The Good, the Bad and the Ugly in Cybersecurity – Week 40

The Good

Good news this week from Meta (aka Facebook). The social media giant has taken down some 1600 accounts and disrupted a Russian disinformation campaign spread across 60 fraudulent news websites. The campaign, Meta says, spread fake stories and Russian propaganda regarding the war on Ukraine. The Facebook accounts were removed for what the company calls “coordinated inauthentic behavior”.

Meta says the operation began in May and centered around impersonating legitimate websites of news organizations including Der Spiegel, The Guardian and Bild. The fake sites used a technique known as “typosquatting” to mimic legitimate domain names such as with fakes like Guardian[.]co[.]com. The fake news sites posted articles criticizing Ukraine and arguing that Western sanctions on Russia would backfire. The articles and related memes were then shared on the now-removed Facebook and Instagram accounts, as well as on Telegram and Twitter.

Russian disinformation campaign

Notably, as known domains were taken down or blocked, the actors behind the campaign attempted to set up replacement websites, “suggesting persistence and continuous investment in this activity across the internet”, the report says. In some cases, the disinformation content was amplified through the Facebook Pages of a number of Russian embassies.

Mass online disinformation campaigns have now become a regular tool of nation-state actors, and it’s unlikely we’ll see a reversal of that trend anytime soon. Of the few remedies we have to protect civil society and informed discourse aside from public awareness is active countermeasures as we’ve seen Meta take this week. Well done to them.

The Bad

The APT group variously known as TA410, Witchetty and LookingFrog has been up to some new tricks involving steganography and malware hidden in an image of the old Windows flag logo.

According to researchers, a bitmap image of the Windows flag logo was hosted on Github and laced with code for a backdoor. Hosting the image on a trusted public service avoids suspicious traffic to an attacker’s C2 (Command & Control) server, and hiding the malware in an iconic image helps the payload to remain hidden from casual inspection.

windows flag logo used to hide malware
Windows flag logo used to hide malware (Source)

The payload hidden in the image is decrypted with an XOR key and delivers a full-featured backdoor with the ability to move and delete files, start and stop processes, exfiltrate data and manipulate Windows Registry keys.

Researchers say the threat actors have been attacking targets in the Middle East, including at least one government agency, since February 2022. Initial compromise exploits the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing servers. The actors steal credentials by dumping the contents of LSASS from memory, and then pivot via lateral movement to install further malware on computers across the network.

Unfortunately, it remains the case that many organizations have still failed to patch against ProxyShell and ProxyLogon vulnerabilities, and until they do, they and their customers remain at high risk of compromise from both APT and cybercrime threat actors.

The Ugly

Speaking of ProxyShell and ProxyLogon, this week news broke of two new MS Exchange zero days that one researcher has dubbed ProxyNotShell. Microsoft confirmed the vulnerabilities shortly after as CVE-2022–41040 and CVE-2022–41082.

ProxyNotShell uses the same path and Server-Side Request Forgery (SSRF)/Remote Code Execution (RCE) pair as the earlier ProxyShell. However, in this case the attacker needs to be authenticated to exploit the vulnerabilities – any valid non-admin email credentials will suffice. CVE-2022-41040 enables the authenticated attacker to remotely trigger CVE-2022-41082, which allows remote code execution when PowerShell is accessible.

Researchers spotted the vulnerability being exploited in the wild in August 2022 against critical infrastructure and other targets, although attribution at this time remains unknown.

The vulnerabilities impact organizations running on-prem Microsoft Exchange Server 2013, 2016, and 2019 and a public-facing Outlook Web App. It is estimated that worldwide there could be up to 250,000 Exchange servers vulnerable to ProxyNotShell. Microsoft says it is “working on an accelerated timeline to release a fix”. In the meantime, impacted organizations should follow the mitigation advice here.

Fake CISO Profiles on LinkedIn Target Fortune 500s

Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.

If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University.

The LinkedIn profile for Victor Sites, who is most certainly NOT the CISO of Chevron.

Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).

Helpfully, LinkedIn seems to be able to detect something in common about all these fake CISO profiles, because it suggested I view a number of them in the “People Also Viewed” column seen in the image above. There are two fake CISO profiles suggested there, including one for a Maryann Robles, who claims to be the CISO of another energy giant — ExxonMobil.

Maryann’s profile says she’s from Tupelo, Miss., and includes this detail about how she became a self-described “old-school geek.”

“Since playing Tradewars on my Tandy 1000 with a 300 baud modem in the early ’90s, I’ve had a lifelong passion for technology, which I’ve carried with me as Deputy CISO of the world’s largest health plan,” her profile reads.

