Ten Questions a CEO Should Ask About XDR (with Answers)

As a CEO, staying informed about the latest security technologies and approaches to protect your organization from cyber threats is important. A technology that has recently gained significant attention is XDR, or Extended Detection and Response. 

XDR provides a comprehensive and integrated approach to security, combining multiple technologies and data sources to detect and respond to threats more effectively than traditional AVs, EPP or EDR security solutions.

In this post, we provide ten key questions that CEOs should ask about XDR to help understand the benefits and potential drawbacks of implementing this technology in organizations.

What Problem Does XDR Solve?

XDR solves the problem of inadequate and fragmented security solutions. Traditional security solutions often focus on a single technology or data source, such as antivirus software or intrusion detection systems. This can leave gaps in an organization’s security posture and make it difficult to detect and respond to threats effectively.

XDR addresses this problem by combining multiple security technologies and data sources to provide a more comprehensive and integrated view of an organization’s security posture. This enables organizations to detect and respond to threats more quickly and effectively, improving their detection accuracy. This can help organizations reduce the impact of security incidents and minimize their potential losses from security breaches.

What Are the Challenges Organizations Face When Implementing XDR?

There are several challenges organizations may face when implementing XDR, including:

  1. Cost and complexity: XDR solutions can be more expensive and complex than traditional security solutions, requiring time, money, and expertise to implement and manage effectively.
  2. Integration with existing security technologies and processes: XDR benefits from integrating with an organization’s existing security technologies and processes, which can be challenging and require effort and resources to implement.
  3. Expertise and training: XDR may require a high level of expertise and training for staff to use and manage effectively, which can be challenging for organizations with limited security resources or expertise.
  4. Resistance to change: Implementing XDR may require significant changes to an organization’s security infrastructure and processes, which can be met with resistance from staff or other stakeholders.

To overcome these challenges, CISOs should plan and prepare for an XDR implementation, engage and communicate with all relevant stakeholders to gain support and buy-in for the XDR implementation, and provide training and support to ensure that staff is equipped to use and manage the XDR solution effectively.

Five Things to Look For in an XDR Solution

When evaluating XDR solutions, there are several key factors to consider, including:

  1. Comprehensive coverage: An XDR solution should comprehensively cover an organization’s security posture, combining multiple security technologies and data sources to provide a more complete and integrated view of potential threats and vulnerabilities.

    Look for solutions that provide open XDR, like SentinelOne. Open XDR provides organizations with the flexibility and control they need to customize and optimize their security posture and enables them to combine SentinelOne’s advanced XDR capabilities with their existing security tools and processes. This allows organizations to integrate their security technologies and data sources with SentinelOne’s XDR solution.

  2. Real-time visibility and response: An XDR solution should provide real-time visibility into security incidents and threats, enabling organizations to respond more quickly and effectively to potential threats.

    SentinelOne’s XDR solution uses machine learning and other advanced technologies to give organizations real-time visibility into their security posture and the ability to detect and respond to threats more effectively. This can help organizations reduce the impact of security incidents and minimize their potential losses from security breaches.

  3. Improved threat detection accuracy: An XDR solution should use advanced technologies, such as machine learning and data analysis, to improve threat detection accuracy and reduce false positives.

    SentinelOne’s XDR solution uses machine learning and data analysis to identify potential threats and anomalies and filter out false positives. This can help organizations improve the accuracy of their threat detection and focus their resources on the most serious threats. SentinelOne’s XDR solution also includes behavior analysis, which can provide organizations with additional insights and context to help them identify and respond to potential threats more effectively.

  4. Streamlined incident response: An XDR solution should be able to integrate with an organization’s existing incident response processes and procedures to enable more efficient and effective threat response.

    SentinelOne’s XDR solution includes incident response automation and data breach detection features, which can help organizations respond more quickly and effectively to potential threats and incidents.

  5. Scalability and flexibility: An XDR solution should be scalable and flexible to support an organization’s growth and evolving security needs. It should also be able to integrate with an organization’s existing security technologies and processes to provide a seamless and integrated security solution.

    SentinelOne’s XDR solution is designed to support organizations’ growth and evolving security needs and can be easily scaled up or down to meet changing requirements. SentinelOne’s XDR solution is also open and flexible, allowing organizations to integrate their existing security technologies and data sources with SentinelOne’s XDR capabilities. This enables organizations to customize and optimize their security posture and provides them with the control they need to ensure the security and resilience of their critical assets and data.

Ten Questions a CEO Should Ask About XDR (with Answers)

1. What is XDR, and how does it differ from traditional security solutions?

XDR is a new approach to security that combines multiple security technologies and processes to provide a more comprehensive and integrated approach to visibility, threat detection and response across your entire estate.

This differs from traditional security solutions, which typically focus on a single security technology or processes, such as antivirus software or intrusion detection systems. XDR provides a more holistic view of an organization’s security posture by combining multiple data sources and security technologies to identify and respond to threats more effectively.

2. How does XDR integrate with our existing security infrastructure and processes?

XDR is designed to integrate seamlessly with an organization’s existing security infrastructure and processes. This typically involves integrating XDR with existing security technologies and data sources, such as firewalls, endpoint protection, and network security tools, to provide a more comprehensive view of an organization’s security posture.

XDR can also be integrated with existing incident response processes and procedures to enable more effective and efficient threat response. Additionally, XDR can be integrated with security operations centers (SOCs) and other security teams to provide real-time visibility and actionable insights into security threats and incidents.

3. How does XDR help us detect and respond to security threats more effectively?

XDR helps organizations detect and respond to security threats more effectively by combining multiple security technologies and data sources to provide a more comprehensive view of an organization’s security posture. This allows XDR to identify potential threats that may be missed by traditional security solutions that focus on a single technology or data source.

Further, XDR provides real-time visibility into security incidents and threats, enabling security teams to respond more quickly and effectively. XDR also uses machine learning and other advanced technologies to improve threat detection accuracy and reduce false positives, helping organizations focus their resources on the most serious threats.

4. What are XDR’s key features and capabilities, and how do they benefit our organization?

XDR’s key features and capabilities include:

  1. Multi-technology integration: XDR combines multiple security technologies and data sources to provide a more comprehensive view of an organization’s security posture.
  2. Real-time visibility and response: XDR provides real-time visibility into security incidents and threats, enabling security teams to respond more quickly and effectively.
  3. Improved threat detection accuracy: XDR uses machine learning and other advanced technologies to improve the accuracy of threat detection and reduce false positives.
  4. Streamlined incident response: XDR can be integrated with existing incident response processes and procedures to enable more efficient and effective threat response. These features and capabilities can benefit organizations by providing a more comprehensive and integrated approach to security, enabling them to detect and respond to threats more quickly and effectively and improving the accuracy of their threat detection. This can help organizations reduce the impact of security incidents and minimize their potential losses from security breaches.

5. How does XDR help us reduce false positives and improve the accuracy of our threat detection?

XDR uses machine learning and other advanced technologies to improve threat detection accuracy and reduce false positives. By combining multiple security technologies and data sources, XDR can provide a more comprehensive view of an organization’s security posture and identify potential threats that may be missed by traditional security solutions that focus on a single technology or data source.

In addition, XDR uses advanced algorithms and data analysis techniques to identify and filter out false positives, helping security teams focus on the most serious threats. This can help organizations reduce the time and resources spent on investigating false positives and enable them to respond more effectively to real threats.

