The Good | Authorities Sentence 2020 Twitter Hacker For SIM Swap & Crypto Theft Schemes

Joseph James O’Connor (aka PlugWalkJoe) was sentenced this week to five years in prison for various cybercrimes including his role in the 2020 Twitter Hack. O’Connor is charged with stealing cryptocurrency, money laundering, cyberstalking, and unauthorized access to Twitter, TikTok, and Snapchat accounts. Further, he is ordered to return the $749,000 stolen from a New York-based cryptocurrency firm.

According to the DoJ, O’Connor and his co-conspirators conducted a mass SIM swap attack in 2019 to steal from a targeted cryptocurrency firm. In SIM swap attacks, a threat actor gains control of a victim’s mobile phone number by linking it to an SIM card controlled by the actors. The victim’s calls and messages are then routed to the actor-controlled device and used to access accounts registered with the victim’s number. Using this technique, O’Connor and his associates successfully targeted three of the cryptocurrency firm’s executives and obtained access to the company’s internal accounts and system.

In the 2020 Twitter Hack, O’Connor and his associates again used SIM swaps, along with social engineering tactics, to gain access to Twitter’s back-end tools and transfer control of high-profile accounts to various unauthorized users. While some accounts were hijacked by the actors themselves, O’Connor sold the access rights of several well-known accounts. Using similar techniques, O’Connor also hijacked TikTok and Snapchat accounts to participate in online extortion, harassment, and cyber stalking.

These attacks on social media platforms underscore the impact that cyber attacks have on everyday users. As the rate of digital identity theft skyrockets and threat actors continue to eye up popular apps and services, implementing strong identity-based controls remains a high-priority task for organizations in all industries.

The Bad | New Infostealer Malware Dubbed “ThirdEye” Targets Windows Devices

A newly discovered Windows-based infostealer dubbed “ThirdEye” has been spotted in the wild, harvesting sensitive data from infected hosts. Security researchers this week reported on an executable masquerading as a PDF file which hosts the info-stealing malware. While the arrival vector for the malware isn’t yet known, researchers believe it is used in phishing campaigns.

Based on an earlier version of ThirdEye that was uploaded to VirusTotal in early April, the infostealer is evolving and now shows capabilities of gathering system metadata such as BIOS release dates and vendors, total and free disk space on C: drives, volume information, and registered usernames. Details collected are then transmitted to a command-and-control (C2) server.

Though the malware is not considered technically sophisticated, researchers warn that its purpose-built design allows malicious users to gather critical information for use in future attacks. In the case of ThirdEye, the information stolen could be used by attackers as a way of narrowing down potential targets and planning unique campaigns.

There are no current indications that ThirdEye has been used in the wild. However, given the fact that the infostealer artifacts were uploaded to VirusTotal from Russia, researchers speculate that any malicious activity leveraging the malware is likely being aimed at Russian-speaking organizations. ThirdEye is the latest to make an appearance following a marked surge of infostealer malware being sold on Russian darknets.

As more infostealers become readily available, enabling cybercriminals to launch their ransomware campaigns, organizations should invest in machine learning algorithms and analytics to identify patterns indicating suspicious activity in real-time.

The Ugly | Emerging 8Base Ransomware Group Responsible For Uptick In Ransomware Attacks

First appearing in March, the emerging ransomware group called 8Base has accelerated its activity over the past two months, targeting small to medium-sized businesses worldwide in double extortion “name and shame” attacks. According to security analysts, ransomware attacks have spiked in May and June so far, up respectively 24% from this April and 56% compared to the same period last year. 8Base claims a significant role in this surge, responsible for more than 15% of all ransomware victims recorded last month.

In double extortion attacks, threat actors exfiltrate and encrypt all of a victim’s sensitive data, giving them extra leverage when demanding ransom payments. Actors then threaten to release or sell the data onto the dark web unless payment is made.

Like many other groups in the threat landscape though, 8Base accepts ransom payments in Bitcoin only and claims on its leak site to be “honest and simple pentesters”. The group employs multiple streams of communication, including an active Twitter profile and several encrypted Telegram channels. Latest findings on the group note that 8Base has compromised businesses across a large span of industries but has not shown allegiance to any one particular methodology or source of motivation.

