macOS Payloads | 7 Prevalent and Emerging Obfuscation Techniques

In our recent post, 7 Ways Threat Actors Deliver macOS Malware in the Enterprise, we discussed some of the popular mechanisms currently in use by threat actors to achieve initial compromise on a macOS system. In this post, we continue our exploration of modern macOS malware by looking at different kinds of payloads that are either common or are emerging, with an emphasis on those that attempt obfuscation and evasion.

We take a look at scripts, the SHC shell script compiler, obfuscated Python, Go implants as well as some rare sightings of obfuscated Cobalt Strike beacons seen in some recent macOS-targeted campaigns.

1. Hidden Scripts

A method first popularized by Shlayer malware, commodity adware and PUP platforms continue to leverage shell scripts delivered in disk images, often through content lures.

Some malware families use the script as an executable in an app bundle, such as this one.

/Volumes/Player/Player_253.app/Contents
/MacOS/MUwj3QKorpMfT39foaHiE5Cf6oBSVw

Bundlore script

Others drop the script directly into a disk image file and encourage the user to execute it through an alias. The sample 2070b149b7d99cd4b396a8b78de5a28c1f2b505a provides a representative example.

macos malware script hidden in disk image

On mounting the disk image, the user is presented with a two-step graphical instruction on how to open the malware and bypass the built-in macOS Gatekeeper restriction.

Gatekeeper bypass

Examining the disk image in the Finder with hidden files displayed, it’s clear that the Install PKG icon the user is urged to right-click on is an alias to a shell script file located in a hidden directory called, appropriately enough, .hidden.

The script is lightly obfuscated. After creating a directory inside /tmp with a random 12-character name, it ultimately decrypts, runs and deletes an executable extracted from the data file located in the same directory.

/bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k '$archive' 
-in '$appDir/$archive' -out '$tmpDir/$binFile' xattr -c '$tmpDir/'* chmod 777 
'$tmpDir/$binFile' '$tmpDir/$binFile' && rm -rf $tmpDir')'

The malware queries a number of system and environment variables to ascertain if it is running in a virtual machine. It also reads the local LSQuarantine file to check the source of the downloaded disk image, searching for URLs containing %s3.amazonaws.com%, suggesting that this version of Bundlore is using AWS to deliver the first stage disk images.

sh -c sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 
'select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString 
like '%s3.amazonaws.com%' order by LSQuarantineTimeStamp desc limit 5'

This information is next posted to a C2 and a further payload is returned, mounted and launched.

SentinelOne detects such script-based malware, with this particular payload identified as Bundlore.E, a well-known commodity adware and PUP delivery platform.

2. Shell Script Compiler

Shell Script Compiler is a Github repo known as SHC for short, which takes a script and produces obfuscated C source code. The source code is then compiled and linked to produce a stripped binary executable. Although these binaries aren’t entirely independent – they still require the execution environment to have available the shell specified in the shebang – if the script uses a shell that is found by default on the target OS (e.g., /bin/sh/ on macOS), execution should not be an issue.

SHC shell script compiler XCSSET neurobin

SHC comes with some compilation options that are useful to malware authors. The -U option attempts to make the binary untraceable with ptrace. The -e option allows the author to set an expiry date after which the program won’t run. One useful side-effect of this is that the same script will produce binaries with different hashes if compiled with different values for -e.

SHC source code

SHC was heavily used by XCSSET malware and has been seen more recently obfuscating Linux payloads. It’s great advantage from an attacker’s point of view is it makes it extremely simple to write malicious scripts which cannot be read via static analysis and which, thanks to the -e option, can have endlessly different hash values. The only way to discover what an SHC-compiled binary does is to detonate it in a sandbox and observe its behavior.

SHC payload executed by XCSSET macOS malware

SHC compiled binaries can be detected statically and marked as suspicious, as the compiler produces a distinctive string signature. However, only behavioral solutions will be able to distinguish between benign code and those with malicious intent.

3. Python Obfuscators

Apple removed support for Python 2.7 on macOS devices running Monterey 12.3 and later in 2022, and as a result the language has become a less attractive option for attackers than it once was.

However, there are still plenty of enterprise environments where some local version of Python will be installed as it remains hugely popular with developers of all stripes, and there is a ‘back catalog’ of Python-based attack frameworks such as Meterpreter and Empyre that are still favored by both attackers and red teams.

Packaging Python scripts into .pyc compiled Mach-Os is also still a viable attack option, but more commonly frameworks like Meterpreter will be base64 encoded multiple times to obfuscate their true payload. Many of these remain undetected by static engines but are recognized by behavioral solutions like SentinelOne on execution.

obfuscated python malware on virus total
deobufscated python Meterpreter

4. Obfuscated Cobalt Strike

Widely-seen in malware targeting the Windows world, Cobalt Strike is less common in Mac malware campaigns, but not unheard of. SentinelLabs observed two ostensibly unrelated campaigns dropping Cobalt Strike beacons in obfuscated Go binaries.

The OSX.Zuru campaign in September 2021 involved a supply-chain style attack that used trojanized versions of popular enterprise apps including iTerm2, MS Remote Desktop for Mac, SecureCRT and Navicat 14. These trojans were seen delivering a heavily obfuscated Mach-O to the victim device at /private/tmp/GoogleUpdate.

The file is packed with UPX and unpacks into a 5 MB Mach-O written in C. This executable is heavily obfuscated and contains over 40,000 functions of almost entirely junk code. The same obfuscation technique was later seen in the pymafka attack on PyPI, which dropped a ~3 MB Mach-O executable at /private/var/tmp/zad.

The obfuscation technique is recognizable from the entropy and md5 hashes of the binary sections. In particular, the __cstring section will have the md5 value of c5a055de400ba07ce806eabb456adf0a.

obfuscated cobalt strike on macOS Mach-O

Section entropy can also be used to recognize these binaries statically.

Obfuscated Cobalt Strike section entropy pymafka

5. Obfuscated AppleScripts

AppleScript has a long and somewhat underrated history of malicious use on OSX and macOS systems, in part because of its longevity (it’s been around longer than Python) and in part because until recent years Apple paid little attention to its security implications. It remains an incredibly powerful tool for both legitimate and malicious purposes, despite Apple’s attempts to rein it in with use of TCC and other restrictions.

Until very recently, one of AppleScript’s best kept secrets was its ability to produce almost irreversible compiled code by means of the ‘run-only’ option. Run-only AppleScripts and a method to reverse them were discussed in detail in the SentinelLabs post here, but among the techniques discovered in the wild was a particularly clever one of embedding one run-only script inside another using four-byte hex character encoding.

obfuscated AppleScript malware

Such scripts cannot be decompiled with the built-in tool osadecompile and require either dynamic analysis in a sandbox or significant reverse engineering effort. Static detection can be used to detect the presence of embedded hex characters and the unique AppleScript magic FADE DEAD that marks the end of an AppleScript block.