6. What is the total cost of implementing and maintaining an XDR solution, and what is the expected return on investment?

The cost of implementing and maintaining an XDR solution will vary depending on factors such as the size and complexity of an organization’s security infrastructure, the number and types of security technologies and data sources integrated with XDR, and the level of support and services required from the XDR vendor.

In general, XDR solutions can be more expensive than traditional security solutions due to their advanced technologies and capabilities. However, organizations can expect a return on investment from XDR through improved threat detection and response, reduced losses from security incidents, and increased compliance with industry regulations and standards.

With SentinelOne, you can calculate your expected value from implementing XDR. This is done by answering a few questions: how many analysts do you directly employ? How many security incidents per year does your organization respond to? What is your mean time to investigate and remediate an incident? How many user endpoints, physical servers, and virtual servers does your organization manage, and more.

Find the calculator here: https://www.sentinelone.com/lp/value-calculator/

7. How does XDR support compliance with industry regulations and standards?

By combining multiple security technologies and data sources, XDR can provide organizations with the visibility and control needed to meet various regulations and standards requirements. XDR can also provide organizations with real-time visibility and incident response capabilities to quickly and effectively respond to security incidents and prevent data breaches. This can help organizations avoid the financial and reputational risks associated with non-compliance with industry regulations and standards.

SentinelOne Singularity XDR provides organizations with the comprehensive and integrated security capabilities they need to meet the requirements of various industry regulations and standards. The solution combines multiple security technologies and data sources, including endpoint protection, network security, and cloud security, to give organizations real-time visibility into their security posture and the ability to detect and respond to threats more effectively.

SentinelOne XDR also includes incident response automation, data breach detection, and regulatory compliance reporting, which can help organizations meet the requirements of regulations and standards such as HIPAA, PCI DSS, and GDPR.

These features and capabilities can help organizations avoid the financial and reputational risks associated with non-compliance with industry regulations and standards.

8. What expertise and training are required for our staff to effectively use and manage an XDR solution?

The expertise and training required for staff to effectively use and manage an XDR solution will depend on the specific solution and the organization’s security infrastructure and processes.

In general, XDR solutions are designed to be user-friendly and require minimal training for staff to use and manage. Most XDR vendors offer training and support services to help organizations get up and running with their XDR solution and ensure that their staff is properly trained and equipped to use the solution effectively.

Many XDR solutions include features such as threat intelligence feeds, automated incident response, and intuitive user interfaces, which can help reduce the level of expertise and training required for staff to effectively use and manage the solution.

9. How do XDR support collaboration and information sharing between different teams and departments in our organization?

XDR can support collaboration and information sharing between different teams and departments in an organization by providing a centralized platform for managing and sharing security information.

XDR solutions typically include security dashboards, reporting, and alerting, which can provide different teams and departments with the information they need to collaborate and respond to security threats and incidents more effectively.

Additionally, XDR solutions can be integrated with other security and IT systems, such as SIEMs and ticketing systems, to enable seamless information sharing and collaboration across different teams and departments. This can help organizations improve their overall security posture and reduce the impact of security incidents.

10. Are there any potential drawbacks or limitations to implementing XDR, and how do we mitigate these risks?

There are potential drawbacks and limitations to implementing XDR, including the cost and complexity of the solution, the level of expertise and training required for staff to use the solution effectively, and potential integration challenges with existing security technologies and processes.

To mitigate these risks, organizations should carefully evaluate their security needs and requirements and choose an XDR solution that suits their specific needs and infrastructure. Organizations should also ensure they have the expertise and resources necessary to effectively implement and manage an XDR solution and plan for any potential integration challenges.

Organizations should carefully evaluate the vendor and support options available for their chosen XDR solution and ensure they have access to the training and support services needed to effectively use and manage the solution.

Schedule A Demo
SentinelOne XDR encompasses AI-powered prevention, detection, response and hunting. Set up a XDR demo.

Conclusion

As a CEO, it’s important to stay up-to-date on the latest security technologies that can help protect your organization from cyber threats. XDR provides a more comprehensive and integrated approach to security by combining multiple technologies and data sources to detect and respond to threats more effectively.

If you’re considering implementing XDR in your organization, be sure to ask about the potential benefits and drawbacks. By combining endpoint, network, and application telemetry, XDR can provide security analytics to win that race through enhanced detection, triage, and response. If you’d like to know more about SentinelOne’s Singularity Platform, contact us or request a demo.

New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

S Ventures Invests in Vaultree to Revolutionize Data Encryption 

In today’s modern economy, data can unlock the full potential of businesses in just about any industry. Coined as “the new gold,” data is being collected, processed and consumed at an unprecedented pace, enabling visibility and new revenue streams for the next generation of businesses.

While data presents massive opportunities, it also has become a growing target for cyber attackers: Data breaches and the costs associated with them continue to rise, with no slowdown in sight. In the U.S alone, there were nearly 2,000 data breaches incidents in 2021, representing a 70% growth year-over-year, and the average global cost of a data breach reached $4.35 million in 2022.

With GDPR and other privacy laws imposing penalties on the exposure of sensitive data, the protection of data remains a fundamental challenge faced by organizations today. Security practitioners must continuously invest in their data security strategy, looking for solutions that will provide for better security but without decreasing the usability of data and hindering business performance.

We at SentinelOne understand the significance of harnessing the power of data and keeping it secure—it’s fundamental to the success and sustainability of any business, including our own. This is why we are excited to announce our investment in Vaultree.

Headquartered in Ireland with presence across North America, the E.U., and Latin America, Vaultree’s global and diverse team has an ambitious goal in mind: to develop an encryption solution that enables customers with an easily integrated, highly performant, and scalable way to keep their data secure.

“Vaultree’s vision can fundamentally change the encryption paradigm, by providing customers a novel data-in-use encryption  solution without settling for sub-par performance or complex deployment” – Mike Petronaci, VP Product Platform of SentinelOne

Vaultree’s flagship product is a database encryption solution that leverages data-in-use encryption concepts. Traditional encryption security controls that encrypt data-at-rest or data-in-transit leave data significantly vulnerable to attacks. In order to process data in the database, it must be decrypted once received or retrieved from storage to allow any type of computation to be performed. This means that data is completely exposed when unauthorized access is caused by access to the database machine, database vulnerabilities, cloud misconfigurations, or leaked and stolen credentials. So far, efforts in the industry to encrypt data-in-use have resulted in limited usability, poor performance, or complex deployment.

Vaultree has developed a data-in-use encryption solution that leaves data always encrypted in the database or server, enabling customers to work with fully encrypted data without the need to ever decrypt plaintext data in order to process it. The company employs a unique combination of patented Searchable Encryption (SE) and Fully Homomorphic Encryption (FHE) for greater performance and scalability and enabling more flexible deployment.

Since launching its beta product earlier this year, Vaultree already supports and integrates with several popular database technologies, and is engaging with large financial and healthcare customers across the globe.

S Ventures is always on the lookout for founders who take on significant challenges experienced by modern enterprises by building unique, market-changing technologies. Vaultree’s dedication to addressing the pervasive pain points of securely processing, searching, and querying encrypted data aligns with our mission to accelerate and nurture security & data solutions with wide-reaching potential for impact.

