Powering the infrastructures that sustain how people communicate, work, and live, our dependence on the energy sector has pushed it to the top of the list of targets for cybercriminals. Concerns on how to defend this critical sector have only been magnified by ongoing dilemmas in the economic and political landscapes.

Beyond the immediate financial losses and operational disruptions, attacks on a critical sector like energy have cascading effects on other sectors, such as manufacturing, healthcare, and transportation.

This blog post outlines these effects and challenges, exploring the reasons behind growing cyberattacks on energy grids and what energy and utilities suppliers can do to safeguard themselves from advanced threat actors.

A Global Snapshot of Recent Attacks on Energy

Some of the most notable attacks on energy and utilities providers have occurred in the past few years alone, marking threat actors’ increasingly steep interest in this sector.

Ransomware Extremes | How the Colonial Pipeline Attack Spurred Changes to US Cybersecurity Policies

Early in the morning of May 7, 2021, a ransom note was uncovered by a Colonial Pipeline employee, revealing a successful systems breach attributed to the DarkSide ransomware group. DarkSide had managed to exploit an outdated virtual private network (VPN) account, the first step leading to one of the most significant cyberattacks on the energy infrastructure in US history.

DarkSide threat actors had encrypted an estimated 100 GB of sensitive, business-critical data within Colonial’s expansive operational technology (OT) network. In response, Colonial Pipeline suspended all operations, including the delivery of over 2.5 million barrels of refined gasoline a day  to U.S. customers. Affecting businesses and millions of individuals along the East Coast of the United States, the fallout included lengthy gas lines reminiscent of the 1970s, price hikes, panic buying, and the closure of numerous fuel stations.

Shortly after this attack, the Transportation Security Administration (TSA) released a directive mandating that pipeline operators promptly notify CISA of all potential cyberattacks. The directive also required the presence of an on-site cybersecurity coordinator. A second directive soon followed, directing pipeline operators to address vulnerabilities, enhance their defenses, and create contingency plans for future security events. Earlier in 2023, CISA unveiled a Ransomware Vulnerability Warning Pilot (RVWP) program, set to support critical infrastructure providers with the best practices and tools needed to protect against ransomware attacks.

New Battlegrounds | Russian-Based Attacks on Energy Providers

At the onset of the invasion of Ukraine in early 2022, Ukrainian government officials revealed that Russian state-sponsored threat actors aimed to compromise the Ukrainian power grid, intending to trigger a blackout that would have impacted a staggering 2 million people. The attack involved the use of a wiper – a specialized form of malware designed to take down targeted systems by erasing critical data. Had the hack been successful, it would have caused the world’s biggest cyber-induced blackout to date.

One month after the invasion of Ukraine, President Biden issued a statement discussing the heightened potential of Russian cyberattacks against the US energy infrastructure in retaliation for imposing economic sanctions. Several US energy companies and more than a dozen others in associated sectors all reported to have experienced abnormal scanning from Russian-linked IP addresses, likely indicative of early reconnaissance in which threat actors scan targeted networks for vulnerabilities that could be used in a future attack.

Threat Actors’ Eyes on Energy | Why the Sector Is At Risk

The energy sector powers the reliability of all other sectors, making it the linchpin of all critical infrastructure. Extending far beyond single power plants, pipelines, or grid systems, the attack surface for the energy sector exists at every point on the power chain. This dependency on interconnected networks and industrial control systems (ICS) creates vulnerabilities that malicious actors find extremely attractive. Cyberattacks on the energy sector can disrupt the flow of essential resources, leading to power outages, fuel shortages, and economic instability.

Several factors underpin the risk faced by the energy sector.

Evolving Digitalization & Interconnectivity

Rapid digital transformation within the energy and utilities sector has expanded its attack surface. Increasing connectivity, cloud adoption, and the internet of things (IoT) integrations have introduced many more entry points for threat actors. This digital evolution, while boosting efficiency and monitoring capabilities, has also introduced vulnerabilities that malicious actors can exploit. Modern technologies have accelerated digitalization but also make this sector more susceptible to cyber threats than ever before.

Adding another layer of intricacy is the interdependence of all essential parts. For instance, a power outage in one region can have large ripple effects, affecting electricity availability in other parts of the country as smaller grids have to adapt to meet the sudden demand. Similarly, a compromised oil pipeline not only causes localized shortages but can trigger nationwide spikes in gas prices, highlighting the intricate web of interconnections within the industry.

Dispersed Geographic Locations & Reliance on Third-Parties

Energy and utility providers face an expanding attack surface, stemming from the challenge of securing geographically scattered assets such as hydroelectric dams and coal-fired generation plants. Safeguarding against multiple threats in a dispersed environment presents security leaders with a logistical challenge.

Making this more complex is the energy sector’s reliance on third-party supply chain relationships. The industry, which encompasses a blend of private and public ownership, is built on strategic partnerships among the various stakeholders. As a result, securing all the various components that make up the energy industry requires collective action and responsibility among diverse agencies and organizations, each of which have their own cybersecurity challenges.

Economic Incentives for Attackers

The energy and utilities sector is an enticing target for financially motivated cybercriminals. Ransomware attacks, in particular, have become increasingly prevalent, with actors seeking hefty payouts to unlock critical systems. Colonial Pipeline’s CEO explained that the company paid the “highly controversial” $4.4 million dollar ransom given the essential nature of the company’s infrastructure. The strains of recent times, including post-Covid economic uncertainty, inflation, and job losses, have created fertile ground for cyber extortion schemes, exacerbating the risk faced by this sector.

Gaps Between Physical & Cyber Infrastructure

Operational technology (OT) systems control and monitor physical processes, such as power generation, distribution, and transmission. These systems are increasingly interconnected with information technology (IT) networks to improve efficiency, optimize operations, and enable remote monitoring and control. This connection creates a bridge between the physical and cyber infractures, allowing data and commands to flow between them. However, gaps between the two greatly increase cyber risk.

