$10M Is Yours If You Can Get This Guy to Leave Russia

The U.S. government this week put a $10 million bounty on a Russian man who for the past 18 years operated Try2Check, one of the cybercrime underground’s most trusted services for checking the validity of stolen credit card data. U.S. authorities say 43-year-old Denis Kulkov‘s card-checking service made him at least $18 million, which he used to buy a Ferrari, Land Rover, and other luxury items.

Denis Kulkov, a.k.a. “Nordex,” in his Ferrari. Image: USDOJ.

Launched in 2005, Try2Check soon was processing more than a million card-checking transactions per month — charging 20 cents per transaction. Cybercriminals turned to services like this after purchasing stolen credit card data from an underground shop, with an eye toward minimizing the number of cards that are inactive by the time they are put to criminal use.

Try2Check was so reliable that it eventually became the official card-checking service for some of the underground’s most bustling crime bazaars, including Vault Market, Unicc, and Joker’s Stash. Customers of these carding shops who chose to use the shop’s built-in (but a-la-carte) card checking service from Try2Check could expect automatic refunds on any cards that were found to be inactive or canceled at the time of purchase.

Many established stolen card shops will allow customers to request refunds on dead cards based on official reports from trusted third-party checking services. But in general, the bigger shops have steered customers toward using their own white-labeled version of the Try2Check service — primarily to help minimize disputes over canceled cards.

On Wednesday, May 3, Try2Check’s websites were replaced with a domain seizure notice from the U.S. Secret Service and U.S. Department of Justice, as prosecutors in the Eastern District of New York unsealed an indictment and search warrant naming Denis Gennadievich Kulkov of Samara, Russia as the proprietor.

Try2Check’s login pages have been replaced with a seizure notice from U.S. law enforcement.

At the same time, the U.S. Department of State issued a $10 million reward for information leading to the arrest or conviction of Kulkov. In November 2021, the State Department began offering up to to $10 million for the name or location of any key leaders of REvil, a major Russian ransomware gang.

As noted in the Secret Service’s criminal complaint (PDF), the Try2Check service was first advertised on the closely-guarded Russian cybercrime forum Mazafaka, by someone using the handle “KreenJo.” That handle used the same ICQ instant messenger account number (555724) as a Mazafaka denizen named “Nordex.”

In February 2005, Nordex posted to Mazafaka that he was in the market for hacked bank accounts, and offered 50 percent of the take. He asked interested partners to contact him at the ICQ number 228427661 or at the email address polkas@bk.ru. As the government noted in its search warrant, Nordex exchanged messages with forum users at the time identifying himself as a then-24-year-old “Denis” from Samara, RU.

In 2017, U.S. law enforcement seized the cryptocurrency exchange BTC-e, and the Secret Service said those records show that a Denis Kulkov from Samara supplied the username “Nordexin,” email address nordexin@ya.ru, and an address in Samara.

Investigators had already found Instagram accounts where Kulkov posted pictures of his Ferrari and his family. Authorities were able to identify that Kulkov had an iCloud account tied to the address nordexin@icloud.com, and upon subpoenaing that found passport photos of Kulkov, and well as more photos of his family and pricey cars.

Like many other top cybercriminals based in Russia or in countries with favorable relations to the Kremlin, the proprietor of Try2Check was not particularly difficult to link to a real-life identity. In Kulkov’s case, it no doubt was critical to U.S. investigators that they had access to a wealth of personal information tied to a cryptocurrency exchange Kulkov had used.

However, the link between Kulkov and Try2Check can be made — ironically — based on records that have been plundered by hackers and published online over the years — including Russian email services, Russian government records, and hacked cybercrime forums.

NORDEX

Kulkov posing with his passport, in a photo authorities obtained by subpoenaing his iCloud account.

According to cybersecurity firm Constella Intelligence, the address polkas@bk.ru was used to register an account with the username “Nordex” at bankir[.]com, a now defunct news website that was almost standard reading for Russian speakers interested in news about various Russian financial markets.

Nordex appears to have been a finance nerd. In his early days on the forums, Nordex posted several long threads on his views about the Russian stock market and mutual fund investments.

That Bankir account was registered from the Internet address 193.27.237.66 in Samara, Russia, and included Nordex’s date of birth as April 8, 1980, as well as their ICQ number (228427661).

Cyber intelligence firm Intel 471 found that Internet address also was used to register the account “Nordex” on the Russian hacking forum Exploit back in 2006.

Constella tracked another Bankir[.]com account created from that same Internet address under the username “Polkas.” This account had the same date of birth as Nordex, but a different email address: nordia@yandex.ru. This and other “nordia@” emails shared a password: “anna59.”

NORDIA

Nordia@yandex.ru shares several passwords with nordia@list.ru, which Constella says was used to create an account at a religious website for an Anna Kulikova from Samara. At the Russian home furnishing store Westwing.ru, Ms. Kulikova listed her full name as Anna Vnrhoturkina Kulikova, and her address as 29 Kommunistrecheskya St., Apt. 110.

A search on that address in Constella brings up a record for an Anna Denis Vnrhoturkina Kulkov, and the phone number 879608229389.

Russian vehicle registration records have also been hacked and leaked online over the years. Those records show that Anna’s Apt 110 address is tied to a Denis Gennadyvich Kulkov, born April 8, 1980.

The vehicle Kolkov registered in 2015 at that address was a 2010 Ferrari Italia, with the license plate number K022YB190. The phone number associated with this record — 79608229389 — is exactly like Anna’s, only minus the (mis?)leading “8”. That number also is tied to a now-defunct Facebook account, and to the email addresses nordexin@ya.ru and nordexin@icloud.com.

Kulkov’s Ferrari has been photographed numerous times over the years by Russian car aficionados, including this one with the driver’s face redacted by the photographer:

The Ferrari owned by Denis Kulkov, spotted in Moscow in 2016. Image: Migalki.net.