8base ransomware group has exploded in victim postings. Their output rivals the big 3.

Prediction: in the coming months they will become a big player in the ransomware scene.

— vx-underground (@vxunderground) June 29, 2023

Based on the speed and effectiveness shown in recent attacks, security researchers believe this denotes a well-established and mature operation, indicating 8base may be comprised of members of some previously successful ransomware group. Malware research site vx-underground has compared 8Base’s recent attacks to those of the “Big 3”; namely, Conti, LockBit, and ALPHV ransomware groups. SentinelOne customers are autonomously protected from 8Base ransomware attacks.

The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware operation. Despite the developer’s partial implementation of some features, the group emerged onto the scene at the end of May with a high-profile attack against the Chilean Army, continuing the ongoing trend of ransomware groups targeting Latin American government institutions. On June 15, the group leaked the files stolen from the Chilean Army.

In this post, we provide a high-level overview of Rhysida ransomware activity and present technical details of the malware payloads, along with hunting rules and IoCs to aid threat hunters and security teams.

Recent Attacks Attributed to Rhysida

On May 29 2023, the Chilean Army reported that it had been the target of a cyberattack affecting the organization’s internal network on Saturday, May 27. The attack was later attributed to Rhysida.

Strategically, the Rhysida group’s attack against the army of Chile distinguishes this newcomer from the sea of ransomware newcomers. It should be noted that Rhysida is an apparently independent ransomware group: SentinelOne has not observed any overt connections to existing ransomware operations. As such, any potential geopolitical ramifications from attacking Chile’s government are as yet unclear. This is not the first time a Chilean governmental organization has been compromised by a new ransomware family, as demonstrated by the ARCrypter attack in November 2022.

The attack was followed by the leaking of data belonging to the army on June 15th. Through the week of June 19 2023, Rhysida’s leaks page displayed an influx of further victims, including multiple organizations in each of the following sectors:

• Education
• Government
• Manufacturing
• Technology and Managed Service Providers (MSP)

Victims are distributed throughout Western Europe, North & South America, and Australia, loosely aligning the group’s targeting with many ransomware operations that avoid targeting countries in Eastern Europe and Central Asia’s Commonwealth of Independent States. There are no Asian organizations posted at this time.

Operational Overview

The Rhysida ransomware group was first observed in May of 2023, following the emergence of their victim support chat portal, hosted via TOR (.onion).  The name “Rhyshida” refers to a specific genus of centipede.  This is also reflected in the ‘branding’ on their victim blog.

An Apache configuration status page reveals that the web server hosting the portal was first set up in March 2023. The group has since migrated their blog to a more ‘hardened’ instance of nginx, and these server configuration details and status are no longer visible. This move may have been prompted by the original IP address being exposed across various underground forums and markets.

Rhysida is a privately marketed RaaS without known forum presence. The group positions themselves as a “cybersecurity team” who are doing their victims a favor by targeting their systems and highlighting the potential ramifications of the involved security issues. The group threatens victims with public distribution of the exfiltrated data, bringing them in line with modern-day multi-extortion groups.

The groups website also serves as a portal for Rhysida-centric news and media coverage, as well as details on how to contact the group should journalists, recovery firms or “fans” be inclined to do so.

Victims are instructed to contact the attackers via their TOR-based portal, utilizing their unique identifier provided in the ransom notes. Rhysida accepts payment in Bitcoin only, providing information on the purchase and use of BTC on the victim portal as well. Upon providing their unique ID to the payment portal, an additional form is presented that allows victims to provide additional information to the attackers, such as authentication and contact details.

Technical Details

Rhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC. In each sample analyzed, the application’s program name is set to Rhysida-0.1, suggesting the tool is in early stages of development.

A notable characteristic of the tool is its plain-text strings revealing registry modification commands.

Rhysida Encryption & File Processing

For encryption, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm. Its main function initializes the ransomware’s overall runtime, including encryption specifics. The main function contains several nested if-else conditions that handle arguments that specify different encryption implementations. The processFileEnc function contains code blocks for other encryption methods, including Rijndael, though the preceding functions are prefixed “test”.

processFileEnc calls init_prng, which initializes the encryption routine’s pseudo-random number generator that is passed to the chacha_crypt function.

