The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good

The Biden administration signed a new executive order this week; the latest in an effort to prohibit U.S. government agencies from buying and using commercial spyware operationally. Targeting spyware’s increasing threat to national security and its implication in human rights abuse, the President called for an international coalition focused on combating spyware as a whole.

Governments across the globe have been known to collect troves of sensitive data for law enforcement and intelligence purposes. As use of spyware grew to meet these needs, the tools have inevitably been made available to opposing entities who have used them to meet their goals of abuse and oppression.

Spyware has long been marked as a high-level issue. The order emphasized that commercial spyware poses counterintelligence and security risks to the U.S. government if used by foreign governments or persons to gain access to U.S. computers and its data without authorization. Further, spyware is often used to collect information on political figures, dissents, activists, academics, journalists, or members of marginalized communities for the purpose of intimidation.

While President Biden’s executive order does allow some exceptional use cases, it represents a clear step towards the clamp down on using commercial spyware for non-testing purposes. The impact of modern-day technology on government systems and human rights continues to grow and it is likely that more issues will arise from these intersections and highlight the continued need to regulate, oversee, and audit new advancements in technology.

The Bad

A new comprehensive toolset is being sold to threat actors through private Telegram channels, SentinelLabs researchers reported this week. Dubbed ‘AlienFox’, this toolset enables actors to perform scans for misconfigured servers and extract API keys and secrets from AWS, Google, and Microsoft.

Analyzing three versions of AlienFox, researchers noted that the malware is being used to enumerate misconfigured hosts through security scanning services such as LeakIX and SecurityTrails. The AlienFox operators search for vulnerable services that are associated with widely-used frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Finally, the operators leverage various scripts provided in the toolset to harvest credentials and sensitive data from configuration files that are exposed on compromised servers of cloud-based email platforms.

Currently, the most recent version of the toolset has been able to establish persistence on a compromised Amazon Web Services (AWS) account, escalate privileges, and automate a spam campaign. This version also has added an account-checking capability along with an automated cryptocurrency wallet seed cracker for Ethereum and Bitcoin.

Wallet seed generation in ETH.py
Wallet seed generation in ETH.py

The cyber defense community continues to see a rise in attacks on cloud services, particularly for the purpose of expanding subsequent threat campaigns. This is reflected in AlienFox’s highly modular nature, which is observed to be accommodating new features and improvements to attract new buyers and secure renewals from existing ones. Organizations can defend themselves from AlienFox tools by establishing strict configuration management and least privilege practices. Leveraging a Cloud Workload Protection Platform (CWPP) on virtual machines and containers is also key in detecting suspicious activity with the OS before full compromise can occur.

The Ugly

An ongoing cyberattack has occupied the emergency response of international VoIP software developer, 3CX, for the past week as threat actors leverage a trojanized version of their 3CX DesktopApp. The full impact of the continuing attack is unknown so far, though 3CX’s suite of products service over 12 million users in 190 countries with big names like the UK’s National Health Service, Ikea, and American Express as part of their clientele.

A report published by SentinelLabs researchers explains that use of the trojanized 3CX DesktopApp is just the first stage in the multi-stage supply chain attack currently tracked under the campaign name, SmoothOperator.

Infection begins with an MSI installer being downloaded from the official 3CX website or a user pushes an update to an already-installed desktop application. Following initial infection, the actors behind SmoothOperator take advantage of a DLL side-loading technique designed to pull icon file (ICO) payloads appended with Base64 data from GitHub. The malware uses these Base64 strings to download the final payload which then steals credentials and sensitive data housed in popular browsers.

3CX has since released a security alert announcing the imminent release of a new build. In the meantime, the company advises its users to uninstall the desktop app or switch over to the PWA agent in the meantime. In a blog post by 3CX posted the same day, the company divulged that the issue was seemingly associated with one of the bundled libraries compiled into the Electron Windows App via GIT.

The SmoothOperator supply chain campaign is a developing story and more details may come to light in coming days. SentinelOne customers are protected against SmoothOperator with no additional action required.

German Police Raid DDoS-Friendly Host ‘FlyHosting’

Authorities in Germany this week seized Internet servers that powered FlyHosting, a dark web offering that catered to cybercriminals operating DDoS-for-hire services, KrebsOnSecurity has learned. FlyHosting first advertised on cybercrime forums in November 2022, saying it was a Germany-based hosting firm that was open for business to anyone looking for a reliable place to host malware, botnet controllers, or DDoS-for-hire infrastructure.

A seizure notice left on the FlyHosting domains.

A statement released today by the German Federal Criminal Police Office says they served eight search warrants on March 30, and identified five individuals aged 16-24 suspected of operating “an internet service” since mid-2021. The German authorities did not name the suspects or the Internet service in question.

“Previously unknown perpetrators used the Internet service provided by the suspects in particular for so-called ‘DDoS attacks’, i.e. the simultaneous sending of a large number of data packets via the Internet for the purpose of disrupting other data processing systems,” the statement reads.

News of a raid on FlyHosting first surfaced Thursday in a Telegram chat channel that is frequented by people interested or involved in the DDoS-for-hire industry, where a user by the name Dstatcc broke the news to Fly Hosting customers:

“So Flyhosting made a ‘migration’ with it[s] systems to new rooms of the police ;),” the warning read. “Police says: They support ddos attacks, C&C/C2 and stresser a bit too much. We expect the police will take a deeper look into the files, payment logs and IP’s. If you had a server from them and they could find ‘bad things’ connected with you (payed with private paypal) you may ask a lawyer.”

An ad for FlyHosting posted by the the user “bnt” on the now-defunct cybercrime forum BreachForums. Image: Ke-la.com.

The German authorities said that as a result of the DDoS attacks facilitated by the defendants, the websites of various companies as well as those of the Hesse police have been overloaded in several cases since mid-2021, “so that they could only be operated to a limited extent or no longer at times.”

The statement says police seized mobile phones, laptops, tablets, storage media and handwritten notes from the unnamed defendants, and confiscated servers operated by the suspects in Germany, Finland and the Netherlands.

KrebsOnSecurity has asked the German police for more information about the target of their raids. This post will be updated in the event they respond.

The apparent raids on FlyHosting come amid a broader law enforcement crackdown on DDoS-for-hire services internationally. The U.K.’s National Crime Agency announced last week that it’s been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services.

In mid-December 2022, the U.S. Department of Justice (DOJ) announced “Operation Power Off,” which seized four-dozen DDoS-for-hire domains responsible for more than 30 million DDoS attacks, and charged six U.S. men with computer crimes related to their alleged ownership of popular DDoS-for-hire services.

SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack

By Juan Andres Guerrero-Saade, Asaf Gilboa, David Acs, James Haughom & SentinelLabs

Executive Summary

  • As of Mar 22, 2023 SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.
  • Behavioral detections prevented these trojanized installers from running and led to immediate default quarantine.
  • The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of writing.
  • At this time, we cannot confirm that the Mac installer is similarly trojanized. Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks.
  • The compromise includes a code signing certificate used to sign the trojanized binaries.
  • Our investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat clusters.