The interdependencies between physical and cyber infrastructure mean that issues on the IT side have real-world consequences. For instance, a cyberattack on a power plant’s IT network can potentially disrupt the OT systems responsible for controlling critical processes. Conversely, physical events, such as equipment failures or power outages, can affect the availability and security of IT networks.

Powering Up Cyber Resilience Within the Energy Sector

The challenge for those in this sector lies in staying ahead of ever-evolving threat tactics. The following guidelines can help energy providers to mitigate risk and build a stronger, proactive cybersecurity posture.

Manage Cyber Risk Within the Supply Chain

Managing risk in the energy supply chain starts with understanding all current vendor relationships, including OSS dependencies, and creating stricter standards for procurement. Start by reviewing supplier assessments for all in-use vendors and agree on procurement processes and shared security responsibilities. To integrate cybersecurity into the procurement process, mandate software bill of materials (BOMs) to track all digital components in a system across the supply chain to identify potential issues.

Implement Hardware Authentication

Hardware authentication offers a robust approach to user authentication – a critical element in securing geographically dispersed OT networks in the energy sector. This strategy hinges on the use of a dedicated physical device, typically a token or hardware key, alongside a primary password. This dual-factor authentication method enhances access control by requiring both something the user knows (the password) and something the user has (the physical token) for access. Hardware authentication serves as a strong defense against unauthorized access, ensuring that only authorized personnel with the right physical device can interact with sensitive systems.

Leverage User-Behavior Analytics (UBA)

Going beyond predefined patterns or signatures, user-behavior analytics (UBA) delves into the nuanced behaviors of users within a given system. UBA’s strength lies in its capacity to alert on unusual or suspicious activities based on a comprehensive understanding of typical user interactions with a particular environment. By creating behavioral baselines for legitimate users, UBA can swiftly flag any deviations and pinpoint potential security breaches or insider threats.

UBA works by harnessing machine learning (ML) techniques to decipher the underlying intent behind user actions. This continuous learning and adaptation enable UBA to evolve alongside the ever-changing threat landscape, enhancing its accuracy in recognizing even the most subtle anomalies in user behavior.

Maintain Deep Visibility Through Real-Time Monitoring

Deep system and network visibility, coupled with real-time monitoring, detection, and response capabilities, are security essentials for the energy sector. Advanced security solutions such as autonomous and AI-powered XDR can offer a comprehensive view of both IT and OT environments, enabling security teams to shave off minutes when identifying anomalies and potential cyber threats.

In an era of evolving and sophisticated attacks, such as ransomware and state-sponsored intrusions, real-time monitoring ensures that any unusual activity is quickly detected, allowing for immediate action and remediation as needed. This proactive approach is critical in safeguarding critical energy infrastructure against cyber threats that could disrupt operations and endanger public safety.

Stay Up-to-Date with Government Guidelines & Resources

Legacy OT assets are designed without robust defenses against malicious cyber activities. Easy access to unsecured assets, wide availability of open-sourced device information (e.g. Shodan and Kamerka), and oft-deployed exploits accessible through frameworks like Metasploit, Core Impact, and Immunity Canvas, have all created a perfect storm of factors leading to increased cyber intrusion. To combat these growing risks, the U.S. government continues to urge energy and utilities providers to improve the resilience of their systems.

Following CISA’s latest warnings of increased exposure of OT systems to cyberattacks, the NSA published new resources this month to help organizations using SNORT improve their threat hunting. Called ‘ELITEWOLF’, the repository contains various ICS/SCADA (supervisory control and data acquisition)/OT-focused signatures and analytics to support critical suppliers as they implement continuous monitoring measures.

In addition to the new repository, CISA, FBI, NSA, and the U.S. Department of the Treasury also released guidance for OR vendors and other critical infrastructure facilities, focusing on how to minimize risk when using open-source software (OSS) in OT products.

Conclusion

Given their central role in powering economies, physical infrastructure, and digital systems, global energy and utility service providers have had to consider how to defend against  a new wave of cyber adversaries in the last few years. Recent shifts in geopolitics have also added a new layer of complexity to this threat landscape, further highlighting the need for enhanced cybersecurity measures.

To thwart these threats and safeguard critical power grids and pipelines, energy and utility providers are increasingly looking to adopt a proactive and adaptive cybersecurity approach. This entails comprehensive risk assessments, robust detection and response systems, and building safer standards for working with third-parties vendors.

SentinelOne is ready to stand by organizations in the energy sector by managing the evolving attack surface before attacks can happen. Contact us or request a demo to learn how our AI-powered, autonomous XDR platform, Singularity, provides protection to the nation’s critical power service providers.

The current conflict between Israel and the Hamas militant group has begun an onslaught of hacktivist-level activity carried out in the name of both sides. Amongst the ongoing fighting, numerous hacktivist groups and ‘lone wolves’ have taken the opportunity to maneuver into the cyber arena, deploying an array of malicious activities including Distributed-Denial-of-Service (DDoS) attacks, cyber defacement, doxxing, and custom malware launches.

So far, the use of novel malware/scareware and tools such as Redline Stealer and PrivateLoader by these threat actors continue to target Israeli citizens, businesses, and critical sector entities, causing data leaks and widespread disruptions. This write-up serves as a roundup of tactics and techniques we are observing in the Middle East, allowing security practitioners to stay informed and on top of developing threats stemming from the war.