However, this description appears to have been lifted from the profile for the real CISO at the Centers for Medicare & Medicaid Services in Baltimore, Md.

Interestingly, Maryann’s LinkedIn profile was accepted as truth by Cybercrime Magazine’s CISO 500 listing, which claims to maintain a list of the current CISOs at America’s largest companies:

The fake CISO for ExxOnMobil was indexed in Cybercrime Magazine’s CISO 500.

Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week.

“It’s interesting the downstream sources that repeat LinkedIn bogus content as truth,” Mason said. “This is dangerous,, Signalhire, and Cybersecurity Ventures.”

Google wasn’t fooled by the phony LinkedIn profile for Jennie Biller, who claims to be CISO at biotechnology giant Biogen (the real Biogen CISO is Russell Koste). But Biller’s profile is worth mentioning because it shows how some of these phony profiles appear to be quite hastily assembled. Case in point: Biller’s name and profile photo suggest she is female, however the “About” description of her accomplishments uses male pronouns. Also, it might help that Jennie only has 18 connections on LinkedIn.

Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.

None of the profiles listed here responded to requests for comment (or to become a connection).

In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.

“We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”

LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.

The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.

“If I saw that a LinkedIn profile had been domain-validated, then my confidence in that profile would go way up,” Mason said, noting that many of the fake profiles had hundreds of followers, including dozens of real CISOs. Maryann’s profile grew by a hundred connections in just the past few days, he said.

“If we have CISOs that are falling for this, what hopes do the masses have?” Mason said.

Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.

“I shot a note to LinkedIn and said please remove this, and they said, well, we have to contact that person and arbitrate this,” he said. “They gave the guy two weeks and he didn’t respond, so they took it down. But that doesn’t scale, and there needs to be a mechanism where an employer can contact LinkedIn and have these fake profiles taken down in less than two weeks.”

Microsoft: Two New 0-Day Flaws in Exchange Server

Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.

In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability — CVE-2022-41082 — which allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.

Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.

“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”

GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.

In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server.

Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.

Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.

Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.

In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.

If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.

S Ventures Invests in Armorblox to Combat Email Threats Using Natural Language Understanding and AI

Email remains one of the most targeted attack vectors in cybersecurity, and attackers are becoming increasingly sophisticated with their techniques. At the same time, many organizations are well on their way to moving email systems to the cloud. With cloud environments being particularly susceptible to threats such as phishing and credential stuffing, many enterprises are re-thinking their approach to addressing email security with emphasis on their need to analyze massive amounts of data efficiently and at scale.

This is why SentinelOne is excited to invest in Armorblox, a platform helping organizations fight email threats with the power of natural language understanding (NLU) and artificial intelligence (AI). The Armorblox platform connects over API and analyzes thousands of signals to understand the context of day-to-day email communications. The signals stem from user identity, user behavior, and email language; all to help build a fuller security understanding. This type of context-aware detection protects both people and data from compromise, outpacing what legacy email security controls are capable of. Armorblox is led by a strong team of entrepreneurs formerly of Netskope, Duo Security, StackRox, and ThoughtSpot.

Many vendors in the cybersecurity industry claim to be “powered by AI,” but often require keeping a human element in the monitoring and detection process. Armorblox’s approach is fully autonomous. As the pioneers of AI in an endpoint protection, detection, and response application, the SentinelOne Innovation team weighed in on Armorblox’s use of NLU and AI:

“We dove deep with the Armorblox team into their technology and were impressed. Armorblox has strong capabilities in machine learning (ML) and NLU which, when applied to email security, result in high detection rates and low false positives.” – Ido Kotler, Innovation Lead at SentinelOne

Leveraging the power of AI also means that enterprises can tailor fit their solutions to any specific needs of the business. Armorblox’s AI-based infrastructure is capable of using past learnings to create dynamic policies and building custom ML models for each end user to facilitate an iterative improvement process.

The value of Armorblox’s approach and overall platform was validated by our own experience as a customer. SentinelOne has been in production with Armorblox as our sole email protection platform for over a year.

“Armorblox was able to solve a lot of the issues we were facing when we implemented cloud-based email. Armorblox connected over API in 5 minutes and analyzed 6 months of email archives to build a communication baseline, showing quick time-to-value and high effectiveness.” – Sridhar Yelfireddy, Senior IT Infrastructure and Operations Leader at SentinelOne

Now, Armorblox and SentinelOne customers can benefit from our joint integration and partnership as well. SentinelOne’s XDR integration with the email security platform enriches incidents with contextual information about a user and any related email alerts. It also ensures that customers can prevent attacks, investigate hidden threats, and respond across these infrastructures with agility and precision.