Background

3CXDesktopApp is a voice and video conferencing Private Automatic Branch Exchange (PABX) enterprise call routing software developed by 3CX, a business communications software company. The company website claims that 3CX has 600,000 customer companies with 12 million daily users. 3CX lists customer organizations in the following sectors:

  • Automotive
  • Food & Beverage
  • Hospitality
  • Managed Information Technology Service Provider (MSP)
  • Manufacturing

The 3CX PBX client is available for Windows, macOS, and Linux; there are also mobile versions for Android and iOS, as well as a Chrome extension and a Progressive Web App (PWA) browser-based version of the client.

PBX software makes an attractive supply chain target for actors; in addition to monitoring an organization’s communications, actors can modify call routing or broker connections into voice services from the outside. There have been other instances where actors use PBX and VOIP software to deploy additional payloads, including a 2020 campaign against Digium VOIP phones using a vulnerable PBX library, FreePBX.

Campaign Overview

As others have noted, SentinelOne began automatically detecting and blocking the activity over the span of the week, prior to our active investigation of the campaign.

As we actively analyze the malicious installer, we see an interesting multi-stage attack chain unfolding. The 3CXDesktopApp application serves as a shellcode loader with shellcode executed from heap space. The shellcode reflectively loads a DLL, removing the “MZ” at the start. That DLL is in turn called via a named export ‘DllGetClassObject’ with the following arguments:

1200 2400 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) 3CXDesktopApp/18.11.1197 
Chrome/102.0.5005.167 Electron/19.1.9 Safari/537.36”

as well as the size of this User-Agent string.

This stage will in turn download icon files from a dedicated Github repository:

https://github[.]com/IconStorages/images

These ICO files have Base64 data appended at the end. That data is then decoded and used to download another stage. At this time, the DLL appears to be a previously unknown infostealer meant to interface with browser data, likely in an attempt to enable future operations as the attackers sift through the mass of infected downstream customers. We have issued a takedown request for this repository.

The final stage (cad1120d91b812acafef7175f949dd1b09c6c21a) implements infostealer functionality, including gathering system information and browser information from Chrome, Edge, Brave, and Firefox browsers. That includes querying browsing history and data from the Places table for Firefox-based browsers and the History table for Chrome-based browsers.

Infostealer strings used to query for History and Places tables
Infostealer strings used to query for History and Places tables

SentinelOne Protects Against SmoothOperator

Recommendations

For SentinelOne customers, no action is needed. We’ve provided technical indicators to benefit all potential victims in hunting for the SmoothOperator campaign.

Indicators of Compromise

URL github[.]com/IconStorages/images
Email cliego.garcia@proton.me
Email philip.je@proton.me
Domain akamaicontainer[.]com
Domain akamaitechcloudservices[.]com
Domain azuredeploystore[.]com
Domain azureonlinecloud[.]com
Domain azureonlinestorage.com
Domain convieneonline[.]com
Domain dunamistrd[.]com
Domain glcloudservice[.]com
Domain journalide[.]org
Domain msedgepackageinfo[.]com
Domain msstorageazure[.]com
Domain msstorageboxes[.]com
Domain officeaddons[.]com
Domain officestoragebox[.]com
Domain pbxcloudeservices[.]com
Domain pbxphonenetwork[.]com
Domain pbxsources[.]com
Domain qwepoi123098[.]com
Domain Soyoungjun[.]com
SHA-1 20d554a80d759c50d6537dd7097fed84dd258b3e
SHA-1 bf939c9c261d27ee7bb92325cc588624fca75429
SHA-1 cad1120d91b812acafef7175f949dd1b09c6c21a

Meeting the TSA Cybersecurity Requirements for Airports and Aircraft with SentinelOne Singularity XDR

The recent announcement by the Transportation Security Administration (TSA) mandating new cybersecurity requirements for airports and aircraft highlights the need for robust cybersecurity measures in the aviation industry. These requirements apply to all U.S. airports and airlines that operate commercial flights, with non-compliance resulting in penalties, legal action, and reputational damage.

This post delves deeper into the new TSA cybersecurity requirements and how SentinelOne Singularity XDR can help enterprises and federal agencies meet these requirements.

The New TSA Cybersecurity Requirements

The new cybersecurity amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.

The amendment emphasizes performance-based measures, requiring impacted entities to assess the effectiveness of these measures proactively.

The TSA cybersecurity requirements aim to strengthen the security of aviation systems and protect against cyber threats. The requirements include:

  • Stronger access controls
  • Regular vulnerability assessments
  • Incident response plans
  • Adoption of cybersecurity best practices, such as encryption and multi-factor authentication
  • Micro-segmentation to reduce the attack surface

The emergency amendment mandates the following actions for impacted TSA-regulated entities:

  • Develop network segmentation policies and controls to ensure that operational technology systems can continue to operate safely in the event that an information technology system has been compromised, and vice versa
  • Create access control measures to secure and prevent unauthorized access to critical cyber systems
  • Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations
  • Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology

The new requirements highlight the need for a comprehensive and proactive cybersecurity approach. By leveraging solutions such as SentinelOne Singularity XDR, enterprises in the aviation industry can improve their security posture, meet the new TSA cybersecurity requirements, and ensure compliance.

SentinelOne Singularity XDR for Meeting the TSA Cybersecurity Requirements

SentinelOne Singularity XDR is a comprehensive solution that can help enterprises in the aviation industry improve their security posture, meet the new TSA cybersecurity requirements, and ensure compliance.

The following are the key functionalities of SentinelOne Singularity XDR and their business outcomes that can help enterprises meet these requirements:

Scalability and Manageability

SentinelOne’s firewall control solution is highly scalable and easy to manage. It has a central management architecture that simplifies policy management and ensures consistency, making it easier to meet the TSA’s requirements. Unlike Microsoft solutions, which can be difficult to manage, SentinelOne supports cross-OS management, enabling enterprises to manage micro-segmentation policies dynamically across multiple operating systems, including Windows, macOS, and Linux.

Business Outcomes:

  • Reduced operational overheads
  • Improved security posture
  • Simplified policy management

Easy-to-Implement Micro-Segmentation

Micro-segmentation is critical to reducing the attack surface in enterprise environments.

SentinelOne Singularity XDR provides easy-to-implement micro-segmentation, which improves visibility and strengthens overall security posture.

Business Outcomes:

  • Reduced attack surface
  • Improved visibility
  • Strengthened overall security posture

Dynamic Policy Assignment Based on Endpoint Tags and Location Awareness

Dynamic policy assignment based on endpoint tags and location awareness is essential to managing micro-segmentation effectively. SentinelOne Singularity XDR enables enterprises to dynamically and automatically determine what firewall policies to assign to specific machines based on location, simplifying policy management and enhancing security.

