The Good, the Bad and the Ugly in Cybersecurity – Week 23

The Good | SEC Gets Tough With ‘Wild West’ Crypto

Whatever its merits, it’s fair to say that the boom in cryptocurrency has helped fuel the rampant cybercrime and ransomware scene organizations face today, as well as help fund certain nation-state threat actors. Good news, then, that the SEC is starting to flex its muscles and hold crypto firms accountable to the same rules and standards of good governance expected elsewhere in our financial system.

On Monday, the SEC filed charges against Binance, the world’s largest cryptocurrency exchange, and its founder, Changpeng Zhao, and by Tuesday had followed up with an emergency motion seeking to freeze the company’s U.S. assets. The initial charges alleged that Binance and Zhao had defrauded investors, operated as an unregistered broker and improperly commingled investor and Binance funds. The charges saw investors pull almost $800 million from the firm in 24 hours.

The SEC followed its actions against Binance with charges against Coinbase for operating as an unregistered securities exchange, broker and clearing house, as well as for the unregistered sale of its crypto asset staking-as-a-service program. The action was followed by Moody’s downgrading its rating of Coinbase to ‘negative’ and other financial services firms saying that shares in the company were ‘uninvestable’ in the short term.

“The whole business model is built on a noncompliance with the U.S. securities laws and we’re asking them to come into compliance,” the SEC said in a statement. Both companies deny the charges.

The Bad | Clop Gang Hits Hundreds of Orgs via MOVEit Bug

The Cl0p (aka Clop) ransomware gang has claimed responsibility this week for breaches of multiple organizations after exploiting a now-patched bug (CVE-2023-34362) in the MOVEit Transfer file transfer application.

Aer Lingus, British Airways, Boots and the BBC are among hundreds of organizations the gang say they have stolen data from and are threatening to leak unless the victims pay a ransom. No fixed sum has been demanded by the attackers, who insist victims need to contact them and begin negotiations.

[Image: clop ransomware BA Boots MOVEit. Source: BleepingComputer]

The mass scale of the attack appears to have been facilitated by a supply chain attack on payroll services firm Zellis, used by many of the victims. Technical details of the attack were published by SentinelOne on Wednesday. The attacks are conducted against Windows servers running a vulnerable version of the MOVEit file transfer application, specifically one of the following versions:

  • MOVEit Transfer 2023.0.0 (patched in 2023.0.1)
  • MOVEit Transfer 2022.1.x (patched in 2022.1.5)
  • MOVEit Transfer 2022.0.x (patched in 2022.0.4)
  • MOVEit Transfer 2021.1.x (patched in 2021.1.4)
  • MOVEit Transfer 2021.0.x (patched in 2021.0.6)

The vulnerability allows an unauthorized attacker to inject SQL commands and conduct an arbitrary file upload. The final payload is a minimal webshell that queries information about the database configuration, enabling the actor to connect to specified SQL databases and exfiltrate the contents of files hosted by MOVEit Transfer and, where connected, files in Azure’s blob storage service.

Organizations are urged to ensure that any instances of MOVEit Transfer are patched without delay. SentinelOne has published hunting queries and a script to scan for potential exploitation of the MOVEit Transfer vulnerability.

The Ugly | Suspected Nation State Targets US Aerospace

It was revealed this week that an unknown threat actor infiltrated a U.S. aerospace defense contractor using a novel RAT dubbed ‘PowerDrop’, which combines WMI and PowerShell to evade detection.

According to researchers, PowerDrop is not particularly sophisticated, but its focus on obfuscation and evasion, along with the targeting of an aerospace contractor, points the finger at a nation-state actor. The malware takes the form of a single command line argument containing a base64-encoded PowerShell script passed to wmic.exe for execution.

The script beacons to a hard-coded IP address every 120 seconds using an ICMP Echo Request message and then waits 60 seconds for a response from the C2.

[Image: PowerDrop backdoor RAT. Source: Adlumin]

The remote operators can then task the backdoor via an AES-128 encrypted payload. PowerDrop decrypts the command, runs it and returns the results to the C2. The researchers say that PowerDrop uses the strings “DRP” and “OCD” to mark the start and end of the response content. If the response is split into multiple messages, every message carries the “DRP” prefix, and only the final message carries both the “DRP” prefix and the “OCD” suffix.
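The two observables above, a fixed-cadence ICMP Echo Request beacon and DRP/OCD-framed response content, are enough to build a simple hunt. The following is an added example written for this page, not code from Adlumin’s report or from the malware itself. It assumes a flat export of ICMP packets as (timestamp, source, destination, ICMP type, payload) tuples, that response parts travel in the same direction as the beacon, and tolerances of ±10% jitter and four observed cycles before alerting; the capture below is constructed, using RFC 5737 documentation addresses.

```python
"""Hunt for PowerDrop-style ICMP beaconing in a packet export (added example)."""
from collections import defaultdict
from statistics import median

BEACON_PERIOD = 120.0   # seconds, per the report
TOLERANCE = 0.10        # accept +/-10% jitter (assumption)
MIN_BEACONS = 4         # require a few cycles before alerting (assumption)


def find_periodic_icmp(records, period=BEACON_PERIOD, tol=TOLERANCE,
                       min_beacons=MIN_BEACONS):
    """Return {(src, dst): median_gap} for hosts sending Echo Requests at a fixed cadence."""
    by_pair = defaultdict(list)
    for ts, src, dst, icmp_type, _payload in records:
        if icmp_type == 8:  # ICMP Echo Request
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_beacons:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)   # median is robust to a few extra packets (e.g. responses)
        if abs(med - period) <= period * tol:
            hits[pair] = med
    return hits


def reassemble_drp(parts):
    """Reassemble DRP/OCD-framed response parts into the inner bytes.

    Every part must start with b"DRP"; only the final part ends with b"OCD".
    Returns None if the final part (and so the OCD suffix) is missing from
    the capture; raises ValueError if a part breaks the framing rules.
    """
    body = bytearray()
    for i, part in enumerate(parts):
        if not part.startswith(b"DRP"):
            raise ValueError(f"part {i} lacks DRP prefix")
        chunk = part[3:]
        if i == len(parts) - 1:
            if not chunk.endswith(b"OCD"):
                return None
            chunk = chunk[:-3]
        elif chunk.endswith(b"OCD"):
            raise ValueError(f"part {i} carries OCD but is not the last part")
        body += chunk
    return bytes(body)


def drp_framed_payloads(records):
    """Payloads (in capture order) carrying the DRP framing marker."""
    return [p for *_, p in records if p.startswith(b"DRP")]


# Constructed sample capture (not real traffic): 10.0.0.5 beacons to
# 203.0.113.7 roughly every 120 s, then returns a two-part framed response.
# 10.0.0.9 is ordinary ping noise.
SAMPLE = [
    (0.0,   "10.0.0.5", "203.0.113.7", 8, b""),
    (119.6, "10.0.0.5", "203.0.113.7", 8, b""),
    (240.3, "10.0.0.5", "203.0.113.7", 8, b""),
    (360.1, "10.0.0.5", "203.0.113.7", 8, b""),
    (480.0, "10.0.0.5", "203.0.113.7", 8, b""),
    (481.0, "10.0.0.5", "203.0.113.7", 8, b"DRP" + b"part-one-"),
    (481.5, "10.0.0.5", "203.0.113.7", 8, b"DRP" + b"part-two" + b"OCD"),
    (5.0,   "10.0.0.9", "10.0.0.1",    8, b"abcdefgh"),
    (9.0,   "10.0.0.9", "10.0.0.1",    8, b"abcdefgh"),
    (70.0,  "10.0.0.9", "10.0.0.1",    8, b"abcdefgh"),
    (71.0,  "10.0.0.9", "10.0.0.1",    8, b"abcdefgh"),
]

if __name__ == "__main__":
    for (src, dst), gap in find_periodic_icmp(SAMPLE).items():
        print(f"periodic ICMP {src} -> {dst}, median gap {gap:.1f}s")
    print(reassemble_drp(drp_framed_payloads(SAMPLE)))
```

The periodicity check uses the median inter-packet gap rather than the mean so that the few response packets riding alongside the beacon do not mask the 120-second cadence; tune the tolerance to your network’s jitter before relying on it.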

The discovery is yet another reminder of the ongoing threat to our critical infrastructure and the need for organizations to ensure they have a robust cyber defense posture.

macOS 14 Sonoma | Toughening up macOS for the Enterprise?

At WWDC23 this week, Apple made some big announcements across its product lines and maintained its annual ritual of upgrading macOS, now to version 14 and tagged as macOS Sonoma. At SentinelOne, we’re already busy testing the new operating system and preparing for macOS 14 support.

With Apple’s mixed AR/VR kit Vision Pro predictably grabbing most of the headlines, the latest developments in macOS might have seemed a little underwhelming. However, our early look at the Sonoma beta suggests Apple has given the operating system and supporting services some much needed attention that should be welcome news to enterprise users.

Here’s a quick round-up of what’s new in the early preview released this week.

Sonoma Specs | macOS 14 Hardware Requirements

Apple continues its migration away from Intel architecture, with macOS Sonoma dropping support for another year’s worth of hardware. Last year, Ventura dropped support for models released before 2017. This year, with the exception of the 2017 iMac Pro, Sonoma requires a Mac released in 2018 or later.

[Image: Sonoma supported Macs]

Notably, Sonoma drops support for the 2017 line of Intel MacBook Pros and iMacs. The ill-fated MacBook, first introduced in 2015 and not updated since 2017, is now entirely cut off from further macOS upgrades.

As for the rest of the Intel line, last updated in 2019, it’s not unimaginable that Sonoma could be the end of the line. Certainly, support for Intel Macs is unlikely to extend beyond next year’s macOS 15 as the company completes its ARM64 transition.

Safari Profiles | Apple Taking Work Seriously

In Safari 17, users can now take advantage of Profiles to help maintain that work-life separation, something that is increasingly important as more organizations move towards allowing hybrid use of “mobile” devices – think laptops not just smartphones – in the workplace.

[Image: Profiles in Safari 17 on macOS 14 Sonoma]

Users can make as many Profiles as they wish – work, education, social, hobbies – and each gets its own bookmarks, favorites, history, cookies, and extensions. Identification of which profile you’re in is accomplished by a simple dropdown menu in the toolbar.

Video Conferencing | Zoom In on the Details

The pandemic unarguably changed the nature of work with video conferencing software suddenly becoming a necessity for pretty much everybody in the enterprise. Recognizing the centrality of video conferencing software to people’s workday, Sonoma introduces some enhancements that will work across third party apps. These include “Presenter Overlay” that allows the speaker to move independently of a display of their screen, allowing them to highlight different details.

[Image: Sonoma video conferencing. Source: Apple]

The newly-introduced screen sharing picker will also ease fears about sharing unwanted details inadvertently. Instead of having to pick an entire display to share to the audience, Sonoma will allow the user to pick just the view from a particular app, multiple apps or an entire screen.

Passwords and Passkeys | Making Theft Harder, Sharing Simpler

Apple had previously announced Passkeys in Ventura as a long-term solution and replacement for passwords, but in Sonoma there’s a new emphasis on using passkeys in the workplace to help protect against cyber attacks from vectors such as phishing, credential theft and 2FA bypasses.

With Sonoma, passkeys are now supported across Managed Apple IDs. Moreover, admins can now control which devices users can sign in with and ensure that passkeys stay on work devices only.

Users can also create groups for passwords and passkeys such that they can be shared securely with others in the group. While this is touted primarily as a “family and friends” feature, it also has obvious benefits for small teams that need to share credentials for some common resources.

Safari 17 | Create a Web App from Any Webpage

[Image: Sonoma web apps]

In Sonoma, Safari adds the ability for users to create a web app from any web page simply by browsing to the site and choosing ‘Add to Dock’ from Safari’s File menu.

The web app isn’t just a shortcut that opens the site in the browser; it is a completely browser-independent application. Internal links open within the web app, though this and some other aspects of the web app’s behavior can be customized by web site developers. By default, users should remain logged in to any accounts associated with the site, but there are some gotchas for developers to look out for. Web apps could be a great feature for enterprises that want to provide a distinct experience for either employees or customers.

For Mac Admins | Declarative Device Management

Away from the user interface, Apple is making improvements to the way IT admins manage their fleet of Macs with further development of “DDM” – Declarative Device Management. DDM works alongside the existing MDM (Mobile Device Management) protocol but is ultimately intended to replace it. DDM brings greater support for enforcing software updates, managing applications and securing devices through task monitoring and lockdown of system services. More information about DDM can be found in the relevant WWDC23 session.

Security and Privacy | Application Data Protection

macOS Sonoma brings some under the hood changes to data security which we will be keenly testing over the beta period. Among these are new restrictions designed to protect application data such as session cookies and other sensitive files like databases from messaging apps (e.g., Telegram, Signal, WhatsApp and others) that can be stolen by malware.

Up to now, sandboxing has been a one-way affair – sandboxed apps are prevented from reaching out to access data elsewhere, but there’s nothing to stop unsandboxed apps from reaching in to grab data held in a sandboxed app’s container.

Sonoma now requires user consent before any application can access data in a container belonging to an app from a different developer. The protection covers only the containers of sandboxed apps, so data held by unsandboxed apps remains open to theft by other unsandboxed applications or processes. Given that this is an extension of Apple’s much-troubled TCC controls, we’ll be keeping a close eye on how it develops.

Meanwhile, Apple has also extended privacy protections in Safari 17’s Private Browsing mode, offering additional privacy by discarding history of visited pages, searches and AutoFill information when the private tab is closed – you’d be forgiven for thinking that it should have already been doing that. Alongside that, Safari in Sonoma now prevents known tracking and fingerprinting resources from being loaded during private browsing.

Finally, Apple announced a much-welcome improvement in App Extension privacy. Browser extensions can now be managed with more granularity, with users able to choose which webpages an extension can access on a per-site basis rather than having to grant wholesale access to every site or none at all.

SentinelOne Support for macOS Sonoma

Our dedicated Mac development team is already busy working on support for macOS 14 Sonoma. We will be announcing the release of Agent version 23.1 GA in the coming weeks for customers who wish to test Apple’s beta versions of Sonoma.

As always, we will officially support the new version of macOS after final testing of the public release later this year. In line with Apple’s own guidelines, SentinelOne recommends users not to test beta software in a production environment as beta versions can be unstable from one version to another.

Conclusion | “So That’s Sonoma”

Integration has been a theme of macOS development for some years now – making Macs work more seamlessly with iOS and other elements of Apple’s ecosystem – and much of that focus has been related to the idea of Macs being used in the home and for entertainment purposes. While Apple has a long history of marketing its line of computers to both enterprise and educational audiences, support for features that such users typically need hasn’t always been top of mind.

With Sonoma, Apple has put some much needed attention on to the fact that Macs are widely used in workplace and educational settings as well as for personal use. If Sonoma doesn’t bring any headline grabbing changes to “wow” new users, it nevertheless does a lot of good work around the edges and between the cracks to firm up the operating system as fit for use in professional settings.

From shared passkeys and smarter video conferencing to web apps and better device management, macOS Sonoma looks like Apple has understood and reacted to its ever increasing presence in the workplace. We look forward to testing Sonoma as it develops over the summer and we’ll be back with our final verdict when the public release drops later in 2023.

Barracuda Urges Replacing — Not Patching — Its Email Security Gateways

It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

The Barracuda Email Security Gateway (ESG) 900 appliance.

Campbell, Calif. based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization’s network and scan all incoming and outgoing email for malware.

On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).

In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022.

But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace — not patch — affected appliances.

“Impacted ESG appliances must be immediately replaced regardless of patch version level,” the company’s advisory warned. “Barracuda’s recommendation at this time is full replacement of the impacted ESG.”

Rapid7’s Caitlin Condon called this remarkable turn of events “fairly stunning,” and said there appear to be roughly 11,000 vulnerable ESG devices still connected to the Internet worldwide.

“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” Condon wrote.

Barracuda said the malware was identified on a subset of appliances that allowed the attackers persistent backdoor access to the devices, and that evidence of data exfiltration was identified on some systems.

Rapid7 said it has seen no evidence that attackers are using the flaw to move laterally within victim networks. But that may be small consolation for Barracuda customers now coming to terms with the notion that foreign cyberspies probably have been hoovering up all their email for months.

Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI), said it is likely that the malware was able to corrupt the underlying firmware that powers the ESG devices in some irreparable way.

“One of the goals of malware is to be hard to remove, and this suggests the malware compromised the firmware itself to make it really hard to remove and really stealthy,” Weaver said. “That’s not a ransomware actor, that’s a state actor. Why? Because a ransomware actor doesn’t care about that level of access. They don’t need it. If they’re going for data extortion, it’s more like a smash-and-grab. If they’re going for data ransoming, they’re encrypting the data itself — not the machines.”

In addition to replacing devices, Barracuda says ESG customers should also rotate any credentials connected to the appliance(s), and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.

MOVEit Transfer Exploited to Drop File-Stealing SQL Shell

By Alex Delamotte and James Haughom

SentinelOne has observed in-the-wild (ITW) exploitation of CVE-2023-34362, a vulnerability in the MOVEit file transfer server application. The attack delivers a Microsoft IIS .aspx payload that enables limited interaction between the affected web server and connected Azure blob storage. On June 5, the Cl0p ransomware group claimed responsibility for these attacks, though SentinelOne notes the targeting of a file transfer application vulnerability resembles other exploitation conducted by financially motivated actors throughout early 2023.

In this post, we provide technical details of the attack chain along with hunting queries and a PowerShell script that can be used to scan for potential exploitation of the MOVEit Transfer vulnerability.

Overview

Through the last week of May and early June 2023, SentinelOne observed active exploitation of Windows servers running a vulnerable version of Progress Software’s MOVEit Transfer file server application. The attack delivers a minimal webshell that the attacker can use to exfiltrate the contents of files, including files hosted in Microsoft Azure when the targeted MOVEit instance is configured to use Azure’s blob storage service. As of June 5, the Cl0p ransomware group claimed responsibility for these campaigns.

While exploitation is likely opportunistic, SentinelOne observed attacks against more than 20 organizations in the following sectors, with Managed Security Service Providers (MSSP) and Managed Information Technology Service Providers (MSP) impacted most frequently:

  • Aviation, Transportation & Logistics
  • Entertainment
  • Financial Services & Insurance
  • Healthcare, Pharmaceuticals & Biotechnology
  • Managed Information Technology Service Providers (MSP)
  • Managed Security Service Providers (MSSP)
  • Manufacturing & Building Materials
  • Mechanical Engineering
  • Print & Digital Media
  • Technology
  • Utilities & Public Services

The vulnerability impacts the following versions of MOVEit Transfer:

  • MOVEit Transfer 2023.0.0: fixed in 2023.0.1
  • MOVEit Transfer 2022.1.x: fixed in 2022.1.5
  • MOVEit Transfer 2022.0.x: fixed in 2022.0.4
  • MOVEit Transfer 2021.1.x: fixed in 2021.1.4
  • MOVEit Transfer 2021.0.x: fixed in 2021.0.6

Technical Details

These attacks are conducted against Windows servers running a vulnerable version of the MOVEit file transfer application, which attackers can identify through port scanning or internet indexing services like Shodan.

Progress Software recently published an advisory detailing a vulnerability in MOVEit Transfer that could enable privilege escalation and unauthorized access to the targeted environment. The advisory describes the issue as a SQL injection vulnerability, tracked as CVE-2023-34362, which can allow an unauthorized attacker to inject SQL commands and obtain information from the targeted database.

The attack chain leverages this vulnerability to conduct an arbitrary file upload via the moveitsvc service account to the server’s MOVEitTransfer\wwwroot directory. The system’s svchost.exe process launches w3wp.exe, a Microsoft Internet Information Services (IIS) worker process, which then writes several files to a new working directory under C:\Windows\Temp. The working directory and the files within it share the same 8-character, pseudo-random name, as in the following example:

C:\Windows\Temp\royq2cir
C:\Windows\Temp\royq2cir\royq2cir.tmp
C:\Windows\Temp\royq2cir\royq2cir.0.cs
C:\Windows\Temp\royq2cir\royq2cir.dll
C:\Windows\Temp\royq2cir\royq2cir.cmdline
C:\Windows\Temp\royq2cir\royq2cir.out
C:\Windows\Temp\royq2cir\royq2cir.err

The w3wp.exe process launches csc.exe to compile the C# code into the payload, which is saved as human2.aspx. The payload is a minimal webshell that queries information about the database configuration, enabling the actor to:

  • Connect to specified SQL databases
  • Exfiltrate the contents of files hosted by MOVEit Transfer
  • When MOVEit Transfer is connected to Azure blob storage, exfiltrate contents of specific files in Azure’s blob storage service

To exfiltrate files, the attacker can specify the targeted object’s File ID and Folder ID in HTTP headers of a request made to the webshell. The shell then returns the specified file’s content as a Gzip object in the server’s HTTP response. The shell also deletes the existing user named “Health Check Service” and creates a new user with the same username, likely as a means of persistence.

At the time of writing, SentinelOne has not observed subsequent activity following placement of the webshell.

Mitigation & Prevention

Organizations using MOVEit Transfer should upgrade affected systems immediately. In situations where upgrades cannot be performed, the system should be taken offline until it can be upgraded. Ensure your security team can access and analyze application logs from servers that run MOVEit Transfer, including Microsoft IIS logs.
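Because the webshell is driven over plain HTTP requests, the IIS logs on a MOVEit Transfer host are often the first place exploitation shows up. The following is an added example for this page, not SentinelOne’s scanner or Progress Software’s guidance: it parses IIS W3C extended log lines and flags requests to .aspx endpoints that are not part of a known-good baseline (the observed payload name was human2.aspx), noting unusually large responses that may indicate file contents being returned. The baseline set, the 1 MB response threshold and the log excerpt are all assumptions and constructed data; build the baseline from a clean install of your own MOVEit version.

```python
"""Hunt IIS W3C logs from a MOVEit Transfer host for webshell traffic (added example)."""
from collections import Counter, defaultdict

# Assumed baseline of legitimate endpoints; derive yours from a clean install.
KNOWN_ASPX = {"/human.aspx", "/machine.aspx", "/guestaccess.aspx"}


def parse_w3c(lines):
    """Yield one dict per data line, using the #Fields: directive for column names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-align columns
        yield dict(zip(fields, values))


def hunt_iis_log(rows, known_aspx=KNOWN_ASPX, big_response=1_000_000):
    """Return (findings, per-client counters) for requests to unknown .aspx files."""
    findings = []
    seen = defaultdict(Counter)
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.endswith(".aspx") or stem in known_aspx:
            continue
        client = r.get("c-ip", "?")
        seen[client][stem] += 1
        reason = "unknown .aspx endpoint"
        try:
            if int(r.get("sc-bytes", "0")) >= big_response:
                reason += "; large response"
        except ValueError:
            pass  # sc-bytes not logged or not numeric
        findings.append({
            "time": r.get("time"), "client": client, "stem": stem,
            "method": r.get("cs-method"), "status": r.get("sc-status"),
            "reason": reason,
        })
    return findings, seen


# Constructed log excerpt (not from a real incident); IPs are RFC 5737 space.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2023-06-01 10:00:01 198.51.100.20 GET /human.aspx 200 4096
2023-06-01 10:00:09 198.51.100.20 POST /human.aspx 200 2048
2023-06-01 10:01:30 203.0.113.45 POST /human2.aspx 200 512
2023-06-01 10:01:45 203.0.113.45 POST /human2.aspx 200 7340032
2023-06-01 10:02:00 198.51.100.21 GET /guestaccess.aspx 200 1024
""".splitlines()

if __name__ == "__main__":
    found, per_client = hunt_iis_log(parse_w3c(SAMPLE_LOG))
    for f in found:
        print(f)
    for client, stems in per_client.items():
        print(client, dict(stems))
```

Make sure sc-bytes is enabled in the site’s W3C logging fields; without it the size heuristic silently does nothing, and the endpoint allowlist is then the only signal.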

Because exploitation occurs through interaction with MOVEit Transfer at the application level, detection opportunities for Endpoint Detection & Response (EDR) tooling are limited to later-stage activity. SentinelOne notes that each payload is dynamically compiled at runtime, resulting in a unique hash for each victim. While we are providing a list of hashes associated with payloads delivered through these campaigns, organizations should not rely on hashes alone to detect these attacks.

We recommend that organizations using MOVEit Transfer conduct threat hunts and log analysis using the resources provided below.

Hunting Queries

SentinelOne is providing the following queries that organizations can use to hunt for activity associated with these attacks. While these queries are not necessarily inclusive of all attack scenarios, the results should be investigated and triaged. Additionally, defenders should look for unusual activity initiated by the MOVEit Transfer service account: the default value is moveitsvc, though some instances may have a custom account name.

Query 1 (S1QL): SrcProcName = "w3wp.exe" AND TgtProcName = "csc.exe" AND SrcProcCmdLine Contains Anycase "moveitdmz pool"
Purpose: Identify instances of the compilation of DLLs related to MOVEit’s app pool

Query 2 (S1QL): IndicatorName = "LoadUnreleatedLibrary" AND IndicatorMetadata Contains "w3wp.exe" AND SrcProcName StartsWith "DMZ"
Purpose: Identify potential anomalous library loads by the IIS worker process

Query 3 (S1QL): EventType In ("File Creation", "File Modification") AND SrcProcName Contains Anycase "w3wp.exe" And TgtFilePath RegExp "moveit[^\\]+" And TgtFilePath Contains Anycase "wwwroot" And TgtFileExtension = "aspx"
Purpose: Identify the IIS worker process writing a new, or modifying an existing, ASPX file in the MOVEit web folder

Query 4 (S1PQ): src.process.parent.name = "w3wp.exe" AND src.process.parent.cmdline contains "moveit" AND src.process.name = "csc.exe" AND src.process.cmdline contains "Temporary ASP.NET Files" AND (tgt.process.name = "cvtres.exe" OR tgt.file.path matches '.*?App_Web_[a-z0-9A-Z]{1,40}.dll$')
Purpose: Indicates the presence of a compiled backdoor

In addition to these queries, SentinelOne is providing a script to scan for potential exploitation of the MOVEit Transfer vulnerability.
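For teams without access to the SentinelOne query languages, the same signals can be expressed over any EDR’s process and file telemetry. The block below is an added example, not SentinelOne’s queries or its PowerShell scanner: it re-implements three of the hunts above (the MOVEit app-pool worker spawning csc.exe, w3wp.exe writing .aspx under the MOVEit wwwroot, and w3wp.exe populating an 8-character random directory under C:\Windows\Temp with the .cs/.dll/.cmdline set described in the attack chain) over a list of event dicts. The field names and the sample events are assumptions and constructed data; remap them to your product’s schema.

```python
"""Re-implementation of the MOVEit hunts over generic EDR events (added example)."""
import re
from collections import defaultdict

# C:\Windows\Temp\<8 chars> and C:\Windows\Temp\<8 chars>\<same 8 chars>.<ext...>
TEMP_DIR_RE = re.compile(
    r"^c:\\windows\\temp\\([a-z0-9]{8})(?:\\\1\.[a-z0-9.]+)?$", re.I)
# an .aspx under a wwwroot whose parent directory name contains "moveit"
ASPX_RE = re.compile(r"\\[^\\]*moveit[^\\]*\\wwwroot\\.*\.aspx$", re.I)


def hunt_edr_events(events):
    """Return a list of (rule_name, event_or_summary) hits."""
    hits = []
    temp_dirs = defaultdict(set)   # random dir name -> paths written by w3wp.exe
    for ev in events:
        src = ev.get("src_proc_name", "").lower()
        cmd = ev.get("src_proc_cmdline", "").lower()
        if ev.get("type") == "process":
            tgt = ev.get("tgt_proc_name", "").lower()
            if src == "w3wp.exe" and tgt == "csc.exe" and "moveitdmz pool" in cmd:
                hits.append(("w3wp_spawns_csc", ev))
        elif ev.get("type") in ("file_create", "file_modify"):
            path = ev.get("tgt_file_path", "")
            if src == "w3wp.exe" and ASPX_RE.search(path):
                hits.append(("w3wp_writes_aspx", ev))
            m = TEMP_DIR_RE.match(path)
            if src == "w3wp.exe" and m:
                temp_dirs[m.group(1).lower()].add(path.lower())
    for name, files in temp_dirs.items():
        # the observed chain drops a .cs/.dll/.cmdline set named after the directory
        exts = {p.rsplit(".", 1)[-1] for p in files if "." in p.rsplit("\\", 1)[-1]}
        if {"cs", "dll", "cmdline"} <= exts:
            hits.append(("w3wp_compile_tempdir", {"dir": name, "files": sorted(files)}))
    return hits


# Constructed events mirroring the chain described above (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "src_proc_name": "w3wp.exe",
     "src_proc_cmdline": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "MOVEitDMZ Pool"',
     "tgt_proc_name": "csc.exe"},
    {"type": "file_create", "src_proc_name": "w3wp.exe",
     "tgt_file_path": "C:\\Windows\\Temp\\royq2cir"},
    {"type": "file_create", "src_proc_name": "w3wp.exe",
     "tgt_file_path": "C:\\Windows\\Temp\\royq2cir\\royq2cir.0.cs"},
    {"type": "file_create", "src_proc_name": "w3wp.exe",
     "tgt_file_path": "C:\\Windows\\Temp\\royq2cir\\royq2cir.dll"},
    {"type": "file_create", "src_proc_name": "w3wp.exe",
     "tgt_file_path": "C:\\Windows\\Temp\\royq2cir\\royq2cir.cmdline"},
    {"type": "file_create", "src_proc_name": "w3wp.exe",
     "tgt_file_path": "C:\\MOVEitTransfer\\wwwroot\\human2.aspx"},
    # benign noise: IIS writing its own log, and an installer touching wwwroot
    {"type": "file_modify", "src_proc_name": "w3wp.exe",
     "tgt_file_path": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex230601.log"},
    {"type": "file_modify", "src_proc_name": "msiexec.exe",
     "tgt_file_path": "C:\\MOVEitTransfer\\wwwroot\\human.aspx"},
]

if __name__ == "__main__":
    for rule, detail in hunt_edr_events(SAMPLE_EVENTS):
        print(rule, detail)
```

The temp-directory rule deliberately waits for the full .cs/.dll/.cmdline set before firing, since ASP.NET’s own dynamic compilation also uses csc.exe; the w3wp-to-csc rule keys on the MOVEit app pool name in the command line for the same reason.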

Conclusion

Based on the activity observed by SentinelOne, we believe the attacker’s goal is to establish access to as many victim environments as possible to conduct file exfiltration at scale.

While the Cl0p ransomware group claimed credit for these attacks, SentinelOne notes that these techniques align with a broader trend of financially motivated attacks against web servers running vulnerable file transfer software. This category of activity includes attacks against Aspera Faspex software that delivered IceFire ransomware earlier in 2023, as well as attacks attributed to Cl0p that exploited a 0-day flaw in the GoAnywhere managed file transfer (MFT) application. Based on the relative increase in file transfer server attacks that use 0-day and N-day exploits, there is likely an abundant exploit development ecosystem focused on enterprise file transfer applications.

The actor’s choice to use the MOVEit flaw to target files in Azure cloud storage is notable, if this activity is solely associated with the Cl0p ransomware group. Cloud-focused extortion actors like Bianlian and Karakurt use multipurpose file management tools like Rclone and Filezilla. A bespoke webshell designed to steal Azure files through SQL queries specific to the targeted environment represents a notable departure from this established norm and suggests the tooling was likely developed and tested well in advance of ITW attacks.

Indicators of Compromise

Files associated with exploitation of vulnerable MOVEit Transfer instances include the following.

SHA1
d013e0a503ba6e9d481b9ccdd119525fe0db7652
34d4b835b24a573863ebae30caab60d6070ed9aa
c8e03cb454034d5329d810bbfeb2bd2014dac16d
eee9451901badbfbcf920fcc5089ddc1ee4ec06d
73f19114d61bd09789788782f407f6fe1d6530b9
7d91f5b03932793ff32ad99c5e611f1e5e7fe561
a2f74b02f29f5b1a9fe3efe68c8f48c717be45c2
c756c290729981d3804681e94b73d6f0be179146
11608a031358817324568db9ece1f09e74de4719
b8704c96436ffcbd93f954158fa374df05ddf7f6

Service Rents Email Addresses for Account Signups

One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts. Now a new service offers to help dramatically cut costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.

The service in question — kopeechka[.]store — is perhaps best described as a kind of unidirectional email confirmation-as-a-service that promises to “save your time and money for successfully registering multiple accounts.”

“Are you working on large volumes and are costs constantly growing?” Kopeechka’s website asks. “Our service will solve all your problems.”

As a customer of this service, you don’t get full access to the email inboxes you are renting. Rather, you configure your botnet or spam machine to make an automated application programming interface (API) call to the Kopeechka service, which responds with a working email address at an email provider of your choosing.

Once you’ve entered the supplied email address into the new account registration page at some website or service, you tell Kopeechka which service or website you’re expecting an account confirmation link from, and they will then forward any new messages matching that description to your Kopeechka account panel.

Ensuring that customers cannot control inboxes rented through the service means that Kopeechka can rent the same email address to multiple customers (at least until that email address has been used to register accounts at most of the major online services).

Kopeechka also has multiple affiliate programs, including one that pays app developers for embedding Kopeechka’s API in their software. However, far more interesting is their program for rewarding people who choose to sell Kopeechka usernames and passwords for working email addresses.

Kopeechka means “penny” in Russian, which is generous verbiage (and coinage) for a service that charges a tiny fraction of a penny for access to account confirmation links. Their pricing fluctuates slightly based on which email provider you choose, but a form on the service’s homepage says a single confirmation message from apple.com to outlook.com costs 0.07 rubles, which is currently equal to about $0.00087 dollars.

The pricing for Kopeechka works out to about a fraction of a penny per confirmation message.

“Emails can be uploaded to us for sale, and you will receive a percentage of purchases %,” the service explains. “You upload 1 mailbox of a certain domain, discuss percentage with our technical support (it depends on the liquidity of the domain and the number of downloaded emails).”

We don’t have to look very far for examples of Kopeechka in action. In May, KrebsOnSecurity interviewed a Russian spammer named “Quotpw” who was mass-registering accounts on the social media network Mastodon in order to conduct a series of huge spam campaigns advertising scam cryptocurrency investment platforms.

Much of the fodder for that story came from Renaud Chaput, a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput told KrebsOnSecurity that his team was forced to temporarily halt all new registrations for these communities last month after the number of new registrations from Quotpw’s spam campaign started to overwhelm their systems.

“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”

After that story ran, Chaput said he discovered that the computer code powering Quotpw’s spam botnet (which has since been released as open source) contained an API call to Kopeechka’s service.

“It allows them to pool many bot-created or compromised emails at various providers and offer them to cyber criminals,” Chaput said of Kopeechka. “This is what they used to create thousands of valid Hotmail (and other) addresses when spamming on Mastodon. If you look at the code, it’s really well done with a nice API that forwards you the confirmation link that you can then fake click with your botnet.”

It’s doubtful anyone will make serious money selling email accounts to Kopeechka, unless of course that person already happens to run a botnet and has access to ridiculous numbers of email credentials. And in that sense, this service is genius: It essentially offers scammers a new way to wring extra income from resources that are already plentiful for them.

One final note about Quotpw and the spam botnet that ravaged Chaput’s Mastodon servers last month: Trend Micro just published a report saying Quotpw was spamming to earn money for a Russian-language affiliate program called “Impulse Team,” which pays people to promote cryptocurrency scams.

The crypto scam affiliate program “Project Impulse,” advertising in 2021.

Websites under the banner of the Impulse Scam Crypto Project are all essentially “advanced fee” scams that tell people they have earned a cryptocurrency investment credit. Upon registering at the site, visitors are told they need to make a minimum deposit on the service to collect the award. However, those who make the initial investment never hear from the site again, and their money is gone.

Interestingly, Trend Micro says the scammers behind the Impulse Team also appear to be operating a fake reputation service called Scam-Doc[.]com, a website that mimics the legitimate Scamdoc.com for measuring the trustworthiness and authenticity of various sites. Trend notes that the phony reputation site routinely gave high trust ratings to a variety of cryptocurrency scam and casino websites.

“We can only suppose that either the same cybercriminals run operations involving both or that several different cybercriminals share the scam-doc[.]com site,” the Trend researchers wrote.

The ScamDoc fake reputation websites, which were apparently used to help make fake crypto investment platforms look more trustworthy. Image: Trend Micro.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

Compliance in the Cloud | Navigating the Complexities of Cloud Security Regulations

Enterprise businesses continue to undergo digital transformations, finding new ways to connect with their client base, embracing hybrid and work-from-home strategies, and scaling their operations through innovative technologies. Though cloud adoption has been a key driver of these transformations, the unique challenges of securing cloud environments remain a top concern among enterprise leaders and security professionals.

Most recently, Fortinet’s 2023 Cloud Security Report found that most global respondents across industries expressed moderate to high concern about cloud security, and 43% of those surveyed believed the risks of using a public cloud far surpass those of traditional on-prem environments. Among the top risks identified was the challenge of meeting cloud-specific compliance requirements.

This post provides an overview of the various regulations and requirements that impact cloud security and focuses on practical cyber best practices enterprises can implement to ensure compliance and continue benefiting from the cloud.

Changing Landscapes | How Cloud Security Needs Are Evolving

In a report covering data security in an era of hybrid work, ransomware, and accelerated cloud transformation, researchers examined the momentum that cloud adoption continues to see. Of those surveyed, a third of companies stated that they had 41% to 60% of all their corporate data stored in an external cloud. Another 22% of those participants indicated that over 60% of their business critical data was based in the cloud.

With so much of the world’s data now held in the cloud, enterprises are expected to meet set standards for cloud usage and security in accordance with industry-specific guidelines as well as local, state, federal, and international laws. Regulations and compliance controls serve to protect businesses and their clients; however, shifts in the greater threat landscape mean that they are frequently subject to change.

Even when it comes to obtaining cyber liability insurance, enterprises running in the cloud must be able to show that their cloud infrastructure meets all applicable controls and regulations. Carriers, particularly those serving high-risk industries such as IT, finance, and healthcare, require advanced cybersecurity measures before they will bind a policy. Because the cloud attack surface carries many inherent risks, a documented security strategy is now a hard requirement for any kind of coverage.

Addressing the Challenges of Securing Modern Clouds

Cloud computing has long evolved from just a means of storing data. The past decade has seen cloud bloom into a full-scale computing solution and enable an entire generation of organizations to share, optimize, manage, and scale information like never before.

Though powerful and very beneficial, the features that make cloud services so useful to enterprises are the same ones that make data in the cloud a challenge to regulate and secure. Security leaders defending their organization’s cloud environment take into consideration the following dimensions of cloud security:

  • Data security – Cloud infrastructures and the use of multiple cloud services leave a wide surface for cyberattack. As vast amounts of sensitive data and workloads continue to be deployed to the cloud, the task to secure them all grows.
  • Automated and continuous monitoring – Some security regulations and laws require cloud-based enterprises to monitor their cloud infrastructure. Depending on what solutions an enterprise uses for threat monitoring, this can create a large burden on small, in-house security teams or organizations that are still building up their security staff.
  • Network visibility – For those who have deployed a hybrid network, establishing full network visibility can be daunting. Security teams working in hybrid networks face a more complex challenge since they need to keep eyes on a range of topologies, varying features, and data discrepancies.
  • Fleet visibility – Similar to network visibility, cloud environments pose a unique challenge for asset and inventory monitoring. The different composition of cloud assets, from virtual machines to containerized workloads or the orchestration services that host them, are inherently more difficult to track than physical assets.
  • Multi-cloud workflows – Multi-cloud architectures allow enterprises to stay agile, but they make workflow management more complex. The more workflows there are, the harder it is to ensure compliance across them all since there are many people making changes and accessing data.

How to Build a Stronger Cloud Security Compliance Posture

Cloud compliance describes the process and act of meeting regulatory standards, industry guidelines, and applicable legal requirements for using cloud technology. Compliance in cloud environments starts in the planning and initial deployment stage with the right settings, policies, and best practice frameworks in place to guide ongoing use.

Since many cyberattacks on the cloud surface are the result of poor implementation of cloud security measures, insider threats, and misconfigurations, focusing on cloud compliance management can help security leaders prioritize what needs to be done to achieve a stronger security posture.

1 – Get to Know the Compliance Security Frameworks

The following is a list of the most widely-used government and industry-specific security regulations that pertain to cloud-based organizations.

HIPAA (Health Insurance Portability & Accountability Act) federal standards seek to protect sensitive health information from being disclosed without the knowledge and consent of the patient it belongs to. The HIPAA Security Rule is a subset of requirements that supports these standards and covers all individually identifiable health information created, received, maintained, or transmitted in electronic form.

Organizations that create, receive, maintain, and or transmit electronic protected health information (e-PHI) through a cloud platform must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
  • Certify compliance by their workforce
  • Use only vendors that will sign a HIPAA business associate agreement (BAA) for services that may expose PHI

SOX (Sarbanes-Oxley Act) is a federal law enforcing auditing and financial regulations upon public companies to improve the reliability of their financial reporting and foster investor confidence in the age of high-profile corporate crime. To comply with SOX, companies are required to:

  • Implement strong digital safeguards to prevent data tampering
  • Have verifiable controls to monitor all data access
  • Establish policies to disclose data breaches to SOX auditors and other applicable parties

Public companies subject to SOX generally require their cloud service providers to undergo an independent controls audit and supply the resulting SOC 1 report. The auditing standard behind those reports was originally the Statement on Auditing Standards No. 70 (SAS 70), then the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), and since 2017 SSAE 18.

PCI DSS (Payment Card Industry Data Security Standard) was developed to protect all payment account data throughout the payment lifecycle. Any organization, merchant, service provider, or institution that processes card payment transactions is required to abide by PCI DSS controls. These controls focus on building and maintaining a secure network and systems that protect cardholder data through robust access controls.

Cloud-specific PCI DSS controls to be followed include:

  • Physical firewalls and network segmentation at the infrastructure level
  • Firewalls at the hypervisor and VM level
  • VLAN tagging or zoning in addition to firewalls
  • Intrusion-prevention systems at the hypervisor and/or VM level to detect and block unwanted traffic
  • Data-loss-prevention tools at the hypervisor and/or VM level
  • Controls to prevent out-of-band communications occurring via the underlying infrastructure
  • Isolation of shared processes and resources from client environments
  • Segmented data stores for each client
  • Strong, two-factor authentication (MFA/2FA)
  • Separation of duties and administrative oversight
  • Continuous logging and monitoring of perimeter traffic, and real-time response

The NIST (National Institute of Standards & Technology) framework is a risk-based approach to managing cybersecurity risks through a repeatable and measurable process. NIST Special Publication 800-144 (“Guidelines on Security and Privacy in Public Cloud Computing”) outlines recommendations organizations can follow when outsourcing data, applications, and infrastructure to a public cloud environment. Other special publications geared specifically towards cloud computing include:

  • NIST SP 500-291 – Compiles available cloud computing standards and identifies gaps.
  • NIST SP 500-293 – Provides a detailed cloud infrastructure security framework for government use.
  • NIST SP 800-53 Rev. 5 (2020) – A commonly used information system security standard, also relevant to cloud environments.
  • NIST SP 800-210 (2020) – General access control guidance for cloud systems, covering IaaS, PaaS, and SaaS services.

ISO 27001 is recognized internationally as an information security standard for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving Information Security Management Systems (ISMS).

Under this umbrella, ISO 27017 is a set of security controls specific to cloud services, and ISO 27018 is a set of privacy controls for protecting personal data processed in public clouds.

FedRAMP (Federal Risk & Authorization Management Program) is a federally recognized and government-wide compliance program promoting the adoption of secure cloud services. It standardizes the security assessment and authorization of any cloud products and services used by U.S. federal agencies.

2 – Understand Roles & Responsibilities of Cloud Service Providers

The responsibility for securing a cloud environment is not shifted from an enterprise to its cloud service provider (CSP); it is shared. This starts with every party that touches the cloud agreeing on who secures what, using a framework such as the Cloud Shared Responsibility Model.

The model clearly defines the areas of control and protection that each party must handle to ensure a secure and reliable cloud environment. In this model, the CSP is responsible for securing the underlying cloud infrastructure, including servers, networks, and physical facilities. The enterprise, in turn, is accountable for its data, applications, user access, and configurations. Exactly where the line falls depends on the service model: with IaaS the customer also owns patching of the guest operating system and everything above it, whereas with SaaS the provider does, leaving the customer chiefly responsible for identities, access, and data.

The significance of the Cloud Shared Responsibility Model lies in establishing clear boundaries and expectations for both CSPs and customers. It helps organizations understand the division of responsibilities and assists in making informed decisions about implementing additional security measures to protect their data and applications. By clarifying the shared responsibilities, the model promotes collaboration, risk mitigation, and effective security management in the cloud.

3 – Lay Down Corporate Cloud Policies & Cloud Governance

Developing cloud security policies that make sense for a unique business begins with assessing risks. Since there are inherent risks to consider, security leaders will need to look at what information is shared to the cloud, how it is being stored, and what requires business-critical levels of control and access.

Post risk assessment, design policies and controls around the cloud risks and then establish cloud governance to disseminate and manage those policies to the rest of the organization. Having a formal governance model in place reduces friction between various teams when the new cloud policies are implemented and refined. Both cloud adoption and governance champions should be in regular contact to evaluate and adjust corporate cloud policies to fit the evolving needs of the business.

Source: Microsoft

4 – Establish Cloud-Related Change Management

In cloud computing, changes to systems, services, or configurations need to be tightly controlled, with workflows to review, approve, and document every modification or update made to any part of the cloud infrastructure or its applications.

While cloud solutions and services enable flexibility and speed, these benefits can also make managing change a challenge for security teams. Improperly established change control can result in misconfigurations early on in the cloud deployment process, leaving the environment exposed to opportunistic threat actors.

To establish proper change management processes for cloud:

  • Continuously monitor any administrator and root accounts for indications of unauthorized access.
  • Implement role-based access and group-level privileges. Only grant access based on an individual’s tasks and workflows and work off of a least privilege principle for all users in the cloud.
  • Offboard dormant or obsolete accounts to remove the chance of account takeover by threat actors.
  • Enable logging on critical cloud resources and protect the logs from tampering and disclosure, for example by encrypting them and writing them to storage that the logged accounts cannot modify.
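The list above is the policy; the following added example (not from the original post and not tied to any vendor's tooling) shows what enforcing two of the items looks like as code. It runs over a constructed CSV laid out like a subset of the columns of an AWS IAM credential report, joined with a constructed set of administrative users, and returns the accounts to offboard as dormant, the administrators without MFA, and the active access keys older than the rotation window. The thresholds, user names, and timestamps are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (a subset of its columns). Every row is made up for this example.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::111111111111:user/alice,true,2023-06-05T09:12:00+00:00,true,true,2023-05-20T00:00:00+00:00,2023-06-06T10:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,true,2023-01-02T08:00:00+00:00,false,true,2022-11-01T00:00:00+00:00,2023-01-02T08:05:00+00:00
contractor-x,arn:aws:iam::111111111111:user/contractor-x,false,no_information,false,true,2022-06-01T00:00:00+00:00,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,no_information,false,true,2023-06-01T00:00:00+00:00,2023-06-07T01:00:00+00:00
"""

# Constructed: which users hold administrative policies. The credential report
# does not carry group or policy membership, so a real run would join this in
# from the IAM group and policy listings.
ADMIN_USERS = {"alice", "bob"}

# Fixed "now" so the example is reproducible (assumption for the example).
NOW = datetime(2023, 6, 8, tzinfo=timezone.utc)


def _parse_ts(value: str):
    """Credential reports use ISO 8601 or one of a few 'never' markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credentials(report_csv: str, admins: set, now: datetime,
                      dormant_days: int = 90, key_age_days: int = 90) -> dict:
    """Return users to offboard, admins lacking MFA, and stale access keys."""
    dormant, admins_without_mfa, stale_keys = [], [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # A user counts as dormant if neither the password nor the first
        # access key has been used inside the window (or ever).
        last_seen = [t for t in (_parse_ts(row["password_last_used"]),
                                 _parse_ts(row["access_key_1_last_used_date"])) if t]
        if not last_seen or (now - max(last_seen)) > timedelta(days=dormant_days):
            dormant.append(user)
        if user in admins and row["mfa_active"] != "true":
            admins_without_mfa.append(user)
        if row["access_key_1_active"] == "true":
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated is None or (now - rotated) > timedelta(days=key_age_days):
                stale_keys.append(user)
    return {"dormant": dormant,
            "admins_without_mfa": admins_without_mfa,
            "stale_keys": stale_keys}


if __name__ == "__main__":
    for category, users in audit_credentials(SAMPLE_REPORT, ADMIN_USERS, NOW).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Run against the sample, bob is flagged three times (dormant, an administrator without MFA, and a key last rotated more than 90 days ago), contractor-x has never signed in and still holds an active, stale key, while alice and the ci-deploy service account pass. In production the same function would be fed the report pulled from the provider and the output routed to a ticket or to an automated disable step.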

Conclusion

Growing cloud adoption rates reaffirm its popularity amongst organizations of all sizes. Used to increase scalability, flexibility, and operational efficiency, cloud computing has risen as a driving force behind many modern businesses. As more businesses migrate to cloud as part of their ongoing digital transformations, cloud compliance will remain a keystone within the overarching cybersecurity strategy.

Building a strong cloud strategy focused on achieving compliance means understanding what legal and regulatory requirements are required for specific industries and locations of operation. Also, taking time to perform a detailed risk assessment allows security teams to design policies and governance models that are streamlined to the business and support the ongoing use of innovative cloud technologies.

Learn about how SentinelOne’s Singularity™ Cloud solution protects the cloud surface from advanced cyberattacks, allowing business leaders to focus on their operations and clients. Improve your cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Contact us today or book a demo for more details.


The Good, the Bad and the Ugly in Cybersecurity – Week 22

Breached | Data of 478,000 RaidForum Users Exposed Online

The tables turned on cybercriminals this week when private user information from the notorious RaidForums was leaked online to another hacker forum. This newer forum called “Exposed” was launched just earlier this month, making the news of this data leak their first big splash in the darknet ecosystem.


Though RaidForums was infamously frequented by cybercriminals, threat gangs, and other such unsavory parties, it was also accessed by a wide range of hackers and, of course, law enforcement. The leaked database reportedly contained the registration information of just over 478,000 members including signup dates, emails, hashed passwords, and usernames. It is currently unknown why the leaked data, in the form of a single SQL file, was generated in the first place.

Before it was shut down in an international joint law enforcement operation in April 2022, RaidForums had built up a reputation as one of the top go-to forums for buying, selling, and dumping stolen data such as bank routing and account numbers, credit card information, login credentials, and social security numbers. The data leak doesn’t provide any new information to law enforcement but can prove useful to security researchers and their investigations.

Though there is a touch of poetic justice in seeing malicious hackers and cybercriminals having their data leaked onto a forum they visit, the existence of new forums like Exposed underscores how strong the demand is for trading in illicit and stolen data. After RaidForums was seized, another site called “BreachForums” was on track to become its successor before it shut down in response to the arrest of its founder. As new forums like Exposed continue to quickly fill the void and gain traction, businesses must remain vigilant in protecting their sensitive data.

Malicious Python Libraries | Novel PyPI Malware Takes Aim at Digital Supply Chains

After observing a spike in malicious submissions to the PyPI (Python Package Index) repository, security researchers this week released a report on what may be the first supply chain attack to use compiled Python bytecode (.pyc) files as the payload. Because the interpreter runs these files directly, with no source for a reviewer or a source-only scanner to inspect, this technique raises yet another concern for digital supply chains.

The package, called fshec2, was discovered in April and removed from the repository the same day; the PyPI team told the researchers they had not seen this type of attack before. According to the report, the package’s suspicious behavior came from the combination of its three Python files:

  • __init__.py – the entry point of the package with the purpose of importing a function from main.py
  • main.py – container for the Python source code with the purpose of loading the compiled module in full.pyc
  • full.pyc – the malicious file capable of downloading commands from a remote server.
Loading of the compiled Python module from main.py (Source: SecurityBoulevard)

Rather than using an ordinary import statement to bring in the compiled module, a pattern that analysis tools commonly flag, fshec2’s main.py used the importlib machinery to load full.pyc, a loading technique the researchers had not seen in a PyPI package before. On analysis, the researchers also found a number of mistakes in the malware’s initial configuration, suggesting it was not the work of an advanced persistent threat (APT) group or a state-sponsored actor.
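To make the mechanism concrete, here is an added example (written for this page, not code from the fshec2 package or from the researchers’ report). It builds a harmless package in the same three-file shape, loads the compiled module through importlib’s SourcelessFileLoader, which is how a .pyc with no companion .py has to be loaded, and then runs a small audit a package reviewer could apply: flag any .pyc outside __pycache__ that has no .py beside it, and flag source files that reach for importlib’s file loaders or hard-code a .pyc path. The package name, the payload, and the regex are assumptions made for the example.

```python
import importlib.machinery
import importlib.util
import py_compile
import re
import tempfile
from pathlib import Path

# Signals a reviewer would look for in a package's source files: explicit use
# of importlib's file loaders or a hard-coded .pyc path. The regex is an
# assumption for this example, not a published detection rule.
LOADER_PATTERN = re.compile(r"SourcelessFileLoader|spec_from_file_location|\.pyc\b")


def build_sample_package(root: Path) -> Path:
    """Construct a benign package in the three-file shape described above.

    full.pyc is compiled here from a throwaway source file that is then
    deleted, so the only artifact left in the package is the bytecode,
    exactly as a reviewer of the real package would have found it.
    Package name and payload are assumptions for the example.
    """
    pkg = root / "samplepkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("from .main import run\n")
    (pkg / "main.py").write_text(
        "import importlib.machinery, importlib.util, pathlib\n"
        "\n"
        "def run():\n"
        "    pyc = pathlib.Path(__file__).with_name('full.pyc')\n"
        "    loader = importlib.machinery.SourcelessFileLoader('full', str(pyc))\n"
        "    spec = importlib.util.spec_from_loader('full', loader)\n"
        "    mod = importlib.util.module_from_spec(spec)\n"
        "    loader.exec_module(mod)\n"
        "    return mod.payload()\n"
    )
    src = root / "full_src.py"
    src.write_text("def payload():\n    return 'loaded from bytecode'\n")
    py_compile.compile(str(src), cfile=str(pkg / "full.pyc"), doraise=True)
    src.unlink()
    return pkg


def load_sourceless(pyc: Path, name: str = "full"):
    """Load a .pyc with no companion .py, the same way main.py above does."""
    loader = importlib.machinery.SourcelessFileLoader(name, str(pyc))
    spec = importlib.util.spec_from_loader(name, loader)
    mod = importlib.util.module_from_spec(spec)
    loader.exec_module(mod)
    return mod


def audit_package(pkg: Path) -> dict:
    """Flag orphan bytecode and source files that load bytecode by hand."""
    findings = {"orphan_pyc": [], "loader_refs": []}
    for pyc in sorted(pkg.rglob("*.pyc")):
        if "__pycache__" in pyc.parts:
            continue  # interpreter cache; always has its source beside it
        if not pyc.with_suffix(".py").exists():
            findings["orphan_pyc"].append(pyc.relative_to(pkg).as_posix())
    for py in sorted(pkg.rglob("*.py")):
        if LOADER_PATTERN.search(py.read_text()):
            findings["loader_refs"].append(py.relative_to(pkg).as_posix())
    return findings


def demo() -> dict:
    """Build the package, audit it, and show the bytecode really executes."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(Path(tmp))
        findings = audit_package(pkg)
        payload = load_sourceless(pkg / "full.pyc").payload()
    return {"findings": findings, "payload": payload}


if __name__ == "__main__":
    print(demo())
```

The audit is deliberately cheap: it does not try to decompile the bytecode, it only asks the two questions a human reviewer would ask of a wheel or sdist (is there compiled code with no source, and does any source go out of its way to load it). A package that trips both is worth pulling apart before it is allowed into a build. Note that a .pyc only loads under the interpreter version that produced it, which is why the example compiles its own rather than shipping a pre-built file.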

While this malware was spotted early, it’s a reminder that threat actors are increasingly targeting public code repositories in an effort to breach companies via third-party dependencies. Consequently, supply chain security must continue to be a main priority for enterprises.

Zero-Day Vulnerability | Flaw In Popular File Transfer Tool Used to Steal Data

MOVEit Transfer, a widely-used file transfer automation solution, disclosed a vulnerability this week that gives attackers unauthorized access to users’ systems. Designed to securely transfer data and assets between customers and their business partners through SFTP-, SCP-, and HTTP-based uploads, MOVEit is currently used worldwide by thousands of organizations. CISA warned this week that mass exploitation of the flaw has already been observed in the wild and data from a number of users’ systems has been stolen.

The zero-day, which had not been assigned a CVE at the time (it was later designated CVE-2023-34362), is a severe SQL injection vulnerability that allows privilege escalation and potentially unauthorized access to the environment. Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can gather intelligence about the infrastructure and the contents of the database before executing SQL statements that alter or delete database elements. Progress, the developer of MOVEit Transfer, has since released patches for the vulnerability and urged customers to apply them immediately.

Webshell code used for hacking the MOVEit has zero detections on VirusTotal (Source: GrindinSoft)

News of the MOVEit zero-day is the latest in a rising trend of attacks on file transfer solutions, following Accellion’s File Transfer Appliance (FTA), Fortra’s GoAnywhere MFT (CVE-2023-0669), and IBM’s Aspera Faspex, to name a few. As the global managed file transfer market continues to grow from a reported $1.3 billion in 2022, the industry’s attack surface will widen with it, and threat actors are doubling down on ways to obtain unauthorized access to vulnerable systems.

Securing the Cloud in Modern Times | How Businesses Can Build Cohesive Cloud-Native Security Strategies

Cloud security remains front of mind for global enterprise leaders as more businesses migrate to public, private, hybrid, or multi-cloud environments. While the return on investment for using this technology is clear, embedding adequate security in all aspects of cloud applications, infrastructure, and data can prove to be a moving target.

The reason? As cloud adoption climbs, so does the difficulty of securing increasingly complex cloud environments. Gartner reports that enterprises have spent more than $1.3 trillion on cloud technology and that the figure could reach $1.8 trillion by 2025. Other findings note that over 60% of all corporate data worldwide was stored in the cloud as of 2022.

In response to this complexity, cloud-native security has emerged as the approach best suited to cloud-first apps and infrastructure. This post discusses how modern businesses can design a cloud-native security strategy and use cloud-native application protection platforms (CNAPPs) to deploy their applications securely and at scale.

The Emergence of Cloud-Native Security

Traditional security approaches were not designed for the characteristics that define cloud environments: dynamic infrastructure, microservices, and containerization.

To address this gap in protection, security practices and tools were developed to align with the cloud-native paradigm and tailored specifically for complex architectures. These practices encompassed securing containerized applications, managing access controls, implementing security automation, and leveraging cloud-native monitoring and logging solutions.

Cloud-native security refers to the set of practices, technologies, and tools designed to protect cloud-native applications and infrastructure. It focuses on securing applications and data that are built and deployed in cloud environments, such as public, private, or hybrid clouds, using the principles of cloud-native development.

Most significantly, a cloud-native security approach is one where security is not an added afterthought – it’s built directly into the application and infrastructure. It centers around a fundamental shift from traditional security strategies, which often focus on the network perimeter. Instead, a cloud-native strategy emphasizes identity and access management, container security and workload security, and continuous monitoring and response.

Cloud-Native Security Best Practices | Understanding the Three R’s

Cloud-native applications lean on serverless functions and containers, which makes them highly dynamic. The “Rotate, Repave, and Repair”, or “Three R’s”, framework emphasizes proactive practices: regular credential rotation, immutable infrastructure, and rapid vulnerability management. Security teams protecting cloud-native environments use it to reduce the attack surface, minimize the impact of a compromise, and keep infrastructure and applications in a known, secure state.

Rotate

Security teams are tasked with regularly rotating or changing credentials, keys, and secrets used for accessing resources within the cloud environment. This involves rotating API keys, passwords, encryption keys, database credentials, and other access credentials/tokens on a predefined schedule or in response to security incidents or vulnerabilities. Regularly rotating credentials helps minimize the impact of a potential compromise by limiting the window of opportunity for unauthorized access. Since credential values are not kept for long, rotation makes it difficult for attackers to gain access or perform lateral movement.

Tip ✨: Implementing secure key management practices and leveraging automation tools can simplify the rotation process. 
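As an added illustration of the rotation step (example code written for this page, not SentinelOne’s or any vendor’s implementation), the class below signs tokens with a per-key-id HMAC secret and rotates by installing a fresh key while keeping the previous one verify-only for a grace window, after which it is purged. The grace period, key-id format, and token layout are assumptions for the example; the point it shows is that a token minted just before rotation keeps working during the overlap and is rejected once the old secret is gone, which is what bounds the window an attacker holding a leaked secret has.

```python
import hashlib
import hmac
import secrets
import time


class RotatingSigner:
    """Sign and verify tokens of the form kid.payload.mac with rotating HMAC keys.

    rotate() makes a fresh key the signing key and marks the previous key
    verify-only until now + grace, after which it is deleted. Hypothetical
    helper written for this example; not a library API.
    """

    def __init__(self, grace_seconds: int, clock=time.time):
        self.grace = grace_seconds
        self.clock = clock            # injectable so the example is deterministic
        self.keys = {}                # kid -> (secret, retire_at or None)
        self.current_kid = None
        self.rotate()

    def rotate(self) -> str:
        now = self.clock()
        if self.current_kid is not None:
            old_secret, _ = self.keys[self.current_kid]
            self.keys[self.current_kid] = (old_secret, now + self.grace)
        kid = secrets.token_hex(4)
        self.keys[kid] = (secrets.token_bytes(32), None)
        self.current_kid = kid
        self._purge(now)
        return kid

    def _purge(self, now: float) -> None:
        # Once a retired key passes its grace period the secret is discarded,
        # so nothing issued under it can verify any more.
        for kid, (_, retire_at) in list(self.keys.items()):
            if retire_at is not None and retire_at <= now:
                del self.keys[kid]

    def _mac(self, secret: bytes, kid: str, payload: str) -> str:
        return hmac.new(secret, f"{kid}.{payload}".encode(), hashlib.sha256).hexdigest()

    def sign(self, payload: str) -> str:
        secret, _ = self.keys[self.current_kid]
        return f"{self.current_kid}.{payload}.{self._mac(secret, self.current_kid, payload)}"

    def verify(self, token: str) -> bool:
        try:
            kid, rest = token.split(".", 1)
            payload, mac = rest.rsplit(".", 1)
        except ValueError:
            return False
        self._purge(self.clock())
        entry = self.keys.get(kid)
        if entry is None:
            return False              # unknown kid or a key past its grace window
        return hmac.compare_digest(self._mac(entry[0], kid, payload), mac)


def demo() -> dict:
    """Walk through one rotation with a controllable clock."""
    clock = {"now": 1_700_000_000.0}  # constructed starting time
    signer = RotatingSigner(grace_seconds=300, clock=lambda: clock["now"])
    old_token = signer.sign("sub=alice;scope=read")
    signer.rotate()
    new_token = signer.sign("sub=alice;scope=read")
    tampered = new_token[:-1] + ("0" if new_token[-1] != "0" else "1")
    during_grace = signer.verify(old_token)
    clock["now"] += 301               # step past the grace window
    return {
        "old_valid_during_grace": during_grace,
        "old_valid_after_grace": signer.verify(old_token),
        "new_valid": signer.verify(new_token),
        "tampered_valid": signer.verify(tampered),
        "keys_held": len(signer.keys),
    }


if __name__ == "__main__":
    print(demo())
```

The same shape applies to API keys and database credentials handled by a secrets manager: issue the new value, let both validate for one deployment cycle, then revoke the old one. Rotation without the overlap causes outages, so teams skip it; rotation without the revocation step gives attackers an unbounded window, so the purge is the part to verify.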

Repave

This refers to the practice of rebuilding or recreating infrastructure components from scratch instead of attempting to fix or patch them when security issues arise. In the context of cloud-native security, this concept is closely tied to the concept of an “immutable infrastructure”, where infrastructure components and configurations are treated as unchanging and are replaced rather than modified.

When security vulnerabilities or incidents occur, the affected components are entirely replaced with fresh instances or containers, ensuring that any compromised or potentially compromised elements are removed.This approach helps ensure that the infrastructure remains in a known good state and reduces the risk of lingering security issues or hidden compromises.

Repair

A crucial element of a strong cloud defense is the capability of identifying and addressing security vulnerabilities in the infrastructure or applications efficiently. This involves promptly applying patches, updates, and security fixes to address known vulnerabilities. Security teams can shorten their mean time to discovery through regular security assessments, vulnerability scanning, penetration testing, and code reviews – all vital aspects in identifying areas that require repair.

Tip ✨: Staying informed about security updates and advisories, and having a defined process for applying patches and updates can help in detecting and responding to security incidents, allowing for timely repairs. 

Adopting a Layered Approach | The 4 C’s of Cloud-Native Security

Cloud-native security can be represented by four core principles: cloud (servers or data centers), cluster, container, and code. These principles can be thought of as layers of a whole in which each layer informs the next. Known as the 4 C’s, they allow security teams to consider security holistically across all parts of a cloud-native environment.

The Cloud Layer

The outermost layer in this approach, the cloud layer represents the infrastructure hosting and executing the applications in the environment. Enterprises can select a reputable cloud service provider (CSP) to help them develop a structured cloud strategy. CSPs should have a strong security track record and a robust set of security features and services. To achieve cloud security:

  • Ensure that the CSP and the enterprise both understand the shared responsibility model and clearly define the security responsibilities between them.
  • Implement strong access controls, enforce multi-factor authentication (MFA), and regularly review and update permissions to ensure only authorized access to cloud resources.
  • Encrypt sensitive data at rest and in transit, leveraging encryption services provided by the CSP.
  • Regularly monitor and review CSP security notifications and updates to stay informed about any changes or vulnerabilities that may impact a cloud environment.

The Cluster Layer

The cluster layer focuses on securing the container orchestration platform, such as Kubernetes, and the cluster of nodes running the containerized applications. Best practices for securing clusters are to:

  • Follow secure cluster configuration practices, such as using strong authentication mechanisms and securely managing cluster access credentials.
  • Implement network segmentation and firewall rules to restrict traffic and communication between different components of the cluster.
  • Regularly update and patch cluster components, including the control plane and worker nodes, to address known vulnerabilities.
  • Leverage secure networking and service mesh solutions to enhance network security within the cluster.
  • Implement container image scanning and runtime security measures to detect and prevent malicious activity within the cluster.

The Container Layer

The container layer consists of the resources that make up a containerized application, one of the most critical elements in a cloud-native environment. Because container images are frequently riddled with security vulnerabilities or built from content pulled from untrusted sources, closing security gaps at the container level keeps the wider cloud-native architecture safe. To do so:

  • Use trusted and validated container images from reputable sources, and regularly update them to include the latest security patches and fixes.
  • Employ secure container runtime configurations, such as limiting container privileges, implementing resource constraints, and utilizing namespaces and seccomp profiles.
  • Implement container isolation mechanisms, such as running containers within secure sandboxes or leveraging virtualization technologies for added security.
  • Regularly scan container images for vulnerabilities and apply appropriate remediation actions.
  • Implement secure container orchestration practices, such as Pod Security Standards (enforced in Kubernetes by the Pod Security Admission controller; the older PodSecurityPolicy was removed in Kubernetes 1.25) and admission controllers, to enforce security policies when workloads are deployed.

The Code Layer

More traditional strategies are often used to secure the code layer, such as endpoint monitoring and regular scans. This layer is affected by all of its outer layers: cloud, cluster, and container. Code-based security risks grow when developers use third-party software to develop apps, have an irregular schedule for risk assessments, or allow insecure or untested code.

The code layer can provide the most granular level of security control in a cloud-native security strategy. Security teams will need to:

  • Follow secure coding practices, such as input validation, output encoding, and proper handling of sensitive data, to mitigate common application-level vulnerabilities.
  • Conduct regular code reviews and security testing to identify and address potential security issues.
  • Implement robust authentication and authorization mechanisms within your application code to ensure only authorized access to sensitive data and functionalities.
  • Use secure software development frameworks and libraries, keeping them updated with the latest security patches.
  • Leverage secure deployment pipelines, including vulnerability scanning and static code analysis, to detect and address security issues during the build and deployment process.

Unifying Cloud Security Capabilities | How Cloud-Native Application Protection Platforms (CNAPP) Come Into Play

Patchwork security solutions don’t work for securing modern, complex clouds. While some businesses may combine several separate cloud security capabilities into a working tech stack, these point solutions often create more management work for security teams, limit the team’s visibility, and sow inconsistencies in development, deployment, and runtime.

To tackle the risks associated with cloud-native apps and workloads, many modern businesses rely on a cloud-native application protection platform, or CNAPP. These end-to-end platforms are designed to provide a single, central plane that unifies multiple security measures to protect the cloud estate as a whole. CNAPPs combine cloud security functions that are usually found in separate tools, including:

  • CSPM (Cloud Security Posture Management) – CSPM combines two main considerations in how security teams monitor for, identify, and remediate cloud-based risks: configuration security and regulatory compliance. CSPM aims to detect misconfigurations early in the software development lifecycle, including in infrastructure-as-code, to prevent runtime risks. Its governance features help enterprises manage compliance requirements and status across multi-cloud ecosystems.
  • CWPP (Cloud Workload Protection Platform) – CWPP provides holistic visibility and control over virtual machines (VMs), containers, serverless workloads, and physical machines in hybrid and multi-cloud ecosystems.
  • CIEM (Cloud Infrastructure Entitlements Management) – CIEM helps security teams reduce the risk of data breaches through continuous monitoring of identities, permissions, and activity within the cloud, surfacing excessive or unused entitlements.
  • KSPM (Kubernetes Security Posture Management) – KSPM leverages security automation tools to identify misconfigurations introduced by human error, enforce Kubernetes compliance, manage security as clusters evolve, and validate third-party configurations.

Shift Left with SentinelOne’s Cloud-Native Capabilities

Traditionally, security has been treated as a separate and isolated process that occurs towards the end of the development cycle or during the deployment phase. However, in cloud-native environments, where continuous integration and continuous deployment (CI/CD) practices are common, addressing security concerns from the outset helps mitigate risks and ensure robust security throughout the entire application lifecycle.

By “shifting left”, businesses are able to identify and address security vulnerabilities and risks as early as possible, ideally during the development phase or even during the design phase. This proactive approach means faster detection and remediation of security issues and significantly reduces the chance of vulnerabilities reaching production environments.

SentinelOne provides the shift-left capabilities needed to detect, prevent, investigate, and respond to cloud security threats, allowing modern business leaders to dramatically reduce their organization’s cloud-based risks.

Offering a joint cloud-native solution with Wiz, SentinelOne provides businesses with enhanced visibility and protection of their cloud workloads, streamlined procurement, and simplified deployment. This helps teams better secure their cloud infrastructure and workloads without hampering the speed or agility of their application development teams.

Learn more about how SentinelOne’s AI-powered Cloud Workload Protection Platform (CWPP) and the Wiz Cloud-Native Application Protection Platform (CNAPP) allow businesses to improve their operations in the cloud and protect their cloud workloads from build time to run time here.

Conclusion

With so many organizations reliant on cloud services to hold their sensitive data, the cloud attack surface has widened and continues to be a critical issue for modern businesses. As threat actors hone their attacks on cloud-based enterprises, cloud-native security strategies address the unique security considerations introduced by containerization and microservices architectures.

Building a cloud-native security strategy is a keystone in addressing modern cloud threats. By addressing container and microservices security, aligning with automation practices, and facilitating both shared responsibility and rapid incident response, these strategies empower organizations to build secure, resilient, and compliant cloud-native environments in the face of rapidly evolving cloud threats.

SentinelOne can help organizations improve their cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Contact us for a demo on how to build a robust cloud security strategy today.


Ask Fitis, the Bear: Real Crooks Sign Their Malware

Code-signing certificates are supposed to help authenticate the identity of software publishers, and provide cryptographic assurance that a signed piece of software has not been altered or tampered with. Both of these qualities make stolen or ill-gotten code-signing certificates attractive to cybercriminal groups, who prize their ability to add stealth and longevity to malicious software. This post is a deep dive on “Megatraffer,” a veteran Russian hacker who has practically cornered the underground market for malware-focused code-signing certificates since 2015.

One of Megatraffer’s ads on an English-language cybercrime forum.

A review of Megatraffer’s posts on Russian crime forums shows this user began peddling individual stolen code-signing certs in 2015 on the Russian-language forum Exploit, and soon expanded to selling certificates for cryptographically signing applications and files designed to run in Microsoft Windows, Java, Adobe AIR, Mac and Microsoft Office.

Megatraffer explained that malware purveyors need a certificate because many antivirus products will be far more interested in unsigned software, and because signed files downloaded from the Internet don’t tend to get blocked by security features built into modern web browsers. Additionally, newer versions of Microsoft Windows will complain with a bright yellow or red alert message if users try to install a program that is not signed.

“Why do I need a certificate?” Megatraffer asked rhetorically in their Jan. 2016 sales thread on Exploit. “Antivirus software trusts signed programs more. For some types of software, a digital signature is mandatory.”

At the time, Megatraffer was selling unique code-signing certificates for $700 apiece, and charging more than twice that amount ($1,900) for an “extended validation” or EV code-signing cert, which is supposed to only come with additional identity vetting of the certificate holder. According to Megatraffer, EV certificates were a “must-have” if you wanted to sign malicious software or hardware drivers that would reliably work in newer Windows operating systems.

Part of Megatraffer’s ad. Image: Ke-la.com.

Megatraffer has continued to offer their code-signing services across more than a half-dozen other Russian-language cybercrime forums, mostly in the form of sporadically available EV and non-EV code-signing certificates from major vendors like Thawte and Comodo.

More recently, it appears Megatraffer has been working with ransomware groups to help improve the stealth of their malware. Shortly after Russia invaded Ukraine in February 2022, someone leaked several years of internal chat logs from the Conti ransomware gang, and those logs show Megatraffer was working with the group to help code-sign their malware between July and October 2020.

WHO IS MEGATRAFFER?

According to cyber intelligence firm Intel 471, Megatraffer has been active on more than a half-dozen crime forums from September 2009 to the present day. And on most of these identities, Megatraffer has used the email address 774748@gmail.com. That same email address also is tied to two forum accounts for a user with the handle “O.R.Z.”

Constella Intelligence, a company that tracks exposed databases, finds that 774748@gmail.com was used in connection with just a handful of passwords, but most frequently the password “featar24”. Pivoting off of that password reveals a handful of email addresses, including akafitis@gmail.com.

Intel 471 shows akafitis@gmail.com was used to register another O.R.Z. user account — this one on Verified[.]ru in 2008. Prior to that, akafitis@gmail.com was used as the email address for the account “Fitis,” which was active on Exploit between September 2006 and May 2007. Constella found the password “featar24” also was used in conjunction with the email address spampage@yandex.ru, which is tied to yet another O.R.Z. account on Carder[.]su from 2008.

The email address akafitis@gmail.com was used to create a Livejournal blog profile named Fitis that has a large bear as its avatar. In November 2009, Fitis wrote, “I am the perfect criminal. My fingerprints change beyond recognition every few days. At least my laptop is sure of it.”

Fitis’s Livejournal account. Image: Archive.org.

Fitis’s real-life identity was exposed in 2010 after two of the biggest sponsors of pharmaceutical spam went to war with each other, and large volumes of internal documents, emails and chat records seized from both spam empires were leaked to this author. That protracted and public conflict formed the backdrop of my 2014 book, “Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.”

One of the leaked documents included a Microsoft Excel spreadsheet containing the real names, street addresses, phone numbers, emails and WebMoney addresses for dozens of top earners in Spamit — at the time the most successful pharmaceutical spam affiliate program in the Russian hacking scene and one that employed most of the top Russian botmasters.

That document shows Fitis was one of Spamit’s most prolific recruiters, bringing more than 75 affiliates to the Spamit program over several years prior to its implosion in 2010 (and earning commissions on any future sales from all 75 affiliates).

The document also says Fitis got paid using a WebMoney account that was created when its owner presented a valid Russian passport for a Konstantin Evgenievich Fetisov, born Nov. 16, 1982 and residing in Moscow. Russian motor vehicle records show two different vehicles are registered to this person at the same Moscow address.

The most interesting domain name registered to the email address spampage@yahoo.com, fittingly enough, is fitis[.]ru, which DomainTools.com says was registered in 2005 to a Konstantin E. Fetisov from Moscow.

The Wayback Machine at archive.org has a handful of mostly blank pages indexed for fitis[.]ru in its early years, but for a brief period in 2007 it appears this website was inadvertently exposing all of its file directories to the Internet.

One of the exposed files — Glavmed.html — is a general invitation to the infamous Glavmed pharmacy affiliate program, a now-defunct scheme that paid tens of millions of dollars to affiliates who advertised online pill shops mainly by hacking websites and manipulating search engine results. Glavmed was operated by the same Russian cybercriminals who ran the Spamit program.

A Google translated ad circa 2007 recruiting for the pharmacy affiliate program Glavmed, which told interested applicants to contact the ICQ number used by Fitis, a.k.a. MegaTraffer. Image: Archive.org.

Archive.org shows the fitis[.]ru webpage with the Glavmed invitation was continuously updated with new invite codes. In their message to would-be Glavmed affiliates, the program administrator asked applicants to contact them at the ICQ number 165540027, which Intel 471 found was an instant messenger address previously used by Fitis on Exploit.

The exposed files in the archived version of fitis[.]ru include source code for malicious software, lists of compromised websites used for pharmacy spam, and a handful of what are apparently personal files and photos. Among the photos is a 2007 image labeled merely “fitis.jpg,” which shows a bespectacled, bearded young man with a ponytail standing next to what appears to be a newly-married couple at a wedding ceremony.

Mr. Fetisov did not respond to requests for comment.

As a veteran organizer of affiliate programs, Fitis did not waste much time before building a new moneymaking collective after Spamit closed up shop. New York City-based cyber intelligence firm Flashpoint found that Megatraffer’s ICQ was the contact number for Himba[.]ru, a cost-per-acquisition (CPA) program launched in 2012 that paid handsomely for completed application forms tied to a variety of financial instruments, including consumer credit cards, insurance policies, and loans.

“Megatraffer’s entrenched presence on cybercrime forums strongly suggests that malicious means are used to source at least a portion of traffic delivered to HIMBA’s advertisers,” Flashpoint observed in a threat report on the actor.

Intel 471 finds that Himba was an active affiliate program until around May 2019, when it stopped paying its associates.

Fitis’s Himba affiliate program, circa February 2014. Image: Archive.org.

Flashpoint notes that in September 2015, Megatraffer posted a job ad on Exploit seeking experienced coders to work on browser plugins, installers and “loaders” — basically remote access trojans (RATs) that establish communication between the attacker and a compromised system.

“The actor specified that he is looking for full-time, onsite help either in his Moscow or Kiev locations,” Flashpoint wrote.