Russian Hacker “Wazawaka” Indicted for Ransomware

A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavlovich Matveev, a.k.a. “Wazawaka” and “Boriselcin,” worked with three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies.

An FBI wanted poster for Matveev.

Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.

The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.

Meanwhile, the U.S. Department of Treasury has added Matveev to its list of persons with whom it is illegal to transact financially. Also, the U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev, although he is unlikely to face either as long as he continues to reside in Russia.

In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”

In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).

A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”

Prosecutors allege Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

Previous reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware forum. RAMP stands for “Ransom Anon Market Place,” and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’”

As noted in last year’s investigations into Matveev, all of his alleged cybercriminal handles were driven by a uniquely communitarian view: when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder, not privately sold to the highest bidder.

In thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting download links to databases from companies that have refused to negotiate after five days.

Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.

Further reading:

Who is the Network Access Broker “Wazawaka?”

Wazawaka Goes Waka Waka

The New Jersey indictment against Matveev (PDF)

The indictment from the U.S. attorney’s office in Washington, D.C. (PDF)

Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors

The red-teaming and attack simulation tool Cobalt Strike has a long and widely observed history of abuse by threat actors targeting Windows platforms, but it has only occasionally been seen used against macOS devices. That, however, appears to be changing with the development of a Go implementation of Cobalt Strike called ‘Geacon’.

We have observed a number of Geacon payloads appearing on VirusTotal in recent months. While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks. In this post, we highlight two recent Geacon samples and describe their delivery mechanisms and main characteristics. A list of IoCs is provided to help threat hunters and security teams identify Geacon payloads.

What is Geacon?

Geacon is a project that first appeared four years ago on GitHub as a Go implementation of Cobalt Strike Beacon. Despite being widely forked, it was not something that SentinelOne had observed being deployed against macOS targets until recently.

Analysis of the payloads we have observed on VirusTotal suggests that what appears to have changed is the popularity of two Geacon forks developed by an anonymous Chinese developer using the handle “z3ratu1”. In a blog post in late October 2022, z3ratu1 states that “one day I just went shopping and saw this project geacon, so this toy project and its development guide appeared”. The first Mach-O Geacon payload was submitted to VirusTotal not long after, on November 10 last year.

By April this year, the public geacon_plus and the private (possibly for-sale) geacon_pro projects developed by z3ratu1 had “earned close to 1k stars” and were added to the 404 Starlink project, a public repo of open source red-team and penetration tools maintained by the Zhizhi Chuangyu Laboratory. The same month also saw two different Geacon payloads submitted to VirusTotal that drew our attention, with one in particular bearing hallmarks of a genuine malicious campaign.

Xu Yiqing’s Resume_20230320.app

Xu Yiqing’s Resume_20230320.app was submitted to VirusTotal on 5th April. This AppleScript applet uses a compiled, run-only AppleScript to call out to a remote C2 and download a Geacon payload.

Geacon AppleScript applet

The application is ad-hoc codesigned and compiled for both Apple silicon and Intel architectures. Analysis of the run-only script shows that it contains logic to determine the current architecture and download a Geacon payload specifically built for the target device.

Geacon dropper C2 strings

The unsigned Geacon payload is retrieved from an IP address in China. Before it begins its beaconing activity, the user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a resume for an individual named “Xu Yiqing”.

Geacon Decoy PDF

Below we present details of the x86 Intel payload, named simply amd (bef71ef5a454ce8b4f0cf9edab45293040fc3377).

The embedded PDF is called from the main.makewordfile function.

The compiled Geacon binary has a multitude of functions for tasks such as network communications, encryption, decryption, downloading further payloads and exfiltrating data.

Main functions of a Geacon payload

The C2 in both the first and second stage is a Chinese IP address at 47.92.123.17, which is associated with other malicious samples targeting Windows machines.

Files communicating with IP 47.92.123.17 (source: VirusTotal)

Strings left in the binary indicate that this sample was compiled from the free geacon_plus source code.

User strings in Geacon binary

SecureLink.app and SecureLink_Client

A second Geacon payload also appeared on VirusTotal on April 11th. In this instance, the payload, fa9b04bdc97ffe55ae84e5c47e525c295fca1241, is embedded in a trojan masquerading as SecureLink, an enterprise-level application for secure remote support.

The trojan is a barebones, unsigned application built from an Automator workflow rather than a Script Editor applet and bearing the bundle identifier com.apple.automator.makabaka. The binary only targets Intel devices.

SecureLink trojan

The Info.plist reveals that the application was built on a macOS Ventura 13.1 device and targets macOS versions from OS X 10.9 Mavericks onwards. It also requires that the user grant access to the device’s camera, microphone and administrator privileges, as well as to data such as contacts, photos and reminders that would otherwise be protected by TCC.

Geacon app Info plist

The application’s main executable is a Geacon payload built from the private geacon_pro project.

The user’s path to Geacon_Pro source remains embedded in the binary

In this sample, the C2 is a Japanese IP address at 13.230.229.15, widely recognized as a Cobalt Strike server on VirusTotal.

We have no indication that this sample is operationally connected to the Xu Yiqing resume.app, but this is not the first time we have seen a trojan masquerading as SecureLink with an embedded open-source attack framework: a Sliver implant was being distributed as a fake SecureLink app in September of 2022, a reminder to all that enterprise Macs are now being widely targeted by a variety of threat actors.

How to Stay Safe From Geacon Payloads

The SentinelOne platform identifies Geacon payloads as malicious and kills them on-write (in Protect mode) or on-execution (in Detect mode).

SentinelOne detecting Geacon payloads

For security teams in organizations not protected by SentinelOne, a list of indicators is provided at the end of this post to aid detection and threat hunting.

Conclusion

Enterprise security teams can make good use of attack simulation tools like Cobalt Strike and its macOS Go adaptation, Geacon. It is quite likely that some of the activity we are observing around this tool is legitimate red team use, but it is also likely that genuine threat actors will make use of the public and possibly even the private forks of Geacon now available to them. The uptick in Geacon samples over the last few months suggests that security teams should be paying attention to this tool and ensuring that they have protections in place.

Indicators of Compromise

Geacon SHA1s
6831d9d76ca6d94c6f1d426c1f4de66230f46c4a
752ac32f305822b7e8e67b74563b3f3b09936f89
bef71ef5a454ce8b4f0cf9edab45293040fc3377
c5c1598882b661ab3c2c8dc5d254fa869dadfd2a
e7ff9e82e207a95d16916f99902008c7e13c049d
fa9b04bdc97ffe55ae84e5c47e525c295fca1241

Observed Geacon C2s
47.92.123.17
13.230.229.15

BundleIdentifiers
com.apple.ScriptEditor.id.1223
com.apple.automator.makabaka

Suspicious File Paths
~/runoob.log
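The SecureLink trojan's Info.plist (bundle identifier, minimum OS version and the camera, microphone, contacts, photos and reminders usage keys described above) and the IoC list together give a hunter enough to triage a suspect .app bundle offline. The script below is an added example, not SentinelOne's code: it loads the hash, bundle identifier and file path values from this post's IoC list, inspects a bundle's Info.plist and hashes the executables in Contents/MacOS, and flags a Script Editor or Automator applet that declares several TCC usage strings. The SecureLink.app it writes into a temporary directory is a constructed stand-in with an empty placeholder executable, so nothing here is a real payload and the SHA1 check is expected not to fire on it.

```python
"""Hunt for the Geacon indicators from this post inside macOS .app bundles.

Added example, not SentinelOne's code. IoC values are taken from the post;
build_sample_bundle() writes a constructed stand-in for the SecureLink
trojan's Info.plist with an empty placeholder executable (no real payload).
"""
import hashlib
import os
import plistlib
import tempfile

GEACON_SHA1S = {
    "6831d9d76ca6d94c6f1d426c1f4de66230f46c4a",
    "752ac32f305822b7e8e67b74563b3f3b09936f89",
    "bef71ef5a454ce8b4f0cf9edab45293040fc3377",
    "c5c1598882b661ab3c2c8dc5d254fa869dadfd2a",
    "e7ff9e82e207a95d16916f99902008c7e13c049d",
    "fa9b04bdc97ffe55ae84e5c47e525c295fca1241",
}
GEACON_BUNDLE_IDS = {"com.apple.ScriptEditor.id.1223", "com.apple.automator.makabaka"}
SUSPICIOUS_HOME_FILES = ["runoob.log"]  # the post's ~/runoob.log

# Info.plist keys an app must declare to request TCC-protected resources; the
# SecureLink trojan declares camera, microphone, contacts, photos and reminders.
TCC_USAGE_KEYS = {
    "NSCameraUsageDescription",
    "NSMicrophoneUsageDescription",
    "NSContactsUsageDescription",
    "NSPhotoLibraryUsageDescription",
    "NSRemindersUsageDescription",
}
# Default bundle-identifier prefixes of Script Editor and Automator applets.
APPLET_PREFIXES = ("com.apple.ScriptEditor.id.", "com.apple.automator.")


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large Mach-O binaries are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_bundle(app_path):
    """Return a list of finding strings for one .app bundle (empty if clean)."""
    findings = []
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    if not os.path.isfile(plist_path):
        return ["no Info.plist"]
    with open(plist_path, "rb") as f:
        info = plistlib.load(f)
    bundle_id = info.get("CFBundleIdentifier", "")
    if bundle_id in GEACON_BUNDLE_IDS:
        findings.append(f"known Geacon bundle identifier {bundle_id}")
    # A bare applet that declares several TCC usage strings is unusual for a
    # legitimate Script Editor/Automator export and worth a look on its own.
    requested = sorted(TCC_USAGE_KEYS & set(info))
    if bundle_id.startswith(APPLET_PREFIXES) and len(requested) >= 3:
        findings.append(f"applet declares {len(requested)} TCC usage keys: {', '.join(requested)}")
    macos_dir = os.path.join(app_path, "Contents", "MacOS")
    if os.path.isdir(macos_dir):
        for name in sorted(os.listdir(macos_dir)):
            exe = os.path.join(macos_dir, name)
            if os.path.isfile(exe) and sha1_of(exe) in GEACON_SHA1S:
                findings.append(f"known Geacon SHA1 for {name}")
    return findings


def check_home(home):
    """Return the IoC file paths that exist under the given home directory."""
    return [f"~/{n}" for n in SUSPICIOUS_HOME_FILES if os.path.exists(os.path.join(home, n))]


def build_sample_bundle(root):
    """Constructed bundle mimicking the SecureLink trojan's Info.plist; the
    main executable is an empty placeholder, not a Geacon payload."""
    app = os.path.join(root, "SecureLink.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    info = {"CFBundleIdentifier": "com.apple.automator.makabaka",
            "CFBundleExecutable": "SecureLink_Client",
            "LSMinimumSystemVersion": "10.9"}
    info.update({k: "required" for k in TCC_USAGE_KEYS})
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump(info, f)
    open(os.path.join(app, "Contents", "MacOS", "SecureLink_Client"), "wb").close()
    return app


def run_demo():
    """Build the constructed bundle in a temp dir and return all check results."""
    with tempfile.TemporaryDirectory() as root:
        app = build_sample_bundle(root)
        result = {"bundle": inspect_bundle(app), "home_before": check_home(root)}
        open(os.path.join(root, "runoob.log"), "wb").close()  # simulate the IoC appearing
        result["home_after"] = check_home(root)
        result["placeholder_sha1"] = sha1_of(os.path.join(app, "Contents", "MacOS", "SecureLink_Client"))
        return result


if __name__ == "__main__":
    for scope, value in run_demo().items():
        print(scope, value)
```

On a real host, point inspect_bundle() at each bundle under /Applications and ~/Downloads and check_home() at each user's home. The TCC heuristic is deliberately narrow (applet prefixes only) so that ordinary signed applications declaring camera or microphone access do not trip it.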

Celebrating Mothers of SentinelOne

As I prepare to celebrate my third Mother’s Day with two kids under three, I wonder how the time moves so fast. It seems like only yesterday I was waiting for my daughter Luna to arrive. Two years later, Lukasz made us a party of four. As I work to balance it all – kids, work, home, family and friends – I have realized it’s more of a blend. Priorities shift and change in the moment, and somehow, it all works. For me, it’s the flexibility at work that makes it so.

I joined SentinelOne when I was seven-months pregnant with Luna, embarking on two new and challenging journeys simultaneously. I am grateful that I became a mom in a post-pandemic world, working remotely for a company that honors family first. All of this starts with gender-neutral parental leave.

Any Sentinel who welcomes a new child into the family regardless of gender or birthing status receives 16 weeks of fully paid parental leave and 2 weeks of part-time pay to ease the transition back to work. Being able to unplug and fully embrace the joy and shock of caring for a tiny human without the worry of pausing my career progression was a true gift; one that all parents deserve. Those first few months are precious, marked by constant fear and intense joy, and should be embraced fully without having to balance the blend of home and work life.

According to the State of Motherhood Report 2023, not all U.S. moms have the support at home and work to make it all work. 49% of the 10,000 women surveyed reported feeling burned out by motherhood and 58% identified being primarily responsible for managing both household and children. As many work to fill the literal plates of their family, their figurative plates are spilling over.

Making the workplace inclusive for working Moms is not just the right thing to do, it’s good for the business. Mothers have a skill set that transfers well into the workplace, particularly in leadership. We are extremely efficient, great at multitasking, strong negotiators, and effective communicators. We weren’t all born with an abundance of patience and empathy, but being a mother provides the best on-the-job training in those areas too!

My motherhood journey has been enriched by my time and team at SentinelOne; a company that puts people first. It’s no longer enough to have a generous leave policy. Leaders must ensure that there are practices in place to ensure women have a seat at the table AND a place in the pick up line. Working the needs of a family and the demands of our business into each day is not only accepted at SentinelOne – it’s admired.

In celebration of Mother’s Day, I spoke to fellow Sentinel Moms from around the globe to learn about their families and how they blend the demands of work and home.

Melissa and Luna

Meet Alamelu Seshadri, Senior Analyst, Internal Audit

Alamelu joined SentinelOne two years ago, and she welcomed her son Dehaleesh one year later. Since becoming a mother, she feels her time management and prioritization skills have greatly improved.

“I bring skills such as empathy, multi-tasking, and resilience to my professional role,” said Alamelu. “This allows me to navigate the challenges of balancing work and family responsibilities gracefully and efficiently.”

Working remotely out of her home in Chennai, India, Alamelu feels very supported by her peers from Internal Audit.

“My entire team is so understanding and supportive of my dual roles of professional and parent,” said Alamelu. “This is instrumental in helping me manage my responsibilities effectively.”

When asked how she has changed since becoming a mother, Alamelu said she’s more focused, adaptable, and compassionate. Her advice to new working moms is simple: Do not hesitate to ask for help.

“Enjoy each day as it passes,” said Alamelu. “These little munchkins grow faster by the day!”

Alamelu and Dehaleesh

Meet Drea London Petter, AVP of Vigilance, DFIR

Based out of Orlando, Florida, the world’s best playgrounds are in Drea’s backyard! You won’t hear her daughter Jordi (5) complain about a slow business day.

“I block calendar slots to pick up Jordi from school, and I hold myself accountable for one evening activity each day,” said Drea. “On a slow day, we might visit the mouse. On busy days we walk to the playground or take a trip to the library.”

Drea has been with SentinelOne for two years and said being a working mother has changed the way she approaches her career.

“I have become an ‘integrator’ of work and life,” said Drea. “After bedtime, I often pick up where I left off with work. My calendar fits together like a puzzle. It may look complicated, but it works for me.”

Drea specializes in crisis management and has never had a traditional 9-5 work schedule. Much like the team in Internal Audit, Drea’s team is also supportive of her role as a parent. She describes the culture of her group as family-centric.

“We understand the demands on both sides and cover for each other when someone has bath time or bedtime during a client call,” said Drea. “We share and treasure moments of our children with each other through many pictures and videos.”

Drea’s advice to working moms is not to be too hard on yourself and she encourages all people to lead with compassion in the workplace.

“Folks have a life. They have moments, they have pains, they have baggage,” said Drea. “Being a parent requires grace. You need to give grace, and sometimes you need to ask for it. Perfection is impossible.”

Drea and Jordi

Meet Elena Doron, Director of Security Research

Elena has three children, Yair (8), Lia (6), and Ayala (1), and makes her home in Israel. She joined SentinelOne five months ago and is no stranger to the work-life blend. As Elena’s family grew and changed, so did her career.

“After each child, I was happy to make career choices and adjustments,” said Elena. “We change as our families grow, and our work needs to reflect that one way or another.”

“One of the hardest things for a working mom is time management,” said Elena. “Since becoming a mom, I am better at managing my time and much more effective during the time I have to work.”

Elena appreciates the flexibility of working from home, helping her with balance during her longer working days. Her advice to working moms is to ditch the guilt and to consider the upside.

“I always think about not being able to take them to their favorite places after school or not inviting friends over because it’s a long day at work,” said Elena. “The bright side is, I am able to show them hard work, relentlessness, and ambition. I am happier because I follow my dreams and I want that for my kids too.”

Elena, Yair, Lia, and Ayala

Anastasija Frizenova, Manager, Technical Recruitment

Three years ago, Anastasija became a mom to her daughter Freya. Two years ago, she joined SentinelOne to manage a team of four recruiters in the Czech Republic focused on finding the next generation of Sentinels.

“It took me a while to accept the fact that the concept of a ‘supermom’ is really a fictionalized character,” said Anastasija. “I have never met a working mother who has everything put together. It’s impossible to be perfect on all levels.”

Being a working mother changed her approach to everything in life, and Freya is an inspiration for Anastasija to find her best self at work.

“My daughter is my compass – her existence navigates me towards more meaningful work and bigger challenges,” said Anastasija. “She inspires me to be a better version of myself every day, and I want her to be proud of me.”

In addition to being a great inspiration, Freya helped Anastasija develop skills she can leverage in the workplace.

“I have really changed,” said Anastasija. “Today I am more likely to get an endorsement on Linkedin for organizational and multitasking skills. But there is a lot I can work on, and I’m glad that my need for perfection has dulled a bit.”

Anastasija believes the skills that come with parenthood can be very valuable in the workplace.

“I’m amazed at how much patience and empathy parents can develop from raising a kid,” said Anastasija. “I have a huge respect for my teammates and candidates that are on a similar parental journey.”

Anastasija and Freya

Happy Mother’s Day From SentinelOne!

Having a truly inclusive workplace means fostering a culture where working mothers can make a significant impact on the business while achieving a work-life blend. I am grateful for the support of SentinelOne, my manager, and my colleagues. The flexibility and support I receive at work enables me to provide Luna and Lukasz a beautiful childhood while remaining true to my goal of enjoying a challenging and rewarding career.

To learn more about our award-winning culture and job opportunities, visit our careers page.

The Good, the Bad and the Ugly in Cybersecurity – Week 19

Data Protection | Google Takes on Apple in Privacy Wars

When tech companies are battling it out to be better than their competitors at securing our private data on mobile and computing devices, then everyone’s a winner. Hence, great news this week as Google announced a raft of new data privacy features across a number of its products in an attempt to rival Apple’s perceived lead in that particular slice of the market.

Google will be hoping that its implementation of better transparency, consent and control (TCC) around what user data applications have access to on Android devices fares better than Apple’s troubled TCC implementation on iOS and macOS. The headline feature will allow Android users to control location sharing and to prevent apps sharing information with 3rd parties for advertising purposes.

Beyond mobile, all Gmail users can now look forward to a previously subscription-only feature called Dark Web Scan Report, which provides alerts if sensitive PII (personally identifiable information) is found circulating on the darknet. Such information is routinely traded on underground forums and markets and is a prime enabler of phishing attacks on individuals and enterprises.

With deepfakes from AI-powered engines like Midjourney and others now widely available, Google is also introducing a new tool called “About This Image” to help users evaluate the provenance of visual media returned in Google search results.

Source: Google

Android privacy protections are included in Android 14, while Dark Web Scan Report and About This Image will be rolled out in the coming weeks and months, Google said at its annual developer conference.

Virtual Ransomware | VMware’s ESXi Targeted By Slew of New Lockers

Multiple different ransomware gangs have been taking advantage of leaked Babuk (aka Babyk, Babak) source code to build file lockers for VMware’s ESXi hypervisors, researchers revealed this week.

A new report from SentinelLabs said that at least 10 different ransomware groups had been building payloads for ESXi systems based on the 2021 leak of Babuk source code. Hypervisors provide an attractive target to threat actors due to their prevalence in on-prem and hybrid enterprise networks.

Babuk source code was leaked in 2021 by one of the group’s developers, who published the builder source code for Babuk’s C++-based Linux Executable & Linkable Format (ELF) ESXi, Golang-based Network Attached Storage (NAS), and C++-based Windows ransomware tooling.

According to the report, there are strong overlaps between the leaked source code and lockers attributed to the former Conti and REvil gangs. However, other threat actor groups appeared largely uninterested in the availability of source code targeting Linux systems until this year.

find_files_recursive in Baseline Babuk (left) and SearchFiles in Conti POC
Code overlaps seen in samples of Babuk (left) and Conti (right)

Throughout 2023, however, lockers targeting ESXi have been increasing. The researchers noted that Mario, Play and XVGV ransomware samples were all derived from the same Babuk source code, adding to others previously known including Dataf, BabLock and RTM Locker. Babuk-derived payloads aren’t the only ransomware targeting the VMware format either: ALPHV, Black Basta, Hive and LockBit all appear to be unique ESXi lockers.

The SentinelLabs research also found no similarity between Babuk code and that used in the February 2023 ESXiArgs campaign, which some reporting had incorrectly claimed was derived from the leaked ransomware builder.

The research suggests that the leaked Babuk code is particularly attractive to less well-resourced or skilled cybercriminals, who tend to only make minor modifications to the original code, making it easier for analysts to attribute the source. With so many diverse cybercriminal groups now showing an interest in targeting VMware’s ESXi platform, users should be on alert and ensure that they are deploying effective security measures to protect these assets.

SchoolDude Breach | User Data Goes Absent Without Leave

Educational enterprise asset management outfit SchoolDude reported a data breach this week in which an unauthorized user obtained access to account owner names, email addresses, passwords and phone numbers.

SchoolDude claims to have more than 6,000 public and private schools, colleges and universities as its customers. The cloud-based SaaS platform offers streamlining of educational operations including management of maintenance, energy, technology and more, allowing educational staff to submit orders for IT, field trips and inventory. The SchoolDude community boasts a membership of over 1 million educational professionals.

SchoolDude owners Brightly advised this week that a security incident had occurred which affected current and former SchoolDude users. As the data breach involved the theft of passwords, the company took the proactive step of resetting all user passwords, meaning all users will now have to choose “Forgot Login Name or Password” when trying to access the online portal and follow the procedures sent by email for resetting the password.

In addition, users are advised that if they reused the same password as used on SchoolDude.com on other sites, that those should be changed too, as threat actors will rapidly use stolen usernames and passwords in credential stuffing attacks.

Brightly says that it has engaged incident response services to investigate and remediate the breach and has notified appropriate law enforcement agencies. Users are advised to be on heightened alert for phishing attacks and scams.

Securing the Supply Chain | Managing the Risk of Open Source Software

Popular for being cost-effective and ready-made, open source software (OSS) has earned a spot in enterprise tech stacks, from SMBs to the largest of corporations.

As more businesses increase their reliance on open source software and threat actors show increased focus on supply chain attacks, security leaders are making the effort to better understand what it is their teams are using, what benefits they bring, and any security risks related to their use. This post provides guidelines on how organizations choosing to use these tools can do so both effectively and safely.

Why Open Source Software Is Everywhere

When organizations invest in their security tech stack, open source solutions are a rising choice, providing scalability and cost-effectiveness tailored to the unique needs of their business. Findings from the 2023 edition of the Open Source Security and Risk Analysis (OSSRA) report confirmed the staying power of open source use in today’s industries. Of those surveyed, 96% of scanned codebases contained open source and 76% of code in codebases was open source.

Open source resources are also widely adopted for being highly customizable, allowing users to adapt them to their specific needs. This flexibility can be particularly useful for businesses building a cybersecurity strategy, where organizations often need to tailor their tools to address threats specific to their industry, legal requirements, and client base.

Other than being budget-friendly and extremely accessible, open source resources have also climbed in popularity for their ability to foster innovation in dev teams since new features and capabilities are being added regularly.

The Risks Behind the Use of Open Source Software (OSS)

As more organizations rely on open source frameworks, libraries, and tools in their daily operations, they can easily become keystones in business communications, software capabilities, user interactions and more. Since open source is so accessible for businesses of all sizes and industries, researchers have reported a 633% year-over-year increase in cyberattacks launched against open source software repositories.

Evidence suggests that threat actors’ focus on open source is surging. The 2020 SolarWinds attack, for example, continues to stand as a catalyst for rapid changes in how modern organizations build their security against third-party threats. Just one year after SolarWinds, the Log4j vulnerability shook the digital community when hackers began exploiting an overlooked flaw in the popular open source logging package. At the tail end of last year, threat actors bombarded the open source repositories NuGet, PyPI, and npm with over 144,000 malicious packages.

Of particular concern, the OSSRA report found that 89% of codebases scanned in its survey contained open source code more than four years out-of-date.

Before deploying open source frameworks, software, and tools, it is essential for DevOps and SecOps teams to consider the risks they can bring to the organization. Open source security risks include:

  • Vulnerabilities and excessive access – True to its name, open source code is accessible by anyone. Attackers can read it to find exploitable flaws just as easily as defenders can, and public package repositories can be seeded with malicious or typosquatted packages that are then pulled into downstream builds.
  • Lack of verification and immature code – Open source software does not carry a guarantee that it has been adequately tested by qualified experts. During its development, it may not have gone through the level of quality assurance needed to ensure its reliability or security.
  • Little to no dedicated support or maintenance – Some open source software does not have a dedicated support team meaning security patches and updates may be few if any at all. Without regular updates, bug fixes, and documentation, threat actors can easily exploit existing vulnerabilities to gain unauthorized access to a system.
  • Downstream effect of software supply chain attacks – When vulnerabilities exist in third-party code, organizations suddenly run the risk of introducing risks into their own environments, which then affects their clients and so on. Given how popular and widely used many open source repositories are, the U.S. federal government released a series of directives and guidelines on how to secure software development practices.

How to Implement Open-Source Tools Safely

While open source software is an excellent way for SMBs to build their security tool stack, those that err on the side of caution are wise to consider the safety and sustainability of open source tools before working them into their daily operations. Security teams play a vital role in making sure that open source software is good for long-term use by following the below best practices.

Understand the Dependencies & Components

With OSS now common in enterprise software stacks, security, IT and SecOps teams are burdened with the responsibility of investigating the software and making sure it is safe to implement. This investigation starts with managing the risks surrounding dependencies and components.

Businesses using open source libraries should be aware of all dependencies associated with those libraries. Direct dependencies are libraries that a business’s own code calls directly. Transitive or indirect dependencies add another level: the business’s code calls a library that in turn depends on other libraries, so there is a dependency of a dependency. Such nested dependencies can run several layers deep in large or complex frameworks. Vulnerabilities can be exposed at any level, and dealing with them can become complex. Developers and security teams need to understand each level of dependency and how a security vulnerability at that level impacts the projects it is part of.

Scanners like OWASP Dependency-Check can be helpful in exposing a business’s open source usage, including the transitive dependencies that never appear in its own manifests.

Lay Down Clear Policies on Open Source Usage

For top-down security, business leaders are instrumental in working with SecOps, IT teams and the organization’s security team to create strict policies and rules when it comes to using dependencies.

Developers need training on the risks associated with using open source components and should have a thorough understanding of their company’s policies on review, testing, and approval processes.

Testing the security of open source components is the most effective way to protect existing applications and assets. This requires a set schedule or process for testing and analyzing open source components, similar to proprietary code reviews.

Track & Update All Used Components

In cybersecurity, it’s often said that visibility is the key to defense. Open source resources allow users to see and modify the source code, which provides transparency and helps ensure that the software does what it claims to do. While in theory this can help identify security flaws or vulnerabilities in the code, in practice much OSS is maintained by unpaid volunteers who may have little time, expertise or inclination to conduct regular security reviews. The burden falls on the user to ensure that code used in a project is verified as trustworthy.

Software composition analysis (SCA) tools can help SecOps teams analyze software. Creating a central, organized inventory of all open source components in use, ideally with a detailed Bill of Materials (BOM) for each piece of OSS, allows security teams to better track, assess, and protect the environment. Inventories should be kept up to date and include all current open source projects, regularly used dependencies, versions in use, and download locations. Inventories are crucial in protecting both code and assets.
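As an added example (not code from the article or from any SCA product it mentions), this Python script walks a resolved dependency graph to build the kind of component inventory described here, recording each package's version, depth (direct or transitive) and the path by which it is pulled in, and then traces every path by which a vulnerable transitive component reaches the project so that the direct dependencies needing an update can be identified. The graph, the package names and versions, and the advisory are constructed sample data.

```python
"""Inventory a resolved dependency graph and trace vulnerable transitive components.

Added example, not from the original article. The graph below and the advisory
used in main() are constructed sample data, not real package metadata.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    requires: tuple  # names of the packages this one depends on directly


# Constructed graph: the application has two direct dependencies; the vulnerable
# component "sockutil" sits three levels down and is reachable by two paths.
GRAPH = {
    "app":       Package("app", "1.0.0", ("webclient", "reportgen")),
    "webclient": Package("webclient", "3.2.1", ("httpcore", "certs")),
    "reportgen": Package("reportgen", "0.9.0", ("templater", "httpcore")),
    "httpcore":  Package("httpcore", "1.4.2", ("sockutil",)),
    "templater": Package("templater", "2.0.0", ()),
    "certs":     Package("certs", "2023.5.7", ()),
    "sockutil":  Package("sockutil", "0.3.1", ()),
}


def parse_version(version):
    """Dotted numeric version to a comparable tuple, e.g. '1.26.5' -> (1, 26, 5)."""
    return tuple(int(part) for part in version.split("."))


def build_inventory(graph, root):
    """Breadth-first walk from the project root.

    Returns {name: (version, depth, path)}; depth 1 is a direct dependency,
    depth 2 or more is transitive, and path is the shortest chain from root.
    """
    inventory = {}
    queue = deque([(root, 0, (root,))])
    while queue:
        name, depth, path = queue.popleft()
        if name in inventory:
            continue  # already reached by a path at least as short
        package = graph[name]
        inventory[name] = (package.version, depth, path)
        for dep in package.requires:
            queue.append((dep, depth + 1, path + (dep,)))
    return inventory


def affected_paths(graph, root, advisory):
    """Every root-to-package chain ending in a version below the fixed version.

    advisory is (package_name, first_fixed_version). All paths are reported, not
    just the shortest, because each one corresponds to a direct dependency that
    must be updated before the vulnerable version disappears from the tree.
    """
    name, fixed_in = advisory
    hits = []

    def walk(node, path):
        package = graph[node]
        if node == name:
            if parse_version(package.version) < parse_version(fixed_in):
                hits.append(path)
            return
        for dep in package.requires:
            if dep not in path:  # guard against cyclic metadata
                walk(dep, path + (dep,))

    walk(root, (root,))
    return hits


def direct_dependencies_to_fix(graph, root, advisory):
    """The direct dependencies through which the vulnerable component is reached."""
    return {path[1] for path in affected_paths(graph, root, advisory) if len(path) > 1}


def inventory_lines(graph, root):
    """Plain-text bill of materials, one component per line, skipping the root."""
    lines = []
    for name, (version, depth, path) in build_inventory(graph, root).items():
        if depth == 0:
            continue
        kind = "direct" if depth == 1 else f"transitive (depth {depth})"
        lines.append(f"{name}=={version}  {kind}  via {' -> '.join(path)}")
    return lines


if __name__ == "__main__":
    print("\n".join(inventory_lines(GRAPH, "app")))
    advisory = ("sockutil", "0.3.2")  # constructed: versions below 0.3.2 are vulnerable
    for path in affected_paths(GRAPH, "app", advisory):
        print("vulnerable path:", " -> ".join(path))
    print("direct dependencies to update:",
          sorted(direct_dependencies_to_fix(GRAPH, "app", advisory)))
```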

To ensure safe and sustainable use, select open source components that have an active development or support community. When security issues and bugs affect components, the open source developer community will often identify and report valuable details and fixes that should be applied immediately. Leaving components unpatched severely heightens the risk of exploitation. In the same vein, the more unsupported or abandoned libraries a business decides to use, the harder it is for security teams to keep track of all dependencies, incoming fixes, and newly identified vulnerabilities.

Understand the Risks of Private versus Public Repositories

Once a piece of OSS has entered the organization’s software stack as verified and trusted by the SecOps or DevOps teams, consideration needs to be given to how that code will be maintained and updated.

Package management repositories such as NPM, PyPI, and crates.io provide great convenience but are also targets for supply chain attacks. To mitigate this, developers can fork implementations and use private repositories to update software components. However, it is important to be aware that these also carry risks: dependency confusion attacks can occur if package managers are configured to default to a public repository and the developers use a package name that can be claimed by an attacker, as happened in the PyTorch attack in early 2023. These kinds of risks can be mitigated by following best practices such as:

  • Ensure package managers resolve packages from private repositories and are not configured to fall back to a public repository
  • Verify package authenticity through code signing
  • Periodically audit and verify externally sourced code
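As an added example (not from the article), the Python audit below checks for the dependency confusion pattern just described, assuming pip as the package manager: a pip.conf that still consults public PyPI, and a requirements file whose entries are unpinned, lack a --hash, or use an internal package name while the public index remains reachable; the weak configuration is shown beside the corrected one. The index URL, the internal package names and the lockfile fragment are constructed sample data.

```python
"""Audit pip configuration and a requirements file for dependency-confusion risk.

Added example, not from the original article. The config texts, the lockfile
fragment and the internal package names below are constructed sample data.
"""
import configparser
import re

# Constructed: package names the organization publishes only to its private index.
INTERNAL_PACKAGES = {"acme-auth", "acme-billing"}

# Constructed weak pip.conf: index-url is left at its default (public PyPI) and
# the private index is added only as an extra index. pip merges candidates from
# every index and installs the highest version it finds, so a public package
# registered under an internal name with a higher version number wins.
WEAK_PIP_CONF = """\
[global]
extra-index-url = https://pypi.internal.example/simple
"""

# Constructed corrected pip.conf: the private index, which proxies the approved
# public packages, is the only index pip consults.
HARDENED_PIP_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
"""

# Constructed lockfile fragment. The hash values are placeholders, not digests.
REQUIREMENTS = """\
# pinned application dependencies
requests==2.31.0 \\
    --hash=sha256:placeholder-not-a-real-digest-1
acme-auth==1.4.0
acme-billing==2.0.1 \\
    --hash=sha256:placeholder-not-a-real-digest-2
pyyaml>=6.0
"""

PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*[^\s\\]+")


def audit_pip_config(text):
    """Findings for a pip.conf that still lets pip reach the public index."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["global"] if parser.has_section("global") else {}
    findings = []
    if not section.get("index-url", "").strip():
        findings.append("index-url not set: pip resolves from public PyPI by default")
    if section.get("extra-index-url", "").strip():
        findings.append("extra-index-url in use: candidates from every index are merged "
                        "and the highest version wins, whichever index offers it")
    return findings


def audit_requirements(text, internal, public_index_reachable):
    """Findings for unpinned, unhashed, or shadowable internal requirements."""
    # Join backslash continuations so a requirement and its --hash options form one record.
    joined = re.sub(r"\\\n\s*", " ", text)
    findings = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PINNED.match(line)
        if not match:
            findings.append(f"{line.split()[0]}: not pinned to an exact version with ==")
            continue
        name = match.group(1).lower().replace("_", "-")
        if "--hash=" not in line:
            findings.append(f"{name}: no --hash option, downloaded artifact is not verified")
        if name in internal and public_index_reachable:
            findings.append(f"{name}: internal name is resolvable from the public index")
    return findings


def audit(config_text, requirements_text, internal=INTERNAL_PACKAGES):
    """Combined report; any config finding means public PyPI is still consulted."""
    config_findings = audit_pip_config(config_text)
    public_reachable = bool(config_findings)
    return config_findings + audit_requirements(requirements_text, internal, public_reachable)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PIP_CONF), ("hardened", HARDENED_PIP_CONF)):
        print(f"--- {label} configuration ---")
        for finding in audit(conf, REQUIREMENTS):
            print(" ", finding)
```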

Conclusion

Demand for business innovation, scalability, and ease of use have all enabled the variety and growth of open source software. With more organizations adopting OSS into their internal processes and their lines of products and services, threat actors have begun to set their sights on targeting exploitable vulnerabilities that exist within open source code and tools.

To safeguard the use of these accessible and cost-effective resources, businesses continue to rely on autonomous, AI-driven cybersecurity platforms like SentinelOne for all-around protection. Whether the code in your network is open source or proprietary, learn how SentinelOne’s Singularity™ XDR defends across all possible attack surfaces by contacting us today or booking a demo.

Understanding Cloud Incident Response | Developing Best Practices to Protect Your Enterprise

Enterprise leaders responsible for managing incidents in the cloud are widely encouraged to craft their security strategy through a proactive approach, but in current times while contending with sophisticated threat actors, malware, and tools, what does a proactive approach really mean?

As more enterprises adopt cloud technology for its scalability, flexibility, and cost-efficiency, threat actors see those same qualities as opportunities to exploit and attack. As enterprises move toward the cloud as part of their digital transformations, all industries are also seeing a growing rise in cloud data breaches, ransomware attacks, and insider threats.

This post covers the key best practices that enterprise leaders and security teams can implement to set an effective cloud-based incident response plan in place, minimizing the harm caused by security incidents and accelerating the time to recovery.

Defining Cloud Incident Response

Over the last few decades, acceleration of cloud adoption has evolved incident response (IR). This global shift represents new challenges for security leaders, especially in terms of data volume, accessibility, and how fast threats can develop within cloud infrastructures.

Modern enterprises that have fully moved to the cloud or embraced a hybrid cloud adoption strategy face complex cloud environments. Consisting of components, virtualization, storage, workloads, cloud management software and more, the cloud presents defenders with much to secure.

Cloud IR addresses all of these risks unique to the cloud and frames how enterprise leaders can identify, contain, mitigate, and respond to threats in such a rapidly changing environment. Unlike traditional IR strategies, Cloud IR requires a more nuanced approach that can account for the way cloud platforms are managed, how data is stored and accessed, and the dynamic nature of the cloud itself.

  • Managing the Cloud Platform – Each cloud platform typically has a single control center known as the administrative console, or management plane. This console allows admin users to create new identities, deploy services and updates, as well as manage configurations affecting all hosted assets within the cloud. Since this console is a converging point between the infrastructure and cloud user identities, it is a highly lucrative ‘keys to the kingdom’ target for attack by threat actors.
  • Understanding Data in the Cloud – Clouds hold data, apps, and components on external servers which, if not configured correctly or kept up to date, can serve threat actors as a springboard to all connected assets. Beyond external threats, internal threats such as misconfigurations and vulnerabilities must also be considered, since cloud networks are known for their large size and level of complexity.
  • Handling a Dynamic Cloud – Modern cloud platforms are very dynamic, meaning security teams will need to remain agile and have full visibility of all cloud services and apps to secure them. The sheer volume of assets in the cloud alone is enough of a risk in that it can slow down threat hunting, triage, and incident investigation processes if teams are not intimately familiar with their environment.

Recognizing A Growing Need for Cloud-Specific Response

Cloud computing has introduced new security challenges and threats that require enterprises to take a different approach to security, compared to traditional on-premises infrastructure. What’s needed in today’s digital landscape to protect the cloud is a robust incident response plan capable of focusing on cloud-specific risks while also providing coverage for other major attack surfaces like endpoint and identity.

Defending the cloud surface through a strong incident response strategy involves identifying, analyzing, and responding to security incidents in a cloud environment. A robust cloud incident response plan can help businesses maintain their data’s confidentiality, integrity, and availability. By preventing breaches in the cloud, businesses are able to prevent financial loss, protect their reputation, and ensure regulatory compliance.

An effective strategy in this case requires a well-defined, regularly tested, and updated plan. Further, it should minimize the impact of security incidents and help the business recover as quickly as possible should an attack occur. A well-defined response plan is critical to effective incident response. This plan should include procedures for responding to various incidents, such as data breaches, DDoS attacks, and malware infections. It should also outline the steps to contain the incident, investigate it, and recover from it.

Best Practices | How to Master Cloud Incident Response

Assess the Risks | Know the Ins and Outs of Your Cloud

Cloud incident response starts with understanding what the scope of cloud-based risks are. The first step in mastering Cloud IR is to conduct a comprehensive risk assessment. This involves identifying potential threats, vulnerabilities, and risks to the cloud environment. The risk assessment should consider data sensitivity, legal requirements, access controls, encryption, network security, and third-party risks.

Security teams need to understand the ins and outs of their cloud infrastructure and know exactly what is in it in order to defend it. Preparation for cloud-based incidents should then be based on the unique characteristics and features of the cloud environment itself as well as any business-specific requirements and considerations.

Risk profiles that are consistently reviewed and updated mean leaders can bake situational awareness and breach readiness into company-wide policies and workflows. These in turn trickle down to how leads from each team can better prepare their response in case of a cybersecurity event.

Embrace the Details | Data in Cloud Security

Having the right data and tools can accelerate a security team’s progress during an active security event. To detect and respond to security incidents in a timely manner, it’s essential to have monitoring and detection controls in place. These controls should include real-time monitoring of cloud resources, network traffic analysis, user activity tracking, and intrusion detection systems. In addition, automated alerts and notifications can help ensure that incidents are promptly identified and responded to.

While performing the initial triage, the response team can significantly reduce their time if proper preparation is established before attacks occur. Deploying an open XDR platform will help SOC teams ingest and make sense of large amounts of data to speed up the incident response process. Otherwise, response teams can be trained on how to identify and select the most relevant information. When an incident occurs, response teams won’t have time to comb through mass amounts of logs to find true indicators of compromise so planning ahead is essential.

Security teams can automate their IR activities through the use of specialized tools and techniques to investigate security incidents. Since cloud architecture is so vast and often difficult to navigate quickly, investing in the right IR tools supports the response process rather than hindering it.

Aim For Efficiency | The Importance of Process & Communication

The cost of downtime kills. For cloud-based businesses under threat, security must be able to quickly collect, sort, and analyze data from across their environments to mitigate attacks and limit the spread of damage. A significant element of a Cloud IR strategy means having pre-set processes and playbooks in place to ensure work and communication behind the scenes is done efficiently.

Cloud IR involves a team effort, and it is important to define roles and responsibilities for each team member during a security event. This includes identifying who will be responsible for identifying, reporting, investigating, and resolving incidents. In addition, clear communication and collaboration between team members are critical to effective incident response.

The incident response team should be trained in IR procedures and practice responding to simulated incidents. This includes conducting regular drills and simulations to test the IR plan and identify areas for improvement. By practicing effective incident response, enterprises can better prepare themselves for handling security incidents promptly and efficiently.

Further, effective communication is essential in incident response. The Cloud IR plan should outline the communication protocols to be used in the event of a security incident, including who should be notified and how they should be notified. Communication protocols must also include communication procedures with external parties, such as customers, partners, and regulatory agencies. Clear and timely communication can minimize the impact of security incidents and maintain the trust of stakeholders.

Conclusion

The digital sky seems to be the limit when it comes to cloud adoption rates and threat actors continue to sharpen their attention on this attack surface. Enterprises that have embraced cloud technologies need to be able to quickly identify signs of cloud-based threats, mitigate the breach, and either limit or eliminate damage to the environment. Having a well-defined plan allows security teams to keep a watchful eye on their business’s cloud infrastructure and help focus their efforts on automating the response process to reduce time to resolution.

Mastering Cloud IR is critical for modern enterprises operating in the cloud. When it comes to securing the cloud surface, SentinelOne’s Singularity™ Cloud enables enterprises to protect their endpoints across all cloud environments: public, private, and hybrid. Businesses working with SentinelOne can position themselves securely in the threat landscape and continue operating in their cloud infrastructures safely through autonomous endpoint protection, detection, and response. Contact us today or book a demo to see how we can help improve your cloud defenses and fuse autonomous threat hunting, EDR capability, and security together to fit your business.


Feds Take Down 13 More DDoS-for-Hire Services

The U.S. Federal Bureau of Investigation (FBI) this week seized 13 domain names connected to “booter” services that let paying customers launch crippling distributed denial-of-service (DDoS) attacks. Ten of the domains are reincarnations of DDoS-for-hire services the FBI seized in December 2022, when it charged six U.S. men with computer crimes for allegedly operating booters.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

The websites that saw their homepages replaced with seizure notices from the FBI this week include booter services like cyberstress[.]org and exoticbooter[.]com, which the feds say were used to launch millions of attacks against millions of victims.

“School districts, universities, financial institutions and government websites are among the victims who have been targeted in attacks launched by booter services,” federal prosecutors in Los Angeles said in a statement.

Purveyors of booters or “stressers” claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — these services can be used for good or bad purposes. Most booter sites employ wordy “terms of use” agreements that require customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks. What’s more, none of the services seized by the government required users to demonstrate that they own the Internet addresses being stress-tested, something a legitimate testing service would insist upon.

This is the third in a series of U.S. and international law enforcement actions targeting booter services. In December 2022, the feds seized four-dozen booter domains and charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services. In December 2018, the feds targeted 15 booter sites, and three booter store defendants who later pleaded guilty.

While the FBI’s repeated seizing of booter domains may seem like an endless game of virtual Whac-a-Mole, continuously taking these services offline imposes high enough costs for the operators that some of them will quit the business altogether, says Richard Clayton, director of Cambridge University’s Cybercrime Centre.

In 2020, Clayton and others published “Cybercrime is Mostly Boring,” an academic study on the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. The study found that operating a booter service effectively requires a mind-numbing amount of constant, tedious work that tends to produce high burnout rates for booter service operators — even when the service is operating efficiently and profitably.

For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks, Clayton said. On top of that, building brand recognition and customer loyalty takes time.

“If you’re running a booter and someone keeps taking your domain or hosting away, you have to then go through doing the same boring work all over again,” Clayton told KrebsOnSecurity. “One of the guys the FBI arrested in December [2022] spent six months moaning that he lost his servers, and could people please lend him some money to get it started again.”

In a statement released Wednesday, prosecutors in Los Angeles said four of the six men charged last year for running booter services have since pleaded guilty. However, at least one of the defendants from the 2022 booter bust-up — John M. Dobbs, 32, of Honolulu, HI — has pleaded not guilty and is signaling he intends to take his case to trial.

The FBI seizure notice that replaced the homepages of several booter services this week.

Dobbs is a computer science graduate student who for the past decade openly ran IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania. Prosecutors say Dobbs’ service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.

Many accused stresser site operators have pleaded guilty over the years after being hit with federal criminal charges. But the government’s core claim — that operating a booter site is a violation of U.S. computer crime laws — wasn’t properly tested in the courts until September 2021.

That was when a jury handed down a guilty verdict against Matthew Gatrel, a then 32-year-old St. Charles, Ill. man charged in the government’s first 2018 mass booter bust-up. Despite admitting to FBI agents that he ran two booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by court-appointed attorneys.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. He was sentenced to two years in prison.

A copy of the FBI’s booter seizure warrant is here (PDF). According to the DOJ, the defendants who pleaded guilty to operating booter sites include:

Jeremiah Sam Evans Miller, aka “John The Dev,” 23, of San Antonio, Texas, who pleaded guilty on April 6 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named RoyalStresser[.]com (formerly known as Supremesecurityteam[.]com);

Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337,” 37, of Belleview, Florida, who pleaded guilty on February 13 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named SecurityTeam[.]io;

Shamar Shattock, 19, of Margate, Florida, who pleaded guilty on March 22 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Astrostress[.]com;

Cory Anthony Palmer, 23, of Lauderhill, Florida, who pleaded guilty on February 16 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Booter[.]sx.

All four defendants are scheduled to be sentenced this summer.

The booter domains seized by the FBI this week include:


Microsoft Patch Tuesday, May 2023 Edition

Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.

First up in May’s zero-day flaws is CVE-2023-29336, an “elevation of privilege” weakness in Windows that has low attack complexity, requires only low privileges, and needs no user interaction. However, as the SANS Internet Storm Center points out, the attack vector for this bug is local.

“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow the attacker to disable security tooling and deploy more attacker tools like Mimikatz that lets them move across the network and gain persistence.”

The zero-day patch that has received the most attention so far is CVE-2023-24932, which is a Secure Boot Security Feature Bypass flaw that is being actively exploited by “bootkit” malware known as “BlackLotus.” A bootkit is dangerous because it allows the attacker to load malicious software before the operating system even starts up.

According to Microsoft’s advisory, an attacker would need physical access or administrative rights to a target device, and could then install an affected boot policy. Microsoft gives this flaw a CVSS score of just 6.7, rating it as “Important.”

Adam Barnett, lead software engineer at Rapid7, said CVE-2023-24932 deserves a considerably higher threat score.

“Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access,” Barnett said. “Therefore, the relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.”

Barnett said Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or Bitlocker.

“Administrators should be aware that additional actions are required beyond simply applying the patches,” Barnett advised. “The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.”

In addition to the two zero-days fixed this month, Microsoft also patched five remote code execution (RCE) flaws in Windows, two of which have notably high CVSS scores.

CVE-2023-24941 affects the Windows Network File System, and can be exploited over the network by making an unauthenticated, specially crafted request. Microsoft’s advisory also includes mitigation advice. The CVSS for this vulnerability is 9.8 – the highest of all the flaws addressed this month.

Meanwhile, CVE-2023-28283 is a critical bug in the Windows Lightweight Directory Access Protocol (LDAP) that allows an unauthenticated attacker to execute malicious code on the vulnerable device. The CVSS for this vulnerability is 8.1, but Microsoft says exploiting the flaw may be tricky and unreliable for attackers.

Another vulnerability patched this month that was disclosed publicly before today (but not yet seen exploited in the wild) is CVE-2023-29325, a weakness in Microsoft Outlook and Explorer that can be exploited by attackers to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane.

“To help protect against this vulnerability, we recommend users read email messages in plain text format,” Microsoft’s writeup on CVE-2023-29325 advises.

“If an attacker were able to exploit this vulnerability, they would gain remote access to the victim’s account, where they could deploy additional malware,” Immersive’s Breen said. “This kind of exploit will be highly sought after by e-crime and ransomware groups where, if successfully weaponized, could be used to target hundreds of organizations with very little effort.”

For more details on the updates released today, check out roundups by Action1, Automox and Qualys. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Mastering the Art of SoC Analysis Part 3 | Secrets of Communication and Growth for Aspiring SOC Analysts

As cybersecurity threats increase in sophistication and frequency, the demand for skilled Security Operations Center (SOC) analysts continues to rise. In tandem with defensive strategies and advanced security software, SOC analysts fill a critical role in keeping enterprises safe from attacks.

They are responsible for identifying and mitigating oncoming threats, protecting sensitive information, and ensuring the overall security of an organization’s digital assets. As demand for skilled SOC analysts climbs, aspiring defenders need to ensure they have the technical knowledge, analytical skills, and critical thinking abilities required for the job.

This is part three of a three-part blog post series covering the top tips and skills that aspiring analysts will need to master as they begin their journey toward success in the SOC analysis field. In this third post, learn about the top four skills analysts need to communicate effectively, develop critical questioning, and widen their cyber repertoire. Read parts one and two to complete this blog series.

1. Practice Effective Communication

Being able to communicate technical concepts to those in non-technical roles is critical. Practice breaking down complex ideas into straightforward terms and communicating them effectively.

The role of SOC analysts involves working with different teams and stakeholders, including IT, security, and management. Effective communication ensures that members of all teams are on the same page and working towards the same goal.

When a security incident occurs, SOC analysts need to communicate effectively to gather information, identify the scope of the incident, and respond promptly to mitigate the threat. Clear and concise communication is critical during incident response to avoid confusion and ensure everyone understands their roles and responsibilities.

SOC analysts often collaborate with different teams to gather and analyze security data, identify potential threats, and develop effective security strategies. Effective communication is crucial for establishing and promoting teamwork.

Finally, SOC analysts communicate regularly with different stakeholders, including management, customers, and partners, to provide updates on security incidents, share security reports, and discuss security policies. Effective communication is essential to build trust and maintain strong relationships with these stakeholders.

Verbal & Written Communication Tips for SOC Analysts

As a SOC analyst, you need to be proficient in verbal and written communication to communicate effectively with different teams and stakeholders.

Verbal Communication

Use clear and concise language when communicating with others. Avoid using technical jargon or acronyms that others may not understand. Active listening is the other half of effective verbal communication. Listen carefully to what others say and ask questions to clarify misunderstandings early on.

Written Communication

SOC analysts are also responsible for writing reports, creating security policies, and communicating via email or chat with others. Use simple language when writing reports or emails. Avoid using technical jargon or complex sentences that others may find difficult to understand. Use short and to-the-point sentences to convey your message and avoid using long and convoluted sentences whenever possible.

2. Develop Effective Questioning Skills

Asking the right questions is essential for gathering information and understanding issues. Practice asking targeted questions to gather more information and better understand problems.

By developing good questioning skills, SOC analysts can gather accurate and relevant information, identify patterns and trends, collaborate effectively with other teams, and identify and mitigate hidden threats. SOC analysts can become more effective and better protect their organizations through active listening, open-ended and contextual questions, and follow-up questions.

Good questioning skills enable SOC analysts to gather accurate and relevant information from various sources, including users, systems, and logs. By asking the right questions, SOC analysts can obtain the information required to understand the scope and impact of a security incident fully.

By asking targeted questions, SOC analysts can identify patterns and trends in security incidents that may not be immediately apparent through data analysis alone. This enables SOC analysts to understand a security incident’s root cause better and implement effective mitigation strategies.

Cyber attackers often use stealthy techniques to hide their activity, making it difficult for SOC analysts to detect and mitigate threats. Good questioning skills enable SOC analysts to uncover hidden threats by asking targeted questions that may reveal otherwise undetected activity.

Developing Good Questioning Skills for SOC Analysis

  • Engage and listen actively – Active listening is critical to good questioning skills. To gather accurate and relevant information, SOC analysts must be fully present and engaged when communicating with users, system administrators, and other stakeholders.
  • Ask open-ended questions – Open-ended questions encourage users and other stakeholders to provide detailed information and explanations, enabling SOC analysts to fully understand the scope and impact of a security incident.
  • Ask follow-up questions – Follow-up questions enable SOC analysts to obtain additional details and clarification, helping them to identify patterns and trends in security incidents.
  • Ask contextual questions – Contextual questions help SOC analysts understand a security incident’s bigger picture, including the business impact and related incidents or events.

3. Reinforcing Your Knowledge

As an analyst, your “pools of knowledge” expand and connect concepts together over time. The depth and breadth of these “pools” and how they connect is what defines your expertise as an analyst.

As analysts, we benefit from wider exposure to different tools, applications, and architectures. When reviewing potentially malicious activity, we are often deciding whether confidentiality, integrity, or availability was impacted. An alert such as "the outdated Jenkins master server is publicly exposed", read with an understanding of what Jenkins is, how it operates, and which vulnerabilities it has suffered, opens additional avenues of implication and risk that need to be assessed.

The same breadth also keeps analysts out of time-consuming rabbit holes during investigations. Every analyst has spent hours tugging on a thread, only to find that the activity was benign and expected for that particular technology.

To counter this, analysts should expose themselves to as many environments, tools, and architectures as possible. Learning new concepts, how they connect, and how they can affect one another compounds in value within security.

This speeds up analysis while also surfacing obscure implications of observed activity. While no analyst can be an expert in all domains, even "puddle-deep" knowledge can be enough to connect multiple concepts together.

4. Join The Cybersecurity Community

Joining the cybersecurity community can be beneficial for SOC analysts. Participate in online forums, attend conferences, and network with other professionals to learn and share knowledge.

On the journey to gaining experience, SOC analysts often find support as part of a community of like-minded professionals who can provide guidance and insights into the latest industry trends. By joining the SOC analysis community through online communities, conferences, meetups, and certifications, SOC analysts can enhance their skills, advance their careers, and stay up-to-date with the latest industry trends. Ultimately, being part of a community of professionals can help SOC analysts become more effective and better protect their organizations.

Joining the SOC analysis community provides access to a wealth of knowledge and expertise from other professionals in the field. By sharing insights and best practices, SOC analysts can learn from others’ experiences and improve their skills and techniques.

Being part of a professional community can also help SOC analysts advance their careers by providing opportunities for networking, mentorship, and professional development. SOC analysts can gain valuable insights into the job market, career paths, and skills needed to advance in the field.

Joining the SOC analysis community provides access to the latest industry trends, developments, and challenges. SOC analysts can stay up-to-date with the latest threats, technologies, and techniques and learn how others address similar challenges.

How to Get Involved in the SOC Analysis Community

  • Online Communities – Many online communities and forums are dedicated to SOC analysis, where professionals can connect, share knowledge, and collaborate on industry challenges. Some popular communities include Reddit’s “SOC” subreddit and the “SOC Talk” group on LinkedIn.
  • Conferences & Meetups – Attending industry conferences and meetups is a great way to network with other professionals and gain insights into the latest industry trends. Many conferences offer workshops and training sessions specifically for SOC analysts, providing opportunities for professional development.
  • Certifications – Earning industry certifications, such as the CompTIA Security+, Certified Information Systems Security Professional (CISSP), or GIAC Certified Incident Handler (GCIH), can also help SOC analysts become part of a larger community of professionals and gain valuable knowledge and skills.

Conclusion

As more data breaches and ransomware incidents occupy news headlines worldwide, enterprise leaders understand the absolute need for robust cybersecurity capabilities such as security operations centers (SOCs).

Investing in aspiring security professionals means operational teams can detect intrusions and rapidly isolate them before they move deep into a sensitive environment and create long-lasting damage. SOC analysts are an essential part of this defense, proactively monitoring for early indicators of threat, providing real-time responses to security events, triaging actions, recovering assets, and triggering incident recovery mechanisms.

For aspiring SOC analysts, a combination of technical knowledge, analytical skills, and critical thinking abilities ensure they can truly understand the digital environment they are protecting. Together with the right stack of security tools, cybersecurity strategy, and top-down support from enterprise leadership, SOC analysts can keep their businesses safe from evolving threats in the cyber landscape.

If you enjoyed this post don’t forget to check out Part One and Part Two.

Contact us today or book a demo to learn more about how SentinelOne can augment your business’s cybersecurity posture against even the most sophisticated threats, tactics, and techniques used by threat actors today.

The Good, the Bad and the Ugly in Cybersecurity – Week 18

International Seizure | Police Shutdown 9 Cryptocurrency Laundering Exchanges

A multi-level collaboration between the FBI, DoJ, and Ukrainian Cyber and National Police this week culminated in the seizure of nine cryptocurrency laundering websites. According to authorities, the sites were used mainly by cybercriminals and ransomware groups for money laundering and crypto exchange services. The joint takedown also includes all servers related to the sites.

In its press release, the FBI listed the domains 24xbtc.com, 100btc.pro, pridechange.com, 101crypta.com, uxbtc.com, trust-exchange.org, bitcoin24.exchange, paybtc.pro, and owl.gold, all of which violated virtual currency codes of conduct to create a haven for criminal activity and support the wider cybercrime ecosystem. These sites boasted lax or no Know Your Customer (KYC) and Anti-Money Laundering (AML) measures, and many also advertised forums dedicated to discussing criminal activity.

Illicit websites such as these nine allow users to convert stolen cryptocurrency into coins that are harder to trace, blurring the money trail and enabling criminals to launder their proceeds anonymously. Reports noted that most of the sites provided live support and instructions in both English and Russian to serve a wider range of customers.

Crackdowns like this one have become a primary goal of law enforcement agencies worldwide as they race to disrupt attackers' financial infrastructure and cut off the laundered proceeds that fund further malicious activity. Confiscated sites also allow authorities to identify associated criminals, possibly leading to more arrests in the future or valuable intelligence on threat actors' operational trends.

Kimsuky APT | New Recon Tool Expands Cyber Attacks On Global Organizations

In a new report published by SentinelLabs this week, researchers revealed that a North Korean-backed APT known as “Kimsuky” has been deploying a previously unseen spy tool in active threat campaigns against Asian, North American, and European organizations. Since 2012, activity from the threat group has indicated their focus on collecting intel through cyber espionage for the North Korean government.

Previous campaigns by Kimsuky often featured the deployment of a malware family called BabyShark. The new report by SentinelLabs highlights an expansion of the group's arsenal: an evolved version of BabyShark that includes a reconnaissance capability. Dubbed 'ReconShark', this reconnaissance tool has been observed using distinctive execution instructions and server communication methods.

ReconShark is deployed through spear phishing emails crafted to target a specific individual. To increase the likelihood of success, the emails are properly formatted and branded and abuse the names of real people associated with the email's fake content. Kimsuky emails include links to download a lure document containing macros that execute when the document is closed. Once running, ReconShark exfiltrates a list of running processes, battery information, and which endpoint threat detection products are deployed on the infected host. Additionally, the malware deploys further payloads through scripts, macro-enabled MS Office templates, or Windows DLL files.
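The on-close trigger is the detail a defender can act on: Word and Excel run a small, fixed set of auto-execution entry points without any click, and a macro that declares one of them alongside a call that spawns a process is worth pulling aside before it reaches a user. The scanner below is an added example, not SentinelLabs' tooling or code from the report; it takes VBA source text (in practice obtained with an extractor such as oletools' olevba, which is assumed here rather than shown) and flags auto-execution triggers, splitting out the close-time ones the page describes. The two embedded macros are constructed illustrations, not real Kimsuky lures, and the suspicious-call list is a generic one rather than anything specific to ReconShark.

```python
import re
from dataclasses import dataclass

# VBA auto-execution entry points. Office runs these without user interaction;
# the on-close set is kept separate because that is the trigger the lure used.
AUTOEXEC_ON_OPEN = ("AutoOpen", "AutoExec", "Document_Open", "Workbook_Open", "Auto_Open")
AUTOEXEC_ON_CLOSE = ("AutoClose", "AutoExit", "Document_Close", "Workbook_BeforeClose", "Auto_Close")

# Calls that typically drop, fetch or run a second stage. Assumption: a generic
# triage list, not derived from ReconShark samples.
SUSPICIOUS_CALLS = (
    "Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile", "XMLHTTP",
    "ADODB.Stream", "Environ", "rundll32", "regsvr32", "mshta", "powershell",
)

# Sub/Function declarations; VBA identifiers are case-insensitive.
SUB_DECL = re.compile(
    r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class MacroVerdict:
    open_triggers: list
    close_triggers: list
    suspicious_calls: list
    suspicious: bool


def scan_vba(source: str) -> MacroVerdict:
    """Flag a macro as suspicious when it both auto-executes and calls out to
    something that can launch or fetch code. Either alone is common in benign
    documents; the combination is the lure pattern."""
    declared = {m.group(1).lower() for m in SUB_DECL.finditer(source)}
    open_triggers = [t for t in AUTOEXEC_ON_OPEN if t.lower() in declared]
    close_triggers = [t for t in AUTOEXEC_ON_CLOSE if t.lower() in declared]
    calls = [
        c for c in SUSPICIOUS_CALLS
        if re.search(r"\b" + re.escape(c) + r"\b", source, re.IGNORECASE)
    ]
    auto_executes = bool(open_triggers or close_triggers)
    return MacroVerdict(open_triggers, close_triggers, calls, auto_executes and bool(calls))


# Constructed sample in the style of an on-close macro lure; not a real document.
LURE_MACRO = """
Private Sub Document_Close()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "cmd /c tasklist > %TEMP%\\p.txt", 0
End Sub
"""

# Constructed benign macro: no auto-exec entry point, no process launch.
BENIGN_MACRO = """
Sub FormatTable()
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, src in (("lure", LURE_MACRO), ("benign", BENIGN_MACRO)):
        v = scan_vba(src)
        print(f"{name}: suspicious={v.suspicious} close={v.close_triggers} "
              f"open={v.open_triggers} calls={v.suspicious_calls}")
```

Run it as a script to see both verdicts; in a pipeline, feed it the output of your macro extractor per document and route anything with `suspicious=True` to a sandbox rather than to the recipient. Treating the close-time triggers separately matters for dynamic analysis too: a sandbox that opens the document and never closes it will not observe the payload.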

Malicious Document, themed to DPRK / China

North Korean state-sponsored APTs continue to evolve their tools, tactics, and techniques to target their victims more effectively. As we see more cases of advanced social engineering and sophisticated malware, organizations in all sectors should continue to take preventative measures against identity-based threats, implement multi-factor authentication, and train users to recognize the signs of phishing.

macOS Threats | Infostealer Sold on Telegram Eyes Up YouTube Campaign

Further research into Atomic Stealer this week revealed that the threat actor behind the version sold on Telegram has developed a second version, packaged as a trojanized game installer and promoted to victims through YouTube.

As advertised in a Telegram channel, Atomic Stealer promises cybercriminals a full-fledged infostealer capable of grabbing keychain passwords, browser data, and session cookies. The malware is also known to steal crypto wallets, targeting numerous popular cryptocurrency extensions to nab credentials. The going price is $1000 per month and includes a ready-for-use web interface for threat campaign management.

A second version of the malware was discovered this week that appears to be associated with a YouTube channel advertising “Crypto ALMV”, supposedly a game offering with crypto wallet integration that promises “secure cryptocurrency wallet in metaverse”.

Distributed as a stand-alone executable called 'Game Installer', the malicious binary contains functions to steal passwords, wallets, and browser secrets. Tellingly, the author left strings such as "ATOMIC STEALER" embedded in the binary. Given that the Telegram variant reached out to a URL at amos-malware[.]ru/sendlogillegal, it is clear the author does not expect much scrutiny from victims.

The increasing occurrence of macOS-targeted infostealers reflects how lucrative the OS has become as a target, both at the enterprise level and the personal level. Users would be wise to ensure that they have additional protection and visibility for their Mac devices aside from the default security protections provided by Apple.