The tagging of policy assignments across different scopes and the ability to assign policies per application instead of per machine makes SentinelOne Singularity XDR a highly scalable solution.

Business Outcomes:

  • Improved efficacy of security policies
  • Reduced time spent managing endpoint policies
  • Enhanced security posture

Advanced Multi-Tenancy and Inherited Policies

SentinelOne Singularity XDR’s advanced multi-tenancy provides a centralized console for managing security policies, alerts, and incidents for multiple customers, making it ideal for enterprises with multiple sub-agencies, such as federal agencies. Additionally, SentinelOne Singularity XDR supports inherited policies, which are dynamically assigned per application, making it easier to manage policies across large-scale environments.

Business Outcomes:

  • Streamlined security operations
  • Simplified policy management
  • Reduced operational overheads

Conclusion

The TSA cybersecurity requirements mandate robust cybersecurity measures to protect against cyber threats in the aviation industry. SentinelOne Singularity XDR can help enterprises meet these requirements by providing advanced multi-tenancy, dynamic policy assignments based on endpoint tags, and easy-to-implement micro-segmentation.

By leveraging these functionalities, enterprises can improve their security posture, reduce the risk of cyber attacks, and ensure compliance with the new TSA cybersecurity requirements.

To learn more about how SentinelOne https://www.sentinelone.com/platform/singularity-xdrSingularity XDR can help your enterprise meet compliance, contact us or request a demo.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response.

UK Sets Up Fake Booter Sites To Muddy DDoS Market

The United Kingdom’s National Crime Agency (NCA) has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services.

The warning displayed to users on one of the NCA’s fake booter sites. Image: NCA.

The NCA says all of its fake so-called “booter” or “stresser” sites — which have so far been accessed by several thousand people — have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks.

“However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators,” reads an NCA advisory on the program. “Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. Information relating to those based overseas is being passed to international law enforcement.”

The NCA declined to say how many phony booter sites it had set up, or for how long they have been running. The NCA says hiring or launching attacks designed to knock websites or users offline is punishable in the UK under the Computer Misuse Act 1990.

“Going forward, people who wish to use these services can’t be sure who is actually behind them, so why take the risk?” the NCA announcement continues.

The NCA campaign comes closely on the heels of an international law enforcement takedown involving four-dozen websites that made powerful DDoS attacks a point-and-click operation.

In mid-December 2022, the U.S. Department of Justice (DOJ) announced “Operation Power Off,” which seized four-dozen booter business domains responsible for more than 30 million DDoS attacks, and charged six U.S. men with computer crimes related to their alleged ownership of popular DDoS-for-hire services. In connection with that operation, the NCA also arrested an 18-year-old man suspected of running one of the sites.

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The United Kingdom, which has been battling its fair share of domestic booter bosses, started running online ads in 2020 aimed at young people who search the Web for booter services.

As part of last year’s mass booter site takedown, the FBI and the Netherlands Police joined the NCA in announcing they are running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

The First Line of Defense | Crafting an Impactful Incident Response Plan

Cybersecurity incidents are no longer black swan events in today’s world. In recent decades, they have become so common that few organizations are spared from the rippling effects of successful cyberattacks.

Having a strong incident response strategy is a crucial line of defense organizations have against threat actors. Depending on the type of incident and how impactful it is on the targeted organization, there are a large number of moving parts that make up the incident response process.

This blog post describes the essential elements of an effective cyber incident response plan. While there is no one way to build a cyber incident response plan, there are many key elements that security leaders can include to lead their organizations towards cyber preparedness.

The Importance of Having an Incident Response Plan

At its core, the incident response cycle involves detecting and identifying cyber threats followed by mitigation or containment, analysis, and lessons learned. Every cyber incident is different, and each one should be treated as a learning experience for the cyber incident response team.

If cyber incidents are not properly contained, they have the potential to cause significant impacts on the organization. Impacts can linger after the initial attack causing, in severe cases, loss of new business, damage to the organization’s reputation and branding, complex lawsuits, and even bankruptcy.

Treat Cyber Risk As A Strategic Risk

When planning cyber incident response, understanding the ‘why’ behind cybersecurity makes for a stronger foundation upon which leaders can build strategies, policies, and processes. As an example, let’s use Simon Sinek’s Golden Circle to frame out their approach to incident response. Sinek’s model consists of the following three questions in this order: Why? How? What?

  1. Why do we need cybersecurity in the organization? Leaders may answer that they must protect the confidentiality, integrity, and availability of their organization’s information and resources.
  2. How can we do that? Many organizations approach cybersecurity holistically, focusing on people, processes, and technology.
  3. What does that do to business? Senior leadership may tie security to meeting their mission and objectives as it helps them serve their customers and protect their stakeholder’s interests with trust and transparency.

When organizational leaders treat cyber risk as a strategic risk, it sets the tone within the organization to think about security before carrying out any task. In the case of cyber incident response, starting with ‘why’, empowers teams to take a proactive approach to incident response rather than a reactive approach.

Lay Out The Responsibilities of the Incident Response Team

The collective goal of a cybersecurity incident response team is to minimize the disruption and losses by identifying the incident in a timely manner and effectively mitigating the incident as quickly as possible.

Such a team commonly comprises experts from various business units. A collaborative effort is then coordinated to bring an incident to a quick resolution before the organization suffers from financial and reputational losses.

Though incident response teams will look different based on the size, industry, and needs of the business, they are typically responsible for the following key tasks:

  • Establishing Processes, Plans & Procedures – The incident response team takes into consideration the ‘why’ that leaders have defined. Processes are then tailored to meet that ‘why’ and identify clearly what an incident means to the organization. Using this, incident prioritization matrices and playbooks can be created based on likely security scenarios relevant to the business and industry.
  • Upkeeping An Incident Response Inventory – Incident response teams need to be aware of trending cyber threats and keep themselves updated on all critical assets within the organization. The availability of incident analysis resources such as network diagrams, contacts lists, and application inventory is a key success factor for incident response.
  • Incident Analysis – Incident response teams regularly evaluate and monitor for indicators of compromise and perform data collection activities for analysis. During active incidents, the team is responsible for determining if third-party support is needed to contain the threat. A security operations center (SOC) team plays a key role in this arena by identifying the incident indicators and responding to the incident timely. In recent times, organizations are using AI technology in their security stack to reduce mean-time-to-containment and respond to cyber threats effectively.
  • Communications & Reporting – Incident response teams follow predetermined channels for communications during and after a security incident. These channels will have outlined what needs to be reported, when it needs to be reported, and to whom it needs to be reported. As per the defined responsibilities, internal and external communications can be handled by the incident response team with direction from legal and PR teams. Notifying the appropriate cyber insurance providers, third party incident support, legal, and regulatory authorities as required can save organizations from liabilities and financial burdens.

