A Myth or Reality? Debunking (Mis)Conceptions Surrounding Cloud Ransomware

With the rise of cloud computing, businesses can store troves of data online and access it from anywhere at any time. However, this convenience comes with a price. Cybercriminals are always looking for vulnerabilities in the cloud and one of the most alarming threats to emerge is cloud ransomware.

Cloud ransomware is malware that targets cloud-based storage systems and encrypts data held in the cloud, making it inaccessible unless the compromised party agrees to pay the ransom in exchange for a decryption key. While some experts argue that cloud ransomware is a myth, others insist that it is a real threat that businesses must take seriously.

This blog post explores the reality of cloud ransomware and debunks the most common myths surrounding this threat.

Defining Cloud Ransomware

Cloud ransomware works much like a traditional ransomware. First, cybercriminals infect the victim’s system, typically through a social engineering tactic such as phishing emails or by exploiting vulnerabilities in a cloud provider’s security systems. Once inside, the cloud ransomware spreads throughout the infrastructure, infecting all connected devices and cloud storage systems.

The attacker uses an encryption algorithm to scramble the victim’s files, rendering them unreadable without a decryption key. This key is often a private key held by the attacker, who offers to provide it to the victim after they have paid a ransom. In addition, threat actors will attempt to exfiltrate data in order to use it for further leverage, a technique widely referred to as “double extortion”.

Is Cloud Ransomware Relevant for Kubernetes?

Concern for cloud ransomware attacks continues to grow amongst organizations worldwide, particularly as more businesses take on digital transformation projects and move their data and applications to the cloud. With the rise of Kubernetes (K8s) as a leading container orchestration platform in these transformations, many organizations wonder if they risk falling victim to cloud ransomware attacks.

The short answer is ‘yes’. K8s can be particularly vulnerable to ransomware attacks due to their distributed nature, making it challenging to detect and contain an attack.

Ransomware attacks on K8s can occur in a few different ways. Common methods include Kubernetes API server vulnerabilities, which allow attackers to gain unauthorized access to the cluster and its resources. Once inside, attackers can launch a ransomware attack, encrypting files and demanding payment in exchange for the decryption key.

Other potential entry points for ransomware attacks on K8s are vulnerabilities and misconfigurations. If an attacker can access an unsecured container image, they can insert ransomware into the image and then launch the attack when the image is deployed to the K8s cluster.

To protect against cloud ransomware attacks on K8s, it is important to implement a comprehensive security strategy that includes regular vulnerability assessments and penetration testing. It is also essential to ensure that all components of the K8s cluster are properly secured and that access is limited to only those who need it.

Other best practices for protecting against cloud ransomware attacks on K8s include:

  • Implementing strong access controls, including multi-factor authentication and role-based access control (RBAC).
  • Ensuring that all container images are scanned for vulnerabilities and only trusted images are used.
  • Regularly monitoring the K8s cluster for suspicious activity, such as unusual file access or changes to configuration files.
  • Keeping all K8s components updated with the latest security patches and updates.
  • Implementing a disaster recovery plan that includes regular backups of critical data and applications.

While K8s can be vulnerable to cloud ransomware attacks, organizations can take steps to protect themselves and minimize the risk of falling victim. By implementing a comprehensive security strategy and following best practices for securing K8s, organizations can reduce the likelihood of a successful ransomware attack and ensure that their data and applications remain safe and secure.

Myth #1 | “Cloud Ransomware Is Not a Real Threat”

Reality: Cloud ransomware is a real and growing threat. As more businesses move their data to the cloud, cybercriminals develop new techniques to attack cloud-based systems.

According to the latest forecast in cloud computing from Gartner, businesses globally are set to increase their spending on cloud services by 20.7% making the total amount spent just over $590 billion in 2021 up from $490 billion the year before. These days, cloud services and applications are increasingly mission-critical for day-to-day operations and security.

Threat actors have followed these trends for cloud adoption and are now targeting this attack surface with a new generation of ransomware specially crafted to spread through cloud infrastructures and encrypt data stored within them. Since clouds support mass numbers of both users and sensitive information, they have become high-value targets for threat actors.

Myth #2 | “Cloud Service Providers Are Solely Responsible for Securing Your Data”

Reality: While cloud service providers have security measures in place, it is ultimately the user’s responsibility to secure their own data. Cloud providers usually offer basic security measures like firewalls, but it is up to the user to configure these settings properly and implement additional security measures like multi-factor authentication (MFA) and encryption.

Cloud service providers are responsible for ensuring the security of their infrastructure and the applications they provide to their customers. This includes implementing security measures such as firewalls, antivirus software, and encryption protocols to protect their systems from cyber threats. They also provide secure storage, network access, and data transmission. However, they do not have full responsibility for securing a business’ data.

The Cloud Shared Responsibility Model

Cloud security is a shared responsibility between the cloud service provider and the customer. The provider ensures the security of the infrastructure including the physical data centers, networking, and server hardware. In tandem, the customer is responsible for securing their data. The customer’s responsibilities include securing their account access, configuring their security settings, managing their data, and monitoring their activity.

The Cloud Shared Responsibility Model has become a critical tool in cloud security as it helps businesses and cloud service providers clarify who is responsible for what and ensure effective cloud security. Without such a model, responsibilities are often miscommunicated and misunderstood, leading to gaps in security coverage and duplication of efforts.

A Customer’s Responsibility for Securing Their Cloud Data

The customer is responsible for securing their data while it is in storage, in transit, and while it is being used. This includes implementing access controls, encryption, and monitoring for any unauthorized activity. Customers should also ensure that their data is backed up and stored in a secure location. Failure to secure data can lead to data loss, theft, or a data breach.

Myth #3 | “Backing Up Your Data Is Enough Protection Against Cloud Ransomware”

Reality: Backing up sensitive data is a first step in protecting against any kind of service outage, including malicious attacks from malware including ransomware. However, since at least 2020, ransomware threat actors began to pivot to using double-extortion techniques to counteract victims trying to restore their data from backups and security software that could rollback infected machines to a pre-infected state. Threatening to leak or sell stolen data is now a widespread tactic in use by many ransomware gangs.

In addition, should a business fall victim to an attack, security leaders and technical teams must restore their data from a clean backup, which can be time-consuming. Depending on the severity of the attack, it may take days, weeks, or even months to restore data from a backup. During this time, the organization may be unable to operate normally, resulting in lost productivity and revenue.

Having multiple backups in different locations and testing them regularly is important to ensure they will work correctly in times of need. If the backup process is not comprehensive or if backups are not taken regularly, there may be gaps in the data that is recoverable. In such cases, some data may be lost forever.

Cybercriminals are constantly evolving their tactics, and newer forms of ransomware can also target backups or corrupt them. In such cases, the data may not be recoverable even with the backups.

Myth #4 | “Cloud Ransomware Only Affects Large Corporations”

Reality: Cloud ransomware can affect anyone who stores data in the cloud, regardless of the business size. In fact, some cybercriminals choose to target small and medium-sized businesses (SMBs) due to their less experienced security posture and lack of dedicated security resources.

SMBs also hold valuable data such as customer data, financial data, and intellectual property to, potentially, a large number of local clients. Ransomware operators know that if they can successfully encrypt this data, they can demand a ransom to release it, potentially causing significant disruption to the business.

Locked into the potential for quick payouts, ransomware operators often see SMBs as easier targets as they may be more likely to pay the ransom quickly to avoid business disruption. Larger businesses and global enterprises in contrast may have more resources to recover from a ransomware attack without having to pay the ransom.

Myth #5 | “Paying the Ransom Will Ensure Return of Your Data”

Reality: To help meet the risks of ransomware incidents head on, CISA launched an ongoing, comprehensive campaign called Stop Ransomware to arm businesses with critical best practices and knowledge about the threats that face them.

One of the most important reminders coming from this campaign has been to strongly discourage businesses from paying ransoms in the case of an attack. From the campaign resources, “Since ransomware payments do not ensure data will be decrypted or systems or data will no longer be compromised, federal law enforcement do not recommend paying ransom. In addition, the Treasury Department warns these payments run the risk of violating Office of Foreign Assets Control (OFAC) sanctions. Therefore, prevention is key.”

Additionally, there is no guarantee that the attacker provides their victims with the decryption key even if the ransom is paid. Having data backups and working with cybersecurity experts during active incidents ensures file recovery without the need to pay out.

Myth #6 | “Cloud Ransomware Is Easy to Prevent”

Reality: Cloud ransomware can be difficult to prevent if the organization does not have proper security controls in place. Once an attack takes hold, it can spread rapidly through an organization as it often operates silently in the background, encrypting critical data without disrupting day-to-day workflows and processes. Security teams must regularly monitor their cloud-based systems for any unusual activity and cloud workload protection on associated devices in the cloud.

