Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family

In recent years, efforts to apprehend threat groups and shrink their operating landscape have gone international. As authorities across multiple countries continue to implement sanctions and openly communicate current trends to the public, threat groups increasingly resort to rebranding or creating similar variants under different names to sidestep crackdowns and obfuscate their identities.

In a February 2023 blog post, AhnLab described a new ransomware campaign against South Korean organizations that deployed a payload it dubbed “TZW” ransomware. Our research links TZW to a known malware family called GlobeImposter (sometimes referred to as LOLNEK or LOLKEK). Close inspection of hosting origins and prominent file similarities across TZW and GlobeImposter campaigns suggests that the actors behind GlobeImposter are updating their payloads and obfuscating their infrastructure in a manner consistent with a rebrand.

Overview of GlobeImposter & New Variant TZW

GlobeImposter has a long and winding history. First observed in the wild in 2016, it takes its name from its mimicry of Globe ransomware payloads. Emsisoft released a decryption tool for those early versions in the same year; shortly afterwards the malware authors responded with an updated version for which no decryption tool is available. Multiple new versions and variations have appeared in the years since. They are frequently referred to by the extension they append (e.g., .DREAM, .Nutella, .NARCO, .LEGO), but all belong to the same umbrella malware family.

Since 2017, campaigns delivering GlobeImposter have continued to proliferate even though the ransomware itself has evolved only slightly. It has also been used in conjunction with some well-documented, high-end cybercriminal groups. For example, TA505 (also tracked as G0092 and GOLD TAHOE) began using GlobeImposter in 2017 and has used it alongside or in place of other payloads such as Jaff, GandCrab, and Snatch to extend the reach and effectiveness of its campaigns.

GlobeImposter’s Delivery Methods Explained

GlobeImposter is most often delivered via phishing email, either as an attachment or as a link to the malicious archive. Payloads are typically distributed inside 7-Zip or traditional ZIP archives, which often contain a JavaScript (.js) file that downloads and executes the GlobeImposter payload.

More recent campaigns from within the past three years still tend to follow this formula.

GlobeImposter has also been distributed as a later-stage infection by some well-known botnets. For example, in 2017 GlobeImposter was pushed by the Necurs botnet as part of multiple spam campaigns that likewise used 7-Zip archives and followed the execution flow described above.

Linking TZW Attacks to GlobeImposter

AhnLab’s research revealed a ransomware campaign they referred to as “TZW” with victims in South Korea. The name is derived from the first three characters of the TOR-based victim portal’s .onion address. A closer look suggests that the “TZW” samples represent a new variant of the GlobeImposter family.

The pre-TZW GlobeImposter ransom notes follow the same template as the current TZW samples. Ransom note similarities are far from reliable as an attribution signal on their own, but the likeness is worth noting.

Example of a GlobeImposter ransom note.
Example of a TZW variant GlobeImposter ransom note.

Once a machine is infected, more concrete markers indicate a deeper level of similarity. One such marker is the “CRYPTO LOCKER” string appended to the tail of each encrypted file, a known marker present across GlobeImposter variants.

Examples of CRYPTO LOCKER markers at EOF (TZW and LOLKEK variants).
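
As an added example (not code from this post or from any GlobeImposter sample), the following Python script triages a directory tree for files carrying that EOF marker, reading only the tail of each file so large encrypted files are not loaded into memory. It assumes the marker is stored as the ASCII bytes `CRYPTO LOCKER` within the last 64 bytes; the window size, the marker encoding and the sample files it builds are constructed for the example.

```python
import os
from pathlib import Path
from typing import Iterator

# EOF marker reported for GlobeImposter/TZW encrypted files. Its encoding (ASCII here)
# and the 64-byte tail window are assumptions made for this example.
MARKER = b"CRYPTO LOCKER"
TAIL_WINDOW = 64


def has_tail_marker(path: Path, marker: bytes = MARKER, window: int = TAIL_WINDOW) -> bool:
    """True if `marker` occurs within the last `window` bytes of the file.

    Only the tail is read, so large encrypted files are not loaded into memory.
    """
    try:
        size = path.stat().st_size
    except OSError:
        return False
    if size < len(marker):
        return False
    with path.open("rb") as fh:
        fh.seek(max(0, size - window))
        return marker in fh.read(window)


def find_marked_files(root: Path) -> Iterator[Path]:
    """Walk `root` and yield regular files carrying the marker; symlinks are skipped."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.is_symlink() or not candidate.is_file():
                continue
            if has_tail_marker(candidate):
                yield candidate


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one 'encrypted' file, one decoy, one empty file."""
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    # Simulated ciphertext (arbitrary bytes) followed by the marker at EOF.
    (docs / "report.xlsx.encrypted").write_bytes(bytes(range(256)) + MARKER)
    # The string appears mid-file, not at the tail, so this must not be flagged.
    (docs / "notes.txt").write_bytes(b"history of CRYPTO LOCKER families\n" + b"x" * 300)
    (docs / "empty.bin").write_bytes(b"")


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        sample_root = Path(tmp)
        build_sample_tree(sample_root)
        for hit in find_marked_files(sample_root):
            print("EOF marker found:", hit.relative_to(sample_root))
```

Point `find_marked_files` at a file share or user profile to get a quick inventory of what was encrypted; a hit count that keeps rising during the scan means encryption is still in progress and the host should be isolated first.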

GlobeImposter can delete volume shadow copies (VSS), inhibiting recovery of data. The VSS removal methodology is clearly similar across the two sample sets.

GlobeImposter shadow copy removal highlights.
GlobeImposter vs TZW variant shadow copy removal procedure.
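
The post does not spell out the exact commands the samples issue, so as an added example (not taken from the post or from the malware) here is Python detection logic for the shadow-copy deletion and recovery-inhibition commands commonly seen in ransomware (vssadmin, wmic, Win32_Shadowcopy via PowerShell, bcdedit, wbadmin), run over constructed process-creation events in a hypothetical `timestamp|parent|image|command line` format. The rule set, the sample events and the parent names are assumptions; map the parsing onto your own Sysmon Event ID 1 or Windows 4688 telemetry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed process-creation events (hypothetical "timestamp|parent|image|command line"
# format). They are sample data for this example, not telemetry from any GlobeImposter run.
SAMPLE_EVENTS = """\
2023-02-20T10:01:02Z|explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
2023-02-20T10:01:05Z|svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2023-02-20T10:02:11Z|updater.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2023-02-20T10:02:12Z|updater.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2023-02-20T10:02:13Z|updater.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2023-02-20T10:02:14Z|updater.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2023-02-20T10:02:15Z|updater.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet
2023-02-20T10:03:00Z|backup.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe create shadow /for=C:
"""

# Command-line patterns for recovery inhibition (ATT&CK T1490). Case-insensitive because
# the binaries accept any casing; "list"/"create" shadows are deliberately not matched.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_shrink_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*maxsize=", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete", re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    parent: str
    rule: str
    command_line: str


def parse_event(line: str) -> Tuple[str, str, str, str]:
    """Split one event; maxsplit=3 keeps pipes that belong to the command line itself."""
    timestamp, parent, image, command_line = line.split("|", 3)
    return timestamp, parent, image, command_line


def detect_recovery_inhibition(events: str) -> List[Alert]:
    """Return one Alert per event whose command line matches a recovery-inhibition rule."""
    alerts: List[Alert] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        timestamp, parent, _image, command_line = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(command_line):
                alerts.append(Alert(timestamp, parent, name, command_line))
                break
    return alerts


def parents_with_burst(alerts: List[Alert], min_rules: int = 2) -> List[str]:
    """Parents that triggered at least `min_rules` distinct rules: a ransomware-style
    burst of several techniques in a row rather than a lone administrative command."""
    rules_by_parent: Dict[str, Set[str]] = {}
    for alert in alerts:
        rules_by_parent.setdefault(alert.parent, set()).add(alert.rule)
    return sorted(p for p, rules in rules_by_parent.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect_recovery_inhibition(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.parent:<14} {a.rule:<36} {a.command_line}")
    print("burst from:", parents_with_burst(found))
```

A single `vssadmin delete shadows` from a backup agent is a common false positive; the burst check (several different recovery-inhibition commands from one parent within seconds) is what separates a legitimate maintenance job from a ransomware pre-encryption routine.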

Code and functionality are, by and large, identical across GlobeImposter payloads pointing to obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion and those pointing to the newer tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion.

A thorough comparison of the two respective samples shows there are only minor differences.

Zoomed-out view of GlobeImposter (hex) compared against the TZW variation.

AhnLab’s research describes artifacts from a specific sample within a specific campaign. The newer TZW variants we have seen vary somewhat in their file metadata.

Two TZW payloads, varied file metadata

A majority of the TZW variant samples that we have analyzed resemble the version on the left-hand side. The version on the right was seen in the samples noted by AhnLab.

Understanding TZW and GlobeImposter’s Shared Infrastructure

Previous GlobeImposter payloads directed victims to a TOR-based portal at obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion.

GlobeImposter Victim Portal 1.

Beginning in late 2022, we started to see victims also being directed to tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion. The interfaces and required steps are identical:

GlobeImposter Victim Portal 2 from late 2022 onward.

At the time of writing, both victim portals remain active. In addition, we can confirm the relationship between them via the publicly viewable Apache server-status page.

The status page is exposed by a misconfiguration of the Apache server (mod_status left reachable without an access restriction), which lets us see all the virtual hosts (vhosts) active on it.

Apache Status page – GlobeImposter victim portal.

Through this view we see that the following vhosts are active on the device:

obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion
tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion
linux[.]3bcd0a[.]com
Vhosts on GlobeImposter victim portal.

This evidence of shared infrastructure suggests that the newly rebranded TZW ransomware samples are likely being operated by the same group that was pushing recent waves of GlobeImposter malware.
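
As an added example of the pivot described above (not code from this post), the Python below parses the HTML table that Apache's mod_status emits when `ExtendedStatus` is on and lists the distinct values of its `VHost` column, which is exactly the information that tied the two portals together. The HTML fragment is constructed for the example in the layout Apache renders and uses the page's defanged hostnames; PIDs, clients, timings and request lines are made up.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed mod_status (ExtendedStatus On) fragment laid out the way Apache renders it.
# Host names are the page's defanged IOCs; PIDs, clients, timings and requests are made up.
SAMPLE_STATUS_HTML = """\
<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for localhost (via 127.0.0.1)</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Dur</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>Protocol</th><th>VHost</th><th>Request</th></tr>

<tr><td><b>0-0</b></td><td>1201</td><td>0/4/4</td><td>_
</td><td>0.00</td><td>12</td><td>0</td><td>0</td><td>0.0</td><td>0.01</td><td>0.01</td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion:80</td><td nowrap>GET / HTTP/1.1</td></tr>

<tr><td><b>1-0</b></td><td>1202</td><td>1/9/9</td><td>W
</td><td>0.02</td><td>0</td><td>3</td><td>3</td><td>0.3</td><td>0.04</td><td>0.04</td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion:80</td><td nowrap>GET /server-status HTTP/1.1</td></tr>

<tr><td><b>2-0</b></td><td>1203</td><td>0/2/2</td><td>_
</td><td>0.00</td><td>40</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>linux[.]3bcd0a[.]com:80</td><td nowrap>POST /login HTTP/1.1</td></tr>

<tr><td><b>3-0</b></td><td>1204</td><td>0/7/7</td><td>_
</td><td>0.01</td><td>2</td><td>0</td><td>0</td><td>0.0</td><td>0.02</td><td>0.02</td><td>127.0.0.1</td><td>http/1.1</td><td nowrap>obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion:80</td><td nowrap>GET /favicon.ico HTTP/1.1</td></tr>
</table></body></html>
"""


class StatusTableParser(HTMLParser):
    """Collect every <tr> of the page as a list of stripped cell strings."""

    def __init__(self) -> None:
        super().__init__()
        self.rows: List[List[str]] = []
        self._row: Optional[List[str]] = None
        self._cell: Optional[List[str]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None and self._row is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def _vhost_column(html: str) -> List[str]:
    """The VHost cell of every data row, lower-cased and with any ':port' suffix removed."""
    parser = StatusTableParser()
    parser.feed(html)
    header = next((row for row in parser.rows if "VHost" in row), None)
    if header is None:
        return []  # not an ExtendedStatus table (or not mod_status output at all)
    col = header.index("VHost")
    names = []
    for row in parser.rows:
        if row is header or len(row) <= col or not row[col]:
            continue
        names.append(re.sub(r":\d+$", "", row[col]).lower())
    return names


def extract_vhosts(html: str) -> List[str]:
    """Distinct virtual hosts visible on the status page, sorted."""
    return sorted(set(_vhost_column(html)))


def vhost_request_counts(html: str) -> Dict[str, int]:
    """How many worker slots the page currently attributes to each vhost."""
    return dict(Counter(_vhost_column(html)))


if __name__ == "__main__":
    counts = vhost_request_counts(SAMPLE_STATUS_HTML)
    for name in extract_vhosts(SAMPLE_STATUS_HTML):
        print(f"{counts[name]:>3}  {name}")
```

On a live host the input is simply the body of `http://<host>/server-status` fetched through the same Tor circuit you reached the portal on. Defensively, the fix is to restrict the `<Location "/server-status">` block to `Require local` (or a `Require ip` allow-list) or not to load mod_status at all; exposing it leaks every vhost, client address and request line the server is handling.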

How to Protect Against GlobeImposter and TZW Ransomware

SentinelOne Singularity™ protects against malicious behaviors and malware associated with GlobeImposter and TZW.

With the site policy set to Protect, GlobeImposter ransomware is detected and prevented automatically. In Detect-only mode, analysts can observe the malware’s behavior and file-encryption attempts, then roll the device back to a clean state once the test is complete.

Conclusion

Based on our analysis, the TZW ransomware recently documented by AhnLab is yet another example of the threat actors behind GlobeImposter pivoting their TTPs alongside a rebrand, including a new but related Onion address. We also show that the older “LOLNEK” Onion address and the Onion address embedded in the TZW variant are hosted as two vhosts on the same server.

Regardless of the name or brand, GlobeImposter continues to pose a threat to enterprises. Good user hygiene, along with strong, properly configured security controls, will go a long way toward preventing these attacks from affecting your environment.

Indicators of Compromise

SHA1

4585da0ff7a763be1a46d78134624f7cd13e6940
14be1c43fbfb325858cda78a126528f82cf77ad2
dc98b516c9c589c2b40bc754732ad5f16deb7c82
d034880d1233d579854e17b6ffad67a18fb33923
858f3f7f656397fcf43ac5ea13d6d4cbe7a5ca11
9a080cd497b8aa0006dc953bd9891155210c609c
8c64e820a4c5075c47c4fbaea4022dc05b3fd10b
3326708ba36393b1b4812aa8c88a03d72689ac24
cf5ab37612f24ed422a85e3745b681945c96190e
cf21028b54c4d60d4e775bf05efa85656de43b68

Onions

tzw7ckhurmxgcpajx6gy57dkrysl2sigfrt6nk4a3rvedfldigtor7ad[.]onion
obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd[.]onion

MITRE ATT&CK

T1005 – Data from Local System
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1070.004 – Indicator Removal: File Deletion
T1112 – Modify Registry
T1012 – Query Registry
T1083 – File and Directory Discovery
T1027.002 – Obfuscated Files or Information: Software Packing
T1082 – System Information Discovery
T1490 – Inhibit System Recovery
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Microsoft Patch Tuesday, February 2023 Edition

Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.

Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.

“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with a remote code execution bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center, it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”

The zero-day CVE-2023-21715 is a weakness in Microsoft Office that Redmond describes as a “security feature bypass vulnerability.”

“Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be,” Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”

The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is another elevation of privilege weakness — this one in the Microsoft Windows Graphic component. Researchers at cybersecurity forensics firm Mandiant were credited with reporting the bug.

Kevin Breen, director of cyber threat research at Immersive Labs, pointed out that the security bulletin for CVE-2023-21823 specifically calls out OneNote as being a vulnerable component for the vulnerability.

“In recent weeks, we have seen an increase in the use of OneNote files as part of targeted malware campaigns,” Breen said. “Patches for this are delivered via the app stores and not through the typical formats, so it’s important to double check your organization’s policies.”

Microsoft fixed another Office vulnerability in CVE-2023-21716, which is a Microsoft Word bug that can lead to remote code execution — even if a booby-trapped Word document is merely viewed in the preview pane of Microsoft Outlook. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.

Microsoft also has more valentines for organizations that rely on Microsoft Exchange Server to handle email. Redmond patched three Exchange Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are remote code execution flaws that are likely to be exploited.

Microsoft said authentication is required to exploit these bugs, but then again threat groups that attack Exchange vulnerabilities also tend to phish targets for their Exchange credentials.

Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 released an update for iOS that resolves a zero-day vulnerability in WebKit, Apple’s open source browser engine. Johannes Ullrich at the SANS Internet Storm Center notes that in addition to the WebKit problem, Apple fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.

“This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability,” Ullrich warned.

On a lighter note (hopefully), Microsoft drove the final nail in the coffin for Internet Explorer 11 (IE11). According to Redmond, the out-of-support IE11 desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a Microsoft Edge update.

“All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change,” Microsoft explained. “Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates. IE11 visual references, such as the IE11 icons on the Start Menu and taskbar, will be removed by the June 2023 Windows security update (“B” release) scheduled for June 13, 2023.”

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

ITDR For the Win | Moving Beyond IAM and PAM to Protect Digital Identities

In today’s modern work landscape, digital identities have become a record of trust, access, and relationship management for businesses. Regardless of their size and industry, organizations rely on digital identities to operate.

With the massive growth in the number of digital identities, though, opportunistic threat actors have latched on to this expanding surface as a means of attack. Identity-based cyberattacks have accelerated, and conventional identity management tools such as Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) are no longer enough on their own to shield organizations from advancing threats against both human and machine identities.

Identity protection and management has increasingly become a topic of focus for many security leaders who now look towards a combination of identity threat detection and response (ITDR) strategies to reduce risk and protect the enterprise. In this post, we explore how ITDR can help protect against threat actors’ growing interest in attacking identity and set up organizations for long-term success.

What Does the Threat Landscape Look Like for Identity?

Data leaks, phishing and social engineering campaigns, supply chain compromises, and golden ticket attacks have all made global headlines over the past few years, seemingly with no end in sight. Threat actors are after sensitive data, and the volume of attacks on identity has grown significantly.

At the start of last year, for example, attackers impersonated the U.S. Department of Labor in a phishing campaign aimed at stealing Office 365 credentials. The emails asked recipients to submit bids and utilized an entire network of phishing sites to target unsuspecting users. This particular attack showed a high level of sophistication in the convincing setup of spoofed pages and the well-crafted, typo-free content found within the emails.

Fraud Alert from the Office of Inspector General at the U.S. Department of Labor (Source).

Also in 2022, authentication services provider Okta suffered a supply chain attack when a laptop belonging to a support engineer at one of its subprocessors was compromised. During the 5-day period of unauthorized access, the threat actors were able to reach Okta’s customer support panel and internal Slack server. The compromised account held ‘super admin’ access capable of initiating password resets for Okta’s end customers.

Rounding out the tail end of 2022, multinational fintech company PayPal notified thousands of its users that their accounts and personal data had been accessed by way of a credential stuffing attack. In this type of attack, threat actors rely on bots to replay massive lists of previously leaked username and password pairs, ‘stuffing’ them into login portals until one works. The breach impacted nearly 35,000 account holders, with threat actors having accessed their full names, birthdays, mailing addresses, social security numbers, and tax identification numbers.

Identity-based attacks accounted for much of the reported security incidents from 2022. Attackers continue to exploit this attack surface, posing a direct risk to enterprises as they meet a surge in digital identities and remote workers.

Accelerated Attention on the Identity Attack Surface

The 2022 Trends in Securing Digital Identities report from the Identity Defined Security Alliance (IDSA) noted the following key findings:

  • 84% of respondents experienced an identity-related breach in the past year
  • 96% reported that said breaches could have been minimized or even prevented by identity-focused solutions
  • 78% reported direct business impacts such as reputational damage and the cost of recovery post-breach

The causes for this accelerated attention on identity can be attributed to two main factors.

First, the rising use of third-party technology and services, internet of things (IoT) connections, and cloud-based apps has increased the number of digital identities, both human and machine. Each identity is another possible attack vector, and with so many in existence, more than a few are bound to be less well protected or monitored than they should be. Such low-hanging fruit is a tantalizing ‘in’ for threat actors.

Second, securing new working spaces has become increasingly complex. The perimeter of work has extended far beyond physical offices or small numbers of off-site workers. Accelerated by a global pandemic, work-from-home policies have settled into many organizations’ very infrastructure, and the same allowances let vendors, partners, contractors, and third-party service providers remotely access network resources as needed.

Understanding the Growing Digital Identity Crisis

Digital identities for both humans and machines are an integral part of how we operate on a day-to-day basis. Because they are so attractive to attackers, what has emerged is a high-stakes digital identity crisis that affects everyone. Top challenges businesses face in securing digital identities include:

  • A lack of investment for identity management systems – Cloud-based identity architectures are enjoying a boom in adoption, but many small to medium-sized businesses still show resistance to migrating due to budgetary constraints, concerns about onboarding delays, lack of change management processes, and more.
  • Fractured ownership for identity in many organizations – Identity management and security is often a responsibility divided amongst the executive leadership and multiple teams like IT, human resources, or sales, for example.
  • Fluctuating data privacy regulations and controls – Digital identity management is made complex by the moving goal posts issued by regulatory bodies. Inevitably, identity and data privacy overlap, so organizational leaders must ensure that the data surrounding digital identities comply with mandates such as the European Union’s GDPR, the NIST Privacy Framework, ISO/IEC 27701:2019, and the Personal Information Protection and Electronic Documents Act (PIPEDA).

While organizations contend with the above challenges, the task of securing digital identity lags behind new threats, and many traditional means of protection are no longer able to meet developing attack vectors head on.

Password-based authentication systems, for example, are well known for the inherent risks they bring. Attackers can run brute force, password spraying, and credential stuffing attacks against them to obtain valid passwords. Organizations that don’t design and enforce strict password hygiene processes are also exposed to user-generated risk: the same password reused across multiple accounts, forgotten passwords, and passwords stored in unsafe places.
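
The three attacks named above leave different shapes in sign-in logs, and that shape is what an identity-focused detection keys on. As an added example (not from this post), the Python below classifies constructed authentication events into brute force (one source, one account, many failures), password spraying (one source, many accounts, one or two tries each) and credential stuffing (many sources, each trying a different account once, clustered in time), and reports which accounts a stuffing burst actually got into. The `timestamp,source_ip,username,result` format, the thresholds and the window are assumptions; tune them to your own identity provider’s sign-in volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sign-in events (hypothetical "timestamp,source_ip,username,result" format).
SAMPLE_AUTH_LOG = """\
2023-01-10T08:00:01Z,10.0.0.4,alice,FAIL
2023-01-10T08:00:09Z,10.0.0.4,alice,SUCCESS
2023-01-10T08:01:00Z,198.51.100.5,admin,FAIL
2023-01-10T08:01:01Z,198.51.100.5,admin,FAIL
2023-01-10T08:01:02Z,198.51.100.5,admin,FAIL
2023-01-10T08:01:03Z,198.51.100.5,admin,FAIL
2023-01-10T08:01:04Z,198.51.100.5,admin,FAIL
2023-01-10T08:01:05Z,198.51.100.5,admin,FAIL
2023-01-10T08:01:06Z,198.51.100.5,admin,FAIL
2023-01-10T08:05:00Z,203.0.113.9,bob,FAIL
2023-01-10T08:05:30Z,203.0.113.9,carol,FAIL
2023-01-10T08:06:00Z,203.0.113.9,dave,FAIL
2023-01-10T08:06:30Z,203.0.113.9,erin,FAIL
2023-01-10T08:07:00Z,203.0.113.9,frank,FAIL
2023-01-10T08:07:30Z,203.0.113.9,grace,FAIL
2023-01-10T08:10:00Z,192.0.2.10,heidi,FAIL
2023-01-10T08:10:02Z,192.0.2.11,ivan,SUCCESS
2023-01-10T08:10:03Z,192.0.2.12,judy,FAIL
2023-01-10T08:10:05Z,192.0.2.13,mallory,FAIL
2023-01-10T08:10:06Z,192.0.2.14,oscar,SUCCESS
2023-01-10T08:10:08Z,192.0.2.15,peggy,FAIL
"""

Event = Tuple[datetime, str, str, bool]  # (time, source_ip, username, success)

# Thresholds and window are assumptions for the example; tune to your own sign-in volume.
BRUTE_FORCE_MIN_FAILS = 6   # failures against a single account from one source
SPRAY_MIN_USERS = 5         # distinct accounts tried from one source ...
SPRAY_MAX_PER_USER = 2      # ... with at most this many tries each (stays under lockout)
STUFFING_MIN_SOURCES = 5    # distinct sources each trying one account once
WINDOW = timedelta(minutes=10)


def parse_auth_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events


def classify(events: List[Event], window: timedelta = WINDOW) -> Dict[str, List[str]]:
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings: Dict[str, List[str]] = {
        "brute_force": [], "password_spray": [], "credential_stuffing": [], "stuffing_successes": []
    }
    single_shots: List[Event] = []  # sources that tried exactly one account exactly once

    for ip, evs in by_ip.items():
        evs.sort()
        if evs[-1][0] - evs[0][0] > window:
            continue  # activity spread beyond one window is not scored as a burst here
        attempts: Dict[str, int] = defaultdict(int)
        for _ts, _ip, user, _ok in evs:
            attempts[user] += 1
        failures = sum(1 for ev in evs if not ev[3])
        if len(attempts) == 1 and failures >= BRUTE_FORCE_MIN_FAILS:
            findings["brute_force"].append(ip)
        elif len(attempts) >= SPRAY_MIN_USERS and max(attempts.values()) <= SPRAY_MAX_PER_USER:
            findings["password_spray"].append(ip)
        elif len(evs) == 1:
            single_shots.append(evs[0])

    # Credential stuffing: many distinct sources, each trying a different account once,
    # clustered in time. That is the footprint of a bot replaying a breached credential list.
    single_shots.sort()
    for i, first in enumerate(single_shots):
        burst = [ev for ev in single_shots[i:] if ev[0] - first[0] <= window]
        if len(burst) >= STUFFING_MIN_SOURCES and len({ev[2] for ev in burst}) == len(burst):
            findings["credential_stuffing"] = sorted({ev[1] for ev in burst})
            findings["stuffing_successes"] = sorted(ev[2] for ev in burst if ev[3])
            break
    return findings


if __name__ == "__main__":
    for kind, hits in classify(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{kind:<20} {hits}")
```

Note what each branch does not catch: a spray run slowly enough to exceed the window, or stuffing routed through a single proxy, falls through the per-source logic, which is why real deployments also aggregate by target account and by failure rate across the whole tenant. The `stuffing_successes` list is the actionable output; those accounts need a forced reset and session revocation even though each saw only one login.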

Threat groups also target poorly secured cloud users through their cloud solution providers (CSPs), using credential theft techniques and phishing to obtain usernames and passwords.

Legacy multi-factor authentication (MFA) protocols have also come under attack, with threat actors targeting a number of big names in 2022 alone, among them Twilio/Okta, Microsoft Teams, Dropbox, and Cisco. While MFA is a commonly recommended and sound security practice, it is only as strong as its weakest link, and implementing it alone is not sufficient to protect organizations from identity-based attacks.

In understanding the growing digital identity crisis, security leaders recognize the dire need for robust identity protection that combines proactive endpoint defense, real-time and managed response, zero-trust infrastructure, and domain protection.

Understanding the Limitations of Legacy Identity Management Tools

Existing identity protection solutions such as Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) generally focus on making sure people have access only to what they need. Authorization and authentication are the main pillars covered by these solutions, but they provide no visibility into the key factors in identity breaches: credential misuse, exposures, and privilege escalation from the endpoint into cloud and Active Directory (AD) environments.

Security for identities isn’t only managing user access, policing governance, or locking down exclusive privileges – organizations are now looking to assess security gaps from an identity standpoint. This means proactively looking at root causes and thwarting identity-based threats before they become full scale security events.

Since identity is one of the most attacked perimeters enterprises now face, the importance of looking beyond simply managing access and moving towards a proactive defense of the entire infrastructure has come to the fore. Threat detection solutions can be geared specifically towards identity-related indicators of compromise, stopping threat actors before they can gain unauthorized access or raise their privileges in a victim’s network.

How ITDR Sets Up an Organization for Success

To secure the infrastructure in which identities are managed and used, identity threat detection and response (ITDR) has come to the forefront as a framework adjacent to advanced security solutions like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR). ITDR works to fill a significant gap in defenses, focusing on protecting credentials, privileges, cloud entitlements, and all the systems that manage them.

With ITDR in place, organizations are set up to:

  • Proactively detect and prevent identity-based threats – ITDR actively looks for attacks targeting identity vectors, detecting credential theft, signs of privilege misuse, and malicious actions on AD. Singularity™ Hologram, for example, can detect phishing attacks targeting victim identity information.
  • Thwart attack progression – ITDR solutions add an additional layer of protection in an environment by redirecting attackers to pre-set decoys, automatically isolating affected systems, and stopping them from moving laterally into other networks. Singularity™ Identity detects advanced attack techniques that threat actors use to move laterally inside an organization’s network, data center, cloud environment, remote site, or branch offices.
  • Build long-term cyber resilience – ITDR brings value to forensic data collection as it gathers key telemetry on processes used in attacks. Collected threat intelligence can be used by technical teams to strengthen weak policies and processes.
  • Extend protection to cloud environments – Clouds can often encourage permissions sprawl, overwhelming many teams with too many applications, containers, and servers to manage. ITDR solutions extend to cloud environments by delivering visibility into risky entitlements that may give way to opportunistic attackers.

Conclusion

As identity-based threats continue to strike across all global industries, business leaders are doubling down on reducing risk during a digital identity crisis. Organizations can move towards cybersecurity strategies and solutions with identity protection at their center to ensure protection against mounting attacks, manage machine and user identities at scale, meet regulatory compliance needs, and build client trust.

Digital identities are the foundation of many organizations, and SentinelOne’s Identity Suite delivers robust defenses for the infrastructure that houses them. Whether organizations are on-prem or in the cloud, Singularity ends credential misuse through deception-based protections executed in real time.

Learn more about how Singularity furthers identity-leading cybersecurity strategies by booking a demo or visiting Singularity™ Identity.

The Good, the Bad and the Ugly in Cybersecurity – Week 6

The Good

Seven individuals were sanctioned this week for their involvement with the notorious TrickBot cyber gang. The sanctions formally block all U.S.-based property and funds belonging to Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. Of the seven, one has been identified as a senior figure within the gang, while the others were involved in ransomware development, money laundering, and day-to-day administration.

TrickBot transitioned from a banking trojan into a full-blown intrusion toolkit designed to break into corporate networks in advanced ransomware operations. The Russia-based cybercrime gang is also tied to the development of multiple malware strains such as BumbleBee, BazarBackdoor, and Anchor. TrickBot is no stranger to news headlines: in just the last three years, the malware was leveraged in a major attack on the Costa Rican government and in attacks on large hospitals and healthcare services across Ireland and the U.S., particularly during the COVID-19 pandemic.

The joint sanction effort by authorities in the U.S. and United Kingdom follows a significant leak last year of Conti and TrickBot internal conversations, source code, and personally identifiable information. The ‘ContiLeaks’ resulted in a rare look into the operational infrastructures and identities of key members across both groups, with Conti having acquired TrickBot earlier last year.

Though Conti disbanded after its source code leaked, individuals from the group have likely moved on to other ransomware gangs or started new operations. This fact alone makes collaborative efforts to impose sanctions on cybercriminals that much more necessary. Sanctions make it much harder for threat actors to launder their money, cutting them off from their financial gains and leaving them less room in which to operate.

The Bad

This week, SentinelLabs researchers reported on a new variant of Cl0p ransomware targeting Linux devices, noting its appearance as part of a larger trend amongst ransomware groups creating new variants of their respective strains.

Cl0p ransomware may only just have branched out into targeting Linux devices, which are widely used in enterprises as servers and cloud workload hosts, but the group itself has been around since 2019. It has been known to target critical infrastructure around the world but focuses especially on large enterprises, financial institutions, and schools. So far, the Linux variant has been seen targeting educational institutions, including a university in Colombia in late December.

Despite the concerns this development raises, the report highlights a small silver lining. SentinelLabs researchers found a flaw in the Linux variant that enabled them to create a decryptor tool, so victims of the Linux variant can recover their data without paying the ransom. The report explains that unlike the Cl0p Windows variant, which uses asymmetric encryption with a private key known only to the attackers, the Linux variant uses a symmetric algorithm with the key needed for decryption hardcoded into the malware itself. Anyone with the sample therefore has the key, which makes it possible to reverse the encryption from the code in the binary.

The discovery of a Linux variant of Cl0p ransomware demonstrates once again that ransomware groups will continue to seek new targets and methods to maximize their profits. Linux, which is widely used in many enterprise environments, offers up a rich pool of potential victims in the eyes of threat actors. With more operations shifting towards cloud computing and virtual environments, there’s no doubt that Linux has become increasingly attractive to actors in search of easier targets and higher rewards. It is likely that the malware authors will fix the flaw in future iterations and organizations should take steps to protect themselves from ransomware.

The Ugly

A wave of new ESXiArgs ransomware attacks was reported this week, encrypting extensive amounts of data on various servers across the US, Canada, and Central Europe. While ongoing investigations indicate that the servers were compromised by way of a two-year-old VMware Service Location Protocol (SLP) vulnerability tracked as CVE-2021-21974, some victims are reporting that they still experienced breach and encryption even though SLP was disabled in their environments.

Since the first wave of the campaign earlier this week, the ESXiArgs attacks have hit over 3,800 victims, encrypting the configuration files on vulnerable, unpatched VMware ESXi servers and rendering the virtual machines potentially unusable. Investigative findings so far show the ransomware encrypting .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem files on compromised servers. To date, CISA and the FBI have jointly released an advisory and a recovery script for victims, available on GitHub. The advisory encourages enterprises with affected servers to update to the latest version of ESXi, disable the SLP service, and remove any exposure of the ESXi hypervisor to the public internet.

Security researchers believe these attacks have been so rampant because of the sheer volume of vulnerable targets: at least 12% of all existing VMware ESXi servers remain unpatched against CVE-2021-21974, leaving them open to ESXiArgs. Highly focused ransomware campaigns like ESXiArgs may not be particularly sophisticated, but they can be thoroughly damaging. Such a widely exposed attack surface underscores the importance of regular patch management, especially for internet-facing devices. This is a developing story, and the operators behind ESXiArgs have yet to be attributed.

U.S., U.K. Sanction 7 Men Tied to Trickbot Hacking Group

Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating “Trickbot,” a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities.

Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into “a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks,” the Treasury Department said.

A spam email from 2020 containing a Trickbot-infected attachment. Image: Microsoft.

“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” the sanctions notice continued. “In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”

Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly “Bentley” Kovalev.

A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive “money mule” scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.

BOTNET, THE MOVIE

In 2015, Kovalev reportedly began filming a movie in Russia about cybercrime called “Botnet.” According to a 2016 story from Forbes.ru, Botnet’s opening scene was to depict the plight of Christina Svechinskaya, a Russian student arrested by FBI agents in September 2010.

Christina Svechinskaya, a money mule hired by Bentley who was arrested by the FBI in 2010.

Svechinskaya was one of Bentley’s money mules, most of whom were young Russian students on temporary travel visas in the United States. She was among 37 alleged mules charged with aiding an international cybercrime operation — basically, setting up phony corporate bank accounts for the sole purpose of laundering stolen funds.

Although she possessed no real hacking skills, Svechinskaya’s mugshot and social media photos went viral online and she was quickly dubbed “the world’s sexiest computer hacker” by the tabloids.

Kovalev’s Botnet film project was disrupted after Russian authorities raided the film production company’s offices as part of a cybercrime investigation. In February 2016, Reuters reported that the raid was connected to a crackdown on “Dyre,” a sophisticated trojan that U.S. federal investigators say was the precursor to the Trickbot malware. The Forbes.ru article cited sources close to the investigation who said the film studio was operating as a money-laundering front for the cybercrooks behind Dyre.

TREASON

But shifting political winds in Russia would soon bring high treason charges against three of the Russian cybercrime investigators tied to the investigation into the film studio. In a major shakeup in 2017, the Kremlin levied treason charges against Sergey Mikhaylov, then deputy chief of Russia’s top anti-cybercrime unit.

Also charged with treason was Ruslan Stoyanov, then a senior employee at Russian security firm Kaspersky Lab [the Forbes.ru report from 2016 said investigators from Mikhaylov’s unit and Kaspersky Lab were present at the film company raid].

Russian media outlets have speculated that the men were accused of treason for helping American cybercrime investigators pursue top Russian hackers. However, the charges against both men were classified and have never been officially revealed. After their brief, closed trial, both men were convicted of treason. Mikhaylov was given a 22 year prison sentence; Stoyanov was sentenced to 14 years in prison.

In September 2021, the Kremlin issued treason charges against Ilya Sachkov, formerly head of the cybersecurity firm Group-IB. According to Reuters, Sachkov and his company were hired by the film studio “to advise the Botnet director and writers on the finer points of cybercrime.” Sachkov remains imprisoned in Russia pending his treason trial.

A WELL-OILED CYBERCRIME MACHINE

Trickbot was heavily used by Conti and Ryuk, two of Russia’s most ruthless and successful ransomware groups. Blockchain analysis firm Chainalysis estimates that in 2021 alone, Conti extorted more than USD $100 million from its hacking victims; Chainalysis estimates Ryuk extorted more than USD $150 million from its ransomware victims.

The U.S. cybersecurity firm CrowdStrike has long tracked the activities of Trickbot, Ryuk and Conti under the same moniker — “Wizard Spider” — which CrowdStrike describes as “a Russia-nexus cybercriminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, that allow them to run multiple different types of operations.”

“CrowdStrike Intelligence has observed WIZARD SPIDER targeting multiple countries and industries such as academia, energy, financial services, government, and more,” said Adam Meyers, head of intelligence at CrowdStrike.

This is not the U.S. government’s first swipe at the Trickbot group. In early October 2020, KrebsOnSecurity broke the news that someone had launched a series of coordinated attacks designed to disrupt the Trickbot botnet. A week later, The Washington Post ran a story saying the attack on Trickbot was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the U.S. National Security Agency (NSA).

Days after Russia invaded Ukraine in February 2022, a Ukrainian researcher leaked several years of internal chat logs from the Conti ransomware gang. Those candid conversations offer a fascinating view into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. They also showed that Conti enjoyed protection from prosecution by Russian authorities, as long as the hacker group took care not to target Russian organizations.

In addition, the leaked Conti chats confirmed there was considerable overlap in the operation and leadership of Conti, Trickbot and Ryuk.

Michael DeBolt, chief intelligence officer at cybersecurity firm Intel 471, said the leaked Conti chats showed Bentley oversaw a team of coders tasked with ensuring that the Trickbot and Conti malware remained undetected by the different antivirus and security software vendors.

In the years prior to the emergence of Trickbot in 2016, Bentley worked closely on the Gameover ZeuS trojan, a peer-to-peer malware threat that infected between 500,000 and a million computers with an automated ransomware strain called Cryptolocker, DeBolt said.

The FBI has a standing $3 million bounty offered for the capture of Evgeny “Slavik” Bogachev, the alleged author of the Zeus trojan. And there are indications that Bentley worked directly with Bogachev. DeBolt pointed to an October 2014 discussion on the exclusive Russian hacking forum Mazafaka that included a complaint by a Russian hosting firm against a forum user by the name “Ferrari” who had failed to pay a $30,000 hosting bill.

In that discussion thread, it emerged that the hosting company thought it was filing a complaint against Slavik. But the Mazafaka member who vouched for Ferrari’s membership on the forum said they knew Ferrari as Bentley the mule handler, and at some point Slavik and Bentley must have been sharing the Ferrari user account.

“It is likely that Slavik (aka. Bogachev) and Bentley (aka. Kovalev) shared the same ‘Ferrari’ handle on the Mazafaka forum circa 2014, which suggests the two had a working relationship at that time, and supports the recent US and UK Government announcements regarding Kovalev’s past involvement in cybercrime predating Dyre or the Trickbot Group,” DeBolt said.

CrowdStrike’s Meyers said while Wizard Spider operations have significantly reduced following the demise of Conti in June 2022, today’s sanctions will likely cause temporary disruptions for the cybercriminal group while they look for ways to circumvent the financial restrictions — which make it illegal to transact with or hold the assets of sanctioned persons or entities.

“Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name,” Meyers said.

The prosecution of Kovalev is being handled by the U.S. Attorney’s Office in New Jersey. A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).

Cloud Credentials Phishing | Malicious Google Ads Target AWS Logins

Advertising is an integral part of the modern digital economy, providing businesses with the opportunity to reach a large and diverse audience. However, malicious actors are taking advantage of the ubiquity of online advertising to spread malware, phishing scams, and other forms of malicious content. In recent weeks, Google Ads, one of the largest online advertising platforms, has become a popular target for these types of attacks.

In this analysis, we examine recent malicious Google Ads targeting Amazon Web Services (AWS) logins through fraudulent credential phishing websites.

Overview

At a high level, the workflow of the malvertising campaign followed a distinctive pattern, providing yet another example of the evolving malvertising campaigns running through Google search results. In the AWS credential-targeting case discussed here, a normal Google search for “AWS” returns the malicious ad among the results.

The ad itself goes to a hop domain, which is an actor-controlled blogger website. This first hop then redirects to the actual credentials phishing page hosted on a second domain. After the victim submits their credentials, a final redirect sends the victim to the legitimate AWS login page. The redirect represents an effort to evade detection by cautious users, but more importantly to evade automated detection of the phishing websites and malicious ad monitors. The various hops and content included in the webpages of each domain add to the complexity of automated detection in such attacks.

Google Malvertising AWS Phishing Workflow

Malicious Ads

The malicious advertisements we observed occurred on January 30th and 31st 2023. These ads were most easily identified by searching “aws” in Google. Initially, the phishing domain was the ad itself; however, the attacker later shifted to a proxy ad through a blogspot.com website. As the image below shows, the attacker made use of us1-eat-a-w-s.blogspot[.]com as the destination for malicious ads. This is likely an effort to evade automated detection by Google of suspicious ad destination content.

Google Malvertising AWS Phishing Ad

The content of the us1-eat-a-w-s.blogspot[.]com website is a copy of a legitimate vegan food blog. However, the page loads a second domain, aws1-console-login[.]us/login, through a JavaScript window.location.replace call. Note that the blogger page was shut down less than a day after its creation.

Malicious Blogspot Webpage Redirect

Following the automated redirect to the aws1-console-login[.]us/login destination, the target is finally presented with a spoofed AWS login prompt. The login process appears legitimate to unsuspecting targets.

Fake AWS Login Page – Email
Fake AWS Login Page – Password

After the user enters their credentials, the final zconfig01.php page is loaded. This contains a single line of code to direct victims to the legitimate AWS login page.

Redirect to Legitimate AWS Login After Credential Submission

Recently, Permiso’s P0 Labs conducted a review of an AWS phishing site related to the same attacker. Based on our analysis, we attributed it to the same attacker continuing their campaign on new ads with a few technical adjustments.

Phishing Page Characteristics

Several characteristics unique to the phishing pages are noteworthy, including the layout, design, and efforts to hinder analysis as well as the developers’ spoken language.

A JavaScript function disables the right-click context menu and middle mouse button click on the web page. The function sets the oncontextmenu event to return false, effectively disabling the right-click context menu. It also sets the onmousedown event to call the clickNS function for non-IE browsers, which checks for a middle mouse button click and returns false if one is detected. The clickIE function does the same for Internet Explorer. The purpose of this code is likely to prevent users from copying content from the web page using the right-click context menu or middle mouse button.

Mouse Click Disable

More JavaScript code adds several keyboard shortcuts that, when pressed, will redirect the user to “#”. This does not correspond to a specific page on the website and in effect serves to disable the keyboard shortcuts while the page is active.

Shortcut Key Combo Disable

All comments, variable names, and other bits of language are written in Portuguese. Additionally, the code includes an unused function named maskaraCPF. It’s possible that this function could be used to format and display personal information, such as a Brazilian CPF number, in a way that makes it appear legitimate to the user.

maskaraCPF Function

Throughout the various web pages the attacker made for this campaign, such as the blogspot and phishing pages, repeated use was made of source code copied from unrelated and legitimate websites. For example, the root page of the blogger domain mimics a legitimate Brazilian dessert business. The /login file on this site loads the AWS phishing page.

Legitimate Website – source of copied code
Home of Malicious Website
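The page traits described in this section (context-menu and middle-click suppression, keyboard shortcuts redirected to “#”, the off-host window.location.replace hop from the blogger page, Portuguese identifiers and the maskaraCPF helper) are all visible in static page source, so an analyst or ad-monitoring pipeline can flag them before a page is ever rendered. The scanner below is an added example written for this article; it is not SentinelOne’s or Permiso’s tooling. The two sample pages are constructed to mirror the behaviour described above, the rule weights are an assumed scoring scheme, and the Portuguese word list is a small constructed starting point.

```python
"""Static scan of page source for the phishing-kit traits described above.

Added example (not the vendor's code). Sample pages are constructed;
hostnames are kept defanged with [.] and refanged only for parsing."""
import re
from urllib.parse import urlparse

# Detection rules: (name, regex, weight). Weights are an assumed scoring
# scheme for this example, not a published standard.
RULES = [
    # Right-click suppression: an oncontextmenu handler that returns false.
    ("context_menu_disabled",
     re.compile(r"oncontextmenu\s*=.{0,200}?return\s+false", re.I | re.S), 2),
    # Middle-click suppression: onmousedown wired to clickNS/clickIE helpers.
    ("mouse_button_blocking",
     re.compile(r"onmousedown\s*=.{0,60}?click(NS|IE)", re.I | re.S), 2),
    # Keyboard shortcuts neutralised by redirecting the page to "#".
    ("shortcuts_redirect_to_hash",
     re.compile(r"(keydown|keyCode|ctrlKey).{0,200}?location(\.href)?\s*=\s*[\"']#[\"']",
                re.I | re.S), 2),
    # The unused Brazilian CPF masking helper noted in the analysis.
    ("maskaraCPF_helper", re.compile(r"function\s+maskaraCPF\s*\("), 3),
    # Portuguese identifiers (constructed word list; extend as needed).
    ("portuguese_tokens",
     re.compile(r"\b(senha|usuario|usuário|carregando|cadastro)\b", re.I), 1),
]

# Automatic client-side hop to another host (the blogger -> phishing-domain step).
REPLACE_RE = re.compile(r"window\.location\.replace\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)


def refang(indicator):
    """Turn a defanged indicator (example[.]com) back into a parseable form."""
    return indicator.replace("[.]", ".")


def off_host_replace(source, page_host):
    """Hosts targeted by window.location.replace that differ from the page's own host."""
    targets = []
    for url in REPLACE_RE.findall(source):
        host = urlparse(refang(url)).hostname
        if host and host != page_host:
            targets.append(host)
    return targets


def scan_page(source, page_host):
    """Return matched findings, off-host redirect targets and an aggregate score."""
    findings = {name: weight for name, rx, weight in RULES if rx.search(source)}
    hops = off_host_replace(source, page_host)
    if hops:
        findings["off_host_redirect"] = 3
    return {"findings": findings, "redirect_targets": hops,
            "score": sum(findings.values())}


# Constructed sample: the first-hop blogger page that only forwards the visitor.
SAMPLE_BLOGGER_PAGE = r"""<html><body>
<!-- constructed sample: copied food-blog markup elided -->
<script>window.location.replace("https://aws1-console-login[.]us/login");</script>
</body></html>"""

# Constructed sample: a credential page showing the anti-analysis handlers.
SAMPLE_PHISH_PAGE = r"""<html><body><script>
document.oncontextmenu = function () { return false; };
function clickNS(e) { if (e.which == 2) return false; }
function clickIE() { if (event.button == 4) return false; }
document.onmousedown = clickNS;
document.onkeydown = function (e) {
  if (e.ctrlKey && e.keyCode == 85) { window.location.href = "#"; return false; }
};
function maskaraCPF(cpf) { return cpf; }
</script>
<form><input name="usuario"><input name="senha" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_BLOGGER_PAGE, "us1-eat-a-w-s.blogspot.com"))
    print(scan_page(SAMPLE_PHISH_PAGE, "aws1-console-login.us"))
```

The score is only a triage aid: context-menu blocking alone is common on legitimate sites, which is why the off-host replace hop and the CPF helper carry more weight than any single UI-suppression rule. Run it over the raw response body, not the DOM after rendering, so that scripts which never execute in a headless crawler are still inspected.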

Infrastructure Analysis

The phishing domain aws1-console-login[.]us was registered through Sav and then placed behind Cloudflare on 2023-01-31, the same day it was used in malicious ads. aws1-us-west[.]info was registered the day prior, and aws1-ec2-console[.]com on January 21, 2023.

For aws1-console-login[.]us, the attacker did not protect the WHOIS details, providing yet another interesting link to Brazil.

  • City: sao luis
  • State/Province: ma
  • Postal Code: 65076170
  • Country: BR
  • Phone: +55.99991638370
  • Email: pedrolimasantos065@gmail[.]com

Cloudflare was quick to confirm the abuse and responded by shutting down the account. Because of this fast action, ads may in some cases still appear on Google while the site itself is already offline.

Following the removal of the phishing domains from Cloudflare services, we can see the web servers’ true hosting location through passive DNS (PDNS) telemetry, which leads us to additional domains. As it turned out, the actors phishing for credentials with phony AWS login pages hosted these malicious websites on AWS itself.

For example, aws1-console-login[.]us was hidden behind 172.67.159.93 (Cloudflare). Following its removal from the service, the domain immediately resolved to 54.214.158.248 (AWS) instead. The same occurred for other associated domains, leading us to aws2-console-login[.]xyz.
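The pivot just described (a domain drops out from behind a reverse proxy, its origin IP becomes visible in passive DNS, and other domains sharing that origin surface) is mechanical enough to script. The code below is an added example, not Permiso’s or SentinelOne’s tooling. The domains and IPs come from this article; the passive-DNS records, their first-seen dates and the unrelated control domain are constructed for the example, and the 172.64.0.0/13 proxy prefix is an assumed Cloudflare range that should be checked against the provider’s published list before use.

```python
"""Passive-DNS pivot from a proxy-fronted phishing domain to its origin host.

Added example (not the vendor's code). Records are constructed to mirror
the behaviour described above; indicators stay defanged with [.]"""
import ipaddress
from collections import defaultdict

# Assumed reverse-proxy range; verify against the provider's published prefixes.
PROXY_PREFIXES = [ipaddress.ip_network("172.64.0.0/13")]

# Constructed PDNS records: (domain, ip, first_seen). Dates are illustrative.
PDNS_RECORDS = [
    ("aws1-console-login[.]us", "172.67.159.93", "2023-01-31"),
    ("aws1-console-login[.]us", "54.214.158.248", "2023-02-01"),
    ("aws2-console-login[.]xyz", "54.214.158.248", "2023-02-01"),
    ("aws1-ec2-console[.]com", "35.167.172.179", "2023-01-21"),
    ("aws1-us-west[.]info", "35.167.172.179", "2023-01-30"),
    ("example-unrelated[.]test", "203.0.113.10", "2023-01-15"),  # control, TEST-NET
]


def refang(indicator):
    return indicator.replace("[.]", ".")


def defang(host):
    return host.replace(".", "[.]")


def is_proxy_ip(ip):
    """True when the address sits inside one of the known reverse-proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_PREFIXES)


def origin_ips(records, domain):
    """Non-proxy IPs the domain has resolved to, ordered by first_seen."""
    wanted = refang(domain)
    hits = sorted((seen, ip) for d, ip, seen in records
                  if refang(d) == wanted and not is_proxy_ip(ip))
    return [ip for _, ip in hits]


def pivot(records, domain):
    """Other domains sharing the origin IPs of `domain`, keyed by origin IP."""
    wanted = refang(domain)
    origins = set(origin_ips(records, domain))
    related = defaultdict(set)
    for d, ip, _ in records:
        if ip in origins and refang(d) != wanted:
            related[ip].add(d)
    return {ip: sorted(ds) for ip, ds in related.items()}


def proxy_to_origin_transitions(records):
    """Domains first seen behind the proxy range and later on a direct IP.

    Returns each such domain with its resolution history in first_seen order."""
    history = defaultdict(list)
    for d, ip, seen in records:
        history[refang(d)].append((seen, ip))
    out = {}
    for d, hist in history.items():
        ips = [ip for _, ip in sorted(hist)]
        if is_proxy_ip(ips[0]) and any(not is_proxy_ip(ip) for ip in ips[1:]):
            out[defang(d)] = ips
    return out


if __name__ == "__main__":
    print(proxy_to_origin_transitions(PDNS_RECORDS))
    print(pivot(PDNS_RECORDS, "aws1-console-login[.]us"))
```

Ordering by first_seen matters: the proxy-to-origin transition is the signal that the takedown exposed the real host, and a domain that simply resolved to a cloud IP from day one is not the same finding. A shared origin IP is a lead to verify, not an attribution by itself, since cloud addresses are reassigned.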

Conclusion

The proliferation of malicious Google Ads leading to AWS phishing websites represents a serious threat to not just average users, but network and cloud administrators. The ease with which these attacks can be launched, combined with the large and diverse audience that Google Ads can reach, makes them a particularly potent threat.

Indicators of Compromise

Indicator                        Description
us1-eat-a-w-s.blogspot[.]com     Malicious Blogger site; destination of the advertisement, redirects to the active phishing domain
aws1-console-login[.]us          AWS phishing domain
aws2-console-login[.]xyz         AWS phishing domain
aws1-ec2-console[.]com           AWS phishing domain
aws1-us-west[.]info              AWS phishing domain
54.214.158.248                   Legitimate Amazon Web Services IP hosting phishing pages
35.167.172.179                   Legitimate Amazon Web Services IP hosting phishing pages
pedrolimasantos065@gmail[.]com   Phishing domain registrant email

KrebsOnSecurity in Upcoming Hulu Series on Ashley Madison Breach

KrebsOnSecurity will likely have a decent amount of screen time in an upcoming Hulu documentary series about the 2015 megabreach at marital infidelity site Ashley Madison. While I can’t predict what the producers will do with the video interviews we shot, it’s fair to say the series will explore compelling new clues as to who may have been responsible for the attack.

The new docuseries produced by ABC News Studios and Wall to Wall Media is tentatively titled, “The Ashley Madison Affair,” and is slated for release on Hulu in late Spring 2023. Wall to Wall Media is part of the Warner Bros. International Television Production group.

“Featuring exclusive footage and untold firsthand interviews from those involved, the series will explore infidelity, morality, cyber-shaming and blackmail and tell the story of ordinary people with big secrets and a mystery that remains unsolved to this day,” reads a Jan. 12, 2023 scoop from The Wrap.

There are several other studios pursuing documentaries on the Ashley Madison breach, and it’s not hard to see why. On July 19, 2015, a hacker group calling itself The Impact Team leaked Ashley Madison internal company data, and announced it would leak all user data in a month unless Ashley Madison voluntarily shut down before then.

A month later, The Impact Team published more than 60 gigabytes of data, including user names, home addresses, search history, and credit card transaction records. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. It’s impossible to say how many users lost their jobs or marriages as a result of the breach.

I’m aware that there are multiple studios working on Ashley Madison documentaries because I broke the story of the breach in 2015, and all of those production houses approached me with essentially the same pitch: It would be a shame if your voice wasn’t included in our project.

What stood out about the inquiry from Wall to Wall was that their researchers had already gathered piles of clues about the breach that I’d never seen before.

I’d assumed that participating in their documentary would involve sitting for a few interviews about known historical facts related to the breach. But when Wall to Wall shared what they’d found, I was hooked, and spent several weeks investigating those leads further.

The result was a collaborative research effort revealing key aspects of the breach that have somehow escaped public notice over the years.

I won’t go into detail on what we discovered until the Hulu series is ready for release. Also, I am not privy to what they will produce with the interviews I gave. I can’t say that what we found untangles everything about the breach that was previously unknown, but it sure explains a lot.

CFO Insights | Exploring the Financial Benefits of Adopting Endpoint Security

Over the past two-and-a-half years while I’ve served as Chief Financial Officer at SentinelOne, one thing has become glaringly apparent: the increasing role that Chief Financial Officers (CFOs) now play in staunching the rise in cybersecurity threats.

As technological infrastructures grow, increasing numbers and severity of attacks have put organizations across every industry at severe risk. A CFO’s main responsibility is to maximize their organization’s value, and increased risk threatens that value. Even one successful attack on a business can negatively impact revenues, expenses, and cash flows.

In close partnership with other C-level executives, CFOs can help safeguard their business from a financial point of view by investing in the right processes and technologies. In this post, we’ll explore how a vested interest in understanding and assessing security technology helps CFOs maximize their company’s value while contending with advancing cyber threats.

The True Cost of Endpoint Data Breaches

Hybrid workspaces and soaring numbers of endpoint devices have become prime targets for cybercriminals. Used to gain access to sensitive information and disrupt business operations, risks on the endpoint surface directly affect an organization’s finances. IBM’s Cost of a Data Breach Report 2022 found the following:

  • The cost of data breaches stood at an averaged total of $4.35 million.
  • The cost of an average ransomware attack, not including the cost of the ransom, came to $4.54 million.
  • Companies that had robust incident response (IR) teams and plans saved an average of $2.66 million.

The financial loss stemming from a successful cyberattack goes beyond the immediate costs – ransom payments, extortion fees, damage to IT infrastructure – and extends into long-term ramifications too. Fallout from even one cyber attack can cost an organization months of legal fees, penalties for those in highly regulated fields, operational downtime, and a long-lasting damage of brand and reputation. Organizations that handle personally identifiable information (PII) must face drastically higher costs with affected customers filing lawsuits of their own. While media outlets focus on loss of customer data, the loss of intellectual property (IP) can also devastate a company’s projected growth.

A CFO’s Role in Cybersecurity & Endpoint Understanding

Finance departments oversee all levels of data reporting and CFOs are in tune with where sensitive information is stored, what safeguards are in place, and who has access to it. This makes the CFO a critical player in the effort to strengthen a company’s cybersecurity posture. With endpoints at the heart of every organization, CFOs can help ensure that the right security is in place by implementing endpoint security such as endpoint detection and response (EDR) and extended detection and response (XDR) solutions.

By working closely with an organization’s Chief Information Security Officer (CISO) and technical teams, CFOs can accurately assess the risks associated with their organization’s endpoint devices and determine the appropriate investment level in endpoint security. This may include setting a budget for endpoint security solutions, security staffing, and regularly reviewing the organization’s endpoint security posture to ensure it remains effective in protecting against emerging threats.

Cybersecurity systems not only ensure businesses are protected from fluctuating risks in the threat landscape, but also benefit the organizational growth in the following ways:

  • Securing current valuation: Organizations that are unprotected and unprepared will be most vulnerable to the exponential cost of an attack. Robust endpoint security solutions ensure organizations keep their risks low and can obtain cyber insurance at reasonable rates, which requires businesses to show effective security measures.
  • Establishing long-term sustainability: Building up a strong cyber resilience means continuing the success and growth of an organization. Protected organizations uphold a positive reputation within their communities and are seen as fiscally responsible, making them the ideal choice for prospective clients and partners.
  • Improving overall risk management: C-level executives are focused on business critical items affecting the organization. When cybersecurity receives buy-in from the top of the company, cyber policies and procedures are more likely to be followed and improved for ongoing risk mitigation and management.

Understanding Endpoint Security Attack Vectors

The more a CFO understands the attack vectors associated with endpoints, the better they can allocate resources to reduce risk. CFOs can unite IT staff, operations, security, and legal teams to make sure that their organization’s endpoint devices are properly secured and compliant with relevant regulations.

Securing Endpoint Users

Increasingly, the endpoint has become the forefront of information security and the true perimeter of the enterprise. Users now have more control over their endpoints than ever. Even if they can’t install their own programs, remote work allows users to choose which tools they want added to the cloud and where in the world they connect to work from. This freedom of choice means that a user’s endpoint has transformed into the most exposed target for malicious actors looking to target the enterprise.

As such, protecting endpoints at the user level is crucial to maintaining security across an organization. To protect against human errors, misconfigurations, or malicious insider threats, CFOs can collaborate with the CISO to conduct regular cybersecurity awareness training and instill the notion that endpoint protection is not an obstacle to work processes, but instead, a vital element of it.

Securing IoT Devices

Internet of Things (IoT) devices are a common attack vector in endpoint security, but organizations continue to adopt their use as a means to streamline workflows and communications. Without an endpoint detection solution in place, IoT devices may become blind spots where opportunistic attackers make their entry point. A solution such as EDR or XDR provides continuous monitoring, identifying and mitigating risks introduced by unmonitored IoT devices. By providing visibility into security gaps, having an endpoint security solution saves CFOs from needing to invest in additional scanning services.

A CFO’s Checklist | How to Assess the Cost of Endpoint Security

Cost optimization and scalability fall under the responsibility of any CFO. When assessing the upfront costs of robust endpoint security, here are some best practices CFOs can consider when selecting the right solution to match the needs of their business:

  • Assess the financial impact of endpoint security breaches and determine the appropriate level of investment in endpoint security solutions and staff.
  • Allocate budget for endpoint security solutions and technical staff to minimize the risks associated with endpoint security.
  • Review the organization’s endpoint security posture regularly to ensure that resources are being used efficiently and effectively.
  • Evaluate the costs of implementing and maintaining endpoint security solutions such as EDR or XDR as well as the potential security breach costs.
  • Work closely with the technical leads to assess the risks associated with the organization’s endpoint devices and determine the appropriate level of investment in endpoint security.
  • Engage the Board of Directors and Audit Committee to ensure that their security expectations are being achieved.
  • Review service level agreements (SLAs) if pursuing a solution that provides managed security services and ensure they are adequate for the organization’s needs.
  • Ensure compliance with all relevant endpoint security and data protection regulations.
  • Consider the financial implications of endpoint security, taking into account the costs and benefits of different security solutions and making informed decisions about implementing endpoint security measures.

SentinelOne’s Endpoint Solution in Action | Case Studies

Hitachi Consulting Protects Their Global Remote Workforce with Endpoint Protection

Hitachi Consulting relies on robust endpoint protection to defend the digital solutions they provide for their 6500 global clients against malicious attacks. Working closely with both clients and partners alike to deliver those solutions, it was imperative for the organization to secure against threats that could impact the entire Hitachi data ecosystem.

Essential success factors for Hitachi were strong protection for the endpoint and autonomous processes. They sought an endpoint security solution that required very little administrative overhead while proving capable of eliminating threats rapidly.

SentinelOne’s single, purpose-built agent was selected to detect, prevent, and respond to advanced cyberthreats and provide the Hitachi team with complete visibility and telemetry for all their individual endpoints. The SentinelOne EPP currently protects more than 6000 endpoints for the organization and saves both time and resources, minimizing the budget once needed for extensive administration and maintenance. Read more here.

Samsung SDS Reinforces Proactive Endpoint Security

To defend against fileless malware and ransomware attacks and strengthen their network boundary security, Samsung SDS recognized the need for IP and URL analysis in response to a changing threat landscape.

After testing various EDRs, the global electronics corporation adopted SentinelOne EPP (endpoint protection platform) for its autonomous, AI-based defenses against zero-day vulnerabilities, malware, ransomware, and new attacks not solvable by next-gen antivirus software.

Post implementation, the single-agent design lessened resource impact and operating costs. By automatically and safely blocking threats without involvement from the user, the EPP minimized the use of endpoint device resources despite providing many analysis functions. Read more here.

Morgan Sindall Uses AI Protection to Safeguard Complex Value Chain

Construction and infrastructure group Morgan Sindall sought to expand their endpoint protection, as their work on critical national infrastructure involves sensitive data and intellectual property. The group required a security solution that supported their high-volume data flow while simultaneously minimizing the attack surface through effective, automatic remediation.

Fast deployment and minimal interruptions to Morgan Sindall’s 6600 users were key. Their teams worked across multiple operating system platforms and had a mixture of both Windows and Linux machines, so relied on an efficient and effective deployment process to get protection up and running quickly.

SentinelOne’s AI-based protection platform drastically reduced the onboarding time, saving resources that would otherwise have been directed to the longer, drawn-out deployment to all endpoints that other solutions required. Further, SentinelOne’s endpoint security provided a high level of effectiveness that allowed Morgan Sindall maximum flexibility during the COVID-19 pandemic, enabling revenue generation to continue through unprecedented times. Read more here.

Conclusion

CFOs that view cybersecurity as a means of business development and long-term resilience, rather than an additional cost center, can help protect their organization from increasingly complex cyber threats. A key part in establishing a business’s security posture relies on CFOs identifying the financial risks associated with data leaks, insider threats, or ransomware attacks. Responsible for the financial security of an organization, CFOs need to communicate the importance of company-wide security investments and underline both the financial benefits as well as the cost of successful attacks.

Organizations across various industries trust SentinelOne to help safeguard their endpoint surface through AI-driven threat hunting and autonomous EDR capabilities. SentinelOne offers in-depth guidance on how to enhance their enterprises’ overall security posture and protect them from incoming threats, no matter how advanced. Learn more by booking a demo or contacting us today.


Finland’s Most-Wanted Hacker Nabbed in France

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

The DDoS-for-hire service allegedly operated by Kivimäki in 2012.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.

Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.

Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17), he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

“The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Kivimäki is now crowing about the sentence; he’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.

Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.

“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

The Good, the Bad and the Ugly in Cybersecurity – Week 5

The Good

This week the FTC handed out a $1.5 million penalty to a U.S. healthcare company that promised its customers it would “never share personal health information with advertisers or third parties” and then allegedly did precisely that.

The Department of Justice filed an enforcement action on behalf of the FTC against GoodRx under its new Health Breach Notification rule. The complaint against the company accused it of failing to notify customers about unauthorized disclosure of health PII (personally identifiable information). According to the FTC, GoodRx repeatedly shared individually identifiable health information over a four-year period with Facebook, Google, Twilio, Branch, and Criteo.

The FTC went on to complain that GoodRx had uploaded contact details of its own customers to Facebook along with advertising IDs, and that it used privileged information about those customers’ previous medication purchases to target their profiles with health-related ads. In doing so, the company exposed their information to Facebook, which itself is facing multiple ongoing lawsuits related to scraping data from hospital websites for use in targeted ads.

FTC director Samuel Levine said of the action that “Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information” and that the FTC would continue to use its legal authority to protect American consumers.

The Bad

SIM swapping attacks, where a threat actor impersonates a customer of a mobile phone carrier and requests a transfer of the customer’s number to a new device, have been utilized to pull off some high profile hacks recently. This week, it’s bad news for Google Fi customers, who have been targeted by hackers that gained access to technical SIM data after breaching a Google Fi network provider.

Google’s U.S. telecommunications and mobile internet service, Google Fi, informed customers this week that personal data had been exposed after a breach of one of its network providers. Google notified customers that the incident had exposed their phone numbers, SIM card serial numbers, and other details. However, the company emphasized that there was no access to Google’s systems or any systems overseen by Google.

Users on social media, however, soon began reporting notifications from Google Fi that described SIM swapping attacks.


SIM swapping attacks allow the attacker to receive both phone calls and SMS text messages intended for the legitimate user and, among other things, allow attackers to intercept text-based 2FA authentication messages.

Google says its incident response team investigated the breach and implemented measures to secure data on the provider’s system and notified everyone potentially impacted. The SIM swapping attacks were temporary and Google Fi has since restored service to all customers’ registered SIM cards.

The Ugly

Threat actors have been creating malicious OAuth applications as part of a phishing campaign aimed at breaching Microsoft cloud services, it was revealed this week.

According to MSRC, threat actors ran a consent phishing campaign after impersonating companies enrolling in MCPP/MPN (Microsoft Cloud Partner Program, aka Microsoft Partner Network). Consent phishing works by tricking users into granting permissions to malicious cloud applications that can then be weaponized to compromise legitimate cloud services and access sensitive data.

Once victims granted access to the malicious OAuth apps, threat actors used them to exfiltrate email mailboxes, likely with the further objective of using the stolen data in email reply-chain attacks, business email compromise (BEC), and spear phishing attacks.

The campaign, which primarily targeted MCPP customers in the UK and Ireland, was first spotted on December 15th last year, with the actors using fraudulent partner accounts to register OAuth applications in Azure AD that appeared to be from verified publishers.
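The defender-side counterpart to the activity described above, as an added example that is not Microsoft's or the original post's code: a small triage script that reads consent-grant audit events and flags grants that request mailbox scopes, come from an unverified publisher, or were granted tenant-wide. The record layout and field names are assumptions standing in for a real audit export, and the sample events are constructed.

```python
"""Triage OAuth consent grants for signs of consent phishing.
Added example, not Microsoft's tooling: the record layout is a constructed,
simplified stand-in for "Consent to application" audit events (field names are assumptions)."""
import json

# Scopes that let an app read a user's mailbox, the data the campaign above went after.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "IMAP.AccessAsUser.All"}

# Constructed sample events as JSON lines, not real tenant data.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2022-12-15T09:12:00Z", "operation": "Consent to application",
     "user": "alice@example.test", "app": "Contoso Sync", "publisher_verified": True,
     "consent_type": "user", "scopes": ["User.Read", "offline_access"]},
    {"time": "2022-12-15T09:40:00Z", "operation": "Consent to application",
     "user": "bob@example.test", "app": "Mail Backup Pro", "publisher_verified": False,
     "consent_type": "user", "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"time": "2022-12-15T10:05:00Z", "operation": "Consent to application",
     "user": "admin@example.test", "app": "HelpDesk Connector", "publisher_verified": True,
     "consent_type": "admin", "scopes": ["Mail.ReadWrite"]},
    {"time": "2022-12-15T10:30:00Z", "operation": "Add user",
     "user": "admin@example.test", "app": "", "scopes": []},
])

def risk_reasons(event):
    """Return why a consent event deserves review; an empty list means no finding."""
    if event.get("operation") != "Consent to application":
        return []
    reasons = []
    mail = sorted(set(event.get("scopes", [])) & MAIL_SCOPES)
    if mail:
        reasons.append("mailbox access: " + ", ".join(mail))
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")
    if event.get("consent_type") == "admin":
        reasons.append("tenant-wide admin consent")
    return reasons

def triage(log_text):
    """Parse JSON-lines audit text and return the grants that need review."""
    flagged = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        if reasons := risk_reasons(event):
            flagged.append({"time": event["time"], "user": event["user"],
                            "app": event["app"], "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["app"], "->", "; ".join(hit["reasons"]))
```

Run against a real export, the same three checks give an analyst a short list to review for apps that look like verified partners but were consented to by ordinary users.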

The Redmond tech giant says that all identified fraudulent applications have now been disabled and affected customers informed. Even so, it comes amid turbulent times for the company. Despite announcing security sales of over $20 billion in 2022, the company’s products across endpoint and cloud remain notorious for multiple high-impact vulnerabilities and cloud-based attack vectors.

Attacks using bogus OAuth apps have targeted Microsoft’s cloud services before, with separate threat activities seen in January 2022 and September 2022, according to reports.