The processFileEnc function contains code that lists files and parses the current file name. Following encryption, Rhysida appends the .rhysida extension to the name of encrypted files.

After the encryption details are established, Rhysida enumerates files and folders connected to the system. The main function ends by calling PowerShell to delete the binary after encryption has completed.

Rhysida uses a file exclusion list to avoid encrypting certain files. This check occurs in the isFileExcluded function, which compares the current file extension against exclude_extensions, an array that contains the following excluded file extensions:

[ bat, bin, 
  cab, cmd, com, cur, 
  diagcab, diagcfg, diagpkg, drv, dll, 
  exe, 
  hlp, hta, 
  ico, ini, iso, 
  lnk, 
  msi, 
  ocx, 
  ps1, psm1, 
  scr, sys,  
  Thumbs-db, 
  url 
]

This function initializes two variables, exclude_i as 0 and exclude_c as 11, which iterate through the array of 27 excluded file extensions and the length of the current file name.

Extended features, beyond encrypting files, are still not present in current variations of Rhysida. The most recent of analyzed samples continue to lack commodity features like VSS Removal, multiple persistence mechanisms, process termination or unhooking.

Ransom Note & Victim Notification

Rhysida generates the ransom note as a PDF document. The content of the doc is embedded in the binary in clear text. This is a missed opportunity for the actors: PDF is a powerful document format that enables data to be encoded in many ways, often not in clear text. If the developer embeds the PDF object within the binary instead of constructing the PDF at runtime from unencrypted strings, Rhysida would evade string-based detection based on ransom note language.

Rhysida’s setBG function is designed to create a new image, write it to C:UsersPublicbg.jpg, and run registry modifications via cmd.exe to change the wallpaper and prevent the victim’s ability to change it. During SentinelOne’ analysis, this process did not execute successfully and the JPG is not written to disk.

The setBG function pulls elements from the PDF ransom note and allocates them to a buffer, which then is inserted into a new JPG image. The developer misspelled Control Panel as Conttol Panel in two of the registry modification commands. We patched the binary to correct the spelling, but the wallpaper still did not change.

It is of note that this misspelling flaw persists across versions of Rhysida. Original versions (example: 69b3d913a3967153d1e91ba1a31ebed839b297ed) compiled on May 15, 2023 as well as the sample associated with the Chilean Army attack (338d4f4ec714359d589918cee1adad12ef231907, compiled on May, 27, 2023) each contain this issue.

SentinelOne Protects Against Rhysida Ransomware

The SentinelOne Agent detects Rhysida ransomware and prevents execution and file encryption.

For details about Rhysida and other ransomware families, visit SentinelOne’s Ransomware Anthology page.

Conclusion

Rhysida represents an unusual combination of techniques that suggest the developer is thinking outside the confines of contemporary ransomware. Features like the PDF ransom note could be leveraged for enhanced stealth, while the wallpaper changing feature is quite obtrusive, though not yet functional.

There are hallmarks of a less seasoned actor, such as the unobfuscated registry modification and PowerShell commands seen throughout the program. However, these are cosmetic fixes. Time will tell whether the developer’s choice to omit ubiquitous features, such as VSS copy deletion, will pay off or be supplemented through tools outside of the Rhysida application.

Indicators of Compromise (IOC)

YARA Hunting Rule

SentinelOne is providing the following YARA rule that defenders can use to identify Rhysida ransomware binaries.

rule rw_rhysida {

	meta:
		author = "Alex Delamotte"
		description = "Rhysida ransomware detection."
		sample = "69b3d913a3967153d1e91ba1a31ebed839b297ed"
		reference = "https://s1.ai/rhys"
	strings:
		$typo1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 74 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 }
		$cmd1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 41 63 74 69 76 65 44 65 73 6B 74 6F 70 }
		$cmd2 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 53 79 73 74 65 6D 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 43 3A 5C 55 73 65 72 73 5C 50 75 62 6C 69 63 5C 62 67 2E 6A 70 67 22 20 2F 66 }
		$byte1 = { 48 8D 05 72 AA 05 00 48 8B 00 8B 95 }
		$byte2 = { 48 8D 15 89 CF 03 00 48 89 C1 E8 F9 1C 03 00 44 }
	condition:
		2 of them
}