As the title of this story suggests, the hard part for Western law enforcement isn’t identifying the Russian cybercriminals who are major players in the scene. Rather, it’s finding creative ways to capture high-value suspects if and when they do leave the protection that Russia generally extends to domestic cybercriminals within its borders who do not also harm Russian companies or consumers, or interfere with state interests.

But Russia’s war against Ukraine has caused major fault lines to appear in the cybercrime underground: Cybercriminal syndicates that previously straddled Russia and Ukraine with ease were forced to reevaluate many comrades who were suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those was Mark Sokolovsky, a 26-year-old Ukrainian man who operated the popular “Raccoon” malware-as-a-service offering; Sokolovsky was apprehended in March 2022 after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam last year was Vyacheslav “Tank” Penchukov, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.

Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram

Recent weeks have seen a number of macOS-specific infostealers appear for sale in crimeware forums, including Pureland, MacStealer and Amos Atomic Stealer. Of these, Atomic Stealer has offered by far the most complete package, promising cybercriminals a full-featured if not particularly sophisticated infostealer. Atomic can grab account passwords, browser data, session cookies, and crypto wallets, and in the version being advertised on Telegram, threat actors can manage their campaigns through a web interface rented out from the developer for $1000 per month.

The threat actor, however, has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, we take a closer look at how Atomic Stealer works and describe a previously unreported second variant. We also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.

How is Atomic Stealer Distributed?

Cybercriminals are currently being offered “Amos Atomic MacOS Stealer” via a dedicated Telegram channel. In the channel, which was opened on April 9th, the author offers to rent access to a web panel and provide a disk-image based installer for $1000/month.

Atomic Stealer as advertised on Telegram
Atomic Stealer as advertised on Telegram

Payload distribution is left up to the crimeware actor renting the package, so methods vary, but so far observed samples have been seen masquerading as installers for legitimate applications like the Tor Browser or pretending to offer users cracked versions of popular software including Photoshop CC, Notion, Microsoft Office and others.

Atomic MacStealer masquerades as legitimate applications
Atomic MacStealer masquerades as legitimate applications

Malvertising via Google Ads has also been noted privately among researchers as a distribution vector for Atomic Stealer.

Some Atomic Stealer ITW URLs (Source: VirusTotal)
Some Atomic Stealer ITW URLs (Source: VirusTotal)

The Atomic Stealer channel currently has over 300 subscribers, with some posts – possibly planted – appearing to endorse the efficacy of the malware.

A Telegram message seems to endorse Atomic MacStealer
A Telegram message seems to endorse Atomic MacStealer

A Google translation of the Russian text reads “The build works, the logs go, it robs clearly. Of all the poppy stealers that I used, this one is better in terms of a grabber, and most importantly, grandmas do not steal)”.

Anatomy of Atomic MacOS Stealer Variant A

These fake applications are made with a fork of Appify, a legitimate script that can be found on Github for making a barebones macOS application. All Atomic infostealers currently contain the same Go-based main executable that weighs in at around 51.5MB as a Universal binary targeting both Intel and arm64 architectures.

Anatomy of the Atomic Stealer binary (variant A)
Anatomy of the Atomic Stealer binary (variant A)

Despite the heft, no attempt has been made to deliver a working copy of the spoofed apps. Aside from the Appify README, the Bundle contains nothing more than the Go infostealing binary, an icon file and a Info.plist.

Anatomy of an Atomic Stealer application bundle
Anatomy of an Atomic Stealer application bundle

The application bundles currently being distributed are all built with the default Appify bundle identifier, Appify by Machine Box.My Go Application, potentially a deliberate ploy by the author in the hope that detections might be considered false positives.

Execution Behavior of Variant A

Atomic does not attempt to gain persistence, an increasing trend since Apple added login item notifications in macOS Ventura, relying instead on a one-hit smash and grab methodology.

Atomic Stealer uses a crude but effective means of extracting the user’s login password via AppleScript spoofing.

This involves creating a dialog box with osascript and passing the hidden answer parameter to the display dialog command. These dialog boxes contain an ordinary text field, but the parameter displays the user’s typed characters as dots in the text field similar to a genuine authentication dialog. However, the password remains captured in plain text and can be seen in the system logs as such  – a good reason why legitimate software developers should never use this insecure method to actually obtain user credentials.

display dialog "MacOS wants to access System Preferences

You entered invalid password.

Please enter your password." with title "System Preferences" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:ToolbarAdvanced.icns" default answer "" giving up after 30 with hidden answer ¬

The dialog box message contains grammatical and syntactic errors, suggesting the developer’s first language is not English. The dialog box is generated using an infinite loop: Clicking the “Cancel” button simply pops the dialog box again. If the “OK” button is clicked, the malware checks to see that the user entered a valid password via /usr/bin/dscl utility and the -authonly option.

The dialog box repeatedly pops until the correct password is supplied. All of this occurs via the command line utility osascript, so it is easily visible to defenders monitoring command line activity.

SentinelOne console reveals Atomic Stealer command line activity
SentinelOne console reveals Atomic Stealer command line activity

Amos Atomic is hardcoded to throw the user an error message after it has stolen the user’s password and gone about its business of stealing various credentials. Here and elsewhere, the malware author’s lack of familiarity with English and AppleScript provide clues that should raise suspicions: namely, the misspelling of “occurred” and the fact that a genuine error message shouldn’t contain a ‘Cancel’ button.

Amos Atomic throws an error message and quits after successfully stealing user data
Amos Atomic throws an error message and quits after successfully stealing user data

Written in Go, the disassembled source code reveals a comprehensive suite of functions to achieve the infostealers primary aim: financially-motivated cybercrime.

