Transacting in Person with Strangers from the Internet

Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don’t deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you’ve agreed to meet has other intentions.

Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras.

These safe trading places exist because sometimes in-person transactions from the Internet don’t end well for one or more parties involved. The website Craigslistkillers has catalogued news links for at least 132 murders linked to Craigslist transactions since 2015. Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people.

This is not to say that using Craigslist is uniquely risky or dangerous; I’m sure the vast majority of transactions generated by the site end amicably and without physical violence. And that probably holds true for all of Craigslist’s competitors.

Still, the risk of a deal going badly when one meets total strangers from the Internet is not zero, and so it’s only sensible to take a few simple precautions. For example, choosing to transact at a designated safe place such as a police station dramatically reduces the likelihood that anyone wishing you harm would even show up.

I recently stumbled upon one of these designated exchange places by accident, hence my interest in learning more about them. The one I encountered was at a Virginia county sheriff’s office, and it has two parking spots reserved with a sign that reads, “Internet Purchase & Exchange Location: This Area is Under 24 Hour Video Surveillance” [image above].

According to the list maintained at Safetradestations.com, there are four other such designated locations in Northern Virginia. And it appears most states now have them in at least some major cities. Safeexchangepoint.com also has a searchable index of safe trading locations in the United States and Canada.

Granted, not everyone is going to live close to one of these designated trading stations. Or maybe what you want to buy, sell or trade you’d rather not have recorded in front of police cameras. Either way, here are a few tips on staying safe while transacting in real life with strangers from the Internet (compliments of the aforementioned safe trading websites).

The safest exchange points are easily accessible and in a well-lit, public place where transactions are visible to others nearby. Try to arrange a meeting time that is during daylight hours, and consider bringing a friend along — especially when dealing with high-value items like laptops and smart phones.

Safeexchangepoint.com also advises that police or merchants that host their own exchange locations generally won’t get involved in the details of your transaction unless specified otherwise, and that many police departments (but not all) are willing to check the serial number of an item for sale to make sure it’s not known to be stolen property.

Of course, it’s not always practical or possible to haul that old sofa to the local police department, or a used car that isn’t working. In those situations, safetradestations.com has some decent suggestions:

  • Meet at a police station where you can exchange and photocopy each other’s identification papers, such as a driver’s license. Do NOT carry cash to this location.
  • Photocopy the license or identification paper, or use your phone to photograph it.
  • Email the ID information to a friend, or to someone trusted (not to yourself).
  • If you’re selling at home, or going to someone’s home, never be outnumbered. If you’re at home, make sure you have two or three people there — and tell the person who is coming that you will have others with you.
  • At home or an apartment, NEVER let someone go anywhere unaccompanied. Always make sure they are escorted.
  • Never let more than one group come to your home at one time to buy or sell.
  • Beware of common scams, such as checks written for more than the agreed amount, or forged “cashier’s checks” presented when the bank is closed and cannot be called to verify them.
  • If you are given a cashier’s check, money order or other equivalent, call the bank — at the number listed online, not a number the buyer gives you — to verify the validity of the check.

Cyber Risks in the Education Sector | Why Cybersecurity Needs to Be Top of the Class

With summer on its last legs, the phrase “back to school” can be heard everywhere. For opportunistic threat actors though, this holds an entirely different meaning than it does for students, educators, and guardians. Data for 2022 in the US suggests that the education sector has seen an increase in monthly cyberattack volume since 2021. In the UK, government statistics indicate that 62% of higher education institutions reported experiencing breaches or attacks at least weekly in the previous 12 months.

On a global level, key statistics for 2022 showed that:

  • In July, the education sector experienced double the number of weekly cyberattacks when compared to other industry averages.
  • Education is the most targeted industry, with an average of 2297 cyberattacks against organizations each week in the first half of 2022, a 44% increase compared to the first half of 2021.

Cybersecurity in K-12 and higher educational organizations is complicated by multiple factors, including a large and disparate attack surface, varying degrees of cybersecurity awareness among users, restricted budgets, and the need for strategic oversight at the management level. On top of that, schools sit on a trove of valuable personal data belonging to students, staff and even parents that is attractive to threat actors.

In this post, we review the risks facing the education sector and discuss recent policy initiatives and cyber defense solutions to help schools, colleges, and universities better manage the cybersecurity challenges they face.