“We’re excited to partner with SentinelOne and S Ventures and find ways to provide value to customers in the intersection between security and data. “ – Ryan Lasmaili, CEO & Co-founder of Vaultree

Please visit www.vaultree.com and the S Ventures page to learn more.

S Ventures Invests in Drata to Take Security Compliance to the Next Level

As the age of modern software and cloud-native applications enters its third decade, user experience and performance are now joined by security and compliance as top priorities. Add in the mounting pressure from governments and regulating bodies, enhanced public scrutiny, increased frequency and cost of security incidents such as data breaches, and you end up with a critical, enterprise scale challenge. Because security and compliance is of paramount concern to not just SentinelOne’s long term success, but to the success and longevity of businesses everywhere, S Ventures is excited to announce our investment in Drata—the leader in compliance automation and continuous monitoring.

“Partnering with a leading XDR platform is another step in our efforts toward bridging the gap between security and compliance, and serving as the trust layer between our customers and those they do business with. We’re confident that our work with SentinelOne and S Ventures will deliver innovative solutions that provide real, tangible value for our customers.” – Adam Markowitz, Co-Founder & CEO of Drata

Traditional security checklist approaches to maintaining compliance are too rigid and manual, and don’t scale well. This pain point is exacerbated as companies scale and become more complex whilst adding and managing more types of compliance frameworks, standards, and regulations. Key tasks like developing policies and procedures, conducting risk assessments, inventorying all company assets, and collecting artifacts place an undue burden on already constrained engineers, security analysts, and other teams. Instead of being in a state of continuous compliance, efforts are focused on the re-audit towards the end of every compliance cycle.

Enter Drata’s purpose-built, next-gen compliance automation platform which provides visibility, analytics, automation, and 75+ native integrations to enable continuous control monitoring at scale. Within minutes, Drata can connect data from all relevant systems, providing a unified view of compliance against SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and others, saving companies hundreds of hours per year.

In addition to compliance, Drata’s platform provides public security posture reporting via Trust Center, Risk Management (access reviews, scoring and testing), and GRC (questionnaires and vendor risk) capabilities—a true system of record for real-time security compliance posture.

“At SentinelOne, we believe compliance and security go hand-in-hand. Compliance is the codification of security best practices, providing a framework to measure and standardize. A key part of the S Ventures mandate is to get behind category-leading companies, and it’s clear Drata is a trailblazer taking share from both legacy and other next-gen compliance solutions. We are happy to be a part of Drata’s next phase of growth and excited for what’s to come.” – Rob Salvagno, SVP Corporate Development & Ventures at SentinelOne

Drata’s product innovation and category leadership is best captured by its hypergrowth, positive customer feedback, and as a leader on G2’s Top 20 Cloud Compliance Software ranking. Customers applaud its enterprise-grade features including advanced automation, UI/UX, deep/native integrations, and best-in-class customer support. It’s clear the team at Drata share our vision of building category-defining technologies that solve big problems and accelerate security and productivity.

S Ventures looks forward to partnering with Drata in their next phase of hypergrowth and executing on furthering the mission to put security and compliance on autopilot.

Top 10 macOS Malware Discoveries in 2022

2022 saw a number of significant malware campaigns targeting the macOS platform and the emergence of ten new malware strains or campaigns targeting Apple Mac users.

In this post, we review the essential behavior of each threat, offer primary IOCs for defenders, and provide links to further insights and analyses on each malware discovery.

Summary of Key Trends Emerging During 2022

Mac malware across 2022 has shown some interesting consistencies in approach from threat actors: heavy use of backdoors, cross-platform attack frameworks, and a preference to use Go as a development language.

Supply-chain attacks and targeted espionage are the two most common objectives. Perhaps most significant is the number of campaigns that are not targeted solely at macOS users but which now include a macOS component alongside the more usual Windows and Linux payloads.

1. Alchimist

Alchimist is a cross-platform attack framework first reported by Cisco Talos in October 2022. Discovered among the artifacts were a Mach-O binary and Mach-O library built in Go. The main function of the malware appears to be to provide a backdoor onto the target system. The malware attempts to bind a shell to a port in order to give the operators a remote shell on the victim machine.

The attack framework used for controlling the implanted malware uses a web interface written in Simplified Chinese. From the interface, the operator can generate configured payloads, establish remote sessions, deploy payloads and task active implants with various actions such as taking screenshots and executing arbitrary commands.

Cisco also reported that the Mach-O payload contains a privilege escalation exploit for CVE-2021-4034, a vulnerability in a 3rd party Unix tool called pkexec.

Since this tool is rarely found on Macs but is widely in use across various Linux distributions, this is likely an artifact of the cross-platform nature of the programming. Alternatively, it could indicate a payload configured for a highly-specific target.

Primary IoCs

43742fc8ab890fb9a19891f2eff09eaa7a540c6a
3f617411977fd6a14a91c3fa9d4ff821c012e212

2. ChromeLoader

ChromeLoader (aka ChromeBack, Choziosi Loader) was first reported in January 2022 and became widespread throughout the first half of this year through malverts and malspam. The malware takes the form of a DMG containing a shell script – a common infection method for adware and bundleware loaders since the success of OSX.Shlayer. The installer also attempts to “help” the victim override the built-in macOS security technology with a low-quality animated image.

The Bash script installs a Chrome browser extension that is either encoded in a separate file in the DMG or retrieved remotely from a hardcoded URL. The extension has the ability to steal information, hijack the victim’s search engine queries, and serve adware.

Researchers at Palo Alto reported that ChromeLoader installs a listener to intercept outgoing browser traffic. If the URL request is to a search engine, the search details are sent to the attackers C2.

Primary IoCs

823abcc291c1b2d32ea4ebe483a4e2d8a8e7e08b
0bb37356f6913ef70e055f973ec3c6da18e87dcc
13a23639be3a74dfbbeffba31d033c7b116bcd85
dc7c3f9bd94f7b36204a830c3e78512f76df8393
b67b80437339701747863b47ce48f89621c72443
/Volumes/Application Installer/ChromeInstaller.command

3. CloudMensis macOS spyware

First reported by ESET in July 2022, CloudMensis is a spyware downloader and implant that uses public cloud storage services such as Dropbox, Yandex Disk and pCloud to communicate with its C2 via access tokens.

Written in Objective-C, the downloader, execute, contains now-redundant code that suggests it has been around for several years. The backdoor implant, Client, contains code that supports features such as list running processes, list email messages and attachments, list file on external storage, run arbitrary commands, exfiltrate files and take screenshots.

The screen capture functionality requires CloudMensis to bypass TCC restrictions, which it attempts by exploiting CVE-2020-9934. This is a rather old bypass and may indicate that the targets were known to be running macOS Catalina 10.5.6 or earlier.

Primary IoCs

~/Library/Preferences/com.apple.iTunesInfo29.plist
~/Library/Preferences/com.apple.iTunesInfo28.plist
~/Library/Preferences/com.apple.iTunesInfo.plist
d7bf702f56ca53140f4f03b590e9afcbc83809db (execute)
0aa94d8df1840d734f25426926e529588502bc08 (Client)
c3e48c2a2d43c752121e55b909fc705fe4fdaef6 (Client)

4. CrateDepression

Reported on by SentinelLabs in May, CrateDepression was a supply chain attack on the Rust development community which dropped Poseidon payloads on its victims. Threat actors had hosted a malcious crate named ‘rustdecimal’ on crates.io, a typosquat of the genuine crate, rust_decimal.

