OpenSSL 3 Critical Vulnerability | What Do Organizations Need To Do Now?

Last week, the OpenSSL project team announced the release of OpenSSL version 3.0.7, which will be made available on Tuesday, November 1st. The update is a security fix for a critical vulnerability in OpenSSL 3.0.x, and developers and organizations are being urged to ensure that they patch any instances of OpenSSL 3 in their software stack as a matter of urgency. The vulnerability is reported to affect version 3.0.x and does not impact OpenSSL 1.1.1 or LibreSSL.

SentinelOne customers have instant visibility of OpenSSL versions within their organizations. As such, Singularity XDR becomes a useful visibility solution in ensuring your organization is ready for the Tuesday, Nov 1st OpenSSL updates.

What is OpenSSL?

OpenSSL is an open-source cryptography library widely used by applications, operating systems and websites to secure communications over the internet using SSL (Secure Sockets Layer) and TLS (Transport Layer Security). OpenSSL has been around since 2012, with version 3 released in September 2021, and is one of the most widely used open-source libraries worldwide.

Which Versions Of OpenSSL Are Vulnerable?

OpenSSL version 3.0.0 and higher are vulnerable to the critical security flaw, which is patched in version 3.0.7. The majority of OpenSSL implementations in use today use version 1.1.1 or 1.0.2; however, OpenSSL 3 is bundled with many flavors of Linux, including Red Hat, Fedora, CentOS, Linux Mint and others.

Docker containers typically include some version of OpenSSL, but which version, and whether it is vulnerable, will depend on the original configuration. The library can also be optionally installed on macOS and Windows devices, although by default Macs run the unaffected LibreSSL library. Vulnerable versions of OpenSSL are also used in popular development software like Gradle, privacy tools such as TOR and security platforms like Kali Linux.

Vulnerable

  • OpenSSL 3.0.x

Not Vulnerable

  • OpenSSL 1.1.1
  • OpenSSL 1.1.0
  • OpenSSL 1.0.2
  • OpenSSL 1.0.1
  • LibreSSL

What Is the Risk with OpenSSL 3 Critical Vulnerability?

Although there are few details of the vulnerability at present and a CVE is yet to be assigned, the OpenSSL project says that a critical vulnerability affects common configurations which are likely to be exploitable. In addition, flaws with a ‘critical’ severity rating include those which can be easily exploited remotely or where remote code execution is considered likely.

This isn’t the first time OpenSSL has suffered from a critical vulnerability. In 2014, CVE-2014-0160, dubbed Heartbleed, was discovered in OpenSSL v1.0.1. Heartbleed was due to a buffer over-read in the TLS Heartbeat Extension, which allowed more data to be read than should be allowed. In practice, the bug could be exploited to acquire passwords or encryption keys.

Despite the patch being available the same day the flaw was disclosed, many were slow to patch. The bug was used to compromise a number of websites and steal sensitive data, including Social Insurance Numbers belonging to Canadian taxpayers. Even 5 years after initial disclosure, it was estimated that over 90,000 servers remained vulnerable to Heartbleed.

How To Prepare and Patch the OpenSSL 3 Critical Vulnerability

As with Heartbleed, which was rapidly exploited, organizations need to ensure that they prioritize discovering and patching the OpenSSL critical vulnerability as soon as the update to 3.0.7 is made available, estimated to be between 1300 and 1700 UTC on Tuesday, November 1st.

SentinelOne customers can run queries to determine which endpoints are running vulnerable versions of OpenSSL in the management console. Customers should consult the KB documentation here.

openssl hunting in SentinelOne

End users can run simple queries locally to see if their operating system contains the vulnerable version.

openssl version

An Ubuntu distro vulnerable to the OpenSSL vulnerability.
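To turn that one-line check into something you can run across an inventory, here is an added example (not from the original post) that classifies `openssl version` banners using the rule described above: OpenSSL 3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.x branches and LibreSSL unaffected. The sample banners are constructed; note that LibreSSL also uses 3.x version numbers, so the library name must be checked before the number.

```python
"""Classify `openssl version` output against the OpenSSL 3.0.x advisory.

Added example, not from the original post. Rule (as the post describes it):
OpenSSL 3.0.0 through 3.0.6 are affected, 3.0.7 is the fix, the 1.x
branches and LibreSSL are not affected. LibreSSL uses 3.x numbers too,
so the library name is checked before the version is compared.
"""
import re
import subprocess

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022",
# "OpenSSL 1.1.1q  5 Jul 2022" and "LibreSSL 3.3.6". The trailing
# letter used by 1.x releases is captured separately and ignored.
_VERSION_RE = re.compile(
    r"^(?P<lib>OpenSSL|LibreSSL)\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<letter>[a-z]*)"
)

FIXED_PATCH = 7  # 3.0.7 is the fixed release named in the advisory


def parse_version(banner: str):
    """Return (library, (major, minor, patch)) or None if unrecognised."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch")))
    return m.group("lib"), version


def classify(banner: str) -> str:
    """Return 'vulnerable', 'not vulnerable' or 'unknown' for one banner."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    lib, (major, minor, patch) = parsed
    if lib != "OpenSSL":
        return "not vulnerable"  # LibreSSL is unaffected despite 3.x numbering
    if (major, minor) != (3, 0):
        return "not vulnerable"  # 1.0.x / 1.1.x branches are unaffected
    return "vulnerable" if patch < FIXED_PATCH else "not vulnerable"


def local_openssl_banner() -> str:
    """Run `openssl version` on this host; empty string if not installed."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return ""
    return result.stdout


if __name__ == "__main__":
    # Constructed sample banners, plus whatever the local binary reports.
    samples = [
        "OpenSSL 3.0.5 5 Jul 2022",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "LibreSSL 3.3.6",
        local_openssl_banner(),
    ]
    for banner in samples:
        if banner:
            print(f"{banner.strip():40} -> {classify(banner)}")
```

Feed it the banners collected from hosts or container images (for example via `docker run --rm IMAGE openssl version`) to get a quick vulnerable / not vulnerable split before the 3.0.7 packages land.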

Conclusion

Organizations and IT teams can become weary of patch warnings. Vulnerability discovery is at an all-time high, and despite the evidence that attackers routinely exploit flaws in popular software and operating systems, patch management doesn’t always get the time and resources it should.

Even so, a critical vulnerability in a software library like OpenSSL, which is so widely in use and so fundamental to the security of data on the internet, is one that no organization can afford to overlook or delay, as many learned in the wake of the Heartbleed bug.

As further details emerge over the coming days, SentinelOne will update this post. What organizations can do now is determine how much exposure they have to OpenSSL 3 and allocate the necessary resources to update to 3.0.7 as soon as possible.

Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion

A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on charges that he acted as a core developer for Raccoon, a popular “malware-as-a-service” offering that helped paying customers steal passwords and financial data from millions of cybercrime victims. KrebsOnSecurity has learned that the defendant was busted in March 2022, after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion.

Ukrainian national Mark Sokolovsky, seen here in a Porsche Cayenne on Mar. 18 fleeing mandatory military service in Ukraine. This image was taken by Polish border authorities as Sokolovsky’s vehicle entered Germany. Image: KrebsOnSecurity.com.

The U.S. Attorney for the Western District of Texas unsealed an indictment last week that named Ukrainian national Mark Sokolovsky as the core developer for the Raccoon Infostealer business, which was marketed on several Russian-language cybercrime forums beginning in 2019.

Raccoon was essentially a Web-based control panel, where — for $200 a month — customers could get the latest version of the Raccoon Infostealer malware, and interact with infected systems in real time. Security experts say the passwords and other data stolen by Raccoon malware were often resold to groups engaged in deploying ransomware.

Working with investigators in Italy and The Netherlands, U.S. authorities seized a copy of the server used by Raccoon to help customers manage their botnets. According to the U.S. Justice Department, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) stolen with the help of Raccoon.

The Raccoon v. 1 web panel, where customers could search by infected IP, and stolen cookies, wallets, domains and passwords.

The unsealed indictment (PDF) doesn’t delve much into how investigators tied Sokolovsky to Raccoon, but two sources close to the investigation shared more information about that process on condition of anonymity because they were not authorized to discuss the case publicly.

According to those sources, U.S. authorities zeroed in on an operational security mistake that the Raccoon developer made early on in his posts to the crime forums, connecting a Gmail account for a cybercrime forum identity used by the Raccoon developer (“Photix”) to an Apple iCloud account belonging to Sokolovsky. For example, the indictment includes a photo that investigators subpoenaed from Sokolovsky’s iCloud account that shows him posing with several stacks of bundled cash.

A selfie pulled from Mark Sokolovsky’s iCloud account. Image: USDOJ.

When Russia invaded Ukraine in late February 2022, Sokolovsky was living in Kharkiv, a city in northeast Ukraine that would soon come under heavy artillery bombardment from Russian forces. Authorities monitoring Sokolovsky’s iCloud account had spent weeks watching him shuttle between Kharkiv and the Ukrainian capital Kyiv, but on Mar. 18, 2022, his phone suddenly showed up in Poland.

Investigators learned from Polish border guards that Sokolovsky had fled Ukraine in a Porsche Cayenne along with a young blond woman, leaving his mother and other family behind. The image at the top of this post was shared with U.S. investigators by Polish border security officials, and it shows Sokolovsky leaving Poland for Germany on Mar. 18.

At the time, all able-bodied men of military age were required to report for service to help repel the Russian invasion, and it would have been illegal for Sokolovsky to leave Ukraine without permission. But both sources said investigators believe Sokolovsky bribed border guards to let them pass.

Authorities soon tracked Sokolovsky’s phone through Germany and eventually to The Netherlands, with his female companion helpfully documenting every step of the trip on her Instagram account. Here is a picture she posted of the two embracing upon their arrival in Amsterdam’s Dam Square:

Authorities in The Netherlands arrested Sokolovsky on Mar. 20, and quickly seized control over the Raccoon Infostealer infrastructure. Meanwhile, on March 25 the accounts that had previously advertised the Raccoon Stealer malware on cybercrime forums announced the service was closing down. The parting message to customers said nothing of an arrest, and instead insinuated that the core members in charge of the malware-as-a-service project had perished in the Russian invasion.

“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the team announced Mar. 25. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the WORLD comes to everyone.”

Sokolovsky’s extradition to the United States has been granted, but he is appealing that decision. He faces one count of conspiracy to commit computer fraud; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering, and one count of aggravated identity theft.

Sources tell KrebsOnSecurity that Sokolovsky has been consulting with Houston, Tx.-based attorney F. Andino Reynal, the same lawyer who represented Alex Jones in the recent defamation lawsuit against Jones and his conspiracy theory website Infowars. Reynal was responsible for what Jones himself referred to as the “Perry Mason” moment of the trial, wherein the plaintiff’s lawyer revealed that Reynal had inadvertently given them an entire digital copy of Jones’s cell phone. Mr. Reynal did not respond to requests for comment.

If convicted, Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

The Justice Department has set up a website — raccoon.ic3.gov — that allows visitors to check whether their email address shows up in the data collected by the Raccoon Stealer service.

The Good, the Bad and the Ugly in Cybersecurity – Week 44

The Good

This week, U.S. law enforcement charged a Ukrainian national for his alleged participation in an international cybercrime operation known as Raccoon Infostealer. Authorities say the MaaS (Malware-as-a-Service) infostealer has infected millions of computers worldwide.

Mark Sokolovsky, 26, is currently being held in the Netherlands and is awaiting extradition to the U.S. Sokolovsky was arrested by Dutch police after fleeing Ukraine in March, reportedly in a Porsche Cayenne.

raccoon stealer

Raccoon Stealer is advertised in cybercrime market places and offers its services to other criminals for a subscription of $200 per month. The MaaS allows users access to the malware, which they subsequently deploy on victims’ computers via cracked software and email phishing infection vectors.

After Sokolovsky’s arrest, authorities were able to temporarily take down the infrastructure supporting Raccoon Stealer and identified over 50 million unique credentials including bank accounts, cryptocurrency addresses, credit card numbers and other forms of identification stolen by the operators, many of which belong to U.S. citizens. The FBI has set up a website for any individuals wishing to check if their email address appears in the cache of stolen data.

If found guilty, Sokolovsky, who allegedly used various online nicknames including Photix, raccoonstealer and black21jack77777, faces a maximum penalty of 20 years in prison for wire fraud and money laundering.

Unfortunately, despite Sokolovsky’s arrest and the subsequent dismantling of Raccoon Stealer infrastructure, other members of the gang remain undeterred and have since stood up a new version of the infostealer, continuing to promote it in underground cybercrime forums. The FBI, the Department of Army Criminal Investigation Division (Army CID) and other law enforcement agencies continue to investigate the case.

The Bad

Vice Society, a threat actor group which has been disproportionately targeting the U.S. education sector, continues to be a mounting concern as the threat actor adopts multiple extortion techniques.

A report this week details the TTPs used by this threat actor as it continues its campaigns against schools and colleges. The group variously deploys BlackCat, HelloKitty, QuantumLocker and custom versions of Zeppelin ransomware. In some intrusions, Vice Society demands a ransom without deploying ransomware, instead threatening victims with exposure of the leaked data.

vice society ransomware

As described in a recent report authored by SentinelLabs researchers, data extortion has now evolved into a spectrum of TTPs; Vice Society is just the latest example of a threat actor occupying a fluid position across that spectrum, adapting their approach according to the target.

The researchers note how Vice Society switches between deploying RaaS payloads such as BlackCat to “wholly-owned malware” like Zeppelin and even their own custom variants in different intrusions. In one intrusion, the operators exfiltrated hundreds of gigabytes of data by staging a malicious PowerShell script on a network share.

The threat actors abuse registry commands to disable Windows Defender and often prefer comsvcs.dll and MiniDump over Mimikatz for credential dumping. Vice Society has also been observed exploiting PrintNightmare to elevate privileges in a domain.
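For teams that want to turn the two host-level TTPs just described into detections, here is an added example (not from the SentinelLabs report or this post) that matches process-creation command lines for credential dumping through comsvcs.dll’s MiniDump export and for registry edits that switch off Windows Defender. The events are constructed, and the registry value names and paths are assumptions about what such logs would contain.

```python
"""Detection logic for two Vice Society TTPs named in the post above.

Added example, not from the SentinelLabs report or the original post.
Rule 1 flags comsvcs.dll MiniDump (ordinal #24) invocations used for
credential dumping; rule 2 flags `reg add` commands that set Defender
policy values that disable protection. Events are constructed samples.
"""
import re
from typing import Dict, List, Pattern, Tuple

# Rule set: rule name -> compiled pattern applied to the full command line.
RULES: Dict[str, Pattern[str]] = {
    "comsvcs_minidump": re.compile(
        r"comsvcs(\.dll)?\s*,?\s*(#24|MiniDump)\b", re.IGNORECASE),
    "defender_disable_registry": re.compile(
        r"reg(\.exe)?\s+add\s+.*Windows Defender.*"
        r"\b(DisableAntiSpyware|DisableRealtimeMonitoring)\b", re.IGNORECASE),
}

# Constructed process-creation events: (host, user, command line).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("WS-14", "j.doe", r"C:\Windows\System32\notepad.exe C:\Users\j.doe\notes.txt"),
    ("WS-14", "SYSTEM", r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\out.dmp full"),
    ("SRV-02", "admin", r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ("SRV-02", "admin", r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("WS-07", "SYSTEM", r"rundll32.exe C:\Windows\System32\comsvcs.dll,#24 988 C:\Windows\Temp\m.bin full"),
]


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers."""
    return [name for name, pattern in RULES.items() if pattern.search(cmdline)]


def scan(events: List[Tuple[str, str, str]]) -> List[dict]:
    """Scan events and return one alert per event that triggers any rule."""
    alerts = []
    for host, user, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            alerts.append({"host": host, "user": user, "rules": hits, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['user']}: {', '.join(alert['rules'])} :: {alert['cmdline']}")
```

Both rules should be paired with an allow-list for legitimate administrative tooling in your environment, since `reg add` against Defender policy keys can also come from configuration management.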

Security teams working in the education sector are urged to review Vice Society TTPs as well as bolster their cyber defenses more generally by deploying a robust EDR, reviewing regularly exploited vulnerabilities, and using device discovery to find unmanaged devices on the network.

The Ugly

This week, hacktivists have been busy causing disruption, dismay and offense in two unrelated intrusions. On Thursday, the New York Post reported that it had been the victim of a hack which took over its website and Twitter account. The attackers used their unauthorized access to post offensive content relating to various U.S. politicians, including President Biden and New York Rep. Alexandria Ocasio-Cortez.

Details of the attack so far remain sparse, but it’s not the first time New York Post’s owner, News Corp, has been targeted. A breach in January 2022 was speculatively attributed to a Chinese-linked APT, though it remains unclear at this time whether the cases are connected.

The Iranian Atomic Energy Organization (AEOI) is also investigating a breach apparently in support of the recent nationwide protests following the death of Mehsa Amini in police custody. A hacktivist group calling itself ‘Black Reward’ has leaked 85000 sensitive email messages stolen from servers belonging to one of the AEOI’s subsidiaries. The group says the leaked content contains details of passports and visas of Iranians and Russian nationals who work with the AEIO, as well as contracts, power plant status and technical reports.

black reward hacktivist

Iranian authorities, meanwhile, say that the attackers were from “a specific foreign country” and the purpose was “to attract public attention, create media atmospheres, and psychological operations”, implying that Black Reward is less of a real hacktivist group and more of a state-sponsored knock-off. We’ll have to await further details to emerge before that becomes clear.

Cloud Computing Is Not New | Why Secure It Now?

Cloud computing has seen multiple iterations since its inception in the 1960s and has empowered modern day enterprises, becoming integral to operations and how solutions are delivered. While the development of cloud computing spanned the last sixty-odd years, at what point in time did businesses start factoring in its security?

This post examines a timeline of contributing factors that have led to the security issues many hybrid and cloud-based organizations are facing today. While attacks on the growing cloud surface will continue to evolve, organizations can learn how to put up the right defenses to start safeguarding one of the most business-critical platforms in use today.

How Cloud Computing Came to Be

Slowly entering a post-pandemic world, more businesses than ever are making the move from solely on-prem environments to either cloud or hybrid ones. Use of the cloud is unprecedented and our reliance on it has become a lucrative target for opportunistic attackers.

While cloud computing is seemingly ubiquitous now, its precursor dates back to the 1950s and 60s. Of military origins, a mainframe was first developed to connect computer terminals across an internal matrix to lower the cost of buying and maintaining individual terminals. Developing a technology to provide shared access to a single resource became the ancestor of cloud computing as a technical concept.

The 1970s saw many more advancements in operating systems, storage, and networking. By this time, multiple operating systems could be run in an isolated environment, changing the way operators interacted with data. Moving away from punch cards and teletype printers, they could interact with screen terminals that connected to the mainframe computer for a dedicated network.

By the 1990s, the adoption of non-local storage technology exploded in line with the arrival of the World Wide Web. Huge (by the standards of the time) numbers of personal computers were connected, technology became more widely affordable, and companies began to offer applications over the internet, paving the way for the inception of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).

Though available bandwidth was paltry at first, businesses began to embrace the web and the infrastructure hosting industry was born. The need for data centers boomed and many businesses began to rely on shared hosting and dedicated servers to run their operations. In the 90s, the term “cloud” was used to describe this new, virtual environment and a race was about to begin between technology giants such as Google, Microsoft, and Amazon.

The Tech Giants Enter the Race

In the early 2000s, everyone was accessing the cloud, including governments, financial institutions, healthcare providers, and more. This was the cultural shift that catalyzed a tech-giant arms race with the end goal of gaining more market share in the cloud provider space.

First to hit the scene was Amazon Web Services (AWS) with the launch of their public cloud in 2002. The public cloud was a boon to a generation of small to mid-sized businesses, alleviating their burdens of costly server maintenance and upfront investments on hardware computing resources while helping them solve issues of efficiency and scalability.

The emerging success of AWS spurred Microsoft and Google into action. Google responded by launching Google Docs services, and later, Microsoft with their Azure infrastructure and Office 365 packages. Every tech giant brought unique offerings to the table and each continued in the race to become the new standard for cloud services.

The Afterthought: What About Security?

Security became an afterthought in the race to develop new features and claim space in the cloud provider market, most clearly demonstrated by the sheer volume and only-increasing severity of cyberattacks on the cloud surface.

Features that make cloud services beneficial to businesses are the same features that are often targeted for malicious use by threat actors. Cloud services, while offering significant advances in scaling and efficiency, are particularly susceptible to misconfigurations, insider threats, supply chain attacks, and Active Directory-related weaknesses. Consider the following statistics from the 2022 Thales Cloud Security Report:

  • Multi-cloud adoption has accelerated with 72% of organizations using multiple IaaS providers versus the 57% recorded in 2021.
  • Almost two-thirds of businesses store up to 66% of their company’s critical data in their cloud.
  • 45% of businesses have experienced a cloud-based data breach in the past 12 months, increasing from 40% the year before.
  • 51% of IT professionals share common concerns about the increasing complexity of cloud services and agree that it is more complex to manage privacy and data protection in the cloud.

While businesses and end users benefitted from the tech giants’ race to become the new cloud provider standard, threat actors noted the increasing popularity of and reliance on this technology and began to capitalize on it. Each of the tech giants had claimed that their cloud products were secure while, in reality, they were still trying to solve the problem as it came. Microsoft later began to push their Azure Sentinel services, Amazon AWS acquired a number of security firms, and Google launched Chronicle, their security arm which later merged into Google Cloud.

Shared Responsibility and Security in the Cloud

Though each of these tech giants and other cloud service providers have tried their hand at adding cloud security to their product offerings, this approach has introduced major risks to businesses as it narrows everything down to dependence on a single vendor.

Selling productivity, collaboration, and now security has increased the odds in favor of threat actors who need only one successful attack vector to affect all capabilities of the cloud service provider.

Some cloud vendors themselves have recognized that their responsibility for security cannot extend beyond securing their own infrastructure and that cloud customers must take care of securing what they put in the cloud. This model of shared responsibility means cloud customers are responsible for managing the operating systems, application software and utilities on their cloud instances. The cloud customer also must secure the network configuration of each cloud instance as well as the data and assets they store in the cloud.

As more organizations make the shift over to hybrid and cloud environments and understand the need to own the security of their cloud instances, security professionals are looking for more advanced means of keeping their cloud workloads safe from cyber threats. Beyond adopting basic cybersecurity best practices, cloud security also encompasses security measures for serverless workloads and Kubernetes, containers, and virtual machines.

Successful cloud security strategies require professionals to look at their enterprise environment and understand the risks from across all parts of the whole. This is why enterprises are increasingly turning to extended detection and response solutions to secure their clouds.

The Emergence of XDR to Secure the Cloud

Choosing the right security solution for the cloud is a task made up of several parts. The right solution must be easy to manage, scalable, and able to defend against complex and novel cloud-related threats. An end-to-end cloud security solution should fulfill the following key requirements:

  • Automated Detection & Response – Threat actors count on one thing most during their attack – time. The more time they have, the higher their rate of success is in meeting their goal. This makes detection and response speed paramount to the defense of an environment. Before actors can establish a foothold and damage the cloud, having a quick detection time makes all the difference.
  • Visibility for Assets & Configurations – Clouds are popular with organizations because of their ability to scale up to growing data volumes over time. However, lack of visibility and misconfiguration can leave cloud workloads exposed to potential weaknesses. Having deep visibility in a cloud can help eliminate unnecessary risks and limit the level of exposure.
  • Integration with Existing Tech Stack – While infrastructure vendors do hold some responsibility in providing security, many security professionals will introduce a separate security solution to their tech stack for advanced protection. It is vital this security solution is compatible with other tools and software so that data flows seamlessly between all platforms.

The concept of an open XDR (eXtended Detection and Response) platform provides advanced security coverage where traditional single-point solutions do not. Single-point solutions are those that solve only one problem at a time. In contrast, an open XDR platform can integrate existing solutions, analyze incoming data, receive alerts in real-time, and automatically send responses as needed.

A fully-integrated, open XDR leverages the power of artificial intelligence (AI) and machine learning (ML) against threat actors targeting the cloud surface. By interpreting attack signals and autonomously prioritizing alerts and security incidents, AI and ML provide for an adapted response based on the specific characteristics of the attacker. Behavioral AI and ML have the capability to detect unknown cloud-based threats such as zero-day exploits and indicators of compromise that are similar to novel ransomware strains.

Summary

Cloud computing has undergone nearly seven decades of transformation. Starting from the first mainframe computers of the 1950s, then accelerating during the race for tech giants to become the next standard in cloud provision, cloud technology is now ever-prevalent in all critical sectors, modern workspaces, and our homes.

Cloud security may have been neglected during the unprecedented advancements of the early 2000s, but it has been driven to the forefront of every cloud-related discussion now. As organizations continue to adopt novel advancements in cloud technologies, security solutions need to be able to evaluate risk across the entire cloud surface as well as any digital entities connected to it.

SentinelOne’s Singularity™ Cloud ensures organizations get the right security in place to continue operating in their cloud infrastructures safely. Contact us today or book a demo to see how we can help improve your cloud defenses and fuse autonomous threat hunting, EDR capability, and security together to fit your business.

Singularity™ Cloud
One home to secure VMs, servers, containers, and Kubernetes clusters across multi-cloud and datacenters. Prevent, detect, investigate, and respond to threats in the cloud in real time—without sacrificing performance.

V for Ventura | How Will Upgrading to macOS 13 Impact Organizations?

This Monday saw Apple release its next OS upgrade, macOS 13 Ventura. Apple took the unusual step of pre-announcing the release date last week, perhaps in recognition of the calamities caused with Catalina a couple of years ago. Then, as now, SentinelOne was ready with a supported agent (more details below) to ensure all enterprises can upgrade while remaining protected against the latest macOS malware threats.

For organizations, upgrading a major OS can be a fretful experience. In our previous post on Ventura, we covered seven new security changes coming in macOS 13. In this post, we’ll discuss some of the wider impacts of upgrading to macOS 13 on users, admins and security teams.

macOS 13 | Unlucky for Some?

Arguably the most significant change for existing macOS users is the number of models that macOS 13 doesn’t support, and for enterprises looking to upgrade to the latest and most secure version of macOS that could mean an upgrade of their Apple hardware.

Ventura requires a Mac that was manufactured no later than 2017. For MacBook Airs and Mac Minis the minimum is a 2018 model, and the 2019 model or later is required for the Mac Pro.

Users with hardware older than that are out of luck, although for personal devices projects like OpenCore Legacy Patcher can revitalize aging hardware. Security implications (not to mention licensing) rule that out in organizational settings.

Accessory Security | Not Quite Device Control

Like most recent Apple OS iterations, Ventura brings with it a new set of user ‘consent and control’ alerts. With macOS 13, this is primarily centered around USB and Thunderbolt peripherals that users plug into their Macs. These new controls, which ask users to approve or reject a new device via a dialog alert box, are intended to help protect users against malicious wired accessories, or what Apple calls “close-access attacks”.

Organizations using MDM solutions can choose to bypass user authorization via the allowUSBRestrictedMode restriction key, and other MDM options are available to control which devices a managed Mac can pair with.

There are, however, a number of caveats to bear in mind. The Accessory alert is triggered by the cable that is plugged in to the port, but after approval, users can change what device sits on the other end of a cable without causing a further prompt. In the case where the user has a USB hub or dock attached to the computer, plugging a thumb drive into an approved hub will not trigger an alert. The other major caveat to bear in mind is the more general one with TCC (aka UAC) alerts: if the user unknowingly plugs in a malicious flash drive, they are almost certainly going to approve the device if an alert pops up, since this was their intent when plugging it in.

Accessory security represents another barrier for threat actors to surmount, but it’s no replacement for proper and fine-grained device control managed by the security team.

Eyes Front | Getting Organized with Stage Manager

Ventura’s headline UI feature is Stage Manager, a “new” way to control and switch application focus. We put “new” in quote marks as it turns out the concept was actually prototyped back in 2007.

That’s a lot of baking time! While at first glance Stage Manager might seem like a merely cosmetic addition (remember LaunchPad, anyone?), it does add some practical advantages to application management. Chief among these is the ability to organize windows into groups to create restorable ‘workspaces’, a feature that’s long been missing on macOS.

Stage Manager allows users to group windows together by dropping them onto an existing window in the strip to the left (or right, if you have your Dock on the left). Clicking on a window group switches these to centre stage, in the orientation and size that you previously had them.

Stage Manager on Ventura

What’s even nicer is that each Desktop ‘space’ has its own strip, creating lots of possibilities, particularly when combined with multiple displays.

There are a couple of things missing from Stage Manager that would be nice to see for extra productivity: at present, adding a window to the strip is driven by drag and drop; some keyboard shortcuts would be nice. The ability to name groups would also help.

By default, Stage Manager is “off”, so turning it on requires a trip to the new System Settings.app (more on that below).

How to turn on Stage Manager in macOS Ventura

Ventura’s System Settings | Where Do You Start?

The short answer is: in the search bar! As we noted in our preview of the Ventura beta, System Preferences has now become System Settings. Discovering where things are can be challenging compared to the System Preferences.app, and the search field is now all but mandatory.

Perhaps the first and most obvious task for security teams and admins is to update any scripts that reference the old name, as they will fail on Ventura if they target “System Preferences”.

The settings themselves have some novelties and quirks. Persistence items are now visible and controllable to users via the General > Login Items menu item. Here, users can find a list of items that are set to run when the Mac is booted and when the user logs in to an account. Since the initial beta, this functionality has changed somewhat, and in the release version of Ventura only items that are labelled as ‘from an unidentified developer’ can be revealed in the Finder, via clicking the adjacent “i” button.

This is unfortunate, on two counts. First, since users cannot easily trace the parent application for items from identified developers, there is the risk that users will disable some essential services simply because they don’t recognize the name of the item displayed in System Settings. This is particularly problematic because the name displayed is the name of the developer rather than the name of the application.

Ventura Login Items How to find the parent

In the image above, there are Login Items belonging to BBEdit, Carbon Copy Cloner and Pacifist, but unless users are familiar with the developers’ names, their parent applications are difficult for users to identify from System Settings. Will this cause some users to toggle off services they might need? We wouldn’t bet against it, and it’s something front-line IT support teams will need to keep in mind.

Also somewhat unfortunate is that Apple’s own login items show up as “Item from unidentified developer”. Admins can expect to see plenty of users asking about these and similar items here, too.
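One way to answer the “what is this Login Item?” question from the command line, as an added example that is not Apple’s or SentinelOne’s code: walk the launchd directories, read each job’s Label and executable, and derive the parent .app bundle from the executable’s path. The sample plist is constructed for the demonstration, and the scan covers plist-based launchd jobs only, not items an app registers through other mechanisms, so treat an empty result for a given name as “not found here” rather than “not present”.

```python
"""Map launchd labels to the binaries they start, so a name shown under
General > Login Items can be traced back to a parent application.
Added example; paths and SAMPLE_AGENT below are constructed."""
import os
import plistlib
from typing import Dict, Iterable, Optional

# Where third-party persistence is usually installed; the last one is per-user.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def launchd_program(plist_bytes: bytes) -> Optional[Dict[str, str]]:
    """Return the label and executable of one launchd property list.

    launchd accepts either a Program string or a ProgramArguments array whose
    first element is the executable; a plist with neither is not a job.
    """
    job = plistlib.loads(plist_bytes)
    program = job.get("Program")
    if program is None:
        args = job.get("ProgramArguments") or []
        program = args[0] if args else None
    if not job.get("Label") or not program:
        return None
    return {"label": job["Label"], "program": program}


def parent_app(program: str) -> Optional[str]:
    """Outermost .app bundle on the executable's path, or None if it is not bundled."""
    parts = program.split("/")
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return "/".join(parts[: i + 1])
    return None


def scan_launchd(dirs: Iterable[str] = LAUNCHD_DIRS) -> Dict[str, Dict[str, Optional[str]]]:
    """Collect label -> {program, app} for every readable launchd plist in dirs."""
    found: Dict[str, Dict[str, Optional[str]]] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            try:
                with open(os.path.join(d, name), "rb") as fh:
                    job = launchd_program(fh.read())
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue  # unreadable or malformed plist: skip it, do not abort the scan
            if job:
                found[job["label"]] = {"program": job["program"], "app": parent_app(job["program"])}
    return found


# Constructed sample of the kind of agent a third-party app installs (not a real product's plist).
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/Library/LoginItems/Helper.app/Contents/MacOS/Helper</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for label, info in scan_launchd().items():
        print(f"{label}\t{info['program']}\t{info['app'] or '(not in an app bundle)'}")
```

Run it as the user whose Login Items are in question; entries whose app is reported as “not in an app bundle” are the ones worth a second look before anyone toggles them off.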

SentinelOne, like most other security vendors on macOS, takes advantage of Apple’s ES framework to provide part of our advanced security solution, and as such requires Full Disk Access. Unfortunately, granting FDA seems to allow various other permissions on Ventura that are not required or requested and not seen in Monterey.

For example, the Developer Tools pane in Privacy and Security shows that any application using the ES Framework has permission to “run software locally that does not meet the system’s security policy”.

This wording is unfortunate and may be disconcerting to some users, but in fact it is not a material change in the SentinelOne agent. We presume this is a macOS bug and have reported it to Apple as such.

Increase Isolation | User Controlled Lockdown Mode

A headline feature for iOS and macOS over the summer was the announcement of Lockdown mode, an option that users can enable in System Settings and which restricts the device’s ability to communicate with various services. Apple says that Lockdown mode helps protect devices against extremely rare and highly sophisticated cyber attacks.

According to Apple, when Lockdown Mode is enabled:

  • Most message attachment types are blocked. Links and link previews will be unavailable.
  • Some web technologies will be blocked, which may cause some websites to fail to load, load slowly or not operate correctly.
  • Incoming FaceTime calls from unknown callers will be blocked.
  • Configuration profiles can’t be installed, and the device can’t be enrolled in MDM or device supervision while in Lockdown Mode.

Other impacts of Lockdown mode can be found in Apple’s support documentation here.

Importantly, admins and security teams should note that Lockdown cannot be prevented by MDM. Although there is some warning that Lockdown mode is enabled in Safari’s toolbar, it is not generally obvious otherwise, and users that enable Lockdown may even forget that they have done so, which raises the risk of confusing support calls about malfunctioning or unavailable services. We predict that “Is Lockdown mode enabled?” is going to be one of the first questions support teams are going to want to ask users submitting tickets about various non-functioning services.

Rapid Security Response | Where (and What) Is It?

Another Ventura feature touted at WWDC last summer was something Apple have called ‘Rapid Security Response’. In essence, this is “a mechanism for shipping security fixes to users more frequently”, though details are still scarce.

So far, Apple has only given broad details, such as that Rapid Security Responses apply only to the latest minor operating system version. To receive these, users need to ensure that “Install Security Responses & System Files” in the Advanced option of Software Update in System Settings > General is checked.

Organizations using MDM can set CriticalUpdateInstall to achieve the same effect so long as the device is on the latest minor version. MDM solutions can report on Rapid Security Responses with the Device Info and the AvailableOSUpdate queries.

At present, Apple hasn’t rolled out a Rapid Security Response and we will need to await seeing it in action in order to evaluate the impacts in practice.

SentinelOne Supports macOS 13 Ventura

SentinelOne did extensive testing of Ventura during the beta phase, and we are delighted to announce that Ventura is supported on both Intel Macs and Apple silicon Macs with agent releases 22.2.3 and later. The SentinelOne agent runs natively on both Apple platforms.

Admins should ensure that the SentinelOne agent is updated to support Ventura before running the Ventura upgrade. More information can be found in the Ventura Support article in the Support portal.

SentinelOne supports macOS Ventura

Conclusion

Ventura seemed to have a much smoother beta cycle than some other recent versions of macOS, and overall our first impression of the first public release is that it is relatively stable. There are, of course, some kinks to iron out, and we do expect to see users needing support from their IT teams as they experiment with some of the new options in System Settings.

Upgrading to a new OS is never a light undertaking, particularly in an organizational setting, and with Apple pushing software updates and upgrades more aggressively, we hope this post will help admins and security teams get up to speed with some of Ventura’s idiosyncrasies. For more information on security changes in Ventura, also see our post here.

The Complete Guide to Understanding Apple Mac Security for Enterprise
Learn more about the challenges and threats facing security and IT teams running macOS devices in the enterprise.

How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security

Modern technology has transformed the workplace, changing how people access data and operate in tandem with various software. The past few years especially have accelerated these changes as organizations adjusted their operations to support a sudden uptick in remote work. A large part of these changes involves the exponential increase in digital identities.

Digital identities allow users to identify themselves electronically and confirm who they are within the scope of an enterprise, software, or service. Through secured digital identities, enterprises standardize access management and authentication processes to ensure the right users see the right information.

As it stands, the digital identity surface is a dynamic one, still changing rapidly and requiring enterprises to adopt robust security solutions to protect user data. Taking advantage, threat actors are acutely aware of how reliant organizations are on this means of identification. With attacks targeting the digital identity surface increasing, it is important for enterprise security teams to understand common attack vectors and tactics affecting their scope of risk.

This blog post breaks down the Golden Ticket attack, an identity-based attack that exploits weaknesses in the Kerberos authentication protocol. Learn how this type of attack works, associated indicators of compromise, and how best to mitigate and protect against it.

Innocent Name, Powerful Attack | Golden Ticket Attacks Explained

The moniker “Golden Ticket” hails from Roald Dahl’s Charlie and the Chocolate Factory, a children’s tale in which a young boy finds a highly-coveted golden ticket pass, granting him access into Willy Wonka’s heavily guarded chocolate factory.

Despite the name’s innocent roots, a Golden Ticket attack can be devastating for the targeted enterprise if successfully carried out. Golden Ticket attacks give a threat actor unrestricted access to nearly everything in the targeted domain, including devices, folders, files, and domain controllers (DC). This type of attack exploits a weakness in the Kerberos authentication protocol, which is commonly used across global digital workforces.

According to the MITRE ATT&CK framework, these attacks involve the use of a Golden Ticket which, in this case, is a forged Kerberos ticket-granting ticket (TGT) to generate ticket granting service (TGS) tickets for any account in Active Directory.

Kerberos Communication Process | Understanding the Attack Vector

When threat actors carry out Golden Ticket attacks, they begin by logging onto a domain-joined computer with compromised user credentials and target the Kerberos communication process. It is important to understand the communication process before analyzing the methodology of the attack.

Under normal circumstances, the Kerberos authentication protocol allows users to authenticate themselves through a trusted third-party authentication service called the Kerberos Key Distribution Center (KDC). This service is typically run in each domain controller within an Active Directory (AD) domain. The Kerberos communication process follows the below steps:

  1. The client converts the user’s password to an NTLM hash, encrypts a timestamp with that hash and sends it to the Key Distribution Center (KDC) as the pre-authentication data in the ticket-granting ticket (TGT) request. The domain controller (acting as the KDC) checks user information such as logon restrictions and group membership, and creates a TGT.
  2. The newly-created TGT is encrypted with the password hash of a special account on the domain controller, the Kerberos service account (KRBTGT). Only holders of that key, i.e. the domain’s KDCs, can open and read TGT data. The domain controller then delivers the TGT to the user.
  3. The user presents the TGT and requests a Ticket Granting Service (TGS) ticket for a target service. The domain controller validates the presented TGT and creates the TGS ticket.
  4. The domain controller encrypts the TGS ticket using the target service account’s NTLM password hash and sends it to the user.
  5. The user connects to the application server hosting the service on the appropriate port and presents the TGS ticket. The service opens the ticket using its own NTLM password hash.

Golden Ticket Attack vector

KRBTGT Account Hashes | Understanding Golden Ticket Attacks in Action

A threat actor with a valid KRBTGT account hash can create a forged Golden Ticket using an open-source tool such as Mimikatz. Actors may also use DCSync, a Mimikatz feature that requests credential data the way a replicating domain controller would, to obtain the KRBTGT account’s NTLM hash together with its security identifier (SID), whose prefix is the domain SID needed for the ticket, using the

lsadump::dcsync /user:krbtgt

command. Alternatively, threat actors use Mimikatz to retrieve the hash of the KRBTGT account from the Local Security Authority (LSA) by executing Mimikatz commands privilege::debug and lsadump::lsa /inject /name:krbtgt on the DC.

The output of these commands shows valuable information such as the SID and NTLM hashes. Threat actors then use these to create their Golden Ticket and potentially run a Pass the Ticket (PtT) attack, moving laterally within an organization’s AD environment, as per the following command.

kerberos::golden /user:/domain:/sid:S-1-5-21-2087032555-2209862856-1647013465 /krbtgt:38fb5559b8b79e3657cbf45f7165a0c5 /ptt

Mimikatz commands such as kerberos::list and kerberos::tgt retrieve the Kerberos tickets cached in the current user session, which lets the attacker confirm that the forged ticket has been injected.

Once attackers have injected the Golden Ticket into their session, they have unfettered access across the domain, including its domain controllers. Listing a DC’s administrative share (C$) from the compromised host is a simple way to confirm that the forged ticket is being accepted.

Enterprise Best Practices | How to Reduce the Active Directory Attack Surface

As part of continuous security assessments, enterprise security professionals should perform thorough assessments of Active Directory and invest in comprehensive reports on AD attacks. Regular assessments are critical in detecting vulnerable KRBTGT accounts and alerting on potential pass-the-ticket attacks. Enterprises that can detect unauthorized queries and hide their critical AD objects from threat actors can greatly reduce their digital identity attack surface.

In terms of a long-term mitigation strategy:

  • Resetting the KRBTGT account password at least twice a year, and always twice in succession when compromise is suspected (the KDC still honors tickets issued under the previous key until the second reset; allow replication to complete between the two), limits how long a stolen hash stays usable and helps minimize the chances of compromising the entire domain.
  • Security admins can also restrict domain administrators from logging on to any computer other than the domain controllers.
  • Organizations should implement comprehensive AD protection solutions to avoid attackers forging tickets and taking over complete domain dominance.

Conclusion

In today’s fast-paced working environment, users are expected to use their digital identities to transact quickly and securely. To keep up with ongoing technological changes, the digital identity landscape and methods of securing also need to be adaptable. Identity-based security needs to be an integral part of an enterprise’s cybersecurity strategy as threat actors continue to exploit attack methods like the Golden Ticket attack.

Enterprises bolstering their identity-based security trust SentinelOne to reduce their AD attack surface and protect against credential misuse through real-time infrastructure defense.

  • Singularity™ Ranger AD is purpose-built to uncover vulnerabilities in Active Directory environments. It analyzes configuration changes and eliminates excessive privileges that are often a part of identity-based attacks.
  • Singularity™ Identity is designed to defend Active Directory, AD domain controllers, and domain-joined assets from threat actors aiming to gain unauthorized privileges. It detects unauthorized queries, hides critical AD objects from the results, and inserts deceptive data in their place to lead attackers away from critical assets.

To learn more about how to protect your enterprise from identity-based threats, sign up for a free Active Directory assessment here.

Free Singularity Ranger® AD Assessment
Cloud-delivered, continuous identity assessment solution designed to uncover vulnerabilities in Active Directory and Azure AD.

The Good, the Bad and the Ugly in Cybersecurity – Week 43

The Good

Officials have busted two SIM hijackers for a six-month cyber crime spree which stripped a total of $550,000 from prominent cryptocurrency figures across the U.S. This week, Eric Meiggs (24) and Declan Harrington (22) were charged with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft, earning them each two-year sentences.

The DoJ reports that Meiggs and Harrington used SIM swapping and hacking tactics to take over their targets’ email addresses, social media handles, and cell phone numbers linked to cryptocoin accounts. The scheme included sending hostile messages to the targets, sometimes threatening their family members if they did not comply with the demands. The pair focused their sights on cryptocurrency executives and blockchain-based business owners.

SIM Swapping

SIM swapping exploits the process in which cell phone providers assign numbers to new devices. Threat actors pose as the victim to convince the provider to reassign the number from the victim’s original SIM card to one controlled by the actor. This method allows threat actors to divert password reset links and authentication codes to their own device so they can later break into crypto exchanges, online banking accounts, and email and social media accounts.

Threat actors are escalating their use of SIM swapping to target early adopters of cryptocurrency and heavy investors. The FBI has implored users to be on high alert and to avoid posting any personal data or information about their financial assets online. It also recommends that users remove sensitive documents from email accounts and add PINs to their mobile phone accounts. As the cryptocurrency space is still a relatively young one, the need for digital identity protection continues to be significant in guarding against developing crypto-related threats.

The Bad

URSNIF (aka ISFB) malware has had a makeover, and it’s still not pretty. The one-time banking trojan has shed its origins and has been revamped into a generic backdoor built to enable ransomware or data theft extortion operations. Researchers this week published an analysis on the malware’s milestone shift, hypothesizing that the change was to stay consistent with the broader changes in the crimeware landscape.

The new variant, dubbed LDR4, was first seen in a recent attack chain where fake invoices and job postings were emailed to unsuspecting users to lure them to visit a legitimate domain. There, interaction with a CAPTCHA would prompt a download of a Microsoft Excel spreadsheet hiding the malware payload.

LDR4 has abandoned many features characteristic of previous URSNIF forms, such as the FJ.exe steganography tool used to hide payloads in files. All banking features have been removed, and its new set of commands is capable of loading DLL modules, starting and stopping cmd.exe reverse shells, running arbitrary commands, and terminating processes.

URSNIF has seen a fragmented timeline of changes prior to its latest transformation. The latest change trails the footsteps of other malware families that also had roots in banking fraud like Trickbot, Emotet, and Qakbot. More widely, threat actors are continuing to evolve their approach in extorting money from organizations, with many now shifting to pure data extortion without ransomware or adopting techniques such as partial encryption.

The Ugly

Private Ukrainian and Polish transportation and logistics companies are finding themselves the target of a novel ransomware strain dubbed Prestige. Only seen in the wild as of last Tuesday, researchers have already found that Prestige shares victimology with recent Russian state-aligned activity. Perhaps not surprisingly, Prestige ransomware victims overlap with those of another malware, HermeticWiper, which had been detected in hundreds of computers in Ukraine just hours before Russia launched a full-scale military invasion on the country.

The researchers state that the initial access vector in the recent string of attacks is still unknown, but in all instances the attack timeline began with the theft of highly privileged credentials such as Active Directory admin accounts. Tracked by Microsoft as DEV-0960, the threat actors behind Prestige ransomware have been observed using tools such as winPEAS, comsvcs.dll, and ntdsutil.exe to access the credentials needed to facilitate the deployment. Remote execution utilities were also noted in the campaign, including RemoteExec, a tool often used for agentless software execution, and Impacket’s wmiexec, an open-source Python tool for executing commands on remote hosts over WMI.

While the new ransomware seems to be operating independently of known threat actor groups, concerns of the strain spreading to other countries are rising. Just earlier this year, President Biden released a statement warning firms to be on guard for potential malicious cyber activity backed by the Russian government as a response to the economic sanctions the U.S. has imposed upon Russia. As the cyber threat landscape further develops, the emergence of new malware strains and TTPs will remain a regular theme.  SentinelOne’s full response to the situation in Ukraine can be found here.

Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn

On October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at Amazon comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users.

Jay Pinho is a developer who is working on a product that tracks company data, including hiring. Pinho has been using LinkedIn to monitor daily employee headcounts at several dozen large organizations, and last week he noticed that two of them had far fewer people claiming to work for them than they did just 24 hours previously.

Pinho’s screenshot below shows the daily count of employees as displayed on Amazon’s LinkedIn homepage. Pinho said his scraper shows that the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop:

The number of LinkedIn profiles claiming current positions at Amazon fell 33 percent overnight. Image: twitter.com/jaypinho

As stated above, the number of LinkedIn profiles that claimed to work at Apple fell by approximately 50 percent on Oct. 10, according to Pinho’s analysis:

Image: twitter.com/jaypinho

Neither Amazon nor Apple responded to requests for comment. LinkedIn declined to answer questions about the account purges, saying only that the company is constantly working to keep the platform free of fake accounts. In June, LinkedIn acknowledged it was seeing a rise in fraudulent activity happening on the platform.

KrebsOnSecurity hired Menlo Park, Calif.-based SignalHire to check Pinho’s numbers. SignalHire keeps track of active and former profiles on LinkedIn, and during the Oct 9-11 timeframe SignalHire said it saw somewhat smaller but still unprecedented drops in active profiles tied to Amazon and Apple.

“The drop in the percentage of 7-10 percent [of all profiles], as it happened [during] this time, is not something that happened before,” SignalHire’s Anastacia Brown told KrebsOnSecurity.

Brown said the normal daily variation in profile numbers for these companies is plus or minus one percent.

“That’s definitely the first huge drop that happened throughout the time we’ve collected the profiles,” she said.

In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the business networking site and the companies that rely on it to hire and screen prospective employees.

A day after that second story ran, KrebsOnSecurity heard from a recruiter who noticed the number of LinkedIn profiles that claimed virtually any role in network security had dropped seven percent overnight. LinkedIn declined to comment about that earlier account purge, saying only that, “We’re constantly working at taking down fake accounts.”

A “swarm” of LinkedIn AI-generated bot accounts flagged by a LinkedIn group administrator recently.

It’s unclear whether LinkedIn is responsible for this latest account purge, or if individually affected companies are starting to take action on their own. The timing, however, argues for the former, as the account purges for Apple and Amazon employees tracked by Pinho appeared to happen within the same 24 hour period.

Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber Extortion

Much like legitimate businesses, ransomware operators adjust their operational strategies to achieve results while managing time and resources, and defenders are required to track these shifting strategies to maintain effective protection. Presently, we are observing an evolution in how cyber criminals approach the business of extorting money from organizations.

Ransomware actors have turned toward data theft instead of time-expensive encryption, and importantly, the anatomy of modern extortion attacks involves operators taking different approaches to data destruction from full encryption to partial encryption to no encryption – and, thus, no ransomware – at all. What the cybersecurity industry generally refers to as ‘ransomware operators’ must now be thought of as a subset of a larger group of data extortion actors who occupy different positions on this spectrum of data destructiveness.

In this post, we describe this emerging spectrum of data-focused threat actors to help defenders better understand the continuing development of data extortion tactics, techniques, and procedures (TTPs).

Data Destructiveness | A Growing Spectrum

Starting first from opportunistic attempts for easy profit, ransomware has morphed into full-scale cybercrime syndicates targeting governments and critical infrastructures globally. Ransomware-as-a-Service (RaaS) programs are now prolific on the dark web, connecting low to mid-level actors with ransomware developers. Not only are these programs easy to access and cheap, they are also mature, operating like any other legitimate organization by offering technical support and flexible service models.

Thinking of ransomware as simple encryption of randomly stolen data, however, is not an accurate representation of the plethora of data extortion strategies we see today. Trends now indicate that full encryption of victim data is often too arduous and slow for many threat actors, and increases the risk of detection. With double and triple extortion becoming standard in the ransomware scene – the stolen data being the pivotal element  –  we see threat actors occupying different positions on a spectrum of data destructiveness.

At one end of the spectrum are threat actors that do not destroy data at all and therefore spend no time on this activity – they only steal data that is valuable to victims as a means to extort them. At the other end of this spectrum are actors that use traditional ransomware to do full, but relatively slow, encryption to destroy data completely. The rest of the spectrum is populated by actors that steal data and either partially or fully destroy it to damage their victim’s infrastructure, thus gaining additional leverage over them.

The data destructiveness spectrum

Ransoms Without Ransomware

This strategy is exemplified by two relatively recent threat groups, Karakurt and Lapsus$. Both leverage data extortion-only methods in their campaigns. Neither group deploys ransomware on compromised systems. Instead, they exfiltrate data and use the stolen data as leverage, joining the ranks of groups such as Marketo and Bl@ckT0r.

The Twitter profile @Mannus Gott introducing Marketo (source: Digital Shadows)

Karakurt typically gains access to networks through initial access brokers (IABs) or by exploiting vulnerabilities in internet-exposed network services such as outdated Fortinet FortiGate SSL VPN appliances. The threat group is considered to be the data extortion arm of the now defunct Conti syndicate. Karakurt has targeted victims across all industries and geographical regions.

Karakurt sends victim-specific emails to employees revealing that data has been stolen while threatening that the data will be leaked to competitors or auctioned online. The extortion note contains employee names and indicates that Karakurt has spent a considerable amount of time locating data that is valuable to the victim organization to ensure the group’s extortion leverage.

Karakurt extortion note (trimmed for brevity)

In contrast to Karakurt, Lapsus$ uses stolen credentials and phishing to gain initial access to networks. The group then uses SIM-swapping, social engineering, and solicitation methods to bypass multi-factor authentication (MFA).

Lapsus$ has recently targeted victims in the high-tech industry, notably Nvidia, Samsung, Okta, Microsoft, and Ubisoft. The threat group is also known to attack organizations specifically to gain access to their customers. Such has been the case with the Okta breach in early 2022. It is interesting to note that Lapsus$ conducts data extortion campaigns not only for financial gains, but also to increase their notoriety.

Extortion Through Data Corruption

Some ransomware operators are now implementing data destruction techniques that are more lightweight and time-efficient than data encryption. Through data corruption, operators are capable of driving urgency in their victims as well as escalating their ransom request.

Exemplifying this is the new version of the Exmatter data exfiltration tool which corrupts data by replacing a data chunk of a file with a data chunk from another file. This change in the implementation of Exmatter strongly suggests the beginning of a new trend in ransomware operations where threat actors seek to corrupt data instead of encrypting it.

Exmatter corrupts a file (source: Stairwell)

Data corruption is faster than full encryption and the code is significantly easier to develop, since there is no need to worry about reversing the damage after the victim pays up. Data corruption further eliminates the possibility of security researchers developing decryptors that exploit flaws in ransomware encryption schemes, such as occurred with the Lorenz and MafiaWare666 ransomware strains. In short, corruption allows threat actors to save time and effort while improving their chances of a successful payout.

The Growing Trend of Partial Encryption

An increasing number of ransomware operations have joined the trend of partial or intermittent encryption that the LockFile ransomware started in mid-2021. A previous SentinelLabs article reviewed recent ransomware families that conduct intermittent encryption, such as BlackCat, BlackBasta, Agenda, and Qyick.

Royal ransomware is a new member of the ransomware scene which employs partial file encryption. It encrypts a file in 10 separate runs, skipping the content between them; the total number of bytes encrypted across those runs amounts to the percentage of the file that the operator has configured through the ep command-line parameter.

The new Royal ransomware conducts intermittent encryption (the null bytes represent non-encrypted file content)

Partial encryption allows ransomware actors to destroy data faster than with full encryption. The gains in time are especially noticeable when it comes to large files, where the time spent on encryption per file is reduced by minutes.

Partial encryption may also help threat actors to evade security mechanisms that detect ransomware by monitoring the intensity of file IO operations or by evaluating the similarity between non-encrypted and encrypted versions of a given file, for example, based on Chi-squared or data entropy measures.
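To see how much the entropy heuristic degrades, here is an added example that is not from any ransomware family or from the original post. A SHA-256 counter keystream stands in for the cipher, the “document” is constructed, and the chunk layout (a configurable number of equally spaced runs that together cover a configured percentage of the file) is an assumed generalization of the Royal scheme described above, not its implementation. The same document is measured unencrypted, 10% intermittently encrypted, and fully encrypted.

```python
"""Entropy of a constructed document under no, intermittent and full encryption.
Added example; the keystream cipher and the chunk layout are stand-ins."""
import hashlib
import math
from collections import Counter


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream (demo stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_full(data: bytes, key: bytes) -> bytes:
    return xor(data, keystream(key, len(data)))


def encrypt_intermittent(data: bytes, key: bytes, percent: int, chunks: int = 10) -> bytes:
    """Encrypt `percent` of the file as `chunks` equally spaced runs; leave the rest intact."""
    total = len(data) * percent // 100
    run = max(1, total // chunks)
    stride = len(data) // chunks
    ks = keystream(key, len(data))  # one keystream, indexed by file offset
    out = bytearray(data)
    for i in range(chunks):
        start = i * stride
        end = min(start + run, len(data))
        out[start:end] = xor(data[start:end], ks[start:end])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def changed_fraction(before: bytes, after: bytes) -> float:
    """Share of bytes that differ, the kind of signal an IO-intensity monitor would see."""
    return sum(a != b for a, b in zip(before, after)) / len(before)


def compare(percent: int = 10) -> dict:
    """Entropy of the same constructed document under the three treatments."""
    sentence = (b"Quarterly revenue figures for the northern region are attached; "
                b"please review them before the board meeting on Thursday.\n")
    document = sentence * 400            # constructed ~45 KB plaintext
    key = b"constructed-demo-key"
    full = encrypt_full(document, key)
    partial = encrypt_intermittent(document, key, percent)
    return {
        "plain": round(shannon_entropy(document), 2),
        "partial": round(shannon_entropy(partial), 2),
        "full": round(shannon_entropy(full), 2),
        "partial_changed": round(changed_fraction(document, partial), 3),
    }


if __name__ == "__main__":
    print(compare(10))
```

The fully encrypted copy sits close to the 8-bit ceiling, the 10% intermittent copy lands only modestly above the plaintext, and only about a tenth of the bytes change: a threshold tuned to catch the former will miss the latter, which is the evasion the post describes.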

What’s Next for Data Extortion?

Changes in the threat landscape have created differing trends in how data is leveraged to increase the chance of successful ransom. We predict that data extortion actors, including ransomware operators, will continue to occupy different positions on the data destructiveness spectrum.

Ransomware actors that steal data to extort their victims also aim to gain additional leverage by damaging the targeted infrastructure, disrupting business services and causing both reputational harm and financial loss. This type of actor will likely continue to resort to a combination of data destruction techniques, corrupting or partially encrypting large files where speed is of the essence, but continuing to fully encrypt others. Some actors may focus more on corruption to avoid potential implementation flaws in encryption schemes.

Meanwhile, extortion actors that seek to use the value of stolen data without conducting any encryption at all are set to gain further momentum within the threat landscape.

We also anticipate the emergence of a hybrid model amongst threat actors that will allow them to switch between conducting data theft only and using a more traditional data-destructive ransomware approach. At the core of this model is the value of the stolen data. Depending on its value, threat actors will evaluate whether or not it is sufficient as the only means of extortion leverage.

Conclusion

The profitability of the ransomware industry has given way to a multitude of extortion methods. What has emerged is a spectrum of threat actors who are moving past traditional, time-consuming encryption focused on destroying all stolen data. Now, actors are seen prioritizing faster attacks, either through data extortion, where the data is more or less preserved, or through partial corruption only, allowing them to move quickly and demand increasingly larger ransoms.

This spectrum of attack methods is the result of a gradual process, influenced by the development of decryption and other malware-detection capabilities as well as the professionalization of malicious actors themselves. As demonstrated by the trends outlined in this post, actors have clear ambitions and continue to adjust their methodologies and tactics to capitalize on the most likely targets and payouts.

Building Blocks for Your XDR Journey, Part 2 | Why EDR Is the Cornerstone for Great XDR 

XDR, or eXtended Detection and Response, has been gaining a lot of buzz and traction in recent years. XDR promises a comprehensive view of an organization’s security posture and the ability to quickly detect and respond to threats. This multi-part blog series provides an overview and guidance on developing a successful cybersecurity strategy for any organization implementing or planning to implement XDR.

In Part 1, we focused on why organizations need to extend protection beyond the endpoint to stay ahead of adversaries. In Part 2, we look at why Endpoint Detection and Response (EDR) is a foundation and a cornerstone for any XDR strategy an organization plans to implement.

Over the last few years, XDR has emerged as a simpler and more efficient way to deal with the broad array of threats that security teams currently face. It is not necessarily a product that customers buy but a strategy and a new way of managing security.

An XDR platform, in effect, aims to collect and correlate data across a broad array of network and security surfaces, including servers, endpoints, cloud workloads, network intrusion prevention systems, identity and access management products, email, and more. It analyses the data it collects, consolidates multiple alerts into a single incident, combines “weak” signals into detections, and then responds across multiple security tools.

That said, XDR is not a new idea. This is what older technologies, such as SIEM promised but were never able to truly deliver.

Why SIEM Tools Failed To Meet Expectations

SIEM tools are all about ingesting as much data as they can, often driven by compliance use cases rather than security. However, this is the very reason organizations struggle so much with SIEMs. With so much data being generated, it’s hard to sift through everything and find the needle in the haystack.

Several factors explain why SIEM did not fit the bill. Firstly, SIEM solutions are designed to ingest and aggregate log data from different sources. This data is then difficult to sift through and piece together, especially when trying to find the root cause of an issue. Secondly, some SIEM vendors have added rudimentary analytics functionality to their products, but this is not enough to address these concerns accurately. Further, SIEM solutions are focused on analysis after an incident rather than on detecting an incident, and they are often one-directional, without any ability to control or respond. Security teams are often forced to rely on manual intervention when using SIEM solutions, which can lead to errors and delays in addressing issues.

Given these challenges, it’s understandable that SIEM has failed to address modern security threat detection concerns effectively.

This is where XDR solutions come in. XDR is not about collecting as much data as possible. It’s about being strategic and only collecting the data that is most relevant. This way, you can more easily identify patterns and anomalies. Compared to older tools and technologies, XDR provides higher fidelity and confidence and allows security teams to identify and eliminate security vulnerabilities without adding extra tools or more people.

An XDR platform aims to solve the challenges of a SIEM tool through effective detection and response to targeted attacks. This is not to say that SIEM tools are not needed in an enterprise security stack. SIEMs have been and are useful in solving a number of use cases like log management, compliance, data aggregation, and analytics.

How Endpoint Threat Data Is Crucial for XDR

While XDR and SIEM are tangentially related, the new technology has more in common with EDR. In fact, XDR is an evolution of EDR that broadens the scope of detection far beyond endpoints. XDR builds on the threat detection and response capabilities of EDR and extends them across multiple security tools.

“Good XDR lives and dies by the foundation of good EDR.”
Forrester Report: Adapt or Die: XDR Is on a Collision Course with SIEM and SOAR

EDR-based XDR platforms provide security teams with the visibility and analytical capabilities needed to detect and contain advanced attacks. Endpoints are a critical part of any organization’s cybersecurity posture. They are often the first point of entry for attackers and can be used to move laterally through a network.

Endpoint telemetry is, therefore, essential for detecting compromised assets, correlating threat data across domains, and isolating complex attacks. Endpoints can provide visibility into all aspects of an attack, from the initial infiltration to the final data exfiltration. In order to effectively detect and respond to threats, organizations need to have a comprehensive endpoint security solution in place.  Endpoints are also where the majority of the “response” is needed.

XDR data is gathered from a variety of sources, including endpoint devices, network traffic, and user activity. EDR solutions use this data to identify malicious activity, track the progress of an attack, and determine the root cause of an incident. This information is essential for security teams to contain and remediate attacks quickly. And it’s just as important to extend the response across the entire security stack.

A Strong XDR Builds on the Power of Strong EDR

“I want to replicate what is working with EDR to other areas in my organization.” – Cybersecurity & Technology Leader Global Pharmaceuticals

XDR is taking what works currently in organizations with endpoints and extending it to other attack surfaces. It unifies visibility and control across all connected security platforms, which provides context around potential threats that make remediation efforts easier. It also allows security teams to react faster because of the correlation of data from multiple security vectors. With improved triage and automated contextual enrichment, teams can respond more quickly before the scope of the threat broadens. Out-of-the-box integrations and pre-tuned detection mechanisms across multiple different products and platforms help improve productivity, threat detection, and forensics.

SentinelOne’s Singularity XDR lets analysts take advantage of insights from aggregated event information gathered from multiple tools and services and combine it into a single, contextualized ‘incident.’ It also provides customers with a central enforcement and analytics hub for complete enterprise visibility and autonomous prevention, detection, and response, helping organizations address cybersecurity challenges from a unified standpoint.

Parting Thoughts

To get the maximum out of XDR, it needs to be part of a larger strategy to improve security outcomes. XDR is a means to an end, and as part of the XDR journey, organizations should look at what outcomes they want to achieve with XDR. At a macro level, the XDR solution should, at minimum, help to:

  • Improve your security efficacy
  • Deliver a single plane for your security needs
  • Maximize the value of your existing security investments
  • Improve SecOps efficiency
  • Deliver measurable outcomes

XDR is the natural progression of EDR, moving beyond the endpoint to the rest of the security infrastructure, including identity and cloud security. XDR can help organizations to improve their detection and response capabilities, but only if it is implemented correctly.

When implementing XDR, organizations should focus on their specific needs and objectives and choose the vendors, products, and services that will best meet those needs. To realize the benefits of XDR early, it is vital to have a platform that can integrate existing tools. Only then will organizations be able to fully leverage the power of XDR. SentinelOne provides that vision and strategy to help organizations deliver on the promise of XDR and protect the whole organization.

If you would like to learn more about SentinelOne Singularity XDR platform, contact us for more information or request a free demo.
