The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good

The latest dose of justice in the cyber threat landscape: U.S. authorities this week seized 48 internet domains selling “booter” and “stresser” services used by low-level hackers to launch powerful Distributed Denial of Service (DDoS) attacks. The DOJ has charged six individuals with computer crimes for their alleged involvement with these services.

DDoS attacks are designed to overwhelm websites with fake traffic until the intended target, ranging from individuals and websites to entire network providers, is eventually rendered offline. According to the DOJ, the services in this action reportedly attacked victims in both the U.S. and abroad, including government agencies, educational institutions, gaming platforms, and millions of individual users.

In an attempt to deflect legal liability, the booter websites had hidden behind lengthy terms and conditions which required customers to agree that the services would only be used for network stress-testing purposes. The DOJ, however, dismissed those claims, citing communications between site administrators and their customers as evidence of the intended malicious use.

Cybercrime-as-a-Service models have multiplied, and the number of DDoS attacks has climbed in recent years as a result. Booter services in particular have created a low barrier to entry to cybercrime. The seized domains allowed purchasers to choose the volume of fake traffic to be sent as well as the number and duration of the synchronized attacks that followed. Such services give non-technical users the ability to bombard essential services and critical infrastructure, draining their victims of time and money and causing reputational harm.

Law enforcement has responded with Operation PowerOff, an ongoing coordinated effort between agencies to dismantle DDoS-for-hire administrators and users. This week’s takedown preempts a new wave of DDoS attacks, as cyber criminals often favor the holiday season to launch them.

The Bad

The notorious LockBit ransomware group has claimed a cyberattack on the California Department of Finance this week. While LockBit’s leak site posits that they made off with several gigabytes’ worth of confidential data, databases, and both financial and IT documents, the California Office of Emergency Services (Cal OES) only confirmed the security intrusion and stated that “no state funds have been compromised”. Officials have given no further specifics except that state and federal security partners are working with threat hunting experts to continue the investigation.

The cyberattack on the Californian finance sector follows the DOJ’s recent arrest of accused LockBit threat actor Mikhail Vasiliev. The Russian-Canadian’s capture just last month was the result of a two-year FBI investigation into LockBit’s operations and related ransomware attacks on the U.S. and on organizations across several other countries.

LockBit has been described by the DOJ as “one of the most active and destructive ransomware variants in the world.” LockBit associates have, since their first appearance in early 2020, extracted tens of millions of dollars from at least 1000 victims in various countries.

Though LockBit’s claim of this week’s attack on the State of California was reportedly accompanied by screenshots of stolen files and a file directory, the ransomware group has been known to fake breaches.

Back in June, LockBit’s claims to have breached cybersecurity firm Mandiant were dismissed after the firm’s internal investigation found no evidence of a breach or of LockBit ransomware. What is now widely understood to be a PR stunt by LockBit shows that ransomware operators are going to extensive lengths to support their criminal operations, even using public relations plays to adapt and persist in an evolving threat landscape.

The Ugly

PyPI and NPM code repositories are under active attack by malware. This week, software supply chain firm Phylum reported a campaign targeting Python and JavaScript developers after it identified several suspicious packages impersonating the Python requests library. Through the use of fake modules and typosquatting, the campaign lures victims into downloading malicious code. PyPI is a prominent code repository for the Python programming language, hosting over 350,000 software packages, while its JavaScript counterpart, NPM, is the hub for more than one million such packages.

The cyber criminals behind the campaign have been reported to leverage typosquatting, a technique that delivers malware through packages named very similarly to legitimate ones. So far, the typosquatted Python packages are:

dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests

Typosquatted JavaScript modules in NPM have been identified as:

discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, discord-selfbot-v13, discord-all-intents-default, telnservrr. 

The typosquatted packages used in the campaign carry Golang binaries detected as malware. Once unsuspecting developers execute the binaries, the malware encrypts files in the background and replaces the device’s desktop background with an image impersonating the CIA that instructs the victim to pay for a decryption key.

Phylum notes that attacks have continued throughout this week and that a newer version of the attacker’s ransomware has been released since the initial discovery. This attack on PyPI and NPM is the latest in a string of software supply chain attacks this year and is a trend that is likely to continue into 2023.

Feature Spotlight | Announcing General Availability (GA) of Linux and K8s Agents v22.3 for Cloud Workload Security

SentinelOne is pleased to announce general availability of version 22.3 of our Linux and Kubernetes Cloud Workload Security (CWS) agents.

Our Linux and Kubernetes agents are specifically architected for the unique needs of cloud workloads. They operate entirely in user space, using eBPF (Extended Berkeley Packet Filter) probes for visibility into the kernel. This avoids the kernel dependencies of alternative solutions built on kernel modules, which needlessly complicate deployment, impede agility, and routinely cause downtime and loss of business continuity.

eBPF is a powerful framework for the monitoring of traffic at the kernel level without the complication of kernel modules. As such, eBPF can be used to collect cloud workload telemetry and feed it to an XDR system for real-time detection of suspicious or malicious activity. This is precisely the SentinelOne approach for cloud workload security, which in turn is augmented by machine-speed response capabilities within the Singularity XDR Platform.

From an architectural perspective, an eBPF-based agent is more stable, scalable, and performant than one that relies on kernel modules. DevOps teams are therefore free to innovate quickly, updating host OS images when they see fit and without fear of conflict between an agent version and a particular Linux distribution/version combination.

Moreover, we have made a number of advancements that further enhance performance and detections, including:

  • Resource efficiency gains
  • Crypto mining detections
  • Detection of local privilege escalation
  • Detection of ransomware encryption

Outstanding Performance With Half the Resources

For any SentinelOne customers still running Linux or K8s agent v21.x, the resource efficiency gains alone are compelling reasons to upgrade your cloud workload protection agent to v22.1 or higher. We’ve been working with some forward-leaning customers, taking their feedback and further extending our resource efficiency. As a result, v22.1 (and higher) improves performance in two dimensions compared to version 21.x: 40-50% improvement in memory usage, and 40-50% improvement in CPU usage.

We would be remiss if we did not take the opportunity to thank those customers for taking this journey with us. Together, we achieved these results without sacrificing a single inch of detection performance. In fact, quite the opposite: we raised the bar on Linux detections.

The resource efficiency story is even more compelling for Kubernetes customers. A single, specialized Singularity Cloud Workload Security for Kubernetes agent protects the host OS of the K8s worker node, all its pods, and all their containers. It does so with no container sidecar or usage of kernel modules, and with complete visibility into and runtime security for Kubernetes workloads. This architectural approach is very compelling for digital natives running workloads at scale.

As a representative example, if a typical sidecar agent takes 128 MB of memory per container, and each worker node has, on average, 30 containers, then the overhead of a sidecar architecture amounts to nearly 4 GB of additional memory per worker node. Multiply that by the number of worker nodes in each K8s cluster, and then again by the number of clusters running workloads across your DEV and PROD cloud accounts, and the operational overhead that the customer pays quickly stacks up. In stark contrast, SentinelOne provides industry-leading performance with half that memory and CPU.

Customers have done the napkin math themselves and drawn their own conclusions. We even have a business value calculator which takes this into account, to help our prospective customers build their own business case specific to their needs, and to share with their upper management because securing limited budget dollars in the current economic context requires rigorous cash flow analysis.

Enhanced Detection and Protection

Operational efficiency matters, but the primary job of a runtime agent is workload protection. To borrow from an F1 racing analogy, this is truly where “the rubber meets the road.” The Linux agent v22.3 brings enhanced detections of cryptomining earlier in the chain, local privilege escalation, and ransomware. These gains extend our performance leadership as evidenced by the MITRE ATT&CK benchmark testing, which for the last two years has included Linux.

Cryptomining Detections

Cryptomining malware is a nuisance and a financial drain, quietly siphoning off costly compute cycles from workloads. We have made further advancements in Singularity Cloud Workload Security’s ability to detect cryptomining malware. We detect the invocation of cryptominers associated with known suspicious wallets and/or URLs.

With v22.3, we detect cryptominer setup activity before mining even begins. By detecting the configuration and preparation activities, the SentinelOne agent stops cryptomining before it hits the organization’s cloud bill and bogs down workload operations.

Local Privilege Escalation

The SentinelOne Linux v22.3 agent also alerts on suspicious attempts to escalate local privilege via a SUID binary exploit.

Ransomware

We’ve seen an increase in ransomware attempts targeting cloud infrastructure, implementing new techniques and methods to compromise workloads. To address this, we have enhanced our ransomware detection, identifying file encryption activity via common Linux utilities such as OpenSSL. Ransomware attacks on cloud workloads represent a potentially devastating risk to businesses that rely upon the integrity and availability of their workloads.
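The three detection classes described in the sections above (cryptominer invocation tied to known wallets or pool URLs, privilege escalation through a SUID binary, and file encryption via OpenSSL) can be illustrated as rules over a stream of process-exec events, the kind an eBPF execve probe emits. The code below is an added example and is not SentinelOne’s agent logic: the event format, the wallet watchlist, the expected-SUID allowlist, the 60-second window and the five-file threshold are all assumptions, and the sample events are constructed.

```python
import os
import re
from collections import defaultdict, deque

# Constructed indicators. Assumption: a real agent carries curated lists of
# mining pools and wallet addresses; this placeholder is not a real address.
WALLET_WATCHLIST = {"4EXAMPLEWALLETADDRESSPLACEHOLDER"}
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d+")

# SUID-root binaries that legitimately give an unprivileged user euid 0.
# Assumption: maintained per distribution/image; anything else running
# with euid 0 on behalf of a non-root uid is treated as escalation.
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/newgrp"}

ENC_WINDOW_SECONDS = 60   # sliding window for counting encryptions per session
ENC_THRESHOLD = 5         # distinct input files in the window before alerting


def _event(ts, pid, ppid, uid, euid, exe, argv):
    return {"ts": ts, "pid": pid, "ppid": ppid, "uid": uid,
            "euid": euid, "exe": exe, "argv": argv}


# Constructed sample of time-ordered exec events (timestamps in seconds).
SAMPLE_EVENTS = [
    _event(0, 100, 1, 1000, 1000, "/usr/bin/python3", ["python3", "app.py"]),
    # miner masquerading as a kernel thread name, pool URL and wallet on argv
    _event(1, 101, 1, 1000, 1000, "/tmp/.x/kswapd0",
           ["kswapd0", "-o", "stratum+tcp://pool.example.invalid:3333",
            "-u", "4EXAMPLEWALLETADDRESSPLACEHOLDER"]),
    _event(5, 102, 90, 1000, 0, "/usr/bin/sudo", ["sudo", "ls"]),   # expected
    _event(6, 103, 95, 1000, 0, "/bin/sh", ["sh", "-p"]),           # not expected
] + [
    # six files encrypted in six seconds by one session (uid 33, parent 97)
    _event(10 + i, 104 + i, 97, 33, 33, "/usr/bin/openssl",
           ["openssl", "enc", "-aes-256-cbc", "-in", f"/var/www/html/page{i}.php",
            "-out", f"/var/www/html/page{i}.php.enc", "-pass", "file:/tmp/k"])
    for i in range(6)
] + [
    # a single, isolated encryption much later: below threshold
    _event(200, 120, 1, 1000, 1000, "/usr/bin/openssl",
           ["openssl", "enc", "-aes-256-cbc", "-in", "/home/dev/backup.tar",
            "-out", "/home/dev/backup.tar.enc"]),
]


def openssl_enc_input(ev):
    """Return the '-in' path if the event is an 'openssl enc' invocation, else None."""
    argv = ev["argv"]
    if os.path.basename(ev["exe"]) != "openssl" or "enc" not in argv[:2]:
        return None
    if "-in" in argv:
        i = argv.index("-in")
        if i + 1 < len(argv):
            return argv[i + 1]
    return None


def detect(events):
    """Apply the three rules to a time-ordered list of exec events; return alerts."""
    alerts = []
    enc_sessions = defaultdict(deque)   # (uid, ppid) -> recent (ts, input_path)
    enc_alerted = set()                 # sessions already reported
    for ev in events:
        cmdline = " ".join(ev["argv"])
        # 1. cryptominer invocation: pool URL or watchlisted wallet on the command line
        if STRATUM_URL.search(cmdline) or any(w in cmdline for w in WALLET_WATCHLIST):
            alerts.append({"rule": "cryptominer", "pid": ev["pid"], "detail": cmdline})
        # 2. privilege escalation: effective root for a non-root uid outside the expected SUID set
        if ev["euid"] == 0 and ev["uid"] != 0 and ev["exe"] not in EXPECTED_SUID:
            alerts.append({"rule": "suid-privesc", "pid": ev["pid"], "detail": ev["exe"]})
        # 3. bulk encryption: many distinct files fed to 'openssl enc' by one session
        path = openssl_enc_input(ev)
        if path is not None:
            session = (ev["uid"], ev["ppid"])
            window = enc_sessions[session]
            window.append((ev["ts"], path))
            while window and ev["ts"] - window[0][0] > ENC_WINDOW_SECONDS:
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) >= ENC_THRESHOLD and session not in enc_alerted:
                enc_alerted.add(session)
                alerts.append({"rule": "bulk-encryption", "pid": ev["pid"],
                               "detail": f"{len(distinct)} files in {ENC_WINDOW_SECONDS}s by uid {ev['uid']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The privilege-escalation rule keys on the uid/euid mismatch rather than on any particular exploit, so a shell that ends up with euid 0 for an ordinary user is reported regardless of which SUID binary got it there, while `sudo` on the allowlist stays quiet; the encryption rule counts distinct input files per session so that one legitimate `openssl enc` of a backup does not trip it.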

SentinelOne K8s Agent Now Supports Graviton-backed Amazon EC2

The SentinelOne Kubernetes agent now supports the AWS Graviton-based EC2 instances. Our Linux agent achieved the AWS Graviton Ready Service Designation back in July 2022. Extending that support to Kubernetes clusters was a logical next step. The arm64 architecture of Graviton brings with it some compelling efficiency gains which make it very attractive to compute-intensive workloads. Singularity Cloud Workload Security for Kubernetes stands ready to deliver runtime workload protection to your Graviton-based clusters.

Conclusion

The SentinelOne eBPF-powered CWS agent is architected for the unique needs of cloud infrastructure. Because it operates entirely in user space, it eliminates kernel dependency hassles, simplifying deployment and maintenance while delivering complete runtime visibility and security across the hybrid cloud enterprise. Moreover, DevOps can update their host OS image without fear of agent conflict, so business agility is supported, not impeded.

To learn more, visit the Singularity Cloud Workload Security for Server/VMs or Kubernetes product page. There, you can find customer case studies, product information, and much more. If you are an existing CWPP customer, please contact your SentinelOne account team to discuss a planned upgrade to the latest version of the Singularity agent.


SentinelOne’s Cybersecurity Predictions 2023 | What’s Next?

2022 was a sobering year for us all. Riding on the back of the COVID pandemic of the previous two years, we entered a new reality with war returning to Europe in a way not seen since 1945. And yet along with tanks, missiles, and the targeting of civilians and civilian infrastructure came a new battlefront: cyber warfare with wipers being used to hit targets inside and outside the physical battleground.

Meanwhile, new attack surfaces came to the fore, as cybercriminals began to understand how to exploit identity for access and cloud workloads for assets, privilege escalation and lateral movement.

It’s not been all bad. Evolving security technologies like XDR are helping organizations to fill the gaps in visibility, join the dots in defense, and hunt for hidden threats in the enterprise. Law enforcement at home and abroad has been capturing and incarcerating more cybercriminals than ever before, while also closing the doors on some of the darknet’s worst illicit markets.

But defenders are still playing catch up, a point not lost on our experts who, below, offer their predictions for what we can expect in cybersecurity 2023. Our predictions last year weren’t far off the mark, so as we look forward to another year in the trenches of cybersecurity, here’s what our researchers and thought leaders see in their crystal balls.

Driving Painful Lessons Home

2022 has been a year of painful lessons precisely because the most intense threats weren’t technically advanced or mind-bending feats of cyber wizardry. Instead, they were mundane, pragmatic, and wildly successful. This year was largely populated by asymmetrical threat actors – hacktivists of all stripes, youthful petty criminals, and an increasingly fragmented ransomware ecosystem.

Infosec dark humor held that ransomware groups were ‘technical debt collectors’ – attaching an eye-watering price tag to unpatched systems, misconfigurations, and generally underserved networks. It seems that we collectively underestimated the true depth and breadth of that technical debt as a wider swath of lower-tier threat actors show us the results of living on a diet of fruit so low-hanging as to have rotted on the pavement.

Cells of youthful SIM swappers and source code hoarders, best referred to as ‘disorganized crime’, have successfully hacked their way across scores of noteworthy, well-resourced companies. They’ve embraced a pragmatic approach to operations – abusing the nebulous web of dubious ‘trusted’ parties that serve the customer-facing requirements of larger corporations. Whether through social engineering, stolen and borrowed credentials, or the financially-motivated short-run insider, attackers have enjoyed all that excessive privileges across unsegmented service VPNs can net them.

The cumulative effect? A near endemic failure of SMS 2FA as a security measure. As we enter 2023, we need to accept that hardware multi-factor authentication, short lived sessions, and severely curtailed account privileges aren’t nice-to-have paranoid bells and whistles. They are now the entry threshold of the aspirational standard of corporate security.

The ransomware ecosystem continues to shift, experiment, and fracture. The most notable incident is the ‘Conti Rica’ affair, where a ransomware group held an entire government for ransom. In 2023, our tracking will have to become more granular – moving away from the notion of monolithic ransomware cartels to acknowledge the prevalence of smaller affiliate groups (often engaged with multiple RaaS brands).

Perhaps at that level of observability, we’ll be quicker to note attempts to use ransomware as a flimsy cover for nation-state activity – as in the case of Iran ‘ransoming’ Albanian governmental institutions. This last facet jives with the abuse of an increasingly populated field of hacktivists (of varying degrees of authenticity) emerging to represent different sides of hot conflicts and societal tensions via overrated DDoSes and underrated hack-and-leak ops whose long-term effects are entirely unforeseeable.

The cybersecurity industry enjoys cutting its teeth on advanced threats and sophisticated techniques that challenge the collective braintrust to find new solutions. But 2022 has forced us to pay attention to the state of disrepair of our networked fabric. Without a sizable, conscientious collective effort, we should brace ourselves for a 2023 that drives those painful lessons well beyond our tolerance.
Juan Andres Guerrero-Saade, Sr. Director of SentinelLabs

Cybersecurity Only Works When “It Just Works”

2022 has been a year where, compared to previous years, the cybersecurity market has adapted not just to the threat landscape but perhaps more strongly to how security teams want to use cyber-security products. This is something I expect to see much more of in 2023.

Consolidation, But Not At All Costs

The sheer number of cyber-security products covering different surfaces and use cases means that customers are looking to consolidate when and where possible. With that said, there are many sides to consolidation – security teams will not be satisfied with just “buying more products from the same vendor vs multiple vendors” or “pushing everything to one data-lake” – they will demand holistic workflows, unified agents and cross-product synergies that actually deliver value that is greater than the sum of its parts when consolidating around a platform as opposed to endless point solutions.

Demand for More Vendor Collaboration

As much as we expect consolidation, customers will always end up using more than one vendor. We’re already seeing security teams demand more integration and more value from the collaborations between vendors. Gone are the days when a “technological alliance” could mean little more than a shared video. In 2023 this will range from a demand for integration across more types of use-cases and standardization of data models to a very legitimate expectation that every new vendor will not only provide value on its own but also help extract more value from the existing products in the security stack.

Data Retention Needs to Be Simpler, More Affordable

Despite sounding like an oxymoron – it actually makes a lot of sense. There’s no argument about the importance of data. Between compliance regulations, low-and-slow attacks and the overall increase in analyst skill-level – most customers can and need to do more with security data.

The historical price and complexity of facilitating that is where change is going to come. SOCs will start looking for alternative solutions for Analytics and Data Storage that make more sense in terms of cost, scale, performance and ease-of-use. They’ll be looking for improvements across the board – from “How we get the data in” to “How we can access historical data”, “How fragmented the data will be” and ultimately “How much does it cost”.
Yonni Shelmerdine, VP Products, SentinelOne

No One Gets to Opt Out of Cybersecurity in 2023

If there is one thing that we learned from 2022, it is that no one is immune from cyber threats. We’ve seen many breaches in 2022 – Lapsus$ alone breached Okta, Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, and Uber. It’s hard to believe that behind these breaches, there were no well-sponsored nation-states or global cybercrime syndicates but (allegedly) a group of young hackers who met online and collaborated, not even financially motivated.

This creates a new paradigm to think about. I am not a fan of zero trust, as it is tough for organizations to implement and leaves cracks for adversaries to exploit, but trusting no one makes more sense when you look at 2022. So what should we expect in 2023? There are a few moving parts to consider.

Cost Will Be a Driving Force

The economic turmoil will pressure enterprises and organizations to save on costs and be more effective. As a result, expect more consolidation of pinpoint tools and teams and more utilization of growth and efficacy enablers like moving to the cloud.

Prediction: With less security budget, efficiency-driven products will thrive. Cost will become the main consideration for cybersecurity programs.

Attacks Will Be Bigger, Louder, Faster

The attacks we’ve seen in 2022 are more significant than those we witnessed in 2021. This is not just a trend; the reasons remain: Vulnerable products (led by Microsoft as an operating system provider and a security vendor), the means of communication, and the speed it takes a zero-day to become an exploit.

Prediction: More organizations will be breached, more critical infrastructure will be impacted, and the cybercrime economy will continue to thrive.

We Are Entering A Golden Era of Social Engineering

As we’ve seen in the Cisco breach, it’s enough to compromise a user to gain access to the entire network. With social networks, multi-tasking, and the evolution of devices around us, it just makes sense for adversaries to keep investing in social engineering.

Prediction: Phishing is a problem that is not solved and will continue to be a leading factor in compromising identities.
Migo Kedem, VP Growth, SentinelOne

The Disruptors Are Here, And They Aren’t Going Away

2022 has been the year of disruption by non-traditional threat actors. Teenagers exploited flaws in the way the traditional cybersecurity establishment thinks. Advances in computing power and AI will transform the effectiveness of social engineering, fraud, and active measures (information/influence operations). As governments try to get a handle on asymmetric threats, new ways of attacking the global problem will have to be used.

Deep Fakes Will Enhance Social Engineering

As we get better at defending the endpoints, threat actors will need to up their game in order to penetrate harder targets. Social engineering remains a popular vector of attack, especially as workforces continue to remain decentralized and remote. Increases in computing power and availability of AI/ML engines will accelerate the effectiveness and authenticity of social engineering attacks through audio and video.

Increased Targeting of Vaccine R&D by China

The unthinkable has happened in China – widespread dissent that is becoming more vocal and violent. Aggressive lockdowns have not made the expected impact on the spread of COVID, and the Chinese vaccines are significantly less effective than international options. For President Xi Jinping, an attractive option is to enhance the efficacy of their vaccines through more aggressive theft of R&D and medical intellectual property.

Lapsus$ Shows Flaws in Adult Thinking

Migo Kedem laid out the impact of Lapsus$ and the disruption they caused. This was a group of 16-21 year olds who outthought and outwitted some of the most sophisticated cybersecurity defenses and professionals in the world. How? Because it doesn’t matter how we look at the problem. It only matters how our adversaries look at the problem. Expect more attacks and disruption by younger threat actors who refuse to limit their thinking to the proverbial way of doing business.

Retasking of Intelligence Priorities

According to testimony before Congress during hearings on the SolarWinds compromise, it was estimated that at least one thousand engineers and intelligence officers were involved in the design and execution of the operation. And yet there is no evidence any intelligence agency outside of Russia was able to discover this long-term campaign.

This is a glaring failure of intelligence that has become increasingly technically focused. To stop major intelligence operations, we have to develop robust HUMINT – human intelligence. And that can only come from more aggressive recruitment of agents in targeted sections of adversarial intelligence organizations. There will be retasking of intelligence priorities to identify earlier, and disrupt more aggressively, long-term operations against nations and critical infrastructure.
Morgan Wright, Chief Security Advisor, SentinelOne

No More Hiding Behind Our Macs

Indicators of what we might expect in 2023 can be read in the tea leaves of our roundup of macOS threats in 2022. The year just ending saw something rare in the macOS threat landscape become common: the inclusion of Mac payloads in numerous cross-platform attack frameworks. While this wasn’t entirely unheard of in the past, it was not the norm, and Mac payloads were generally poorly written, unreliable and, frankly, unsuccessful.

What’s changed is the increasing popularity of two things: performant and stable cross-platform languages like Go, Kotlin and Rust, and Mac devices in the enterprise. The first makes it easier for threat actors to write Mac-compatible malware; the second gives them the motivation to get better at it.

Another trend that gathered pace in 2022 was the number of reported CVEs for macOS devices, many of which allow privilege escalation and some the ability to execute kernel code from user land processes. While a transparent bug reporting ecosystem is a good thing and long overdue regarding Apple operating systems, it has consequences for those that patch little, and patch late.

Threat actors, with or without the help of security researcher write-ups and PoCs, will increasingly pay attention to exploiting reported bugs (aka N-days) on enterprise users that fail to patch. It’s not for nothing that Apple has become more aggressive in trying to force enterprises to update within 90 days.

In 2023, expect to see threat actors target macOS more successfully with cross-platform malware and to expend more effort on finding windows of opportunity to compromise unpatched Macs with known bugs. More supply chain attacks on developers and shared repositories are also likely to feature in 2023.

Deploying a native Mac security solution is the default first step to combating the increased attention of threat actors on high-interest targets like developers and senior management in 2023. Enterprises that defer upgrades and minor updates need to pay particular attention to risk assessment and their overall macOS security posture.
Phil Stokes, macOS Threat Researcher, SentinelLabs

Conclusion

Threat actors have become collaborative enough, and malicious software and techniques available enough, to bring us to a point where attackers are now platform and technology agnostic. Where there is a weakness, there is a way.

And yet, while 2023 will undoubtedly hold surprises none of us could predict, it’s a fair bet that organizations that cover their bases, kill off the low-hanging fruit, and implement coverage across cloud, identity and endpoint will be safer than those that do not. The future is opaque to us all, but in cybersecurity we can’t afford to trust to luck.

Microsoft Patch Tuesday, December 2022 Edition

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.

The security updates include patches for Azure, Microsoft Edge, Office, SharePoint Server, SysInternals, and the .NET framework. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.

The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.

“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros,” said Greg Wiseman, product manager at security firm Rapid7. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.

Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.

Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.

Kevin Breen at Immersive Labs said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.

“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”

Speaking of malicious documents, Trend Micro’s Zero Day Initiative highlights CVE-2022-44713, a spoofing vulnerability in Outlook for Mac.

“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s Dustin Childs wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”

Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, Sophos, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group Cuba, which has extorted an estimated $60 million from victims since 2019.

Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, Apple released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.

Anyone responsible for maintaining Fortinet or Citrix remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.

For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Six Charged in Mass Takedown of DDoS-for-Hire Sites

The U.S. Department of Justice (DOJ) today seized four-dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed to knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.

The booter service OrphicSecurityTeam[.]com was one of the 48 DDoS-for-hire domains seized by the Justice Department this week.

The DOJ said the 48 domains it seized helped paying customers launch millions of digital sieges capable of knocking Web sites and even entire network providers offline.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Prosecutors in Los Angeles say the booter sites supremesecurityteam[.]com and royalstresser[.]com were the brainchild of Jeremiah Sam Evans Miller, a.k.a. “John the Dev,” a 23-year-old from San Antonio, Texas. Miller was charged this week with conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). The complaint against Miller alleges Royalstresser launched nearly 200,000 DDoS attacks between November 2021 and February 2022.

Defendant Angel Manuel Colon Jr., a.k.a Anonghost720 and Anonghost1337, is a 37-year-old from Belleview, Fla. Colon is suspected of running the booter service securityteam[.]io. He was also charged with conspiracy and CFAA violations. The feds say the SecurityTeam stresser service conducted 1.3 million attacks between 2018 and 2022, and attracted some 50,000 registered users.

Charged with conspiracy were Corey Anthony Palmer, 22, of Lauderhill, Fla., for his alleged ownership of booter[.]sx; and Shamar Shattock, 19, of Margate, Fla., for allegedly operating the booter service astrostress[.]com, which had more than 30,000 users and blasted out some 700,000 attacks.

Two other alleged booter site operators were charged in Alaska. John M. Dobbs, 32, of Honolulu, HI is charged with aiding and abetting violations of the CFAA related to the operation of IPStresser[.]com, which he allegedly ran for nearly 13 years until last month. During that time, IPstresser launched approximately 30 million DDoS attacks and garnered more than two million registered users.

Joshua Laing, 32, of Liverpool, NY, also was charged with CFAA infractions tied to his alleged ownership of the booter service TrueSecurityServices[.]io, which prosecutors say had 18,000 users and conducted over 1.2 million attacks between 2018 and 2022.

Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

Dobbs, the alleged administrator of IPStresser, gave an interview to ZDNet France in 2015, in which he asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks.

“None of these sites ever required the FBI to confirm that it owned, operated, or had any property right to the computer that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose),” reads an affidavit (PDF) filed by Elliott Peterson, a special agent in the FBI’s Anchorage field office.

“Analysis of data related to the FBI-initiated attacks revealed that the attacks launched by the SUBJECT DOMAINS involved the extensive misuse of third-party services,” Peterson continued. “All of the tested services offered ‘amplification’ attacks, where the attack traffic is amplified through unwitting third-party servers in order to increase the overall attack size, and to shift the financial burden of generating and transmitting all of that data away from the booter site administrator(s) and onto third parties.”
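As an added illustration (not from the article or the affidavit it quotes), the Python below shows how a network operator could spot one of their own UDP services being abused as a reflector from flow records: it pairs request and reply flows per (server, client, port) and flags pairs whose reply volume dwarfs the request volume, which is what an amplified attack looks like from the reflector's side. The flow layout, port list, thresholds and addresses are constructed assumptions.

```python
"""Flag likely reflection/amplification abuse in constructed flow records.

Added example, not code from the article. The Flow layout mimics a
generic NetFlow-style export; field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (assumed list for the example).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed sample: spoofed NTP queries "from" a victim hit the local NTP
# server, which answers with far larger packets; plus benign DNS and TCP.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 40000, "192.0.2.10", 123, "udp", 500, 30000),
    Flow("192.0.2.10", 123, "203.0.113.7", 40000, "udp", 500, 600000),
    Flow("198.51.100.22", 51000, "192.0.2.53", 53, "udp", 40, 2800),
    Flow("192.0.2.53", 53, "198.51.100.22", 51000, "udp", 40, 5600),
    Flow("198.51.100.9", 52000, "192.0.2.10", 123, "udp", 3, 180),
    Flow("192.0.2.10", 123, "198.51.100.9", 52000, "udp", 3, 3600),
    Flow("198.51.100.22", 51001, "192.0.2.80", 443, "tcp", 10, 5000),
]


def find_reflector_abuse(flows, min_ratio=10.0, min_requests=20):
    """Return findings, one per (reflector, victim, service) pair.

    Requests are flows whose destination port is a reflector service; replies
    are flows whose source port is. The "victim" is the client address, which
    in an amplification attack is the spoofed address receiving the replies.
    Pairs with too few requests are ignored to avoid flagging one-off lookups.
    """
    requests = defaultdict(lambda: [0, 0])   # key -> [packets, bytes]
    replies = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport in REFLECTOR_PORTS:
            key, bucket = (f.dst, f.src, f.dport), requests
        elif f.sport in REFLECTOR_PORTS:
            key, bucket = (f.src, f.dst, f.sport), replies
        else:
            continue
        bucket[key][0] += f.packets
        bucket[key][1] += f.bytes

    findings = []
    for (server, client, port), (req_pkts, req_bytes) in requests.items():
        rep_pkts, rep_bytes = replies.get((server, client, port), (0, 0))
        if req_pkts < min_requests or req_bytes == 0:
            continue
        ratio = rep_bytes / req_bytes
        if ratio >= min_ratio:
            findings.append({
                "reflector": server,
                "victim": client,
                "service": REFLECTOR_PORTS[port],
                "requests": req_pkts,
                "reply_packets": rep_pkts,
                "amplification": round(ratio, 2),
            })
    # Largest amplification first so the worst abuse is at the top.
    return sorted(findings, key=lambda f: f["amplification"], reverse=True)


if __name__ == "__main__":
    for finding in find_reflector_abuse(SAMPLE_FLOWS):
        print(finding)
```

On a real export the same logic runs over the collector's flow records; the operator's response is to rate-limit or disable the abused service (for example NTP monlist) rather than to act on the spoofed client address, which belongs to the victim.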

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The charges unsealed today stemmed from investigations launched by the FBI’s field offices in Los Angeles and Alaska, which spent months purchasing and testing attack services offered by the booter sites.

A similar investigation initiating from the FBI’s Alaska field office in 2018 culminated in a takedown and arrest operation that targeted 15 DDoS-for-hire sites, as well as three booter store defendants who later pleaded guilty.

The Justice Department says it’s trying to impress upon people that even buying attacks from DDoS-for-hire services can land Internet users in legal jeopardy.

“Whether a criminal launches an attack independently or pays a skilled contractor to carry one out, the FBI will work with victims and use the considerable tools at our disposal to identify the person or group responsible,” said Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office.

“Potential users and administrators should think twice before buying or selling these illegal services,” said Special Agent Antony Jung of the FBI Anchorage field office. “The FBI and our international law enforcement partners continue to intensify efforts in combatting DDoS attacks, which will have serious consequences for offenders.”

The United Kingdom, which has been battling its fair share of domestic booter bosses, in 2020 started running online ads aimed at young people who search the Web for booter services. And in Europe, prosecutors have even gone after booter customers.

In conjunction with today’s law enforcement action, the FBI and the Netherlands Police joined authorities in the U.K. in announcing they are now running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

“The purpose of the ads is to deter potential cyber criminals searching for DDoS services in the United States and around the globe, as well as to educate the public on the illegality of DDoS activities,” the DOJ said in a press release.

Here is the full list of booter site domains seized (or in the process of being seized) by the DOJ:


SentinelOne Recognized Across CRN’s 2022 Products Of The Year

It’s an exciting time for SentinelOne as we celebrate being named a WINNER in CRN’s 2022 Products of the Year. The award recognizes the industry’s top partner-friendly technology products and solutions, and we are honored to lead the pack. Our Singularity XDR platform was named a winner of the Managed Detection and Response category, and Singularity for Endpoint was named a winner in the Endpoint Protection category. With today’s cyberattackers moving faster than ever, Singularity XDR is the only cybersecurity platform empowering modern enterprises to take autonomous, real-time action with greater visibility of their dynamic attack surface and cross-platform security analytics.

At SentinelOne, our mission is to provide the most advanced and effective protection on the market. Our Singularity XDR platform unifies and extends detection and response capability across multiple security layers, providing security teams with centralized end-to-end enterprise visibility, powerful analytics, and automated response across the complete technology stack.

A core part of our Singularity XDR platform, Singularity for Endpoint, provides a flexible and robust solution to prevent, detect and respond to secure every endpoint, no matter where it is located across the globe. With Singularity XDR, we help turn disparate event data into an understandable story at machine speed – enabling enterprises to benefit from the automation, scale, and speed that we’re bringing to the XDR era.

In addition to our Singularity XDR platform, our 24/7/365 award-winning Managed Detection and Response (MDR) service, Vigilance, works for you to deliver a personalized approach to managing your security posture. Designed to supplement our endpoint security SaaS offerings, Vigilance MDR is the human side to our Singularity XDR platform – augmenting customer security organizations to provide a second set of eyes on the SentinelOne deployment and appropriate responses to contain threats.

Our mission is to enable enterprises to do more than ever through automation, data analytics, and machine speed XDR. By constantly innovating our products to stay one step ahead of the ever-evolving threat landscape, we help provide extended protection from the endpoint to beyond – with unfettered visibility, proven protection, and unparalleled response.

If you’re interested in learning more about SentinelOne and how our Singularity XDR Platform can help you stand out from the crowd, reach out to schedule your personalized demo and take advantage of the future of autonomous cybersecurity.

Building Blocks For Your XDR Journey, Part 4 | The Value of Security Data 

Welcome to Part 4 of our multi-part XDR (eXtended Detection and Response) blog series. If you haven’t read the earlier posts in this series yet, we recommend checking out the following:

  • Part 1 discusses why organizations need to extend protection beyond the endpoint to stay ahead of adversaries.
  • Part 2 discusses why Endpoint Detection and Response (EDR) is a foundation and a cornerstone for any XDR strategy.
  • Part 3 discusses why identity security is a cornerstone of an XDR strategy.

In this post, we discuss the importance and value of security data for detection and investigation.

Challenges With Security Data Visibility

In today’s landscape of increasingly sophisticated cyber threats, organizations must be able to effectively operationalize the data housed in their cybersecurity tools to maintain visibility across their networks.

However, many organizations struggle with this because of cybersecurity tool sprawl and point products that do not integrate well, leading to inefficiencies in visibility, detection, investigation, and hunting. An ESG study found that 66% of customers surveyed admit that “if you keep your data in multiple silos, you’re guaranteed to lack visibility and miss critical detections.”

As a result, many organizations lack the visibility they need to defend against cyber attacks. Cross-stack visibility of security data is a cornerstone of any effective cyber defense strategy, and organizations that can’t achieve it are at a disadvantage. To address this issue, organizations must focus on consolidating their tools and integrating their data, enabling teams to operationalize their tools more effectively and gain the visibility they need to protect their information assets.

Why Legacy Tools Have Failed

SIEMs have been on the market for over a decade now, and they are still failing to meet the needs of organizations when it comes to detection and response. The problem is that SIEMs are designed to be reactive, not proactive. They rely on SOC teams to manually sift through data and look for patterns of malicious activity – a time-consuming and error-prone process that often leads to false positives or late detections. Additionally, SIEMs have very little automation, so they cannot keep up with the rapidly changing landscape of cybersecurity threats.

The security information and event management (SIEM) model is meant to be the one-stop, universal answer to reducing mean time to detect and respond. However, SIEM, with its reliance on indexed architectures and on-premises infrastructure, is not a panacea.

Indexed architectures, while suitable for performing simple queries, struggle to keep up with the increasing volume and complexity of security logs. As a result, they often require lengthy search times and may not provide complete coverage of log types. On-premises infrastructure also brings with it concerns regarding scalability, as well as the need for physical space and maintenance resources.

The limitations of these traditional models have led many organizations to embrace modern cloud-native logging solutions. These options offer increased flexibility and scalability, allowing for rapid expansion during times of growth or additional monitoring needs. They also eliminate the need for physical hardware and maintenance costs, resulting in cost savings for the organization.

A major issue plaguing SIEMs is that they simply ingest alerts without any context among the underlying atomic data points. For example, a single alert or threat may comprise thousands of pieces of telemetry. When looking only at alerts, analysts can be blind to additional activity and indicators that may be linked to a larger scope of malicious activity. While the alert-only approach may be suitable for high-level monitoring or compliance, telemetry is far better suited to enabling security teams to threat hunt and perform analytics effectively.

Telemetry includes data such as raw network flows, endpoint, and cloud activity that can provide context to the alerts being generated and give analysts the ability to quickly determine whether an alert warrants further investigation. Additionally, analysts can use this extra data to detect sophisticated attacks that may appear benign in isolation. However, feeding this essential security data into a SIEM for analytics can be prohibitively expensive, particularly for small and medium-sized businesses.

For SIEM deployments, time to value can often be a struggle. The implementation process may involve collecting and normalizing data from multiple sources, setting up alerts and dashboards, and fine-tuning configurations. This can stretch the deployment timeline and delay the realization of benefits such as improved visibility into network activity and threat detection.

According to the Panther.io State of SIEM 2021, over 18 percent of the IT security professionals surveyed indicated that the time it took to receive high-value alerts — from deployment to implementation — was 12 months or longer. Additionally, over 40 percent said their organization was overpaying for their SIEM relative to the system’s capabilities.

Unifying Security Data with XDR

To create human-understandable context among the alerts and logs flowing into a traditional SIEM, most organizations build rules, dashboards, and playbooks on top of alert data. However, this approach lacks visibility into the underlying endpoint devices or cloud workloads. Looking only at summary-level data in a SIEM can make it difficult to centralize triage and investigation, making it more likely that threats will go undetected.

Collecting and storing this data is only half the battle – the real challenge lies in making sense of it all. EDR vendors have recognized this problem and are increasingly offering powerful cloud-native logging and analytics tools to ingest and analyze security and IT telemetry. This is where correlation comes in.

By looking at how different data sets relate to one another, analysts can uncover patterns and trends that would otherwise be hidden. For example, by correlating network traffic data with employee login records, it may be possible to detect unusual activity that could indicate a security breach. By simplifying access to relevant data sets like logs and indicators of compromise from other tools, security teams can gain a complete view of their organization’s security posture.

As the amount of data generated by enterprise infrastructure continues to grow, many security vendors are turning to artificial intelligence (AI) to help make sense of it. AI can be used to detect suspicious and malicious behaviors, and it can also help to identify anomalous activity that might otherwise go unnoticed.

Endpoint Detection and Response (EDR) vendors have expertise in developing behavioral AI models and performing large-scale analytics on telemetry sourced from native endpoint agents. It’s only natural that Extended Detection and Response (XDR) is an evolution of EDR that brings the same visibility, analytics, and response to any attack surface.

XDR solutions extend the core EDR platform, providing visibility into native endpoint, cloud, network, and identity telemetry and making it easier to detect and respond to threats in real time. This approach is more economical and can provide better visibility into potential threats because teams can operationalize consolidated telemetry in a single console without needing to export the data to a SIEM for analysis.

XDR platforms powered by machine learning, like SentinelOne Singularity, produce correlated alerts that provide the precise context analysts need to make informed decisions, saving valuable time during endpoint triage and response. AI and automation, such as Singularity Storyline, remove the heavy lifting of data analysis and bring high-fidelity signals through the noise.

SentinelOne’s patented Storyline technology provides real-time, automated machine-built context and correlation across the enterprise security stack to transform disconnected data into rich stories and lets security analysts understand what happened in their environment. Storyline automatically links all related events and activities together in a storyline with a unique identifier. High-fidelity alerts allow security teams to see the full context of what occurred within seconds rather than spending hours, days, or weeks correlating logs and linking events manually.
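As an added example (not SentinelOne’s Storyline code, which the post describes only at the level above), the Python below shows the linking idea on constructed telemetry: each process inherits its parent’s story identifier, so a whole process chain and the network connections its members make come out as one unit, and an alert on one process is enriched with that chain plus the login record for the same user, as the correlation paragraph earlier suggests. Event shapes, host names, addresses and the expected login prefix are assumptions.

```python
"""Link raw endpoint telemetry into per-incident "stories" and enrich an alert.

Added illustration of the correlation idea; not any vendor's implementation.
Every event, host, user and address below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    kind: str          # "login" | "process" | "netconn"
    host: str
    user: str
    pid: int = 0
    ppid: int = 0
    image: str = ""
    src_ip: str = ""   # login source address
    dst: str = ""      # "ip:port" for netconn events


# Constructed telemetry: a login, then a document viewer that spawns a
# shell which beacons out, plus an unrelated benign mail client session.
TELEMETRY = [
    Event(1000, "login", "WS-17", "alice", src_ip="203.0.113.9"),
    Event(1030, "process", "WS-17", "alice", pid=410, ppid=400, image="winword.exe"),
    Event(1045, "process", "WS-17", "alice", pid=420, ppid=410, image="powershell.exe"),
    Event(1050, "netconn", "WS-17", "alice", pid=420, dst="203.0.113.55:443"),
    Event(1060, "process", "WS-17", "alice", pid=430, ppid=400, image="outlook.exe"),
    Event(1070, "netconn", "WS-17", "alice", pid=430, dst="192.0.2.25:443"),
]

# Assumed address range from which this user's logins normally originate.
EXPECTED_LOGIN_PREFIX = "198.51.100."


def build_stories(events):
    """Group process and connection events into stories.

    A process whose parent is unknown to the telemetry starts a new story
    ("host:pid"); every descendant inherits the story of its parent, and a
    connection joins the story of the process that made it.
    Returns (stories, story_of) with stories = {story_id: [events]} and
    story_of = {(host, pid): story_id}.
    """
    story_of = {}
    stories = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            sid = story_of.get((ev.host, ev.ppid)) or f"{ev.host}:{ev.pid}"
            story_of[(ev.host, ev.pid)] = sid
            stories[sid].append(ev)
        elif ev.kind == "netconn":
            sid = story_of.get((ev.host, ev.pid))
            if sid:
                stories[sid].append(ev)
    return dict(stories), story_of


def enrich_alert(events, host, pid):
    """Return the full story behind an alert on (host, pid) plus identity context."""
    stories, story_of = build_stories(events)
    sid = story_of[(host, pid)]
    story = stories[sid]
    procs = {e.pid: e for e in story if e.kind == "process"}

    # Ancestry from the story root down to the alerted process.
    chain, cur = [], procs[pid]
    while cur:
        chain.append(cur.image)
        cur = procs.get(cur.ppid)
    chain.reverse()

    # Most recent login by the same user on this host before the story began:
    # this is the "network activity joined with login records" correlation.
    started = min(e.ts for e in story)
    user = procs[pid].user
    logins = [e for e in events
              if e.kind == "login" and e.host == host and e.user == user and e.ts <= started]
    login = max(logins, key=lambda e: e.ts, default=None)

    return {
        "story_id": sid,
        "process_chain": chain,
        "connections": [e.dst for e in story if e.kind == "netconn"],
        "login_source": login.src_ip if login else None,
        "login_outside_expected": bool(login) and not login.src_ip.startswith(EXPECTED_LOGIN_PREFIX),
    }


if __name__ == "__main__":
    # A detection fired on the shell (pid 420); show everything linked to it.
    print(enrich_alert(TELEMETRY, "WS-17", 420))
```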

Singularity XDR provides a single, unified platform for extended threat detection, investigation, response, and hunting with:

  • Single source of prioritized alerts that ingests and contextualizes massive quantities of data across multiple native EDR data sources.
  • Direct integration with other best-of-breed platforms like Zscaler, Okta, and Mimecast for the purpose of automatically enriching alerts.
  • Single consolidated view to quickly understand the progression of attacks across security layers.
  • Single platform to rapidly respond and proactively hunt for threats.

Conclusion

If you want to improve your organization’s current XDR strategy, you should focus on utilizing your organization’s security data. By doing so, you can more accurately detect and respond to threats. A modern XDR solution will integrate this data to give you a comprehensive view of your organization’s security posture. Request a demo today to see how our platform can help you implement an effective XDR strategy.

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.

In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.

“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.

USDoD’s InfraGard sales thread on Breached.

USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.

The CEO in question — currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans — told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application.

USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO’s name, and that the application included a contact email address that they controlled — but also the CEO’s real mobile phone number.

“When you register they said that to be approved can take at least three months,” USDoD said. “I wasn’t expected to be approve[d].”

But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved (see redacted screenshot to the right). While the FBI’s InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email.

“If it was only the phone I will be in [a] bad situation,” USDoD said. “Because I used the person[‘s] phone that I’m impersonating.”

USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other.

USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.

“InfraGard is a social media intelligence hub for high profile persons,” USDoD said. “They even got [a] forum to discuss things.”

To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct note through InfraGard’s messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread.

That InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD’s message but asked to remain anonymous for this story.

USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields — like Social Security Number and Date of Birth — are completely empty.

“I don’t think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want,” they explained.

While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders.

USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal. USDoD shared the following redacted screenshot from what they claimed was one such message, although they provided no additional context about it.

A screenshot shared by USDoD showing a message thread in the FBI’s InfraGard system.

USDoD said in their sales thread that the guarantor for the transaction would be Pompompurin, the administrator of the cybercrime forum Breached. By purchasing the database through the forum administrator’s escrow service, would-be buyers can theoretically avoid getting ripped off and ensure the transaction will be consummated to the satisfaction of both parties before money exchanges hands.

Pompompurin has been a thorn in the side of the FBI for years. Their Breached forum is widely considered to be the second incarnation of RaidForums, a remarkably similar English-language cybercrime forum shuttered by the U.S. Department of Justice in April. Prior to its infiltration by the FBI, RaidForums sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches.

In November 2021, KrebsOnSecurity detailed how Pompompurin abused a vulnerability in an FBI online portal designed to share information with state and local law enforcement authorities, and how that access was used to blast out thousands of hoax email messages — all sent from an FBI email and Internet address.

Update, 10:58 p.m. ET: Updated the story after hearing from the financial company CEO whose identity was used to fool the FBI into approving an InfraGard membership. That CEO said they were never contacted by the FBI.

Update, 11:15 p.m. ET: The FBI just confirmed that it is aware of a potential false account associated with the InfraGard portal. The story now includes their full statement.

This is a developing story. Updates will be noted here with timestamps. 

The Dangers of Social Engineering | How to Protect Your Organization

It’s no secret that social engineering is a powerful tool in a cybercriminal’s arsenal. Threat actors use psychological manipulation to convince unsuspecting users to hand over their passwords, personal information, or money. To date, social engineering attacks have served as the most common means of gaining an initial foothold and performing lateral movement in the network.

In this post, we discuss the dangers of social engineering and how to combat them. We cover common social engineering techniques used by cybercriminals, uncover real-world social engineering-based attack paths, and explain what organizations can do to decrease the risk.

Prominent Types of Social Engineering Attack Techniques

There are several social engineering attack techniques. However, those most frequently seen in cyber-attacks that target enterprises are:

Phishing

One common social engineering technique is phishing. This is where cybercriminals send out emails that appear to be from a legitimate source, such as a bank or an online retailer.

Be very cautious of the email on a Friday evening at 4 PM, when you are about to leave for the weekend, from your e-commerce company asking you to click on the link to process your refund, to check some unusual activity or open some attachment. Other good examples of common phishing tricks can be found here.

Microsoft Tech support scam

The email may contain a link that leads to a fake website that looks identical to the real one. Once the user enters their login details, the cybercriminal can access their account.

Real-World Attack Example

In May 2021, with the ransomware attack on the Colonial Pipeline, millions of Americans experienced first-hand the impact of cyber attacks. During that cyber attack, the company was forced to stop all operations after its network got compromised. Cybercriminals were able to breach Colonial Pipeline through a targeted phishing campaign that gave them access to an employee’s user credentials which allowed them to start their ransomware attack from within the enterprise network.

Baiting

Another social engineering technique is baiting. This is where the cybercriminal leaves a USB drive or other type of storage device in a public place, such as a parking lot. When someone finds the device and plugs it into their computer, the device triggers actions aimed at the organization’s systems, infecting them with malware that eventually lets attackers gain access, or simply launching a destructive attack.

Real-World Attack Example

The Federal Bureau of Investigation (FBI) recently warned that cybercriminals are performing so-called ‘BadUSB’ attacks. Malicious USB thumb drives are sent through the United States Postal Service and United Parcel Service, impersonating the US Department of Health and Human Services, claiming to be COVID-19 infection warnings.

Whaling / Business Email Compromise (BEC)

Phishing attacks targeted at high-profile employees in an organization, such as the C-suite or VPs, are known as Whaling. Business email compromise (BEC), on the other hand, impersonates company executives to trick a normal user into performing certain activities. Both whaling and BEC require planning and study of normal behavioral patterns, and they can yield much higher-value outcomes for the attacker.

Social engineering can also take place over the phone, which is known as vishing. The caller pretends to be a legitimate executive of an organization (the same pattern as BEC) and tries to trick the user into revealing sensitive information, such as credit card numbers or social security numbers.

Real-World Attack Example

The Chief Executive Officer (CEO) of a UK-based organization received a phone call from someone who sounded just like the CEO of the parent company; the cybercriminal asked the victim to transfer $243,000 to a supplier. This was possible because the cybercriminal used Artificial Intelligence to mimic the chief executive’s voice. With that in mind, it is clear that vishing has evolved, and it is no longer just random scam calls that defenders must consider a threat.

Protection Against Social Engineering

As with anything in cyber security, it is always a fine balance between people, processes, and technology. Social engineering is the art of psychological manipulation.

Most victims fall prey to social engineering attacks unwittingly, without any malicious intent of their own. However, social engineering attacks are evolving to lure people into knowingly clicking certain links or sharing confidential information.

As such, organizations must start with the people aspect and build a security-aware culture by investing in end-user cyber awareness. Naturally, as organizations build a formal end-user awareness program, the next center of focus will be on processes. Employees must know how to report social engineering attacks to the security teams.

Security teams need technologies that help them protect, detect, and respond to these attack techniques, which often span across email, identity, and the endpoint. In practice, all this is achieved through a comprehensive cyber security program that acknowledges the risk associated with social engineering.

Defense Begins with Awareness and Training

When an employee receives an email that looks suspicious, it is imperative to train them to recognize such emails and not to click on links or open attachments but instead report it to the security team.

Staff should be made aware of threat actor tactics such as calls that impersonate a supplier, colleague, or manager and ask for personal information or organizational details. Training employees to understand how to identify a potential phishing attack and how to report it can prevent a serious compromise.

Similarly, unidentified USB drives lying around in public places, in the corporate parking lot and elsewhere have been used in real-world and simulated attacks. Ensure employees understand they shouldn’t plug unknown devices into their endpoints, and instead turn them over to the IT or Security team. Device control can also help mitigate this kind of behavior.

Employee education is critical. Organizations should provide regular training covering social engineering techniques and how to spot them.

These proactive measures build foundational resilience against phishing attacks. This should be taken a level further by instilling a sense of responsibility in employees, empowering them to use their own cyber judgment. Help them understand and apply ‘If you see something, say something’: they are the eyes and ears on the ground, and they are equally important for securing the organization and its mission.

Empower Users with Clarity and the Confidence to Report Suspicious Activity

Organizations should have policies and procedures in place for dealing with suspicious emails, phone calls, and other communications. Providing employees with a simple, clear process for reporting social engineering attempts, so that they can be investigated and stopped before any damage is done, is fundamental to enterprise security.

Cybersecurity teams should give clear and uncomplicated instructions to prevent any delay or unwillingness to report suspicious activity, and a firm ‘When in doubt, stop and report it’ message should be communicated frequently to staff. Assure employees that they won’t be penalized for a delay in action or for reporting something they find suspicious, even if it is later determined to be non-malicious. Fostering this culture of cyber empowerment is hugely important.

Testing resilience against phishing attacks is equally important, so organizations should conduct phishing simulation exercises to assess their level of readiness. Phishing simulations are a useful tool for evaluating employees’ resilience against phishing emails, but they are not effective against intentional clicks by employees.

Simulation tests should only be run once a certain level of maturity in cyber training and awareness has been reached, and simulation should not be used to name and shame employees who fail the test. Each test should be followed by training to close the loop.

Leverage Technology To Counter Social Engineering

From a technology perspective, there are several security controls that organizations can evaluate that will reduce the risk of social engineering-based attacks:

  1. Multi-Factor Authentication (MFA): Although MFA bypass methods exist, such as manipulating an employee into sharing their one-time password, implementing MFA reduces the threat of social engineering-based attacks.
  2. Additional Authentication: In the case of business email compromise (BEC) attacks, where a high-level executive is impersonated, an email marked as urgent should be double-checked through an offline method such as a voice call before any action is taken. For this method to succeed, executives must be receptive to and welcoming of double-checking.
  3. Conditional Access (CA): By implementing CA, organizations can ensure that only trusted identities on healthy endpoints gain temporary access to corporate resources and services as required, instead of default access to all corporate resources without any prior condition check.
  4. Identity Risk Assessment (AD Assessment): With the user’s identity often being center stage in an attack, the ability to uncover security misconfigurations in real time, assess the risk level of identities, and perform remediation actions is critical.
  5. Identity Threat Detection and Response (ITDR): As identity-based attacks continue to increase, organizations are looking for ways to detect and respond to them, which makes ITDR technology important.
  6. Endpoint Detection and Response (EDR): As the majority of cyber attacks happen on the endpoint, and this remains true in the context of social engineering, the ability to detect these threats and respond automatically or with a single click is critical, so EDR technology is also essential.

Conclusion

Social engineering is a serious threat to consumers and enterprises worldwide. By increasing our awareness of these attacks, having robust procedures in place, and the right tools, as defenders, we have the opportunity to reduce the exposure risk to these attacks significantly.

The Good, the Bad and the Ugly in Cybersecurity – Week 50

The Good

When programmers make mistakes that turn into news, it’s almost invariably because some threat actor or another has weaponized that coding error into a zero-day exploit, and the rest of us are urged to rush off and patch the affected software. Good news this week, then, to see that a cryptomining botnet has effectively been made redundant due to a developer mistake.

Researchers at Akamai had previously reported on their discovery of KmsdBot, a cryptomining botnet written in Go that they said had infected unnamed brands within the gaming industry, the technology industry, and luxury car manufacturing. KmsdBot was found to be propagating by brute forcing weak SSH credentials.

This week, the same researchers observed that the botnet had a fatal flaw: the malware crashed after receiving a malformed command, and since the botnet also had no persistence capabilities, crashing it effectively removed the botnet from the infected device.

The researchers say that the malformed command likely crashed all the botnet code running on infected machines and talking to the C2, essentially killing the botnet. The developer had failed to write error-handling code for typos in input received from the botnet operator.

No doubt that’s a bug the botnet developer will be rushing to fix, but they’ll also have to start over from scratch in terms of infecting devices, and that’s good news for those companies that had fallen prey to KmsdBot.

The Bad

Sticking with botnets, on the flip side the bad news this week is that a recently discovered botnet called Zerobot is doing the rounds with a hardcoded list of 21 known exploits in BIG-IP, Zyxel, D-Link and other devices.

Like KmsdBot, Zerobot is written in Go, but the developers are clearly more technically proficient. The botnet uses any of the hardcoded exploits to gain initial access and then tries to reproduce itself and infect any Windows or Linux endpoints on the network that have the known vulnerabilities.

On Windows devices, it copies itself to the “Startup” folder using the filename “FireWall.exe”; on Linux, three file paths are targeted to drop the malware: %HOME%, /etc/init/, and /lib/systemd/system/. Zerobot also attempts to protect itself by intercepting any signal sent to terminate or kill the process.
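The persistence locations named above are concrete enough to hunt for. The following added example (written for this page, not code from the article or from SentinelOne) walks those directories and flags the file name used on Windows, systemd units whose `ExecStart=` points into a directory a real service should never run from, and unit files modified in the last few days; it also shows how to read the `SigCgt` mask from `/proc/<pid>/status` to list which signals a process has installed handlers for, since the write-up says the malware intercepts termination signals. The per-user Startup folder path, the "untrusted directory" prefixes, the seven-day window and the demo tree are constructed assumptions for the demonstration, and catching `SIGTERM` is common among legitimate daemons, so that check is context for an analyst rather than a verdict on its own.

```python
import os
import sys
import tempfile
import time
from pathlib import Path

# Persistence locations named in the write-up. The Windows path is the per-user
# Startup folder (an assumption; the all-users folder is another candidate).
# On Linux the article lists $HOME, /etc/init/ and /lib/systemd/system/.
WINDOWS_STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
LINUX_ROOTS = ["/etc/init", "/lib/systemd/system", "~"]

# Directories a legitimate service binary should never run from (heuristic, assumed).
UNTRUSTED_EXEC_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def default_roots():
    """Platform-appropriate roots to scan on a live host."""
    if sys.platform.startswith("win"):
        return [os.path.expandvars(WINDOWS_STARTUP)]
    return [os.path.expanduser(r) for r in LINUX_ROOTS]


def read_exec_start(unit_path):
    """Return the executable from the first ExecStart= line of a systemd unit, or None."""
    try:
        text = unit_path.read_text(errors="replace")
    except OSError:
        return None
    for line in text.splitlines():
        if line.startswith("ExecStart="):
            cmd = line.split("=", 1)[1].strip().lstrip("-@+!:")  # drop systemd prefix chars
            return cmd.split()[0] if cmd else None
    return None


def hunt(roots, recent_days=7, now=None):
    """Walk each root and return (severity, reason, path) findings."""
    now = time.time() if now is None else now
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            try:
                if not path.is_file():
                    continue
                age_days = (now - path.stat().st_mtime) / 86400
            except OSError:
                continue  # unreadable entry, e.g. permissions
            if path.name.lower() == "firewall.exe":
                findings.append(("high", "file name used by Zerobot on Windows", str(path)))
            elif path.suffix == ".service":
                exe = read_exec_start(path)
                if exe and exe.startswith(UNTRUSTED_EXEC_PREFIXES):
                    findings.append(("high", f"unit runs {exe} from an untrusted directory", str(path)))
                elif age_days <= recent_days:
                    findings.append(("medium", "unit file modified recently", str(path)))
    return findings


def caught_signals(status_text):
    """Signal numbers a process has handlers for, from the SigCgt mask in /proc/<pid>/status.
    Bit n-1 of the mask corresponds to signal n (2 = SIGINT, 15 = SIGTERM)."""
    for line in status_text.splitlines():
        if line.startswith("SigCgt:"):
            mask = int(line.split()[1], 16)
            return [n for n in range(1, 65) if (mask >> (n - 1)) & 1]
    return []


def build_demo_tree(base):
    """Constructed sample tree (harmless placeholder files, not malware) exercising each rule."""
    units = Path(base) / "lib" / "systemd" / "system"
    startup = Path(base) / "Startup"
    units.mkdir(parents=True)
    startup.mkdir(parents=True)
    (startup / "FireWall.exe").write_bytes(b"placeholder")
    (units / "dropped.service").write_text("[Service]\nExecStart=/tmp/.cache/agent --daemon\n")
    (units / "fresh.service").write_text("[Service]\nExecStart=/usr/bin/true\n")
    old = units / "ssh.service"
    old.write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    long_ago = time.time() - 400 * 86400
    os.utime(old, (long_ago, long_ago))  # pretend it has been installed for over a year
    return [str(units), str(startup)]


def demo():
    """Run the hunt over the constructed tree; returns {file name: severity}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {Path(p).name: sev for sev, _, p in hunt(build_demo_tree(tmp))}


if __name__ == "__main__":
    for sev, reason, path in hunt(sys.argv[1:] or default_roots()):
        print(f"[{sev}] {path}: {reason}")
```

Run it with no arguments to scan the live host, or pass the mount point of a disk image as an argument; scanning a large home directory takes a while, so in practice the `$HOME` root is better limited to dot-directories or to files changed since the suspected infection date.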

The botnet tries to communicate with its C2 over 176[.]65[.]137[.]5. However, as the malware appears to be under active development, that is sure to change, as will the list of known CVEs, which currently include:

CVE ID           Affected Product
CVE-2014-8361    miniigd SOAP service in Realtek SDK
CVE-2017-17106   Zivif PR115-204-P-RS V2.3.4.2103 Webcams
CVE-2017-17215   Huawei HG532 Router
CVE-2018-12613   phpMyAdmin
CVE-2020-10987   Tenda AC15 AC1900 Router
CVE-2020-25506   D-Link DNS-320 NAS
CVE-2021-35395   Realtek Jungle SDK
CVE-2021-36260   Hikvision products
CVE-2021-46422   Telesquare SDT-CW3B1 Router
CVE-2022-1388    F5 BIG-IP
CVE-2022-22965   Spring MVC or Spring WebFlux applications (Spring4Shell)
CVE-2022-25075   TOTOLINK A3000RU Router
CVE-2022-26186   TOTOLINK N600R Router
CVE-2022-26210   TOTOLINK A830R Router
CVE-2022-30525   Zyxel USG FLEX 100(W) Firewall
CVE-2022-34538   Digital Watchdog DW MEGApix IP cameras
CVE-2022-37061   FLIR AX8 thermal sensor cameras

Organizations or individuals running any of the affected devices are urged to contact the device manufacturers’ support services and apply patches as soon as possible.

The Ugly

Things have been turning ugly for a while now in state-sponsored cyber warfare, and this week it’s the use of wiper malware that’s grabbing the headlines as two separate reports show threat actors doing their best to infect and destroy data belonging to their adversaries.

Iranian-linked APT Agrius has been actively attacking targets in Hong Kong, Israel and South Africa with a new wiper named Fantasy, hidden inside software commonly used in the diamond industry. Known targets include a diamond wholesaler, a jeweler, an IT support services firm, and an HR consulting company. Fantasy targets Windows devices and overwrites the content of files with random data. It also overwrites the master boot record, deletes itself, and reboots the system.

Fantasy is a variant of the Apostle software first identified by SentinelLabs, a wiper that was later turned into a fully functional ransomware. Unlike ransomware though, wipers are not meant to leverage the victim and are only intended to disrupt the target’s ability to operate by destroying systems, services and data.

Meanwhile, it’s also been reported this week that Russian courts and mayoral offices have been targeted with a wiper dubbed CryWiper. Researchers say that CryWiper pretends to be ransomware: it adds a .CRY extension to files and drops a ransom note with a bitcoin address and other details for payment. In reality, however, targeted files are not encrypted: they are overwritten with random data, making the originals unrecoverable.

Although these wipers are highly targeted, malware used by APTs often finds its way into the hands of cybercriminals. Fortunately, the defence against wipers and ransomware, not to mention cryptomining botnets and other malware, is the same: a trusted endpoint security solution designed with advanced threats in mind.