Together, SentinelOne and Armorblox empower joint customers to protect their enterprises. Read more about the XDR integration and partnership here.

SentinelOne’s investment in Armorblox solidifies our partnership and showcases the power of AI-driven speed, scale, and accuracy across all facets of cybersecurity.

Feature Spotlight | Combating Email Threats Through AI-Driven Defenses with Armorblox Integration

SentinelOne endeavors to protect enterprises from email-based attacks through a data-driven approach and autonomous security. To combat email threats, we are excited to announce our new integration with Armorblox, a disruptive API-based email security platform that uses artificial intelligence (AI), machine learning (ML), and natural language processing (NLP) to detect and prevent modern, advanced BEC attack vectors including vendor email compromise, executive email impersonation, payroll division fraud, credential phishing, and more. The integration is set to provide joint customers with enhanced investigation and response abilities.

Securing the Easy Ways In | Email Security for Enterprises

Email is a popular mode of communication, but it’s also a frequent target for cyberattacks. Targeted email attacks like Business Email Compromise (BEC), impersonation, account takeover, vendor fraud, and phishing attacks pose high financial risks to organizations of all sizes. Able to evade traditional security tools, email-based attacks work by targeting the human aspect of an enterprise and compromising legitimate accounts. As reported by the Armorblox 2022 Email Security Threat Report, the number of Business Email Compromise (BEC) attacks targeting organizations increased by 74% in 2021.

To compound the issue, threat actors leveraging BEC attacks are also exploiting the accelerated move by enterprises from on-prem to hybrid and cloud environments. Clouds are especially susceptible to threats such as phishing, credential stuffing, and password spraying. With these associated risks to consider, the need for robust email security is one of the foremost priorities for enterprises today.

As such, an email security solution is designed to detect and neutralize these threats as an important part of any organization’s cybersecurity posture. However, as organizations adopt best-of-breed solutions for each attack vector, the average SOC has between 25-49 tools from 10+ vendors resulting in operational complexity. Security operations teams are finding themselves inundated with alerts and struggle with managing too many point-specific tools that often do not integrate.

The lack of integrated tools has led to a decrease in efficiency for SOC teams, largely because data stays trapped within individual systems, reducing the effectiveness and productivity across incident triage, investigation, and response. SecOps teams find themselves repetitively checking similar suspicious emails across mailboxes, meticulously inspecting headers and metadata, as well as manually triaging threats. These manual tasks end up being a huge time sink and cause restraints in bandwidth for teams who must prioritize time working on strategic projects.

Prioritization and investigation of threats have suffered, leaving organizations vulnerable to sophisticated attacks and data breaches. This has led to overworked analysts, disjointed infrastructure, and too many missed attacks.

A New Approach | Extended Detection & Response (XDR)

In response, enterprise security teams are turning to Extended Detection and Response (XDR) platforms. XDR presents a new approach featuring a single security platform that collects and correlates data from multiple security tools to provide a more comprehensive view of an organization’s security posture.

XDR can help reduce alert fatigue, speed up incident response times, and improve overall security operations. XDR also streamlines an organization’s security infrastructure by providing a centralized detection and response control plane that integrates with the different point tools in an organization’s environment, enabling SOC teams to be more efficient and effective in their jobs.

XDR platforms use automation to enrich the detection, triage, and investigation of incidents, freeing up human analysts to focus on more complex tasks. In addition, XDR platforms can also automate response procedures, helping security teams contain incidents before they cause significant damage. By automating key security operations tasks, XDR platforms can help security teams work more efficiently and effectively, protecting organizations from a wide range of threats.

Why XDR and Email?

As one of the most common enterprise attack vectors, email security is an important part of any XDR solution. Email solutions provide critical context about a user and their mailbox, helping answer how malicious files arrived on the endpoint. Email security solutions also sandbox attachments pre-delivery, offering a rich source of threat intelligence for improved detection. Through the sharing of intelligence from email and endpoint security solutions, analysts obtain increased visibility and context for threats that would not be addressed in a typical siloed security approach. This allows security teams to remediate and avert propagation, protecting the organization and reducing an incident turning into a full-scale breach.

Behavioral Protection for The Enterprise Attack Surface

The joint integration between SentinelOne and Armorblox presents best-of-breed, machine-learning-based XDR and email security to holistically address advanced attacks that may laterally move across an organization. SentinelOne’s industry-leading XDR platform and Armorblox’s email security platform bring two critical security infrastructures – emails and endpoints – together. It ensures that customers can prevent attacks, investigate hidden threats, and respond across these infrastructures with agility and precision.