By nature, cloud environments are highly dynamic, with resources being created, destroyed, and moved constantly. This can make it difficult to establish a baseline of normal activity, making it harder to identify abnormal behavior associated with ransomware.

Also, cloud environments work through multiple layers of abstraction, which can cause security teams issues in maintaining full visibility into the underlying infrastructure. For example, virtual machines may be running on physical servers that are managed by a cloud provider, making it difficult to detect ransomware that is running within a virtual machine.

Myth #7 | “Preventing Cloud Ransomware Is Too Expensive”

Reality: While implementing security measures like encryption and MFA can come with a larger, upfront cost, the cost of a ransomware attack is sure to be much higher. In IBM’s Cost of a Data Breach report, the average cost of a data breach in the United States cost businesses $9.44 million – $5.09 million more than the global average cost. The report noted that ransomware attacks have grown more destructive and that nearly half of all data breaches happen in the cloud.

Post-attack costs are often not considered when organizations push back on implementing new security measures. After data breaches, companies face long-term financial losses that are often irreversible and, if severe enough, can put the company at risk of foreclosure. Common costs that pile up after severe cyberattacks include:

  • Financial Losses – Data breaches can result in financial losses for the affected individuals or organizations. These losses can result from theft of financial information, fraud, or loss of business due to damage to the organization’s reputation.
  • Reputational Damage – A data breach can damage an organization’s reputation, resulting in a loss of customer trust and loyalty. This damage can be long-lasting and difficult to repair. Losses also include any prospective customers and future business opportunities.
  • Legal Issues – Data breaches can result in legal issues, such as lawsuits from affected individuals or regulatory fines for non-compliance with data protection regulations.
  • Increased Security Costs – Following a data breach, an organization may need to increase its security measures to prevent future breaches. This can result in increased costs for security personnel, software, and hardware.
  • Identity Theft – If personal information such as Social Security numbers or credit card information is stolen in a data breach, affected individuals may be at risk of identity theft for years to come.

Conclusion

Attracted to the mounds of sensitive data stored in clouds and a wide-spread adoption of cloud computing in recent years, threat actors are evolving their ransomware to target cloud infrastructures and services especially. Cloud ransomware is a growing threat that can affect any who choose to store their data in the cloud.

When it comes to securing the cloud surface, SentinelOne enables organizations to protect their endpoints across all cloud environments, public, private, and hybrid, through Singularity Cloud. Singularity Cloud works by extending distributed, autonomous endpoint protection, detection, and response to compute workloads running in both public and private clouds, as well as on-prem data centers. Contact us today or book a demo to see how Singularity Cloud brings agility, AI-powered security, and compliance to organizations globally.

Singularity Cloud
Simplifying runtime detection and response of cloud VMs, containers, and Kubernetes clusters for maximum visibility, security, and agility.

The Good, the Bad and the Ugly in Cybersecurity – Week 14

Operation Cookie Monster | Genesis Market Bites the Dust

This week, cyber cops from multiple countries took down another major marketplace that traded stolen credentials and other sensitive information, known as Genesis market. According to the DoJ, Genesis offered access to over 1.5 million compromised devices worldwide and was a key enabler of ransomware.

Operation Cookie Monster involved law enforcement agencies from the Australia, Canada, Germany, Poland, Sweden, the U.K and the U.S. Aside from the dismantling of the site, authorities arrested 120 people known to be regular users of the site and conducted 200 searches across a number of countries.

Genesis offered criminals a variety of stolen data, including session cookies (hence the operation name) and other metadata criminals could use to access victim’s personal and business accounts even when those were protected by MFA.

The DoJ said that credentials and other data found on the site included those belonging to victims associated with the White House, Department of State, Justice Department, the IRS, the Department of Energy, the U.S. Postal Service, NASA, and the Department of Defense.

A list of compromised victims has been provided to the Have I Been Pawned (HIBP) website. Concerned readers can check with HIBP to see if their credentials have appeared in various data breaches including Operation Cookie Monster.

The seizure of Genesis follow last month’s shuttering of BreachForums and represents a significant step forward in thwarting cybercrime and bringing to justice criminals who make use of such services.

Unpatched Windows | Millions of Endpoints Vulnerable to CISA KEVs

If the first rule of cybersecurity is “Patch early, and patch often”, then it seems the owners of millions of internet-facing endpoints have yet to hear it. Researchers this week said almost 900 known exploitable vulnerabilities (KEVs) catalogued by CISA over the last decade remain unpatched on around 15 million services today.

According to the research, around 3.5 million Windows hosts reachable from the public internet are vulnerable to one or more of 137 CVEs in CISA’s KEV. 4.5 million endpoints of the 15 million total are vulnerable to KEVs discovered between 2010 and 2020. There are almost 200,000 exposed hosts that remain vulnerable to CVE-2014-0160, aka Heartbleed, disclosed nearly ten years ago. Of the more recent bugs such as ProxyShell and ProxyLogon, both of which received a deluge of media attention in 2021, there remain 14.5K and 4.9K unpatched machines exposed to the internet.

Using data from Greynoise, the researchers established that the Confluence bug CVE-2022-26134 was the most exploited, with over 800 exploitation attempts in the past month alone. The last 30 days prior to the report also showed 66 exploitation attempts of Log4Shell.

Source: Rezilion

Organizations can have multiple dependencies that make patching complex. However, the researchers report that Microsoft Windows, Internet Explorer, Microsoft Office, and Win32k along with Adobe Flash Player account for a quarter of CISA’s Known Exploited Vulnerabilities catalog. Therefore, it is advisable to patch these as a priority and/or reduce dependencies on these services where practicable.

SmoothOperator Keeps Calling | Backdoors Target Cryptocurrency Companies

Details about targets and payloads are still emerging in the wake of last week’s supply chain attack on 3CX, dubbed SmoothOperator and widely attributed to North Korean aligned threat actor Lazarus. However, researchers this week linked the campaign to a known backdoor dubbed “Gopuram”, used in attacks against cryptocurrency companies.

Gopuram was seen in an attack associated with AppleJeus as long ago as 2020, but a spike in Gopuram infections had been observed in the weeks just prior to disclosure of the 3CX compromise. These compromises subsequently turned out to be related to the SmoothOperator campaign and targeted cryptocurrency companies.

The Gopuram backdoor reaches out to a C2 server and requests tasking from the operator. Available commands include:

Command Description
Ping Pings a host specified in the argument.
Connect Connects to a given host via a socket and waits for the server to send data.
Registry Manipulates registry (lists, adds, deletes and exports keys).
Service Manipulates (creates, lists, starts, stops and deletes) services.
Timestomp Performs timestomping on files.
Inject Performs payload injections through syscalls via mapping a shellcode to a remote process and creating a remote thread.
KDU Kernel Driver Utility that allows an attacker to bypass driver signature enforcement.
Update Encrypts a provided payload and writes it to the C:WindowsSystem32configTxR.TxR.0.regtrans-ms file.
Net Partially implements features of the net command: management of users, groups, sessions and network shares.

The researchers identified the following additional indicators of compromise:

SHA1 
011660842c3299e14a6ee7122494b9c78d448388
1b204f5969eb2ec9326f27244545d1f56547b14e
c8c21c8a5d86c57650a887bf798ae83095a40e97

FILE PATHS
C:WindowsSystem32configTxR.TxR.0.regtrans-ms
C:Windowssystem32catroot2edb.chk.log

Security teams are advised to conduct additional threat hunting based on these IoCs. Further details are available from SentinelOne here and Kaspersky here.

Mastering Kubernetes Security | Top Strategies Recommended by OWASP

Kubernetes, a popular open-source container orchestration system, has gained popularity among enterprises for its ability to manage and automate large-scale containerized workloads. However, as with any technology, inherent security risks must be considered and addressed.

In this post, we explore the top ten Kubernetes security risks and provide recommendations for mitigating these risks.

What is Kubernetes?

Kubernetes, commonly referred to as “K8s”, is a container orchestration system that automates the deployment, scaling, and management of containerized workloads. It was originally developed by Google and is now maintained by the Cloud Native Computing Foundation (CNCF).

Kubernetes is a powerful tool that offers self-healing, auto-scaling, and service discovery features. In addition, it allows developers to deploy their applications as workloads that can run on any platform that supports Docker containers.

Understanding Kubernetes Security

Teams securing Kubernetes are responsible for addressing all its various layers and services. Kubernetes security comprises three main components: securing the cluster, securing nodes, and securing applications.