Depending on the organization’s size, maturity, and industry, some roles within an incident response team can be overlapped. This is why defining responsibilities for each of the roles within the incident response plan is crucial to its success.

Determine Involvement From Internal & External Parties

A common misconception is that incident response is limited to IT and security teams, and no other parties are actively involved in dealing with a cyber incident. For a strong and cohesive incident response effort, incident response teams work best by knowing when to involve key contacts from other departments to carry out the plan.

Internal Dependencies

Incident response is a shared responsibility and champions from each department will need to be informed and trained in how best to support the incident response team during an active security event.

Internal dependencies refer to communications between the incident response team and representatives from IT, Physical Security, Legal, Risk Management, Human Resources, Public & Media Relations, Board of Advisors, and any other applicable head of department.

External Dependencies

External dependencies involve non-employees and non-owners of the company. This group refers to customers, vendors, third-party incident response partners, cyber insurance providers, legal representation, regulatory agencies, and law enforcement. The messaging to customers and vendors must be carefully directed by the Public & Media Relations team in consultation with the Legal team to ensure an approved and unified message is delivered across the board.

Involving cyber insurance providers and any third-party response partners is key from a financial perspective and from a response perspective. Often, incident response team members, including defined point of contacts, are responsible for notifying the proper regulatory bodies and law enforcement as legally required to avoid fines.

Define The Scope for Future Improvement

While it is important to document processes and policies before cyberattacks occur, incident response teams are also integral in improving them in the case of an incident. The team ensures that senior leadership makes time to evaluate lessons learned after incidents and close the loop on any identified gaps and remediation tasks.

By holding lessons learned sessions, incident response teams can help leaders evaluate performance effectiveness, identify systemic challenges, and improve capabilities going forward. This is an invaluable element in improving an organization’s security posture over time that is often overlooked. Defining the scope for future improvement looks like:

  • Post Incident Activities – It is important to understand what worked and what did not during the incident response process. Any suggestions to streamline the process or plan can help improve the overall incident response plan for future, similar events. Keeping a log of the incidents may also prove valuable to organizations to approach response in a more structured and streamlined manner as it creates a measurable benchmark teams can reference again.
  • Actionable Metrics – Defining metrics around incident categories allows organizations to take a look at their risk assessment process, which can help senior leaders iterate required controls and mitigation measures. Tracking similar types of incidents and understanding if the time per incident has decreased are strong indicators that prove the current incident response is working.
  • Updated Training & New Exercises – Carrying cross-functional periodic training and tabletop exercises can help the teams to prepare better and aid in identifying the gaps. Most importantly, it allows teams to understand how they need to communicate with each other and collaborate during the incident.

Conclusion

Successful incident response requires collaboration across an organization’s internal and external parties. As cyber incident response teams work on reducing the time-to-containment, it is essential for organizations to think about incident response holistically. A top-down approach where senior leadership encourages a culture of strong security encourages every department to do their part to support in case of an incident.

Security leaders from all industry verticals have partnered with SentinelOne to augment their security vision and safeguard their company’s critical data. As incident response teams and leaders work together to build security resilience and implement long-term initiatives, SentinelOne’s industry experts are on hand to assist organizations as they stand up their new strategies. Contact us for more information, or sign up for a demo today.

The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good

Dark forum site operator, ‘Pompompurin’, was arrested this week by U.S. law enforcement on the charge of conspiracy to commit access device fraud. One Conor Brian Fitzpatrick was arrested in his home where he admitted this alias and to owning and administrating the website, BreachForums, well-known across the cybercrime ecosystem for hosting stolen databases and selling personal data for fraudulent activities. Officials reported that Fitzpatrick had been under close investigation for over a year before the arrest.

Source

After the DoJ announced the successful seizure of the RaidForums website in April of 2022, it was widely speculated that Fitzpatrick created BreachForums as its successor. Since then, BreachForums has gained notoriety for being one of the most active hacker forums available to cybercriminals.

Under the Pompompurin alias, Fitpatrick quickly filled in the gap of selling and leaking sensitive information through social media, propelling the site to becoming one of the largest data leak forums of its kind. Fitzpatrick has also been connected to various high-profile cyberattacks, including those involving the FBI, Twitter, and popular online stock trading platform, Robinhood. At the time of its takedown, BreachForums had more than 330000 members, 47000 threads, and almost one million posts.

Though the site is now defunct, these seizures remain critical in the uphill fight against increasingly sophisticated cybercrime syndicates. BreachForums was just one of many leak sites and dark marketplaces causing ongoing damage to government organizations and enterprises of all industries. Just as BreachForums rose from the ashes of RaidForums, it is vital for businesses to remain vigilant with protecting their data from opportunistic threat actors as new forums inevitably continue to propagate.

The Bad

A new Go-based, DDoS-focused malware dubbed ‘HinataBot’ hit the scene this week, taking its name from the popular anime series, Naruto. According to researchers, the threat actors behind the new malware were first observed in December of last year and have since started to develop their own malware approximately two months ago. Current indications point to the malware’s active evolution as it is updated by its authors and operators.

HinataBot is written in Golang and is the latest in emerging Go-based threats that continue to proliferate in the cyber underground. Go is increasingly in use by attackers for its high performance and support for multiple architectures. Security researchers have noted that Go-based malware presents extra challenges to analyze and reverse engineer.

So far, samples of the malware have been discovered in HTTP and SSH honeypots, where they have been observed abusing weak credentials and old remote code execution (RCE) vulnerabilities from as far back as nearly a decade ago. Analysis on the infection process for HinataBot has shown exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), as well as exposed Hadoop YARN servers.

The discovery of HinataBot brings to light the responsibilities of organizations to deepen their visibility surrounding deployed services as well as weak spots in their overall infrastructure. In this case, nearly 10-year old vulnerabilities are still being exploited as threat actors continue to use overlooked or low-hanging resources to evade detection, build on new functionalities, and get a high return on through small investments.

The Ugly

In a joint technical report released this week by SentinelLabs researchers and QGroup GmbH, telecom providers in the Middle East have become the latest target in a long-running cyberattack campaign dubbed Operation Tainted Love. Based on the investigations, this campaign has been attributed to Chinese-based cyber espionage threat actors.

Initial attack vectors observed in the string of cyberattacks began with the infiltration of Internet-facing Microsoft Exchange servers to deploy web shells for command execution. After securing a foothold, the attacker conducted a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.

In the latest attacks on Middle Eastern telecom providers, the actors have been seen deploying a custom variant of Mimikatz called mim221 to facilitate lateral movement techniques and privilege escalation as well as all-new anti-detection and credential theft capabilities. Special-purpose modules like these underscore the threat actor’s drive to advance their toolset with a marked focus on stealth. Techniques noted by SentinelLabs researchers included in-memory mapping of malicious images to evade EDR API hooks and file-based detections, the termination of Event Log threads instead of the host process to inhibit logging without raising suspicions, and staging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.

mim221 execution overview
mim221 Execution Overview

Telecom providers find themselves frequently in the crosshairs of attack for the large amounts of personal client data they hold and sensitive information transmitted. This campaign is expected to continue as the Chinese-linked threat actors upgrade their malware and zero in on strategic targets in the Middle East.