Analysis of Data Leaks & Stealers

Haghjhoyan

Haghjhoyan, known also as the “Peace Seekers”, first emerged in October 2023. It is characterized as a pro-Iran hacktivist group, which has been leaking small archives of Israeli citizen data through their recently established Telegram channel. On October 8th, the group announced an infiltration of the Israeli Red Alert Emergency System. This was followed by the October 13th, 2023 announcement of the group’s infiltration of multiple critical infrastructure targets across Israel during which Haghjhoyan shared screenshots of their virtual network computing (VNC) sessions in a variety of utility-centric targets. ‘Proof’ files associated with this breach were also shared in the Haghjhoyan Telegram channel.

Between October 15th and October 19, 2023, the group continued to announce new leaks and attacks, including the claim of infecting “1000” Israeli computers. The full message shared is as follows: “1000 computers from Israel were infected. This is a gift from Palestinian children to Israel hac*kers and the bast*ard people of Israel”.

Screenshots shared in the Haghjhoyan Telegram channel show filenames that hold ‘clues’ potentially pointing towards the use of malware. Further, there is indication of potential social engineering lures used by the group to encourage the download and execution of trojanized applications.

In the image above, the following file names are of special interest:

• Frosty Mod Manager 1.0.6.0 (Beta 4) (FIFA 19)
• Subinfeudated Oat.exe
• Default-Dark-Mode-1.20-2023.6.0.zip

The ‘Frost Mod’ and ‘Default-Dark-Mode’ file names are references to the games FIFA and Minecraft respectively. From the data shared by the threat actor, it appears as though they are using these games as social engineering lures, manipulating targets through social media platforms like Discord, Whatsapp, and Telegram into launching trojanized versions of the applications. Targeting users of extremely popular games like Roblox, Minecraft, and FIFA with possible free ‘mod’ packages is an effective way to target a large portion of the general public.

We can also glean some information from the leaked data itself. For example, the stealer log output from the ICS targets contained in the leaked file “IL-ISRAEL-25PCS-2023.rar” is formatted in such a way that may suggest the use of Redline Stealer, or similar malware.

This is further solidified if we look at another leaked screenshot from the threat actors. The following screenshot shows the malware being executed. The file name on the launched executable also happens to be the SHA1 hash of the malware. SHA1 hash (0b0123d06d46aa035e8f09f537401ccc1ac442e0) is a public sample of Redline Stealer originating from 2019 and it is not exclusive to these attacks and campaigns.

In a separately-shared screenshot from Haghjhoyan, there are clues pointing to the use of another malware tool called PrivateLoader.

The “Subinfeudated Oat.exe” in the above image is a sample of PrivateLoader. Something of a commodity tool, it is often used as a method to download and launch additional malware payloads. Loaders such as this or Smoke Loader allows lower-tier actors evade basic detective controls like legacy antivirus (AV).

Through these two examples we can tie the use of PrivateLoader and Redline Stealer to these anti-Israel malware attacks driven by Haghjhoyan. Current intelligence indicates that the data being leaked by Haghjhoyan acquired via Redline is fresh and valid, not having been leaked in the wild prior. It should also be noted that Haghjhoyan made their Telegram channel private on October 24th, 2023.

Soldiers of Solomon

Another malicious hacktivist group going by the moniker, Soldiers of Solomon, has also made bold claims around the infiltration and infection of critical infrastructure in Israel. They have also claimed ownership of a customized ransomware called Crucio. On October 18th, 2023, the Soldiers of Solomon announced their attack via the resurrected BreachForums.

The Soldiers of Solomon also announced this effort via their public Telegram channel. The full message reads as follows: “The Soldiers of Solomon have taken full control of more than 50 servers, security cameras and smart city management system in Nevatim military area. Once we got access to those targets, we exfiltrated 25TB of data and ransomed them via our customised Crucio ransomware (Ltd). Database Link: https://www.mediafire.com/folder/5fahf8k…/All+Files”.

The ‘proof’ package, hosted on MediaFire, consists of the same screenshots provided in their Telegram channel.

The bulk of these images show a Windows desktop with a document (.jpg image) displayed with the Soldiers of Solomon’s anti-Israeli messaging.

From these images, we can see that the filename for the document displayed is “ref.jpg”.

Analysis of the Crucio ransomware deployment is ongoing and full details are not yet corroborated. That said, we can state that it is not outside the realm of possibility that these groups would repackage an existing or leaked malware builder or kit and use that as a payload to get their message out and cause disruption.

Cyb3r Drag0nz Team

Cyb3r Drag0nz Team is a hacktivist team with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity. They are now taking credit for multiple leaks and DDoS attacks against Israeli targets. This includes a DDoS attack against the official website of the Israeli Air Force.

Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks. To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.

The Cyb3r Drag0nz Team has been observed taking full advantage of various social media platforms to announce their targeting and intrusions. They post updates via Instagram, Twitter, and Telegram as well as FaceBook and Youtube.

Most recently, the group claims to have stolen the data of more than “1 million” Israeli citizens.

This announcement was accompanied with a RAR archive named “Israel Leaked By Cyb3r Drag0nz Team.rar”. Current analysis of data being leaked by Cyb3r Drag0nz Team shows a varying level of ‘freshness’. Some of the sample leaked data has appeared in prior leaks or dumps from other groups while other data appears to be new.

Conclusion

The hacktivist groups currently active in the Israel-Hamas conflict are ramping up in both intent and skill level. Though these groups are still relatively small, it is clear that they are carrying out successful attacks and putting ordinary citizens at risk. This class of criminal activity is often viewed as being of a lower tier, however, ongoing fighting in Gaza has provided a springboard for these groups to leverage political chaos to further their malicious cyber goals.

We believe that these groups are of relatively low-sophistication and financial resources. The malicious actors’ use of tools like Redline and PrivateLoader speak to their position of having to use what is at their disposal. This is bolstered by the example of using in-the-wild Redline samples with known hashes, revealing that the actors are not making the effort to modify or customize the older malware.