“Armorblox pioneers natural language understanding to detect and prevent sophisticated threats, enabling organizations to stop BEC and other financial frauds,” said DJ Sampath, Cofounder and CEO, Armorblox. “Our integration with SentinelOne XDR platform brings unprecedented threat intelligence from email systems to automate investigation and response of threats.”

“Attackers are utilizing known vulnerabilities to compromise enterprise networks at a rapid pace,” said Raj Rajamani, Chief Product Officer, SentinelOne. “Our integration with Armorblox helps enterprises improve their security posture and minimize enterprise risk by improving detection with email intelligence, investigating threats by correlating incidents between email and endpoints, and automating response to file-based threats. With fewer tools, enterprises can better fortify and protect against every edge of the network.”

Armorblox’s behavioral-based protection provides SentinelOne with email-based indicators of compromise and threat enrichment. Within the SentinelOne management console, detected threats are enriched with actionable context to enable security teams to kill malicious processes or network quarantine endpoints across an ecosystem. Security teams gain access to an integrated view of multi-vector threats across an enterprise’s technology stack to simplify security operations.

Email Threat Intelligence Ingestion

Armorblox inspects an organization’s email traffic and uses machine learning (ML) models to analyze it for risks. It applies a set of risk scores across different dimensions such as phishing, malware, impersonation, and data exfiltration. These risk scores help analysts prioritize the investigation of incidents. Armorblox’s integrated sandbox quarantines suspicious email attachments to protect end users, while extracting file attributes and indicators of compromise (IOCs) from malicious files.

Armorblox provides the IOCs from email threats it detects to SentinelOne Singularity XDR. Within Singularity XDR, the IOCs can be used to create STAR™ (Storyline Active Response) rules for alerts and automated responses. These actions include killing processes and quarantining any files matching malicious hashes provided by Armorblox or network quarantining the endpoint.

Threat Enrichment | The SentinelOne & Armorblox Integration

SentinelOne’s Behavioral AI and Storyline™ context produce high-quality alerts that are enriched with user and email threat data from Armorblox. If a user has any contextually-related alerts in Armorblox such as clicking a phishing email, exfiltrating sensitive data, or sending malicious documents, the relevant information will be enriched in the threat’s XDR feed.

SentinelOne Singularity XDR console with Armorblox Enrichment
SentinelOne Singularity XDR console with Armorblox Enrichment
  • The SentinelOne and Armorblox integration is easily configurable for customers by sharing the appropriate API key.
  • Once the API connection is set up, Armorblox’s behavioral-based protection provides SentinelOne with email-based indicators of compromise and threat enrichment.
  • Within the SentinelOne console, detected threats are enriched with actionable context from Armorblox’s related user and threat details. As email-based indicators of compromise from Armorblox are fed into the console, SentinelOne is able to kill malicious processes or network quarantine endpoints across an ecosystem.


Many vendors in the security space use the phrase “powered by AI” but still require a human element in their monitoring and detection process. With the global decrease in cyber expertise, many enterprise’s in-house teams have found themselves increasingly overwhelmed when it comes to scaling up their protective services against advanced email-based attacks. By leveraging AI and ML-based solutions, teams can automate and orchestrate the immense amount of data entailed in email monitoring efforts.

Both SentinelOne and Armourblox are fully autonomous, leveraging the power of behavioral AI to ensure a cohesive view of networks, assets, and business-critical communications. With the SentinelOne and Armorblox integration, joint customers can now synchronize their security posture to stop threats across both endpoints and emails.

Learn how you can bring natural language-based techniques to XDR and enhance your security team’s abilities to detect, investigate and respond to threats by contacting us or booking a personalized demo today.

LABScon 2022 Event Highlights | Advancing Cybersecurity Research for Collective Digital Defense

Last week, SentinelLabs launched the very first LABScon with the purpose of challenging the boundaries of threat understanding as we know it today. From September 21 to 24, we connected world-class researchers with top leaders from the infosec industry to share cutting-edge cyber research and learn about new ideas, tools, techniques, and trends.

While the inaugural LABScon was a premier, invite-only event, SentinelLabs will be sharing many of the research papers and video recordings in the weeks ahead. In the meantime, here’s a snappy digest of the main events and research findings presented at LABScon 2022.

Cybersecurity’s Leading Voices on Sharing and Collaboration

Russia’s war on Ukraine has been a major concern across cybersecurity as elsewhere this year, and it was inevitably a topic many wanted to hear more about at LABScon. Award-winning investigative journalist Kim Zetter sat down with Dmitri Alperovitch, Executive Chairman of the Silverado Policy Accelerator and Co-founder & CTO of Crowdstrike, for an in-depth discussion of the war in Ukraine, the involvement of cyber, and corollaries to a possible invasion of Taiwan.