The Good | Rewards for Justice Offers $10 Million Bounty on Cl0p Gang

The crimeware scene has often been likened to the Wild West, so it’s no surprise that just as outlaws run amok in the digital world, bounty hunters will be offered incentives to aid law enforcement. This week, the Department of State put out a bounty of up to $10 million reward for information on the Cl0p ransomware gang and other malicious cyber actors.

Advisory from @CISAgov, @FBI: https://t.co/jenKUZRZwt

Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government?

Send us a tip. You could be eligible for a reward.#StopRansomware pic.twitter.com/fAAeBXgcWA

— Rewards for Justice (@RFJ_USA) June 16, 2023

The reward is being offered for information on the identification or location of any person participating in attacks against U.S. critical infrastructure on behalf of foreign governments.

The bounty follows on from CISA’s and the FBI’s recent advisory that Cl0p has been exploiting the MOVEit Transfer vulnerability to target multiple organizations, including The Department of Energy and numerous other federal agencies.

The Rewards for Justice program is run by the Department of State’s Bureau of Diplomatic Security with the remit to combat international terrorism including malicious cyber activity and election interference. Cl0p aren’t the first ransomware gang to be singled out for attention by RfJ: a similar bounty was put on the heads of the now defunct Conti gang as well as Sandworm APT and REvil, all of whom researchers have attributed various attacks on U.S. critical infrastructure to.

The Bad | Apple Security Under Increasing Scrutiny After More 0-days Patched

Apple released emergency patches this week for three zero days across its operating system platforms, including macOS, iOS, iPadOS and WatchOS. Two of the bugs, the company said, were known to be actively exploited in the wild against versions of iOS released prior to iOS 15.7.

CCVE-2023-32434 is an integer overflow vulnerability that could be exploited to execute arbitrary code with kernel privileges, while CVE-2023-32435 is a WebKit memory corruption vulnerability that could allow arbitrary code execution when processing maliciously-crafted web content. Both flaws were reported by researchers at Kaspersky, who published details of an espionage campaign targeting iOS said to have been active since 2019. Analysis of the malware used in the campaign suggests the threat actor may also be targeting macOS.

A third bug, CVE-2023-32439, is a type confusion issue that may lead to arbitrary code execution when processing maliciously-crafted web content. Apple also says this may have been exploited in the wild though it appears unconnected at this time with the campaign reported by Kaspersky.

The bugs come on the heels of three Apple WebKit zero days patched last month, each of which was also said to be actively exploited in the wild, and takes the number of Apple zero days patched in the first half of 2023 to nine.

Given the increasing interoperability and code-sharing between Apple’s various platforms, it’s no surprise that exploitable bugs in one platform represent security risks in others. IT and security teams are urged to treat all their OSs equally in terms of risk and ensure adequate protections and mitigations are in place across all devices in their fleets.

The Ugly | Microsoft Teams Bypass Allows External Accounts to Drop Malware

Microsoft has said that a bypass that can allow malware to be delivered to any Teams account from external accounts did not ‘meet the bar for immediate servicing’. The response may come as an unwelcome surprise to IT and security teams as researchers have showed this week that all MS Teams accounts running in the default configuration are susceptible to the attack.

According to an advisory published on Wednesday, the client-side security controls which are supposed to prevent external tenants sending files can be bypassed simply by switching the internal and external recipient ID on the POST request, a trick which fools the system into treating the external user as an internal one.

#Advisory: IDOR in Teams Allows for new Payload Delivery Avenue! @CorbridgeMax and @tde_sec from our #redteam recently discovered an #IDOR vulnerability in Teams which opens the door to a novel #payload delivery avenue.

Check it out! https://t.co/658nhzm3b3#C2 #microsoft

— Jumpsec Labs (@JumpsecLabs) June 21, 2023

The researchers note that the technique circumvents anti-phishing security controls and training advice. In particular, employees are now widely taught to avoid clicking email links, but a phishing email making use of this attack would appear to contain a file rather than an external link.