Infostealing functions in Amos Atomic
Infostealing functions in Amos Atomic

The malware contains logic to steal the user’s keychain and crypto wallet contents, including those for Atomic, Binance, Electrum and Exodus. A process called ‘unix1’ is spawned in memory to obtain the keychain. Atomic stealer also targets both Chrome and Firefox browsers and has an extensive hardcoded list of crypto-related browsers names to attack. A detailed walk through of the functions above has been previously described here.

Atomic Stealer execution chain
Atomic Stealer execution chain

Atomic Stealer Variant B

Pivoting off the IP address 37.220.87.16 seen in some Atomic Stealer samples leads to another variant of the stealer, c70fdf4362eb56032793ab08e6aeb892f1bd4a9b, currently undetected on VirusTotal, masquerading as a Game Installer.

A previously undiscovered variant of Atomic Stealer
A previously undiscovered variant of Atomic Stealer

This version is not distributed in an application bundle, but rather as a raw Go binary. The unsigned “Game Installer” Mach-O was uploaded to VirusTotal on April 13th and is contained in a disk image called “ALMV_launcher”. The DMG mounts with the name “Game Installer” and contains a binary of the same name, displaying an icon showing the text “Start Game”.

Background image of the ALMV_launcher.dmg
Background image of the ALMV_launcher.dmg

As the universal binary is unsigned, it will need to be manipulated by the user on both Intel and arm64 architectures in order to run.

Variant B’s list of Go main functions differs from the version being packaged and sold on Telegram and shows a larger number of functions focusing on Firefox and Chromium browsers. Variant B also targets Coinomi wallets.

Atomic Stealer variant B primary functions
Atomic Stealer variant B primary functions

Both variant A and B utilize the /usr/bin/security utility to find Chrome passwords.

security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}
Atomic Stealer B calls the /usr/bin/security utility to find Chrome passwords
Atomic Stealer B calls the /usr/bin/security utility to find Chrome passwords

In Variant B, the user name “administrator” appears from the development machine; this differs from variant A, which included the username “iluhaboltov”. The string “ATOMIC STEALER COOCKIE” is also found in variant B but not A.

The “ATOMIC STEALER” string is hardcoded into the malware
The “ATOMIC STEALER” string is hardcoded into the malware

Unlike the package offered in the Atomic Telegram channel, this version of Atomic stealer is more selective in the information it tries to steal and seems to be aimed specifically at games and users of cryptocurrency.

An associated Youtube channel by user @Crypto-ALMV was created on April 29th, apparently advertising a product that offers cryptowallet access within a game. The channel, user, and video appear to be in the early stages of development and may indicate a campaign that is yet to be launched.

How to Protect Against Atomic Stealer

SentinelOne customers are protected against all known versions of Atomic Stealer. When the agent is set to ‘Protect’ mode, Atomic Stealer is prevented from executing.

In Detect Only mode, the malware’s execution causes an alert and behavioral and threat indicators are available in the console.

Threat hunters and security teams not protected by SentinelOne are encouraged to review the list of Indicators of Compromise provided at the end of this post.

Conclusion

Infostealers targeted at Mac users have become increasingly viable for threat actors now that Macs have reached widespread use in organizations, both for work and personal use. As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals.

Atomic Stealer’s advertised price suggests there is money to be made by “selling shovels” as cybercrime actors rush for the ‘Gold’ of data that can be harvested by tricking users into running untrustworthy software. However, the existence of a second variant that appears to be aimed at infecting users first-hand suggests the threat actor isn’t averse to a bit of gold digging, too.

Indicators of Compromise

Communications
amos-malware[.]ru/sendlogillegal
37[.]220.87[.]16:5000/sendlog

SHA1 Variant A Mach-O 
0db22608be1172844c0ebf08d573ea4e7ef37308
24c9f5c90ad325dae02aa52e2b1bac2857ae2faf
2681a24f0ec0b1c153cc12d5d861c0c19c8383ea
36997111b5e7aa81b430a72df9f54bac2a9695ba
385b9cc7d3147f049e7b42e97f242c5060fc9e97
46426409b9e65043b15ce2fcddd61213ff4e5156
48a0a7d4f0ae4b79b4f762857af3bbb02e8ab584
4f25d1a1aa18c8d85d555cd7a8f1cf2cf202af8c
58a3bddbc7c45193ecbefa22ad0496b60a29dff2
5d2e995fa5dce271ac5e364d7198842391402728
79007aabf9970e0aff7df52fd1c658b69f950c6f
793195d48cce96bb9b4fc1ee5bac03b371db75f7
82f4647e6783b012fc9a1f86108c644fcf491cf6
849cde22d1d188cc290bb527bbd7252ad07099af
9058ab6e05cb1f9ce77e4f8c18324a6827fb270d
97b19a82a32890d5ddaecac5a294cc3384309ea9
98f98a737a26c9dd1b27c474715976356ea4e18b
aab3a2897950e85a2b957f77d2f100e61e29061c
b42243d72765f142953bb26794b148858bff10a8
ca05f80fe44174d1089077f4b2303c436653226f
d5db5a11b9605d54cf66a153b0112b91c950d88f
d9d46ecfc1100d2b671ad97dc870e879d2634473
de465aad6cde9f0ce30fce0157bc18abf5a60d40
e114f643805394caece2326fb53e5d3a604a1aa9
f28025717f9db8a651f40c8326f477bf9d51a10f

SHA1 Variant B Mach-O 
a02730f734032ed0f3b3705926b657aa4b88d720
c70fdf4362eb56032793ab08e6aeb892f1bd4a9b
e951b889aabca7ee5b0ff9d06a057884ed788b70

7 Practical Solutions for Modern Businesses Combating Cloud-Based Attacks

With cloud services, modern businesses have been able to scale up their operations, meeting changing market conditions, customer demand and improving both flexibility and productivity. As more businesses move their operations to the cloud, robust security for cloud environments has proved more critical than ever. Cloud security is now a non-negotiable; a top priority for many Chief Information Security Officers (CISOs) who take proactive measures to safeguard their organization’s data and assets from potential threats.