AppleScript FADE DEAD

Who Needs Python? GO For the Win

In part due to Apple’s removal of a default Python script interpreter, many malware authors have been turning to Google’s Golang. Mach-O binaries written in Go have the advantage of containing the Go runtime environment within the executable, a feature that makes execution guaranteed but produces an unusually large file size. This file size can work both for and against threat actors: on the one hand, large binaries are easy to spot, both to solutions and to users. On the other hand, their large size can present difficulties to some security solutions and sandboxes, which may limit the maximum size they ingest for performance reasons.

Go binaries also present challenges to analysts and reverse engineers, who must develop new tools and methods for separating out the malicious code from the masses of Go imports, runtime functions and third-party packages. They also need to develop an effective way of dealing with strings, as strings in Go binaries are not delimited by a terminating null character.

The final two examples of payloads we will look at are both Go-based and serve as good examples of why this language has become popular among malware authors.

6. Poseidon Implants

Poseidon is a Golang agent for the red-teaming framework Mythic that ‘beacons’ back to an operator and allows various functionality on the infected machine.

Poseidon source code and disassembly

The image above depicts the source code on the left and disassembly on the right for various goroutines that allow the operator to perform different tasks. Goroutines provide performative concurrent execution and, in Poseidon, are used for things like sending and receiving files between the victim’s device and the operator.

Poseidon also allows the attacker to log keystrokes, take screen captures, install persistence and other backdoor functionality. A recent high-profile use of Poseidon in the wild was the CrateDepression supply chain attack against the Rust development community.

Detecting Poseidon payloads is reasonably straightforward once they are unpacked as the strings in compiled Poseidon binaries have a distinctive signature. The source code is also available online.

7. Sliver Implants

Another open-source attack framework that has been gaining increasing use in in-the-wild campaigns, Sliver is a C2 system that can manage multiple implants through a central server by one or more operators. It offers attackers callback protocols over DNS, HTTPS, Mutual TLS and Wireguard to help evade domain detection and blocking.

A Sliver binary will weigh in at around 10 MB or more, making it important that security teams have solutions that can handle large executables. The Sliver project does not itself support further obfuscation or packing, but in the wild samples may be found with off-the-shelf or custom UPX packing.

Sliver has been seen in recent macOS malware that masquerades as an Apple softwareupdate binary and installs persistence in the user’s Library LaunchAgents folder. That campaign was interesting in its avoidance of any Apple proprietary software (such as Xcode) and its employment of free and readily available tools including UPX, MacDriver and Platypus.

Sliver data section

Somewhat like Poseidon, Sliver is fairly straightforward to detect with a simple file signature so long as the binary size does not present a problem as there are many characteristic strings in the __DATA section. The source code is available here.

Conclusion

The payload types and obfuscation mechanisms we’ve discussed above are by no means the only ones we see on macOS – adware like Pirrit and Adload, which we have discussed elsewhere, continue to evolve their techniques in this regard, and to leverage cross-platform languages like Go and Kotlin. Malware like SilverSparrow and others have found interesting ways to disguise and deliver payloads inside package installers.

Threat actors of all stripes have and still do rely on curl to deliver second and third-stage payloads. However, as Apple continues its own attempts to block downloads that bypass its Gatekeeper security settings, we expect to see more malware embed later-stage payloads in the initial infection and to evolve their obfuscation and evasion efforts to make these successful.

We hope this brief overview of some of the techniques we observe in current malware families may help defenders to better protect their organizations and their users.

If you would like to learn more about how SentinelOne Singularity and its native architecture agent can protect your macOS fleet, contact us or request a free demo.

The Good, the Bad and the Ugly in Cybersecurity – Week 4

The Good

The tables have turned for Hive ransomware group. This week, FBI and international partners shared news of their successful sting operation; a “hack of the hackers” resulting in the seizure of two of the group’s servers and one virtual private server. The FBI also revealed that it was able to burrow deep into the group’s infrastructure and gather intelligence prior to dismantling the operation.

Hive is among the world’s most prolific ransomware networks, which has long beleaguered critical infrastructures such as governments and hospitals. Initially spotted in July 2021 during the height of the COVID-19 pandemic, the syndicate is known for its Ransomware-as-a-Service (RaaS) model. Hive ransomware group has extorted more than $100 million from 1500 organizations across at least 80 countries.

According to the DOJ, the month-long operation came to a head in July of last year when the FBI quietly accessed Hive’s control panel and obtained the software keys shared with the syndicate’s partners used to perform double extortion attacks. While no arrests have been made yet, officials announced that they were building a map of associated administrators, software, and affiliates based on the seized servers. Officials have been helping recent victims regain access to their networks, saving almost 300 organizations over $130 million in what would have been ransom payments.

The dismantling of Hive is one of the first big crackdowns of 2023; a concerted effort across various law enforcement groups in the effort to slow the ransomware epidemic. While the ransomware economy continues to be a lucrative one for attackers, these sting operations are hitting them where it hurts most – their earnings. Officials are now offering rewards for information linking Hive to foreign governments.

The Bad

Alleged Chinese-speaking threat actors are upping their evasion game through a little-known open source SparkRAT and Golang malware. In an analysis by SentinelLabs this week, a recent cluster of attacks dubbed DragonSpark has been observed employing uncommon tactics to sidestep security layers. DragonSpark attacks have so far victimized organizations in China, Taiwan, Hong Kong, and Singapore.

Initial access involves the compromise of vulnerable, internet-exposed web servers and MySQL servers to drop a ‘China Chopper’ web shell. After gaining that foothold, DragonSpark attacks use lateral movement techniques paired with privilege escalation and malware deployment to root deeper into a victim’s environment.

Once lateral spread is underway, actors use a cross-platform remote access trojan called SparkRAT to conduct a host of malicious activities such as manipulating system files, stealing information, and running additional PowerShell commands. SparkRAT is based in Golang and can run on Windows, macOS, and Linux. Other malicious tools observed in DragonSpark attacks have all been open sourced tools such as SharpToken, BadPotato, and GotoHTTP.

The Golang malware ‘m6699.exe’ executes code from embedded Go scripts in the malware binaries – a technique for hindering static analysis and evading detection. The malware then opens a reverse shell allowing the threat actors to begin remote code execution (RCE).

SentinelLabs analysts hypothesize that multi-platform, feature-rich tools like SparkRAT will continue to appear in future attacks by attackers known to favor open source software in their campaigns.

The Ugly

A new warning from CISA, the NSA, and Multi-State Information Sharing & Analysis Center (MS-ISAC) dropped this week detailing attacks against multiple federal civilian executive branch (FCEB) agencies through the use of legitimate remote monitoring and management (RMM) software.

Malicious activity against many FCEB networks was executed through callback phishing campaigns. Threat actors sent spoofed help desk emails to federal staffers’ personal and government email addresses. Emails were found to contain a link to a first-stage domain and encouraged targeted users to call the attackers who then posed as help desk technicians.