Student PII and Education Software

As school districts lean further into digitizing their methods of teaching, learning, and managing students’ progress, threat actors are leveraging these tools as springboards to accessing student data. In particular, student tracking software is a direct gateway for actors to obtain students’ personally identifiable information (PII), defined by NIST as any data that can be used to distinguish or trace an individual’s identity.

Student tracking software is used by educators to document and manage day-to-day student data such as absenteeism, learning or developmental challenges, disciplinary action plans, reporting, and more. While this type of software greatly helps educators support students, threat actors are targeting the technology for malicious purposes.

The data breach reported by California-based education technology (ed-tech) vendor Illuminate Education is a recent example of this. Illuminate Education, which integrates K-12 technology systems for student instruction, assessment, and data analytics, fell victim to a data breach that exposed student PII across two of the US’ largest public school systems, the New York City Department of Education and the Los Angeles Unified School District (LAUSD), with cyber incidents beginning to crop up in other states as well. This breach is especially concerning as Illuminate Education claims to reach 17 million students across 5200 American school districts.

Cybercriminals Hone in on School Data Stockpiles

Schools and the technology they use to collect and manage information offer an attractive target for threat actors as they represent a gateway to data, and lots of it. Schools hold large amounts of sensitive data not only on their students but also on parents and staff.

Unfortunately, where there is data online, there is cyber risk. Sensitive data such as addresses, birthdays, social security numbers, loan applications, and tuition-related banking information can all be targeted by threat actors, who advertise it for sale on online criminal marketplaces and publicly-accessible forums. Even delicate data like notes about a student’s home life, illnesses, ethnicity, test scores, citizenship or migration status can be leveraged by threat actors in reconnaissance efforts and profiling.

In the short term, exposure of the PII stored by a school can lead to a variety of follow-on attacks, including data breaches through phishing, ransomware attacks, Distributed-Denial-of-Service (DDoS) attacks, and even hacktivism through “zoom-bombing”, “meeting invasions”, and email spamming.

Identity theft is another cyber risk stemming from compromised student PII. Higher education institutions are particularly likely to report impersonation attacks, but the problem has been reported in K-12 schools as well. Earlier this year, one family found that their child’s name was being used to apply for a credit card, car loan, and discounts on their “child’s” electric utility account. The child’s personal information had been part of a data breach at their elementary school just a few months prior. From a threat actor’s perspective, credit checks are rarely conducted on children and teenagers, meaning any fraudulent activity carried out in their names may not be noticed until months or years later.

In terms of long-term consequences, there is the potential for stolen PII to be misused in ways that could affect a future college, loan, or even job application. In the Illuminate Education data breach, reports stated that personal details of both present and former students dating back more than a decade had been compromised.

Attention & Action Taken at the Federal Level

Mounting cyberattacks on education are making their way to policymakers at the federal level. In late 2021, President Biden signed the K-12 Cybersecurity Act calling for the Cybersecurity and Infrastructure Security Agency (CISA) to analyze cyber risks faced by elementary and secondary schools and develop recommendations on how to assist them in facing threats.

In March of this year, President Biden’s State of the Union address called on Congress directly to strengthen privacy protections for children, including the collection of their personal data.

This was followed in June 2022 by the Federal Trade Commission (FTC) issuing a policy statement reiterating the Children’s Online Privacy Protection Act (COPPA) for ed-tech providers. Their August statement outlined the following:

  • Providers must not collect more information than is necessary when accessing a child’s online activity,
  • A child’s personal information can only be used for the benefit of their school,
  • A child’s personal information cannot be kept longer than needed for the specific purpose of data collection, and
  • Processes must be put in place to maintain the privacy, security, and integrity of the child’s personal information.

#StopRansomware | Vice Society

In their latest joint cybersecurity advisory, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reported on increasing ransomware attacks on the education sector by Vice Society, a hacking group engaged in intrusion, exfiltration, and extortion.

US authorities warn that “Vice Society actors [are] disproportionately targeting the education sector with ransomware attacks.” The group is known to deploy common ransomware available on the darknet such as HelloKitty and Zeppelin.

The advisory outlines the scope of impact to include “restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff”. Attacks by this particular hacking group are just one example amongst the wave of attacks on the sector.