The malware inspects infected machines for the GITLAB_CI environment variable, which is indicative of Continuous Integration (CI) pipelines used in software development. If the environment variable is present on the infected device, the malware retrieves a second-stage payload built on red-teaming post-exploitationt framework, Mythic, and writes it out to /tmp/git-updater.bin.

The executable is written in Go and is a Poseidon implant. Both macOS and Linux payloads were available to the attackers, and both contained similar functionality, including screencapture, keylogging, remote file retrieval, exfiltration, and persistence capabilities.

Primary IoCs

c91b0b85a4e1d3409f7bc5195634b88883367cad README.bin
/tmp/git-updater.bin
https://api.githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/READMEv2.bin
https://api.githubio[.]codes/v2/id/f6d50b696cc427893a53f94b1c3adc99/README.bin
api.kakn[.]li
githubio[.]codes
64.227.12[.]57

5. DazzleSpy

First spotted by ESET in late January, DazzleSpy is a highly sophisticated piece of malware that uses advanced techniques to evade detection and maintain a foothold on infected machines.

The malware comes in the form of an unsigned Mach-O file compiled for Intel x86 architecture. When the Mach-O file is executed, it installs a LaunchAgent for persistence that masquerades as an Apple launch service.

This fake service targets an executable called “softwareupdate” located in a hidden folder in the user’s home directory.

DazzleSpy contains code for searching and writing files, exfiltrating environmental info, dumping the keychain, running a remote desktop and running shell commands, among other things. Collected data is hidden in a directory at ~/.local.

Primary IoCs

ee0678e58868ebd6603cc2e06a134680d2012c1b	server.enc
~/Library/LaunchAgents/com.apple.softwareupdate.plist
~/.local/softwareupdate
~/.local/security.zip
~/.local/security/keystealDaemon
88.218.192[.]128:5633

6. Gimmick

In late 2021, SentinelLabs reported on macOS.Macma, a backdoor discovered by Google’s Threat Analysis Grup being used by an APT targeting pro-democracy activists in Hong Kong. In March 2022, researchers at Volexity reported a threat they called OSX.GIMMICK, related to a Chinese APT group they say is renowned for targeting minority and protest groups across Asia.

GIMMICK and Macma bear a number of indicator overlaps, including use of similar drop paths for files associated with the malware (a subfolder of ~/Library/Preferences) and similar persistence agent labels (com.*.va.plist).

GIMMICK is described as a feature rich, multi-platform malware family that takes advantage of cloud hosting services like Google Drive for its C2 communications. The macOS variant of this family is written in Objective-C and contains a suite of backdoor commands for use by the operator:

Description Additional Required Fields
0 | Transmit base system information None
1 | Upload file to C2 params
2 | Download file to client content, savepath
3 | Execute a shell command and write output to C2 params
4 | Set client Google Drive timer interval params
5 | Set client timer interval for client info heartbeat message params
6 | Overwrite client work period information params

Primary IoCs

com.CoredDRAW.va.plist
~/Library/Preferences/CorelDRAW/CorelDRAW
fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8

7. Lazarus ‘Operation In(ter)ception’

First spotted this year in August by ESET targeting Coinbase users, then again in September by SentinelOne with a new variant aimed at Crypto.com, Operation In(ter)ception is an ongoing campaign attributed to a North-Korean linked APT threat actor, more widey known as “Lazarus”.

The campaign has been using lures for attractive job offers since at least 2020, but this year novel macOS malware was discovered with embedded PDF documents advertising jobs vacancies and attempting to masquerade as legitimate processes with names such as wifianalyticsagent and safarifontsagent.

This multi-stage malware first installs a LaunchAgent for persistence in the user’s local folder, obviating the need for further permissions, although on macOS Ventura that does now at least raise an alert notification.

The second stage in the Crypto.com variant is a bare-bones application bundle named “WifiAnalyticsServ.app” (“FinderFontsUpdater.app” in the Coinbase variant). with the bundle identifier finder.fonts.extractor. The second-stage extracts and executes a third-stage binary, wifianalyticsagent, which serves as a downloader for an unretrieved fourth stage from a C2 at market.contradecapital[.]com (Crypto.com variant) or concrecapital[.]com (Coinbase variant).

Primary IoCs

bffc4a7150d61b4f58eb68b5e9535b7e3cfeab06
3febc7c3949c3b9b42bbadf60153dd0b784fcfdc
605214c45f2d7ea8d41125558dd8ad3b6ae92b57
9e75039f439719dbecc28ac938e6f0ab7700c2f7
8b4a121a954945bd70340df67f895b25b3d427a9
5c6029766bc46ee6d443b5c930d054fc8d8ef60f
d342ada8a44eac08a7fa58cfa5250bdf1b2eb49e
3b1cc4c4ed604cf1fae826f0d3d742a826ddbc41
a0c31b60993253810a3ee82e932918086cde1699
06a35b8033cef57ebcc51d0be2dd5b96d2e70b65
a2a0188a6387cb9bde92ebbbdc43bf6b486fe820
market.contradecapital[.]com
~/Library/LaunchAgents/com.wifianalyticsagent.plist
~/Library/WifiPreference/WifiAnalyticsServ.app
~/Library/WifiPreference/WifiCloudWidget
~/Library/WifiPreference/wifianalyticsagent
~/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf
~/Library/Fonts/Finder~/Library/Fonts/safarifontsagent

8. oRAT

In late April 2022, TrendMicro reported on an APT group they dubbed Earth Berberoka (aka GamblingPuppet) targeting gambling websites. The threat actor targets the Windows, Linux, and macOS platforms, and uses malware families previously attributed to Chinese-speaking individuals. The macOS variant, oRAT, was reported on by SentinelOne in early May.

The oRAT malware is distributed via a Disk Image masquerading as a collection of Bitget Apps. The disk image contains a package with the name “Bitget Apps.pkg” and the distribution identifier com.adobe.pkg.Bitget.

Neither the disk image nor the installer package have a valid developer signature, and the package only contains a preinstall script, whose purpose is to deliver a payload to the /tmp directory, give the payload executable permissions, and then launch it.

The payload is a UPX-packed Go binary that includes a custom package, orat_utils, containing the primary backdoor functionality.

orat/cmd/agent/app.(*App).DownloadFile
orat/cmd/agent/app.(*App).Info
orat/cmd/agent/app.(*App).Join
orat/cmd/agent/app.(*App).KillSelf
orat/cmd/agent/app.(*App).NewNetConn
orat/cmd/agent/app.(*App).NewProxyConn
orat/cmd/agent/app.(*App).NewShellConn
orat/cmd/agent/app.(*App).Ping
orat/cmd/agent/app.(*App).PortScan
orat/cmd/agent/app.(*App).registerRouters
orat/cmd/agent/app.(*App).run
orat/cmd/agent/app.(*App).Screenshot
orat/cmd/agent/app.(*App).Serve
orat/cmd/agent/app.(*App).Unzip
orat/cmd/agent/app.(*App).UploadFile
orat/cmd/agent/app.(*App).Zip

The binary contains an encrypted configuration file which tasks it to call one of orat_protocol.DialTCP, orat_protocol.DialSTCP or orat_protocol.DialSUDP to establish a connection. The TCP protocols leverage smux while the SUDP protocol leverages QUIC. The malware loops with a sleep cycle of 5 seconds as it waits for a response and further tasking from the operator.