That said, these groups continue to impact ordinary civilians, putting their identity and data at risk to reach their goals. As the war continues to escalate across multiple arenas, these small-yet-effective attacks are expected to only increase.

We recommend the following the best practices that can help strengthen any existing cybersecurity measures:

• Focus on awareness and practice overly-diligent cyber hygiene. Take any opportunity to spread information about basic protection. Be vigilant against unexpected links, practice link validation, and do not engage in any unauthorized chats across popular social media platforms, particularly on Discord, Whatsapp, Telegram, and X.
• Some of the malicious tools mentioned in this post are known to be disguised as mods for popular games. In some cases, we saw FIFA 19, Minecraft, and Roblox being used as social engineering lures. Be aware of this potential lure style and think twice before downloading game mod packages, or take extra precautions when doing so.
• Update all security software and ensure it is properly configured. Use modern and reputable security solutions and software and look out for patches and fixes.
• Monitor all endpoints in your controls, whether at home or in an office, for signs of compromise. Having a robust XDR solution can provide deep visibility across endpoints in a system as well as automated detection and response capabilities.

Indicators of Compromise (IoCs)

Redline Stealer (SHA1)

0b0123d06d46aa035e8f09f537401ccc1ac442e0

PrivateLoader (SHA1)

a25e93b1cf9cf58182241a1a49d16d6c26a354b6

8ade64ade8ee865e1011effebe338aba8a7d931b

Businesses continue to digitize their critical infrastructures and operations, expanding their attack surface and exposure to various threat vectors. To combat this, leaders are recognizing the value of having in-house experts who can think like cybercriminals and help build a proactive stance against attackers.

Considering new and constant developments in the cyber threat landscape, business leaders can leverage the work of ethical hackers as well as red, blue, and purple teaming to stay ahead of malicious actors and APTs. These practices are useful tools in a security teams’ arsenal, collectively enhancing the resilience of organizations against threats.

This blog post discusses how ethical hacking and strategies involving red, blue, and purple teaming have risen over the years to help detect and mitigate vulnerabilities and also anticipate potential attacks. These practices promote a culture of continuous improvement in cybersecurity, as knowledge and expertise are shared and refined.

An Overview | Six Decades of Proactive Security Testing

Ethical hacking, red teaming, blue teaming, and purple teaming are important components of modern cybersecurity, each with its unique role and purpose in defending digital assets.

Ethical Hacking | The Formalization of “Hackers”

The history of ethical hacking, also known as white hat hacking, is intertwined with the development of computer technology and a growing global awareness of cybersecurity. In the early days of computing, during the 1960s and 1970s, the term “hacker” was used to describe individuals who were passionate about exploring computer systems and software to better understand how they worked. These early hackers, often operating in academic and research settings, laid the foundation for ethical hacking by uncovering vulnerabilities and sharing their findings to improve system security.

As computer networks expanded in the 1980s and 1990s, malicious hacking activities began to pose significant threats. In response, ethical hacking took on a more formalized role. Organizations recognized the need for experts who could use their knowledge of hacking techniques for legitimate, defensive purposes. The terms “ethical hacker” and “white hat hacker” emerged, and certifications like Certified Ethical Hacker (CEH) were introduced to provide formal training in the field.

Red Teaming | Simulations From the Cold War to the Corporate World

In contrast, the origins of red teaming can be traced back to military and strategic planning from the Cold War era, where it was employed as a tool for testing and refining defense strategies. Military organizations employed independent teams to simulate the tactics, strategies, and capabilities of potential adversaries. Called “red teams”, these testers helped defense planners assess vulnerabilities, evaluate their own strategies, and improve readiness in the event of real conflict.

Over time, the practice expanded beyond military circles to include corporate environments. Businesses began using red teaming as a means to test the security and resilience of their operations, including physical facilities and cybersecurity measures. The focus shifted to identifying weaknesses, vulnerabilities, and operational risks, rather than direct military threats.

In a modern context, organizations now use red teams to simulate cyberattacks and assess the effectiveness of their cybersecurity defenses. These teams employ various techniques to expose vulnerabilities and weaknesses in systems, networks, and applications, helping organizations enhance their security measures.

Blue Teaming | An Evolution of Proactive Network Protection

Blue teaming evolved in response to the need for organizations to take a proactive and defensive stance against cyber threats. It became more prominent with the growth of networked systems and critical infrastructure in the 1990s. Organizations recognized that they needed dedicated teams to focus on defense, monitoring, and incident response. These teams were tasked with assessing and improving the security measures in place, ensuring they were robust enough to withstand emerging threats.

The term “blue team” is derived from military war gaming exercises, where blue forces typically represent friendly and defensive elements. In cybersecurity, blue teams are responsible for protecting and fortifying an organization’s digital assets, including systems, networks, and data.

In the early 2000s, the advent of compliance regulations and standards such as the PCI-DSS and HIPAA further solidified the importance of blue teaming. Organizations had to demonstrate their commitment to safeguarding sensitive data, making blue teams a necessity.

Purple Teaming | Developing A More Holistic Approach to Cyber Defenses

Purple teaming is a relatively new and evolving concept, born out of the need for greater collaboration and knowledge sharing between red and blue teams. The term “purple teaming” is derived from the combination of red and blue, representing the merging of offensive (red) and defensive (blue) security operations. It has gained popularity as a response to an increasingly complex and adversarial threat landscape.

Purple teaming acts as a bridge between red and blue teams. In a purple team engagement, the offensive red team works closely with the defensive blue team. The red team provides insights into their tactics, techniques, and procedures (TTPs), while the blue team gains a deeper understanding of how to detect and respond to threats effectively. This cooperative approach helps organizations fine-tune their security measures and improve their overall cyber resilience.