Cloud security is a significant concern for organizations of all sizes, and there are many challenges that businesses need to address to ensure that their cloud environment remains secure. This post explores the main cloud security challenges facing modern businesses and provides practical solutions to help mitigate these risks and secure their cloud infrastructure.

1. Defend Against Data Breaches and Cyber Attacks

Attackers are constantly on the lookout for vulnerabilities in cloud-based systems, and they can gain access to sensitive information through various means, such as phishing attacks and ransomware. In fact, IBM’s Cost of a Data Breach 2022 latest insights on breaches found that 45% started with a cloud-based cyber attack.

Cloud-based cyberattacks have become a leading cause for data breaches due to several reasons. As more businesses move their data and applications to the cloud, cybercriminals have shifted their focus to target these platforms. Since cloud providers store vast amounts of data from multiple clients on the same infrastructure, they are – to cyber criminals – a springboard to many lucrative assets in one source.

Cloud-based cyber attacks are often highly sophisticated, and cybercriminals are continually developing new tactics and techniques to infiltrate cloud environments. They can exploit vulnerabilities in cloud applications, manipulate system settings, and steal login credentials to gain unauthorized access to sensitive data.

Attacks on clouds can be difficult to detect, and businesses may not realize they have been breached until significant damage has been done. Threat actors can remain undetected for weeks or even months, quietly siphoning off data and stealing valuable information before causing devastating consequences for the victims including downtime, lost productivity, and reputational damage.

How to Mitigate the Risk

To mitigate the risk of cloud-based cyberattacks, businesses can adopt a comprehensive security strategy centered around continuous monitoring, threat detection, and a strong incident response plan. Implementing strong access controls, encrypting sensitive data, segmenting their networks, and regularly backing up critical information are all proactive approaches CISOs can take to fortify their cloud security, better protect their data, avoid costly data breaches, and maintain their customers’ trust.

2. Tackle the Risk of Insider Threats

Insider threats pose a significant risk to cloud environments, making them vulnerable to attacks. Unlike external threats, insider threats come from individuals who have authorized access to the cloud infrastructure – trusted employees, contractors, or even third-party vendors are all considered insider risks when it comes to cloud security.

Whether through malicious intent, or causing security breaches due to lack of training or accident, those with trusted access to sensitive data may expose it by leaving their login credentials in plain sight. Insiders with administrative access to cloud systems can make unauthorized changes to configurations, misconfigure security settings, or bypass security controls, creating pathways for attackers to exploit.

A significant challenge for CISOs facing inside threats is how hard they are to detect. Once users have legitimate access to the cloud environment, they can easily bypass basic security measures.

How to Mitigate the Risk

To address the risk of insider threats, businesses should implement strict access controls, regularly monitor cloud environments for suspicious activities, and provide regular security training to employees. Regular employee training and education programs can help raise awareness of the risks of insider threats and help employees understand their shared role in maintaining the organization’s security.

3. Meet Compliance and Regulatory Requirements

The regulatory landscape is often a tricky one for CISOs to navigate on their own as it is constantly changing, meaning businesses must keep up with the latest laws and regulations to ensure compliance. Varying across different industries, geographies, and even the type of data being stored or processed in the cloud, these requirements can be a complex and time-consuming process, requiring significant resources and expertise. Different data protection regulation means businesses need to ensure that their cloud infrastructure meets all relevant compliance standards.

Furthermore, compliance is not a one-time event but an ongoing process that requires regular audits, assessments, and reporting. Businesses must ensure that they have proper documentation and evidence to demonstrate their compliance. Failure to comply with regulatory requirements can result in significant penalties, fines, and legal consequences, including reputational damage.

How to Mitigate the Risk

To address this challenge, businesses should thoroughly assess their compliance and regulatory requirements and work with their cloud service provider (CSP) to ensure that their infrastructure meets these standards. Regular compliance audits, risk assessments, and compliance monitoring can also help ensure ongoing compliance with relevant laws and regulations.

4. Mitigate the Risks of Integration and Interoperability

Interoperability, or the ability of different systems and technologies to work together seamlessly, can have a significant impact on cloud security. Cloud environments often consist of multiple cloud providers, platforms, and applications, each with its own security protocols and configurations. These disparate systems can make it difficult to manage security effectively, leading to vulnerabilities and gaps that can leave businesses vulnerable to attack.

Say one cloud application has weak security controls or is misconfigured. This could spell a potential pathway for attackers to access other connected systems or data. Additionally, if cloud platforms and applications cannot communicate with each other, security teams may not be able to detect and respond to security incidents in real-time.

How to Mitigate the Risk

Mitigating the risk of interoperability on cloud security starts with business leaders implementing a robust security framework that includes a unified approach to security across different platforms and applications. This can involve establishing standardized security protocols, implementing encryption and access controls, and conducting regular vulnerability assessments and penetration testing.

When working with cloud providers, CISOs will be looking for built-in security measures that can seamlessly integrate with other systems and applications. By adopting an interoperable approach to cloud security, businesses can better protect their data, mitigate risks, and ensure compliance with regulatory requirements.

5. Shine a Light on Shadow IT

Shadow IT refers to the use of unsanctioned cloud services by employees who need the knowledge or approval of the IT department. This can pose a significant security risk as these services may not meet the organization’s security standards and can expose sensitive data to potential threats.

Shadow IT increases cloud security risks as it creates unmanaged and unmonitored access points into the cloud environment, while also being inherently exposed to risk as its applications can be misconfigured, outdated, or lack the necessary security controls to defend against attack.

How to Mitigate the Risk

To address the risk of shadow IT, businesses should implement clear, company-wide policies and procedures that govern employees’ use of cloud services and applications. This can include educating employees on the risks of using unsanctioned services, providing secure alternatives for approved services, and monitoring network activity to identify any unauthorized use of cloud services.

