Feature Spotlight | Auto-Discover Unprotected Amazon EC2 Instances with Cloud Rogues

SentinelOne is pleased to announce general availability (GA) of Cloud Rogues, an exciting new feature of our real-time cloud workload protection platform (CWPP), Singularity Cloud Workload Security. Cloud Rogues continuously monitors virtual machines (VMs) in all AWS accounts where it is enabled, across all regions. It automates a complete inventory of unprotected VMs and identifies any newly created VMs. With this knowledge, cloud security practitioners may take next steps, such as deploying the SentinelOne CWS agent on running VMs or updating machine images to ensure that future VMs are protected when created.

Singularity Cloud Workload Security delivers real-time CWPP for workloads running in servers, VMs, containers, and Kubernetes, and across AWS, Azure, Google Cloud, private, and other clouds. The Cloud Rogues feature itself presently supports Amazon EC2 and services such as Amazon ECS and Amazon EKS, which are backed by Amazon EC2. Support for cloud compute from other CSPs (cloud service providers) is coming.

Getting Started with Cloud Rogues

To get started, Singularity Cloud Workload Security customers need to first grant SentinelOne read-only access to their AWS cloud accounts. This onboarding process may be for a single cloud account, or for an entire AWS Organization. Within minutes, SentinelOne discovers all VMs, Linux or Windows, in the onboarded AWS accounts.

Here is a simple step-by-step guide to onboard a single AWS account. SentinelOne customers may consult the Knowledge Base (KB) article, How to Integrate Your AWS Cloud Accounts for more details or for step-by-step guidance to onboard an AWS Organization.


  1. From within the SentinelOne management console, go to Settings > Integrations > AWS Accounts and click Add AWS Accounts.
  2. Choose AWS Account and click Next.
    Pro Tip: Cloud Rogues also supports AWS Organizations to help onboard accounts at scale.
  3. Select CWS (for Cloud Workload Security) and click Next.
  4. In the AWS Standalone Account Protection pop-up, click the link next to Create the connection stack. This opens the AWS CloudFormation console. From there, choose Create a Stack; consult the AWS docs for details. Create a unique Stack Name and Role Name, then click Create.
  5. Once creation of the Connection Stack is complete, copy the Role ARN value, return to the SentinelOne console, and paste the Role ARN value where indicated in the AWS Standalone Account Protection pop-up. Click Connect to Account.
  6. SentinelOne and the AWS account are now connected. The next step is to prepare for deployment.
  7. In the AWS Standalone Account Protection – Deploy window, click SentinelOne Deploy Stack. This opens the AWS console. Select a CloudTrail to monitor for changes and click Submit.
  8. Back in the SentinelOne console, click Finish.

Cloud Rogues is now active, automatically discovering unprotected Amazon EC2 instances (VMs) in the chosen AWS account. Knowing that many organizations have dozens if not hundreds of AWS accounts, onboarding via AWS Organizations is preferred at scale. Of course, the vast majority of users will prefer to start with a single AWS account to “test” the Cloud Rogues functionality. Discussion of onboarding via AWS Organizations is found in the aforementioned SentinelOne Knowledge Base (KB) article.

Discovering Unprotected VMs

Any VMs not currently protected by a SentinelOne agent are listed in the SentinelOne management console under Sentinels > Cloud Rogues. Details such as cloud account ID, instance ID, tags, network, and OS are shown in the inventory. Users may export the inventory in a CSV or JSON file. Newly created VMs are reported shortly after their creation.

With this information, security practitioners can make better risk management decisions. They may choose to deploy a SentinelOne CWPP agent (Singularity Cloud Workload Security for Servers/VMs) directly to the running VM. Alternatively, they may choose to update the Amazon Machine Image (AMI), from which the EC2 instance was spawned, to include the CWPP agent so that all future EC2 instances are protected when created. Less likely, but still possible, is that the security team elects to do nothing and simply documents an exception acknowledging that this cloud VM lacks any runtime protection or forensic workload visibility.
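The following Python script is an added example, not SentinelOne code and not a description of how Cloud Rogues is implemented internally. It shows the same kind of agentless discovery done with the plain EC2 API: flatten a DescribeInstances response, diff it against the set of instance IDs already reporting an agent, and group the gaps by AMI so the image owners can be asked to bake the agent in. The response below is constructed in the shape boto3's ec2.describe_instances() returns; PROTECTED_IDS stands in for whatever list of agent-bearing instance IDs your console exports. In real use you would page through describe_instances() in every region returned by describe_regions(), which needs only the ec2:DescribeRegions and ec2:DescribeInstances permissions.

```python
"""Agentless inventory of EC2 instances that lack a protection agent.

Added example, not SentinelOne code. Walks DescribeInstances output,
diffs it against instance IDs already reporting to a console, and groups
the unprotected ones by AMI so you know which images to fix.
"""
from collections import defaultdict

# Constructed sample in the shape of ec2.describe_instances() output
# (Reservations -> Instances). Real use: call describe_instances() with a
# paginator in each region from describe_regions().
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "ImageId": "ami-web01",
             "State": {"Name": "running"}, "PlatformDetails": "Linux/UNIX",
             "VpcId": "vpc-1", "SubnetId": "subnet-a",
             "Tags": [{"Key": "Name", "Value": "web-1"},
                      {"Key": "env", "Value": "prod"}]},
            {"InstanceId": "i-0aaa222", "ImageId": "ami-web01",
             "State": {"Name": "running"}, "PlatformDetails": "Linux/UNIX",
             "VpcId": "vpc-1", "SubnetId": "subnet-b",
             "Tags": [{"Key": "Name", "Value": "web-2"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0bbb333", "ImageId": "ami-win01",
             "State": {"Name": "running"}, "PlatformDetails": "Windows",
             "VpcId": "vpc-2", "SubnetId": "subnet-c", "Tags": []},
            {"InstanceId": "i-0ccc444", "ImageId": "ami-old",
             "State": {"Name": "terminated"}, "PlatformDetails": "Linux/UNIX",
             "VpcId": "vpc-2", "SubnetId": "subnet-c", "Tags": []},
        ]},
    ]
}

# Constructed: instance IDs that already have an agent checking in.
PROTECTED_IDS = {"i-0aaa111"}


def flatten_instances(describe_response):
    """Yield one flat dict per live (non-terminated) instance."""
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # gone; nothing left to protect
            yield {
                "instance_id": inst["InstanceId"],
                "image_id": inst.get("ImageId"),
                "state": inst["State"]["Name"],
                "os": inst.get("PlatformDetails", "unknown"),
                "vpc": inst.get("VpcId"),
                "subnet": inst.get("SubnetId"),
                "tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])},
            }


def find_unprotected(describe_response, protected_ids):
    """Return live instances whose ID is not in protected_ids (the 'rogues')."""
    return [i for i in flatten_instances(describe_response)
            if i["instance_id"] not in protected_ids]


def group_by_ami(unprotected):
    """Map AMI -> sorted instance IDs, so image owners can be chased to bake in the agent."""
    groups = defaultdict(list)
    for inst in unprotected:
        groups[inst["image_id"]].append(inst["instance_id"])
    return {ami: sorted(ids) for ami, ids in groups.items()}


if __name__ == "__main__":
    rogues = find_unprotected(SAMPLE_DESCRIBE_INSTANCES, PROTECTED_IDS)
    for r in rogues:
        print(r["instance_id"], r["os"], r["vpc"], r["tags"].get("Name", "-"))
    print(group_by_ami(rogues))
```

The AMI grouping is the part worth keeping: a long list of unprotected instance IDs is a ticket queue, but two AMIs that account for all of them is a pair of image pipelines to fix, after which new instances stop appearing on the list.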

By leveraging the new Cloud Rogues feature, the cloud security team now has the data needed to make informed risk management decisions. Security begins with visibility, and Cloud Rogues delivers continuous visibility of unprotected VMs across the cloud footprint.

Available To All SentinelOne Customers

Existing SentinelOne customers (endpoint, identity) who have not yet purchased Singularity Cloud Workload Security can still benefit from Cloud Rogues. The Cloud Rogues feature itself is agentless, using AWS APIs to identify Amazon EC2 instances in the account/organization of interest. As such, any SentinelOne customer can use Cloud Rogues to understand the extent of the unprotected compute infrastructure in their AWS accounts. Armed with this knowledge, customers can build a business case to justify purchasing Singularity Cloud Workload Security. Of course, the benefits of our real-time CWPP solution go far beyond simple visibility – namely, maximum workload integrity and availability, forensic analytics for use during triage and incident response, and more.

Taking the Next Step with Real-Time CWPP

Better cloud security begins with visibility of the attack surface. By automatically identifying unprotected cloud compute instances in their AWS footprint, organizations are better able to manage the attack surface, reduce risk, and take informed actions.

Next steps may include deploying a CWPP agent to the unprotected instance, updating the machine image to include an agent, or documenting an exception. With Singularity Cloud Workload Security, customers have real-time cloud workload protection and forensic visibility into all workload telemetry.

To learn more about the value of real-time CWPP in your cloud security stack, head over to the solution homepage. Or see how Singularity Cloud Workload Security works with a 2-minute guided walk-through here. And of course, whenever you are ready, you may connect with one of our cloud security experts for a personalized demo.


Protecting the Checkout Line | Understanding the Top Threats to Retail Cybersecurity

The retail sector, a cornerstone of the global economy, has faced an unprecedented wave of cyberattacks in recent years. Innovations in e-commerce and payment technology have transformed the way consumers shop, but they have also opened up new avenues for cyber threats.

The consequences of these attacks can reach far beyond the immediate financial losses. Customer trust and brand reputation, some of a retailer’s most valuable assets, are at risk of being irrevocably damaged. In an effort to protect customer and payment card data, retailers also have to abide by strict regulatory requirements, which add another dimension to managing modern cyber risk.

This blog post explores how cybercriminals target this lucrative sector, the security challenges retailers face, and key strategies businesses can adopt to protect themselves and their customers from advancing threats.

A Decade of Growing Attacks On The Retail Sector

Over the past decade, the nature of cyber threats targeting the retail sector has evolved. What once consisted of relatively simple scams and basic phishing attempts has now grown into a much more sophisticated landscape fraught with ransomware, extortion, and attacks on software supply chains. Cybercriminals have also adapted their strategies to exploit the ever-expanding digital footprint of retailers.

The brief timeline of cyberattacks on global retailers below shows the growing interest cyber threat actors have in this major sector.

  • Target (2013) – Cybercriminals breached Target’s network during the Christmas shopping season, stealing sensitive data from approximately 40 million debit and credit card accounts and personal information of an additional 70 million customers. Attackers gained access through a third-party HVAC vendor’s compromised credentials, highlighting the vulnerability of supply chain connections. Once inside, they installed malware on Target’s point-of-sale systems, allowing them to harvest payment card data as customers made purchases.
  • eBay (2014) – eBay, one of the world’s largest online marketplaces, fell victim to a significant cyberattack that exposed the personal information of approximately 145 million users, making it one of the largest data breaches at the time. Cybercriminals gained access to a small number of eBay employee credentials, which allowed them to infiltrate the company’s corporate network. Once inside, they managed to access a database containing user information, including names, addresses, email addresses, and encrypted passwords.
  • Home Depot (2014) – Known as one of the largest home improvement retailers in North America, Home Depot fell victim to a massive cyberattack that compromised the credit and debit card information of approximately 56 million customers as well as exposing approximately 53 million customer email addresses. The breach occurred when cybercriminals exploited a third-party vendor’s login credentials to gain unauthorized access to the retailer’s network. Once inside, they deployed malware on the retailer’s point-of-sale (POS) systems, enabling them to steal payment card data during transactions.
  • Costco (2015) – The popular wholesale retail giant faced a notable attack wherein threat actors breached Costco’s photo website and compromised the personal information of around 58,000 customers. This breach exposed customer names, addresses, and in some cases, sensitive payment card information.
  • Saks Fifth Avenue / Lord & Taylor (2018) – The two luxury department store chains were hit by a major cyberattack attributed to the Fin7 group, which sold the stolen cards through the JokerStash carding marketplace. The attack exposed sensitive information belonging to nearly 5 million customers. The attackers infiltrated the stores’ payment processing systems through a phishing campaign, allowing them to steal vast amounts of customer payment card data. The breach was extensive, impacting customers who had shopped at these retailers between May 2017 and April 2018.
  • Under Armour (2018) – The sportswear and athletic apparel manufacturer experienced a cyberattack that raised concerns about the protection of customer information. While the breach didn’t expose financial data or payment information, it did affect millions of user accounts on the company’s popular fitness tracking app, MyFitnessPal. The attack resulted in unauthorized access to user data, including usernames, email addresses, and hashed passwords.
  • Ikea (2018) – The globally recognized furniture and home goods retailer faced a cyberattack that targeted one of its subsidiaries, TaskRabbit. TaskRabbit is an online platform that connects customers with freelance labor for various tasks and services. The cyberattack temporarily disrupted TaskRabbit’s operations, impacting its website and mobile app. In response, Ikea promptly shut down the platform while it investigated the breach and took steps to secure customer data.
  • Sobeys (2022) – Sobeys, one of Canada’s largest supermarket chains, fell victim to an attack that disrupted its operations and impacted the company’s ability to process transactions. This led to in-store payment processing issues, causing disruptions for both customers and employees. The total amount of losses from the attack was reportedly $25 million in annual net earnings.
  • Indigo (2023) – One of Canada’s largest book retailers, Indigo, faced a ransomware event that disrupted its operations and knocked payment systems offline, including its e-commerce platform and customer databases. The attack was later claimed by the LockBit ransomware group, and Indigo confirmed the theft of current and former employee data.
  • Hot Topic (2023) – Using credential stuffing tactics, cybercriminals breached the systems of popular alternative fashion retailer, Hot Topic. During the attack, the criminals exploited the reuse of usernames and passwords across different online services, attempting to gain unauthorized access to Hot Topic customer accounts. Any customers who had reused passwords were at risk, as their accounts were vulnerable to unauthorized access.

A Catalog of Cyber Threats Faced by Retailers

Retailers these days grapple with a wide variety of threats, including ransomware, phishing scams, point-of-sale (POS) system breaches, supply chain attacks, and even insider threats.

  • Ransomware with Double & Triple Extortion – Ransomware attacks can disrupt retailer operations due to service outages caused by encrypted data. In double extortion attacks, cybercriminals additionally steal sensitive data before encrypting it. They then threaten to release this stolen data publicly unless a ransom is paid. Triple extortion takes this one step further with threats to launch distributed denial-of-service (DDoS) attacks against the victim if the ransom demand is not met.
  • Supply Chain Attacks – Threat actors target third-party suppliers to infiltrate a retailer’s network, compromising data and operations.
  • Insider Threats – Malicious employees or partners can intentionally harm retailers by leaking sensitive data, sabotaging systems, or assisting external attackers.
  • Bot Attacks – Bot attacks deploy automated software programs to mimic human behavior, overwhelming websites and disrupting online operations. These malicious bots can scrape prices, abuse promotional offers, and complete fraudulent transactions.
  • POS Malware – Point-of-sale (POS) malware compromises POS terminals to steal payment card data during the transaction process.
  • Mobile Purchase, In-Store Payment Scams – Cyber criminals exploit mobile apps for fraudulent in-store purchases, often using stolen payment details to make unauthorized transactions.
  • Buy Online, Pick Up In-Store Scams – Threat actors manipulate the “buy online, pick up in store” system to collect orders without payment, relying on forged confirmations or identity theft.
  • “Add New Payment” Scams – Scammers trick users into adding fraudulent payment methods to online retail accounts, enabling unauthorized transactions.
  • Gift Card Fraud – Cybercriminals exploit weaknesses in gift card systems, often by brute-forcing card numbers and PINs against balance-check endpoints, or by purchasing cards with stolen payment details. The attackers then drain or resell the balances, leaving legitimate cardholders with worthless cards.
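Credential stuffing and gift-card balance brute forcing share a signature that per-account lockouts miss: one client touching many different accounts or card numbers with a high failure rate. The Python detector below is an added example, not code from the original post or from SentinelOne; the log lines are constructed, their field layout is an assumption, and the thresholds are starting points to tune against real traffic.

```python
"""Spot credential stuffing and gift-card brute forcing in web logs.

Added example, not from the original post. A stuffing run shows as one
client trying many *different* accounts with mostly failures; a gift-card
attack shows as one client probing many card numbers. Neither trips a
per-account lockout, so the aggregation has to be per source.
"""
import re
from collections import defaultdict

# Constructed sample lines: "<ts> <src_ip> <endpoint> <principal> <result>"
SAMPLE_LOG = """\
2023-11-01T10:00:01Z 203.0.113.5 /login alice@example.com FAIL
2023-11-01T10:00:01Z 203.0.113.5 /login bob@example.com FAIL
2023-11-01T10:00:02Z 203.0.113.5 /login carol@example.com OK
2023-11-01T10:00:02Z 203.0.113.5 /login dave@example.com FAIL
2023-11-01T10:00:03Z 203.0.113.5 /login erin@example.com FAIL
2023-11-01T10:00:03Z 203.0.113.5 /login frank@example.com FAIL
2023-11-01T10:00:05Z 198.51.100.7 /login alice@example.com FAIL
2023-11-01T10:00:09Z 198.51.100.7 /login alice@example.com FAIL
2023-11-01T10:00:15Z 198.51.100.7 /login alice@example.com OK
2023-11-01T10:01:00Z 192.0.2.9 /giftcard/balance 6006491000000001 FAIL
2023-11-01T10:01:00Z 192.0.2.9 /giftcard/balance 6006491000000002 FAIL
2023-11-01T10:01:01Z 192.0.2.9 /giftcard/balance 6006491000000003 FAIL
2023-11-01T10:01:01Z 192.0.2.9 /giftcard/balance 6006491000000004 OK
2023-11-01T10:01:02Z 192.0.2.9 /giftcard/balance 6006491000000005 FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<endpoint>\S+) (?P<principal>\S+) (?P<result>OK|FAIL)$"
)

# Thresholds are assumptions; tune to your traffic.
MIN_DISTINCT = 5       # distinct accounts/cards from one source ...
MIN_FAIL_RATE = 0.6    # ... with at least this share of failures


def parse(log_text):
    """Parse log lines into dicts, skipping anything that does not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_spraying(events, min_distinct=MIN_DISTINCT, min_fail_rate=MIN_FAIL_RATE):
    """Flag (ip, endpoint) pairs that hit many distinct principals with mostly failures.

    Returns {(ip, endpoint): {"distinct", "attempts", "fail_rate", "successes"}}
    for flagged pairs; "successes" lists the principals the attacker got into,
    which are the accounts/cards to force-reset or freeze.
    """
    stats = defaultdict(lambda: {"principals": set(), "attempts": 0,
                                 "failures": 0, "successes": []})
    for e in events:
        s = stats[(e["ip"], e["endpoint"])]
        s["principals"].add(e["principal"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].append(e["principal"])

    alerts = {}
    for key, s in stats.items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["principals"]) >= min_distinct and fail_rate >= min_fail_rate:
            alerts[key] = {"distinct": len(s["principals"]),
                           "attempts": s["attempts"],
                           "fail_rate": round(fail_rate, 2),
                           "successes": s["successes"]}
    return alerts


if __name__ == "__main__":
    for (ip, endpoint), info in detect_spraying(parse(SAMPLE_LOG)).items():
        print(f"{ip} {endpoint}: {info}")
```

In the sample, 198.51.100.7 is a legitimate user fumbling one password three times and is not flagged, while the two attacking sources are, together with the one account and one card number they actually hit. Real stuffing runs rotate through proxy pools, so in production the grouping key is usually a fingerprint (ASN, user agent, TLS fingerprint) rather than a single IP, but the distinct-principal logic is the same.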

How PCI-DSS Sets Retailers Up For Success

The Payment Card Industry Data Security Standard (PCI-DSS) is a comprehensive set of security standards designed to safeguard the sensitive payment card data of customers during transactions. Developed by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB, PCI-DSS is crucial for any retailers that handle payment card information. PCI-DSS compliance helps retailers create a secure environment for processing payments. With the right controls in place, it helps reduce the risk of costly data breaches, regulatory penalties, and brand damage.

Some key ways in which PCI-DSS supports retailers’ cybersecurity efforts include:

  • Data Encryption – PCI-DSS requires cardholder data to be encrypted when transmitted over open, public networks, and the primary account number (PAN) to be rendered unreadable wherever it is stored, whether by strong encryption, truncation, tokenization, or hashing, with the keys managed separately from the data. Sensitive authentication data such as full magnetic-stripe track data and the card verification code may not be retained after authorization at all. Done properly, this means a breach of stored data alone yields nothing the thieves can read or reuse.
  • Regular Security Assessments – Retailers are required to conduct regular security assessments and vulnerability scans to identify and address potential weaknesses in their payment card systems. This proactive approach helps in detecting and mitigating vulnerabilities before they can be exploited by attackers.
  • Access Control – PCI-DSS emphasizes strict access control measures, ensuring that only authorized personnel have access to sensitive payment card data. This reduces the risk of insider threats and unauthorized access.
  • Network Security – Retailers must maintain robust network security measures, such as firewalls, intrusion detection systems, and regular security testing, to protect their payment card infrastructure from external threats.

Retailers from around the world trust SentinelOne’s Singularity™ platform to help them meet PCI-DSS cybersecurity controls and protect their business and customers from disruptive attacks. Read more about how Singularity measures against PCI-DSS requirements in a report conducted by Tevora, a security and risk management consulting firm, and a reputable PCI Qualified Security Assessor (QSA) and HITRUST Assessor.

SentinelOne Singularity XDR – A Comprehensive Solution for Retailer Protection

SentinelOne Singularity XDR offers a robust, all-encompassing solution that protects organizations from attacks. By extending coverage to all access points – from endpoints and users to cloud workloads and other devices – Singularity XDR delivers unparalleled visibility and security.

Key features of SentinelOne Singularity XDR that help retailers defend against the threats described above include:

  • Endpoint Protection – Secure endpoints with advanced machine learning algorithms that detect and block malicious activities in real-time.
  • User Behavior Analytics – Analyze user behavior patterns to identify potential account takeover attempts and take immediate action to prevent unauthorized access.
  • Cloud Workload Security – Protect your cloud infrastructure with automated CWPP enforcement, real-time monitoring, and threat detection, ensuring a secure environment for user accounts and sensitive data.
  • Integration with Existing Security Infrastructure – SentinelOne Singularity XDR integrates with an existing security stack, enhancing the organization’s overall defense against cyber threats.

Conclusion

The threat landscape for the retail sector has steadily transformed over the past decade. These attacks can have devastating consequences, from disrupting operations and causing financial losses to eroding customer trust and triggering legal consequences.

Robust cybersecurity measures can help retailers defeat cyber attacks. This includes endpoint protection with real-time detection and mitigation, cloud workload security, and compliance with frameworks such as PCI-DSS.

To learn more about how SentinelOne’s Singularity™ XDR platform can help protect your organization, contact us or request a demo.


Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

Taylor Monahan is founder and CEO of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.

Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.

“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”

Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the secret recovery phrase from which a wallet’s private keys are derived and which therefore unlocks access to their cryptocurrency holdings.

MetaMask owner Taylor Monahan on Twitter. Image: twitter.com/tayvano

Armed with your secret seed phrase, anyone can instantly access all of the cryptocurrency holdings tied to that cryptographic key, and move the funds to anywhere they like.

Which is why the best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some type of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.

“The seed phrase is literally the money,” said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds.”

Bax said he closely reviewed the massive trove of cryptocurrency theft data that Taylor Monahan and others have collected and linked together.

“It’s one of the broadest and most complex cryptocurrency investigations I’ve ever seen,” Bax said. “I ran my own analysis on top of their data and reached the same conclusion that Taylor reported. The threat actor moved stolen funds from multiple victims to the same blockchain addresses, making it possible to strongly link those victims.”

Bax, Monahan and others interviewed for this story say they’ve identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.

KrebsOnSecurity has reviewed this signature but is not publishing it at the request of Monahan and other researchers, who say doing so could cause the attackers to alter their operations in ways that make their criminal activity more difficult to track.

But the researchers have published findings about the dramatic similarities in the ways that victim funds were stolen and laundered through specific cryptocurrency exchanges. They also learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.

A graphic published by @tayvano on Twitter depicting the movement of stolen cryptocurrencies from victims who used LastPass to store their crypto seed phrases.

By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.

Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story.

Bax said the only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.

“On top of the overlapping indicators of compromise, there are more circumstantial behavioral patterns and tradecraft which are also consistent between different thefts and support the conclusion,” Bax told KrebsOnSecurity. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.

“Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation,” LastPass said in a written statement provided to KrebsOnSecurity. “Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so.”

Their statement continues:

“We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com.”

THE LASTPASS BREACH(ES)

On August 25, 2022, LastPass CEO Karim Toubba wrote to users that the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

Dan Goodin at Ars Technica reported and then confirmed that the attackers exploited a known vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

OFFLINE ATTACKS

A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.

LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.

But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself, as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data, with none of the rate limiting or lockouts an online login enforces, using powerful computers that can each try millions of password guesses per second when the vault’s key-derivation settings are weak.

“It does leave things vulnerable to brute force when the vaults are stolen en masse, especially if info about the vault HOLDER is available,” said Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis. “So you just crunch and crunch and crunch with GPUs, with a priority list of vaults you target.”

How hard would it be for well-resourced criminals to crack the master passwords securing LastPass user vaults? Perhaps the best answer to this question comes from Wladimir Palant, a security researcher and the original developer behind the Adblock Plus browser plugin.

In a December 2022 blog post, Palant explained that the crackability of the LastPass master passwords depends largely on two things: The complexity of the master password, and the default settings for LastPass users, which appear to have varied quite a bit based on when those users began patronizing the service.

LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”

But Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.

“If you are a LastPass customer, chances are that you are completely unaware of this requirement,” Palant wrote. “That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.”

Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years. One important setting in LastPass is the number of “iterations,” the number of rounds of the PBKDF2 key-derivation function that turn your master password into the key protecting your vault. Every guess an offline attacker makes must repeat all of those rounds, so the more iterations, the longer it takes to crack your master password.

Palant noted last year that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000.

Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.

“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”

A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single GPU about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.

Image: palant.info

However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.

Weaver said a password or passphrase with average complexity, such as “Correct Horse Battery Staple,” is only secure against online attacks, and that its roughly 40 bits of randomness or “entropy” means a graphics card can blow through it in no time.

“An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations, but that would go down to 8 thousand per second with 500,000 iterations, which is why iteration count matters so much,” Weaver said. “So a combination of ‘not THAT strong of a password’ and ‘old vault’ and ‘low iteration count’ would make it theoretically crackable but real work, but the work is worth it given the targets.”
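To make the iteration-count argument concrete, here is a small Python model (an added example, not from the article, Palant’s chart or Weaver) that scales Weaver’s quoted rate of roughly 4 million guesses per second at 1,000 iterations to the LastPass default iteration counts the article lists, and turns it into expected crack time for the ~40-bit and ~50-bit passwords discussed. It assumes PBKDF2 cost is linear in the iteration count and uses a simplified, assumed LastPass-style derivation (master password salted with the account e-mail), not the vendor’s exact parameters.

```python
import hashlib

# Data point quoted from Weaver in the article: an Nvidia 3090 manages roughly
# 4 million PBKDF2 guesses per second at 1,000 iterations. PBKDF2 cost is linear
# in the iteration count, so other counts are scaled from that one figure.
REFERENCE_ITERATIONS = 1_000
REFERENCE_GUESSES_PER_SEC = 4_000_000

# Default iteration counts LastPass applied over the years, as stated in the article.
LASTPASS_DEFAULTS = {
    "original default (upper end)": 500,
    "2013 default": 5_000,
    "2018 default": 100_100,
    "2023 default": 600_000,
}


def guesses_per_second(iterations: int, gpus: int = 1) -> float:
    """Estimated guess rate for a given iteration count and number of GPUs."""
    return REFERENCE_GUESSES_PER_SEC * REFERENCE_ITERATIONS / iterations * gpus


def expected_crack_seconds(entropy_bits: float, iterations: int, gpus: int = 1) -> float:
    """Expected time to hit the right password: half the keyspace on average."""
    keyspace = 2.0 ** entropy_bits
    return (keyspace / 2) / guesses_per_second(iterations, gpus)


def lastpass_style_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault key from PBKDF2-HMAC-SHA256 over the master password, salted with the
    account e-mail. Assumed, simplified schema; LastPass's exact parameters are
    not taken from the article."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def crack_time_table(entropy_bits: float, gpus: int = 1) -> dict:
    """Expected crack time in years for each LastPass default iteration count."""
    seconds_per_year = 365.25 * 24 * 3600
    return {
        label: expected_crack_seconds(entropy_bits, iters, gpus) / seconds_per_year
        for label, iters in LASTPASS_DEFAULTS.items()
    }


if __name__ == "__main__":
    # The two entropy figures from the article: ~40 bits for a "correct horse
    # battery staple" passphrase, ~50 bits for an eight-character password
    # with numbers and symbols.
    for bits in (40, 50):
        print(f"\n~{bits}-bit master password, one GPU:")
        for label, years in crack_time_table(bits).items():
            print(f"  {label:<30} {years:>12.4f} years")
    # A mining-farm sized adversary (constructed figure: 1,000 GPUs) shrinks the
    # 600,000-iteration figure by the same factor.
    print(f"\n50-bit, 600,000 iterations, 1,000 GPUs: "
          f"{crack_time_table(50, gpus=1000)['2023 default']:.2f} years")
```

Palant’s chart uses its own assumptions, so its absolute figures differ; the point the model reproduces is the linear scaling, a 120-fold cost increase from 5,000 to 600,000 iterations.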

Reached by KrebsOnSecurity, Palant said he never received a response from LastPass about why the company apparently failed to migrate some number of customers to more secure account settings.

“I know exactly as much as everyone else,” Palant wrote in reply. “LastPass published some additional information in March. This finally answered the questions about the timeline of their breach – meaning which users are affected. It also made obvious that business customers are very much at risk here, Federated Login Services being highly compromised in this breach (LastPass downplaying as usual of course).”

Palant said upon logging into his LastPass account a few days ago, he found his master password was still set at 5,000 iterations.

INTERVIEW WITH A VICTIM

KrebsOnSecurity interviewed one of the victims tracked down by Monahan, a software engineer and startup founder who recently was robbed of approximately $3.4 million worth of different cryptocurrencies. The victim agreed to tell his story in exchange for anonymity because he is still trying to claw back his losses. We’ll refer to him here as “Connor” (not his real name).

Connor said he began using LastPass roughly a decade ago, and that he also stored the seed phrase for his primary cryptocurrency wallet inside of LastPass. Connor chose to protect his LastPass password vault with an eight-character master password that included numbers and symbols (~50 bits of entropy).

“I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,” Connor said. “I had it in a bank security deposit box before that, but then I started thinking, ‘Hey, the bank might close or burn down and I could lose my seed phrase.’”

Those seed phrases sat in his LastPass vault for years. Then, early on the morning of Sunday, Aug. 27, 2023, Connor was awoken by a service he’d set up to monitor his cryptocurrency addresses for any unusual activity: Someone was draining funds from his accounts, and fast.

Like other victims interviewed for this story, Connor didn’t suffer the usual indignities that typically presage a cryptocurrency robbery, such as account takeovers of his email inbox or mobile phone number.

Connor said he doesn’t know the number of iterations his master password was given originally, or what it was set at when the LastPass user vault data was stolen last year. But he said he recently logged into his LastPass account and the system forced him to upgrade to the new 600,000-iteration setting.

“Because I set up my LastPass account so early, I’m pretty sure I had whatever weak settings or iterations it originally had,” he said.

Connor said he’s kicking himself because he recently started the process of migrating his cryptocurrency to a new wallet protected by a new seed phrase. But he never finished that migration process. And then he got hacked.

“I’d set up a brand new wallet with new keys,” he said. “I had that ready to go two months ago, but have been procrastinating moving things to the new wallet.”

Connor has been exceedingly lucky in regaining access to some of his stolen millions in cryptocurrency. The Internet is swimming with con artists masquerading as legitimate cryptocurrency recovery experts. To make matters worse, because time is so critical in these crypto heists, many victims turn to the first quasi-believable expert who offers help.

Instead, several friends steered Connor to Flashbots.net, a cryptocurrency recovery firm that employs several custom techniques to help clients claw back stolen funds — particularly those on the Ethereum blockchain.

According to Connor, Flashbots helped rescue approximately $1.5 million worth of the $3.4 million in cryptocurrency value that was suddenly swept out of his account roughly a week ago. Lucky for him, Connor had some of his assets tied up in a type of digital loan that allowed him to borrow against his various cryptocurrency assets.

Without giving away too many details about how they clawed back the funds, here’s a high level summary: When the crooks who stole Connor’s seed phrase sought to extract value from these loans, they were borrowing the maximum amount of credit that he hadn’t already used. But Connor said that left open an avenue for some of that value to be recaptured, basically by repaying the loan in many small, rapid chunks.

WHAT SHOULD LASTPASS USERS DO?

According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.

“Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw [hardware] wallet. Migrate. Now.”

If you also had passwords tied to banking or retirement accounts, or even just important email accounts — now would be a good time to change those credentials as well.

I’ve never been comfortable recommending password managers, because I’ve never seriously used them myself. Something about putting all your eggs in one basket. Heck, I’m so old-fashioned that most of my important passwords are written down and tucked away in safe places.

But I recognize this antiquated approach to password management is not for everyone. Connor says he now uses 1Password, a competing password manager that recently earned the best overall marks from Wired and The New York Times.

1Password says that three things are needed to decrypt your information: The encrypted data itself, your account password, and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup.

“The two are combined on-device to encrypt your vault data and are never sent to 1Password,” explains a 1Password blog post, ‘What If 1Password Gets Hacked?’ “Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who somehow manages to guess or steal your account password would be able to access your vaults – or what’s inside them.”

Weaver said that Secret Key adds an extra level of randomness to all user master passwords that LastPass didn’t have.

“With LastPass, the idea is the user’s password vault is encrypted with a cryptographic hash (H) of the user’s passphrase,” Weaver said. “The problem is a hash of the user’s passphrase is remarkably weak on older LastPass vaults with master passwords that do not have many iterations. 1Password uses H(random-key||password) to generate the password, and it is why you have the QR code business when adding a new device.”
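The construction Weaver sketches can be shown side by side: a vault key derived from the master password alone, and one derived from H(random-key||password). This is an added example, not 1Password’s or LastPass’s actual key-derivation code; it assumes a 128-bit Secret Key, PBKDF2-HMAC-SHA256 as the hash, and a constructed salt and password, and it uses the derived key itself as the stand-in for the vault decryption check.

```python
import hashlib
import secrets
from typing import Iterable, Optional

SECRET_KEY_BYTES = 16  # assumed 128-bit Secret Key, generated on the device at setup


def generate_secret_key() -> bytes:
    """Random Secret Key created locally; per the article it is never sent to the server."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def derive_vault_key(password: str, salt: bytes, iterations: int,
                     secret_key: bytes = b"") -> bytes:
    """H(secret_key || password), the shape Weaver describes, run through PBKDF2-HMAC-SHA256.
    With secret_key=b"" this is the password-only (LastPass-style) derivation; with a key
    it is the 1Password-style one. Simplified model, not either vendor's exact KDF."""
    return hashlib.pbkdf2_hmac("sha256", secret_key + password.encode(), salt,
                               iterations, dklen=32)


def effective_entropy_bits(password_bits: float, secret_key: bytes) -> float:
    """Search space facing an attacker who holds only the stolen, encrypted vault."""
    return password_bits + 8 * len(secret_key)


def offline_guess(stolen_vault_key: bytes, candidates: Iterable[str], salt: bytes,
                  iterations: int, secret_key: bytes = b"") -> Optional[str]:
    """Attacker model for the breach scenario: test candidate passwords against the
    stolen vault. Returns the candidate that unlocks it, or None."""
    for candidate in candidates:
        if derive_vault_key(candidate, salt, iterations, secret_key) == stolen_vault_key:
            return candidate
    return None


if __name__ == "__main__":
    iterations = 600_000              # the count the article says LastPass now enforces
    salt = b"user@example.com"        # constructed
    password = "Tr0ub4dor&3"          # constructed, roughly the 8-character class discussed
    secret_key = generate_secret_key()
    wordlist = ["password", "correcthorsebatterystaple", password, "letmein"]

    # Password-only vault: a short candidate list containing the password finds it.
    lastpass_style = derive_vault_key(password, salt, iterations)
    print("password-only vault recovered:",
          offline_guess(lastpass_style, wordlist, salt, iterations))

    # Secret-Key vault: the same guesses fail without the key that never left the device...
    onepw_style = derive_vault_key(password, salt, iterations, secret_key)
    print("secret-key vault, no key:", offline_guess(onepw_style, wordlist, salt, iterations))
    # ...because the unknown 128-bit key is added to the search space.
    print("effective bits to search:", effective_entropy_bits(50, secret_key))
```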

Weaver said LastPass deserves blame for not having upgraded iteration counts for all users a long time ago, and called the latest forced upgrades “a stunning indictment of the negligence on the part of LastPass.”

“That they never even notified all those with iteration counts of less than 100,000 — who are really vulnerable to brute force even with 8-character random passwords or ‘correct horse battery staple’ type passphrases — is outright negligence,” Weaver said. “I would personally advocate that nobody ever uses LastPass again: Not because they were hacked. Not because they had an architecture (unlike 1Password) that makes such hacking a problem. But because of their consistent refusal to address how they screwed up and take proactive efforts to protect their customers.”

Bax and Monahan both acknowledged that their research alone can probably never conclusively tie dozens of high-dollar crypto heists over the past year to the LastPass breach. But Bax says at this point he doesn’t see any other possible explanation.

“Some might say it’s dangerous to assert a strong connection here, but I’d say it’s dangerous to assert there isn’t one,” he said. “I was arguing with my fiancée about this last night. She’s waiting for LastPass to tell her to change everything. Meanwhile, I’m telling her to do it now.”

The Good, the Bad and the Ugly in Cybersecurity – Week 35

The Good | International Operation Takes Down Multi-Layered Qakbot Infrastructure

Qakbot, a long-established malware and botnet infrastructure in the cyber threat ecosystem, was toppled this week after a successful global operation led by US authorities.

Dubbed “Operation Duck Hunt”, the joint operation involved redirecting the botnet’s communication to FBI-controlled servers. The FBI seized the botnet’s critical infrastructure along with approximately $8.6 million in cryptocurrency and were able to uninstall the malware from some 700,000 infected devices – 200,000 of which were situated in the US.

In its first form circa 2008, Qakbot (aka Qbot, Quackbot, Pinkslipbot, and TA750) emerged as a banking trojan aimed at pilfering banking credentials, website cookies, and credit card data for financial fraud. Over time, the trojan evolved into a C2-based malware delivery service for other threat actors, providing initial network access for ransomware attacks, data theft, and a diverse range of malicious cyber activities. Qakbot has been observed partnering with various ransomware operators including BlackCat, Black Basta, Conti, REvil, and RansomEXX.

Qakbot’s tiered C2 server infrastructure (Source: CISA)

Qakbot victims span organizations across several sectors including governments and healthcare providers. Propagation of the malware relies on phishing campaigns, incorporating tactics like reply-chain email attacks, where cybercriminals hijack email threads, respond with their own messages, and embed malicious attachments that install the Qakbot malware on the victim’s device.

Major takedowns like this one do much to shake up the cybercrime ecosystem, even though it is expected that threat groups will evolve and regroup. However, the success of Operation Duck Hunt underscores how effective global law enforcement collaboration can be in the ongoing fight against cyber threats.

The Bad | Ransomware Operators Target Critical Citrix NetScaler Vulnerability

Unpatched, Internet-facing Citrix NetScaler systems are under further attack this week by unconfirmed threat actors in what appears to be an ongoing ransomware campaign. The attack chain involves exploiting a critical code injection vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), which affects NetScaler ADC and Gateway servers and could enable unauthenticated remote code execution (RCE).

So far, the vulnerability has been used to perform a domain-wide attack where payloads were injected into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). Citrix’s security bulletin recommends that customers install the patched versions of NetScaler ADC and NetScaler Gateway immediately to minimize potential threats.

Alongside the exploit, the attackers have also distributed obfuscated PowerShell scripts and PHP web shells, and leveraged a malware staging service called BlueVPS. The pattern of these attacks closely resembles a campaign reported in early August, in which around 2,000 Citrix NetScaler systems were backdoored.

According to cybersecurity researchers, the attacks from this week and earlier last month may be tied to the FIN8 hacking group, which specializes in ransomware campaigns targeting retail, food services, and hospitality industries.

Anatomy of a FIN8 cyberattack (Source: Bitdefender)

This surge in ransomware attacks coincides with the trend of cybercriminals exploiting low-hanging security vulnerabilities found in popular software. Ransomware groups such as FIN8 also continue to use customized and/or updated malware strains to refine their attack methodologies and encrypt stolen data faster, highlighting the need for organizations to focus their cybersecurity strategy on real-time detection and response capabilities.

The Ugly | China-Backed Actors Attack Local Government Agencies Using Barracuda Flaw

Chinese threat actors are currently suspected of launching a chain of targeted attacks on local government and government-affiliated organizations globally through a zero-day vulnerability (CVE-2023-2868, CVSS score: 9.8) in the Barracuda Email Security Gateway (ESG).

Security researchers this week revealed that a significant portion of the breached appliances belonged to North American-based agencies from all levels of government including state, provincial, county, tribal, and municipal. While local government targeting makes up about 7% of all affected organizations, this figure rises to nearly 17% within the US alone.

The primary motivation behind the attacks was espionage. The threat actor, tracked as UNC4841, engaged in targeted data exfiltration from systems linked to prominent users in government and high-tech sectors.

The vulnerabilities in the Barracuda ESG were first disclosed on May 20, with the company issuing patches and remote fixes. However, it was later discovered that the zero-day had been exploited since at least October 2022, employing new malware variants like SeaSpy, Saltwater, and SeaSide to gain unauthorized access.

While Barracuda has not found evidence of new ESG appliances being compromised after patching, law enforcement authorities warn that the patches are insufficient, and the vulnerability continues to be exploited. Barracuda customers are advised to isolate and replace any compromised appliances quickly, check their networks for indications of potential breaches, and rotate all enterprise-privileged credentials to minimize the risk of attacks.

Why is .US Being Used to Phish So Many of Us?

Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.

.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.

That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.

.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.

Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.

“The .US ‘nexus’ requirement theoretically limits registrations to parties with a national connection, but .US had very high numbers of phishing domains,” Interisle wrote. “This indicates a possible problem with the administration or application of the nexus requirements.”

Dean Marks is emeritus executive director for a group called the Coalition for Online Accountability, which has been critical of the NTIA’s stewardship of .US. Marks says virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse due to their policies and oversight.

“Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware,” Marks told KrebsOnSecurity. “In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public.”

Marks said there are very few phishing domains ever registered in other ccTLDs that also restrict registrations to their citizens, such as .HU (Hungary), .NZ (New Zealand), and .FI (Finland), where a connection to the country, a proof of identity, or evidence of incorporation are required.

“Or .LK (Sri Lanka), where the acceptable use policy includes a ‘lock and suspend’ if domains are reported for suspicious activity,” Marks said. “These ccTLDs make a strong case for validating domain registrants in the interest of public safety.”

Sadly, .US has been a cesspool of phishing activity for many years. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDoS etc.) and illicit or harmful content. Back then, .US was being operated by a different contractor.

In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet the NTIA’s nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants.

Attempting to register a .US domain through GoDaddy, for example, leads to a U.S. Registration Information page that auto-populates the nexus attestation field with the response, “I am a citizen of the United States.” Other options include, “I am a permanent resident of the US,” and “My primary domicile is in the US.” It currently costs just $4.99 to obtain a .US domain through GoDaddy.

GoDaddy said it also conducts a scan of selected registration request information, and conducts “spot checks” on registrant information.

“We conduct regular reviews, per policy, of registration data within the Registry database to determine Nexus compliance with ongoing communications to registrars and registrants,” the company said in a written statement.

GoDaddy says it “is committed to supporting a safer online environment and proactively addressing this issue by assessing it against our own anti-abuse mitigation system.”

“We stand against DNS abuse in any form and maintain multiple systems and protocols to protect all the TLDs we operate,” the statement continued. “We will continue to work with registrars, cybersecurity firms and other stakeholders to make progress with this complex challenge.”

Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target.

“Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers,” Interisle wrote. “.US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great Britain’s Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority.”

The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public.

Interisle argues that without more stringent efforts to verify a United States nexus for new .US domain registrants, the NTIA’s proposal will make it even more difficult to identify phishers and verify registrants’ identities and nexus qualifications.

The NTIA has not yet responded to requests for comment.

Interisle sources its phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. For more phishing facts, see Interisle’s 2023 Phishing Landscape report (PDF).