3CX Breach Was a Double Supply Chain Compromise

We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.

Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.

In late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.

3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.

Mandiant found that the earliest evidence of compromise within 3CX’s network was a VPN connection made with the employee’s corporate credentials, two days after the employee’s personal computer was compromised.

“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.

Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.

Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on GitHub. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.

The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.

Meanwhile, the security firm ESET today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.

As reported in a recent series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.

Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by ClearSky Security, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.

Microsoft Corp., which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like Sumatra PDF and the SSH client Putty.

Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “ZINC”. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “Diamond Sleet.”

The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise Linux operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.

“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers Peter Kalnai and Marc-Etienne M.Leveille. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”

ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.
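The leader-dot ruse above lends itself to a simple check at a mail gateway or file share: treat any filename whose last “dot” is not U+002E as suspect. The following is an added example, not code from ESET or the original post; the confusables beyond U+2024, the document-extension list and the sample attachment names are constructed assumptions.

```python
"""Flag filenames whose apparent ".pdf"-style extension is separated by a
Unicode look-alike of the ASCII full stop rather than U+002E itself."""
import unicodedata
from typing import List, NamedTuple, Optional

# Look-alikes of U+002E. U+2024 (ONE DOT LEADER) is the one ESET observed in
# the HSBC lure; the rest are extra confusables added for this example.
DOT_CONFUSABLES = {"\u2024", "\uff0e", "\u00b7", "\u2027", "\u2219"}

# Document extensions a lure would want to impersonate (constructed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}

# Constructed attachment names, as they might appear in the ZIP ESET described.
SAMPLE_ATTACHMENTS = [
    "HSBC job offer.pdf",        # genuine ASCII full stop
    "HSBC job offer\u2024pdf",   # U+2024 ruse: no real extension at all
    "Contract_2023\uff0edocx",   # fullwidth full stop variant
    "README",                    # no extension, nothing to impersonate
]


def is_dot_like(ch: str) -> bool:
    """True for U+002E look-alikes: a listed confusable, or any character whose
    NFKC compatibility form is the ASCII full stop (as U+2024 and U+FF0E are)."""
    return ch in DOT_CONFUSABLES or unicodedata.normalize("NFKC", ch) == "."


class Finding(NamedTuple):
    filename: str
    apparent_ext: str         # what the user sees after the fake dot
    real_ext: Optional[str]   # text after the last ASCII '.', if there is one
    separator: str            # e.g. "U+2024 ONE DOT LEADER"


def inspect_filename(filename: str) -> Optional[Finding]:
    """Return a Finding when the last dot-like separator is not a real '.' and
    the text after it impersonates a document extension; otherwise None."""
    last_sep = max((i for i, ch in enumerate(filename) if is_dot_like(ch)),
                   default=-1)
    if last_sep < 0:
        return None
    sep = filename[last_sep]
    if sep == ".":
        return None  # genuine extension separator, nothing hidden
    apparent = filename[last_sep + 1:].lower()
    if apparent not in DOCUMENT_EXTS:
        return None
    real_dot = filename.rfind(".")
    real_ext = filename[real_dot + 1:].lower() if real_dot >= 0 else None
    return Finding(filename, apparent, real_ext,
                   f"U+{ord(sep):04X} {unicodedata.name(sep, 'UNKNOWN')}")


def scan(filenames: List[str]) -> List[Finding]:
    """Run inspect_filename over a listing and keep only the findings."""
    return [f for f in (inspect_filename(n) for n in filenames) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_ATTACHMENTS):
        print(f"{finding.filename!r}: looks like .{finding.apparent_ext}, "
              f"real extension {finding.real_ext}, separator {finding.separator}")
```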

Kim Zetter, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.

“Mandiant informed Trading Technologies on April 11 that its X_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X_Trader software was downloaded by people at other software firms.

If there’s a silver lining here, the X_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.

“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.

How to Understand and Implement CISA’s Zero Trust Maturity Model

Current and emerging cyber threats continue to show global enterprises why traditional security measures are no longer adequate defenses. To help enterprises pave a clearer path forward in building cyber resilience, the Cybersecurity and Infrastructure Security Agency (CISA) recently released its Zero Trust Maturity Model (ZTMM).

The ZTMM provides a framework for business in all industries as they implement zero trust policies into their day-to-day operations and overarching security strategies. Zero trust has rapidly become an essential element in crafting a strong security posture capable of staving off modern adversaries.

In this post, we explore the key elements of CISA’s recommendations for zero trust and how SentinelOne’s AI-powered XDR platform empowers enterprises to meet the challenge of embracing zero trust in today’s digital landscape.

Understanding CISA’s Approach to Implementing Zero Trust

CISA’s ZTMM provides guidance in the development of effective and actionable zero trust strategies and solutions. Their approach to zero trust revolves around reducing cyber risk, increasing speed and agility to stay ahead of adversaries, and improving enterprises’ overall security defenses and resilience.

The premise of zero trust adheres to a strategy where no user or asset is to be implicitly trusted in an environment. This involves adopting an ‘assume breach’ mentality and works by making continuous verification of each user, device, and application mandatory. Zero trust as a whole requires enterprises to evolve their greater security philosophy, culture, and policies.

While the ZTMM is specifically tailored for federal agencies, businesses in all verticals can benefit from these recommendations and use them to safeguard against industry-specific risks.

What Are the Five Pillars of ZTMM?

CISA’s ZTMM is comprised of five main pillars: Identity, Devices, Networks, Applications and Workloads, and Data.

  • Identity – This pillar focuses on authenticating and authorizing users and devices before granting access to resources. It involves creating a unified identity and access management (IAM) system and implementing multi-factor authentication (MFA) for all users.
  • Devices – This pillar focuses on securing all IoT devices that connect to an organization’s network. It involves creating a comprehensive inventory of all devices and implementing endpoint detection and response (EDR) solutions.
  • Networks – This pillar focuses on securing all network traffic, regardless of the user’s location or resource. It involves implementing network segmentation and micro-segmentation to limit resource access and use secure communication protocols such as Transport Layer Security (TLS).
  • Applications and Workloads – This pillar focuses on securing all applications and workloads, whether they’re hosted on-premises or in the cloud. It involves implementing application-level access controls and using secure coding practices to prevent vulnerabilities.
  • Data – This pillar focuses on securing all data, whether it is at rest or in transit. It involves implementing encryption and access controls to prevent unauthorized access to sensitive data.

Essential Capabilities for Effective Zero Trust

In CISA’s zero trust framework, three cross-cutting capabilities can be used by enterprises on their journey to adopting zero trust: Visibility and Analytics, Automation and Orchestration, and Governance. These capabilities support the interoperability of functions across the pillars.

  • Visibility and Analytics – Focusing on data analysis allows enterprises to better inform policy decisions, action response activities, and build out risk profiles so security teams can proactively take measures before incidents occur.
  • Automation and Orchestration – In a zero trust model, automated tools and workflows support security response functions while maintaining oversight, security, and interaction of the development process for such functions, products, and services.
  • Governance – This refers to the definition and enforcement of cybersecurity policies, procedures, and processes. Senior leadership in an enterprise holds accountability in managing and mitigating security risks in support of zero trust principles from the top down.
Source: CISA

Implementing these pillars can be a complex process requiring significant organizational planning and coordination. However, the benefits of implementing zero trust are substantial, improving security posture, reducing risk of data breaches, and increasing visibility into network activity.

How SentinelOne Supports Successful Zero Trust Adoption

Implementing zero trust requires a comprehensive approach that covers all aspects of an organization’s cybersecurity strategy. Enterprises worldwide trust the SentinelOne platform to enable their ongoing journey in adopting zero trust policies that work for their businesses.

The SentinelOne platform helps streamline and action many of the recommendations from CISA’s ZTMM by extending visibility, analytics, and response capabilities across endpoint, identity, cloud, and network surfaces.

Identity Pillar | Advanced Identity Protection & Threat Response

SentinelOne provides comprehensive identity and access management (IAM) capabilities, including MFA and single sign-on (SSO). Going a step further than traditional IAM, SentinelOne’s identity protection solution proactively reduces the identity infrastructure attack surface by closing gaps in commonly exploited Active Directory and Azure AD environments and thwarting attack progress through misdirection tactics.

Devices Pillar | Autonomous Prevention, Detection & Response

SentinelOne’s EDR capabilities provide real-time visibility into endpoint activity, allowing organizations to detect and respond to threats rapidly. Since endpoints remain a key attack vector for threat actors, SentinelOne combines static and behavioral detections to neutralize known and unknown threats.

Networks Pillar | Powerful Network Detection Response & Micro-Segmentation

Lack of visibility due to legacy network controls breeds gaps and inconsistencies that threat actors can exploit. SentinelOne’s platform gives enterprises full visibility and control of their network, allowing security teams to monitor and isolate compromised devices and stop lateral movement. SentinelOne agents also create detailed network topology to support forensic investigations, decision making processes, and micro-segmentation policy creation.

Applications & Workloads Pillar | Complete Runtime Control & Workload Protection

Cloud computing and hybrid workspaces are now commonplace for the world’s businesses. As cloud-based attacks rise in number and complexity, SentinelOne combats threats on this attack surface by providing application-level access controls and using secure coding practices to prevent vulnerabilities. Businesses can manage and secure hybrid, private, and multi-cloud workloads from a single console with a single agent.

Data Pillar | Shifting Away From Perimeter-Based Security

In the past, enterprises stored sensitive data behind their corporate networks. As more make the move over to cloud applications, simply defending the perimeter against external threats is not enough. SentinelOne’s platform provides encryption and access controls to prevent unauthorized access to sensitive data from the inside out.

Conclusion

The zero trust philosophy presents a shift from a location-centric model to an identity, context, and data-centric approach with fine-grained security controls between users, systems, applications, data, and assets that change over time. In CISA’s latest Zero Trust Maturity Model (ZTMM), enterprises are reminded of the “never trust, always verify” tenet that protects environments from both external and internal cyber threats.

As steady transformation in remote work policies and the rise of cloud adoption present new challenges for security defenders, SentinelOne is committed to helping enterprises implement zero trust architectures effectively. The Singularity platform is designed to provide comprehensive visibility and control over all endpoints, users, and networks in a single agent, allowing security teams to achieve optimal zero trust elements across all pillars of the ZTMM.

If you’re interested in learning more about how SentinelOne can help your business achieve the ideal level of zero trust maturity, contact us today or book a demo here.


LockBit for Mac | How Real is the Risk of macOS Ransomware?

On April 16th, Twitter user @malwrhunterteam tweeted details of a sample of the LockBit ransomware compiled for Apple’s macOS arm64 architecture. LockBit claims to be “the oldest ransomware affiliate program on the planet”, and news that one of the major cybercrime outfits in the ransomware landscape was now targeting macOS devices has predictably raised concerns about the ransomware threat on Mac devices.

In this post, we explore both the details of the LockBit sample uncovered and the larger question of how real is the risk of ransomware on macOS endpoints.

LockBit for Mac | Testing, Testing, 1 2 3

The sample of LockBit ransomware for Mac was discovered on VirusTotal on April 16th, and according to @vxunderground may have been compiled as early as 17th November 2022.

lockbit ransomware variants for macOS
Source: vxunderground

A further sample was uploaded to VirusTotal on the 8th December, 2022.

lockbit for macOS on VirusTotal
Source: VirusTotal

The macOS samples are compiled solely for the Apple ARM M1/M2 (aka Apple silicon) architecture. No macOS Intel sample is known at this time.

Importantly for concerned users, no occurrences of LockBit for Mac have yet been reported in the wild, no victims claimed, and no distribution method is known to be associated with the malware. However, early claims that the sample was non-functional were incorrect.

LockBit 3.0 typically requires a unique password to execute; in the case of the Mac sample, the hardcoded password is “test” – one of several clues as to the current state of development of the threat.

The Mac variant is a direct descendant of the LockBit for Linux variant first spotted in Jan 2022, and contains much the same code.

The ransomware functions as intended to encrypt targeted files, which are subsequently appended with the .lockbit extension. The locker also deposits a rather lengthy ransom note in the parent folder with the name !!!-Restore-My-Files-!!!.

The ransom note is encrypted in the locker_Apple_M1_64 binary

The ransom note gives a clear indication of the intended victims.

Opening paragraph of the LockBit for Mac ransom note

LockBit is known for attacking and extorting organizations rather than random individuals on the internet, and the aim of the developers is to make large profits from locking and stealing business data.

The Mac sample does not appear to implement any functionality for exfiltrating the data it locks, nor does it have any method of persistence: more clear signs that this is a “work in progress” and not a genuine payload intended for use in the wild.

LockBit for Mac | Execution and Encryption

Despite the underdeveloped nature of the samples, it is clear that the authors are experimenting with similar functionality seen in lockers for other platforms. The malware is intended to be executed by a human operator or configuration file and offers a number of different encryption options. These mirror those seen in the Linux version noted above.

Command line options that can be passed to the malware on execution

These can be seen reflected in the methods seen in the code.

Encryption functions in the LockBit for Mac ransomware sample

Although there is a list of hardcoded extension names, many of which are not applicable to macOS, the locker is not restricted to encrypting only files with those extensions. As noted above, an operator may specify a particular destination and attempt to encrypt all files in that destination, partially or entirely.

LockBit is not restricted to the list of hardcoded extensions

Much of the code and methods apply to non-macOS platforms such as Windows, ESXi and Linux, indicating that the samples were likely compiled from the same cross-platform source code.

A lot of the LockBit code is redundant for macOS targets

On execution on an Apple M1 or M2 device, the LockBit ransomware queries for the model name via sysctl hw.model, likely as part of anti-analysis measures.

Encryption takes advantage of the publicly available library Mbed TLS. Interestingly, there appear to be no cross-references to the functions intended to decrypt locked files.

Multiple cross-references appear for encryption functions, but none for decryption

According to one media report, the public-facing representative of LockBit, known as LockBitSupp, said that the Mac encryptor is “actively being developed”. Perhaps more complete samples may be over the horizon with the missing functionality.

Is Ransomware a Real Risk on macOS Today?

Due to the rampant nature of the ransomware threat on other platforms, it is only natural to wonder how safe Macs are from ransomware actors. While some security vendors have incorrectly made much of it in the past, the reality is that there is no publicly recorded case of any business ever paying a ransom demand as a result of macOS ransomware. This is not surprising when you look at the history of attempts to build ransomware on macOS to date.

The most recent known Mac ransomware prior to the LockBit sample found this week was EvilQuest (aka ThiefQuest). SentinelLabs analysis of the threat and subsequent publication of a decryptor revealed that the actual ransomware component was unfit for purpose. Despite garnering headlines like “New Mac Ransomware Is Even More Sinister Than It Appears”, not only was the encryption weak, the ransom note did not include a way for intended victims to contact the threat actors to exchange their money for a decryption key: It merely included a crypto wallet address and a demand for the princely sum of $50.

Ransom note from EvilQuest/ThiefQuest

Unsurprisingly, that wallet remains empty today, having never received a single transaction. Though EvilQuest was certainly a real threat and continued to infect devices over the following 12 months or so, its infostealing and keylogging capabilities were likely the real reward for the threat actors: As ransomware, it failed entirely.

EvilQuest / ThiefQuest wallet shows no one ever paid a ransom to this address

Prior to 2020, the next most recent macOS ransomware attempt was Patcher, discovered by ESET in 2017. Patcher (aka FindZip) was distributed in cracked apps on torrent sites and, much like EvilQuest, never recorded a single transaction to its bitcoin address.

Ransom note from Patcher malware

Patcher was preceded in 2016 by KeRanger, a functional ransomware distributed through a trojanized version of the popular Transmission bittorrent client. KeRanger appears to have been precisely $3.02 more successful than either EvilQuest or Patcher ransomware: Its bitcoin wallet shows exactly one transaction – not necessarily from a victim – of that value.

We have to go back to 2014 to find the next occurrence of macOS ransomware. FileCoder was discovered on VirusTotal and was said to have been lying around on the site for two years. Unfinished and unworkable, FileCoder was a POC that did not actually encrypt the user’s files but demonstrated encryption and decryption of a sample file included with the malware. It is thought to be the precursor to the Patcher/FindZip malware discussed above.

In short, the history of ransomware on macOS to date shows that there has yet to be a viable threat or any ransomware that has financially impacted any individuals or organizations.

How to Stay Safe from LockBit macOS Ransomware

At the present time, SentinelOne does not consider LockBit a serious threat for macOS endpoints. As noted above, the known samples are very much a Proof-of-Concept and not suitable for deployment by threat actors in their current state. However, news outlets have reported that LockBit developers do consider a Mac file locker an active project, meaning that this situation may change in the near future.

As a precaution, the SentinelOne agent detects LockBit for Mac and protects macOS endpoints from executing the sample.

The SentinelOne Agent on macOS detects the LockBit ransomware

macOS security teams whose organizations are not protected by SentinelOne may refer to the Indicators of Compromise below for threat hunting and detection.

Conclusion

Are the big game hunters coming to a macOS endpoint near you? Not yet, but that doesn’t mean they won’t. The development of a Mac-specific ransomware variant suggests that the thought has obviously occurred to some threat actors sufficiently to invest time in producing a test sample, but that sample is far from ready for use against real targets. More importantly, from a threat actor’s point of view, locking files on Macs is not really a viable use case, though it may create some headlines, since service disruption in many cases is not likely to be severe – few organizations use Mac servers for essential services. In addition, worming from one Mac to another in the way Windows malware often does is exponentially more difficult on Macs. Consequently, the return on investment for a ransomware actor in deploying file locking malware on a Mac endpoint is likely to be substantially lower than similar attacks on Windows and Linux servers.

Stealing data, however, is very much a viable use case for threat actors targeting Macs. As ransomware actors in general have transitioned to extorting enterprises to prevent stolen data being leaked, it should not come as a surprise if LockBit and other cybercrime outfits begin turning their attention to ways to achieve the same on macOS. Indeed, infostealers are very much a concern on the platform and security teams are advised to review our recent publications on these and on how threat actors can compromise Macs in the enterprise. If LockBit and other ransomware actors are coming for enterprises with macOS devices, it is the theft of data rather than the locking of files that will provide them with the most lucrative rewards.

Indicators of Compromise

File name SHA1
locker_Apple_M1_64 2d15286d25f0e0938823dcd742bc928e78199b3d
locker_Apple_M1_64 864f56b25a34e9532a1175d469715d2f61c56f7f
!!!-Restore-My-Files-!!! ef958f3cf201f9323ceae9663d86464021f8e10d

YARA Hunting Rule

private rule Macho {
	meta:
		description = "private rule to match Mach-O binaries"

	condition:
		uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca

}

rule LockBit_for_Mac {

	meta:
		author = "Phil Stokes, @philofishal"
		description = "Rule to detect LockBit sample with Arm64 architecture for Apple M1"
		date = "18 April 2023"
		sha1_a = "2d15286d25f0e0938823dcd742bc928e78199b3d"
		sha1_b = "864f56b25a34e9532a1175d469715d2f61c56f7f"
		ref = "https://s1.ai/LockBit-Mac"
	strings:
		$ransom = { 58 5b 55 5c 19 4b 58 57 4a 56 54 4e 58 4b 5c 19 } // encrypted ransom note string
		$sysctl = { 4a 40 4a 5a 4d 55 19 51 4e 39 5e 4b 5c 49 19 51 } // encrypted sysctl hw grep string
		$label = "bSelfRemove"

	condition:
		Macho and all of them

}
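To show what the private Macho rule’s six magic values actually accept, and to let the same hunt run where YARA is not installed, here is an added Python counterpart; it is not SentinelOne’s code, and the Mach-O blobs it builds are constructed stand-ins, not the real locker.

```python
"""Python counterpart of the YARA rule: recognise Mach-O files by the same six
magic values, describe the header, and require all three LockBit patterns."""
import struct
from typing import Dict, List, Optional

# YARA's uint32(0) reads little-endian, so each key below is the first four
# on-disk bytes reversed. Value: (format, bits, struct byte order of header).
MACHO_MAGICS = {
    0xFEEDFACE: ("thin", 32, "<"),   # disk CE FA ED FE: 32-bit, little-endian
    0xCEFAEDFE: ("thin", 32, ">"),   # disk FE ED FA CE: 32-bit, big-endian
    0xFEEDFACF: ("thin", 64, "<"),   # disk CF FA ED FE: 64-bit LE (Apple silicon, Intel)
    0xCFFAEDFE: ("thin", 64, ">"),   # disk FE ED FA CF: 64-bit, big-endian
    0xCAFEBABE: ("fat", None, "<"),  # disk BE BA FE CA: byte-swapped fat header
    0xBEBAFECA: ("fat", None, ">"),  # disk CA FE BA BE: standard fat header (Java .class too)
}

# cputype values from <mach/machine.h>; CPU_ARCH_ABI64 (0x01000000) marks 64-bit.
CPU_TYPES = {0x0100000C: "arm64", 0x01000007: "x86_64",
             0x0000000C: "arm", 0x00000007: "i386"}

# The three strings of the YARA rule, as raw bytes.
LOCKBIT_PATTERNS = {
    "ransom": bytes.fromhex("58 5b 55 5c 19 4b 58 57 4a 56 54 4e 58 4b 5c 19"),
    "sysctl": bytes.fromhex("4a 40 4a 5a 4d 55 19 51 4e 39 5e 4b 5c 49 19 51"),
    "label": b"bSelfRemove",
}


def describe_macho(data: bytes) -> Optional[Dict]:
    """Return format/bits/architectures for a Mach-O blob, or None when the
    first four bytes are not one of the magics the YARA rule accepts."""
    if len(data) < 8:
        return None
    magic = struct.unpack_from("<I", data, 0)[0]   # exactly YARA's uint32(0)
    if magic not in MACHO_MAGICS:
        return None
    kind, bits, order = MACHO_MAGICS[magic]
    if kind == "thin":
        # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        cputype = struct.unpack_from(order + "I", data, 4)[0]
        return {"format": "thin", "bits": bits,
                "archs": [CPU_TYPES.get(cputype, hex(cputype))]}
    # fat_header: magic, nfat_arch; then nfat_arch x fat_arch (5 uint32 = 20 bytes)
    nfat = struct.unpack_from(order + "I", data, 4)[0]
    archs: List[str] = []
    for i in range(nfat):
        off = 8 + i * 20
        if off + 20 > len(data):
            break  # truncated, or a Java class whose version field was read as nfat_arch
        cputype = struct.unpack_from(order + "I", data, off)[0]
        archs.append(CPU_TYPES.get(cputype, hex(cputype)))
    return {"format": "fat", "bits": None, "archs": archs}


def matches_lockbit_for_mac(data: bytes) -> bool:
    """Same condition as the rule: Macho and all of them."""
    return (describe_macho(data) is not None
            and all(p in data for p in LOCKBIT_PATTERNS.values()))


def build_thin_sample(include_strings: bool = True) -> bytes:
    """Constructed stand-in for a 64-bit arm64 Mach-O executable (not the real locker)."""
    header = struct.pack("<IIIIIIII", 0xFEEDFACF, 0x0100000C, 0, 2, 0, 0, 0, 0)  # filetype 2 = MH_EXECUTE
    body = b"\x00" * 32
    if include_strings:
        body += b"".join(p + b"\x00" * 4 for p in LOCKBIT_PATTERNS.values())
    return header + body


def build_fat_sample() -> bytes:
    """Constructed universal-binary header with an x86_64 and an arm64 slice."""
    header = struct.pack(">II", 0xCAFEBABE, 2)
    header += struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x100, 14)  # x86_64 slice
    header += struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x100, 14)  # arm64 slice
    return header


if __name__ == "__main__":
    for name, blob in [("thin", build_thin_sample()), ("fat", build_fat_sample()),
                       ("pe", b"MZ\x90\x00" + b"\x00" * 60)]:
        print(name, describe_macho(blob), matches_lockbit_for_mac(blob))
```

Because the standard fat magic CA FE BA BE is shared with Java class files, the Macho rule alone also fires on .class files; walking the fat_arch slices as above is one way to tell them apart.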

Giving a Face to the Malware Proxy Service ‘Faceless’

For the past seven years, a malware-based proxy service known as “Faceless” has sold anonymity to countless cybercriminals. For less than a dollar per day, Faceless customers can route their malicious traffic through tens of thousands of compromised systems advertised on the service. In this post we’ll examine clues left behind over the past decade by the proprietor of Faceless, including some that may help put a face to the name.

The proxy lookup page inside the malware-based anonymity service Faceless. Image: spur.us.

Riley Kilmer is co-founder of Spur.us, a company that tracks thousands of VPN and proxy networks, and helps customers identify traffic coming through these anonymity services. Kilmer said Faceless has emerged as one of the underground’s most reliable malware-based proxy services, mainly because its proxy network has traditionally included a great many compromised “Internet of Things” devices — such as media sharing servers — that are seldom included on malware or spam block lists.

Kilmer said when Spur first started looking into Faceless, they noticed almost every Internet address that Faceless advertised for rent also showed up in the IoT search engine Shodan.io as a media sharing device on a local network that was somehow exposed to the Internet.

“We could reliably look up the [fingerprint] for these media sharing devices in Shodan and find those same systems for sale on Faceless,” Kilmer said.

In January 2023, the Faceless service website said it was willing to pay for information about previously undocumented security vulnerabilities in IoT devices. Those with IoT zero-days could expect payment if their exploit involved at least 5,000 systems that could be identified through Shodan.

Notices posted for Faceless users, advertising an email flooding service and soliciting zero-day vulnerabilities in Internet of Things devices.

Recently, Faceless has shown ambitions beyond just selling access to poorly-secured IoT devices. In February, Faceless re-launched a service that lets users drop an email bomb on someone — causing the target’s inbox to be filled with tens of thousands of junk messages.

And in March 2023, Faceless started marketing a service for looking up Social Security Numbers (SSNs) that claims to provide access to “the largest SSN database on the market with a very high hit rate.”

Kilmer said Faceless wants to become a one-stop-fraud-shop for cybercriminals who are seeking stolen or synthetic identities from which to transact online, and a temporary proxy that is geographically close to the identity being sold. Faceless currently sells this bundled product for $9 — $8 for the identity and $1 for the proxy.

“They’re trying to be this one-stop shop for anonymity and personas,” Kilmer said. “The service basically says ‘here’s an SSN and proxy connection that should correspond to that user’s location and make sense to different websites.’”

MRMURZA

Faceless is a project from MrMurza, a particularly talkative member of more than a dozen Russian-language cybercrime forums over the past decade. According to cyber intelligence firm Flashpoint, MrMurza has been active in the Russian underground since at least September 2012. Flashpoint said MrMurza appears to be extensively involved in botnet activity and “drops” — fraudulent bank accounts created using stolen identity data that are often used in money laundering and cash-out schemes.

Faceless grew out of a popular anonymity service called iSocks, which was launched in 2014 and advertised on multiple Russian crime forums as a proxy service that customers could use to route their malicious Web traffic through compromised computers.

Flashpoint says that in the months before iSocks went online, MrMurza posted on the Russian language crime forum Verified asking for a serious partner to assist in opening a proxy service, noting they had a botnet that was powered by malware that collected proxies with a 70 percent infection rate.

MrMurza’s Faceless advertised on the Russian-language cybercrime forum ProCrd. Image: Darkbeast/Ke-la.com.

In September 2016, MrMurza sent a message to all iSocks users saying the service would soon be phased out in favor of Faceless, and that existing iSocks users could register at Faceless for free if they did so quickly — before Faceless began charging new users registration fees between $50 and $100.

Verified and other Russian language crime forums where MrMurza had a presence have been hacked over the years, with contact details and private messages leaked online. In a 2014 private message to the administrator of Verified explaining his bona fides, MrMurza said he received years of positive feedback as a seller of stolen Italian credit cards and a vendor of drops services.

MrMurza told the Verified admin that he used the nickname AccessApproved on multiple other forums over the years. MrMurza also told the admin that his account number at the now-defunct virtual currency Liberty Reserve was U1018928.

According to cyber intelligence firm Intel 471, the user AccessApproved joined the Russian crime forum Zloy in Jan. 2012, from an Internet address in Magnitogorsk, RU. In a 2012 private message where AccessApproved was arguing with another cybercriminal over a deal gone bad, AccessApproved asked to be paid at the Liberty Reserve address U1018928.

In 2013, U.S. federal investigators seized Liberty Reserve and charged its founders with facilitating billions of dollars in money laundering tied to cybercrime. The Liberty Reserve case was prosecuted out of the Southern District of New York, which in 2016 published a list of account information (PDF) tied to thousands of Liberty Reserve addresses the government asserts were involved in money laundering.

That document indicates the Liberty Reserve account claimed by MrMurza/AccessApproved — U1018928 — was assigned in 2011 to a “Vadim Panov” who used the email address lesstroy@mgn.ru.

PANOV

Constella Intelligence, a threat intelligence firm that tracks breached databases, says lesstroy@mgn.ru was used for an account “Hackerok” at the accounting service klerk.ru that was created from an Internet address in Magnitogorsk. The password chosen by this user was “1232.”

In addition to selling access to hacked computers and bank accounts, both MrMurza and AccessApproved ran side hustles on the crime forums selling clothing from popular retailers that refused to ship directly to Russia.

On one cybercrime forum where AccessApproved had clothing customers, denizens of the forum created a lengthy discussion thread to help users identify incoming emails associated with various reshipping services advertised within their community. Reshippers tend to rely on a large number of people in the United States and Europe helping to forward packages overseas, but in many cases the notifications about purchases and shipping details would be forwarded to reshipping service customers from a consistent email account.

That thread said AccessApproved’s clothing reshipping service forwarded confirmation emails from the address panov-v@mail.ru. This address is associated with accounts on two Russian cybercrime forums registered from Magnitogorsk in 2010 using the handle “Omega^gg4u.”

This Omega^gg4u identity sold software that can rapidly check the validity of large batches of stolen credit cards. Interestingly, both Omega^gg4u and AccessApproved also had another niche: Reselling heavily controlled substances — such as human growth hormone and anabolic steroids — from chemical suppliers in China.

A search in Constella on the address panov-v@mail.ru and many variations on that address shows these accounts cycled through the same passwords, including 055752403k, asus666, 01091987h, and the relatively weak password 1232 (recall that 1232 was picked by whoever registered the lesstroy@mgn.ru account at Klerk.ru).

Constella says the email address asus666@yandex.ru relied on the passwords asus666 and 01091987h. The 01091987h password also was used by asus666@mail.ru, which also favored the password 24587256.

Constella further reports that whoever owned the much shorter address asus@mail.ru also used the password 24587256. In addition, it found the password 2318922479 was tied to both asus666@mail.ru and asus@mail.ru.

The email addresses asus@mail.ru, asus2504@mail.ru, and zaxar2504@rambler.ru were all used to register Vkontakte social media accounts for a Denis ***@VIP*** Pankov. There are a number of other Vkontakte accounts registered to asus@mail.ru and many variations of this address under a different name. But none of those other profiles appear tied to real-life identities.

A mind map simplifying the research detailed here.

PANKOV

Constella’s data shows the email addresses asus2504@mail.ru and zaxar2504@rambler.ru used the rather unique password denis250485, which was also used by the email address denispankov@yandex.ru and almost a dozen variations at other Russian-language email providers.

Russian vehicle registration records from 2016 show the email address denispankov@yandex.ru belongs to Denis Viktorovich Pankov, born on April 25, 1985. That explains the “250485” portion of Pankov’s favored password. The registration records further indicate that in 2016 Pankov’s vehicle was registered in a suburb of Moscow.

Russian incorporation records show that denispankov@yandex.com is tied to IP Pankov Denis Viktorovich, a now-defunct transportation company in the Volgograd Oblast, a region in southern Russia that shares a long border with western Kazakhstan.

More recent records for IP Pankov Denis Viktorovich show a microenterprise with this name in Omsk that described its main activity as “retail sale by mail or via the Internet.” Russian corporate records indicate this entity was liquidated in 2021.

A reverse password search on “denis250485” via Constella shows this password was used by more than 75 email addresses, most of which are some variation of gaihnik@mail.ru — such as gaihnik25@mail.ru, or gaihnik2504@rambler.ru.

In 2012, someone posted answers to a questionnaire on behalf of Denis Viktorovich Pankov to a Russian-language discussion forum on Chinese crested dog breeds. The message said Pankov was seeking a puppy of a specific breed and was a resident of Krasnogorsk, a city that is adjacent to the northwestern boundary of Moscow.

The message said Pankov was a then 27-year-old manager in an advertising company, and could be reached at the email address gaihnik@mail.ru.

GAIHNIK

Constella Intelligence shows gaihnik@mail.ru registered at the now-defunct email marketing service Smart Responder from an address in Gagarin, which is about 115 miles west of Moscow.

Back in 2015, the user Gaihnik25 was banned from the online game World of Tanks for violating the game’s terms that prohibit “bot farming,” or the automated use of large numbers of player accounts to win some advantage that is usually related to cashing out game accounts or inventory.

For the past few years, someone using the nickname Gaihnik25 has been posting messages to the Russian-language hacking forum Gerki[.]pw, on discussion threads regarding software designed to “brute force” or mass-check online accounts for weak or compromised passwords.

A new member of the Russian hacking forum Nohide[.]Space using the handle Gaihnik has been commenting recently about proxy services, credential checking software, and the sale of hacked mailing lists. Gaihnik’s first post on the forum concerned private software for checking World of Tanks accounts.

The address gaihnik@mail.ru shows how so many email addresses tied to Pankov were also connected to apparently misleading identities on Vkontakte and elsewhere. Constella found this address was tied to a Vkontakte account for a Dmitriy Zakarov.

Microsoft’s Bing search engine says gaihnik@mail.ru belongs to 37-year-old Denis Pankov, yet clicking the Mail.ru profile for that user brings up a profile for a much older man by the name Gavril Zakarov. However, when you log in to a Mail.ru account and view that profile, it shows that most of the account’s profile photos are of a much younger man.

Many of those same photos show up in an online dating profile at dating.ru for the user Gaihnik, a.k.a “Denchik,” who says he is a 37-year-old Taurus from Gagarin who enjoys going for walks in nature, staying up late, and being on the Internet.

Mr. Pankov did not respond to multiple requests for comment sent to all of the email addresses mentioned in this story. However, some of those addresses produced detailed error responses; Mail.ru reported that the users panov-v@mail.ru, asus666@mail.ru, and asus2504@mail.ru were terminated, and that gaihnik25@mail.ru is now disabled.

Messages sent to many other email addresses connected via passwords to Pankov and using some variation of asus####@mail.ru also returned similar account termination messages.

Mastering the Art of SOC Analysis Part 1 | Fundamental Skills for Aspiring Security Operations Center Analysts

As cybersecurity threats increase in sophistication and frequency, the demand for skilled Security Operations Center (SOC) analysts continues to rise. In tandem with defensive strategies and advanced security software, SOC analysts fill a critical role in keeping enterprises safe from attacks.

SOC teams are responsible for identifying and mitigating oncoming threats, protecting sensitive information, and ensuring the overall security of an organization’s digital assets. As demand for skilled SOC analysts climbs, aspiring analysts need to ensure they have the technical knowledge, analytical skills, and critical thinking abilities required for the job.

This post is the first of three in a series covering the essential skills aspiring analysts should master as they embark on their journey toward success. In this post, we detail the first four key areas of study that lay the groundwork for mastery in the SOC analysis field.

1. Learn Network Architecture

Understanding fundamental networking concepts is essential for SOC analysts. Start with the Open Systems Interconnection (OSI) model and the basics of the TCP/IP protocol suite.

Networking is the backbone of any IT infrastructure. For an aspiring SOC analyst, learning networking basics means understanding how data flows across the network, a skill that is critical to identifying and responding to security incidents.

By building a foundational understanding of networking concepts such as IP addressing, subnets, domain name system (DNS), routing, and protocols like TCP/IP, ICMP, and UDP, a SOC analyst can identify anomalies, track down malicious activity, and create effective security policies.

Since most attacks are initiated from the network, a good grasp of network security fundamentals, including firewalls, intrusion detection and prevention systems (IDPS), and network segmentation, gives SOC analysts an edge in responding to security incidents. Understanding network fundamentals typically covers the following areas:

  • Learn networking fundamentals – Learn about network topologies, addressing, protocols, and networking devices. Resources such as the CompTIA Network+ or Cisco CCNA certifications can provide a solid foundation in fundamental networking concepts.
  • Learn network security principles – Focus on firewalls, intrusion detection and prevention systems (IDPS), and virtual private networks (VPNs).
  • Practice with hands-on labs – Use virtual labs or physical equipment to gain hands-on experience in configuring and troubleshooting networks. Examples include:
    • GNS3 – This free, open-source network simulation software allows users to design, configure, and test virtual networks.
    • Packet Tracer – This network simulation software developed by Cisco allows users to design, configure, and test network topologies.
    • EVE-NG – This network emulation software allows users to design, configure, and test virtual networks and complex network configurations.
    • TryHackMe – This platform provides guided, pre-configured labs accessible through a browser. The variety of high-quality courses and their low entry barrier allow learners to gain exposure to different tools and concepts.
  • Join networking and security communities – Connect with professionals in the networking and security industry to learn from their experience, ask questions, and gain insights into the latest trends and technologies. Online communities such as Reddit’s /r/networking or /r/netsec, or professional associations such as ISACA, ISSA, or (ISC)², can be a great resource for connecting with others in the field.
  • Stay up-to-date with industry news – Follow security and networking news sites such as Dark Reading, BleepingComputer, or SecurityWeek to stay informed on the latest security threats and trends.

2. Learn Network Analysis

Analyzing network traffic can help identify suspicious activities and potential threats. Learn to use network analysis tools like Wireshark, NetworkMiner, and Snort.

Network traffic analysis involves examining the packets of data transmitted between devices on a network to identify patterns, anomalies, and signs of malicious activity. SOC analysts can detect suspicious behaviors such as unauthorized access attempts, data exfiltration, malware infections, and command-and-control communication by analyzing network traffic.

They can also use network traffic analysis to trace the origin of an attack, determine the scope of compromise, and identify affected assets. Network traffic analysis skills are key for any aspiring SOC analyst looking to build proficiency in threat detection and incident response. To get started on learning how to analyze network traffic, consider the below steps:

  • Build up networking basics – Before analyzing network traffic, it is essential to have a solid understanding of networking concepts such as TCP/IP, DNS, HTTP, and SSL. Learning to interpret a packet’s structure and the role of each header field helps in identifying and troubleshooting network issues.
  • Use network analysis tools – Various network analysis tools can help analyze network traffic, such as Wireshark, tcpdump, and tshark. These tools can be used to capture, decode, and analyze packets in real time or from saved capture files. Using Wireshark, for example, analysts can filter traffic by IP address, protocol, port, or keyword and analyze packet contents such as payload, headers, and timestamps.
  • Practice analyzing network traffic – The best way to improve network traffic analysis skills is by practicing on real-world network traffic data. Sample capture files are obtainable from online resources such as the Wireshark Sample Captures page or by capturing traffic on a test network. Use the traffic to simulate an attack and write detection rules for a NIDS such as Snort.
  • Learn from online resources – Various online resources provide tutorials, blogs, and videos on network traffic analysis, such as the Wireshark University, PacketTotal, and the SANS Institute. These resources can help budding analysts learn advanced techniques like protocol analysis, network forensics, and malware analysis.

3. Learn Log Analysis

SOC analysts deal with a large volume of logs from different sources. Understanding how to parse, search, and analyze logs is crucial. The aspiring analyst must be comfortable using log management tools such as Splunk, ELK, and Graylog.

To be effective in their role, SOC analysts need to show proficiency in log analysis. Logs are a critical information source containing a wealth of data about system and network activity, user behavior, and security events. By analyzing logs, SOC analysts can identify suspicious activity, track the spread of malware, and detect potential security incidents.

Log analysis also plays a crucial role in incident response. When a security incident occurs, SOC analysts must investigate it, determine its scope and impact, and identify the root cause. Data captured in logs can help SOC analysts reconstruct the incident timeline, identify the attacker’s entry point, and determine the extent of the compromise.

Analyzing logs will also be required for any in-depth forensic investigations. The analysis involves examining logs generated by various systems and applications to detect anomalies, suspicious activities, and signs of compromise. Experienced analysts can detect events such as failed login attempts, unusual network traffic, and system changes that may indicate a security incident. Below are some methods aspiring analysts can take to improve their log analysis skills:

  • Become familiar with log management tools – Log management tools like Splunk, ELK, and Graylog can help analysts to parse, search, and analyze logs. These tools can collect logs from different sources, apply filters and transformations, and visualize log data. Use these tools to view the organization’s security posture comprehensively.
  • Learn common log formats – Logs come in a variety of formats. Learning common log formats like Syslog, Apache, and Windows Event Logs will serve to develop a stronger understanding of log data and how to make sense of it.
  • Study log analysis, parsing, and search techniques – SOC analysts must have a wide arsenal of knowledge on log analysis techniques such as anomaly detection, correlation analysis, and threat hunting. Also, practice parsing and searching logs with different log management tools and techniques.
  • Use regular expressions (Regex) – Regular expressions (regex) are a powerful tool for parsing and searching log data, allowing analysts to extract specific information from logs quickly.
  • Filter noise – Logs may contain a lot of noise, such as debug messages, informational messages, or system messages. Filtering out noise helps analysts focus on the essential log data only.
  • Use visualization tools – Visualization tools like graphs, charts, and dashboards are useful when trying to understand log data quickly. Utilize any visualization features within log management tools to create graphs or dashboards that show trends or anomalies in log data.
  • Stay updated on threat news – Cybersecurity threats and attack techniques constantly evolve. Stay in the know with the latest cybersecurity news and trends. Follow industry blogs, attend webinars, and participate in online communities to stay informed.
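As an added example (not code from the SentinelOne post), the following Python script puts several of the points above together: regex parsing of two common formats (syslog lines from sshd and Apache combined-format access logs), noise filtering, and a simple sliding-window correlation that flags repeated failed logins from one source across both formats. Every log line is constructed sample data; the year assumed for syslog timestamps (which carry none) and the 3-failures-in-60-seconds threshold are assumptions, not values from the post.

```python
"""Normalize mixed syslog (sshd) and Apache access-log lines, drop noise, and flag
repeated failed logins. Added example with constructed data; not the article's code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: RFC 3164-style syslog lines from sshd/cron/systemd plus Apache
# combined-format lines. 203.0.113.7 hammers SSH and an HTTP login endpoint, while
# 192.0.2.9 fails three times 90 s apart, which a 60 s window should not flag.
SAMPLE_LOGS = """\
Apr 11 09:12:01 bastion CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)
Apr 11 09:12:03 bastion sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 11 09:12:05 bastion sshd[4013]: Failed password for root from 203.0.113.7 port 51123 ssh2
Apr 11 09:12:06 bastion sshd[4014]: Failed password for root from 203.0.113.7 port 51124 ssh2
Apr 11 09:12:09 bastion sshd[4015]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Apr 11 09:12:40 bastion sshd[4016]: Failed password for root from 203.0.113.7 port 51130 ssh2
Apr 11 09:15:00 bastion systemd[1]: Started Daily apt download activities.
Apr 11 09:30:00 bastion sshd[4020]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Apr 11 09:40:00 bastion sshd[4031]: Failed password for bob from 192.0.2.9 port 6001 ssh2
Apr 11 09:41:30 bastion sshd[4032]: Failed password for bob from 192.0.2.9 port 6002 ssh2
Apr 11 09:43:00 bastion sshd[4033]: Failed password for bob from 192.0.2.9 port 6003 ssh2
203.0.113.7 - - [11/Apr/2023:09:20:10 +0000] "POST /api/login HTTP/1.1" 401 83 "-" "python-requests/2.31"
203.0.113.7 - - [11/Apr/2023:09:20:11 +0000] "POST /api/login HTTP/1.1" 401 83 "-" "python-requests/2.31"
203.0.113.7 - - [11/Apr/2023:09:20:12 +0000] "POST /api/login HTTP/1.1" 401 83 "-" "python-requests/2.31"
198.51.100.20 - - [11/Apr/2023:09:21:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"
garbage that matches no known format
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SSH_OK_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+")
NOISE_PROGRAMS = {"CRON", "systemd", "rsyslogd"}  # routine chatter when hunting auth events


def parse_line(line, year=2023):
    """Turn one raw line into an event dict, or None if no known format matches.
    Syslog timestamps carry no year, so one is assumed (2023 here); both formats
    are treated as UTC and the Apache timezone offset is dropped."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        ev = {"ts": ts, "prog": prog, "kind": "other", "src": None, "user": None}
        hit = (SSH_FAIL_RE.match(msg) or SSH_OK_RE.match(msg)) if prog == "sshd" else None
        if hit:
            ev["kind"] = "auth_failure" if msg.startswith("Failed") else "auth_success"
            ev["src"], ev["user"] = hit["src"], hit["user"]
        return ev
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        kind = "auth_failure" if m["status"] == "401" else "http_request"  # 401 = failed auth
        return {"ts": ts, "prog": "httpd", "kind": kind, "src": m["src"], "user": None,
                "path": m["path"], "status": int(m["status"])}
    return None


def parse_lines(text, year=2023):
    """Parse every non-blank line; returns (events, unparsed_count) so gaps stay visible."""
    events, unparsed = [], 0
    for line in filter(str.strip, text.splitlines()):
        ev = parse_line(line, year)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def filter_noise(events):
    """Drop routine messages from cron/systemd-style programs so auth events stand out."""
    return [ev for ev in events if not (ev["kind"] == "other" and ev["prog"] in NOISE_PROGRAMS)]


def detect_bruteforce(events, threshold=3, window_seconds=60):
    """Return {source_ip: peak_failures} for sources with at least `threshold`
    authentication failures inside any sliding window of `window_seconds`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth_failure":
            by_src[ev["src"]].append(ev["ts"])
    alerts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward until it fits
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def analyze(text, threshold=3, window_seconds=60):
    """End to end: parse, filter noise, correlate. Returns the alert dict."""
    events, _ = parse_lines(text)
    return detect_bruteforce(filter_noise(events), threshold, window_seconds)
```

Running `analyze(SAMPLE_LOGS)` flags only 203.0.113.7 (four SSH failures within 37 seconds); widening the window to 300 seconds also surfaces 192.0.2.9, which shows why the window size is a tuning decision rather than a constant.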

4. Learn Endpoint Analysis

Endpoints are a prime target for attackers, and SOC analysts need to understand how to secure them. Learn how to use endpoint security tools like Wazuh, OSSEC, and SentinelOne.

In today’s digital landscape, cybercriminals are continually devising new ways to exploit vulnerabilities and launch attacks, and the traditional perimeter-based security model is no longer enough. Security operations centers (SOCs) are at the forefront of identifying and mitigating these threats, and SOC analysts need to be familiar with a variety of tools and techniques to protect their organization’s network and sensitive data. Among these, one of the most critical tools that SOC analysts need to master is endpoint security tools.

Endpoint security tools protect against cyberattacks, focusing on securing endpoints like laptops, desktops, mobile devices, and servers. The endpoint is where an attack usually occurs, and it’s also the entry point for malware and other cyber threats. Endpoint security tools help to identify, isolate, and remediate the threat before it can cause significant damage.

Endpoint security tools in the hands of a knowledgeable SOC analyst can do the following:

  • Protect vulnerable endpoints – Attacks on endpoints can result in data breaches, system disruption, and other security incidents. Endpoint security tools help to protect against these attacks by providing real-time visibility and control over devices.
  • Perform advanced threat detection – Endpoint security tools use advanced threat detection mechanisms like behavioral analysis, machine learning, and artificial intelligence to detect and respond to threats. These tools can identify and isolate suspicious activities, providing SOC analysts with the information they need to respond to incidents quickly.
  • Increase visibility – Endpoint security tools provide SOC analysts with a complete view of endpoint devices, including their applications and processes. This visibility allows analysts to identify vulnerabilities and misconfigurations that cybercriminals could exploit.
  • Save time – Endpoint security tools can automate and orchestrate response actions, reducing the time it takes to detect and respond to incidents. This automation helps SOC analysts to focus on high-priority incidents, improving the overall efficiency and effectiveness of the SOC.

There are several endpoint security tools that SOC analysts need to master to protect their organization’s network and sensitive data. The most important of these are:

  • Endpoint Detection and Response (EDR) – EDR solutions provide real-time visibility into endpoint devices, enabling SOC analysts to quickly detect and respond to incidents. EDR solutions use advanced threat detection mechanisms like behavioral analysis and machine learning to identify and isolate suspicious activities.
  • Antivirus & Anti-Malware – These can help to protect against known threats. These tools use signature-based detection to identify and block known malware and viruses.
  • Vulnerability Scanners – These tools scan endpoint devices for vulnerabilities and provide SOC analysts with a list of vulnerabilities that need to be addressed.
  • Patch Management Tools – These are vital to keeping endpoint devices up to date with the latest security patches and updates. These tools protect endpoint devices against known or so-called “N-day” vulnerabilities.

Conclusion

The path to mastering the art of SOC analysis begins with these fundamental skills, but it does not end there. In Part 2 of this series, we will cover how analysts can develop further and explore more advanced topics including cloud computing, Active Directory, threat hunting and malware detection.

Armed with a solid understanding of these concepts, new and developing analysts can rapidly learn how to detect intrusions and isolate them before they move deep into a sensitive environment and create long-lasting damage.

A trained and experienced SOC analyst is an invaluable component of today’s cybersecurity defense. To build on the skills we’ve discussed in this post, look out for the next part of this series by subscribing to our email list or following us on social media.

SentinelOne offers robust Managed Detection & Response (MDR), Managed Threat Hunting (MTH), Compromise Assessment and Incident Response Services. To learn more contact us or visit SentinelOne Global Services.


The Good, the Bad and the Ugly in Cybersecurity – Week 15

CVE-2023-21554 | Windows Admins Urged to Patch RCE Bug in MSMQ Service

A critical vulnerability included in this month’s Patch Tuesday roundup has caught the eye of cybersecurity researchers for its role in exposing hundreds of thousands of systems to attack. Dubbed “QueueJumper”, CVE-2023-21554 is found in the Windows Message Queuing (MSMQ) middleware service, which is available on all Windows operating systems.

MSMQ technology is used by applications running at different times to communicate across networks and systems that may be temporarily offline. MSMQ works by effectively routing and securing messages, guaranteeing priority-based message delivery. In the hands of an attacker, CVE-2023-21554 enables unauthenticated remote code execution (RCE) on unpatched Windows servers through specially crafted malicious MSMQ packets.

Though MSMQ is an optional Windows service that is not enabled by default, it is often switched on in the background when enterprise applications are installed and remains on even after they are uninstalled. Researchers note that more than 360,000 Internet-exposed servers running the MSMQ service are potentially vulnerable to attack, not counting those that are not reachable from the Internet.

Though MSMQ sees low usage and has been end-of-lifed to make way for newer products like Azure Queue, it is still easily enabled via the Control Panel or PowerShell. Since this type of vulnerability is especially attractive to threat actors, Microsoft has rated it “Exploitation More Likely” on its exploitability index. Such RCE vulnerabilities are commonly used for initial access and malware deployment and so require immediate attention.

Microsoft advises Windows administrators to disable the MSMQ service until the patch can be applied. Admins can also check whether a service named “Message Queuing” is running and whether TCP port 1801 is listening on the machine.
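The two checks just mentioned, as an added Python example that is neither Microsoft’s nor SentinelOne’s code: it queries the service through the standard `sc query` command (the short service name behind the “Message Queuing” display name is MSMQ) and tests whether anything accepts connections on TCP 1801 at the loopback address. It only reports; disabling or patching the service remains an administrator action.

```python
"""Report the two CVE-2023-21554 exposure indicators from the article on a Windows host:
is the "Message Queuing" service (short name MSMQ) running, and is TCP 1801 listening?
Added example; not Microsoft's or SentinelOne's code. Reports only, changes nothing."""
import re
import socket
import subprocess

MSMQ_PORT = 1801          # MSMQ's TCP listener, per the advisory
MSMQ_SERVICE = "MSMQ"     # short service name behind the "Message Queuing" display name


def parse_sc_query(output):
    """Pull the STATE word (RUNNING, STOPPED, ...) out of `sc query <name>` output.
    Returns None when the output reports the service is not installed (error 1060)."""
    m = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", output)
    return m.group(1) if m else None


def service_state(name=MSMQ_SERVICE):
    """Ask the Service Control Manager via the standard `sc query` command."""
    try:
        proc = subprocess.run(["sc", "query", name], capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None  # not a Windows host, or sc.exe unavailable
    return parse_sc_query(proc.stdout)


def port_listening(port=MSMQ_PORT, host="127.0.0.1", timeout=2.0):
    """True if a TCP connect to host:port succeeds, i.e. a listener accepted it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(state, listening):
    """Pure verdict from the two indicators, so it can be unit-tested without Windows."""
    if state == "RUNNING" or listening:
        return "exposed"            # service active: disable it or apply the patch
    if state is None:
        return "absent"             # service not installed; nothing to do
    return "installed_stopped"      # installed but not running; consider disabling outright


def check_host():
    """Gather both indicators from the local machine and return (state, listening, verdict)."""
    state, listening = service_state(), port_listening()
    return state, listening, assess(state, listening)


if __name__ == "__main__":
    state, listening, verdict = check_host()
    print(f"Message Queuing service state: {state or 'not installed'}")
    print(f"TCP {MSMQ_PORT} accepting connections on loopback: {listening}")
    print(f"Verdict: {verdict}")
```

A loopback connect only proves a listener exists; on a multi-homed server, check the external interface too.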

Credential Theft | Legion Hacking Tool Circulates on Telegram

Researchers this week have reported on a new Python-based hacking tool and credential harvester named “Legion” that is snaking its way from buyer to buyer on Telegram. According to reports, the tool allows threat actors to break into various online services for further exploitation.

The Legion splash screen (Source: Cado Security)

Reports indicate that Legion’s primary attack vector is misconfigured web servers running content management systems (CMS), PHP, or PHP-based frameworks. Once installed, Legion has been observed enumerating vulnerable SMTP servers, performing RCE attacks, exploiting unpatched versions of Apache, brute-forcing cPanel and WebHost Manager (WHM) accounts, and abusing various AWS services.

The toolset then steals credentials from web services such as email providers, cloud services, server management systems, payment platforms, and databases. Beyond extracting credentials, it can also implant webshells, create admin user accounts, and send SMS spam messages to customers of all U.S. telecom carriers.

Legion is also described as a modular malware, bearing resemblance to AndroxGh0st – a similar malware family first discovered in December of 2022. Security experts on the SentinelLabs team recently revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox sold to actors intent on stealing API keys and cloud service secrets.

The development and use of cloud-focused toolkits for spamming and harvesting credentials are rising in popularity with cyber attackers. Multi-purpose credential harvesting tools will continue to be a major risk for any enterprises housing misconfigured or poorly managed web servers.

Transparent Tribe | Nation-State Adversary Targets Indian Education Sector

A hacking group suspected to be based in Pakistan and known as Transparent Tribe has been linked to a series of attacks on the Indian education sector, distinguished by its use of weaponized Microsoft Office documents to stage Crimson RAT malware. Also known in the cybersecurity community as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, the group has been active since 2013 and historically focused on the Indian military and government sectors; it has only since late 2021 set its sights on schools.

The Crimson RAT malware is capable of exfiltrating files and system data to servers controlled by the threat actor. Further, it captures screenshots, stops running processes, and executes additional payloads to log keystrokes and steal browser credentials. SentinelLabs’ latest report details findings pertaining to the cluster of Office documents used by Transparent Tribe to carry the Crimson RAT malware.

The documents use OLE embedding to stage the malware. Because this requires the user to double-click a malicious element in the document, the documents distributed by Transparent Tribe trick users into performing that action by displaying a ‘View Document’ prompt, as if doing so would unlock the document’s content. Double-clicking then activates the OLE package that stores and deploys the Crimson RAT, which is disguised as an update.

Transparent Tribe malicious document

Based on the associated domains and use of Crimson RAT, cyber researchers at SentinelLabs note that the recent series of attacks on the Indian educational vertical are likely part of a previously reported campaign by the same actors. This suggests that Transparent Tribe is a highly motivated and persistent threat actor that operates by regularly updating their targeting strategies, malware arsenal, and operational playbook.

Why is ‘Juice Jacking’ Suddenly Back in the News?

KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about “juice jacking,” a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.

On April 6, 2023, the FBI’s Denver office issued a warning about juice jacking in a tweet.

“Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s Denver office warned. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”

Five days later, the Federal Communications Commission (FCC) issued a similar warning. “Think twice before using public charging stations,” the FCC tweeted. “Hackers could be waiting to gain access to your personal information by installing malware and monitoring software to your devices. This scam is referred to as juice jacking.”

The FCC tweet also provided a link to the agency’s awareness page on juice jacking, which was originally published in advance of the Thanksgiving Holiday in 2019 but was updated in 2021 and then again shortly after the FBI’s tweet was picked up by the news media. The alerts were so broadly and breathlessly covered in the press that a mention of juice jacking even made it into this week’s Late Late Show with James Corden.

The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the reality that many mobile devices connected to a computer would sync their data by default.

Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place.

On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks.

Probably the best known example is the OMG cable, a $180 hacking device made for professional penetration testers that looks more or less like an Apple or generic USB charging cable. But inside the OMG cable is a tiny memory chip and a Wi-Fi transmitter that creates a Wi-Fi hotspot, to which the attacker can remotely connect using a smartphone app and run commands on the device.

The $180 “OMG cable.” Image: hak5.org.

Brian Markus is co-founder of Aries Security, and one of the researchers who originally showcased the threat from juice jacking at the 2011 DEFCON. Markus said he isn’t aware of any public accounts of juice jacking kiosks being found in the wild, and said he’s unsure what prompted the recent FBI alert.

But Markus said juice jacking is still a risk because it is far easier and cheaper these days for would-be attackers to source and build the necessary equipment.

“Since then, the technology and components have become much smaller and very easy to build, which puts this in the hands of less sophisticated threat actors,” Markus said. “Also, you can now buy all this stuff over the counter. I think the risk is possibly higher now than it was a decade ago, because a much larger population of people can now pull this off easily.”

How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023.

“The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on ‘juice-jacking,’ first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”

What can you do to avoid juice jacking? Bring your own gear. A general rule of thumb in security is that if an adversary has physical access to your device, you can no longer trust the security or integrity of that device. This also goes for things that plug into your devices.

Juice jacking isn’t possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present. If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in.

Defending Your Digital Fort | The Importance of Strong Authentication in Preventing Cyber Attacks

In today’s threat landscape, where cyber attacks have emerged as a potent threat to individuals, businesses, and governments, cybercriminals have become adept at exploiting vulnerabilities and exposing and compromising systems. As organizations look to improve their cyber resilience, one of the first steps to effectively protect against cyber attacks is the implementation of robust authentication protocols.

Implementing strong authentication techniques can help organizations prevent unauthorized access to systems and protect sensitive information from falling into the wrong hands. As highlighted by the Cloud Security Alliance in a recent blog post, the adage “Attackers don’t hack, they log in” bears a great deal of truth. According to the 2022 Verizon Data Breach Investigations Report, the misuse of credentials was among the top causes of data breaches, highlighting the need for businesses to prioritize the implementation of strong authentication measures.

This post explains the need for strong authentication, outlines best practices, and highlights the primary security risks associated with authentication protocols and how to mitigate them.

What is Authentication?

Authentication is the process of verifying the identity of a user or device before granting access to a system or network. It is typically achieved by requiring users to provide some form of identification, such as a username and password. However, users are well documented to struggle with password best practices, and a single-factor credential such as a password can easily be stolen, whether via a data leak, brute force or social engineering, and then used by others. Organizations have therefore realized in recent years the need for additional authentication factors, widely referred to as MFA or multi-factor authentication.

Some MFA methods in common use today involve a biometric factor such as a fingerprint or facial recognition scan. Authenticator apps that generate unique, time-based codes and hardware USB keys are also becoming increasingly popular among security-conscious enterprises.

Why is Strong Authentication Important?

Strong authentication is crucial for protecting against cyber attacks, particularly those that rely on stolen credentials. As noted above, cybercriminals are adept at devising new ways to steal login credentials, whether through phishing emails, social engineering tactics, or brute-force attacks. Once they have obtained valid credentials, they can gain unrestricted access to a system or network, putting sensitive data and resources at risk.

Robust authentication protocols which add further layers of authentication, such as multi-factor authentication (MFA), can significantly reduce the risk of unauthorized access. Simply knowing or obtaining a user’s login credentials will not be sufficient to gain access when a biometric factor or other factor is required. MFA, when implemented with best practices in mind, is a simple but very effective countermeasure to one of the main routes of compromise in use by threat actors.

Best Practices for Strong Authentication

Implementing strong authentication protocols is a critical step in protecting against cyber attacks. Here are some best practices for ensuring strong authentication:

  1. Use Multi-Factor Authentication: As mentioned earlier, MFA is one of the most effective ways to protect against unauthorized access. Implementing MFA can greatly reduce the risk of stolen credentials.
  2. Enforce Strong Password Policies: Passwords are still one of the most common forms of authentication, so it’s important to ensure that users use strong passwords. Enforce password policies that require users to use complex passwords and encourage them to use password managers to store their passwords securely.
  3. Implement Biometric Authentication: Biometric authentication, such as fingerprint or facial recognition scans, can greatly enhance the security of authentication. These methods are much harder to replicate than passwords and can provide additional protection.
  4. Monitor and Analyze Authentication Logs: Monitoring authentication logs can help detect and prevent unauthorized access attempts. Analyzing authentication logs can also provide valuable insights into potential security vulnerabilities.

How Cyber Attackers Bypass MFA

Strong authentication is an essential part of good enterprise security, but alone it will not prevent determined and persistent attackers. As more organizations have understood the need for multi-factor authentication, threat actors have consequently sought ways to bypass or work around the associated technologies. Understanding both the strengths and weaknesses of MFA is an important part of managing this essential security measure.

MFA Fatigue

Some forms of MFA require the user to approve access on another device or in an authenticator app and typically work by pushing notifications on the nominated device. If an attacker has already compromised the user’s credentials such as through a phishing attack, they can trigger the notification repeatedly in the hope that the user simply approves the request or that they approve the request mistakenly.

Pass-the-Cookie Attacks

Many popular workplace applications that require authentication – think Slack or Teams, for example – work by placing session cookies on the user’s device after successful authentication. These cookies may have a session time limit measured in hours or days, and in some cases the application may use never-expiring cookie sessions.

If a threat actor is able to steal valid session cookies from a device, they may be able to log in as the user on another device without authentication. Session cookie theft is a primary objective of infostealers and other malware, and was implicated in the breach of CircleCI in early 2023.

Adversary-in-the-Middle Attacks

In Adversary-in-the-Middle (AiTM) attacks, also known as Man-in-the-Middle (MiTM) attacks, threat actors intercept the communication between a user and a system. By inserting a proxy server between the user and the system, attackers can gather the user’s credentials and steal the session cookie returned by the authentication system.

AiTM attacks typically begin with a phishing email sent to the target that contains a link to a phishing server posing as the legitimate service the user intends to log into. The user enters their credentials into the proxy server, which then forwards the communication to the legitimate server. The server’s response is also captured by the attacker, who now has all the information from both the user and the system to complete the authentication process.

SIM Swapping

SIM swapping exploits the process by which cell phone providers assign numbers to new devices. Threat actors pose as the victim to convince a provider to reassign the number from the victim’s SIM card to one controlled by the attacker. This allows the attacker to intercept authentication codes and other 2FA messages sent to the user.

SIM swapping was used effectively in a number of breaches throughout 2022 attributed to the Lapsus$ group.

How to Defend Against MFA Bypass Attacks

It is likely that threat actors will continue to innovate and devise new MFA bypass attacks, but the following best practices can help mitigate the risks associated with known bypasses today:

  • Limit or disable MFA push notifications
  • Ensure session cookies expire at shorter intervals
  • Use at least one form of biometric authentication
  • Consider using hardware keys for maximum security

In addition, enterprises can fortify their identity surfaces and protect credentials with ITDR (Identity Threat Detection and Response) tools that can proactively detect and prevent identity-based threats.
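The “Monitor and Analyze Authentication Logs” practice above and the MFA fatigue and pass-the-cookie sections translate directly into log-based checks. The block below is an added example, not code from the original post or from SentinelOne: it runs three detections (a burst of push prompts, one session id presented from two client fingerprints, and sessions outliving a short expiry) over a constructed JSON-lines log whose users, IPs, session ids and timestamps are all made up.

```python
"""Added example (not from the original post): three log-based checks for the
MFA-fatigue and pass-the-cookie techniques described above."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sample; users, IPs, session ids and times are made up.
SAMPLE_LOG = """\
{"ts": "2023-04-11T08:00:00", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2023-04-11T08:00:20", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2023-04-11T08:00:45", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2023-04-11T08:01:10", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2023-04-11T08:01:30", "user": "alice", "event": "mfa_push_sent"}
{"ts": "2023-04-11T08:02:00", "user": "alice", "event": "mfa_push_approved"}
{"ts": "2023-04-11T09:00:00", "user": "bob", "event": "mfa_push_sent"}
{"ts": "2023-04-11T09:00:30", "user": "bob", "event": "mfa_push_approved"}
{"ts": "2023-04-11T09:00:31", "user": "bob", "event": "session_use", "session": "s-bob-1", "ip": "198.51.100.7", "ua": "Chrome/112 Windows"}
{"ts": "2023-04-11T09:05:00", "user": "bob", "event": "session_use", "session": "s-bob-1", "ip": "198.51.100.7", "ua": "Chrome/112 Windows"}
{"ts": "2023-04-11T11:30:00", "user": "bob", "event": "session_use", "session": "s-bob-1", "ip": "192.0.2.44", "ua": "Firefox/111 Linux"}
"""

def parse_log(text):
    """Parse one JSON object per line, converting 'ts' to a datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=5)):
    """Users hit by >= threshold push prompts inside one sliding window.
    A real login needs one prompt; a burst means someone is hammering the user."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push_sent":
            pushes[e["user"]].append(e["ts"])
    flagged = {}  # user -> largest prompt count seen in one window
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def detect_session_reuse(events):
    """Session ids presented from more than one (ip, user-agent) fingerprint,
    the signature of a stolen cookie replayed from another machine."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "session_use":
            seen[e["session"]].add((e["ip"], e["ua"]))
    return {sid: sorted(fps) for sid, fps in seen.items() if len(fps) > 1}

def detect_stale_sessions(events, max_age=timedelta(hours=2)):
    """Sessions still in use more than max_age after first use; long-lived
    cookies widen the window in which a stolen one stays valid."""
    spans = {}  # session -> (first use, last use)
    for e in events:
        if e["event"] == "session_use":
            lo, hi = spans.get(e["session"], (e["ts"], e["ts"]))
            spans[e["session"]] = (min(lo, e["ts"]), max(hi, e["ts"]))
    return {sid: hi - lo for sid, (lo, hi) in spans.items() if hi - lo > max_age}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_mfa_fatigue(evs), detect_session_reuse(evs), detect_stale_sessions(evs))
```

The thresholds (four prompts in five minutes, a two-hour session lifetime) are assumptions for the example; in production they should be tuned to the identity provider's normal prompt rate and the cookie lifetime actually configured.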

Conclusion

Strong authentication protocols are crucial for protecting against cyber attacks. Implementing strong authentication measures, such as MFA with biometric authentication, can greatly reduce the risk of unauthorized access and protect sensitive data and resources.

By following best practices for strong authentication, businesses and individuals can fortify their digital defenses and defend against the ever-present threat of cyber attacks.


Feature Spotlight | Introducing RemoteOps Custom Script Actions

SentinelOne Singularity RemoteOps enables security teams to orchestrate forensics, carry out investigations remotely across multiple endpoints, and respond rapidly at scale. With RemoteOps, security teams are empowered to safeguard their enterprise from complex and time-sensitive cyber threats.

Streamline Security Through RemoteOps Scripts

The ability to run scripts allows incident response teams to efficiently modify tools and collect forensic artifacts – all accelerating the overall investigation and response workflows. The RemoteOps Script Library houses an extensive collection of out-of-the-box scripts available for all platforms including PowerShell for Windows and bash scripts for Linux and macOS.

Using this library, security teams can quickly execute remote scripts either directly from the SentinelOne console or via API to simplify and speed up investigative tasks during active events.

RemoteOps makes it easy to execute tasks via SentinelOne’s agents – at scale, for large sets of endpoints, or targeting only individual endpoints. This has many different uses:

  • Extend the SentinelOne platform with literally any custom endpoint action – if you can script it, you can automate it!
  • Collect forensic artifacts, like memory dumps or other transient state from an endpoint
  • Collect metrics for dashboarding and aggregation with SentinelOne’s PowerQuery language, like graphing the count of endpoints that currently have a process running matching a name
  • Provide a library of scripted response actions for defenders, like rolling out a particular patch to an in-house application, deleting a service that matches a name regex, etc
  • Perform endpoint scans using open source or 3rd party tools
  • Deploy custom 3rd party software or settings to Windows, Linux, or Mac endpoints

Framework Flexibility | Developing Script Actions In Singularity RemoteOps

RemoteOps is a flexible framework allowing security teams to easily create their own scripts tailored specifically for their enterprise’s machines and requirements and run scripts at scale to collect data and deploy a faster response on endpoint events.

Within Singularity, users can develop custom scripts to perform an action or collect structured (e.g., JSON/JSONL, CSV) and unstructured (e.g., files, process dumps) data to the XDR data lake. Custom actions may also include payloads such as binary, additional scripts, installer files, and configuration files.

With all capabilities available in the SentinelOne console, RemoteOps uses role-based access control (RBAC) to determine what tasks can be scheduled, where, and by whom. Further, all actions are audited to ensure the security of the environment.

Case Study | Uploading New Custom Scripts In Singularity RemoteOps

Incident response teams can run or install forensic acquisition tools of their choice when investigating an incident prevented by SentinelOne. RemoteOps allows teams to package their tools, distribute the package across selected endpoints, install, and run it easily.

The below example shows the steps for creating a custom script to deploy the popular open-source forensic tool, Velociraptor.

A PowerShell script such as

# Payload directory supplied by RemoteOps; fall back to the script's own folder when run by hand
$PackageDir = if ($ENV:S1_PACKAGE_DIR_PATH) { $ENV:S1_PACKAGE_DIR_PATH } else { $PSScriptRoot }

$log = Join-Path -Path $ENV:TEMP -ChildPath "velociraptor.install.log"
$msi = Join-Path -Path $PackageDir -ChildPath "velociraptor.msi"

# Silent install (/qn); /L*v writes a verbose log for troubleshooting
Write-Output "Starting install from '$msi' and logging to '$log'"
Start-Process "msiexec.exe" -ArgumentList @("/i", $msi, "/qn", "/L*v", $log) -Wait -NoNewWindow
# Drop the client configuration shipped in the payload next to the installed binary
Copy-Item (Join-Path -Path $PackageDir -ChildPath "velociraptor.yaml") "C:\Program Files\Velociraptor\client.config.yaml" -Force

would deploy Velociraptor from the MSI installer to a Windows system.

Next, simply upload the custom script action and payload to the RemoteOps Script Library.

To schedule installation and execution, users can choose to use saved filters, manual selection, or live queries to run the action on any set of selected endpoints. Agents will then execute actions in parallel.

In addition to running scripts manually, security teams can also schedule script actions for automatic execution (e.g., response to a custom rule detection or threat detection) using Singularity Marketplace apps, or via SentinelOne’s console APIs using any security automation solution.

Conclusion

Delays in the investigation and remediation phase leave enterprises at a higher risk to long-term damage from cyber incidents. With the power of running scripts on millions of endpoints automatically, security teams can collect forensic artifacts valuable for incident investigations and expedite the triage and response processes. Customers can rely on Singularity RemoteOps to create and run complex scripts and commands efficiently to collect the right data and respond remotely to suspicious behaviors.

To learn more about how Singularity RemoteOps can give time back to security teams working against the clock and help alleviate the burden for remote forensic tasks, book a demo today.

Microsoft (& Apple) Patch Tuesday, April 2023 Edition

Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.

On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.

Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates enabled (they are on by default), you should probably take care of that soon as detailed instructions on how to attack CVE-2023-28206 are now public.

Microsoft’s bevy of 100 security updates released today include CVE-2023-28252, which is a weakness in Windows that Redmond says is under active attack. The vulnerability is in the Windows Common Log System File System (CLFS) driver, a core Windows component that was the source of attacks targeting a different zero-day vulnerability in February 2023.

“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” said Dustin Childs at the Trend Micro Zero Day Initiative. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”

According to the security firm Qualys, this vulnerability has been leveraged by cyber criminals to deploy Nokoyawa ransomware.

“This is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300+ organizations in a matter of just a few months,” said Bharat Jogi, director of vulnerability and threat research at Qualys.

Jogi said while it is still unclear which exact threat actor is targeting CVE-2023-28252, targets have been observed in South and North America, regions across Asia and at organizations in the Middle East.

Satnam Narang at Tenable notes that CVE-2023-28252 is also the second CLFS zero-day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity (CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker.

Seven of the 100 vulnerabilities Microsoft fixed today are rated “Critical,” meaning they can be used to install malicious code with no help from the user. Ninety of the flaws earned Redmond’s slightly less-dire “Important” label, which refers to weaknesses that can be used to undermine the security of the system but which may require some amount of user interaction.

Narang said Microsoft has rated nearly 90% of this month’s vulnerabilities as “Exploitation Less Likely,” while just 9.3% of flaws were rated as “Exploitation More Likely.” Kevin Breen at Immersive Labs zeroed in on several notable flaws in that 9.3%, including CVE-2023-28231, a remote code execution vulnerability in a core Windows network process (DHCP) with a CVSS score of 8.8.

“‘Exploitation more likely’ means it’s not being actively exploited but adversaries may look to try and weaponize this one,” Breen said. “Microsoft does note that successful exploitation requires an attacker to have already gained initial access to the network. This could be via social engineering, spear phishing attacks, or exploitation of other services.”

Breen also called attention to CVE-2023-28220 and CVE-2023-28219 — a pair of remote code execution vulnerabilities affecting Windows Remote Access Servers (RAS) that also earned Microsoft’s “exploitation more likely” label.

“An attacker can exploit this vulnerability by sending a specially crafted connection request to a RAS server, which could lead to remote code execution,” Breen said. “While not standard in all organizations, RAS servers typically have direct access from the Internet where most users and services are connected. This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization. They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”

For more details on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.