They further point out that attackers could socially engineer users via Teams calls and lure them into expecting a legitimate file. In one red team engagement, a fake IT technician asked a target to jump on a call as they needed to apply an update to critical software. Once on the call, the ‘attacker’ leveraged the Teams bypass to deliver the payload.

Organizations using Teams are advised to disable External Access in MS Teams Admin Center, if possible, or change security settings to only allow communications between certain allow-listed domains. Further mitigations and workarounds are detailed at the end of the report.

Though mass adoption has driven an increased awareness and need for cloud security, many businesses continue to make common cloud-related mistakes along their journey. Increased dependency on the cloud has presented challenges for enterprises on two fronts.

Externally, threat actors continue to sharpen their focus, developing attacks targeting organizations’ cloud footprint. From an internal standpoint, security leaders face the challenge of accelerating their business objectives, such as growth and innovation, while securing day-to-day operations and the infrastructure that supports it.

To better manage their cloud risk profile, enterprises can optimize their cloud security journeys by examining common pitfalls. In this post, learn the top eight cloud security mistakes to avoid and how to implement the right defenses in place to minimize the risk of cloud-based attacks.

Mistake #1 | Misconfigured Cloud Resources

In recent years, the sheer scale and complexity of cloud infrastructures have made it an attractive target for cybercriminals seeking to exploit vulnerabilities. The complexity is what invites the first common mistake that businesses make when adopting cloud. Since the interconnected nature of cloud services increases the potential attack surface, threat actors know that a single, successful compromise in one component can potentially impact all other interconnected systems.

When grappling with all the moving elements of cloud adoption, even one misconfiguration or a few inadequate security settings can expose sensitive data and services to the public internet. When this happens, businesses inadvertently provide an entry point for attackers.

One of the most common mistakes is leaving cloud resources, such as storage buckets or databases, publicly accessible without security controls. This can happen when cloud resources are initially set up and the default security settings are not properly configured. In addition, misconfigured security groups and network access control lists (ACLs) can lead to unauthorized access to cloud resources. As an example, a security group that permits traffic from all IP addresses can expose resources to external threats.

Sticking to best practices for securing cloud resources by configuring them appropriately is imperative to mitigate these risks. Here are some best practices to consider:

• Conduct regular security configuration reviews to ensure compliance with industry standards, identify any misconfigured security groups, ACLs, or user accounts, and take the necessary actions to remediate them.
• Implement identity and access management (IAM) to provide access to cloud resources based on users’ job responsibilities, thereby restricting access to only what is necessary for their job function.
• Use automated configuration tools to ensure consistent, proper configuration of cloud resources, saving time and resources while reducing the possibility of errors.
• Monitor cloud resources for unusual activity or unauthorized access, enabling quick identification and resolution of potential security threats.

Mistake #2 | Exposed Access Keys, Credentials, and More

Another common cloud security pitfall is related to the exposure of secrets, such as access keys that are hardcoded into code. One of the most prevalent missteps in cloud security is the storage of secrets in plain text or hard coded into code, which can result in unauthorized access to cloud resources.

For instance, if developers store access keys or other sensitive information in plain text, it can be effortlessly accessed by attackers who gain access to the code repository or when the code is deployed to a publicly accessible server. Similarly, if access keys are hardcoded into code, they can be easily exposed through source code leaks or public repositories.

The following best practices can help security teams effectively manage secrets:

• Use a secure secrets management system – Employ a secure secrets management system to store all sensitive information. This system should have proper access controls and encrypted and protected secrets.
• Avoid storing secrets in plain text – Refrain from keeping secrets in plain text or hardcoding them into code. Instead, use environment variables or configuration files to store secrets.
• Restrict access to secrets – Limit access to only those requiring it. Follow IAM best practices to grant access to secrets based on job responsibilities.
• Regularly rotate secrets – Rotate secrets, such as access keys, regularly to prevent unauthorized access. This can help limit the impact of breaches and reduce the risk of unauthorized access.
• Monitor for secret usage – Monitor secret usage to detect and prevent unauthorized access. By establishing an activity baseline for critical secrets, teams can better understand normal activity versus abnormal activity. This can help identify potential security threats and take appropriate actions to mitigate them.