The history of purple teaming is marked by a growing awareness of the need for a more holistic approach to cybersecurity. Organizations have recognized that sharing knowledge between red and blue teams is essential for a comprehensive understanding of their security posture. In doing so, purple teaming helps organizations adapt and strengthen their defenses against a wide range of evolving cyber threats.

Exploring The Complexities Behind Ethical Hacking

Ethical hackers are legally employed by organizations to assess and strengthen their cybersecurity defenses. These professionals are hired with the explicit consent and authorization of the company or institution they work with. Contracts and agreements clearly define the scope of their activities, ensuring that their actions are well within the boundaries of the law.

Ethical hackers operate under strict rules of engagement, abiding by legal and ethical guidelines while probing systems, networks, and applications for vulnerabilities. This transparent and consensual approach is essential to maintain the integrity of their work. At its core, the primary aim of ethical hacking is to improve security measures, protect sensitive data, and prevent cyber threats. Despite these good intentions though, ethical hacking is not without some practical complexities.

Regulating Ethical Hacking

The legal landscape surrounding ethical hacking is complex and nuanced, often varying from one jurisdiction to another. Navigating these legal boundaries can be challenging, as what is considered permissible in one region may inadvertently cross legal lines in another. For ethical hackers, this diversity of legal frameworks necessitates a deep understanding of the specific regulations and requirements in the areas where they operate.

Even with explicit authorization, they must remain vigilant and cautious to ensure that their activities conform to local laws and do not inadvertently violate any statutes. This legal intricacy underscores the need for not only ethical hacking skills but also a strong awareness of the legal framework in which they work, to guarantee their actions remain within the boundaries of the law.

Communication Is Key

Communication is another hurdle. Ethical hackers must clearly convey their findings to clients, who may not have a deep understanding of cybersecurity. Translating technical jargon into layman’s terms and helping clients prioritize remediation efforts can be a delicate task.

Ethical hackers must act as interpreters, bridging the gap between the technical aspects of their discoveries and the business implications they carry. They also play a critical role in helping clients prioritize remediation efforts by providing clear, actionable recommendations and risk assessments. This demanding role requires not only technical expertise but also strong interpersonal and communication skills, ensuring that clients can make informed decisions to bolster their security measures effectively.

Ethical Reporting Processes

Balancing the need for responsible disclosure is a pivotal ethical concern for ethical hackers. When they unearth critical vulnerabilities, the dilemma lies in how and when to report these findings. Timely disclosure is essential for organizations to patch vulnerabilities and protect their assets, but rushing the process can inadvertently inform malicious actors of weaknesses before mitigation measures are in place.

Ethical hackers must carefully weigh the urgency of disclosure against the potential risks, often following a structured responsible disclosure process. This entails notifying the affected organization, allowing them time to address the issue, and only revealing the vulnerability publicly once a fix is available, reducing the chances of exploitation by cybercriminals. Finding this equilibrium in the ethical tightrope walk is a constant challenge.

Implementing Ethical Hacking for the Modern Business

Modern enterprise businesses can collaboratively and safely work with ethical hackers to enhance their cybersecurity while adhering to a robust code of ethics. Here are key ways to establish a successful partnership:

• Clear Legal Framework – Create a clear legal framework outlining the terms and conditions of the engagement. Contracts and agreements should explicitly state the scope of work, responsibilities, and liabilities, ensuring compliance with applicable laws.
• Authorized Access – Ethical hackers must be granted an appropriate level of authorized access to the systems, networks, and applications they are testing. This access should be well-documented and any changes should be carefully monitored.
• Informed Consent – Ensure that the organization provides informed and unequivocal consent for ethical hacking activities. This consent should be obtained from all relevant stakeholders, including legal and executive teams.
• Code of Ethics – Create a comprehensive code of ethics or conduct for ethical hackers, emphasizing the principles of responsible disclosure, confidentiality, and professionalism. This code should outline expectations and responsibilities, ensuring alignment with the organization’s values.
• Data Protection and Privacy – Protect sensitive data and ensure that ethical hackers handle it with the utmost care. Implement robust data protection measures and clearly define how data should be handled during testing.
• Transparency – Foster open and transparent communication between the organization and ethical hackers. Regular updates and debriefings are essential to ensure that all parties are aware of the progress and findings.
• Vulnerability Disclosure Process – Establish a vulnerability disclosure process that outlines how identified weaknesses are reported, addressed, and resolved. This process should include timelines for patching vulnerabilities and ensuring a smooth remediation cycle.
• Documentation and Reporting – Ethical hackers should meticulously document their findings, including potential risks and possible exploits. This documentation is crucial for remediation and improvement efforts.

Augmenting Red, Blue & Purple Teaming with XDR

XDR, or Extended Detection and Response, plays a pivotal role in supporting and augmenting ethical hacking, red teaming, blue teaming, and purple teaming. Since XDR acts as an overarching security solution, it can bring these practices together, enhancing their effectiveness and bolstering the overall security posture.

Deep Visibility & Data Correlation

XDR provides ethical hackers with a more comprehensive view of an organization’s security landscape. It offers an integrated platform that collects, correlates, and analyzes data from multiple security tools, enabling ethical hackers to have a holistic understanding of potential vulnerabilities. This, in turn, empowers them to conduct more effective penetration tests, as they can better simulate real-world attack scenarios and discover intricate weaknesses.

Consolidated Data Streams

Red teaming benefits from XDR by gaining access to a broader set of data sources and enhanced visibility. XDR solutions can aggregate data from various security technologies, including intrusion detection systems, endpoint protection, and network traffic analysis, offering a consolidated view of the enterprise’s security posture. This consolidated data streamlines red team operations, making it easier to identify vulnerabilities and launch realistic cyberattack simulations.