Primary IoCs

/tmp/darwinx64
3f08dfafbf04a062e6231344f18a60d95e8bd010    bitget-0.0.7 (1).dmg
9779aac8867c4c5ff5ce7b40180d939572a4ff55    Bitget Apps.pkg
911895ed27ee290bea47bca3e208f1b302e98648    preinstall
26ccf50a6c120cd7ad6b0d810aca509948c8cd78    darwinx64 (packed)
9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6    darwinx64 (unpacked)

9. Pymafka

A week after the CrateDepression attack on the Rust development community, researchers from Sonatype reported on a supply chain attack via a malicious Python package called pymafka targeting the popular PyPI registry. The package attempted to infect users by means of typosquatting: hoping that victims looking for the legitimate ‘pykafka’ package might mistype the query and download the malware instead.

The pymafka package contains a Python script that surveils the host and determines its operating system.

If the device is running macOS, it reaches out to a C2 and downloads a Mach-O binary called ‘MacOs’, which is then written to the /var/tmp with the filename “zad”.

The dropped file is UPX-packed. After unpacking, SentinelLabs recognized that the malware was obfuscated in the same way as the payload from the OSX.Zuru campaign. Both ‘zad’ and OSX.Zuru payloads have __cstring and __const sections that are not only the same size but also have the exact same hash values.

The two executables also display very similar entropy across all Sections. Both, it appears, are obfuscated Cobalt Strike payloads. That does not necessarily mean the campaigns are linked; it is possible that different actors have coalesced around a set of similar TTPs and are using a common tool or technique for obfuscating Cobalt Strike payloads.

Primary IoCs

/var/tmp/zad
c41e5b1cad6c38c7aed504630a961e8c14bf4ba4    pymafka-1.0.tar.gz
7de81331ab2638956d93b0874a0ac5c741394135    setup.py
d4059aeab42669b0824757ed85c019cd5036ffc4    MacOs (UPX packed)
8df6339297d14b7a4d9cab1dfe1e5e3e8f9c6262    zad (unpacked)

10. VPN Trojan

In July, SentinelOne reported on a VPN Trojan being used to drop two malicious binaries, named ‘softwareupdated’ and ‘covid’. The malware had superficial similarities to DazzleSpy.

The VPN app which was distributed on a DMG, executes a script which drops a persistence agent with the same filename as DazzleSpy, com.apple.softwareupdate.plist, and an almost identical target executable name (DazzleSpy uses ‘softwareupdate’, rather than ‘softwareupdated’.). Like DazzleSpy, this malware writes to a hidden folder in the user’s home directory (.androids, and .local in the case of DazzleSpy).

‘softwareupdated’ is a Sliver implant written in Go that masquerades as an Apple system binary. The ‘covid’ binary is also a Go executable, this time packed with UPX. After unpacking, the binary turns out to be an NSApplication built using MacDriver, an open-source project available on Github that provides a toolkit for working with Apple frameworks and APIs in Go. The covid binary uses a “fileless” technique to execute a further payload in-memory, evidenced by the tell-tale signs of NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been seen in a few campaigns in recent years, including by North Korean-linked APT Lazarus.

The dropper script and both binaries reach out to the same C2, http[:]//46[.]137.201.254 for further tasking. As the C2 was offline at the time of the investigation, the final payload remains unknown.

Primary IoCs

~/covid
~/.androids/softwareupdated
~/Library/LaunchAgents/com.apple.softwareupdate.plist
563d75660e839565e4bb1d91bc1236f5ec3c3da7 vpn.dmg
fa2556765290b0a91df3b34e3b09b31670762628 script
0cfde0edb076154162e2b21e4ab4deb279aa9c7b script
d0eb9c2c90b6f402c20c92e2f6db0900f9fff4f7 script
b4ab73b52a42f995fbabacb94a71f963fc4cda01 covid (unpacked)
46[.]137.201.254

Also Ran | Other macOS Malware Seen in 2022

The first new Mac malware report of 2022 came courtesy of researchers at Intezer in the form of a threat they dubbed SysJoker, which comes in Windows, Linux and macOS variants.

SysJoker is a backdoor written in Objective-C and was initially distributed via an executable named types-config.ts. The dropper installs a persistence agent at ~/Library/LaunchAgents/com.apple.update.plist. This agent targets an executable at ~/Library/MacOsServices/updateMacOs.

554aef8bf44e7fa941e1190e41c8770e90f07254  updateMacOs
01d06375cf4042f4e36467078530c776a28cec05  types-config.ts

SentinelOne has more details on SysJoker here.

Last year also saw a new variant of the long-running XCSSET campaign, and a Mac version of a trojanized Chinese chat application called Mimi, a backdoor attributed to an APT group IronTiger.

In addition, adware infections from Pirrit, Bundlore and Adload continue to target users with an array of changing and sometimes challenging techniques, an updated report on which is currently in preparation.

How to Stay Safe from macOS Malware

SentinelOne’s Singularity platform defends organizations’ macOS fleets against all these and many other threats targeting Mac users.

In addition, SentinelOne and SentinelLabs have published several ebooks to help Mac admins, IT teams and security administrators further understand the risks and fortify their defenses. These include A Guide to macOS Threat Hunting and Incident Response and The Complete Guide to Understanding Apple Mac Security for Enterprise. Analysts may also wish to consult our How To Reverse Malware on macOS ebook as well as the SentinelLabs’ series of posts on reversing macOS malware with radare2.

Conclusion

In our 2021 review of macOS malware, we noted that for enterprises with macOS fleets, it was clear that threat actors had become increasingly interested in the Apple Mac platform, were more familiar with how to exploit it, and were taking an interest in high-value targets like developers and C-Suite executives, both of whom often choose Macs.

Those trends continue with the ever more common inclusion of macOS components in cross-platform attack frameworks and with the use of languages like Go that allow threat actors to care little about what OS victims might choose. As we’ve noted before, choice of OS is not a security measure, and business users today need a fully capable endpoint protection platform regardless of whether they’re working on Linux, Windows or indeed macOS devices.

The Complete Guide to Understanding Apple Mac Security for Enterprise
Learn how to secure macOS devices in the enterprise with this in-depth review of the strengths and weaknesses of Apple’s security technologies.

If you would like to learn more about how SentinelOne can help protect your Mac fleet, contact us for more information or request a free demo.

5 Cyber Scams to Watch Out for This Holiday Season

With the holiday season now in sight, businesses and consumers alike have begun to prepare for the annual shopping and gift giving frenzy. Prices are seeing a much-needed plunge, but this is also the time of year where cybersecurity hygiene tends to drop, too.

As inboxes flood with messages about markdowns galore, opportunistic cyber criminals use this time to step up their holiday scams. This post covers why seasonal retail is under attack by cyber criminals, five common holiday season scams, and what businesses and shoppers can do to keep up their cyber defenses.

Why Seasonal Retail Is Under Attack

From late November through to the end of the year, consumers across the globe rack up billions of dollars shopping holiday deals and giving generously to charities. When the COVID-19 pandemic first made its impact across the world in early 2020, online shopping surged, and now more people than ever make purchases virtually.

Deloitte’s 2022 Holiday Retail Survey found that the online shopping trends seen during the height of the pandemic have endured. This year, the survey reported that online shopping took a 63% share; numbers that are on par with the previous two years.

Shoppers this year also note they are not “giving up the convenience of online shopping” even as they warm up to in-store visits, and 66% of retail executives expect online holiday shopping traffic to have at least single-digit growth over last year.

Those kinds of figures are naturally attractive to cyber threat actors, who hope that the dash to grab the best discounts on items with limited availability will lead buyers to fall for fraudulent activity.

Scammers take advantage of unsuspecting shoppers in multiple ways, including through the use of fake websites, discount campaigns, and even charities with the goal of obtaining personal and financial information.

Here’s five ways threat actors take advantage of the holiday season and how consumers and businesses can stay protected.

1. Fake Ads and Malicious Links

This is the time of year when scammers zero in on targets who are searching for the best markdowns and bundle promotions, trying to spread their dollars further. Scammers run fake ads showing valuable and hard-to-get items at incredible prices. To encourage shoppers to click, they often use urgent phrasing, promising attractive discounts only while supplies last, or for a limited time only.

To further increase clickability, scammers use the same marketing strategies as legitimate ads to trick shoppers who are already moving faster than usual and may have their guard down. Once an unsuspecting victim clicks the link, they are led to fraudulent sale sites with credit card skimmers embedded in the code.

How To Stay Safe:

  • Shoppers can protect themselves from fake ads and malicious links by performing a quick check on the product being advertised. See a deal too good to be true? Pull up the official website of the brand and check if the same sale prices are reflected on their product pages.
  • Don’t rely on the quality of the photos displayed in the ad. Pixelated images can be an immediate red flag, but scammers also rip off genuine photos from official brand websites.
  • If a sale site seems sketchy, check for inconsistencies in spelling and language. Confirm that the website includes comprehensive policies on shipping, returns, customer support, and privacy. A privacy policy should cover how the company collects, uses, and protects personal and transactional data.
  • Check if the site is trusted by looking for “https” at the beginning of the site’s URL and ensure there is a closed lock or unbroken key icon. These icons indicate that data submitted on the site is encrypted.

2. Fake Discounts & Coupon Code Apps

Scammers will go to great lengths to obtain sensitive information. Other than hosting fake ads with bad links, they also build fraudulent applications that claim to search for and consolidate discount codes and coupons from popular brand names.

These fake apps are usually distributed through unofficial app repositories with the intention of having users download malware onto their devices, stealing payment information, or credentials to social media or online banking accounts.

How To Stay Safe:

  • If a company name seems unfamiliar, check for community reviews and how long the app has been around. Scam apps are typically less than a few months old.
  • Shoppers should look up the details of the app’s developer. How easy is it to find out the developer’s identity? If it’s not obvious who they are and where they trade from, walk away.
  • Use a security product to check if the application is known malware, or use public malware checking sites like VirustTotal to check an application or suspicious file’s reputation (be careful not to upload personal files – anything uploaded there is shared publicly!)

3. Holiday Email Scams & Phishing Campaigns

Sometimes all it takes is an unassuming email and a clever subject line to sink the hook. The holiday season is rife with phishing scams as cyber threats actors take to hiding amongst the throngs of legitimate emails from big brands.

Some scammers create spoofs of legitimate holiday emails from established brands and lure in their target with bargain prices. Clicking the links leads shoppers to malicious websites primed to drop malware or phish for login credentials.

Other than offering special gifts, bundle pricing, and extra coupons, holiday email scams may also send shoppers invoices for items they did not purchase. These kinds of emails include deceptive links to “report a problem” or reach a customer service team member. The scammers hope that indignant shoppers will fall for the links and click, thinking they can dispute the invoice.

How To Stay Safe:

  • Defend against phishing scams by using trusted security software to block out malware.
  • Make sure your device operating system is up-to-date and your accounts are protected by Multi-factor authentication.
  • When reading emails, inspect link addresses before clicking on them. Scammers often use URLs that look similar to real ones, replacing letters and spacing with numbers and punctuation or using odd domains.
  • Shoppers can also check that their browser settings are set to show full website addresses by default and that the appropriate privacy and security settings are all turned on.

4. Fake Charity Sites & Scams

The winter holidays is often a time of paying back one’s gratitude through charity and threat actors are waiting on the side lines to exploit the season’s givings. Scammers will often take full advantage of people’s generosity during this time of year by spoofing the phone numbers of legitimate charities and impersonating the agents to ask for donations.

Some cyber scammers may send text messages, target people through social media, or set up a computerized auto dialer to deliver pre-recorded messages.

How To Stay Safe:

  • Be wary of these solicitations whether online, via phone, or even in person. The safest way to donate to a charitable organization is to reach out to them proactively, or simply donate through their official website.
  • Check that the websites have firm payment protection in place and always use a credit card rather than providing direct account information.

5. Fake Offers for Seasonal Work

Businesses often hire in advance of the busy holiday season. Consumers who have trusted known brands for years may find themselves applying for a little part-time, seasonal work only to find that they’ve given away personal information to a fraudster.

Scammers in these schemes impersonate HR representatives, recruiters, and even senior managers of real companies and post help-wanted ads via email or on social media platforms.

Usually, these open roles will include forms for the hopeful applicant to fill out and ask for intimate details such as address, tax details, social security number, work permit information, and other personally identifiable information (PII).

If the ad is not directly phishing for PII, then applicants may be led to bogus sites that scan for email addresses and passwords or even ask them to pay upfront for job supplies and training fees.

How To Stay Safe:

  • Holiday job seekers should research the company, review their website and associated channels. Check their Careers landing page to find the official job posting and ensure that the details of the role are the same.
  • Remain cautious of roles that have vague job requirements, pay an unusually high wage, or promise applicants that they will “make money fast”. Receiving a job offer right away after applying and without an interview is another common red flag.
  • Only give personal information directly related to the application process after you have met in person or over video with a member of the company’s HR department.

Cybersecurity Is Crucial For the Holidays

We’ve covered many common scams that day to day consumers face during the holiday rush, but it’s important for businesses to protect themselves and their customers from cyber threats, too. During the holiday season when threat actors are more active, businesses may equally find that they are understaffed and dealing with heavy demand.

During the holiday season, businesses should be prepared to see increases in malware campaigns, ransomware and data extortion, Distributed-Denial-of-Service (DDoS) attacks, and the possibility of data loss.

As the number of digital transactions soars during the holiday season, establishing better cybersecurity processes can help to keep businesses and their customers safe from holiday scams.

  • Establish Full Visibility & Managed Security – Consumers often favor online shopping because of the convenience of shopping 24/7. This means that malicious activity can happen at any hour of the day, even outside the business hours of a company’s IT team. Having round-the-clock protection is crucial to identifying malicious behavior in its earliest stages before lateral spread can occur.
  • Execute Pre-Seasonal Audits – Before the holiday rush, companies should perform thorough security checks to validate any recent coding changes, SaaS updates, and third-party code on payment pages especially. Check that sensitive areas of a network are adequately protected and minimize the exposure of critical data and assets.
  • Ensure & Maintain Compliance Controls – Businesses that collect payment through credit cards must be in compliance with the requirements of the Payment Card Industry Security Standards Council (PCI CSS). The council focuses its controls on protecting payment account security during digital transactions. Retail companies accepting, processing, storing, or transmitting credit card information and cardholder data must meet controls set out in the Payment Card Industry Data Security Standard (PCI DSS) framework.