As the school year starts this week across American schools, the FBI, CISA, and MS-ISAC anticipate the number of attacks to increase. At a higher level, this joint advisory is part of an ongoing #StopRansomware effort published to detail observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) to help network defenders and organizations protect against ransomware.

SentinelOne in Defense of the Education Sector

While more restrictive policies are yet to be enforced on ed-tech vendors, vulnerable school districts are not helpless against cyberattacks. Schools can bolster their cyber defenses against ransomware, DDoS attacks, identity theft, and more by implementing a single, robust security platform to ensure full transparency across their networks and endpoints.

Many schools without the resources to fund and staff dedicated security teams choose to outsource cybersecurity to an MSP (Managed Service Provider) or MSSP (Managed Security Service Provider), an increasing number of which rely on SentinelOne’s Singularity platform to provide managed security services to schools and other organizations.

Educational institutions can partner directly with SentinelOne and take advantage of AI-powered prevention, detection, response, and advanced threat hunting capabilities. SentinelOne’s single autonomous platform delivers protection for Chromebooks, Macs, Windows and Linux devices, as well as server and cloud workload protection. The school’s IT team can see everything happening across their network at machine-speed, staying ahead of threat actors and preventing malicious behavior from developing into full-blown cyberattacks. Schools, colleges, and universities can also rely on SentinelOne’s integrated Identity solution to help prevent breaches through the abuse or theft of credentials.

Conclusion

Protecting the data, services and users within educational organizations is a challenge that requires a coordinated strategy. The complexity of the threat along with the squeeze on resources means planners need to be aware of the risks they face and current government guidelines. Partnering with external cybersecurity providers and deploying a modern, trusted security solution can help address these challenges within the school’s budget.

Leveraging our deep industry knowledge and experience with fighting back privilege escalation and lateral movement, SentinelOne’s Singularity™ XDR delivers comprehensive security with autonomous protection. Through AI-based behavioral detection and superior detection of ransomware attacks, SentinelOne eases the burden on under-resourced school IT teams, leaving staff to focus their attention on operational tasks instead.

To learn more about how SentinelOne helps protect K-12 and higher education, please contact us or request a demo.


Accelerating Your Cloud Security with Workload Protection

As more organizations make the shift towards hybrid and cloud environments, security teams need a new way to keep their cloud workloads safe from cyber threats. Cloud services offer organizations a scalability that isn’t possible with on-premises infrastructure as well as a boost to efficiency; however, the shift also comes with unique security considerations. Outside the scope of typical cybersecurity practices, cloud computing requires organizations to secure containers, virtual machines, serverless workloads and Kubernetes, whether the cloud is public, private, or a hybrid of both.

While the cloud has hugely supported a modern, digital means of collaboration and operation, especially since the COVID-19 pandemic, its adoption also brings its own cyber risks. Organizations can mitigate these risks by implementing a holistic security strategy focused on workload protection for their cloud environments.

Defining a Security Strategy for Cloud

The increase of remote work has given rise to cybersecurity threats to both cloud and hybrid workspaces. With new attack techniques plentiful in the vast threat landscape, threat actors are taking advantage of the larger attack surface as organizations start to store more data and offer services in the cloud.

Defining a security strategy for cloud starts with discovery based on an organization’s core business objectives, principles, and priorities. No security strategy that is out of alignment with an organization’s goals ever proves to be successful – how can you fully protect what you can’t see? Before beginning the migration into cloud, invest time and effort in mapping out the key aspects of your organization, your attack surface, and their relationship to the cloud security you need.

  • What are my organization’s most critical assets/data?
    • What compliance regulations or requirements does my cloud need to meet in terms of storage?
  • What are the most critical cloud threats my organization faces?
    • What processes and technology does my organization have in place to defend against those threats?
  • What are the immediate and long-term impacts should my organization face a successful cyberattack on the cloud?
    • What incident response plans and processes does my organization have in place?
  • What internal and external vulnerabilities does my organization’s cloud have?
    • What is the likelihood of these vulnerabilities being exploited?
    • What processes and technology does my organization have to address these vulnerabilities?

When not managed properly, cloud computing can actually end up exposing organizations to opportunistic cyberattacks. Clouds are particularly vulnerable to misconfiguration, Active Directory vulnerabilities, insider threats, and supply chain attacks. These threats against the cloud will continue to grow in number, so a strong cloud security strategy puts preventative measures in place against breach and data loss.