Mistake #3 | Not Using Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is an essential security measure that should be considered, especially when securing cloud resources. Without MFA in place, an attacker only needs to compromise a user’s password to gain unauthorized access to cloud resources. This can happen through various means, such as phishing attacks, malware, or other methods.

Enabling MFA significantly strengthens the security posture of cloud environments by requiring an additional layer of verification, reducing the risk of account compromises, unauthorized access, and data breaches. It adds an extra barrier for attackers, making it harder for attackers to gain control over user accounts and access sensitive resources.

Following the best practices for using MFA are essential for warding off unauthorized access.

• Enable MFA for all user accounts – It is crucial to enable MFA for all user accounts, including administrators and privileged users. This can help prevent unauthorized access to cloud resources and ensure that all users are subject to the same level of security measures.
• Use a trusted MFA solution – A trusted MFA solution compatible with the organization’s cloud infrastructure can help ensure that MFA is correctly integrated and configured. This will make it easier to manage and monitor MFA usage and increase the overall security of the organization’s cloud resources.
• Educate users on MFA – It is essential to educate users on the importance of using MFA and how to use it effectively. This can help ensure that all users understand the benefits of MFA and are using it correctly. It is also essential to provide regular training and support to ensure users know any updates or changes to MFA policies.
• Monitor MFA usage – Monitoring MFA usage can help detect and prevent any unauthorized access attempts. This will enable security and IT admin teams to identify potential threats and take appropriate actions to mitigate them.
• Regularly review and update MFA policies – It is essential to regularly review and update MFA policies to ensure they are aligned with industry best practices and updated to address new threats. This will help to maintain the effectiveness of MFA and ensure that it continues to provide the necessary level of security for cloud resources.

Mistake #4 | Lack of Proper Access Controls

Effective management of cloud resources requires a clear and well-defined access control policy. When organizations fail to establish such a policy, this can render cloud resources vulnerable to unauthorized access, potentially leading to data breaches, compromised sensitive information, and other long-lasting damages.

• Identify and classify resources – Begin by identifying and classifying the cloud resources within the environment. This includes data, applications, virtual machines, storage buckets, databases, and any other relevant assets.
• Define access control objectives – Then, determine the specific access control objectives based on the organization’s security requirements and regulatory compliance needs. This could include principles such as least privilege, separation of duties, and need-to-know access.
• Conduct a user access audit – Perform a comprehensive audit of existing user accounts, roles, and permissions within the cloud environment. This assessment will help identify any inconsistencies, unnecessary privileges, or potential security gaps.

For businesses operating in the cloud, implementing IAM allows the right users and service principals to access cloud resources based on the user’s job responsibilities or a service principal’s role within the environment. Control is granular in this case, only giving identities access to the resources necessary to perform their role. Additionally, the principle of least privilege (PoLP) should be applied, limiting access to the minimum level required for a user to perform their job.

After implementing regular access control, scheduled reviews should be conducted to ensure alignment with current best practices. This includes gathering access logs that must be monitored regularly, with any unauthorized access attempts promptly identified and mitigated.

Comprehensive access control policy is a critical component when it comes to safeguarding cloud resources against unauthorized access. Having these policies in place ensures that only those who require access have it and that sensitive data’s confidentiality, integrity, and availability are preserved.

Mistake #5 | Failing to Backup Data

Not having a backup strategy in place is a common cloud security mistake, leaving businesses vulnerable to data loss in the event of a cyberattack or system failure. In the event of data loss with no backups available, businesses are faced with extended downtime as they scramble to recover or recreate lost data. This downtime can disrupt business operations, impact employee productivity, and result in missed deadlines or customer service interruptions.