After the ‘technicians’ convinced the caller to visit the domains, malware would be downloaded automatically, connecting the target to a second-stage domain with downloads for AnyDesk and ScreenConnect – popular RMM tools used by remote workers globally – after which the attacker had full access to the victim’s device.

Weaponizing legitimate remote software continues to be attractive to threat actors as an effective means of establishing local user access – all without needing any admin permissions. The joint warning released this week highlights the increased spike in social engineering and phishing attacks combined with the use of legitimate software for access.

This follows on from a recent case in which attackers hosted an online Pokémon-based NFT game, luring fans of the franchise to download remote access trojans (RATs) on the site. Efforts like this are considered ‘quick wins’ for threat actors as they get the access they want without spending time or resources on developing bespoke attacks. CISA’s official warning includes a list of preventative measures organizations can take to avoid social engineering attacks and reduce the risk of RMM software misuse.

WatchTower | Trends and Top Cybersecurity Takeaways from 2022

Gathering information about cyber attacks is only half of the battle – the other half lies in curating the raw data into original insights about major vulnerabilities, cybercrime toolkits, and ransomware groups.

In this blog post, SentinelOne’s WatchTower team reflects on a year’s worth of threats observed and investigated across every geography and industry our partners operate in. Based on telemetry from tens of millions of endpoints protected by Singularity XDR platform, here’s a review of the top cyber attack trends from 2022 and their significance in the fluctuating threat landscape.

Trends In the Landscape | 2022 Top Cybersecurity Takeaways

Findings from 2022 show the top ransomware variants, initial infection vectors, and emerging malware that organizations from all sectors contended with.

Ransomware Findings

Over the course of last year, ransomware showed no signs of slowing down. Faced with federal level sanctions, the act of rebranding is now a widespread strategy ransomware groups use to obfuscate their identities and sidestep crackdowns. Several new ransomware groups emerged in 2022 and existing ones rebranded before showing their faces in the threat landscape once more.

Ransomware authors have also widely adopted both Rust and Golang in their efforts to evade detection. BlackCat, Hive and a host of other ransomware families made the switch. taking advantage of their fast file encryption capabilities and wide-ranging cryptographic libraries.

Growing Infection Vectors

2022 saw a steep increase in supply chain attacks, SEO poisoning/malvertising, and cracked software. The growing theme in attacks from last year saw threat actors steering towards the path of least resistance for greater rewards.

Through software supply chain attacks, actors exploit weaknesses in a vendor’s development cycle to inject malicious code into a certified application. While many organizations have worked to monitor and detect such threats since the attack on SolarWinds in 2020, threat actors are still leveraging open-source modules for initial intrusion. Identity management giant, Okta for example, found themselves the target of a supply chain attack last year when its 2FA provider, Twilio, was breached.

SEO poisoning has also risen to the top as a way for threat actors to take advantage of existing infrastructure for malicious purposes. By poisoning the mechanisms that influence search engine optimization (SEO), attackers have been able to quickly lure and infect unsuspecting users with commodity malware. Cracked software follows the same theme, banking on victims to download unlocked, illegal software which is embedded with dangerous malware.

Malware Innovations

Attackers were observed attempting to neutralize and sidestep endpoint detection and response (EDR) tools over the past year, using bypass techniques and known vulnerabilities. In February 2022, the FBI and United States Secret Service (USSS) released a joint cybersecurity advisory warning against BlackByte ransomware group known for using a “Bring Your Own Driver” technique to circumvent various EDR products available on the market today.

A table of ransomware groups that created modules attempting to kill EDR solutions in 2022 is provided below. SentinelOne offers robust anti-tamper capabilities to protect against these attacks.

ransomware edr bypass

The threat intelligence community observed new wiper malware samples and ransomware strains circulating in Ukrainian organizations. The malware was distributed  with the goal of rendering their computer systems inoperable. HermeticWiper and PartyTicket ransomware were among the novel threats that prefaced the unprovoked Russian invasion of Ukraine that have since evolved to produce several new malware variants. SolarMarker infostealer, Bumblebee downloader, and the Raspberry Robin worm (aka QNAP worm, or LNK worm) also emerged as popular tools for cyberattackers in 2022.

2022 Most Used Commodity Tooling & Techniques

Attackers will always look for opportunities to do less work for more damage. They don’t always use sophisticated and customized malware and often rely on the same public tools used by network administrators and security professionals.

The most notable commodity tooling observed in 2022 by threat tactic are as follows:

  • Reconnaissance – Ipconfig, Net.exe, Netstat, Nslookup, arp.exe, WMI, Impacket, Cobalt Strike, Whoami, ADFind, ADRecon.py, Advanced Port Scanner, IP Scanner, PingCastle, Powerview, and Winrm
  • Credential TheftMimikatz, Meterpreter, Cobalt Strike, BloodHound, SharpHound, ProcDump, Process Hacker, ninjacopy, NirSoft, Lazagne, and PassView
  • Lateral Movement – Psexec, PDQ Install, Winrm, SMB, WMI, RDP, SSH
  • Remote Access – TeamViewer, AnyDesk, Splashtop, ZohoAssist, ConnectWise, VNC, BeyondTrust, GoToAssist, RemotePC, TightVNC, RDP(mstsc), Registry terminal server enable
  • Defense Evasion – Gmer, Icesword, Regedit (reg.exe), Process Hacker driver, Powershell, WMI, Service Kill (bat file), Process Kill (bat file)
  • StagingSCCM, Group Policy, Psexec, Powershell Remote, ConnectWise
  • Data Exfiltration – RClone, FileZilla, Winscp, cloud services such as MegaSync and megacloud)

The most commonly observed MITRE ATT&CK techniques over the last 12 months were:

MITRE TTPS 2023

Notable Cybercrime Toolkits of 2022

This section expands on the threat groups last year that have developed or modified malware as an advanced means of evading and disabling detection and response mechanisms.

Black Basta Ransomware & Ties to FIN7

Ransomware-as-a-Service (RaaS) group, Black Basta, is well known for launching double extortion attacks through customized tools. During analysis of their toolkit, SentinelLabs researchers found that the group had worked with a developer associated with Carbanak/FIN7​​ – a threat gang specializing in targeting U.S. retail and hospitality sectors. Uncovering possible connections between threat groups lends cybersecurity analysts better visibility into a wider net of threat operators’ infrastructures.

Transformers | Bumblebee Downloader, IcedID and Qakbot

First identified in March 2022, the Bumblebee downloader has been adopted by multiple threat groups as a sophisticated initial access facilitator. Bumblebee allows threat actors to gain initial access to enterprise environments and launch advanced cyberattacks. This downloader also shares the same infection chain as Qakbot – another toolkit that appeared multiple times in the past year – and IcedID malware.

common chain iced Qakbot Bumblebee

Targeting Ukraine Using Royal Road Document Builder

The Russian invasion of Ukraine created major shifts in the 2022 threat landscape, including the increased use of wiper malware. Widely impacting Ukrainian citizens as well as organizations based outside of Ukraine was the Royal Road Document Builder.

SentinelLabs’ analysis indicates that the threat actors behind these cyberattacks are part of a Chinese state-sponsored cyber espionage group which uses phishing emails to deliver these malicious documents and exploit the Bisonal backdoor.

Bisonal backdoor spread through phishing campaign

Raspberry Robin Worms Its Way Through 2022

2022 saw, threat actors leveraging Raspberry Robin to deliver multiple types of malware and ransomware to infected endpoints. Also known as the QNAP or LNK worm, Raspberry Robin is a self-propagating worm used in attacks throughout last year as a delivery mechanism for second stage malware. Its usage amongst threat actors spiked in the latter half of 2022 making it the fastest growing threat families of last year.

Raspberry Robin distribution

SocGholish Expands and Diversifies

Highly active throughout the past 12 months, SocGholish has undergone a marked diversification, with expanding infrastructure to contend with known defenses. Across 2022, SocGholish averaged 18 malware-staging servers being unveiled each month. Threat groups use a JavaScript-based framework to gain initial access to targeted systems in campaigns that primarily revolve around social engineering tactics. SocGholish has been able to persist in the threat landscape, emphasizing the need for enterprises to regularly audit the integrity of their web servers, websites, and DNS records.

DLL Sideloading Attacks Continue to Menace

Major threat groups or malware families including Qakbot, Sliver Framework, Temp.Hex, FIN7, and LockBit led the uptick in sideloading DLL files to execute malicious payloads in attacks from 2022. This tactic allows cyber criminals to sidestep first-generation EDR solutions and legacy antivirus products while installing malware on targeted devices.

WatchTower | 2022 in Review
Lessons Learned from Our Threat Hunters & DFIR Investigators

Conclusion

2022 showed that threat actors continue to use what works while investing in novel techniques in response to countermeasures by security teams and security software.

Identifying and sharing trends in new vulnerabilities, attack vectors, and malware strains are key to staying steps ahead of cyberattackers. Though new threats will undoubtedly continue to emerge, there are many ways enterprises can mitigate risk and harden their defenses. The more information that is shared about past, current, and emerging threat actors, the better enterprises can implement the people, processes, and technology needed to combat cybersecurity challenges.

Looking ahead to 2023, threat actors will continue to upgrade their methods and tools of attack, innovating on attack vectors and finding new vulnerabilities. Establishing an effective response strategy and deep, continuous monitoring can help augment a business’ in-house team’s defenses with robust detection and response capabilities.

Webinar: WatchTower | 2022 in Review
Get key takeaways from SentinelOne’s threat hunts and investigations in 2022 and tips for protecting your organization in 2023.

Experian Glitch Exposing Credit Files Lasted 47 Days

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The tip about the Experian weakness came from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to cybercrime.

Normally, Experian’s website will ask a series of multiple-choice questions about one’s financial history, as a way of validating the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

When I tested Kushnir’s instructions on my own identity at Experian, I found I was able to see my report even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found she also could bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.

Experian acknowledged receipt of my Dec. 23 report four days later on Dec. 27, a day after Kushnir’s method stopped working on Experian’s website (the exploit worked as long as you came to Experian’s website via annualcreditreport.com — the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).

Experian never did respond to official requests for comment on that story. But earlier this week, I received an otherwise unhelpful letter via snail mail from Experian (see image above), which stated that the weakness we reported persisted between Nov. 9, 2022 and Dec. 26, 2022.

“During this time period, we experienced an isolated technical issue where a security feature may not have functioned,” Experian explained.

It’s not entirely clear whether Experian sent me this paper notice because they legally had to, or if they felt I deserved a response in writing and thought maybe they’d kill two birds with one stone. But it’s pretty crazy that it took them a full month to notify me about the potential impact of a security failure that I notified them about.

It’s also a little nuts that Experian didn’t simply include a copy of my current credit report along with this letter, which is confusingly worded and reads like they suspect someone other than me may have been granted access to my credit report without any kind of screening or authorization.

After all, if I hadn’t authorized the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I be granted the same visibility into my own credit file as them?

Instead, their woefully inadequate letter once again puts the onus on me to wait endlessly on hold for an Experian representative over the phone, or sign up for a free year’s worth of Experian monitoring my credit report.

As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, a majority of the information in that credit report is not mine. So I’ve got that to look forward to.

If there is a silver lining here, I suppose that if I were Experian, I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear this company has no idea who I really am. And in a weird, kind of sad way I guess, that makes me happy.

For thoughts on what you can do to minimize your victimization by and overall worth to the credit bureaus, see this section of the most recent Experian story.

Administrator of RSOCKS Proxy Botnet Pleads Guilty

Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Emelyantsev, a.k.a. Denis Kloster, as posted to his Vkontakte page in 2019.

First advertised in the cybercrime underground in 2014, RSOCKS was the web-based storefront for hacked computers that were sold as “proxies” to cybercriminals looking for ways to route their Web traffic through someone else’s device.

Customers could pay to rent access to a pool of proxies for a specified period, with costs ranging from $30 per day for access to 2,000 proxies, to $200 daily for up to 90,000 proxies.

Many of the infected systems were Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers. Later in its existence, the RSOCKS botnet expanded into compromising Android devices and conventional computers.

In June 2022, authorities in the United States, Germany, the Netherlands and the United Kingdom announced a joint operation to dismantle the RSOCKS botnet. But that action did not name any defendants.

Inspired by that takedown, KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Emelyantsev’s personal blog, where he went by the name Denis Kloster. The blog featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world,” and even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

But by the time that investigation was published, Emelyantsev had already been captured by Bulgarian authorities responding to an American arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in an U.S. courtroom.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Emelyantsev told the Bulgarian court. “I am not a criminal and I will prove it in an American court.”

RSOCKS, circa 2016. At that time, RSOCKS was advertising more than 80,000 proxies. Image: archive.org.

Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was a major player in the Russian email spam industry for more than a decade.

Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from those forums show the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted community where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the forum imploded in 2010.

A Google-translated version of the Rusdot spam forum.

Indeed, the very first mentions of RSOCKS on any Russian-language cybercrime forums refer to the service by its full name as the “RUSdot Socks Server.”

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, Emelyantsev probably knows quite a bit about other top players in the botnet spam and malware community.

It remains unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of California, which has not responded to a request for comment.

Emelyantsev pleaded guilty on Monday to two counts, including damage to protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison, and is currently scheduled to be sentenced on April 27, 2023.

Dollar Signs in Attackers’ Eyes | How to Mitigate CVE-2022-26923

Microsoft released a Windows security update in May 2022, disclosing CVE-2022-26923 Active Directory Domain Services Elevation of privilege vulnerability. The CVE-2022-26923 allows a lower privileged user to acquire a certificate from Active Directory Certificate Services (AD CS) and escalate privileges to the domain controller. However, issues with the update may have prevented some organizations from updating at the time, while others may have been unable to update due to local dependency or compatibility reasons.

