Endpoint, Identity and Cloud | Top Cyber Attacks of 2023 (So Far)

2023 has been no stranger to cyber threats and both the rates and sophistication of attacks launched have only continued on their upward trajectories. Based on findings from a recent Cyber Threat Intelligence Index report, threats like ransomware, data breaches, and software vulnerabilities have all made major impacts on the landscape this year. As global enterprises have scaled up the amount of data they produce and store, threat actors have kept a watchful eye for new opportunities for attack.

In this post, learn about some of the most pressing cyber threats seen targeting the endpoint, identity, and cloud surfaces from the first three quarters of this year. By dissecting the causes and impacts of these notable attacks, enterprise and security leaders can better secure their data, systems, and networks against advanced threats down the line.

Endpoint-Based Attacks

Endpoint attacks have evolved into a critical concern, posing substantial threats to businesses across all industry verticals. As the number of endpoints multiplies and remote work remains the norm, the endpoint attack surface expands and leaves organizations exposed to a wide range of threats.

Attacks on endpoints exploit vulnerabilities in computers (often those holding privileged access), smartphones, and Internet of Things (IoT) devices. Major threats that loom over the endpoint attack surface include ransomware, phishing scams, zero-day exploits, fileless malware, and Denial-of-Service (DoS) attacks.

Ransomware Attacks

In the first three quarters of 2023, ransomware has hit multiple critical infrastructure entities and major companies, including those listed below:

  • San Francisco’s Bay Area Rapid Transit (Vice Society) – San Francisco’s BART was hit in January by a ransomware attack claimed by the Vice Society group. While no service disruption occurred, stolen data was posted online. BART confirmed no impact on services or internal systems, but the incident raised concerns about potential backdoor access to critical systems.
  • Reddit (BlackCat Ransomware) – ALPHV ransomware group, also known as BlackCat, claimed responsibility for a February cyberattack on Reddit. The attack, initiated through a successful phishing campaign, resulted in the theft of 80GB of data, including internal documents, source code, and employee and advertiser information. The group had announced its intent to leak the stolen data after failed attempts to extort $4.5 million from Reddit for its deletion.
  • Dole Food Company – Dole Food Company confirmed a ransomware attack that occurred in February, which compromised an undisclosed number of employee records. While the impact was limited, production plants in North America were temporarily shut down due to the attack. The incident affected Dole’s workforce data, as reported in their annual filing with the SEC.
  • United States Marshals Service (USMS) – Described as a major incident, the ransomware attack on the US Marshals Service, a federal law enforcement agency within the Department of Justice, compromised sensitive law enforcement data, including legal process returns, administrative data, and personally identifiable information (PII) of subjects associated with USMS investigations, third parties, and certain USMS employees.
  • City of Oregon (Royal Ransomware) – In May, the City of Oregon encountered a ransomware attack in which county data was encrypted. Election and 911 dispatch systems remained operational, but all other government operations were impacted. The cost of restoring systems, including software reloads and network reconstruction, was estimated in the millions. Royal Ransomware claimed the attack and demanded a ransom for restoring data access; county officials did not disclose the amount.
  • Enzo Biochem – The New York-based biotech company suffered a ransomware attack in April that compromised test data and personal information of approximately 2.5 million individuals, including names, test results, and roughly 600,000 Social Security numbers. Enzo’s disclosure came shortly after pharmacy giant PharMerica reported, in May, a separate attack that exposed the sensitive data of nearly 6 million people.

So far this year, the FBI, CISA, and NSA, in partnership with other law enforcement agencies, have issued joint cybersecurity advisories on the following ransomware operations:

  • Royal – Cybercriminals have targeted US and international organizations with Royal ransomware since September 2022. After infiltrating networks, they disable antivirus and exfiltrate data before deploying ransomware. Ransom instructions come after encryption via a .onion URL, demanding varied amounts from $1M to $11M in Bitcoin. Royal ransomware has been observed targeting critical sectors like manufacturing, communications, healthcare, and education.
  • LockBit 3.0 – LockBit 3.0 (aka LockBit Black) operates under a Ransomware-as-a-Service (RaaS) model and is a more evasive and modular continuation of its predecessors, LockBit and LockBit 2.0. Affiliates that use LockBit 3.0 have been seen employing a variety of TTPs to attack a wide range of businesses in critical infrastructure sectors.
  • BianLian – BianLian is a cybercriminal group that has conducted ransomware attacks on US and Australian critical infrastructure since June 2022. Known for ransomware development, deployment, and data extortion, they often exploit valid Remote Desktop Protocol (RDP) credentials, use open-source tools for reconnaissance, and exfiltrate data using FTP, Rclone, or Mega. In 2023, BianLian shifted from a double-extortion model (encrypting data as well as stealing it) to exfiltration-based extortion, threatening to release data if the ransom isn’t paid. They have targeted the professional services and property development sectors in previous campaigns.
  • Cl0p – Since emerging in February 2019, CL0P ransomware has evolved and now operates as a Ransomware-as-a-Service (RaaS), an initial access broker (IAB) selling access to compromised networks, and a large botnet operator targeting the financial sector. Initially known for double extortion, the group changed tactics in 2021 to focus on data exfiltration. Cl0p has claimed to have compromised over 3,000 U.S. and 8,000 global organizations.
  • QakBot – Also known as Qbot, Quackbot, Pinkslipbot, and TA750, Qakbot has caused numerous global malware infections since 2008. Initially a banking trojan, it evolved into a versatile botnet and malware variant used for reconnaissance, data exfiltration, lateral movement, and delivering ransomware. It targets various sectors, including financial and emergency services, commercial facilities, as well as the election infrastructure subsector, selling compromised device access to further affiliate threat actors’ goals.

3CX Supply Chain Attack

In a supply chain attack discovered in March and dubbed “SmoothOperator”, actors associated with the North Korean regime compromised the build infrastructure of the 3CX Private Automatic Branch Exchange (PABX) platform. The VoIP software company’s products are used by more than 600,000 customers globally and have over 12 million daily users, including organizations across the automotive, food and beverage, hospitality, managed IT service provider (MSP), and manufacturing industries.

The actors used this access to insert malicious code into the 3CX desktop clients, which victims then downloaded as legitimate, signed updates. The backdoored version applied steganography by encoding a payload stub in .ico image files hosted on a public code repository at github[.]com/IconStorages/images, which let the malware retrieve the active C2 server address. Far-reaching software supply chain attacks like these demonstrate how threat actors innovate to exploit trusted update channels and distribute malware at scale.
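Icon files are a convenient carrier for this trick because viewers render only the images the ICO directory declares and ignore whatever follows. As an added illustration (not code from the 3CX incident or from SentinelOne), the following Python parses the standard ICO directory, computes the last byte any image entry accounts for, and reports anything appended after it. The sample icons and the appended blob are constructed here, and the image blobs are opaque placeholders rather than real bitmaps, which the directory check does not need.

```python
"""
Added example: flag data appended beyond what an ICO file's directory declares.

An ICO is a 6-byte header followed by 16-byte directory entries, each giving
an image's byte length and offset. Bytes past the last declared image are
never rendered, so a loader can stash a payload stub or C2 address there.
"""
import struct
from typing import List

ICONDIR = struct.Struct("<HHH")            # reserved(0), type(1=ICO, 2=CUR), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, bytesInRes, imageOffset


def ico_declared_end(data: bytes) -> int:
    """Offset one past the last byte the directory accounts for.
    Raises ValueError for anything that is not a well-formed ICO/CUR."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or img_type not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    if len(data) < end:
        raise ValueError("truncated directory")
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        end = max(end, offset + size)
    return end


def ico_trailing_data(data: bytes) -> bytes:
    """Bytes after the last declared image; b'' for a clean icon."""
    return data[ico_declared_end(data):]


def build_ico(images: List[bytes]) -> bytes:
    """Constructed minimal ICO wrapping opaque blobs back to back (layout only)."""
    header = ICONDIR.pack(0, 1, len(images))
    offset = ICONDIR.size + len(images) * ICONDIRENTRY.size
    entries, body = [], b""
    for blob in images:
        entries.append(ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(blob), offset))
        body += blob
        offset += len(blob)
    return header + b"".join(entries) + body


# Constructed samples: a clean two-image icon and the same icon with a
# base64-looking blob appended after the declared images.
CLEAN_ICO = build_ico([b"\x00" * 40, b"\x00" * 72])
APPENDED = b"aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvYzI="  # constructed, not a real payload
TAMPERED_ICO = CLEAN_ICO + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        extra = ico_trailing_data(blob)
        print(f"{name}: {len(extra)} trailing byte(s) {extra[:40]!r}")
```

Run across an icon directory, a non-zero trailing length is a cheap triage signal; legitimate tooling rarely leaves data past the last declared image, and anything that does deserves a look at what consumes it.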

ESXi & Linux Ransomware

Ransomware groups such as AvosLocker, Black Basta, BlackMatter, Hello Kitty, LockBit, RansomEXX, REvil, and the now-defunct Hive have all continued to target VMware ESXi servers throughout 2023. Since 2021, organized ransomware groups have expanded their targeting to include Linux systems because these hosts are likely to run critical services or hold sensitive data. Disruption of Linux systems can lead to service outages, placing increased pressure on victims to pay a ransom.

These attacks often target the intersection of endpoint and cloud services, including on-premises Linux servers and hypervisors like VMware ESXi. SentinelLabs’ research found that the public availability of Babuk ransomware source code has had an outsized impact on the ESXi threat landscape. Many other Linux families are proliferating, including recent Linux lockers from the actors behind Abyss, Akira, Monti, and Trigona.

Identity-Based Attacks

Targeting the core of digital trust and authentication, identity-based attacks continue to rise in the cyber threat landscape. These attacks exploit weaknesses in user identities, credentials, and authentication processes and seek to gain unauthorized access to sensitive data and systems.

Enterprises around the world have exponentially grown the number of digital identities used in day-to-day operations, each one widening this attack surface. These identities are most exposed to threats such as phishing (and all of its variations), credential stuffing, identity theft fueled by social engineering, and attacks on single sign-on (SSO) systems and multi-factor authentication (MFA) flows.

Microsoft Exchange Online & Azure AD Vulnerability

This summer, details emerged on attacks against several US government agencies by an actor tracked as Storm-0558, a China-aligned, espionage-motivated group. The intrusions abused several aspects of Microsoft’s token and permission model, including broad application scopes and a stolen Microsoft account (MSA) consumer signing key; a token-validation issue allowed tokens signed with that consumer key to be accepted as valid for affected organizations’ enterprise Microsoft services, letting the actor forge access tokens. The original reports suggested only Exchange Online was impacted, though researchers later found the problem affected other types of Azure Active Directory applications, including all applications that support personal (non-organizational) Microsoft account authentication.
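The failure class behind a stolen key yielding tokens for the wrong audience is worth seeing in code. The following Python is an added example, not Microsoft’s implementation: a toy JWT-style scheme with HMAC-SHA256 standing in for RSA, a constructed key store whose keys are each bound to one issuer, and two verifiers. The weak verifier accepts any key in the store for any issuer, so a token signed with the consumer key but claiming the enterprise issuer validates; the hardened verifier refuses it because that key is not authorised for that issuer. Key IDs, issuer URLs and secrets are invented for the example.

```python
"""
Added example: a signing key must be bound to the issuer it may sign for.

Toy JWT-style tokens (header.body.signature, base64url) signed with HMAC;
a real identity provider publishes RSA public keys in a JWKS and the same
binding question applies to each key ID.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key store: each key is meant for exactly one issuer/authority.
KEYS = {
    "consumer-key-1":   {"secret": b"consumer-secret-k1",   "issuer": "https://login.example.invalid/consumers"},
    "enterprise-key-1": {"secret": b"enterprise-secret-k1", "issuer": "https://login.example.invalid/tenant-contoso"},
}
CONSUMER_ISS = KEYS["consumer-key-1"]["issuer"]
ENTERPRISE_ISS = KEYS["enterprise-key-1"]["issuer"]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a token with the named key. Whoever holds the key chooses the
    claims, including an issuer the key was never meant to vouch for."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def _check_signature(token: str):
    """Return (key record, claims) if the signature verifies under the key
    named by the header's kid; signature validity alone says nothing about
    which issuer that key is trusted for."""
    header_s, body_s, sig_s = token.split(".")
    header = json.loads(_unb64url(header_s))
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_s)):
        raise ValueError("bad signature")
    return key, json.loads(_unb64url(body_s))


def verify_any_key(token: str, expected_iss: str) -> dict:
    """Weak verifier: any key in the store validates any issuer. Checking
    the iss claim does not help, because the forger writes that claim."""
    _, claims = _check_signature(token)
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    return claims


def verify_scoped(token: str, expected_iss: str, now: Optional[float] = None) -> dict:
    """Hardened verifier: the key must be bound to the issuer the token
    claims, that issuer must be the one this service expects, and the
    token must not have expired."""
    key, claims = _check_signature(token)
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if key["issuer"] != claims["iss"]:
        raise ValueError("key not authorised for this issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def forged_enterprise_token(exp: float) -> str:
    """What an attacker holding only the consumer key could produce."""
    return sign_token("consumer-key-1", {"iss": ENTERPRISE_ISS, "sub": "admin@contoso.invalid", "exp": exp})
```

The point of `verify_scoped` is the third check: the key store carries the issuer each key is permitted to sign for, and a valid signature under a key that is not bound to the token’s issuer is rejected even though the cryptography is correct.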

BingBang

BingBang is an issue in Azure Active Directory (AD) application configuration where applications set to accept multi-tenant sign-in did not validate which tenant an authenticating user came from. Researchers found that this default configuration for many Azure applications meant that any Azure AD user, from any tenant, could sign in to them.

To remediate the issues outlined in BingBang, organizations using Azure AD authentication should verify what levels of access are delegated to applications, focusing first on sensitive and critical applications.

Cloud-Based Attacks

Cloud-based attacks continue to be a prominent and concerning trend, targeting vulnerabilities within cloud technologies and infrastructures. These attacks aim to compromise sensitive data housed by enterprise businesses, disrupt operations, or gain unauthorized access.

Cloud environments are exposed to threat actors who exploit weak access controls to infiltrate cloud storage and repositories. Distributed Denial-of-Service (DDoS) attacks, capable of overwhelming cloud servers and causing widespread service disruptions, are also a major threat to modern clouds. Most notably in 2023, there has been a significant increase in cloud infostealers, financially motivated tools that harvest credentials and data from vulnerable or misconfigured cloud environments.

Cl0p Ransomware

In May 2023, the Cl0p (aka Clop) ransomware group made waves by exploiting a zero-day SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer application, which runs on Windows servers. The exploit chain drops a Microsoft Internet Information Services (IIS) .aspx webshell into the server’s MOVEitTransfer\wwwroot directory, which is then used to steal files from the server as well as from connected Azure Blob Storage. SentinelOne’s report provides queries that organizations can use to identify potential exploitation by the Cl0p group.

The attack demonstrated a significant shift where traditionally endpoint-focused ransomware actors wrote code specifically to target cloud storage services. The impact was massive, with more than 500 organizations and the data of 34 million individuals compromised, making it one of the biggest threat campaigns of 2023.
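As an added example, independent of SentinelOne’s published queries, the following Python surfaces two signals the description above implies: requests in IIS W3C logs for .aspx resources that a known-good install does not serve, and .aspx files in a wwwroot inventory that the baseline lacks. The allowlist names, the log lines, the directory listing and the file name dropped_shell.aspx are all constructed for this example; in practice the baseline comes from a clean install of the same application version.

```python
"""
Added example: baseline-diff IIS W3C logs and a wwwroot inventory for .aspx
resources a clean install does not ship. Column names come from the log's
own #Fields directive, so the parser survives field-order changes.
"""
from collections import Counter
from typing import Iterable, Iterator, Set

# Constructed allowlist of legitimate pages (placeholder names; populate
# from a clean install's wwwroot, not from memory).
KNOWN_ASPX = {"/login.aspx", "/home.aspx", "/default.aspx"}

# Constructed W3C extended log excerpt; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:12:01 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:03 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:10 10.0.0.5 POST /home.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:14 10.0.0.5 GET /dropped_shell.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:15 10.0.0.5 POST /dropped_shell.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2023-05-28 03:13:02 10.0.0.5 GET /default.aspx - 443 alice 198.51.100.9 Mozilla/5.0 200
"""

# Constructed wwwroot listing as a defender might dump it.
WWWROOT_LISTING = ["login.aspx", "home.aspx", "default.aspx", "web.config",
                   "dropped_shell.aspx", r"images\logo.png"]


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a production pipeline should count these
        yield dict(zip(fields, parts))


def unknown_aspx_hits(text: str, known: Set[str] = KNOWN_ASPX) -> Counter:
    """Requests for .aspx paths outside the baseline, keyed by (path, client, method)."""
    hits = Counter()
    for entry in parse_w3c(text):
        stem = entry["cs-uri-stem"].lower()
        if stem.endswith(".aspx") and stem not in known:
            hits[(stem, entry["c-ip"], entry["cs-method"])] += 1
    return hits


def new_aspx_files(listing: Iterable[str], known: Set[str] = KNOWN_ASPX) -> Set[str]:
    """Basenames in a wwwroot inventory ending in .aspx that the baseline lacks."""
    baseline = {p.rsplit("/", 1)[-1].lower() for p in known}
    names = (entry.replace("\\", "/").rsplit("/", 1)[-1].lower() for entry in listing)
    return {n for n in names if n.endswith(".aspx") and n not in baseline}


if __name__ == "__main__":
    for (path, client, method), n in sorted(unknown_aspx_hits(SAMPLE_LOG).items()):
        print(f"{method} {path} from {client}: {n} request(s)")
    print("unexpected .aspx on disk:", sorted(new_aspx_files(WWWROOT_LISTING)))
```

A POST to an unlisted .aspx from a scripted user agent, as in the constructed sample, is the shape a webshell interaction takes in the access log; pairing the log hit with a file that is also absent from the on-disk baseline turns a single noisy indicator into something worth paging on.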

Cloud Infostealers

Throughout 2023, there has been a consistent rise in prevalence of cloud infostealers, which seek credentials from misconfigured or vulnerable cloud services. Some notable examples include:

  • AlienFox – AlienFox is a comprehensive toolkit built on Androxgh0st code snippets and sold through Telegram channels. Attackers run the modular, Python-based toolset remotely against exposed cloud services. It primarily harvests API keys and secrets from popular services, including AWS SES and Microsoft Office 365, that attackers can abuse to run spam campaigns. A comprehensive breakdown of targeted services can be found in SentinelLabs’ full report.
  • Legion – An offshoot from the same code origin as AlienFox, Legion shares much of the same, spam-centric features. Like AlienFox, Legion is distributed to buyers who frequent Telegram channels.
  • TeamTNT Doppelgänger – The infamous TeamTNT seemingly returned in 2023 with a cloud stealer that targets credentials from a variety of popular cloud and development services. While attribution remains difficult with publicly available tools like these, the actor behind the recent campaigns has demonstrated active development and adaptation to new attack surfaces, such as Google Cloud and Azure service account credentials. These recent campaigns use the dynamic DNS hosting provider AnonDns for command-and-control (C2). Most of the tools are Bash or shell scripts, though the group occasionally leverages binaries, such as a Golang executable (SHA1: 2ed9517159b89af2518cf65a93f3377dea737138) that enables propagation. The recent campaigns suggest the actor may have different motives: while the original TeamTNT prolifically delivered cryptocurrency mining malware with a minor focus on credential harvesting, the newer campaigns conduct more credential harvesting and environment enumeration than cryptomining.

Conclusion | How SentinelOne Measures Up to 2023 Cyber Attacks

Instability in the geopolitical and economic landscape has led to significant challenges in securing global enterprises this year. What’s clear from the attacks listed in this blog post is that transnational and organized cyber criminals continue to develop their threat operations to execute high-impact attacks by extorting ransoms, disrupting governments and critical services, and exposing sensitive data. Continuing to share threat intelligence on past and ongoing threats allows security and enterprise leaders to better understand where their gaps and weaknesses are so as to prepare for similar attacks in the future.

Facing these challenges, business leaders this year are much more aware of their organizations’ cyber risks than they were in 2022 and, most importantly, more willing to address them. Leaders are focused on minimizing business disruption and reputational damage and devoting more resources than before to bolstering day-to-day cyber defenses. This encompasses the strengthening of controls around third-party access, establishing cyber risk management and accountability, as well as investing in advanced cybersecurity solutions.

SentinelOne is trusted by enterprises in every industry vertical, providing the protection they need to stay ahead of modern threat actors. In one platform, SentinelOne’s Singularity XDR unites endpoint, identity, and cloud protection into an efficient cybersecurity solution. Request a demo or contact us to learn more about how Singularity leverages the power of AI to detect and respond to today’s threats.

Threat Actor Interplay | Good Day’s Victim Portals and Their Ties to Cloak

Good Day ransomware, a variant within the ARCrypter family, was first observed in the wild in May of 2023. Between June and August of 2023, we observed an uptick in Good Day ransomware campaigns and a proliferation of new ransom note samples in public malware repositories. This new wave of Good Day attacks features individual TOR-based victim portals for each target.

In this post, we expand on several unique Good Day ransom notes and victim portals and share our analysis of a sample associated with a URL leading to a known Cloak extortion site. By tying these recent Good Day campaigns to victims listed on the Cloak site, we can associate the Cloak data sales and leaks with Good Day through publicly viewable chats on the group’s TOR-based victim portals.

The discovery of such connections helps us chart the ever-dynamic relationships between existing and new vulnerabilities and threat actors. The more we can tie together these moving parts, the better chance that security practitioners have of reducing risk within their organizations.

Good Day Victim Portals Linked To Cloak Extortion Site

In July and August of 2023, we observed multiple new TOR-based URLs being staged for use by the Good Day group. Each portal is intended for a corresponding attack and specific victim. Similarly, each Good Day payload points to a specific victim portal.

Good Day (ARCrypter) victims are greeted with a ‘Good day’ welcome message when following the instructions provided in their ransom notes and opening the portal tied to the payload that encrypted their devices.

Standard Good Day victim portal

Some of the portals have been revealed in previous research by Cyble. However, analysis of a series of new ransom notes reveals that Good Day victims are also listed on the Cloak extortion blog site.

In particular, we found a series of ransom notes that all include the email address MikLYmAklY555[@]cock[.]li, which was also previously seen in AstraLocker campaigns.

Example of a Good Day ransom note seen in Aug. 2023

At the time of writing, victim chats on the Good Day portals remain publicly accessible. Within these publicly accessible chats, we can see the threat actors communicating data to the victim.

In the case of sample d5fba798bb2a0aaca17f17fa14f2ff240be8d34d (associated ransom note: 7cf3b23cdb8c5fd74b094f76eb4ffc38e18bd58a) the threat actor communicates the URL of the blog where they intend to leak the victim’s data, which turns out to be the URL of the Cloak blog site. They also mention specific company names that can be found on the Cloak blog site.

The Cloak leak site first appeared in August of 2023 and currently lists 23 victims. Many of these victims are marked as “sold” and their respective data is not currently accessible on the surface.

Cloak victim blog
Individual victim listing on Cloak blog

Our analysis shows that Good Day ransomware victims are being threatened with having their data leaked or sold on the Cloak website. This intimidation tactic is amplified by the daunting list of “sold” victim companies that currently appear on the site. The threat actors leverage this and other intimidation tactics to coerce the victim into paying the ransom.

Regarding targeting, we also note that victims listed on the Cloak leak site indicate some amount of geographical focus. The main countries targeted are Germany, Italy, Taiwan, and France.

Good Day Ransomware Sample Analysis

In sample d5fba798bb2a0aaca17f17fa14f2ff240be8d34d, the ransom instructions point to a TOR-based victim portal at

47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd[.]onion.

This sample masquerades as a Microsoft Windows Update executable (WindowsUpdate.exe). The ransomware is designed to be launched via a dropper or script, aligning it with past ARCrypter activity. The /START parameter is required to fully launch the ransomware.

Good Day masquerading as a legitimate Microsoft utility

The identifying strings that we expect to see in the ARCrypter family are also visible in this sample.

ARCrypt’s “tell” strings

This particular payload issues a User Account Control (UAC) prompt in order to elevate privileges when launched.

UAC Prompt from ransomware payload

Once running, the malware attempts to enumerate all local volumes to encrypt. This includes the use of WNetOpenEnum to identify available network shares. In addition, the malware enumerates all running processes.

Volume enumeration in Good Day

The ransomware attempts to remove volume shadow copies (VSS) using the following command:

vssadmin.exe delete shadows /all /quiet
Volume Shadow Copy (VSS) Removal in Good Day

Affected files are renamed with the .crYptA or .crYptB extension after encryption. The final letter of the extension advances alphabetically across variants, with .crYptE the highest observed so far.

Encrypted files with .crYptA extension

Good Day then spawns a hidden command shell that waits via TIMEOUT and issues DEL commands, including against its own dropped copy (WindowsUpdate.exe.exe), a delayed self-removal that doubles as evasion:

/c TIMEOUT /T 2>NUL&START /b "" cmd /c DEL "C:\Windows\explorer.exe" &DEL "WindowsUpdate.exe.exe" &EXIT
Storyline™ view of calls to timeout.exe (delayed execution/evasion)

The ransomware also checks for running debuggers by process name. The search list includes S-Ice.exe, ImmunityDebugger.exe, x64dbg.exe, and others.

Good Day debugger search list

The malware contains a hardcoded list of folders and files that are to be excluded from encryption.

Good Day Exclusions list
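Pulling the behaviours above together, here is an added example (not SentinelOne’s detection content) of behaviour rules run over constructed Sysmon/EDR-style telemetry: the WindowsUpdate.exe masquerade launched with /START, the vssadmin shadow-copy deletion, the TIMEOUT-then-DEL self-removal, and .crYptA through .crYptE renames. The event field names (image, command_line, parent_image, target_path), the sample paths and the benign lookalike events are assumptions made for the example.

```python
"""
Added example: behaviour rules for the Good Day/ARCrypter chain described
above, evaluated over constructed process-creation and file-rename events.
Each rule alone has benign explanations; several firing on one host in a
short window is the signal.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Iterable, List

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b.*(/all|/quiet)", re.I)
TIMEOUT_THEN_DEL = re.compile(r"\btimeout\b.*\bdel\b.*\.exe", re.I)
START_SWITCH = re.compile(r"(^|\s)/START(\s|$)", re.I)
CRYPT_EXT = re.compile(r"\.crYpt[A-E]$")  # observed casing; widen if variants appear


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def match_process(event: dict) -> List[str]:
    """Rule names fired by one process-creation event."""
    hits = []
    image, cmd = _basename(event["image"]), event.get("command_line", "")
    if image == "vssadmin.exe" and SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if image == "cmd.exe" and TIMEOUT_THEN_DEL.search(cmd):
        hits.append("timeout_then_self_delete")
    if image == "windowsupdate.exe":
        # A "Windows Update" binary outside %SystemRoot%, or one that needs
        # the /START switch this family requires, is not the real component.
        parts = PureWindowsPath(event["image"]).parts
        under_windows = len(parts) > 1 and parts[1].lower() == "windows"
        if not under_windows or START_SWITCH.search(cmd):
            hits.append("windowsupdate_masquerade")
    return hits


def match_file_rename(event: dict) -> List[str]:
    """Rule names fired by one file-rename/create event."""
    return ["crypt_extension"] if CRYPT_EXT.search(event["target_path"]) else []


# Constructed telemetry mirroring the analysis; paths and parents are made up.
PROCESS_EVENTS = [
    {"image": r"C:\Users\Public\WindowsUpdate.exe",
     "command_line": r'"C:\Users\Public\WindowsUpdate.exe" /START',
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": r"C:\Users\Public\WindowsUpdate.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c TIMEOUT /T 2>NUL&START /b "" cmd /c DEL "WindowsUpdate.exe.exe" &EXIT',
     "parent_image": r"C:\Users\Public\WindowsUpdate.exe"},
    # Benign lookalikes that must not fire.
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c timeout /t 5 & echo done",
     "parent_image": r"C:\Windows\explorer.exe"},
]
FILE_EVENTS = [
    {"target_path": r"C:\Users\alice\Documents\q3-forecast.xlsx.crYptA"},
    {"target_path": r"C:\Users\alice\Documents\board-deck.pptx.crYptB"},
    {"target_path": r"C:\Users\alice\Documents\notes.txt.bak"},
]


def triage(process_events: Iterable[dict], file_events: Iterable[dict]) -> Counter:
    """Per-rule hit counts for one host."""
    counts = Counter()
    for ev in process_events:
        counts.update(match_process(ev))
    for ev in file_events:
        counts.update(match_file_rename(ev))
    return counts


if __name__ == "__main__":
    for rule, n in sorted(triage(PROCESS_EVENTS, FILE_EVENTS).items()):
        print(f"{rule}: {n}")
```

The masquerade rule deliberately keys on location and the /START switch rather than on a hash, since the point of naming a dropper WindowsUpdate.exe is to survive a glance at a process list; correlating it as the parent of the vssadmin and cmd events is what makes the chain unambiguous.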

SentinelOne Protects Against Good Day (ARCrypter) Ransomware

The SentinelOne Singularity™ Endpoint platform detects and prevents malicious behaviors and artifacts associated with Good Day/ARCrypter ransomware.

Conclusion

Tracking the inputs and outputs of extortion groups is a significant part of the puzzle as we continue to research the growing web of threat actors. It always helps to be able to tie pieces together where they are not directly apparent.

Observing the URLs found in ransom notes and the existing structure of the victim blog sites, we are able to firmly establish the tie between Good Day and the Cloak leak site. The latest Good Day payloads have not yet evolved beyond their ARCrypter roots, but we will continue to monitor this group and their payloads.

To learn about how SentinelOne can help protect the devices in your fleet from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

Payload
d5fba798bb2a0aaca17f17fa14f2ff240be8d34d

Ransom Notes
7cf3b23cdb8c5fd74b094f76eb4ffc38e18bd58a
7ef712604fca6ad5a368745a015354aba74f5f61
a3ff2d575adc8edb088706e1de1a18a2d789cd73
c374252e4cff08e3abcda06503998cd3d3ef8322

URLs

cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd[.]onion
dcpuyivlbzx56hqwsvey33bxobxw3timjgljjy3index6qvdls5bjoad[.]onion
wwwieqvblhnel7wsb6jpxeen3dbmsqyozj2gzl2oyn6swrkq27jtusqd[.]onion
47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd[.]onion
zxzs677rphmjznqgqzlsmjtqwqlydq47rwjesrt4dkkh6cc2ftlfhuqd[.]onion

U.S. Hacks QakBot, Quietly Removes Botnet Infections

The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.

Dutch authorities inside a data center with servers tied to the botnet. Image: Dutch National Police.

In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm ReliaQuest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. ReliaQuest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Qakbot/Qbot was once again the top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.

Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In May 2023, the DOJ quietly removed the “Snake” malware from computers around the world, an even older malware family that has been tied to the FSB, Russia’s domestic intelligence service.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.

Further reading:

The DOJ’s application for a search warrant tied to the Qakbot uninstall file (PDF)
The search warrant application connected to QakBot server infrastructure in the United States (PDF)
The government’s application for a warrant to seize virtual currency from the QakBot operators (PDF)
A technical breakdown from SecureWorks

Public Sector Cybersecurity | Why State & Local Governments Are at Risk

State and local governments have increasingly fallen prey to cybercriminals seeking to exploit often outdated technology systems and limited cybersecurity resources. Their vital role in delivering essential public services, coupled with the vast amounts of sensitive citizen data they store, makes them attractive targets. Attacks on government institutions not only disrupt crucial services but also compromise the personal information of countless individuals.

As nation-states and cybercriminals increasingly target state and local governments, the need for both practical cybersecurity strategies and collaborative federal and international-level intervention is clear.

This post dives into the driving factors behind the targeting of this sector at state and local-levels, the consequences they pose, and what government entities can do to safeguard themselves from cyber threat actors.

Examining the Risks | Why State & Local Governments Are a Target

Too frequently burdened by limited security budgets, aging technology, and small IT departments, state and local governments have emerged as prime targets for cyberattacks.

From social security numbers to tax information and voting records, state and local entities operate as the storehouses for all sensitive citizen data within their jurisdiction. Since they provide such a wide array of public services, including healthcare, education, transportation, and public safety, they are an essential link between individual citizens and critical infrastructure of the private sector.

To complicate matters, state and local governments often rely on outdated, legacy technology and systems that are susceptible to exploits of known vulnerabilities. With budget constraints and bureaucratic challenges, the lower branches of government struggle with core cybersecurity tasks such as timely updates and patches. It is also rare for local entities to have a team of cybersecurity specialists managing their systems; instead, a small in-house IT staff is tasked with all IT matters. Cyber attackers often see these institutions as soft targets with weaker defenses than organizations in the private sector.

Already strapped by a lack of funding and cybersecurity expertise, state and local governments further contend with massive volumes of sensitive data that are incredibly appealing to cyber criminals. Personal information, financial records, and even election data can be used for identity theft, fraud, and espionage.

Disrupting their operations can cause widespread chaos and stolen data of this nature is considered a hot commodity across the dark web. Attacks on government entities not only compromise individual citizens but can also be exploited for larger-scale campaigns, influencing political and economic outcomes in more extensive, future attacks.

The Challenge of Ransomware | How State & Local Governments Are Impacted

Ransomware has been around for three decades, but recent years have changed the public’s perception of how much a successful attack can affect their day-to-day lives. Prominent examples such as the attacks on Colonial Pipeline and JBS Foods, and more recent ones like the disruption of Dallas’s 911 computer system, water systems, and court services, put a magnifying glass on just how widespread the aftermath can be for citizens. Beyond disrupting daily operations, attacks on local government entities can run up recovery expenses reaching millions, regardless of whether a ransom is paid.

A recent study found that ransomware attacks in both state and local-level governing bodies have increased again from 58% in 2022 to 69% in 2023. These numbers top the global cross-sector trend that tracks ransomware attacks at an average of 66%. Now at its highest point in three years, more than three quarters of all ransomware attacks are focused on the lower branches of government with the end goal being data encryption and theft by threat actors.

Taking a closer look, the stats show that the leading causes of these ransomware attacks stem from exploited vulnerabilities (38%), compromised credentials (30%), and business email compromise (BEC) at 25%.

Other Cyber Risks Faced By The Public Sector

Phishing Attacks

Like many other organizations, state and local governments face the daily onslaught of phishing attacks. Cybercriminals craft malicious emails and leverage victims’ trust in official-looking communications. Given the decentralized nature of government structures, security awareness training is typically inconsistent across various entities, making it easier for threat actors to trick privileged users into revealing sensitive information or launching malware.

Business Email Compromise (BEC)

State and local governments’ extensive networks and financial transactions present lucrative opportunities for threat actors running business email compromise (BEC) schemes. Cybercriminals impersonate officials to manipulate employees into transferring funds or sensitive information. The high level of trust among colleagues can make it challenging to detect fraudulent requests, highlighting the need for robust authentication and communication protocols.

Known Vulnerabilities In Unpatched Software & Outdated Code

Limited budgets and bureaucratic red tape often hinder the process for patch management in state and local governments. This results in unpatched and outdated code, creating a fertile ground for cyber vulnerabilities. Attackers exploit known weaknesses to breach networks and compromise data, taking advantage of the interconnected nature of government operations to reach more associated networks.

Building A Stronger Cybersecurity Posture In The Public Sector

For municipal-level governments, constrained financial resources frequently dictate limits on their ability to maintain their cyber defenses. With multiple vendors offering specialist tools to solve specific problems, a limited budget can soon become exhausted as inexperienced teams try to manage both technical debt and the rise in adversary tradecraft.

The public sector can take a leaf out of the private sector’s book to help manage the cybersecurity budget, choosing solutions that both allow integration of existing tools and which offer a platform-approach to securing the entire organization. Alongside delivering more ‘bang for your buck’, a consolidated approach reduces pressure on the IT or security teams as there are fewer tools to learn and administer.

At the same time, leaders in state and government institutions responsible for allocating budgets are now being encouraged to follow the Biden-Harris administration’s lead in prioritizing cybersecurity as an essential service that must be delivered. The cost of failing to do so far outweighs the cost of consolidating multiple tools into a single platform.

It is also important to improve cyber hygiene to build up a stronger security posture. This can be achieved through a combination of up-to-date training, regular review of a security policy, and the use of a shared responsibility model that outlines the importance of security for all roles.

Leaders of state and local governments can action the following to improve their defenses:

  • Create a Security Policy – Cybersecurity needs to be viewed as a shared responsibility rather than being relegated to IT teams. A trickle-down policy communicated by leaders can help employees adopt a digital security mindset.
  • Implement a Patch Management Schedule – Ensure the prompt update of all systems, applications, and platforms to their latest versions on a regular basis. Follow CISA guidelines on known exploited vulnerabilities and leverage existing security technology to ease the pain.
  • Understand the Importance of Identity Security – User accounts can provide points of entry for adversaries, and organizations need to think beyond traditional endpoint and network security to include protection of user identities. As a minimum this might include Identity and Access Management, but more comprehensive security should include Identity Threat Detection and Response (ITDR).
  • Foster Cybersecurity Training Programs – A well-rounded cybersecurity training program equips employees with the knowledge and skills to identify and mitigate cyber threats such as spoofing, social engineering, malicious links, and more.
  • Design a Cyber Disaster Recovery Plan – Cyber disaster recovery plans ensure quick and effective responses to cyber incidents and minimized downtime. Begin by conducting a thorough risk assessment, identifying critical systems and data. Then, develop a comprehensive plan that outlines roles, responsibilities, communication protocols, and recovery procedures.
  • Establish Routine Data Backups – Having consistent backups helps entities recover more efficiently in the case of a cyber incident. Identify critical datasets, systems, and applications that demand regular backups. Then, select a secure, off-site storage solution and establish a well-defined backup schedule that accommodates any changes and updates to data.

Conclusion | Ongoing Support To Protect State & Local Governments

In 2022, the Biden-Harris Administration committed to directing $1 billion in funding toward state and local cybersecurity initiatives over the next four years. The grant program aims to bolster the establishment of critical governance frameworks that will focus on pinpointing key vulnerabilities, determining mitigation strategies, and addressing cyber workforce recruitment needs, including the placement of qualified individuals like Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), and Chief Technology Officers (CTOs).

This program is the latest example of a unified strategy between the Department of Homeland Security (DHS), the Federal Emergency Management Agency (FEMA), and CISA to provide the resources and cutting-edge technology that state and local governments can deploy to build a proactive defense against evolving threats.

Autonomous detection and response mechanisms play a vital role in this long-term program. Using the power of artificial intelligence and machine learning, advanced solutions like eXtended Detection and Response (XDR) can rapidly identify anomalies, unusual activities, and potential threats across vast networks. XDR solutions also give governments unrestricted visibility into their various systems, allowing for real-time responses to security events before they can lead to data encryption and critical infrastructure downtime.

Learn how SentinelOne’s leading Singularity platform can help state and local governments build cyber resilience. Contact us or book a demo today.

The Good, the Bad and the Ugly in Cybersecurity – Week 34

The Good | Lapsus$ Teen Members Found Responsible for High-Profile Cyber Crime Spree

This week, a London jury found 18-year-old Arion Kurtaj of Oxford, UK to be responsible for a series of cyberattacks against major firms, including Uber, Nvidia, and Rockstar Games. Additional charges include computer intrusion, fraud, and the demand for millions of US dollars in ransom backed by the threat of leaking sensitive information.

Kurtaj holds several online aliases, including teapotuberhacker, White, and Breachbase and is estimated to have made over 300 BTC from various illicit activities. Much of these ill-gotten profits, however, were reportedly lost to rival hackers and gambling. Alongside Kurtaj, a second teenager has been convicted for their association with Lapsus$ and breaching several companies.

Described by the court as a loose and unorganized collective of young “digital bandits”, Lapsus$ is thought to have members operating within the UK and possibly Brazil. Over the years, the group has targeted multiple high-profile organizations such as Microsoft, Okta, Cisco, T-Mobile, and Samsung. Since their emergence in December of 2021, members have been observed attacking government, technology, telecom, media, retail, and healthcare sectors for both notoriety and financial gain.

According to reports, Kurtaj and the unnamed 17-year-old first met online and committed cyber trespassing, sneaking into cellphone network operator servers. This soon escalated to ransoms and the use of swiped data to break into several cryptocurrency wallets. Prosecutors have noted the group’s juvenile desire to defy and taunt victims, often leaving offensive messages after infiltrating systems. Kurtaj, who is autistic and deemed not fit to stand trial, did not appear in court to give evidence. Jurors were asked to determine whether the teen committed the alleged acts rather than to determine if he did so with criminal intent. These cases have simultaneously highlighted the vulnerability of teenage hackers and the need to enhance cyber defenses across the web.

The Bad | macOS Malware “XLoader” Returns Disguised As Productivity App

A new variant of the macOS malware known as “XLoader” has been discovered, now masquerading as an office productivity app called “OfficeNote”. In findings published this week, SentinelOne found that this version of XLoader is hidden within an Apple disk image named OfficeNote.dmg and signed with the developer signature “MAIT JAKHU (54YDV8NU9C).” Initially identified in 2020, XLoader functions as an information stealer and keylogger, operating under the Malware-as-a-Service (MaaS) model and succeeding the infamous Formbook malware.

XLoader was first seen targeting macOS in 2021, when it was distributed by attackers as a Java program. The new XLoader variant uses the C and Objective C programming languages to avoid the limitations caused by the requirement for Java Runtime Environment, which isn’t installed by default on Mac devices. SentinelOne noted several instances of this artifact on VirusTotal throughout July 2023, suggesting a widespread campaign.

XLoader submissions to VirusTotal July 2023

The malware pretends to be an office application named OfficeNote but in reality installs a Launch Agent in the background for persistent execution. Once active, XLoader captures clipboard data and information stored in directories linked to popular web browsers, which can be exploited or sold to other threat actors. XLoader employs techniques to hinder both manual and automated analysis, and it incorporates sleep commands to delay execution in an attempt to avoid detection.

SentinelOne concluded that XLoader remains a threat to macOS users and businesses, emphasizing the need for continued vigilance against such cyber threats. Customers of SentinelOne are automatically protected from this new variant of XLoader.

The Ugly | US & UK Critical Infrastructure Targeted By Lazarus Group’s New RAT

DPRK-backed Lazarus Group has exploited a patched critical security vulnerability in Zoho ManageEngine ServiceDesk Plus with the purpose of distributing a remote access trojan (RAT) named QuiteRAT. The targets of these attacks include internet backbone infrastructure and healthcare organizations in Europe and the US, according to reports by security researchers this week. Additionally, in-depth analysis of the group’s attack infrastructure uncovered a new threat called CollectionRAT.

QuiteRAT, a successor to MagicRAT and TigerRAT, exhibits similar capabilities but with a significantly smaller file size. The malware is built on the Qt framework, which adds complexity to its code and makes analysis more challenging for cyber defenders. The attacks, observed in early 2023, exploited CVE-2022-47966, for which a proof-of-concept (PoC) had emerged just five days before the first attack, to deploy QuiteRAT from a malicious URL. Unlike MagicRAT, QuiteRAT lacks a built-in persistence mechanism and requires the server to issue commands for ongoing activity on compromised hosts.

The Lazarus Group has also been observed incorporating open-source tools and frameworks for initial access in their attacks, as opposed to using them solely post-compromise. The reports indicate the use of the open-source DeimosC2 framework and CollectionRAT for various malicious activities, such as gathering metadata, executing commands, managing files, and delivering payloads.

Operational links between the various malware implants (Source: Talos)

Despite the well-documented nature of Lazarus’s tactics, researchers noted that the group’s continued use of the same infrastructure shows the threat actor has confidence in the continued success of their operations.

Kroll Employee SIM-Swapped for Crypto Investor Data

Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks.

Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll — the company handling both firms’ bankruptcy restructuring.

In a statement released today, New York City-based Kroll said it was informed that on Aug. 19, 2023, someone targeted a T-Mobile phone number belonging to a Kroll employee “in a highly sophisticated ‘SIM swapping’ attack.”

“Specifically, T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee’s phone number to the threat actor’s phone at their request,” the statement continues. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”

T-Mobile has not yet responded to requests for comment.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

SIM-swapping groups will often call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the employee to visit a phishing website that mimics the company’s login page.

Multiple SIM-swapping gangs have had great success using this method to target T-Mobile employees for the purposes of reselling a cybercrime service that can be hired to divert any T-Mobile user’s text messages and phone calls to another device.

In February 2023, KrebsOnSecurity chronicled SIM-swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. The average cost to SIM swap any T-Mobile phone number was approximately $1,500.

The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.

And there is some indication this is already happening. Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”

A phishing message targeting FTX users that went out en masse today.

A major portion of Kroll’s business comes from helping organizations manage cyber risk. Kroll is often called in to investigate data breaches, and it also sells identity protection services to companies that recently experienced a breach and are grasping at ways to demonstrate that they are doing something to protect their customers from further harm.

Kroll did not respond to questions. But it’s a good bet that BlockFi, FTX and Genesis customers will soon enjoy yet another offering of free credit monitoring as a result of the T-Mobile SIM swap.

Kroll’s website says it employs “elite cyber risk leaders uniquely positioned to deliver end-to-end cyber security services worldwide.” Apparently, these elite cyber risk leaders did not consider the increased attack surface presented by their employees using T-Mobile for wireless service.

The SIM-swapping attack against Kroll is a timely reminder that you should do whatever you can to minimize your reliance on mobile phone companies for your security. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.

If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS at the phone number on file. This may require stepping through the website’s account recovery or lost password flow.

If the account that stores your mobile phone number does not allow you to delete your number, check to see whether there is an option to disallow SMS or phone calls for authentication and account recovery. If more secure options are available, such as a security key or a one-time code from a mobile authentication app, please take advantage of those instead. The website 2fa.directory is a good starting point for this analysis.

Now, you might think that the mobile providers would share some culpability when a customer suffers a financial loss because a mobile store employee got tricked into transferring that customer’s phone number to criminals. But earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack which netted the thieves more than $24 million in cryptocurrency.

Unweaving A Complex Web of Threats | Understanding Today’s Cyber Attacker Interdependency

The dynamics of cyber threats have taken on a new level of complexity, driven by the escalating interdependency among various types of threat actors. In a thriving cybercrime-as-a-service (CaaS) economy, attackers are sharing their malicious tradecraft through readily available kits and tools and collaborating efficiently by leveraging shared services conveniently accessible on the dark web.

For enterprises, growing levels of interdependence amongst cybercriminals pose new challenges on the cybersecurity front. As threat actors pool their resources and knowledge, the sophistication and scale of attacks have risen sharply. The sharing of malicious tools and services also shortens the time it takes for new threats to emerge.

In this post, we explore the complex and growing web of interconnection that links sophisticated nation-state actors, threat gangs, and all levels of cyber criminals together. Understanding the shape of today’s cyber threat landscape is an essential prerequisite for all modern cyber defenders.

How Attackers Share Knowledge & Malicious Tradecraft

In recent years, the availability of cybercrime services has become firmly established amongst various levels of cybercriminals, leading to significant specialization within criminal networks and fostering cooperation among illicit vendors.

Cybercrime-as-a-service (CaaS) models allow attackers to share technical knowledge and malicious tradecraft through dark markets. This ecosystem operates much like a legitimate business, where aspiring attackers can purchase or rent tools, techniques, and expertise to launch their own campaigns.

Illicit service providers can efficiently serve numerous criminal entities by providing obfuscation, IoT botnet rentals, phishing services, backdoor generators, and more. These offerings are frequently marketed or sold on private forums and the dark web.

Navigating the Dark Web | Breeding Grounds for A New Wave of Cybercrime

A fertile ground for modern cybercrime, the dark web serves as a hub where cybercriminals can sell and share expertise, tools, and stolen data. These illicit spaces have driven interdependency among cybercriminals and amplified the scale and complexity of cyber threats.

Tor and its .onion addresses are the most popular option, but other darknet services are out there that can support criminal enterprises, including I2P (the Invisible Internet Project) and Hyphanet. While such services also serve legitimate purposes for anonymous and private network connections, internet privacy and censorship resistance, there is no doubt that cybercriminals have benefited hugely from their availability.

Monetizing Breaches | The Emergence of Initial Access Brokers

While dark markets facilitate the tools, code, and services needed to perform cyberattacks, Initial Access Brokers (IABs) sell unauthorized access to compromised systems, enabling buyers to initiate their attacks. Their emergence has introduced a layer of monetization to data breaches, which underscores the transformation of cyber threats into a vastly profitable commodity.

Initial Access Brokers also offer a marketplace for stolen credentials and software vulnerabilities, which empower a broader range of attackers with diverse expertise. With such ready access to potential targets, cybercriminals are able to exploit these gateways to rapidly launch new campaigns.

Outsourcing Expertise for Profit | The Role of Cyber Affiliates

The shift in how threat actors collaborate is also attributed to cyber affiliates: individuals or groups that leverage their skills to assist in cyber attacks in exchange for a share of the profits. This decentralized approach enables specialization within the criminal ecosystem, where different actors contribute their expertise to create a more diversified and potent threat ecosystem.

Affiliates serve as integral components within the ransomware-as-a-service (RaaS) framework. Affiliates leverage the specialized resources and tools provided by the RaaS platform, enabling them to launch sophisticated campaigns even without advanced technical skills.

In return for their services, affiliates share a portion of the ransom payments with the RaaS operators. This collaboration amplifies the reach and severity of ransomware attacks since affiliates operate autonomously under the RaaS umbrella, expanding the threat landscape and generating profits for both parties involved.

Behind the Scenes | The Enablers Behind Cybercriminals

Beneath the surface of the cybercrime landscape lies a network of enablers that fuel their malicious operations. Crypter developers, for example, create tools that attempt to disguise malware, in the hopes of evading detection by less-sophisticated security software.

Malware kits and droppers offer pre-packaged malicious code, further lowering the barrier to entry to cybercrime and attracting a new breed of would-be criminals with less technical knowledge.

Bulletproof hosting plays a pivotal role in interconnecting cybercriminals. This type of hosting service provides a safe haven for illegal online activities by offering infrastructure that is resistant to takedowns and law enforcement actions. Bulletproof hosting providers set up their infrastructure in jurisdictions that are known to have lenient or inadequate internet regulations in place, making it difficult for authorities to shut down or seize their servers. The hosts generally have minimal content monitoring or restrictions, allowing cybercriminals to host illegal content, malware distribution, phishing sites, and other malicious activities.

By providing a reliable and secure platform, bulletproof hosting providers attract a range of cybercriminals, including those involved in malware distribution, phishing campaigns, and other illicit operations. This fosters an environment where cybercriminals can collaborate, share resources, and even coordinate attacks, making their collective impact much larger than if they had operated independently.

VPNs are among the most common services used by malware operators and scammers. Criminal VPN providers work by hosting proxies that users can route their traffic through to conceal their IP address as well as the content of the traffic. These services are typically advertised specifically to attackers on the dark web.

Anonymizing Transactions | The Role of Cryptocurrency In The Threat Arena

Behind the explosion of cybercrime in recent years is the ability of criminals to move money without oversight. Cryptocurrency like bitcoin has transformed how threat actors manage their ill-gotten gains and conduct various illegal activities. Given its decentralized nature, anonymity, and ease of use, cryptocurrency has become a unifying means of handling criminal proceeds across diverse criminal activity.

Crypto wallets store digital assets and enable pseudonymous transactions through unique addresses. Mixers, or tumblers, shuffle multiple transactions, ensuring that the origin of funds is difficult to trace. Threat actors also use crypto swappers to convert from one cryptocurrency to another, which adds an additional layer of complexity. These tools collectively help cybercriminals mask their financial activities, making the detection and tracking of illegal proceeds more challenging for authorities.

Conclusion

The increasing interdependence observed among cybercriminals reflects the intricate nature of the modern cybercrime landscape. It also demonstrates the urgency for organizations to establish end-to-end cybersecurity strategies that are capable of safeguarding various attack surfaces autonomously.

While disruption of the cybercrime ecosystem is primarily a task for collaborative law enforcement and government policy, security leaders can play their part by ensuring that their solutions provide deep visibility across all systems, detect and respond to threats in real-time, and can scale as needed as the organization grows.

SentinelOne is ready to help security leaders defend their organizations against every level of cyberattack. To learn how we can help you build a robust security posture, contact us today or book a demo.

From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families

The evolution of the ransomware landscape has seen a shift from the more traditional approach involving Windows payloads to ones targeting other platforms, most notably Linux. In this shift, ransomware operators are shortening the time gaps between different payload releases and bringing feature parity across diverse platforms.

Strategically dipping into code from well known ransomware families such as Conti, Babuk, or Lockbit, ransomware operators are reusing and modifying codebases to create novel attack techniques. As more cases of this come to light, it is critical for security teams to stay vigilant and adaptive in their defenses.

In this post, we highlight several recent ransomware families that have unleashed their Linux/ESXi-focused payloads shortly upon launch of their operations. Understanding the capabilities of these payloads is an important step in gauging future risk and key to enabling security teams to prepare their defenses accordingly.

The Rise of the Linux Ransomware Threat

Looking back just four or five years, prominent ransomware operators’ primary focus was devices running Windows. Non-Windows flavors of their payloads required extra skill and time to develop and release. Such is not the case now, with languages like Rust and Go allowing for quick multi-platform ports for eager malware developers.

The state of the threat landscape as we see it today includes ransomware operators releasing payloads for multiple platforms simultaneously. In this approach, there are no longer significant gaps of time between the usual Windows-targeted payloads and the Linux-focused and/or ESXi payloads. In addition, it is now standard for payloads across platforms to exhibit feature parity. Out of the gate, these Linux and ESXi-focused lockers contain all the requisite functionality of their Windows counterparts.

Modern ransomware operators are also increasingly reusing builders and code (sometimes leaked) or modifying codebases to suit their needs while maintaining the primary code as a model. Security researchers note that the primary families from which these have been derived are Conti, Babuk, and LockBit. These variants are capable of targeting both Linux and VMware ESXi environments, with the aim of encrypting the virtual machines (VMs) hosted on ESXi servers that are often crucial to business operations and services.

Typically, attackers exploit vulnerabilities in ESXi, weak credentials, or other security vulnerabilities to gain access to the virtualized environment. The ability to efficiently target and encrypt virtual machines is highly attractive to ransomware operators. Fully-virtualized infrastructure can be encrypted and compromised in minutes with the right, and robust, payloads.

MONTI Locker

MONTI locker has a history going back to mid-2022, with a number of attacks on VMware ESXi servers.

The most recent versions of MONTI ESXi ransomware support a variety of command-line arguments, many of which are carryovers from Conti, from which MONTI Locker borrows code. The operators behind MONTI Locker have shown signs of moving in a more bespoke direction as of late, however.

Researchers recently documented a sample that appears to shed the old Conti-based encryptor along with a few of the command-line parameters. These more recent samples have removed the --size, --log and --vmlist parameters.

Available command-line parameters for MONTI Locker include:

Argument       Function
--path         Path to file / volumes
--whitelist    List of virtual machines to skip (can accept .txt file input)
--vmkill       Toggle termination of virtual machines
--vmlist       Accepts a list (.txt file) of virtual machine names
--detach       Detach from the screen/terminal
--log          Create a log file
--prockiller   Toggles termination of processes with handles open on targeted files (for encryption)
--size         Partial file encryption, toggles percentages between 10 and 50
--world-id=    Targeting specific World IDs within VMware
August 2023 MONTI Locker help screen

Also of note is MONTI Locker’s ability to update the MOTD file (Message of the Day) on affected servers. This file (/etc/motd) controls what users see upon login to vCenter, for example. Post-infection, servers encrypted with MONTI Locker will display the configured ransom note.

MOTD and Index.html references in MONTI Locker

MONTI Locker’s overall attack volume is lower than some of the other threats in this post. Their targeting is quite selective, and they are adept at playing the long game when it comes to the overall lifespan of their infection campaigns. As we will note with Akira, it will be interesting to see how MONTI Locker evolves outside of Conti as well as how quickly those changes will come to fruition.

Akira Ransomware

Linux variants of the Akira ransomware family have been observed since June of 2023, though the broader operations go back to April. Initial delivery of Akira ransomware occurs via exploitation of vulnerable, publicly available services and applications. The group has also been known to target weaknesses in multi-factor authentication (or a lack thereof). Akira attackers do not discriminate when it comes to victimology. As of this writing, they have targeted educational institutions as well as those in the financial, manufacturing, real estate, and medical industries.

Traditionally, Akira ransomware payloads are borrowed from Conti. The Linux versions of Akira ransomware use the Crypto++ library to handle encryption on devices. Akira provides a short command set that does not include any options to shut down VMs prior to encryption. It does, however, allow the attacker some control over the speed of encryption, and over the likelihood of practical recovery by the victim, via the -n parameter. The greater that value, the more of each file gets encrypted, meaning slower encryption and a lower likelihood of the victim recovering without proper decryption tools.

Available command-line parameters for Akira include:

Argument                   Function
--encryption_path, -p      Path to file / folders
--encryption_percent, -n   Partial encryption, sets percentage of file to be encrypted
--share_file, -s           Shared-drive path (on network) to be encrypted
--fork                     Spawn a child process for encryption

[Figure: Akira’s minimal output with EP and Path parameters]
[Figure: Akira command-line parameters]

Akira is often recognized by their retro-style branding and themes. The operators have past interactions with Conti and the Conti source code is peppered throughout that of Akira. It will be interesting to monitor and see how their non-Windows payloads evolve over time, and if and how much they will deviate from the Conti base.

Trigona Linux Locker

Trigona is a ransomware family first observed in June 2022. A multi-extortion group, Trigona hosts a public blog of victims as well as their stolen data. Their malware payloads have been observed on Windows and Linux.

Of all the families discussed here, Trigona had the longest gap between the release of its original Windows payloads and the Linux-focused versions of its ransomware. That wider gap does not mean the group is in any way behind other ransomware families, however.

Trigona’s Linux-focused payloads are lean and efficient and they include the most robust logging and testing-output options across the families discussed in this post. The group is aggressive with their campaigns and demands and we continue to monitor as the group updates their tools for these and potentially other platforms.

The /erase option with Trigona is available on both Windows and Linux variants. This option is oft-overlooked, yet it perhaps should not be. Security teams should be aware that this option allows for the ransomware to function as a wiper of sorts.

With the Trigona payloads, the /erase option will fully delete the file, making it essentially non-recoverable. This behavior is somewhat tailorable with the combined use of the /full option. Without the latter, only the first 512KB of a given file will be overwritten with NULL bytes. When combined with the /full parameter, the entire contents of the file will be overwritten. Files affected as such will be given the ._erased extension as opposed to the usual ._locked extension.

Available command-line parameters for Trigona include:

Argument        Function
/full           Full file encryption (as opposed to the first 512KB)
/sleep          Sets number of seconds to wait before full execution
/fast           Partial encryption
/erase          Overwrite data (wipe)
/is_testing     Sets testing/debugging flag
/test_cid       Force use of specific Computer ID (for testing and debugging)
/test_vid       Force use of specific Victim ID (for testing and debugging)
/allow_system   Toggle encryption of system paths
/shdwn          Force the shutdown of system once encryption completes
/path           Required – Sets target path to encrypt
/log            Specify path for log file

[Figure: Trigona launched with basic /path parameter]
[Figure: Trigona’s final log]
[Figure: Trigona command-line parameters]
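To show how a responder can act on the /erase behaviour described above, here is an added triage script (not part of the original post, not Trigona code) that sorts files on a recovered share into encrypted, partially wiped and fully wiped, which decides whether the tail of a file is still worth carving. It assumes 512KB means 512 KiB, and it builds its own synthetic sample files rather than using real ransomware output.

```python
import os
import tempfile

# Trigona's /erase nulls the first 512KB of each file unless /full is also set,
# and renames it to ._erased. Assumption for this example: 512KB = 512 KiB.
ERASE_PREFIX = 512 * 1024
CHUNK = 1024 * 1024


def _all_null(fh, start, end=None):
    """True if every byte of fh in [start, end) is 0x00 (end=None means EOF)."""
    fh.seek(start)
    remaining = None if end is None else end - start
    while remaining is None or remaining > 0:
        chunk = fh.read(CHUNK if remaining is None else min(CHUNK, remaining))
        if not chunk:
            break
        if chunk.count(0) != len(chunk):
            return False
        if remaining is not None:
            remaining -= len(chunk)
    return True


def triage_file(path):
    """Classify one file by Trigona's extensions and by which bytes were zeroed.

    'wiped_partial' means only the 512KB prefix is null, so the tail may still
    be worth carving; 'wiped_full' means nothing is left to recover.
    """
    if path.endswith("._locked"):
        return "encrypted"
    if not path.endswith("._erased"):
        return "untouched"
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        if _all_null(fh, 0):
            return "wiped_full"
        if _all_null(fh, 0, min(size, ERASE_PREFIX)):
            return "wiped_partial"
    return "wiped_unknown"  # ._erased name but neither pattern: inspect by hand


def triage_tree(root):
    """Walk a recovered share and count files per verdict."""
    counts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            verdict = triage_file(os.path.join(dirpath, name))
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def build_sample_tree():
    """Create a throwaway directory of constructed files covering each outcome.

    Returns (root, {label: path}). Content is synthetic, not ransomware output.
    """
    root = tempfile.mkdtemp(prefix="trigona_triage_")
    samples = {
        "partial": ("ledger.xlsx._erased", b"\x00" * ERASE_PREFIX + b"tail survives " * 64),
        "full": ("notes.txt._erased", b"\x00" * (ERASE_PREFIX + 4096)),
        "small": ("tiny.txt._erased", b"\x00" * 100),  # shorter than 512KB: fully zeroed
        "odd": ("odd.bin._erased", b"not actually wiped"),
        "locked": ("db.sql._locked", b"\x7fciphertext-placeholder"),
        "plain": ("readme.txt", b"plain"),
    }
    paths = {}
    for label, (name, content) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths[label] = path
    return root, paths
```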

Abyss Locker

Abyss Locker ransomware operations emerged in March 2023, aggressively targeting VMware ESXi environments. Initial delivery of Abyss Locker payloads occurs through various means including phishing email or exploitation of vulnerable, publicly available services and applications.

Abyss Locker payloads for Linux are derived from the Babuk codebase and function in a very similar fashion. In addition, the encryption features in Abyss are based on those found in HelloKitty ransomware. At this time, it is not known how formal any cooperation between Abyss Locker, HelloKitty, and Vice Society is. Abyss Locker contains calls specific to the esxcli command-line tool, which is used for management of virtual devices.

[Figure: VMware ESXi commands in Abyss Locker]

Abyss Locker uses the esxcli command-line tool and allows for multiple modes of virtual machine and process termination.

esxcli vm process list
esxcli vm process kill -t=force -w=%d
esxcli vm process kill -t=hard -w=%d
esxcli vm process kill -t=soft -w=%d

These commands affect how ‘graceful’ the shutdown of targeted VMs will be. As per VMware’s documentation, the soft option is typically most desired. The hard option performs an immediate shutdown (assuming privilege) while the force option should only be used as a last resort. Abyss will make use of any and all of these if needed.

Available command-line parameters for Abyss Locker include:

Argument   Function
-m         Partial encryption (5-10-20-25-33-50)
-v         Verbose
-d         Switch to daemon
Start      Path to start encryption in

-v creates a verbose “work.log” file showing the chosen encryption modes and benchmarks around the timing of encryption for each file encountered.

[Figure: Abyss Locker’s work.log file]
[Figure: Abyss Locker command options]

Abyss Locker’s payloads are speedy and efficient in terms of just how quickly the devices are encrypted overall. As this group continues to tweak their payloads, we expect to see more of them appearing in custom-branded, Vice Society-style campaigns.
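As an added example (not code from the original post or from any of the groups described), the four parameter tables above and the esxcli kill sequence can be turned into simple detection logic over process-execution records. Event shapes, binary names, family weights and the three-kills-per-minute threshold are assumptions made for this example; the Abyss switches are generic, so they only score through their combination.

```python
import re
from collections import defaultdict

# Constructed sample events (epoch seconds, host, command line), shaped like
# what an EDR sensor or ESXi shell audit would record. Binary names are placeholders.
SAMPLE_EVENTS = [
    (1000, "esx01", "esxcli vm process list"),
    (1001, "esx01", "esxcli vm process kill -t=soft -w=2100123"),
    (1002, "esx01", "esxcli vm process kill -t=hard -w=2100123"),
    (1003, "esx01", "esxcli vm process kill -t=force -w=2100123"),
    (1004, "esx01", "esxcli vm process kill -t=force -w=2100456"),
    (1005, "esx01", "/tmp/.x -m 10 -v -d /vmfs/volumes"),
    (1300, "esx02", "esxcli vm process kill -t=soft -w=2100789"),  # lone admin kill
    (1400, "lnx01", "./enc /path /vmfs/volumes /erase"),
    (1401, "lnx02", "./enc /path /data /erase /full /shdwn"),
    (1402, "lnx03", "./enc -p /data -n 50 --fork"),
    (1403, "esx03", "./enc --path /vmfs/volumes --vmkill --whitelist vms.txt --world-id=2100001"),
]

KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\s+-t=(soft|hard|force)\s+-w=(\d+)")

# Switches from the four parameter tables above. Weight 2 marks switches rarely
# seen outside that family, weight 1 marks generic ones. Abyss only has generic
# switches, so it can reach the threshold only through their combination.
SIGNATURES = {
    "MONTI": {"--vmkill": 2, "--whitelist": 2, "--vmlist": 2, "--prockiller": 2,
              "--world-id": 2, "--detach": 2, "--path": 1, "--log": 1, "--size": 1},
    "Akira": {"--encryption_path": 2, "--encryption_percent": 2, "--share_file": 2,
              "--fork": 2, "-p": 1, "-n": 1, "-s": 1},
    "Trigona": {"/erase": 2, "/shdwn": 2, "/is_testing": 2, "/test_cid": 2,
                "/test_vid": 2, "/allow_system": 2, "/fast": 2,
                "/path": 1, "/full": 1, "/log": 1, "/sleep": 1},
    "Abyss": {"-m": 1, "-v": 1, "-d": 1},
}
ABYSS_MODES = {"5", "10", "20", "25", "33", "50"}
THRESHOLD = 3  # minimum score before a command line is attributed to a family


def classify_cmdline(cmdline):
    """Score a command line per family; returns (family, score, notes), family None below THRESHOLD."""
    tokens = cmdline.split()
    best = (None, 0, [])
    for family, switches in SIGNATURES.items():
        score, notes = 0, []
        for i, tok in enumerate(tokens):
            base = tok.split("=", 1)[0]  # --world-id=2100001 -> --world-id
            if base not in switches:
                continue
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            # Abyss -m counts only with a documented percentage, Akira -n only with a number
            if family == "Abyss" and base == "-m" and nxt not in ABYSS_MODES:
                continue
            if family == "Akira" and base == "-n" and not nxt.isdigit():
                continue
            score += switches[base]
        if family == "Trigona" and "/erase" in tokens:  # wipe mode changes the response
            notes.append("full wipe" if "/full" in tokens
                         else "partial wipe (first 512KB nulled)")
        if score > best[1]:
            best = (family, score, notes)
    family, score, notes = best
    return (family, score, notes) if score >= THRESHOLD else (None, score, [])


def detect_kill_bursts(events, window=60, min_kills=3):
    """Flag hosts with >= min_kills esxcli VM kills inside `window` seconds."""
    # Abyss kills every VM in turn (soft, hard, then force); an administrator
    # rarely terminates several VMs within one minute.
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        m = KILL_RE.search(cmd)
        if m:
            per_host[host].append((ts, m.group(1), m.group(2)))
    alerts = []
    for host, kills in per_host.items():
        kills.sort()
        for i in range(len(kills)):
            j = i
            while j + 1 < len(kills) and kills[j + 1][0] - kills[i][0] <= window:
                j += 1
            if j - i + 1 >= min_kills:
                alerts.append({"host": host, "kills": j - i + 1,
                               "modes": sorted({k[1] for k in kills[i:j + 1]}),
                               "worlds": sorted({k[2] for k in kills[i:j + 1]})})
                break
    return alerts


def scan(events):
    """Attribute each event's command line to a family where the score allows."""
    findings = []
    for _, host, cmd in events:
        family, score, notes = classify_cmdline(cmd)
        if family:
            findings.append({"host": host, "family": family, "score": score, "notes": notes})
    return findings
```

Running scan() and detect_kill_bursts() over SAMPLE_EVENTS attributes five command lines and raises one VM-kill burst alert for esx01; the single kill on esx02 stays quiet.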

Conclusion

In this post, we have examined several prominent Linux and VMware ESXi-focused ransomware families, diving into the usage and command-line syntax of the specific payloads. By highlighting the known lineage where possible and focusing on the parameters available, security teams can get a “hands-on” look and feel for the payloads, enhancing their threat detection capabilities.

The divergence of attacks using Windows payloads to those targeting other platforms signals how the ransomware landscape continues to evolve. As threat actors continue to iterate on their strategies to evade detection, it is critical for security leaders to stay ahead of these trends.

Enterprises globally trust SentinelOne for strong preventative and detection controls required to combat increasingly sophisticated threats. SentinelOne’s Singularity™ Platform is capable of both detecting and preventing the malicious behaviors associated with the threats described in this post. To learn more about Singularity™, contact us today or book a demo to see it in action.

Linux Ransomware File Samples


Cyber Attacks on Financial Institutions | Why Banks Are Caught in the Crosshairs

In recent years, there has been a significant uptick in the frequency and sophistication of attacks on the financial and banking industry. The following statistics illustrate the current breadth and depth of cyber attacks by various types of threat actors on financial entities:

  • Financial institutions were the second most impacted sector based on the number of reported data breaches last year. Institutions in the U.S., Argentina, Brazil, and China were most affected. As of December 2022, finance and insurance organizations globally experienced 566 breaches, leading to over 254 million leaked records.
  • Ransomware attacks on financial services have increased from 55% in 2022 to 64% in 2023, nearly double the 34% reported in 2021. Only 1 in 10 attacks were stopped before encryption took place, leaving 81% of organizations victims of data encryption.
  • Data breaches in the finance sector carried the second highest cost of any industry, at $5.9 million.

This blog explores the rise in cyber attacks on the banking and financial industries, their far-reaching consequences, and what these high-target entities can do to protect against the evolving tactics of threat actors.

Understanding the Risks Faced by the Financial Sector

In its 2022 Cybersecurity and Financial System Resilience report, the Federal Reserve Board notes the potential risks and emerging threats that affect the state of the U.S. economy. Unsurprisingly, cybersecurity concerns topped the list, with Ransomware-as-a-Service (RaaS) and sophisticated Distributed Denial of Service (DDoS) attacks called out as the biggest risks to financial institutions’ ability to operate and safeguard customer data.

  • RaaS – RaaS is characterized by heightened sophistication, rapid proliferation, and difficulty of attribution. RaaS empowers threat actors to establish templates that could be considered “franchised” threats. Accomplished threat actors license their software to other malicious parties, typically in exchange for a portion of the ransom proceeds. This threat model provides less advanced threat actors with many more ways of disrupting businesses. Victims that decline ransom payment often find themselves with the burden of reconstructing their infrastructure in order to reinstate normal business operations.
  • DDoS Attacks – In sophisticated DDoS attacks, the attacker aims to render a machine or network resource unavailable to legitimate users by overwhelming the target or its surrounding infrastructure with traffic. The United States’ financial services sector has long been a target of DDoS attacks, which has also affected associated external entities and other stakeholders.

An excerpt from the Federal Reserve Board’s report highlights this concern, amplified through the lens of current geopolitics:

The rising number of advanced persistent threats increases the potential for malicious cyber activity within the financial sector. These threats may result in incidents that affect one or more participants in the financial services sector simultaneously and have potentially systemic consequences. Such incidents could affect the ability of targeted firms to provide services and conduct business as usual, presenting a unique challenge to operational resilience. These incidents can also threaten the confidentiality, integrity, and availability of the targeted firm’s data.

Banks and financial institutions can face significant short and long-term financial damages when they experience a cyberattack. These damages can result from a variety of factors, including operational disruptions, reputational harm, legal and regulatory consequences, and increased cybersecurity investments.

Immediate & Ongoing Fees

A single, successful cyberattack can lead to immediate financial consequences that directly impact a company’s financial performance. Costs are associated with the severity of the attack and the extent of the data exposure, leading to both immediate and long-term repercussions.

  • Ransom Payments – In a ransomware attack, the average payout has surged to $1.6 million, compared to the previous year’s average of over $272,000. 43% of surveyed companies in the same report confirmed paying the ransom.
  • Forensic Analysis & Investigation Fees – Organizations often engage cybersecurity experts to identify the nature and scope of the breach, analyze the attack vectors, and trace the attacker’s activities.
  • PR & Crisis Management Fees – After a breach, organizations may engage public relations and communication experts to manage the institution’s public image and respond to media inquiries. This also involves notifying affected customers, partners, and stakeholders about the breach, potential data exposure, and recommended actions.
  • Legal Expenses – Small to medium-sized businesses with no in-house legal team may seek legal advice to navigate the legal implications of the breach, including potential liability, regulatory compliance, and contractual obligations.
  • Customer Compensations & Cost of Remediation – Depending on the information compromised during the attack, organizations may offer credit monitoring and identity protection services to affected customers to mitigate potential identity theft. This can include assisting customers in resolving fraudulent transactions or unauthorized account access for a period after the breach.
  • Increased Premiums – Post-attack, companies may be forced to pay higher premiums for their cyber insurance coverage.

Regulatory & Legal Consequences

Financial entities and banks are mandated to follow applicable compliance frameworks such as PCI-DSS. Those that fall victim to a cyberattack face substantial regulatory and legal consequences: regulatory bodies impose fines and penalties for failing to safeguard customer data, comply with industry-specific cybersecurity standards, and promptly report breaches. These financial repercussions can amount to millions of dollars, severely impacting an institution’s bottom line.

In terms of legal implications, affected parties including customers and partners may initiate lawsuits to claim damages resulting from data breaches. Legal defense costs, settlements, and potential reputational damage from such actions can lead to long-lasting financial strain.

Disruption to Business Operations & Reputational Damages

Cyber attacks disrupt services, delay transactions, and lock up day-to-day operations. The more critical the affected systems, the greater the cost to operations. In the immediate aftermath of an attack, resources may need to be redirected towards remediation, taking away from core business activities. Beyond direct financial losses, there are indirect costs of rebuilding systems and restoring data, and additional cybersecurity measures require significant investments, which can put a strain on budgets.

The value of customer trust can’t be measured and a tarnished reputation is one of the most costly consequences of a data breach. The ongoing cost of a data breach is largely reflected in the competitive landscape as the victim organizations see a decrease in their brand value and market share. For publicly traded firms, this cost is mirrored in stock price fluctuations.

As news of a data breach is reported, damage to the victim organization starts to go beyond dollars and cents. The perception of poor security measures can lead clients to doubt the organization’s ability to safeguard their sensitive information, potentially causing customer churn. From a stakeholder’s perspective, negative media coverage amplifies the impact, eroding the organization’s credibility. Extending beyond the immediate aftermath, breaches can massively influence customer decisions, partnership opportunities, and market sentiment.

Building Cyber Resilience In Big Banks & Financial Giants

To better defend the nation’s critical infrastructure from ongoing attacks, the U.S. government has implemented programs such as CISA’s Shields Up!, the Office of the National Cyber Director (ONCD), the Cyber Safety Review Board (CSRB), and most recently, the new U.S. Cyber Trust Mark.

At the enterprise-level, security leaders can use the following checklist to assess their organization’s cybersecurity posture as it stands and improve any identified gaps.

1. Response & Recovery | How fast can we regroup post-cyber attack?

Financial institutions can be susceptible to cyberattacks even with preventative controls in place. To build long-lasting resilience, security leaders are encouraged to design, maintain, and consistently review plans to ensure business continuity in the event that a threat actor succeeds. This includes:

  • Well documented incident response plans (IRP), communication matrices, and post-attack workflows. Focus on system and operations recovery and a chain of command that includes all necessary leads needed to facilitate the response plan.
  • Good relationships with federal and local law enforcement entities and any cybersecurity resources available for the specific industry.
  • Contacts for cyber forensics and any post-incident recovery experts that can be engaged as needed.
  • Implementing a regular schedule to conduct cyber recovery exercises, audits, and red team and penetration testing.
  • Consider cyber insurance as a risk management strategy to identify, measure, and monitor ongoing cyber risk exposure.

2. Network & System Security | How protected are we from cyber intruders?

Many organizations adopt an “assume breach” mentality where defenders operate under the assumption that their systems have already been compromised. This is a proactive approach which acknowledges the ever-present risk of cyberattacks and focuses on detecting and mitigating intruders as quickly as possible. By assuming a breach has occurred, defenders strategically deploy continuous monitoring, anomaly detection, and threat hunting techniques to identify malicious activities early on. In essence, “assume breach” empowers defenders to stay one step ahead of adversaries in the dynamic landscape of cybersecurity. Building up the necessary network configurations and system hardening includes the following key aspects:

  • Securing all network components to ensure that only approved ports, protocols, and services are allowed.
  • Reviewing, adjusting, and disabling (if necessary) any default user accounts and settings before system use.
  • Performing vulnerability scans to cover all network and hardware components, firmware, and operating systems.
  • Adhering to a strict patch management schedule.
  • Adding threat detection and prevention capabilities to email systems to combat common email attack vectors such as phishing, whaling, spoofing, etc.
  • Segmenting critical network components and services, particularly any business-critical and/or highly sensitive elements of the environment.

3. Identity & Access Management | How do we secure against illegitimate users?

The increase in phishing attacks and the effectiveness of threat actors in stealing login credentials mean that financial institutions must implement the right controls for identity and access management. This includes authentication controls for customers, employees, and any third-party access to sensitive systems. To build up a strong set of identity and access management controls:

  • Implement multi-factor authentication (MFA) policies, network segmentation, and role-based access control (RBAC). This significantly enhances security by adding an additional layer of authentication beyond just passwords and minimizes the risk of unauthorized access to critical systems and data.
  • Use the Principle of Least Privilege (PoLP), granting users only the minimum level of access required to perform their responsibilities. This principle limits the cascading impact should an account become compromised.
  • Set up means for continuous monitoring, regular account audits, and encryption protocols. Real-time monitoring of user activities and access patterns allows security teams to quickly detect and respond to potential signs of breach. Using strong encryption protocols for authentication ensures that sensitive information like passwords is transmitted securely.

Conclusion

As geopolitical and socio-economic sands continue to shift, the targeting of financial institutions and the banking sector by sophisticated and well-funded threat actors continues to be a top concern.

Threat actors continue to refine their techniques and our defense against these attacks needs to evolve in parallel. Enhancing cybersecurity measures, information sharing, and early threat detection are now pivotal to both safeguarding financial systems and mitigating geopolitical tensions.

To learn more about how SentinelOne can maximize visibility across full environments and automate a powerful response against complex threats, book a demo or contact us today.

Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders.

In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.

But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.

It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.

These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”
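As an added illustration of the tripwire idea in the Cisco and Thinkst quotes above (this is not code from Krebs, Cisco or Thinkst), a small checker that parses constructed Windows process-creation lines and router command-accounting lines, then alerts when one of the quoted “looking up” commands runs on a sensitive asset under an account not expected there. The asset names, accounts and log formats are assumptions for the example.

```python
import re
from collections import defaultdict

# The "looking up" commands the article names: the show commands Cisco observed
# on routers, and whoami.exe on a code-signing server.
ROUTER_LOOKUP = {"show config", "show interface", "show route",
                 "show arp table", "show cdp neighbor"}
HOST_LOOKUP = {"whoami.exe"}

# Hypothetical policy, constructed for this example: which assets are sensitive
# and which accounts are expected to orient themselves on them.
SENSITIVE_ASSETS = {
    "codesign01": {"expected": {"build-svc"}},
    "edge-rtr-1": {"expected": {"netops-alice"}},
}

# Assumed log shapes: a Windows process-creation style line and a TACACS+-style
# command-accounting line. Both formats are constructed for this example.
WIN_RE = re.compile(r"host=(\S+) user=(\S+) image=(\S+)")
TACACS_RE = re.compile(r"device=(\S+) user=(\S+) cmd=\"([^\"]+)\"")


def parse_event(line):
    """Normalise one log line into {asset, user, action, kind}, or None."""
    m = WIN_RE.search(line)
    if m:
        host, user, image = m.groups()
        return {"asset": host, "user": user, "kind": "process",
                "action": image.rsplit("\\", 1)[-1].lower()}
    m = TACACS_RE.search(line)
    if m:
        device, user, cmd = m.groups()
        return {"asset": device, "user": user, "kind": "command",
                "action": " ".join(cmd.lower().split())}
    return None


def is_lookup(ev):
    """True when the action is one of the orientation commands quoted above."""
    if ev["kind"] == "process":
        return ev["action"] in HOST_LOOKUP
    # prefix match so 'show interfaces' and 'show cdp neighbors' also count
    return any(ev["action"].startswith(c) for c in ROUTER_LOOKUP)


def evaluate(lines):
    """Return (alerts, seen): alerts for unexpected accounts, counts for all."""
    alerts, seen = [], defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["asset"] not in SENSITIVE_ASSETS or not is_lookup(ev):
            continue
        seen[(ev["asset"], ev["user"])] += 1  # expected accounts still counted
        if ev["user"] not in SENSITIVE_ASSETS[ev["asset"]]["expected"]:
            alerts.append({"asset": ev["asset"], "user": ev["user"],
                           "action": ev["action"]})
    return alerts, dict(seen)


# Constructed sample log; wks-17 is not a sensitive asset, 'show clock' is not
# an orientation command, so neither produces anything.
SAMPLE_LOG = [
    'ts=1 host=codesign01 user=build-svc image=C:\\Windows\\System32\\signtool.exe',
    'ts=2 host=codesign01 user=jdoe image=C:\\Windows\\System32\\whoami.exe',
    'ts=3 host=wks-17 user=jdoe image=C:\\Windows\\System32\\whoami.exe',
    'ts=4 device=edge-rtr-1 user=netops-alice cmd="show interface"',
    'ts=5 device=edge-rtr-1 user=admin cmd="show config"',
    'ts=6 device=edge-rtr-1 user=admin cmd="show cdp neighbors"',
    'ts=7 device=edge-rtr-1 user=admin cmd="show clock"',
]
```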

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.

The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

  • a web bug / URL token, designed to alert when a particular URL is visited;
  • a DNS token, which alerts when a hostname is requested;
  • an AWS token, which alerts when a specific Amazon Web Services key is used;
  • a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
  • a “sensitive command” token, to alert when a suspicious Windows command is run;
  • a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Canary Tools, which is a paid version of Thinkst that is powered by a small hardware device designed to be installed on the local network as a canary token server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:

Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens