Thinking of Hiring or Running a Booter Service? Think Again.

Most people who operate DDoS-for-hire businesses attempt to hide their true identities and location. Proprietors of these so-called “booter” or “stresser” services — designed to knock websites and users offline — have long operated in a legally murky area of cybercrime law. But until recently, their biggest concern wasn’t avoiding capture or shutdown by the feds: It was minimizing harassment from unhappy customers or victims, and insulating themselves against incessant attacks from competing DDoS-for-hire services.

And then there are booter store operators like John Dobbs, a 32-year-old computer science graduate student living in Honolulu, Hawaii. For at least a decade until late last year, Dobbs openly operated IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania.

Dobbs, in an undated photo from his Github profile. Image: john-dobbs.github.io

The only work experience Dobbs listed on his resume was as a freelance developer from 2013 to the present day. Dobbs’s resume doesn’t name his booter service, but in it he brags about maintaining websites with half a million page views daily, and “designing server deployments for performance, high-availability and security.”

In December 2022, the U.S. Department of Justice seized Dobbs’s IPStresser website and charged him with one count of aiding and abetting computer intrusions. Prosecutors say his service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.

The government seized four dozen booter domains, and criminally charged Dobbs and five other U.S. men for allegedly operating stresser services. This was the Justice Department’s second such mass takedown targeting DDoS-for-hire services and their accused operators. In 2018, the feds seized 15 stresser sites, and levied cybercrime charges against three men for their operation of booter services.

Dobbs’s booter service, IPStresser, in June 2020. Image: archive.org.

Many accused stresser site operators have pleaded guilty over the years after being hit with federal criminal charges. But the government’s core claim — that operating a booter site is a violation of U.S. computer crime laws — wasn’t properly tested in the courts until September 2021.

That was when a jury handed down a guilty verdict against Matthew Gatrel, a then 32-year-old St. Charles, Ill. man charged in the government’s first 2018 mass booter bust-up. Despite admitting to FBI agents that he ran two booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by court-appointed attorneys.

Prosecutors said Gatrel’s booter services — downthem[.]org and ampnode[.]com — helped some 2,000 paying customers launch debilitating digital assaults on more than 20,000 targets, including many government, banking, university and gaming websites.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. He was sentenced to two years in prison.

Now, it appears Dobbs is also planning to take his chances with a jury. On Jan. 4, Dobbs entered a plea of not guilty. Neither Dobbs nor his court-appointed attorney responded to requests for comment.

But as it happens, Dobbs himself provided some perspective on his thinking in an email exchange with KrebsOnSecurity back in 2020. I’d reached out to Dobbs because it was obvious he didn’t mind if people knew he operated one of the world’s most popular DDoS-for-hire sites, and I was genuinely curious why he was so unafraid of getting raided by the feds.

“Yes, I am the owner of the domain you listed, however you are not authorized to post an article containing said domain name, my name or this email address without my prior written permission,” Dobbs replied to my initial outreach on March 10, 2020 using his email address from the University of Hawaii at Manoa.

A few hours later, I received more strident instructions from Dobbs, this time via his official email address at ipstresser[.]com.

“I will state again for absolute clarity, you are not authorized to post an article containing ipstresser.com, my name, my GitHub profile and/or my hawaii.edu email address,” Dobbs wrote, as if taking dictation from a lawyer who doesn’t understand how the media works.

When pressed for particulars on his business, Dobbs replied that the number of IPStresser customers was “privileged information,” and said he didn’t even advertise the service. When asked whether he was concerned that many of his competitors were by then serving jail time for operating similar booter services, Dobbs maintained that the way he’d set up the business insulated him from any liability.

“I have been aware of the recent law enforcement actions against other operators of stress testing services,” Dobbs explained. “I cannot speak to the actions of these other services, but we take proactive measures to prevent misuse of our service and we work with law enforcement agencies regarding any reported abuse of our service.”

What were those proactive measures? In a 2015 interview with ZDNet France, Dobbs asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

Dobbs told KrebsOnSecurity his service didn’t generate much of a profit, but rather that he was motivated by “filling a legitimate need.”

“My reason for offering the service is to provide the ability to test network security measures before someone with malicious intent attacks said network and causes downtime,” he said. “Sure, some people see only the negatives, but there is a long list of companies I have worked with over the years who would say my service is a godsend and has helped them prevent tens of thousands of dollars in downtime resulting from a malicious attack.”

“I do not believe that providing such a service is illegal, assuming proper due diligence to prevent malicious use of the service, as is the case for IPstresser[.]com,” Dobbs continued. “Someone using such a service to conduct unauthorized testing is illegal in many countries, however, the legal liability is that of the user, not of the service provider.”

Dobbs’s profile on GitHub includes more of his ideas about his work, including a curious piece on “software engineering ethics.” In his January 2020 treatise “My Software Engineering Journey,” Dobbs laments that nothing in his formal education prepared him for the reality that a great deal of his work would be so tedious and repetitive (this tracks closely with a 2020 piece here called Career Choice Tip: Cybercrime is Mostly Boring).

“One area of software engineering that I think should be covered more in university classes is maintenance,” Dobbs wrote. “Projects are often worked on for at most a few months, and students do not experience the maintenance aspect of software engineering until they reach the workplace. Let’s face it, ongoing maintenance of a project is boring; there is nothing like the euphoria of completing a project you have been working on for months and releasing it to the world, but I would say that half of my professional career has been related to maintenance.”

Allison Nixon is chief research officer at the New York-based cybersecurity firm Unit 221B. Nixon is part of a small group of researchers who have been closely tracking the DDoS-for-hire industry for years, and she said Dobbs’s claim that what he’s doing is legal makes sense given that it took years for the government to recognize the size of the problem.

“These guys are arguing that their services are legal because for a long time nothing happened to them,” Nixon said. “It’s difficult to argue something is illegal if no one has ever been arrested for it before.”

Nixon says the government’s fight against the booter services — and by extension other types of cybercrimes — is hampered by a legal system that often takes years to cycle through cybercrime cases.

“With cybercrime, the cycle between the crime and investigation and arrest can often take a year or more, and that’s for a really fast case,” Nixon said. “If someone robbed a store, we’d expect a police response within a few minutes. If someone robs a bank’s website, there might be some indication of police activity within a year.”

Nixon praised the 2022 and 2018 booter takedown operations as “huge steps forward,” but added that “there need to be more of them, and faster.”

“This time lag is part of the reason it’s so difficult to shut down the pipeline of new talent going into cybercrime,” she said. “They think what they’re doing is legal because nothing has happened, and because of the amount of time it takes to shut these things down. And it’s really a big problem, where we see a lot of people becoming criminals on the basis that what they’re doing isn’t really illegal because the cops won’t do anything.”

In December 2020, Dobbs filed an application with the state of Hawaii to withdraw IP Stresser Inc. from its roster of active companies. But according to prosecutors, Dobbs would continue to operate his DDoS-for-hire site until at least November 2022.

Two months after our 2020 email interview, Dobbs would earn his second bachelor’s degree (in computer science; his resume says he earned a bachelor’s in civil engineering from Drexel University in 2013). The federal charges against Dobbs came just as he was preparing to enter his final semester toward a master’s degree in computer science at the University of Hawaii.

Nixon says she has a message for anyone involved in operating a DDoS-for-hire service.

“Unless you are verifying that the target owns the infrastructure you’re targeting, there is no legal way to operate a DDoS-for-hire service,” she said. “There is no Terms of Service you could put on the site that would somehow make it legal.”

And her message to the customers of those booter services? It’s a compelling one to ponder, particularly now that investigators in the United States, U.K. and elsewhere have started going after booter service customers.

“When a booter service claims they don’t share logs, they’re lying because logs are legal leverage for when the booter service operator gets arrested,” Nixon said. “And when they do, you’re going to be the first people they throw under the bus.”

Gotta Catch ‘Em All | Understanding the NetSupport RAT Campaigns Hiding Behind Pokemon Lures

Researchers at ASEC recently reported on a NetSupport RAT campaign that utilizes Pokemon as the social engineering lure. Threat actors staged a malicious website, hosting a Pokemon-based NFT game, offering both a fun and financially rewarding experience. In reality, those drawn into the site are coerced into downloading the trojanized NetSupport RAT client, allowing attackers full access to their device.

NetSupport RAT has been observed in numerous attacks on enterprise environments over the years, and Pokemon is just the latest in a long line of creative lures used to distribute and drop NetSupport RAT. It is frequently used by cybercriminals as a ‘quick solution’ in lieu of implementing something more bespoke.

In this post, we provide an overview of NetSupport RAT and discuss the technical details of a recent campaign.

Background

NetSupport RAT is based on NetSupport Manager, a legitimate remote administration tool that, much like TeamViewer, is frequently abused by bad actors. Whether used maliciously or otherwise, NetSupport Manager provides full and complete control over the target device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (including exfiltrating data and executing additional payloads). In addition, the software allows at least the following:

  • Real-time screen monitoring, optimized for monitoring multiple devices
  • Taking control of or redirecting user screens
  • Capturing screenshots, audio and video

Malicious versions are constantly being sold or rented out via underground crime marketplaces.

NetSupport Manager RAT offered for rental

As NetSupport Manager is a legitimate tool that has a long history of development, it is highly attractive to attackers as it can be relied on to work ‘out of the box’. Additionally, it is thoroughly documented and actively supported: benefits that are less likely with custom-built malware that provides similar functionality such as Andromeda, Nanocore, CirenegRAT, Dark Comet and others.

Malicious use of NetSupport Manager (aka NetSupport RAT) has been observed since at least late 2017. The use of “legitimate” or COTS (Commercial off the Shelf) tools is highly beneficial to attackers when attempting to achieve the greatest degree of stealth. Custom-written malware can often be detected by some layer of protection, such as EPP and EDR tools, so it is often advantageous to utilize a legitimate tool, even if it takes some creativity to deliver the remote software client.

ASEC reported that the NetSupport RAT droppers were delivered via phishing emails that entice targets to install a “Pokemon card game”. On doing so, the victim unknowingly installs the NetSupport RAT, a doctored version of the NetSupport Manager client (client32.exe) that gives the attacker immediate and direct control of the infected device. While this specific attack was centered around the Pokemon theme, other phishing lures are known to be used.

Some recent NetSupport RAT campaigns utilize .ISO files as droppers, which allows the attackers to evade certain types of detection. The same technique has been used by ransomware actors, including both Maze and Ragnar Locker.

When mounted, the ISO files contain either the NetSupport RAT installer (with config and support files) or a .LNK file that redirects the victim to said installer.

Technical Details

A typical example of this kind of .ISO file is the sample CLF_security.iso (288603f501926756c236e368a1fdc7d128f4f9a1).

NetSupport RAT ISO file

This particular .ISO contains an embedded .EXE file (CLFSECUR.EXE) which is then utilized to drop and execute the installer for NetSupport RAT.

Sample 4233ff7941da62b86fc2c2d92be0572c9ab534c8 has been observed in multiple ISO files masquerading as legitimate software, including:

  • CodeTwo Exchange Manager
  • PCFresh 2022 SDK Tools
  • Google Chrome
  • Google Crash Handler
  • Steelray Project Setup
  • BrowserRenew.iso
  • CLFsecurity.ISO
  • Cloudflare_security_setup.iso

The RAT installation is disguised to look similar to a Google Chrome installation.

NetSupport RAT installer disguised as Google Chrome setup.

The sample is obfuscated via the Babadeda crypter. When executed, a base64 encoded string is used to specify various parameters including sessionID and other critical values to the NetSupport connection.

Base64 encoded RAT execution command

The command decodes to look similar to the following:

NetSupport RAT decoded command

Persistence for the RAT is achieved via registry entry, and a shortcut to the installed RAT executable is written to the Startup folder. For example:

~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSupport.url

In this case, the shortcut links to AppData\Roaming\Steelray Project Viewer. In addition, the sample generates a scheduled task with multiple triggers.

NetSupport RAT Persistence via Scheduled Task
Install directory of NetSupport RAT

The RAT performs a number of discovery operations to understand its host environment. Network adapter details are pulled via GetAdaptersAddresses. Additional data is gleaned via WMI queries such as:

SELECT * FROM Win32_ComputerSystem
SELECT * FROM Win32_SystemEnclosure

The malware deploys some anti-analysis measures such as attempting to detect the presence of a debugger via IsDebuggerPresent, and all running processes are enumerated and logged via EnumProcesses (32-bit processes). Launch behavior, including delays in execution or outgoing connection, can be controlled by the attacker. For example, Sleep statements may be used to delay execution by hours in order to trick sandboxes used in malware analysis or simply to disguise the association between the infection and the social engineering event from the user.

Network requirements vary across different NetSupport Manager configurations and sessions. In the analyzed sample, the client opens a port on TCP 50275 to receive network connections.

NetSupport RAT has the ability to drop and execute additional components. In this particular campaign, system/log data and executable code are dropped into %temp%.

NetSupport RAT data in %temp%.

Data files and executables are also written to ~\Program Files (x86)\Google\Temp. These files all self-delete after launch or after full installation of the attacker configuration. A large number of legitimate Google Chrome support files are also written to this location; the malware uses them to make the fake Google Chrome installation look convincing.
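The host artifacts described in this section (Startup-folder shortcut, Run key, scheduled task, the TCP 50275 listener, and the %temp% and Google\Temp drop locations) can be checked for with a single read-only hunt script. This is an added example, not code from ASEC or SentinelOne; the name patterns (client32, NetSupport), the AppData\Roaming install path and the 50275 port are taken from the text above and are assumptions about what a given sample will use.

```powershell
# Read-only hunt for NetSupport RAT host artifacts (example, not from the original analysis).
# Assumptions: artifact names are matched on the page's own terms ('client32', 'NetSupport'),
# the listening port is the one seen in the analyzed sample (50275), and the drop paths are
# %TEMP% and Program Files (x86)\Google\Temp. Run in an elevated PowerShell session.

$pattern  = 'client32|NetSupport'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Startup folder shortcut (T1547.001). A .url or .lnk whose target lives under
#    AppData\Roaming (as the Steelray Project Viewer example above does) is the key indicator.
$startup = [Environment]::GetFolderPath('Startup')
foreach ($file in Get-ChildItem -Path "$startup\*" -Include *.url, *.lnk -File -ErrorAction SilentlyContinue) {
    if ($file.Extension -eq '.url') {
        $target = (Get-Content $file.FullName | Where-Object { $_ -like 'URL=*' } |
                   Select-Object -First 1) -replace '^URL=', ''
    } else {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($file.FullName).TargetPath
    }
    if ($target -and ($target -match $pattern -or $target -match 'AppData')) {
        $findings.Add("Startup shortcut $($file.Name) -> $target")
    }
}

# 2. Run keys (T1547.001 / T1112): values that launch the RAT client.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $pattern) {
            $findings.Add("Run key $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. Scheduled tasks (T1053.005): any action that runs the client or anything under AppData\Roaming.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern -or $cmd -match 'AppData\\Roaming') {
            $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) runs: $cmd")
        }
    }
}

# 4. Non-standard listening port (T1571) and the client process itself.
foreach ($conn in Get-NetTCPConnection -State Listen -LocalPort 50275 -ErrorAction SilentlyContinue) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("TCP 50275 listening, PID $($conn.OwningProcess) ($($proc.ProcessName)) from $($proc.Path)")
}
foreach ($proc in Get-Process -Name client32 -ErrorAction SilentlyContinue) {
    $findings.Add("client32.exe running as PID $($proc.Id) from $($proc.Path)")
}

# 5. Staging directories: %temp% and the fake Chrome install location. -Force includes hidden files (T1564.001).
foreach ($dir in @($env:TEMP, "${env:ProgramFiles(x86)}\Google\Temp")) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -match $pattern }) {
        $findings.Add("Staged file $($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime))")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No NetSupport RAT artifacts found on this host.'
} else {
    Write-Output "Possible NetSupport RAT artifacts ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A hit on client32.exe or a Run key alone is not proof of compromise, since a sanctioned NetSupport Manager deployment leaves the same names; it is the combination of an AppData\Roaming install path, a Startup .url and the 50275 listener that matches this campaign.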

Conclusion

NetSupport Manager is a long-standing tool which, like TeamViewer, has unfortunately attracted ample use by cybercriminals. NetSupport RAT, once installed, is very robust and powerful, and threat actors are able to disguise the dropper or installer in any way they see fit. In addition, threat actors using this tool are very quick to update their lures and find ways to entice their victims into installing the malicious remote control software.

SentinelOne Singularity™ provides protection against malicious behaviors associated with NetSupport RAT.

Indicators of Compromise

SHA1 Samples


DNS/Domains

she32rn1[.]com

MITRE ATT&CK

T1219 – Remote Access Software
T1053.005 – Scheduled Task/Job: Scheduled Task
T1047 – Windows Management Instrumentation
T1564.001 – Hide Artifacts: Hidden Files and Directories
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1564.003 – Hide Artifacts: Hidden Window
T1036 – Masquerading
T1112 – Modify Registry
T1406.002 – Obfuscated Files or Information: Software Packing
T1049 – System Network Connections Discovery
T1083 – File and Directory Discovery
T1057 – Process Discovery
T1012 – Query Registry
T1571 – Non-Standard Port

The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good

The Federal Communications Commission (FCC) has proposed a number of reforms to breach reporting requirements for U.S. telecoms providers to better protect customers and reduce the impact of security incidents.

With the severity and frequency of data breaches up since the rules were last updated in 2007, the new ones would eliminate the seven-day timeframe for reporting breaches, moving instead to reports filed within a 24 to 72 hour window. Further, providers would need to send data breach reports to agency staff as well as the FBI and Secret Service.

The proposed updates follow several cyber intrusions on leading global telecoms providers. In 2022 alone, Australian telecoms giant Optus disclosed a data breach in which customer data was stolen, Comcast Xfinity faced its second data breach within a two-year span, and Verizon notified its prepaid customers of account breaches leading to SIM swapping and unauthorized changes on their credit cards. The year before, T-Mobile suffered a major breach that affected 77 million individuals and resulted in more than 100 million private records posted for sale in underground forums.

Telecommunications is an industry often targeted by threat actors because providers have direct access to their customers. Providers are earmarked by nation state-backed actors seeking to conduct espionage on political critics. For cyber criminals, providers hold the keys to customer PII (personally identifiable information), which is not only valuable to dark marketplace buyers but is also leveraged in social engineering attacks and identity theft. The FCC’s recent proposals will be a welcome update to U.S. data breach regulations, with the next steps focusing on helping telecom carriers enforce stricter data security practices and combat industry-wide vulnerabilities.

The Bad

More than 1300 domains have been compromised this week in an ongoing threat using AnyDesk’s brand name to distribute Vidar info-stealer malware. The impersonation campaign banks on the popularity of the remote desktop solution, used by IT professionals globally for remote connectivity and administrative tasks.

In this active campaign, those accessing the compromised domains are led to a fake, cloned AnyDesk site prompting them to download Vidar malware masquerading as a software installation .zip file. Then, they are redirected to a Dropbox folder which delivers the info-stealing malware payload – a technique used by the threat actor to evade detection since Dropbox is safelisted by many AV solutions.

News outlets report that many of the domains have since been taken offline and for the sites that remain online, the Dropbox links no longer work. However, given that all 1300 domains lead to the same spoof site, the threat actors can keep the campaign going by simply updating the download URL address.

Vidar malware has been around since 2018, responsible for stealing credentials, saved passwords, crypto wallet and banking information, as well as browser history. Info-stealing malware has grown in popularity with cyber criminals as a dedicated means of prying legitimate credentials and cookies out of users’ hands.

Increasingly, info-stealer source code has been placed up for sale, bought by ransomware operators for low-cost, quick access and for use in MFA-fatigue attacks. Users are best protected from the rise in info-stealing malware by downloading from trusted sites only, using an endpoint protection security solution, avoiding browser-based password managers, and regularly clearing their browser cookies.

The Ugly

This week, the pro-Russian hacktivist group known as NoName057(16) continues to launch distributed denial-of-service (DDoS) attacks against NATO countries and Ukraine.

Tying their attacks closely to political events, the pro-Russian group has been blamed for attacks on the websites of Czech presidential candidates in the country’s 2023 election, the Polish government, and Latvia’s parliament. NoName057(16)’s attacks on Poland line up with the latter’s official recognition of Russia as a state sponsor of terrorism. Lithuania being caught in a dispute with Russia over train and port usage was cause enough for the hacktivists to attack the Lithuanian cargo and shipping sector.

SentinelLabs researchers report that the group uses the instant messaging app Telegram as its home base for communications, and that it used GitHub to host its DDoS tool website for free before its accounts were disabled for violating the company’s acceptable use policies.

NoName057(16) employs a collaborator payment program where the group coordinates with volunteers to carry out its attacks on targets. This model is lucrative to those who are compelled to join attacks for financial gain rather than for political reasons. Top DDoS performers are rewarded in cryptocurrency and followers are encouraged to add skin to the game by contributing more technical resources for the next attack.

Though researchers say that the DDoS attacks from NoName057(16) have had little to no wider consequence, volunteer-powered attacks with a structured incentive model are a cause for concern as threat actors continue to take advantage of a highly volatile political landscape.

Microsoft Patch Tuesday, January 2023 Edition

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running Microsoft SharePoint Server is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

Satnam Narang, senior staff research engineer at Tenable, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

Kevin Breen at Immersive Labs called special attention to CVE-2023-21563, which is a security feature bypass in BitLocker, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two Microsoft Exchange vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

Adobe released four patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

7 Ways Threat Actors Deliver macOS Malware in the Enterprise

Our 2022 review of macOS malware revealed that the threats faced by businesses and users running macOS endpoints included an increase in backdoors and cross-platform attack frameworks. Threats like CrateDepression and PyMafka used typosquatting attacks against package repositories to infect users, while ChromeLoader and others like oRAT leveraged malvertising as an infection vector.

However, the infection vector used by many other macOS threats remains unknown. SysJoker, OSX.Gimmick, CloudMensis, Alchemist and the Lazarus-attributed Operation In(ter)ception are just some of those for which researchers still do not know how victims were initially compromised. In these and other cases, researchers happened across the malware either in post-infection analyses or by discovering the samples on malware repositories like VirusTotal, where the sample’s trajectory from threat actor through victim to discovery remains largely untraceable.

Although this gap prevents us from building a full picture of any particular attack campaign, fortunately, as defenders, we can enumerate the possible ways that malware can compromise a macOS system and analyze how malware has used these vectors in the past. Armed with this knowledge, we can build more resilient defenses and security policies to prevent threats gaining entry.


1. The Lure of Free Content

There is an abundance of macOS malware that is distributed through free content download sites such as torrent sites, shareware sites, cracked-app sites and free third-party app distribution sites.

This torrent for a file utility downloads an adware installer

Content lures include:

  • Cracked Software
  • Live sports streaming sites
  • VPNs, adverts for ‘privacy’ & geofencing evasion
  • Movie, TV, Game and Music download sites, DRM circumvention
  • Porn and sexual services sites

Free content lures are primarily used to drive adware and bundleware infections, but cryptominers such as LoudMiner have also been distributed this way.

The most common scenario is a user being offered free or cracked versions of an application; the user initiates a download of a disk image file purporting to contain that application but on mounting it finds that it is called something like “Flash Player”, “AdobeFlashPlayer.app” or similar. These files are usually unsigned and the user is given instructions on how to override macOS Gatekeeper in order to launch them.

Lure for a cracked version of Adobe Photoshop leads to an adware installer

As shown in the above image, this is a simple trick in the Finder that even non-admin users can use to defeat the Mac’s built-in security mechanism.

Some threat actors have recently been seen directing users to the Terminal to override Gatekeeper there, presumably to work around any additional security controls that organization admins might have deployed via MDM (mobile device management).


Some users set out to seek legitimate content but are pulled into malicious sites through advertising and ‘too good to be true’ deals and offers. Anecdotal evidence suggests that there is a widespread perception among Mac users that exploring such links is not inherently dangerous because Macs are “Safe” and “Don’t get viruses”. The nature of these sites, however, and the insistent use of popups, misleading icons and redirecting links can quickly lead a user from a safe search to a dangerous download.

Although the “Flash Player” lure is largely used by adware and bundleware campaigns, it was also seen in a long-running campaign by Chinese threat actors distributing macOS.Macma. Other campaigns that have made significant use of this vector include OSX.Shlayer, Pirrit and Bundlore. These threats are well detected by security vendors but often missed by Apple’s built-in signature-based detection technology, XProtect.

How To Prevent Attacks via Free Content

Mitigations for infections through this vector include:

  • Controlling permissions relating to software downloads or launches via MDM and/or application allow/deny lists by a security product
  • Restricting access to the Terminal via an MDM solution or a security product
  • Restricting or preventing the execution of unsigned code with a security product
  • Using endpoint protection software to prevent and detect known malware

2. Malvertising to Mac Users

Maliciously-crafted ads on webpages can run hidden code inside the user’s browser, redirecting the victim to sites showing popups with fake software updates or virus scan warnings. In the past 12 months, known malvertising campaigns aimed at macOS users include ChromeLoader and oRAT.

ChromeLoader, also known as Choziosi Loader or ChromeBack, takes the form of a malicious Chrome extension that hijacks the user’s search engine queries, installs a listener to intercept outgoing browser traffic, and serves up adware to victims.

oRAT is a backdoor implant written in Go and is downloaded to the victim’s machine as an unsigned disk image (.dmg) masquerading as a collection of Bitget Apps. The disk image contains a package with the name Bitget Apps.pkg and the distribution identifier com.adobe.pkg.Bitget.


An encrypted blob of data is appended to the malicious binary that contains configuration data such as the C2 IP address.


oRAT’s encrypted blob and the decrypted plain text

More details on oRAT can be found in the writeup here.

How to Prevent Attacks from Malvertising

Mitigations for threats distributed through malvertising include:

  • Using firewall control and web filters to block access to known malicious websites. In extremely sensitive cases, firewalls can restrict access to only a limited set of authorized IPs
  • Using Ad blocking software: ad blockers can prevent most adverts from being displayed, but this may have an impact on performance and access to some resources
  • Deploying endpoint protection software to prevent and detect the execution of malicious code delivered through malicious adverts

3. Poisoned Developer Projects

Developers are high-value targets for threat actors looking at mass infections, supply chain attacks, espionage and political manipulation. Undoubtedly the most successful attack on Apple developers to date was XcodeGhost, a malicious version of Apple’s Xcode IDE hosted on a server in China in 2015. A number of Chinese developers chose to download what they believed to be a local mirror of Xcode because downloading the legitimate version from Apple’s servers in the US was extremely slow.

XcodeGhost inserted malicious code into any iOS app that was built with it, and a number of infected apps were subsequently released on Apple’s App Store. The infected apps were capable of stealing sensitive information such as the device’s unique identifier and the user’s Apple ID, and executing arbitrary code on the infected iOS device.

More commonly and more recently, threat actors have sought to infect developers by means of shared code. Because developers look to increase productivity by not ‘reinventing the wheel’, they will often seek out shared code rather than attempt to write their own implementation of tricky libraries or unfamiliar API calls.

Useful code can be found in public repositories hosted on sites like Github, but these can also be laced with malware or code that opens a backdoor from the developer’s environment to the attackers. XCSSET malware and XcodeSpy have both exploited shared Xcode projects to compromise developers of macOS and iOS software.

In XCSSET, a project’s .xcodeproj/project.xcworkspace/contents.xcworkspacedata was modified to contain a file reference to a malicious file hidden in the project’s xcuserdata folder. Building the project caused the malware to be executed, which then dropped a multi-stage infection on the developer’s machine, including a backdoor.

In XcodeSpy, a threat actor distributed a doctored version of a legitimate, open-source project available on GitHub. The project’s Build Phases included an obfuscated Run Script that would execute when the developer’s build target was launched.

The obfuscated script found in an XcodeSpy sample.

The script created a hidden file at /private/tmp/.tag, which contained a single command: mdbcmd. This in turn was piped via a reverse shell to the attackers’ C2. The file path is linked to two custom EggShell backdoors found on VirusTotal.

On execution, the customized EggShell binaries drop a LaunchAgent either at ~/Library/LaunchAgents/com.apple.usagestatistics.plist or ~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist. This plist checks to see if the original executable is running; if not, it creates a copy of the executable from a ‘master’ version at ~/Library/Application Support/com.apple.AppStore/.update then executes it.

Persistence agent used by EggShell backdoor linked to XcodeSpy
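The persistence indicators above translate directly into a fleet-wide check: look in each user’s LaunchAgents folder for the two labels, for agents that borrow Apple’s com.apple. namespace (Apple’s own agents are installed under /System/Library, not ~/Library/LaunchAgents), and for programs launched from hidden paths or temporary directories. The Python below is an added example, not code from the original post or from SentinelOne; the sample plist in it is constructed from the description above, and the user name and payload path are placeholders.

```python
import plistlib
from pathlib import Path
from typing import List, Optional

# Labels the article attributes to the EggShell persistence agent linked to XcodeSpy.
EGGSHELL_LABELS = {
    "com.apple.usagestatistics",
    "com.apple.appstore.checkupdate",
}


def _hidden_components(path_like: str) -> List[str]:
    """Path components that start with '.', e.g. '.update' in '.../com.apple.AppStore/.update'."""
    return [c for c in path_like.split("/") if c.startswith(".") and c not in (".", "..")]


def audit_launch_agent(plist_bytes: bytes, source: str) -> List[str]:
    """Return human-readable findings for one LaunchAgent plist (empty list = nothing odd)."""
    findings: List[str] = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML/binary plist
        return [f"{source}: could not parse property list ({exc.__class__.__name__})"]
    if not isinstance(plist, dict):
        return [f"{source}: top-level object is not a dictionary"]

    label = str(plist.get("Label", ""))
    if label in EGGSHELL_LABELS:
        findings.append(f"{source}: label {label!r} matches the EggShell persistence agent")
    elif label.startswith("com.apple."):
        findings.append(f"{source}: label {label!r} imitates Apple's namespace in a user LaunchAgents folder")

    # Check 'Program' and every 'ProgramArguments' entry: a '/bin/sh -c' wrapper
    # hides the real payload path in a later argument, not in argv[0].
    candidates = [str(plist.get("Program", ""))] + [str(a) for a in plist.get("ProgramArguments", [])]
    for arg in candidates:
        hidden = _hidden_components(arg)
        if hidden:
            findings.append(f"{source}: references hidden path component(s) {hidden} in {arg!r}")
        if arg.startswith(("/tmp/", "/private/tmp/", "/private/var/tmp/", "/var/tmp/")):
            findings.append(f"{source}: executes from a temporary directory: {arg!r}")
    return findings


def audit_launch_agents_dir(directory: Optional[Path] = None) -> List[str]:
    """Run audit_launch_agent over every .plist in a LaunchAgents folder (macOS only)."""
    directory = directory or Path.home() / "Library" / "LaunchAgents"
    findings: List[str] = []
    for plist_path in sorted(directory.glob("*.plist")):
        findings.extend(audit_launch_agent(plist_path.read_bytes(), str(plist_path)))
    return findings


# Constructed sample modelled on the persistence the article describes; the user name
# and exact payload path are placeholders, not values from the page.
SAMPLE_EGGSHELL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.usagestatistics</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/Users/dev/Library/Application Support/com.apple.AppStore/.update</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for comparison.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/ExampleBackup.app/Contents/MacOS/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for line in audit_launch_agent(SAMPLE_EGGSHELL_PLIST, "sample.plist"):
        print(line)
```

Running audit_launch_agents_dir() on a Mac walks the current user’s folder; for fleet use, point it at each home directory under /Users and feed the findings to whatever the security team already collects.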

How To Prevent Attacks via Poisoned Developer Projects

Mitigations for threats distributed through this vector include:

  • Isolating development environments from production environments
  • Requiring all shared developer projects to be reviewed and authorized before being downloaded or built on company devices
  • Implementing secure development practices such as secure coding guidelines, code review and code buddying
  • Educating developers on the dangers of externally-sourced developer projects
  • Monitoring for suspicious and malicious code execution with endpoint protection software
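The “review before building” recommendation can be partly automated. As an added example (not the original post’s or any project’s own code), the Python below applies heuristics to the two files the XCSSET and XcodeSpy cases abused: it scans every Run Script build phase in project.pbxproj for decoded base64 piped into an interpreter, eval, build-time downloads and commands pushed out of view behind long runs of whitespace, and it flags any FileRef in contents.xcworkspacedata that points into xcuserdata. The project fragments are constructed, and the padded base64 string in the sample decodes to the harmless text “hello world”.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List

# pbxproj string literals use \n, \t, \" and \\ escapes.
_PBX_ESCAPE = re.compile(r"\\(.)")
_SHELL_SCRIPT = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')


def _unescape(s: str) -> str:
    return _PBX_ESCAPE.sub(lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def audit_pbxproj(text: str) -> List[str]:
    """Heuristic review of every Run Script build phase in a project.pbxproj."""
    findings: List[str] = []
    for n, match in enumerate(_SHELL_SCRIPT.finditer(text), start=1):
        script = _unescape(match.group(1))
        tag = f"run script #{n}"
        if re.search(r"base64\s+(-D|-d|--decode)\b[^\n]*\|\s*(sh|bash|zsh|python3?|perl)\b", script):
            findings.append(f"{tag}: decodes base64 and pipes the result into an interpreter")
        if re.search(r"\beval\b", script):
            findings.append(f"{tag}: uses eval")
        pad = re.search(r"^[ \t]{40,}\S", script, re.MULTILINE)
        if pad:
            # A command preceded by dozens of spaces sits off-screen in Xcode's script editor.
            findings.append(f"{tag}: command hidden behind {len(pad.group(0)) - 1} leading whitespace characters")
        if re.search(r"\b(curl|wget)\b", script):
            findings.append(f"{tag}: fetches remote content during the build (review even if expected)")
    return findings


def audit_workspacedata(xml_text: str) -> List[str]:
    """Flag FileRef entries that point inside xcuserdata, the folder XCSSET abused."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for ref in root.iter("FileRef"):
        location = ref.get("location", "")
        if re.search(r"(^|[:/])xcuserdata(/|$)", location):
            findings.append(f"workspace references a file under xcuserdata: {location!r}")
    return findings


def audit_xcodeproj(xcodeproj: Path) -> List[str]:
    """Audit a <Name>.xcodeproj directory on disk before anyone builds it."""
    findings: List[str] = []
    pbx = xcodeproj / "project.pbxproj"
    if pbx.is_file():
        findings.extend(audit_pbxproj(pbx.read_text(errors="replace")))
    ws = xcodeproj / "project.xcworkspace" / "contents.xcworkspacedata"
    if ws.is_file():
        findings.extend(audit_workspacedata(ws.read_text(errors="replace")))
    return findings


# Constructed pbxproj fragment: one padded, obfuscated Run Script and one ordinary lint step.
# The base64 text decodes to "hello world".
SAMPLE_PBXPROJ = r'''// !$*UTF8*$!
{
	objects = {
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellScript = "# Type a script or drag a script file from your workspace\n                                                                echo aGVsbG8gd29ybGQ= | base64 -D | sh\n";
		};
		AA02 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "swiftlint lint --strict\n";
		};
	};
}
'''

# Constructed workspace file with a reference into xcuserdata (file name is a placeholder).
SAMPLE_WORKSPACE = '''<?xml version="1.0" encoding="UTF-8"?>
<Workspace version = "1.0">
   <FileRef location = "self:"></FileRef>
   <FileRef location = "group:xcuserdata/dev.xcuserdatad/.hidden_payload"></FileRef>
</Workspace>
'''

if __name__ == "__main__":
    for line in audit_pbxproj(SAMPLE_PBXPROJ) + audit_workspacedata(SAMPLE_WORKSPACE):
        print(line)
```

These are review prompts, not verdicts: a legitimate project may well curl a dependency at build time, but a reviewer should see that before the developer’s machine runs it.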

4. Open Source Package Repositories

Things start to get more serious when threat actors target open source package repositories. Code shared through these is widely used across many projects in enterprises, and security vetting is both weak and difficult. There are many in use across different platforms and languages, including:

  • Python Package Index (PyPI)
  • Crates.io (Rust)
  • Node Package Manager (NPM)
  • Go Module Index (Go)
  • NuGet Gallery (.NET)
  • RubyGems (Ruby)
  • Packagist (PHP)
  • Chocolatey (Windows)
  • Scoop (Windows)
  • Homebrew (macOS)
  • CocoaPods (Swift, iOS)
  • Carthage (Swift, macOS)
  • Fedora Package Database (Linux)
  • CentOS Package Repository (Linux)
  • Arch Linux User Repository (Linux)
  • Ubuntu Package Repositories (Linux)
  • Alpine Package Repository (Linux)
  • Maven Central (Java)

Package repositories can be susceptible to typosquatting attacks and dependency confusion attacks. In some cases, ownership of legitimate packages has been hijacked or transferred to malicious actors.

In May 2022, a popular PyPI package ‘PyKafka’ was targeted in a typosquatting attack with a package named ‘PyMafka’. The PyMafka package contained a Python script that surveyed the host and determined the operating system.


If the device was running macOS, it reached out to a C2 and downloaded a Mach-O binary called ‘MacOs’ and wrote it to /private/var/tmp with the name ‘zad’. The binary was UPX-packed and obfuscated and dropped a Cobalt Strike beacon.

Only a week earlier, the Rust repository Crates.io had also been targeted by threat actors typosquatting the legitimate ‘rust_decimal’ package with a malicious ‘rustdecimal’ package. The latter targeted environments with GitLab Continuous Integration (CI) pipelines and dropped a Go-written macOS-compiled Poseidon payload.

As 2022 closed out, an actor who later claimed to be a ‘researcher’ targeted the PyTorch package on PyPI with a dependency confusion attack.

Dependency confusion attacks take advantage of the fact that some packages have dependencies that are hosted on private servers. By default, package managers handle a client’s request for dependencies by first searching the public repository. If the dependency package’s name doesn’t already exist in the public repo, an attacker can upload their own malicious package to the public repo and intercept the request from the client.

The malware dropped in the attack on PyTorch collected and exfiltrated a variety of sensitive data from the victim’s machine for transfer to a remote URL, including the contents of ~/.gitconfig/ and ~/.ssh/.

PyTorch is a popular open-source machine learning library for Python, estimated to have had around 180 million downloads. In the 5 days between Christmas Day and New Year’s day that the malicious package was hosted on PyPI, it achieved 2300 downloads.

How To Prevent Attacks via Package Repositories

Mitigations for threats distributed through this vector include many of the same recommendations as for protecting against malicious shared developer projects. In addition, security teams can also adopt the following recommendations:

  • Using private repositories and configuring package managers not to default to a public repository
  • Verifying package authenticity through code signing
  • Periodically auditing and verifying externally-sourced code
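Two of the attacks above are checkable before anything is installed: PyMafka and rustdecimal are each one edit away from the package they imitate, and dependency confusion depends on a package manager that consults a public index alongside the private one. The Python below is an added example, not the original post’s code or any package manager’s own tooling. It normalizes names the way PyPI does (case-insensitive, with runs of -, _ and . treated alike), flags requested names that are not on an allowlist but sit within a small edit distance of one that is, and audits a pip.conf for the extra-index-url setting under which pip merges candidates from both indexes and installs the highest version found on either. The allowlist, the requested names and the index hostname are constructed.

```python
import configparser
import re
from typing import Dict, List

# Constructed allowlist of packages the organization has already vetted.
APPROVED_PACKAGES = {"pykafka", "requests", "numpy", "torch", "cryptography", "rust_decimal"}


def normalize(name: str) -> str:
    """PyPI-style normalization: lowercase, any run of '-', '_' or '.' becomes '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete or substitute one character, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(requested: List[str], approved=APPROVED_PACKAGES) -> Dict[str, str]:
    """Map each requested name that is NOT approved but lies within one edit (two for
    names of ten or more characters) of an approved name to that approved name."""
    approved_norm = {normalize(p): p for p in approved}
    suspects: Dict[str, str] = {}
    for name in requested:
        n = normalize(name)
        if n in approved_norm:
            continue
        threshold = 2 if len(n) >= 10 else 1
        best = min(approved_norm, key=lambda cand: edit_distance(n, cand))
        if edit_distance(n, best) <= threshold:
            suspects[name] = approved_norm[best]
    return suspects


def audit_pip_conf(text: str) -> List[str]:
    """Flag pip settings that let a public index compete with the private one."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: List[str] = []
    for section in ("global", "install"):
        if not cfg.has_section(section):
            continue
        if cfg.has_option(section, "extra-index-url"):
            findings.append(f"[{section}] extra-index-url makes pip choose the highest version across "
                            "two indexes; serve everything from one private index that proxies the public one")
        if "pypi.org" in cfg.get(section, "index-url", fallback=""):
            findings.append(f"[{section}] index-url points at the public index, where internal names can be claimed")
    return findings


# Constructed configurations: the weak one mixes a private index with the public one,
# the hardened one uses only the private proxy (hostname is a placeholder).
WEAK_PIP_CONF = """
[global]
index-url = https://pypi.example.internal/simple
extra-index-url = https://pypi.org/simple
"""

HARDENED_PIP_CONF = """
[global]
index-url = https://pypi.example.internal/simple
"""

if __name__ == "__main__":
    print(find_typosquats(["pymafka", "requests", "rustdecimal", "flask"]))
    print(audit_pip_conf(WEAK_PIP_CONF))
```

The distance check is a heuristic and will miss lookalikes that differ by more than a couple of characters; its value is in catching the single-character swaps that both 2022 cases relied on, at the point where a requirements file is reviewed.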

5. Trojan Applications

Attacks on package repositories can be devastating and far-reaching, but they are also noisy: they will inevitably be discovered and draw a lot of attention. In contrast, threat actors looking to deliver malware to specific targets more stealthily may prefer to trojanize popular applications.

In 2021, sponsored links in the Baidu search engine were used to spread malware via trojanized versions of the popular Terminal application, iTerm2. Further investigation into OSX.Zuru, as it came to be known, found that the campaign also used trojan versions of Microsoft’s Remote Desktop for Mac, Navicat and SecureCRT.

The apps were codesigned with a developer signature different from the legitimate signature, primarily to ensure that they were not blocked by Gatekeeper. Aside from replacing the original code signature, the threat actor had modified the application bundles with a malicious dylib in the .app/Contents/Frameworks/ folder called libcrypto.2.dylib. Analysis of this file revealed functionality for surveilling the local environment, reaching out to a C2 server and executing remote commands via a backdoor.

The selection of trojanized apps was interesting and suggests the threat actor was targeting backend users of tools used for remote connections and business database management.

More recently, Chinese-linked threat actors have been found distributing trojanized versions of EAAClient and SecureLink that deliver a Sliver payload. These trojans are delivered without a code signature, and the threat actors use the techniques described above (see “The Lure of Free Content”) to persuade victims to override local security settings through the Terminal.


Researchers have also recently found malicious versions of an open-source tool that are designed to steal the victim’s password and keychain – effectively giving the actor full access to all the user’s passwords in macOS. In this case, the tool in question, Resign Tool, is used by developers to resign apps and bundle them into ipa files for installation on iOS devices – indicating the threat actor’s clear interest in infecting developers.

How To Prevent Attacks via Trojan Applications

Mitigations for threats distributed through this vector include:

  • Verifying that all code is signed and that code signatures correspond to the appropriate known developer signature
  • Restricting or preventing the execution of unsigned code with a security product
  • Using endpoint protection software to prevent and detect suspicious or malicious code execution
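Checking that a signature “corresponds to the appropriate known developer signature” means more than checking that codesign reports it valid: the OSX.Zuru apps were validly signed, just by the wrong developer. The Python below is an added example, not SentinelOne’s tooling. It parses the key=value lines that codesign -dv --verbose=4 prints to stderr, compares the TeamIdentifier with an allowlist keyed by bundle identifier, checks that the chain is a Developer ID Application identity anchored at Apple Root CA, and diffs Contents/Frameworks against what the vendor ships. The bundle identifier, developer name and Team IDs are placeholders, and the sample codesign output is constructed in the shape the tool uses.

```python
import subprocess
from typing import Any, Dict, List

# Constructed expectations: bundle identifier -> Team ID of the approved developer.
# Both values are placeholders, not real Apple Team IDs.
EXPECTED_SIGNERS: Dict[str, str] = {
    "com.example.terminalapp": "TEAMID0000",
}


def parse_codesign_output(text: str) -> Dict[str, Any]:
    """Turn the key=value lines of `codesign -dv --verbose=4` into a dict.
    'Authority' repeats once per certificate in the chain, so it becomes a list."""
    chain: List[str] = []
    info: Dict[str, Any] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            chain.append(value)
        else:
            info[key] = value
    info["Authority"] = chain
    return info


def verify_signer(info: Dict[str, Any], expected: Dict[str, str] = EXPECTED_SIGNERS) -> List[str]:
    """Compare a parsed signature with the approved developer for that bundle identifier."""
    findings: List[str] = []
    ident = str(info.get("Identifier", ""))
    team = str(info.get("TeamIdentifier", ""))
    chain: List[str] = list(info.get("Authority", []))
    # codesign prints 'Signature=adhoc' for ad-hoc signatures; no certificate chain at all
    # means there is no developer identity to compare against either way.
    if info.get("Signature") == "adhoc" or not chain:
        findings.append(f"{ident or '<unknown>'}: ad-hoc or missing signature, no developer identity to check")
        return findings
    if ident not in expected:
        findings.append(f"{ident}: no approved signer recorded for this bundle identifier")
        return findings
    if team != expected[ident]:
        findings.append(f"{ident}: signed by Team ID {team!r}, approved Team ID is {expected[ident]!r}")
    if not any(a.startswith("Developer ID Application:") for a in chain) or "Apple Root CA" not in chain:
        findings.append(f"{ident}: chain is not a Developer ID Application identity anchored at Apple Root CA")
    return findings


def codesign_info(app_path: str) -> Dict[str, Any]:
    """macOS only: run codesign on a bundle and parse its stderr output."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True, check=False)
    return parse_codesign_output(proc.stderr)


def unexpected_frameworks(present: List[str], expected: List[str]) -> List[str]:
    """Entries under Contents/Frameworks that the vendor's build does not ship; an added
    libcrypto.2.dylib of the kind OSX.Zuru used is what this surfaces."""
    return sorted(set(present) - set(expected))


# Constructed codesign output for an approved build (real output has the same key=value lines).
SAMPLE_LEGIT = """Executable=/Applications/TerminalApp.app/Contents/MacOS/TerminalApp
Identifier=com.example.terminalapp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

# Constructed output for a re-signed copy: a valid Developer ID chain, but a different team.
SAMPLE_TROJAN = (SAMPLE_LEGIT.replace("TEAMID0000", "OTHERTEAM99")
                 .replace("Example Developer", "Some Other Person"))

if __name__ == "__main__":
    print(verify_signer(parse_codesign_output(SAMPLE_LEGIT)))
    print(verify_signer(parse_codesign_output(SAMPLE_TROJAN)))
```

Gatekeeper would accept the re-signed copy because its chain is genuine; only the comparison against the Team ID the organization expects for that bundle identifier separates it from the real application.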

6. Exploits and Watering Hole Attacks

A less common infection vector, and one that requires some skill to pull off, is using browser exploits to infect visitors to a poisoned website. Zero day exploits in browsers are a regular focus area for hacker competitions, including China’s annual Tianfu Cup. Even after being patched, these vulnerabilities can still be used as N-Days against organizations or users that fail to keep their browsers up to date.

In the most recent security update for macOS Ventura and Safari released on December 13, 2022, more than 30 bugs were patched, including the following browser-related vulnerabilities:

  • CVE-2022-42856: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2022-42867: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2022-46691: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2022-46695: Visiting a website that frames malicious content may lead to UI spoofing.
  • CVE-2022-46696: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2022-46705: Visiting a malicious website may lead to address bar spoofing.

Threat actors that have recently exploited vulnerabilities in macOS and used them in watering hole attacks include the Chinese-related APT responsible for Macma and DazzleSpy.

According to researchers at Google’s TAG, Macma combined an N-day remote code execution vulnerability in WebKit (CVE-2021-1789) and a zero day local privilege escalation in XNU (CVE-2021-30869). The chained exploits were used to load and execute a Mach-O binary in memory. The malware was able to escape the Safari sandbox, elevate privileges, and download a second stage payload from a C2.

Firefox zero days have also been used in attacks on macOS users. Coinbase reported targeted attacks via what later became known as CVE-2019-11707 in 2019, which delivered variants of Netwire and Mokes malware.

How To Prevent Attacks via Exploits and Watering Holes

Mitigations for threats distributed through this vector include:

  • Ensuring system and application software is up-to-date to prevent attacks leveraging N-day vulnerabilities
  • Deploying a behavioral AI security solution that can detect suspicious behavior used in zero day infection chains
  • Deploying a security solution that allows for threat hunting over extended periods

7. Supply Chain Attacks

Some of the infection vectors we have covered already can and have been used in attempted supply-chain attacks, particularly those involving trojan applications, shared developer code and package repositories. However, those cases all involved fake or imitation versions of legitimate code, packages and applications.

Supply chain attacks in which a threat actor compromises the legitimate code distributed by a vendor to its clients are rarer but not unheard of. Back in 2016, the popular macOS torrent client Transmission was infected with a rare example of macOS ransomware. Threat actors compromised the developer’s servers and added KeRanger malware to the disk image containing the software.

More recently, in 2022, researchers discovered that APT 27 (aka Iron Tiger, LuckyMouse) had compromised the servers belonging to the MiMi chat application. A compromised MiMi installer was seen retrieving a Mach-O backdoor named ‘rshell’. Malicious JavaScript had been added to the disk image used to install the chat application. When users ran the installer, the malicious code reached out to a remote IP to retrieve the rshell binary. The malware functioned as a backdoor with the ability to fingerprint the victim device, exfiltrate data and run remote commands.

rshell contains a hardcoded IP address for its C2

How To Prevent Supply Chain Attacks

Supply chain attacks can occur through many of the vectors discussed above and can occur anywhere in the supply chain, including directly within the organization’s own development and production cycles. For this reason, defending against such a compromise requires an overall security strategy that includes most of the recommendations given above, but focuses in particular on:

  • Performing due diligence on all suppliers and partners to ensure that they have good security practices in place
  • Regularly auditing and reviewing the security of the supply chain, including keeping up to date records of changes in suppliers and partners
  • Implementing robust security controls throughout the organization, including using modern endpoint, cloud and identity management security controls
  • Regularly updating software systems and patching vulnerabilities

Other Means of Compromising macOS

Notably absent from the list above are two infection vectors commonly seen, particularly, in attacks against Windows users: emails containing phishing links, and RCEs through publicly exposed internet connections.

Malicious links and attachments represent an opportunity for threat actors targeting any system, including macOS. Maldocs that determine the host system and have specific logic for macOS have been known, but they are not widely reported. Sandbox escapes for MS Office for Mac are also not unheard of.

As noted in the introduction to this post, many malware infections’ initial means of compromise remain unknown to researchers, and given the prevalence of phishing emails in compromises in general, it’s certainly a vector that defenders must consider.

Remote attacks involving unauthorized code execution tend to be common on Windows as a result of weaknesses in Microsoft software, particularly the RDP protocol. Having said that, a review of Apple’s security updates does reveal that zero day RCE vulnerabilities in macOS are possible.

Organizations can defend against the possibility of compromise through both these vectors by implementing security controls previously outlined, with an emphasis on endpoint protection and timely software updates to protect against malware executed via phishing attempts and RCEs through software and OS vulnerabilities.

Conclusion

Preventing attacks at the first stage of infection reduces the impact on both the security team and the organization. Unfortunately, there is still a widespread perception that macOS controls like codesigning, Gatekeeper and Apple’s notarization service are enough to prevent successful malware attacks, but the evidence from malware seen and discovered in 2022 alone proves otherwise. Apple itself has come out on record stating that Macs have a malware problem.

By fortifying their defenses and understanding the main infection vectors used by in-the-wild macOS malware as discussed above, security teams can better protect the organization. To see how SentinelOne can help protect the Macs in your organization, contact us or request a free demo.


Identity Thieves Bypassed Experian Security to View Credit Reports

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via annualcreditreport.com.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.
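The article does not say how Experian’s site was built, so the following is an assumption: the symptom is consistent with a report page that treated arrival at a URL as proof that the identity questions had been answered. As an added illustration (not Experian’s code) of where that check belongs, the Python below models the three-step flow with server-held session state: the vulnerable handler serves the report to any request for /acr/report, while the hardened one serves it only once the server itself has graded the KBA answers. The paths follow the article; the answer key and report body are placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed model of the flow the article walks through: identity details, then the
# knowledge-based (KBA) questions at /acr/oow, then the report at /acr/report.


@dataclass
class Session:
    identity_supplied: bool = False
    kba_passed: bool = False      # only the server sets this, after grading the answers
    failed_attempts: int = 0


# Placeholder answer key; in a real system it is derived from the bureau's own records.
KBA_ANSWER_KEY: Dict[str, str] = {"q1": "b", "q2": "d"}
REPORT_BODY = "<full credit report>"
Handler = Callable[[str, Session], Tuple[int, str]]


def check_kba(session: Session, answers: Dict[str, str]) -> bool:
    """Grade the KBA answers on the server and record the outcome in the session."""
    if not session.identity_supplied:
        return False
    if answers == KBA_ANSWER_KEY and session.failed_attempts < 3:
        session.kba_passed = True
    else:
        session.failed_attempts += 1
    return session.kba_passed


def vulnerable_route(path: str, session: Session) -> Tuple[int, str]:
    """Failure pattern: the report route assumes that anyone who reached it went through
    the earlier steps, so editing the URL to /acr/report returns the report unchecked."""
    if path == "/acr/report":
        return 200, REPORT_BODY
    if path == "/acr/oow":
        return 200, "<KBA questions>"
    return 200, "<error page>"


def hardened_route(path: str, session: Session) -> Tuple[int, str]:
    """Every step is decided from server-held session state; the URL carries no authority."""
    if path == "/acr/report":
        if not session.kba_passed:
            return 403, "identity verification not completed"
        return 200, REPORT_BODY
    if path == "/acr/oow":
        if not session.identity_supplied:
            return 403, "identity details required first"
        return 200, "<KBA questions>"
    return 404, "not found"


def walk_flow(handler: Handler, answers: Dict[str, str]) -> Tuple[int, int]:
    """Drive one session through the flow and return two status codes for /acr/report:
    first requested straight after the identity step (the URL edit), then after the
    KBA step has been submitted with the given answers."""
    s = Session(identity_supplied=True)
    early = handler("/acr/report", s)[0]
    check_kba(s, answers)
    late = handler("/acr/report", s)[0]
    return early, late


if __name__ == "__main__":
    print("vulnerable:", walk_flow(vulnerable_route, {}))
    print("hardened, wrong answers:", walk_flow(hardened_route, {}))
    print("hardened, right answers:", walk_flow(hardened_route, KBA_ANSWER_KEY))
```

The point generalizes beyond this one site: a multi-step verification flow has to record completion of each step on the server and consult that record on every later request, because the client controls every byte of the URL.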

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse at the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.

WHAT CAN YOU DO?

It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with the push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.

The Good, the Bad and the Ugly in Cybersecurity – Week 1

The Good

It’s been a busy start to the new year for privacy regulators, who have hit both Meta (aka Facebook) and Apple with new fines.

Apple has been given an $8 million penalty by France’s CNIL for failing to obtain consent from iOS 14.6 users relating to identifiers used to present targeted ads. Meta, which had just received a fine of $170 million from the CNIL a few weeks ago, now faces a further whopping $410 million (€390 million) fine from Ireland’s Data Protection Commission (DPC).

The DPC fined Meta Ireland €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches in relation to Instagram. Both relate to complaints that users were forced to consent to personalized ads in order to use the offered services.

In better news for Meta and users of the company’s WhatsApp instant messaging service, this week saw WhatsApp roll out support for proxy servers. This allows users to connect to each other and maintain end-to-end encrypted chats even if authorities block WhatsApp’s own servers, as Iranian authorities did back in September in the wake of civil unrest.

The Bad

No sooner had we noted that supply chain attacks via public code repositories were likely to be an increasingly common feature of the 2023 threat landscape than a threat actor ran a dependency confusion attack against the PyTorch package on PyPI.

Dependency confusion attacks are different from the more common typosquatting attacks that we’ve seen used against shared repos recently like CrateDepression and pymafka. The technique takes advantage of the fact that some packages have dependencies that are hosted on private servers. However, by default, package managers that handle a client’s request for dependencies search the public code registry first for instances of the dependency. That means if the dependency package’s name is available on the public registry, an attacker can upload a malicious package to the registry and essentially intercept the dependency request from the client when users build it on their local machines.

An individual, who subsequently claimed to be a ‘researcher’, uploaded a malicious public version of the privately-hosted torchtriton package used by PyTorch. Users who built PyTorch between December 25th and December 30th received the fake torchtriton dependency. The malware was almost identical to the legitimate torchtriton save for the addition of a malicious binary at ./triton/runtime/triton and code to ensure that it was executed. The triton executable collects and exfiltrates a variety of sensitive data from the victim’s machine to a remote URL including:

  • Nameservers from /etc/resolv.conf
  • Hostname from gethostname()
  • Current username
  • Current working directory
  • Environment variables
  • /etc/hosts
  • /etc/passwd
  • First 1,000 files in $HOME
  • $HOME/.gitconfig
  • $HOME/.ssh/

The malicious package has since been removed and replaced with a stub to prevent further attempts at exploiting the same trick. However, dependency confusion attacks are possible wherever private packages do not claim the same namespace in the public repository. Aside from PyPI, packages hosted on NPM and YARL are also known to be vulnerable to dependency confusion attacks.
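As an added example (not code from SentinelOne or the PyTorch project), the following Python models the exposure described above: given the names a private index serves and the names present on the public index, it flags private names already claimed publicly, reports which copy a resolver would pick, and lists private names still open to squatting. The index contents are constructed; the `highest_version` policy assumes a resolver that merges both indexes and prefers the newest release (pip’s `--extra-index-url` behaviour), while `public_first` models the search order the article describes.

```python
"""Dependency-confusion exposure check for a set of private package names.

Added example, not SentinelOne's or PyTorch's code. The two index
listings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: what the organisation's private index serves ...
PRIVATE_INDEX: Dict[str, List[str]] = {
    "torchtriton": ["2.0.0"],
    "internal-auth-lib": ["1.4.2"],
    "internal-metrics": ["0.9.0"],
}

# ... and what the public index serves. A private name that also exists
# here is the dependency-confusion case; a higher public version makes it
# win under a version-preferring resolver.
PUBLIC_INDEX: Dict[str, List[str]] = {
    "torchtriton": ["3.0.0"],        # squatted with a higher version
    "internal-metrics": ["0.1.0"],   # squatted, but with a lower version
    "requests": ["2.28.1"],          # unrelated public package
}


@dataclass
class Finding:
    name: str
    private_version: str
    public_version: str
    wins: str  # "public" or "private": which copy the resolver would install


def _vtuple(v: str) -> Tuple[int, ...]:
    """Crude numeric version key (pre-release tags are ignored)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_exposure(private: Dict[str, List[str]],
                   public: Dict[str, List[str]],
                   policy: str = "highest_version") -> List[Finding]:
    """One Finding per private package whose name is also on the public index.

    policy="highest_version": resolver merges both indexes, newest wins
                              (pip with --extra-index-url).
    policy="public_first":    resolver consults the public index first,
                              so the public copy wins regardless of version.
    """
    findings: List[Finding] = []
    for name, versions in private.items():
        if name not in public:
            continue
        priv = max(versions, key=_vtuple)
        pub = max(public[name], key=_vtuple)
        if policy == "public_first":
            wins = "public"
        elif policy == "highest_version":
            wins = "public" if _vtuple(pub) > _vtuple(priv) else "private"
        else:
            raise ValueError(f"unknown policy {policy!r}")
        findings.append(Finding(name, priv, pub, wins))
    return findings


def unclaimed_names(private: Dict[str, List[str]],
                    public: Dict[str, List[str]]) -> List[str]:
    """Private names not yet registered publicly: open to squatting.

    Registering a placeholder under these names (as PyTorch did for
    torchtriton) closes the namespace before an attacker claims it.
    """
    return sorted(n for n in private if n not in public)


if __name__ == "__main__":
    for f in check_exposure(PRIVATE_INDEX, PUBLIC_INDEX):
        print(f"{f.name}: private {f.private_version} vs public "
              f"{f.public_version} -> resolver installs {f.wins} copy")
    print("unclaimed private names:", unclaimed_names(PRIVATE_INDEX, PUBLIC_INDEX))
```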

Image: PyTorch supply chain attack (Source)

It’s estimated that there were around 2300 malicious downloads during the time the malware was hosted on PyPI and PyTorch users are urged to uninstall and download the latest version if they think they might be affected. It is also recommended that credentials or keys stored in any of the locations noted above be rotated or reset.

The Ugly

In a different kind of dependency attack, DLL sideloading reared its ugly head again this week with news that threat actors are abusing Microsoft’s Windows Problem Reporting tool, WerFault.exe, to deploy Pupy RAT.

Victims receive an email with a malicious attachment. When double-clicked, the attachment mounts an ISO file containing a legitimate copy of WerFault.exe and a malicious version of a dependency, faultrep.dll. When users click the shortcut LNK file “recent inventory& our specialties.lnk” located in the mounted drive, it launches WerFault.exe, which in turn looks for and loads the DLL dependency located in the same directory.

The doctored DLL presents the user with a decoy XLS spreadsheet while in the background it loads an encrypted Pupy RAT payload into memory.
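The following Python is an added detection example (not SentinelOne’s code) for the chain just described: it runs two rules over Sysmon-style process-creation and image-load events and alerts when WerFault.exe starts from outside the Windows system directories, or resolves faultrep.dll from a non-system path such as the directory it was launched from. The log lines are constructed, and their key=value layout is an assumption rather than Sysmon’s native output.

```python
"""Detection for WerFault.exe DLL sideloading over Sysmon-style events.

Added example, not SentinelOne's code. Field names follow Sysmon's
ProcessCreate (EventID 1) and ImageLoad (EventID 7) events; the one-line
key=value format and the sample events are constructed for this example.
"""
import ntpath
import re
from typing import Dict, List

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLLS = {"faultrep.dll"}  # dependency WerFault.exe resolves by name

# Constructed sample: a benign crash-report run (pid 4120), then the
# sideloading chain from a mounted ISO on drive D: (pid 5180).
SAMPLE_LOG = r'''
EventID=1 ProcessId=4120 Image=C:\Windows\System32\WerFault.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine="C:\Windows\System32\WerFault.exe -u -p 2200 -s 1000"
EventID=7 ProcessId=4120 Image=C:\Windows\System32\WerFault.exe ImageLoaded=C:\Windows\System32\faultrep.dll
EventID=1 ProcessId=5180 Image=D:\WerFault.exe ParentImage=C:\Windows\explorer.exe CommandLine="D:\WerFault.exe"
EventID=7 ProcessId=5180 Image=D:\WerFault.exe ImageLoaded=D:\faultrep.dll
'''

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def _dir_of(path: str) -> str:
    """Lower-cased parent directory, without a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return zero or more alert strings for a single event."""
    alerts: List[str] = []
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "werfault.exe":
        return alerts
    pid = event.get("ProcessId", "?")

    # Rule 1: the legitimate binary lives in System32/SysWOW64; a copy
    # started from anywhere else (ISO mount, temp dir) is suspicious.
    if event.get("EventID") == "1" and _dir_of(image) not in SYSTEM_DIRS:
        alerts.append(f"pid {pid}: WerFault.exe started from non-system path {image}")

    # Rule 2: faultrep.dll should come from the system directory; loading
    # it from the binary's own directory is the sideloading signature.
    if event.get("EventID") == "7":
        loaded = event.get("ImageLoaded", "")
        if (ntpath.basename(loaded).lower() in WATCHED_DLLS
                and _dir_of(loaded) not in SYSTEM_DIRS):
            where = ("its own directory" if _dir_of(loaded) == _dir_of(image)
                     else "a non-system path")
            alerts.append(f"pid {pid}: WerFault.exe loaded {loaded} from {where} "
                          "(possible DLL sideloading)")
    return alerts


def scan(log_text: str) -> List[str]:
    """Run both rules over every non-empty line of a log dump."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```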

Image: WerFault Pupy RAT (Source)

Pupy is an open-source, cross-platform attack framework with payloads that work on Windows, Linux, Android and macOS. Its capabilities include the ability to open a backdoor, execute arbitrary code and execute further payloads.

It is not immediately clear who is behind the campaign, but based on the XLS lure, targets appear to be Chinese-speaking users. Sideloading DLLs via legitimate Microsoft software continues to be an issue defenders need to take seriously: Last year, Microsoft security tool Windows Defender was found being used to sideload Cobalt Strike during LockBit ransomware incidents.

Dealing with Cyberattacks | A Survival Guide for C-Levels & IT Owners

While organizational leaders and IT owners keep a watchful eye on emerging threats and trends from the previous year, much of their cybersecurity strategy will need to be founded on how well their businesses can respond to an attack. While the risk of cyberattacks is an undeniable reality, cyber preparedness can significantly differentiate successful businesses from those struggling to manage after a cyber event.

In particular, Chief Information Security Officers (CISOs) will be building plans to ensure a quick and effective return to normal operations in the face of attack. This post covers how to evaluate the business’s current cyber preparedness, how to plan for a cyberattack and what to do after an attack has occurred. It offers guidelines on the key elements CISOs and IT leaders will need to focus on as they bolster their defense strategies in light of the current threat landscape.


The Increasing Threat of Cyberattacks to Businesses

All sectors in the last few years have grappled with the threat of cyberattacks. Healthcare, education, government, and critical infrastructure are among those that have taken the hardest hits. Targeting underprepared or poorly-funded victims has become a lucrative business model for malicious threat groups and opportunistic actors.

Modern adversaries do not discriminate targets by size or sector; consequences from one attack can affect the organization and its vendors and providers. The last 12 months have seen little respite in the wave of ransomware attacks and data breaches even as the Biden-Harris Administration’s Executive Order on Improving the Nation’s Cybersecurity and official Shields Up campaign have raised awareness of the severity of the threats facing businesses.

From an insurance standpoint, the cost to remediate attacks has increased, spiking the price of cyber insurance premiums. Insurance carriers recognizing the risk from attack have subsequently adjusted their requirements for security.

In such an environment, it makes sense for businesses to prepare for the possibility of a compromise or cyber attack. An effective incident response plan that has been openly communicated and tailored to the needs of the business increases the organization’s chances of recovery and rapid return to normal operations.

Evaluating Cyber Preparedness | Is Your Business Ready?

Cyber preparedness ensures that enterprises have a plan in place to respond to imminent threats. For small to medium sized businesses (SMBs), properly implemented incident response and emergency management can mean the difference between recovery and insolvency. While cyber risk cannot be eliminated completely, enterprises can manage risk effectively with the right people, processes, and technology.

The first step to building a strong cyber incident response plan (IRP) is evaluating the organization’s level of preparedness.

People

  • Response Team: Is it clear who the incident response team members are? Does the response team include: a technical lead, data analysts, communications/PR advisor, human resources specialist, etc.?
  • Stakeholders: Are both internal and external stakeholders clearly identified? Are key contacts for third-parties, vendors, clients, and providers identified? Are all public-facing members of the Board and C-levels well versed in addressing the media?
  • Roles & Responsibilities: Does everyone in the organization understand their role in the IRP? Have all expectations been explained, trained, and documented?
  • Communication Matrix: Is a communications plan in place and in an easily accessible format/location should networks go down? Does it include central points of contact for each team in the organization?

Process

  • Policies: Do the incident response policies align with the organization’s overarching policies and compliance requirements? Has senior leadership reviewed and approved them, and communicated them to all employees?
  • Continuous Improvement & Lessons Learned: After every practice, drill, or actual incident, are takeaways and feedback documented and stored in an easily accessible platform? Are action items and deficiencies assigned and communicated to directors and managers? Are post-incident reports used for training and onboarding processes?

Technology

  • Post-Event Assessments: Is there a managed service or security operations center (SOC) that can provide in-depth incident response (IR) assessments? Do these assessments pinpoint evidence within the environment?
  • Backups: Are backups regularly scheduled, stored offline, or stored in a secure cloud? Are backups regularly reviewed and protected with passwords and encryption? Are backups accessible for modification or deletion from the primary network?
  • Data Forensics & Incident Response (DFIR): Does the organization’s security stack include digital forensics analysis, incident response, and/or security consultations in the event of an attack?
  • Contextual Information: Is the security stack capable of detailed log collection? Is log data stored read-only with standard encryption in place?

What to Do to Prepare for a Cyberattack

One of the most important things cybersecurity executives can do to prepare for a cyberattack is to establish a task force and name specific individuals responsible for responding to a breach. This task force should include key members of the organization, such as IT professionals, legal counsel, upper management, and any external partners or service providers that may need to be involved in the response.

Before a breach occurs, it’s essential to develop a comprehensive cyberattack survival protocol that outlines the steps to take during an attack. This should include information on identifying, containing, and recovering from the attack. It should also include details on communicating with relevant stakeholders, including employees, customers, and the media.

In addition to establishing a task force, there are a few other vital steps to increase preparedness for a cyberattack:

  1. Conduct regular security assessments: Regular security assessments can help identify vulnerabilities in systems and networks that attackers could exploit.
  2. Implement robust security controls: This includes network and cloud security, endpoint security software, user identity protection, and encryption to protect systems and data.
  3. Train employees: Educating employees about the importance of cybersecurity and how to identify and report potential threats can go a long way in protecting an organization from an attack.
  4. Establish incident response protocols: Having a plan in place for how to respond to a cyberattack can help minimize the damage and get systems and operations back up and running as quickly as possible.
  5. Perform a forensic incident response simulation: Simulations help the organization practice managing the aftermath of a cyberattack. The findings can provide valuable support in navigating the complex legal and technical challenges that often arise in the wake of a breach.

What to Do After a Cyberattack

The overall goal of the post-attack process is to mitigate any exploited vulnerabilities, ensure the threat has been neutralized or eradicated, and restore affected services to operational normalcy.

After a confirmed cybersecurity attack, the following steps will help ensure that the incident is appropriately contained and minimize data losses.

1. Assess the Extent of the Attack

The security team’s first order of business is to determine the attack’s extent and identify which systems, data and/or users have been affected. The following will help determine the type of attack and assess the extent of the damage:

  • Determine the type of attack: An effective response first needs to understand the specific kind of attack that occurred. Types of attack include phishing attempts, Denial of Service attacks, ransomware/data exfiltration and account/user takeovers. If malware was used, identify the specific kind of malware. This can often lead to a better understanding of other elements of the attack.
  • Identify the source of the attack: It is important to identify the initial vector of compromise. Threat actors may have gained a foothold or presence in other parts of the network that have not yet come to light. To do this effectively, work with a forensic incident response team to analyze the attack and trace it back to its origin. Understanding the source of the attack also helps inform the company’s security strategy so that measures can be implemented to prevent similar attacks from occurring in the future.
  • Assess the extent of the damage: Once the attack has been contained and the type of attack has been identified, it’s time to assess the extent of the damage. This may include evaluating the impact on systems and data and identifying any sensitive information that may have been compromised. Understanding the full scope of the attack will help the organization to plan an effective response.

2. Contain the Attack

The next step is to prevent attackers from gaining further access to the network. Some recommended steps are:

  • Isolate infected systems and devices: Any system or device that may have been compromised should be isolated from the rest of the network to prevent the attacker from spreading to other systems. Organizations with SentinelOne installed can use the quarantine network feature to block any other communication to and from endpoints that may have been compromised.
  • Disconnect from the network (if necessary): In some cases, it may be required to disconnect the entire network from the internet to prevent the attacker from accessing systems.
  • Shut down affected services: If certain services (e.g., email, web servers) have been compromised, it may be necessary to take these services offline across the organization to prevent the attacker from using them as a foothold.
  • Implement any necessary emergency measures: Depending on the severity of the attack, it may be required to activate the incident response plan, which should outline the steps needed to contain the attack and minimize damage.

3. Eradicate the Threat

After containment, the next step is to remove any malware or other malicious software installed during the attack and to ensure that the initial infection vector is blocked.

  • Remove malware or other malicious software: Organizations that deploy SentinelOne can set a policy that removes malware automatically, or it can be done remotely if the policy was not already set. Organizations without SentinelOne may need to manually remove malware from infected systems or rebuild the system from scratch.
  • Patch any exploited vulnerabilities: If the attacker exploited software vulnerabilities to gain access, these will need to be patched as soon as possible. This may require applying patches or software updates, reconfiguring network settings, or replacing outdated or unsupported systems. Patching vulnerabilities may involve downtime, which can be disruptive to business operations. However, it’s essential to prevent attackers from exploiting the same infection vector again and interfering with the recovery process.
  • Reset passwords: If any user accounts or service credentials were compromised before or during the attack, ensure that these are reset and that user identities are confirmed and protected using biometric keys, MFA and other authentication techniques.

4. Restore Data and Services

Once the attack has been mitigated, the next step is to restore any systems or data that were damaged or lost during the attack. This may involve restoring from backups, rebuilding systems, or recovering data using specialized software. Priority should be given to the following:

  • Restore systems and services: Bring back any systems or services that were shut down to contain the attack and any systems or services that were damaged or lost during the attack. It’s important to carefully test and validate these services to ensure that they are fully functional and secure before making them available to users again.
  • Restore lost data (if necessary): If the attack resulted in the loss of essential data, restore it as soon as possible. This may involve restoring from known clean backups, using specialized data recovery software, or manually recreating lost data.
  • Rebuild affected systems (if necessary): If the attack caused damage to systems that cannot be repaired, they may need to be rebuilt from the ground up. While this can be time-consuming, it’s necessary to ensure that all systems are secure and fully functional.

5. Report the Event

As the data forensics investigation progresses, senior leadership and other stakeholders should be kept informed of the team’s findings. When tasking the incident response team, ensure that reporting cadences are set.

During this stage, key communicators will reach out to law enforcement and insurance agencies. C-levels will work with media and public relations specialists to issue a press release and inform employees and affected clients and third-party vendors.

Organizations can maintain trust and transparency by providing regular updates on the situation and any progress made. Here are the steps to keep in mind:

  • Set a report cadence and expectations around reporting: After the attack has been contained and the incident response team has begun its investigation, establish a report cadence and set expectations around how and when the information will be shared with stakeholders. This will help to ensure that the technical team can focus on their tasks without being interrupted by communication requests, which can waste valuable resources during this critical time.
  • Identify the different reporting stakeholders: As part of the response and resolution efforts, it is important to keep employees, customers, and partners informed of the situation and any progress made. However, each stakeholder group may have different communication needs and preferences. For example, internal stakeholders may need clear, actionable feedback, while external stakeholders may require a more general update. Identify the different stakeholder groups and develop a communication plan that meets their needs.
  • Work with media and public relations specialists: To maintain trust and transparency, issuing a press release or other public statements about the attack may be necessary. C-level executives should work closely with media and public relations specialists to carefully craft this statement and ensure that it accurately reflects the situation and the organization’s response efforts.

C-levels should also ensure that they are aware of any mandatory regulations that apply to their organization in the event of an attack. Depending on industry-specific federal laws and state legislation, many organizations are legally mandated to report cyberattacks and data breaches. Those that manage, store, and transmit personally identifiable information, for example, will be bound by HIPAA and PCI-DSS requirements to notify affected individuals.

6. Hold Post-Event Lessons Learned Sessions

Holding post-event lessons-learned sessions is an integral part of the cyberattack survival process because it enables organizations to reduce the risk of future attacks and better protect themselves and their customers.

Post-event lessons learned sessions help to improve incident response processes and procedures. By examining the events leading up to, during, and after the attack, organizations can identify any bottlenecks or inefficiencies in their incident response plan and take steps to streamline and improve response efforts. This can include revising team roles and responsibilities, updating communication plans, and incorporating new security controls or procedures.

  • Learn from the attack: The investigation should have already identified what happened and how attackers gained access. Vulnerabilities should have been patched and mitigated. Ensure the findings of the investigation are used as lessons to prevent similar attacks in the future. This may also include mistakes or missteps made during the response effort.
  • Update incident response plan: Based on the lessons learned from the attack, the incident response plan and the overall company security strategy should be updated to ensure they reflect the most current best practices and consider any new threats or vulnerabilities. This may involve revising IR team roles and responsibilities, updating the communication plan, and incorporating new security controls or procedures.

Conclusion

Given the growing risk of cyber threats on businesses of all sizes and industries, building cybersecurity preparedness has become an urgent goal for many C-level security leaders and IT owners.

Dealing with cybersecurity attacks will be a trying exercise for all involved, but leaders can do much to minimize damage and make the road to recovery as smooth as possible. Planning ahead and designing an incident response plan tailored to the business’s specific needs ensures businesses can retain sensitive data, client and public trust, and credibility in the long run.

CISOs, IT owners, and technical professionals trust SentinelOne’s Vigilance Response Pro to protect their businesses from advanced threat actors. Vigilance blends 24/7/365 managed detection and response (MDR) with comprehensive digital forensics analysis and guided security consultation to offer a full-service solution for enterprises operating in today’s cyber landscape. Learn more by booking a demo or contacting us today.

Maximizing Your Impact as a CISO | Achieving Success in Today’s Threat Landscape

Cybersecurity continues to transform, leading to an evolution of what makes a successful Chief Information Security Officer (CISO). Once, the role focused on championing the implementation of digital security strategies. In today’s threat landscape, though, successful CISOs have added to their focus the mantle of risk manager and communicator. CISOs that can identify risks and share them effectively and in an actionable way can better direct their organization to a more resilient cybersecurity posture.

A CISO’s capabilities directly affect the short and long-term security of their organization. To find success in this role, CISOs in the current cyber climate must find a balance between five main areas:

  • Risk management
  • Strategic communication
  • Leadership through open communication
  • Continuous learning
  • Security expertise


How CISOs Protect Against Modern Cyber Threats

A successful CISO is a critical element of any organization’s leadership team. In today’s digital landscape, where cyber threats are constantly evolving and data breaches can have disastrous consequences, a strong and effective CISO is essential for protecting an organization’s information and assets. With the increasing prevalence and sophistication of cyberattacks, having a dedicated and skilled CISO is essential for ensuring that an organization’s sensitive data and systems are secure.

CISOs are not only instrumental in implementing and managing the organization’s cybersecurity strategy but also ensure that the organization’s employees are aware of cybersecurity best practices and protocols and are trained to identify and mitigate potential threats.

Acting as a link between employees and senior leadership and stakeholders, CISOs are responsible for communicating effectively with both groups about the organization’s cybersecurity posture. This includes providing regular updates on the effectiveness of security measures and any potential risks and vulnerabilities that may need to be addressed.

Adaptability Is Key | Why the Role of CISOs Has Changed

The role of a CISO has changed significantly in response to the evolving cyber threat landscape. In the past, CISOs focused primarily on the technical aspects of security, such as implementing and managing security technologies and protocols. However, the increasing prevalence and sophistication of cyber attacks have created a need for a broader and more strategic approach to cybersecurity.

Today, CISOs are responsible for developing and implementing the organization’s overall cybersecurity strategy, which includes anticipating and preparing for potential cyber threats. This involves conducting regular security assessments and implementing appropriate security measures, as well as staying up-to-date on the latest trends and developments in the cybersecurity field.

In addition, the role of a CISO now involves more collaboration and coordination with other departments and external partners. Cyber threats often cross organizational boundaries, and effective cybersecurity requires a coordinated response from all relevant parties.

Breaking Down the Steps to Success for CISOs

Organizations require multi-layered security strategies to combat advanced cyber threats. Bringing together all the pieces requires a CISO who deeply understands what their organization needs from a business point of view and can translate that into actionable security policies and processes.

Success for CISOs means synchronizing traditional, technical implementation with modern security analytics and continuous improvement.

1. Risk Management: Planning for Security Challenges

Through regular risk assessments, CISOs can identify and assess potential risks to the organization’s assets, such as data, systems, and networks. This includes analyzing the likelihood of a risk occurring and its potential impact on the organization.

Based on the results of the risk assessment, CISOs should focus on developing a risk management strategy to address the identified risks. This may involve implementing controls to prevent or mitigate risks, transferring risk through insurance or other means, or accepting certain risks as part of doing business.

A large part of the risk management strategy will cover how the organization will implement controls to prevent or mitigate identified risks. This may include technical measures such as firewalls and intrusion prevention systems, as well as non-technical measures such as employee training as well as defining and implementing security policies and procedures.

A strong risk management strategy will also include regular monitoring of the effectiveness of the security controls in place and review of the strategy as a whole to ensure it is still relevant and effective.

2. Strategic Communication: Bringing the Vision to All Teams

Successful CISOs exhibit stellar communication skills and prioritize sharing the organization’s cyber strategy to build trust. CISOs are also masters of knowing their audience and are able to determine who needs to be informed about the organization’s cyber risk management strategy and the measures in place to protect the organization’s assets. This may include employees, customers, partners, and regulatory bodies.

Once the players are in place, CISOs will focus on developing a communication plan and determine the best ways to reach the identified stakeholders using language that is easy to understand. Effective communication provides clear and concise information about the organization’s risk management strategy and the measures in place to protect against cyber threats.

Transparency is an important factor here. Successful CISOs are open and honest about the organization’s cyber risks and the measures being taken to manage them, and they will make themselves available to answer questions and address concerns from stakeholders. This helps to build trust across the organization and demonstrates a commitment to protecting the organization’s assets.

3. Leadership: Making the Most of Resources

Effective utilization of resources separates the experienced CISOs from the others. Technical and IT teams will look to their CISO to implement cost-effective controls. Understanding the costs and benefits of different controls and having the ability to choose those that provide the most value for the organization is vital. This may involve finding cost-effective solutions that offer similar levels of protection as more expensive options.

Utilizing automation, artificial intelligence, and machine learning can also help to reduce the workload of security teams and free up resources for other tasks. CISOs should consider implementing automated tools for tasks such as vulnerability management and incident response.

Strong leaders will always look for ways to collaborate with other teams such as by working with the IT team to ensure that cyber risk management is integrated into the organization’s overall IT strategy. This ensures that resources are being used effectively and efficiently.

4. Continuous Cyber Learning: Improving Cyber Best Practices

CISOs that work to make cybersecurity training a top priority and allocate the necessary resources to ensure that all employees receive regular training can fortify their organization’s security posture to help protect the organization against future, advanced attacks.

It is important to offer a variety of training options such as in-person training, online courses, and webinars, to make it easier for employees to participate, and use real-world examples and case studies to illustrate the importance of cybersecurity and the potential consequences of security breaches.

Cyber learning also depends on making the review of lessons learned a regular process. An often-overlooked element of the incident response cycle, lessons learned are a critical part of closing the continuous feedback loop that needs to occur once security incidents have taken place.

Holding IR ‘lessons learned’ sessions helps enterprises evaluate performance effectiveness, identify systemic challenges, and improve capabilities going forward. Experienced CISOs will work with technical teams during feedback sessions to analyze findings and reports and ensure the data is used to both reset workflows and refresh any training materials.

An organization will look to its CISO to set a firm yet positive example of cybersecurity expectations. Cultivating a good foundation for cyber hygiene starts with leadership. To better champion security through their own actions, CISOs will encourage employees to actively participate in training sessions and to ask questions so that they understand the material better.

5. Technical Acumen & Expertise: Understanding the Details

A successful CISO must deeply understand the technology and how it is used in the organization. This includes knowledge of network architecture, cybersecurity protocols, and newer technologies such as artificial intelligence and the internet of things.

By balancing this technical knowledge with an understanding of the business side of the organization – its goals, strategies, and operations – CISOs can align security efforts with the company’s overall objectives and ensure that the security measures they implement are effective and efficient.

Since the cybersecurity landscape is constantly evolving, CISOs need the ability to adapt to new threats and technologies. Being up-to-date on the latest trends and developments in the field allows a CISO to ensure their organization’s strategy is in tune with the times. Having sound technical acumen also allows someone in the role to take calculated risks – experimenting with new approaches and tools to stay innovative and flexible enough to meet upcoming security challenges.

Conclusion

The role of the CISO is integral to building and managing the defenses of an organization in a fluctuating threat landscape. As security experts, CISOs are responsible for leveraging their technical know-how to safeguard their organization from cyber attacks. CISOs are security leaders, using risk management to continuously improve their strategies and open communication to foster long-lasting cyber best practices in their workplaces.

A successful CISO is a highly skilled and knowledgeable leader who possesses a deep understanding of technology, as well as business acumen and strong communication and leadership abilities. They are strategic thinkers able to anticipate and mitigate risks and are adaptable to the ever-changing cybersecurity landscape. Most importantly, they must be ethical and trustworthy leaders who are committed to upholding the organization’s values.

CISOs have partnered with SentinelOne for in-depth guidance on how to enhance their enterprises’ overall security posture across all vulnerable attack surfaces including endpoint, identity, and cloud.

SentinelOne’s free ebooks, 90 Days | A CISO’s Journey to Impact – Define Your Role and 90 Days | A CISO’s Journey to Impact – How to Drive Success, are resources available to CISOs as they implement security initiatives and new strategies. For more information on how SentinelOne can protect your organization, contact us or request a demo today.