In tandem with establishing security policies and employee awareness programs, businesses should monitor their cloud environments for unauthorized access and take immediate action to remediate any identified risks or vulnerabilities.

6. Dig in Against DDoS Attacks

Distributed denial-of-service (DDoS) attacks are another common threat to cloud infrastructure. When a victim organization comes under an active DDoS attack, their cloud service is purposefully flooded with arbitrary traffic and requests, sent by the attackers to overwhelm the system and cause system crashes for legitimate users. They can cause significant disruption to businesses by overwhelming their network and rendering their applications and services unavailable.

Based on recent research, DDoS attacks have been on the increase since 2020, and increased 109% in the last year, with more cases of hyper-volumetric DDoS appearing in recent months alone.

Cloudflare reported in February the case of a massive attack where attackers sent 50-70 million requests per second making it one of the latest HTTP DDoS attacks on record – 54% higher than the previously reported attack of 46 million requests per second back in June of last year.

How to Mitigate the Risk

Faced with increasingly powerful attacks and the rising ease of availability of DDoS-for-hire services on dark forums, businesses should ensure they have implemented robust network security protocols, such as firewalls, intrusion detection and prevention systems, and content filtering. Additionally, companies should work with their cloud service provider to implement DDoS mitigation strategies, such as traffic filtering and load balancing.

7. Stop Cryptominers in Their Tracks

Cryptocurrency mining uses cloud computing resources to validate transactions to generate new units of cryptocurrency such as Monero and Bitcoin. Attackers have leveraged this technology in recent years to steal computing resources and, in the case of cloud, perform unauthorized activity in cloud environments.

One of the main risks of cryptomining to cloud security is its potential impact on performance and availability. Since cryptomining uses significant amounts of computing resources, this means a slow down in cloud-based applications and services, affecting user experience and increasing costs for cloud providers and customers. Security experts have also noted that attackers can use cryptomining to cover up other malicious activities including network infiltration, data theft, malware installs, or the launch of botnet operations.

How to Mitigate the Risk

To mitigate the risks of cryptomining in cloud environments, security teams often focus on implementing monitoring tools, access controls, network segmentation, and the use of intrusion detection and prevention systems. The cloud environment itself can also be hardened against the risks of cryptomining. Security teams can implement usage controls and rate limiting, as well as work with their CSP to monitor the environment proactively for suspicious activity.

Conclusion

Modern cloud problems require modern cloud security solutions. With cloud operations now critical for businesses across various industries, the cloud surface is an attractive target for opportunistic and targeted attackers. Since threat actors count on cloud networks to be large, complex, and requiring in-depth management and regular maintenance, it is key for CISOs to choose the right cloud security platform to support their cloud security strategy.

CISOs focused on bolstering their cloud security understand that their strategy should be adaptive and agile, encompassing risks from across all surfaces including identity, email, endpoint, and network. Getting ahead of cloud-based attacks means having deep visibility across all vulnerable surfaces associated with the cloud and evaluating risks across the board.

SentinelOne’s Singularity™ Cloud ensures organizations get the right security in place to continue operating in their cloud infrastructures safely. Contact us today or book a demo to see how we can help improve your cloud defenses and fuse autonomous threat hunting, EDR capability, and security together to fit your business.

Singularity Cloud
Simplifying security of cloud VMs and containers, no matter their location, for maximum agility, security, and compliance.

Promising Jobs at the U.S. Postal Service, ‘US Job Services’ Leaks Customer Data

A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network’s chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016.

The website FederalJobsCenter promises to get you a job at the USPS in 30 days or your money back.

KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS.

Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card “registration deposits” to ensure that one’s application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources.

FederalJobsCenter’s website is full of content that makes it appear the site is affiliated with the USPS, although its “terms and conditions” state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga.

“US Job Services provides guidance, coaching, and live assistance to postal job candidates to help them perform better in each of the steps,” the website explains.

The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process.

But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly.

The U.S. Federal Trade Commission (FTC) has sued several times over the years to disrupt various schemes offering to help people get jobs at the Postal Service. Way back in 1998, the FTC and the USPS took action against several organizations that were selling test or interview preparation services for potential USPS employees.

“Companies promising jobs with the U.S. Postal Service are breaking federal law,” the joint USPS-FTC statement said.

In that 1998 case, the defendants behind the scheme were taking out classified ads in newspapers. Ditto for a case the FTC brought in 2005. By 2008, the USPS job exam preppers had shifted to advertising their schemes mostly online. And in 2013, the FTC won a nearly $5 million judgment against a Kentucky company purporting to offer such services.

Tim McKinlay authored a report last year at Affiliateunguru.com on whether the US Job Services website job-postal[.]com was legitimate or a scam. He concluded it was a scam based on several factors, including that the website listed multiple other names (suggesting it had recently switched names), and that he got nothing from the transaction with the job site.

“They openly admit they’re not affiliated with the US Postal Service, but claim to be experts in the field, and that, just by following the steps on their site, you easily pass the postal exams and get a job in no time,” McKinlay wrote. “But it’s really just a smoke and mirrors game. The site’s true purpose is to collect $46.95 from as many people as possible. And considering how popular this job is, they’re probably making a killing.”

US JOB SERVICES

KrebsOnSecurity was alerted to the data exposure by Patrick Barry, chief information officer at Charlotte, NC based Rebyc Security. Barry said he found that not only was US Job Services leaking its customer payment records in real-time and going back to 2016, but its website also leaked a log file from 2019 containing the site administrator’s contact information and credentials to the site’s back-end database.

Barry shared screenshots of that back-end database, which show the email address for the administrator of US Job Services is tab.webcoder@gmail.com. According to cyber intelligence platform Constella Intelligence, that email address is tied to the LinkedIn profile for a developer in Karachi, Pakistan named Muhammed Tabish Mirza.

