A Closer Look at the Snatch Data Ransom Group

Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name.

According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administration (CISA), Snatch was originally named Team Truniger, based on the nickname of the group’s founder and organizer — Truniger.

The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab, an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims. GandCrab dissolved in July 2019, and is thought to have become “REvil,” one of the most ruthless and rapacious Russian ransomware groups of all time.

The government says Snatch used a customized ransomware variant notable for rebooting Microsoft Windows devices into Safe Mode — enabling the ransomware to circumvent detection by antivirus or endpoint protection — and then encrypting files when few services are running.
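The Safe Mode trick described above leaves a recognisable command-line trail before the reboot. As an added example (not from the article or the FBI/CISA advisory), the following Python scores constructed process-creation records for that trail; the `bcdedit` safeboot switch and the `SafeBoot\Minimal` registry path are the standard Windows mechanisms for forcing a Safe Mode boot, while the hostnames, users, timestamps and command lines are invented sample data.

```python
"""Detect forced Safe Mode boots in process-creation telemetry.

Added example (not the article's or the advisory's code). Input records are
command lines as a Sysmon Event ID 1 or Windows Security 4688 collector would
deliver them; the sample events below are constructed for this demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2023-09-18T02:11:04", "FS01", "CORP\\svc_backup",
     "bcdedit.exe /set {default} safeboot minimal"),
    ("2023-09-18T02:11:09", "FS01", "CORP\\svc_backup",
     'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\svc_update"'
     " /ve /t REG_SZ /d Service /f"),
    ("2023-09-18T02:11:30", "FS01", "CORP\\svc_backup", "shutdown.exe /r /t 0 /f"),
    ("2023-09-18T08:40:12", "WS22", "CORP\\jdoe", "bcdedit.exe /enum"),
    ("2023-09-18T09:05:00", "WS22", "CORP\\jdoe", "shutdown.exe /r /t 60"),
    ("2023-09-18T10:00:00", "WS07", "CORP\\helpdesk",
     "bcdedit.exe /deletevalue {default} safeboot"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    severity: str
    rule: str
    command: str


# bcdedit switching the default boot entry into Safe Mode (minimal or network).
SAFEBOOT_SET = re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bsafeboot\b", re.I)
# bcdedit removing the safeboot flag again: typical post-encryption cleanup.
SAFEBOOT_CLEAR = re.compile(r"\bbcdedit(?:\.exe)?\b.*/deletevalue\b.*\bsafeboot\b", re.I)
# Registering a service so that Windows still starts it in Safe Mode.
SAFEBOOT_SERVICE = re.compile(r"\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I)
# A restart request; only interesting shortly after a safeboot change.
REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)


def analyze(events, window=timedelta(minutes=10)):
    """Return Findings in event order; a reboot within `window` of a
    safeboot change on the same host is escalated to critical."""
    findings = []
    armed = {}  # host -> time of the last safeboot set command
    for ts_str, host, user, cmd in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if SAFEBOOT_SET.search(cmd):
            armed[host] = ts
            findings.append(Finding(host, user, "high", "safeboot_set", cmd))
        elif SAFEBOOT_CLEAR.search(cmd):
            findings.append(Finding(host, user, "medium", "safeboot_cleared", cmd))
        elif SAFEBOOT_SERVICE.search(cmd):
            findings.append(Finding(host, user, "high", "safeboot_service_registered", cmd))
        elif REBOOT.search(cmd) and host in armed and ts - armed[host] <= window:
            findings.append(Finding(host, user, "critical", "forced_safe_mode_reboot", cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.host:5} {f.user:18} {f.rule:28} {f.command}")
```

A routine `shutdown /r` on its own (WS22 above) produces nothing; only the sequence matters, which keeps the rule quiet on ordinary maintenance reboots.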

“Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog,” the FBI/CISA alert reads. It continues:

“Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network moving laterally across the victim’s network with RDP for the largest possible deployment of ransomware and searching for files and folders for data exfiltration followed by file encryption.”

New York City-based cyber intelligence firm Flashpoint said the Snatch ransomware group was created in 2018, based on Truniger’s recruitment both on Russian language cybercrime forums and public Russian programming boards. Flashpoint said Truniger recruited “pen testers” for a new, then-unnamed cybercrime group, by posting their private Jabber instant messenger contact details on multiple Russian language coding forums, as well as on Facebook.

“The command requires Windows system administrators,” Truniger’s ads explained. “Experience in backup, increase privileges, mikicatz, network. Details after contacting on jabber: truniger@xmpp[.]jp.”

In at least some of those recruitment ads – like one in 2018 on the forum sysadmins[.]ru – the username promoting Truniger’s contact information was Semen7907. In April 2020, Truniger was banned from two of the top Russian cybercrime forums, where members from both forums confirmed that Semen7907 was one of Truniger’s known aliases.

[SIDE NOTE: Truniger was banned because he purchased credentials to a company from a network access broker on the dark web, and although he promised to share a certain percentage of whatever ransom amount Truniger’s group extracted from the victim, Truniger paid the access broker just a few hundred dollars off of a six-figure ransom].

According to Constella Intelligence, a data breach and threat actor research platform, a user named Semen7907 registered in 2017 on the Russian-language programming forum pawno[.]ru using the email address tretyakov-files@yandex.ru.

That same email address was assigned to the user “Semen-7907” on the now defunct gaming website tunngle.net, which suffered a data breach in 2020. Semen-7907 registered at Tunngle from the Internet address 31.192.175[.]63, which is in Yekaterinburg, RU.

Constella reports that tretyakov-files@yandex.ru was also used to register an account at the online game stalker[.]so with the nickname Trojan7907.

There is a Skype user with the handle semen7907 whose profile name is Semyon Tretyakov from Yekaterinburg, RU. Constella also found a breached record from the Russian mobile telephony site tele2[.]ru, which shows that a user from Yekaterinburg registered in 2019 with the name Semyon Sergeyvich Tretyakov and email address tretyakov-files@ya.ru.

The above accounts, as well as the email address semen_7907@mail.ru, were all registered or accessed from the same Yekaterinburg Internet address mentioned previously: 31.192.175.63. The Russian mobile phone number associated with that tele2[.]ru account is connected to the Telegram account “Perchatka,” (“glove” in Russian).

BAD BEATS

Reached via Telegram, Perchatka (a.k.a. Mr. Tretyakov) said he was not a cybercriminal, and that he currently has a full-time job working in IT at a major company (he declined to specify which).

Presented with the information gathered for this report (and more that is not published here), Mr. Tretyakov acknowledged that Semen7907 was his account on sysadmins[.]ru, the very same account Truniger used to recruit hackers for the Snatch Ransomware group back in 2018.

However, he claims that he never made those posts, and that someone else must have assumed control over his sysadmins[.]ru account and posted as him. Mr. Tretyakov said that KrebsOnSecurity’s outreach this week was the first time he became aware that his sysadmins[.]ru account was used without his permission.

Mr. Tretyakov suggested someone may have framed him, pointing to an August 2023 story at a Russian news outlet about the reported hack and leak of the user database from sysadmins[.]ru, allegedly at the hands of a pro-Ukrainian hacker group called CyberSec.

“Recently, because of the war in Ukraine, a huge number of databases have been leaked and finding information about a person is not difficult,” Tretyakov said. “I’ve been using this login since about 2013 on all the forums where I register, and I don’t always set a strong password. If I had done something illegal, I would have hidden much better :D.”

[For the record, KrebsOnSecurity does not generally find this to be the case, as the ongoing Breadcrumbs series will attest.]

A Semyon Sergeyvich Tretyakov is listed as the composer of a Russian-language rap song called “Parallels,” which seems to be about the pursuit of a high-risk lifestyle online. A snippet of the song goes:

“Someone is on the screen, someone is on the blacklist
I turn on the timer and calculate the risks
I don’t want to stay broke
And in the pursuit of money
I can’t take these zeros
Life is like a zebra –
everyone wants to be first
Either the stripes are white,
or we’re moving through the wilds
I won’t waste time.”

Mr. Tretyakov said he was not the author of that particular rhyme, but that he has been known to record his own rhythms.

“Sometimes I make bad beats,” he said. “Soundcloud.”

NEVER MIND THE DOMAIN NAME

The FBI/CISA alert on Snatch Ransomware (PDF) includes an interesting caveat: It says Snatch actually deploys ransomware on victim systems, but it also acknowledges that the current occupants of Snatch’s dark and clear web domains call themselves Snatch Team, and maintain that they are not the same people as Snatch Ransomware from 2018.

Here’s the interesting bit from the FBI/CISA report:

“Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.”

Avid readers will recall a story here earlier this week about Snatch Team’s leaky darknet website based in Yekaterinburg, RU that exposed their internal operations and Internet addresses of their visitors. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

Snatch Team claims to deal only in stolen data — not in deploying ransomware malware to hold systems hostage.

Representatives of the Snatch Team recently answered questions from Databreaches.net about the claimed discrepancy in the FBI/CISA report.

“First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income,” the Snatch Team wrote to Databreaches.net in response to questions.

But so far the Snatch Team has not been able to explain why it is using the very same domain names that the Snatch ransomware group used.

Their claim is even more unbelievable because the Snatch Team members told Databreaches.net they didn’t even know that a ransomware group with that name already existed when they initially formed just two years ago.

This is difficult to swallow because even if they were a separate group, they’d still need to somehow coordinate the transfer of the Ransomware group’s domains on the clear and dark webs. If they were hoping for a fresh start or separation, why not just pick a new name and new web destination?

“Snatchteam[.]cc is essentially a data market,” they continued. “The only thing to underline is that we are against selling leaked information, sticking to the idea of free access. Absolutely any team can come to us and offer information for publication. Even more, we have heard rumors that a number of ransomware teams scare their clients that they will post leaked information on our resource. We do not have our own ransomware, but we are open to cooperation on placement and monetization of dates (sic).”

Maybe Snatch Team does not wish to be associated with Snatch Ransomware because they currently believe stealing data and then extorting victim companies for money is somehow less evil than infecting all of the victim’s servers and backups with ransomware.

It is also likely that Snatch Team is well aware of how poorly some of their founders covered their tracks online, and are hoping for a do-over on that front.

The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good | CISA Launches Public Cyber Hygiene Campaign

This week, CISA launched “Secure Our World”, a new campaign aimed at improving the digital security of all by promoting awareness of cyber hygiene.

As part of its wider Cybersecurity Awareness Program, the agency kicked off the campaign on Tuesday with a PSA promoting simple ways to protect against online threats, including avoiding phishing, using strong passwords, requiring MFA and updating software. Many cyber attacks, from individual scams to high-profile business compromises, involve taking advantage of users who failed one or more of these simple cyber hygiene tasks.

Increasing public awareness of cybersecurity is a mission that CISA is undertaking alongside the National Cyber Security Alliance. The campaign reflects the Biden administration’s wider U.S. cybersecurity policy to make structural reforms across public and private domains to better defend the nation against online attacks and cybercrime.

CISA Director Jen Easterly told the media that it was critical for everyone to take responsibility for keeping themselves safe online. While employers can and should do more to enforce cyber hygiene among their staff, CISA recognizes that getting the message across to the public at different levels is an important pillar of the nation’s digital security strategy.

The Bad | Threat Actor Hot Patches Enterprise Routers to Evade Detection

China-linked threat actors are compromising routers belonging to organizations in the U.S. and modifying the devices’ firmware in order to stay undetected. The attacks, also observed targeting Japanese firms, are attributed to a group CISA called “BlackTech”.

According to a CISA advisory, BlackTech uses custom malware payloads and RATs (remote access trojans) to infect router operating systems, often deploying legitimate code-signing certificates stolen from vendors to help their malware sneak past security software.

After gaining access to a victim network and achieving administrator privileges on a router, the threat actors disable logging, make configuration changes, and modify the firmware for evasion and persistence. The actors first install old, legitimate firmware and then ‘hot patch’ it – modify it in memory – to bypass firmware signature checks that run on boot. They then install a modified version of the firmware that contains a built-in SSH backdoor.

Post-compromise, the device is used to proxy traffic and pivot to other victims on the same network. Crucially, the compromise of such edge devices allows malicious traffic to easily blend in with legitimate corporate network traffic.

[Figure: Top network device CVEs exploited by PRC state-sponsored cyber actors (Source: CISA)]

BlackTech has been active since 2010 and involved in breaches of both government organizations and media, electronics, and telecommunications companies. CISA says the group has also attacked entities supporting the U.S. and Japan militaries. A comprehensive list of mitigations can be found in the advisory here.

The Ugly | State Department Rues Reliance on Single Vendor After Leak of 60,000 Emails

A breach of U.S. government agencies through Microsoft Office 365, initially reported last July, leaked some 60,000 emails from 10 State Department accounts, according to new information revealed this week. The Chinese state-linked attack compromised at least 25 organizations, but it appears State Department individuals working on Indo-Pacific diplomacy were specifically targeted.

New information about the attack was provided to Reuters from an unnamed Senate staffer who attended a briefing by State Department IT officials in the wake of the breach. Ten State Department accounts were compromised, nine of which belonged to victims working on East Asia and the Pacific and one to an individual working on Europe.

The breach and new revelations have thrown light on the inherent risks involved with relying on a single vendor to provide all IT services. Microsoft in particular has a history of software products with thousands of known vulnerabilities over the years, a situation complicated by the OS and office software vendor also acting as a security solutions provider.

In the wake of the attack, the State Department has begun moving to hybrid environments and diversifying its software stack to include multiple vendors in order to avoid a ‘single point of failure’ scenario in the future. Following the government’s own best practices, it has also improved uptake of MFA, according to Reuters.

Guarding the Gates of Learning | Cyber Threats in Education and How to Defend Against Them

Schools are now back in full swing for students around the world, but unfortunately threat actors have taken their seats in the front row waiting for opportunities to attack. In recent years, cyberattacks on schools, education districts, and places of higher learning have caused major disruptions, halting classes for several days on end or, in some extreme cases, leading institutions to shutter their doors permanently.

Protecting classrooms from various cyber threats including ransomware, data breaches, and identity theft is paramount to keeping teachers, students and school data safe.

This blog post explores common attacks on the education sector and discusses security best practices to help schools fortify their defenses. By understanding the threats and adopting proactive security measures, institutions responsible for shaping the next generation can stay safe in an increasingly hostile threat landscape.

Why Educational Institutions Are Textbook Attractions to Threat Actors

Schools, colleges, and universities are attractive targets for opportunistic threat actors, checking off many of their ‘boxes’. Often, attackers look for victims that face a lack of funding and the resources needed to build a strong cyber defense posture. Limited budgets and insufficient technical staff can create a cybersecurity gap in many school systems, especially for K-12 education providers at the municipal level. Getting the necessary approval needed for a more robust cybersecurity budget can also take years to finalize.

Threat actors also target victims that regularly process and store a wealth of sensitive (and therefore valuable) data. Educational institutions are seen as digital treasure troves, holding a vast repository of personally identifiable information (PII), financial records, and sensitive research data. PII encompasses not only student and staff personal details but also parents’ information, creating a broad range of data that can be exploited for financial gain or malicious purposes. Attackers latch on to targets that present the opportunity to ‘gain many from one’.

The ongoing menace of ransomware attacks poses a particularly potent threat to educational institutions. Malicious actors encrypt critical data, demanding substantial ransoms for decryption keys. Given the mission-critical nature of academic operations, institutions are strongly incentivized to pay these ransoms to regain access to essential systems and sensitive research data, making them attractive targets for cyber extortion.

Tracking the Evolution of Cyberattacks Facing Schools

The evolution of cyberattacks against the education sector has mirrored the digital transformation schools and institutions have taken on in the past two decades. From ransomware and extortion to IoT vulnerabilities and DDoS attacks, educational entities face a complex and evolving cybersecurity landscape.

Ransomware and Extortion Attacks

Ransomware attacks involve encrypting critical data and demanding ransoms for decryption keys. High-profile cases have garnered widespread attention, underscoring the vulnerability of schools and colleges. The potential for significant financial losses and reputational damage has made ransomware a preferred choice for cybercriminals.

Threat actors have also learned that simply locking up school systems isn’t the only way to demand money from educational organizations, whose systems are repositories for large amounts of personal and sensitive data. Threat actors who breached Minneapolis public schools in March of this year circulated caches of personal information and sensitive student files that reportedly included social security numbers, psychological reports, allegations of abuse, cases of truancy, and assault investigations. The threat actors leaked the information on their Telegram account after the schools allegedly refused to pay a $1 million ransom.

In an annual study tracking the state of ransomware in the education sector, cybersecurity researchers found that:

  • The rate of ransomware attacks in education is rising. 80% of lower education providers and 79% of higher education providers were hit with such attacks, way up from the 56% and 64% recorded in 2022.
  • Data encryption continues to be prolific. The rate of encryption has gone up from 72% for lower education providers in 2022 to 81%. The increasing rates reflect the growing skill level of threat actors who are sharpening their methods.
  • 59% of higher education providers lost business revenue due to the impacts of ransomware, just a little behind other widely targeted sectors like professional services, media, and entertainment.

Social Engineering Attacks

The rise of digital communication channels opened the door for social engineering attacks, particularly phishing and spear phishing. Cybercriminals craft convincing emails or messages to trick teachers, admin staff, students, and parents/guardians into revealing sensitive information, clicking on malicious links, or downloading malware. Educational institutions, with their diverse user bases, have been prime targets for these manipulative tactics, as students and staff may be more susceptible to such scams.

In early January, students in the Peel District School Board (Ontario, Canada) were hit with a phishing scam involving several compromised email accounts. The emails consisted of fraudulent job postings and fake gift cards supporting a made-up cause, all topics designed to catch an unsuspecting student or their guardians off guard. Threat actors used the Peel District School Board logo and UNICEF Canada logos to make the emails look legitimate and asked recipients to fill in their personal information in a questionnaire.

DDoS Attacks

Disrupting online learning and administrative functions, Distributed Denial of Service (DDoS) attacks have become a common threat. Cyberattackers flood networks with overwhelming traffic, rendering websites and online platforms inaccessible. This disruption not only affects the continuity of education but also poses logistical challenges for administrators in managing the attacks and restoring normalcy.

The educational ministry of Greece this May reported a nation-wide cyberattack described as the most extensive in the country’s history. The attack focused on disabling a centralized high school examination platform through a Distributed-Denial-of-Service (DDoS) attack using computers from 114 countries to cause outages and delays of the exam process. Students were left in classrooms for hours, waiting for the exams to start. The attack continued for two days as the unknown threat actors persisted in their attempts to fully disable the system.

IoT Vulnerabilities

The popular use of Internet of Things (IoT) devices in educational settings has introduced new risks. Smart classrooms equipped with IoT devices and sensors offer convenience and improved learning experiences but also present potential security vulnerabilities. If not adequately protected, these devices can serve as entry points for attackers, compromising sensitive data and network integrity.

Many schools and educational institutions monitor classrooms and school grounds for security purposes. However, camera systems are now an avenue of attack for threat actors targeting IoT devices. In 2021, the cloud-based security camera company Verkada suffered a major breach in which 150,000 company cameras situated across schools, factories, prisons, gyms, hospitals, and even police stations were compromised. The attacker was able to gain ‘super admin’ rights to Verkada’s system and access a database that included live feeds and some facial recognition technology.

Back To School Essentials | A Cybersecurity Checklist for Educational Leaders

Educational institutions have become prime targets for cyberattacks due to the valuable data they store and the increasing digitalization of learning environments. To safeguard against these evolving threats, many education providers rely on Extended Detection and Response (XDR) solutions to implement a wide range of cybersecurity measures across endpoint, cloud, and identity attack surfaces.

XDR in Defense of the Education Sector

Extended Detection and Response (XDR) is particularly useful for schools with limited budgets due to its cost-effective and comprehensive approach to providing security. XDR combines multiple cybersecurity tools into a single integrated platform. This consolidation streamlines security operations and reduces the cost of acquiring and managing individual security solutions. Schools can achieve a high level of protection without the financial burden of purchasing and maintaining multiple tools.

Small-budget schools often lack the resources, both in terms of personnel and finances, to manage complex cybersecurity infrastructures. XDR’s centralized management and automation features help maximize the efficiency of existing IT staff, ensuring that they can focus on strategic tasks rather than routine security management. XDR solutions can also be scaled up or down according to the school’s needs and budget constraints. This scalability allows schools to adapt their security posture as circumstances change, ensuring that they can maintain robust protection without overstretching their financial resources.

Knowing which IT security tools and solutions to use is the first step in building a strong, long-term cybersecurity posture against threat actors. The following best practice checklist can help school board leaders and IT teams bolster their defenses for the upcoming school year.

1 – Establish Real-Time Detection, Monitoring & Threat Response

  • Establish continuous monitoring of network traffic and system activities. Real-time monitoring allows for the immediate detection of anomalies and suspicious behavior, enabling rapid response to potential threats.
  • Investigate Extended Detection and Response (XDR) platforms, which offer enhanced threat detection capabilities by aggregating data from multiple security sources, such as endpoints, networks, and cloud environments. This holistic approach allows for a comprehensive view of the threat landscape.
  • Ensure that the chosen XDR solution incorporates automation and orchestration features, enabling fast, automated responses to detected threats. This reduces the burden on security teams and accelerates incident resolution.

2 – Obtain Full Network Visibility

  • Use Network Traffic Analysis (NTA) solutions to get deep insights into network traffic patterns and anomalies. By analyzing the flow of data, NTA tools can identify suspicious activities, unauthorized access attempts, and malware communication.
  • Implement behavioral analysis tools to help identify deviations from normal network behavior. These tools learn what constitutes normal network activity and raise alerts when unusual patterns emerge.
  • Apply User and Entity Behavior Analytics (UEBA) to focus on monitoring user and entity behavior to detect insider threats and compromised accounts. By tracking user actions and data access, these tools can identify suspicious activities indicative of a breach.

3 – Promote User Training & Security Awareness

  • Educate all applicable users about the realities of modern cyber threats. Cybersecurity awareness training is important for students, parents/guardians, faculty, and staff members. Users should be able to recognize phishing attempts, social engineering, and other common attack vectors. Educational materials can be sent home with students, distributed by teachers, and built into Professional Development days by senior leaders.
  • Promote a security-first culture and encourage a conscious culture within the institution, emphasizing the importance of reporting security incidents promptly and following best practices for data protection.
  • Provide regular training updates. Cyber threats evolve rapidly, so ongoing training and awareness programs are essential to keep the educational community informed and vigilant.

4 – Strengthen Data Encryption & Access Control Measures

  • Implement encryption for sensitive data both in transit and at rest. This protects data even if unauthorized access occurs.
  • Enforce strict access controls and least privilege principles to limit who can access sensitive data. Regularly review and update access permissions to reflect changes in roles or responsibilities.
  • Periodically review and update access permissions to align with staff and student roles. Remove access for individuals who no longer require it, and grant access only when necessary.
  • Require multi-factor authentication (MFA) for accessing sensitive systems and data. This adds an extra layer of security, making it more challenging for unauthorized users to gain access.
  • When working with third-party vendors or service providers, review their security practices and ensure that they adhere to the institution’s access control and encryption standards.

5 – Prepare an Incident Response Plan (IRP)

  • Create a well-defined incident response plan (IRP) that outlines roles and responsibilities, communication protocols, and predefined actions for various types of incidents. This plan should be distributed amongst faculty and staff, and easily accessible as new iterations and updates are posted. Test and simulate cyber incident scenarios to ensure that the response plan is effective. This helps identify weaknesses and improve response times.
  • Regularly assess current, new, and upcoming risks that face the institution. As the institution grows and scales, its risk profile will change. Regular risk assessments ensure that the right cybersecurity measures are in place before attacks occur.
  • Establish partnerships with external cybersecurity experts and law enforcement agencies to enhance incident response capabilities.

Action from the Federal Government to Protect Schools

The Government Accountability Office (GAO), a federal watchdog agency, reported last year that more than 1.2 million students were affected by cyberattacks in 2020, experiencing gaps in their learning ranging from multiple days to weeks. This number has only grown in the last three years with recent attacks now plaguing 1,300 public school districts across the U.S. including those in Arizona, California, Washington, Massachusetts, West Virginia, Minnesota, New Hampshire, and Michigan.

This August, policymakers at the federal level held their first-ever cybersecurity summit to discuss ransomware attacks on schools in the U.S. In an initiative to bulk up the nation’s security safeguards, the Federal Communications Commission has proposed a pilot program giving K-12 schools and libraries up to $200 million over three years to reinforce their defenses. Further, CISA has committed to help train and assess cybersecurity practices at 300 new K-12 schools this school year. From the FBI, educational providers can expect all new resources on how to report cybersecurity incidents.

Conclusion

Safeguarding the data, services, and individuals within educational institutions is a challenging task that demands a well-coordinated approach. Collaborating with external cybersecurity experts and adopting a trusted security solution can help effectively tackle these hurdles.

With the increasing digitization of learning environments, real-time detection and monitoring have become indispensable tools in defending schools against opportunistic threat actors. To safeguard staff, students, and data alike, many in the education sector working within limited budgets and small technical teams choose to trust leading XDR providers for their security needs.

SentinelOne’s autonomous XDR platform offers a comprehensive approach to threat detection and response for education providers, simplifying cybersecurity operations and making them more efficient and cost-effective. Many educational institutions have partnered directly with SentinelOne to take advantage of AI-powered prevention, detection, response, and advanced threat hunting capabilities. SentinelOne’s Singularity XDR platform allows faculty and students to safely use Chromebooks, Macs, Windows and Linux devices in their day-to-day learning. With Singularity, school IT teams have full network visibility, allowing them to see everything happening across their network at machine-speed and prevent malicious behavior from developing into full-out cyberattacks.

To learn more about how SentinelOne defends all those in the education sector from K-12 schools to universities and technical institutions, contact us today or book a demo to see Singularity XDR in action.

Sonoma in the Spotlight | What’s New and What’s Missing in macOS 14

Apple released macOS 14 Sonoma this week. Our review of the first beta back in June covers much of what Sonoma brings to Enterprise users and is worth reading as a preface to this post. Sonoma’s headline features are listed by Apple here, and for the first time, it has also stood up a separate “What’s New” for enterprise listing here.

In this post, we’ll supplement our earlier review and other sources with some additional thoughts about what’s new and what’s missing in macOS Sonoma from a security perspective.

Sonoma Hardware and Software Support

What’s New?

We covered this last time out and nothing has changed in the interim, but for convenience, note that Sonoma drops support for 2017 Intel MacBook Pros and iMacs, with only the iMac Pro from that year officially supported for Sonoma. Otherwise, it’s 2018 and on as a minimum hardware requirement.

Source: Apple

What’s Missing?

Although not available at the time of writing, the Open Core Legacy Patcher project is promising an update to the project for Sonoma on or around October 2nd. Not recommended in enterprise or production environments for security reasons, it nevertheless can be useful for those that want to repurpose old hardware for research or experimental purposes.

Software-wise, Sonoma drops support for the venerable PostScript language. Ghostscript is widely recognized as a reliable third-party alternative for those who need it.

Passwords

What’s New?

Security is always top of our mind, and password security is naturally a major concern. In Sonoma’s Settings.app (previously known as System Preferences), there are a few small but useful changes.

After unlocking the Passwords pane, a new option allows users to review recently generated passwords. Unsaved passwords will only remain for 30 days, so they need to be saved in either Apple’s own My Passwords or a third-party password manager during that time.

The Password Options pane also offers a new housekeeping task that can automatically delete verification codes from Messages and Mail after they have been inserted with AutoFill. This mirrors similar functionality available in iOS 17. We’d hope services are rapidly moving away from simple 2FA as a secure means of verification, but for those that haven’t, this is a nice bonus feature.

Along with other vendors, Apple began in Ventura the long process of trying to wean users off passwords as a primary authentication factor in favor of passkeys. In Sonoma, passkeys are now supported across Managed Apple IDs and can be collected, along with passwords, into groups so that they can be shared securely.

What’s Missing?

MacAdmin guru Rich Trouton has noted that for admins enforcing password policies across their fleets via MDM, the initial release of macOS Sonoma has a bug which may be triggered when deploying a configuration profile that sets password rules for local accounts. The bug causes unwanted notifications to pop up telling the user they need to update their passwords. Rich details a workaround which involves suppressing notifications for local password management until Apple fixes the issue.

Source: DerFlounder

USB Device Control

What’s New?

Sticking with the Settings.app, macOS Sonoma brings a bit more control to the rudimentary device control first added in Ventura regarding USB accessories. In the Privacy & Security pane, users can find a new preference to choose different consent policies when a USB device is connected. The options for the “Allow accessories to connect” preference are Ask Every Time, Ask for New Accessories, Automatically When Locked, and Always. Attacks via poisoned USB may seem like something from the past, but they are very much still a thing.

Rudimentary device control on macOS 14 Sonoma

What’s Missing?

More fine-grained device control is welcome, but like most of Apple’s TCC-controlled security restrictions this one is both a weak and a blunt approach. There is no option to block USBs entirely, or for a certain user, class of peripheral, or group. The strongest option is to ask the user for consent each time, which means alert fatigue or social engineering are both obvious routes that could allow a malicious device to get past this setting regardless of the option chosen.

Additionally, as a system-wide setting, it doesn’t take into account different needs for different users on Macs with multiple accounts. Full, fine-grained device control is, however, available from security solutions like SentinelOne.

Mail

What’s New?

Apple’s long-serving and generally capable email client app didn’t receive much love in Sonoma, with the one exception that Mail can now autofill those 2FA verification codes mentioned above. That means that login verification codes sent via email can be entered without the user having to leave the login form in the browser. This is a feature that’s been available via Messages for some time, and adding the parallel feature to Mail makes sense.

What’s Missing?

Source: GPGTools

Users will more likely notice Mail in Sonoma for what it lacks rather than what it adds; chiefly, this is the loss of Mail Plug-Ins. As elsewhere across the OS, plug-ins are deprecated in favour of Extensions. However, as noted by the developers of the widely-used GPG Mail plugin, the Mail Extensions API lacks some important functionality. This includes:

  • Entire message data is not always passed to the extension, making processing of the encrypted message impossible
  • Reliably encrypted drafts
  • Support for setting the default state of the sign and encrypt button in compose windows which can lead to dangerous side-effects
  • Sign and encrypt button could go out of sync with internal state, if keyring changes are detected

It is expected that support for the missing features may arrive in the first Sonoma update, and GPGTools is holding off releasing a Mail Extension equivalent until the missing features become available. If you rely on GPG Mail for security, the GPGTools team is advising not to update to Sonoma for the time being.

Safari 17

What’s New?

Perhaps the biggest changes to come with Sonoma – and also backported to Ventura – are those in Safari 17. As noted in our review of Sonoma beta, Safari 17 gains quite a few features, including Web apps and Profiles. We don’t have much to say about these that we didn’t say already except that we found the former perhaps less useful in practice than the latter. Chrome has long had a Profiles equivalent, so Apple are definitely playing catch up there.

From a security (rather than productivity) point of view, the main advantage to point out with Safari Profiles is the ability to restrict extensions to a given profile. This means that you can have extensions for your personal profile that can’t access data in, say, your work profile and vice versa. That assumes, of course, that you work for a company that doesn’t mind you mixing personal and work tasks on the same device. In addition, each profile also gets separate bookmarks, favorites, history and cookies.

While we’re on the subject of extensions, it’s worth noting that in Safari Settings (aka Preferences), users can now choose whether an extension works in Private Browsing mode or not.

What’s Missing?

As ever, Safari remains some distance behind Chrome when it comes to extensions and add-ons, particularly for web developers, though Apple has certainly tried to set out its case for wooing back that particular audience. The lack of scripting and customization such as you get with, say, Vivaldi remains annoying for certain use cases in Safari, but native scripting support has been on the wane in macOS for a long time.

If you’re a Chrom(e)ium or other browser user, it’s unlikely there’s anything in Safari 17 that will make you jump ship, but aside from (in our view) offering better security for things like saved passwords and better integration across the Apple ecosystem, Safari 17 at least starts to add some missing features familiar to users of other browser products. Nonetheless, it remains the case that some websites still don’t perform properly with Safari, and thus a secondary browser (Firefox, here) remains a necessity.

SentinelOne Supports macOS Sonoma

SentinelOne macOS Agent version 23.2 GA supports macOS Sonoma 14.0 (23A344). Customers are advised to upgrade the SentinelOne agent version prior to upgrading to macOS 14.0 Sonoma and to consult the support notes available here.

Conclusion

Sonoma, much like Ventura before it, continues Apple’s steady evolution of the platform as it transitions away from Intel-based Macs entirely. There is nothing groundbreaking here, and the features added to Sonoma are more incremental than fundamental. Insofar as the platform focuses on stability and security first and features second, that will be all the more welcomed by enterprise users and security vendors alike.

‘Snatch’ Ransom Group Exposes Visitor IP Addresses

The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

First spotted in 2018, the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team’s darknet site, which is only reachable using the global anonymity network Tor.

The victim shaming website for the Snatch ransomware gang.

KrebsOnSecurity has learned that Snatch’s darknet site exposes its “server status” page, which includes information about the true Internet addresses of users accessing the website.

Refreshing this page every few seconds shows that the Snatch darknet site generates a decent amount of traffic, often attracting thousands of visitors each day. But by far the most frequent repeat visitors are coming from Internet addresses in Russia that either currently host Snatch’s clear web domain names or recently did.

The Snatch ransomware gang’s victim shaming site on the darknet is leaking data about its visitors. This “server status” page says that Snatch’s website is on Central European Summer Time (CEST) and is powered by OpenSSL/1.1.1f, which is no longer supported by security updates.

Probably the most active Internet address accessing Snatch’s darknet site is 193.108.114[.]41, which is a server in Yekaterinburg, Russia that hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top and sn76930193ch[.]top. It could well be that this Internet address is showing up frequently because Snatch’s clear-web site features a toggle button at the top that lets visitors switch over to accessing the site via Tor.

Another Internet address that showed up frequently in the Snatch server status page was 194.168.175[.]226, currently assigned to Matrix Telekom in Russia. According to DomainTools.com, this address also hosts or else recently hosted the usual coterie of Snatch domains, as well as quite a few domains phishing known brands such as Amazon and Cashapp.

The Moscow Internet address 80.66.64[.]15 accessed the Snatch darknet site all day long, and that address also housed the appropriate Snatch clear-web domains. More interestingly, that address is home to multiple recent domains that appear confusingly similar to known software companies, including libreoff1ce[.]com and www-discord[.]com.

This is interesting because the phishing domains associated with the Snatch ransomware gang were all registered to the same Russian name — Mihail Kolesnikov, a name that is somewhat synonymous with recent phishing domains tied to malicious Google ads.

Kolesnikov could be a nod to a Russian general made famous during Boris Yeltsin’s reign. Either way, it’s clearly a pseudonym, but there are some other commonalities among these domains that may provide insight into how Snatch and other ransomware groups are sourcing their victims.

DomainTools says there are more than 1,300 current and former domain names registered to Mihail Kolesnikov between 2013 and July 2023. About half of the domains appear to be older websites advertising female escort services in major cities around the United States (e.g. the now-defunct pittsburghcitygirls[.]com).

The other half of the Kolesnikov websites are far more recent phishing domains mostly ending in “.top” and “.app” that appear designed to mimic the domains of major software companies, including www-citrix[.]top, www-microsofteams[.]top, www-fortinet[.]top, ibreoffice[.]top, www-docker[.]top, www-basecamp[.]top, ccleaner-cdn[.]top, adobeusa[.]top, and www.real-vnc[.]top.

In August 2023, researchers with Trustwave Spiderlabs said they encountered domains registered to Mihail Kolesnikov being used to disseminate the Rilide information stealer trojan.

But it appears multiple crime groups may be using these domains to phish people and disseminate all kinds of information-stealing malware. In February 2023, Spamhaus warned of a huge surge in malicious ads that were hijacking search results in Google.com, and being used to distribute at least five different families of information stealing trojans, including AuroraStealer, IcedID/Bokbot, Meta Stealer, RedLine Stealer and Vidar.

For example, Spamhaus said victims of these malicious ads would search for Microsoft Teams in Google.com, and the search engine would often return a paid ad spoofing Microsoft or Microsoft Teams as the first result — above all other results. The malicious ad would include a logo for Microsoft and at first glance appear to be a safe and trusted place to download the Microsoft Teams client.

However, anyone who clicked on the result was whisked away instead to mlcrosofteams-us[.]top — yet another malicious domain registered to Mr. Kolesnikov. And while visitors to this website may believe they are only downloading the Microsoft Teams client, the installer file includes a copy of the IcedID malware, which is really good at stealing passwords and authentication tokens from the victim’s web browser.

Image: Spamhaus

The founder of the Swiss anti-abuse website abuse.ch told Spamhaus it is likely that some cybercriminals have started to sell “malvertising as a service” on the dark web, and that there is a great deal of demand for this service.

In other words, someone appears to have built a very profitable business churning out and promoting new software-themed phishing domains and selling that as a service to other cybercriminals. Or perhaps they are simply selling any stolen data (and any corporate access) to active and hungry ransomware group affiliates.

The tip about the exposed “server status” page on the Snatch darkweb site came from @htmalgae, the same security researcher who alerted KrebsOnSecurity earlier this month that the darknet victim shaming site run by the 8Base ransomware gang was inadvertently left in development mode.

That oversight revealed not only the true Internet address of the hidden 8Base site (in Russia, naturally), but also the identity of a programmer in Moldova who apparently helped to develop the 8Base code.

@htmalgae said the idea of a ransomware group’s victim shaming site leaking data that they did not intend to expose is deliciously ironic.

“This is a criminal group that shames others for not protecting user data,” @htmalgae said. “And here they are leaking their user data.”

All of the malware mentioned in this story is designed to run on Microsoft Windows devices. But Malwarebytes recently covered the emergence of a Mac-based information stealer trojan called AtomicStealer that was being advertised through malicious Google ads and domains that were confusingly similar to software brands.

Please be extra careful when you are searching online for popular software titles. Cracked, pirated copies of major software titles are a frequent source of infostealer infections, as are these rogue ads masquerading as search results. Make sure to double-check you are actually at the domain you believe you’re visiting *before* you download and install anything.

Stay tuned for Part II of this post, which includes a closer look at the Snatch ransomware group and their founder.

Further reading:

@HTMalgae’s list of the top Internet addresses seen accessing Snatch’s darknet site

Ars Technica: Until Further Notice Think Twice Before Using Google to Download Software

Bleeping Computer: Hackers Abuse Google Ads to Spread Malware in Legit Software

LABScon23 Highlights | The Cyber Talks Everyone’s Discussing

Fresh from the sun-soaked vistas of Scottsdale, Arizona, LABScon23 has just concluded, and what a phenomenal event it was! Now in its second year, the research con once again united a galaxy of the brightest minds to present ground-breaking discoveries and the latest insights in cyber threat intelligence.

We’re gearing up to showcase many of the talks from the event in our LABScon Replay series, but in the meantime some of these illuminating sessions have already made their debut on SentinelLabs and elsewhere (read on for links).

Stay with us as we journey through the standout moments of LABScon23 in this post. Make sure to follow @labscon_io and track #LABScon23 on social media for news of when further talks are publicly released.

Lawyers Behaving Badly, and Nation States in the Spotlight

After the welcome reception and fireside chats, the con got seriously underway as legal guru Elizabeth Wharton presented “Send Lawyers, ‘Garchs, and Money”. Liz explored how oligarchs leverage the power of the law to exert influence and thwart cybercrime prosecutions, employing ‘dirty tricks’ such as leaking legal discovery, twisting data privacy laws and funding SLAPP libel cases.

Liz was followed by Rolling Stone’s Adam Rawnsley presenting “Meet the Iranian Company Powering Russia’s Drone War on Ukraine” and journalist Kim Zetter talking “AI, Cyber Defense and Incentivizing Innovation” with DARPA’s Perri Adams. DARPA was also the recipient of the LABScon23 “Most Valued Player” award in recognition of its work “incentivizing the bleeding edge of cybersecurity”.

SentinelLabs’ Tom Hegel was up next, presenting on how China’s offensive cyber operations are used to support its soft power agenda in Africa. Widely-covered in the cyber media, the full paper is available here.

Kristin Del Rosso and Matt Devost took to the LABScon stage next with a fascinating insight into using data leaks to learn more about adversaries in “Ghost in the Breach: Using breach intelligence to hunt hidden Russian assets”.

Danny Adamitis and Sarah Jones discussed their work tracking an elusive threat actor in “Scouring for Sea Turtles” before ESET’s Zuzana Hromcová dove into previously undocumented campaigns attributed to Iranian-aligned cyber espionage group OilRig. Zuzana’s research has been published by ESET here.

New APTs and New Vulnerabilities

SentinelLabs researchers Aleksandar Milenkoski and Juan Andres Guerrero-Saade presented new research on Lua-based malware. The talk explored how a previously unknown threat actor dubbed “Sandman” has targeted telcos across the globe with malware leveraging LuaJIT. The first of two papers on the topic is published in full here, with the second soon to follow.

The afternoon continued at pace with Automox’s Jason Kitka presenting “Just Bomb it Already – Why the Grass Isn’t Always Greener on the Offensive Side” and Binarly’s Alex Matrosov on “Spectre Strikes Again: Introducing the Firmware Edition”.

Hakan Tanriverdi’s “From Vulkan to Ryazan – Investigative Reporting from the Frontlines of Infosec”, Robert Ghilduta’s “Unmasking the Airwaves and Wireless Vulnerabilities” and Martin Wendiggensen’s “Black Magic – Influence Operations in the Open and At-Scale in Hungary” completed the day’s breathtaking list of value-packed research.

The New York Times’ Christiaan Triebert closed out Day 1 with a keynote speech, which just happened to win the Best Speaker award. Way to go Christiaan!

Artificial Intelligence, LLMs and Finding Novel Malware

Day 2 was split into two tracks of talks. One of the highlights included the topic at the center of almost every conversation these days, AI. Eoin Wickens provided a fascinating talk on AI tech in “Rage Against the machine (learning): A cross section of attacks on AI systems”.

Also speaking on the topic of AI and LLMs, Gabriel Bernadett-Shapiro explored the different perceptions of LLM in public discourse and how to bridge the divide in “Demystifying LLMs: Power Plays in Security Automation”.

Emily Austin from Censys dug into high profile attacks against file transfer software like MOVEit, GoAnywhere and Faspex. Emily explained why attacks using this vector are likely to become more common in the near future.

Emily Austin (Censys) at #LABScon23 with a fascinating session on malware in the world of Managed File Transfer tech

Nicole Fishbein and Ryan Robinson presented on “Cryptovirology: Second Guessing the Cryptographic Underpinning of Modern Ransomware”, exposing the cryptographic flaws inherent in many modern strains of ransomware.

Researchers from ESET took to the stage again on Friday with Filip Jurčacko’s presentation on DeadGlyph. The talk has been published by ESET here.

Proofpoint’s Greg Lesnewich stepped up onto the LABScon stage for the second year running with “Surveying Similarities in macOS Components used in North Korean CryptoHeists”, a look at how analysts can better pivot off known Mach-O samples to find novel malware. Friday also saw MJ Emanuel return to LABScon from last year’s outing with an in-depth discussion on “Where have all the APTs gone” – a discussion of tradecraft accelerationism or counter-counter intel.

Off the Record | EvilBamboo and the Youth Gangs Attacking Enterprises

In a separate track, Volexity’s Paul Rascagneres discussed threat actor EvilBamboo, aka EvilEye, and how the group is actively targeting Tibetan, Uighur and Taiwanese communities with malicious mobile applications and fake websites. Paul’s collaborative research has been published in a blog post here.

Meanwhile, LABScon also saw the first research to accurately portray the threat group incorrectly labelled as “Scattered Spider”. LABScon researchers explained how the youth gangs behind the recent high profile breach of MGM Casinos are part of an online community of teens and young adult hackers known as “the Com”. The research findings have been discussed in more detail in the media here and here.

Want More? Yes, There’s More!

Prior to LABScon23 kicking off, we highlighted some of these talks as well as others here and here. The full list of talks is available here. We’re working hard to get as many of the talks ready to share via LABScon Replay, so don’t forget to follow us and be among the first to know when these presentations become publicly available.

Following on from last year was always going to be a tough act to follow, but there’s no doubt that LABScon23 was a great success, and it couldn’t have happened without both the participation of all our talented researchers and speakers, and the invaluable support of our sponsors, which came from a wide spectrum across the infosec industry. A huge heartfelt thanks to all, and we’ll see you next year for LABScon24!

The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good | New Working Group to Focus Efforts on Threats in Undermonitored Regions

This week at the annual LABScon cybersecurity event, SentinelLabs launched a concerted effort against state-aligned cyber activities in areas like Africa and Latin America – regions that often receive less representation within the threat intelligence industry.

Researcher Tom Hegel unveiled a new “Undermonitored Regions Working Group” (URWG), calling for security researchers worldwide to pool analytic capabilities, telemetry, resources, and local expertise to build a unified front against geopolitical cyber operations occurring in such regions.

China has a long history of using soft power diplomacy to achieve its objectives in Africa. Hegel said many African nations present a highly complex and dynamic environment, caught in debt-trap diplomacy with China. Cyber operations designed to build a foundation of influence over the continent have focused on the government, finance, and telecommunications sectors to strengthen China’s foothold.

As China continues to finance large critical infrastructure projects in African countries, it is imperative for the cyber research community to better understand what will likely be a future threat arena.

Efforts like URWG aim to incentivize strategic intelligence on the state of threat operations in Africa while pointing the spotlight on how to improve the communities’ understanding of China’s geostrategic ambitions. By establishing a concentrated channel for collaboration amongst cyber threat researchers and analysts now, cross-national efforts like URWG are key to closing situational awareness gaps in the changing cyber threat landscape and addressing issues arising in less-monitored regions that are too often sidelined in wider cybersecurity discussions.

URWG is currently made up of participants from several security vendors and is recruiting new members looking to creatively disrupt current and future PRC-backed operations.

The Bad | Multiple Organizations Breached with Old Malicious Thumb Drive Trick

Further contemplating malicious activity by Chinese-linked threat actors, security researchers this week revealed that hacker group UNC53 recently attacked at least 29 organizations with a blast from the past – malware-laden USBs. Taking advantage of those in developing countries known for their continued use of older technologies, UNC53 infected dozens of networks within the African branches of US and European firms.

Thumb drive attacks are considered an old-school approach in the more technologically advanced regions of the world. However, for victim organizations in Egypt, Ghana, Kenya, Madagascar, Tanzania, and Zimbabwe that appear to have overlooked the need for device control, it has proved an effective route to compromise. UNC53’s attacks involved a decade-old malware payload dubbed “Sogu” and a variant of PlugX used as a loader. The malware is spread via USB drives found amongst shared computers in local internet cafés and print shops.

China has been known to employ Sogu and PlugX over the past decade, and newer versions were noted in January of 2022 that were traced back to infected thumb drives.

According to security researchers, UNC53 may be focused on targeting African operations specifically, given their strategic and geoeconomic interest in the continent. Since the passing-along of thumb drives casts such a wide net, UNC53’s efforts could be interpreted as an indiscriminate way of conducting cyber espionage as they can then pick out high-value targets from many.

The rising reappearance of USB malware shows that even older methods of attack are still potent when used in the right environment. With many multinational operations employing remote workers in developing geographies of the world, all types of infection vectors must be considered relevant and addressed by security practitioners.

The Ugly | Sandman APT Targets Telecom Sector With LuaDream Backdoor

Researchers reported new activity by a mystery threat actor this week that has set its sights on targeting telecommunication providers across the Middle East, Western Europe, and South Asia.

Dubbed Sandman, the newly-identified threat actor has been observed deploying a rare, modular backdoor that leverages the LuaJIT platform to infect its victims. Researchers have dubbed the malware “LuaDream” and characterized it as a part of a well-executed and actively developed project of considerable scale.

Geographical distribution of victims

Over several weeks in August, Sandman stole administrative credentials and performed reconnaissance using the Pass-the-Hash technique to infiltrate targeted workstations, many of which belonged to managers in the victim organizations.

After gaining access, Sandman limited its activities to deploying folders and files required for loading and executing LuaDream, refraining from any further actions. The cluster of activities attributed to Sandman were described as strategic lateral movement with minimal engagement to evade detection and analysis.

For now, the threat actor seems to be focused on targeting data-rich telecom providers, and its operations strongly indicate cyber espionage as the primary objective. The researchers speculate that the APT group may be a private contractor or mercenary group, similar to the enigmatic Metador. Both Metador and now Sandman make up an emerging class of threat actors that continue to operate in the shadows with impunity.

This recent cluster of activity throws into sharp relief the ongoing innovation and development efforts of cyber espionage-based threat actors, again underscoring the importance of collaboration and intel sharing amongst the threat research community. Indicators of compromise for LuaDream are listed here.

LastPass: ‘Horse Gone Barn Bolted’ is Strong Password

The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

LastPass sent this notification to users earlier this week.

LastPass told customers this week they would be forced to update their master password if it was less than 12 characters. LastPass officially instituted this change back in 2018, but some undisclosed number of the company’s earlier customers were never required to increase the length of their master passwords.

This is significant because in November 2022, LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.

Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

KrebsOnSecurity last month interviewed a victim who recently saw more than three million dollars worth of cryptocurrency siphoned from his account. That user signed up with LastPass nearly a decade ago, stored his cryptocurrency seed phrase there, and yet never changed his master password — which was just eight characters. Nor was he ever forced to improve his master password.

That story cited research from Adblock Plus creator Wladimir Palant, who said LastPass failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years.

For example, another important default setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.

Palant said that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000. Still, Palant and others impacted by the 2022 breach at LastPass say their account security settings were never forcibly upgraded.

Palant called this latest action by LastPass a PR stunt.

“They sent this message to everyone, whether they have a weak master password or not – this way they can again blame the users for not respecting their policies,” Palant said. “But I just logged in with my weak password, and I am not forced to change it. Sending emails is cheap, but they once again didn’t implement any technical measures to enforce this policy change.”

Either way, Palant said, the changes won’t help people affected by the 2022 breach.

“These people need to change all their passwords, something that LastPass still won’t recommend,” Palant said. “But it will somewhat help with the breaches to come.”

LastPass CEO Karim Toubba said changing master password length (or even the master password itself) is not designed to address already stolen vaults that are offline.

“This is meant to better protect customers’ online vaults and encourage them to bring their accounts up to the 2018 LastPass standard default setting of a 12-character minimum (but could opt out from),” Toubba said in an emailed statement. “We know that some customers may have chosen convenience over security and utilized less complex master passwords despite encouragement to use our (or others) password generator to do otherwise.”

A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.

LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.

But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.

A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single high-powered graphics card about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.

Image: palant.info

However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.

Meaning, LastPass users whose vaults were never upgraded to higher iterations and whose master passwords were weak (less than 12 characters) likely have been a primary target of distributed password-cracking attacks ever since the LastPass user vaults were stolen late last year.
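The cost scaling described above, as an added example that is not the article's or LastPass's code: each guess an offline attacker makes costs one full run of the iterated key derivation, so attacker time grows linearly with the iteration count and shrinks linearly with the number of devices thrown at the job. PBKDF2-HMAC-SHA256 is assumed here as a representative password-based KDF, and the salt, alphabet size and per-device guess rate are constructed illustrative values; only the iteration counts come from the article.

```python
import hashlib
from typing import List

# Default iteration counts quoted in the article for successive LastPass
# customer cohorts; everything else below is a constructed assumption.
ITERATION_DEFAULTS = {
    "early users (low end)": 500,
    "2013 signups": 5_000,
    "2018 default": 100_100,
    "current default": 600_000,
}


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    PBKDF2 is assumed as a representative password-based KDF; the salt is a
    constructed per-account string. Each of the `iterations` rounds is one
    HMAC computation, which is exactly the work an offline attacker must
    repeat for every single guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=32)


def expected_crack_seconds(password_length: int, alphabet_size: int,
                           iterations: int, hmac_per_second_per_device: float,
                           devices: int = 1) -> float:
    """Average-case time for an offline attacker to find the master password.

    The keyspace is alphabet_size ** password_length; on average half of it
    must be searched, and every guess costs `iterations` HMAC evaluations.
    Cost therefore grows linearly with the iteration count and drops
    linearly with the number of devices (the article's distributed-cracking
    point).
    """
    keyspace = alphabet_size ** password_length
    total_hmacs = (keyspace / 2) * iterations
    return total_hmacs / (hmac_per_second_per_device * devices)


def policy_violations(master_password: str, iterations: int,
                      min_length: int = 12,
                      min_iterations: int = 600_000) -> List[str]:
    """Client-side check at unlock time, of the kind the article says was
    announced by e-mail but not enforced: returns every reason the account
    should be re-keyed before it is allowed to proceed (empty list = OK)."""
    reasons = []
    if len(master_password) < min_length:
        reasons.append(f"master password has {len(master_password)} characters, "
                       f"minimum is {min_length}")
    if iterations < min_iterations:
        reasons.append(f"iteration count {iterations} is below {min_iterations}")
    return reasons


if __name__ == "__main__":
    # Constructed scenario: an 8-character password over a 62-symbol alphabet,
    # each device evaluating 1e9 HMAC-SHA256 per second (illustrative rate).
    year = 365 * 86400
    for label, iters in ITERATION_DEFAULTS.items():
        key = derive_vault_key("correct horse", "user@example.com", iters)
        one = expected_crack_seconds(8, 62, iters, 1e9, devices=1)
        farm = expected_crack_seconds(8, 62, iters, 1e9, devices=1000)
        print(f"{label:22s} {iters:>8d} iterations  key={key.hex()[:16]}...  "
              f"~{one / year:.2f} years on 1 device, ~{farm / year:.4f} on 1000")
    print(policy_violations("abcdefgh", 500))
```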

Asked why some LastPass users were left behind on older security minimums, Toubba said a “small percentage” of customers had corrupted items in their password vaults that prevented those accounts from properly upgrading to the new requirements and settings.

“We have been able to determine that a small percentage of customers have items in their vaults that are corrupt and when we previously utilized automated scripts designed to re-encrypt vaults when the master password or iteration count is changed, they did not complete,” Toubba said. “These errors were not originally apparent as part of these efforts and, as we have discovered them, we have been working to be able to remedy this and finish the re-encryption.”

Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said LastPass made a huge mistake years ago by not force-upgrading the iteration count for existing users.

“And now this is blaming the users — ‘you should have used a longer passphrase’ — not them for having weak defaults that were never upgraded for existing users,” Weaver said. “LastPass in my book is one step above snake-oil. I used to be, ‘Pick whichever password manager you want,’ but now I am very much, ‘Pick any password manager but LastPass.’”

Asked why LastPass isn’t recommending that users change all of the passwords secured by the encrypted master password that was stolen when the company got hacked last year, Toubba said it’s because “the data demonstrates that the majority of our customers follow our recommendations (or greater), and the probability of successfully brute forcing vault encryption is greatly reduced accordingly.”

“We’ve been telling customers since December of 2022 that they should be following recommended guidelines,” Toubba continued. “And if they haven’t followed the guidelines we recommended that they change their downstream passwords.”

SentinelOne Achieves 100% Protection and Detection in the 2023 MITRE Engenuity ATT&CK® Evaluations: Enterprise

For the fourth straight year, SentinelOne Singularity Platform has consistently proven its industry-leading detection and protection capabilities in MITRE’s ATT&CK Enterprise Evaluation, scoring:

  • 100% Protection – blocked 13 out of 13 protection steps
  • 100% Detection – detected 18 of 18 detection steps
  • 100% Real-time – zero delayed detections
  • 100% Realistic – zero configuration changes
  • 96% Visibility into attack sub-steps

This year’s Evaluation focused on the adversary Turla, a Russia-based threat group known for deploying sophisticated proprietary tools and malware. Turla has infected victims in over 45 countries, spanning a range of critical industries and infrastructure since 2004.

Turla is equally adept at targeting Linux and Windows infrastructure. They are flexible, employing open-source and in-house developed malware, blending a carefully designed toolkit to evade detection and target victims of all sizes and industries. Read more about Turla and the MITRE Evaluation methodology here.

Complete Detection and Protection, in Real Time

Our job is to protect every enterprise, no matter their size or industry. The SentinelOne Singularity Platform successfully detected and blocked at every step within the Evaluation, highlighting our abilities to protect against complex and evasive threats such as Turla.

Our approach to this year’s MITRE Evaluation reflects our philosophy on protection – that speed and autonomous operation are critical. Complex attacks can move from initial access to credential compromise, lateral movement, data encryption, and extortion in a matter of minutes. There is no time for waiting on human analysts, sandbox results, or manual workflows. There is no chance for a re-try in the real world as there is in compartmentalized tests.

Our product provides autonomous and comprehensive protection with zero delays. Unlike many participants in this test, you will see no delayed-modifiers in our results. This means that protection is automatic out of the box, and data is available in real-time. Speed matters.

We also tested with no configuration changes. MITRE provides vendors with an opportunity to re-test any step. Usually, this means entirely new data sources or detection logic were brought in by the vendor, only after they know exactly what MITRE is doing.

There are no second chances in the real world: a ransomware adversary will not let you bolster your security during an attack. When evaluating enterprise security solutions for real-world deployment, it is prudent to study a vendor’s performance without delays and configurations. You will not find any modifiers or changes in our results.

The Importance of Visibility

Understanding and visualizing the killchain and its timeline is important for a number of reasons. First, analysts have the ability to see an attack in its entirety, combining alerts and individual events into a single, comprehensive view of the incident, no matter where the data came from. Secondly, having a view into the affected assets means security professionals can ensure complete eviction of the adversary. Ransomware victims are often targeted again, therefore total removal of infected assets is imperative in mitigating lie-in-wait threats.

While some vendors might detect events and alerts, these are often visualized and displayed by the hundreds, thousands, or even hundreds-of-thousands in some cases. Sorting endless alerts makes investigation challenging and delays response time. SentinelOne’s patented Storyline technology automatically stitches together related alerts, providing analysts with a full view of detections across all covered attack vectors correlated into several incidents. This prioritized view reduces alert fatigue and ensures rapid, complete remediation.

Such deep context into incidents also gives analysts the cornerstone for threat hunting across all organizational data, enriching and enhancing investigations with telemetry from any third-party source. These insights afford a comprehensive view across the enterprise, and an opportunity to be proactive and improve security posture.

The Most Important Test is the Real World

While it’s important to evaluate technology, particularly in an area as high-stakes as cybersecurity, there is no test like that of the real world. SentinelOne is proud to undertake the MITRE ATT&CK Evaluation and excel using the exact agent, platform, and features that our customers trust us to protect them with every day. The Singularity Platform detected and blocked every phase of the Turla attack with zero delays and no unrealistic reconfigurations, or bolt-on features.

Interpreting the MITRE Evaluation Results

As described above, we approached this test bringing the most realistic and relevant solution, one a customer could employ in the real world. MITRE organizes detections according to each substep. Each substep has a single detection category that represents the highest level of context provided to the analyst across all detections for that substep. For reference, the context provided by each detection category increases from left to right, with Technique being the highest context within the detection category diagram. “None” means no data was made available that satisfies the detection criteria, so fewer “nones” means greater visibility (Read more about the MITRE criteria here).

Below are our results across the 18 steps we were able to participate in without delayed and/or configuration change modifiers.

The charts below show how CrowdStrike and Microsoft fared in real-time across the same 18 Steps without performing after-the-fact configuration changes and without factoring in delayed detections. SentinelOne performs significantly better in overall visibility with fewer “nones” and outstanding performance in analytic detections.

For a fair comparison, we have removed Step 19 data, which is listed as “N/A” for SentinelOne with the footnote “due to extenuating circumstances, this step was not collected during evaluation.” Despite all best efforts, an issue occurred during the final testing day where the test environment related to our product made it impossible for MITRE to gather accurate initial execution data according to their procedures.

Protect Everything | All the Time

We are grateful for the opportunity to participate in the 2023 MITRE ATT&CK Evaluation. SentinelOne is committed to innovation and delivering solutions to keep our customers safe. The Singularity Platform is the first AI platform to provide enterprise-wide visibility and protection, bringing all your data together in a unified Data Lake to eliminate risk and protect the future.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.

Risks Within The Factory Lines | Examining Top Threats Facing The Manufacturing Industry

The manufacturing industry currently stands as one of the most attractive targets for cyber attackers. Often dubbed the backbone of global economies, manufacturers play a pivotal role in the production of essential goods and services. This significance makes it an alluring target for cybercriminals seeking financial gain, or nation-state threat actors conducting industrial espionage.

As manufacturing becomes increasingly digitized with the adoption of smart technologies like IoT, analytics, and AI-driven automation, the attack surface for cyber threats has expanded. Ongoing digital transformations in this sector have paved new opportunities for attackers to infiltrate systems and wreak havoc.

Modern cyber threats in this critical sector are multifaceted. Extortion and ransomware attacks have surged in recent years, disrupting industrial control systems (ICS) and leading to significant financial losses and, in some cases, plant shutdowns. The theft of intellectual property, trade secrets, and proprietary information also remains a steady cause for concern and poses a direct threat to global manufacturers as holders of sensitive data.

This post examines the reasons why threat actors continue to be drawn to the manufacturing industry, the specific risks associated with this sector, and what manufacturing leaders can do to safeguard their operations from future attacks.

Digital Evolution in Manufacturing | Navigating Benefits and Cybersecurity Challenges

Manufacturing is evolving rapidly due to data connectivity, analytics, and automation. This leap from previous computerized methods incorporates smart technologies, Internet of Things (IoT), cloud computing, artificial intelligence, and big data analytics.

Interconnectedness is pivotal in this transformation. Human-machine interactions and real-time system communications are central to the optimization of production. However, this connectivity introduces significant cybersecurity challenges.

While innovations enhance manufacturing efficiency, they also usher in vulnerabilities. Increased reliance on networked devices magnifies the potential for breaches, with threats ranging from system disruptions to data theft.

Security professionals must balance the benefits of cutting-edge technologies with robust protection against intricate cyber threats. Key cybersecurity areas include:

  • Interconnectivity – Linking devices and systems facilitates data sharing but demands stringent protection against unauthorized access to prevent data breaches.
  • Data Transparency & Analysis – Gathering and evaluating extensive data sets necessitates stringent measures like encryption to safeguard data integrity.
  • Smart Factories – Manufacturing plants using AI to create self-monitoring and self-optimizing production environments require defense against cyber threats that could disrupt operations or compromise quality control.
  • Customization & Flexibility – Cybersecurity measures are needed to ensure that systems designed for mass customization and flexible production remain resilient in the face of evolving cyber threats, maintaining the integrity of custom products and production processes.
  • Real-Time Monitoring & Control – Constant monitoring and threat detection are critical as any cybersecurity breaches or attacks can have immediate and severe consequences.
  • Global Supply Chain Integration – Managing cybersecurity in interconnected global supply chains requires collaboration with diverse stakeholders including international partners, third-party vendors, and customers to ensure a unified front against cyber threats and data breaches.
  • Human-Machine Collaboration – As workers engage with advanced systems, it is increasingly important that they are trained to recognize, avoid and respond appropriately to potential security risks.

Examining the Rise of Attacks on the Manufacturing Sector

Over the years, cyberattacks on the manufacturing industry have evolved into highly sophisticated and widespread threats. Initially driven by opportunistic threat actors, these attacks have transformed into targeted and well-orchestrated campaigns. Malicious actors now leverage advanced techniques, including extortion with or without ransomware, supply chain compromise, and unpatched vulnerabilities. These attacks not only aim to disrupt operations but also steal valuable intellectual property and sensitive data.

The following brief timeline of cyberattacks on global manufacturers shows threat actors’ unrelenting interest in this critical sector:

  • Norsk Hydro (2019) – Norsk Hydro, one of the world’s largest aluminum producers, fell victim to a cyberattack via LockerGoga ransomware. This targeted attack disrupted the company’s global operations, forcing a shutdown of several plants and affecting both production and distribution. LockerGoga had encrypted vital data, demanding a ransom for decryption keys. Security researchers believe that the attackers initiated their campaign by using legitimate user credentials either previously stolen or bought off the dark web.
  • JBS (2021) – The multinational meat processing company became the victim of a high-profile cyberattack orchestrated by the REvil ransomware group. This attack disrupted JBS’s global operations, impacting meat production and supply chains across several countries for nearly a week. REvil demanded a substantial ransom of $11 million for data decryption and the prevention of sensitive information leaks.
  • Toyota Motor (2022) – The automotive giant was hit with a supply chain cyberattack that had targeted Kojima Industries, Toyota’s plastic and electronics parts supplier. As a result, 14 domestic production lines were halted, affecting approximately 13,000 vehicles and costing almost $375 million from the company’s bottom line. Kojima was reported to take several months after the initial attack before they could return to pre-attack routines.
  • MKS Instruments (Feb, 2023) – The semiconductor chip maker reduced its estimates for the first quarter of 2023 by $200 million as a result of a ransomware attack. The company is also facing legal action related to the loss of PII.
  • Dole (Feb, 2023) – In the same month, food giant Dole was forced to shut down production plants after a ransomware attack, resulting in $10 million of direct costs.
  • Brunswick Corporation (June, 2023) – Marine industry manufacturer Brunswick was forced to halt operations at some of its plants after a cyberattack that has so far resulted in at least $85 million in losses.

What Cyber Threats Are Faced by Manufacturers?

Manufacturers are at the forefront of driving significant innovation in product development, manufacturing processes, and their relationships within the industrial ecosystem to remain competitive in the global market. They employ a wide array of technologies, such as complex global networks, various back-office business applications, and several generations of industrial control systems (ICS) that oversee high-risk manufacturing procedures and a diverse range of technologies. As a result, the manufacturing industry has seen stark changes in the breadth and complexity of cyber risks.

Attacks on Industrial Control Systems (ICS)

Manufacturers rely on industrial control systems (ICS), also referred to as automation systems, as essential digital tools supporting production output. These systems are critical to controlling energy and labor costs, as well as helping to meet environmental requirements. Since ICSs reduce the need for constant human oversight, their automated nature presents opportunities for substantial cybersecurity risk. Where efficiency is enhanced, vulnerabilities are also created. Threat actors can infiltrate ICS systems with the purpose of jeopardizing human safety and causing widespread disruptions.

Unauthorized individuals gaining access to ICS systems can manipulate or disrupt manufacturing processes, potentially causing damage to equipment or product quality. Attackers may also discover and exploit unpatched (N-day) flaws or previously unknown vulnerabilities (Zero-days) to compromise ICS systems.

Social Engineering & Phishing

Social engineering attacks such as business email compromise (BEC) often target manufacturing employees with administrative access to sensitive data. If successful, attackers can gain unauthorized access to core systems, accessing intellectual property (IP), trade secrets, and even private customer data. Phishing attacks can also deliver malware that disrupts manufacturing operations, causing extended downtime and both short and long-term financial losses. Attackers may also manipulate systems, affecting product quality and safety, which in turn leads to brand damage and loss of new business opportunities.

Theft of Intellectual Property (IP)

A manufacturer’s intellectual property (IP) is perhaps its most valuable asset, and its compromise can have serious consequences. IP theft ranks among the most financially burdensome cyber threats. It can be perpetrated by external attackers seeking to steal trade secrets as well as by malicious insiders, aiming to profit by selling any confidential information they get their hands on.

Extortion and Ransomware

Manufacturing firms face ever-growing risks from threat actors using extortion tactics such as ransomware and data theft, with the average cost of a data breach in this sector totaling $4.73 million USD in 2023, up from $4.47 million the year before. In 2022, manufacturers held the highest share of cyberattacks compared to other critical industries worldwide, at almost 25% of total cyber attacks recorded.

These attacks particularly impact the manufacturing industry due to its acute time sensitivity. In the manufacturing world, time equates to revenue, and companies are under intense pressure to pay a ransom to avoid the immediate losses incurred from production delays. However, paying neither guarantees that stolen data will not still be leaked or quietly sold, nor that the victim will avoid longer term financial or reputational harm. An ever-growing list of sanctions against ransomware operators means payment itself may incur federal penalties.

Moreover, the costs of such attacks extend beyond the initial disruption and the ransom itself. Significant costs can accrue from legal actions taken by regulators, clients and employees, particularly when the data breach involves sensitive or personally identifying information. There are also significant costs associated with efforts to investigate the incident, recover systems and beef up security after the fact, meaning that prevention is the most cost-effective cure for such attacks.

Supply Chain Attacks

Supply chain attacks involve cybercriminals targeting a company’s associates or suppliers, typically achieved through phishing or compromising these third parties’ networks. Once access is gained, attackers can proceed to infiltrate the manufacturer’s network, with intentions ranging from data theft and malware deployment to disrupting the supply chain sufficiently to stop production.

The manufacturing sector is particularly susceptible to such attacks due to the numerous vulnerable endpoints distributed among a vast network of interconnected suppliers. This diversity provides actors with multiple entry points to infiltrate a network and launch subsequent attacks on the manufacturer. Considering the fact that each link in the supply chain often relies on others, an attack on a single supplier can quickly affect many others within the chain.

Nation-State Attacks

Cyber threats against manufacturing companies aren’t solely the work of financially-motivated cybercriminals; they can also arise from foreign competitors and nation-state threat actors.

Recent data indicates that 17.7% of nation-state attacks have been directed at the manufacturing sector. These actors typically have significant resources and use advanced tools to perform attacks that can be difficult to identify and counter. Such threats may impact critical infrastructures or compromise military contractors. This emphasizes the importance of effective cybersecurity measures in the manufacturing sector.

IoT Attacks

Manufacturers are increasingly at risk of attacks as they embrace approaches like Industry 4.0 and related technologies, particularly IoT ‘Smart’ devices. Threat actors can exploit these connected devices to infiltrate networks, potentially compromising sensitive data and exposing both proprietary information and customer data.

Many IoT devices lack robust security features, making them easy targets for cybercriminals. Once compromised, Smart devices can serve as entry points to the broader manufacturing network. Attackers can also seek to manipulate IoT-controlled machinery, causing production delays, equipment damage, or even safety hazards.


Regulators Have Taken Notice | It’s Time for Action

Federal and state-level governments are taking action to protect this critical sector, tackling the industry’s fragmented approach to cyber management. Specific sectors such as water, transportation, and pipelines, are all required to adhere to federal cybersecurity regulations. Internationally, IEC 62443 is recognized as the primary cybersecurity standard for industrial control systems.

Proposed legislation like the European Union’s Cyber Resilience Act aims to standardize cybersecurity requirements for products throughout their lifecycle. Meanwhile, regulations such as NIS 2 and Critical Entities Resilience (CER) directives classify select manufacturing sectors as vital entities, mandating heightened security measures.

How Singularity™ XDR Defends the Manufacturing Supply Chain

SentinelOne protects manufacturing enterprises through a single, AI-powered XDR solution that extends robust coverage from endpoints and users to cloud workloads, IoT devices, and more. Singularity™ XDR focuses on delivering maximum visibility across entire systems so as to detect and respond to the very first signs of intrusion.

Global leaders in the manufacturing industry trust Singularity™ XDR, which allows them to focus on guaranteeing uptime and providing greater ROI, reducing threats and making the most of their operational efficiencies. Key features of SentinelOne’s Singularity™ XDR defending modern manufacturing organizations include:

  • Endpoint Protection – Secure endpoints with advanced machine learning algorithms that detect and block malicious activities in real-time.
  • User Behavior Analytics – Analyze user behavior patterns to identify potential account takeover attempts and take immediate action to prevent unauthorized access.
  • Cloud Workload Security – Protect your cloud infrastructure with automated CWPP enforcement, real-time monitoring, and threat detection, ensuring a secure environment for user accounts and sensitive data.
  • Integration with Existing Security Infrastructure – SentinelOne Singularity™ XDR seamlessly integrates with an existing security stack, enhancing the organization’s overall defense against cyber threats.

Conclusion

Rapid digital transformation in the manufacturing sector has accelerated growth but also exposed organizations to sophisticated cyber threats. Spanning essential branches including consumer goods, automotive, electronics, pharmaceuticals, and more, cyberattacks on manufacturers can trigger costly repercussions across global networks.

Though world governments are stepping up security investments in response to mounting cyber threats, manufacturers can augment their cybersecurity posture by investing in AI-powered detection and response capabilities that provide network-wide visibility and control.

To learn more about how SentinelOne’s Singularity™ XDR platform can help protect your organization, contact us or book a demo.