Google Suspends Chinese E-Commerce App Pinduoduo Over Malware

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.

In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device.

Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborating further. The highly technical writeup also did not name the malicious app in question.

On Feb. 28, 2023, researchers at the Chinese security firm DarkNavy published a blog post purporting to show evidence that a major Chinese ecommerce company’s app was using this same three-exploit chain to read user data stored by other apps on the affected device, and to make its app nearly impossible to remove.

The three Samsung exploits that DarkNavy says were used by the malicious app. In November 2022, Google documented these three same vulnerabilities being used together to compromise Samsung devices.

DarkNavy likewise did not name the app they said was responsible for the attacks. In fact, the researchers took care to redact the name of the app from multiple code screenshots published in their writeup. DarkNavy did not respond to requests for clarification.

“At present, a large number of end users have complained on multiple social platforms,” reads a translated version of the DarkNavy blog post. “The app has problems such as inexplicable installation, privacy leakage, and inability to uninstall.”

On March 3, 2023, a denizen of the now-defunct cybercrime community BreachForums posted a thread which noted that a unique component of the malicious app code highlighted by DarkNavy also was found in the ecommerce application whose name was apparently redacted from the DarkNavy analysis: Pinduoduo.

A Mar. 3, 2023 post on BreachForums, comparing the redacted code from the DarkNavy analysis with the same function in the Pinduoduo app available for download at the time.

On March 4, 2023, e-commerce expert Liu Huafang posted on the Chinese social media network Weibo that Pinduoduo’s app was using security vulnerabilities to gain market share by stealing user data from its competitors. That Weibo post has since been deleted.

On March 7, the newly created Github account Davinci1010 published a technical analysis claiming that until recently Pinduoduo’s source code included a “backdoor,” a hacking term used to describe code that allows an adversary to remotely and secretly connect to a compromised system at will.

That analysis includes links to archived versions of Pinduoduo’s app released before March 5 (version 6.50 and lower), which is when Davinci1010 says a new version of the app removed the malicious code.

Pinduoduo has not yet responded to requests for comment. Pinduoduo parent company PDD Holdings told Reuters Google has not shared details about why it suspended the app.

The company told CNN that it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google,” and said there were “several apps that have been suspended from Google Play at the same time.”

Pinduoduo is among China’s most popular e-commerce platforms, boasting approximately 900 million monthly active users.

Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store — Google Play.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” a Google spokesperson said in a statement to Reuters, adding that the Play version of the app has been suspended for security concerns.

However, Google Play is not available to consumers in China. As a result, the app will still be available via other mobile app stores catering to the Chinese market — including those operated by Huawei, Oppo, Tencent and VIVO.

Google said its ban did not affect the PDD Holdings app Temu, which is an online shopping platform in the United States. According to The Washington Post, four of the Apple App Store’s 10 most-downloaded free apps are owned by Chinese companies, including Temu and the social media network TikTok.

The Pinduoduo suspension comes as lawmakers in Congress this week are gearing up to grill the CEO of TikTok over national security concerns. TikTok, which is owned by Beijing-based ByteDance, said last month that it now has roughly 150 million monthly active users in the United States.

A new cybersecurity strategy released earlier this month by the Biden administration singled out China as the greatest cyber threat to the U.S. and Western interests. The strategy says China now presents the “broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

Session Cookies, Keychains, SSH Keys and More | 7 Kinds of Data Malware Steals from macOS Users

The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.

However, the idea of stealing valuable data and then monetizing it in nefarious ways is a tactic that is now common across platforms. On macOS, threat actors will quietly exfiltrate session cookies, keychains, SSH keys and more as malicious processes from adware to spyware look to harvest data that can be recycled and sold on various underground forums and marketplaces, or used directly in espionage campaigns and supply chain attacks.

In recent posts, we have looked at how threat actors deliver payloads to macOS targets and how they attempt to evade detection. In this post, we look at the data assets targeted by macOS malware in some of the most recent in-the -wild incidents in order to help defenders better protect the enterprise and hunt for signs of compromise.

1. Session Cookies

One of the top targets for observed macOS malware are session cookies stored on user’s devices. For convenience and productivity, browsers and many enterprise apps that are designed to work across devices, such as Slack, TeamViewer, Zoom and similar, allow the user to remain logged in until they explicitly log out.

The Slack App allows infinite sessions until the user explicitly logs out
The Slack App allows infinite sessions until the user explicitly logs out

This is achieved by storing a session cookie on the device. In the event that a process or user copies and steals those cookies, they can use them on a different device to log in without authentication.

The theft of session cookies from a Mac computer was implicated in the recent CircleCI breach. According to CirlceCI’s public statement:

“To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.

Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys”.

Session cookies can be stored anywhere, but typically they are in locations which can be accessed by the user or a process running as the user. Some locations, such as the User’s Library Cookies folder, may be restricted by TCC unless the parent process has Full Disk Access or uses one of the many known TCC bypasses. Real world attacks (e.g., XCSSET) and researchers have consistently shown that TCC, while often a nuisance to users, does not present a significant obstacle to attackers.

Here are some common examples of locations that store session cookies on macOS:

~/Library/Cookies/*.binarycookies

Chrome:  ~/Library/Application Support/Google/Chrome/Default/Cookies
Firefox: ~/Library/Application Support/Firefox/Profiles/[Profile Name]/
Slack :  ~/Library/Application Support/Slack/Cookies (file) 
	 ~/Library/Application Support/Slack/storage/*
         ~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/storage

An excellent post on abusing Slack and session cookies for offensive security was written by Cody Thomas here.

In addition, encrypted and unencrypted databases associated with enterprise software can also be targeted by criminals and crimeware. Weakly encrypted databases may be decryptable with a little work and knowledge of the user’s password, often scraped by malware installers upon initial compromise. Zoom’s encrypted database, for example, is targeted by the Pureland infostealer.

Pureland Infostealer searches for Zoom encrypted database, among other items
Pureland Infostealer searches for Zoom encrypted database, among other items
~/Library/Application Support/zoom.us/data/zoomus.enc.db
Pureland Info Stealer hosted on Dropbox (Source: VirusTotal)
Pureland Info Stealer hosted on Dropbox (Source: VirusTotal)

2. Login Keychain

Perhaps prized above all data on a user’s Mac is the user’s keychain, an encrypted database used to store passwords, authentication tokens and encryption keys. The keychain uses strong encryption that can’t be broken simply by stealing the database or even accessing the computer. However, the weakness of the keychain is that its secrets can all be unlocked if the attacker knows the user’s login password. If that password is weak, easily guessable, or – as is most common – voluntarily given up to a malicious process by request, the strength of the keychain’s encryption is entirely irrelevant.