A search on tab.webcoder@gmail.com at DomainTools.com reveals that email address was used to register several USPS-themed domains, including postal2017[.]com, postaljobscenter[.]com and usps-jobs[.]com.

Mr. Mirza declined to respond to questions, but the exposed database information was removed from the Internet almost immediately after KrebsOnSecurity shared the offending links.

A “Campaigns” tab on that web panel listed several advertising initiatives tied to US Job Services websites, with names like “walmart drip campaign,” “hiring activity due to virus,” “opt-in job alert SMS,” and “postal job opening.”

Another page on the US Job Services panel included a script for upselling people who call in response to email and text message solicitations, with an add-on program that normally sells for $1,200 but is being “practically given away” for a limited time, for just $49.

An upselling tutorial for call center employees.

“There’s something else we have you can take advantage of that can help you make more money,” the script volunteers. “It’s an easy to use 12-month career development plan and program to follow that will result in you getting any job you want, not just at the post office….anywhere…and then getting promoted rapidly.”

It’s bad enough that US Job Services was leaking customer data: Constella Intelligence says the email address tied to Mr. Mirza shows up in more than a year’s worth of “bot logs” created by a malware infection from the Redline infostealer.

Constella reports that for roughly a year between 2021 and 2022, a Microsoft Windows device regularly used by Mr. Mirza and his colleagues was actively uploading all of the device’s usernames, passwords and authentication cookies to cybercriminals based in Russia.

NEXT LEVEL SUPPORT

The web-based backend for US Job Services lists more than 160 people under its “Users & Teams” tab. This page indicates that access to the consumer and payment data collected by US Job Services is currently granted to several other coders who work with Mr. Mirza in Pakistan, and to multiple executives, contractors and employees working for a call center in Murfreesboro, Tennessee.

The call center — which operates as Nextlevelsupportcenters[.]com and thenextlevelsupport[.]com — curiously has several key associates with a history of registering USPS jobs-related domain names.

The US Job Services website has more than 160 users, including most of the employees at Next Level Support.

The website for NextLevelSupport says it was founded in 2017 by a Gary Plott, whose LinkedIn profile describes him as a seasoned telecommunications industry expert. The leaked backend database for US Job Services says Plott is a current administrator on the system, along with several other Nextlevel founders listed on the company’s site.

Reached via telephone, Plott initially said his company was merely a “white label” call center that multiple clients use to interact with customers, and that the content their call center is responsible for selling on behalf of US Job Services was not produced by NextLevelSupport.

“A few years ago, we started providing support for this postal product,” Plott said. “We didn’t develop the content but agreed we would support it.”

Interestingly, DomainTools says the Gmail address used by Plott in the US Jobs system was also used to register multiple USPS job-related domains, including postaljobssite[.]com, postalwebsite[.]com, usps-nlf[.]com, usps-nla[.]com.

Asked to reconcile this with his previous statement, Plott said he never did anything with those sites but acknowledged that his company did decide to focus on the US Postal jobs market from the very beginning.

Plott said his company never refuses to issue a money-back request from a customer, because doing so would result in costly chargebacks for NextLevel (and presumably for the many credit card merchant accounts apparently set up by Mr. Mirza).

“We’ve never been deceptive,” Plott said, noting that customers of the US Job Services product receive a digital download with tips on how to handle a USPS interview, as well as unlimited free telephone support if they need it.

“We’ve never told anyone we were the US Postal Service,” Plott continued. “We make sure people fully understand that they are not required to buy this product, but we think we can help you and we have testimonials from people we have helped. But ultimately you as the customer make that decision.”

An email address in the US Job Services teams page for another user — Stephanie Dayton — was used to register the domains postalhiringreview[.]com, and postalhiringreviewboard[.]org back in 2014. Reached for comment, Ms. Dayton said she has provided assistance to Next Level Support Centers with their training and advertising, but never in the capacity as an employee.

Perhaps the most central NextLevel associate who had access to US Job Services was Russell Ramage, a telemarketer from Warner Robins, Georgia. Ramage is listed in South Carolina incorporation records as the owner of a now-defunct call center service called Smart Logistics, a company whose name appears in the website registration records for several early and long-running US Job Services sites.

According to the state of Georgia, Russell Ramage was the registered agent of several USPS job-themed companies.

The leaked records show the email address used by Ramage also registered multiple USPS jobs-related domains, including postalhiringcenter[.]com, postalhiringreviews[.]com, postaljobs-email[.]com, and postaljobssupport1[.]com.

A review of business incorporation records in Georgia indicate Ramage was the registered agent for at least three USPS-related companies over the years, including Postal Career Placement LLC, Postal Job Services Inc., and Postal Operations Inc. All three companies were founded in 2015, and are now dissolved.

An obituary dated February 2023 says Russell Ramage recently passed away at the age of 41. No cause of death was stated, but the obituary goes on to say that Russ “Rusty” Ramage was “preceded in death by his mother, Anita Lord Ramage, pets, Raine and Nola and close friends, Nicole Reeves and Ryan Rawls.”

In 2014, then 33-year-old Ryan “Jootgater” Rawls of Alpharetta, Georgia pleaded guilty to conspiring to distribute controlled substances. Rawls also grew up in Warner Robins, and was one of eight suspects charged with operating a secret darknet narcotics ring called the Farmer’s Market, which federal prosecutors said trafficked in millions of dollars worth of controlled substances.

Reuters reported that an eighth suspect in that case had died by the time of Rawls’ 2014 guilty plea, although prosecutors declined to offer further details about that. According to his obituary, Ryan Christopher Rawls died at the age of 38 on Jan. 28, 2019.

In a comment on Ramage’s memorial wall, Stephanie Dayton said she began working with Ramage in 2006.