In this post, we discuss AD CS misconfigurations that allow attackers to exploit this flaw and describe how security teams can mitigate this vulnerability.

Dollar Signs in Attackers' Eyes How to Mitigate CVE-2022-26923 (2)

What Is CVE-2022-26923?

According to Microsoft’s advisory, CVE-2022-26923 is one of three CVEs relating to an elevation of privilege vulnerability that can occur when the Kerberos Distribution Center (KDC) services a certificate-based authentication request. On unpatched systems, certificate-based authentication fails to account for a dollar sign ($) at the end of a machine name, allowing related certificates to be spoofed in various ways.

What Is AD CS and Why Is It Important?

Before we dig deeper into the exposure, we will revise what Active Directory Certificate Services (AD CS) is and what it offers.

AD CS is an identity technology in Windows Server that offers Public Key Infrastructure (PKI) functionality to facilitate capabilities such as Encrypting File System (EFS), domain authentication, digital signatures, and email security. AD CS is the Server Role that allows an organization to build Public Key Infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities.

While organizations plan to implement PKI by deploying AD CS in an Active Directory environment, they must manage configurations properly for issuing and revoking certificates, including ensuring that appropriate certificate trusts are in place.

Windows Server administrators are responsible for designing the certification authority hierarchy, implementing it, and managing the process of issuing and revoking certificates. It is essential to ensure that appropriate certificate trusts are in place. Any misconfigurations in AD CS role services can expose them to cyber attacks such as privilege escalation, Golden Ticket Attacks, and AD Domain dominance.

How Do Attackers Abuse AD CS and Exploit CVE-2022-26923?

Several security risks exist with AD CS misconfigurations. Let us discuss a couple of them. After running the command certsrv.msc, right-click on the Certification Authority (CA) object, select Properties and navigate to the Security tab.

Note that the “Request Certificates” permission is enabled by default. This setting will allow an authenticated user to request certificates from the AD CS server. As with the CVE-2022-26923, an authenticated user could manipulate attributes on computer accounts they own or manage and acquire a certificate from AD CS that would allow elevation of privilege to Domain Controller.

Another vulnerable misconfiguration exists with enrollment permissions of certificate templates. In Windows environments, certificate templates are stored as objects in the Active Directory and used by Microsoft enterprise CAs. A certificate template defines the content and purpose of a digital certificate, including issuing certificate policies and enrollment permissions. Enrollment permissions define the rules by which a certification authority (CA) will issue or deny certificate requests.

A standard User Certificate template may grant the Domain Users group with “Enroll“ permissions, as shown below.

A standard User Certificate template may grant the Domain Users group with “Enroll“ permissions

Also, there are Enroll and Autoenroll permissions that are specific to certificate template objects, for example, the Workstation Authentication certificate template, as shown in the next image.

An attacker can abuse these permissions on objects. If an attacker gains access to any template, it can be reconfigured to issue certificates and compromise the entire domain.

Detection and Mitigation Factors for CVE-2022-26923

Singularity™ Ranger® AD continuously monitors risks associated with misconfigurations, weak policies, credential harvesting, and privilege escalations at the domain, user, and device levels. The solution prevents attacks that attempt to exploit CVE-2022-26923 by detecting and remediating Active Directory Certificate Services exposures. As a mitigation strategy, the following best practices outline how to protect AD CS services from the exploitation of CVE-2022-26923.

Exposure #1: Dangerous Access Rights That Expose Certificate Templates

Misconfigured permissions on certificate templates can allow an attacker to modify or request a certificate, and an attacker could use the certificate to elevate privileges.

Dangerous Access Rights That Expose Certificate Templates

To mitigate this:

  1. Open the Certificate Authority Manager MMC from “Administrative Tools” or run the command “certsrv.msc”.
  2. Expand the Certificate Authority.
  3. Right Click “Certificate Templates” and Click “Manage”.
  4. Select the Certificate Template listed in the Exposure.
  5. Right Click on the Certificate Template and select “Properties”.
  6. Select the “Security” tab.
  7. Verify and remove the permissions listed in the exposure by Singularity™ Ranger® AD.
  8. Click “Apply” and “Ok”.
  9. Repeat the steps from 4 to 8 until all the templates are corrected.
  10. Delete the template from the “Certificate Templates” Container and Re-Publish the certificate to Issue.
    1. To publish the Certificate, right-click “Certificate Templates” and Click “New”.
    2. Click “Certificate Template to Issue”.
    3. Select all the required Certificate Templates and Click “Ok”.
  11. Re-Run the assessment to check exposure is remediated.

Exposure #2: Dangerous Access Rights Delegation on Critical Objects

Attackers can compromise user accounts with access rights on critical AD objects and take complete AD domain compromise.

Dangerous Access Rights Delegation on Critical Objects

To mitigate this:

  1. Remove all standard & non-privileged users from the Critical Objects listed in the detection.
  2. View the assigned permissions on an Organizational Unit (OU) in the graphical user interface. You can also use the Active Directory Users and Computers console with Advanced Features enabled in the View menu.
  3. After enabling, right-click on OU (for example, OU=NewYork) and select Properties.
  4. Select the Security tab, then click the “Advanced” button. You can see ACE lists in the Permissions tab (alternate name – “Discretionary Access Control List – DACL”).
  5. Select the ACE you want to remove and click “Remove”.

Exposure #3: Regular users can add new computers into AD domain

Attackers can also compromise endpoints and attempt to add new computers to the Active Directory Domain without Administrative access.

Regular users can add new computers into AD domain

To mitigate this:

  1. Open Group Policy Management Console ( Start -> Run -> gpmc.msc).
  2. Locate Domain Controllers OU and find Default Domain Controllers Policy.
  3. Edit Default Domain Controllers Policy.
  4. Expand Computer Configuration-> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
  5. From the right pane, right-click on Add workstations to domain ->Properties ->Remove Authenticated Users and Add the User or Group that you are delegating domain joining permissions.
  6. Click Apply and then OK to close the Properties window.

Other services offered by AD CS such as “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service” are also potentially vulnerable. Attackers can exploit these settings to perform a classic NTLM Relay Attack called PetitPotam. It allows an attacker to take over Windows domain controllers or other Windows servers.

Patching CVE-2022-26923

As CVE-2022-26923 carries the highest Common Vulnerability Scoring System (CVSSv3) base score of 8.8, it is highly recommended that organizations prioritize the deployment of a patch for CVE-2022-26923 to reduce the possibility of an attacker exploiting this vulnerability.

If certificate-based authentication relies on a weak mapping that cannot be moved from the environment, admins can place domain controllers in Disabled mode using a registry key setting. According to the Microsoft’s documentation, KB5014754—Certificate-based authentication changes on Windows domain controllers, Enablement Phase starts with the February 14, 2023 updates for Windows, which will ignore the Disabled mode registry key setting.