Unsurprisingly, malware authors are known to target exfiltrating the keychain database. Recent examples include DazzleSpy and a threat that was initially reported on by researchers at Trend Micro last November and dubbed, appropriately enough, KeySteal. Apple belatedly added detections for KeySteal in XProtect v2166 and XProtectRemediator released in March 2023.

KeySteal targets files with the .keychain and keychain-db file extensions in the following locations:

/Library/Keychains/
~/Library/Keychains/
The deviceIdentityServerVerify function serves to enumerate keychains on the victim device
The deviceIdentityServerVerify function serves to enumerate keychains on the victim device

The keychain is then base64-encoded and encrypted by means of an open-source Chinese crypto library called JKEncrypt, a “home-rolled” cryptographic function that uses the legacy (and largely discouraged) 3DES (triple DES) algorithm.

3. User Login Password

As noted, a user’s login keychain is of little use to an unauthorized party unless they also possess the login user’s passwords, and as login passwords serve as either necessary or sufficient authentication for almost every other operation on a Mac device, they are highly sought after by threat actors.

Password theft can be accomplished in a number of ways: through spoofing, through keylogging or simply by asking for authorization for some trivial task and using that authorization for something more nefarious.

Malware will typically ask a victim to elevate privileges so that it can install a privileged executable that will subsequently run as root and accomplish whatever tasks the attacker has in mind; often, LaunchDaemons are used for this. A good example of this TTP is seen in the CloudMensis/BadRAT spyware discovered independently by both ESET and Volexity.

CloudMensis/BadRAT achieves privilege escalation by requesting permissions from the user on install (source: VirusTotal)
CloudMensis/BadRAT achieves privilege escalation by requesting permissions from the user on install (source: VirusTotal)

In the case of Pureland InfoStealer, it presents the user with a dialog alert to capture the user’s password and uses that to unlock the Keychain via the SecKeychainUnlock API.

Pureland Infostealer grabs the user’s password to unlock the keychain
Pureland Infostealer grabs the user’s password to unlock the keychain

4. Browser Passwords & Data

Many macOS users continue to take advantage of browsers to store website login credentials and passwords. These and other useful data such as sites where the user has filled in login credentials, browser history, search history and download history are all of interest to threat actors.

Pureland infostealer provides another recent example, though XLoader, ChromeLoader and a variety of other macOS malware and adware also targets browser data. Pureland executes the following command as part of its getChromeSSPass function.

security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}' > /Users/
Strings related to Chrome data theft in Pureland Infostealer
Strings related to Chrome data theft in Pureland Infostealer

The malicious process needs to have elevated privileges and bypass the usual TCC controls in order to succeed; otherwise, the user will be alerted to the attempt by at least one authentication prompt.

The security command line tool requires authentication
The security command line tool requires authentication

5. SSH Keys

In late 2021, users of Chinese search engine Baidu were targeted with a number of trojanized versions of popular networking and admin tools, including iTerm2, SecureCRT, MS Remote Desktop for Mac and Navicat15. The malware came to be known as OSX.Zuru and included among its components a Python script that it dropped at /tmp/g.py.

Python component of OSX.Zuru (/tmp/g.py)
Python component of OSX.Zuru (/tmp/g.py)
shutil.copytree(ssh, foldername + '/ssh')

The script copied and exfiltrated a number of items, among which were any SSH keys located on the victims’ device.

In May 2022, macOS Rust developers were targeted in the CrateDepression typosquatting attack. CrateDepression involved infecting users who had the GITLAB_CI environment variable set on their devices, indicating the attacker’s interest in Continuous Integration (CI) pipelines for software development.

Successful compromise of a host device led to a Poseidon payload, which among other things, could search for and exfiltrate SSH keys.

Poseidon agent hunts for SSH and AWS keys on the compromised device
Poseidon agent hunts for SSH and AWS keys on the compromised device

It is also worth noting that aside from malware that hardcodes SSH data theft, any backdoor RAT that has the ability to execute commands and upload files to a remote server can hunt for SSH keys.

Possession of a victim’s SSH keys could allow attackers to authenticate themselves on the victim’s system. The SSH folder may also contain configuration files that allow access to other accounts on the same system or other systems on the same network.

In addition to stealing SSH keys, if an attacker can gain write access to the SSH folder, they can also drop their own authorized keys to allow backdoor remote access.

6. Serial Number, Hardware, & Other Environmental Info

A common behavior of many macOS malware threats is to query for and exfiltrate a variety of environmental data from the hosts. This can be used to fingerprint devices for a variety of reasons, including selective delivery of malware and execution of malware. For example, a C2 can be automated to deliver malware specific to a particular platform (macOS, Linux, Windows) and even to a specific version of that platform.

Custom malware can be delivered that exploits vulnerabilities in one OS version but not another. Similarly, a threat actor may distribute malware to a wide variety of victims, such as through malvertising or poisoned downloads, but only deliver the payload to very specific victims whose environment matches that the attacker is interested in (see the discussion of CrateDepression above).

If an attacker has advanced knowledge of the target’s environment, such as the device UUID or user account name, they can create a hash of that information and only execute if the infected device’s information matches. This kind of selective delivery and execution allows threat actors to spread their disposable malware droppers widely while keeping their specialized payloads out of sight.

DazzleSpy provides a good example of this technique. The malware polls its environment for a great deal of environmental data.

DazzleSpy surveils its host environment in great detail
DazzleSpy surveils its host environment in great detail
DazzleSpy Method System/API Call
method.MethodClass.getDiskSystemSize Uses NSFileManger’s defaultManager to grab NSFileSystemSize from attributesOfFileSystemForPath
method.MethodClass.getAllhardwareports Shell’s out via networksetup listallhardwareports
method.MethodClass.getIPAddress getifaddrs()
method.MethodClass.clearTrace Uses NSFileManager’s removeItemAtPath to clear various logs
method.MethodClass.serialNumber Uses IOServiceGetMatchingService and IOPlatformExpertDevice to grab kIOPlatformSerialNumberKey
method.MethodClass.getSystemVersion Uses NSDictionary(contentsOfFile: “/System/Library/CoreServices/SystemVersion.plist”) and grabs the objectForKey:”ProductVersion”
method.MethodClass.getSystemDate Retrieves the time relative to Asia_Shanghai timezone
method.MethodClass.getUserName Calls NSFullUserName()
method.MethodClass.getWifiName Uses the CWWiFiClient shared instance to get the SSID property from interface()
DazzleSpy disassembly for discovering the victim’s Wifi client SSID
DazzleSpy disassembly for discovering the victim’s Wifi client SSID

7. Pasteboard Contents

The pasteboard or clipboard as it’s more generally known, stores text, images and other data in memory when the user executes the copy function available in applications and system-wide via the keyboard hotkey “Cmd-C”.