LABScon also saw Morgan Adamski, Director of NSA’s Cyber Collaboration Center, deliver a keynote presentation sharing her views on the future of collaboration between researchers, vendors, and the public sector. By fostering collaborative relationships, the community can improve the way we secure the nation and co-create cybersecurity tradecraft, Morgan told the conference.

Morgan Adamski NSA at LABScon

Chris Krebs, Founding Partner of Krebs Stamos Group and the First Director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), drew on his time as former first director for the DHS and CISA to share in-the-trenches perspectives on modern cybersecurity and its associated government policies.

Mark Russinovich, CTO of Microsoft Azure and the founder of Sysinternals, talked tools, and presented the story of his seminal malware analysis toolkit from its inception to how it has transformed the current malware analysis and forensic investigation landscape. Mark took the opportunity to demo the latest version of Sysmon, 14.1, which has been enhanced in part to help foil Russian cyber activity in Ukraine.

Research & Discovery Highlights

LABScon is an intelligence-focused conference gathering together world-class security researchers to disseminate new ideas, findings, and the latest in threat hunting tools and techniques.

SentinelLabs’ own Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski introduced a previously unknown advanced threat actor dubbed ‘Metador’. This elusive adversary attacks high-value targets using novel malware frameworks and custom-built backdoors. Metador’s known targets include telecommunications, internet service providers, and universities.

Metador at LABScon

The researchers have published a blog post about Metador here.

In Tracking Militants On the Ground Through Online Information, Bellingcat’s Michael Sheldon presented his research on using open source research techniques (OSINT) to track militant groups through the online presence of their members, official releases, and information released by third parties. These case studies show how OSINT has contributed to information collection processes on conflict actors. Michael’s engaging talk also won him best speaker award at LABScon.

Black Lotus Labs is currently tracking an advanced campaign leveraging infected small office/home office (SOHO) routers. In Whose Router Is It Anyway?, Danny Adamitis revealed how the campaign had operated undetected for two years while targeting North American and European networks. Danny’s presentation detailed the discovery of the multistage remote access trojan (RAT), currently dubbed “ZuoRat”, that has been pivoting into local networks and hijacking communications to gain access to additional systems on the LAN. For his efforts, Danny was also awarded “2nd Best Speaker” at LABScon.

In Demystifying Threats to Satellite Communications in Critical Infrastructure, MJ Emanuel delved into the fascinating world of satellite communications, an integral part of many industry control systems, and how their usage in critical infrastructure continues to be misunderstood by the industry. MJ’s session discussed how trust relationships between satellite provider ecosystems could be leveraged by a threat actor, and how attacks on these systems directly impact our critical infrastructure processes. Danny also nabbed third place in our Best Speaker awards.

APTs, and More APTs

Donald ‘Mac’ McCarthy highlighted a case study showing how a state-sponsored RAT was designed to accept a C2 using CNAME records. His presentation, CNAME and Control | Open Source Context, examined the encoding and detection methodology which discovered the Chinese state actor’s attack on the Defense Industrial Base (DIB) and related entities.

In APT 42: Wild Kittens and Where to Find Them, Mandiant threat intelligence researchers Ashley Zaya and Emiel Haeghebaert teamed up to give a primer on APT42, a cluster of threat activity linked to the Iranian government. APT42 has focused on conducting credential theft operations against Western think tanks and academics, government officials, and high-profile individuals within Iran as well as in the United Kingdom, Israel, and the United States.

PwC lead researcher Kris McConkey delivered an exclusive exposé on Chinese-based advanced persistent threat actors in Chasing Shadows: The Rise of a Prolific Espionage Actor. The talk detailed the rise and operations of dominant players in the international corporate espionage world.

SentinelLabs’ own Tom Hegel rounded out the full day of talks on Thursday with new intel on a cyber mercenary group known as Void Balaur. Tom’s presentation, The Sprawling Infrastructure of Void Balaur revealed how the hack-for-hire gang has been expanding its infrastructure and focusing on a wide variety of industries that have political interests tied to Russia. Void Balaur often makes use of multi-factor authentication ploys to seek access to email and social media accounts. Tom has published his research here.

A full list of all the research papers and participants appears on the LABScon home page.

Event Specials | Awards & Gala Highlights

At LABScon, bringing together the brightest minds of the industry also meant taking a few moments to recognize the incredible efforts being made to keep our community secure. First, we were pleased to award Dmitri Alperovitch with the SentinelLabs MVP award in recognition of his continuing work to advance cyber policy and education through his Silverado Policy Accelerator and Hopkins Alperovitch Institute initiatives.

SentinelLabs was also delighted to present a Lifetime Achievement award to Mark Russinovich for his work in furthering malware analysis understanding.