Conclusion

It is of paramount importance that administrators implement all mitigation factors to protect their AD CS servers from such attacks. Organizations deploying Singularity Ranger® AD solutions can remediate the AD CS exposures discussed that will no longer allow attackers to exploit CVE-2022-26923. For more information, please visit Singularity Ranger AD.

Singularity™ Ranger AD
Singularity™ Ranger AD is a cloud-delivered solution designed to uncover vulnerabilities in Active Directory and Azure AD.

The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good

The U.S. Department of Justice this week arrested and charged Anatoly Legkodymov, a 40-year old Russian national, with offenses related to processing more than $700 million of illicit funds, including ransomware proceeds.

Legkodymov, who also went by the online names of ‘Gandalf’ and ‘Tolik’, was a senior executive and majority shareholder of Bitzlato, a cryptocurrency exchange that authorities say knowingly aided ransomware actors and other cybercriminals to process illicit funds.

Legkodymov bitzlatoSource

According to court documents, Bitzlato marketed itself as requiring minimal identification from users, specifying that “neither selfies nor passports [are] required” and knowingly fostered the perception that it was a safe haven for funds used for and resulting from criminal activities.

Bitzlato was heavily involved with cryptocurrency transactions through the notorious darknet market Hydra, which was taken down by cops in April 2022. It’s alleged that Bitzlato received more than $15 million in ransomware proceeds and transacted over $700 million in cryptocurrency with Hydra. The U.S. government says that after Hydra’s shuttering, Bitzlato continued to facilitate transactions for Russia-connected darknet markets such as BlackSprut, OMG!OMG!, and Mega.

Legkodymov, who was arrested in Miami on Tuesday, faces up to 5 years jail time if convicted of operating an illegal money transmitting business. As for Bitzlato, European authorities have conducted a separate operation to seize and dismantle its digital infrastructure, taking the service out of the cybercriminal ecosystem once and for all.

The Bad

Git users are being urged to update to the latest release following news of two critical remote code execution bugs this week. The RCEs could allow attackers to exploit heap-based buffer overflow flaws and execute arbitrary code.

CVE-2022-41903 and CVE-2022-23521 were patched on Wednesday, but a third Windows-specific vulnerability in the Git GUI tool, CVE-2022-41953, is still awaiting a fix. Users are being recommended not to use the tool until an update becomes available.

Mitigations for the two patched vulnerabilities for those that cannot immediately update are:

  • Disable ‘git archive’ in untrusted repositories or avoid running the command on untrusted repos
  • If ‘git archive’ is exposed via ‘git daemon,’ disable it when working with untrusted repositories by running the git config --global daemon.uploadArch false command

Git is used widely in enterprises to manage development projects. The researchers that discovered the flaws in a sponsored audit pointed out that vulnerabilities in Git could allow attackers to compromise source code repositories or developer systems and potentially result in security breaches on a large scale.

The researchers went on to say that the sheer size of the Git codebase made it challenging to address all potential instances of the issues they discovered, and they made a number of recommendations to Git’s maintainers to improve code security.

In a separate blog post, GitHub says that it scanned all repositories on GitHub.com to confirm that no evidence existed that GitHub had been used as a vector to exploit any of the discovered vulnerabilities.

The Ugly

It’s another tough week for password managers as the recent troubles faced by LastPass have been followed by news of breaches of Norton Lifelock customer accounts.

Norton’s parent company, Gen Digital, has advised customers that a likely credential stuffing attack was used to compromise thousands of customer accounts in December. Customers that use the same password for different sites and services are susceptible to credential stuffing attacks if a reused password is exposed or leaked from a breach of one of those sites.

Suspicious activity began around December 1st and was followed by a large number of failed login attempts on December 12th. On January 9th, Gen Digital sent notices to around 6,500 customers of its password manager advising customers that “an unauthorized party likely has knowledge of the email and password you have been using with your Norton account…and your Norton Password Manager”. The advisory went on to recommend customers change their passwords with Norton Lifelock and elsewhere immediately.

The company says that intruders used a list of usernames and passwords obtained from another source such as the darknet to attempt to log into Norton customer accounts. Gen Digital insist that Norton Lifelock’s own systems were not compromised

Despite the bad news, password managers remain an effective first line of defense against account takeovers and compromises so long as users follow recommended procedures. These include using unique passwords for every site, ensuring master passwords are not easily guessable, and employing 2FA authentication wherever possible.

Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results

In recent weeks there has been a noticeable increase in malicious search engine advertisements found in the wild– an attack method known as SEO Poisoning, which can be considered a type of malvertising (malicious advertising). Industry colleagues have also observed this activity, as noted by vx-underground this week. There is an increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware being delivered.

In the vast majority of these cases, attackers aim to opportunistically infect unsuspecting users with commodity malware, as we will examine below. However it is important to note attackers have used this technique in a variety of ways for years. One noteworthy example is the early 2022 report of BATLOADER and Atera Agent being delivered in such ways. Ultimately, the attackers are most successful in these scenarios when they SEO poison the results of popular downloads associated with organizations that do not have extensive internal brand protection resources.

In this post, we will examine an ongoing SEO Poisoning campaign related to Blender 3D, the open-source 3D graphics software, as an example of how these attacks are used to infect users via web searches.

Blender 3D SEO Poisoning

Mimicking the actions of an unsuspecting user, we performed a routine Google search for “Blender 3D” and examined the Ad results presented at the top.

Notably, the malicious ads being delivered by this search quickly shift, highlighting how the attackers are likely automating these efforts at scale, including both the SEO poisoning and the creation of malicious domains where they lead. See screenshots others have collected for such examples of how these are not single malicious domains but rather a continuous flow of new activity after cleanup.

On January 18th we can see three malicious Blender 3D ads before the legitimate Blender.org domain is listed.

January 18th 2023 SEO Poisoning Results for Blender 3D
January 18th 2023 SEO Poisoning Results for Blender 3D

The above three malicious ads link to:

  • blender-s.org
  • blendersa.org
  • blender3dorg.fras6899.odns.fr

The top results, blender-s.org is a near exact copy of the legitimate Blender domain.

Malicious blender-s Website
Malicious blender-s Website
Legitimate blender Website
Legitimate blender Website

The malicious blender-s site contains a download link for “Blender 3.4”; however, the download is delivered through a Dropbox URL rather than blender.org, and delivers a blender.zip file.

https://www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip

Examining the Dropbox share details, we can see the following uploader properties:

  • Size: 1.91 MB
  • Modified: 1/16/2023, 5:00 AM
  • Type: Archive
  • Uploaded by: rays-who rays-who
  • Date uploaded: 1/16/2023, 5:00 AM

In this case, the ZIP file SHA1 hash is 43058fc2e4dfa2d8a9108da51186e35b7d49f0c6, which contains a blender.exe file (ffdc43c67773ba9d36a309074e414316667ef368).