Securing K8 Clusters

The Kubernetes control plane manages the cluster, including scheduling, scaling, and monitoring. Securing the cluster includes securing the control plane components, such as the API server, etcd, and Kubernetes controller manager by enabling authentication, authorization, and encryption.

Securing K8 Nodes

Nodes are the worker machines in a Kubernetes cluster that run the containers. Nodes can be secured through the host operating system, by configuring network security, and by securing the Kubernetes runtime environment. Removing unnecessary user accounts and ensuring that nothing runs as root are all best practices to consider when securing K8 nodes.

Securing K8 Applications

In Kubernetes, a pod is a container used to run an application. Securing these applications means securing the pod. Kubernetes provides several security features to help secure applications. These features can be used to limit resource access, enforce network policies, and enable secure communication between containers.

Top 10 OWASP Kubernetes Security Risks & Recommendations

The OWASP Foundation was created to improve software security through community-led, open-source software projects. Here are the top ten strategies recommended by OWASP for securing Kubernetes ecosystems.

1. Insecure Workload Configurations

Kubernetes manifests contain a plethora of configurations that can affect the reliability, security, and scalability of a given workload. These configurations should be audited and remediated continuously to prevent misconfigurations. However, some high-impact manifest configurations are more likely to be misconfigured than others. Some examples are:

  • Running application processes as root inside a container is a common misconfiguration in many clusters. Though root may be required for some workloads, it should be avoided when possible. If the container were to be compromised, the attacker would have root-level privileges, allowing actions such as starting a malicious process that otherwise wouldn’t be permitted with other users on the system.
  • To limit the impact of a compromised container on a Kubernetes node, it is recommended to utilize read-only filesystems when possible. This prevents a malicious process or application from writing back to the host system. Read-only filesystems are a key component to preventing container breakout.
  • Privileged containers should be disallowed as they can access additional resources and kernel capabilities of the host. Workloads running as root combined with privileged containers can be devastating as the user can access the host completely. This is, however, limited when running as a non-root user. Privileged containers are dangerous as they remove many of the built-in container isolation mechanisms entirely.

While many security configurations are often set in the securityContext of the manifest itself, other misconfigurations can be detected elsewhere. They must first be detected in both runtime and code to prevent misconfigurations. It is imperative to enforce that applications run as non-root users, run in non-privileged mode, and set ‘AllowPrivilegeEscalation’ to ‘False’ to disallow child processes from gaining more privileges than their parents.

Security teams can use tools such as Open Policy Agent as a policy engine to detect common misconfigurations like the ones listed above. Using the CIS Benchmark for Kubernetes is a good starting point for discovering misconfigurations. However, it is important to continuously monitor and remediate any potential misconfigurations to ensure the security and reliability of a Kubernetes workload.

2. Supply Chain Vulnerabilities

At various phases of the development lifecycle supply chain, containers take on many forms and each will present its own unique security challenge. This is because a single container may rely on hundreds of external, third-party components, diluting the level of trust at each phase. The most common supply chain vulnerabilities are below:

  • Image integrity – Container images are made up of layers, each bringing possible security risks. Since container images use third-party packages extensively, they can be dangerous to run within a trusted environment. To mitigate this, it’s important to ensure image integrity by validating software at each phase using in-toto attestations. Doing so increases the SLSA level of the build pipeline, which means it is more resilient against attacks. Additionally, using image signing and verification through cryptographic key-pairs can detect tampering with the artifacts throughout the DevOps workflow, which is an essential step in building a secure supply chain.
  • Image composition – Container images contain layers, each presenting different security implications. A properly constructed container image reduces the attack surface and increases deployment efficiency. Thus, it’s important to create container images using minimal OS packages and dependencies to reduce the attack surface, considering using alternative base images such as Distroless or Scratch to improve security posture and reduce image size. Furthermore, tools like Docker Slim are available to optimize image footprint for performance and security reasons.
  • Known software vulnerabilities – Security flaws are widespread due to the extensive use of third-party packages in container images. Image vulnerability scanning is crucial for enumerating known security issues in container images, which should be used as a first line of defense. Open-source tools such as Clair and trivy statically analyze container images for known vulnerabilities such as CVEs, and should be used as early in the development cycle as reasonably possible.

Enforcing policies to prevent unapproved images from being used is also essential. Kubernetes admission controls and policy engines such as Open Policy Agent and Kyverno can reject workload images that haven’t been scanned for vulnerabilities, use a base image that’s not explicitly allowed, don’t include an approved SBOM, or originate from untrusted registries.

3. Overly-Permissive RBAC

Role-based access control (RBAC) allows the definition of who has access to what resources in a cluster and what they can do with those resources. When configured correctly, RBAC helps prevent unauthorized access and protect sensitive data.

However, if RBAC is not configured correctly, it can lead to overly-permissive settings that allow users to access resources that they should not have access to or perform actions that they should not be able to perform. This can create serious security risks, including data breaches, data loss, and compromise.

Examples of overly-permissive RBAC include the unnecessary use of cluster-admin in Kubernetes. Granting access to this “superuser” role gives unfettered control over every resource in the cluster, which is especially dangerous when used in a ClusterRoleBinding, which grants the all-powerful cluster-admin privilege to every single Pod in the default namespace, making the entire cluster vulnerable to attack.

To prevent such an attack, it is crucial to continuously analyze RBAC configurations and enforce the principle of least privilege (PoLP). This can be achieved by reducing direct cluster access by end users, avoiding using Service Account Tokens outside of the cluster, and auditing RBAC included with installed third-party components. Moreover, deploying centralized policies to detect and block risky RBAC permissions, utilizing RoleBindings to limit the scope of permissions to particular namespaces, and following the official RBAC Good Practices is highly recommended.

4. Policy Enforcement

Policy enforcement involves the implementation of rules and regulations to ensure compliance with organizational policies. In the context of Kubernetes, policy enforcement ensures that the Kubernetes cluster adheres to the security policies set by the organization. These policies could be related to access control, resource allocation, network security, or any other aspect of the Kubernetes cluster.

Policy enforcement is essential for ensuring the security and compliance of the Kubernetes cluster. Failure to enforce policies can lead to security breaches, data loss, and other potential risks. Additionally, policy enforcement helps maintain the integrity and stability of the Kubernetes cluster, ensuring that resources are allocated effectively and efficiently.

Best Practices for Policy Enforcement in Kubernetes

It is essential to follow best practices to ensure effective policy enforcement in Kubernetes. Some of these include:

  • Defining policies that align with organizational goals and regulatory requirements.
  • Implementing policies using Kubernetes-native resources or policy controllers.
  • Regularly reviewing and updating policies to ensure they remain relevant and effective.
  • Monitoring policy violations and remediating them promptly.
  • Educating users on Kubernetes policies and their importance.

5. Inadequate Logging

Logging is an essential component of any system that runs applications. It involves collecting and storing data about the system’s behavior and its applications. Logging in Kubernetes is no different. Kubernetes logs are records of events that occur within a Kubernetes cluster.

These logs can help identify system issues and provide valuable insight into system performance, security breaches, and data loss. Various sources, including application code, Kubernetes components, and system-level processes, can generate Kubernetes logs.

Best Practices for Kubernetes Logging

  • Use a Centralized Logging System – A centralized logging system collects and stores logs from all Kubernetes components and applications in a single location. This makes it easier to identify and respond to issues with the system. There are many different centralized logging systems available for Kubernetes. Some popular options include Elasticsearch, Fluentd, and Logstash.
  • Use Standardized Logging Formats – Standardized logging formats make searching and analyzing logs from multiple sources easier. This is especially important when using a centralized logging system. Several standardized logging formats are available for Kubernetes, including JSON and syslog. Security teams will need to choose a format supported by their logging system and configure their Kubernetes components and applications to use that format.
  • Maintain Complete Logs – When it comes to Kubernetes logging, it’s important to log everything: application logs, Kubernetes component logs, and system-level logs. Logging everything ensures a complete picture of system behavior. However, logging everything can also generate a large amount of data. To manage this data, consider setting up log rotation and retention policies. Log rotation policies ensure that logs are rotated and compressed regularly to conserve disk space. Retention policies determine how long logs are kept before being deleted.
  • Use Labels and Annotations – Labels and annotations are a powerful feature of Kubernetes that can provide additional context to logs. Labels are key-value pairs that can be attached to Kubernetes objects, such as pods and services. Annotations are similar to labels but can contain larger amounts of information. Labels and annotations can filter and search logs based on specific criteria. For example, security teams can add a label to all pods that are part of a particular application and then search for logs from those pods based on the label.
  • Monitor Kubernetes Logs – Monitoring logs regularly allows security teams to identify issues with the system and respond to them quickly. There are many different tools available for monitoring Kubernetes logs. Some popular options include Prometheus, Grafana, and Kibana. These tools support log visualization where alerts can be set up based on specific criteria.
  • Set Up Auditing – Setting up auditing in Kubernetes enables teams to track changes to the Kubernetes API server and other Kubernetes components, help identify unauthorized system changes, and ensure compliance with security policies. To set up auditing in Kubernetes, configure the Kubernetes API server to log audit events. These events can then be sent to a centralized logging system for analysis.