Choosing the Right Cloud Security Technology

Planning, building, and enforcing the organization’s cloud strategy will be a main area of concern for CISOs and security teams. A large part of that strategy will be the direct result of choosing the right security solution for an organization’s cloud setup. The right solution for an organization’s cloud needs to be scalable, easy to manage, and able to defend against increasingly complex cloud-related cyber threats.

These are the key aspects that a cloud security solution must address:

  • Visibility Management – Cloud-based environments are easy to scale up in response to growing data volumes, which makes them a popular solution for organizations wanting to improve their flexibility and agility. As easy as it is to spin up new workloads in the cloud though, lack of visibility and misconfiguration of those workloads could leave them exposed to potential security vulnerabilities. A foundational step is to maintain deep visibility into what is running in your cloud at all times to limit exposure and reduce risk.
  • Integration Compatibility – Larger organizations with established tech stacks must think about tool compatibility and the quality of their integrations. Especially for organizations who have hybrid environments, existing tools must be able to integrate with the cloud. Having seamless integration between your cloud and your security tools ensures nothing operates in isolation and that data is synchronized in a reliable exchange.
  • Real-time Detection – With enough time and resources, threat actors frequently meet their goals. This makes fast detection the keystone in preventing actors from inflicting critical damage to your cloud environment. With the time between initial intrusion and lateral movement getting shorter, quick detection time is a crucial element of an organization’s defenses.
  • Autonomous Response – A solution that employs artificial intelligence (AI) and machine learning (ML) can be leveraged very effectively to stop modern threat actors from attacking your cloud. AI technology augments security teams by automating the interpretation of attack signals, prioritizing alerts and incidents, and adapting responses based on the scale and speed of the attacker.
  • Data Compliance – Cybersecurity and compliance go hand in hand. Cloud security technology should help organizations meet the requirements of the regulation frameworks they abide by and allow them to use, store, manage, transmit, and protect sensitive data in accordance with applicable controls. This includes, but is not limited to, data encryption and a robust endpoint protection platform (EPP).

Singularity Cloud | SentinelOne’s Approach to Securing the Cloud

SentinelOne enables organizations to protect their endpoints across all cloud environments, public, private, and hybrid, through Singularity Cloud. With thousands of accounts spread across multiple clouds, organizations need the right security in place for their cloud infrastructure. Singularity Cloud works by extending distributed, autonomous endpoint protection, detection, and response to compute workloads running in both public and private clouds, as well as on-prem data centers.

Within the current cyber landscape, cloud workload protection platforms (CWPPs) are the final line of defense in a multi-layer cloud security strategy. Organizations rely on CWPPs like Singularity Cloud for autonomous, real-time detection as well as remediation of complex threats at the VM and Kubernetes pod level, without requiring a human analyst to spot them. Further, Singularity Cloud’s runtime protection of containerized workloads identifies and kills unauthorized processes such as malware, ransomware, and more.

  • AI-Powered Cloud Workload Protection – Behavioral AI detects unknown threats such as zero-day exploits and indicators of compromise consistent with novel ransomware and then quarantines them in real-time. Singularity Cloud protects runtime containers without container interference for Linux, Windows servers, and VMs.
  • Enterprise-Grade EPP & EDR – Get full endpoint detection and response as well as container coverage in one SentinelOne agent. Singularity Cloud allows for complete container visibility with one agent per node and without pod instrumentation.
  • Enterprise Management & Deployment – Choose to auto-deploy the Kubernetes Sentinel Agent, a component of Singularity Cloud, to EKS, AKS, and GKE clusters, or Linux and Windows Server Sentinel Agents to AWS EC2, Azure VM, and Google Compute Engine.

Conclusion

Opportunistic threat actors attacking clouds count on the fact that cloud networks are large, complex, and require in-depth configuration and management. This means it is critical for organizations to choose the right cloud security platform in support of their overarching security strategy. SentinelOne is here to help you improve your cloud security plan and fuse autonomous threat hunting, EDR capability, and security together to fit your business. Contact us today or book a demo to see how Singularity Cloud brings agility, AI-powered security, and compliance to organizations globally.