Conclusion

Sometimes, the holidays bring out the worst in people, and opportunistic scammers and attackers reserve a top spot on the naughty list. By exploiting the habits of a new wave of online consumers, cyber attackers have made it a seasonal push to target the annual increases in digital sales and donations.

While shoppers search for the best deals out there, it is important to keep up regular cyber hygiene and be wary of things that seem a little too good to be true. Practicing good online habits such as keeping personal identifiable information and payment data private and double-checking site, link, and app validity can save shoppers from much grief during what should be a joyful season.

Businesses ramping up for the annual year-end sales can also stay safe and make sure they and their customers are protected from payment data and identity theft. For expert advice on how to get 24/7 protection for your business and assets, contact us or request a demo. We hope the tips offered in this post help everyone stay safe during the festivities!

Judge Orders U.S. Lawyer in Russian Botnet Case to Pay Google

In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet’s largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for interfering in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google’s legal fees.

A slide from a talk given in Sept. 2022 by Google researcher Luca Nagy. https://www.youtube.com/watch?v=5Gz6_I-wl0E&t=6s

Glupteba is a rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

Collectively, the tens of thousands of systems infected with Glupteba on any given day feed into a number of major cybercriminal businesses: The botnet’s proprietors sell the credential data they steal, use the botnet to place disruptive ads on the infected computers, and mine cryptocurrencies. Glupteba also rents out infected systems as “proxies,” directing third-party traffic through the infected devices to disguise the origin of the traffic.

In June 2022, KrebsOnSecurity showed how the malware proxy services RSOCKS and AWMProxy were entirely dependent on the Glupteba botnet for fresh proxies, and that the founder of AWMProxy was Dmitry Starovikov — one of the Russian men named in Google’s lawsuit.

Google sued Starovikov and 15 other “John Doe” defendants, alleging violations of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, trademark and unfair competition law, and unjust enrichment.

In June, Google and the named defendants agreed that the case would proceed as a nonjury action because Google had withdrawn its claim for damages — seeking only injunctive relief to halt the operations of the botnet.

The defendants, who worked for a Russian firm called “Valtron” that was also named in the lawsuit, told Google that they were interested in settling. The defendants said they could potentially help Google by taking the botnet offline.

Another slide from Google researcher Luca Nagy’s September 2022 talk on Glupteba.

But the court expressed frustration that the defendants were unwilling to consent to a permanent injunction, and at the same time were unable to articulate why an injunction forbidding them from engaging in unlawful activities would pose a problem.

“The Defendants insisted that they were not engaged in criminal activity, and that any alleged activity in which they were engaged was legitimate,” U.S. District Court Judge Denise Cote wrote. “Nevertheless, the Defendants resisted entry of a permanent injunction, asserting that Google’s use of the preliminary injunction had disrupted their normal business operations.”

While the defendants represented that they had the ability to dismantle the Glupteba botnet, when it came time for discovery — the stage in a lawsuit where both parties can compel the production of documents and other information pertinent to their case — the attorney for the defendants told the court his clients had been fired by Valtron in late 2021, and thus no longer had access to their work laptops or the botnet.

The lawyer for the defendants — New York-based cybercrime defense attorney Igor Litvak — told the court he first learned about his clients’ termination from Valtron on May 20, a fact Judge Cote said she found “troubling” given statements he made to the court after that date representing that his clients still had access to the botnet.

The court ultimately suspended the discovery process against Google, saying there was reason to believe the defendants sought discovery only “to learn whether they could circumvent the steps Google has taken to block the malware.”

On September 6, Litvak emailed Google that his clients were willing to discuss settlement.

“The parties held a call on September 8, at which Litvak explained that the Defendants would be willing to provide Google with the private keys for Bitcoin addresses associated with the Glupteba botnet, and that they would promise not to engage in their alleged criminal activity in the future (without any admission of wrongdoing),” the judge wrote.

“In exchange, the Defendants would receive Google’s agreement not to report them to law enforcement, and a payment of $1 million per defendant, plus $110,000 in attorney’s fees,” Judge Cote continued. “The Defendants stated that, although they do not currently have access to the private keys, Valtron would be willing to provide them with the private keys if the case were settled. The Defendants also stated that they believe these keys would help Google shut down the Glupteba botnet.”

Google rejected the defendants’ offer as extortionate, and reported it to law enforcement. Judge Cote also found Litvak was complicit in the defendants’ efforts to mislead the court, and ordered him to join his clients in paying Google’s legal fees.

“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” Judge Cote wrote.

Litvak has filed a motion to reconsider (PDF), asking the court to vacate the sanctions against him. He said his goal is to get the case back into court.

“The judge was completely wrong to issue sanctions,” Litvak said in an interview with KrebsOnSecurity. “From the beginning of the case, she acted as if she needed to protect Google from something. If the court does not decide to vacate the sanctions, we will have to go to the Second Circuit (Court of Appeals) and get justice there.”

In a statement on the court’s decision, Google said it will have significant ramifications for online crime, and that since its technical and legal attacks on the botnet last year, Google has observed a 78 percent reduction in the number of hosts infected by Glupteba.

“While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them,” reads a blog post from Google’s General Counsel Halimah DeLaine Prado and vice president of engineering Royal Hansen. “And the steps [Google] took last year to disrupt their operations have already had significant impact.”

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was the biggest malware threat in 2021.

The Good, the Bad and the Ugly in Cybersecurity – Week 49

The Good

Scammers who have stolen in excess of $12.8 million were arrested this week in Madrid and Barcelona. Part of a larger cybercrime organization, the scammers had used bogus investment sites to defraud hundreds of victims across Europe. Spanish law enforcement have since charged six members of the organization with suspected fraud and money laundering.

Victims of the cybercrime group spanned across various European countries including France, Spain, Portugal, and Poland. In hopes of avoiding tracing efforts, scammers had bounced the funds through several off-shore financial institutions, and then moved the money back to the crime group’s native bank accounts in Spain.

Authorities reported that the cybercrime group relied on phishing emails to drive traffic to fake websites. Posing as banks and cryptocurrency vendors, the scammers tricked investors into making deposits using a malicious technique known as typosquatting. Typosquatting entails the registration of fraudulent domains that are very similar to the official websites of legitimate banks. In comparison to a real domain, the difference is only a few characters or a small typo. This technique takes advantage of unsuspecting users who overlook these minor differences and begin interacting with the scammer-owned site.

Researchers warn that social engineering techniques including phishing and typosquatting remain effective and that scammers will likely continue to prey on human behaviors and instincts for financial gain.

The Bad

A breach on cloud storage services this week has hit both GoTo (formerly LogMeIn) and its affiliate company, popular password management giant, LastPass. Threat actors behind the breach were able to gain access to GoTo’s development environment and third-party cloud storage service. Since the incident, GoTo has announced that they are working with industry partners and law enforcement to launch a full-scale security investigation.

GoTo provides cloud-based remote work solutions for IT management and collaboration. The company reported that they first learned of the incident after detecting abnormal activity in both their development workspace and cloud storage. LastPass, which shares the same cloud service with its affiliate, disclosed that “certain elements” of customer information were accessed by the threat actors.