Integrated Monitoring & Incident Response

Blue teaming thrives in an XDR environment due to the integrated monitoring and incident response capabilities. With XDR, blue teams can swiftly detect and respond to potential threats through real-time monitoring of security events and alerts. The cross-correlation of data from various sources allows blue teams to identify anomalies and potential breaches more effectively, improving response times and minimizing damage.

Collaborative Information Sharing

Purple teaming, which emphasizes collaboration between red and blue teams, is supported through XDR. XDR fosters information sharing between the teams and enables them to jointly assess an organization’s security readiness. By working with a consolidated dataset, the purple team can more effectively evaluate the organization’s response to simulated attacks and refine their defense strategies collaboratively.

XDR can enhance the efficiency and effectiveness of these cybersecurity practices by offering a single platform for data aggregation, correlation, and analysis. This unified approach not only streamlines operations but also enables a more agile and proactive response to emerging threats.

Conclusion

Cybercriminals are becoming more adept at exploiting vulnerabilities, making it imperative that organizations are equally effective in defending against these threats. Ethical hacking, red teaming, blue teaming, and purple teaming are not just cybersecurity measures; they have become strategic investments that secure not only data but also an organization’s reputation and day-to-day operations. By proactively seeking out weaknesses, organizations can significantly reduce the risks associated with data breaches, downtime, and financial losses.

Ethical hackers not only assist in finding vulnerabilities but also educate and train security teams to prevent future incidents. Red and blue teaming, representing the offense and defense in cybersecurity, help organizations strengthen their resilience. Purple teaming bridges the gap between red and blue, fostering collaboration, knowledge sharing, and mutual understanding. It enhances an organization’s ability to respond effectively to cyber threats.

When joined together with autonomous XDR capabilities, these practices foster a proactive culture of cybersecurity, reduce exposure to vulnerabilities, and provide invaluable insights for an organization’s security team. Beyond this, they help organizations comply with industry standards and regulations, which are essential in today’s highly regulated business environment.

To learn more about how Singularity XDR helps global enterprise businesses stay steps ahead of even the most advanced cyber threats, contact us today or book a demo.

The Good | Ragnar Locker’s Tor & Leak Sites Taken Down In International Seizure

Ragnar Locker took a serious blow this week when authorities seized the ransomware operation’s Tor negotiation and data leak sites. This is the latest takedown coordinated across over a dozen international authorities. Now, visitors to the once-infamous sites are greeted with a seizure message.

Standing as one of the longest-running ransomware operations to date, Ragnar Locker activity began in late 2019 with a primary focus on infiltrating enterprises. In that time, Ragnar Locker has been highly successful at infiltrating corporate networks, moving laterally through systems, harvesting sensitive data, and encrypting computers within compromised networks. Encrypted files and stolen data are powerful bargaining chips in the operations’ double extortion schemes.

While many similar operators have moved to a Ransomware-as-a-Service (RaaS) model, Ragnar Locker has remained semi-private. It has refrained from promotion and recruitment instead working with external operators to breach networks. Ragnar Locker is also known for pure data theft attacks, eschewing the file locking techniques that are characteristic of most ransomware operations.

In March 2022, the FBI published a flash alert warning that at least 52 organizations across 10 critical infrastructure sectors had fallen victim to Ragnar Locker. Over the years, Ragnar Locker’s rap sheet has boasted numerous high-profile victims, including Energias de Portugal (EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and the City of Antwerp, Belgium. The seizure this week marks a significant win for cybersecurity law enforcement and reinforces the ongoing global effort to dismantle cyber threat infrastructures.

The Bad | Critical CI/CD RCE Flaw Actively Exploited By DPRK-Based Threat Actors

DPRK-based threat actors linked to the Lazarus Group are actively exploiting a critical security vulnerability in JetBrains TeamCity this week. Tracked as CVE-2023-42793 (CVSS score 9.8), the authentication bypass and remote code execution (RCE) flaw affects JetBrains’ continuous integration and continuous delivery (CI/CD) solution. The company reports a customer base of nearly 16 million developers globally, including several Fortune 100 companies. Security researchers have attributed the recent attacks to two factions within the Lazarus Group, which they refer to as Diamond Sleet (aka Hidden Cobra) and Onyx Sleet (aka Andariel).

Diamond Sleet has been observed employing two distinct attack methods. The first involves breaching TeamCity servers, followed by deploying an implant from previously compromised legitimate infrastructure. The second approach leverages the initial foothold to introduce a malicious DLL through DLL search-order hijacking. This facilitates the execution of a subsequent payload or a remote access trojan (RAT).

Onyx Sleet’s intrusions exploit the flaw to create a new user account likely to impersonate a Kerberos Ticket Granting Ticket. This account is then added to the Local Administrators Group before the attacker performs system discovery commands. Afterwards, a custom proxy tool is deployed, establishing a persistent connection between the compromised host and attacker-controlled infrastructure.

Since 2009, the Lazarus Group has earned a reputation for its sophisticated and persistent cyberattacks, namely financial crimes, espionage, and supply chain attacks. JetBrains urges users to apply patches and thoroughly monitor networks for signs of compromise. The U.S. National Security Council (NSC) believes that the revenue generated from these illicit activities funds North Korea’s missile program and the recently increasing number of launches.

As much of the world’s attention has been focused recently on the cyber threats emanating out of first the Russia-Ukraine war and now the Israel-Hamas war, these intrusions serve as a timely reminder that there are ongoing and diverse cyber threats posed by North Korean and other state-sponsored actors that still require our constant vigilance.