No Burnout Here

LABScon is about threat intelligence, knowledge, and sharing, but it’s also about community. Building and maintaining relationships across the infosec industry is an essential part of successfully defending and protecting everyone against cyber threats. At LABScon, we found some innovative ways to help everyone feel like part of the family and share in some fun.

From a cybercrime-themed gala party to epic swag, here’s a glimpse into the after-hours activities that went on after a hard day’s learning and sharing!

Why LABScon?

Security research events such as LABScon hold increasing significance in the infosec space. We hosted LABScon to provide a venue for advanced security collaboration and encourage practitioners, researchers and vendors alike to examine the threat landscape for what it is and then push past our current boundaries. Here’s what some of our guests thought about LABScon 2022:

And that’s a wrap on our very first LABScon event! SentinelOne would like to give a special thanks to all of our sponsors who helped make this very first LABScon event a successful one. LABScon 2022 was sponsored by Stairwell, Luta Security, Cisco Talos, GreyNoise, HP Wolf Security, Aesir, Binarly, Team Cymru, and ReversingLabs. We’ll see you next year! #LABScon23

Selected research papers from LABScon 2022 will be coming soon on SentinelLabs. Follow @LABScon to stay tuned!

Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto

Back in August, researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange In this post, we review the details of this ongoing campaign and publish the latest indicators of compromise.

Coinbase Campaign Turns to

North-Korean linked APT threat actor Lazarus has been using lures for attractive job offers in a number of campaigns since at least 2020, including targeting aerospace and defense contractors in a campaign dubbed ‘Operation Dream Job’.

While those campaigns distributed Windows malware, macOS malware has been discovered using a similar tactic. Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends at ESET back in August 2022, with indications that the campaign dated back at least a year. Last week, SentinelOne observed variants of the malware using new lures for vacancies at

Decoy document advertising positions on
Decoy document advertising positions on

First Stage and Persistence

Although it is not clear at this stage how the malware is being distributed, earlier reports suggested that threat actors were attracting victims via targeted messaging on LinkedIn.

The first stage dropper is a Mach-O binary that is a similar template to the safarifontsagent binary used in the Coinbase variant. The first stage creates a folder in the user’s Library called “WifiPreference” and drops a persistence agent at ~/Library/LaunchAgents/com.wifianalyticsagent.plist, targeting an executable in the WifiPreferences folder called wifianalyticsagent.

Persistence agent com.wifianalyticsagent
Persistence agent com.wifianalyticsagent

The LaunchAgent uses the same label as in the Coinbase variant, namely iTunes_trush, but changes the target executable location and the agent file name. Analysis of the binary shows that these details are simply hardcoded in the startDaemon() function at compile time, and as such there are likely to be further variants extant or forthcoming.

The startDaemon() function hardcodes the persistence agent details
The startDaemon() function hardcodes the persistence agent details

The WifiPreference folder contains several other items, including the decoy document, Crypto.com_Job_Opportunities_2022_confidential.pdf.

The PDF is a 26 page dump of all vacancies at Consistent with observations in the earlier campaign, this PDF is created with MS Word 2016, PDF version 1.5. The document author is listed as “UChan”.

The PDF decoy was created with MS Word 2016
The PDF decoy was created with MS Word 2016

The first stage malware opens the PDF decoy document and wipes the Terminal’s current savedState.

open '/Users/tritium/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf' && 
rm -rf '/Users/tritium/Library/Saved Application State/'

The second stage in the variant is a bare-bones application bundle named “”; this mirrors the same architecture seen in the Coinbase variant, which used a second stage called “”. The application uses the bundle identifier finder.fonts.extractor and has been in existence since at least 2021.

The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a C2 server. The Coinbase variant used the domain com.concrecaptial[.]com. In the sample, this has changed to market.contradecapital[.]com.

Hardcoded C2 in the third-stage downloader
Hardcoded C2 in the third-stage downloader

The payload is written to the WifiPreference folder as WifiCloudWidget. Unfortunately, due to the C2 being offline when we analysed the sample, we were unable to retrieve the WifiCloudWidget payload.

The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets. The binaries are all universal Mach-Os capable of running on either Intel or M1 Apple silicon machines and signed with an ad hoc signature, meaning that they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity.

The wifianalyticsagent sample passes Gatekeeper with an ‘ad hoc’ signature
The wifianalyticsagent sample passes Gatekeeper with an ‘ad hoc’ signature

Staying Protected Against Lazarus Malware

SentinelOne customers are protected against the malware variants used in this campaign. For those not currently protected by SentinelOne, security teams and administrators are urged to review the indicators of compromise at the end of this post.


The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges. This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.

Indicators of Compromise

SHA 1 Name/Description
57684cc460d4fc202b8a33870630414b3bbfafc 1st Stage, xxx
65b7091af6279cf0e426a7b9bdc4591679420380 Crypto.com_Job_Opportunities_2022_
1f0f9020f72aa5a38a89ffd6cd000ed8a2b49edc 2nd Stage, WifiAnalyticsServ
1b32f332e7fc91252181f0626da05ae989095d71 3rd stage, wifianalyticsagent



File paths


Labels and Bundle Identifiers

Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S.

A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019.

On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.

A native of Omsk, Russia, Kloster came into focus after KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Kloster’s personal blog, which featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world.” Kloster’s blog even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

The Bulgarian news outlet reports that Kloster was arrested in June at a co-working space in the southwestern ski resort town of Bansko, and that the accused asked to be handed over to the American authorities.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in an American court.”

Launched in 2013, RSOCKS was shut down in June 2022 as part of an international investigation into the cybercrime service. According to the Justice Department, the RSOCKS botnet initially targeted Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers; later in its existence, the RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers, the DOJ said.

The Justice Department’s June 2022 statement about that takedown cited a search warrant from the U.S. Attorney’s Office for the Southern District of California, which also was named by Bulgarian news outlets this month as the source of Kloster’s arrest warrant.

When asked about the existence of an arrest warrant or criminal charges against Kloster, a spokesperson for the Southern District said, “no comment.”

Update, Sept. 24, 9:00 a.m. ET: Kloster was named in a 2019 indictment (PDF) unsealed Sept. 23 by the Southern District court.

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

24Chasa said the defendant’s surname is Emelyantsev and that he only recently adopted the last name Kloster, which is his mother’s maiden name.

As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010.

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, the defendant in this case probably knows quite a bit about other top players in the botnet spam and malware community.

A Google-translated version of the Rusdot spam forum.

Despite maintaining his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.

“America is looking for me because I have enormous information and they need it,” Kloster told the court, according to 24Chasa. “That’s why they want me.”

The Bulgarian court agreed, and granted his extradition. Kloster’s fiancee also attended the extradition hearing, and reportedly wept in the hall outside the entire time.

Kloster turned 36 while awaiting his extradition hearing, and may soon be facing charges that carry punishments of up to 20 years in prison.

The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good

This week saw the inaugural LABScon – a security conference intent on fostering the advancement of cybersecurity research to build a stronger collective digital defense. LABScon is hosted by SentinelLabs, the research arm of SentinelOne, with the aim of bringing together researchers and experts from across the industry to share and disseminate critical threat intelligence and knowledge.

The multi-day event featured talks from prominent infosec voices including Mark Russinovich (Microsoft Azure), Chris Krebs (Krebs Stamos Group), Dmitri Alperovitch (Silverado Policy Accelerator), and Thomas Rid (Alperovitch Institute), among others.

On the second day of the event, SentinelLabs researchers revealed their discovery of a previously unknown advanced threat actor. Dubbed ‘Metador’, the shady group attacks high-value targets in the telecoms, networking, and education sectors using novel malware frameworks and custom-built backdoors.

The researchers said that the advanced nature of the actor’s toolset was difficult to detect and challenging to reverse engineer, warning that we have likely only seen the tip of the iceberg of intrusions attributable to Metador. Describing the group as the “1%ers” in reference to their elite status, the researchers called on the infosec community to review their telemetry and collaborate on learning more about this new adversary.

Security research events such as LABScon are significant in the infosec space as they provide a venue for advanced security collaboration and encourage practitioners, researchers and vendors alike to push the envelope of threat landscape understanding.

The Bad

This week, New York emergency response and ambulance service provider, Empress EMS, disclosed a ransomware attack resulting in the exfiltration of sensitive patient files.

As the files contained protected health information (PHI) like patient names, insurance information, and social security numbers, Empress EMS has reached out to affected individuals offering credit monitoring services and recommending that they review their healthcare statements for any discrepancies regarding charged services. Investigations report that the breach and encryption were followed by double-extortion efforts.

Through the HITECH Act, the U.S. Department of Health and Human Services (HHS) must publish breaches involving unsecured PHI affecting 500 or more individuals. So far, the Empress breach has affected 318,558 individuals.

While Empress EMS did not disclose the identity of the hackers that infiltrated their systems, the report points to the Hive ransomware group having published their victim’s data in late July. The breach unfortunately comes right on the heels of a warning issued just this April by the HHS about Hive’s aggressive, financially-motivated attacks disproportionately targeting healthcare organizations.

So, what happens when emergency services have their own emergencies? The question is a brutal one, throwing the reality of cyberattacks on healthcare into stark relief. When medical services and practitioners are impeded by cyberattacks, it’s people’s lives on the line. As the industry further digitizes its health record management, clinical support, prescription and dispensing, telemedicine, and health surveillance systems, healthcare providers will need to establish robust cybersecurity solutions to safeguard their increasingly complex data environments.

The Ugly

Once in a while, cybercriminals have to contend with the trouble of insider threats, too. News came out this week detailing a data leak coming from “an allegedly disgruntled developer” within the LockBit ransomware operation itself.

The “developer” leaked a builder for the newest version of the LockBit encryptor, which had been tested and launched in June and boasted new anti-analysis features, a ransomware bug bounty program, and all-new methods for encryption.

Reports noted that VX-Underground was given a copy of the builder and communicated directly with a public representative of LockBit operations. The representative denied that LockBit had been hacked, claiming rather that a disgruntled developer who was unhappy with the group’s leadership chose to leak the builder.

The ramifications of this leak will be fairly severe for the LockBit gang as competing threat actors will seek to leverage the builder to launch their own attacks. Worse for the rest of us, the new encryptor enables anyone with the code to build and launch their own ransomware operations as it includes the encryptor, decryptor, and specialized hacking tools needed for a threat campaign. Reports show that the builder allows any user to customize a ransomware campaign to their exact needs and link a ransom note directly to their own hacking infrastructure.

News of this insider leak lends yet another peek into the inner workings of cyber criminal enterprises, the last major incident in this vein occurring early this February when sixty thousand of Conti group’s chat messages were exposed. Ransomware operations closely resemble many professional establishments in having product testing processes, bug bounty programs, and even dealing with acts of vengeful employees through public relations representatives.

The rise of Ransomware-as-a-Service (RaaS) groups shows the alarming advancement and professionalization of cybercriminals. As low and medium-level threat actors increasingly turn to RaaS groups to launch complex campaigns, robust cybersecurity solutions are no longer a nice-to-have for organizations – they’re an absolute necessity.

Investing in Tomorrow | Why We Started S Ventures

Today, we are excited to launch S Ventures, a $100M fund investing in the next generation of category-defining security and data companies.

Tomer Weingarten co-founded SentinelOne nearly ten years ago with the premise that the cybersecurity challenges facing the world could only be solved through the power of data and AI. Within data and AI, we gain new insights and more intelligent approaches to accomplishing the day-to-day tasks that limit the potential of security and IT teams. Tomer and the greater SentinelOne team saw our role as more than just a technology vendor, but a force for good within cybersecurity. We remain a founder-led business, and our approach to security has led to us becoming one of the fastest-growing public software companies on the market.

We’ve also seen how AI and data empower security and adjacent disciplines; our DataSet product, originating from our acquisition of Scalyr in 2021, is the backend infrastructure powering ingestion, investigation, and analytics capabilities in our Singularity XDR platform. We’ve also externalized this technology to help DevOps, engineering, and IT teams solve the same data use cases we did.

As we look ahead to the next decade and beyond, we see the potential for AI and data to be applied to many challenges – this drives the need to build an entirely new ecosystem of companies. With a significant part of SentinelOne’s success a result of our partner-first approach to the business, we believe we can take this one step further to innovate beyond our own four walls.

Our initial portfolio companies share our mission to tackle enterprise-level challenges with innovative, intelligent approaches:

  • Torq accelerates complex threat response workflows through a no-code security automation platform
  • Laminar delivers a cloud data security platform that discovers, protects, secures, and monitors sensitive data in everything built and run in the cloud
  • Armorblox combats email threats and email data loss using natural language processing and AI
  • Noetic Cyber provides teams with unified visibility and actionable insights into the security posture of all assets across cloud and on-premises systems

SentinelOne has forged the journey from startup to hypergrowth, and we are now looking to leverage this experience in providing valuable help to companies and founders charting their own paths today.

Some of the value we will offer through S Ventures includes:

  • Access to SentinelOne experts and leaders – lessons from building and running a hypergrowth company, being on the front lines of security, and building data platforms that solve real customer pain points
  • Enhanced exposure across the SentinelOne ecosystem – CISOs, customers, and partners
  • Product integration and GTM enablement – through the Singularity Marketplace and access to the DataSet platform to build and grow data-intensive products

Our motto is to be a “force for good” for our customers, employees, shareholders, partners, and society.  With S Ventures, we want to be a force multiplier in helping establish, guide, and scale an entirely new generation of security and data companies.

To learn more about S Ventures, visit us here.

S Ventures
Investing in the next generation of category-defining security and data companies.