Violence-as-a-Service: Brickings, Firebombings & Shootings for Hire

A 21-year-old New Jersey man has been arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals. Prosecutors say the defendant recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.

Patrick McGovern-Allen of Egg Harbor Township, N.J. was arrested on Aug. 12 on a warrant from the U.S. Federal Bureau of Investigation. An FBI complaint alleges McGovern-Allen was part of a group of co-conspirators who are at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups.

Prosecutors say that around 2 a.m. on Jan. 2, 2022, McGovern-Allen and an unidentified co-conspirator fired multiple handgun rounds into a residence in West Chester, Pa. Fortunately, none of the residents inside the home at the time were injured. But prosecutors say the assailants actually recorded video of the attack as “proof” that the shooting had been carried out.

A copy of that video was obtained by KrebsOnSecurity. According to investigators, McGovern-Allen was one of the shooters, who yelled “Justin Active was here” as they haphazardly fired at least eight rounds into the lower story of the West Chester residence.

On Dec. 18, 2021, police in Abington Township, Pa., responded to reports of a house fire from homeowners who said it sounded like something was thrown at their residence just prior to the fire.

Weeks later, on the day of the shooting in West Chester, a detective with the Westtown East Goshen Police Department contacted the Abington police and shared another video that was circulating on several online message boards that appeared to show two individuals setting fire to the Abington Township residence. The criminal complaint said the two police officers agreed the same suspect was present in both videos.

A copy of that video also was obtained by KrebsOnSecurity, and it shows at least two individuals smashing a window, then lighting a rag-soaked Mad Dog 20/20 grape wine bottle and hurling it at the side of the home [Update: My apologies for the file download link, but YouTube just deleted both of the videos included in this story — for allegedly violating their community standards].

“The Molotov cocktail caused the immediate surrounding area to ignite, including the siding of the house, grass, and the wooden chair,” the government’s complaint against McGovern-Allen states. “The two suspects then fled on foot toward the street and begin yelling something when the video stops.”

The government mentions the victims only by their initials — “K.M.” in the shooting and “A.R.” in the firebombing — but said both had been the target of previous harassment by rival cybercriminal groups that included swatting attacks, wherein the perpetrators spoof a distress call to the police about a hostage situation, suicide or bomb threat with the goal of sending a heavily-armed police response to a targeted address.

A number of previous swatting incidents have turned deadly. But these more “hands-on” and first person attacks are becoming increasingly common within certain cybercriminal communities, particularly those engaged in SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.

The complaint mentions a handle and user ID allegedly used by McGovern-Allen’s online persona “Tongue” on the Discord chat service (user: “Tongue#0001”).

“In the chats, [Tongue] tells other Discord users that he was the person who shot K.M.’s house and that he was willing to commit firebombings using Molotov Cocktails,” the complaint alleges. “For example, in one Discord chat from March 2022, [the defendant] states ‘if you need anything done for $ lmk [“let me know”]/I did a shooting/Molotov/but I can also do things for ur entertainment.”

KrebsOnSecurity reviewed hundreds of chat records tied to this Tongue alias, and it appears both attacks were motivated by a desire to get back at a rival cybercriminal by attacking the female friends of that rival.

Recall that the shooters in the West Chester, Pa. incident shouted “Justin Active was here.” Justin Active is the nickname of an individual who is just as active in the same cybercriminal channels, but who has vehemently denied knowledge of or participation in the shooting. Justin Active said on Telegram that the person targeted in the shooting was his ex-girlfriend, and that the firebombing targeted another friend of his.

Justin Active has claimed for months that McGovern-Allen was responsible for both attacks, saying they were intended as an intimidation tactic against him. “DO THE PATRICK MCGOVERN ALLEN RAID DANCE!,” Justin Active’s alias “Nutcase68” shouted on Telegram on Aug. 12, the same day McGovern-Allen was arrested by authorities.

Justin Active’s version of events seems to be supported by a reference in the criminal complaint to an April 2, 2022 chat in which Tongue explained the reason for the shooting.

“The video/is [K]’s house/getting shit/shot/justin active/ was her current bf/ the reason it happened,” Tongue explained. “So that’s why Justin active was there.”

The Telegram chat channels that Justin Active and Tongue both frequented have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window.

“If you live near Edmonton Canada dm me need someone bricked,” reads one Telegram message on May 31, 2022.

“If you live near [address redacted] Lakewood, CA, dm [redacted] Paying 3k to slash the tires,” reads another help wanted ad in the same channel on Feb. 24, 2022. “If you live near here and can brick them, dm [address omitted] Richland, WA,” reads another from that same day.

McGovern-Allen was in the news not long ago. According to a Sept. 2020 story from The Press of Atlantic City, a then 19-year-old Patrick McGovern Allen was injured after driving into a building and forcing residents from their home.

“Police found a 2007 Lexus, driven by Patrick McGovern-Allen, 19, that had lost control and left the road, crashing into the eastern end of the 1600 building,” the story recounted. “The car was driven through the steps that provide access to the second-floor apartments, destroying them, and also caused damage to the outer wall.”

A search on the Inmate Locator of the U.S. Bureau of Prisons website shows that McGovern-Allen remains in federal custody at a detention facility in Philadelphia. He’s currently represented by a public defender who has not responded to requests for comment.

A copy of the criminal complaint against McGovern-Allen is available here (PDF).

ANALYSIS

Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in several Telegram channels focused singularly on SIM swapping activity. As a result, the vast majority of the people being targeted for brickings and other real-life physical assaults tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).

There are dozens of SIM swappers who are now teenage or 20-something millionaires, by virtue of having stolen vast sums of cryptocurrencies from SIM swapping victims. And now many of these same individuals are finding that communities like Telegram can be leveraged to hire physical harassment and intimidation of their rivals and competitors.

The primary barrier to hiring someone to brick a home or slash some tires seems to be the costs involved: A number of solicitations for these services advertised payment of $3,000 or more upon proof of successful completion, which usually involves recording the attack and hiring a getaway driver in the town where the crime is to take place (calling a cab or hailing an Uber from the scene of a bricking isn’t the brightest idea).

My fear is these violence-as-a-service offerings will at some point migrate outside of the SIM swapping communities. This is precisely what happened with swatting, which for years was a crime perpetrated almost exclusively against online gamers and people streaming their games online. These days, swatting attacks are commonly used by SIM swapping groups as a way to harass and extort regular Internet users into giving up prized social media account names that can be resold for thousands of dollars.

The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good

This week, the United Kingdom announced plans to roll out a new security framework to protect telecoms networks from cyberattacks. The framework’s regulations and best practices are the result of last year’s Telecommunications (Security) Act, developed with the UK’s National Cyber Security Centre, and a 10-week-long public consultation.

The new framework, which will begin rolling out next month, requires telecommunications providers to identify and assess the risk to any “edge” equipment that could be directly exposed to potential attackers. This includes tightly regulating who is allowed to make network-wide changes, protecting networks from malicious signals, being aware of their network security risks, and ensuring their business processes are in line with good security practices. Providers are required to meet these guidelines within the next two years, or face fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 (approx. $116,000 USD) per day.

This new framework is a positive step towards bolstering the UK’s telecoms security regulations. As various industries continue to digitize their operations, it’s an encouraging sign that legislators are taking the risks that threat actors pose seriously, and implementing cyber hygiene requirements to secure sensitive data for individuals and organizations alike.

The Bad

According to recent reports, the threat actors behind Nitrokod, a cryptocurrency mining trojan, are disguising their malware as software from legitimate developers like Google. Nitrokod works by disguising itself as a clean Windows application, and then executes code to mine the cryptocurrency Monero days or weeks after a user downloads the app.

The scary part? Post-download, the applications appear to be fully functional but are actually loaded with mining malware. Nitrokod’s developers were found to be using Chromium-based frameworks to provide the functionality that the application claims to have. For example, researchers broke down how “the Google translate desktop application is converted from the Google Translate web page using the CEF (Chromium Embedded Framework) project. This gives the attackers the ability to spread functional programs without having to develop them.”

Since their emergence in 2019, Nitrokod’s developers may have infected thousands of systems across eleven countries. Over the past three years, they have distributed cryptomining malware on free software download sites like Softpedia, claiming to be desktop versions of popular online services such as Google Translate, Microsoft Translator Desktop, and MP3 downloader programs.

The threat actors’ disguises have been scarily effective; Nitrokod’s Google Translate app has been downloaded more than 112,000 times since December 2019 on Softpedia alone. Researchers are also warning the public that Nitrokod can evade detection with multi-stage infection campaigns that can continue for years.