The Ugly | Cisco IOS XE Under Attack By Unpatched, In-The-Wild Zero-Day Flaw

Thousands of vulnerable enterprises are facing potential compromises this week from in-the-wild exploitation of CVE-2023-20198; a critical vulnerability affecting Cisco’s IOS XE software. This zero-day flaw is rated the maximum CVSS severity score of 10.0 and rooted in the web UI feature. The bug affects enterprise networking equipment when the feature is enabled and accessible over the internet or untrusted networks.

According to Cisco’s advisory, the vulnerability allows remote, unauthenticated attackers to create an account with privilege level 15 access on a compromised system. This account can then be used to gain full control of the system. The issue affects both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled.

Latest reports tracking CVE-2023-20198 are finding that the flaw has given attackers privileged access, potentially allowing them to monitor network traffic, pivot into protected networks, and execute Man-in-the-Middle (MiTM) attacks. Shodan scans show that over 14,000 internet-exposed devices with the web UI feature enabled are currently vulnerable to attack.

While the exact origins of the threat actor behind these attacks are unclear, Cisco suggests that the initial cluster of activity seen in September may have been the actor’s testing phase, while October activity reflects an expansion of operations, including the establishment of persistent access. This has prompted CISA to issue an advisory, BOD for government organizations and add the zero-day to its Known Exploited Vulnerabilities (KEV) catalog.

Though there is currently no available patch at the time of this writing, Cisco recommends disabling the HTTP server feature on all internet-facing systems and using the copy running-configuration startup-configuration command to save the running-configuration. This should ensure the HTTP server feature is not unexpectedly enabled in the event of a system reload, Cisco said.

While much of cyber news often revolves around novel malware strains and high-profile data breaches, one threat that often flies under the radar relies on human vulnerability rather than technical vulnerabilities: social engineering attacks.

This type of attack exploits people’s most innate tendency to trust, comply, and share information. This is what makes these attacks exceptionally effective. Using psychological manipulation, cybercriminals behind these schemes are then able to trick users and organizations into giving up sensitive information, granting access to secure systems, or transferring funds.

As businesses and organizations rely more on interconnected systems and digital communication, they become more exposed to the dangers of social engineering. Part of countering this growing threat is understanding the psychology behind social engineering. Recognizing these tactics and the psychological triggers that attackers exploit can empower users and organizations to take proactive measures against the risks.

This blog delves into the intricacies of social engineering attacks, exploring the various forms they take and the underlying psychology behind these attacks. By mapping out the motivations and tactics used by attackers to exploit users’ cognitive biases and emotions, business leaders can learn how to recognize and resist attacks and stay one step ahead of cybercriminals.

The Fundamentals of Social Engineering Attacks

Social engineering attacks are multifaceted and ever-evolving making them an evergreen threat to individuals and businesses. These attacks draw on human psychology and social dynamics to manipulate users into divulging performing actions that compromise security, data, and assets.

Social engineering has become a bread-and-butter tactic for cybercriminals with recent reports finding a staggering 464% increase in email-based attacks in the first half of this year compared to 2022. Further, when considering such attacks per organization within the same time frame, researchers note a 24% increase, underscoring email as the leading attack vector used by cyberattackers.

Understanding the fundamentals of social engineering is critical for businesses and organizations, as it can help them recognize, defend against, and mitigate the risks these attacks pose in the short and long term.

Phishing

Phishing is one of the most common forms of social engineering. It typically involves sending fraudulent emails that appear to be from a reputable source, such as a bank or a trusted colleague. The goal is to trick the recipient into clicking on malicious links or providing sensitive information, like login credentials or financial details.

Spear Phishing

Spear phishing is a more targeted form of phishing. Attackers conduct extensive research on their victims, crafting highly personalized emails that are much harder to distinguish from legitimate communications. They often target individuals such as privileged admins that have access to valuable information or financial resources within an organization.

Pretexting

In pretexting attacks, the attacker creates a fabricated scenario or pretext to obtain information. This often involves impersonating someone with authority or a legitimate reason for needing sensitive data, such as supporting a customer, complying with IT support personnel, or granting approval for multi-factor authentication (MFA).

Baiting

Baiting attacks entice victims with an attractive promise, like a lucrative job offer, free software downloads, movies, or music. Once the victim takes the bait and downloads the file, malware is delivered, compromising the victim’s device and potentially spreading through the network.

Multi-Channel Attacks

Multi-channel social engineering leverages various communication platforms to manipulate and deceive individuals or organizations. Instead of relying on a single channel like email, attackers combine various communication methods, including email, phone calls, social media, and even physical interactions. This creates a convincing illusion of legitimacy and credibility, making it more challenging for targets to discern the fraudulent nature of the attack.

Pulling Back the Curtain | The Psychology Behind Social Engineering

Regardless of the type of attack, the role of psychological manipulation is key to successful attacks, exploiting the intricacies of human emotions, cognitive biases, and social dynamics. Human users can be tactfully manipulated into serving the attacker’s objectives.

The Psychology of Persuasion | Understanding the Attacker’s Mindset

Being aware of the manipulation strategies employed by attackers helps develop a heightened sense of skepticism, making it more challenging for social engineers to succeed.