6. Broken Authentication

Broken authentication is a vulnerability that allows attackers to bypass authentication and gain unauthorized access to an application or system. Authentication is verifying a user’s or system’s identity, usually by requiring a username and password. If an attacker can bypass the authentication process, they can gain access to sensitive data, systems, or applications. In Kubernetes, broken authentication can occur due to several factors, including:

  • Weak or compromised authentication credentials – If an attacker can obtain a user’s credentials, they can bypass authentication and gain unauthorized access to the Kubernetes cluster.
  • Misconfigured authentication settings – Kubernetes supports several authentication mechanisms, including X.509 certificates, static tokens, and OAuth tokens. Misconfigured authentication settings can leave the Kubernetes cluster vulnerable to attack.
  • Insecure communication channels – Kubernetes uses various communication channels, including the Kubernetes API server, kubelet, and, etcd. An attacker can intercept and manipulate traffic to bypass authentication if these communication channels are insecure.

How to Prevent Broken Authentication in Kubernetes

Preventing broken authentication in Kubernetes requires implementing several security measures, including:

  • Strong authentication credentials – Users must use strong and unique passwords or authentication tokens that are not easily guessable.
  • Secure communication channels – Communication channels between Kubernetes components must be encrypted using SSL/TLS.
  • Proper authentication configuration – The authentication mechanisms used in Kubernetes must be correctly configured to prevent unauthorized access.
  • Implementing RBAC – Role-Based Access Control (RBAC) should be used to restrict access to Kubernetes resources based on a user’s role.

7. Network Segmentation

Network segmentation divides a network into smaller subnetworks, each isolated. This is done to improve security by limiting the scope of potential attacks. By isolating different parts of the network from each other, network segmentation makes it harder for attackers to move laterally within the network and gain access to sensitive resources.

By default, any workload can communicate with another workload when no additional controls are put in place in a Kubernetes network. An attacker can leverage this default behavior by exploiting a running workload to probe the internal network, move to other running containers, or even invoke private APIs.

How to Implement Network Segmentation in Kubernetes Clusters

Isolating traffic within the context of a Kubernetes minimizes damage and loss should a container become compromised. Several techniques can be used to implement network segmentation in Kubernetes clusters to stop lateral movement and still allow valid traffic to route as normal. Two important techniques are:

  • Using Network Policies – Kubernetes supports network policies, which define how traffic flows between pods and namespaces. Using network policies controls which pods can communicate with each other and which ones are isolated from the rest of the cluster.
  • Using Network Segmentation Tools – Many third-party tools can implement network segmentation in Kubernetes clusters. The most popular ones include Calico, Weave Net, and Cilium. These tools provide advanced network segmentation capabilities, such as encryption, firewalling, and intrusion detection.

8. Secrets Management

A “secret” is an object in Kubernetes that contains sensitive data such as passwords, certificates, and API keys. Secrets store confidential data that should be inaccessible to other users and processes within the cluster. Kubernetes secrets are stored in etcd, a distributed key-value store used by Kubernetes to store all cluster data.

Kubernetes Secrets Management Best Practices

Though secrets are a very useful function in the Kubernetes ecosystem, they need to be handled with caution. Managing Kubernetes secrets can be broken down into the following steps:

  1. Deploy encryption at rest – A potential attacker can gain considerable visibility into the state of a cluster by accessing the etcd database, which contains any information accessible via the Kubernetes API. Kubernetes offers encryption at rest; a feature introduced in version 1.7 and v1 beta since 1.13. Encryption at rest safeguards secret resources in etcd, ensuring that the content of those secrets remains hidden from parties that access etcd backups. This feature is still in the beta stage, but it provides an extra layer of security in situations where backups are not encrypted, an attacker has read access to etcd.
  2. Address security misconfigurations such as vulnerabilities, image security, and policy enforcement – RBAC configuration should also be locked down, and all Service Account and end-user access should be restricted to the least privilege, especially when accessing secrets. Auditing the RBAC configuration of third-party plugins and software installed in the cluster is also necessary to ensure that access to Kubernetes secrets is not granted unnecessarily.
  3. Ensure that logging and auditing are in place – This helps detect malicious or abnormal behavior, including access to secrets. Kubernetes clusters produce useful metrics around activities that can be leveraged to detect such behaviors. Therefore, enabling and configuring Kubernetes audit records and centralizing their storage is advisable.

A few more additional tips and tricks include rotating secrets regularly to reduce the risk of secrets being compromised, auditing secret access to detect any unauthorized access to secrets, and using third-party secret management tools such as HashiCorp Vault or CyberArk Conjur to manage Kubernetes secrets.

9. Misconfigured Cluster Components

Kubernetes clusters are composed of various different components from key-value storage within etcd, the kubelet, the kube-apiserver, and more. All of the components are each highly configurable, meaning teams must implement the right security defaults to ensure their security.

Cluster compromise can happen when there are misconfigurations in core Kubernetes components. The most commonly misconfigured components on the Kubernetes control plan and nodes include the below:

  • Kubelet – Check that the configuration is set up to deny anonymous authentication. Also, when communicating with Kubelets, authorization checks should always be performed. Set the Authorization mode to anything other than ‘AlwaysAllow’ in order to block unauthorized requests.
  • Kube-apiserver – Inspect the internet accessibility of the API server in use and keep the Kubernetes API off of any public networks.

Performing CIS Benchmark scans and audits can help security teams focus on eradicating component misconfigurations. Using hosted services such as EKS, GKE, or AKS can help implement secure defaults and limit some of the options for component configuration.

10. Vulnerable Components

As Kubernetes clusters run vast amounts of third-party software, security teams will need to build a multi-tiered strategy to combat vulnerable components. Some best practices on how to do so are as follows:

  • Track CVE databases – A key element in managing known and new vulnerabilities in Kubernetes is to stay up-to-date on CVE databases, security disclosures, and community updates. Security teams can use this intel to build actionable plans to implement regular patch management processes.
  • Implement continuous scanning – Using a tool such as OPA Gatekeeper can be helpful in writing custom rules that work to uncover any vulnerable components within a Kubernetes cluster. Security teams can then track and document these findings to improve their security processes and policies.
  • Minimize third-party dependencies – Third-party software must be thoroughly audited for overly permissive RBAC, low-level kernel access, and vulnerability disclosure records before deployment occurs.

Conclusion

Though Kubernetes is powerful, its adoption comes with the inevitable introduction of new risks into an environment’s existing infrastructure and applications. Having a comprehensive approach to securing Kubernetes ensures security teams can address all types of vulnerabilities and risks that can affect the individual layers of a Kubernetes cluster.

Following the recommendations provided in this post can set businesses on the right path to hardening their Kubernetes environments and reduce its attack surface. Through best practices implementation, security teams managing Kubernetes can gain visibility into their environments and better control each layer of their Kubernetes deployment.

Singularity Cloud
Simplifying runtime detection and response of cloud VMs, containers, and Kubernetes clusters for maximum visibility, security, and agility.

Integrating ChatGPT & Generative AI Within Cybersecurity Best Practices

ChatGPT has generated a tremendous buzz since it was launched in November 2022. Over the last five months, the generative artificial intelligence (AI) chatbot has become the subject of many complex and ongoing discussions on its potential to impact the infosec community and cybersecurity landscape on the whole.

For security leaders, the use of AI can be a powerful tool, helping to ensure that their business’s architecture can withstand all of the developing challenges in the threat landscape. Staying ahead of incoming threats means that leaders are looking past reactive, single-layer solutions that can no longer keep up with novel and increasingly sophisticated techniques of threat actors.

This blog post examines the use of ChatGPT in the context of cybersecurity and discusses its implications on information security. It describes how generative AI tools like ChatGPT can be safely implemented within the boundaries of cybersecurity best practices and be used effectively to strengthen security strategies.

The Rise of ChatGPT | From Index-Based Searching to the Familiarity of Dialogue

Over the span of two decades, Google Search has arguably shaped the way modern internet users discovered, consumed, and maneuvered through the vast store of information on the web.

Google’s search engine provides information much like the index of a book rather than a table of contents. The search is largely manual and it is up to the user to sift through all the hits, find the accurate answer, make the connections between found information, and finally, to process how they should think about it.

Alternatively, ChatGPT’s wildfire-like popularity has been credited to its ability to ‘speak’ in a natural-sounding language. When asked a question, ChatGPT draws from a massive amount of text data, including books, articles, and web pages to generate its response. Trained to be conversational, it then uses machine learning algorithms to reply in the same context as the rest of the dialogue. As a result, the responses are human-like, giving the user a familiar sense of two-way conversation as opposed to a one-way, index-based search that internet users have adopted in the era of Google.

Multimodality of Social Media & ChatGPT in Information Search

As the newest generation of internet users emerge, research is showing their preference for multimodal forms of communication and searching for information on social apps such as TikTok and Instagram. On these apps, information seems to come from ‘first hand’ sources, building an information exchange based on conversation and casual dialogue.

Though the technology behind ChatGPT is not new, it seems to ride on the coattails of this new preference for community-centric conversations between a ‘source’ and its consumer. Perhaps ChatGPT heralds a turning point in how users think about and approach data organization. Within the first two months of its launch, the AI bot had more than 100 million users and sees more than 13 million daily visitors as of 2023.

Can ChatGPT Be Safely Integrated in Cybersecurity Strategies & Processes?

Given the popularity of ChatGPT and how it is impacting information consumers globally, security leaders are giving more attention to such tools as a way to enhance their business. Though a powerful tool, it is important to assess how it can fit into organizational workflows in a safe and effective manner.

In most cases, end users have reported a positive experience with regard to the data output by the AI chatbot. However, the bot’s parent company, OpenAI, has published various terms and safety policies, pointing users to the reality that ChatGPT currently does not offer any fact checks and responses provided should not be blindly trusted.

According to NIST’s AI Risk Management Framework, an AI system can only be deemed trustworthy if it adheres to multiple criteria. These include being valid, reliable, accountable, transparent, fair with harmful biases managed, secure and resilient, explainable, interpretable, and safe.

Securing ChatGPT From a People Perspective

ChatGPT can be used safely when an organization’s leaders and security teams work together to manage risks. From a people perspective, it is important to understand the ways that generative AI chatbots can be misused and how to defend against them.

Reduced Barriers for Entry for Adversaries

Researchers have found that ChatGPT can be leveraged by threat actors to generate malware commands or even create on-the-fly malware. While this goes strictly against OpenAI’s content policy, there is indication that actors are actively working to bypass the chatbot company’s restrictions by sharing their techniques in dark forums. Should these restrictions fall, the chatbot could be used by lower-level cyber criminals and script kiddies to generate or improve existing malicious code.

AI Phishing Emails

Given the dialogue-based nature of the chatbot, security experts hypothesize that threat actors could use ChatGPT to craft well-written phishing emails. Before, some of the common tell-tale signs of a phishing email included poor grammar, spelling mistakes, and odd or urgent tone of voice. If threat actors begin to leverage ChatGPT to create their social engineering content, they could increase their production of phishing emails and sound more convincing.

As it stands, ChatGPT is targeted just like many other platforms available on the market. Organizations can combat the potential risks that generative AI tools bring from a people-first approach. This means engaging employees in training and awareness programs on how bots like ChatGPT work, how to detect AI-generated content, and buckling down on identity-based cybersecurity measures.

Securing ChatGPT From a Process Perspective

An increasing number of business leaders are beginning to recognize that their employees need direction on how to use ChatGPT safely and how to reduce risk while doing so. To protect data privacy, many organizations are investing time in crafting ChatGPT-specific policies and processes. This may include recommendations and requirements surrounding code checking, brainstorming, content drafting, editing, and research.

These policies and processes may also cover how companies will implement quality control over content where ChatGPT has been involved in its lifecycle. Additionally, they can include any related contractual risks for using third-party generative AI tools to produce or process sensitive data and deliverables, managing inherent bias, and risks regarding privacy, consumer protection, intellectual property, and vendors.

Privacy Risks Associated with ChatGPT

Due to the capability of AI systems to aggregate information, there is a significant possibility that personally identifiable information (PII) could be used by the bot to provide outputs to the end user. End users are not restricted from inputting PII information into the AI bot, which is then used to aggregate information for future purposes.

Confidentiality Risks Associated with ChatGPT

End users might interact with the AI system by inputting confidential information of the organization and trying to gather a better understanding or output. For example, an end user can input the organization’s security policy and ask an AI to word it in simpler terms. The output might be excellent with a greater structure than before, but the AI can collect this information for future responses.

Data Integrity Risks Associated with ChatGPT

There might be cases where the AI system-generated content may give output that differs from the original view or context and can lead to an inaccurate, incomplete, and biased output. Furthermore, relying on the output as the truth can place end users to use incorrect information.

Legal and Regulatory Risks Associated with ChatGPT

Data fed to the AI might contain copyright material, trade secrets, or confidential information, and responses output by the AI do not have the data owners’ consent. End users need to consider whether they have the right to use or publish such material. There are also geographical laws and regulatory requirements that may need to be met when using data from the AI bot.

Reputational Risks Associated with ChatGPT

In the case where staff are using ChatGPT for producing content, it is important to be aware that tools are already available to recognize whether the content was produced using AI. Tools to recognize content generated by ChatGPT are not perfect yet, but utilities like OpenAI AI Text Classifier are improving rapidly and likely to become more widely adopted going forward.

Securing ChatGPT From a Technology Perspective

What makes ChatGPT appealing is the speed and the apparent sophistication of the output when posed with questions and commands. This can lead to an implicit trust of the technology underlying it. When organizations move towards using this technology in their organizations, they need to understand the dependencies in delivering the output as per their expectations, including the following areas.

Homogenization of Data Output

There is a potential that all the output produced by ChatGPT can be similar in terms of structure and writing style and the absence of human emotion in creating content. Mass production and propagation of ChatGPT output can lead to limited perspectives, dissuade users from exploring more angles and research, and discourage creative writing or more innovative problem solving.

Potential Costs

While the costs associated with tools like ChatGPT may seem attractive now as developers seek adoption, this may not remain the case in the future. Building dependencies on nascent 3rd party solutions needs to take into account the possibility that costs may rise unexpectedly in the future. Just recently, OpenAI’s CEO announced that a professional version of the tool will offer higher limits and faster performance for those subscribed.

From a technological point of view, it is critical for organizations to be clear about what AI tools like ChatGPT can and cannot do. ChatGPT holds the ability to analyze vast amounts of data and find patterns to generate responses, but it cannot reason, think critically, or understand what is best for the business. It can, however, be a very powerful addition to human intelligence. The human element in the safe use of ChatGPT remains key to organizations that are starting to leverage AI more in their day-to-day work.

Conclusion

The benefits of ChatGPT are many, and there is no doubt that generative AI tools like it have proven to augment human tasks and make workflows and content production more efficient. As companies try to maximize the advantages of ChatGPT and use it for competitive advantage, it is important to note that the use of generative AI is still in its nascent stage for large-scale adoption.

When integrating ChatGPT into a businesses’ cybersecurity strategy and processes, security leaders should consider the various risks across their people, processes, and technology. By putting the right safeguards in place, generative AI tools can be used to support existing security infrastructures.

SentinelOne continues to protect and support enterprises worldwide as they explore the benefits of innovative and new technologies. Learn more about how Singularity™ helps organizations autonomously prevent, detect, and recover from threats in real time by contacting us or requesting a demo.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response.

MDR, MTH, MSSP | A Guide to Finding the Right Managed Services Option

Organizations always find it challenging to derive the maximum value from their security investment and deployment, and on top of these, different managed services options and new buzzwords in the market add to the problem. Every service provider claims to be doing everything that the organization wants, but it may not solve the problem in hand for the organization.

In this post, we explore the different services on offer and the needs that they aim to meet. We explore a framework that can help organizations understand which services are able to meet their particular requirements.

Facing the Challenge of Protecting the Enterprise

Organizations need a combination of People, Process and Technology to derive value out of their security technology investments. It is quite a common practice to buy the security technology first without understanding the need of managing and operating it, which ends up just becoming a tick in the box exercise and a lot of unrealized potential.

In the recent past, we saw organizations adopt EDR to solve the failure of legacy AV, assuming that it would work in ‘set and forget’ mode. Despite 24/7 monitoring, many organizations using EDR still aren’t engaging in active threat hunting, which leaves a lot of value and potential unrealized.