Unfortunately, we live in a time where it’s incredibly easy to fall for malware masquerading as a useful application from a legitimate developer. This week, SentinelLabs reported on a novel threat actor called JuiceLedger that has been spreading infostealer malware through fraudulent applications.

The Ugly

Calling all Okta and Authy SMS users: your one-time passwords (OTPs) may be at risk. In the aftermath of a breach involving the cloud communications company Twilio, Okta disclosed that a threat actor dubbed “Scatter Swine” may have accessed sensitive information.

Before this breach, the popular identity and access management (IAM) company used Twilio to serve customers that authenticated their sign-ins through SMS. Okta noted in their threat response summary that they changed providers once details of the breach emerged. However, the investigation found that Scatter Swine actively searched for Okta customer data, including phone numbers and OTP codes.

Okta’s findings show that the threat actor was targeting a specific organization. During the Twilio intrusion, Scatter Swine used previously stolen credentials to trigger SMS-based MFA challenges and searched Twilio’s administrative portal for 38 phone numbers associated with Okta and the affiliated OTPs. During the search, Twilio’s console returned 50 of the most recent messages delivered through Okta’s Twilio account. Earlier this week, Twilio also confirmed that the threat actor successfully accessed Authy 2FA accounts and temporary OTPs.

Okta’s security team also believes Scatter Swine is the same threat actor responsible for multiple phishing campaigns against various technology firms, including the infamous 0ktapus phishing campaign and stealing nearly 1,000 sets of credentials.

The fallout of the Twilio breach demonstrates the devastating consequences that a supply chain attack can have. With attacks like this ramping up, it’s all the more vital for enterprise security teams to ensure their security stack is up-to-date, and to mitigate their cybersecurity risks before threat actors can find an opening to leverage.

Advancing Security | The Age of AI & Machine Learning in Cybersecurity

Modern cyber attackers’ tactics, techniques, and procedures (TTPs) have become both rapid and abundant while advanced threats such as ransomware, cryptojacking, phishing, and software supply chain attacks are on an explosive rise. The increasing dependence global workforces have on digital resources adds another facet to a growing cyber attack surface we all now share. In an effort to stand up to these challenges, businesses task their CISOs with developing, maintaining, and constantly updating their cybersecurity strategies and solutions.

From a tactical standpoint, CISOs ensure that their business’s security architecture can withstand the ever-shifting modern threat landscape. This means choosing the right tool stack, one capable of combating complex cyber threats at the breakneck speed at which they appear. As single-layer, reactive security solutions can no longer keep up with increasingly sophisticated cybercriminals, CISOs now have to stack multi-layered and proactive solutions together to build an adequate defense posture.

Advanced Threats Call for Advanced Solutions

Today, many CISOs know that artificial intelligence (AI) and machine learning (ML) are needed to accelerate and automate the quick decision-making process needed to identify and respond to advanced cyber threats. AI is designed to give computers the responsive capability of the human mind. The ML discipline falls under the umbrella of AI. It continuously analyzes data to find existing patterns of behavior to form decisions and conclusions and, ultimately, detect novel malware.

The task of building the right security stack is also one constantly under discussion, even on a federal level. In May 2022, the U.S. Senate Armed Forces Committee’s Subcommittee on Cyber held a congressional hearing on the importance of leveraging artificial intelligence and machine learning within the cyberspace. This hearing, including representatives from Google and the Center for Security and Emerging Technology at Georgetown University, discussed the use of AI and ML to defend against adversary attacks, effectively organize data, and process millions of attack vectors per second, far surpassing any human-only capability at threat detection.

The committee also highlighted a growing concern in the cybersecurity space: the “shortfall of technically trained cybersecurity personnel across the country in government and industry alike.” The global shortage is concerning, with over 2.7 million cybersecurity roles unfilled according to the 2021 Cybersecurity Workforce Study.

