XLoader’s Latest Trick | New macOS Variant Disguised as Signed OfficeNote App

XLoader is a long-running malware-as-a-service infostealer and botnet that has been around in some form or another since 2015. Its first macOS variant was spotted in 2021 and was notable for being distributed as a Java program. As we noted at the time, the Java Runtime Environment hasn’t shipped by default on macOS since the days of Snow Leopard, meaning the malware was limited in its targeting to environments where Java had been optionally installed.

Now, however, XLoader has returned in a new form and without that dependency. Written natively in C and Objective-C and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’.

In this post, we examine how this new variant works and provide indicators for threat hunters and security teams. SentinelOne customers are automatically protected from this new variant of XLoader.

XLoader Distribution

The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg. The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).

The application was signed on 17 July, 2023; however, Apple has since revoked the signature. Despite that, our tests indicate that Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing.

OfficeNote’s revoked Apple Developer signature.

Multiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild.

XLoader submissions to VirusTotal July 2023

Advertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months. Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months.

XLoader Dropper and Persistence Module

When executed, the OfficeNote application is hardcoded to throw an error message indicating that the application is non-functional. Meanwhile, the malware drops its payload and installs a persistence agent, behavior that is immediately detected by the SentinelOne agent.

XLoader is immediately detected as a threat by the SentinelOne agent

This error message is hardcoded using a stack string technique, typical of previous versions of XLoader.

Hardcoded error message constructed on the stack

At this point, however, the malware has already been busy dropping the payload and LaunchAgent. The payload is deposited in the user’s home directory as ~/73a470tO and executed. It creates a hidden directory and constructs a minimal app bundle within it, using a copy of itself as the main executable. Although the name of the payload is hardcoded into the dropper, the names of the hidden directory, app and executable are randomized on each execution.

Execution of OfficeNote and creation of a hidden application as seen in the SentinelOne console

Meanwhile, a LaunchAgent is also dropped in the user’s Library folder. This agent is similar to the one used in the previous version of XLoader, passing a start value to the executable so that the binary can distinguish between its first run and subsequent runs.

XLoader LaunchAgent for persistence
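The persistence pattern described above (an agent whose program sits in a hidden directory under the user’s home and is launched with a start value) can be triaged without a security product. The following is an added example written for this post, not SentinelOne’s code, and it does not reproduce XLoader’s real plist: the heuristics (program under `$HOME`, inside a dot-directory, with a purely numeric extra argument) are assumptions drawn from the text, and both plists are constructed samples with made-up labels and paths.

```python
"""Triage macOS LaunchAgent plists for the persistence pattern described above.

Added example for this post, not SentinelOne's code. The heuristics are
assumptions drawn from the text; both plists below are constructed samples.
"""
import plistlib
from pathlib import Path, PurePosixPath

HOME = "/Users/analyst"  # hypothetical home directory used by the samples

# Constructed: what an XLoader-style agent might look like (names are made up).
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.placeholder.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/analyst/.k9fj2x/Qe71.app/Contents/MacOS/Qe71</string>
        <string>1</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Constructed: an ordinary vendor updater agent that should not be flagged.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.vendor.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Vendor Tool.app/Contents/MacOS/updater</string>
        <string>--check</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""


def program_and_args(plist):
    """Return (program path, extra args) from either ProgramArguments or Program."""
    args = plist.get("ProgramArguments")
    if args:
        return args[0], list(args[1:])
    return plist.get("Program"), []


def triage_agent(raw_plist, home=HOME):
    """Return a list of human-readable findings for one LaunchAgent plist."""
    plist = plistlib.loads(raw_plist)
    program, extra = program_and_args(plist)
    if not program:
        return ["no Program or ProgramArguments key"]
    findings = []
    if program == home or program.startswith(home + "/"):
        findings.append("program under user home")
        # Components of the path below the home directory; any dot-directory is a red flag.
        relative = PurePosixPath(program).parts[len(PurePosixPath(home).parts):]
        if any(part.startswith(".") for part in relative):
            findings.append("program inside hidden directory")
    # A start value passed as the only argument, as the post describes.
    if extra and all(arg.isdigit() for arg in extra):
        findings.append("numeric start-value argument")
    return findings


def is_suspicious(findings):
    """A hidden-directory program is enough on its own; otherwise need home dir plus start value."""
    return ("program inside hidden directory" in findings
            or {"program under user home", "numeric start-value argument"} <= set(findings))


def scan_launch_agents(directory=None):
    """Triage every .plist in the user's LaunchAgents folder (or a given directory)."""
    directory = Path(directory) if directory else Path.home() / "Library" / "LaunchAgents"
    home = str(Path.home())
    results = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            findings = triage_agent(plist_path.read_bytes(), home=home)
        except Exception as exc:  # a malformed plist is itself worth a look
            findings = [f"unparseable plist: {exc}"]
        results[str(plist_path)] = findings
    return results


if __name__ == "__main__":
    for name, raw in (("suspicious sample", SUSPICIOUS_AGENT), ("benign sample", BENIGN_AGENT)):
        found = triage_agent(raw)
        print(f"{name}: suspicious={is_suspicious(found)} findings={found}")
    for path, found in scan_launch_agents().items():
        if is_suspicious(found):
            print(f"REVIEW {path}: {found}")
```

Run on a Mac, the script first prints the verdict for the two embedded samples and then lists any real agent in `~/Library/LaunchAgents` that trips the same heuristics; the list is a prompt to look at the referenced binary, not a verdict on its own.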

XLoader Payload Behavior

As in previous versions, the malware attempts to steal secrets from the user’s clipboard via Apple’s NSPasteboard API and its generalPasteboard. It targets both Chrome and Firefox, reading Firefox’s login.json file located in ~/Library/Application Support/Firefox/Profiles and Chrome’s ~/Library/Application Support/Google/Chrome/Default/Login Data. As with other infostealers we’ve observed recently, Safari is not targeted.

XLoader uses a variety of dummy network calls to disguise the real C2. We observed 169 DNS name resolutions and 203 HTTP requests. Among the many hosts the malware contacts are the following suspicious or malicious IP addresses.

23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121

XLoader also attempts to evade both manual and automated analysis. Both the dropper and payload binaries attempt to prevent debuggers from attaching by calling ptrace with the PT_DENY_ATTACH request (0x1f).

XLoader attempts to prevent analysts reverse engineering the malware

On execution, the malware executes sleep commands to delay behavior in the hope of fooling automated analysis tools. The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis.

The XLoader binaries exhibit high entropy in the __text section

Conclusion

XLoader continues to present a threat to macOS users and businesses. This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise.

IT and security teams are advised to deploy a trusted third party security solution to prevent and detect malware such as XLoader. To see how SentinelOne can help protect the macOS devices in your fleet, contact us or request a free demo.

Indicators of Compromise

SHA1 Description
26fd638334c9c1bd111c528745c10d00aa77249d Mach-O Payload
47cacf7497c92aab6cded8e59d2104215d8fab86 Mach-O Dropper
5946452d1537cf2a0e28c77fa278554ce631223c Disk Image
958147ab54ee433ac57809b0e8fd94f811d523ba Mach-O Payload

File Paths
~/73a470tO

Developer ID
MAIT JAKHU (54YDV8NU9C)

Network Communications

23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121
www[.]activ-ketodietakjsy620[.]cloud
www[.]akrsnamchi[.]com
www[.]brioche-amsterdam[.]com
www[.]corkagenexus[.]com
www[.]growind[.]info
www[.]hatch[.]computer
www[.]kiavisa[.]com
www[.]lushespets[.]com
www[.]mommachic[.]com
www[.]nationalrecoveryllc[.]com
www[.]pinksugarpopmontana[.]com
www[.]qhsbobfv[.]top
www[.]qq9122[.]com
www[.]raveready[.]shop
www[.]spv88[.]online
www[.]switchmerge[.]com
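The indicators above, and the high-entropy heuristic mentioned for the payload’s __text section, can be turned into a small hunting helper. What follows is an added example written for this post, not SentinelOne’s code: the SHA1 values, the dropped file name and the hosts are copied from the list above (refanged from the published `[.]` form), while the host-matching regex, the entropy threshold of 7.2 bits per byte, the sample DNS log lines and the two byte buffers are my own assumptions and constructed data. The entropy check is a generic byte-level heuristic, not a Mach-O parser; feed it the bytes of a section you have extracted with a tool such as otool or a Mach-O library.

```python
"""Match the published XLoader indicators against logs and files, and apply
the high-entropy heuristic the post mentions for the payload's __text section.

Added example for this post, not SentinelOne's code. Indicator values are
copied from the post; regex, threshold and sample inputs are assumptions.
"""
import hashlib
import math
import random
import re
from collections import Counter
from pathlib import Path

IOC_SHA1 = {
    "26fd638334c9c1bd111c528745c10d00aa77249d",  # Mach-O payload
    "47cacf7497c92aab6cded8e59d2104215d8fab86",  # Mach-O dropper
    "5946452d1537cf2a0e28c77fa278554ce631223c",  # disk image
    "958147ab54ee433ac57809b0e8fd94f811d523ba",  # Mach-O payload
}
IOC_FILENAME = "73a470tO"  # dropped as ~/73a470tO
IOC_HOSTS_DEFANGED = [
    "23[.]227.38[.]74", "62[.]72.14[.]220", "66[.]29.151[.]121", "104[.]21.26[.]182",
    "104[.]21.32[.]235", "104[.]21.34[.]62", "137[.]220.225[.]17", "142[.]251.163[.]121",
    "www[.]activ-ketodietakjsy620[.]cloud", "www[.]akrsnamchi[.]com",
    "www[.]brioche-amsterdam[.]com", "www[.]corkagenexus[.]com", "www[.]growind[.]info",
    "www[.]hatch[.]computer", "www[.]kiavisa[.]com", "www[.]lushespets[.]com",
    "www[.]mommachic[.]com", "www[.]nationalrecoveryllc[.]com",
    "www[.]pinksugarpopmontana[.]com", "www[.]qhsbobfv[.]top", "www[.]qq9122[.]com",
    "www[.]raveready[.]shop", "www[.]spv88[.]online", "www[.]switchmerge[.]com",
]


def refang(indicator):
    """Turn the published '[.]' form back into a real host string."""
    return indicator.replace("[.]", ".")


IOC_HOSTS = {refang(h) for h in IOC_HOSTS_DEFANGED}

# IPv4 literal or dotted hostname; an assumption about how hosts appear in logs.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def sha1_of(data):
    return hashlib.sha1(data).hexdigest()


def match_hash(data):
    """Return the matching IoC hash if the bytes are a known sample, else None."""
    digest = sha1_of(data)
    return digest if digest in IOC_SHA1 else None


def scan_log(lines):
    """Return (line number, host) pairs for every IoC host seen in the log lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host.lower() in IOC_HOSTS:
                hits.append((number, host))
    return hits


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_packed(data, threshold=7.2):
    """Assumed threshold: ordinary compiled code usually sits well below 7 bits/byte."""
    return shannon_entropy(data) >= threshold


def scan_home(home=None):
    """Look for the dropped file name in the home directory and hash it if present."""
    home = Path(home) if home else Path.home()
    candidate = home / IOC_FILENAME
    if candidate.is_file():
        return [(str(candidate), match_hash(candidate.read_bytes()))]
    return []


# Constructed sample inputs (not captured traffic).
SAMPLE_DNS_LOG = [
    "2023-07-21T10:02:11Z client 10.0.0.5 query A www.example.com",
    "2023-07-21T10:02:13Z client 10.0.0.5 query A www.switchmerge.com",
    "2023-07-21T10:02:14Z client 10.0.0.5 connect 104.21.26.182:80",
]
_rng = random.Random(1337)
HIGH_ENTROPY_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for packed code
LOW_ENTROPY_SAMPLE = b"The application OfficeNote could not be opened. " * 64  # plain data

if __name__ == "__main__":
    print("log hits:", scan_log(SAMPLE_DNS_LOG))
    print("entropy high/low: %.2f / %.2f"
          % (shannon_entropy(HIGH_ENTROPY_SAMPLE), shannon_entropy(LOW_ENTROPY_SAMPLE)))
    print("home scan:", scan_home())
```

The host regex deliberately lowercases before comparison and accepts both IP literals and hostnames, since the post lists both kinds; if you log resolver queries in another format, only `HOST_RE` and `scan_log` need adjusting. A hash match on `~/73a470tO` is high confidence; a file with that name but a different hash still deserves a look, because the dropper hardcodes the name while the payload may be rebuilt.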

The Good, the Bad and the Ugly in Cybersecurity – Week 33

The Good | DigiHeals Aims to Boost Resilience of Healthcare Sector to Fight Off Cyber Attacks

The healthcare sector has borne a particularly tough brunt of attacks over the last few years as ransomware-wielding cybercriminals have sought easy-pickings from often-under-resourced public services. Good news this week, then, as the Biden-Harris administration’s ARPA-H project has launched a digital health security initiative to help ensure patients continue to receive care in the wake of a medical facility cyberattack.

The initiative, dubbed DigiHeals, aims to encourage proposals for proven technologies developed for national security and apply them to civilian health systems, clinical care facilities, and personal health devices.

The aim is to focus on cutting-edge security protocols, vulnerability detection, and automatic patching in order to limit the ability for threat actors to attack digital health software, with the ultimate objective being to ensure continuity of care for patients in the wake of a cyberattack on a medical facility.

Aside from a lack of cybersecurity resources, healthcare services present unique problems for digital defense, as medical facility networks are typically made up of a vast patchwork of disparate devices, systems, and services. The DigiHeals project hopes to encourage submissions from researchers, both amateur and professional, from a wide range of fields and expertise. Accepted proposals related to vulnerability detection, software hardening, and system patching, as well as the expansion or development of security protocols, will receive funding and further support from the project.

The Bad | Actively Exploited Citrix Vulnerabilities May Pose Threat Even After Patching

Bad news for Citrix users this week as CISA is warning that cyber adversaries are making widespread use of two n-day vulnerabilities, CVE-2023-24489 and CVE-2023-3519. Neither is new, but in-the-wild exploitation is on the rise, with some admins having patched their systems but failing to check whether they had already been breached.

CVE-2023-3519 is a vulnerability in Citrix’s NetScaler networking products, first disclosed last month. Researchers say that almost 70% of patched NetScalers still contain a backdoor, indicating that admins applied the patch after the bug had been successfully exploited and did not check for or discover the compromise.

According to the researchers, it appears an adversary exploited the bug in an automated fashion in mid-July, dropping webshells on vulnerable systems. The webshells allow for the execution of arbitrary commands, even if the NetScaler is subsequently patched or rebooted.

Equally concerning, CVE-2023-24489 is a bug with a CVSS score of 9.1 out of 10 affecting the Citrix Content Collaboration tool ShareFile. Exploitation allows an unauthenticated attacker to remotely compromise customer-managed ShareFile storage zones controllers.

CISA advised on Wednesday that the bug was being actively exploited. Researchers at GreyNoise reported a steep spike in attacker activity around CVE-2023-24489 after the advisory went public, indicating that attackers are racing against time to exploit vulnerable instances before security teams plug the gap.

Researchers believe there are anywhere between 1,000 and 6,000 vulnerable instances that are accessible from the public internet.

In both cases, admins are urged both to patch without delay and to investigate whether a compromise may have already occurred.

The Ugly | Free Cloud Storage Services Abused By Threat Actors Phishing for Microsoft Credentials

Cloud security is in the spotlight again this week as cloud storage service Cloudflare R2 has reportedly seen a 61-fold increase in hosted phishing pages in the last six months. R2, which offers a similar service to Azure blob and AWS S3, is being used for campaigns that primarily phish for Microsoft login credentials, although Adobe, Dropbox and other cloud apps’ login pages have also been targeted.

The massive increase may relate to the fact that R2, a relatively new entrant in the field of cloud storage, offers some free services to attract customers that threat actors have found useful to abuse. First, fake login pages are hosted on a free subdomain that can be reused without limit. The domains all have the pattern:

https://pub-.r2.dev

Second, Cloudflare offers a free CAPTCHA service called Turnstile to help legitimate websites reduce spam. The threat actors have deployed Turnstile to prevent URL scanners and internet analyzers from examining the phishing pages’ content and marking them as dangerous. The use of the CAPTCHA has the added bonus of making the site seem more legitimate to unsuspecting users.

In addition, victims are redirected to the phishing pages from other malicious websites, and the former only serve up the fake login pages if the referring sites are recognized as the source. Researchers say that referring web pages include a timestamp after a hash (#) symbol in the URL. If the URL parameter is missing, the visitor is instead redirected to Google’s home page, helping to ensure only intended victims can see the phishing content.

Source: Netskope

The news comes as the same researchers report that the number of cloud apps being abused to deliver malware has increased to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly topping the list. Amazon AWS login pages were also recently targeted in a cloud phishing campaign using Google ads, underlining the efforts attackers are now making to capitalize on the rise of cloud services in the enterprise.

Karma Catches Up to Global Phishing Service 16Shop

You’ve probably never heard of “16Shop,” but there’s a good chance someone using it has tried to phish you.

A 16Shop phishing page spoofing Apple and targeting Japanese users. Image: Akamai.com.

The international police organization INTERPOL said last week it had shuttered the notorious 16Shop, a popular phishing-as-a-service platform launched in 2017 that made it simple for even complete novices to conduct complex and convincing phishing scams. INTERPOL said authorities in Indonesia arrested the 21-year-old proprietor and one of his alleged facilitators, and that a third suspect was apprehended in Japan.

The INTERPOL statement says the platform sold hacking tools to compromise more than 70,000 users in 43 countries. Given how long 16Shop has been around and how many paying customers it enjoyed over the years, that number is almost certainly highly conservative.

Also, the sale of “hacking tools” doesn’t quite capture what 16Shop was all about: It was a fully automated phishing platform that gave its thousands of customers a series of brand-specific phishing kits to use, and provided the domain names needed to host the phishing pages and receive any stolen credentials.

Security experts investigating 16Shop found the service used an application programming interface (API) to manage its users, an innovation that allowed its proprietors to shut off access to customers who failed to pay a monthly fee, or for those attempting to copy or pirate the phishing kit.

16Shop also localized phishing pages in multiple languages, and the service would display relevant phishing content depending on the victim’s geolocation.

Various 16Shop lures for Apple users in different languages. Image: Akamai.

For example, in 2019 McAfee found that for targets in Japan, the 16Shop kit would also collect Web ID and Card Password, while US victims would be asked for their Social Security Number.

“Depending on location, 16Shop will also collect ID numbers (including Civil ID, National ID, and Citizen ID), passport numbers, social insurance numbers, sort codes, and credit limits,” McAfee wrote.

In addition, 16Shop employed various tricks to help its users’ phishing pages stay off the radar of security firms, including a local “blacklist” of Internet addresses tied to security companies, and a feature that allowed users to block entire Internet address ranges from accessing phishing pages.

The INTERPOL announcement does not name any of the suspects arrested in connection with the 16Shop investigation. However, a number of security firms, including Akamai, McAfee and ZeroFox, previously connected the service to a young Indonesian man named Riswanda Noor Saputra, who sold 16Shop under the hacker handle “Devilscream.”

According to the Indonesian security blog Cyberthreat.id, Saputra admitted being the administrator of 16Shop, but told the publication he handed the project off to others by early 2020.

16Shop documentation instructing operators on how to deploy the kit. Image: ZeroFox.

Nevertheless, Cyberthreat reported that Devilscream was arrested by Indonesian police in late 2021 as part of a collaboration between INTERPOL and the U.S. Federal Bureau of Investigation (FBI). Still, researchers who tracked 16Shop since its inception say Devilscream was not the original proprietor of the phishing platform, and he may not be the last.

RIZKY BUSINESS

It is not uncommon for cybercriminals to accidentally infect their own machines with password-stealing malware, and that is exactly what seems to have happened with one of the more recent administrators of 16Shop.

Constella Intelligence, a data breach and threat actor research platform, now allows users to cross-reference popular cybercrime websites and denizens of these forums with inadvertent malware infections by information-stealing trojans. A search in Constella on 16Shop’s domain name shows that in mid-2022, a key administrator of the phishing service infected their Microsoft Windows desktop computer with the Redline information stealer trojan — apparently by downloading a cracked (and secretly backdoored) copy of Adobe Photoshop.

Redline infections steal gobs of data from the victim machine, including a list of recent downloads, stored passwords and authentication cookies, as well as browser bookmarks and auto-fill data. Those records indicate the 16Shop admin used the nicknames “Rudi” and “Rizki/Rizky,” and maintained several Facebook profiles under these monikers.

It appears this user’s full name (or at least part of it) is Rizky Mauluna Sidik, and they are from Bandung in West Java, Indonesia. One of this user’s Facebook pages says Rizky is the chief executive officer and founder of an entity called BandungXploiter, whose Facebook page indicates it is a group focused mainly on hacking and defacing websites.

A LinkedIn profile for Rizky says he is a backend Web developer in Bandung who earned a bachelor’s degree in information technology in 2020. Mr. Rizky did not respond to requests for comment.

The New Frontline of Geopolitics | Understanding the Rise of State-Sponsored Cyber Attacks

The rise of nation-state cyber attacks has become a defining feature of modern geopolitics. With blurred lines between advanced persistent threats (APTs) and cybercrime, understanding this complex landscape has become a critical element in building a strong cybersecurity strategy. According to recent reports on the rise of state-sponsored cyber attacks, nation-state actors targeting critical infrastructures have doubled from 20% to 40% in the past two years alone. As for the costs? Organizations are estimating a total of $1.6 million per cyber incident.

Not only are the frequency and financial consequences of such attacks accelerating, the threat landscape in which these nation-state actors now operate is also shifting. Cyber warfare and the use of cyberweapons in the ongoing Russo-Ukrainian war, for example, have magnified the intersection of conflict across geopolitical and digital surfaces.

The challenge is that nation-state threat actors are well-funded and possess specialized skills, focusing their attacks on high-value targets including government and military entities, think tanks, universities, and those providing critical infrastructure services.

This post explores how nation-state sponsored attacks have evolved over recent years to become a threat not just to individual targets but to all organizations, as well as to the civil, economic and political fabric of our society. Sharing our collective knowledge on how such groups operate and the impacts they have can help the cyber defense community better understand and mitigate these sophisticated threats.

A Shadowy Threat | A Brief History of Cyber Espionage & Nation-State Attacks

Cyber espionage, a stealthy practice dating back to the very beginnings of internet connectivity, has undergone substantial changes in recent years, fueled by rapid advancements in technology and evolving global dynamics.

The origins of cyber espionage trace back to the 1980s when the French intelligence agency, led by the “Farewell Dossier”, exploited a KGB officer’s computer to gather critical information on Soviet activities. At the same time, a German hacker group known as the Chaos Computer Club exposed vulnerabilities in government and military systems. These incidents marked the inception of digital espionage and highlighted the potential of exploiting interconnected networks to gather intelligence. These early instances foreshadowed the evolution of cyber espionage into a formidable global concern in the decades that followed.

Cyber espionage has since evolved into a potent tool for nation-state threat actors and a critical security issue for organizations, with implications sounding across political, economic, and societal domains.

Subsequently, state-sponsored hacking campaigns, corporate espionage, and intellectual property (IP) theft have become rampant, with the potential to disrupt critical service industries and compromise national security. The interconnected nature of the modern world amplifies this impact as a breach in one corner of the globe can trigger far-reaching consequences.

As nations, corporations, and civilians have become increasingly reliant on digital infrastructure, the stakes have escalated, making targeted, state-sponsored cyber attacks a top-tier and global security concern. To safeguard against this escalating threat, international cooperation, robust cybersecurity measures, and innovative defense strategies are crucial in this new era of digital spycraft.

The Big Players | Navigating The Complex Landscape of APTs

By some estimates, there could be over a hundred different APT groups worldwide, but when we look at where most activity that threatens our interests originates from, there are four major nation-states that have been in the game longer than the rest.

Between them, China, Russia, North Korea and Iran have developed some of the most sophisticated and comprehensive threat activity and cyber tradecraft that businesses in all sectors have to face today.

China

China’s cyber threat is not only broad and persistent but also evolving. The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment paints a clear picture of the cyber threat posed by the People’s Republic of China (PRC), noting that:

“China’s cyber espionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations.”

The annual report contains a stark warning.

“China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”

Emerging in the early 2000s, Chinese-based threat groups rapidly matured in terms of tactics, techniques, and targets. The infamous Titan Rain campaign of the mid-2000s marked a watershed moment, exposing China’s cyber capabilities as it targeted U.S. defense and technology sectors. This trend continued with APT1, linked to the Chinese military, launching widespread attacks on various industries.

As time progressed, the Chinese cyber espionage ecosystem diversified. From 2006 to the present day, APT10 (aka Red Apollo/Stone Panda) has been reported targeting a wide range of companies across multiple continents, including the healthcare, defense, aerospace and government sectors. APT17 (DeputyDog) is a threat group sponsored by the Jinan bureau of the Chinese Ministry of State Security. First seen in 2009, it has been credited with Operation Aurora and the CCleaner supply chain attack of 2017. APT41 (aka Winnti Group) was first seen in 2012 and combines financially motivated cybercrime with information theft and espionage.

In general, Chinese APT groups have been known to use tactics like living-off-the-land (LOTL), where they abuse native tools like PowerShell and WMI to evade detection, and to develop comprehensive programs for vulnerability research and exploitation.

Most recently, Chinese threat groups are known to be disguising traffic to malicious servers through botnets of compromised IoT devices and to use DNS, HTTP and TCP/IP hijacking. Security researchers have found that Chinese threat groups tend to focus on security, networking and virtualization tools to obtain and maintain stealthy access to targeted organizations’ internal networks.

Some notable recent case studies of Chinese-based APT groups and campaigns include:

  • Aoqin Dragon – Operating since 2013, Aoqin Dragon targets government, education, and telecommunication organizations in Southeast Asia and Australia. Their tactics include document exploits and fake removable devices. They seek initial access through document exploits and use techniques like DLL hijacking and DNS tunneling to evade detection.
  • WIP19 Espionage – This Chinese-speaking threat group has been targeting telecommunications and IT service providers in the Middle East and Asia, using stolen certificates to sign novel malware such as SQLMaggie and ScreenCap.
  • Operation Tainted Love – An evolution of tooling associated with Operation Soft Cell, Chinese cyber espionage groups attacked telecommunication providers in the Middle East using well-maintained, versioned credential theft capability and a new dropper mechanism.

Russia

In the late 2000s, the notorious APT28 (Sofacy) and APT29 (NobleBaron, The Dukes) threat groups gained notoriety for their state-sponsored activities such as targeting government agencies, think tanks, and critical infrastructures worldwide. These groups have since been implicated in high-profile incidents, including mass supply chain attacks and interference in U.S. presidential elections. The U.S. government has noted that such activity is an extension of Russia’s larger geopolitical goals.

“Moscow has conducted influence operations against U.S. elections for decades, including as recently as the U.S. midterm elections in 2022. It will try to strengthen ties to U.S. persons in the media and politics in hopes of developing vectors for future influence operations.”

The Russian APT landscape evolved with groups like Turla, whose history of activity has been suggested to span almost 30 years, beginning with Moonlight Maze in 1996. Later, APT28 (linked to Russia’s GRU military intelligence unit) and APT29 (now understood to be operated under the auspices of Russia’s Foreign Intelligence Service, SVR) continued their activities, adapting their tactics and diversifying their targets to encompass sectors beyond politics. APT groups like Gamaredon and Sandworm have also emerged, exhibiting a blend of cyber espionage and disruptive operations.

As geopolitical tensions continue to heighten, Russian APT groups have become increasingly adept at utilizing supply chain attacks, zero-day exploits, and deception techniques. They have also exploited global events, such as the COVID-19 pandemic, to launch tailored and themed attacks.

Presently, Russian-based APT groups continue to engage in a broad spectrum of cyber operations, spanning espionage, disinformation, and potential sabotage. Russia’s focus on targeting critical infrastructure, including underwater cables and industrial control systems, has been noted in intelligence assessments.

“Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”

Some notable case studies of Russian APT groups and campaigns include:

  • HermeticWiper Malware – This destructive malware was used against Ukrainian organizations, manipulating the MBR to cause boot failure. This attack reflects Russia’s willingness to deploy destructive tools against neighboring countries.
  • APT28 (Sofacy) – Known for its espionage and influence capabilities, APT28 has been particularly focused on targeting critical infrastructure, including underwater cables and industrial control systems in the U.S. and allied countries through the use of malware like X-Agent.
  • APT29 (Nobelium/NobleBaron) – Involved in the 2014 White House attack, this group has targeted various government, military, energy, and media organizations, using tools like CozyDuke. In 2021, the group was attributed with being behind the Solarwinds supply chain attack.
  • Snake Implant – A sophisticated cyber espionage tool created and deployed by Russia’s Federal Security Service, FSB. Found in over 50 countries including the U.S., Snake malware is used to collect sensitive intelligence from high priority targets.

North Korea

North Korea’s cyber program poses a sophisticated threat, adapting to global trends in cybercrime as a whole. Their journey began in the early 2000s with the Lazarus group, which has operated since 2009 and is responsible for some of the most notorious cyberattacks in history, including the 2014 hack on Sony Pictures and the 2017 outbreak of WannaCry. They added stealing cryptocurrency to their bow in 2017. At the end of 2019, SentinelLabs connected the Lazarus and TrickBot groups, showing how the DPRK was extending its reach to collaborate with cybercrime groups and take over funds to support its government.

Lazarus and its subgroups like BlueNoroff, APT38 and Andariel (Silent Chollima), continue to evolve, demonstrating a growing sophistication in their tactics and techniques. They have expanded their target scope beyond high-profile attacks to include financial institutions, cryptocurrency exchanges, and global infrastructure. BlueNoroff, in particular, has become notorious for conducting large-scale heists to fund the regime’s activities, with attacks on ATMs and banks using the SWIFT messaging system.

In recent years, North Korean APT groups have further diversified, with increasing focus on supply chain attacks, cryptocurrency theft, and the exploitation of zero-day vulnerabilities. The evolution of North Korean APTs highlights their adaptability and the intertwining of cyber operations with broader geopolitical strategies.

Other North Korean subgroups include ScarCruft (aka Inky Squid, APT37, or Group123) and Kimsuky. Some notable case studies of North Korean-based APT groups and campaigns include:

  • ScarCruft & Lazarus Group – SentinelLabs identified a North Korean intrusion into a Russian missile engineering organization, NPO Mashinostroyeniya. This case involved two instances of compromise, including the use of a Windows backdoor dubbed OpenCarrot.
  • Kimsuky’s Reconnaissance Capabilities – Utilizing a new malware component called ReconShark, North Korean APT Kimsuky has targeted organizations across Asia, North America, and Europe.
  • JumpCloud Intrusion – This intrusion into the cloud-based IT management service JumpCloud is linked to North Korean APT activity, showcasing the DPRK’s focus on supply chain targeting.

Iran

Iran-based APT groups have steadily gained prominence in the realm of cyber espionage. Their beginnings date back to the late 2000s, when groups like APT33 (Elfin) and APT34 (OilRig) first emerged onto the scene. These early campaigns targeted foreign governments, critical infrastructure, and regional rivals; the Shamoon wiper attacks of 2012 against Saudi Aramco and RasGas are a notable example.

As the years progressed, Iranian APT groups increased in sophistication and breadth. APT34, for instance, diversified its focus to include industrial espionage, particularly targeting sectors like energy and telecommunications. The group’s activities revealed Iran’s intent to bolster its domestic industries and capabilities. MuddyWater (aka TA450) likely began its earliest operations around 2017, initially focusing on espionage attacks against Middle Eastern targets but later expanding to Belarus, Turkey and Ukraine.

In a geopolitical context, tensions spurred Iran-based APT groups to engage in more aggressive and disruptive activities. APT33, in particular, was implicated in destructive attacks against targets in the Middle East and beyond. The emergence of APT35 (Charming Kitten), for instance, signaled a shift towards influence operations and spear phishing campaigns against political dissidents, journalists, and human rights organizations.

Iranian APT groups have showcased their adaptability by incorporating innovative tactics such as domain spoofing, social engineering, and leveraging cloud infrastructure for command and control. This agility has enabled them to effectively navigate the evolving cybersecurity landscape and continue their operations despite international scrutiny.

Today, Iran-based APT groups remain a significant player in the world of cyber espionage, combining state-sponsored espionage with disruptive operations built on the same tactics. Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a significant threat. Recent Iranian state-sponsored activities include destructive malware and ransomware operations.

Some notable recent case studies of Iranian-based APT groups and campaigns include:

  • APT33 – Known for destructive malware and ransomware operations against the aerospace and energy sectors, APT33 illustrates how significantly Iran’s cyber capabilities have grown. The group is known for its use of tools like DropShot to conduct campaigns against organizations in Saudi Arabia and the US, in particular.
  • TunnelVision – An Iranian-aligned threat actor operating in the Middle East and the U.S. that relies on timely exploitation of recent vulnerabilities such as Log4j and ProxyShell.
  • MuddyWater – Uses a suite of open-source malware and DNS tunneling to conduct espionage and other malicious activity. Believed to be sponsored by the Iranian Ministry of Intelligence (MOIS).

Counting the Cost | The Widespread Impact of State-Sponsored Cyber Attacks

Nation-states, driven by political agendas, have harnessed cyber espionage as a powerful tool to gather intelligence, influence events, and undermine rivals. This has led to a heightened sense of vulnerability among nations and catalyzed international tensions. Cyber attacks sponsored by nation states have had a profound impact across various aspects of global security, economy, and geopolitics.

Industry & Sector-Specific Impacts

Over the years, there have been many reported cases of government agencies, energy grids, financial institutions, and healthcare systems falling prey to targeted attacks, jeopardizing both economic stability and public safety. Some examples include:

  • Healthcare – North Korean ransomware campaigns against healthcare organizations during the COVID-19 pandemic underscore the willingness of nation-state actors to target essential services.
  • Telecommunications – Chinese APTs targeting telecom providers in the Middle East and Asia reveal a strategic interest in monitoring communications and gathering intelligence.
  • Defense – The compromise of Russian defense companies by North Korean actors illustrates the global reach and strategic focus of state-sponsored cyber espionage.

Economic Impacts

Cyber espionage’s impact on the global economy has redefined the dynamics of trade, innovation, and security. Businesses lose billions annually when intellectual property is compromised, and the increasing number of supply chain attacks disrupts manufacturing and distribution networks to an alarming degree.

  • Financial Losses – Cyber espionage activities have led to billions of dollars in financial losses.
  • Intellectual Property Theft – China’s cyber espionage campaigns have reportedly stolen intellectual property worth hundreds of billions of dollars annually from U.S. companies.
  • Cryptocurrency Heists – North Korea’s cybercrime activities, including cryptocurrency heists, have reportedly generated funds that support the regime’s military programs.

Security & Geopolitical Impacts

Nation-states exploit digital vulnerabilities to influence elections, gather classified intelligence, and disrupt rival activities. This has blurred the traditional boundary between physical and virtual warfare and reshaped power dynamics in the cyber arena, allowing smaller nations to wield disproportionate influence far beyond their physical borders.

  • Critical Infrastructure Attacks – Nation-state actors have targeted critical infrastructure, such as energy grids and transportation systems. Iran’s attack on Saudi Aramco in 2012 is a prime example.
  • Election Interference – Russian interference in U.S. elections through cyber means including the 2016 U.S. Presidential Election has been well-documented, highlighting the potential for cyber espionage to influence democratic processes.
  • Supply Chain Compromises – The SolarWinds attack, attributed to Russia, affected thousands of organizations, including U.S. government agencies, demonstrating the vulnerability of global supply chains.

Blurring the Lines | Overlaps Between APTs & Cybercrime

The lines between APT and cybercrime have become increasingly vague. This shift has been influenced by a combination of factors, including the increasing sophistication of cybercriminals, evolving motivations, and the lucrative nature of certain cyber activities. While APTs were historically associated with state-sponsored espionage and sophisticated attacks on political or strategic targets, they now exhibit a broader range of activities resembling cybercrime tactics.

Motivations have diversified, with state-backed groups engaging in cybercriminal activities to generate revenue and fund their ongoing operations. Some APT groups have embraced ransomware attacks, sometimes exploiting the profitability of extorting victims for financial gain but also as a technique of misattribution, disguising stealthy nation-state activity behind a front of common cybercrime. In this context, it is worth noting that cyber criminals themselves have learned from the APT playbook, displaying more advanced and targeted techniques akin to APTs, reflecting their growing ability to source advanced tools and breach high-profile targets.

The availability of advanced tooling through leaks such as Shadow Brokers has also played a pivotal role, enabling cybercriminals to harness APT-like tools and tactics. Access to sophisticated malware, zero-day exploits, and advanced social engineering toolkits and services through dark markets has empowered threat actors of all stripes to execute attacks once the exclusive domain of state-sponsored actors.

The blurring of these lines underscores the complex and dynamic nature of the cyber threat landscape. Traditional distinctions between APTs and cybercrime are changing, and this crystallizes the challenge for the cybersecurity community: to adopt a more holistic and adaptive approach to defense.

Conclusion | Guarding Against State-Sponsored Cyber Attacks

State-sponsored cyber attacks have evolved into a critical, global issue due to their potential to disrupt economies, compromise national security, and manipulate geopolitical dynamics. A cyber attack in one corner of the world can quickly reverberate across borders, affecting governments, industries, and individuals worldwide.

In response, various international policies and agreements have been established, such as the Paris Call for Trust and Security in Cyberspace. The United Nations (UN) has also discussed norms of responsible state behavior in cyberspace, encouraging cooperation and restraint. Additionally, regional organizations and alliances, such as the European Union (EU) and NATO, have developed cyber defense strategies and mechanisms for organizations to share critical information.

Governments have also intensified their efforts to prevent and mitigate cyber espionage risks. The private sector is investing heavily in cybersecurity measures, including threat intelligence sharing and vulnerability management. Various countries have implemented laws and sanctions to deter cyber espionage, promising to take legal action against state-sponsored cyber activities.

Enterprises facing the rippling effects of cyber espionage must adopt a multi-layered defense approach. Investing in robust cybersecurity measures, such as advanced, autonomous detection and response solutions, encryption, and regular security assessments, is crucial.

Outside of choosing the right tech, collaboration with cybersecurity partners and industry peers to share threat intelligence and best practices helps to enhance the community’s overall resilience. As technology continues to evolve, an adaptive mindset, continuous monitoring, and a commitment to cybersecurity readiness can safeguard enterprises against the far-reaching impacts of cyber espionage.

Enterprises worldwide have turned to SentinelOne’s Singularity™ Platform to proactively resolve modern risks at machine speed. Learn how SentinelOne works to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more. Contact us or book a demo today.

Announcing Threat Detection for Amazon S3 | AI-Powered Data Protection

SentinelOne recently announced the launch of the new Singularity™ Cloud Data Security product line to help customers gain visibility and provide protection for their cloud data, storage, downstream applications, and users from risks associated with unscanned files. Threat Protection for NetApp provides protection for NetApp arrays, and Threat Detection for Amazon S3, which will be highlighted here, provides protection for S3 buckets. Both services provide powerful, low-latency security for cloud storage in a highly efficient and simple user experience.

Why Does Amazon S3 Require Protection?

Amazon S3 is one of the most commonly used AWS services. Due to its flexible, scalable, and available nature, it is possible to store and access nearly any object type from anywhere. With this flexibility, there are a variety of use cases for the service, but in today’s environments, we see Amazon S3 being used more by applications than by humans looking for storage. S3 buckets used by applications house not only critical data for the apps themselves but also sensitive data. Uptime and performance are mission critical.

Earlier this year, Amazon S3 turned 17 years old, and AWS shared that it currently holds more than 280 trillion objects and has an average of over 100 million requests per second. As part of the shared responsibility model, AWS ensures that the infrastructure itself is secure, and even ensures data integrity within S3. However, the security of what is in the bucket and its potential spread to downstream applications or workflows is the responsibility of the customer.

Many Amazon S3 users and security teams think of configuration management as the primary security challenge, and it used to be a bigger issue, with buckets holding sensitive data accidentally made public. AWS, though, has implemented new measures to encourage proper configuration. To combat this data loss risk, many organizations use a Cloud Security Posture Management (CSPM) solution to scan for potential misconfigurations, which is an important element of a defense-in-depth strategy. However, CSPM alone is not enough to prevent S3 from being an attack surface.

The sheer volume of data stored in S3, most of it unscanned and accessible to downstream applications and workflows (including user endpoints), poses a security risk to organizations in terms of malware, ransomware, remote access trojans (RATs), supply chain attacks, and more. Without additional protection, an organization’s S3 buckets can become an accidental staging area for malware.

Threat Detection for Amazon S3

With Threat Detection for Amazon S3, organizations can decrease risk and increase visibility when it comes to the objects in their buckets. Reducing risk is important and so is meeting compliance requirements including data sovereignty. The solution was designed to meet the business, security, and cloud architecture needs of customers, focusing on the following features:

  • AI-Driven Threat Detection – Powerful, AI-driven threat detection goes beyond traditional signature-based approaches, which are easily evaded, and protects the organization from threats faster.
  • Automation, Flexibility, and Scalability – Scan new files added to buckets automatically. Inventory and protect buckets, including new buckets automatically as they are created, based on configurable policy-based approaches.
  • High Performance, Low Overhead – Easily deploy into cloud-native architectures using CloudFormation Templates with low ongoing overhead and minimal additional compute costs. Files are scanned quickly, keeping applications running smoothly.
  • Compliance-Ready – Scanning completed in customer cloud; no sensitive data or files leave the organization’s cloud environment.
  • Centralized Management Experience – Delivered in a simple, unified management experience within the SentinelOne console, where customers can also manage the protection of cloud workloads, endpoints, and identity.

Existing solutions in the market have left many customers frustrated due to poor security performance, such as a signature-only approach, and a lack of visibility into the resources and their protection status. Other challenges include sluggish scanning or unnatural deployment patterns that slow applications down, or require time-consuming re-architecture.

Easy Deployment & Ongoing Security Without Maintenance

Getting Started

Threat Detection for Amazon S3 is centrally managed in the SentinelOne management console. To get started, onboard an AWS account or organization and create a StackSet that deploys and creates a role (identified by its ARN) for SentinelOne to access your cloud environment.

The next step is to select the relevant CloudTrail that will be used by SentinelOne to analyze your cloud environment data and provide an inventory of your S3 buckets. Once done, users will receive multiple CloudFormation templates to be deployed, one for each region that the account’s S3 buckets reside in. Once deployed, the admin can then configure the policy to select which buckets will be protected against malware or fully scanned. Admins can also invoke an ad hoc scan of a bucket.

Scanning and Policy Configuration

In a true “set it and forget it” approach, scanning of S3 buckets is triggered by configuring a cloud policy that will automatically scan every file added to the indicated bucket according to a predefined rule. For example, all buckets tagged as production should be automatically scanned and monitored for new files.

Configuring policies or rules is done in the SentinelOne management console. Policies can filter resources based on any AWS metadata such as tags, regions, “name contains”, OU, org, etc. There are a variety of policy-based options available. For example, organizations could choose to apply scanning of new files, and quarantining of all suspected malicious files, to all “production”-tagged buckets, or to all buckets in a specific region due to compliance requirements. By using a tag-based approach, users save time by automating the policy application vs. applying policies to each bucket by name.

A policy-based approach makes it easy to apply protection and remediation rules

These options are configured at the policy level. When a suspicious or malicious file is identified in a bucket with a “Quarantine” policy enabled, the service will encrypt the file and move it to a customer-defined quarantine bucket. The file is also removed from the original bucket. If the policy is set not to quarantine, the service will tag the malicious file and create a threat in the SentinelOne management console.

Once the scanning service is done, it reports the findings into the SentinelOne Singularity™ console incidents page. If a file needs to be unquarantined, a user with appropriate privileges can unquarantine with one click, and also add an exclusion to the file for future scans.
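To make the policy and quarantine behaviour concrete, here is an added example (my own illustration, not SentinelOne’s code or the product’s API) of a tag/region/“name contains” bucket policy evaluator together with the two verdict outcomes described above: quarantine (encrypt, move to a customer-defined quarantine bucket, remove from the source) versus tag-and-alert. The bucket inventory, policies, object contents, the quarantine bucket name, the `s1-verdict` tag and the “encryption” step are all constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed in-memory stand-in for S3: bucket name -> object key -> record.
# This models only the policy selection and verdict handling described in
# the text; it is not the scanning service itself.
ObjectStore = Dict[str, Dict[str, dict]]


@dataclass
class Bucket:
    name: str
    region: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class Policy:
    """One rule: every configured selector must match for the actions to apply."""
    name: str
    scan_new_files: bool = False
    scan_existing_files: bool = False
    quarantine: bool = False
    tag_equals: Dict[str, str] = field(default_factory=dict)   # e.g. {"env": "production"}
    regions: List[str] = field(default_factory=list)           # e.g. ["eu-central-1"]
    name_contains: Optional[str] = None                        # "name contains" selector

    def matches(self, bucket: Bucket) -> bool:
        if any(bucket.tags.get(k) != v for k, v in self.tag_equals.items()):
            return False
        if self.regions and bucket.region not in self.regions:
            return False
        if self.name_contains and self.name_contains not in bucket.name:
            return False
        return True


def resolve(bucket: Bucket, policies: List[Policy]) -> dict:
    """Union of all matching policies: a capability is on if any matching policy enables it."""
    matched = [p for p in policies if p.matches(bucket)]
    return {
        "bucket": bucket.name,
        "policies": [p.name for p in matched],
        "scan_new_files": any(p.scan_new_files for p in matched),
        "scan_existing_files": any(p.scan_existing_files for p in matched),
        "quarantine": any(p.quarantine for p in matched),
    }


def handle_verdict(store: ObjectStore, decision: dict, key: str, verdict: str,
                   quarantine_bucket: str = "QUARANTINE-BUCKET-PLACEHOLDER") -> List[str]:
    """Apply the two outcomes for a malicious object and return the threats raised.

    quarantine on : object is encrypted (placeholder transform here), copied to the
                    customer-defined quarantine bucket, and removed from the source.
    quarantine off: object stays in place, is tagged, and a threat is created.
    """
    threats: List[str] = []
    if verdict != "malicious":
        return threats
    src = decision["bucket"]
    record = store[src][key]
    if decision["quarantine"]:
        # Placeholder for the service's encryption step; constructed, not real crypto.
        sealed = {"body": b"ENCRYPTED:" + record["body"],
                  "tags": dict(record["tags"]), "source_bucket": src}
        store.setdefault(quarantine_bucket, {})[key] = sealed
        del store[src][key]
        threats.append(f"{src}/{key} quarantined to {quarantine_bucket}")
    else:
        record["tags"]["s1-verdict"] = "malicious"   # assumed tag name, not the product's
        threats.append(f"{src}/{key} tagged malicious (not quarantined)")
    return threats


# Constructed sample policies mirroring the examples in the text.
POLICIES = [
    Policy("production-quarantine", scan_new_files=True, quarantine=True,
           tag_equals={"env": "production"}),
    Policy("eu-compliance-scan", scan_new_files=True, scan_existing_files=True,
           regions=["eu-central-1"]),
]

# Constructed bucket inventory.
INVENTORY = [
    Bucket("prod-app-data", "us-east-1", {"env": "production"}),
    Bucket("eu-archive", "eu-central-1"),
    Bucket("dev-scratch", "us-west-2", {"env": "dev"}),
]


def demo() -> dict:
    """Resolve policy per bucket, then process two constructed malicious verdicts."""
    store: ObjectStore = {b.name: {} for b in INVENTORY}
    store["prod-app-data"]["upload.bin"] = {"body": b"\x00sample", "tags": {}}
    store["eu-archive"]["report.pdf"] = {"body": b"%PDF-sample", "tags": {}}
    decisions = {b.name: resolve(b, POLICIES) for b in INVENTORY}
    threats = handle_verdict(store, decisions["prod-app-data"], "upload.bin", "malicious")
    threats += handle_verdict(store, decisions["eu-archive"], "report.pdf", "malicious")
    return {"decisions": decisions, "store": store, "threats": threats}


if __name__ == "__main__":
    for line in demo()["threats"]:
        print(line)
```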

Status of all connected Amazon S3 buckets is easy to see in the SentinelOne console

Autoscaling & High Volume Scanning

Whether you are scanning a high volume of files entering your S3 bucket or performing an on-demand scan, this solution has a built-in auto-scaling feature to ensure files are scanned for malware as quickly as possible while minimizing cost.

The actual files never leave the organization’s AWS accounts. This service sends metrics, metadata, and logs from your AWS accounts to Singularity™ Cloud. Once a malicious file is detected, the file name, path, and the relevant user ID that uploaded the file are sent to the Singularity™ Cloud console for display. This ensures all compliance and data sovereignty requirements are met with respect to hosting your data in your environment.

Scanning Existing Files

After deploying the solution and configuring the policy definition, the appropriate policy will be applied to the buckets in the inventory: new file scanning, existing file scanning, both, or no scanning. An ad hoc scan on existing files can easily be initiated on demand from the Singularity console.

Simple, Powerful Security For Simple Storage Service

Configuration scanning is not enough – danger resides in the data itself, being passed downstream. The popularity and flexibility of Amazon S3 leads to a potentially broad attack surface for many organizations that have not begun scanning and securing the data residing in their buckets. Regardless of cloud maturity or S3 use cases, organizations now have a simple and scalable solution to protect their data, their users, and their businesses with Threat Detection for Amazon S3.

Simple deployment, powerful AI-driven threat detection and response with in-line and in-bucket scanning will enable customers to protect their Amazon S3 buckets, critical business applications, and users from malware, ransomware, remote access trojans (RATs) and more.

To learn more about Threat Detection for Amazon S3, read the solutions brief, request a demo, or contact us today.

Understanding XDR | A Guided Approach for Enterprise Leaders

Cyber adversaries operate with a level of finesse and precision that can catch organizations off guard. In seconds, they can lure unsuspecting employees or partners with malicious files, exploit existing vulnerabilities to breach a network, and start moving laterally within a system to elevate their credentials.

The impact of ransomware attacks extends beyond mere disruption; they come with a hefty price tag. According to IBM’s “Cost of a Data Breach Report 2023,” businesses are losing a staggering $4.45 million per data breach, a 15% increase over the past 3 years. The substantial challenge for organizations lies in their security infrastructure, which is often an assortment of disparate platforms and multiple isolated solutions. Having a disjointed setup leads to a fragmented view of the organization’s unique risk and threat profiles.

This is where the concept of eXtended Detection and Response (XDR) emerges as a solution. XDR offers a novel approach to mitigating threats by gathering and harmonizing data across endpoints and diverse security solutions. This results in comprehensive visibility and enables automated responses, accelerating how organizations combat cyber threats.

In this post, we outline the essential ways XDR works and explore its transformative potential on the security strategies of modern enterprise businesses. Tailored to address the complex and interconnected nature of today’s threat landscape, XDR presents an opportunity for security leaders to enhance their organization’s security posture.

What Makes XDR Right For Modern Businesses?

Expanding on the foundations of traditional Endpoint Detection and Response (EDR) capabilities, eXtended Detection and Response (XDR) takes a progressive leap by automating and seamlessly integrating insights from an array of supplementary security tools. This fusion, which encompasses network and user analytics solutions, facilitates the correlation of threats across an organization’s entire network. Data is amalgamated and fortified by robust security analytics, serving as the catalyst for triggering automated responses to potential threats. XDR also helps security teams automate root cause analysis, equipping teams with the agility needed to respond promptly and effectively – a key factor in stopping security events from being all-out catastrophes.

Amid the landscape of remote and hybrid work arrangements, which inadvertently expand the attack surface, the role of XDR has become pivotal. Since the COVID-19 pandemic, industries have seen a heightened vulnerability stemming from increased access points and the accelerated adoption of hybrid and cloud environments. Organizations find themselves in the crosshairs of relentless attacks, making it necessary to build robust, end-to-end security defenses.

Beyond strengthening security measures, XDR also plays a pivotal role in alleviating the growing cybersecurity skills shortage. This is achieved through amplified analyst productivity via streamlined automation and a unified workflow. Implementing XDR significantly reduces the manual effort required to track threats across multiple systems, replacing it with an intuitive central console, allowing teams to holistically manage threats across their entire spectrum of solutions.

XDR vs. The Cyber Kill Chain

In the cyber kill chain (aka cyber attack lifecycle), the intrusion and enumeration phases make up the critical juncture where proactive measures are pivotal. During these stages, the threat actors haven’t yet moved deeply into the compromised network or blended in with normal network activities.

However, as the actors advance to the lateral movement phase, the task of detection becomes more challenging. At this point, threat actors often employ evasion tactics, ingraining themselves deeply within the network’s architecture. This phase is often characterized by the use of living-off-the-land techniques, where threat actors harness existing legitimate processes and tools within the environment to solidify their foothold.

Over the years, threat actors have shortened the time between intrusion and lateral movement, a testament to their increasing sophistication and resourcefulness. For cyber defenders, this means that detecting the first signs of compromise during the enumeration and intrusion stages becomes the linchpin of an effective defense strategy.

Reconnaissance & Enumeration

Before initiating the attack, malicious actors choose their target and search for exploitable vulnerabilities within their operations. This includes identifying unpatched vulnerabilities, misconfigurations, exposed administrative accounts, and other potential weaknesses.

What XDR Does:

  • Comprehensive Visibility – XDR aggregates data from various sources, including endpoints, networks, cloud environments, and user behavior. By integrating insights from these diverse security solutions, XDR provides a comprehensive view of the entire IT landscape. This holistic perspective enables security teams to identify anomalous activities and potential reconnaissance attempts across multiple attack vectors.
  • Behavioral Analytics – XDR leverages advanced behavioral analytics and machine learning algorithms to establish baseline patterns of normal behavior for users, applications, and systems. When threat actors attempt reconnaissance by deviating from these established patterns, XDR can quickly detect unusual or unauthorized activities. This ensures that any deviations indicative of reconnaissance activities are promptly flagged for investigation.
  • Real-Time Monitoring – XDR continuously monitors network traffic, user interactions, and system behavior in real time. This proactive monitoring allows security teams to identify and respond to suspicious activities, including reconnaissance attempts, as they occur. Real-time alerts enable immediate action to be taken before threat actors can gather significant intelligence about the target environment.
  • Threat Intelligence Integration – XDR integrates threat intelligence feeds and databases, enabling organizations to stay updated on the latest attack trends, tactics, and techniques. This integration enhances the detection of reconnaissance activities by correlating observed behaviors with known threat actor tactics, ensuring that potential threats are recognized and addressed promptly.
  • Automated Responses – XDR’s automation capabilities empower security teams to respond rapidly to detected threats. In the case of reconnaissance attempts, XDR can automatically trigger predefined response actions, such as isolating compromised endpoints, blocking suspicious IP addresses, or initiating deception techniques to divert attackers away from critical assets.
  • Threat Hunting – XDR supports proactive threat hunting by allowing security analysts to query and investigate historical data. This capability enables the identification of subtle indicators of threat activities that might have been missed during real-time monitoring. Threat hunters can uncover patterns or anomalies that might signify ongoing or past reconnaissance attempts.

Initial Intrusion & Enumeration

Building on insights gathered during the preparation phase, threat actors tailor their intrusion techniques to capitalize on the specific weaknesses they’ve identified in their targets. Once inside the target system, threat actors move swiftly to establish their presence, gauge the extent of their current permissions, and determine the level of privileges required for lateral movement. Time becomes a critical factor as actors strive to solidify their position and enhance their access rights.

What XDR Does:

  • Detection of Suspicious Activities – XDR continuously monitors network traffic, endpoint behaviors, user activities, and other data sources in real time. It uses advanced behavioral analytics and machine learning algorithms to establish baseline patterns of normal behavior. Any deviations from these patterns, indicative of suspicious or unauthorized activities associated with the initial intrusion, are promptly identified and flagged for investigation.
  • Real-Time Alerts – Upon detecting anomalous behaviors, XDR generates real-time alerts that notify security teams about potential intrusion attempts. These alerts provide crucial information about the nature of the threat, the affected systems, and the attack vector, enabling rapid response and mitigation.
  • Incident Prioritization – XDR’s threat detection capabilities allow it to prioritize alerts based on the severity and potential impact of the intrusion. This ensures that security teams focus their efforts on addressing the most critical threats first, minimizing the attacker’s window of opportunity.
  • Correlation of Data – XDR integrates data from various sources, such as endpoints, network logs, and cloud environments. By correlating information from multiple domains, XDR provides a comprehensive view of the attack, enabling security teams to understand the attacker’s tactics, techniques, and potential objectives.
  • Automated Response Actions – XDR’s automation capabilities come into play during the initial intrusion phase. Upon detecting a potential intrusion, XDR can automatically initiate predefined response actions. These actions may include isolating compromised endpoints, blocking suspicious IP addresses, or triggering additional security measures to prevent lateral movement.

How Enterprise Businesses Can Get Started With XDR

Implementing XDR for enterprise businesses requires a well-structured approach to ensure its effectiveness. Here are key strategies to consider when adding XDR capabilities to an existing tech stack.

1 – Define Objectives and Use Cases

Start by clearly defining the organization’s cybersecurity objectives and identifying specific use cases where XDR can provide the most value. Determine the critical assets and data that need protection and the potential threat scenarios to be addressed.

Tailor use cases to the organization’s unique risk profile and industry challenges. This strategic foundation ensures that the chosen XDR solution aligns precisely with the organizational priorities and sets the stage for a focused and effective implementation that addresses the most pressing cybersecurity concerns.

2 – Assess Current Security Landscape

Conduct a comprehensive assessment of current security infrastructure, including existing tools, technologies, and processes. Identify gaps, redundancies, and look for areas for improvement where XDR can fill in or enhance defense mechanisms.

Evaluate where XDR can integrate with current security solutions to optimize data collection and correlation across endpoints, networks, and cloud environments. This assessment provides a clear understanding of the organization’s strengths and weaknesses, enabling leaders to tailor the XDR implementation to fill critical security gaps that may have been overlooked.

3 – Plan for Deployment

Develop a comprehensive deployment plan that outlines the rollout strategy for XDR across different environments (endpoints, networks, and cloud, for example). Consider a phased approach to minimize disruptions and ensure smooth adoption. This means allocating resources for deployment, including personnel, time, and budget. Establish clear communication channels among IT, security teams, and stakeholders to ensure alignment and manage expectations.

4 – Configure, Customize & Perform Ongoing Optimization

Following the deployment of a new XDR solution, it is important to configure and customize the system to optimize its effectiveness. Begin by tailoring alert thresholds, correlation rules, and automated response actions to align with the organization’s unique security policies and priorities.

Leverage the XDR solution’s capabilities to create specific use-case scenarios and regularly review and refine configurations based on real-world insights and evolving threat landscapes. Collaboration between security analysts and IT teams ensures fine-tuning that maximizes threat detection accuracy and minimizes false positives.

Conclusion

Extended Detection and Response (XDR) has emerged as a leading solution in defending organizations against modern cyber attacks. As the cybersecurity landscape continues to shift and threat actors deploy increasingly sophisticated tactics to exploit vulnerabilities and breach defenses, a traditional, siloed approach to security is nowhere near enough. XDR’s comprehensive and integrated approach ushers in a new model of security where data across endpoints, networks, and clouds converge to provide a holistic vantage point. This is the key vantage point for detecting the very first indications of a cyber intrusion, before the attack can even begin to escalate.

With threat actors continually evolving their tactics, organizations must remain agile and adaptive. XDR’s ability to integrate with existing security solutions and its scalability ensures that as new threats emerge, the organization can seamlessly incorporate new tools and threat intelligence feeds. By analyzing patterns and trends across diverse data sources, XDR enables organizations to fine-tune their security strategies, anticipate potential vulnerabilities, and strategically allocate resources to maximize protection.

SentinelOne offers Singularity XDR, a leading solution in the security space powered by autonomous response. Learn how Singularity leverages artificial intelligence and machine learning to respond across entire security ecosystems and protect each attack surface. Book a demo or contact us for more information.


Diligere, Equity-Invest Are New Firms of U.K. Con Man

John Clifton Davies, a convicted fraudster estimated to have bilked dozens of technology startups out of more than $30 million through phony investment schemes, has a brand new pair of scam companies that are busy dashing startup dreams: A fake investment firm called Equity-Invest[.]ch, and Diligere[.]co.uk, a scam due diligence company that Equity-Invest insists all investment partners use.

A native of the United Kingdom, Mr. Davies absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared on suspicion of murdering his third wife on their honeymoon in India.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

John Clifton Davies was convicted in 2015 of swindling businesses throughout the U.K. that were struggling financially and seeking to restructure their debt. For roughly six years, Davies ran a series of firms that pretended to offer insolvency services. Instead, he simply siphoned what little remaining money these companies had, spending the stolen funds on lavish cars, home furnishings, vacations and luxury watches.

In a three-part series published in 2020, KrebsOnSecurity exposed how Davies — wanted by authorities in the U.K. — had fled the country, taken on the surname Bernard, remarried, and moved to his new (and fourth) wife’s hometown in Ukraine.

After eluding justice in the U.K., Davies reinvented himself as The Private Office of John Bernard, pretending to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking private equity investment opportunities.

In case after case, Bernard would promise to invest millions in hi-tech startups, only to insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called The Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

Bernard found a constant stream of new marks by offering extraordinarily generous finders fees to investment brokers who could introduce him to companies seeking an infusion of cash. Inside Knowledge and The Private Office both closed up shop not long after being exposed here in 2020.

In April 2023, KrebsOnSecurity wrote about Codes2You, a recent Davies venture which purports to be a “full cycle software development company” based in the U.K. The company’s website no longer lists any of Davies’ known associates, but the site does still reference software and cloud services tied to those associates — including MySolve, a “multi-feature platform for insolvency practitioners.”

Earlier this month, KrebsOnSecurity heard from an investment broker who found out his client had paid more than $50,000 in due diligence fees related to a supposed multi-million dollar investment offer from a Swiss concern called Equity-Invest[.]ch.

The investment broker, who spoke on condition that neither he nor his client be named, said Equity-Invest began getting cold feet after his client plunked down the due diligence fees.

“Things started to go sideways when the investor purportedly booked a trip to the US to meet the team but canceled last minute because ‘his pregnant wife got in a car accident,’” the broker explained. “After that, he was radio silent until the contract expired.”

The broker said he grew suspicious when he learned that the Equity-Invest domain name was less than six months old. The broker’s suspicions were confirmed after he discovered the due diligence company that Equity-Invest insisted on using — Diligere[.]co.uk — included an email address on its homepage for another entity called Ardelis Solutions.

A corporate entity in the UK called Ardelis Solutions was key to showing the connection to Davies’ former scam investment and due diligence firms in the Codes2You investigation published earlier this year.

Although Diligere’s website claims the due diligence firm has “13 years of experiance” [sic], its domain name was only registered in April 2023. What’s more, virtually all of the vapid corporate-speak published on Diligere’s homepage is identical to text on the now-defunct InsideKnowledge[.]ch — the fake due diligence firm secretly owned for many years by The Private Office of John Bernard (John Clifton Davies).

A snippet of text from the now-defunct website of the fake Swiss investor John Bernard, in real life John Clifton Davies.

“Our steadfast conviction and energy for results is what makes us stand out,” both sites state. “We care for our clients’ and their businesses, we share their ambitions and align our goals to complement their objectives. Our clients know we’re in this together. We work in close partnership with our clients to deliver palpable results regardless of geography, complexity or controversy.”

The copy on Diligere’s homepage is identical to that once on Insideknowledge[.]com, a phony due diligence company run by John Clifton Davies.

Requests for comment sent to the contact address listed on Diligere — info@ardelissolutions[.]com — went unreturned. Equity-Invest did not respond to requests for comment.

Day 2 of Black Hat USA 2023 | Exploring The Power of a Threat Intel & AI-Driven Future

What a few days it was at this year’s BlackHat cyber event in sunny Las Vegas! The stunning SentinelOne booth welcomed thousands of visitors who came to learn about PurpleAI, our newly launched Ranger Insights console, and all the ways the Singularity™ platform helps organizations protect their endpoints, secure their cloud, and unify their data.


We’ve connected with so many of our customers, prospects, partners, as well as our executive and R&D teams over the last few days. For those who couldn’t join us live at the event this time around, our blog today will cover everything that happened on Day 2 of Black Hat USA 2023.

PurpleAI | AI-Driven Threat Hunting, Analysis & Response for the Modern Enterprise

On Thursday, the SentinelOne Theatre beckoned visitors for another full day of presentations and live product demonstrations. In particular, folks were drawn to our demos of PurpleAI, SentinelOne’s recently launched generative AI platform, dedicated to threat hunting, analysis and response. PurpleAI, not surprisingly, piqued the interest of many, in line with this year’s event theme surrounding Generative AI and its growing presence within the cybersecurity community.

In the packed theater, Joseph Poyner, Director of Sales Engineering and Solution Engineering at SentinelOne, showcased how PurpleAI accelerates the offensive strategies and response levels of your Security Operations Center (SOC). Before presenting the PurpleAI demo, Poyner explained some of the industry problems that we set out to solve when we created PurpleAI from the ground up.

Before PurpleAI came to life, we considered some of the hard facts about the current climate. It’s been reported that our industry is millions of analysts short in dealing with the current cybersecurity workload. For the workforce we do have, they’re fighting against both new and sophisticated cyberattack TTPs, which are fueling the rise in ransomware, software supply chain attacks, and more. As single-layer, reactive security solutions are no longer enough to keep up with increasingly skilled cybercriminals, enterprises now have to stack multi-layered, proactive solutions together to build a robust defense posture.

In analyzing SentinelOne customer data and telemetry, we also found that many of the customer queries in our platform are surprisingly simple. Why aren’t people writing complicated queries, we asked? Why aren’t they pulling insights from this large pool of data? The reason, we found, is that most analysts are new to their role and still honing their skill set. Given these observations, we set about building PurpleAI, which Poyner then demoed through a Capture the Flag (CTF)-style game.

“Rather than an hour-long investigation, we’re going to cut that down to five to 10 minutes,” he explained during the CTF demo. “The other thing is [PurpleAI] never sleeps. This is going to programmatically go through your queries.”

Poyner also highlighted how PurpleAI and your queries can integrate with other popular SaaS tools like Okta.

“You don’t even have to be an analyst. You just have to understand what type of data you want. You can just ask PurpleAI those queries and supercharge your SOC.”

Test drive PurpleAI for yourself with this interactive demo. Interested in learning more? Connect with a SentinelOne expert to find out how PurpleAI can benefit your organization.

Presentation Highlight | Mandiant On Combining Cyber Threat Intel

For a second day, we also welcomed partners and fellow security leaders in our industry to give in-booth presentations. In one notable instance, Mandiant’s esteemed Head of Managed Defense Consulting, Alan White, shared his thoughts in a series of slides on why SentinelOne and Mandiant are truly better together for customers.

“We’re talking about taking really great powerful technology that SentinelOne has with a really powerful Mandiant service. Combined with that threat intelligence, it’s unstoppable,” White told us after his presentation.

Consider this: Without this SentinelOne-Mandiant advantage, organizations would face the expensive and difficult challenge of staffing a team of 24/7 security analysts to achieve the same level of protection. By leveraging SentinelOne XDR technology with Mandiant’s leading MDR service, intelligence, and expertise, customers receive around-the-clock support, proactive threat hunting, and the unification of security across their existing tools.

“You’re going to find evil quickly, you’re going to detect it quickly, and you’re going to leverage the technology to reduce the threat as fast as possible,” White told us. “At the end of the day, I can’t think of a better way to tell a client, ‘If you can’t manage your own environment 24/7, then the partnership that we bring together is the way to go.”

Learn more about how SentinelOne and Mandiant can benefit your organization here. We’re also excited to join Mandiant at its mWISE conference in Washington D.C. next month.

Noetic Cyber | Automating Asset Management With Endpoint Context

SentinelOne partner and S Ventures portfolio company, Noetic Cyber, announced on Day 2 of Black Hat the next phase of its integration with us. In their latest blog post, Noetic Cyber outlines its plans to extend its market-leading cyber asset attack surface management (CAASM) platform to support new use cases.

The company focuses on providing a proactive approach to cyber asset and controls management to help security professionals better understand the cyber risks within their environments, map the relationships between all of their assets and entities, and tie together context and insights to enable faster, more accurate decisions.

“SentinelOne is excited to expand the use cases with Noetic Cyber and the value that will deliver to joint customers,” SentinelOne’s SVP Corporate Development & S Ventures Rob Salvagno said in a statement. “Together, we deliver a comprehensive solution to help security teams better understand their endpoint, cloud, network, and vulnerability risk.”

The integration of SentinelOne Singularity™ XDR and the Noetic Continuous Cyber Asset and Controls platform allows security teams to extend the visibility, detection, and endpoint insights of SentinelOne into a wider asset inventory and management architecture. By ingesting high-fidelity endpoint telemetry and incident data from SentinelOne, the Noetic platform can correlate with insights from other security and IT management tools to provide full visibility into all assets within an environment and the cyber relationships between them. Customers can look forward to the following updates to the bi-directional Noetic-SentinelOne Singularity Connector.

Enriched Vulnerability Findings & Prioritization

Noetic has added support for SentinelOne’s new Application Risk capability, which leverages the SentinelOne agent to scan the endpoint for third-party applications and list them in the inventory. The agent then regularly maps the inventory against vulnerability data from the NIST NVD, associating it with the relevant applications and endpoints.

Support for Network Discovery with Singularity Ranger

Noetic’s new integration with Singularity Ranger works by ingesting the results of Ranger scans into the Noetic platform, providing vital context into Ranger-discovered devices. Security teams can quickly see whether devices are on a restricted network range or have access to sensitive datasets or which services they support, for example. This considerably reduces the analyst workload by simplifying the review process.

Extended Support for Cloud & Container Use Cases

The latest version of the Noetic connector has also added support for Singularity Cloud Workload Protection. Data collected by SentinelOne is aggregated with information from AWS, Azure, and Google Cloud, giving security teams the ability to discover security coverage gaps across containers and Kubernetes clusters so that they can drive remediation processes.

Read our joint solution brief or eBook for more information and reach out today to learn how Noetic can support any tool in your stack, driving rapid time to value.

A Peek Into the S Ventures Happy Hour

It was our thorough pleasure to co-host an exclusive happy hour for our S Ventures portfolio companies, partners, and friends in close partnership with Okta Ventures, B Capital, and SYN Ventures! More than 130 attendees gathered at Citizen Kitchen & Bar in Mandalay Bay to enjoy hors d’oeuvres, cocktails, and great conversations about the future of cybersecurity.

“Events like this showcase S Ventures and our partner’s commitment to guiding and scaling the next generation of innovative security and data companies,” said Salvagno. “By fostering connections within and across our mutual networks, we empower these companies to grow and make more of an impact across the ecosystem.”

What Can We Say…We Like To Party!

If you were at our RSAC FOMO afterparty this year, then you know that we love to throw a good party. What we love even more, though, is enjoying a great party thrown by our friends! To round out a full day’s worth of learning and networking, the SentinelOne team was proud to sponsor both GuidePoint Security’s and Optiv’s Black Hat afterparties this year.

On Tuesday, GuidePoint hosted the event of the night in the Skyfall Lounge at Mandalay Bay, taking advantage of its surreal, panoramic views of the Las Vegas Strip. Just imagine looking down at the lights and buzz of Vegas from the 64th floor of the Delano. We had a great time, GuidePoint.

Thursday was the quintessential Black Hat afterparty that you’d expect when in Vegas. What we’ll say is that Optiv threw a banger of an event at DAYLIGHT beach club at Mandalay Bay complete with bubble sphere dancers in the pool, live music, and acrobatic routines performed above the party goers. What a way to close out Black Hat USA 2023. Thanks, Optiv!

Conclusion

The team at SentinelOne is so grateful for another amazing year at Black Hat USA. We’d like to thank all of the people who took time to visit our iconic Tree of Life booth and theater space and chatted with us about new ways to iterate collaboratively towards the next level of cybersecurity.

These events always renew our passion for keeping those we protect safe from advancing threats and show just how many dedicated people are out there making this happen daily. We already can’t wait for next year’s event but until then, let’s keep the energy up, the conversations flowing, and our channels of communication open for exciting ideas yet to be explored.

The Good, the Bad and the Ugly in Cybersecurity – Week 32

The Good | White House Launches AI-Centric Cybersecurity Contest to Protect US Entities

The Biden-Harris administration this week announced a new hacking challenge with the purpose of using artificial intelligence (AI) to protect critical US infrastructure from growing cybersecurity threats. In collaboration with tech companies such as OpenAI and Anthropic, which are making their technology available for the competition, the “AI Cyber Challenge” (aka AIxCC) offers up to $20 million in prizes for participating hackers. AIxCC will be led by the Defense Advanced Research Projects Agency (DARPA), which has made an additional $7 million available for SMBs looking to compete. The challenge was announced at the Black Hat USA 2023 cybersecurity conference in Las Vegas, in line with this year’s theme of generative AI.

The challenge is a practical exercise in demonstrating the potential benefits of AI in securing various software used across all industry verticals. Described by White House officials as being a “clarion call” for organizations to strengthen the security of their critical software, AIxCC plans to leverage the winning code to protect federal and critical infrastructure immediately. As part of the administration’s 2021 executive order on improving the nation’s cybersecurity posture, AIxCC is the latest effort in exploring AI-based security and innovation to mitigate the severe damage and costs associated with modern cyber risks.

The challenge also calls to attention the notion that AI holds potential in helping security professionals remain steps ahead of increasingly sophisticated cyber threat actors only if used safely and responsibly. Earlier this year, NIST launched an AI risk management framework and last month, the administration secured voluntary commitments from leading AI companies to manage the risk posed by the budding popularity of the technology.

Semi-finalists of the challenge can expect to compete at DEF CON 2024 with the final leg of the competition to be hosted the following year at DEF CON 2025.

The Bad | High-Severity RCE Vulnerability Threatens Windows Print Management Software

Earlier this week, cybersecurity researchers uncovered a critical vulnerability in PaperCut, a print management software for Windows. Tracked as CVE-2023-39143, the path traversal and file upload flaw allows potential attackers to upload, read, or delete arbitrary files, leading to remote code execution (RCE) on the application server.

Exploitation of this vulnerability requires the external device integration setting to be enabled, which is the default configuration for specific installations of the software. The researchers estimate that the vast majority of PaperCut installations currently run on Windows with this particular setting turned on. They also note that this vulnerability, though severe, involves multiple issues that must be chained together before server compromise is successful.

The company strongly recommends that users patch their installations to version 22.1.3 or later. To check if a server is vulnerable to CVE-2023-39143, use the following command:

Source: Horizon3.ai
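As an added example that is not part of the original post and is not PaperCut’s or Horizon3.ai’s own check, the following Python triages an inventory of PaperCut servers against the two conditions the article gives: a version below the fixed release 22.1.3 and the external device integration setting turned on. The inventory records, their `external_device_integration` flag, and the hostnames are constructed for illustration and are not a PaperCut API.

```python
import re
from dataclasses import dataclass

# Fixed release named in the vendor guidance quoted above (CVE-2023-39143).
FIXED_VERSION = (22, 1, 3)

# Leading "major.minor.patch"; trailing build info such as " (build 66678)" is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) as integers so comparisons are numeric.

    Comparing version strings lexically would wrongly rank '22.1.10' below '22.1.3';
    tuple comparison gets this right.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


@dataclass
class PaperCutHost:
    hostname: str
    version: str
    external_device_integration: bool  # assumed inventory field, see lead-in
    platform: str


@dataclass
class Finding:
    hostname: str
    status: str  # "vulnerable" | "patch-still-required" | "patched" | "unknown"
    reason: str


def assess(host: PaperCutHost) -> Finding:
    """Classify one host using only the preconditions stated in the article."""
    try:
        version = parse_version(host.version)
    except ValueError as exc:
        # Do not silently treat an unparseable record as safe.
        return Finding(host.hostname, "unknown", str(exc))
    if version >= FIXED_VERSION:
        return Finding(host.hostname, "patched",
                       f"version {host.version} is 22.1.3 or later")
    if not host.external_device_integration:
        # Exploitation needs the setting enabled, but the code is still unfixed.
        return Finding(host.hostname, "patch-still-required",
                       f"version {host.version} below 22.1.3; "
                       "external device integration disabled")
    return Finding(host.hostname, "vulnerable",
                   f"version {host.version} below 22.1.3 with "
                   "external device integration enabled")


def triage(hosts: list) -> dict:
    """Group findings by status, most urgent first, for a remediation worklist."""
    order = ["vulnerable", "unknown", "patch-still-required", "patched"]
    grouped = {status: [] for status in order}
    for host in hosts:
        finding = assess(host)
        grouped[finding.status].append(finding)
    return grouped


# Constructed sample inventory (hostnames and values are illustrative only).
SAMPLE_INVENTORY = [
    PaperCutHost("print-01.example.test", "22.0.12", True, "Windows"),
    PaperCutHost("print-02.example.test", "22.1.3 (build 66678)", True, "Windows"),
    PaperCutHost("print-03.example.test", "22.1.10", True, "Windows"),
    PaperCutHost("print-04.example.test", "21.2.11", False, "Linux"),
    PaperCutHost("print-05.example.test", "n/a", True, "Windows"),
]

if __name__ == "__main__":
    for status, findings in triage(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(f"{status:22} {finding.hostname:24} {finding.reason}")
```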

CVE-2023-39143 is the latest in a string of vulnerabilities afflicting the PaperCut software this year. In April, two similar vulnerabilities, CVE-2023-27350 (an RCE flaw) and CVE-2023-27351 (an information disclosure flaw), were widely exploited by ransomware affiliates, most notably Cl0p and LockBit, to deliver Cobalt Strike and ransomware. Nearly two weeks later, the same vulnerabilities were exploited by Iranian-backed threat actors to gain access to targeted networks and exfiltrate corporate data.

SentinelOne customers are automatically protected against both Cl0p and LockBit 2.0 and 3.0 through the Singularity XDR platform which identifies and stops any malicious activities related to either ransomware affiliate.

The Ugly | DPRK-Backed Hack Group Breaches Russian Missile Makers

North Korean state-sponsored hacking group, ScarCruft (aka APT37), has been identified as the culprit behind a cyberattack on NPO Mashinostroyeniya, a Russian organization known for designing space rockets and intercontinental ballistic missiles. Despite being sanctioned by the U.S. Department of Treasury due to its involvement in the Russo-Ukrainian war, NPO Mashinostroyeniya fell victim to the attack, which involved planting an ‘OpenCarrot’ Windows backdoor for remote network access.

According to an analysis by SentinelLabs, ScarCruft specializes in cyber espionage, targeting and exfiltrating data from various entities as part of its operations, though the motives for this campaign are still unclear. The breach was initially discovered when leaked emails from NPO Mashinostroyeniya revealed suspicious network communications and a malicious DLL file installed on internal systems. This prompted further investigation by SentinelLabs, uncovering a more extensive intrusion than the missile makers initially realized.

Example of unrelated email alerts from Russian CERT to NPO Mash

The backdoor, ‘OpenCarrot,’ is associated with the Lazarus Group, another North Korean hacking entity. While collaboration between ScarCruft and Lazarus hasn’t been confirmed, it’s not uncommon for different North Korean threat actors to share tools and tactics. The ‘OpenCarrot’ backdoor boasts an array of functionalities, including reconnaissance, file and process manipulation, and reconfiguration of command-and-control communications.

Based on SentinelLabs’ assessment, this campaign underscores North Korea’s proactive mission to advance its missile development programs. The collaboration amongst various DPRK-based hacking groups suggests a unified strategy to continue a diverse range of threat campaigns aiming for profound and global consequences.

Day 1 of Black Hat USA 2023 | Generative AI, Automation & The Security Landscape of Tomorrow

SentinelOne has landed in Vegas for this year’s Black Hat security conference! Each year, Black Hat invites security gurus, researchers, hackers, and cyber enthusiasts from around the world to join in on two days of keynotes by industry leaders as well as cutting-edge presentations and exclusive tech demos.

We’ll be sure to keep you in the loop on all the event activities so you don’t miss out on any thought leadership or announcements from the event. Read on for a recap of all the essentials that happened on Day 1 of Black Hat 2023.

Black Hat 2023 | Bringing Together the Cyber Community

Established in 1997, Black Hat stands as a globally recognized series of cybersecurity events, offering leading research on information security. Over the years, Black Hat has developed into an international platform for the infosec community with the gatherings serving as a trusted resource of the latest advancements and emerging patterns within the security community. At the heart of Black Hat are its briefings and trainings, tailored to meet the demands of the current security business needs.

This year, Generative AI steps into the spotlight as the main event theme, sparking discourse on the role of automation and AI in accelerating detection and response capabilities. In the nearly one year since ChatGPT and others like it exploded onto the scene, security leaders have been dedicated to understanding how AI is transforming the cyber defense landscape as well as acknowledging its benefits and challenges. At SentinelOne, we believe that generative AI has the power to generate incredible value and disrupt the way we secure our data and systems.

We’re excited to once again join up with our fellow security defenders, foster collaboration, and share knowledge to help keep businesses in every industry vertical safe.

Come Meet Team SentinelOne!

For those of you joining us in person in Vegas, come visit Booth #1520 in the Black Hat Business Hall at the Mandalay Bay Convention Center. We are excited to unveil our biggest booth yet, with our legendary tree at the center of it. Our iconic neon purple tree, spruced up with a new shade of blue, has come to symbolize the intricate yet organized flow of data between all cybersecurity spaces. From ceiling to floor, the tree shows the movement of data to and from various solutions into one powerful and stunning platform. Stop by to meet the team, learn more about our latest offerings including PurpleAI and Ranger Insights, and pick up some super limited event swag!


On both Wednesday and Thursday, the first 20 Black Hat attendees to show the below social media post to a SentinelOne team member receive a sleek “rucksack”, as our Formula 1 friends across the pond in Silverstone would say. Simply take a screenshot of the below post (formerly known as a Tweet) and follow the instructions! Note that Thursday (Day 2) is your last chance to win an Aston Martin F1 Team and SentinelOne backpack, so don’t miss out!

Big congratulations to everyone on Wednesday who went home with Aston Martin F1 Team swag, including our first two visitors to claim their backpacks.

New Product Announcement | SentinelOne Launches Singularity™ Ranger Insights

As the number of exploitable vulnerabilities available to threat actors continues to climb, security leaders are faced with the challenge of managing them faster than ever before. To help enterprises build up their offensive capabilities, SentinelOne launched Singularity™ Ranger Insights. This innovative solution, named by CRN on Wednesday as one of the 10 coolest products to be unveiled at Black Hat, is designed to remove the complexities from vulnerability management so businesses can focus on continuously discovering unmanaged assets, closing blind spots, and prioritizing incoming threats through a single console and agent.

From Lana Knop, Vice President of Product Management, Endpoint and Identity Products at SentinelOne: “More than 25% of all breaches are the result of vulnerability exploitation, and the average cost of remediating them can top $4.5 million. With Singularity Ranger Insights, security teams have a powerful tool they can use to reduce the time, cost and complexity of vulnerability management and significantly improve their security posture.”

Ranger Insights provides the following for SentinelOne customers:

  • Increased Visibility, Simplified Management – In a remote-first world, traditional network vulnerability scanners are no longer enough to keep threat actors at bay. Ranger Insights helps security teams identify and prioritize risks by deploying in minutes; all without the need for lengthy scans and network hardware.
  • Real-Time Risk & Vulnerability Insights – Real-time insights provided by the SentinelOne agent minimize reliance on network connectivity and remove legacy point-in-time scans. Ranger Insights delivers continuous visibility into application and OS vulnerabilities across Windows, macOS, and Linux and shaves off precious minutes by prioritizing risks based on their likelihood of exploitation.
  • True Network Visibility & Granular Control – IT and security teams rely on accurate information to protect against incoming threats. Ranger Insights combines passive and active scanning to identify and fingerprint devices to capture the exact data you need and at the depth and breadth of your choosing.

Presentation Highlight | HypeGPT – What LLMs Really Can and Can’t Do for Security

Speaker: Juan Andres Guerrero-Saade, Sr. Director of SentinelLabs

Though large language models (LLMs) have become a useful tool for reverse engineering and educational purposes, there’s a broader discussion in our industry about their current and future role in the infosec community and how they will continue to shape modern cybersecurity capabilities. While we’re living through unprecedented breakthroughs in Generative AI and the many uses of LLMs, many continue to wade through a sea of hype and misunderstanding, bad marketing, and even worse sales tactics.

At Wednesday’s presentation, Juan Andrés Guerrero-Saade broke down the practical uses of LLMs that are actually impacting problematic areas enterprise businesses face today: reverse engineering malware, niche security tooling, and the growing security talent pipeline just to name a few.

Guerrero-Saade explained of ChatGPT, “It’s not going to solve every cybersecurity problem, but it is going to make your lives better when you learn how to use it.” The key takeaway? Spend time writing good prompts.

Some of the “real fun” of ChatGPT, he said to the crowd, is what it can do for democratizing reverse engineering; a significant and very difficult skill for malware analysis. He described how both he and the rest of SentinelLabs have experimented with ChatGPT, which you can read more about in this December blog post from Aleksandar Milenkoski and Phil Stokes.

Guerrero-Saade also emphasized how the tool can be especially beneficial for lowering the steep learning curve associated with reverse engineering. “We don’t even understand all of the uses for [ChatGPT], but it should be helping folks out that have less [reverse engineering expertise].”

To further illustrate some of the educational applications of LLMs, Guerrero-Saade described his experience teaching the very first university course to use ChatGPT as a TA. Offered through the Alperovitch Institute for Cybersecurity Studies, this malware analysis course encouraged the students to first ask ChatGPT their questions before they asked the instructors. “The beauty of ChatGPT as a teaching assistant is it has really fast and really relevant answers.” Read more about the results here.

As a parting thought, Guerrero-Saade encouraged the audience to keep experimenting and playing with ChatGPT. “These things are iterating insanely quickly and quietly.”

What’s Happening At The SentinelOne Theatre?

Wednesday was jam-packed with two dozen presentations in the SentinelOne Theater at Booth #1520. Our leaders and valued partners spoke back-to-back throughout the day, with topics ranging from “Tales from the Front Lines of Cyber Defense” to “Wiz and SentinelOne: Better Together” and “Cleaning Up ITDR Confusion”. One featured session showcased our friends and partner, Netskope, and was hosted by their Business Information Security Officer, Damian Chung. “This integration is really important to us to drive operational efficiency,” Chung told the crowd.

Chung described how this SentinelOne-Netskope partnership brings comprehensive integration capabilities for securing remote work from endpoint to cloud. SentinelOne Singularity XDR provides leading protection for enterprise attack surfaces, including user endpoints, cloud workloads and identity infrastructure. Netskope Intelligent Security Service Edge (SSE) secures access to web, SaaS, public cloud and data center infrastructure through a converged SWG, CASB, and ZTNA suite. After his talk, Damian elaborated on how the “operational efficiency” this partnership provides allows analysts to “do more with less.”

“[SentinelOne is] really strong on endpoint and XDR and [Netskope is] really strong in the cloud and SaaS space. If we can marry those two things together, we cover a much wider range and that best of breed helps us sell that internally to our executives and our board, but also on the operational side it allows our analysts to be able to leverage the tools properly, not just get noise.”

“When you talk about IoC sharing, do I want an analyst to look at that and then manually map IoCs across platforms? No, we’ve got to have that automated,” continued Chung. “It’s automatically done, automatically remediated. Then, maybe there’s a ticket that gets automatically populated to say, “Look, we just found these threats in this cloud environment that maybe SentinelOne had found and we eliminated that threat that’s sitting dormant”.”

Conclusion

Day 1 of this year’s Black Hat event may be over, but we’ve got one more day ahead of us! Make sure you swing by the SentinelOne Booth #1520 and see all of our new product demos for yourself. We’ve still got some swag left to snag and our team is excited to meet you.