Managing and operating some security technologies has been made more challenging as a result of the skills shortage in the cybersecurity industry, which can be understood in two aspects:

  • Talent Capacity Shortage: Not having the required number of people in-house or in the team to run operations 24/7 (a numbers problem)
  • Talent Capability Shortage: Unable to find the find suitably skilled professionals to run the operations (a skills problem)

The Need for Managed Services

In such scenarios, organizations typically decide to outsource security to a third party such as Managed Security Service Providers (MSSPs). However, the service is limited to mostly management of the security technology rather than security operations. It’s very important to understand the difference between ‘security tool management’ and ‘security operations’ in the context of a SOC.

Security Tool Management – focuses on maintaining the general hygiene and administration of the security product such as policy enforcement, policy modification, setting role-based access control, changing access requirements, provisioning, and de-provisioning on the tools; in case of on-prem deployment, patching the underlying infrastructure, scaling the storage, upgrade of the application, etc. In some cases, it involves basic monitoring of alerts.

Security Operations – focuses on the use of the tool to fulfill the objective or the meet the goal for which tool was originally deployed; for example, EDR is deployed to protect and detect sophisticated attacks on endpoints and take timely response on detected attacks, so security operations would include monitoring to identify incidents, then contain, investigation and respond to the incident.

Organizations buy and deploy technology not just to manage it but to extract value out of it; hence, security operations should be at the core of investment in a security technology.

When it comes to challenges with security operations and adding the people and process part to the technology, organizations are often confused about what they need, whether they need Managed Detection & Response (MDR), Managed Threat Hunting (MTH), or Managed Security Service Provider (MSSP). Let’s explore these terms for a better understanding of what each provides.

Managed Detection & Response

MDR services perform proactive 24/7 monitoring of threat-facing security technologies and detect, investigate, and respond to attacks.

Managed Threat Hunting

MTH takes a proactive approach that goes beyond the tool alerting to detect attacks using attackers TTPs, IoAs and attacker hypothesis based on the security telemetry being collected by security technologies. This helps you in identifying attacks that are currently active and even compromise assessment.

Managed Security Service Provider

MSSPs mostly focus on the upkeep of the security technologies like firewalls, email gateways, web gateways, EDR, SIEM, and others. They provide basic alert triaging and alert an organization of a possible attack but don’t take action or consolidate various alerts into an incident. MSSP focuses on Security Tool management.

Given these differentiations, it is important to understand the organization’s context and requirements to identify the right kind of service. The following provides a helpful framework.

People and Process are essential for effective security operations and organizations should be using the framework above to understand which option is the best fit for their organization, given the context. Although the framework highlights different services such as MSSP, MDR, and MTH, these services can come from the same or multiple providers.

Type 1 Organizations

These are small and midsize organizations for which cybersecurity decisions are mostly based on compliance requirements. They also generally don’t have dedicated cybersecurity teams, heavily outsource security functions to managed security service providers (MSSP) and only have a security leader (shared capacity) to make cybersecurity decisions.

However, as the data and attack statistics suggests, ransomware threats are more actively targeting midsized organizations as they see them as low hanging fruit. A ransomware attack can result in significant business loss, and even lead to closure of the business. Hence, Type 1 organizations should look beyond just security technology management and actively invest in continuous monitoring for threats and alerts. As it is difficult for Type 1 organizations to build their own team, they should actively look at Managed Detection and Response providers (MDR) to add Security Operations Center Capabilities.

Type 2 Organizations

Type 2 organizations are mainstream and have mid to high maturity in cybersecurity. They are more likely to have a SOC in-house with some functions outsourced to an MSSP. However, the existing SOC may not be 24/7 and more likely to be focusing on compliance requirements and basic alert monitoring.

Because of their limited SOC capabilities, type 2 organizations should look at augmenting SOC capabilities with an MDR service to make the existing SOC 24/7 and add threat detection and response capabilities.

Type 3 Organizations

These are highly mature organizations and run a 24/7 SOC with dedicated analysts for threat detection and response use cases. However, because of the overwhelming nature of the SOC, scaling the SOC operations becomes difficult.

Type 2 organizations can also find it challenging to operationalise and perform continuous threat hunting. Thus, these organizations need help with MDR providers to scale their SOC operations, Managed Threat Hunting for continuous threat hunting across their environment and continuous compromise assessment. These services can provide assistance in SOC to type 3 organizations.

Incident Response Retainers (IRR)

Irrespective of Type 1, 2 and 3 organizations, every organization needs an incident response service on a retainer to help them manage a crisis situation. IRRs are available in Prepaid and Zero Dollar agreements. Though it is advisable to have a Prepaid Retainer agreement in place, organizations with limited budgets should at least have a ‘Zero Dollar’ retainer agreement to save crucial time in the event of a security incident.

It is worth noting that when buying Managed Services (MDT,MTH, etc.) from a technology vendor such as EDR, the services should be used to augment the product offerings and not complete the product offerings.

It is recommended that MSSP and MDR are from two separate service providers to avoid conflict of interest as these services focus on different objectives: MSSP provide security management and monitoring and MDR specialize in threat detection and response.

The IRR agreement can be sourced through a current MSSP/MDR provider as well given that they have expertise and the required credentials in the IR domain.

Security incidents are a matter of when and not if. When a security incident occurs, the organization’s preparedness will help prevent the incident turning into a crisis. Incident Response Retainers have evolved from just being reactive to being proactive and should also be used before an incident to prepare better for a security incident to reduce the time to detect, contain and recover from an attack.

Conclusion

It is no news that threats and their tactics, techniques and procedures are evolving fast and becoming more sophisticated.

Despite rapid advances in AI-assisted security technology, it remains the case that no technology can guarantee to detect 100% of attacks. An effective cybersecurity approach requires a human-machine teaming where the sum becomes greater than the parts.

This additional cybersecurity value will add more business value in terms of less business disruption, less compliance and regulatory fines, higher customer confidence and lower TCO of the cybersecurity investment.

SentinelOne offers robust Managed Detection & Response (MDR), Managed Threat Hunting (MTH), Compromise Assessment and Incident Response Services. To learn more contact us or visit SentinelOne Global Services.

Services & Support | At a Glance
SentinelOne offers a breadth of services to set you up for success at every step, augment your security operations with expert help, and get support when and where you need it.

FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers

Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. Sources tell KrebsOnsecurity the domain seizures coincided with “dozens” of arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data.

Several websites tied to the cybercrime store Genesis Market had their homepages changed today to this seizure notice.

Active since 2018, Genesis Market’s slogan was, “Our store sells bots with logs, cookies, and their real fingerprints.” Customers could search for infected systems with a variety of options, including by Internet address or by specific domain names associated with stolen credentials.

But earlier today, multiple domains associated with Genesis had their homepages replaced with a seizure notice from the FBI, which said the domains were seized pursuant to a warrant issued by the U.S. District Court for the Eastern District of Wisconsin.

The U.S. Attorney’s Office for the Eastern District of Wisconsin did not respond to requests for comment. The FBI declined to comment.

But sources close to the investigation tell KrebsOnSecurity that law enforcement agencies in the United States, Canada and across Europe are currently serving arrest warrants on dozens of individuals thought to support Genesis, either by maintaining the site or selling the service bot logs from infected systems.

The seizure notice includes the seals of law enforcement entities from several countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the United Kingdom.

When Genesis customers purchase a bot, they’re purchasing the ability to have all of the victim’s authentication cookies loaded into their browser, so that online accounts belonging to that victim can be accessed without the need of a password, and in some cases without multi-factor authentication.

“You can buy a bot with a real fingerprint, access to e-mail, social networks, bank accounts, payment systems!,” a cybercrime forum ad for Genesis enthused. “You also get all previous digital life (history) of the bot – most services won’t even ask for login and password and identify you as their returning customer. Purchasing a bot kit with the fingerprint, cookies and accesses, you become the unique user of all his or her services and other web-sites. The other use of our kit of real fingerprints is to cover-up the traces of your real internet activity.”

The Genesis Store had more than 450,000 bots for sale as of Mar. 21, 2023. Image: KrebsOnSecurity.

The pricing for Genesis bots ranged quite a bit, but in general bots with large amounts of passwords and authentication cookies — or those with access to specific financial websites such as PayPal and Coinbase — tended to fetch far higher prices.

New York based cyber intelligence firm Flashpoint says that in addition to containing a large number of resources, the most expensive bots overwhelmingly seem to have access to accounts that are easy to monetize.

“The high incidence of Google and Facebook is expected, as they are such widely used platforms,” Flashpoint noted in an analysis of Genesis Market, observing that all ten of the ten most expensive bots at the time included Coinbase credentials.

Genesis Market has introduced a number of cybercriminal innovations throughout its existence. Probably the best example is Genesis Security, which is a custom Web browser plugin which can load a Genesis bot profile so that the browser mimics virtually every important aspect of the victim’s device, from screen size and refresh rate to the unique user agent string tied to the victim’s web browser.

Flashpoint said the administrators of Genesis Market claim they are a team of specialists with “extensive experience in the field of systems metrics.” They say they developed the Genesis Security software by analyzing the top forty-seven browser fingerprinting and tracking systems, as well as those utilized by 283 different banking and payment systems.

Cybersecurity experts say Genesis and a handful of other bot shops are also popular among cybercriminals who work to identify and purchase bots inside corporate networks, and then turn around and resell that access to ransomware gangs.

Michael Debolt, chief intelligence officer for Intel 471, said so-called “network access brokers” will scour automated bot shops for high value targets, and then resell them for a bigger profit.

“From ‘used’ or ‘processed’ logs — it is actually quite common for the same log to be used by multiple different actors who are all using it for different purposes – for instance, some actors are only interested in crypto wallet or banking credentials so they bypass credentials that network access brokers are interested in,” Debolt said. “These network access brokers buy these ‘used’ logs for very cheap (or sometimes for free) and search for big fish targets from there.”

In June 2021, hackers who broke into and stole a wealth of source code and game data from the computer gaming giant EA told Motherboard they gained access by purchasing a $10 bot from Genesis Market that let them log into a company Slack account.

One feature of Genesis that sets it apart from other bot shops is that customers can retain access to infected systems in real-time, so that if the rightful owner of an infected system creates a new account online, those new credentials will get stolen and displayed in the web-based panel of the Genesis customer who purchased that bot.

“While some infostealers are designed to remove themselves after execution, others create persistent access,” reads a March 2023 report from cybersecurity firm SpyCloud. “That means bad actors have access to the current data for as long as the device remains infected, even if the user changes passwords.

SpyCloud says Genesis even advertises its commitment to keep the stolen data and the compromised systems’ fingerprints up to date.

“According to our research, Genesis Market had more than 430,000 stolen identities for sale as of early last year – and there are many other marketplaces like this one,” the SpyCloud report concludes.

This is a developing story. Any updates will be added with notice and timestamp here.

A Serial Tech Investment Scammer Takes Up Coding?

John Clifton Davies, a 60-year-old con man from the United Kingdom who fled the country in 2015 before being sentenced to 12 years in prison for fraud, has enjoyed a successful life abroad swindling technology startups by pretending to be a billionaire investor. Davies’ newest invention appears to be “CodesToYou,” which purports to be a “full cycle software development company” based in the U.K.

The scam artist John Bernard a.k.a. Alan John Mykailov (left) in a recent Zoom call, and a mugshot of John Clifton Davies from nearly a decade earlier.

Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of startups into giving him tens of millions of dollars.

John Bernard’s real name is John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice. For several years until reinventing himself again quite recently, Bernard pretended to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago.

The Private Office of John Bernard” let it be known to investment brokers that he had tens of millions of dollars to invest in tech startups, and he attracted a stream of new victims by offering extraordinarily generous finder’s fees to brokers who helped him secure new clients. But those brokers would eventually get stiffed because Bernard’s company would never consummate a deal.

John Bernard’s former website, where he pretended to be a billionaire tech investor.

Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called The Inside Knowledge GmbH — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

A variety of clues suggest Davies has recently adopted at least one other identity — Alan John Mykhailov — who is listed as chairman of a British concern called CodesToYou LTD, incorporated in May 2022. The CodesToYou website says the company employs talented coders in several countries, and that its programmers offer “your ultimate balance between speed, cost and quality.”

The team from CodesToYou.

In response to questions from KrebsOnSecurity, CodesToYou’s marketing manager — who gave their name only as “Zhena” — said the company was not affiliated with any John Bernard or John Clifton Davies, and maintained that CodesToYou is a legitimate enterprise.

But publicly available information about this company and its leadership suggests otherwise. Official incorporation documents from the U.K.’s Companies House represent that CodesToYou is headed by an Alan John Mykhailov, a British citizen born in March 1958.

Companies House says Mykhailov is an officer in three other companies, including one called Blackstone Corporate Alliance Ltd. According to the Swiss business tracking service business-monitor.ch, Blackstone Corporate Alliance Ltd. is currently the entity holding a decision-making role in John Bernard’s fake due diligence company — The Inside Knowledge GmbH — which is now in liquidation.

A screen shot of the stock photos and corporate-speak on John Bernard’s old website. Image: Archive.org

Also listed as a partner in Blackstone Corporate Alliance Limited is Igor Hubskyi (a.k.a. Igor Gubskyi), a Ukrainian man who was previously president of The Inside Knowledge GmbH.

The CodesToYou website says the company’s marketing team lead is Maria Yakovleva, and the photo of this employee matches the profile for the LinkedIn account name “Maria Y.” That same LinkedIn profile and photo previously listed Maria by a different first and last name — Mariya Kulikova; back then, Ms. Kulikova’s LinkedIn profile said she was an executive assistant in The Private Office of Mr. John Bernard.

Companies House lists Alan John Mykhailov as a current officer in two other companies, including Frisor Limited, and Ardelis Solutions Limited. A cached copy of the now-defunct Ardelis Solutions website says it was a private equity firm.

CodesToYou’s Maria also included Ardelis Solutions in the work history section of her LinkedIn resume. That is, until being contacted by this author on LinkedIn, after which Maria’s profile picture and any mention of Ardelis Solutions were deleted.

Listed as head of business development at CodesToYou is David Bruno, a Canadian man whose LinkedIn profile says he is founder of an organization called “World Privacy Resource.” As KrebsOnSecurity reported in 2020, Bruno was at the time promoting himself as the co-CEO of a company called SafeSwiss Secure Communication AG, and the founder of another tech startup called Secure Swiss Data.

Secure Swiss Data’s domain — secureswissdata.com — is a Swiss concern that sells encrypted email and data services. According to DomainTools.com, that website name was registered in 2015 by The Inside Knowledge GmbH. In February 2020, a press release announced that Secure Swiss Data was purchased in an “undisclosed multimillion buyout” by SafeSwiss Secure Communication AG.

A cached copy of the Ardelis Solutions website, which said it was a private equity firm and included similar stock images as John Bernard’s investment website.

When reached in 2020 and asked about his relationship to Mr. Bernard, Mr. Bruno said the two were business partners and that he couldn’t imagine that Mr. Bernard would be involved in anything improper. To this day Mr. Bruno is the only person I’ve spoken to who has had anything positive to say about Mr. Bernard.

Mr. Bruno did not respond to requests for comment this time around, but his LinkedIn profile no longer makes any mention of Secure Swiss Data or SafeSwiss — both companies he claimed to run for many years. Nor does it mention CodesToYou. However, Mr. Bruno’s former company SafeSwiss is listed as one of the six “portfolio” companies whose services are promoted on the CodesToYou website.

In mid-2021, Bruno announced he was running for public office in Ontario.

“The Kenora resident is no stranger to the government as he contributed to Canada’s new Digital Charter, Bill C-11, which is a new Cyber Security policy,” reported Drydennow.com, a news website that covers Northwestern Ontario. Drydennow says the next federal election is expected to be held on or before Oct. 16, 2023.

John Clifton Davies was convicted in 2015 of swindling businesses throughout the U.K. that were struggling financially and seeking to restructure their debt. For roughly six years, Davies ran a series of firms that pretended to offer insolvency services, but instead simply siphoned what little remaining money these companies had.

The very first entity mentioned in the technology portfolio advertised on the CodesToYou website is called “MySolve,” and it purports to offer a “multi-feature platform for insolvency practitioners.”

Mr. Davies’ fourth wife, Iryna Davies, is listed as a director of one of the insolvency consulting businesses in the U.K. that was part of John Davies’ 2015 fraud conviction. Prior to his trial for fraud, Davies served 16 months in jail before being cleared of murdering his third wife on their honeymoon in India: Colette Davies, 39, died after falling 80 feet from a viewing point at a steep gorge in the Himachal Pradesh region of India.

Mr. Davies was charged with murder and fraud after he attempted to collect GBP 132,000 in her life insurance payout, but British prosecutors ultimately conceded they did not have enough evidence to convict him.

The scams favored by Davies and his alter egos are smart because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. And all the best cons begin as an idea or possibility planted in the target’s mind.

It’s also a reliable scam because companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. On top of that, many victims will likely be too ashamed to admit their duping. Victims who do press their case in court and win then face the daunting challenge of collecting damages from a slew of ephemeral shell corporations.