With a backup strategy, businesses have a much higher chance in achieving service continuity as they lean on good-quality backup data. Here are some best practices to help secure cloud resources with proper data backup:

• Identify critical data – Identify essential data that needs to be backed up, such as customer data, financial records, system configurations, and intellectual property. This can help ensure that the most critical data is always available when it is needed.
• Use a reliable backup solution – Use a reliable backup solution compatible with the organization’s cloud infrastructure. This can help ensure that backups are appropriately integrated and configured.
• Regularly test backups – Regularly test backups to ensure that they are working correctly and that data can be recover when needed. This can help admins identify any backup issues and take appropriate actions to mitigate them.
• Encrypt backups – Encrypted backups protect sensitive data when it is stored or transmitted. This can help prevent unauthorized access to company data and ensure it is always secure.

Mistake #6 | Neglecting to Patch & Update Systems

Outdated systems are more susceptible malware infections and often have known vulnerabilities that can be exploited by attackers. Cybercriminals actively scan for outdated software and exploit these vulnerabilities to gain unauthorized access, launch malware attacks, or steal sensitive data.

In many industries, there are regulatory requirements regarding the maintenance and patching of systems to protect sensitive data. Neglecting to patch and update systems can result in legal and financial consequences. Customers seeing these results may lose confidence in the organization’s ability to protect their data, resulting in a loss of business and a negative impact on brand reputation.

Without the right strategy, patch management can become an intensive and difficult task. NIST reported that more than 24,000 common vulnerabilities and exposures (CVEs) were added to the National Vulnerability Database (NVD) in 2022, breaking the previous record of 20,000 from the year before.

As the number of CVE is expected to increase in 2023, organizations can follow the below best practices to build an actionable patch management process:

• Take a risk-based approach to patch management – Patching every incoming CVE is not feasible. By taking a calculated approach to managing patches, organizations can apply updates most critical to their security posture. Patch management is essential to mitigating business risks and should be aligned with the organization’s overall risk management strategy. Once the C-suite executives and security leaders assess and identify the critical risks specific to their identity and business, security teams can more effectively prioritize patches. Some key considerations for leaders are:
  • The criticality of affected systems
  • The exploitability of the CVE
  • The potential impact of the exploitation
  • Wat alternative options there are to patching
• Establish a baseline inventory – Security teams need to keep an updated inventory of all software to understand where the environment stands. This includes determining the version of all operating systems and applications in use, and any third-party apps. Understanding the baseline helps teams pay attention to CVEs most critical to operations.
• Categorize and group assets by priority and risk – Not all patches will impact a unique environment the same way, so establishing a way to categorize them will help teams streamline the patching process. Patches can be divided into categories such as:
  • Critical-level patches – These require immediate attention and should be deployed immediately.
  • Approval-based patches – These require approval from the necessary stakeholders to avoid disruptions to day-to-day operations.
  • Low risk-level patches – These can be deployed on an as-needed basis.

Mistake #7 | Lack of Continuous Monitoring for Unusual Activity

Cybercriminals are skilled at circumventing detection measures, making identifying and stopping attacks challenging. The lack of continuous monitoring in cloud security poses significant risks for organizations. Without continuous monitoring, potential security incidents and vulnerabilities can go unnoticed for extended periods, allowing attackers to exploit weaknesses undetected.

24/7/365 monitoring capability provides real-time visibility into a cloud environment, making sure security teams can rapidly detect suspicious activities, unauthorized access attempts, or system anomalies. It allows for immediate response and remediation, minimizing the impact of security incidents.

Organizations can improve their posture against lurking cyber threats by implementing these best practices:

• Implement extended detection and response (XDR) – Deploy an XDR solution to detect and respond to potential cyber threats in real time, enabling businesses to identify unusual activity and take immediate action.
• Monitor logs and events – Scrutinize logs and events to identify any irregular activity or anomalies that may indicate potential security threats and act accordingly.
• Set up alerts – Establish automated alerts to promptly notify security teams of any unusual activity or suspicious events, enabling quick and effective responses.
• Leverage artificial intelligence (AI) and machine learning (ML) – Utilize advanced technologies, such as artificial intelligence and machine learning, to analyze data and detect unusual patterns or behavior that traditional monitoring tools may otherwise go unnoticed.
• Build a mature threat detection program – Organizations need to be proactive in identifying and mitigating potential risks. Having a threat detection program in place plays a crucial role in safeguarding sensitive data, preserving customer trust, and ensuring business continuity. Programs will include capabilities for monitoring network traffic, analyzing system logs, and employing advanced algorithms to take immediate action in the event of a cyberattack.