“Our friendship far surpassed a working one, we had a very close bond and became like brother and sister,” Dayton wrote. “I loved Russ deeply and he was like family. He was truly one of the best human beings I have ever known. He was kind and sweet and truly cared about others. Never met anyone like him. He will be truly missed. RIP brother.”

The FTC and USPS note that while applicants for many entry-level postal jobs are required to take a free postal exam, the tests are usually offered only every few years in any particular district, and there are no job placement guarantees based on score.

“If applicants pass the test by scoring at least 70 out of 100, they are placed on a register, ranked by their score,” the FTC explained. “When a position becomes open, the local post office looks to the applicable register for that geographic location and calls the top three applicants. The score is only one of many criteria taken into account for employment. The exams test general aptitude, something that cannot necessarily be increased by studying.”

The FTC says anyone interested in a job at the USPS should inquire at their local postal office, where applicants generally receive a free packet of information about required exams. More information about job opportunities at the postal service is available at the USPS’s careers website.

Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

“To learn more about employment with USPS, visit USPS.com/careers,” Martel wrote. “If you are the victim of a crime online report it to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report.”

According to the leaked back-end server for US Job Services, here is a list of the current sites selling this product:

usjobshelpcenter[.]com
usjobhelpcenter[.]com
job-postal[.]com
localpostalhiring[.]com
uspostalrecruitment[.]com
postalworkerjob[.]com
next-level-now[.]com
postalhiringcenters[.]com
postofficehiring[.]com
postaljobsplacement[.]com
postal-placement[.]com
postofficejobopenings[.]com
postalexamprep[.]com
postaljobssite[.]com
postalwebsite[.]com
postalcareerscenters[.]com
postal-hiring[.]com
postal-careers[.]com
postal-guide[.]com
postal-hiring-guide[.]com
postal-openings[.]com
postal-placement[.]com
postofficeplacements[.]com
postalplacementservices[.]com
postaljobs20[.]com
postal-jobs-placement[.]com
postaljobopenings[.]com
postalemployment[.]com
postaljobcenters[.]com
postalmilitarycareers[.]com
epostaljobs[.]com
postal-job-center[.]com
postalcareercenter[.]com
postalhiringcenters[.]com
postal-job-center[.]com
postalcareercenter[.]com
postalexamprep[.]com
postalplacementcenters[.]com
postalplacementservice[.]com
postalemploymentservices[.]com
uspostalhiring[.]com

Mastering the Art of SOC Analysis Part 2 | Top Areas for Aspiring Analysts to Develop & Explore

As cybersecurity threats increase in sophistication and frequency, the demand for skilled Security Operations Center (SOC) analysts continues to rise. In tandem with defensive strategies and advanced security software, SOC analysts fill a critical role in keeping enterprises safe from attacks.

They are responsible for identifying and mitigating oncoming threats, protecting sensitive information, and ensuring the overall security of an organization’s digital assets. Demand for skilled SOC analysts climbs so aspiring defenders need to ensure they have the technical knowledge, analytical skills, and critical thinking abilities required for the job.

This is part two of a three-part blog post series covering the top tips and skills that aspiring analysts will need to master as they begin their journey toward success in the SOC analysis field. In this second post, learn about the top four topics significant to building an understanding of security platforms and tools needed in SOC analysis. Read Part One of the blog series here.

1. Know Your Cloud

Understanding how cloud computing works and its security risks are becoming increasingly important. Learn cloud concepts and best practices for Incident Response.

In today’s digital world, businesses of all sizes rely heavily on technology to operate efficiently. Effective SOC analysts strive for a deep understanding of the latest technologies and tools used in cybersecurity. One area that is becoming increasingly important is cloud computing.

Cloud computing refers to the delivery of computing services over the internet. Instead of hosting software applications and data on local servers or personal devices, users can access these resources remotely over the internet. Cloud computing services can include infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Essential cloud concepts for SOC analysts include cloud service models, deployment models, security controls, compliance frameworks, and incident response.

There are many benefits to using cloud computing, such as cost savings, scalability, and flexibility. However, potential risks also need to be considered, such as data security and compliance. As a SOC analyst, it is important to understand cloud computing basics to monitor and respond to security incidents effectively.

Cloud computing has fundamentally changed how IT infrastructure is designed, implemented, and secured. With the adoption of cloud services, traditional security measures such as firewalls and intrusion detection systems are no longer sufficient to protect against modern cyber threats. SOC analysts must now be able to monitor and analyze data from cloud environments and traditional on-premises systems.

One challenge in cloud computing is the shared responsibility model. Cloud providers are responsible for the security of the underlying infrastructure, while the customer is responsible for securing their own data and applications. This means that SOC analysts should understand the cloud provider’s and the customer’s security controls to detect and respond to security incidents effectively.

2. Know Your Active Directory

Active Directory (AD) is the backbone of most organizations’ identity and access management systems. A good SOC analyst will thoroughly understand AD concepts like domains, users, groups, and permissions.

Active Directory (AD) is a centralized database that stores information about users, groups, computers, and other resources. It’s the backbone of most organizations’ identity and access management systems and is critical in securing access to sensitive data. Active Directory naturally presents an attractive target for attackers.

To effectively monitor and secure AD, SOC analysts must understand its key concepts, including domains, users, groups, and permissions. Domains are logical groupings of computers and other resources managed as a single unit. Users are individual accounts that are granted access to resources within the domain. Groups are collections of users or computers that are assigned common permissions, and permissions define what actions users can perform on specific resources.

SOC analysts must be able to effectively monitor and manage AD to identify and respond to security incidents. They should thoroughly understand AD security best practices, such as implementing strong password policies, restricting administrative access, and regularly auditing AD activity.