With a decrease in cyber expertise, the alert-to-response ratio can quickly overwhelm many in-house security teams. Leveraging AI can help overworked teams scale up protective services and automate and orchestrate complex, time-consuming response actions. All representatives underscored the value of harnessing AI in cybersecurity, with its key benefits summarized below:

  • Automated Attack Vector Processing – AI is able to process millions of vectors every second and combat emerging attacks by detecting new patterns in real-time.
  • Zero-Trust Model Support – Human patterns are predictable, and disparate data sets without AI are neither useful nor actionable. AI helps build the complete threat analysis needed to sustain a working zero-trust model.
  • Threat Operations Management – AI technology can augment cybersecurity teams by automating the interpretation of attack signals, prioritizing alerts and incidents, and adapting responses based on the scale and speed of the attacker.

Analog Players in a Digital World – The Shortcomings of Legacy AV

In a time long past, the number of malware threats could be reasonably documented and accounted for. Back then, legacy anti-virus (AV) and anti-malware (AM) solutions offered businesses a means of blocking out known threats: malware variants that had already been discovered and assigned a signature, which was then deployed to all protected endpoints. These legacy AV and AM solutions are signature-based, designed to flag known threats but blind to anything unexpected. This leaves a gap between the first use of a piece of malware and the existence of a new signature to block it.

The problem with today’s threat landscape is that threat actors have become incredibly skillful at creating novel malware. VirusTotal reports that it receives 2 million new samples every day. In 2021 alone, they reported that over a million samples signed with legitimate certificates were found to be suspicious. Only able to defend against known threats, legacy AV and AM are simply unable to keep up with the barrage of novel malware, ransomware, incoming zero-day vulnerabilities, or new hacker tradecraft.

During an attack, speed is crucial, but legacy solutions like AV and AM are incapable of detecting and stopping malicious attacks in real time. AVs and AMs are only as good as their last update, and actionable analyses from previous attacks are usually weeks or months old by the time they are usable by these solutions.

Why AI & ML Thrive in the Cybersecurity Arms Race

Artificial intelligence and machine learning can be leveraged very effectively against modern threats, and their capabilities go far beyond the identification and flagging of known threats. They are designed to learn emerging threat patterns and identify new, malicious behaviors based on their similarity to existing exploitations, threat actor TTPs, and malware. The application of AI and ML is invaluable in bolstering an organization’s cybersecurity strategy.

  1. Preventative Strategies & Response – With AI and ML, a security solution can autonomously detect and prevent malicious files and processes early in the attack lifecycle. Most commodity malware attacks can be prevented and remediated before they execute, reducing the attack surface and lowering the burden on the organization’s malware triage team.
  2. Accelerated Threat Hunting – AI and Machine learning, coupled with strong monitoring capabilities, provide SOC analysts with deep visibility into what actually happened on a device during a cybersecurity incident. Rather than facing a long, manual triage process, analysts receive pre-correlated storylines that reveal the relationships between events, in many cases obviating the need to run further forensics tools.
  3. Improved Security Policies – A security solution backed with AI offers users the ability to select the level of protection they want to automate. For example, in the case of a particularly critical device or user, automatic remediation can be enabled on any suspicious activity. In other situations, a more permissive rule might be set, allowing suspicious activity to generate alerts but without any automated remediation.

The SentinelOne Approach | How AI & ML Augment Your Security

The best approach for CISOs building a scalable security stack is to converge AI and ML together with human expert analysts. A smart blend of these can amplify the strengths of a business’s IT team while covering any weaknesses, and the key to this approach lies in automation. SentinelOne’s Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) seamlessly combine automation with both AI and ML to detect and remediate modern attacks in real time, at machine speed, and without extra intervention. This means that businesses can focus their resources on addressing operations-specific tasks. SentinelOne’s EPP solution also fully replaces legacy AV and AM solutions and can be scaled and tailored to fit a business’s specific requirements and processes.

SentinelOne focuses on acting faster and smarter through AI-powered prevention and autonomous detection and response. With the Singularity XDR Platform, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real-time autonomous security layer across all enterprise assets.

Singularity™ Identity provides an easy-to-manage platform that prevents, detects, responds, and hunts in the context of all enterprise assets, allowing organizations to see what has never been seen before and control the unknown. It is the only platform powered by AI that provides advanced threat hunting and complete visibility across every device, virtual or physical, on-prem or in the cloud.

Learn more about how Singularity helps organizations autonomously prevent, detect, and recover from threats in real time by contacting us or requesting a demo.

Final Thoughts on Ubiquiti

Last year, I posted a series of articles about a purported “breach” at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing – which includes providing false information to the press.

As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual.

This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website.