The Blender.exe file is signed by an invalid certificate belonging to AVG Technologies USA, LLC. This same certificate has a long history of illicit crimeware use, including by Racoon Stealer.

  • Name: AVG Technologies USA, LLC
  • Thumbprint: 95AB6BCA9A015D877B443E71CB09C0ED0B5DE811
  • Serial Number: 0E 31 E4 8D 08 06 5B 09 8F 84 E7 C5 10 33 60 74

The delivered sample is recognized by multiple vendor engines, including the SentinelOne agent, as malware. We’ll release additional details on this specific malware family at a later time.

VirusTotal vendor detections for malicious blender.exe sample
VirusTotal vendor detections for malicious blender.exe sample

Examination of the malicious link to blendersa.org reveals that the site is nearly identical to the previous example, which also provides a download link to a Dropbox URL.

Malicious blendersa Website
Malicious blendersa Website

The Dropbox link in this case is

https://www.dropbox[.]com/s/fxcv1rp1fwla8b7/blender.zip

and the uploader properties follow a similar pattern to the blender-s example.

  • Size: 1.91 MB
  • Modified: 1/16/2023, 5:07 AM
  • Type: Archive
  • Uploaded by: support-duck support-duck
  • Date uploaded: 1/16/2023, 5:07 AM

The files associated with this version are:

  • Blender.zip – SHA1: f8caaca7c16a080bb2bb9b3d850d376d7979f0ec
  • Blender.exe – SHA1: 069588ff741cc1cbb50e98f66a4bf9b4c514b957

The actors behind these two sites are also responsible for dozens of others themed around popular software such as Photoshop, specific financial trading tools, and remote access software. The actor’s own infrastructure was hidden behind CloudFlare, who thankfully were quick to confirm and respond by flagging the sites as malicious after we reported the service abuse. Any new visitors moving forward will receive the following warning:

Site Updated with CloudFlare Phishing Warning
Site Updated with CloudFlare Phishing Warning

The final malicious Blender 3D ad is for blender3dorg.fras6899.odns.fr, which happens to use a variety of delivery methods. For example, the download link may use a Discord URL rather than Dropbox one.

Malicious blender3dorg Website
Malicious blender3dorg Website

The specific Discord link for this example is

https://cdn.discordapp[.]com/attachments/1001563139575390241/1064932247175700581/blender-3.4.1-windows-x64.zip

This ultimately delivers blender-3.4.1-windows-x64.zip (f00c1ded3d8b42937665da3253bac17b8f5dc2d3), which is a directory containing a malicious ISO file.

The use of malicious ISO files is not new – as many have reported over the last year.
Blender-3.4.1-windows-x64.iso (53b7bbde90c22e2a7965cb548158f10ab2ffbb24) is roughly 800 MB in size, and contains a blender-3.4.1-windows-x64.exe and a large collection of suspicious XML files.

Conclusion

SEO poisoning leading to malicious advertisements are the rising star in today’s crimeware malware delivery methods. The examples above are just a few of many that can easily be found by researchers or stumbled upon by users with common and legitimate search queries. Attackers are finding a large amount of success in such attack methods, and we can expect to see this method evolving to conceal effort even further.

Indicators of Compromise

Description IOC
Malicious Domain blender-s.org
Malware Download Location www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip
blender.zip 43058fc2e4dfa2d8a9108da51186e35b7d49f0c6
Blender.exe ffdc43c67773ba9d36a309074e414316667ef368
C2 74.119.194.167
Malicious Domain blendersa.org
Malware Download Location www.dropbox[.]com/s/fxcv1rp1fwla8b7/blender.zip
Blender.exe 069588ff741cc1cbb50e98f66a4bf9b4c514b957
blender.zip f8caaca7c16a080bb2bb9b3d850d376d7979f0ec
Malicious Domain blender3dorg.fras6899.odns.fr
Malware Download Location cdn.discordapp[.]com/attachments/
1001563139575390241/1064932247175700581/
blender-3.4.1-windows-x64.zip
ZIP f00c1ded3d8b42937665da3253bac17b8f5dc2d3
ISO 53b7bbde90c22e2a7965cb548158f10ab2ffbb24

SentinelOne Singularity™ provides protection for endpoint, identity and cloud. To learn more about how SentinelOne can protect your organization, contact us or request a free demo.

New T-Mobile Breach Affects 37 Million Accounts

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

Image: customink.com

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

The company said it first learned of the incident on Jan. 5, 2022, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022.

T-Mobile says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the filing reads. “We have made substantial progress to date, and protecting our customers’ data remains a top priority.”

Despite this being the second major customer data spill in as many years, T-Mobile told the SEC the company does not expect this latest breach to have a material impact on its operations.

While that may seem like a daring thing to say in a data breach disclosure affecting a significant portion of your active customer base, consider that T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every couple of years to make the class action lawyers go away is a drop in the bucket.

The settlement related to the 2021 breach says T-Mobile will make $350 million available to customers who file a claim. But here’s the catch: If you were affected by that 2021 breach and you haven’t filed a claim yet, please know that you have only three more days to do that.

If you were a T-Mobile customer affected by the 2021 incident, it is likely that T-Mobile has already made several efforts to notify you of your eligibility to file a claim, which includes a payout of at least $25, with the possibility of more for those who can document direct costs associated with the breach. OpenClassActions.com says the filing deadline is Jan. 23, 2023.

“If you opt for a cash payment you will receive an estimated $25.00,” the site explains. “If you reside in California, you will receive an estimated $100.00. Out of pocket losses can be reimbursed for up to $25,000.00. The amount that you claim from T-Mobile will be determined by the class action administrator based on how many people file a legitimate and timely claim form.”

There are currently no signs that hackers are selling this latest data haul from T-Mobile, but if the past is any teacher much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.

T-Mobile customers should fully expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even send messages that include the recipient’s compromised account details to make the communications look more legitimate.

Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.

Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.

Healthcare Cybersecurity | How to Strengthen Defenses Against Cyber Attacks

Threat actors are no strangers to targeting critical sectors to get what they want and the healthcare industry has long worn a target on its back. Exacerbated by the COVID-19 pandemic and its subsequent variants, hospitals and clinics have seen alarming rates of attacks in recent years with more incidents directly leading to patient endangerment.

A recent study found that cyberattacks have significantly strained healthcare providers, resulting in the following:

  • More than 20% of providers surveyed reported experience with common attacks including cloud compromise, ransomware, supply chain, business email compromise (BEC), and phishing
  • Cyberattacks have caused delayed procedures and tests, increased complications in care, and longer patient stays for 57% of the providers surveyed
  • Cyberattacks have cost an average of $4.4 million in 2022 with productivity losses totalling $1.1 million

Life-critical services and patient care are at stake when threat actors take aim at healthcare organizations. This post explains why hospitals and clinics of all sizes are so susceptible to cyberattacks and what CISOs and technical leaders can do to build up their cyber defense strategies.

Understand the Shifting Nature of Ransomware

Medical service providers present two attractive opportunities to financially-motivated cybercriminals: service disruption and data theft.