They should also be familiar with AD security tools, such as Microsoft’s Active Directory Users and Computers (ADUC) console, which allows them to manage users, groups, and other AD objects. Another tool, Active Directory Domain Services (ADDS), is used to manage domain controllers and replication. SOC analysts use AD to perform the following functions:

  • Centralized Identity and Access Management – Active Directory is Microsoft’s centralized identity and access management tool, which enables system administrators to manage user accounts and access resources across an entire organization. This is critical for SOC analysts because they must quickly identify who has access to what resources to investigate security incidents properly.
  • Log Analysis – AD logs can provide valuable insights into the behavior of users and systems within an organization. SOC analysts need to be able to analyze these logs to detect anomalies and identify potential security threats.
  • Group Policy – Active Directory Group Policy allows system administrators to enforce security policies across an organization’s IT infrastructure. This is crucial for SOC analysts because they must quickly identify any security policy violations that could lead to a security incident.
  • Attack Surface Reduction – Active Directory includes tools such as Group Policy and security baselines that can be used to reduce an organization’s attack surface. SOC analysts must deeply understand these tools to analyze and mitigate security incidents effectively.

Active Directory Tools and Concepts to Master for SOC Analysis

  • Domain Controller – The domain controller is the heart of AD and is responsible for authenticating users, storing user account information, and enforcing security policies. SOC analysts must understand how domain controllers work to investigate security incidents properly.
  • LDAP – Lightweight Directory Access Protocol (LDAP) is used to access and manage directory services. SOC analysts need to be able to use LDAP to query AD and obtain valuable information for security analysis.
  • PowerShellPowerShell is a powerful command-line tool that can be used to manage AD. SOC analysts need to deeply understand PowerShell to automate tasks and perform advanced security analysis.
  • Security Baselines – AD security baselines are recommended security settings that can be applied to an organization’s IT infrastructure. SOC analysts must deeply understand these security baselines to configure and monitor an organization’s security posture properly.

3. Detect & Hunt for Threats

Writing filters that are used to hunt or detect threats is a foundational part of most analysts’ skills set.

Threats float in and out of visibility and may not leave a network, log or endpoint footprint. Additionally, there is a chance you’re not collecting or monitoring one of the mentioned data sources. Brute force attack detections need to be made for each source; if it’s targeting your SSO, it may not have a network or host footprint. The same can be said for other attacks.

Within SOCs, this creates an exponential amount of detections to be made. SOCs can often suffer from alert fatigue, trying to detect suspicious activity across multiple applications. This creates the need for high quality detections. To detect and identify malicious activity without burying yourself in noise.

Creating high quality detections is a skill, and similar to languages, once learned can be applied across platforms and technologies. An example of a more advanced detection could be one that identifies a user’s most common historical IP addresses for Okta. This can then facilitate alerting on activity that was previously too noisy. Being able to operationalize and improve the efficiency of alerts makes you a force multiplier within SOCs.

Similarly, threat hunting is also a skill. Often, you’ll be pivoting in the tool that you’ll be making a rule in, aggregating data together, slicing it, performing long tail analysis and investigating telemetry alerting. It is vital to develop the ability to visualize data in a way that produces high quality threat hunting leads, identifying and bringing obscure activity front and center.

Platforms for Threat Hunting & Detection Creation

  • SentinelOne XDR – XDR allows for the ingestion of various sources.
  • ELK Stack – Source available logstash can allow you to ingest multiple sources.
  • Splunk – Log management platform and observability platform

4. Operate With A Tool-Agnostic Mentality

SOC analysts use a variety of tools for different purposes. Learn to be flexible and adapt to different tools instead of relying on one particular tool.

SOC analysts must be proficient in various tools and technologies used in cybersecurity. However, becoming too reliant on a specific tool or technology can hinder SOC analysts’ ability to analyze and respond to security incidents effectively.

Being overly reliant on a specific tool or technology can lead to several risks for SOC analysts. First, analysts may not be able to see the complete picture of their organization’s security posture if they only rely on a specific tool or technology. This can result in missed security incidents and vulnerabilities. Using multiple tools that need to be integrated is a common cause of inefficiencies in SOC analysts’ workflows. This can result in delayed incident response times and increased workload. Relying too heavily on a specific vendor’s tool can result in vendor lock-in, making switching to a different tool or vendor difficult if necessary.

To effectively master the art of SOC analysis and be tool agnostic, SOC analysts should follow these best practices:

  • Develop a deep understanding of different tools and technologies used in cybersecurity
  • Focus on tool integration to reduce workflow inefficiencies and improve visibility
  • Use a mix of commercial and open-source tools to reduce the risk of vendor lock-in
  • Regularly evaluate and update the toolset to meet the organization’s evolving security needs

As the threat landscape evolves, SOC analysts must remain agile and adaptable to effectively detect, respond to, and mitigate security incidents. Being tool agnostic is a crucial component of this adaptability, enabling SOC analysts to select and use the best tool for the job, regardless of vendor or technology.

Conclusion

As more data breaches and ransomware occupy news headlines worldwide, enterprise leaders understand the absolute need for robust cybersecurity services such as security operation centers (SOCs).

Investing in aspiring security professionals means operational teams can detect intrusions and rapidly isolate them before they move deep into a sensitive environment and create long-lasting damage. SOC analysts are an essential part of this defense, proactively monitoring for early indicators of threat, providing real-time responses to security events, triaging actions, recovering assets, and triggering incident recovery mechanisms.

For aspiring SOC analysts, a combination of technical knowledge, analytical skills, and critical thinking abilities ensure they can truly understand the digital environment they are protecting. Together with the right stack of security tools, cybersecurity strategy, and top-down support from enterprise leadership, SOC analysts can keep their businesses safe from evolving threats in the cyber landscape.

If you enjoyed this post don’t forget to check out Part One and follow us to find out when the third and final part of the series is published.

Contact us today or book a demo to learn more about how SentinelOne can augment your business’s cybersecurity posture against even the most sophisticated threats, tactics, and techniques used by threat actors today.