The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good | Authorities Sentence 2020 Twitter Hacker For SIM Swap & Crypto Theft Schemes

Joseph James O’Connor (aka PlugWalkJoe) was sentenced this week to five years in prison for various cybercrimes including his role in the 2020 Twitter Hack. O’Connor is charged with stealing cryptocurrency, money laundering, cyberstalking, and unauthorized access to Twitter, TikTok, and Snapchat accounts. Further, he is ordered to return the $749,000 stolen from a New York-based cryptocurrency firm.

Source: Reuters

According to the DoJ, O’Connor and his co-conspirators conducted a mass SIM swap attack in 2019 to steal from a targeted cryptocurrency firm. In SIM swap attacks, a threat actor gains control of a victim’s mobile phone number by linking it to a SIM card controlled by the actors. The victim’s calls and messages are then routed to the actor-controlled device and used to access accounts registered with the victim’s number. Using this technique, O’Connor and his associates successfully targeted three of the cryptocurrency firm’s executives and obtained access to the company’s internal accounts and systems.

In the 2020 Twitter Hack, O’Connor and his associates again used SIM swaps, along with social engineering tactics, to gain access to Twitter’s back-end tools and transfer control of high-profile accounts to various unauthorized users. While some accounts were hijacked by the actors themselves, O’Connor sold the access rights of several well-known accounts. Using similar techniques, O’Connor also hijacked TikTok and Snapchat accounts to participate in online extortion, harassment, and cyberstalking.

These attacks on social media platforms underscore the impact that cyber attacks have on everyday users. As the rate of digital identity theft skyrockets and threat actors continue to eye up popular apps and services, implementing strong identity-based controls remains a high-priority task for organizations in all industries.

The Bad | New Infostealer Malware Dubbed “ThirdEye” Targets Windows Devices

A newly discovered Windows-based infostealer dubbed “ThirdEye” has been spotted in the wild, harvesting sensitive data from infected hosts. Security researchers this week reported on an executable masquerading as a PDF file which hosts the info-stealing malware. While the arrival vector for the malware isn’t yet known, researchers believe it is used in phishing campaigns.

Based on an earlier version of ThirdEye that was uploaded to VirusTotal in early April, the infostealer is evolving and now shows capabilities of gathering system metadata such as BIOS release dates and vendors, total and free disk space on C: drives, volume information, and registered usernames. Details collected are then transmitted to a command-and-control (C2) server.

Though the malware is not considered technically sophisticated, researchers warn that its purpose-built design allows malicious users to gather critical information for use in future attacks. In the case of ThirdEye, the information stolen could be used by attackers as a way of narrowing down potential targets and planning unique campaigns.

There are no current indications that ThirdEye has been used in the wild. However, given the fact that the infostealer artifacts were uploaded to VirusTotal from Russia, researchers speculate that any malicious activity leveraging the malware is likely being aimed at Russian-speaking organizations. ThirdEye is the latest to make an appearance following a marked surge of infostealer malware being sold on Russian darknets.

As more infostealers become readily available, enabling cybercriminals to launch their ransomware campaigns, organizations should invest in machine learning algorithms and analytics to identify patterns indicating suspicious activity in real-time.

The Ugly | Emerging 8Base Ransomware Group Responsible For Uptick In Ransomware Attacks

First appearing in March, the emerging ransomware group called 8Base has accelerated its activity over the past two months, targeting small to medium-sized businesses worldwide in double extortion “name and shame” attacks. According to security analysts, ransomware attacks have spiked in May and June so far, up respectively 24% from this April and 56% compared to the same period last year. 8Base claims a significant role in this surge, responsible for more than 15% of all ransomware victims recorded last month.

In double extortion attacks, threat actors exfiltrate and encrypt all of a victim’s sensitive data, giving them extra leverage when demanding ransom payments. Actors then threaten to release or sell the data onto the dark web unless payment is made.

Like many other groups in the threat landscape though, 8Base accepts ransom payments in Bitcoin only and claims on its leak site to be “honest and simple pentesters”. The group employs multiple streams of communication, including an active Twitter profile and several encrypted Telegram channels. Latest findings on the group note that 8Base has compromised businesses across a large span of industries but has not shown allegiance to any one particular methodology or source of motivation.

Based on the speed and effectiveness shown in recent attacks, security researchers believe this denotes a well-established and mature operation, indicating 8Base may be made up of members of some previously successful ransomware group. Malware research site vx-underground has compared 8Base’s recent attacks to those of the “Big 3”; namely, the Conti, LockBit, and ALPHV ransomware groups. SentinelOne customers are autonomously protected from 8Base ransomware attacks.

Russian Cybersecurity Executive Arrested for Alleged Role in 2012 Megahacks

Nikita Kislitsin, formerly the head of network security for one of Russia’s top cybersecurity firms, was arrested last week in Kazakhstan in response to 10-year-old hacking charges from the U.S. Department of Justice. Experts say Kislitsin’s prosecution could soon put the Kazakhstan government in a sticky diplomatic position, as the Kremlin is already signaling that it intends to block his extradition to the United States.

Nikita Kislitsin, at a security conference in Russia.

Kislitsin is accused of hacking into the now-defunct social networking site Formspring in 2012, and conspiring with another Russian man convicted of stealing tens of millions of usernames and passwords from LinkedIn and Dropbox that same year.

In March 2020, the DOJ unsealed two criminal hacking indictments against Kislitsin, who was then head of security at Group-IB, a cybersecurity company that was founded in Russia in 2003 and operated there for more than a decade before relocating to Singapore.

Prosecutors in Northern California indicted Kislitsin in 2014 for his alleged role in stealing account data from Formspring. Kislitsin also was indicted in Nevada in 2013, but the Nevada indictment does not name his alleged victim(s) in that case.

However, documents unsealed in the California case indicate Kislitsin allegedly conspired with Yevgeniy Nikulin, a Russian man convicted in 2020 of stealing 117 million usernames and passwords from Dropbox, Formspring and LinkedIn in 2012. Nikulin is currently serving a seven-year sentence in the U.S. prison system.

As first reported by Cyberscoop in 2020, a trial brief in the California investigation identified Nikulin, Kislitsin and two alleged cybercriminals — Oleg Tolstikh and Oleksandr Vitalyevich Ieremenko — as being present during a 2012 meeting at a Moscow hotel, where participants allegedly discussed starting an internet café business.

A 2010 indictment out of New Jersey accuses Ieremenko and six others with siphoning nonpublic information from the U.S. Securities & Exchange Commission (SEC) and public relations firms, and making $30 million in illegal stock trades based on the proprietary information they stole.

[The U.S. Secret Service has an outstanding $1 million reward for information leading to the arrest of Ieremenko (Александр Витальевич Еременко), who allegedly went by the hacker handles “Zl0m” and “Lamarez.”]

Kislitsin was hired by Group-IB in January 2013, nearly six months after the Formspring hack. Group-IB has since moved its headquarters to Singapore, and in April 2023 the company announced it had fully exited the Russian market.

In a statement provided to KrebsOnSecurity, Group-IB said Mr. Kislitsin is no longer an employee, and that he now works for a Russian organization called FACCT, which stands for “Fight Against Cybercrime Technologies.”

“Dmitry Volkov, co-founder and CEO, sold his stake in Group-IB’s Russia-based business to the company’s local management,” the statement reads. “The stand-alone business in Russia has been operating under the new brand FACCT ever since and will continue to operate as a separate company with no connection to Group-IB.”

FACCT says on its website that it is a “Russian developer of technologies for combating cybercrime,” and that it works with clients to fight targeted attacks, data leaks, fraud, phishing and brand abuse. In a statement published online, FACCT said Kislitsin is responsible for developing its network security business, and that he remains under temporary detention in Kazakhstan “to study the basis for extradition arrest at the request of the United States.”

“According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than 10 years ago when Nikita worked as a journalist and independent researcher,” FACCT wrote.

From 2006 to 2012, Kislitsin was editor-in-chief of “Hacker,” a popular Russian-language monthly magazine that includes articles on information and network security, programming, and frequently features interviews with and articles penned by notable or wanted Russian hackers.

“We are convinced that there are no legal grounds for detention on the territory of Kazakhstan,” the FACCT statement continued. “The company has hired lawyers who have been providing Nikita with all the necessary assistance since last week, and we have also sent an appeal to the Consulate General of the Russian Federation in Kazakhstan to assist in protecting our employee.”

FACCT indicated that the Kremlin has already intervened in the case, and the Russian government claims Kislitsin is wanted on criminal charges in Russia and must instead be repatriated to his homeland.

“The FACCT emphasizes that the announcement of Nikita Kislitsin on the wanted list in the territory of the Russian Federation became known only today, June 28, 6 days after the arrest in Kazakhstan,” FACCT wrote. “The company is monitoring developments.”

The Kremlin followed a similar playbook in the case of Aleksei Burkov, a cybercriminal who long operated two of Russia’s most exclusive underground hacking forums. Burkov was arrested in 2015 by Israeli authorities, and the Russian government fought Burkov’s extradition to the U.S. for four years — even arresting and jailing an Israeli woman on phony drug charges to force a prisoner swap.

That effort ultimately failed: Burkov was sent to America, pleaded guilty, and was sentenced to nine years in prison.

Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Image: Andrei Shirokov / Tass via Getty Images.

Arkady Bukh is a U.S. attorney who has represented dozens of accused hackers from Russia and Eastern Europe who were extradited to the United States over the years. Bukh said Moscow is likely to turn the Kislitsin case into a diplomatic time bomb for Kazakhstan, which shares an enormous border and a great deal of cultural ties with Russia. A 2009 census found that Russians make up about 24 percent of the population of Kazakhstan.

“That would put Kazakhstan at a crossroads to choose between unity with Russia or going with the West,” Bukh said. “If that happens, Kazakhstan may have to make some very unpleasant decisions.”

Group-IB’s exodus from Russia comes as its former founder and CEO Ilya Sachkov remains languishing in a Russian prison, awaiting a farcical trial and an inevitable conviction on charges of treason. In September 2021, the Kremlin issued treason charges against Sachkov, although it has so far refused to disclose any details about the allegations.

Sachkov’s pending treason trial has been the subject of much speculation among denizens of Russian cybercrime forums, and the consensus seems to be that Sachkov and Group-IB were seen as a little too helpful to the DOJ in its various investigations involving top Russian hackers.

Indeed, since its inception in 2003, Group-IB’s researchers have helped to identify, disrupt and even catch a number of high-profile Russian hackers, most of whom got busted after years of criminal hacking because they made the unforgivable mistake of stealing from their own citizens.

When the indictments against Kislitsin were unsealed in 2020, Group-IB issued a lengthy statement attesting to his character and saying they would help him with his legal defense. As part of that statement, Group-IB noted that “representatives of the Group-IB company and, in particular, Kislitsin, in 2013, on their own initiative, met with employees of the US Department of Justice to inform them about the research work related to the underground, which was carried out by Kislitsin in 2012.”

Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army 

The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware operation. Despite the developer’s partial implementation of some features, the group emerged onto the scene at the end of May with a high-profile attack against the Chilean Army, continuing the ongoing trend of ransomware groups targeting Latin American government institutions. On June 15, the group leaked the files stolen from the Chilean Army.

In this post, we provide a high-level overview of Rhysida ransomware activity and present technical details of the malware payloads, along with hunting rules and IoCs to aid threat hunters and security teams.

Recent Attacks Attributed to Rhysida

On May 29, 2023, the Chilean Army reported that it had been the target of a cyberattack affecting the organization’s internal network on Saturday, May 27. The attack was later attributed to Rhysida.

Strategically, the Rhysida group’s attack against the army of Chile distinguishes this newcomer from the sea of ransomware newcomers. It should be noted that Rhysida is an apparently independent ransomware group: SentinelOne has not observed any overt connections to existing ransomware operations. As such, any potential geopolitical ramifications from attacking Chile’s government are as yet unclear. This is not the first time a Chilean governmental organization has been compromised by a new ransomware family, as demonstrated by the ARCrypter attack in November 2022.

The attack was followed by the leaking of data belonging to the army on June 15. Through the week of June 19, 2023, Rhysida’s leaks page displayed an influx of further victims, including multiple organizations in each of the following sectors:

  • Education
  • Government
  • Manufacturing
  • Technology and Managed Service Providers (MSP)

Victims are distributed throughout Western Europe, North & South America, and Australia, loosely aligning the group’s targeting with many ransomware operations that avoid targeting countries in Eastern Europe and Central Asia’s Commonwealth of Independent States. There are no Asian organizations posted at this time.

Operational Overview

The Rhysida ransomware group was first observed in May of 2023, following the emergence of their victim support chat portal, hosted via TOR (.onion). The name “Rhysida” refers to a specific genus of centipede. This is also reflected in the ‘branding’ on their victim blog.

The genus Rhysida and the Rhysida ransomware logo

An Apache configuration status page reveals that the web server hosting the portal was first set up in March 2023. The group has since migrated their blog to a more ‘hardened’ instance of nginx, and these server configuration details and status are no longer visible. This move may have been prompted by the original IP address being exposed across various underground forums and markets.

Rhysida RaaS: Leakage of original blog IP address

Rhysida is a privately marketed RaaS without known forum presence. The group positions themselves as a “cybersecurity team” who are doing their victims a favor by targeting their systems and highlighting the potential ramifications of the involved security issues. The group threatens victims with public distribution of the exfiltrated data, bringing them in line with modern-day multi-extortion groups.

The group’s website also serves as a portal for Rhysida-centric news and media coverage, as well as details on how to contact the group should journalists, recovery firms or “fans” be inclined to do so.

Rhysida’s ‘communication portal’

Victims are instructed to contact the attackers via their TOR-based portal, utilizing their unique identifier provided in the ransom notes. Rhysida accepts payment in Bitcoin only, providing information on the purchase and use of BTC on the victim portal as well. Upon providing their unique ID to the payment portal, an additional form is presented that allows victims to provide additional information to the attackers, such as authentication and contact details.

Rhysida portal’s additional details form

Technical Details

Rhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC. In each sample analyzed, the application’s program name is set to Rhysida-0.1, suggesting the tool is in early stages of development.

A notable characteristic of the tool is its plain-text strings revealing registry modification commands.

Rhysida Encryption & File Processing

For encryption, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm. Its main function initializes the ransomware’s overall runtime, including encryption specifics. The main function contains several nested if-else conditions that handle arguments that specify different encryption implementations. The processFileEnc function contains code blocks for other encryption methods, including Rijndael, though the preceding functions are prefixed “test”.

processFileEnc calls init_prng, which initializes the encryption routine’s pseudo-random number generator that is passed to the chacha_crypt function.

The processFileEnc function contains code that lists files and parses the current file name. Following encryption, Rhysida appends the .rhysida extension to the name of encrypted files.

After the encryption details are established, Rhysida enumerates files and folders connected to the system. The main function ends by calling PowerShell to delete the binary after encryption has completed.

Rhysida main function encryption checks

Rhysida uses a file exclusion list to avoid encrypting certain files. This check occurs in the isFileExcluded function, which compares the current file extension against exclude_extensions, an array that contains the following excluded file extensions:

[ bat, bin, 
  cab, cmd, com, cur, 
  diagcab, diagcfg, diagpkg, drv, dll, 
  exe, 
  hlp, hta, 
  ico, ini, iso, 
  lnk, 
  msi, 
  ocx, 
  ps1, psm1, 
  scr, sys,  
  Thumbs-db, 
  url 
]

This function initializes two variables, exclude_i (set to 0) and exclude_c (set to 11), which are used to iterate through the array of 27 excluded file extensions and over the length of the current file name.

Rhysida’s isFileExcluded function

Extended features, beyond encrypting files, are still not present in current variations of Rhysida. The most recent of analyzed samples continue to lack commodity features like VSS Removal, multiple persistence mechanisms, process termination or unhooking.

Ransom Note & Victim Notification

Rhysida generates the ransom note as a PDF document. The content of the doc is embedded in the binary in clear text. This is a missed opportunity for the actors: PDF is a powerful document format that enables data to be encoded in many ways, often not in clear text. If the developer embeds the PDF object within the binary instead of constructing the PDF at runtime from unencrypted strings, Rhysida would evade string-based detection based on ransom note language.

Rhysida ransom note, CriticalBreachDetected.pdf

Rhysida’s setBG function is designed to create a new image, write it to C:\Users\Public\bg.jpg, and run registry modifications via cmd.exe to change the wallpaper and prevent the victim from changing it back. During SentinelOne’s analysis, this process did not execute successfully and the JPG was not written to disk.

Rhysida's setBG function

The setBG function pulls elements from the PDF ransom note and allocates them to a buffer, which then is inserted into a new JPG image. The developer misspelled Control Panel as Conttol Panel in two of the registry modification commands. We patched the binary to correct the spelling, but the wallpaper still did not change.

It is of note that this misspelling flaw persists across versions of Rhysida. Original versions (example: 69b3d913a3967153d1e91ba1a31ebed839b297ed) compiled on May 15, 2023, as well as the sample associated with the Chilean Army attack (338d4f4ec714359d589918cee1adad12ef231907, compiled on May 27, 2023), each contain this issue.

SentinelOne Protects Against Rhysida Ransomware

The SentinelOne Agent detects Rhysida ransomware and prevents execution and file encryption.

For details about Rhysida and other ransomware families, visit SentinelOne’s Ransomware Anthology page.

Conclusion

Rhysida represents an unusual combination of techniques that suggest the developer is thinking outside the confines of contemporary ransomware. Features like the PDF ransom note could be leveraged for enhanced stealth, while the wallpaper changing feature is quite obtrusive, though not yet functional.

There are hallmarks of a less seasoned actor, such as the unobfuscated registry modification and PowerShell commands seen throughout the program. However, these are cosmetic fixes. Time will tell whether the developer’s choice to omit ubiquitous features, such as VSS copy deletion, will pay off or be supplemented through tools outside of the Rhysida application.

Indicators of Compromise (IOC)

SHA1                                      Description
69b3d913a3967153d1e91ba1a31ebed839b297ed  Rhysida PE first reported by MalwareHunterTeam
338d4f4ec714359d589918cee1adad12ef231907  Rhysida PE used in attack against Chilean Army
b07f6a5f61834a57304ad4d885bd37d8e1badba8  Rhysida PE, crashes during analysis

YARA Hunting Rule

SentinelOne is providing the following YARA rule that defenders can use to identify Rhysida ransomware binaries.

rule rw_rhysida {

	meta:
		author = "Alex Delamotte"
		description = "Rhysida ransomware detection."
		sample = "69b3d913a3967153d1e91ba1a31ebed839b297ed"
		reference = "https://s1.ai/rhys"
	strings:
		$typo1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 74 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 }
		$cmd1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 41 63 74 69 76 65 44 65 73 6B 74 6F 70 }
		$cmd2 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 53 79 73 74 65 6D 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 43 3A 5C 55 73 65 72 73 5C 50 75 62 6C 69 63 5C 62 67 2E 6A 70 67 22 20 2F 66 }
		$byte1 = { 48 8D 05 72 AA 05 00 48 8B 00 8B 95 }
		$byte2 = { 48 8D 15 89 CF 03 00 48 89 C1 E8 F9 1C 03 00 44 }
	condition:
		2 of them
}
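Before deploying a hex-pattern rule like the one above it helps to see exactly which text it keys on. The following Python is an added example, not SentinelOne’s code: it decodes the rule’s hex strings (copied from the rule text above into RULE_TEXT) back into readable bytes, so an analyst can confirm that $typo1 really is the misspelled “Conttol Panel” registry command and $cmd2 the wallpaper command, and it emulates the “2 of them” condition against a constructed sample buffer. The helper handles only plain hex strings; YARA wildcards and jumps are rejected rather than guessed at.

```python
import re

# Constructed copy of the hex strings from the rw_rhysida rule printed above
# (the $byte1/$byte2 code patterns are included unchanged).
RULE_TEXT = r'''
rule rw_rhysida {
	strings:
		$typo1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 74 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 }
		$cmd1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 41 63 74 69 76 65 44 65 73 6B 74 6F 70 }
		$cmd2 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 53 79 73 74 65 6D 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 43 3A 5C 55 73 65 72 73 5C 50 75 62 6C 69 63 5C 62 67 2E 6A 70 67 22 20 2F 66 }
		$byte1 = { 48 8D 05 72 AA 05 00 48 8B 00 8B 95 }
		$byte2 = { 48 8D 15 89 CF 03 00 48 89 C1 E8 F9 1C 03 00 44 }
	condition:
		2 of them
}
'''

HEX_STRING_RE = re.compile(r"\$(\w+)\s*=\s*\{([^}]*)\}")


def decode_hex_strings(rule_text):
    """Return {name: bytes} for every hex string in the rule text.

    Only plain hex strings are handled; YARA wildcards (??) or jumps
    ([4-6]) would need a real YARA parser and are rejected here.
    """
    strings = {}
    for name, body in HEX_STRING_RE.findall(rule_text):
        if "?" in body or "[" in body:
            raise ValueError(f"${name}: wildcards/jumps not supported")
        strings[name] = bytes.fromhex("".join(body.split()))
    return strings


def printable(data):
    """Render bytes as text, escaping anything outside printable ASCII."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


def matching_strings(data, strings):
    """Names of the rule strings that occur in data (YARA's 'them' set)."""
    return sorted(name for name, pattern in strings.items() if pattern in data)


def rule_matches(data, strings, minimum=2):
    """Emulate the rule's condition '2 of them'."""
    return len(matching_strings(data, strings)) >= minimum


STRINGS = decode_hex_strings(RULE_TEXT)

# Constructed sample buffer standing in for a binary's string section: it
# carries the misspelled 'Conttol Panel' command and the wallpaper command.
SAMPLE_HIT = b"\x00" * 16 + STRINGS["typo1"] + b"\x00" * 8 + STRINGS["cmd2"] + b"\x00" * 16
# Constructed buffer with only one of the strings: '2 of them' is not satisfied.
SAMPLE_MISS = b"\x00" * 16 + STRINGS["cmd1"] + b"\x00" * 16

if __name__ == "__main__":
    for name, pattern in STRINGS.items():
        print(f"${name}: {printable(pattern)}")
    print("hit sample:", matching_strings(SAMPLE_HIT, STRINGS), rule_matches(SAMPLE_HIT, STRINGS))
    print("miss sample:", matching_strings(SAMPLE_MISS, STRINGS), rule_matches(SAMPLE_MISS, STRINGS))
```

Decoding shows that $cmd1 ends without a closing quote, so it matches the start of the ActiveDesktop policy command regardless of the value name that follows, while $typo1 depends entirely on the developer’s typo; if a later build corrects the spelling, only the two opcode patterns and $cmd1/$cmd2 remain to satisfy the condition.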

JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware

Recent reports from researchers at BitDefender and Elastic have exposed an active adversary deploying novel spyware, cross-platform backdoors and an open-source reconnaissance tool to compromise organizations with macOS devices in their fleets. Although the number of known victims at this time is small, the nature of the tooling suggests that the threat actors have likely targeted other organizations.

In this post, we review the key components and indicators used in the campaign to help raise awareness and aid security teams and threat hunters.

QRLog | Suspected Infection Vector

There is little information about how initial compromise was achieved in the known intrusions, but analysis of the known components provides a strong link to a trojanized QR code generator discovered in the wild in February 2023.

According to researcher Mauro Eldritch, QRLog is a trojanized QR code generator written in Java that opens a reverse shell on the host device, allowing the attacker privileged access. The malicious code is hidden inside a file QRCodeWriter.java, buried in an otherwise legitimate open source QR code project.

Base64 blob is an encoded Java file

After determining the host device’s operating system, QRLog decodes an embedded base64 blob and writes it out to a temporary directory and executes it.

QRLog changes the path separator to suit Windows or POSIX-compatible systems like Linux and macOS

The decoded blob is a .java file that reaches out to a C2 at hxxps[:]//www[.]git-hub.me/view.php. This is the same C2 as used in the compromise reported by BitDefender (see below).

QRLog uses the same C2 later seen in an ITW JokerSpy intrusion

If the QRLog malware receives the right response from the C2, it then writes two further files – p.dat and a Java executable prefTmp.java – to the temp directory and executes the latter, which now opens the reverse shell from the victim to the attacker.

The prefTmp.java file opens a reverse shell to the attacker

Shared.dat & sh.py | Cross-Platform Python Backdoors

In the intrusions seen to date, researchers identified two Python backdoors, shared.dat and sh.py. The former uses a simple rot13 string obfuscation technique.

Deobfuscated strings found in shared.dat backdoor

The script’s behavior depends on the response from the server, whose address is hardcoded in plain text. In the intrusion seen by BitDefender, the C2 matched that seen in the QRLog malware. shared.dat also uses the same strings found in QRLog to identify packets sent and received from the C2, namely “GITHUB_RES” and “GITHUB_REQ”.

C2 in shared.dat is the same as noted in QRLog malware

A simple conditional parses the responses.

Parsing commands from the C2 in the shared.dat backdoor

If the device is identified as a macOS device, the malware downloads and executes the next stage to /Users/Shared/AppleAccount.tgz, which in turn decodes a further stage to /Users/Shared/TempUser/AppleAccountAssistant.app.

The sh.py backdoor is also multi-platform and requires a separate configuration file stored at ~/Public/Safari/sar.dat, likely containing the C2 as well as other parameters. The C2 observed by Elastic in an attack on an unnamed Japanese cryptocurrency exchange was app.influmarket[.]org.

The backdoor is capable of surveilling the host device and executing commands, exfiltrating data and deleting files.

The sh.py script is a cross-platform backdoor

Depending on the value received from the configuration file, the backdoor will beacon out to the C2 at regular intervals, the default being 5 seconds. Information sent to the attacker includes:

  • Current working directory
  • Username
  • Hostname
  • Domain name
  • OS version
  • Python version
  • Path to sh.py

According to researchers at Elastic, the sh.py script was seen dropping the open-source macOS red-teaming tool SwiftBelt to the file path /Users/shared/sb and writing out to a file sb.log in the same directory.

/bin/sh -c /users/shared/sb > /users/shared/sb.log 2>&1

JokerSpy | macOS Spyware Stager

In both intrusions seen to date, a further macOS-only component was observed. The file, named “xcc”, attempts to pass as an XProtect component, and uses the Launch Services identifier com.apple.xprotectcheck.

Identifier=XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=911 flags=0x2(adhoc) hashes=17+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22
CandidateCDHashFull sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
Hash choices=sha256
CMSDigest=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
CMSDigestType=2
Launch Constraints:
    None
CDHash=89706d1258b6f1c165ff8d1d6d13346e02b48e22
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
# designated => cdhash H"89706d1258b6f1c165ff8d1d6d13346e02b48e22" or cdhash H"9860c28299d58e71540c64e56c709aa619cfac27"

The binary is ad hoc signed and is built for both Apple silicon and Intel architectures. On execution, it runs through several functions with the purpose of determining:
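The codesign output above carries the signals a hunter would key on: an ad hoc signature, an XProtect-flavoured identifier, and no certificate chain. The Python below is an added example, not SentinelOne’s or Elastic’s tooling: it parses `codesign -dvvv`-style output (the xcc output above is embedded as a constructed copy, CODESIGN_OUTPUT) into a dictionary, pulls the cdhashes out of the designated requirement, and flags a binary whose identifier borrows Apple’s namespace without Apple’s “Software Signing” authority chain. APPLE_LIKE_OUTPUT is a constructed placeholder shaped like a genuine Apple platform binary’s output, used only as the contrast case; its hash is not real.

```python
import re

# Constructed copy of the codesign output for the xcc binary shown above.
CODESIGN_OUTPUT = """\
Identifier=XProtectCheck-55554944f74096a836b73310bd55d97d1dff5cd4
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=911 flags=0x2(adhoc) hashes=17+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22
CandidateCDHashFull sha256=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
Hash choices=sha256
CMSDigest=89706d1258b6f1c165ff8d1d6d13346e02b48e22d1a741ff451d1cb6ba81bab2
CMSDigestType=2
Launch Constraints:
    None
CDHash=89706d1258b6f1c165ff8d1d6d13346e02b48e22
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
# designated => cdhash H"89706d1258b6f1c165ff8d1d6d13346e02b48e22" or cdhash H"9860c28299d58e71540c64e56c709aa619cfac27"
"""

# Constructed contrast case shaped like a genuine Apple platform binary:
# Apple's own components carry the 'Software Signing' authority chain and,
# like xcc, report no Team ID. The CDHash here is a placeholder.
APPLE_LIKE_OUTPUT = """\
Identifier=com.apple.XProtectCheck
Format=Mach-O universal (x86_64 arm64)
CDHash=0000000000000000000000000000000000000000
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
Sealed Resources=none
"""


def parse_codesign(output):
    """Parse codesign key=value output into a dict.

    Repeated keys (Authority=...) are collected into a list; the
    '# designated =>' comment is kept under 'designated'; indented
    continuation lines such as the Launch Constraints body are skipped.
    """
    info = {"Authority": []}
    for line in output.splitlines():
        if line.startswith("# designated =>"):
            info["designated"] = line.split("=>", 1)[1].strip()
            continue
        if "=" not in line or line.startswith((" ", "\t")):
            continue
        key, value = line.split("=", 1)
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def designated_cdhashes(info):
    """All cdhash values pinned by the designated requirement."""
    return re.findall(r'cdhash H"([0-9a-f]{40})"', info.get("designated", ""))


def impersonation_flags(info):
    """Reasons this signature looks like an Apple component but is not one."""
    flags = []
    ident = info.get("Identifier", "").lower()
    looks_apple = ident.startswith("com.apple") or "xprotect" in ident
    adhoc = info.get("Signature") == "adhoc" or "(adhoc)" in info.get("CodeDirectory v", "")
    apple_chain = "Software Signing" in info["Authority"]
    if adhoc:
        flags.append("ad-hoc signature: no signing identity at all")
    if looks_apple and not apple_chain:
        flags.append("Apple-style identifier without Apple's Software Signing chain")
    return flags


if __name__ == "__main__":
    for label, text in (("xcc", CODESIGN_OUTPUT), ("apple-like", APPLE_LIKE_OUTPUT)):
        info = parse_codesign(text)
        print(label, info["Identifier"], designated_cdhashes(info), impersonation_flags(info))
```

The designated requirement is worth extracting because an ad hoc signature pins nothing but cdhashes: the second hash in xcc’s requirement is the one to pivot on when hunting for sibling builds, and any change to the binary invalidates both.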

  • Device Idle Time
  • Active (Frontmost) App
  • Screen status (locked or unlocked)
  • Full Disk Access of the active app
  • Screen Recording permissions of the active app
  • Accessibility (e.g., control other apps) permission of the active app

Output to stdout from executing xcc binary

Threat hunters should note that these are somewhat noisily printed out to stdout, so will appear in system logs.

The inclusion of the SystemIdleTime() function is interesting and not something commonly seen in macOS malware. This may indicate the threat actor intends to establish a pattern of when the user is inactive in order to time attacks. The function itself uses Apple’s IOServiceMatching() API and the now-deprecated IOHIDSystem class to query for the HIDIdleTime value, a timer which tracks the last time the user interacted with the mouse, trackpad or keyboard, among other things.

Calls made by the SystemIdleTime() function

At the time of writing, it’s not clear how the xcc binary relates to the other components, other than that they have been observed together in both instances. xcc itself provides functionality for system discovery and it is likely there are further associated spyware and backdoor components that remain to be discovered.

Elastic observed xcc being executed by three different processes:

  • /Applications/IntelliJ IDEA.app/Contents/MacOS/idea
  • /Applications/iTerm.app/Contents/MacOS/iTerm2
  • /Applications/Visual Studio Code.app/Contents/MacOS/Electron

The researchers suggest that initial access may have been provided via a malicious plugin or dependency that may have been trojanized in a similar way to QRLog mentioned above.

SentinelOne Detects JokerSpy

The SentinelOne agent protects customers from JokerSpy, QRLog and other malicious components identified in these attacks.

SentinelOne detects JokerSpy

Security teams not protected by SentinelOne are advised to refer to the list of indicators below for threat hunting and detection.

Conclusion

The JokerSpy intrusions reveal a threat actor with the ability to write functional malware across several different languages – Python, Java, and Swift – and target multiple operating system platforms. The relative sophistication of the multiple components suggests one or more developers devoting considerable effort to the project, and we can only surmise that further victims are out there.

There are still several pieces of the puzzle missing, but the intrusion into a large cryptocurrency exchange indicates a financially-motivated threat actor. SentinelOne continues to track this threat actor and will provide updates to this post as they become available.

Indicators of Compromise

Identifiers
com.apple.xprotectcheck

Communications
45[.]76[.]238[.]53
45[.]77[.]123[.]18
www[.]git-hub.me
app.influmarket[.]org

Files (SHA1)
1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362 – xcc
1f99081affd7bef83d44e0072eb860d515893698 – SwiftBelt
21ffda8a6a05a007ef92088f99ab54485cfe473d – xcc
2234c9fc3c3d340f0367c49c6599379b96544b5a – QRCodeWriter.java
370a0bb4177eeebb2a75651a8addb0477b7d610b – xcc
76b790eb3bed4a625250b961a5dda86ca5cd3a11 – xcc
937a9811b3e5482eb8f96832454723d59229f945 – shared.dat
bd8626420ecfd1ab5f4576d83be35edecd8fa70e – sh.py
c304aef96a783a39aedf1af30de5d5f1c33c68ca – QRLog sample.zip
c7d6ede0f6ac9f060ae53bb1db40a4fbe96f9ceb – shared.dat

Paths

$TEMP/p.dat
$TEMP/prefTmp.java
~/Public/Safari/sar.dat
/Users/shared/sb
/Users/shared/sb.log
/Users/Shared/AppleAccount.tgz
/Users/Shared/TempUser/AppleAccountAssistant.app
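To turn the indicator list above into something a threat hunter can actually run, here is an added example (not SentinelOne's code and not part of the original post) that refangs the published indicators and scans a batch of log lines for them. The indicator values are exactly the ones listed above; the log lines, their format and the field names are constructed for the demonstration.

```python
"""Hunt for the JokerSpy indicators listed above in a batch of log lines.

Added example (not SentinelOne's code). The indicator values are the ones
published in the post; the log lines below are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators as published (network ones are defanged with "[.]").
IDENTIFIERS = ["com.apple.xprotectcheck"]
NETWORK = ["45[.]76[.]238[.]53", "45[.]77[.]123[.]18",
           "www[.]git-hub.me", "app.influmarket[.]org"]
HASHES_SHA1 = {
    "1ed2c5ee95ab77f8e1c1f5e2bd246589526c6362": "xcc",
    "1f99081affd7bef83d44e0072eb860d515893698": "SwiftBelt",
    "21ffda8a6a05a007ef92088f99ab54485cfe473d": "xcc",
    "2234c9fc3c3d340f0367c49c6599379b96544b5a": "QRCodeWriter.java",
    "370a0bb4177eeebb2a75651a8addb0477b7d610b": "xcc",
    "76b790eb3bed4a625250b961a5dda86ca5cd3a11": "xcc",
    "937a9811b3e5482eb8f96832454723d59229f945": "shared.dat",
    "bd8626420ecfd1ab5f4576d83be35edecd8fa70e": "sh.py",
    "c304aef96a783a39aedf1af30de5d5f1c33c68ca": "QRLog sample.zip",
    "c7d6ede0f6ac9f060ae53bb1db40a4fbe96f9ceb": "shared.dat",
}
PATHS = ["$TEMP/p.dat", "$TEMP/prefTmp.java", "~/Public/Safari/sar.dat",
         "/Users/shared/sb", "/Users/shared/sb.log",
         "/Users/Shared/AppleAccount.tgz",
         "/Users/Shared/TempUser/AppleAccountAssistant.app"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".")


def network_pattern(ioc: str) -> re.Pattern[str]:
    host = refang(ioc)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        # Reject partial-octet matches such as 45.76.238.530 or 145.76.238.53.
        return re.compile(r"(?<!\d)(?<!\d\.)" + re.escape(host) + r"(?!\.?\d)")
    return re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", re.IGNORECASE)


def path_pattern(path: str) -> re.Pattern[str]:
    # $TEMP and ~ differ per host, so match on the fixed tail of the path.
    # Default macOS volumes are case-insensitive, hence IGNORECASE.
    for prefix in ("$TEMP", "~"):
        if path.startswith(prefix):
            path = path[len(prefix):]
            break
    return re.compile(re.escape(path) + r"(?![\w-])", re.IGNORECASE)


MATCHERS: list[tuple[str, re.Pattern[str], str]] = (
    [("identifier", re.compile(r"(?<![\w.-])" + re.escape(i) + r"(?![\w-])"), i)
     for i in IDENTIFIERS]
    + [("network", network_pattern(n), refang(n)) for n in NETWORK]
    + [("sha1", re.compile(r"(?<![0-9a-f])" + h + r"(?![0-9a-f])", re.IGNORECASE),
        f"{h} ({name})") for h, name in HASHES_SHA1.items()]
    + [("path", path_pattern(p), p) for p in PATHS]
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str


def hunt(log_text: str) -> list[Hit]:
    """Return one Hit per (line, indicator) pair found in the log text."""
    hits: list[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern, indicator in MATCHERS:
            if pattern.search(line):
                hits.append(Hit(line_no, kind, indicator))
    return hits


# Constructed sample log (not real telemetry); lines 5 and 7 are deliberate near misses.
SAMPLE_LOG = """\
2023-06-20T10:14:02Z proxy host=app.influmarket.org method=POST client=10.0.0.12
2023-06-20T10:15:31Z edr file_write path=/Users/Shared/AppleAccount.tgz pid=4411
2023-06-20T10:15:40Z edr exec path=/tmp/xcc sha1=1ED2C5EE95AB77F8E1C1F5E2BD246589526C6362 parent=/Applications/iTerm.app/Contents/MacOS/iTerm2
2023-06-20T10:16:05Z netflow dst=45.76.238.53:443 proto=tcp bytes=2048
2023-06-20T10:16:09Z netflow dst=45.76.238.530:443 proto=tcp bytes=10
2023-06-20T10:17:00Z launchd loaded label=com.apple.xprotectcheck
2023-06-20T10:18:22Z edr file_write path=/Users/alice/Library/Caches/p.data pid=99
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator}")
```

Two design points matter when matching this list: the IP patterns are anchored on both sides so that 45.76.238.530 or 145.76.238.53 do not produce false hits, and the paths are compared on their fixed tail and case-insensitively, because $TEMP and ~ vary per host and the published paths mix /Users/shared and /Users/Shared, which are the same directory on a default macOS volume. Hashes are matched case-insensitively because EDR products differ in how they print hex digests.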

U.K. Cyber Thug “PlugwalkJoe” Gets 5 Years in Prison

Joseph James “PlugwalkJoe” O’Connor, a 24-year-old from the United Kingdom who earned his 15 minutes of fame by participating in the July 2020 hack of Twitter, has been sentenced to five years in a U.S. prison. That may seem like harsh punishment for a brief and very public cyber joy ride. But O’Connor also pleaded guilty in a separate investigation involving a years-long spree of cyberstalking and cryptocurrency theft enabled by “SIM swapping,” a crime wherein fraudsters trick a mobile provider into diverting a customer’s phone calls and text messages to a device they control.

Joseph “PlugwalkJoe” O’Connor, in a photo from a Globe Newswire press release Sept. 02, 2020, pitching O’Connor as a cryptocurrency expert and advisor.

On July 16, 2020 — the day after some of Twitter’s most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam — KrebsOnSecurity observed that several social media accounts tied to O’Connor appeared to have inside knowledge of the intrusion. That story also noted that thanks to COVID-19 lockdowns at the time, O’Connor was stuck on an indefinite vacation at a popular resort in Spain.

Not long after the Twitter hack, O’Connor was quoted in The New York Times denying any involvement. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, PlugwalkJoe demanded that his real name be kept out of future blog posts here. After he was told that couldn’t be promised, he remarked that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like.

O’Connor was still in Spain a year later when prosecutors in the Northern District of California charged him with conspiring to hack Twitter. At the same time, prosecutors in the Southern District of New York charged O’Connor with an impressive array of cyber offenses involving the exploitation of social media accounts, online extortion, and cyberstalking, and the theft of cryptocurrency then valued at nearly USD $800,000.

In late April 2023, O’Connor was extradited from Spain to face charges in the United States. Two weeks later, he entered guilty pleas in both California and New York, admitting to all ten criminal charges levied against him. On June 23, O’Connor was sentenced to five years in prison.

PlugwalkJoe was part of a community that specialized in SIM-swapping victims to take over their online identities. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control.

From there, the attackers can reset the password for any of the victim’s online accounts that allow password resets via SMS. SIM swapping also lets attackers intercept one-time passwords needed for SMS-based multi-factor authentication (MFA).

O’Connor admitted to conducting SIM swapping attacks to take control over financial accounts tied to several cryptocurrency executives in May 2019, and to stealing digital currency currently valued at more than $1.6 million.

PlugwalkJoe also copped to SIM-swapping his way into the Snapchat accounts of several female celebrities and threatening to release nude photos found on their phones.

Victims who refused to give up social media accounts or submit to extortion demands were often visited with “swatting attacks,” wherein O’Connor and others would falsely report a shooting or hostage situation in the hopes of tricking police into visiting potentially lethal force on a target’s address.

Prosecutors said O’Connor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

In the case of the Twitter hack, O’Connor pleaded guilty to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

The account “@shinji,” a.k.a. “PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface, on July 15, 2020.

To resolve the case against him in New York, O’Connor pleaded guilty to conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications.

In addition to the prison term, O’Connor was sentenced to three years of supervised release, and ordered to pay $794,012.64 in forfeiture.

To be clear, the Twitter hack of July 2020 did not involve SIM-swapping. Rather, Twitter said the intruders tricked a Twitter employee over the phone into providing access to internal tools.

Three others were charged along with O’Connor in the Twitter compromise. The alleged mastermind of the hack, then 17-year-old Graham Ivan Clarke from Tampa, Fla., pleaded guilty in 2021 and agreed to serve three years in prison, followed by three years probation.

This story is a good reminder about the need to minimize your reliance on the mobile phone companies for securing your online identity. This means reducing the number of ways your life could be turned upside down if someone were to hijack your mobile phone number.

Most online services require users to validate a mobile phone number as part of setting up an account, but some services will let you remove your phone number after the fact. Those services that do let you remove your phone number or disable SMS/phone calls for account recovery probably also offer more secure multi-factor authentication options, such as app-based one-time passwords and security keys. Check out 2fa.directory for a list of multi-factor options available across hundreds of popular sites and services.

Looking Within | Strategies for Detecting and Mitigating Insider Threats

Over the past decade, the digital landscape has undergone a rapid transformation, reshaping the way businesses operate and interact with data. With this paradigm shift, the nature and scope of insider threats have also evolved significantly.

As cloud adoption rates and reliance on third-party vendors rise, this has widened the attack surface for malicious insiders. With greater access to internal systems, insiders are able to leverage sophisticated attack techniques, putting sensitive data and critical infrastructure at risk.

The scope of insider threats encompasses intellectual property theft, insider trading, collusion with external actors, and financial fraud. As insiders become more adept at circumventing traditional security measures, security leaders are implementing robust strategies to address these evolving risks.

This blog post expands on how insider threats have evolved over the past decade, shedding light on the emerging challenges faced by businesses worldwide. It also explores real-world examples, showing the importance of a holistic approach that combines technology, policies, and employee education to mitigate insider threats effectively.

Understanding How Insider Threats Have Evolved

Insider threats are not a new concept. In fact, they’ve been around as long as businesses have. What’s changed is the breadth and depth that a successful insider attack can cause. In today’s digital landscape, the stakes are so much higher. Consider the following:

An insider threat can be anyone within an organization who has access to sensitive information and systems. This includes privileged users and administrators, contractors, third-party vendors, and even business partners.

In their most recent Cost of Insider Threats Report, Ponemon Institute confirmed that negligent, malicious, and compromised users are a serious cyber threat, with incidents rising 44% in the last two years and costing enterprise businesses over $15 million. These figures are a stark reminder of the significant risk insider threats pose to organizations of all sizes.

Other reports suggest that more than 34% of businesses are affected by such threats yearly and that 68% of security leaders now consider insider attacks and accidental breaches to be more likely than external attacks.

The Different Faces of the “Insider” Behind the Threat

Insider threats can manifest in various forms and can be placed into one of three categories based on the intent or motive behind the insider themself.

Malicious Insiders | Yahoo’s Trade Secrets Stolen By Departing Employee

Malicious insiders purposefully act against the best interests of their organization and seek to cause harm. They may steal data to sell or use as leverage for personal gain. They could also be disgruntled employees, contractors, or partners who wish to cause the organization reputational and financial damage. Malicious insiders, in essence, intentionally misuse their access to the organization’s systems and information.

In May 2022, a research scientist at Yahoo allegedly stole proprietary information about the company’s AdLearn product after receiving a job offer from a competitor. The malicious insider downloaded almost 570,000 pages of Yahoo’s intellectual property (IP) to their personal device including source code, ad placement algorithms, and internal strategy documents.

Negligent Insiders | Microsoft Employee Exposes Login Credentials

Negligent insiders typically describe employees, vendors, or partners who engage in risky behavior due to an overall sense of being disengaged. While they consciously decide to act inappropriately, there is no malicious intent behind their actions. Negligent insiders are users who often misplace or share sensitive credentials, ignore IT policies, use unsecured devices, and neglect their security training.

In August of 2022, a number of Microsoft employees uploaded sensitive login credentials to the company’s GitHub infrastructure, giving potential attackers access to Azure servers and other internal systems. It was discovered that all identified credentials were associated with an official Microsoft tenant ID and that some were still active at the time of discovery.

Accidental Insiders | Twitter Staff Fall Victim to Spear Phishing Campaign

Accidental or compromised insiders exhibit no conscious decision to act inappropriately. These cases are often chalked up to simple mistakes made by an employee in the course of their daily work. This may include falling for a social engineering scam, opening or forwarding phishing emails and malware, misconfiguring systems, or mishandling sensitive information.

Attackers launched a phone-based spear phishing scam on Twitter employees in July 2020, calling consumer service and tech support teams and instructing them to reset their passwords. After providing their credentials and MFA codes on an attacker-controlled site, the attackers gained access to Twitter’s internal network as well as some internal support tools. With such highly privileged access, the attackers were able to hijack several well-known accounts and spread their scam campaign.

Insider Threat Protection Starts with Effective Detection

Unlike external threat actors, insiders already have legitimate access to an organization’s systems and data, making the malicious activities more difficult to detect. In the days, weeks, or even months it can take to distinguish benign and suspicious activity, a threat could have already caused irreversible damages.

Traditional security tools are often ill-equipped to handle this type of threat, as they are primarily designed to detect known, external intrusions. Effective detection of insider threats requires tools that can track anomalous behavior such as unusual or excessive access to files, irregular data transfers, and anomalies in log-in patterns. In addition, changes in work habits and signs of disgruntlement can also provide warning signs.

Know Your People

Detecting insider threats requires organizations to be vigilant in identifying behavioral changes that may signal potential malicious intent or unauthorized activities by employees. Sudden changes in work patterns or performance, especially when accompanied by unexplained financial stress or personal issues, for example, may be signs of trouble ahead.

Insiders may also display an unusual interest in accessing sensitive information beyond their job role or exhibit excessive use of privileged access rights. They might also have a tendency to violate security policies, such as sharing passwords or bypassing security controls.

Leverage Technology

Digital indicators are critical in detecting insider threats as they provide valuable clues about potentially malicious activities or unauthorized access to sensitive information. One significant digital indicator is abnormal or suspicious login activity. This could include repeated failed login attempts, multiple login sessions from different locations simultaneously, or login activities during unusual hours.

Unusual network traffic patterns, such as large data transfers or accessing restricted areas of the network, can also serve as digital indicators of insider threats. Insiders may exhibit abnormal usage of removable storage devices, attempting to copy or transfer sensitive data outside of authorized channels.

Additionally, the presence of unauthorized software or tools on an employee’s workstation can be a potential digital indicator of malicious intent. Unusual or excessive use of administrative privileges can also be an indication of insider risk.
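The digital indicators described in the three paragraphs above (repeated failed logins, simultaneous sessions from different locations, off-hours access, and unusually large data transfers) are concrete enough to encode as detection logic. The following is an added example, not SentinelOne's code or any product's rule set, that runs those four checks over a constructed authentication log. The log format, the user names, the business-hours window and every threshold are assumptions made for the demonstration and would need tuning against a real environment's baseline.

```python
"""Flag the login and transfer anomalies described above in an auth log.

Added example (not SentinelOne's code). The log format, user names,
business-hours window and all thresholds are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Assumed thresholds; tune them to the environment's own baseline.
FAILURE_COUNT = 5                      # this many failures ...
FAILURE_WINDOW = timedelta(minutes=10) # ... inside this window is suspicious
TRAVEL_WINDOW = timedelta(minutes=60)  # two countries within an hour is suspicious
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 UTC counts as normal
TRANSFER_FACTOR = 10                   # session moves 10x the user's median volume
MIN_SESSIONS = 3                       # need a baseline before judging volume


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    outcome: str    # "success" or "failure"
    geo: str        # country code from IP enrichment (constructed)
    bytes_out: int  # data sent out during the session (0 for failures)


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse constructed 'TIMESTAMP key=value ...' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AuthEvent(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
                                kv["user"], kv["outcome"], kv["geo"], int(kv["bytes_out"])))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[AuthEvent]) -> list[Alert]:
    by_user: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts: list[Alert] = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e.outcome == "failure"]
        successes = [e for e in evs if e.outcome == "success"]

        # Rule 1: repeated failed logins inside a sliding window (one alert per user).
        for i, e in enumerate(failures):
            recent = [f for f in failures[: i + 1] if e.ts - f.ts <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_COUNT:
                alerts.append(Alert("repeated_failures", user, e.ts,
                                    f"{len(recent)} failures within {FAILURE_WINDOW}"))
                break

        # Rule 2: consecutive sessions from different locations too close together.
        for prev, cur in zip(successes, successes[1:]):
            if prev.geo != cur.geo and cur.ts - prev.ts <= TRAVEL_WINDOW:
                alerts.append(Alert("concurrent_geo", user, cur.ts,
                                    f"{prev.geo} then {cur.geo} within {cur.ts - prev.ts}"))

        # Rule 3: successful logins outside the assumed business hours.
        for e in successes:
            if e.ts.hour not in BUSINESS_HOURS:
                alerts.append(Alert("off_hours", user, e.ts, f"login at {e.ts:%H:%M} UTC"))

        # Rule 4: a session moving far more data than the user's own median.
        if len(successes) >= MIN_SESSIONS:
            baseline = median([e.bytes_out for e in successes])
            for e in successes:
                if baseline > 0 and e.bytes_out > TRANSFER_FACTOR * baseline:
                    alerts.append(Alert("large_transfer", user, e.ts,
                                        f"{e.bytes_out} bytes vs median {baseline:.0f}"))
    return alerts


# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
2023-06-19T09:00:00Z user=alice outcome=success geo=US bytes_out=5000000
2023-06-19T11:00:00Z user=alice outcome=success geo=US bytes_out=6000000
2023-06-19T14:00:00Z user=alice outcome=success geo=US bytes_out=4000000
2023-06-19T23:30:00Z user=alice outcome=success geo=US bytes_out=90000000
2023-06-19T10:00:00Z user=bob outcome=success geo=US bytes_out=1000000
2023-06-19T10:20:00Z user=bob outcome=success geo=DE bytes_out=1200000
2023-06-19T10:00:00Z user=carol outcome=failure geo=US bytes_out=0
2023-06-19T10:01:00Z user=carol outcome=failure geo=US bytes_out=0
2023-06-19T10:02:00Z user=carol outcome=failure geo=US bytes_out=0
2023-06-19T10:03:00Z user=carol outcome=failure geo=US bytes_out=0
2023-06-19T10:04:00Z user=carol outcome=failure geo=US bytes_out=0
2023-06-19T10:05:00Z user=carol outcome=success geo=US bytes_out=800000
2023-06-19T10:00:00Z user=dave outcome=success geo=US bytes_out=900000
"""

if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.rule:18} {a.user:6} {a.ts:%H:%M} {a.detail}")
```

On the sample above, carol trips the repeated-failure rule, bob the location rule, and alice both the off-hours and large-transfer rules for her 23:30 session, while dave stays quiet. The transfer rule compares each session against the same user's own median rather than a global number, which is the per-user baselining the text calls for; it deliberately stays silent for users with fewer than three sessions, since a baseline built from one or two data points says nothing.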

How Can Insider Threats Be Prevented? Best Practices for Modern Enterprises

As insider threats widen surfaces for attack, enterprise leaders can implement a holistic approach that combines security policies, continuing education, and technology to prevent and mitigate these types of attacks in the long run.

Enforce Actionable Policies Focused On Access

Limiting access to sensitive information on a need-to-know basis is a fundamental step in mitigating insider threats. This includes designing policies for:

  • Access control – Clearly define access privileges and permissions based on job roles and responsibilities. Implement least privilege principles to ensure employees have the appropriate level of access to systems, data, and resources.
  • Acceptable use – Clearly communicate acceptable use of company resources, including computers, networks, and assets. Specify prohibited activities such as unauthorized data access, sharing credentials, or using company resources for personal gain.
  • Data handling – Establish guidelines for handling sensitive information throughout its lifecycle. Specify how data should be classified, protected, transmitted, and disposed of. Enforce encryption and data loss prevention (DLP) measures.
  • Vendor and third-party access – Establish guidelines for vetting, monitoring, and managing relationships with vendors and third-party partners who have access to sensitive information or systems. Implement appropriate contractual agreements and security measures to mitigate the risks associated with external entities.

Secure All Business-Critical Assets

Begin by identifying the most mission-critical assets including sensitive data on personnel, enterprise networks, systems, intellectual property, and proprietary software. Once these assets are identified, it becomes essential to prioritize them according to their level of criticality.

Provide Regular Training & Awareness Programs For All Employees

Employees are a first line of defense against insider threats. Regular training can help them understand the risks and recognize the signs of insider threats. Training should include a wide range of cyber-related topics such as password and authentication safety, social engineering awareness, safe internet and email practices, incident reporting procedures, whistleblower policies, and remote work and mobile device security.

Create A Welcoming Culture Centered On Trust, Transparency & Respect

Fostering a positive work environment can go a long way in mitigating insider threats. Employees who feel valued and respected are less likely to pose a threat to the organization and take more accountability in protecting its best interests.

Implement An AI and ML-Based Detection & Response Solution

Security solutions such as XDR aggregate and correlate data from various system sources, providing a holistic view of the organization’s security posture and allowing for better detection and monitoring of insider threats.

XDR leverages contextual information, such as user roles, access privileges, and historical behavior, to provide better insights into potential insider threats. This context helps security teams make informed decisions and prioritize response efforts. By establishing baselines of normal behavior, XDR can detect suspicious activities, unauthorized data access, or unusual data exfiltration attempts by insiders. XDR uses advanced analytics, artificial intelligence (AI), and machine learning (ML) algorithms to analyze user behavior patterns and identify anomalies that may indicate insider threats.

XDR also monitors user activities across endpoints, networks, and cloud environments to identify potential insider threats. It can detect unauthorized access, abnormal file transfers, changes in privilege levels, or attempts to disable security controls. Real-time monitoring and alerts enable timely response to mitigate risks.

Conclusion

From increased connectivity to the rise of remote work, advancements in technology have presented both opportunities and vulnerabilities that insiders can exploit. To stay ahead of the curve, many businesses are turning to behavioral analytics and machine learning to detect anomalies in user behavior, enabling early detection and prevention of insider threats.

Protecting businesses from insider threats requires a multifaceted approach that combines technical measures, robust security policies, and a strong security culture. Organizations implementing advanced monitoring systems, such as XDR, are better equipped to detect anomalous behavior and potential insider threats.

With a comprehensive strategy that combines technology, policies, and employee engagement, businesses can enhance their defenses and protect themselves from the damaging impact of insider threats.

Learn how SentinelOne’s Singularity XDR can extend protection from the endpoint level, maximize visibility across full environments, and automate a powerful response against insider threats. Book a demo or contact us today to see how it works.


The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good | Rewards for Justice Offers $10 Million Bounty on Cl0p Gang

The crimeware scene has often been likened to the Wild West, so it’s no surprise that just as outlaws run amok in the digital world, bounty hunters will be offered incentives to aid law enforcement. This week, the Department of State put out a bounty of up to $10 million reward for information on the Cl0p ransomware gang and other malicious cyber actors.

The reward is being offered for information on the identification or location of any person participating in attacks against U.S. critical infrastructure on behalf of foreign governments.

The bounty follows on from CISA’s and the FBI’s recent advisory that Cl0p has been exploiting the MOVEit Transfer vulnerability to target multiple organizations, including The Department of Energy and numerous other federal agencies.

The Rewards for Justice program is run by the Department of State’s Bureau of Diplomatic Security with the remit to combat international terrorism including malicious cyber activity and election interference. Cl0p aren’t the first ransomware gang to be singled out for attention by RfJ: a similar bounty was put on the heads of the now defunct Conti gang, as well as Sandworm APT and REvil, to all of whom researchers have attributed various attacks on U.S. critical infrastructure.

The Bad | Apple Security Under Increasing Scrutiny After More 0-days Patched

Apple released emergency patches this week for three zero days across its operating system platforms, including macOS, iOS, iPadOS and WatchOS. Two of the bugs, the company said, were known to be actively exploited in the wild against versions of iOS released prior to iOS 15.7.

CVE-2023-32434 is an integer overflow vulnerability that could be exploited to execute arbitrary code with kernel privileges, while CVE-2023-32435 is a WebKit memory corruption vulnerability that could allow arbitrary code execution when processing maliciously-crafted web content. Both flaws were reported by researchers at Kaspersky, who published details of an espionage campaign targeting iOS said to have been active since 2019. Analysis of the malware used in the campaign suggests the threat actor may also be targeting macOS.

TriangleDB sample contains code suggesting macOS targets

A third bug, CVE-2023-32439, is a type confusion issue that may lead to arbitrary code execution when processing maliciously-crafted web content. Apple also says this may have been exploited in the wild though it appears unconnected at this time with the campaign reported by Kaspersky.

The bugs come on the heels of three Apple WebKit zero days patched last month, each of which was also said to be actively exploited in the wild, and takes the number of Apple zero days patched in the first half of 2023 to nine.

Given the increasing interoperability and code-sharing between Apple’s various platforms, it’s no surprise that exploitable bugs in one platform represent security risks in others. IT and security teams are urged to treat all their OSs equally in terms of risk and ensure adequate protections and mitigations are in place across all devices in their fleets.

The Ugly | Microsoft Teams Bypass Allows External Accounts to Drop Malware

Microsoft has said that a bypass that can allow malware to be delivered to any Teams account from external accounts did not ‘meet the bar for immediate servicing’. The response may come as an unwelcome surprise to IT and security teams as researchers have shown this week that all MS Teams accounts running in the default configuration are susceptible to the attack.

According to an advisory published on Wednesday, the client-side security controls which are supposed to prevent external tenants sending files can be bypassed simply by switching the internal and external recipient ID on the POST request, a trick which fools the system into treating the external user as an internal one.

The researchers note that the technique circumvents anti-phishing security controls and training advice. In particular, employees are now widely taught to avoid clicking email links, but a phishing email making use of this attack would appear to contain a file rather than an external link.

They further point out that attackers could socially engineer users via Teams calls and lure them into expecting a legitimate file. In one red team engagement, a fake IT technician asked a target to jump on a call as they needed to apply an update to critical software. Once on the call, the ‘attacker’ leveraged the Teams bypass to deliver the payload.

Organizations using Teams are advised to disable External Access in MS Teams Admin Center, if possible, or change security settings to only allow communications between certain allow-listed domains. Further mitigations and workarounds are detailed at the end of the report.

SMS Phishers Harvested Phone Numbers, Shipment Data from UPS Tracking Tool

The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.

In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.

The recent letter from UPS about SMS phishers harvesting shipment details and phone numbers from its website.

“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads. “Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”

The written notice goes on to say UPS believes the data exposure “affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”

As early as April 2022, KrebsOnSecurity began receiving tips from Canadian readers who were puzzling over why they’d just received one of these SMS phishing messages that referenced information from a recent order they’d legitimately placed at an online retailer.

In March, 2023, a reader named Dylan from British Columbia wrote in to say he’d received one of these shipping fee scam messages not long after placing an order to buy gobs of building blocks directly from Lego.com. The message included his full name, phone number, and postal code, and urged him to click a link to mydeliveryfee-ups[.]info and pay a $1.55 delivery fee that was supposedly required to deliver his Legos.

“From searching the text of this phishing message, I can see that a lot of people have experienced this scam, which is more convincing because of the information the phishing text contains,” Dylan wrote. “It seems likely to me that UPS is leaking information somehow about upcoming deliveries.”

Josh is a reader who works for a company that ships products to Canada, and in early January 2023 he inquired whether there was any information about a breach at UPS Canada.

“We’ve seen many of our customers targeted with a fraudulent UPS text message scheme after placing an order,” Josh said. “A link is provided (often only after the customer responds to the text) which takes you to a captcha page, followed by a fraudulent payment collection page.”

Pivoting on the domain in the smishing message sent to Dylan shows the phishing domain shared an Internet host in Russia [91.215.85-166] with nearly two dozen other smishing related domains, including upsdelivery[.]info, legodelivery[.]info, adidascanadaltd[.]com, crocscanadafee[.]info, refw0234apple[.]info, vista-printcanada[.]info and telus-ca[.]info.

The inclusion of big-name brands in the domains of these UPS smishing campaigns suggests the perpetrators had the ability to focus their lookups on UPS customers who had recently ordered items from specific companies.

Attempts to visit these domains with a web browser failed, but loading them in a mobile device (or in my case, emulating a mobile device using a virtual machine and Developer Tools in Firefox) revealed the first stage of this smishing attack. As Josh mentioned, what first popped up was a CAPTCHA; after the visitor solved the CAPTCHA, they were taken through several more pages that requested the user’s full name, date of birth, credit card number, address, email and phone number.

A smishing website targeting Canadians who recently purchased from Adidas online. The site would only load in a mobile browser.

In April 2022, KrebsOnSecurity heard from Alex, the CEO of a technology company in Canada who asked to leave his last name out of this story. Alex reached out when he began receiving the smishing messages almost immediately after ordering two sets of Airpods directly from Apple’s website.

What puzzled Alex most was that he’d instructed Apple to send the Airpods as a gift to two different people, and less than 24 hours later the phone number he uses for his Apple account received two of the phishing messages, both of which contained salutations that included the names of the people for whom he’d bought Airpods.

“I’d put the recipient as different people on my team, but because it was my phone number on both orders I was the one getting the texts,” Alex explained. “That same day, I got text messages referring to me as two different people, neither of whom were me.”

Alex said he believes UPS Canada either doesn’t fully understand what happened yet, or it is being coy about what it knows. He said the wording of UPS’s response misleadingly suggests the smishing attacks were somehow the result of hackers randomly looking up package information via the company’s tracking website.

Alex said it’s likely that whoever is responsible figured out how to query the UPS Canada website for only pending orders from specific brands, perhaps by exploiting some type of application programming interface (API) that UPS Canada makes or made available to its biggest retail partners.

“It wasn’t like I put the order through [on Apple.ca] and some days or weeks later I got a targeted smishing attack,” he said. “It was more or less the same day. And it was as if [the phishers] were being notified the order existed.”

The letter to UPS Canada customers does not mention whether any other customers in North America were affected, and it remains unclear whether any UPS customers outside of Canada may have been targeted.

In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.

“Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries,” reads an email from Brian Hughes, director of financial and strategy communications at UPS.

“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted,” Hughes said. “We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”

Are You Making One of These 8 Cloud Security Mistakes?

Though mass adoption has raised awareness of the need for cloud security, many businesses continue to make the same cloud-related mistakes along the way. Growing dependency on the cloud challenges enterprises on two fronts.

Externally, threat actors continue to sharpen their focus, developing attacks that target organizations’ cloud footprint. Internally, security leaders must accelerate business objectives such as growth and innovation while securing day-to-day operations and the infrastructure that supports them.

To better manage their cloud risk profile, enterprises can examine the pitfalls others have already fallen into. In this post, learn the top eight cloud security mistakes to avoid and how to put the right defenses in place to minimize the risk of cloud-based attacks.

Mistake #1 | Misconfigured Cloud Resources

In recent years, the sheer scale and complexity of cloud infrastructures have made them an attractive target for cybercriminals seeking to exploit vulnerabilities. That complexity invites the first common mistake businesses make when adopting cloud. Because cloud services are deeply interconnected, the attack surface grows with every service that is wired in, and threat actors know that a single successful compromise of one component can cascade into every system connected to it.

When grappling with all the moving elements of cloud adoption, even one misconfiguration or a few inadequate security settings can expose sensitive data and services to the public internet. When this happens, businesses inadvertently provide an entry point for attackers.

One of the most common mistakes is leaving cloud resources, such as storage buckets or databases, publicly accessible without security controls. This often happens at initial setup, when default settings are accepted rather than reviewed, or when a temporary “allow everything” rule used during debugging is never removed. Misconfigured security groups and network access control lists (ACLs) are a second frequent cause of unauthorized access. A security group that permits inbound traffic from 0.0.0.0/0 (all IPv4 addresses) on an administrative port such as SSH (22) or RDP (3389), for example, exposes the instance to every scanner on the internet; a bucket policy whose Principal is “*” does the same for the data inside.

Sticking to best practices for securing cloud resources by configuring them appropriately is imperative to mitigate these risks. Here are some best practices to consider:

  • Conduct regular security configuration reviews to ensure compliance with industry standards, identify any misconfigured security groups, ACLs, or user accounts, and take the necessary actions to remediate them.
  • Implement identity and access management (IAM) to provide access to cloud resources based on users’ job responsibilities, thereby restricting access to only what is necessary for their job function.
  • Use automated configuration tools to ensure consistent, proper configuration of cloud resources, saving time and resources while reducing the possibility of errors.
  • Monitor cloud resources for unusual activity or unauthorized access, enabling quick identification and resolution of potential security threats.
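The configuration review described above can be scripted. The following is an added example written for this article, not code from the original post or from any vendor: it walks constructed records shaped like the AWS EC2 DescribeSecurityGroups and S3 GetBucketPolicy responses and flags the two misconfigurations just discussed, a security group open to the whole internet on a sensitive port and a bucket policy that grants access to every principal without a narrowing Condition. The group IDs, bucket names and the list of sensitive ports are assumptions chosen for illustration; nothing here calls a cloud API.

```python
"""Audit cloud resource configuration for public exposure (offline, constructed input)."""
import ipaddress
import json

# Ports where an allow rule from the whole internet is almost never intended (illustrative list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}


def is_world_cidr(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule):
    """Ports opened by one ingress rule; IpProtocol -1 means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return set(range(0, 65536))
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def audit_security_groups(groups):
    """Flag rules that open a sensitive port to the whole internet (IPv4 or IPv6)."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in sources if is_world_cidr(c)]
            exposed = sorted(rule_ports(rule) & set(SENSITIVE_PORTS))
            if world and exposed:
                findings.append({"resource": sg["GroupId"], "issue": "world-open ingress",
                                 "ports": [f"{p}/{SENSITIVE_PORTS[p]}" for p in exposed],
                                 "sources": world})
    return findings


def audit_bucket_policies(policies):
    """Flag Allow statements granted to every principal with no Condition narrowing them."""
    findings = []
    for bucket, document in policies.items():
        for stmt in json.loads(document).get("Statement", []):
            principal = stmt.get("Principal")
            if isinstance(principal, dict):          # {"AWS": "*"} or {"AWS": ["*", ...]}
                principal = principal.get("AWS")
            anyone = principal == "*" or (isinstance(principal, list) and "*" in principal)
            if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
                actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
                findings.append({"resource": bucket, "issue": "public bucket policy",
                                 "actions": actions})
    return findings


# Constructed sample data (not real accounts): one safe HTTPS group, one SSH-to-the-world group,
# one all-traffic group, one public bucket and one bucket restricted to a VPC endpoint.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb222", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc333", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
BUCKET_POLICIES = {
    "corp-invoices": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::corp-invoices", "arn:aws:s3:::corp-invoices/*"]}]}),
    "www-static": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::www-static/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]}),
}

if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS) + audit_bucket_policies(BUCKET_POLICIES):
        print(finding)
```

Run against the constructed input, the HTTPS-only group and the VPC-endpoint-restricted bucket pass, while sg-0bbb222 (SSH from 0.0.0.0/0 and ::/0), sg-0ccc333 (all traffic from anywhere) and the corp-invoices bucket are reported. In a real review the same functions would be fed the live API responses, and the Principal “*” check should be extended to the provider’s other “everyone” spellings.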

Mistake #2 | Exposed Access Keys, Credentials, and More

Another common cloud security pitfall is the exposure of secrets: access keys, database passwords, API tokens and private keys stored in plain text or hardcoded into application code. Anyone who can read the code can use those credentials to reach the cloud resources they unlock, without defeating any authentication at all.

For instance, if developers keep access keys in a configuration file that is checked into the repository, an attacker who obtains the repository, or finds a copy deployed to a publicly reachable server, walks away with working credentials. Hardcoded keys also leak through source code leaks, public repositories, build logs and container images long after the developer has forgotten they are there.

The following best practices can help security teams effectively manage secrets:

  • Use a secure secrets management system – Employ a secure secrets management system to store all sensitive information. This system should have proper access controls and encrypted and protected secrets.
  • Avoid storing secrets in plain text – Do not commit secrets to source control or hardcode them into code. Inject them at runtime from the secrets management system, for example through environment variables or a file mounted at deploy time, and treat the injected copies as sensitive too: environment variables show up in process listings, crash dumps and child processes.
  • Restrict access to secrets – Limit access to only those requiring it. Follow IAM best practices to grant access to secrets based on job responsibilities.
  • Regularly rotate secrets – Rotate secrets such as access keys on a schedule, and immediately when exposure is suspected, so that a leaked key stays usable only for a bounded window. This limits the impact of a breach rather than preventing it, which is why rotation complements, and does not replace, the controls above.
  • Monitor for secret usage – Monitor secret usage to detect and prevent unauthorized access. By establishing an activity baseline for critical secrets, teams can better understand normal activity versus abnormal activity. This can help identify potential security threats and take appropriate actions to mitigate them.
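Catching hardcoded credentials before they are committed is the cheapest of the controls above. The following scanner is an added example written for this article, not a tool from the original post: it combines two techniques practitioners rely on, fixed-format patterns for credentials that have a recognizable shape (AWS access key IDs start with AKIA or ASIA followed by 16 uppercase alphanumerics; PEM private keys have a fixed header) and a Shannon-entropy check on quoted values assigned to variables whose names suggest a credential, with a placeholder filter so templates such as "${API_KEY}" are not reported. SAMPLE_SOURCE is a constructed file; the key values in it are the documented AWS example key pair and are not live credentials.

```python
"""Scan source text for hardcoded credentials: known key formats plus high-entropy literals."""
import math
import re

# Credentials with a fixed, recognizable shape. Format knowledge beats entropy here.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Quoted value (8+ chars) assigned to a variable whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|password|passwd|token|api[_-]?key|private[_-]?key)\w*)"
    r"\s*[:=]\s*[\"']([^\"']{8,})[\"']")

# Values that are templates or obvious dummies rather than live secrets.
PLACEHOLDERS = re.compile(r"(?i)^(changeme|password|example|xxx+|<.*>|\$\{.*\}|\$[A-Z_]+)$")


def shannon_entropy(s):
    """Entropy of s in bits per character (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return findings for each line; secret values are never echoed, only described."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                # Key IDs and PEM headers are identifiers, not the secret material itself.
                findings.append({"line": lineno, "kind": kind, "match": m.group(0)})
        m = ASSIGNMENT.search(line)
        if m:
            variable, value = m.group(1), m.group(2)
            if PLACEHOLDERS.match(value):
                continue  # template placeholder, not a real secret
            entropy = shannon_entropy(value)
            if entropy >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy_assignment",
                                 "match": f"{variable}=<redacted {len(value)} chars, "
                                          f"{entropy:.2f} bits/char>"})
    return findings


# Constructed sample source. The AKIA... / wJalr... pair is AWS's published example key pair.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]
smtp_password = "changeme"
api_key: "${API_KEY}"
client = boto3.client("s3", region_name="us-east-1")
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['kind']}: {finding['match']}")
```

On the constructed file the scanner reports the access key ID on line 2 and the high-entropy secret key on line 3, and stays quiet on the three acceptable lines: a value read from the environment at runtime, a dummy password and a template placeholder. Wired into a pre-commit hook or CI step, the same logic stops the commit before the repository ever contains the key; wired into a repository history scan, it finds the keys that are already there and need rotating.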

Mistake #3 | Not Using Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is an essential security measure, especially for cloud resources. Without MFA, an attacker only needs a user’s password, obtained through phishing, malware, credential stuffing or any other means, to gain unauthorized access to everything that account can reach.

Enabling MFA significantly strengthens the security posture of cloud environments by requiring a second form of verification, reducing the risk of account compromise, unauthorized access and data breaches. It adds a barrier that makes it much harder for an attacker who already holds a valid password to take over the account and reach sensitive resources.

Following MFA best practices is essential for warding off unauthorized access.

  • Enable MFA for all user accounts – It is crucial to enable MFA for all user accounts, including administrators and privileged users. This can help prevent unauthorized access to cloud resources and ensure that all users are subject to the same level of security measures.
  • Use a trusted MFA solution – A trusted MFA solution compatible with the organization’s cloud infrastructure helps ensure that MFA is correctly integrated and configured, and makes usage easier to manage and monitor. Prefer phishing-resistant factors such as FIDO2/WebAuthn security keys or platform authenticators over SMS one-time codes: as the SIM-swap cases described earlier on this page show, a code delivered to a phone number is only as secure as the carrier’s account-takeover controls.
  • Educate users on MFA – It is essential to educate users on the importance of MFA and how to use it effectively, so that all users understand its benefits and are using it correctly. Provide regular training and support so users know about any updates or changes to MFA policies.
  • Monitor MFA usage – Monitoring MFA usage can help detect and prevent any unauthorized access attempts. This will enable security and IT admin teams to identify potential threats and take appropriate actions to mitigate them.
  • Regularly review and update MFA policies – It is essential to regularly review and update MFA policies to ensure they are aligned with industry best practices and updated to address new threats. This will help to maintain the effectiveness of MFA and ensure that it continues to provide the necessary level of security for cloud resources.
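“Enable MFA for all user accounts” is usually backed by an IAM policy that denies access whenever MFA is absent, and the way such a policy is written matters. The following is an added example for this article, not code from the original post or AWS’s policy engine: a deliberately small evaluator implementing only the pieces needed here (Allow/Deny, action wildcards, and the Bool and BoolIfExists condition operators on the aws:MultiFactorAuthPresent key; Resource and NotAction are ignored). It shows the weak setting beside the corrected one. With long-term access keys the aws:MultiFactorAuthPresent key is not present in the request context at all; a Deny written with Bool evaluates to false on a missing key and silently lets such requests through, whereas BoolIfExists treats the missing key as satisfying the condition and denies them. The policy document and request contexts are constructed.

```python
"""Evaluate a 'deny unless MFA' IAM policy with Bool versus BoolIfExists (toy evaluator)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Every operator/key pair in the Condition block must hold.

    Bool: a key missing from the request context makes the condition false.
    BoolIfExists: a missing key makes the condition true (only checked if present).
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            actual = str(context[key]).lower()
            if actual not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny': explicit Deny wins, otherwise any matching Allow, else implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        if "Condition" in stmt and not condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def deny_without_mfa(operator):
    """Constructed policy: allow S3, deny everything when MFA is not present."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


# Constructed request contexts. A console session carries the key; a request signed with
# long-term access keys carries no aws:MultiFactorAuthPresent key at all.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_REQUEST = {}

WEAK_POLICY = deny_without_mfa("Bool")            # lets access-key requests through
STRONG_POLICY = deny_without_mfa("BoolIfExists")  # denies them

if __name__ == "__main__":
    for label, policy in (("Bool", WEAK_POLICY), ("BoolIfExists", STRONG_POLICY)):
        for name, ctx in (("console+MFA", CONSOLE_WITH_MFA), ("console-noMFA", CONSOLE_WITHOUT_MFA),
                          ("access-key", ACCESS_KEY_REQUEST)):
            print(f"{label:13} {name:14} s3:GetObject -> {evaluate(policy, 's3:GetObject', ctx)}")
```

The run shows both policies allowing a console session with MFA and denying one without, but only the BoolIfExists version denying the access-key request. The same “missing key” reasoning applies to monitoring: a control that keys on an attribute which may be absent needs a rule for the absent case, not just for the wrong value.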

Mistake #4 | Lack of Proper Access Controls

Effective management of cloud resources requires a clear and well-defined access control policy. When organizations fail to establish such a policy, this can render cloud resources vulnerable to unauthorized access, potentially leading to data breaches, compromised sensitive information, and other long-lasting damages.

  • Identify and classify resources – Begin by identifying and classifying the cloud resources within the environment. This includes data, applications, virtual machines, storage buckets, databases, and any other relevant assets.
  • Define access control objectives – Then, determine the specific access control objectives based on the organization’s security requirements and regulatory compliance needs. This could include principles such as least privilege, separation of duties, and need-to-know access.
  • Conduct a user access audit – Perform a comprehensive audit of existing user accounts, roles, and permissions within the cloud environment. This assessment will help identify any inconsistencies, unnecessary privileges, or potential security gaps.

For businesses operating in the cloud, implementing IAM allows the right users and service principals to access cloud resources based on the user’s job responsibilities or a service principal’s role within the environment. Control is granular in this case, only giving identities access to the resources necessary to perform their role. Additionally, the principle of least privilege (PoLP) should be applied, limiting access to the minimum level required for a user to perform their job.

Once access controls are in place, schedule regular reviews to keep them aligned with current best practices and with how the organization actually operates. Access logs must be collected and monitored as part of this, so that unauthorized access attempts are promptly identified and mitigated.

Comprehensive access control policy is a critical component when it comes to safeguarding cloud resources against unauthorized access. Having these policies in place ensures that only those who require access have it and that sensitive data’s confidentiality, integrity, and availability are preserved.

Mistake #5 | Failing to Backup Data

Not having a backup strategy in place is a common cloud security mistake, leaving businesses vulnerable to data loss in the event of a cyberattack or system failure. In the event of data loss with no backups available, businesses are faced with extended downtime as they scramble to recover or recreate lost data. This downtime can disrupt business operations, impact employee productivity, and result in missed deadlines or customer service interruptions.

With a backup strategy, businesses have a much higher chance of achieving service continuity because they can fall back on good-quality backup data. Here are some best practices to help secure cloud resources with proper data backup:

  • Identify critical data – Identify essential data that needs to be backed up, such as customer data, financial records, system configurations, and intellectual property. This can help ensure that the most critical data is always available when it is needed.
  • Use a reliable backup solution – Use a reliable backup solution compatible with the organization’s cloud infrastructure so that backups are appropriately integrated and configured. Keep at least one copy in a separate account, region or immutable store that production credentials cannot modify or delete; a backup that the compromised environment can reach is one a ransomware operator can destroy along with the originals.
  • Regularly test backups – Regularly test backups to ensure that they are working correctly and that data can be recovered when needed. Restore drills surface backup issues, and the true recovery time, before an incident does.
  • Encrypt backups – Encrypted backups protect sensitive data when it is stored or transmitted. This can help prevent unauthorized access to company data and ensure it is always secure.

Mistake #6 | Neglecting to Patch & Update Systems

Outdated systems are more susceptible to malware infections and often carry known vulnerabilities that attackers can exploit. Cybercriminals actively scan for outdated software and exploit these vulnerabilities to gain unauthorized access, launch malware attacks, or steal sensitive data.

In many industries, there are regulatory requirements regarding the maintenance and patching of systems that protect sensitive data, and neglecting to patch can carry legal and financial consequences. Customers who see those consequences may lose confidence in the organization’s ability to protect their data, resulting in lost business and damage to the brand.

Without the right strategy, patch management can become an intensive and difficult task. NIST reported that more than 24,000 common vulnerabilities and exposures (CVEs) were added to the National Vulnerability Database (NVD) in 2022, breaking the previous record of 20,000 from the year before.

As the number of CVEs is expected to increase again in 2023, organizations can follow the best practices below to build an actionable patch management process:

  • Take a risk-based approach to patch management – Patching every incoming CVE the day it is published is not feasible. By prioritizing, organizations apply first the updates most critical to their security posture. Patch management is essential to mitigating business risk and should be aligned with the organization’s overall risk management strategy: once executives and security leaders have identified the risks specific to their industry and business, security teams can prioritize patches accordingly. Key considerations are:
    • The criticality of the affected systems
    • The exploitability of the CVE, including whether exploitation is already observed in the wild and whether the vulnerable component is reachable in this environment
    • The potential impact of exploitation
    • What alternatives to patching exist (compensating controls, network isolation, disabling the vulnerable feature)
  • Establish a baseline inventory – Security teams need an up-to-date inventory of all software to understand where the environment stands. This includes the version of every operating system and application in use, including third-party apps. A CVE only matters if the affected version is actually present, so the baseline tells teams which CVEs are critical to their operations.
  • Categorize patches by priority and risk – Not every patch affects a given environment the same way, so a categorization scheme streamlines the patching process. For example:
    • Critical patches – Actively exploited or exposed vulnerabilities that require immediate deployment, with an emergency change process if necessary.
    • Approval-based patches – Patches that require approval from the affected stakeholders to avoid disruption to day-to-day operations, deployed in a scheduled maintenance window.
    • Low-risk patches – Patches that can be deployed on the regular cycle or as needed.

Mistake #7 | Lack of Continuous Monitoring for Unusual Activity

Cybercriminals are skilled at circumventing detection measures, which makes attacks hard to identify and stop. The lack of continuous monitoring in cloud environments compounds this risk: without it, security incidents and exposed weaknesses can go unnoticed for extended periods, giving attackers time to exploit them undetected.

24/7/365 monitoring capability provides real-time visibility into a cloud environment, making sure security teams can rapidly detect suspicious activities, unauthorized access attempts, or system anomalies. It allows for immediate response and remediation, minimizing the impact of security incidents.

Organizations can improve their posture against lurking cyber threats by implementing these best practices:

  • Implement extended detection and response (XDR) – Deploy an XDR solution to detect and respond to potential cyber threats in real time, enabling businesses to identify unusual activity and take immediate action.
  • Monitor logs and events – Scrutinize logs and events to identify any irregular activity or anomalies that may indicate potential security threats and act accordingly.
  • Set up alerts – Establish automated alerts to promptly notify security teams of any unusual activity or suspicious events, enabling quick and effective responses.
  • Leverage artificial intelligence (AI) and machine learning (ML) – Use AI and ML to analyze data and detect unusual patterns or behavior that traditional, rule- and signature-based monitoring would miss.
  • Build a mature threat detection program – Organizations need to be proactive in identifying and mitigating potential risks. A threat detection program plays a crucial role in safeguarding sensitive data, preserving customer trust, and ensuring business continuity. Such programs include capabilities for monitoring network traffic, analyzing system and cloud audit logs, and automating response actions when an attack is detected.
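“Monitor logs and events” and “set up alerts” become concrete once written as detection logic. The following is an added example for this article, not code from the original post or any product: four detections run over constructed events shaped like AWS CloudTrail records (eventName, userIdentity, sourceIPAddress, and for ConsoleLogin the responseElements.ConsoleLogin outcome and additionalEventData.MFAUsed flag). The rules cover a successful console login without MFA (tying back to Mistake #3), any use of the root account, tampering with the audit trail itself, and a burst of failed logins from one source inside a sliding window. The user names, addresses, timestamps and the five-failures-in-five-minutes threshold are assumptions made for the example.

```python
"""Run simple detections over constructed CloudTrail-style events (offline)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Events that disable or weaken CloudTrail logging: classic defense evasion.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (rule, subject) alerts in time order."""
    alerts = []
    failures = defaultdict(list)          # (user, source IP) -> timestamps of failed logins
    for ev in sorted(events, key=_ts):
        name, ident = ev["eventName"], ev.get("userIdentity", {})
        if ident.get("type") == "Root":
            alerts.append(("root_account_used", f"{name} from {ev['sourceIPAddress']}"))
        if name in TAMPER_EVENTS:
            alerts.append(("cloudtrail_tampering", f"{name} by {_actor(ev)}"))
        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Success" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append(("console_login_without_mfa", f"{_actor(ev)} from {ev['sourceIPAddress']}"))
            if outcome == "Failure":
                key = (_actor(ev), ev["sourceIPAddress"])
                bucket = failures[key]
                bucket.append(_ts(ev))
                bucket[:] = [t for t in bucket if _ts(ev) - t <= window]   # sliding window
                if len(bucket) == fail_threshold:                           # fire once on crossing
                    alerts.append(("console_login_brute_force",
                                   f"{key[0]} from {key[1]}: {fail_threshold} failures in {window}"))
    return alerts


def _event(when, name, user_type, user, ip, **extra):
    """Constructed CloudTrail-like record carrying only the fields the rules read."""
    ev = {"eventTime": when, "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"type": user_type}}
    if user:
        ev["userIdentity"]["userName"] = user
    ev.update(extra)
    return ev


def _login(when, user_type, user, ip, outcome, mfa):
    return _event(when, "ConsoleLogin", user_type, user, ip,
                  responseElements={"ConsoleLogin": outcome},
                  additionalEventData={"MFAUsed": mfa})


# Constructed sample: one clean login, one login without MFA, a root login, a StopLogging
# call, and five failed logins for one user from one address within a minute.
EVENTS = [
    _login("2023-06-30T08:00:01Z", "IAMUser", "alice", "203.0.113.10", "Success", "Yes"),
    _login("2023-06-30T08:02:11Z", "IAMUser", "bob", "203.0.113.22", "Success", "No"),
    _login("2023-06-30T08:05:30Z", "Root", None, "198.51.100.7", "Success", "Yes"),
    _event("2023-06-30T08:06:02Z", "StopLogging", "IAMUser", "bob", "203.0.113.22"),
] + [_login(t, "IAMUser", "carol", "192.0.2.44", "Failure", "No") for t in (
    "2023-06-30T08:10:00Z", "2023-06-30T08:10:15Z", "2023-06-30T08:10:30Z",
    "2023-06-30T08:10:45Z", "2023-06-30T08:11:00Z")]

if __name__ == "__main__":
    for rule, subject in detect(EVENTS):
        print(f"[{rule}] {subject}")
```

On the sample, alice’s login produces nothing, while bob’s login without MFA, the root login, bob’s StopLogging call and carol’s fifth failure each raise one alert. The StopLogging rule is worth singling out: an attacker who can turn off the audit trail defeats every other detection, so tampering with logging should page someone even when the actor is an otherwise legitimate administrator.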

Mistake #8 | Failing to Encrypt Sensitive Business Data

Threat actors targeting cloud environments are particularly interested in data in transit. If that data is unencrypted, the consequences for the business can be serious: anyone who intercepts or otherwise obtains it can read, copy, or modify it outright. This can lead to data breaches exposing sensitive information such as customer data, financial records, intellectual property, or trade secrets.

Unencrypted data is vulnerable to unauthorized modifications during transmission or storage. This compromises the integrity and reliability of the data, making it difficult to trust its accuracy and authenticity. Organizations need to ensure the integrity of their data to maintain trust with customers, business partners, and stakeholders.

For businesses subject to the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), or the Health Insurance Portability and Accountability Act (HIPAA), storing and processing unencrypted data in the cloud can put the organization at risk of non-compliance and potential legal consequences, including fines, penalties, and legal action.

The best practices below help security teams protect sensitive data, ensuring continued confidentiality, integrity, and compliance in cloud environments:

  • Encryption in transit – Transport Layer Security (TLS) protects data transmitted over networks, but older protocol versions (SSL 3.0, TLS 1.0 and 1.1) and weak cipher suites have known weaknesses, so require TLS 1.2 or later and current cipher suites everywhere. Encrypt internal (east-west) traffic between services as well, not only the connections that cross the perimeter.
  • Server-Side Encryption (SSE) – Most cloud providers can encrypt data at rest on the server side, handling encryption and decryption transparently. On AWS S3, for example, the options are SSE-S3 (provider-managed keys), SSE-KMS (keys held in the provider’s key management service, adding access control and audit logging on the key itself) and SSE-C (customer-supplied keys); other platforms offer equivalents. Note that SSE protects against loss of the underlying storage, not against a caller who already has permission to read the object.
  • Client-Side Encryption – In client-side encryption, data is encrypted by the client before it is uploaded to the cloud. The encrypted data is stored in the cloud, and only the client possesses the encryption keys required for decryption. This approach provides an additional layer of control and security.
  • Database-Level Encryption – Businesses can implement encryption at the database level to protect sensitive data stored in cloud databases. This involves encrypting or tokenizing values from specific columns or tables containing sensitive information, such as personally identifiable information (PII) or financial data.
  • Application-Level Encryption – Encryption can be incorporated into the application logic itself. This means that the application handles encryption and decryption of data before it is stored or retrieved from the cloud. Application-level encryption allows for more granular control and customization based on specific business requirements.

Singularity Cloud | How SentinelOne Helps Customers Secure the Cloud

SentinelOne helps organizations protect their workloads across all cloud environments, public, private, and hybrid, through its real-time cloud workload protection platform (CWPP), Singularity Cloud Workload Security. Designed to protect workloads wherever they run – in data centers, AWS, Azure, or Google Cloud, on VMs, in containers, or in Kubernetes clusters – Singularity Cloud delivers real-time detection and response to runtime threats like ransomware, zero-days, and cryptomining malware. It also acts as a flight data recorder for hybrid cloud workloads, providing deep OS process-level visibility with operational stability and low overhead.

Within the current cyber landscape, CWPP is the last line of defense in a multi-layer cloud security strategy. Organizations rely on CWPPs like Singularity Cloud Workload Security, with its multiple AI engines onboard, as their security backstop, stopping the sophisticated attacks that other security controls are not designed to catch.

Conclusion

For both opportunistic and targeted attackers, the cloud remains a lucrative target as more businesses make cloud adoption a major milestone on their digital transformation journeys. Threat actors count on organizations to misstep, and on the cloud’s complexity to make it arduous to manage securely.

To get ahead of cyberattackers, security leaders can sidestep common cloud-based mistakes and make sure their organization has the right strategies in place for each vulnerable area. SentinelOne helps organizations improve their cloud security plan by fusing AI-powered runtime security with streamlined analysis and proactive threat hunting.

Contact us today or book a demo to see how Singularity Cloud Workload Security can create better cloud security outcomes so your organization can focus on accelerating innovation.


Why Malware Crypting Services Deserve More Scrutiny

If you operate a cybercrime business that relies on disseminating malicious software, you probably also spend a good deal of time trying to disguise or “crypt” your malware so that it appears benign to antivirus and security products. In fact, the process of “crypting” malware is sufficiently complex and time-consuming that most serious cybercrooks will outsource this critical function to a handful of trusted third parties. This story explores the history and identity behind Cryptor[.]biz, a long-running crypting service that is trusted by some of the biggest names in cybercrime.

Virtually all malware that is deployed for use in data stealing at some point needs to be crypted. This highly technical, laborious process involves iteratively altering the appearance and behavior of a malicious file until it no longer sets off alarm bells when scanned by different antivirus tools.

Experienced malware purveyors understand that if they’re not continuously crypting their malware before sending it out, then a lot more of whatever digital disease they are trying to spread is going to get flagged by security tools. In short, if you are running a cybercrime enterprise and you’re not equipped to handle this crypting process yourself, you probably need to pay someone else to do it for you.

Thanks to the high demand for reliable crypting services, there are countless cybercriminals who’ve hung out their shingles as crypting service providers. However, most of these people do not appear to be very good at what they do, because most are soon out of business.

One standout is Cryptor[.]biz. This service is actually recommended by the purveyors of the RedLine information stealer malware, which is a popular and powerful malware kit that specializes in stealing victim data and is often used to lay the groundwork for ransomware attacks. Cryptor[.]biz also has been recommended to customers of the Vidar information stealer malware family (via the malware’s Telegram support channels).

WHO RUNS CRYPTOR[.]BIZ?

As good as Cryptor[.]biz may be at obfuscating malware, its proprietor does not appear to have done a great job covering his own tracks. The registration records for the website Cryptor[.]biz are hidden behind privacy protection services, but the site’s homepage says potential customers should register by visiting the domain crypt[.]guru, or by sending a Jabber instant message to the address “masscrypt@exploit.im.”

Crypt[.]guru’s registration records also are hidden, yet passive domain name system (DNS) records for both cryptor[.]biz and crypt[.]guru show that in 2018 the domains were forwarding incoming email to the address obelisk57@gmail.com.

Cyber intelligence firm Intel 471 reports that obelisk57@gmail.com was used to register an account on the forum Blacksoftware under the nickname “Kerens.” Meanwhile, the Jabber address masscrypt@exploit.im has been associated with the user Kerens on the Russian hacking forum Exploit from 2011 to the present day.

The login page for Cryptor dot biz contains several clues about who runs the service.

The very first post by Kerens on Exploit in 2011 was a negative review of a popular crypting service that predated Cryptor[.]biz called VIP Crypt, which Kerens accused of being “shitty” and unreliable. But Intel 471 finds that after his critical review of VIP Crypt, Kerens did not post publicly on Exploit again for another four years until October 2016, when they suddenly began advertising Cryptor[.]biz.

Intel 471 found that Kerens used the email address pepyak@gmail.com, which also was used to register Kerens accounts on the Russian language hacking forums Verified and Damagelab.

Ironically, Verified has itself been hacked multiple times over the years, with its private messages and user registration details leaked online. Those records indicate the user Kerens registered on Verified in March 2009 from an Internet address in Novosibirsk, a city in the southern Siberian region of Russia.

In 2010, someone with the username Pepyak on the Russian language affiliate forum GoFuckBiz[.]com shared that they typically split their time during the year between living in Siberia (during the milder months) and Thailand (when Novosibirsk is typically -15 °C / 5 °F).

For example, in one conversation about the best car to buy for navigating shoddy roads, Pepyak declared, “We have shitty roads in Siberia.” In January 2010, Pepyak asked the GoFuckBiz community where one might find a good USB-based modem in Phuket, Thailand.

DomainTools.com says the email address pepyak@gmail.com was used to register 28 domain names over the years, including a now-defunct Russian automobile sales website called “autodoska[.]biz.” DomainTools shows this website was registered in 2008 to a Yuri Churnov from Sevastopol, Crimea (prior to Russia’s annexation of Crimea in 2014, the peninsula was part of Ukraine).

The WHOIS records for autodoska[.]biz were changed in 2010 to Sergey Purtov (pepyak@gmail.com) from Yurga, a town in Russia’s Kemerovo Oblast, which is a relatively populous area in Western Siberia that is adjacent to Novosibirsk.

A satellite view of the region including Novosibirsk, Yurga and Kemerovo Oblast. Image: Google Maps.

Many of the 28 domains registered to pepyak@gmail.com have another email address in their registration records: unforgiven57@mail.ru. According to DomainTools, the Unforgiven email address was used to register roughly a dozen domains, including three that were originally registered to Kerens’ email address, pepyak@gmail.com (e.g., antivirusxp09[.]com).

One of the domains registered in 2006 to the address unforgiven57@mail.ru was thelib[.]ru, which for many years was a place to download pirated e-books. DomainTools says thelib[.]ru was originally registered to a Sergey U Purtov.

Most of the two-dozen domains registered to pepyak@gmail.com shared a server at one point with a small number of other domains, including mobile-soft[.]su, which was registered to the email address spurtov@gmail.com.

CDEK, an express delivery company based in Novosibirsk, was apparently hacked at some point because cyber intelligence firm Constella Intelligence found that its database shows the email address spurtov@gmail.com was assigned to a Sergey Yurievich Purtov (Сергей Юрьевич Пуртов).

DomainTools says the same phone number in the registration records for autodoska[.]biz (+7.9235059268) was used to secure two other domains — bile[.]ru and thelibrary[.]ru, both of which were registered to a Sergey Y Purtov.

A search on the phone number 79235059268 in Skype reveals these digits belong to a “Sergey” from Novosibirsk with the now-familiar username Pepyak.

Bringing things full circle, Constella Intelligence shows that various online accounts tied to the email address unforgiven57@mail.ru frequently relied on the somewhat unique password, “plk139t51z.” Constella says that same password was used for just a handful of other email addresses, including gumboldt@gmail.com.

Hacked customer records from CDEK show gumboldt@gmail.com was tied to a customer named Sergey Yurievich Purtov. DomainTools found that virtually all of the 15 domain names registered to gumboldt@gmail.com (including the aforementioned mobile-soft[.]su) were at one point registered to spurtov@gmail.com.

Intel 471 reports that gumboldt@gmail.com was used in 2009 to register a user by the nickname “Kolumb” on the Russian hacking forum Antichat. From Kolumb’s posts on Antichat, it seems this user was mostly interested in buying access to compromised computers inside of Russia.

Then in December 2009, Kolumb said they were in desperate need of a reliable crypting service or full-time cryptor.

“We need a person who will crypt software every day, sometimes even a couple of times a day,” Kolumb wrote on Antichat.

Mr. Purtov did not respond to requests for comment sent to any of the email addresses referenced in this report. Mail.ru responded that the email address spurtov@mail.ru is no longer active.

ANALYSIS

As KrebsOnSecurity opined on Mastodon earlier this week, it makes a lot of sense for cybersecurity researchers and law enforcement alike to focus attention on the top players in the crypting space — for several reasons. Most critically, the cybercriminals offering time-tested crypting services also tend to be among the most experienced and connected malicious coders on the planet.

Think of it this way: By definition, a crypting service scans and examines all types of malware before those new nasties are first set loose in the wild. This fact alone should make these criminal enterprises a primary target of cybersecurity firms looking to gain more timely intelligence about new malware.

Also, a review of countless posts and private messages from Pepyak and other crypting providers shows that a successful crypting service will have direct and frequent contact with some of the world’s most advanced malware authors.

In short, infiltrating or disrupting a trusted crypting service can be an excellent way to slow down or even sideline a large number of cybercrime operations all at once.

Further reading on the crypting industry:

This Service Helps Malware Authors Fix Flaws in Their Code
Antivirus is Dead: Long Live Antivirus!