Mistake #8 | Failing to Encrypt Sensitive Business Data

Threat actors with their eyes on clouds particularly like to target data during transit. If this data was unencrypted, it can introduce serious consequences for the business. Unencrypted data is highly susceptible to unauthorized access. If an attacker gains access to unencrypted data, they can easily read, copy, or modify it without leaving any trace. This can lead to data breaches, exposing sensitive information such as customer data, financial records, intellectual property, or trade secrets.

Unencrypted data is vulnerable to unauthorized modifications during transmission or storage. This compromises the integrity and reliability of the data, making it difficult to trust its accuracy and authenticity. Organizations need to ensure the integrity of their data to maintain trust with customers, business partners, and stakeholders.

For businesses following General Data Protection Regulation (GDPR), Payment Card Industry (PCI), or the Health Insurance Portability and Accountability Act (HIPAA) frameworks, storing and processing unencrypted data in the cloud can put organizations at risk of non-compliance and potential legal consequences, including fines, penalties, and legal actions.

The below best practices help security teams protect sensitive data; ensuring continued confidentiality, integrity, and compliance in cloud environments:

• Encryption In Transit – Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocols are used to provide encryption for data transmitted over networks, but may contain implementation gaps and vulnerabilities, particularly in older versions of SSL. Organizations should focus on encrypting data in transit through internal network endpoints.
• Server-Side Encryption (SSE) – Many cloud service providers offer server-side encryption options. With SSE, the cloud provider handles the encryption and decryption processes. Businesses can choose from options like SSE-S3, SSE-KMS, or SSE-C, depending on the specific cloud platform they are using.
• Client-Side Encryption – In client-side encryption, data is encrypted by the client before it is uploaded to the cloud. The encrypted data is stored in the cloud, and only the client possesses the encryption keys required for decryption. This approach provides an additional layer of control and security.
• Database-Level Encryption – Businesses can implement encryption at the database level to protect sensitive data stored in cloud databases. This involves encrypting or tokenizing values from specific columns or tables containing sensitive information, such as personally identifiable information (PII) or financial data.
• Application-Level Encryption – Encryption can be incorporated into the application logic itself. This means that the application handles encryption and decryption of data before it is stored or retrieved from the cloud. Application-level encryption allows for more granular control and customization based on specific business requirements.

Singularity Cloud | How SentinelOne Helps Customers Secure the Cloud

SentinelOne helps organizations protect their workloads across all cloud environments, public, private, and hybrid, through its real-time cloud workload protection platform (CWPP), Singularity Cloud Workload Security. Designed to protect workloads wherever they run – in data centers, AWS, Azure, or Google Cloud, VMs, containers, or Kubernetes clusters – Singularity Cloud delivers real-time detection and response to runtime threats like ransomware, zero-days, and cryptoming malware. It also acts as a flight data recorder for hybrid cloud workloads, for deep OS process-level visibility, maximum operational stability, and superior performance in low overhead.

Within the current cyber landscape, CWPP is the last line of defense in a multi-layer cloud security strategy. Organizations rely on CWPPs like Singularity Cloud Workload Security, with its multiple AI engines onboard, to serve as their security backstop, stopping the sophisticated attacks which other security controls are not designed to do.

Conclusion

For both opportunistic and targeted attacks, the cloud remains a lucrative target as more businesses make cloud adoption a major milestone on their digital transformation journeys. Threat actors focused on cloud continue to bank on organizations to misstep and rely on the cloud’s nature of being complex and arduous to manage.

To get ahead of cyberattackers, security leaders can sidestep common cloud-based mistakes and make sure their organization has the right strategies in place for each vulnerable area. SentinelOne helps organizations improve their cloud security plan by fusing AI-powered runtime security with streamlined analysis and proactive threat hunting.

Contact us today or book a demo to see how Singularity Cloud Workload Security can create better cloud security outcomes so your organization can focus on accelerating innovation.