The pasteboard is attractive to malware authors as a target for data such as passwords, cryptocurrency addresses and other data either to steal or to replace. For example, some cryptocurrency stealers will monitor for the user copying a wallet address to the pasteboard and then replace it with one belonging to the attacker.

Grabbing and writing to the pasteboard is relatively easy as Apple provides the Foundation framework NSPasteboard APIs as well as the Unix command-line utilities pbcopy and pbpaste for this very purpose.

A good example of Pasteboard leverage is provided by the EggShell RAT. This customized version was used in XcodeSpy malware.

The getPasteBoard function in the EggShell RAT used in XcodeSpy
The getPasteBoard function in the EggShell RAT used in XcodeSpy

XLoader similarly uses NSPasteboard, but attempts to hide the strings on the stack.

Stack strings seen in Xloader Info Stealer on macOS
Stack strings seen in Xloader Info Stealer on macOS

Mitigations and Opportunities for Detection

As Macs have become increasingly popular in the enterprise among leadership and development teams, the more important the data stored on them is to attackers.

Mitigations for all these kinds of attacks begin with an endpoint security solution that can both block known and unknown malware and also offer security teams visibility into what is happening on the device.

Threat hunters should regularly monitor for processes attempting to access keychain, SSH and other file paths discussed above.

SentinelOne customers can take advantage of PowerQuery and STAR rules to rapidly hunt for and alert on suspicious events relating to sensitive user data.

Although macOS’s TCC mechanism leaves much to be desired, it is nevertheless important to keep macOS endpoints up to date as Apple regularly patches TCC and other vulnerabilities reported by researchers as well as those actively seen in the wild.

Conclusion

Stealing data is not the only objective malware and malware authors may have in mind, but it is usually involved somewhere along the chain of compromise, either as a means to an end or an end in itself. On macOS, data protection has become increasingly important as the platform has gained popularity in enterprise environments.

Awareness of the kind of data recent malware targets and the ways in which that data is accessed by malicious processes is a crucial part of better equipping security teams to defend the organization’s assets.

If you would like to learn more about how SentinelOne Singularity and its native architecture agent can protect your macOS fleet, contact us or request a free demo.

Indicators of Compromise

CloudMensis/BadRAT
d7bf702f56ca53140f4f03b590e9afcbc83809db
0aa94d8df1840d734f25426926e529588502bc08
c3e48c2a2d43c752121e55b909fc705fe4fdaef6

DazzleSpy
ee0678e58868ebd6603cc2e06a134680d2012c1b

EggShell RAT
556a2174398890e3d628aec0163a42a7b7fb8ffd

KeySteal 
26622e050d5ce4d68445b0cdc2cb23f9e27318ba
3951a7bd03e827caf7a0be90fdfc245e6b1e9f8a
5a8a7e665fdd7a422798d5c055c290fa8b7356d9
749ee9eaa0157de200f3316d912b9b8d8bb3a553
79c222b00b91801bb255376c9454d5bc8079c4a9
7f537a0a77fc8d629b335d52ffef40ea376bd673
8446f80f073db57466459bcbfcaefda3c367cd52
b81bf1b65b8ec0a11105d96cc9f95bb25214add5
ca985f4395e47f1bf9274013b36a0901343fc5a5
d2314f1534ecc1ab97f03cdacf9ed05349f5c574
d4e30bce71e025594339dacf4004075fa22962ea
d85b6531843d5c29cc3bbb86e59d47249db89b9a
d8cd78c16ca865d69f2eb72212b71754f72b4479

Poseidon
cb8be6d2cefe46f3173cb6b9600fb40edb5c5248
c91b0b85a4e1d3409f7bc5195634b88883367cad

Pureland InfoStealer
0b5153510529e21df075c75ad3dbfe7340ef1f70
1eec28e16be609b5c678c8bb2d4b09b39aa35c05
2480d3f438693cf713ce627b8e67ab39f8ae6bea
308cb5cbc11e0de60953a16a9b8ad8458b5eda67
397d5edae7086bb804f9384396a03c52c2b38daa
398de17ae751f7b4171d6d88c8d29ee42af9efb5
406c7c1f81c3170771afc328ca0d3882ee790e98
411482a5cebe1fc89661cc0527047fa4596ed2d6
49d7c260e89dd5bc288111cbe2bf521e95bbe199
68be8c909a809487d2a3ae418d7ec5adf9d770cb
8baf7c147d3d54b8e2a2e6e26d852028d03ee64b
8e698a7f186b7eda34a56477d5e86e0ad778b53d
aa033e9f102bc8d98360e6079da3c8b4d7e2d3c8
acc1139ecfa0a628edf89b70a3e01a1424a00d5b
f462fa129de484b0cf09a9b4d975b168e5c69370

XLoader
7edead477048b47d2ac3abdc4baef12579c3c348
958147ab54ee433ac57809b0e8fd94f811d523ba
fb83d869f476e390277aab16b05aa7f3adc0e841

OSX.Zuru
20acde856a043194595ed88ef7ae0b79191394f9

Cloud Security | How to Successfully Manage Essential Roles and Responsibilities

Protecting company data from cyber threats is an essential and ongoing responsibility for enterprises of all sizes. As more organizations shift their operations to the cloud, establishing a reliable cloud security posture has become crucial. As a result, a team of experts, including the cloud security team, DevOps, platform engineering, and compliance, play integral roles in managing and maintaining cloud security.

Investing in a robust cloud security team equips businesses with the necessary tools to secure their operations against potential cyberattacks in a fast-paced, digital world. In this post, we explore the different roles, responsibilities and best practices for effective cloud security management.

Cloud Security Management | Building A Team to Support The Strategy

Cloud security strategies take time to develop and implement. Having the right team dedicated to cloud security ensures that any cloud-related strategies, decisions, and workflows align with the needs of the business and follow industry best practices.

Depending on their size and security maturity, organizations may choose to manage their cloud security through a Cloud Center of Excellence (CCOE) or, alternatively, build an in-house cloud security team as an extension of the larger security team.

Establishing Oversight | Cloud Centers of Excellence (CCOE)

A Cloud Center of Excellence (CCOE) is an organizational entity that has become a popular choice for many businesses to help accelerate cloud adoption. A CCOE is dedicated to the organization’s strategy for cloud, including its implementation, management, upkeep, and security.

With a CCOE in place, organizations can make business decisions with security at the forefront, rather than as an afterthought. They are also a key component in maintaining effective security for an organization’s entire cloud operations and portfolio as it continues to scale.