Psychological manipulation involves a range of tactics that leverage fundamental aspects of human behavior:

• Trust and Authority – Social engineers often assume roles or identities that inspire trust. Whether posing as a trusted colleague, a senior executive, or a knowledgeable IT technician, they exploit the natural inclination to comply with authority figures and follow social norms.
• Reciprocity – By offering something of apparent value, even if it’s as simple as a small favor or free software, social engineers stimulate the instinct of reciprocity. When people feel they’ve received something, they’re more likely to return the favor, which can involve sharing information or granting access.
• Fear & Urgency – Creating a sense of urgency or fear in targeted victims is a common tactic. This can include warnings of impending threats, account compromises, or financial loss, which then pushes the targeted victim to act hastily without critical evaluation.
• Social Proof – People tend to follow the crowd or conform to social norms. Social engineers often use this bias by showing that others have already complied with their requests, suggesting that the target should do the same.
• Bonding & Connection – Building rapport and forming a connection with the target is a powerful tool. Social engineers may feign common interests, offer compliments, or appear as genuinely likable individuals to lower the target’s guard and increase their willingness to cooperate.
• Fear of Missing Out (FOMO) – Creating the illusion of scarcity, whether it’s a limited-time offer or an apparently ‘exclusive’ opportunity, plays on the very human fear of missing out. This compels the targeted victims to take action quickly, often without thinking things through.
• Commitment & Consistency – People tend to remain consistent with their prior actions and statements. Social engineers exploit this by encouraging small commitments or decisions that align with the targeted victims’ objectives. Once an individual commits to something, they are more likely to follow through with related, more significant requests, making them more susceptible to manipulation.

Cognitive Biases | Fertile Grounds Exploited by Social Engineers

Cognitive biases are deeply ingrained in how people think and make decisions. Cybercriminals focus on manipulating these biases to meet their malicious goals.

• Anchoring Bias – relying too heavily on the first piece of information encountered, even if it is irrelevant. Cybercriminals use anchoring bias to set an initial reference point that heavily influences a target’s subsequent decisions. For example, in a negotiation for a fraudulent deal, attackers might suggest an extravagantly high initial price, thus anchoring the target’s perception of what is reasonable.
• Confirmation Bias – the tendency to seek out, interpret, and remember information in a way that confirms one’s preexisting beliefs or expectations. Social engineers leverage this bias by providing fake evidence or information that aligns with the target’s preconceived notions, making the target more likely to trust and comply with their requests.
• Recency Bias – the tendency to give more weight to recent events or information. Social engineers exploit this bias by timing their attacks strategically, ensuring their requests align with recent experiences or news. This makes it more likely for the victim to accept the request without due scrutiny.
• Overconfidence Bias – the overestimation of one’s abilities, knowledge, or judgment. Attackers capitalize on this bias by encouraging targets to trust their own judgment in making decisions that benefit the attacker. Victims may believe they are too savvy to fall for scams, leaving them vulnerable to manipulation.

Rising Trends In Social Engineering

Recent developments in generative artificial intelligence (AI) are a cause for concern in the context of social engineering schemes. AI could be used by attackers to craft sophisticated threat campaigns that manipulate human behavior. Automating data collection and creating persuasive messages can significantly enhance the potential impact of such attacks.

The rise of deepfake technology has also introduced a new avenue for social engineering attacks where AI can be used to deceive a targeted victim into believing false information. Deepfakes leverage machine learning (ML) algorithms to create highly realistic images, audio, and videos that can easily fool viewers into thinking they are authentic. Deep fakes could allow attackers to impersonate high-profile individuals, such as senior leadership or government authorities, as a key part of their requests for access and information.

Recognizing Social Engineering Red Flags | Avoiding the Hooks, Lines, and Sinkers

Training and awareness programs can help teach employees about these biases and how they are used in social engineering attacks. To a trained eye, social engineering schemes are fraught with red flags. Learning how to recognize and resist these warning signs is how businesses can defend their sensitive data and keep their users safe from cyberattackers.

These are six of the most common triggers to look out for:

Red Flag #1: Out of the Blue Requests

One of the primary red flags in social engineering is receiving unsolicited requests or communications. Be cautious of unexpected emails, phone calls, or messages asking for sensitive information, money, or assistance. Cybercriminals often rely on the element of surprise to catch their targets off guard.

Red Flag #2: Feeling Under Pressure

Social engineers often employ tactics that create a sense of urgency and pressure to act quickly. They might claim that a situation requires immediate attention, or that failure to comply will lead to severe consequences. These pressure tactics are designed to override rational thinking and encourage hasty actions.

Red Flag #3: Unverified Sources & Contacts

If a request or communication comes from an unverified or unfamiliar source, treat it with skepticism. Verify the identity of the sender through a secondary means outside of the initial communication platform. Since social engineers can easily impersonate trusted individuals or entities, confirm all requests independently and directly with the person or company they claim to be.

Red Flag #4: Issues With the Content

Pay close attention to the content of the communication. Check for inconsistencies, misspellings, or unusual language that may suggest a fraudulent message. Cybercriminals often make mistakes in their attempts to deceive, and these errors can serve as warning signs.

Red Flag #5: Emotional Manipulation

Social engineers frequently employ emotional manipulation to sway their targets. Be wary of messages that evoke strong emotions, such as fear, excitement, or sympathy. When emotions cloud judgment, individuals become more susceptible to manipulation.

Red Flag #6: Requests for Sensitive Information or Credentials

Perhaps the most obvious red flag is a request for sensitive information or login credentials. Legitimate contacts rarely ask for private information through unsolicited messages. Be cautious when providing personal or confidential data, especially when prompted via email or messaging platforms.

Conclusion

Social engineers capitalize on human psychology, cognitive biases, and our innate tendency to trust all in effort to slip past set security measures. Recognizing the red flags and understanding the evolving techniques of social engineering attacks is critical for businesses building an effective defense against these types of attack.

The threat landscape for social engineering attacks continues to evolve, requiring a proactive and adaptive approach to defense. To stay steps ahead of cybercriminals, businesses and organizations must be vigilant in recognizing and resisting these attacks to mitigate the short-term and long-term risks they pose. By educating employees and implementing robust security measures, leaders can significantly reduce their vulnerability to social engineering attacks and safeguard their operations and sensitive data.

SentinelOne is ready to help business and organizational leaders build a proactive cybersecurity stance against social engineering-based threats through continuous threat detection and response capabilities and autonomous threat hunting. Contact us today or book a demo to learn more.