The Best, The Worst and The Ugliest in Cybersecurity | 2022 Edition

Looking back at 2022, we’ve reported on positive strides and wins seen across our community as well as some seriously heinous threats to the digital landscape. The Good, Bad and the Ugly series takes this week’s edition to rewind and revisit the best, the worst, and the ugliest from the past 12 months.

The Best

Throughout 2022, law enforcement groups across the globe made a sweeping number of arrests – many the result of international collaborations between agencies. Crackdowns this year saw the arrests of key members from infamous cyberthreat gangs such as JabberZeus and LockBit, as well as the shuttering of multiple darknet marketplaces and malicious domains.

From a policy standpoint, the U.S. government made good on their pledge to harden the country’s cyber posture by implementing the Digital Services and Digital Markets Acts, publishing new guidelines for securing supply chain operations, and adding key cybersecurity hires to their Crypto Assets and Cyber Units.

SentinelOne’s focus on technical innovations, partnership, and sharing security intel was best highlighted by the successful launch of LABScon this September. At this inaugural security conference, SentinelLabs hosted a gathering of the most prominent speakers and researchers from the infosec community with the goal of advancing cybersecurity research for the benefit of a collective digital defense.

The Worst

Despite the wins, threat actors were busy across the year attacking targets old and new.

At the beginning of the year, a Red Cross contractor suffered a large-scale cyberattack exposing the personally identifiable information (PII) of over half a million individuals. In April, a ransomware attack on the Costa Rican government triggered a national emergency that took over a month to remediate. In July, it was revealed that a Conti attack on a healthcare debt collection firm impacted more than 1.91 million patients and 650 medical providers.

As students returned to education in September, the Los Angeles school district supporting over 640,000 students disclosed a data breach on their IT systems.

Cybercrime-as-a-Service has introduced a new wave of low and medium-level cyber criminals to more complex and devastating attack methods. Services like Caffeine, for example, allow anyone on the internet to pay for customized phishing kits and URLs for hosting malware payloads.

Threat groups such as Vice Society were reported in October to be taking on a fluid approach to the spectrum of data extortion. Adapting different tactics based on their targets, some groups have been known to demand ransoms without deploying ransomware, instead threatening victims with exposure of the leaked data. Public exposure of sensitive data can be catastrophic for some organizations, while for others, just the cost of returning to normal operations can put an organization out of business entirely.

Attacks on enterprise cloud surfaces have also become an increasingly worrisome vector throughout 2022, with breaches of major companies such as Twilio, Okta, NetStandard, and LastPass raising fears that even as businesses have understood the need to harden endpoint security, cloud workloads and user identities remain easy targets.

The Ugliest

Amidst an ongoing economic downturn, active warfare, and civil unrest, the ugliest moments of 2022 showed that cybersecurity and cybersecurity awareness is a challenge for society across the board.

A feature of some of 2022’s worst moments was the increasing awareness of how governments around the world are using private espionage companies to throttle dissent and attack civilians including journalists, lawyers and civil rights protesters. In February, SentinelLabs reported on ModifiedElephant, an APT that has been targeting activists by planting false digital evidence.

A private sector offensive actor based in Austria was uncovered in July, while the Spain-based IT company Variston was outed in early December as trading in commercial spyware.

Of course, the dominant news of 2022 centered around Ukraine. As the conflict in Ukraine unfolded in the early months of the year, banks, major websites, and other public services in Ukraine were hit with distributed denial-of-service (DDoS) attacks leading up to Russia’s invasion.

In February, SentinelOne researchers reported on HermeticWiper, a new custom wiper malware circulating in Ukrainian organizations in an effort to break down the country’s information systems. Shortly after, another wiper attack on Ukraine dubbed AcidRain hit satellite modems in neighboring countries.

The traffic wasn’t all one way: Russian courts and mayoral offices were targeted with CryWiper. Elsewhere, wipers were deployed by Iranian-linked APT Agrius on targets in Hong Kong, Israel and South Africa. Unlike ransomware, these wipers do not attempt to extort the victim; their intent is only to destroy the victim’s ability to operate, and collectively may be the most nefarious of cyber threats we’ve seen over the last year.

Conclusion

2022 was a year in which cybersecurity headlines reached out into the mainstream media and public consciousness more so than ever. We can hope that this increased awareness will pay dividends in 2023, as public and private organizations, and indeed individual users, develop a greater understanding of cyber risk and how to mitigate it.

Our regular weekly roundups will return next Friday. Meanwhile, find our predictions for 2023 here, and from all of us at SentinelOne, have a happy and very safe New Year.

SentinelOne is VB100 Certified | Maximizing Protection Against the Evolving Threat Landscape

Introduction

SentinelOne is committed to providing our customers with the highest level of protection against the ever-evolving threat landscape. Our comprehensive platform is designed to detect, prevent, and respond to today’s sophisticated cyber threats.

Powered by artificial intelligence, machine learning, and behavioral analytics, SentinelOne detects and responds to threats in real-time. We also offer a range of advanced features, such as automated remediation, threat hunting, and incident response, so businesses can quickly and easily protect their networks and data.

We are proud to announce that we have recently achieved VB100 certification. This certification is awarded to vendors who demonstrate the highest levels of accuracy and reliability in their antivirus products. This certification is a testament to our commitment to providing our customers with the best protection against the latest threats.

At SentinelOne, we understand the importance of protecting our customer’s data and networks. We are proud to have achieved VB100 certification and look forward to continuing to provide our customers with the best possible protection against the latest threats.

What is VB100 Certification?

VB100 tests the efficacy of Windows endpoint security products and their ability to protect against common, file-based Windows threats without creating excessive false alarms for legitimate programs. The certification is only awarded to products that meet the strict parameters of the test: a product must detect no less than 99.5% of malware samples listed as ‘In the Wild’ by the WildList Organization and generate no more than 0.01% false positives when scanning a test set of clean sample files.

The testing process first involves the download of each sample test set. Then, a scan-on-demand action is performed by the product under test on the downloaded samples. Finally, any remaining samples are inventoried and their integrity verified. Test case sets are collected frequently to include fresh samples and are divided into three subsets:

  • Certification Set: This set is compiled of prevalent Windows malware recently observed in the wild. The size of this set will vary, generally including 1000 to 2000 purely Windows PE-type cases.
  • Clean Set: This set comprises widely and less widely used legitimate program files. This set contains 100,000 samples selected randomly from a much larger repository of samples and includes both PE (minimum of 25%) and miscellaneous file types.
  • Diversity Set: This set comprises assorted malicious Windows executables, including less clear-cut cases and more obscure threats. It will contain predominantly PE file types and typically includes 1000 samples selected randomly from a larger repository.

After the testing, the product’s responses are categorized into true positives and negatives and false positives and negatives. True positives are correctly detected malware samples and true negatives are legitimate files correctly treated as such. False positives are false alarms on legitimate files and false negatives are missed malware samples.
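To make that categorization concrete, here is an added Python mock of a VB100-style run (a constructed example, not Virus Bulletin’s harness or SentinelOne’s code): samples are staged and hashed, a stand-in scanner quarantines what it recognizes, the survivors are inventoried with their integrity verified, and the resulting counts are checked against the 99.5% detection and 0.01% false-positive thresholds. The rule that a missing or modified sample counts as detected, and the tiny sample sets, are assumptions.

```python
"""VB100-style certification run (constructed mock, not Virus Bulletin's harness)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Certification thresholds quoted in the text.
MIN_DETECTION_RATE = 0.995        # at least 99.5% of the certification set detected
MAX_FALSE_POSITIVE_RATE = 0.0001  # at most 0.01% of the clean set flagged


@dataclass
class Outcome:
    tp: int  # malware detected
    fn: int  # malware missed
    fp: int  # clean files wrongly flagged
    tn: int  # clean files correctly left alone

    @property
    def detection_rate(self) -> float:
        return self.tp / (self.tp + self.fn)

    @property
    def false_positive_rate(self) -> float:
        return self.fp / (self.fp + self.tn)

    @property
    def certified(self) -> bool:
        return (self.detection_rate >= MIN_DETECTION_RATE
                and self.false_positive_rate <= MAX_FALSE_POSITIVE_RATE)


def sha256(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def stage_samples(directory: str, samples: dict) -> dict:
    """Write each sample to disk and record its hash (the 'download' step)."""
    expected = {}
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        expected[name] = sha256(path)
    return expected


def inventory(directory: str, expected: dict) -> set:
    """Return names of samples that survived the scan with integrity intact.

    Assumption (not from the page): a sample that is gone, or whose hash no
    longer matches, was acted on by the product and therefore counts as detected.
    """
    survivors = set()
    for name, digest_hex in expected.items():
        path = os.path.join(directory, name)
        if os.path.exists(path) and sha256(path) == digest_hex:
            survivors.add(name)
    return survivors


def mock_scan_on_demand(directory: str, signature_db: set) -> None:
    """Stand-in for the product under test: quarantine (delete) every file
    whose SHA-256 appears in its signature database."""
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if sha256(path) in signature_db:
            os.remove(path)


def run_certification(malware: dict, clean: dict, signature_db: set) -> Outcome:
    with tempfile.TemporaryDirectory() as cert_dir, tempfile.TemporaryDirectory() as clean_dir:
        cert_expected = stage_samples(cert_dir, malware)
        clean_expected = stage_samples(clean_dir, clean)
        mock_scan_on_demand(cert_dir, signature_db)
        mock_scan_on_demand(clean_dir, signature_db)
        missed = inventory(cert_dir, cert_expected)       # malware still present = FN
        untouched = inventory(clean_dir, clean_expected)  # clean still present = TN
    return Outcome(tp=len(malware) - len(missed), fn=len(missed),
                   fp=len(clean) - len(untouched), tn=len(untouched))


# Constructed sample sets: tiny stand-ins for the 1000-2000 and 100,000 file sets.
MALWARE = {f"mal{i}.exe": f"constructed-malicious-sample-{i}".encode() for i in range(8)}
CLEAN = {f"clean{i}.dll": f"constructed-legitimate-file-{i}".encode() for i in range(10)}


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def scenario_weak_product() -> Outcome:
    """Knows 7 of the 8 malware hashes and wrongly lists one clean file."""
    sigs = {digest(MALWARE[f"mal{i}.exe"]) for i in range(7)} | {digest(CLEAN["clean3.dll"])}
    return run_certification(MALWARE, CLEAN, sigs)


def scenario_passing_product() -> Outcome:
    """Knows every malware hash and no clean file."""
    return run_certification(MALWARE, CLEAN, {digest(c) for c in MALWARE.values()})


if __name__ == "__main__":
    for label, o in (("weak", scenario_weak_product()), ("passing", scenario_passing_product())):
        print(label, o, f"detection={o.detection_rate:.1%}", f"fp={o.false_positive_rate:.2%}",
              "certified" if o.certified else "not certified")
```

With sets this small, a single miss or a single false alarm is enough to fail both thresholds, which is why the real test uses thousands of malware samples and 100,000 clean files.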

[Figure: SentinelOne Singularity Platform VB100 at a glance: test set composition and detailed test results]

Importance of VB100 Certification

Virus Bulletin (VB) is an independent testing and certification body based in the UK. For the past two decades, VB has built a rich history in establishing a highly-regarded industry benchmark for security solutions used by the infosec community. Any product awarded VB100 certification is regarded as having met a strict quality standard regarding malware detection.

Achieving VB100 certification is widely recognized in both the antivirus and malware research communities, as the test is known for its stringent requirements. The certification demonstrates a product’s ability to stop common threats and minimize alert fatigue, marks its resilience against developing cyber threats, and helps many enterprises meet federal guidelines for broader security measures. VB100 certification can be earned and maintained through frequent testing, and a product retains its certification status for 180 days after the last successfully passed test.

To keep ahead of security challenges in a changing threat landscape, enterprises have accelerated the effort of replacing their legacy antivirus solutions at scale. For many modern-day CISOs, a large part of helping their enterprise’s security programs is comparing hundreds of cybersecurity solutions that all claim to solve the problem of cyberattacks. Public testing and transparent methodologies such as Virus Bulletin’s certification allow CISOs to navigate these comparisons more effectively and choose the right solution for their organization.

SentinelOne’s Commitment to Excellence

SentinelOne is focused on defending modern enterprises faster, at greater scale, and with higher accuracy across any attack surface. Through our Singularity XDR Platform, we converge AI-powered prevention, detection, response, and threat hunting across user endpoints, containers, cloud workloads, and IoT devices.

Our VB100 certification underscores our commitment to excellence in cybersecurity and our drive to deliver unparalleled protection for the communities we serve. We are dedicated to providing our customers with leading-edge cybersecurity protection for the changing threat landscape.

The team at SentinelOne is proud to have been recognized across the industry’s most established and rigorous standards. SentinelOne holds ISO 27001 and FedRAMP certifications and Tevora PCI DSS and HIPAA attestation, and has been the recipient of various accolades, including:

  • Top ratings in KuppingerCole’s 2022 Leadership Compass report for Endpoint Protection, Detection & Response (EPDR)
  • Leading the 2022 MITRE ATT&CK Evaluation
  • Leading position in 2021 Gartner Magic Quadrant report for Endpoint Protection Platforms
  • Strong Performer in 2021 Forrester Wave™ Report for Endpoint Security Software-as-a-Service, Managed Detection & Response (MDR), and Endpoint Detection & Response (EDR) categories
  • AAA rating in SE Labs’s Breach Response & Enterprise Endpoint Protection Tests

Conclusion

As one of the most highly-respected antivirus software certifications, VB100 certification sets an international standard for efficacy in malware detection and response. SentinelOne is honored to be part of a community of cybersecurity providers with this certification. We take this opportunity to celebrate this achievement and congratulate the team at SentinelOne!

Through this certification, we also reaffirm our commitment to delivering industry-leading cyber protection to our trusted customers. Enterprises trust SentinelOne’s autonomous technology to empower their business to take real-time action with greater visibility of their dynamic attack surface and cross-platform security analytics.

SentinelOne is a leading choice for global enterprises as they augment their security vision and safeguard their critical data. Contact us for more information, or sign up for a demo today.

Happy 13th Birthday, KrebsOnSecurity!

KrebsOnSecurity turns 13 years old today. That’s a crazy long time for an independent media outlet these days, but then again I’m bound to keep doing this as long as they keep letting me. Heck, I’ve been doing this so long I briefly forgot which birthday this was!

Thanks to your readership and support, I was able to spend more time in 2022 on some deep, meaty investigative stories — the really satisfying kind with the potential to affect positive change. Some of that work is highlighted in the 2022 Year in Review below.

Until recently, I was fairly active on Twitter, regularly tweeting to more than 350,000 followers about important security news and stories here. For a variety of reasons, I will no longer be sharing these updates on Twitter. I seem to be doing most of that activity now on Mastodon, which appears to have absorbed most of the infosec refugees from Twitter, and in any case is proving to be a far more useful, civil and constructive place to post such things. I will also continue to post on LinkedIn about new stories in 2023.

Here’s a look at some of the more notable cybercrime stories from the past year, as covered by KrebsOnSecurity and elsewhere. Several strong themes emerged from 2022’s crop of breaches, including the targeting or impersonating of employees to gain access to internal company tools; multiple intrusions at the same victim company; and less-than-forthcoming statements from victim firms about what actually transpired.

JANUARY

You just knew 2022 was going to be The Year of Crypto Grift when two of the world’s most popular antivirus makers — Norton and Avira — kicked things off by installing cryptocurrency mining programs on customer computers. This bold about-face dumbfounded many longtime Norton users because antivirus firms had spent years broadly classifying all cryptomining programs as malware.

Suddenly, hundreds of millions of users — many of them old enough to have bought antivirus from Peter Norton himself back in the day — were being encouraged to start caring about and investing in crypto. Big Yellow and Avira weren’t the only established brands cashing in on crypto hype as a way to appeal to a broader audience: The venerable electronics retailer RadioShack wasted no time in announcing plans to launch a cryptocurrency exchange.

By the second week of January, Russia had amassed more than 100,000 troops along its southern border with Ukraine. The Kremlin breaks with all tradition and announces that — at the request of the United States — it has arrested 14 people suspected of working for REvil, one of the more ruthless and profitable Russian ransomware groups.

Security and Russia experts dismiss the low-level arrests as a kind of “ransomware diplomacy,” a signal to the United States that if it doesn’t enact severe sanctions against Russia for invading Ukraine, Russia will continue to cooperate on ransomware investigations.

The Jan. 19th story IRS Will Soon Require Selfies For Online Access goes immediately viral for pointing out something that apparently nobody has noticed on the U.S. Internal Revenue Service website for months: Anyone seeking to create an account to view their tax records online would soon be required to provide biometric data to a private company in Virginia — ID.me.

Facing a backlash from lawmakers and the public, the IRS soon reverses course, saying video selfies will be optional and that any biometric data collected will be destroyed after verification.

FEBRUARY

Super Bowl Sunday watchers are treated to no fewer than a half-dozen commercials for cryptocurrency investing. Matt Damon sells his soul to Crypto.com, telling viewers that “fortune favors the brave” — basically, “only cowards would fail to buy cryptocurrency at this point.” Meanwhile, Crypto.com is trying to put space between it and recent headlines that a breach led to $30 million being stolen from hundreds of customer accounts. A single bitcoin is trading at around $45,000.

Larry David, the comedian who brought us years of awkward hilarity with hits like Seinfeld and Curb Your Enthusiasm, plays the part of the “doofus, crypto skeptic” in a lengthy Super Bowl ad for FTX, a cryptocurrency exchange then valued at over $20 billion that is pitched as a “safe and easy way to get into crypto.” [Last month, FTX imploded and filed for bankruptcy; the company’s founder now faces civil and criminal charges from three different U.S. agencies].

On Feb. 24, Russia invades Ukraine, and fault lines quickly begin to appear in the cybercrime underground. Cybercriminal syndicates that previously straddled Russia and Ukraine with ease are forced to reevaluate many comrades who are suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those is Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was busted in March after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam is Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.

Tank, seen here performing as a DJ in Ukraine in an undated photo from social media.

Ransomware group Conti chimes in shortly after the invasion, vowing to attack anyone who tries to stand in Mother Russia’s way. Within hours of that declaration several years worth of internal chat logs stolen from Conti were leaked online. The candid employee conversations provide a rare glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also reveal how Conti dealt with its own internal breaches and attacks from private security firms and foreign governments.

Faced with an increasing brain drain of smart people fleeing the country, Russia floats a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies.

Chipmaker NVIDIA says a cyberattack led to theft of information on more than 71,000 employees. Credit for that intrusion is quickly claimed by LAPSUS$, a group of 14-18 year-old cyber hooligans mostly from the United Kingdom who specialized in low-tech but highly successful methods of breaking into companies: Targeting employees directly over their mobile phones.

LAPSUS$ soon employs these skills to successfully siphon source code and other data from some of the world’s biggest technology firms, including Microsoft, Okta, Samsung, T-Mobile and Uber, among many others.

MARCH

We learn that criminal hackers are compromising email accounts and websites for police departments worldwide, so that they can impersonate police and send legal requests to obtain sensitive customer data from mobile providers, ISPs and social media companies. That story prompts revelations that several companies — including Apple, Discord and Meta/Facebook — have complied with the fake requests, and draws the attention of Congress to the problem.

APRIL

It emerges that email marketing giant Mailchimp got hacked. The unknown intruders gained access to internal Mailchimp tools and customer data by social engineering employees at the company, and then started sending targeted phishing attacks to owners of Trezor hardware cryptocurrency wallets.

The FBI warns about a massive surge in victims from “pig butchering” scams, in which flirtatious strangers online lure people into investing in cryptocurrency scams. Investigative reports reveal pig butchering’s link to organized crime gangs in Asia that attract young job seekers with the promise of customer service jobs. Instead, those who show up at the appointed time and place are kidnapped, trafficked across the border into neighboring countries like Cambodia, and pressed into a life of indentured servitude scamming others online.

The now-defunct and always phony cryptocurrency trading platform xtb-market[.]com, which was fed by pig butchering scams.

MAY

KrebsOnSecurity reports that hackers who specialize in filing fake police requests for subscriber data gained access to a U.S. Drug Enforcement Administration (DEA) portal that taps into 16 different federal law enforcement databases.

The government of Costa Rica is forced to declare a state of emergency after a ransomware attack by Conti cripples government systems. Conti publishes nearly 700 GB worth of government records after the country’s leaders decline to pay a $20 million ransom demand.

Why Governments and Agencies Are Targeted by Cyber Attacks | A Deep Dive into the Motives

Cyberattacks documented throughout this year have shown an increasing interest in targeting global governments and agencies. Fraught with hit after hit, governing bodies were not spared by ransomware operators in 2022 even though, out of all other sectors, they are least likely to pay out ransom demands.

Threat actors are typically driven by financial gain, but with many states considering no-ransom bills and official directives from the FBI reminding governments to refrain from paying ransom demands, what could be the motives behind the rise in public sector-focused attacks?

This blog post explores why more cyber attacks are directed at the public sector and what defenses government agencies can implement to protect against them.


Attacks on the Rise | Government Is Amongst Top-Targeted Sectors

Government agencies are responsible for mass amounts of sensitive data ranging from personal information about citizens to classified information pertaining to national security. In our data-centric world, information remains a hot commodity in dark marketplaces and thus paints a target on its custodians.

While attacks on businesses, healthcare providers, and educational and financial institutions make news headlines regularly, governments and their agencies have risen to become one of the most targeted sectors. Research in Q3 found that government was the second most attacked industry, averaging 1,564 attacks per week. This marks a 20% increase compared to the same period last year.

Some of the top cyberattacks on governments throughout 2022 include:

  • January – In a cyberattack targeting the Ukrainian government, malicious software was deployed to damage dozens of computers in government-run agencies. The Informatic Directorate of the Greek Parliament identified an attempt to compromise 60 parliamentary email accounts. Threat actors breached the Canadian Foreign Ministry, disrupting the operation of some internet-connected services.
  • February – Cybercriminals breached the networks of the U.K. Foreign Office and an Iranian-linked group conducted cyber operations, including espionage against local and federal governments. A Pakistani-linked group deployed a remote access trojan (RAT) to spy on the Indian military and diplomatic persons of interest. As a precursor to the Russian invasion of Ukraine, the latter’s Defense Ministry suffered DDoS attacks and the websites of the Ukrainian Cabinet of Ministers and Ministries of Foreign Affairs, Infrastructure, and Education experienced major disruptions.
  • March – Governing entities of at least six U.S. states were hacked by a Chinese-backed group. In Canada, the country’s largest state-funded research agency declared it suffered a data breach. Greenland’s parliamentary authority reported an apparent espionage operation, which slowed social benefit payments. Actors linked to the Pakistani government targeted Indian government employees using fake websites to deliver malware.
  • April – Ukrainian government officials were targeted on their Telegram accounts through a phishing campaign. Websites belonging to the Finnish Ministries of Defense and Foreign Affairs were hit with a DDoS attack and the U.S. announced sanctions against a DPRK-based hacking group after it attacked their Treasury Department’s Office of Foreign Assets Control. Cyber researchers discovered a new Russian-linked campaign using phishing emails to deliver malware to diplomats and embassy officials from Portugal, Poland, France, and more.
  • May – A phishing campaign launched against the Jordan Ministry of Foreign Affairs was attributed to an Iranian cyber espionage actor. Russian-linked threat actors hit Italian websites with a DDoS attack, which included the sites for the Senate, Ministry of Defense, and the National Health Institute.
  • June – A DDoS attack hit Norwegian public institutions with the specific intent to disrupt government websites. Actors breached Chinese government networks to find and leak evidence of human rights abuse committed against the Uyghur population. Israeli officials, military personnel, and a former U.S. Ambassador to Israel were targeted by attackers through phishing emails. A Russian-based group claimed responsibility for attacking Lithuania’s government ministries and state-run airport, railway, and media companies.
  • July – Threat actors disrupted access to public services in Albania and took down websites belonging to the Albanian Prime Minister’s Office and the Parliament. A state-owned energy provider in Lithuania suffered a targeted DDoS attack.
  • August – Both government and private Estonian institutions reported a DDoS attack on their government websites. Russian-linked groups were formally suspected of being responsible for a breach of Montenegro’s government institutions. DDoS attacks temporarily took down the Taiwanese presidential website and attempted the same on the Taiwanese Foreign Ministry’s main portal. Threat actors targeted the Ukrainian government’s state energy agency responsible for the country’s nuclear power plants.
  • September – The ‘Anonymous’ group claimed responsibility for a series of cyberattacks against the Iranian government. The Mexican Defense Ministry reported that six terabytes of internal communications, criminal data, and citizens’ personal health information were accessed in an attack. Main state websites and government information platforms in Montenegro were targeted, as was the state-level parliamentary website of Bosnia and Herzegovina.
  • October – Government websites across Colorado, Kentucky, and Mississippi were taken offline by pro-Russian hackers. Another Russian-linked hacking group claimed responsibility for targeting Bulgarian sites belonging to its presidential administration, Defense Ministry, Interior Ministry, Justice Ministry, and Constitutional Court.

Data Is The Prize | Why Governments Are In the Crosshairs

This year, it was reported that only 32% of state and local governments paid cybercriminals to restore their encrypted data, a marked decrease from 42% in 2020. Compared across all other sectors, which averaged 46% in 2022, this was the lowest reported rate. Though fewer government bodies are paying ransoms, the number of threat campaigns is still rising, indicating that threat actors have their eyes on goals other than monetary gain.

Government entities sit atop a wealth of data due to the many services provided by the state to businesses and citizens. Even one successful breach of a government could leak state-level intelligence, classified assets, and personally identifiable information (PII) to cyber criminals. In dark marketplaces, the stolen data is often sold to create forged documents, steal identities, gain initial access to organizations, or take over privileged accounts.

The Threat of Hacktivism & Cyber Terrorism

State-sponsored threat actors are motivated by special causes other than financial gain. Other than selling stolen data, sometimes their goal is to disrupt essential services, destroy national assets, encourage protests, expose political-level wrongdoing, or simply erode trust and provoke embarrassment.

Considered ‘soft targets’ by threat actors, state and local governments often run on small, publicly-funded budgets that leave little room for robust cybersecurity programs. Government agencies may not employ dedicated security professionals and rely mainly on general-service IT or small SOC teams. Legacy technology used by this level of government may not be advanced enough to contend with the large-scale ransomware threats they are up against.

If breached, government institutions could potentially become a gateway for cyber threat actors to access thousands of other enterprises, third-party vendors, and significant amounts of the civilian population. Successful attacks on governments can have profound effects and destabilize the people they govern.

Attacking government entities can be a valuable tactic for hostile state-sponsored threat actors in political cyber warfare. Undertaking an ‘influence operation’ through malicious cyber techniques allows actors to position false narratives in the public domain and amplify a story in line with their goals.

Digital Security Red Flags in Governmental Infrastructure

Many government IT systems are three for three when it comes to digital security red flags:

  • They are widely trusted by users and reach a large audience. Researchers this year noted that attackers were leveraging legitimate government domains to distribute malware to many at once since site visitors implicitly trust them.
  • Systems can be complex, housing large amounts of sensitive information and shared with multiple third parties and contractors. This complexity and access increase the external risk the governing body bears.
  • State and local governments are less funded than their federal counterparts. This often means they are forced to make do with outdated software incapable of standing up against modern, advanced cyber threats.

These red flags are typically the result of a weak IT and cybersecurity infrastructure – a common problem that plagues poorly-funded government agencies. Though the public sector is often the victim of opportunistic attacks, governments are also being targeted by sophisticated attackers who are abusing their weak infrastructures to deploy malware, lateral movement tools, ransomware, and phishing.

The Critical Need for Cybersecurity Professionals

The global shortage of cybersecurity expertise is compounding the issue of weak government IT systems. Based on a recent study released by The International Information System Security Certification Consortium, known as (ISC)², the current cybersecurity workforce gap amounts to 3.4 million open roles needing to be filled. The study described today’s threat landscape as a volatile one, directly shaped by this year’s macroeconomic and geopolitical turbulence.

As state and local governments work around tighter budgets, this usually means there are scarce (if any) cybersecurity resources dedicated to supporting agencies. Lack of security expertise leaves the agencies susceptible in the long run. Without cybersecurity expertise embedded in leadership and collaborating with technical teams, poorly-funded governments face the risks of:

  • Falling behind in adopting emerging technologies,
  • Missing changes in regulatory requirements and/or critical trends in tactics, techniques, and procedures (TTPs), and
  • Mishandling security incidents and post-incident processes.

What’s Next for Government Security Strategies?

Governments offer many public services, which all feed into the complexity and size of their attack surface. For governing bodies to continue providing those services safely, CISOs need to consider leveraging a simple, streamlined, end-to-end security strategy that can cover all of the inherent risks they face in the current landscape.

Following the conflict between Ukraine and Russia, CISA issued a Shields Up alert warning all “within and beyond the region” to be prepared and responsive to disruptive cyber incidents. The warning cites the “economic costs imposed on Russia by the U.S. and our allies and partners” as a potential reason for the Russian government to consider escalating its actions to nations outside of Ukraine. Shields Up recommends actions such as:

  • Improving immediate detection capabilities through logging, anti-malware software, and traffic isolation if working with third-party vendors.
  • Planning ahead for incident response, such as designating a crisis-response team, ensuring the availability of key personnel, and conducting tabletop exercises often to review roles and responsibilities.
  • Hardening cyber resilience by testing backup procedures, isolating backups from network connections, and testing manual controls should a network become unavailable.

Identity Security | The New Perimeter in Building Cyber Resiliency

President Biden’s national security memorandum from last summer underscored the need for building cyber-resilient infrastructure and systems. In response to this release, NIST and CISA jointly released new Cybersecurity Performance Goals (CPGs) to help critical infrastructure sectors kickstart their security efforts. Described by CISA as a minimum set of best practices, the CPGs provide actionable goals on the topics of account, device, and data security.

At the root, account, device, and data security all start at the identity surface. As more high-value sectors move towards remote workforces and create digital identities to share information and collaborate, that surface widens, leaving them vulnerable to identity-based exploitation. By looking at identity as the new network perimeter, enterprises can scale down that attack surface by detecting threats in their earliest stages.

Before the data loss stage, enterprises that can identify over-privileged users, cached credentials, and other identity-related cyber hygiene issues can prevent the initial breach from happening at all. The importance of identity threat detection and response will only grow as threat actors leverage weak endpoints and social engineering tactics to find their way into networks.

Governments managing immense databases especially need to reduce the chances of cyber intrusion by implementing identity authentication security solutions (e.g., MFA), endpoint detection and response (EDR), remote access validation, privileged account audits, and stringent password policies.

Conclusion

Advanced cyber threats such as ransomware, phishing and whaling campaigns, and DDoS attacks have beleaguered governments globally in 2022, taking malicious advantage of their sluggish policies and departmental silos. Up against uniquely motivated hacktivists and data-hungry cybercriminals, governments have found themselves at the number two spot among the most attacked sectors this year.

Reported attacks from this year alone clearly indicate that this critical sector needs to advance its cyber resiliency and implement cybersecurity best practices to reduce its attack surface. Solutions that provide complete visibility are most effective, given the breadth of data networks managed and processed by governments and agencies.

Solutions should leverage identity-based security tools whose capabilities draw on artificial intelligence (AI) and machine learning (ML) to fight back against ransom operators and sophisticated social engineering schemes. Removing gaps in network visibility ensures governments can monitor endpoints and data more effectively while detecting and responding in real time to security events before they can lead to catastrophe.

While no entity is immune from cyber attacks, governments can examine the top attacks reported in 2022 through an educational lens to better secure the data of those relying on their services. Learn how SentinelOne can help enterprises build cyber resilience through autonomous endpoint protection by contacting us today.

12 Months of Fighting Cybercrime & Defending Enterprises | SentinelLabs 2022 Review

2022 has been another eventful year for the SentinelLabs research team, with events in Ukraine dominating and directing a large portion of our research output. We also hosted the first ever LABScon, bringing together top tier researchers and thought leaders from across the industry, and found time to investigate a number of supply chain attacks, adversaries, macOS, Linux and Windows malware, and exploitable vulnerabilities.

We’ve seen a shift in ransomware TTPs with increasing use of hybrid and partial encryption and a greater focus from threat actors on stealing data for ransom as well as – and sometimes instead of – using file lockers.

All our research and threat intelligence posts can be found on the SentinelLabs home page, but for a quick recap of the year’s main highlights, take a scroll through the 2022 timeline below.


January

In January, we identified new variants of the PowGoop malware belonging to Iranian-linked threat actor MuddyWater. We described how this adversary used tunneling tools and likely exploited CVE-2020-0688 on Exchange servers to compromise governmental organizations in the Middle East. Like many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups but continues to be successful through its use of publicly available offensive security tools and exploitation of unpatched vulnerabilities.


January also saw SentinelLabs post research on threat hunting for macOS adware infections, recent hacktivist campaigns, and analyses of BlackCat ransomware, and CVE-2021-45608 – a flaw in NetUSB affecting millions of routers.

February

The Russian invasion of Ukraine in February 2022 was an event that had, and continues to have, a global impact. It was widely expected that the Russian campaign would be swift and decisive, and accompanied by an equally destructive cyber warfare campaign. Those expectations turned out to be far from correct. While the resolve of the Ukrainians took both the Russians and many observers by surprise, the cyber campaigns associated with the war also had an unexpected dimension. In February, the first of these was a new destructive wiper that SentinelLabs dubbed HermeticWiper, a signed driver targeting Windows devices in Ukrainian organizations.

This month, SentinelLabs also exposed a decade-old state-sponsored adversary named ModifiedElephant targeting human rights activists, lawyers, academics and others involved in civilian dissent in India. The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.

SentinelLabs also reported on an Iranian threat actor, TunnelVision, exploiting the Log4j2 and other vulnerabilities against Middle East and US targets.

March

As the war in Ukraine gathered pace, so did the cyber attacks: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero were all reported on across the industry, but AcidRain saw a new development. An attempt to take out Ukrainian military command-and-control capabilities by hindering satellite connectivity spilled over to affect German infrastructure, with remote monitoring and control of almost 6000 Enercon wind turbines disrupted by an attack on Viasat modems.

It turns out it hasn’t only been the Russians targeting Ukraine, either. In March, SentinelLabs reported on a Chinese threat actor Scarab APT attempting to infect organizations in Ukraine with HeaderTip malware. Meanwhile, multiple critical severity flaws in Microsoft Azure’s Defender for IoT were disclosed by SentinelLabs that could allow unauthenticated attackers to remotely compromise devices.

April

In April, SentinelLabs’ focus turned to crimeware with research on LockBit 3.0 discovering that threat actors were sideloading Cobalt Strike beacons via a signed VMware xfer logs command line utility. We subsequently discovered this technique was connected with an affiliate Microsoft tracks as DEV-0401, a threat actor that had not previously been known to use LockBit.

SentinelLabs also published on Nokoyawa ransomware in April, finding that it was clearly an evolution of Karma/Nemty rather than Hive, as suggested by some earlier analyses.

May

Supply-chain attacks via shared code repositories were flavor of the month in May. SentinelLabs reported on CrateDepression this month, a supply-chain attack against the Rust development community. This followed an advisory from the Rust Security Response Working Group announcing the discovery of a malicious crate that targeted victims using GitLab Continuous Integration (CI) pipelines. Infected CI pipelines were served a second-stage payload we identified as Go binaries built on the red-teaming framework, Mythic. Both macOS and Linux payloads were available to the threat actors.

Also in May, threat actors targeted PyPI with a malicious Python package in a typosquatting campaign. We noted how the macOS payload used a similar obfuscation technique to OSX.Zuru in 2021 to drop a Cobalt Strike beacon on infected devices.

June

June 2022 saw SentinelLabs’ research turn to focus on Chinese-linked threat activity. Our research revealed a newly-discovered APT dubbed Aoqin Dragon that had been quietly spying on government, education, and telecommunication organizations in Southeast Asia and Australia for over a decade.

We found that the threat actor had a history of using document lures with pornographic themes to infect users and typically drops one of two backdoors: Mongall and a modified version of the open source Heyoka project.

July

In July, SentinelLabs research discovered that a Chinese state-sponsored cyber espionage group had set its sights on Russian targets in the midst of the Ukraine war.

We also explored how malicious Windows applications created as APPX and MSIX packages were being used by threat actors as an alternative infection vector to Office macros. LockBit 3.0 continued to be a significant threat for many enterprises and we published new research on LockBit’s latest anti-analysis and evasion techniques.

August

Furthering our research on alternative vectors in light of Microsoft’s announced lockdown of Office Macros, SentinelLabs published on how Windows shortcuts, LNK files, were being abused by threat actors. This detailed research was based on an analysis of over 27,000 malicious LNK file samples.

We discovered that Windows Explorer was the top LOLBin (living off the land binary) in the chain of LOLBins that threat actors use to execute malware via LNK files.

September

September was the month of LABScon, and unsurprisingly saw some big reveals from the SentinelLabs research team. First up came Metador, a mysterious threat actor that SentinelLabs found had been targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.

We also published research on Void Balaur, a cyber mercenary group running hack-for-hire campaigns throughout 2022 on targets in the United States, Russia, Ukraine, and other countries. SentinelLabs also reported on JuiceLedger, a relatively new threat actor focused on infostealing through a .NET assembly called ‘JuiceStealer’, and its phishing campaign against PyPI contributors.

October

In October, our research returned to focusing on Chinese-linked APTs with research on a new threat cluster we track as WIP19.

WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia using a stolen digital certificate signed by a company called “DEEPSoft”. The activity was notable for the fact that almost all operations performed by the threat actor were conducted in a “hands-on keyboard” manner, with the attacker foregoing using C2 channels in exchange for increased stealth.

November

As the festive and holiday season started to approach, our focus turned once again to crimeware actors that typically ramp up their activities as the year rounds to a close. Our research into SocGholish noted how the actors had significantly diversified and expanded their infrastructure for staging malware with new servers, many of which were located in Europe, with the Netherlands, the United Kingdom, and France at the top of the list.

We also covered Black Basta ransomware and were the first to note links to its tools and cybercrime gang FIN7. For those who missed out on LABScon, we began a series of posts on some of the presentations that took to the main stage.

December

SentinelLabs was as busy at the end of the year as at the beginning. In December, we published research into crimeware group Vice Society, revealing how the group had pivoted to using a custom-branded ransomware variant we dubbed ‘PolyVice’.

We also dug deeper into Metador, exploring the anti-analysis techniques used in one of the actor’s backdoors, Mafalda. In collaboration with industry partners, we published on POORTRY and STONESTOP malware, used in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.

SentinelOne was an early pioneer of the use of AI and machine learning in cybersecurity, but the technology hit public awareness in a big way with OpenAI’s release of ChatGPT 3. We found time to report on the wonders of this AI tool for the work of malware analysis and reverse engineering, and of course, we topped off the year by sharing more LABScon talks for the rest of the cybersecurity world to enjoy and learn from.

Conclusion

Throughout 2022, SentinelLabs has kept defenders informed and up-to-date on the latest developments across the crimeware ecosystem, adversaries, APTs, malware campaigns and critical vulnerabilities, and we’re not quite done yet: look out for a special LABScon talk that we’ll share before the New Year.

We’ll be back in 2023 with more security research, threat intelligence and vulnerability reporting. In the meantime, we wish all a happy, secure and peaceful New Year and 2023. Predictions for what 2023 in cybersecurity might look like from both SentinelLabs researchers and SentinelOne thought leaders can be found here.

The Good, the Bad and the Ugly in Cybersecurity – Week 52

The Good

This week, Microsoft joined Google and Meta (aka Facebook) in being the next tech giant to be slapped with a fine by French privacy watchdog CNIL for violation of Europe’s GDPR laws.

CNIL hit Google and Meta with $68 million and $170 million fines respectively earlier this year for failing to offer users of their products transparent ways to reject tracking cookies. On Thursday, Microsoft got a ticking off to the tune of around $64 million for cookies deposited by its web search engine bing.com.

According to an investigation by CNIL, when a user visited bing.com, advertising cookies were placed on their device without user consent. The site also failed to offer a button allowing users to refuse the deposit of cookies as easily as to accept them.

In addition to the fine, CNIL ordered Microsoft to obtain consent for the use of cookies and trackers of any person residing in France within 3 months or face fines of $64,000 per day of delay.

Data privacy laws in the US and Europe have gathered strength over the last few years as the potential dangers of the mass collection of data pertaining to users’ online behavior have become more apparent. While such fines have limited financial impact on giants like Microsoft, Google and Meta, they are a reminder to companies everywhere that data privacy laws have teeth and users’ rights to privacy must be respected.

The Bad

Extortion gang Vice Society, which made a name for itself attacking healthcare and education targets throughout 2021 and 2022 with off-the-shelf ransomware like HelloKitty and Zeppelin, has pivoted to a new custom-branded ransomware researchers have dubbed PolyVice.

SentinelLabs revealed this week that the Vice Society group has been deploying payloads that are functionally identical to those of Chily and Sunnyday ransomware. According to their analysis, the payloads only differ in the section where the ransomware campaign details are stored, such as the encrypted file extension, ransom note, hardcoded master key, and wallpaper.

[Figure: Code similarities between PolyVice and Chily Ransomware]
[Figure: Code similarities between PolyVice and SunnyDay Ransomware]

PolyVice ransomware uses sophisticated encryption methods, including partial encryption for large files, and a hybrid encryption scheme that combines asymmetric encryption with the NTRUEncrypt algorithm and symmetric encryption with the ChaCha20-Poly1305 algorithm.

As Vice Society has no known history of developing its own ransomware payloads, the level of sophistication along with the similarities to payloads used by other ransomware groups suggests that an individual or group with expertise in ransomware development is selling custom-branded ransomware payloads to multiple threat actors.

The ability of ransomware groups to outsource development and other services from the larger crimeware ecosystem means that new threat actor groups need little more than initial funding and some basic management capabilities to get new campaigns under way. Expect to see a proliferation of low-skilled crimeware operators picking off more schools, healthcare organizations, and others without adequate defences as we move into 2023.

The Ugly

It’s been a tough year for password manager developer LastPass, as the fallout from a breach that began back in August continued to cause worries this week to the company and its customers.

The breach earlier in the year, LastPass initially said, had been limited to a small part of the LastPass development environment and the theft of some source code and proprietary LastPass technical information. A further breach in late November leveraged data stolen in August and saw “unusual activity within a third-party cloud storage service” that allowed an unknown actor to gain access to “elements of [LastPass] customers’ information”.

This week, the company updated its advisory revealing that the threat actor had made off with “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The company was at pains to point out that LastPass customer vaults remain unaffected as LastPass does not hold copies of customers’ master passwords and vaults are encrypted with 256-bit encryption. However, LastPass users may be subject to phishing attempts and those who did not follow recommendations for creating a strong password could be susceptible to brute force attacks.

Despite the serious nature of this breach, users everywhere are reminded that password managers are an essential part of good password security.

Building Blocks for Your XDR Journey, Part 5 | Why an XDR Solution Needs to Be Open XDR

This is Part 5, the concluding part of our multi-part XDR (eXtended Detection and Response) blog series.

If you haven’t read the earlier posts in this series yet, we recommend checking out the following:

  • Part 1 discusses why organizations need to extend protection beyond the endpoint to stay ahead of adversaries.
  • Part 2 discusses why Endpoint Detection and Response (EDR) is a foundation and a cornerstone for any XDR strategy.
  • Part 3 discusses why identity security is a cornerstone of an XDR strategy.
  • Part 4 discusses the importance and value of security data for detection and investigation.

In this post we discuss why an XDR solution should be Open XDR.

The State of the Security Operations Center

The only constant in security is change. New exploits are met with new defenses. The more we integrate technology into society, the more opportunities attackers have to hack for power or profit and so both sides keep innovating.

When attackers took to the supply chain and to lifting legitimate credentials from phishing and breaches, defenders moved further into vulnerability management, Zero Trust, and invented new Identity Threat Detection and Response (ITDR) tools. As attackers increasingly leverage crimeware markets to grab off-the-shelf malware and lower the skill level needed to run an attack, defenders increasingly look to smarter tools and XDR Marketplaces to integrate tools and run automation that is a force multiplier for their team, turning disparate tools into connected defense networks sharing IOCs, risk levels, and coordinated response.

In Cybersecurity, Effectiveness Counts

Before we can talk about what good Open XDR systems do, we need to acknowledge why they’re here. Behind all of this are customer buying behaviors. Some of the world’s largest tech companies have long tried to convince customers that they can get all their security software from one vendor. The market evaluated that offer and decided the compromise in quality was too great and most have continued buying best in class tools from disparate vendors.

Convenience and cost drive some buyers to reduce the number of vendors, but most have put security first, and that is a good thing. We are all members of banks, we are all scanning our fingers and faces to get into our phones, and we’re all online, putting our data into databases almost. As consumers and members of societies that are under constant attack, we should be happy knowing that most organizations we buy from still choose better tools over streamlined buying and support or a deeply discounted EA package.

Throughout history we see that battles are a measure of numbers, training, and equipment quality. Armies don’t win by buying planes and ships from the same vendor to get a good deal. CISOs and SOC Managers know that they can’t afford as many personnel as they need and can’t find the people with the level of training and expertise that they need. There has been a skills shortage for years and it’s not getting better. Instead, CISOs and SOCs coming up on their EPP/EDR renewal are asking questions about automation and AI. Tooling has to make the difference.

Where Open XDR Diverges from Other Security Tools Like the SIEM and SOAR

Before XDR, data often lived in two places: in the SIEM and in the EDR database. EDR data is too voluminous to send to most SIEMs without selling the headquarters to pay for it, so the data stayed separated. This meant searching, rule writing, dashboarding, and reporting all had to be done in two places.

It’s important then to realize that any SIEM that hasn’t solved the data silo issue is still just a SIEM, not XDR. If the SIEM hasn’t extended to cover all critical parts of the stack, there’s no “X”. Most XDR vendors solve the data separation issue by bringing all data to the EDR database. At the same time, some XDR vendors have acquired indexless database companies, making log ingest cheaper than it was with SIEMs.

XDR also solves the SOAR problem. SOARs were too expensive and complex for most teams so market penetration was low. XDR had to solve this because automation is the backbone of XDR. Instead of a complicated solution that requires writing a large check every year and adding headcount to build and maintain the playbooks, XDR delivers turnkey automation as part of existing or slightly higher packaging. Where SOAR was expensive shelfware, XDR is automation for the masses.

Where Open XDR Comes In

Beyond the centralized data and automation is one common thread: X. If it doesn’t extend, it’s just Detection and Response. If it’s not all the data, it’s by definition only part of the picture.

This is where XDR buyers need to look more closely and ask: is this native or open XDR? It’s important to know that, behind the scenes, some vendors don’t want connected ecosystems. Native XDR vendors are focused on their own portfolio. Open XDR vendors are investing in integrations with the vendors that customers indicate are important. SentinelOne’s Singularity XDR has native coverage across workstation, mobile, OT, cloud, and identity, but every month rolls out new integrations with third parties or updates to existing integrations with security partners, many in those same areas.

This benefits customers in several ways.

  • Leverage Existing Investments: Open XDR helps maximize the value of your security investments. While a native XDR requires the vendor to supply all the required sensors for typical use cases, an Open XDR works with what’s in place today, with minimal disruption or change.
  • Vendor agnostic: With Open XDR, companies are freed from being locked into specific solutions, letting SOCs customize their stack to the tools that are best for their industry and to evolve with it as new vendors innovate and disrupt. With Open XDR it’s even easy to integrate with multiple threat intelligence vendors, multiple firewalls, multiple clouds, or all of the above.
  • Scalable Solution: Open XDR makes it straightforward to onboard new security tools and technology, as well as easily integrate and connect these tools with each other. For example, our multi-tenancy means you can install one identity integration for one part of your organization and a completely different integration for another part of your organization. Scopes make that easy. Our open IOC database means your intel can work together too. You can push in threat intel from anywhere you’d like and it’s combined into our database to use for enriching, alerting, mitigating, writing custom rules, or firing automations.

Conclusion

A successful defense cannot be won with sheer numbers; no security team has enough people for it. Even the teams with the best budgets, with the best firewalls and threat intel, are still searching for a centralized, automated, intelligent tool that’s going to continually make their teams the defenders of tomorrow. Can your threat intel trigger a detection that triggers a Slack notification? Can a high enough threat intel score trigger a true positive or kick a detection into remediation mode? Can those be enabled with a few clicks and no code? Last week OpenAI proved to the world that AI may be closer than we think. This week is a great time to ask whether your tools are built for tomorrow.

If you would like to learn more about SentinelOne Singularity XDR platform, contact us for more information or request a free demo. Also join and listen to the XDR webinar to learn more about best practices and building blocks for an enterprise looking to adopt XDR.


The Equifax Breach Settlement Offer is Real, For Now

Millions of people likely just received an email or snail mail notice saying they’re eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this particular offer is legit (if paltry), scammers are likely to soon capitalize on public attention to the settlement money.

One reader’s copy of their Equifax Breach Settlement letter. They received a check for $6.97.

In 2017, Equifax disclosed a massive, extended data breach that led to the theft of Social Security Numbers, dates of birth, addresses and other personal information on nearly 150 million people. Following a public breach response perhaps best described as a giant dumpster fire, the big-three consumer credit reporting bureau was quickly hit with nearly two dozen class-action lawsuits.

In exchange for resolving all outstanding class action claims against it, Equifax in 2019 agreed to a settlement that includes up to $425 million to help people affected by the breach.

Affected consumers were eligible to apply for at least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and TransUnion. Or, if you didn’t want to take advantage of the credit monitoring offers, you could opt for a cash payment of up to $125.

The settlement also offered reimbursement for the time you may have spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This was capped at 20 total hours at $25 per hour ($500), with total cash reimbursement payments not to exceed $20,000 per consumer.

Those who did file a claim probably started receiving emails or other communications earlier this year from the Equifax Breach Settlement Fund, which has been messaging class participants about methods of collecting their payments.

How much each recipient receives appears to vary quite a bit, but probably most people will have earned a payment on the smaller end of that $125 scale — like less than $10. Those who received higher amounts likely spent more time documenting actual losses and/or explaining how the breach affected them personally.

So far this week, KrebsOnSecurity has received at least 20 messages from readers seeking more information about these notices. Some readers shared copies of letters they got in the mail along with a paper check from the Equifax Breach Settlement Fund (see screenshot above).

Others said they got emails from the Equifax Breach Settlement domain that looked like an animated greeting card offering instructions on how to redeem a virtual prepaid card.

If you received one of these settlement emails and are wary about clicking the included links (good for you, by the way), copy the redemption code and paste it into the search box at myprepaidcenter.com/redeem. Successfully completing the card application requires accepting a prepaid MasterCard agreement (PDF).

The website for the settlement — equifaxbreachsettlement.com — also includes a lookup tool that lets visitors check whether they were affected by the breach; it requires your last name and the last six digits of your Social Security Number.

But be aware that phishers and other scammers are likely to take advantage of increased public awareness of the payouts to snooker people. Tim Helming, security evangelist at DomainTools.com, today flagged several new domains that mimic the name of the real Equifax Breach Settlement website and do not appear to be defensively registered by Equifax, including equifaxbreechsettlement[.]com, equifaxbreachsettlementbreach[.]com, and equifaxsettlements[.]co.
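The lookalike domains above are the kind of thing a brand-protection or SOC team screens newly observed domains for. As an added example (not code from KrebsOnSecurity or DomainTools), the following Python scores a candidate domain against the legitimate settlement domain using edit distance, TLD swaps, and brand-keyword containment; the candidate list is constructed from the defanged domains quoted above plus two benign entries, and the simplified TLD split (no public-suffix list) is an assumption for brevity.

```python
"""Flag registrable domains that look like a legitimate brand domain.

Added example, not from the post or from DomainTools. Given the legitimate
settlement domain and a list of newly observed domains, each candidate is
scored for lookalike risk so an analyst can triage it for takedown or
blocking. The OBSERVED list is constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEGIT_DOMAIN = "equifaxbreachsettlement.com"
# Brand tokens whose joint presence in a label suggests impersonation.
BRAND_KEYWORDS = ("equifax", "settlement")

# Constructed sample: the three defanged lookalikes quoted in the post,
# the genuine domain (must not be flagged) and an unrelated domain.
OBSERVED = [
    "equifaxbreechsettlement[.]com",
    "equifaxbreachsettlementbreach[.]com",
    "equifaxsettlements[.]co",
    "equifaxbreachsettlement[.]com",
    "example[.]org",
]


@dataclass
class Verdict:
    domain: str   # refanged, lowercase
    reason: str   # why it was flagged


def refang(domain: str) -> str:
    """Undo common defanging ('[.]', '(.)') and normalise case/whitespace."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def split_registrable(domain: str) -> Tuple[str, str]:
    """Split 'label.tld' into (label, tld). Simplified assumption: the last
    dot-separated part is the TLD; a real tool would use a public-suffix list."""
    label, _, tld = refang(domain).rpartition(".")
    return label, tld


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def classify(candidate: str, legit: str = LEGIT_DOMAIN,
             max_edits: int = 2) -> Optional[Verdict]:
    """Return a Verdict for a lookalike domain, or None if it is the genuine
    domain or bears no resemblance to it."""
    name = refang(candidate)
    if name == refang(legit):
        return None  # the real site itself
    label, tld = split_registrable(name)
    legit_label, legit_tld = split_registrable(legit)
    if label == legit_label and tld != legit_tld:
        return Verdict(name, "tld swap")
    if damerau_levenshtein(label, legit_label) <= max_edits:
        return Verdict(name, "near-miss spelling")
    if all(keyword in label for keyword in BRAND_KEYWORDS):
        return Verdict(name, "brand keywords")
    return None


def flag_all(observed: List[str]) -> List[Verdict]:
    """Screen a batch of observed domains, keeping only the flagged ones."""
    return [v for v in (classify(d) for d in observed) if v is not None]


if __name__ == "__main__":
    for verdict in flag_all(OBSERVED):
        print(f"{verdict.domain:40s} {verdict.reason}")
```

Hits are leads for further checks (registration date, hosting, certificate issuance), not automatic proof of malicious intent, since an exact-keyword rule can also catch defensive registrations.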

In February 2020, the U.S. Justice Department indicted four Chinese officers of the People’s Liberation Army (PLA) for perpetrating the 2017 Equifax hack. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

Equifax surpassed Wall Street’s expectations in its most recent quarterly earnings: The company reported revenues of $1.24 billion for the quarter ending September 2022.

Of course, most of those earnings come from Equifax’s continued legal ability to buy and sell eye-popping amounts of financial and personal data on U.S. consumers. As one of the three major credit bureaus, Equifax collects and packages information about your credit, salary, and employment history. It tracks how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit.

Americans currently have no legal right to opt out of this data collection and trade. But you can and also should freeze your credit, which by the way can make your credit profile less profitable for companies like Equifax — because they make money every time some potential creditor wants a peek inside your financial life. Also, it’s probably a good idea to freeze the credit of your children and/or dependents as well. It’s free on both counts.

Cybersecurity’s Biggest Mistakes of 2022

In just a few years, the world of cybersecurity has changed dramatically. New technologies and threats have emerged, old ones have fallen by the wayside, and the stakes have never been higher.

As we move into 2023, it’s important to take stock of the past year and learn from our mistakes. Here are some of the biggest cybersecurity mistakes of 2022 – and how to avoid them in the New Year.

With the increasing reliance on technology in our personal and professional lives, it is essential to have strong cybersecurity measures in place to safeguard against threats such as hackers, malware, and data breaches. Making mistakes in this area can have serious consequences, including losing sensitive information, financial damage, and damage to an organization’s reputation.

Besides implementing the right level of security (including AI-driven tooling), here are a few of the main mistakes we observed in 2022:

  • Failing to update software and security patches
  • Using weak and easily guessable passwords
  • Neglecting to back up important data
  • Falling for phishing scams
  • Neglecting to train employees on cybersecurity best practices
  • Relying on outdated security measures
  • No Identity protection implemented
  • No threat hunting and lack of regular monitoring for security breaches

Failing to Update Software and Security Patches

Not keeping software up to date is risky because new security vulnerabilities are regularly identified and patched by software vendors. Each publicly disclosed flaw, whether in Microsoft products or any other vendor's, is tracked under a CVE (Common Vulnerabilities and Exposures) identifier, which is what defenders and attackers alike use to refer to it.

Zero-day vulnerabilities, for which no vendor patch yet exists, quickly become N-day vulnerabilities once a patch has been issued but the organization has not yet applied it. N-days are often more dangerous than zero-days in practice: the vulnerability is now public, and threat actors move fast to build exploits (often by diffing the patch) and to scan for organizations that have yet to install it. The WannaCry ransomware that swept the world in May 2017 is the classic case. It spread using EternalBlue, an exploit for a flaw in Microsoft's SMBv1 server implementation that Microsoft had already fixed in March 2017 (MS17-010); every host WannaCry hit was running an N-day, not a zero-day.

These kinds of scenarios provide even greater reason for organizations to keep their environment current and running the most recent versions of each product. Proactive maintenance can help protect data centers and networks against breaches and data loss.

Here’s a typical lifecycle of an attack utilizing a zero day to compromise devices:

  1. An attacker (or a researcher) discovers a vulnerability or new attack vector.
  2. The capability is weaponized and proven to work.
  3. The zero-day is kept secret and utilized by cybercriminals.
  4. Defenders discover the vulnerability.
  5. The OS vendor or application vendor delivers a patch.
  6. The zero-day becomes an N-day.

The challenge is that patching takes time. There is the interval between disclosure of the vulnerability and the vendor's fix, and then the interval before the organization actually deploys that fix. An attacker only needs the exploit to keep working during that second window, so the practical job for defenders is knowing which hosts are still inside it.
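The check that closes that second window is an inventory comparison: which hosts run a build older than the one the vendor fixed, and for how long has the fix been available? The script below is an added example, not code from the original article or from any vendor; the advisories, hosts, product names, version strings and dates are all constructed for illustration. It also shows the trap that makes such checks silently wrong when versions are compared as strings.

```python
"""Find hosts still exposed to an N-day: a fix exists, but it is not installed.

Added example, not code from the original article. The advisories, hosts,
product names, version strings and dates are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first build that contains the fix
    released: date       # day the vendor shipped it (the N-day clock starts here)


def parse_version(v: str) -> tuple:
    """'9.1.12' -> (9, 1, 12). Numeric comparison matters: as strings,
    '9.1.9' sorts *after* '9.1.12', so a naive check would call it patched."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when installed < fixed; short versions are padded ('4' == '4.0.0')."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def exposure_report(inventory, advisories, today: date) -> list:
    """One row per host that is behind a shipped fix, longest exposure first."""
    by_product = {adv.product: adv for adv in advisories}
    rows = []
    for host in inventory:
        adv = by_product.get(host["product"])
        if adv and is_vulnerable(host["version"], adv.fixed_version):
            rows.append({
                "host": host["host"],
                "product": adv.product,
                "installed": host["version"],
                "fixed_in": adv.fixed_version,
                "days_exposed": (today - adv.released).days,
            })
    return sorted(rows, key=lambda r: r["days_exposed"], reverse=True)


# Constructed data: two hypothetical advisories and a five-host inventory.
ADVISORIES = [
    Advisory("example-vpn-appliance", "9.1.12", date(2022, 3, 8)),
    Advisory("example-mail-gateway", "4.0.0", date(2022, 6, 14)),
]
INVENTORY = [
    {"host": "vpn-01",  "product": "example-vpn-appliance", "version": "9.1.9"},
    {"host": "vpn-02",  "product": "example-vpn-appliance", "version": "9.1.12"},
    {"host": "vpn-03",  "product": "example-vpn-appliance", "version": "9.1.100"},
    {"host": "mail-01", "product": "example-mail-gateway",  "version": "3.9.17"},
    {"host": "mail-02", "product": "example-mail-gateway",  "version": "4"},
]
AS_OF = date(2022, 12, 30)   # the day the report is run (constructed)

if __name__ == "__main__":
    for row in exposure_report(INVENTORY, ADVISORIES, AS_OF):
        print(f"{row['host']:8} {row['product']:24} {row['installed']:>8} -> "
              f"{row['fixed_in']:<8} exposed {row['days_exposed']} days")
```

Run against the constructed inventory it reports vpn-01 (297 days behind a fix) and mail-01 (199 days); vpn-03 is correctly left alone even though "9.1.100" would sort before "9.1.12" as text.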

Using Weak and Easily Guessable Passwords / Reusing Passwords for Multiple Accounts

Using weak and easily guessable passwords is a common mistake that can seriously affect cybersecurity. Passwords are the first line of defense against unauthorized access to an online account or device, so it is crucial to use strong and unique passwords that are difficult for others to guess or crack.

Weak passwords are short, built from common words or phrases, or contain easily discovered personal information such as a name or birthdate. Attackers crack them quickly with automated tools that run through dictionaries, leaked password lists and common mutations (a capital letter, a trailing "1!" or a year), and the recovered password then opens the account or device.

Using weak and easily guessable passwords puts sensitive information and the security of the account or device itself at risk. Using strong, unique passwords and avoiding using the same password for multiple accounts can help mitigate password compromises.

Maintaining secure identity and account protection is critical for everyone in today's connected world. Unfortunately, keeping track of many passwords is hard, so many people reuse the same or similar passwords across accounts, a dangerous habit that turns one breached site into a key for every other account sharing that password (credential stuffing). A password manager removes the need to remember them. Organizations should also require multifactor authentication (MFA), of which two-factor authentication (2FA) is the common form; hardware security keys (FIDO2/WebAuthn), including platform authenticators unlocked by a biometric, are the strongest option because they bind the login to the genuine site and so resist phishing in a way that SMS codes and push approvals do not.
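The two halves of the password problem above, weak or reused choices on the user side and careless storage on the server side, can both be checked in code. The following is an added example, not code from the original article or from any product it mentions: BREACHED is a tiny constructed stand-in for a real compromised-credential feed, and the thresholds (12 characters, 50 bits) are assumptions rather than a standard. The storage half uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-password random salt.

```python
"""Reject weak, mutated-common or known-breached passwords, and store the
accepted ones with a salted, deliberately slow hash.

Added example, not code from the original article. BREACHED is a tiny
constructed stand-in for a real compromised-credential feed; the thresholds
(12 characters, 50 bits) are assumptions for illustration.
"""
import hashlib
import hmac
import math
import os
import re

# Constructed sample of passwords that appear in public breach dumps.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}


def entropy_bits(pw: str) -> float:
    """Keyspace estimate log2(charset ** length). It flatters dictionary
    words, which is why the breach-list check below runs as well."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"[0-9]", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0


def check_password(pw: str, personal=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    lowered = pw.lower()
    base = re.sub(r"[\d!@#$%^&*]+$", "", lowered)   # drop the usual '1!' / '2022' suffix
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if lowered in BREACHED or base in BREACHED:
        problems.append("matches a breached password (ignoring a trailing number/symbol)")
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal detail {item!r}")
    if entropy_bits(pw) < 50:
        problems.append("estimated keyspace below 50 bits")
    return problems


def hash_password(pw: str, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt. The record is
    self-describing so the work factor can be raised later per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

Note what hashing does and does not buy you: a salted slow hash protects the stored copy if the database leaks, but it does nothing against reuse, because the attacker who obtained the plaintext from another site simply logs in with it. That gap is exactly what MFA covers.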

Neglecting to Back Up Important Data

Neglecting to back up important data is a cybersecurity mistake because it turns any incident that destroys data, whether a cyber attack, a hardware failure or an operator error, into an unrecoverable loss. Regular backups create a copy of important files and information from which the originals can be restored if they are lost or corrupted. Without backups, recovery may be impossible, leading to significant disruption, financial loss or other harm.

In addition to protecting against data loss, regularly backing up critical data also makes it possible to restore files encrypted in a ransomware attack. That does not stop attackers from trying to extort victims with threats to leak stolen data, but it lets businesses restore essential services and limit the disruption. Two caveats matter in practice: ransomware operators routinely look for and encrypt or delete any backup they can reach, so at least one copy must be offline or immutable and protected by separate credentials, and a backup that has never been restored is an assumption rather than a plan, so restores should be tested on a schedule.
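A restore test needs a way to prove that what came back is what was backed up, which is what a hash manifest provides. The script below is an added example, not code from the original article or from any product it mentions; the files, directory layout and the crude "ransomware" that XORs and renames the working copy are all constructed so that it runs offline in a temporary directory. It builds a SHA-256 manifest of the backup set, lets the live copy get encrypted, and then shows the manifest both detecting the damage and validating a clean restore.

```python
"""Build a SHA-256 manifest for a backup set and verify a restore against it.

Added example, not code from the original article. The files, directory
layout and the 'ransomware' that scribbles over the working copy are all
constructed here so the script runs offline in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Compare a tree (the live data, or a restored copy) with the manifest."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def simulate_ransomware(root: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for file-encrypting malware: XOR each file and rename it."""
    for p in list(root.rglob("*")):          # list() first: we rename while walking
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def demo() -> dict:
    """Back up, get hit, check the live tree, restore from the untouched copy, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restored")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("2022-12-01,invoice,1200\n")
        (live / "notes.txt").write_text("rotate the backup media weekly\n")

        shutil.copytree(live, backup)            # the offline copy
        manifest = build_manifest(backup)        # store this with the backup, signed if possible

        simulate_ransomware(live)                # the live tree is encrypted; backup is not reachable
        live_check = verify(live, manifest)

        shutil.copytree(backup, restored)        # the restore test
        restore_check = verify(restored, manifest)
        return {"manifest_files": len(manifest), "live": live_check, "restore": restore_check}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The manifest must live with the offline copy, not only on the production host; if the attacker can rewrite the manifest alongside the data, a "verified" restore proves nothing.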

Falling for Phishing Scams

In the second quarter of 2022, the Anti-Phishing Working Group (APWG) observed a record number of phishing attacks, with over 1 million instances. This marks the worst quarter for phishing that APWG has ever observed. There has also been an increase in the amount requested in wire transfer Business Email Compromise (BEC) attacks, and industries such as healthcare and transportation have seen an increase in ransomware attacks.

Threats on social media have also risen, with a 47% increase from Q1 to Q2 2022. Mobile phone-based fraud, such as smishing and vishing, has also increased. These trends highlight the ongoing and evolving nature of cybersecurity risks from phishing attacks.

Increasingly sophisticated phishing scams are an unfortunate reality of our digital world, posing a serious threat to personal and financial security. Fraudulent emails or websites appear legitimate but deceive victims into giving away sensitive information such as passwords, credit card numbers, and other details, which can be detrimental if malicious actors access them. Furthermore, these attacks often serve as entry points for malware distribution, which poses yet another risk to the victim’s device and data systems.
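The lookalike domains Tim Helming flagged in the Equifax piece above (equifaxbreechsettlement[.]com, equifaxbreachsettlementbreach[.]com, equifaxsettlements[.]co) and the phishing trend described here are the same problem seen from two ends, and both can be caught with the same check: does a domain in an email or a new registration feed imitate a name you care about? The script below is an added example, not code from KrebsOnSecurity, DomainTools or the original article. The allowlist and the brand token are assumptions for illustration, and it only handles simple "label.tld" names (no multi-part public suffixes such as .co.uk).

```python
"""Flag domains that imitate a legitimate one: typosquats, look-alike
characters, brand-plus-keyword names and TLD swaps.

Added example, not code from the original article. ALLOWLIST and BRAND are
assumptions for illustration; only 'label.tld' names are handled.
"""
import re

LEGIT = "equifaxbreachsettlement.com"
ALLOWLIST = {"equifaxbreachsettlement.com", "equifax.com"}   # assumed legitimate
BRAND = "equifax"

# Characters and pairs that look alike in common fonts; folded before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i"),
               ("3", "e"), ("5", "s")]


def refang(domain: str) -> str:
    """'https://www.Example[.]com/x' -> 'example.com'."""
    d = domain.strip().lower().replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^[a-z]+://", "", d)
    d = d.split("/")[0].rstrip(".")
    return d[4:] if d.startswith("www.") else d


def fold(label: str) -> str:
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split(domain: str):
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_reasons(candidate: str, legit: str = LEGIT, max_distance: int = 2) -> list:
    """Return the rules a candidate trips; an empty list means no concern."""
    cand = refang(candidate)
    if cand in ALLOWLIST:
        return []
    c_label, c_tld = split(cand)
    l_label, l_tld = split(refang(legit))
    reasons = []
    d = edit_distance(fold(c_label), fold(l_label))
    if d == 0 and c_tld != l_tld:
        reasons.append(f"same name as {l_label} on a different TLD (.{c_tld})")
    elif d == 0:
        reasons.append(f"look-alike characters for {l_label} (.{c_tld})")
    elif d <= max_distance:
        reasons.append(f"within {d} edit(s) of {l_label}")
    if l_label in c_label and c_label != l_label:
        reasons.append(f"embeds the legitimate name {l_label!r} in a longer label")
    if fold(BRAND) in fold(c_label):
        reasons.append(f"uses brand token {BRAND!r} outside the allowlist")
    return reasons


if __name__ == "__main__":
    for d in ["equifaxbreechsettlement[.]com", "equifaxbreachsettlementbreach[.]com",
              "equifaxsettlements[.]co", "equ1faxbreachsettlement.com", "myprepaidcenter.com"]:
        print(d, "->", lookalike_reasons(d) or "no concern")
```

In a mail gateway the same function runs over every domain extracted from links in the message body; in a brand-protection workflow it runs over newly registered domains, which is where defensive registration of the obvious variants (the step Equifax apparently skipped) pays for itself.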

Neglecting to Train Employees On Cybersecurity Best Practices

Neglecting to train employees on cybersecurity best practices is a mistake because it leaves individuals within an organization vulnerable to cyber attacks. Humans are often considered the weakest link in an organization’s cybersecurity defenses, as cybercriminals can easily trick or manipulate them using phishing or social engineering tactics. If employees are not trained to recognize and prevent these attacks, they may unwittingly put the organization’s data and systems at risk.

Employees who have not been trained may not know how to handle sensitive data properly or keep the organization's systems secure, which further increases its exposure to cyber attacks. Training employees on cybersecurity best practices is therefore an essential part of an organization's overall cybersecurity strategy.

Relying on Outdated Security Measures

The problem businesses faced with old, legacy AV solutions was that they detected malware files through signatures: at first a hash of the file, later tell-tale strings and byte patterns inside the binary, matched by rule languages such as YARA.

This approach proved to have several weaknesses. First, malware authors sidestepped signature-based detection simply by padding files with extra bytes, which changes the file's hash, or by encrypting or encoding the tell-tale strings so that a scanner reading the bytes on disk never sees them. Second, adversaries intent on stealing company data and IP, or inflicting damage through ransomware, were no longer just writing detectable malicious files to a victim's machine. Their tactics had evolved to include in-memory "fileless" attacks, abuse of built-in applications and processes ("living off the land"), phishing users for credentials to get into networks, and stealing compute with cryptominers. Legacy AV solutions had no way to deal with this new wave of tactics, techniques, and procedures.

Even today, a significant share of the market still relies on these products. Security teams can compare legacy AV solutions with more modern technology such as SentinelOne to understand the implications of relying on older security technologies.
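The two evasions described above are cheap enough to show in a few lines. The script below is an added example, not code from the original article and not a real signature or YARA rule; the "malware" is a constructed byte blob carrying two tell-tale strings. It scans that blob with a hash signature and a string signature, then pads it (defeating the hash) and XOR-encodes the strings the way a simple packer would (defeating the string rule), so that the bytes on disk match nothing even though the program would decode and use the same strings at run time.

```python
"""Why hash and string signatures are easy to sidestep.

Added example, not code from the original article. SAMPLE is a constructed
byte blob standing in for a malicious file; nothing here is a real malware
signature or YARA rule.
"""
import hashlib

# Constructed stand-in for a malicious binary with two tell-tale strings.
C2 = b"http://example-c2.invalid/gate"
CMD = b"vssadmin delete shadows"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 32 + C2 + b"\x00" * 8 + CMD + b"\x00" * 16


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature 1: the hash of a known-bad file (how early AV identified malware).
KNOWN_BAD_HASHES = {sha256(SAMPLE)}

# Signature 2: tell-tale strings, the idea behind a strings-only YARA rule.
STRING_RULE = {"name": "example_c2_beacon", "all_of": [C2, CMD]}


def hash_match(data: bytes) -> bool:
    return sha256(data) in KNOWN_BAD_HASHES


def string_match(data: bytes, rule=STRING_RULE) -> bool:
    return all(s in data for s in rule["all_of"])


def pad(data: bytes, n: int = 1) -> bytes:
    """Append bytes after the real content: changes the hash, not the behaviour."""
    return data + b"\x00" * n


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def obfuscate_strings(data: bytes, key: int = 0x37) -> bytes:
    """Store the tell-tale strings XOR-encoded, as a crude packer would. The
    program decodes them in memory at run time, so on disk they never match."""
    out = data
    for s in (C2, CMD):
        out = out.replace(s, xor_bytes(s, key))
    return out


def scan(data: bytes) -> dict:
    return {"hash": hash_match(data), "strings": string_match(data)}


def demo() -> dict:
    """Each step costs the attacker nothing and removes one detection."""
    return {
        "original":   scan(SAMPLE),
        "padded":     scan(pad(SAMPLE)),
        "obfuscated": scan(obfuscate_strings(pad(SAMPLE))),
    }


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant:11} hash={outcome['hash']!s:5} strings={outcome['strings']}")
```

The decoded strings still have to exist in memory for the program to use them, which is why in-memory scanning and behavioural detection took over from on-disk signatures; the block is a demonstration of the gap, not a recipe.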

No Identity Protection Implemented

Having no identity protection implemented is a problem for cybersecurity because it leaves individuals and organizations vulnerable to identity theft and other types of cyber attacks.

As the Cisco breach showed, compromising a single user can be enough to gain access to the entire network. With social networks, multi-tasking, and the evolution of devices around us, it makes sense for adversaries to keep investing in social engineering.

SentinelOne’s Singularity™ Identity platform solves this problem through:

  • Identity Threat Detection and Response: The identity suite delivers holistic prevention, detection, and response. It protects in real time against credential theft, privilege escalation, lateral movement, data cloaking, identity exposure, and more, supporting conditional access and zero trust cybersecurity.
  • Identity Attack Surface Management: Identity assessment tools provide instant Active Directory visibility of misconfigurations, suspicious password and account changes, credential exposures, unauthorized access, and more, enabling identity-focused attack surface reduction.
  • Identity Cyber Deception: The network and cloud-based deception suite lures attackers into revealing themselves. Through misdirection of the attack with tactics including breadcrumbs and decoy accounts, files and IPs, organizations gain the advantage of time to detect, analyze, and stop attackers and insider threats without impacting enterprise assets.

No Threat Hunting and Lack of Regular Monitoring for Security Breaches

Not conducting threat hunting and failing to regularly monitor for security breaches is a problem for cybersecurity because it can lead to undetected or unmitigated threats and attacks.

Organizations can adopt a security strategy that uses a range of tools and techniques to identify indicators of compromise (IOCs), such as unusual network traffic or suspicious user behavior, and investigates them to determine whether they represent a real threat.

This is required because:

  • No security measures are 100% effective, so it is important to have multiple layers of protection in place. By conducting threat hunting and regularly monitoring for security breaches, organizations can identify potential threats and attacks as soon as possible, allowing them to take action to prevent or minimize the damage.
  • Threat hunting will enable organizations to proactively search for signs of potential security breaches or attacks within their systems and networks. This can help them to identify new indicators of compromise that their existing security measures may not detect. Organizations can improve their security posture by conducting threat hunting and better protect themselves against potential threats.
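"Unusual network traffic" is abstract until you pick a pattern to hunt for. One of the most productive is beaconing: a compromised host checking in with its command-and-control server at near-constant intervals, which looks nothing like a person browsing. The script below is an added example, not code from the original article or from any product it mentions; the proxy log lines are constructed, and the field layout (src=, dst=, bytes=) is an assumption. It groups connections by source and destination, measures the gaps between them, and flags pairs whose gaps barely vary.

```python
"""Hunt for beaconing in proxy logs: a host that contacts the same destination
at near-constant intervals is a classic indicator of compromise.

Added example, not code from the original article. LOG_LINES are constructed;
the field layout (src=, dst=, bytes=) is an assumption.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: 10.0.0.5 checks in with 203.0.113.7 about once a minute,
# 10.0.0.9 browses 198.51.100.20 in bursts, 10.0.0.12 connects only twice.
LOG_LINES = """\
2022-12-01T09:00:00Z proxy src=10.0.0.5 dst=203.0.113.7 bytes=412
2022-12-01T09:00:07Z proxy src=10.0.0.9 dst=198.51.100.20 bytes=58210
2022-12-01T09:00:42Z proxy src=10.0.0.9 dst=198.51.100.20 bytes=1033
2022-12-01T09:01:00Z proxy src=10.0.0.5 dst=203.0.113.7 bytes=410
2022-12-01T09:02:01Z proxy src=10.0.0.5 dst=203.0.113.7 bytes=414
2022-12-01T09:03:00Z proxy src=10.0.0.5 dst=203.0.113.7 bytes=411
2022-12-01T09:03:15Z proxy src=10.0.0.9 dst=198.51.100.20 bytes=77019
2022-12-01T09:04:01Z proxy src=10.0.0.5 dst=203.0.113.7 bytes=409
2022-12-01T09:04:59Z proxy src=10.0.0.5 dst=203.0.113.7 bytes=413
2022-12-01T09:05:00Z proxy src=10.0.0.12 dst=203.0.113.7 bytes=400
2022-12-01T09:06:00Z proxy src=10.0.0.5 dst=203.0.113.7 bytes=412
2022-12-01T09:06:00Z proxy src=10.0.0.12 dst=203.0.113.7 bytes=400
2022-12-01T09:11:48Z proxy src=10.0.0.9 dst=198.51.100.20 bytes=2210
2022-12-01T09:12:02Z proxy src=10.0.0.9 dst=198.51.100.20 bytes=9900
2022-12-01T09:19:30Z proxy src=10.0.0.9 dst=198.51.100.20 bytes=311
2022-12-01T09:31:00Z proxy src=10.0.0.9 dst=198.51.100.20 bytes=120400
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) \S+ src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse(lines):
    """Yield (timestamp, src, dst, bytes); lines that do not fit are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_beacons(lines, min_events: int = 6, max_cv: float = 0.1) -> list:
    """Flag (src, dst) pairs whose inter-connection gaps barely vary.
    cv = stdev / mean of the gaps; human browsing is bursty, so its cv is high.
    min_events keeps two coincidental hits from raising an alert."""
    flows = defaultdict(list)
    for ts, src, dst, nbytes in parse(lines):
        flows[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_events:
            continue
        events.sort()                                    # logs arrive interleaved
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(events),
                         "mean_interval_s": mean, "cv": cv,
                         "mean_bytes": statistics.mean(b for _, b in events)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES.splitlines()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections every "
              f"~{hit['mean_interval_s']:.0f}s (cv {hit['cv']:.3f}, ~{hit['mean_bytes']:.0f} bytes)")
```

Real implants add jitter, so in production the threshold is tuned per environment and combined with other weak signals (small, uniform payload sizes, rare destinations, connections outside business hours) rather than used alone; a hit is a lead to investigate, not a verdict.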

Conclusion

Are we losing the war against cybercrime? While it is true that there are constantly new threats emerging and that it can be difficult to stay ahead of these threats, it is important to remember there is much that enterprises can do to mitigate the risk, to cut off easy avenues of attack, and to harden the organization’s cybersecurity defenses.

As we look into 2023, solving the cybersecurity challenge will be a combination of deploying the right product and having the right people, processes and procedures in place to minimize the risk.

Don’t stay behind – upgrade your defenses with leading solutions from SentinelOne.

Hacked Ring Cams Used to Record Swatting Victims

Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then “swatting” them — falsely reporting a violent incident at the target’s address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets’ homes, and to taunt authorities when they arrived.

Prosecutors in Los Angeles allege 20-year-old James Thomas Andrew McCarty, a.k.a. “Aspertaine,” of Charlotte, N.C., and Kya Christian Nelson, a.k.a. “ChumLul,” 22, of Racine, Wisc., conspired to hack into Yahoo email accounts belonging to victims in the United States. From there, the two allegedly would check how many of those Yahoo accounts were associated with Ring accounts, and then target people who used the same password for both accounts.

An indictment unsealed this week says that in the span of just one week in November 2020, McCarty and Nelson identified and swatted at least a dozen different victims across the country.

“The defendants then allegedly accessed without authorization the victims’ Ring devices and transmitted the audio and video from those devices on social media during the police response,” reads a statement from Martin Estrada, the U.S. Attorney for the Central District of California. “They also allegedly verbally taunted responding police officers and victims through the Ring devices during several of the incidents.”

The indictment charges that McCarty continued his swatting spree in 2021 from his hometown in Kayenta, Ariz., where he called in bomb threats or phony hostage situations on more than two dozen occasions.

The Telegram and Discord aliases allegedly used by McCarty — “Aspertaine” and “Couch,” among others — correspond to an identity that was active in certain channels dedicated to SIM-swapping, a crime that involves stealing wireless phone numbers and hijacking the online financial and social media accounts tied to those numbers.

Aspertaine bragged on Discord that he’d amassed more than $330,000 in virtual currency. On Telegram, the Aspertaine/Couch alias frequented several popular SIM-swapping channels, where they initially were active as a “holder” — a low-level but key SIM-swapping group member who agrees to hold stolen cryptocurrency after an account takeover is completed. Aspertaine later claimed more direct involvement in individual SIM-swapping attacks.

In September, KrebsOnSecurity broke the news about a wide-ranging federal investigation into “violence-as-a-service” offerings on Telegram and other social media networks, wherein people can settle scores by hiring total strangers to carry out physical attacks such as brickings, shootings, and firebombings at a target’s address.

The story observed that SIM swappers were especially enamored of these “IRL” or “In Real Life” violence services, which they frequently used to target one another in response to disagreements over how stolen money should be divided amongst themselves. And a number of Aspertaine’s peers on these SIM-swapping channels claimed they’d been ripped off after Aspertaine took more than a fair share from them.

On April 30, 2022, a member of a popular SIM-swapping group on Telegram who was slighted by Aspertaine put out the word that he was looking for some physical violence to be visited on McCarty’s address in North Carolina. “Anyone live near here and wants to [do] a job for me,” the job ad with McCarty’s home address read. “Jobs range from $1k-$50k. Payment in BTC [bitcoin].” It’s unclear if anyone responded to that job offer.

In May 2021, KrebsOnSecurity published The Wages of Password ReUse: Your Money or Your Life, which noted that when normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Whereas, when cybercriminals reuse passwords, it often costs them their freedom.

But perhaps that story should be updated, because it’s now clear that password reuse can also put you in mortal danger. Swatting attacks are dangerous, expensive hoaxes that sometimes end in tragedy.

In June 2021, an 18-year-old serial swatter from Tennessee was sentenced to five years in prison for his role in a fraudulent swatting attack that led to the death of a 60-year-old man.

In 2019, prosecutors handed down a 20-year sentence to Tyler Barriss, a then 26-year-old serial swatter from California who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas man.

McCarty was arrested last week and charged with conspiracy to intentionally access computers without authorization. Prosecutors said Nelson is currently incarcerated in Kentucky in connection with an unrelated investigation.

If convicted on the conspiracy charge, both defendants would face a statutory maximum penalty of five years in federal prison. The charge of intentionally accessing without authorization a computer carries a maximum possible sentence of five years. A conviction on the additional charge against Nelson — aggravated identity theft — carries a mandatory two-year consecutive sentence.