The latest Bernard victim to speak publicly — a Norwegian company hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad. As part of that scam, Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

If you liked this story, check out my previous reporting on John Bernard/Davies:

Due Diligence That Money Can’t Buy

Who is Tech Investor John Bernard?

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30 Million

Investment Scammer John Davies Reinvents Himself?

Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams

A Spectrum of Possibility | SentinelOne Celebrates World Autism Month

April is World Autism Month, dedicated to increasing understanding and acceptance of people on the spectrum. According to a new study published by Autism Research, 1 in 100 children globally are diagnosed with Autism Spectrum Disorder (ASD) and that number increases to 1 in 36 in the United States.

As we work to create a more inclusive world and workplace, customizing things like the interview process, working norms, retention strategies, and social expectations, allows us to increase the awareness and acceptance of neurodiverse individuals and uncover an amazing untapped resource of diverse talent.

SentinelOne is proud to foster a workplace culture where all people can fulfill their potential. Our advantage comes from designing with the intent to protect everyone, everywhere, and knowing that inclusion transforms the customer experience.

In this blog post, meet three Sentinels who are eager to share their personal experiences with ASD, hoping to welcome more neurodiverse candidates to join us in our mission to Secure Tomorrow™ as we determine the future of cybersecurity – together.

Meet Aubrey Robertson, People Operations Specialist

Aubrey Robertson, People Operations Specialist, has been with SentinelOne for 18 months and is based in Eugene, Oregon. As a People Operations Specialist, she handles information updates in Workday and assists in onboarding and offboarding employees, consultants, contractors, and interns.

“Being diagnosed with Autism well into my adulthood opened a door to a myriad of resources, leading me to understand my feelings and challenges more deeply,” said Aubrey. “On days where I feel overwhelmed, I analyze what triggered me to avoid that in the future.”

Aubrey believes stereotypes in the media are not accurate and create an unrealistic expectation that people with Autism all have obvious social deficits that coexist with a redeeming academic or savant quality.

“Autism in real life often doesn’t look the way it’s portrayed in popular culture,” said Aubrey. “This trope creates a real-life expectation that all autistic people are geniuses in a particular subject and socially awkward in a way that’s endearing. The expectation for an autistic person to possess these qualities can be damaging.”

Aubrey believes that the unconscious bias towards neurotypical behavior creates an implied social expectation for people with ASD to mask symptoms, causing exhaustion, burn out, and anxiety. She feels fortunate to have the self awareness and coping skills to thrive in our inclusive environment at SentinelOne.

To support someone with ASD in the workplace, Aubrey suggests trying to engage them in different ways. Instead of sitting across from one another during conversation, try sitting side by side on a sofa or a bench where it’s socially acceptable not to maintain eye contact, which does not come naturally to people on the spectrum.

“For me, worrying about what to do with my hands or my facial expressions makes me so self-conscious that I lose track of the conversation entirely,” said Aubrey. “If I have something to hold and eat, a fidget toy, or a passive card game to play while chatting, that helps keep my mind off my social quirks and allows me to be present as my authentic self.

Aubrey describes ASD as different for everyone. Things like gender, age, level of intervention, and basic personality traits make no two people alike. If you have a direct report or teammate who is open with their diagnosis, Aubrey suggests asking them what accommodations they would find helpful to be more successful and comfortable at work.

“I find large group meetings very intimidating if I don’t know what to expect,” said Aubrey. “If meetings could be prefaced with a detailed agenda at least a day in advance, that would be a dream come true.”

Aubrey also suggests inclusive strategies like using Mentimeter for group feedback, offering frequent breaks during longer group meetings, and replacing ice breakers with something less intimidating for introverted teammates.

“I can recognize when I need a break and have techniques to charge my social battery,” said Aubrey. “When I’m in a highly social situation, I’m using 80% of my energy to blend in socially and can’t efficiently access the problem-solving or creativity centers in my brain. Offering safer and more inclusive ways to share discussion feedback will ensure you’re getting everyone’s best thoughts.”

Aubrey encourages those living with ASD to be open with teammates, family, and friends about needs and share helpful strategies for success.

“Chances are, people will understand and want to accommodate your needs,” said Aubrey. “Your needs deserve equal respect. You can and should expect a reasonable amount of comfort, even when it must be achieved through extra effort.”

Meet Christof Jacques, Senior Solutions Engineer

Christof Jacques, Senior Solutions Engineer, supports sales teams in Belgium and Luxembourg by creating meaningful experiences and solutions for our customers. Christof was diagnosed with ASD at 38 years old.

“I learned from my diagnosis that it’s ok to respect my limits,” said Christof. “This mindset makes it easier for me to excel in other areas and use my energy more efficiently. I think that’s valuable advice for everyone.”

After being diagnosed with Asperger’s Syndrome, Christof learned all that he could. Reading books helped him understand himself and confirmed why some day-to-day tasks were so challenging. Social gatherings are also challenging for Christof to navigate. He said it’s not easy to explain why he won’t attend a social event, but he’s learned that it is ok to say no.

“For me, there are a lot of things that are complicated that shouldn’t be,” said Christof. “I think it’s important for employers to understand that social events can be challenging. Participating should not be a factor for promotions or recognition.”

Christof has been open and active in leading conversations about ASD at SentinelOne in the two years since he joined. When his manager learned of his diagnosis, he approached Christof to ask how he could be more accommodating.

“The question itself shows that you care,” said Christof. “It was cool that it was asked. It’s important to underline that every person is different. So, what is important to me might not be to someone else. If you work with someone with Autism, ask them what can help them.”

When asked to share insight about creating an inclusive workplace, Christof said remote work options are helpful for those who find frequent interruptions challenging. He also said clear communication with added context is also helpful.

“Be patient,” said Christof. “There may be a need to explain and re-explain. Allow teammates the opportunity to think through a problem and come back with a response. Depending on their energy level, they may need time to process.”

Meet Erin Kelly, Head of Internal Communications & Talent Brand

Erin Kelly, Head of Internal Communications & Talent Brand, has been with SentinelOne for just over a year. With 25 years of communication experience and 17 years of experience with Autism, Erin credits her ability to break down complex topics in compelling, clear, and concise ways to raising a child with communication challenges.

“When I create content, I imagine the audience to have no experience with the subject matter,” said Erin. “I strive to tell stories and deliver explanations in the right order with an appropriate level of detail – too much of anything can be overwhelming.”

Erin suspected something was different about her son’s development when he stopped using the 20 words he had racked up at two years old, and his irritability increased to an almost constant level.

“My toddler stopped talking and was super cranky,” said Erin. “About four weeks into his tantrum spell, Jack started banging his head on hard floors. I took him to Children’s Hospital of Philadelphia and waited a few weeks for doctors to tell me what I already knew. Jack had Autism.”

Erin describes the years that followed as an uphill race against time. The team of therapists sent by the state of New Jersey described Jack’s first five years as the most critical and coached her to dedicate time and resources into maximizing his potential.

Jack had 30+ hours of intervention for the better part of his childhood. He started talking again at five years old and hasn’t stopped since. Jack was mainstreamed in middle school and graduated from high school last year.

“Finding a place where Jack can feel included academically, socially, and recreationally is a challenge without end,” said Erin. “He is 19 and still struggles to find his place. While he continues to strengthen coping strategies, I would love the world to meet him halfway with greater understanding and acceptance.”

Erin believes that kindness, active listening, open communication, and structured settings can go a long way in making the workplace more inclusive for people of all abilities. Strong people practices create a better culture for all – not just those living with ASD.

“Jack has a photographic memory, an incredible attention to detail, and a great work ethic,” said Erin. “These are all awesome qualities in the workplace. That said, eye contact, social situations, and group conversations can be problematic. Making it ok to be socially different – and even distant – would be a great start.”

Having a People Business Partner who feels comfortable helping teammates navigate the world of accommodations is also critical for success. Remote work has opened a world of possibilities for those who may be perceived as introverted and excel in a smaller controlled environment.

“Investing in talented people and giving them the space and confidence to be their authentic self at work is a best practice for everyone, not just people on the spectrum,” said Erin. “People of all abilities want to make an impact and feel included at work. Fostering inclusion is good for our people and for our business.”

How Businesses Can Expand Their Spectrum of Possibility

Fostering a truly inclusive workplace means examining how we can embed awareness and acceptance of neurodiverse individuals. The key in building this space focuses on open communication, asking for suggestions and strategies, and mutual respect.

Broadening your talent base means setting up all people in a company for success where they can reach their full potential and grow with the business. SentinelOne is dedicated to the continuous growth of its inclusive workplace culture and is proud to provide a space where all Sentinels will always feel welcomed.