he is sentenced in October.

The Bad

A semiconductor manufacturer of power engineering components including those used in many wind power turbines has been hit by LV ransomware this week. In a statement, Semikron said it had been “the victim of a cyber attack by a professional hacker group. As part of this attack, the perpetrators have claimed to have exfiltrated data from our system.”

Semikron says it is working on restoring encrypted parts of its network. However, other sources have suggested the ransomware operators are extorting the company and threatening to leak the allegedly stolen data, a double-extortion tactic that is far more common and successful these days than just encrypting data and only demanding payment for a decryptor.

Such tactics increase the effort for criminals but offer richer rewards. Effectively targeting enterprise data that will be of value typically involves some form of human-operated ransomware. A common modus operandi leverages some form of initial access, such as credential theft through phishing or social engineering, or the exploitation of a common vulnerability. Actors then use implants such as Cobalt Strike to maintain a backdoor into the target environment and to identify and exfiltrate valuable data.

There are suggestions that LV ransomware shares the same source code as the notorious REvil ransomware but is being operated by a different group. For now, Semikron has not made a public statement regarding any ransom demands or whether it is in negotiation with the attackers. The company says it is working with relevant authorities and will update customers and partners if any evidence of data theft is found.

The Ugly

Multiple vulnerabilities in some of Cisco’s most popular business routers have been found that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

A total of eight vulnerabilities have been identified; three in particular, CVE-2022-20827, CVE-2022-20841 and CVE-2022-20842, could be weaponized to execute code on the device with elevated privileges. Cisco says the vulnerabilities may be dependent on one another, with exploitation of one of the vulnerabilities required to exploit another.

CVE-2022-20827 could allow an attacker to submit crafted input to the router’s web filter database update feature. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges. CVE-2022-20841 is a vulnerability in the Open Plug and Play (PnP) module of four different router models. An attacker could exploit the bug by sending malicious input to an affected device and gain the ability to execute arbitrary commands on the underlying Linux operating system. CVE-2022-20842 affects the web-based management interface of certain router models and could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Cisco says they have no evidence of these bugs being exploited in the wild at present, and that there are no workarounds other than applying the patches available. Inevitably, threat actors will actively seek out businesses that fail to patch, and all Cisco customers are urged to check the list of affected models and patch without delay.

Class Action Targets Experian Over Account Security

A class action lawsuit has been filed against big-three consumer credit bureau Experian over reports that the company did little to prevent identity thieves from hijacking consumer accounts. The legal filing cites liberally from an investigation KrebsOnSecurity published in July, which found that identity thieves were able to assume control over existing Experian accounts simply by signing up for new accounts using the victim’s personal information and a different email address.

The lawsuit, filed July 28, 2022 in California Central District Court, argues that Experian’s documented practice of allowing the re-registration of existing Experian accounts without first verifying that the existing account holder authorized the changes violates the Fair Credit Reporting Act.

In July’s Experian, You Have Some Explaining to Do, we heard from two different readers who had security freezes on their credit files with Experian and who also recently received notifications from Experian that the email address on their account had been changed. So had their passwords and account PIN and secret questions. Both had used password managers to pick and store complex, unique passwords for their accounts.

Both were able to recover access to their Experian account simply by recreating it — sharing their name, address, phone number, social security number, date of birth, and successfully gleaning or guessing the answers to four multiple choice questions that are almost entirely based on public records (or else information that is not terribly difficult to find).

Here’s the bit from that story that got excerpted in the class action lawsuit:

KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.

After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.

Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”

After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?

To be clear, Experian does have a business unit that sells one-time password services to businesses. While Experian’s system did ask for a mobile number when I signed up a second time, at no time did that number receive a notification from Experian. Also, I could see no option in my account to enable multi-factor authentication for all logins.

In response to my story, Experian suggested the reports from readers were isolated incidents, and that the company does all kinds of things it can’t talk about publicly to prevent bad people from abusing its systems.

“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”

“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”

That sounds great, but since that story ran I’ve heard from several more readers who were doing everything right and still had their Experian accounts hijacked, with little left to show for it except an email alert from Experian saying they had changed the address on file for the account.
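The account-takeover pattern described above, modelled as an added example that is not Experian's code or KrebsOnSecurity's: a small Python simulation of an account re-registration flow. The account store, the SSN placeholder, the knowledge-based questions, the email addresses and all function names are constructed. `reregister_weak` reproduces the behaviour the story describes (PII plus KBA answers overwrite the email and PIN, and the address on file is only told afterwards), while `reregister_hardened` shows the check the story says was missing: the change is parked until the existing address approves it and the proposed new address proves it can receive mail.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


# Model of an account keyed by the identity the bureau already holds.
# Everything here is constructed for illustration; no real PII.
@dataclass
class Account:
    email: str
    pin: str
    kba: dict                                      # knowledge-based question -> expected answer
    notices: list = field(default_factory=list)    # messages "sent" to the address on file
    pending: Optional[dict] = None                 # hardened flow: change awaiting approval


def _kba_matches(acct: Account, answers: dict) -> bool:
    """Every multiple-choice answer must match. In the weak flow this is the only gate,
    and the answers are drawn largely from public records."""
    return set(answers) == set(acct.kba) and all(acct.kba[q] == a for q, a in answers.items())


def reregister_weak(store: dict, ssn: str, answers: dict, new_email: str, new_pin: str) -> str:
    """The flow the story describes: PII plus KBA answers are enough to overwrite the
    email and PIN of an existing account. The old address is only told afterwards,
    and is offered no way to refuse the change."""
    acct = store[ssn]
    if not _kba_matches(acct, answers):
        return "kba-failed"
    old_email = acct.email
    acct.email = new_email   # takeover point: no approval from old_email, no proof new_email is reachable
    acct.pin = new_pin
    acct.notices.append(f"to {old_email}: the email on this account was changed to {new_email}")
    return "changed"


def reregister_hardened(store: dict, ssn: str, answers: dict, new_email: str, new_pin: str) -> str:
    """Hardened variant: KBA never changes credentials by itself. The request is parked with
    two single-use secrets, an approval token delivered to the address on file and a
    verification code delivered to the proposed address; nothing is applied until both come
    back. A real deployment would also expire the pending change and rate-limit requests."""
    acct = store[ssn]
    if not _kba_matches(acct, answers):
        return "kba-failed"
    acct.pending = {
        "new_email": new_email,
        "new_pin": new_pin,
        "approval_token": secrets.token_urlsafe(16),        # delivered to acct.email
        "verify_code": f"{secrets.randbelow(10**6):06d}",   # delivered to new_email
        "approved": False,
        "verified": False,
    }
    acct.notices.append(f"to {acct.email}: request to move this account to {new_email}; "
                        f"nothing changes unless you approve it")
    return "pending"


def confirm_change(acct: Account, approval_token: Optional[str] = None,
                   verify_code: Optional[str] = None) -> str:
    """Apply the pending change only once the old address has approved and the new one has
    proven it can receive mail. compare_digest keeps the secret comparison constant-time."""
    p = acct.pending
    if p is None:
        return "nothing-pending"
    if approval_token is not None and hmac.compare_digest(approval_token, p["approval_token"]):
        p["approved"] = True
    if verify_code is not None and hmac.compare_digest(verify_code, p["verify_code"]):
        p["verified"] = True
    if p["approved"] and p["verified"]:
        acct.email, acct.pin = p["new_email"], p["new_pin"]
        acct.pending = None
        return "changed"
    return "pending"


def demo_store() -> dict:
    """Constructed victim account with public-record style questions (placeholder SSN)."""
    return {"000-00-0000": Account(email="victim@example.com", pin="4821",
                                   kba={"street_1998": "Elm St", "car_2005": "Civic"})}


def run_demo() -> dict:
    """Same attacker-style input against both flows; returns the resulting state of each."""
    ssn, answers = "000-00-0000", {"street_1998": "Elm St", "car_2005": "Civic"}
    weak, hard = demo_store(), demo_store()
    weak_result = reregister_weak(weak, ssn, answers, "attacker@example.net", "0000")
    hard_result = reregister_hardened(hard, ssn, answers, "attacker@example.net", "0000")
    # Whoever controls the new address can supply the verification code,
    # but not the approval token that went to the victim's mailbox.
    after_partial = confirm_change(hard[ssn], verify_code=hard[ssn].pending["verify_code"])
    return {"weak": (weak_result, weak[ssn].email),
            "hardened": (hard_result, after_partial, hard[ssn].email)}


if __name__ == "__main__":
    print(run_demo())
```

The design point is that a notification to the old address is not a control: in the weak flow the account is already gone by the time the notice arrives. Holding the change as pending until the address on file actively approves it turns the same notification into a consent step, and verifying the new address separately stops an unreachable or mistyped address from locking the real owner out.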

I’d like to believe this class action lawsuit will change things, but I do not. Likely, the only thing that will come from this lawsuit — if it is not dismissed outright — is a fat payout for the plaintiffs’ attorneys and “free” credit monitoring for a few years compliments of Experian.

Credit bureaus do not view consumers as customers, who are instead the product that is being sold to third party companies. Often that data is sold based on the interests of the entity purchasing the data, wherein consumer records can be packaged into categories like “dog owner,” “expectant parent,” or “diabetes patient.”

A chat conversation between the plaintiff and Experian’s support staff shows he experienced the same account hijack as described by our readers, despite his use of a computer-generated, unique password for his Experian account.

Nevertheless, most lenders rely on the big-three consumer credit reporting bureaus, including Equifax, Experian and Trans Union, to determine everyone’s credit score, fluctuations in which can make or break one’s application for a loan or job.

On Tuesday, The Wall Street Journal broke a story saying Equifax sent lenders incorrect credit scores for millions of consumers this spring.

Meanwhile, the credit bureaus keep enjoying record earnings. For its part, Equifax reported a record fourth quarter 2021 revenue of $1.3 billion. Much of that revenue came from its Workforce Solutions business, which sells information about consumer salary histories to a variety of customers.

The Biden administration reportedly wants to create a public entity within the Consumer Financial Protection Bureau (CFPB) that would incorporate factors like rent and utility payments into lending decisions. Such a move would require congressional approval but CFPB officials are already discussing how it might be set up, Reuters reported.

“Credit reporting firms oppose the move, saying they are already working to provide fair and affordable credit to all consumers,” Reuters wrote. “A public credit bureau would be bad for consumers because it would expand the government’s power in an inappropriate way and its goals would shift with political winds, the Consumer Data Industry Association (CDIA), which represents private rating firms, said in a statement.”

A public credit bureau is likely to meet fierce resistance from the Congress’s most generous constituents — the banking industry — which detests rapid change and is heavily reliant on the credit bureaus.

And there is a preview of that fight going on right now over the bipartisan American Data Privacy and Protection Act, which The Hill described as one of the most lobbied bills in Congress. The idea behind the bill is that companies can’t collect any more information from you than they need to provide you with the service you’re seeking.

“The bipartisan bill, which represents a breakthrough for lawmakers after years of negotiations, would restrict the kind of data companies can collect from online users and the ways they can use that data,” The Hill reported Aug. 3. “Its provisions would impact companies in every consumer-centric industry — including retailers, e-commerce giants, telecoms, credit card companies and tech firms — that compile massive amounts of user data and rely on targeted ads to attract customers.”

According to the Electronic Frontier Foundation, a nonprofit digital rights group, the bill as drafted falls short in protecting consumers in several areas. For starters, it would override or preempt many kinds of state privacy laws. The EFF argues the bill also would block the Federal Communications Commission (FCC) from enforcing federal privacy laws that now apply to cable and satellite TV, and that consumers should still be allowed to sue companies that violate their privacy.

A copy of the class action complaint against Experian is available here (PDF).

Scammers Sent Uber to Take Elderly Lady to the Bank

Email scammers sent an Uber to the home of an 80-year-old woman who responded to a well-timed email scam, in a bid to make sure she went to the bank and wired money to the fraudsters.  In this case, the woman figured out she was being scammed before embarking for the bank, but her story is a chilling reminder of how far crooks will go these days to rip people off.

Travis Hardaway is a former music teacher turned app developer from Towson, Md. Hardaway said his mother last month replied to an email she received regarding an appliance installation from BestBuy/GeekSquad. Hardaway said the timing of the scam email couldn’t have been worse: His mom’s dishwasher had just died, and she’d paid to have a new one delivered and installed.

“I think that’s where she got confused, because she thought the email was about her dishwasher installation,” Hardaway told KrebsOnSecurity.

Hardaway said his mom initiated a call to the phone number listed in the phony BestBuy email, and that the scammers told her she owed $160 for the installation, which seemed right at the time. Then the scammers asked her to install remote administration software on her computer so that they could control the machine from afar and assist her in making the payment.

After she logged into her bank and savings accounts with scammers watching her screen, the fraudster on the phone claimed that instead of pulling $160 out of her account, they accidentally transferred $160,000 to her account. They said they needed her help to make sure the money was “returned.”

“They took control of her screen and said they had accidentally transferred $160,000 into her account,” Hardaway said. “The person on the phone told her he was going to lose his job over this transfer error, that he didn’t know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, ‘I don’t drive,’ and they told her, ‘No problem, we’re sending an Uber to come help you to the bank.’”

Hardaway said he was out of town when all this happened, and that thankfully his mom eventually grew exasperated and gave up trying to help the scammers.

“They told her they were sending an Uber to pick her up and that it was on its way,” Hardaway said. “I don’t know if the Uber ever got there. But my mom went over to the neighbor’s house and they saw it for what it was — a scam.”

Hardaway said he has since wiped her computer, reinstalled the operating system and changed her passwords. But he says the incident has left his mom rattled.

“She’s really second-guessing herself now,” Hardaway said. “She’s not computer-savvy, and just moved down here from Boston during COVID to be near us, but she’s living by herself and feeling isolated and vulnerable, and stuff like this doesn’t help.”

According to the Federal Bureau of Investigation (FBI), seniors are often targeted because they tend to be trusting and polite. More importantly, they also usually have financial savings, own a home, and have good credit—all of which make them attractive to scammers.

“Additionally, seniors may be less inclined to report fraud because they don’t know how, or they may be too ashamed of having been scammed,” the FBI warned in May. “They might also be concerned that their relatives will lose confidence in their abilities to manage their own financial affairs. And when an elderly victim does report a crime, they may be unable to supply detailed information to investigators.”

In 2021, more than 92,000 victims over the age of 60 reported losses of $1.7 billion to the FBI’s Internet Crime Complaint Center (IC3). The FBI says that represents a 74 percent increase in losses over losses reported in 2020.

The abuse of ride-sharing services to scam the elderly is not exactly new. Authorities in Tampa, Fla. say they’re investigating an incident from December 2021 where fraudsters who’d stolen $700,000 from elderly grandparents used Uber rides to pick up bundles of cash from their victims.

LABScon | Security Research in Real Time – Talks Not To Miss, Part One

The speakers are pumped, the stunning venue is primed, and the guest list is (almost) complete. For the inaugural LABScon, the program committee has worked tirelessly on an incredible agenda showcasing fresh research from some of the sharpest minds in the industry.

LABScon, a SentinelLabs event presented by SentinelOne, will take place over three days from September 21-24, showcasing bleeding-edge research into cyber threat actors, malware hunting techniques, vulnerabilities, exploits, and tools from the best cybersecurity researchers on the planet.

Hosted at Arizona’s premier resort, The Phoenician, LABScon is an intimate, invite-only conference. Want to know what’s going on and who else will be there? Here’s a first look showcasing the LABScon 2022 speaker lineup and some of the topics we are most excited about.

Who’s Speaking at LABScon

Arrival day will kick off with a casual and candid conversation to welcome guests and set the tone for the conference, between Chris Krebs, former Director of CISA and co-founder of Krebs Stamos Group, and Thomas Rid, founding director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins SAIS. The LABScon Keynote day will include distinguished speakers like Dmitri Alperovitch, head of the Silverado Policy Accelerator and co-founder of CrowdStrike, and veteran security journalist and author Kim Zetter.

In an homage to the foundations of malware analysis, we are honored to host Mark Russinovich, CTO of Microsoft Azure, as he shares the secret history of the essential Sysinternals suite of tools we all use and love.

And that’s just for starters! There’s an exciting program with more than 30 talks and workshops at LABScon, packed into three full days of education, entertainment, and collaboration. The list of confirmed speakers for LABScon is already available here. Just keep an eye on the #LABScon Twitter feed for ongoing speaker and agenda updates.

In the meantime, enjoy this sneak peek at what’s on offer. Below, we proudly spotlight a selection from the presentations and workshops we have lined up to give you a flavor of what to expect at LABScon 2022.

Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure – Kristin Del Rosso (Sophos)

The US is still lagging behind China in terms of vulnerability discovery and disclosure. While the gap between the US National Vulnerability Database (NVD) and the Chinese NVD (CNNVD) has slightly shrunk over the last 5 years, there are still hundreds of vulnerabilities registered in China that are yet to be listed on the US NVD. The CNNVD is a known subsidiary of the Chinese Ministry of State Security’s Technical Bureau, which drives Chinese cyber espionage, and has a history of altering CVE disclosure dates and providing APT groups with exploits.

This talk will walk through the discovery of a CNVD that is not listed on the US NVD, and the larger picture behind the discovery and disclosure of vulnerabilities in China. This will cover how and where they are sourced, including a newly discovered sourcing event, the scope of disparity between US and Chinese vulnerability reporting, and how researchers can proactively hunt to close this knowledge gap between US and Chinese CVEs.

Demystifying Threats to Satellite Communications in Critical Infrastructure – MJ Emanuel (CISA)

Satellite communications are an integral part of many industrial control systems across many sectors, but their usage, specifically in critical infrastructure, continues to be misunderstood by the industry. While there have been multiple investigations into vulnerabilities and exploitation methods of satellite systems, less attention has been given to threat vectors and how they impact the environments that rely on them – much buzz was generated by the Viasat outages in February and their effect on European wind turbines, but not on how much the service disruption impacted these systems. Furthermore, a lot of guidance into securing satellite communication systems focuses heavily on military applications, which can have different architectures and needs than those deployed in critical infrastructure networks.

Drawing on lessons learned from recent incident responses involving satellite companies and systems, this talk will cover the basics of how different sectors rely on satellite communications, trust relationships of the satellite provider ecosystem that could be potentially abused by threat actors, how various attack methods could impact infrastructure processes, and potential detection methods of abuse.

Breaking Firmware Trust From The Other Side: Exploiting Early Boot Phases (Pre-EFI) – Alex Matrosov (Binarly)

Vulnerabilities in System Management Mode (SMM) and more general UEFI applications/drivers (DXE) are receiving increased attention from security researchers. Over the last 12 months, the Binarly efiXplorer team disclosed 107 high-impact vulnerabilities related to SMM and DXE firmware components. But newer platforms have significantly increased the runtime mitigations in the UEFI firmware execution environment (including SMM). The new Intel platform firmware runtime mitigations reshaped the attack surface for SMM/DXE with new Intel Hardware Shield technologies applied below-the-OS.

The complexity of the modern platform security features is growing every year. The general security promises of the platform consist of many different layers defining their own security boundaries. Unfortunately, in many cases, these layers may introduce inconsistencies in mitigation technologies and create room for breaking general security promises, allowing for successful attacks.

In this presentation, we will share our work exploring recent changes in the UEFI firmware security runtime using one of the most recent Intel CPUs as an example. The presentation will cover the evolution of firmware mitigations in SMM/DXE on x86-based CPUs and a discussion about the new attacks on Intel Platform Properties Assessment Module (PPAM), which are often used in tandem with Intel SMI Transfer Monitor (STM).

These topics have never been publicly discussed from the offensive security research perspective.

Whose Router Is It Anyway? – Danny Adamitis (Black Lotus Labs)

Black Lotus Labs, the threat intelligence division within Lumen Technologies, is currently tracking elements of a sophisticated campaign that has been leveraging infected SOHO routers to target North American and European networks of interest, undetected, for nearly two years. We identified a multistage remote access trojan (RAT), dubbed ZuoRAT, developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain a foothold.

Chasing Shadows: The Rise Of A Prolific Espionage Actor – Kris McConkey (PwC UK)

The proliferation of tooling such as ShadowPad across China-based APT actors and the existence of digital quartermasters has long been a feature of public reporting and a strong indication of ultimate actor sponsorship, based on US indictments and adjacent research.

One of these actors, however, stands out for its technical capabilities, rapid operational tempo, and global reach. Red Scylla combines access to shared tools with sophisticated custom capabilities, aggressive scanning of targets across the globe, and substantial resources, enabling it to compromise public and private sector victims spanning three continents. This talk will detail the rise and operations of a dominant player in the international corporate espionage world.

InkySquid: The Missing Arsenal – Paul Rascagneres (Volexity)
InkySquid (aka Group123, APT37) is an infamous threat actor linked to North Korea that has been active for at least 10 years. This actor is known to use social engineering in order to breach targets and exploit n-day vulnerabilities in Hangul Word Processor (HWP), as well as browser-based technologies. One of the most documented intrusion sets used by this actor is RoKRAT, a Windows RAT using cloud providers as C2 servers. In this presentation, attendees will learn about an undocumented macOS port of RoKRAT. Paul will describe the internal mechanisms and different espionage features of the malware, as well as built-in attempts to bypass macOS security features and embedded exploit code based on n-day exploits.

Request an Invite

There are still a limited number of tickets available, so if you haven’t yet requested your invite, now is the time to push that button.

CISO Insights | How to Get the Most Out of XDR

Extended Detection and Response (XDR) has generated a lot of buzz in recent times with security practitioners, analysts, and the vendor community. According to the Gartner Hype Cycle™ for Security Operations, 2022, XDR is at peak market interest, promising to deliver significant security visibility and response improvements to threat exposures.

XDR promises to reduce complexity and cost while improving incident response and remediation, and increasing productivity. With so much to gain, it’s not surprising that these benefits have at times met with some over-zealous marketing, leaving CISOs and other interested buyers with the unenviable task of sorting through the messaging to understand the true benefits.

Analysts and industry pundits say the potential of XDR is that it can make good on unmet security promises, like those made by SIEM (security information and event management) platforms, accelerating how security teams detect, investigate, and remediate threats with greater productivity and lower ownership costs.

And while many companies are interested in adopting XDR, what should organizations consider as they research the growing number of solutions in the market? Here are three key insights from CISOs we interviewed to help you prioritize as you look to adopt XDR.

Start With an XDR Solution With Roots in EDR

“I want to replicate what is working with EDR to other areas in my organization.”

As we talked to different CISOs, one common insight we heard for implementing XDR was extending what currently works in their organization to other attack surfaces: XDR built on a solid EDR foundation, with all the benefits that brings. That means, for example, drawing on EDR’s high-fidelity telemetry to provide critical supporting data from endpoints, as well as on the real-time detection and remediation capabilities of EDR.

However, XDR extends beyond endpoint protection to provide detection and response coverage across the entire organization, which means greater visibility and more context into threats. The high-fidelity telemetry that makes EDR so valuable and provides vital supporting data from endpoints is now available from more sources.

Good EDRs offer real-time behavioral detection and remediation, which can be deployed more broadly across the organization with XDR. Alerts that might otherwise have been missed at an early stage can now be identified earlier and remediated before they have a significant impact. And it is easier to get a more complete understanding of what is happening within the whole enterprise security estate.

Choose an XDR That Increases SecOps Efficiency

“One of our key objectives this year is to improve security productivity with built-in controls.”

Look for an XDR solution that increases SecOps efficiency with various built-in integrations that extend functionality and lighten the burden on taxed security teams.

Cybersecurity analysts are already overloaded and the situation is likely to get worse as threats increase, tools proliferate and the skills shortage continues to negatively impact the efficacy of security operations practitioners. That’s why it’s important to have a tool that automatically correlates related activity into unified alerts, which drastically simplifies the task for analysts. Central to the above points is automation. It’s crucial to maximizing the value of your existing tools and to unburdening the SOC team. Automation can improve threat detection, triage and response.

For example, with SentinelOne’s threat intelligence integration, threats are auto enriched from various sources, enabling customers to accelerate threat investigation and triage capabilities. Customers can also make use of an extensive library of threat hunting queries curated by SentinelOne research which continually evaluates the latest methodologies to uncover new IOCs and Tactics, Techniques, and Procedures (TTPs).

And all of this can be consolidated into fewer alerts, which reduces the strain on security teams. For example, in MITRE Engenuity’s 2022 ATT&CK Evaluation, which tested leading XDR solutions against a range of benchmarks, SentinelOne’s Singularity XDR consolidated two days of continuous testing into just nine campaign-level console alerts. This demonstrates the ability to alleviate SOC burdens by using machine speed to correlate and contextualize large numbers of alerts. In the end, fewer alerts, fewer clicks and fewer screens mean increased SOC efficiency.
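To make the correlation step described in this section concrete, here is an added example in Python that is not SentinelOne’s code and not part of Singularity XDR: a small correlator that folds raw alerts from endpoint, proxy and identity sources into one unified alert per incident. The alert records, host names, PIDs, rule names and the ten-minute window are all constructed assumptions; the grouping rules (shared host plus either process lineage or closeness in time) are a simplified stand-in for what a product would do with far richer context.

```python
from datetime import datetime, timedelta

# Constructed raw alerts in the shape an endpoint, proxy or identity sensor might emit.
# Hosts, PIDs, rule names and timestamps are made up for the example.
RAW_ALERTS = [
    {"ts": "2022-08-02T09:00:01", "host": "ws-17", "source": "edr", "pid": 4100, "ppid": 3200, "rule": "office-app-spawns-shell"},
    {"ts": "2022-08-02T09:00:03", "host": "ws-17", "source": "edr", "pid": 4105, "ppid": 4100, "rule": "encoded-powershell"},
    {"ts": "2022-08-02T09:00:07", "host": "ws-17", "source": "proxy", "pid": 4105, "ppid": 4100, "rule": "newly-registered-domain"},
    {"ts": "2022-08-02T09:00:09", "host": "ws-17", "source": "edr", "pid": 4110, "ppid": 4105, "rule": "scheduled-task-created"},
    {"ts": "2022-08-02T09:01:00", "host": "srv-db", "source": "identity", "pid": None, "ppid": None, "rule": "impossible-travel-login"},
    {"ts": "2022-08-02T09:40:00", "host": "ws-17", "source": "edr", "pid": 5001, "ppid": 900, "rule": "credential-dump-attempt"},
]

WINDOW = timedelta(minutes=10)   # assumed: how long an incident stays "open" for time-based joins


def correlate(alerts, window=WINDOW):
    """Group raw alerts into incidents. An alert joins an existing incident when it comes
    from the same host and either shares process lineage with it (its pid or ppid is already
    in the incident's process set) or arrives within `window` of the incident's latest alert.
    Alerts are processed in time order so lineage links are built before the window rule decides."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        home = None
        for inc in incidents:
            if inc["host"] != a["host"]:
                continue
            lineage = a["pid"] is not None and (a["pid"] in inc["pids"] or a["ppid"] in inc["pids"])
            recent = ts - inc["last"] <= window
            if lineage or recent:
                home = inc
                break
        if home is None:
            home = {"host": a["host"], "first": ts, "last": ts, "pids": set(), "sources": set(), "rules": []}
            incidents.append(home)
        home["last"] = max(home["last"], ts)
        if a["pid"] is not None:
            home["pids"].update((a["pid"], a["ppid"]))
        home["sources"].add(a["source"])
        home["rules"].append(a["rule"])
    return incidents


def unified_alerts(alerts, window=WINDOW):
    """Render each incident as one console-level alert carrying the evidence behind it."""
    out = []
    for inc in correlate(alerts, window):
        out.append({
            "host": inc["host"],
            "window": f"{inc['first'].time()} - {inc['last'].time()}",
            "raw_alert_count": len(inc["rules"]),
            "sources": sorted(inc["sources"]),
            "story": " -> ".join(inc["rules"]),
        })
    return out


if __name__ == "__main__":
    for unified in unified_alerts(RAW_ALERTS):
        print(unified)
```

On the constructed input, six raw alerts become three unified ones: the four ws-17 alerts tied together by process lineage (the proxy hit is attributed to the same PowerShell process the EDR flagged), the identity alert on srv-db, and a later ws-17 alert that shares neither lineage nor the time window. The window rule is the part an analyst should tune: a wide window merges unrelated activity on a busy host into one noisy incident, while a narrow one splits a slow-moving intrusion into several, so lineage and other shared entities (user, file hash, destination) should carry most of the weight.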

Invest in an XDR That Maximizes Existing Security Investments

“You are ONE of the many solutions that my SOC uses. Do you play nice with others?”

A strong XDR solution helps maximize the value of your security investments. While a closed XDR requires the vendor to supply all the required sensors for typical use cases, an open XDR concentrates on backend analytics and workflow and integrates with the organization’s existing security controls.

That makes sense because many organizations have tools and technologies deployed in their SOC that it would be wasteful to simply decommission. These best-in-breed technologies provide point-solution coverage, and each comes with its own learning curve and operational burden for the SecOps team. Switching them out for a new tool simply starts you on another learning curve with a new burden. XDR can allow you to make use of these existing tools, connecting them through simple built-in integrations.

SentinelOne’s Singularity Marketplace makes it easy to add integrations to third-party systems such as SIEM or SOAR solutions, with just a few clicks. Email, identity management systems, cloud services and other third-party systems can all be brought into the XDR system, which is a huge improvement on having to secure each one individually and use a different dashboard to manage alerts. These integrations can then be enabled and automated without the need to write complex code.

On top of these benefits is a lower total cost of ownership for the organization. XDR expands the powerful capability to the entire connected ecosystem of security tools across the enterprise. Automated response actions now extend to third-party applications. For example, you can force step-up authentication in your identity management tools when the system detects suspicious behavior. Users will then be asked to submit additional forms of authentication. And you can automatically block email or web connectivity for suspicious resources or users based upon pre-defined rules and triggers. Automated one-click responses serve to reduce adversary dwell time and contain threats quickly.

Seeing Beyond the Buzz for Measurable Outcomes

When choosing an XDR, CISOs need to look beyond the buzz and focus on what really matters: the outcomes it can deliver. Identifying KPIs not only helps to determine the effectiveness of tools and processes but also to communicate that effectiveness to the leadership and board. Cybersecurity is not always something the board understands, but the leadership will be aware of the growing risk of attacks and will want to know that their defenses are aligned with the company’s risk profile and appetite.

XDR can improve common KPIs because its threat detection and response is faster, deeper and more effective than that of individual, disparate tools like EDR and SIEM. Drawing on a wider range of sources means that XDR can improve Mean Time to Detect (MTTD). XDR’s central source of information and more manageable alert workload help to reduce Mean Time to Investigate (MTTI) by accelerating triage and reducing the time needed to investigate and scope an incident. XDR’s simple, fast and relevant automations reduce Mean Time to Respond (MTTR) by containing threats quickly.

Of course, the board is not just concerned with the effectiveness of cybersecurity measures. Its members have to worry about budgets, too. It can sometimes seem as if CISOs are constantly asking for the money to add yet more tools, so XDR’s ability to reduce total cost of ownership is welcome. AI and automation mean that security analysts carry less of a burden, which means they can work more efficiently and be more productive.

While it can sometimes be difficult to know how much difference a security tool or platform is making, XDR delivers clear, measurable benefits. It helps reduce costs, increases efficiency and improves visibility across the entire cyber security estate.

Parting Thoughts

The world of cybersecurity is constantly changing and it is often wise to be skeptical about new trends. However, XDR is more than a new trend. It is a new way of thinking about security – a platform that can be deployed to make an organization fit for the modern challenges in the ever-evolving cybersecurity landscape. With teams short of staff and those staff overwhelmed by alerts and drowning in data, a new approach is long overdue. XDR goes beyond the latest marketing buzzwords to deliver meaningful impact for organizations of every size. It is an essential part of the future of the modern SOC.

If you’d like to read more about CISO insights to help you with XDR adoption, read the 5 CISO Best Practices Whitepaper.

To learn more about how the SentinelOne Singularity platform can help your organization achieve these goals, contact us for more information or request a free demo.


No SOCKS, No Shoes, No Malware Proxy Services!

With the recent demise of several popular “proxy” services that let cybercriminals route their malicious traffic through hacked PCs, there is now something of a supply chain crisis gripping the underbelly of the Internet. Compounding the problem, several remaining malware-based proxy services have chosen to block new registrations to avoid swamping their networks with a sudden influx of customers.

Last week, a seven-year-old proxy service called 911[.]re abruptly announced it was permanently closing after a cybersecurity breach allowed unknown intruders to trash its servers and delete customer data and backups. 911 was already akin to critical infrastructure for many in the cybercriminal community after its top two competitors — VIP72 and LuxSocks — closed or were shut down by authorities over the past 10 months.

The underground cybercrime forums are now awash in pleas from people who are desperately seeking a new supplier of abundant, cheap, and reliably clean proxies to restart their businesses. The consensus seems to be that those days are now over, and while there are many smaller proxy services remaining, few of them on their own are capable of absorbing anywhere near the current demand.

“Everybody is looking for an alternative, bro,” wrote a BlackHatForums user on Aug. 1 in response to one of many “911 alternative” discussion threads. “No one knows an equivalent alternative to 911[.]re. Their service in terms of value and accessibility compared to other proxy providers was unmatched. Hopefully someone comes with a great alternative to 911[.]re.”

NEW SOCKS, SAME OLD SHOES

Among the more frequently recommended alternatives to 911 is SocksEscort[.]com, a malware-based proxy network that has been in existence since at least 2010. Here’s what part of their current homepage looks like:

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

But faced with a deluge of new signups in the wake of 911’s implosion, SocksEscort was among the remaining veteran proxy services that opted to close its doors to new registrants, replacing its registration page with the message:

“Due to unusual high demand, and heavy load on our servers, we had to block all new registrations. We won’t be able to support our proxies otherwise, and close SocksEscort as a result. We will resume registrations right after demand drops. Thank you for understanding, and sorry for the inconvenience.”

According to Spur.us, a startup that tracks proxy services, SocksEscort is a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay.

Spur says SocksEscort’s proxy service relies on software designed to run on Windows computers, and is currently leasing access to more than 14,000 hacked computers worldwide. That is a far cry from the proxy inventory advertised by 911, which stood at more than 200,000 IP addresses for rent just a few days ago.

Image: Spur.us

SocksEscort is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.
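As an added illustration of the SOCKS5 handshake described above (example code written for this page, not the proxy service’s software or anything from the article), the parser below recognises the two client messages defined in RFC 1928 in captured payloads, so a defender can tell whether a host is being used as a relay and where the proxied connections are going. The sample payloads are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_greeting(data):
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS] (RFC 1928)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        return None
    return {"type": "greeting", "methods": list(data[2:])}

def parse_request(data):
    """Client request: VER | CMD | RSV(0) | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 1:                 # IPv4, 4 octets
        end = 8
    elif atyp == 3:               # domain name, 1-byte length prefix
        if len(data) < 5:
            return None
        end = 5 + data[4]
    elif atyp == 4:               # IPv6, 16 octets
        end = 20
    else:
        return None
    if len(data) != end + 2:      # truncated or trailing bytes: not a clean request
        return None
    host = (data[5:end].decode("ascii", "replace") if atyp == 3
            else str(ipaddress.ip_address(data[4:end])))
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"type": "request", "cmd": CMD_NAMES.get(cmd, f"CMD_{cmd}"),
            "host": host, "port": port}

def connect_targets(payloads):
    """(host, port) pairs a suspected relay was asked to CONNECT to."""
    targets = []
    for p in payloads:
        msg = parse_greeting(p) or parse_request(p)
        if msg and msg["type"] == "request" and msg["cmd"] == "CONNECT":
            targets.append((msg["host"], msg["port"]))
    return targets

# Constructed payloads as if captured on a suspected relay: no-auth greeting, CONNECT
# example.com:443 by name, CONNECT 192.0.2.10:80 by IPv4, plus unrelated HTTP to ignore.
SAMPLE = [b"\x05\x01\x00",
          b"\x05\x01\x00\x03\x0bexample.com\x01\xbb",
          b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50",
          b"GET / HTTP/1.1\r\n"]
```

Run over real captures, the CONNECT destinations from an unmanaged residential host are the signal that someone else’s traffic is being relayed through it; the length checks matter because a truncated or padded message is not a valid SOCKS5 request.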

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source.

The disruption at 911[.]re came days after KrebsOnSecurity published an in-depth look at the long-running proxy service, which showed that 911 had a history of incentivizing the installation of its proxy software without user notice or consent, and that it actually ran some of these “pay-per-install” schemes on its own to guarantee a steady supply of freshly-hacked PCs.

That story also showed once again that the people who are building and leasing these botnets are surprisingly easy to identify in real life, particularly given that they operate malware-based anonymity services that enable a great deal of cybercrime activity.

Such was the case again with SocksEscort. Hilariously, the common link that exposed the real-life identities of the people running this SOCKS service was that they all worked for the same online shoe store.

ANGRY CODERS

SocksEscort[.]com was originally registered to the email address “michdomain@gmail.com,” which according to DomainTools.com was used to register a handful of related domains, including its previous incarnation — super-socks[.]biz. Cached versions of the site show that in 2010 the software which powers the network was produced with a copyright of “Escort Software.”

Super-socks[.]biz came online around the same time as another domain registered to that “michdomain” email: ip-score[.]com, which soon became shorthand on several cybercrime forums for a service that could tell visitors whether their Internet address — or more precisely, the proxy they were using — was flagged by any security software or services as compromised or malicious.

IP-score offered a revenue sharing program for websites that chose to embed its IP-scoring code, and the copyright on that userbar program was “Angry Coders.”

A copy of ip-score.com, as indexed by Archive.org.

A review of the Internet addresses historically used by Super-socks[.]biz and SocksEscort[.]com reveals that these domains at various times over the years shared an Internet address with a small number of other domains, including angrycoders[.]net, iskusnyh[.]pro, and kc-shoes[.]ru.

Cached copies of angrycoders[.]net from the Wayback Machine don’t reveal much about this particular group of irate programmers, but a search on the domain brings up several now-dormant listings for an Angry Coders based in Omsk, a large city in the Siberian region of Russia. The domain was registered in 2010 to an Oleg Iskushnykh from Omsk, who used the email address iboss32@ro.ru.

According to Constella Intelligence [currently an advertiser on KrebsOnSecurity], Oleg used the same password from his iboss32@ro.ru account for a slew of other “iboss” themed email addresses, one of which is tied to a LinkedIn profile for an Oleg Iskhusnyh, who describes himself as a senior web developer living in Nur-Sultan, Kazakhstan.

Iskusnyh’s Github profile shows he has contributed code to a number of online payment-related technologies and services, including Ingenico ePayments, Swedbank WooCommerce, Mondido Payments, and Reepay.

DON’T JUDGE A MAN UNTIL YOU’VE WALKED A MILE IN HIS SOCKS

The various “iboss” email accounts appear to have been shared by multiple parties. A search in Constella’s database of breached entities on “iboss32@gmail.com” reveals someone using the name Oleg Iskusnyh registered an online profile using a phone number in Bronx, New York. Pivoting on that phone number — 17187154415 — reveals a profile exposed in the breach at sales intelligence firm Apollo with the first name “Dmitry” who used the email address chepurko87@gmail.com.

That email is connected to a LinkedIn profile for a Dmitry Chepurko in Pavlodar, Kazakhstan. Chepurko’s resume says he’s a full stack developer, who most recently worked in the Omsk offices of a German shoe company called KC Shoes (the aforementioned kc-shoes.ru). Chepurko’s resume says before that he worked on his own for a decade using the freelancing platform Upwork.

The Upwork profile listed in Chepurko’s LinkedIn C.V. is no longer active. But that same now-defunct Upwork account link is still listed as the profile of a “Dmitry C.” in an UpWork profile page for the Angry Coders team in Omsk, Russia.

The UpWork profile page for the Angry Coders programming team from Omsk, RU.

Who is the “Alexander S.” listed above under the “Agency members” heading in the Upwork profile for Angry Coders? Historical DNS records from Farsight Security show angrycoders.net formerly included the subdomain “smollalex.angrycoders[.]net”.

A simple Internet search on “kc-shoes” reveals a Github account for a user from Omsk with the first name Alexander and the account name “Smollalex.” Alexander’s Github account indicates he has contributed code to the kc-shoes website as well.

Constella’s service shows that “Smollalex” was a favorite handle chosen by an Alexandr Smolyaninov from Omsk. The Smollalex Github account associates this individual with a company in Omsk that sells parts for oil and gas pipelines.

That shoes are apparently the common link among the Angry Coders responsible for SocksEscort is doubly amusing because — at least according to the posts on some cybercrime forums — one big reason people turn to these proxy services is for “shoe botting” or “sneaker bots,” which refers to the use of automated bot programs and services that aid in the rapid acquisition of limited-release, highly-sought-after designer athletic shoes that can then be resold at huge markups on secondary markets.

It’s not clear if the Angry Coders team members remain affiliated with SocksEscort; none of them responded to requests for comment. The research described above did, however, turn up connections indicating that the Angry Coders outsourced much of the promotion and support of their proxy service to programmers based in India and Indonesia, where a large chunk of its customers apparently reside.

Further reading:

July 29, 2022: 911 Proxy Service Implodes After Disclosing Breach

July 28, 2022: Breach Exposes Users of Microleaves Proxy Service

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’

June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet

June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet

Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark