SIM Swapper Abducted, Beaten, Held for $200k Ransom

A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captors held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities.

The SIM-swapper known as “Foreshadow” pleading for his life.

The grisly kidnapping video has been circulating on a number of Telegram chat channels dedicated to SIM-swapping — the practice of tricking or bribing mobile phone store employees into diverting a target’s phone number, text messages and calls to a device the attackers control.

The teen, known to the SIM-swapping community by the handle “Foreshadow,” appears to have served as a “holder” — a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams.

“Yo, Dan, please bro send the 200k,” Foreshadow said in the video, which was shot on Sept. 15 in the backseat of a moving car. Bleeding from a swollen mouth with two handguns pointed at his head, Foreshadow pleaded for his life.

“They’re going to kill me if you don’t,” Foreshadow continued, offering to get a job as a complicit mobile store employee or “plug” to help with future SIM-swaps. “I’ll pay you back. Just let me know what you need. I got you, for real. Any work for free. Whatever. However long you need me, too. I’ll apply to any store you need me to apply to. I can be a plug. I don’t care if I get caught by the cops or anything. I’ll get that money back for you. I used to do that work.”

It’s not clear where in the world the hostage video was recorded. But at one point in the video, the vehicle’s radio can be heard in the background mentioning WMIB, which is a hip-hop station in South Florida that serves both Ft. Lauderdale and Miami.

As Foreshadow’s hostage video began making the rounds on SIM-swapping Telegram channels, a rumor surfaced that Foreshadow had died after being shot in the leg. It soon emerged that Foreshadow had not died, and that he was cooperating with the Federal Bureau of Investigation (FBI). Members of the SIM-swapping community were then warned to delete any messages to or from Foreshadow. One of those messages read:

JUST IN: FORESHADOW IS NOT DEAD!!!!

HES CURRENTLY CO-OPERATING WITH THE FBI DUE TO HIM BEING KIDNAPPED AND AN ATTEMPT TO EXTORT HIM FOR 200K

IF YOU HAVE CHATS WITH HIM CLEAR THEM

Foreshadow appears to be a teenager from Florida whose first name is Justin. Foreshadow’s main Telegram account was converted from a user profile into a channel on Sept. 15 — the same day he was assaulted and kidnapped — and it is not currently responding to messages.

Foreshadow’s erstwhile boss Jarik told KrebsOnSecurity that the youth was indeed shot by his captors, and blamed the kidnapping on a rival SIM-swapper from Australia who was angry over getting shortchanged of the profits from a previous SIM-swapping escapade.

The FBI did not immediately respond to requests for comment.

Foreshadow’s experience is the latest example of a rapidly escalating cycle of physical violence that is taking hold of criminal SIM-swapping communities online. Earlier this month, KrebsOnSecurity detailed how multiple SIM-swapping Telegram channels are now replete with “violence-as-a-service” offerings, wherein denizens of the underground hire themselves out to perform various forms of physical violence — from slashing tires and throwing a brick through someone’s window, to conducting drive-by shootings, firebombings and home invasions.

On Aug. 12, 2022, 21-year-old Patrick McGovern-Allen of Egg Harbor Township, N.J. was arrested by the FBI and charged with stalking in connection with several of these violence-as-a-service jobs. Prosecutors say the defendant fired a handgun into a Pennsylvania home, and helped to torch another residence in the state with a Molotov Cocktail — all allegedly in service of a beef over stolen cryptocurrency.

Earlier this month, three men in the United Kingdom were arrested for attempting to assault a local man and steal his virtual currencies. The local man’s neighbor called the cops and said the three men were acting suspiciously and that one of them was wearing a police uniform. U.K. police stopped the three men allegedly fleeing the scene, and found a police uniform and weapons in the trunk of the car. All three defendants in that case were charged with “intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”

Dina Temple-Raston and Sean Powers over at The Record recently interviewed several members of the SIM-swapping community about this escalation in violence. That story is also available on the Click Here podcast — Throwing Bricks for $$$: Violence-as-a-Service Comes of Age.

CISO Wins | A 5-Phase Ramp up Strategy for Success on a New Job

At the helm of a business’s overarching security strategy is their Chief Information Security Officer – a key C-suite role responsible for assessing, planning, and maintaining the safety and digital growth of the enterprise. With the surge of cyberattacks across all industry verticals, more businesses are hiring CISOs to help step up their offense and defense against threat actors.

CISOs ensure the safety and continuity of a business’s operations and data. CISOs are constantly reevaluating their strategy based on the fluctuations of the threat landscape and, in tandem, adjusting how the business monitors and responds to potential attacks. With such work ahead and so many facets of cybersecurity to consider, new CISOs joining a business need to have a plan in place so they can maximize their resources and effectiveness.

The cybersecurity domain is a vast one, so having the right ramp-up strategy can help a new CISO identify main priorities and get started on achieving their goals. For CISOs joining a business, the first three months are significant in establishing credibility as well as a path forward for the business’s security posture. This post outlines a ramp-up strategy structured in five key phases CISOs can use to ensure their first 90 days are successful.

1. Discover | Get to Know the Organization and People

New CISOs on the job will seek to understand their company, identify key subject matter experts, and most critically, take time to listen to and learn from those they speak with. Intel is a new CISO’s best friend: the more information collected about the company, the better. To perform a valuable discovery, CISOs may ask questions like:

  • What cybersecurity processes, technology, and teams exist? Where does the cybersecurity program stand, if it exists?
  • What cybersecurity-related challenges does the company face currently? Are the roadblocks or reasons for these challenges identifiable? What is the frequency and/or scale of these challenges?
  • What is business critical and must be protected first? This may include intellectual property, customer databases, how revenue is generated, and critical project data that fall under regulatory compliance controls.

Each business is going to have a unique mission, vision, and industry-specific security requirements that need to be taken into consideration by a new CISO. Most of the discovery phase will require CISOs to get to know the security leaders and teams. By holding interviews with these key roles, a new CISO can start to understand where they stand in overall cybersecurity strategy itself, learn about the security culture of the company, and develop the scope and expectations of their work.

This ensures stakeholders, leadership, and security staff all see what the tenure of the CISO will look like going forward. Building these relationships early in the onboarding process is invaluable to creating trust and establishing a new CISO’s personal commitment to the business’s security values.

2. Assess | Identify and Measure Processes, Gaps, and Opportunities

In the assessment phase, things will get much more granular for a new CISO. This is when CISOs will need to start understanding the current maturity of the company’s security strategy and identify what is and isn’t working in terms of people, process, and technology. Typically, new CISOs will conduct formal security assessments to measure and review:

  • Strengths and gaps in the current strategy and security program activities
  • What industry and business-specific risks exist and how they are currently being avoided, transferred, mitigated, or accepted
  • Any captured metrics showing data security and privacy practices that are tied to the company’s goals and objectives
  • Tools and solutions in use, what the company’s security tech covers, and how well they are deployed and managed
  • Past performance and responsiveness to cyber incidents, recorded benchmarks, and any incident response or business continuity plans

When it comes to understanding the organization’s attack surface, CISOs often employ inventory discovery tools capable of scanning entire networks to locate connected IoT devices as well as protected and unprotected endpoints. Tools like this enable a new CISO to work efficiently to start reducing risk – a core responsibility linked to most companies’ business goals.

The other aspect for new CISOs to consider in the assessment phase is to take note of recent threat intel gathered by the cybersecurity community. A new CISO will take into consideration new and developing breaches, global and industry-specific threat trends, documented tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), zero-day vulnerabilities, and attack patterns to inform their initial security assessment.

3. Plan | Build the Plan and Prioritize the Goals

After conducting their own security assessment and analyzing the data, a new CISO’s next step will be to draft the strategy or upgrade an existing one based on their findings. A holistic cybersecurity strategy typically showcases:

  • A detailed analysis of findings based on data gathered in the assessment phase. This may include year-over-year statistics, security metrics and how they are related to business objectives, as well as overviews describing both sufficient and insufficient areas of the existing security strategy.
  • A roadmap including both short-term goals and long-term initiatives. Short-term goals will focus on areas of security that most urgently need to be addressed or remediated. Goals and projects on the roadmap will be accompanied by measurable outcomes, metrics, and a budget.

CISOs lead the business’s security program by developing and deploying company-wide initiatives that firm up policy frameworks and help spread awareness about the importance of secure work practices. New CISOs coming into a business will usually frame their initiatives around the company’s overall goals. This may include, but is not limited to:

  • Improving the customer’s experience – When customers engage with businesses, they trust that their user data and digital records will be secured and handled appropriately. CISOs need to build their strategy with customer needs in mind and ensure that transactions and data management and storage are in line with industry-specific compliance requirements.
  • Increasing operational efficiency – Businesses will rely on their new CISO to keep up with new, leading-edge technologies and solutions that may help with automating operations and staying ahead of cyberthreats. CISOs are also expected to embed incoming cyber intelligence into the rolling strategy, keeping the latest threat vectors, attacks, and cyber trends at the forefront of planning efforts.
  • Driving growth – CISOs play a significant part in driving consistent business growth. When the business builds cyber resilience and has strong defenses in place, it can focus on other areas of operation. CISOs help their business embrace digital adoption to safeguard networks and sensitive customer and employee data. Any policies, frameworks, and technology a new CISO implements should support other business units in working more efficiently and safely.
  • Reducing risk – Threat intelligence helps build secure operations. When developing a new cybersecurity strategy, CISOs will need to factor incoming threat intelligence into their risk management plans and install the right defenses needed for the business to continue operating successfully in the age of hyper connectivity.

A crucial part of this phase is communicating the proposed strategy to stakeholders and obtaining buy-in and agreement on the priorities identified. The strategy’s direction and goals, as well as headcount, financial requirements, and schedule, will need to be approved by the business’s leadership before it is rolled out to the rest of the security directors and managers.

4. Execute | Measure and Communicate Progress and Wins

Successful execution of the new CISO’s cybersecurity strategy requires consistent measurement of the baseline metrics approved in the planning phase. CISOs will lead the effort in setting clear expectations, capturing accurate metrics, and demonstrating progress towards the goals and initiatives.

Regular reporting is a key responsibility new CISOs will need to meet. Reporting should show a portfolio of security metrics and status updates on the development towards all goals on the roadmap. Reports will show evidence of the strategy’s success and highlight any recent wins and emerging challenges while providing an explanation of the tactics or technology used to address obstacles.

As the security landscape evolves, CISOs will also need to adjust their roadmaps at regular intervals and communicate changes to both stakeholders and security initiative leaders. Long-term goals on roadmaps are often subject to changes in business objectives, budget, and both internal and external factors.

5. Maintain | Review the Plan and Iterate for the Future

New CISOs manage their resources to focus on tangible accomplishments – more initial success early in their tenure builds credibility, leading to more buy-in from stakeholders and adoption by directors and managers. This is the positive cycle for improving the security posture across the business. Often, information security is assigned as a responsibility of a few security leads, which creates gaps in knowledge across a business’s various departments. Security is a shared responsibility across all employees in an organization, with the CISO upholding regular awareness campaigns and building support systems.

Once the strategy is put into motion, a new CISO can start to focus on keeping the security of the business as agile as possible. As cyber trends continue to fluctuate and new intel comes in, new CISOs must evolve their plans to meet future requirements of the business. New intel and research give rise to opportunities for improvement and the CISO will spearhead the effort in making the business more adaptable and responsive to the ever-changing threat landscape.

A significant part of this evolution includes enhancing the in-house security team and technology. CISOs will work with other parts of the business to ensure that new hires and promotions are aligned with the growing cybersecurity strategy and that an appropriate training and ongoing cyber education program is in place to support the growing team.

Conclusion

Chief Information Security Officers are a critical pillar in a business’s defenses. New CISOs transitioning into an organization will have a lot to account for, even if there is already a cybersecurity strategy or program in place. Having a set of clearly defined steps can help new CISOs plan and execute their work in a streamlined manner and make best use of the first 90 days of their tenure.

The ramp up strategy described above can help new CISOs move their company towards a stronger security posture. The five key phases – discover, assess, plan, execute, and maintain – serve as a broad outline that newly appointed CISOs can use to start planning and executing on their vision for security. For more in-depth guidance, SentinelOne offers free ebooks for new CISOs including 90 Days | A CISO’s Journey to Impact – Define Your Role and 90 Days | A CISO’s Journey to Impact – How to Drive Success.

CISOs around the globe have partnered with SentinelOne to augment their security vision and safeguard their critical data. As new CISOs begin to pursue security resilience, shore up urgent vulnerabilities, and implement long-term initiatives such as endpoint protection, cloud security, detection and response capabilities and more, SentinelOne’s industry experts are on hand to assist CISOs as they stand up their new strategies. Contact us for more information, or sign up for a demo today.


Botched Crypto Mugging Lands Three U.K. Men in Jail

Three men in the United Kingdom were arrested this month for attempting to assault a local man and steal his virtual currencies. The incident is the latest example of how certain cybercriminal communities are increasingly turning to physical violence to settle scores and disputes.

Shortly after 11 p.m. on September 6, a resident of the Spalding Common area of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence.

“The three men made off in a VW Golf and were shortly stopped nearby,” reads a statement by the Lincolnshire Police. “The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot.”

Thomas Green, 23, Rayhan Miah, 23, and Leonardo Sapiano, 24 were all charged with possession of the weapons, and “with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”

KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts.

Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police uniform when they approached his residence.

“They were obvious about being fake police, so much so that one of our neighbours called,” Discoli said in an instant message chat. “That call led to the arrests. Their intent was for robbery/blackmail of crypto, I just happened to not be home at the time.”

The Lincolnshire Police declined to comment for this story, citing an ongoing investigation.

Discoli said he didn’t know any of the men charged, but believes they were hired by one of his enemies. And he said his would-be assailants didn’t just target him specifically.

“They had a list of people they wanted to hit consecutively as far as I know,” he said.

The foiled robbery is the latest drama tied to members of certain criminal hacking communities who are targeting one another with physical violence, by making a standing offer to pay thousands of dollars to anyone in the target’s region who agrees to carry out the assaults.

Last month, a 21-year-old New Jersey man was arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals.

Prosecutors say Patrick McGovern-Allen recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.

McGovern-Allen and the three U.K. defendants are part of an online community that is at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups to steal cryptocurrency from one another and to keep their rivals in check.

The Telegram chat channels where these young men transact have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window. Indeed, prior to McGovern-Allen’s arrest, his alleged Telegram persona bragged that he’d carried out several brickings for hire.

Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in Telegram chat channels focused singularly on SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.

Unsurprisingly, the vast majority of people currently being targeted for brickings and other real-life physical assaults via Telegram tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).

The United Kingdom is home to a number of young men accused of stealing millions of dollars worth of cryptocurrencies via SIM swapping. Joseph James O’Connor, a.k.a. “Plugwalk Joe”, was arrested in Spain in July 2021 under an FBI warrant on 10 counts of offenses related to unauthorized computer access and cyber bullying. U.S. investigators say O’Connor also played a central role in the 2020 intrusion at Twitter, wherein Twitter accounts for top celebrities and public figures were forced to tweet out links to cryptocurrency scams. O’Connor is currently fighting extradition to the United States.

Robert Lewis Barr, a 25-year-old Scottish man who allegedly stole more than $8 million worth of crypto, was arrested on an FBI warrant last year and is also fighting his extradition. U.S. investigators say Barr SIM swapped a U.S. bitcoin broker in 2017, and that he spent much of the stolen funds throwing lavish parties at rented luxury apartments in central Glasgow.

In many ways, these violence-as-a-service incidents are a natural extension of “swatting,” wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address. According to prosecutors, both Barr and O’Connor have a history of swatting their enemies and their SIM swapping victims.

The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good

This week, ten individuals and two entities were sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) for their roles in a variety of malicious cyber acts, including ransomware activity. The individuals are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and tracked under a number of threat actor names, including TunnelVision and APT 35.

The individuals and entities have been responsible for a number of campaigns throughout 2021, targeting and compromising U.S.-based transportation providers, healthcare practices, emergency service providers, and educational institutions. The sanctioned cyber actors were observed exploiting Microsoft Exchange vulnerabilities such as ProxyShell to attack and disrupt the services of an electric utility company, among others.

The IRGC-affiliated group is comprised of employees and associates of Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System), OFAC said. The ten individuals were named as “Mansour, Ali Ahmadi, Mohammad Ahmadi, Mahdavi, Rashidi, Khatibi, Nikaein, Mostafa, Mojtaba, and Shakeri”.

Three of the ten sanctioned individuals–Mansour, Khatibi, and Nikaein–have also been indicted for violating the Computer Fraud and Abuse Act (CFAA) and conspiring to violate the CFAA. A reward of up to $10 million is being offered for information leading to their identification or location.

The Bad

North Korean threat actor Lazarus has been up to its old tricks again in a continuation of its Operation Dream Job campaign, first observed in 2020. Now, the threat actors are using a trojanized version of the PuTTY SSH client to infect victims who fall for a fake Amazon job assessment.

The original Operation Dream Job campaign lured unsuspecting employees of prominent U.S. defense and aerospace companies with fake job offers in an attempt to install backdoors and spyware. Now, researchers have discovered that the Lazarus group’s latest ruse is to send emails to targets with a lucrative job offer at Amazon. The respondents then chat with the attackers via WhatsApp, where they are requested to take an assessment test and to download an ISO file called amazon_assessment.iso.

The .iso file includes a “readme.txt” with an IP address, login credentials and a PuTTY.exe executable. The executable contains a working version of the open-source SSH console application but has also been modified to infect the victim with a Themida-packed DLL. The malicious DLL contains shellcode that results in opening a backdoor on the victim’s device to allow the attackers to conduct espionage and other malicious activities. The backdoor is configured with three C2 URLs:

hxxps://hurricanepub[.]com/include/include.php
hxxps://turnscor[.]com/wp-includes/contacts.php
hxxps://www.elite4print[.]com/support/support.asp

It is not known at this point how widespread the campaign is, but further details and IoCs are available here.
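The C2 URLs above are published defanged (hxxps, [.]), which is the right way to print them but not the form in which they appear in proxy or DNS logs. The following is an added example, not code from the original post or from the researchers who reported the campaign: it refangs the three indicators and runs them over a few constructed proxy log lines (the log format, client addresses and timestamps are invented for the example), reporting an exact host-and-path hit separately from a request to the same host with a different path, since the latter is a weaker but still worthwhile signal.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# The three C2 URLs from the write-up, kept in the defanged form it uses.
DEFANGED_C2 = [
    "hxxps://hurricanepub[.]com/include/include.php",
    "hxxps://turnscor[.]com/wp-includes/contacts.php",
    "hxxps://www.elite4print[.]com/support/support.asp",
]

# Constructed proxy log lines ("timestamp client method url status"); not real traffic.
SAMPLE_PROXY_LOG = """\
2022-09-14T10:01:02Z 10.1.2.3 GET https://www.example.com/ 200
2022-09-14T10:01:09Z 10.1.2.3 POST https://turnscor.com/wp-includes/contacts.php 200
2022-09-14T10:02:11Z 10.1.2.7 GET https://turnscor.com/ 200
2022-09-14T10:03:40Z 10.1.2.3 POST https://WWW.elite4print.com/support/support.asp?id=1 200
2022-09-14T10:04:00Z 10.1.2.9 GET https://cdn.hurricanepub.com/x.js 200
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator can be compared with live log data."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(defanged, real)
    return s


def c2_indicators(defanged: List[str] = DEFANGED_C2) -> Set[Tuple[str, str]]:
    """(hostname, path) pairs for each C2 URL; urlsplit().hostname is already lower-cased."""
    return {(urlsplit(refang(u)).hostname, urlsplit(refang(u)).path) for u in defanged}


def match_proxy_log(log_text: str, indicators=None) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client, level, url) for each line that touches a C2 host.
    level is "url" for an exact host+path hit and "host" for any other request to that host."""
    indicators = c2_indicators() if indicators is None else indicators
    hosts = {h for h, _ in indicators}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = parts.hostname
        if host is None or host not in hosts:
            continue
        level = "url" if (host, parts.path) in indicators else "host"
        hits.append((n, client, level, url))
    return hits


if __name__ == "__main__":
    for n, client, level, url in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {client} -> {url} [{level} match]")
```

The query string is ignored on purpose (the C2 paths are fixed, the parameters need not be), and the comparison is on the parsed hostname rather than a substring match, so `cdn.hurricanepub.com` in the sample is not reported; widen `hosts` to a suffix match if you want registered-domain hunting as well.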

The Ugly

This week’s Patch Tuesday was notable for more than the usual fixes of zero days and other Microsoft bugs, with MSFT revealing that this year the company had patched 1000 CVEs already, reaching “a sizable milestone for the calendar year” and a stark reminder of just how big an attack surface the OS vendor’s sprawling suite of products provides. Also notable was what was not patched: a bug in Microsoft Teams desktop client that allows attackers to access authentication tokens and accounts with multi-factor authentication (MFA) turned on.

The Teams vulnerability is present across OS platforms Windows, Linux and macOS and revolves around the fact that Teams stores user authentication tokens in clear text on the user’s local drive in locations that are unprotected by user access or TCC controls, meaning they can be read not just by someone with access to the machine but by other processes, including malicious ones, running as the same user.

The locations for each platform are:

Windows

%AppData%\Microsoft\Teams\Cookies
%AppData%\Microsoft\Teams\Local Storage\leveldb

Linux

~/.config/Microsoft/Microsoft Teams/Cookies
~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb

macOS

~/Library/Application Support/Microsoft/Teams/Cookies
~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb

Researchers discovered that these locations contain valid authentication tokens, account information, session data, and marketing tags that can be scraped by info-stealing malware and used to login remotely, bypassing MFA and gaining full access to the user’s account.

Microsoft, for their part, have said that the vulnerability “does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network”. Make of that what you will, but with news just in that Uber are investigating a breach that involved socially-engineering a user with MFA turned on, maximum coverage across all attack surfaces should be top of mind. Security teams worried about the Teams vulnerability can find mitigation advice here.
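The practical consequence of the storage locations above is that any process running as the user can read them and pull out bearer tokens, which is exactly what an info-stealer does. The following is an added example, not code from the original post or from the researchers who reported the issue: it walks the Teams store paths listed above for the current platform and reports every JWT-shaped string whose header and payload decode as JSON, along with its audience and whether it is still within its `exp` window. The leveldb-style sample blob, the `skypetoken_asm` key name and the token inside it are constructed for the example; the scanner makes no assumption about leveldb framing beyond the tokens being stored as plain text, and it never verifies a signature, because the finding is that the token is readable at all.

```python
import base64
import json
import os
import re
import sys
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The storage locations listed above; os.path expands %AppData% / ~ per platform.
TEAMS_STORES = {
    "win32": [r"%AppData%\Microsoft\Teams\Cookies",
              r"%AppData%\Microsoft\Teams\Local Storage\leveldb"],
    "linux": ["~/.config/Microsoft/Microsoft Teams/Cookies",
              "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb"],
    "darwin": ["~/Library/Application Support/Microsoft/Teams/Cookies",
               "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb"],
}

# A JWT is header.payload.signature in base64url; a JSON header always encodes to a
# string beginning "eyJ" ('{"'), which is the prefix a stealer greps these files for.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url_decode(seg: bytes) -> bytes:
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))


def find_jwts(blob: bytes, now: Optional[float] = None) -> List[Dict]:
    """One record per JWT-shaped string whose header and payload decode to JSON objects.
    The signature is deliberately not verified."""
    now = time.time() if now is None else now
    hits = []
    for m in JWT_RE.finditer(blob):
        header, payload, _sig = m.group(0).split(b".")
        try:
            h = json.loads(_b64url_decode(header))
            p = json.loads(_b64url_decode(payload))
        except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass ValueError
            continue
        if not (isinstance(h, dict) and isinstance(p, dict)):
            continue
        exp = p.get("exp")
        hits.append({"offset": m.start(), "alg": h.get("alg"), "aud": p.get("aud"),
                     "exp": exp, "live": isinstance(exp, (int, float)) and exp > now})
    return hits


def scan_stores(platform: str = sys.platform) -> List[Tuple[str, Dict]]:
    """Walk this platform's Teams stores and report every decodable token with the file it sits in."""
    findings = []
    for pattern in TEAMS_STORES.get(platform, []):
        root = Path(os.path.expandvars(os.path.expanduser(pattern)))
        if not root.exists():
            continue
        files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for f in files:
            findings.extend((str(f), hit) for hit in find_jwts(f.read_bytes()))
    return findings


def _unsigned_jwt(payload: dict) -> bytes:
    """Constructed test token with a dummy signature; not a real Teams token."""
    def enc(obj) -> bytes:
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=")
    return (enc({"alg": "RS256", "typ": "JWT"}) + b"." + enc(payload) + b"."
            + base64.urlsafe_b64encode(b"\x00" * 32).rstrip(b"="))


# Constructed stand-in for a leveldb fragment: binary framing around a key/value pair,
# followed by a decoy that matches the regex but whose header is not JSON ('{"decoy_junk').
SAMPLE_BLOB = (
    b"\x01\x00\x00\x00_https://teams.example.test\x00\x01skypetoken_asm\x00\x00"
    + _unsigned_jwt({"aud": "https://teams.example.test",
                     "oid": "00000000-0000-0000-0000-000000000000", "exp": 4102444800})
    + b"\x00\x00eyJkZWNveV9qdW5r.bm90YWpzb24.c2lnbmF0dXJl\x00"
)

if __name__ == "__main__":
    for path, hit in scan_stores():
        print(f"{path}: alg={hit['alg']} aud={hit['aud']} exp={hit['exp']} live={hit['live']}")
```

Run it as the logged-in user with Teams installed and every line it prints is a token that any other process under that account could have lifted the same way; the `live` flag tells you which of them would still be accepted today. The mitigation side is the mirror image: alerting on any process other than Teams opening these paths, and treating a hit against them by an EDR as a credential theft rather than a file read.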

From the Front Lines | Slam! Anatomy of a Publicly-Available Ransomware Builder

The barrier to entry for enterprising cybercriminals has been dropping considerably over recent years, in part due to the availability of RaaS (Ransomware as a Service) offerings on the darknet but also due to publicly-accessible code being shared for free. One such offering is the Slam Ransomware Builder, which had been hosted until recently on Github. In this post, we highlight how free ransomware builders like Slam offer an easy route into cybercrime and yet present a credible threat to organizations and enterprises. We provide a detailed list of indicators to help security teams detect and protect against Slam ransomware payloads.

Ransomware For “Educational Purposes Only”?

The Slam Ransomware Builder first appeared in late 2021, with Slam ransomware payloads appearing in the wild shortly after (e.g., ConsoleApp2.exe). During mid-2022, downloadable and executable versions of the Slam Ransomware Builder appeared on a publicly-visible repository on Github and were available for several months until Github admins removed the repository on September 1st, 2022.

The owner of the now-removed repository dubbed it “The Most Advanced Free Ransomware Builder” and has a history of providing “educational” videos on Vimeo, Youtube and KZHome, instructing viewers how to build ransomware and “virus payloads”.

Slam ransomware builder video hosted on Vimeo

While the author’s public postings contain the usual “for educational purposes only” and “don’t try this” disclaimers to avoid responsibility, they also contain language such as “most advanced ransomware” and “damage rate: destructive”.

Slam ransomware builder video hosted on Youtube

The author had described the ransomware’s behavior in detail in earlier publicly-posted videos, describing how victim data could be exfiltrated to an attacker-controlled site.

The author’s reasons for distributing free ransomware builders can only be guessed at, but despite being free, the builder and payloads are genuine threats that can cause real damage. As our analysis below shows, Slam is a full-featured ransomware with AES256 encryption, UAC bypass, shadow backup copy deletion and data exfiltration capabilities. In other words, everything needed to lock and steal enterprise data.

Slam Ransomware Builder Features

The most recent release of the Slam ransomware builder prior to being removed from Github was version 1.7. Earlier versions of the tool supported either English or Spanish locales, while later versions including 1.7 allow toggling between the two.

The existing feature set includes the following:

  • Fully customizable ransom notes
  • Custom encryption passphrases
  • Allow the ransomware to lie dormant until a network is available
  • UAC Bypass (1)
  • Run external commands with the ransomware launch
  • VSS/ backup deletion
  • Basic file transfers (HTTP) for exfiltration

Despite the code being removed from Github, it is possible the author intends to find or already has other distribution outlets. A list of features promised for the future include screen locking, MBR overwrites, and “LogonUI overwriting”.

Upon running the code provided on Github, users of the builder are presented with a menu leading to different builder components or indications of their upcoming release.

Version 1.6 of the Slam Ransomware Builder

When choosing the “slam ransomware builder” option, users must first “Install”, then “Start” to launch the builder interface. This installation essentially consists of writing the builder EXE to c:\slam_ransomware_builder. Any other component requiring an “Install” step will also be written to the root of the C: drive (e.g., c:\slam_mbr_builder).

Once the main interface is launched, the user is presented with a standard set of options for building their ransomware payloads.

Options including the following are present in this interface:

  • Ransom note name and text
  • Wallpaper modification options and images
  • Affected file extensions
  • File encryption (types / extensions to encrypt)
  • Remote folder options (OneDrive)

The tool provides more ‘Advanced’ configuration options as well. These options are accessible via the “advanced” button.

Options in this section include:

  • Network awareness (remain idle until Wi-Fi is available)
  • Verbose output options (decrypter)
  • Persistence (add to startup)
  • Inhibit recovery (website blocking, self-destruction, backup destruction).

The “block antivirus websites” option is meant to inhibit the victims from being able to download security software or check suspicious files on public malware repository sites such as VirusTotal.

The ransomware achieves this by modifying the device’s Hosts file, adding a long list of sites belonging to the likes of Avast, Avira, Bitdefender, CCleaner, Google, Kaspersky, McAfee, Microsoft, Panda Security, Trend Micro, VirusTotal, YouTube, and others. Each site is simply bound to the machine’s loopback address (typically, 127.0.0.1), preventing the domain name from being resolved to an external IP address.
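Because the tampering is a plain-text file edit, it is also easy to audit. The Python below is an added example, not SentinelOne’s code and not part of the original write-up: it parses a hosts file, flags any entry that binds a domain of one of the vendors named above to a loopback or unspecified address, and runs against a constructed sample. The watched domain list is an assumption derived from the vendor names in the text, not the almost 100 domains the payload actually writes.

```python
"""Audit a Windows hosts file for security-vendor domains pinned to a sinkhole address.

Added example: WATCHED_SUFFIXES is an assumption built from the vendor names in the
write-up, not the list the Slam payload writes. SAMPLE_HOSTS is constructed.
"""
import ipaddress
from typing import Dict, List

# Assumed domains of the vendors and services named in the analysis.
WATCHED_SUFFIXES = (
    "avast.com", "avira.com", "bitdefender.com", "ccleaner.com", "google.com",
    "kaspersky.com", "mcafee.com", "microsoft.com", "pandasecurity.com",
    "trendmicro.com", "virustotal.com", "youtube.com",
)

# Constructed sample: a mostly normal hosts file with a few sinkholed vendor entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the example
127.0.0.1       localhost
127.0.0.1       www.virustotal.com virustotal.com
127.0.0.1       WWW.Avast.com   # mixed case plus a trailing comment
0.0.0.0         kaspersky.com
::1             www.microsoft.com
192.168.1.10    intranet.example.local
"""


def is_sinkhole(addr: str) -> bool:
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    name = hostname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """One record per (address, hostname) pair; comments and blank lines are skipped."""
    records: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for hostname in fields[1:]:
            records.append({"line": lineno, "address": fields[0], "hostname": hostname})
    return records


def find_blocked_vendors(text: str) -> List[Dict[str, object]]:
    """Entries that bind a watched vendor domain to a sinkhole address."""
    return [r for r in parse_hosts(text)
            if is_sinkhole(str(r["address"])) and is_watched(str(r["hostname"]))]


if __name__ == "__main__":
    for hit in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['hostname']} -> {hit['address']}")
```

On a live host the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit is worth treating as tampering, since a default hosts file contains no vendor domains at all.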

Some of the almost 100 domain names added to the Hosts file

With regard to bypasses, the version of Slam we analyzed includes a single UAC bypass, based on UACMe, which attempts to defeat Windows User Account Control by abusing the built-in Windows AutoElevate backdoor. UACMe is a bypass technique that has been known for some years and widely abused by a number of other malware families including Multiplug adware, Dyre, Empercrypt and IcedID.

To exfiltrate victim data, the user can specify an HTTP server in the configuration interface, where a connection test can also be performed. If the connection test fails, an error is displayed. Other options available to the user include USB infection and execution of custom commands when the payload is detonated on the victim machine.

Slam Ransomware Payloads

With all options configured, the executable payloads generated are standard EXE files. The builder outputs both the encryptor and decryptor tools.

When executed with non-Administrator privileges, the UAC prompts and/or configured bypasses will come into play.

Slam payload UAC prompt

Post-execution, the victim device is encrypted according to the options configured in the builder.

The payload is written to %AppData%\Local\discord.exe and referenced from a Run key in the registry, ensuring the ransomware payload is persistent.

As advertised, the Slam payload successfully inhibits recovery via removal of VSS backups on an unprotected machine. Both wmic and vssadmin methods are utilized for VSS deletion.

/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

wmic shadowcopy delete

The ransomware also deletes various logs, Windows installation and recovery-related files via cleanmgr.exe. In the payload we analyzed, for example, a process named wgMHhFHnkiczPUNfqaA8Cx4kqwVcRG.exe issues the cleanmgr.exe command with the /AUTOCLEAN parameter, which executes Windows disk cleanup and removes Windows installation files on unprotected devices.

system32\cleanmgr.exe /autoclean /d C:
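The command lines above are distinctive enough to detect from process-creation telemetry. As an added example, not from the original post and not SentinelOne’s code, the Python below applies a small rule set for these recovery-inhibition commands to constructed, pipe-delimited process-creation records and tags each match with T1490, the ATT&CK technique listed later in the post. The record format, the timestamps and every parent/image name other than the ones quoted above are assumptions.

```python
"""Flag recovery-inhibition command lines in process-creation telemetry.

Added example: the record format (timestamp|parent|image|command line) and the sample
records are constructed; only the command lines quoted in the analysis are from it.
"""
import re
from typing import Dict, List

# One rule per recovery-inhibition behaviour seen in the Slam payload.
RECOVERY_INHIBIT_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "cleanmgr_autoclean": re.compile(r"\bcleanmgr(?:\.exe)?\b.*/autoclean\b", re.I),
}
ATTACK_TECHNIQUE = "T1490 - Inhibit System Recovery"

# Constructed sample records. Record 2 is benign on purpose (listing, not deleting).
SAMPLE_LOG = [
    r"2022-09-16T10:01:02Z|discord.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows "
    r"/all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures "
    r"& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r"2022-09-16T10:01:05Z|backupagent.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"2022-09-16T10:01:09Z|wgMHhFHnkiczPUNfqaA8Cx4kqwVcRG.exe|C:\Windows\System32\cleanmgr.exe|"
    r"cleanmgr.exe /autoclean /d C:",
    r"2022-09-16T10:01:12Z|discord.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
]


def matched_rules(command_line: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RECOVERY_INHIBIT_RULES.items() if rx.search(command_line)]


def parse_record(record: str) -> Dict[str, str]:
    """Split one pipe-delimited record; the command line may itself contain spaces."""
    ts, parent, image, cmd = record.split("|", 3)
    return {"timestamp": ts, "parent": parent, "image": image, "command_line": cmd}


def scan_log(records: List[str]) -> List[Dict[str, object]]:
    """Return one alert per record that matches at least one rule."""
    alerts: List[Dict[str, object]] = []
    for idx, record in enumerate(records):
        fields = parse_record(record)
        rules = matched_rules(fields["command_line"])
        if not rules:
            continue
        alerts.append({
            "index": idx,
            "timestamp": fields["timestamp"],
            "parent": fields["parent"],
            "image": fields["image"],
            "rules": rules,
            "technique": ATTACK_TECHNIQUE,
            # Several deletion methods chained in one command line is the stronger signal.
            "severity": "high" if len(rules) > 1 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"], alert["parent"], "->", ", ".join(alert["rules"]))
```

The rules match on the command line rather than the image path, so the chained cmd.exe invocation is caught as one high-severity event while the legitimate “vssadmin list shadows” from a backup agent produces nothing.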

Slam MBR Builder

The Slam builder also contains a very early stage “Alpha” MBR builder tool. Choosing to “Install” should write start.exe to c:\slam_mbr_builder\start.exe. This does not appear to occur in our testing and analysis, and the feature appears to be non-functional in the version of the Slam Builder we analyzed from Github.

However, we were able to obtain a copy of the builder from another source that allowed us to launch the builder and observe the output.

Slam “Alpha” MBR builder

Within the MBR Builder interface, users are able to configure the message displayed to the victim.

Slam MBR Builder Ransom Note Configuration

Prior to executing the build, a final screen allows the attacker to choose the “reboot mode”, with the options being:

  • Do Nothing
  • BSOD
  • Reboot
  • Shutdown
  • Nothing

Payloads from the MBR builder have been observed in the wild with the following PDB string.

C:\slam_mbr_builder\MbrOverwriter\mbrcs\obj\Debug\mbrcs.pdb

Conclusion

In this area and many others of infosec, there is a fine line between “education” and researcher-led offensive security that seeks to explore and improve weaknesses in enterprise defenses on the one hand, and simple, out-and-out malicious code designed to aid and abet criminal offenses on the other. We see no indications in the various public artifacts around the Slam ransomware builder (code, videos, Github repository) that suggest it could reasonably be interpreted as in the service of the former.

However that may be, once in the hands of unscrupulous actors, full-featured projects such as these represent a real risk to enterprises and organizations.

We applaud Github for removing this code and hope this post serves as a reminder to defenders to be vigilant as threat actors continue to simplify the ransomware-centric extortion process. The barrier to entry into the world of cybercrime has never been lower.

SentinelOne Singularity™ detects and prevents malicious behavior associated with Slam Ransomware and its associated artifacts.

Indicators of Compromise

Observed File Names
ConsoleApp2.exe
mbrcs.exe
JpegMedic ARWE
slam ransomware builder.exe

Observed PDB Strings

C:\slam_mbr_builder\MbrOverwriter\mbrcs\obj\Debug\mbrcs.pdb
c:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\obj\Debug\ConsoleApp2.pdb
C:\Users\amdga\Desktop\UACME-master\Source\Akagi\output\Win32\Debug\Akagi.pdb
D:\agent\_work\20\s\binaries\x86ret\bin\i386\vcruntime140d.i386.pdb
c:\slam_ransomware_builder\uac\ConsoleApp2\obj\Debug\ConsoleApp2.pdb
C:\Users\amdga\source\repos\conect\conect\obj\Debug\conect.pdb
C:\Users\ander\source\repos\slam ransomware builder\slam ransomware builder\obj\Debug\slam ransomware builder.pdb

SHA1 Hashes
1ba9043ac164c6c60de4a1ee2ca50b2e7f4ebaf5
2037d9f2e7cd15930e83f5142c5a48adecd3b617
272566e8b5880e32cefb7a165a833652815a003f
27b1ca0793caa19edabfbc49e6cffc05b73093da
2c41f64557056e69541acf5ba52313869122f625
336371f4200af680f73c0b9c51fca5a25dd5754a
35ab1d4924990bf98a8e2e1026f91b5c9052de8e
3fa6705ca1b056a66f25a689dff72af0893f5b86
40bfa92e86484c09f2f7668121a1c4047c17ae72
44aaef83b79f4e963c4fee56250bc053eae5ec64
4879bd193dd73681c977371c857217257f141c92
4cff2b02cb6c1f866499125c003af1032a81b480
5a28f787cc73cffa7b5786faf3298d43e00d12aa
61e8ba86725ec3f4e034c51950cabc6254c5cca5
6325c42719b1aa3a48dd39b8add200054d3e0118
669ce00937bde782a88526205f083861e6d71be1
6e420a6c7b8e2d144df66dcbbae1afba62c82f4b
7429fdf9151dfa9e4d4dc8ef86528313d13dc73f
7690c273c8164a65602ed8f4284f0d50966d27c6
863edff3c71e89349674df35ab07f27ecb6702ef
880c343e75e7e8731f185ce756357599c37be065
8b46ce2ffa24a377ff30ea094e02bc3ba3e808da
8f3dc8437563182e06699763581fd6f7923b7582
9edd3d920fbe89240d52cc8b300a90e5bf576f73
b031d4c3747b58d930f33fe73abbf518dac63a31
be82474f54f49249c43c701c12907ec730e2a723
c5351846988ef5d6e7b95f564416138f59e2092a
c84aeb8c0b3939fd7f6beb9d73e72cc5ed8745db
c998384c7b8cfd2ca881f282dfdbc104d8402bac
ca2999c9c5a17b0253579194f651b4aafdce16f1
cb243b61a8d43816e1de7f0767b1377d0276dd71
cf30cc1e653043df81aa9d8974f2f927ceadc826
d187d81f4d021839e8f6e925dc192e231eb4679c
d635103117daaf2a2b93d465e32e7b722dd4d367
d6c9a556f5770f0a8f8ad05c5d46becd0cd021d3
d94eb94bb3c2c6c0c70916f8be2417ac616e8b43
dc327f3afbb6c770656be16fc885e1090f8395a3
ddba71aae3b8139210f71e835e1b89e90b0bd1dc
e0868fdb2f09d3a4aefe4c79d6af88c2f9b55ce2
e2052995d368355e899a518dbbbab716045abbd1
e9a5b40d0ba5a8bb5c4a1c5471616c93e0851558
ea4f7dda5a64a740a9c5570870ccba2788c69ea6
ee144154139619b8c1d890e5b6f9bf130d929e6f
eeafbbfaaf05d8b7a8a1dc3f7858a21e7fdb0531
f31855a1d5509b1e906caee75db3326515488cbc
fcd90af249796fc3c40e1e94d558b6f2d61304b5

MITRE ATT&CK
T1542.003 – Pre-OS Boot: Bootkit
T1047 – Windows Management Instrumentation
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1564.003 – Hide Artifacts: Hidden Window
T1112 – Modify Registry
T1490 – Inhibit System Recovery
T1486 – Data Encrypted for Impact
T1491.001 – Defacement: Internal Defacement
T1083 – File and Directory Discovery
T1005 – Data from Local System
T0809 – Data Destruction

Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.

The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Image: NCR

Here are some variations on deep insert skimmers NCR found in recent investigations:

Variations on deep insert skimmers recently found inside compromised ATMs.

The image on the left below shows another deep insert skimmer and its constituent components. The picture on the right shows a battery-operated pinhole camera hidden in a false fascia directly to the right of the ATM’s PIN pad.

Images: NCR.

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Image: NCR.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

Image: NCR

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

Image: NCR

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which stops current skimmer designs from locating and locking into the card reader. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

If you enjoyed this story, check out these related posts:

Crooks Go Deep With Deep Insert Skimmers

Dumping Data from Deep Insert Skimmers

How Cyber Sleuths Cracked an ATM Shimmer Gang

Endpoint, Identity and Cloud | Top Cyber Attacks of 2022 (So Far)

Businesses have thrived in the era of more – more tools, more access, and more connections. When it comes to the digital landscape though, the notion of having more doesn’t come without risk. While businesses have continued to grow and scale, cyber attacks have done the same and quickly so.

This post discusses some of the most dangerous endpoint, identity, and cloud-based cyber attacks from the first three quarters of this year. Understanding their causes and impacts is the first step businesses can take to strengthen their defenses against similar attacks in the future.

Endpoint-Based Attacks

Endpoint attacks have evolved in the last two decades from computer viruses to sophisticated ransomware campaigns targeting high-profile organizations. The challenge today is that protecting endpoints isn’t what it used to be. Threat actors are professionalizing, turning ransomware activities into full-scale service models. The rise of Ransomware-as-a-Service (RaaS) means that even low-level cybercriminals can now access and become profitable off of complex malware tools.

In the first three quarters of this year alone, ransomware has targeted multiple critical infrastructure organizations, including those listed below:

  • Bernalillo County (Ransomware attack) – In January 2022, New Mexico’s most heavily populated county experienced a ransomware attack which took out many of its government systems and services. The attack forced officials to keep most county buildings closed to the public.
  • Denso (Pandora Ransomware) – In February, Denso, a Fortune 500 company supplying automotive parts for Toyota, Honda, Mercedes-Benz, Volvo, Fiat, General Motors, and Ford, detected unauthorized third-party access to its network. The attack was later claimed by the Pandora ransomware gang, who then threatened to leak 1.4 terabytes of the company’s trade secrets and transactional records.
  • Bridgestone (LockBit Ransomware) – In March, Bridgestone was hit with a cyber attack that forced operators to shut down affected computer networks and production across its North American factories. The LockBit ransomware group later took responsibility for this attack.
  • Costa Rican Government (Conti) – In April, a ransomware attack on the Costa Rican government led to the first national emergency declared in response to a cyber attack. The attack affected government services, the country’s ministry of finance, and the import and export sectors. The Conti ransomware group later claimed the attack and demanded that the government pay $20 million. Shortly after, the Conti group hit the Costa Rican government a second time, this time using HIVE ransomware to cause widespread disruption of the country’s public health services systems.
  • SpiceJet (Ransomware attack) – India’s second largest airline, SpiceJet, faced a ransomware attack in May, leading to cascading flight delays which stranded many passengers both at airports and aboard aircraft. Many passengers aired their frustrations over the delays and the lack of communication on social media.
  • Entrust (LockBit 3.0) – In June, digital security firm Entrust confirmed that its networks were breached by a ransomware gang that successfully stole data from its internal systems. Entrust’s services include identity management, communications encryption, and secure digital payments, making news of the ransomware attack an immediate concern for organizations using its software for authentication. Entrust was subsequently added to the LockBit 3.0 Tor-based website.
  • Knauf (Black Basta) – In July, the Black Basta ransomware gang claimed responsibility for a cyber attack on Knauf, the multinational building and construction materials giant. Knauf’s global team was forced to shut down all of its IT systems to isolate the attack, which disrupted business operations and delivery processes. Post-attack, Black Basta published 20% of the exfiltrated files, consistent with the group’s reputation for double-extorting its high-profile victims.

In addition, in the 3rd quarter of 2022, CISA and the FBI warned of a number of ongoing, widespread ransomware campaigns currently attacking unnamed businesses and organizations.

  • Zeppelin Ransomware Campaign – In August, the FBI and CISA released a joint cybersecurity advisory to share known indicators of compromise, as well as tactics, techniques, and procedures of Zeppelin malware, which functions as a RaaS. This malware has been used against defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.
  • Vice Society Campaign – In September, the FBI, CISA, and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory warning against a disproportionate increase of ransomware attacks on the education sector by Vice Society in tandem with the start of the 2022-2023 academic year for American schools.

Identity-Based Attacks

Ransomware, data breaches, and supply chain attacks saturate global news headlines, but another rising threat has gained traction in 2022. Identity-based attacks are now a threat businesses keep at the forefront of their threat awareness efforts. With remote workforces, widespread adoption of IoT, and the huge numbers of digital identities being created even for a single organization, the attack surface continues to widen, leaving businesses vulnerable to identity-based exploitation by opportunistic threat actors.

Attacks on Active Directory – Cisco

Too often, threat actors weaponize legitimate tools and solutions that their targets use. Active Directory (AD) works by storing information about objects on a network in a logic hierarchy to make information easy to find for administrators and users. As seen in several identity-based attacks over the last few quarters, threat actors leverage Active Directory (AD) infrastructure in their ransomware campaigns and extortion efforts especially when there is a lack of identity protection. Consider the following examples where ransomware gangs targeted AD as part of their tactics.

In late 2021, researchers reported on a BazarLoader infection that led to network reconnaissance, the use of Cobalt Strike, and finally Conti ransomware. Just three minutes after the initial compromise, the threat actor used ADFind, a command line tool, to enumerate the AD environment from the infected host. By compromising AD, the actors were able to discover users, computers, file shares, and more from the environment. Typically, a threat actor’s next step is to gain access to the domain controller and other network servers, moving laterally through the network.

The Cisco breach that occurred in May 2022 leveraged legitimate employee credentials synced in an employee’s browser and a combination of vishing (voice phishing) attacks and MFA fatigue techniques to achieve VPN access to the targeted network. Once in, the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory.

Abuse of AD serves threat actors well because it is designed to provide convenient access into a network. Compromising AD means threat actors can move deep into the network, escalating their access rights and encrypting and exfiltrating data on the way. With AD being the crown jewels of a business, attackers have zeroed in on identity and access management gaps to reach what they want.

Attacks on Identity Management Platforms – Okta and Lapsus$

In March of this year, Lapsus$ digital extortion gang published what looked like substantial amounts of source code from Microsoft’s Bing and Cortana products. Though a potential Microsoft breach was serious enough, Lapsus$ also posted screenshots of their control over an Okta super admin account. Okta is a popular identity management platform used by thousands of large-scale organizations allowing users to access multiple services and apps through a single login interface.

Lapsus$’s control of an Okta super admin account is dire indeed as businesses increasingly rely on identity management software to streamline login experiences for their employees, partners, and customers. Businesses are falling victim to more account takeovers that directly stem from compromised identity management vendors, giving threat actors system privileges such as resetting account passwords, changing account email addresses, and access to sensitive data.

As ransomware and other malicious actors target on-premises Active Directory and cloud-hosted Azure AD for initial access and lateral movement, identity protection has become a must for organizations.

Cloud-Based Attacks

The accelerated move from on-prem to hybrid and cloud environments has introduced a pressing need for businesses to keep their cloud workloads safe from threat actors. Cloud servers allow businesses to scale with ease, boosting efficiency, but they also require unique considerations such as securing serverless workloads, Kubernetes, virtual machines, and containers.

Amazon Web Services (AWS)

A subsidiary of Amazon, AWS is a comprehensive cloud computing platform providing a variety of on-demand services such as data storage, content delivery, networking, and more. One of its main services is Amazon Simple Storage Service (S3) – an object storage service built to house and retrieve any amount of data for its users. Objects (files) are then stored in S3 buckets which serve as containers for any amount of data belonging to an account.

While AWS S3 buckets are highly popular, they have become a prime target for threat actors because they can be made accessible to the public and are often misconfigured. Once an S3 bucket is compromised, it provides the threat actor with access to enormous amounts of data which they could exfiltrate, use for ransom, sell on darknet marketplaces, or all of the above.

In the recent Civicom data leak, the misconfiguration of an S3 bucket resulted in a massive data leak, compromising over 100,000 files. In this case, the bucket was left open without password or security verification. The online video conferencing firm reported that 8 terabytes of stolen data included the video and audio files of customers’ meetings, recordings, and transcripts. As the firm’s main customer base included B2B companies, much of the data may have contained private company secrets or intellectual property. Further, the leak also revealed personally identifiable information (PII) of many of Civicom’s own employees.

The July breach of Pegasus Airlines showcases yet another example of unprotected S3 buckets leading to data loss. In this attack, the airline reported 6.5 terabytes of data was compromised with over 23 million files publicly exposed. Files in the unprotected bucket were linked to proprietary software developed by the company for use in aircraft navigation and in-flight processes such as take off and landing, refueling, and safety procedures. Pegasus Airlines also confirmed that sensitive information such as the PII of flight crews, source code, secret keys, and even plain-text passwords were also exposed. At least two other affiliated airlines using the same proprietary software may also be compromised in relation to this breach, exponentially increasing the number of total persons affected.
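Both incidents come down to a bucket that anyone on the internet could read. As an added example, not part of the original post and not SentinelOne’s or AWS’s code, the Python below evaluates a bucket policy, a bucket ACL and the public-access-block settings offline (the three documents the S3 API returns from GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock) and reports whether anonymous read access is effectively possible. It places a weak configuration next to a corrected one; the bucket name, account ID, role name and policy contents are all constructed placeholders.

```python
"""Assess whether an S3 bucket is effectively readable by anyone.

Added example (not SentinelOne's or AWS's code). The documents below are constructed in
the shapes the S3 API returns; bucket name, account ID and role name are placeholders.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

READ_ACTIONS = ("s3:getobject", "s3:listbucket")
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed weak configuration: anonymous read via policy and ACL, no protections on.
SAMPLE_POLICY_OPEN = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadRecordings", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-meeting-recordings",
                 "arn:aws:s3:::example-meeting-recordings/*"]}]}
SAMPLE_ACL_OPEN = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PAB_DISABLED = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed corrected configuration: a named role instead of "*", owner-only ACL,
# and every public-access-block flag enabled.
SAMPLE_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProcessorRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/RecordingsProcessor"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-meeting-recordings/*"}]}
SAMPLE_ACL_PRIVATE = {"Grants": [SAMPLE_ACL_OPEN["Grants"][0]]}
PAB_ENABLED = {key: True for key in PAB_DISABLED}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """Both "*" and {"AWS": "*"} mean any principal, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_read(actions: Any) -> bool:
    """True if any action pattern (s3:GetObject, s3:Get*, s3:*, *) covers a read action."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatchcase(read, pat) for read in READ_ACTIONS for pat in patterns)


def public_read_statements(policy: Dict[str, Any]) -> Dict[str, List[str]]:
    """Allow-to-everyone read statements, split by whether a Condition narrows them."""
    found: Dict[str, List[str]] = {"unconditional": [], "conditional": []}
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action")):
            continue
        key = "conditional" if st.get("Condition") else "unconditional"
        found[key].append(st.get("Sid", f"Statement[{i}]"))
    return found


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return [g.get("Permission", "") for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]


def assess_bucket(policy: Dict[str, Any], acl: Dict[str, Any],
                  pab: Dict[str, bool]) -> Dict[str, Any]:
    """Combine policy, ACL and public-access-block settings into one exposure verdict.

    RestrictPublicBuckets stops anonymous callers from using a public policy and
    IgnorePublicAcls neutralises public ACL grants, so both are consulted here.
    """
    stmts = public_read_statements(policy)
    acl_perms = public_acl_grants(acl)
    policy_open = bool(stmts["unconditional"]) and not pab.get("RestrictPublicBuckets", False)
    acl_open = bool(acl_perms) and not pab.get("IgnorePublicAcls", False)
    return {"public_policy_statements": stmts["unconditional"],
            "conditional_public_statements": stmts["conditional"],
            "public_acl_permissions": acl_perms,
            "exposed": policy_open or acl_open}
```

Statements that grant everyone read access but carry a Condition are reported separately rather than as open, because a condition such as a source-IP restriction may or may not narrow the audience meaningfully and needs a human look.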

Kubernetes Vulnerabilities

Kubernetes is an open-source system that automates the deployment, scaling, and management of applications running in containers. It uses a cluster architecture composed of a control plane and one or more virtual or physical machines called worker nodes. The worker nodes host “Pods”, the components of the application workload. The control plane establishes the policy that manages the worker nodes and Pods in the cluster. Since the control plane runs across multiple endpoints to provide fault tolerance and high availability, it is a valuable target for threat actors seeking to leverage its infrastructure for malicious purposes or to cause a denial of service.

As it is hosted in a cloud environment, Kubernetes is afflicted with the same main threat vectors that clouds are susceptible to:

  • Supply Chain Risks – These risks can arise at the container level if a malicious container or third-party application provides threat actors with a foothold in the cluster. Actors could also gain a foothold if any of the worker nodes or part of the control plane were compromised.
  • Malicious Threat Actors – Threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes infrastructure, allowing them to gain access from a remote location.
  • Insider Threats – Administrators, users, and cloud service providers (CSPs) all have access to the physical systems or hypervisors managing Kubernetes nodes. This level of access could be used to compromise a Kubernetes environment.

How SentinelOne Measures Up to 2022 Cyber Attacks

2022 has, so far, been a complex year as businesses settle back into offices and hybrid workspaces but face the ramifications of geopolitical uncertainty, economic downturn, and cyber attacks that are climbing to new heights. Having more tools, access, and connections has no doubt benefited businesses, but it has also opened up a larger attack surface in which threat actors can operate.

While no business is immune from cyber attacks, examining the most dangerous attacks of the first three quarters of 2022 allows for better preparation for the following quarter and beyond. SentinelOne’s autonomous, AI-driven solutions can help deliver comprehensive security for those in search of endpoint, identity, and cloud protection.

Singularity XDR, a single cybersecurity platform, fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, cloud workload protection (CWPP), and identity threat detection and response (ITDR). With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real-time autonomous security layer across all enterprise assets.

Request a demo of Singularity XDR to start leveraging AI-powered prevention, detection, response, and threat hunting across user endpoints, containers, cloud workloads, and IoT devices. Need expert advice? Contact us here.


Wormable Flaw, 0days Lead Sept. 2022 Patch Tuesday

This month’s Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Apple has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released iOS 16, which offers a new privacy and security feature called “Lockdown Mode.” And Adobe axed 63 vulnerabilities in a range of products.

Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is CVE-2022-37969, which is a “privilege escalation” weakness in the Windows Common Log File System Driver that allows attackers to gain SYSTEM-level privileges on a vulnerable host. Microsoft says this flaw is already being exploited in the wild.

Kevin Breen, director of cyber threat research at Immersive Labs, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list.

“Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers,” Breen said. “Once an attacker has managed to gain a foothold on a victim’s system, one of their first actions will be to gain a higher level of permissions, allowing the attacker to disable security applications and any device monitoring. There is no known workaround to date, so patching is the only effective mitigation.”

Satnam Narang at Tenable said CVE-2022-24521 — a similar vulnerability in the same Windows log file component — was patched earlier this year as part of Microsoft’s April Patch Tuesday release and was also exploited in the wild.

“CVE-2022-37969 was disclosed by several groups, though it’s unclear if CVE-2022-37969 is a patch-bypass for CVE-2022-24521 at this point,” Narang said.

Another vulnerability Microsoft patched this month — CVE-2022-35803 — also seems to be related to the same Windows log file component. While there are no indications CVE-2022-35803 is being actively exploited, Microsoft suggests that exploitation of this flaw is more likely than not.

Trend Micro’s Dustin Childs called attention to CVE-2022-34718, a remote code execution flaw in the Windows TCP/IP service that could allow an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.

“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8,” Childs said. “However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”
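As an added defensive check, not part of the article or of Trend Micro’s advisory, the PowerShell snippet below triages a single Windows host against the two preconditions Childs names (IPv6 enabled and IPsec configured) and flags it for priority patching; the cumulative-update KB number is a placeholder, since the article does not give one.

```powershell
# Added example (not from the article): read-only exposure triage for
# CVE-2022-34718, based on the quoted condition that only hosts with IPv6
# enabled AND IPsec configured are affected. Run elevated; changes nothing.

# 1. Is IPv6 bound to any network adapter?
$ipv6Adapters = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { $_.Enabled }

# 2. Is IPsec in use: any rules in the active policy store, or any
#    main-mode security associations currently established?
$ipsecRules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue
$ipsecSAs   = Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue

$meetsPrereqs = ($ipv6Adapters.Count -gt 0) -and
                (($ipsecRules.Count -gt 0) -or ($ipsecSAs.Count -gt 0))

# 3. Has the September 2022 cumulative update been applied? The KB id
#    depends on the OS build and is not in the article: placeholder below.
$kb = 'KB<placeholder>'
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

[PSCustomObject]@{
    ComputerName   = $env:COMPUTERNAME
    IPv6Adapters   = ($ipv6Adapters.Name -join ', ')
    IPsecRuleCount = $ipsecRules.Count
    IPsecSACount   = $ipsecSAs.Count
    MeetsPrereqs   = $meetsPrereqs
    UpdateApplied  = $patched
}

if ($meetsPrereqs -and -not $patched) {
    Write-Warning "IPv6 and IPsec are both in use and $kb is missing: patch this host first."
}
```

Hosts that fail only the IPv6 check are still best patched on the normal cycle; the check orders the queue, it does not shrink it.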

Cisco Talos warns about four critical vulnerabilities fixed this month, two of which — CVE-2022-34721 and CVE-2022-34722 — have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft.

“These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet,” wrote Jon Munshaw and Asheer Malhotra. “Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700 exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner.”

Not to be outdone, Apple fixed at least two zero-day vulnerabilities when it released updates for iOS, iPadOS, macOS and Safari. CVE-2022-32984 is a problem in the deepest recesses of the operating system (the kernel). Apple pushed an emergency update for a related zero-day last month in CVE-2022-32983, which could be used to foist malware on iPhones, iPads and Macs that visited a booby-trapped website.

Also listed under active attack is CVE-2022-32817, which has been fixed in macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 15.7 and iPadOS 15.7, and iOS 16. The same vulnerability was fixed in Apple Watch in July 2022, and Apple credits Xinru Chi of Japanese cybersecurity firm Pangu Lab with its discovery.

“Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS,” Trend Micro’s Childs noted. “Apple does state in its iOS 16 advisory that ‘Additional CVE entries to be added soon.’ It’s possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices.”

Apple’s iOS 16 includes two new security and privacy features — Lockdown Mode and Safety Check. Wired.com describes Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse.

“The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions,” wrote Lily Hay Newman.

“Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS’s general security defenses haven’t been able to keep pace with these specialized threats.”

To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode. Safety Check is located in the same area.

Finally, Adobe released seven patches addressing 63 security holes in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator. More on those updates is here.

Don’t forget to back up your data and/or system before applying any security updates. If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Fortune Names SentinelOne a Top Workplace in Tech 

SentinelOne has been named a Best Workplace in Technology on Fortune’s US Ranking for 2022. Over 150K employees working in the tech industry were surveyed on the quality and consistency of the employee experience on attributes including trust, respect, credibility, fairness, pride, and camaraderie.

We spoke to a few teammates to learn more about what makes our organization a top workplace. Tremendous pride in our leading-edge deep tech, transformative professional and personal opportunities and the equitable culture at SentinelOne were at the top of the list.

David Jung, Staff Software Engineer

David is building his career at SentinelOne and loving his fully-remote New York City lifestyle. He started at SentinelOne a little over three years ago as an intern while studying at the University of British Columbia.

“Working at SentinelOne while I was studying Computer Engineering was life-changing,” said David, who was also a Sentinel during the record-breaking IPO. “There was so much energy in the room the day we went public. There was an intense air of celebration, and then equally as intense – we were ready to get back to work!”

David has enjoyed significant career growth since starting at SentinelOne as an intern. He recently received his third promotion, going from Engineer, to Senior Engineer to now Staff Engineer.


“I have progressed very quickly by working on amazing tech with amazing people. They are all extremely smart, and at the same time, very humble. That’s a great combination.”

David works on the event database team, migrating customers into our systems and querying endpoint detection and response events. This includes developing new features, as well as making our system more scalable and efficient.

“Our goal is to ingest and query as much data as fast as we possibly can,” said David. “The amount that we are dealing with solves a lot of interesting engineering problems and that’s what I like about my job.”

When David is not working, he enjoys biking, running and spending time with his dog Spitzer, a Beagle Terrier mix. He recently picked up a new hobby that allows him to express his creativity.

“I love writing code, but I can’t physically touch it,” said David. “I recently took a 12-week pottery class where I learned how to make bowls, vases and pots. It’s great to make something I can hold onto.”

David’s remote team stays connected on Zoom and Slack. His team recently had an offsite, where they were grateful to connect in person. He also enjoys spending time at the local WeWork.

“My place isn’t that big living in New York City,” said David. “It’s great having the perk to be able to enjoy really cool office space.”

Elena Militsyna, Senior Software Engineer

Writing code is Elena’s favorite part of her job. She’s been working at SentinelOne on the Cloud Security Team for just four months and is proud to be part of such a talented team.


“It’s so cool building something from scratch to help so many customers,” said Elena. “The tech itself is an amazing instrument, but it’s our people who make it all work so well.”

Elena describes our deep technology as the best on the market.

“There’s not many companies that can offer the opportunity to work on state-of-the-art technology,” said Elena. “We are offering solutions that provide direct value to customers by keeping all of their data safe in one autonomous platform. And we just keep getting better!”

Elena said she is also grateful for the focus on wellness and career growth in our workplace culture. Prior to working here, she worked as a Java developer for several companies, including a large corporation and a smaller machine learning startup, and had a chance to compare working environments of different styles. She believes SentinelOne combines the advantages of a corporation with established processes and the innovative vibe and ability to change quickly of a startup.

“Here we have great work-life balance,” said Elena. “We have a very fast pace when we innovate. There can be stress at times, but it’s always balanced. Our team is growing, and the company is giving us the resources we need to grow ourselves and do our best work.”

Elena works in the newly-opened Prague Office in the Czech Republic in Missouri Park with a view of Prague Castle. Built with sustainability in mind, the location has LEED Platinum status, the highest level of certification for green buildings.

“We love going into the office, it’s so fun to work there,” said Elena. “People go in when they can, they want to be together.”

Elena immigrated to the Czech Republic four years ago, from a small town in Russia. She studied complex protection of information systems at Orenburg State University.

“My father encouraged me to study technical things,” Elena said. “Even before I started working in cybersecurity, I studied it for five years. It’s fascinating to me.”

Noa Frankel, Senior Product Manager

Noa is part of a cross-functional global team working on the Singularity XDR Platform, providing customers with a limitless data platform to ingest, retain, correlate, search and action all enterprise security data – real time and historical, from any source.

Noa has been at SentinelOne for two years and has recently relocated to London. Her teammates are located in the US, Israel and Czech Republic.

“Working with people all across the globe provides diverse perspectives,” said Noa. “That diversity allows us to better serve our customers – and each other.”

Noa describes the Sentinel team culture as one of relentless innovation.


“Working with people who are excited about our product is the foundation of our culture,” said Noa. “We are working on a vision and executing as a team. The commitment to innovation is something I feel on a daily basis.”

Noa works in product management in partnership with development, marketing and sales to create product roadmaps and execute our mission.

“Data is the key in the world of XDR,” said Noa. “It is difficult for organizations to make sense of such massive amounts of data and this is what we are here to solve. I am proud to collaborate with other leaders in our space to create a vendor-agnostic taxonomy to help all security teams realize better, faster data ingestion and analysis.”

Noa is also excited about our approach to customers as the first priority of the business.

“I don’t look at our customers as customers, I look at them as people,” said Noa. “I strive to understand their pain points to deliver what answers their needs and deliver on their requests.”

Prior to joining SentinelOne, Noa worked with two other security companies and for the Israel Defense Forces in the Joint Cyber Command. She is grateful for the transparency and equity she feels in her day-to-day interactions at all levels of the organization.

“The people at SentinelOne are the best in the business,” said Noa. “It doesn’t matter what your level is at SentinelOne, you are always encouraged to suggest new things. All input is welcomed and encouraged.”

Is SentinelOne a Good Place to Work?

In addition to this Fortune ranking, SentinelOne has received a number of other recent accolades highlighting our best-in-class culture, including:

  • INC. Best Workplaces 2022
  • Fortune Best Workplaces in the Bay Area 2022
  • Fortune Best Workplaces for Millennials 2022
  • Best Workplaces in the Netherlands 2022
  • Best Workplaces in the UK 2022
  • Best Workplaces for Wellbeing in the UK 2022
  • The Bay Area’s Best Places To Work 2022
  • Comparably Best Company Outlook 2022
  • Comparably Best Company For Global Culture 2022
  • Comparably Best Company in the Bay Area 2022
  • Comparably Best Company for Career Growth 2022
  • Comparably Best CEOs for Women 2022
  • Comparably Best CEOs for Diversity 2022
  • Comparably Best Sales Team 2022
  • Comparably Best Engineering Team 2022

To learn more about our award-winning culture and job opportunities, visit our careers page.

The Good, the Bad and the Ugly in Cybersecurity – Week 37

The Good

This week, the DoJ, FBI, and Portuguese authorities dismantled WT1SHOP, a prolific cybercrime marketplace known for the sale of over 5.85 million records of personal identifiable information (PII). One of the largest of its kind, the market sold pilfered login credentials for retailers and financial organizations, email and PayPal accounts, as well as identification cards and network credentials.

Across WT1SHOP’s website and four of its domains, a DoJ report noted approximately 106,273 users and 94 sellers operated in the marketplace as of December 2021. The report also alleges that Moldovan national Nicolai Colesnicov was the operator and administrator of WT1SHOP. If convicted, Colesnicov faces up to 10 years in federal prison on the charges of conspiracy and unauthorized device tracking.

With WT1SHOP offline, law enforcement teams around the world add another cyber takedown to their books. This year has seen a number of successful darknet seizures, including Hydra Market – a notorious, long-running black market for drugs offering cryptocurrency mixing and laundering services; RaidForums – a popular cybercrime marketplace for selling high-profile hacked data; and SSNDOB – a series of websites harboring the social security numbers, names and birthdays of approximately 24 million U.S. citizens.

The continued crackdowns on these marketplaces produce a snowball effect – with each successful bust, investigators find additional leads and data on the next target, eventually making strides in disrupting the greater cybercrime infrastructure and economy.

The Bad

While back-to-school garners mixed emotions across students (some parts excitement, some parts dread) and parents (relief), cybercriminals are, unfortunately, feeling opportunistic. CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory earlier this week warning of the continuing rise of ransomware attacks on the education sector. The advisory named K-12 institutions as particularly attractive targets to threat actors, as their systems are seen as a deep trove of sensitive student data.

The FBI, CISA, and the MS-ISAC expect the number of attacks to increase throughout the school year. Just hours prior to the advisory, Los Angeles Unified (LAUSD) disclosed a ransomware attack on its IT systems. LAUSD is the second largest school district in the U.S. and supports more than 640,000 students.

The attack was reported to have affected the district’s server infrastructure, but instruction, transportation, student meals, and safety systems were not interrupted. However, ransomware actors typically exfiltrate files from the targeted environment before encryption, allowing them to extort their victims later on even after systems are restored.

Over the years, the impact of ransomware attacks on schools has ranged from restricted access to critical networks and data to the theft of PII leading to identity crime and extortion. With educators continuing to digitize their administrative assets, protecting sensitive data will be a continuing challenge that requires a coordinated effort across federal leadership, edu-tech vendors, school boards, managed security service providers (MSSPs), and the students and educators themselves.

The Ugly

Energy providers headquartered in the United States, Canada, and Japan have found themselves in the crosshairs of Lazarus APT Group, a North Korean-linked cybercrime group. Security researchers reported this week on a cyberattack campaign specifically targeting energy companies and speculated that the “main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives.”

During the six-month-long campaign, Lazarus exploited the Log4j vulnerability to compromise internet-facing VMware Horizon servers and then gain entry into the targeted enterprise networks. After gaining their initial foothold, the APT group deployed an HTTP bot called “VSingle” and a backdoor called “YamaBot” to establish long-term persistence. Further analysis revealed that the group used known malware families as well as a custom remote access trojan now dubbed “MagicRAT”.

Attributed by CISA to the North Korean government, Lazarus Group gained notoriety for a string of high-profile attacks including the Sony hack in 2014 and the WannaCry 2.0 global ransomware attack in 2017. Efforts of the Lazarus hacking group have long supported the DPRK’s espionage-driven cyber objectives. The campaign targeting major global energy providers highlights the group’s capability of coordinating various TTPs and using a wide range of existing and new, bespoke malware to achieve their operational goals.

In July, the US government put a $10 million reward up for offer in return for information on DPRK-linked threat groups and their members. Bounties like this are a part of an ongoing campaign by the U.S. State Department in search of threat intelligence, particularly concerning malicious intentions on critical infrastructure and interference with federal elections.