Exploiting the Fear of Service Disruption

Over the past few years, ransomware attacks have been the direct cause of many major disruptions in healthcare service. By locking out medical staff from accessing their critical tools and databases, ransomware has been responsible for canceled surgeries, delayed cancer treatments, and even an ongoing lawsuit on what is being called the first death by ransomware. In November 2022, for example, the Brooklyn hospital group was thrown into chaos as services were disrupted across its patient care facilities in the wake of a cyber attack.

Victims from this sector are reportedly most likely to pay the ransom with 61% of providers having paid out compared to an average of 46% from other industry verticals. Ransomware operators know that medical facilities face devastating consequences should they lose access to their systems.

Though CISA and law enforcement groups have issued warnings against paying ransoms, each minute without access can result in extremely dangerous situations for patients needing care. As such, threat actors continue to beleaguer hospitals, long-term care facilities, private clinics and more, marking them as high-profile targets.

Medical Data Is In High Demand

Some ransomware threat actors have understood that service disruption can be minimized by organizations that implement a good backup and disaster recovery model. File-locking can be devastating to the unprepared, but it can be mitigated against with a degree of planning.

However, hospitals and clinics especially hold mass amounts of sensitive data on their clients – data that is easily sold on dark marketplaces and used for identity theft and fraud.

The high worth  of private patient information ranging from contact details and social insurance numbers to payment data and Protected Health Information (PHI) has driven up the rate of attacks on healthcare organizations.

Attacks on healthcare from a data theft point of view has become a fast growing issue, with 297 known attacks occurring last year. In one incident in October 2022, Hive ransomware operators stole sensitive files from LCMHS (Lake Charles Memorial Hospital) belonging to 270,000 patients. The stolen data included medical records, health insurance information and payment information. Some patients’ social security numbers were also exposed.

Payment data like credit card numbers can be frozen and replaced, but medical history such as test results, diagnoses, and treatment plans cannot be removed or canceled. This data, in the hands of an opportunistic threat actor, can mean long-reaching damage for affected patients. When private health data is hacked, victims may find themselves at the mercy of targeted ransom demands and blackmail attempts.

Recognizing that data extortion can be both more profitable and less resource-intensive, some threat actors have moved to extortion-only methods. Disaster recovery plans cannot mitigate this threat, and effective defense requires having trusted security software in place that can prevent and detect initial access before data is stolen.

Outdated Systems Bear Many Low-Hanging Fruits of Access

For threat actors, outdated environments and lack of advanced security features spell opportunity for breach. In a notification to medical provider leaders, the FBI highlighted the risk that older, unpatched medical devices bring to digital systems used in hospitals and clinics.

Due to the highly specialized nature of technology in healthcare, the high cost of implementing and maintaining new systems hinders many small and medium-sized providers from upgrading regularly. Many healthcare organizations must work within limited budgets and may not have prioritized the need to update older systems.

However, when the security angle is factored into the intrinsic value of such equipment, there’s a strong argument for reassessing budgetary priorities in favor of accelerating the retirement of outdated and insecure systems.

Digitalization Doesn’t Always Translate to Full Adoption

Digital transformation in the world of health care can be very disruptive. Since the health sector is characterized by a high degree of specialization, medical professionals and organizations oftentimes work in silos.

Software introduced to solve one problem at one facility may cause issues elsewhere in the workflow; especially if they are working in collaboration with a facility that is operating on an incompatible platform. A lack of integration with existing systems can create problems with patient safety and security of medical records while bringing down staff productivity.

Reducing risk from the plethora of devices, operating systems and software in use across the organization is not a simple one-step operation, but the emergence of open XDR technology is leading to answers to problems that older technologies like SIEMs and SOARs attempted but failed to address.

Regulatory Compliance Is Ever Changing

Healthcare providers shoulder a heavy responsibility when it comes to balancing the protection of patient privacy, complying with HIPAA, GDPR, and other regulatory frameworks, and providing quality care. Cyber criminals have rushed to take advantage of providers who may have few resources and budget to juggle all of these requirements on the day-to-day.

The regulatory compliance industry is often changing, and can become a complex undertaking for even the better-funded medical service providers. In recent years alone, digitalization and the reality of COVID-19 have changed regulatory requirements, adding new and updated controls that could take a healthcare organization upwards of months to years to implement properly.

As new attack surfaces and threats arise in the cyber landscape, regulatory frameworks also adjust, making compliance a moving target for organizations in the healthcare industry.

Healthcare providers now using cloud services to securely store data in a compliant way should understand the shared responsibility model and look for cloud protection solutions to ensure that no doors are being left open.

How SentinelOne Can Help Boost Medical Service Providers Defenses

Get Streamlined Security Solution on the Device Level

Having a wide array of Internet-of-Things (IoT) devices combined with lengthy patch cycles leave endpoints vulnerable to cyberattack. As the medical service industry slowly continues to modernize their systems and tools, smart devices, laptops, and machines all add to the growing attack surface available for threat actors to exploit.

SentinelOne’s Singularity Ranger offers a simple, straightforward security solution that can protect on a device or endpoint and ensure that a full inventory of everything on a network is protected in real-time.

Rely on Frictionless Security Operations & Threat Resolution

In-house cybersecurity experts are hard to come by in the healthcare provider industry. During a potential security event, having a team of experts to analyze, triage, and neutralize any threat means providers and medical staff can continue their operations with less disruption. By preventing the initial attack from occurring, providers can protect patient and staff records, avoid delays in life-saving medical care, retain patients, and ensure no reputation-damaging downtime.

Vigilance Respond is a  24/7/365 monitoring detection and response service offering an expert team to continuously monitor an environment for early indicators of compromise (IoC). Stop signs of lateral movement before it can develop into a full blown cyber crisis.

Protect Cloud Workloads

To meet the most up-to-date regulatory requirements on data protection, many healthcare providers rely on cloud environments to store, manage, and transmit their patient’s PHI.

To get ahead of threat actors, hospitals and clinics using cloud services must fully understand how the services are being implemented and maintained. Singularity Cloud ensures visibility within the cloud so providers can see how file sharing is being done, what type of data is being stored, and what applications are connected.

Conclusion

As the future of healthcare moves steadily towards the digital, threat actors have seemingly locked in their sights on medical service providers globally. Organizations can’t afford to wait for the next attack, so prevention and visibility are the main goals as CISOs in this sector set out to protect patient PHI and ensure continuous care for those in need.

The responsibility of data security, complexities of regulatory compliance, risks with IoT, and the high value of PHI place CISOs in the midst of a changing threat landscape where the consequences can, at the extreme, affect patient lives.

The state of healthcare organizations do not have to remain precarious, though, and CISOs and technical leaders can work to strengthen their cyber security posture against data breaches and ransomware attacks. By implementing a single, robust security platform, providers can ensure transparency across all their critical endpoints and protect sensitive patient data from being compromised.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response.