CCOEs operate through three main pillars to deliver a best practice approach to driving cloud-enabled security strategies. As a centralized function, CCOEs hold the following responsibilities:

  • Establish Governance – Through the CCOE, cloud security policies are created in collaboration with cross-functional champions and in alignment with the overarching cloud strategy and any cloud management tools used.
  • Provide Brokerage – CCOEs assist senior leadership and technical teams with selecting cloud security providers and architect the cloud solution in a way that meets the unique needs of the business and any regulatory controls.
  • Build Community – Cultivate a culture of knowledge-sharing regarding cloud best practices and developing technologies. A CCOE is responsible for sharing this knowledge though easily accessible knowledge base and source code repositories as well as training opportunities.

Utilizing In-House Resources | Cloud Security Teams

An in-house cloud security team is responsible for managing the security of an organization’s cloud infrastructure, working closely with other teams in the organization to ensure that cloud security is integrated into every aspect of business operations.

This dedicated team sets up and manages security policies and access to cloud resources, then implements security controls to protect the overall cloud infrastructure. They also monitor the cloud infrastructure for security breaches and respond to incidents as they occur.

Cloud security teams hold the following responsibilities:

  • Regularly reviewing and updating security policies to reflect changes in the organization’s operations and the latest security threats.
  • Implementing multi-factor authentication (MFA) to protect against unauthorized access to cloud resources.
  • Using managed key services for key rotation and ensuring they are safely stored in a segmented area. Encryption is used to protect sensitive data while in transit and at rest.
  • Conducting regular security audits and vulnerability assessments to identify and address potential security risks.
  • Establishing incident response procedures and regularly testing them to ensure they are effective.

Organizations that opt to build cloud security teams in-house will typically appoint set cloud-based roles and responsibilities for existing C-level executives as well technical leads from IT, DevOps, and Engineering teams. These roles all satisfy particular functions of the cloud security strategy and can be broken down into a structure such as the following:

  • Cloud Security Executive – This role is usually assigned to an organization’s Chief Information Security Officer (CISO). This is the team’s C-level liaison responsible for analyzing current security demands of the business and forecasting future cloud security trends. This executive role designs the company’s security roadmap, embedding any cloud-based security requirements needed. In this role, the CISO will be accountable for overseeing the rest of the cloud security team and enforcing changes to policy and processes across the organization.
  • Cloud Security Architect – This role acts as the lead for the cloud security team and is responsible for creating and implementing new cloud security workflows and cloud-based incident response use cases. The Cloud Security Architect must have a deep understanding of their organization’s strategy and processes and ensure that any cloud security policies and processes are aligned with the rest of the business.
  • Cloud Security Engineer – Those assigned to this role are responsible for overseeing the day-to-day security operations of the cloud infrastructure. This includes monitoring for cloud-based threats and checking the performance of the IT framework.
  • Cloud Security Auditor/Tester – A significant role in the cloud security team, auditors are responsible for performing regular penetration tests on the organization’s cloud infrastructure and bypassing its defenses. This role is critical to the ongoing improvement cycle and supports the upgrade of security processes by detecting possible exploits, areas of weaknesses, and any inefficiencies.

Understanding the Role of DevOps in Cloud Security

DevOps is a software development and deployment approach emphasizing communication and collaboration between development and operations teams. In terms of cloud security, DevOps teams are responsible for developing, testing, and deploying software applications in the cloud.

DevOps teams play a critical role in the cloud security strategy by ensuring that security is integrated into the software development process. This includes identifying and addressing potential security risks during the development phase and implementing security controls to protect software applications in the cloud.

Oftentimes, the cloud security team will route their findings to the DevOps engineering team to be fixed within pre-set service level agreements (SLA). Based on the severity level of the findings, cloud security teams may run campaigns to monitor and investigate findings that exist outside of the SLAs to ensure DevOps teams are not overrun.

A best practice for the central cloud security team is to ensure that each cloud account has an accurate and updated list of contacts assigned to it. Only contacting the correct stakeholders to receive notification ensures that the routing per account is as streamlined and effective as possible. Organizations may use tools such as PagerDuty to route notifications to the correct on-call DevOps engineer.

Ways DevOps Teams Can Support Cloud Security

  • Conduct regular security training for team members to raise awareness of security risks and best practices.
  • Use automated tools to detect and address potential security vulnerabilities during development.
  • Implement security controls, such as access controls and monitoring, to protect software applications in the cloud.
  • Work closely with the cloud security team to ensure security is integrated into the software development process.

Understanding the Role of Platform Engineering in Cloud Security

Platform engineering is a technology approach designed to accelerate the delivery of applications to support the specific needs of the business. Constantly evaluating the software development lifecycle, its function improves the productivity and experience of developers so that they can move from source to production efficiently.

Their role within the greater cloud security strategy is to ensure that security is built directly into the organization’s platform. Platform engineering teams are also an essential element in ensuring that cloud infrastructure is secure and reliable. This includes implementing security controls to protect cloud infrastructure from potential security threats (e.g., ensuring that DevOps engineers can only access cloud resources with secure defaults and that cloud workload protection platform (CWPP) agents are embedded into golden images.

Ways Platform Engineering Can Support Cloud Security

  • Regularly review and update security policies to reflect changes in the organization’s operations and the latest security threats.
  • Implement security controls such as firewalls and intrusion detection systems to protect cloud infrastructure from potential security threats.
  • Conduct regular security audits and vulnerability assessments to identify and address potential security risks.
  • Work closely with the cloud security and DevOps teams to ensure security is integrated into the infrastructure and platform design process.

Understanding the Role of Compliance in Cloud Security

Compliance teams ensure that an organization meets regulatory and compliance requirements. This includes maintaining compliance with industry standards and regulations, such as PCI DSS, HIPAA, and GDPR.

Compliance in cloud security includes implementing security controls to protect sensitive data stored in the cloud and providing access to cloud resources is restricted to authorized personnel.

Ways Compliance Teams Can Support Cloud Security

  • Ensure that regular audits and assessments are conducted to ensure ongoing compliance.
  • Regularly review and update compliance policies to reflect any regulatory and compliance requirements changes relating to cloud computing.
  • Implement security controls, such as access controls and encryption within the cloud infrastructure.
  • Work closely with all teams involved with cloud security to ensure that security controls are implemented in compliance with industry regulations and standards.

Conclusion

Like other security aspects, an effective cloud security posture requires achieving a synergy between people, processes, and procedures within the organization. An essential first step toward that objective is understanding the roles and responsibilities of the cloud security team, DevOps, platform engineering, and compliance teams.

Singularity Cloud Workload Security is a runtime cloud threat protection, detection, and response for multi-cloud workloads. Whether your workloads run the on-prem or public cloud, in VMs, containers, or Kubernetes clusters, SentinelOne works alongside other security controls to do what they do not: stop runtime threats like ransomware, zero-days, and memory injection. To learn more, visit our product page to find customer testimonials, whitepapers, and more.

Singularity Cloud
Simplifying runtime detection and response of cloud VMs, containers, and Kubernetes clusters for maximum visibility, security, and agility.