LastPass is no stranger to cyberattack, having revealed just last quarter that threat actors accessed their internal networks and made off with source code and proprietary technical information. The company confirmed that information stolen in the August 2022 intrusion was subsequently used to pave the way for this week’s breach. Customer passwords, however, were not compromised due to their zero trust architecture.

Services for both affected companies remain fully operational, but data breaches like this are reflective of the alarming rise in cloud-based cyberattacks on large enterprises. As threat actors capitalize on the high volumes of sensitive data flowing between the organizations and the cloud, more attacks of the same nature will keep occurring. Large companies like LastPass, who claim to service 33 million global users currently, must prioritize implementing robust cloud-based security to protect themselves and their customers’ data.

The Ugly

Google researchers this week unveiled their discovery of a Spain-based IT company trading in commercial spyware. Variston IT is described as an “information security solution provider” focusing on IoT surveillance software, SCADA (supervisory control and data acquisition) technology, custom security patches, data discovery, and protocol development for embedded devices.

Researchers have found that Variston also sells advanced software frameworks that exploit known vulnerabilities in Windows Defender, Chrome, and Firefox. In the hands of a threat actor, such frameworks provide everything one would need to inconspicuously install malware and spy on targeted devices. Google’s Threat Analysis Group (TAG) explained that the malicious frameworks are built to exploit n-day vulnerabilities – flaws that have only been recently patched – allowing attackers to target those who have yet to update to the new versions.

After receiving the frameworks through an anonymous source, the researchers identified them as “Heliconia Noise”, “Heliconia Soft”, and “Files”. Heliconia Noise is capable of exploiting the Chrome renderer and escaping the Chrome security sandbox that usually isolates untrusted code from the rest of the system. Heliconia Soft is designed to exploit CVE-2021-42298, a JavaScript engine flaw within the Microsoft Defender Malware Protection product that grants high-level system privileges on Windows. Exploiting the use-after-free flaw CVE-2022-26458, the Files framework included a full-fledged exploit chain for Firefox running on Windows and Linux machines.

While Google TAG’s report on these frameworks noted that they had not detected evidence of active exploitation, they said it was likely the frameworks had been utilized as zero-days in the wild. This discovery highlights the issue of the commercial surveillance industry, which is rapidly expanding globally. Exploit sellers contribute to an accelerated rise of digital espionage, which is typically used by governments to target journalists, human rights activists, political opposition and dissidents.

ConnectWise Quietly Patches Flaw That Helps Phishers

ConnectWise, which offers a self-hosted, remote desktop software application that is widely used by Managed Service Providers (MSPs), is warning about an unusually sophisticated phishing attack that can let attackers take remote control over user systems when recipients click the included link. The warning comes just weeks after the company quietly patched a vulnerability that makes it easier for phishers to launch these attacks.

A phishing attack targeting MSP customers using ConnectWise.

ConnectWise Control is extremely popular among MSPs that manage, protect and service large numbers of computers remotely for client organizations. Their product provides a dynamic software client and hosted server that connects two or more computers together, and provides temporary or persistent remote access to those client systems.

When a support technician wants to use it to remotely administer a computer, the ConnectWise website generates an executable file that is digitally signed by ConnectWise and downloadable by the client via a hyperlink.

When the remote user in need of assistance clicks the link, their computer is then directly connected to the computer of the remote administrator, who can then control the client’s computer as if they were seated in front of it.

While modern Microsoft Windows operating systems by default will ask users whether they want to run a downloaded executable file, many systems set up for remote administration by MSPs disable that user account control feature for this particular application.

In October, security researcher Ken Pyle alerted ConnectWise that their client executable file gets generated based on client-controlled parameters. Meaning, an attacker could craft a ConnectWise Control client download link that would bounce or proxy the remote connection from the MSP’s servers to a server that the attacker controls.

This is dangerous because many organizations that rely on MSPs to manage their computers often set up their networks so that only remote assistance connections coming from their MSP’s networks are allowed.

Using a free ConnectWise trial account, Pyle showed the company how easy it was to create a client executable that is cryptographically signed by ConnectWise and can bypass those network restrictions by bouncing the connection through an attacker’s ConnectWise Control server.

“You as the attacker have full control over the link’s parameters, and that link gets injected into an executable file that is downloaded by the client through an unauthenticated Web interface,” said Pyle, a partner and exploit developer at the security firm Cybir. “I can send this link to a victim, they will click this link, and their workstation will connect back to my instance via a link on your site.”

A composite of screenshots researcher Ken Pyle put together to illustrate the ScreenConnect vulnerability.

On Nov. 29, roughly the same time Pyle published a blog post about his findings, ConnectWise issued an advisory warning users to be on guard against a new round email phishing attempts that mimic legitimate email alerts the company sends when it detects unusual activity on a customer account.

“We are aware of a phishing campaign that mimics ConnectWise Control New Login Alert emails and has the potential to lead to unauthorized access to legitimate Control instances,” the company said.

ConnectWise said it released software updates last month that included new protections against the misdirection vulnerability that Pyle reported.  But the company said there is no reason to believe the phishers they warned about are exploiting any of the issues reported by Pyle.

“Our team quickly triaged the report and determined the risk to partners to be minimal,” said Patrick Beggs, ConnectWise’s chief information security officer. “Nevertheless, the mitigation was simple and presented no risk to partner experience, so we put it into the then-stable 22.8 build and the then-canary 22.9 build, which were released as part of our normal release processes. Due to the low severity of the issue, we didn’t (and don’t plan to) issue a security advisory or alert, since we reserve those notifications for serious security issues.”

Beggs said the phishing attacks that sparked their advisory stemmed from an instance that was not hosted by ConnectWise.

“So we can confirm they are unrelated,” he said. “Unfortunately, phishing attacks happen far too regularly across a variety of industries and products. The timing of our advisory and Mr. Pyle’s blog were coincidental. That said, we’re all for raising more awareness of the seriousness of phishing attacks and the general importance of staying alert and aware of potentially dangerous content.”

The ConnectWise advisory warned users that before clicking any link that appears to come from their service, users should validate the content includes “domains owned by trusted sources,” and “links to go to places you recognize.”

But Pyle said this advice is not terribly useful for customers targeted in his attack scenario because the phishers can send emails directly from ConnectWise, and the short link that gets presented to the user is a wildcard domain that ends in ConnectWise Control’s own domain name — screenconnect.com. What’s more, examining the exceedingly long link generated by ConnectWise’s systems offers few insights to the average user.

“It’s signed by ConnectWise and comes from them, and if you sign up for a free trial instance, you can email people invites directly from them,” Pyle said.

ConnectWise’s warnings come amid breach reports from another major provider of remote support technologies: GoTo disclosed on Nov. 30 that it is investigating a security incident involving “unusual activity within our development environment and third-party cloud storage services. The third-party cloud storage service is currently shared by both GoTo and its affiliate, the password manager service LastPass.

In its own advisory on the incident, LastPass said they believe the intruders leveraged information stolen during a previous intrusion in August 2022 to gain access to “certain elements of our customers’ information.”  However, LastPass maintains that its “customer passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

In short, that architecture means if you lose or forget your all-important master LastPass password — the one needed to unlock access to all of your other passwords stored with them — LastPass can’t help you with that, because they don’t store it. But that same architecture theoretically means that hackers who might break into LastPass’s networks can’t access that information either.

Update, 7:25 p.m. ET: Included statement from ConnectWise CISO.