Power for the People | Cyber Threats in the Energy Sector and How To Defend Against Them

Powering the infrastructures that sustain how people communicate, work, and live, our dependence on the energy sector has pushed it to the top of the list of targets for cybercriminals. Concerns on how to defend this critical sector have only been magnified by ongoing dilemmas in the economic and political landscapes.

Beyond the immediate financial losses and operational disruptions, attacks on a critical sector like energy have cascading effects on other sectors, such as manufacturing, healthcare, and transportation.

This blog post outlines these effects and challenges, exploring the reasons behind growing cyberattacks on energy grids and what energy and utilities suppliers can do to safeguard themselves from advanced threat actors.

A Global Snapshot of Recent Attacks on Energy

Some of the most notable attacks on energy and utilities providers have occurred in the past few years alone, marking threat actors’ increasingly steep interest in this sector.

Ransomware Extremes | How the Colonial Pipeline Attack Spurred Changes to US Cybersecurity Policies

Early in the morning of May 7, 2021, a ransom note was uncovered by a Colonial Pipeline employee, revealing a successful systems breach attributed to the DarkSide ransomware group. DarkSide had managed to exploit an outdated virtual private network (VPN) account, the first step leading to one of the most significant cyberattacks on the energy infrastructure in US history.

DarkSide threat actors had encrypted an estimated 100 GB of sensitive, business-critical data within Colonial’s expansive operational technology (OT) network. In response, Colonial Pipeline suspended all operations, including the delivery of over 2.5 million barrels of refined gasoline a day to U.S. customers. Affecting businesses and millions of individuals along the East Coast of the United States, the fallout included lengthy gas lines reminiscent of the 1970s, price hikes, panic buying, and the closure of numerous fuel stations.

Shortly after this attack, the Transportation Security Administration (TSA) released a directive mandating that pipeline operators promptly notify CISA of all potential cyberattacks. The directive also required the presence of an on-site cybersecurity coordinator. A second directive soon followed, directing pipeline operators to address vulnerabilities, enhance their defenses, and create contingency plans for future security events. Earlier in 2023, CISA unveiled a Ransomware Vulnerability Warning Pilot (RVWP) program, set to support critical infrastructure providers with the best practices and tools needed to protect against ransomware attacks.

New Battlegrounds | Russian-Based Attacks on Energy Providers

At the onset of the invasion of Ukraine in early 2022, Ukrainian government officials revealed that Russian state-sponsored threat actors aimed to compromise the Ukrainian power grid, intending to trigger a blackout that would have impacted a staggering 2 million people. The attack involved the use of a wiper – a specialized form of malware designed to take down targeted systems by erasing critical data. Had the hack been successful, it would have caused the world’s biggest cyber-induced blackout to date.

One month after the invasion of Ukraine, President Biden issued a statement discussing the heightened potential of Russian cyberattacks against the US energy infrastructure in retaliation for imposing economic sanctions. Several US energy companies and more than a dozen others in associated sectors all reported to have experienced abnormal scanning from Russian-linked IP addresses, likely indicative of early reconnaissance in which threat actors scan targeted networks for vulnerabilities that could be used in a future attack.

Threat Actors’ Eyes on Energy | Why the Sector Is At Risk

The energy sector powers the reliability of all other sectors, making it the linchpin of all critical infrastructure. Extending far beyond single power plants, pipelines, or grid systems, the attack surface for the energy sector exists at every point on the power chain. This dependency on interconnected networks and industrial control systems (ICS) creates vulnerabilities that malicious actors find extremely attractive. Cyberattacks on the energy sector can disrupt the flow of essential resources, leading to power outages, fuel shortages, and economic instability.

Several factors underpin the risk faced by the energy sector.

Evolving Digitalization & Interconnectivity

Rapid digital transformation within the energy and utilities sector has expanded its attack surface. Increasing connectivity, cloud adoption, and the internet of things (IoT) integrations have introduced many more entry points for threat actors. This digital evolution, while boosting efficiency and monitoring capabilities, has also introduced vulnerabilities that malicious actors can exploit. Modern technologies have accelerated digitalization but also make this sector more susceptible to cyber threats than ever before.

Adding another layer of intricacy is the interdependence of all essential parts. For instance, a power outage in one region can have large ripple effects, affecting electricity availability in other parts of the country as smaller grids have to adapt to meet the sudden demand. Similarly, a compromised oil pipeline not only causes localized shortages but can trigger nationwide spikes in gas prices, highlighting the intricate web of interconnections within the industry.

Dispersed Geographic Locations & Reliance on Third-Parties

Energy and utility providers face an expanding attack surface, stemming from the challenge of securing geographically scattered assets such as hydroelectric dams and coal-fired generation plants. Safeguarding against multiple threats in a dispersed environment presents security leaders with a logistical challenge.

Making this more complex is the energy sector’s reliance on third-party supply chain relationships. The industry, which encompasses a blend of private and public ownership, is built on strategic partnerships among the various stakeholders. As a result, securing all the various components that make up the energy industry requires collective action and responsibility among diverse agencies and organizations, each of which have their own cybersecurity challenges.

Economic Incentives for Attackers

The energy and utilities sector is an enticing target for financially motivated cybercriminals. Ransomware attacks, in particular, have become increasingly prevalent, with actors seeking hefty payouts to unlock critical systems. Colonial Pipeline’s CEO explained that the company paid the “highly controversial” $4.4 million dollar ransom given the essential nature of the company’s infrastructure. The strains of recent times, including post-Covid economic uncertainty, inflation, and job losses, have created fertile ground for cyber extortion schemes, exacerbating the risk faced by this sector.

Gaps Between Physical & Cyber Infrastructure

Operational technology (OT) systems control and monitor physical processes, such as power generation, distribution, and transmission. These systems are increasingly interconnected with information technology (IT) networks to improve efficiency, optimize operations, and enable remote monitoring and control. This connection creates a bridge between the physical and cyber infrastructures, allowing data and commands to flow between them. However, gaps between the two greatly increase cyber risk.

The interdependencies between physical and cyber infrastructure mean that issues on the IT side have real-world consequences. For instance, a cyberattack on a power plant’s IT network can potentially disrupt the OT systems responsible for controlling critical processes. Conversely, physical events, such as equipment failures or power outages, can affect the availability and security of IT networks.

Powering Up Cyber Resilience Within the Energy Sector

The challenge for those in this sector lies in staying ahead of ever-evolving threat tactics. The following guidelines can help energy providers to mitigate risk and build a stronger, proactive cybersecurity posture.

Manage Cyber Risk Within the Supply Chain

Managing risk in the energy supply chain starts with understanding all current vendor relationships, including OSS dependencies, and creating stricter standards for procurement. Start by reviewing supplier assessments for all in-use vendors and agree on procurement processes and shared security responsibilities. To integrate cybersecurity into the procurement process, mandate software bills of materials (SBOMs) to track all digital components in a system across the supply chain and identify potential issues.

Implement Hardware Authentication

Hardware authentication offers a robust approach to user authentication – a critical element in securing geographically dispersed OT networks in the energy sector. This strategy hinges on the use of a dedicated physical device, typically a token or hardware key, alongside a primary password. This dual-factor authentication method enhances access control by requiring both something the user knows (the password) and something the user has (the physical token) for access. Hardware authentication serves as a strong defense against unauthorized access, ensuring that only authorized personnel with the right physical device can interact with sensitive systems.

Leverage User-Behavior Analytics (UBA)

Going beyond predefined patterns or signatures, user-behavior analytics (UBA) delves into the nuanced behaviors of users within a given system. UBA’s strength lies in its capacity to alert on unusual or suspicious activities based on a comprehensive understanding of typical user interactions with a particular environment. By creating behavioral baselines for legitimate users, UBA can swiftly flag any deviations and pinpoint potential security breaches or insider threats.

UBA works by harnessing machine learning (ML) techniques to decipher the underlying intent behind user actions. This continuous learning and adaptation enable UBA to evolve alongside the ever-changing threat landscape, enhancing its accuracy in recognizing even the most subtle anomalies in user behavior.
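To make the baseline-and-deviation idea concrete, the following is an added illustration (not SentinelOne's product code or any UBA vendor's implementation). It builds a per-user profile from a constructed set of historical events (the log format, hosts and users are invented for this example), then scores new events against that profile along three axes a UBA system would typically cover: a source host never seen for the user, activity outside the user's usual hours, and an outbound-volume z-score well above the user's norm. A real deployment would learn these baselines continuously with ML rather than from a handful of lines, but the decision structure is the same.

```python
"""Minimal user-behavior baseline and deviation check (added illustration)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed historical events: "timestamp user source_host bytes_out". Not real telemetry.
BASELINE_EVENTS = """\
2023-10-02T08:05:00 alice ws-ops-01 1200
2023-10-02T13:40:00 alice ws-ops-01 900
2023-10-03T09:15:00 alice ws-ops-02 1100
2023-10-03T16:50:00 alice ws-ops-01 1000
2023-10-04T10:00:00 alice ws-ops-01 1300
2023-10-02T07:30:00 bob hmi-station-3 400
2023-10-03T07:45:00 bob hmi-station-3 450
2023-10-04T08:00:00 bob hmi-station-3 420
"""

# Constructed events to score against the baseline (second line is the planted anomaly).
NEW_EVENTS = """\
2023-10-05T09:00:00 alice ws-ops-01 1150
2023-10-05T03:10:00 alice vpn-gw-7 85000
2023-10-05T07:50:00 bob hmi-station-3 430
"""


def parse(text):
    """Turn the whitespace-separated log lines into (datetime, user, host, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
    return events


def build_baseline(events):
    """Per user: hosts seen, span of active hours, mean and population stdev of bytes_out."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": [], "bytes": []})
    for ts, user, host, nbytes in events:
        profile = per_user[user]
        profile["hosts"].add(host)
        profile["hours"].append(ts.hour)
        profile["bytes"].append(nbytes)
    baseline = {}
    for user, p in per_user.items():
        baseline[user] = {
            "hosts": p["hosts"],
            "hour_min": min(p["hours"]),
            "hour_max": max(p["hours"]),
            "bytes_mean": statistics.mean(p["bytes"]),
            "bytes_stdev": statistics.pstdev(p["bytes"]),
        }
    return baseline


def score_event(baseline, event, z_threshold=3.0):
    """Return the list of reasons an event deviates from its user's profile (empty if none)."""
    ts, user, host, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if host not in profile["hosts"]:
        reasons.append(f"new source host {host}")
    if not profile["hour_min"] <= ts.hour <= profile["hour_max"]:
        reasons.append(
            f"activity at hour {ts.hour:02d} outside "
            f"{profile['hour_min']:02d}-{profile['hour_max']:02d}"
        )
    stdev = profile["bytes_stdev"] or 1.0  # users with constant volume would divide by zero
    z = (nbytes - profile["bytes_mean"]) / stdev
    if z > z_threshold:
        reasons.append(f"bytes_out z-score {z:.1f} exceeds {z_threshold}")
    return reasons


def find_deviations(baseline_text=BASELINE_EVENTS, new_text=NEW_EVENTS):
    """Score every new event; return (user, timestamp, reasons) for the ones that deviate."""
    baseline = build_baseline(parse(baseline_text))
    findings = []
    for event in parse(new_text):
        reasons = score_event(baseline, event)
        if reasons:
            findings.append((event[1], event[0].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in find_deviations():
        print(user, when, "; ".join(reasons))
```

Only the 03:10 event from an unseen VPN gateway with a large outbound volume is flagged; the two routine events score clean. The thresholds (3 sigma, strict hour window) are deliberately simple stand-ins for what a trained model would learn.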

Maintain Deep Visibility Through Real-Time Monitoring

Deep system and network visibility, coupled with real-time monitoring, detection, and response capabilities, are security essentials for the energy sector. Advanced security solutions such as autonomous and AI-powered XDR can offer a comprehensive view of both IT and OT environments, enabling security teams to shave off minutes when identifying anomalies and potential cyber threats.

In an era of evolving and sophisticated attacks, such as ransomware and state-sponsored intrusions, real-time monitoring ensures that any unusual activity is quickly detected, allowing for immediate action and remediation as needed. This proactive approach is critical in safeguarding critical energy infrastructure against cyber threats that could disrupt operations and endanger public safety.

Stay Up-to-Date with Government Guidelines & Resources

Legacy OT assets are designed without robust defenses against malicious cyber activities. Easy access to unsecured assets, wide availability of open-sourced device information (e.g. Shodan and Kamerka), and oft-deployed exploits accessible through frameworks like Metasploit, Core Impact, and Immunity Canvas, have all created a perfect storm of factors leading to increased cyber intrusion. To combat these growing risks, the U.S. government continues to urge energy and utilities providers to improve the resilience of their systems.

Following CISA’s latest warnings of increased exposure of OT systems to cyberattacks, the NSA published new resources this month to help organizations using Snort improve their threat hunting. Called ‘ELITEWOLF’, the repository contains various ICS/SCADA (supervisory control and data acquisition)/OT-focused signatures and analytics to support critical suppliers as they implement continuous monitoring measures.

In addition to the new repository, CISA, FBI, NSA, and the U.S. Department of the Treasury also released guidance for OT vendors and other critical infrastructure facilities, focusing on how to minimize risk when using open-source software (OSS) in OT products.


Given their central role in powering economies, physical infrastructure, and digital systems, global energy and utility service providers have had to consider how to defend against a new wave of cyber adversaries in the last few years. Recent shifts in geopolitics have also added a new layer of complexity to this threat landscape, further highlighting the need for enhanced cybersecurity measures.

To thwart these threats and safeguard critical power grids and pipelines, energy and utility providers are increasingly looking to adopt a proactive and adaptive cybersecurity approach. This entails comprehensive risk assessments, robust detection and response systems, and building safer standards for working with third-party vendors.

SentinelOne is ready to stand by organizations in the energy sector by managing the evolving attack surface before attacks can happen. Contact us or request a demo to learn how our AI-powered, autonomous XDR platform, Singularity™, provides protection to the nation’s critical power service providers.


The Good, the Bad and the Ugly in Cybersecurity – Week 43

The Good | Multi-Million Dollar Scam Syndicate Dismantled Revealing Stolen Data of 4 Million Citizens

Four million people won justice this week when the Spanish National Police successfully dismantled a cybercriminal organization responsible for monetizing their stolen data. The police agency carried out a total of 16 targeted searches across multiple Spanish cities, resulting in the arrest of 34 members of the criminal group.

Source: Europol

During these raids, authorities seized a cache of illicit items, including firearms, high-end cars, and 80,000 euros in cash. The most critical discovery, however, was the recovery of computers holding sensitive banking information belonging to four million individuals, all ill-gotten by infiltrating financial and credit institutions.

Based on their report, the Spanish police said that the group members were linked to a wide array of fraudulent schemes. Through email and SMS phishing scams, members impersonated delivery companies and electricity suppliers to gain their victims’ trust. The members were also known to call unsuspecting parents, pretending to be ‘sons in distress’ as a means to extract ‘urgently needed’ money. In other cases, they allegedly leveraged an insider within an international tech firm and routed valuable merchandise to addresses under their control. The crime syndicate is estimated to have earned approximately $3.2 million from reselling stolen data to other cybercriminals.

Though the ringleaders of this particular cybercrime ring have been caught, social engineering tactics remain top attack paths into critical systems. Awareness training programs, in combination with multi-factor authentication (MFA), identity threat detection and response (ITDR) solutions, and robust endpoint security, can help both organizations and individual users combat this type of threat.

The Bad | Pro-Russian APT Exploits Webmail Zero-Day to Harvest Email Data From European Governments

Winter Vivern APT has been found exploiting a zero-day vulnerability in Roundcube’s open-source webmail software. Targeting governments and think tanks in Europe, these attacks leveraged CVE-2023-5631 to harvest emails from compromised accounts. According to a security report this week, this is a marked step up for the threat actor’s cyber operations.

Russia- and Belarus-aligned Winter Vivern is a relatively underreported group with limited resources. In the latest string of attacks, however, researchers highlighted a notable shift in the APT’s tactics. Where Winter Vivern would typically exploit known flaws for which proof-of-concepts (PoCs) were readily available online, their latest attacks exploited a zero-day vulnerability. Zero-days are flaws that remain undisclosed to the software’s developers, giving threat actors an advantage. In this case, Winter Vivern’s exploitation of the Roundcube zero-day allowed them to infiltrate email accounts and exfiltrate valuable data without prior detection or mitigation.

CVE-2023-5631 is a stored cross-site scripting flaw that could allow remote threat actors to load arbitrary JavaScript code. The attacks began with phishing messages containing a Base64-encoded payload embedded within the HTML source code. This payload, when decoded, facilitated a JavaScript injection from a remote server. Then, a second-stage JavaScript component acted as a loader, enabling the execution of a final payload leading to exfiltration of email messages to a command-and-control (C2) server. A fix for the vulnerability has since been released by Roundcube.
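The detail worth acting on for defenders is the delivery mechanism: active markup hidden inside a Base64 blob in an HTML message body, which a naive markup filter never sees because it only inspects the literal HTML. The following added example (not from the article, Roundcube, or the researchers who reported the campaign) shows a mail-gateway style check that finds Base64-looking runs in an HTML body, decodes the ones that decode cleanly, and flags any whose decoded text contains script or event-handler markup. The sample message is constructed here; the hostname `example.invalid` and the script file name are placeholders.

```python
"""Flag Base64-encoded active markup hidden in an HTML email body (added illustration)."""
import base64
import re

# A run of 24+ Base64 alphabet characters with optional padding; short runs are ignored
# because they are almost always ordinary words or identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Markers of active content that should never appear once a blob is decoded.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript:|\bon[a-z]+\s*=|<\s*svg|<\s*iframe", re.IGNORECASE
)


def decode_candidates(html):
    """Yield (offset, decoded_text) for every Base64 run that decodes to valid UTF-8 text."""
    out = []
    for match in B64_RUN.finditer(html):
        blob = match.group(0)
        try:
            # validate=True rejects runs that merely look like Base64 (bad length/padding)
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        out.append((match.start(), text))
    return out


def find_encoded_markup(html):
    """Return one finding per decoded blob that carries script-like markup."""
    findings = []
    for offset, text in decode_candidates(html):
        hit = SUSPICIOUS.search(text)
        if hit:
            findings.append({"offset": offset, "marker": hit.group(0), "preview": text[:60]})
    return findings


# Constructed sample message: one harmless encoded note plus one encoded script tag
# smuggled inside a data: URL. Neither blob is from a real campaign.
_BENIGN_BLOB = base64.b64encode(b"Quarterly report attached, see page 3.").decode()
_ACTIVE_BLOB = base64.b64encode(
    b'<script src="https://example.invalid/loader.js"></script>'
).decode()
CONSTRUCTED_EMAIL_HTML = (
    "<html><body><p>Invoice attached.</p>"
    f"<p>{_BENIGN_BLOB}</p>"
    f'<img src="data:text/html;base64,{_ACTIVE_BLOB}">'
    "</body></html>"
)


if __name__ == "__main__":
    for finding in find_encoded_markup(CONSTRUCTED_EMAIL_HTML):
        print(f"offset {finding['offset']}: {finding['marker']!r} in {finding['preview']!r}")
```

The benign blob decodes to plain text and is ignored; the blob inside the `data:` URL decodes to a `<script>` tag and is reported. Running a decode-then-inspect pass like this on inbound HTML complements, rather than replaces, patching the webmail server: the patch closes the rendering flaw, the gateway check catches the lure before it reaches an unpatched client.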

Despite Winter Vivern’s limited resources, they have been able to lure high-value victims through persistent and frequent phishing campaigns and by leveraging unknown flaws in high traffic software. Organizations can stay safe by following regular patch schedules and ensuring deep monitoring within their systems.

The Ugly | Slews of Crypto Donation Scams Hit Social Media Platforms Amid Ongoing Israel-Hamas War

Cybercriminals are exploiting the deadly Israel-Hamas conflict to spread donation and fundraising scams through popular social media platforms. As reported this week, researchers have raised the alarm on how scammers are capitalizing on the ongoing war to solicit donations. So far, over 500 fraudulent emails have been observed impersonating charitable organizations and fundraisers. The cyber scammers have also been seen listing fraudulent cryptocurrency wallet addresses on Instagram, Telegram, and X, taking full advantage of high-strung emotions in the continuing political crisis.

Scam “aid Gaza” account on X (Source: BleepingComputer)

These scams seek to manipulate emotions, often posting graphic images of wounded soldiers, women, and children to spur action. Researchers saw similar social engineering tactics in circulation during the height of the Russo-Ukrainian war and following the Turkey-Syria earthquakes. To increase their chances of success, the scammers are creating multiple text variations to evade spam filters and modifying their designs to target specific groups. Spoofed websites often copy content directly from their legitimate counterparts, but crucially lack details about the organizational staff and contact information as well as fund usage.

Given the prevalence of these scams, the public is being advised to proceed with extreme caution when participating in online fundraisers. The U.S. Federal Trade Commission (FTC) has provided best practices to prevent falling victim to scams, and the IRS has also issued an advisory warning citizens against giving in to pressure. Always verify the authenticity of charitable organizations before making donations by referring to the government’s official charity register. Alongside social engineering schemes, security practitioners are warned to stay updated on other emerging cyber activity and threat actors currently active in the Middle East.

Hacktivism in the Israel-Hamas Conflict | Citizen Data Leaked Using Old Malware

The current conflict between Israel and the Hamas militant group has spurred an onslaught of hacktivist-level activity carried out in the name of both sides. Amid the ongoing fighting, numerous hacktivist groups and ‘lone wolves’ have taken the opportunity to maneuver into the cyber arena, deploying an array of malicious activities including distributed denial-of-service (DDoS) attacks, cyber defacement, doxxing, and custom malware launches.

So far, the use of novel malware/scareware and tools such as Redline Stealer and PrivateLoader by these threat actors continues to target Israeli citizens, businesses, and critical sector entities, causing data leaks and widespread disruptions. This write-up serves as a roundup of tactics and techniques we are observing in the Middle East, allowing security practitioners to stay informed and on top of developing threats stemming from the war.

Analysis of Data Leaks & Stealers


Haghjhoyan logo

Haghjhoyan, known also as the “Peace Seekers”, first emerged in October 2023. It is characterized as a pro-Iran hacktivist group, which has been leaking small archives of Israeli citizen data through their recently established Telegram channel. On October 8th, the group announced an infiltration of the Israeli Red Alert Emergency System. This was followed by the October 13th, 2023 announcement of the group’s infiltration of multiple critical infrastructure targets across Israel during which Haghjhoyan shared screenshots of their virtual network computing (VNC) sessions in a variety of utility-centric targets. ‘Proof’ files associated with this breach were also shared in the Haghjhoyan Telegram channel.

Attack on Israeli utilities

Between October 15 and October 19, 2023, the group continued to announce new leaks and attacks, including the claim of infecting “1000” Israeli computers. The full message shared is as follows: “1000 computers from Israel were infected. This is a gift from Palestinian children to Israel hac*kers and the bast*ard people of Israel”.

Attack on the Israeli public

Screenshots shared in the Haghjhoyan Telegram channel show filenames that hold ‘clues’ potentially pointing towards the use of malware. Further, there is indication of potential social engineering lures used by the group to encourage the download and execution of trojanized applications.

In the image above, the following file names are of special interest:

  • Frosty Mod Manager (Beta 4) (FIFA 19)
  • Subinfeudated Oat.exe
  • Default-Dark-Mode-1.20-2023.6.0.zip

The ‘Frosty Mod’ and ‘Default-Dark-Mode’ file names are references to the games FIFA and Minecraft respectively. From the data shared by the threat actor, it appears as though they are using these games as social engineering lures, manipulating targets through social media platforms like Discord, WhatsApp, and Telegram into launching trojanized versions of the applications. Targeting users of extremely popular games like Roblox, Minecraft, and FIFA with possible free ‘mod’ packages is an effective way to reach a large portion of the general public.

We can also glean some information from the leaked data itself. For example, the stealer log output from the ICS targets contained in the leaked file “IL-ISRAEL-25PCS-2023.rar” is formatted in such a way that may suggest the use of Redline Stealer, or similar malware.

Stealer logs from Haghjhoyan target showing similarities with Redline Stealer

This is further supported by another leaked screenshot from the threat actors, which shows the malware being executed. The file name of the launched executable also happens to be the SHA1 hash of the malware. That SHA1 hash (0b0123d06d46aa035e8f09f537401ccc1ac442e0) belongs to a public sample of Redline Stealer dating from 2019; it is not exclusive to these attacks and campaigns.
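Two defender-side checks fall out of this observation: matching file hashes against known-bad SHA1 values such as the Redline sample above, and noticing files whose name is literally their own SHA1 digest (a habit of samples pulled straight from public malware repositories). The following added example (not the article's or SentinelOne's tooling) implements both over a directory tree. The only real indicator in it is the SHA1 quoted in the text; the files it scans are constructed in a temporary directory, and the second IoC entry is the hash of one of those constructed files, added so the match path is exercised.

```python
"""Hash-based IoC sweep plus 'named after its own hash' check (added illustration)."""
import hashlib
import os
import re
import tempfile

# Real indicator quoted in the article: public Redline Stealer sample from 2019.
KNOWN_BAD_SHA1 = {"0b0123d06d46aa035e8f09f537401ccc1ac442e0"}

# A file stem that is exactly 40 hex digits looks like a SHA1 digest.
SHA1_NAME = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def sha1_of(path, chunk=1 << 20):
    """Stream the file through SHA1 so large binaries are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, iocs=KNOWN_BAD_SHA1):
    """Return {filename: [reasons]} for every file that matches an IoC or is named after its hash."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha1_of(path)
            stem = os.path.splitext(name)[0]
            reasons = []
            if digest in iocs:
                reasons.append("matches IoC")
            if SHA1_NAME.match(stem) and stem.lower() == digest:
                reasons.append("file is named after its own SHA1")
            if reasons:
                findings[name] = reasons
    return findings


def demo():
    """Build a constructed directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a sample dropped under its own hash (not real malware).
        self_named = b"constructed sample bytes, not real malware"
        self_digest = hashlib.sha1(self_named).hexdigest()
        with open(os.path.join(workdir, self_digest + ".exe"), "wb") as fh:
            fh.write(self_named)

        # Constructed file whose hash we add to the IoC set to exercise the match path.
        flagged = b"another constructed file"
        with open(os.path.join(workdir, "update.exe"), "wb") as fh:
            fh.write(flagged)

        # Benign control file.
        with open(os.path.join(workdir, "readme.txt"), "wb") as fh:
            fh.write(b"benign notes")

        iocs = KNOWN_BAD_SHA1 | {hashlib.sha1(flagged).hexdigest()}
        return scan_directory(workdir, iocs)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

The self-named check is a weak signal on its own (analysts' sandboxes produce such names too), so treat it as a prompt to look closer rather than a verdict; the IoC match is the hard hit.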

Redline running in leaked screenshot from Haghjhoyan

In a separately-shared screenshot from Haghjhoyan, there are clues pointing to the use of another malware tool called PrivateLoader.

The “Subinfeudated Oat” malicious application

The “Subinfeudated Oat.exe” in the above image is a sample of PrivateLoader. Something of a commodity tool, it is often used as a method to download and launch additional malware payloads. Loaders such as this or Smoke Loader allow lower-tier actors to evade basic detective controls like legacy antivirus (AV).

Through these two examples we can tie the use of PrivateLoader and Redline Stealer to the anti-Israel malware attacks driven by Haghjhoyan. Current intelligence indicates that the data leaked by Haghjhoyan and acquired via Redline is fresh and valid, not having been leaked in the wild previously. It should also be noted that Haghjhoyan made their Telegram channel private on October 24th, 2023.

Soldiers of Solomon

Another malicious hacktivist group, going by the moniker Soldiers of Solomon, has also made bold claims around the infiltration and infection of critical infrastructure in Israel. They have also claimed ownership of a customized ransomware called Crucio. On October 18th, 2023, the Soldiers of Solomon announced their attack via the resurrected BreachForums.

Announcement of Crucio ransomware attack (BreachForums)

The Soldiers of Solomon also announced this effort via their public Telegram channel. The full message reads as follows: “The Soldiers of Solomon have taken full control of more than 50 servers, security cameras and smart city management system in Nevatim military area. Once we got access to those targets, we exfiltrated 25TB of data and ransomed them via our customised Crucio ransomware (Ltd). Database Link: https://www.mediafire.com/folder/5fahf8k…/All+Files”.

The ‘proof’ package, hosted on MediaFire, consists of the same screenshots provided in their Telegram channel.

Soldiers of Solomon ‘proof’ screenshots

The bulk of these images show a Windows desktop with a document (.jpg image) displayed with the Soldiers of Solomon’s anti-Israeli messaging.

Soldiers of Solomon “infected” host

From these images, we can see that the filename for the document displayed is “ref.jpg”.

ref.jpg note

Analysis of the Crucio ransomware deployment is ongoing and full details are not yet corroborated. That said, we can state that it is not outside the realm of possibility that these groups would repackage an existing or leaked malware builder or kit and use that as a payload to get their message out and cause disruption.

Cyb3r Drag0nz Team

Cyb3r Drag0nz Team logo

Cyb3r Drag0nz Team is a hacktivist team with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity. They are now taking credit for multiple leaks and DDoS attacks against Israeli targets. This includes a DDoS attack against the official website of the Israeli Air Force.

Cyb3r Drag0nz Team claims to have leaked data on over a million Israeli citizens spread across multiple leaks. To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.

The Cyb3r Drag0nz Team has been observed taking full advantage of various social media platforms to announce their targeting and intrusions. They post updates via Instagram, Twitter, and Telegram as well as Facebook and YouTube.

Data of 6000 Israeli citizens leaked

Most recently, the group claims to have stolen the data of more than “1 million” Israeli citizens.

Israel citizen data leaked by Cyb3r Drag0nz Team

This announcement was accompanied with a RAR archive named “Israel Leaked By Cyb3r Drag0nz Team.rar”. Current analysis of data being leaked by Cyb3r Drag0nz Team shows a varying level of ‘freshness’. Some of the sample leaked data has appeared in prior leaks or dumps from other groups while other data appears to be new.

Files shared by Cyb3r Drag0nz Team


The hacktivist groups currently active in the Israel-Hamas conflict are ramping up in both intent and skill level. Though these groups are still relatively small, it is clear that they are carrying out successful attacks and putting ordinary citizens at risk. This class of criminal activity is often viewed as being of a lower tier, however, ongoing fighting in Gaza has provided a springboard for these groups to leverage political chaos to further their malicious cyber goals.

We believe that these groups are of relatively low sophistication and have limited financial resources. The malicious actors’ use of tools like Redline and PrivateLoader speaks to their position of having to use what is at their disposal. This is bolstered by the example of using in-the-wild Redline samples with known hashes, revealing that the actors are not making the effort to modify or customize the older malware.

That said, these groups continue to impact ordinary civilians, putting their identity and data at risk to reach their goals. As the war continues to escalate across multiple arenas, these small-yet-effective attacks are expected to only increase.

We recommend the following best practices that can help strengthen any existing cybersecurity measures:

  • Focus on awareness and practice overly-diligent cyber hygiene. Take any opportunity to spread information about basic protection. Be vigilant against unexpected links, practice link validation, and do not engage in any unauthorized chats across popular social media platforms, particularly on Discord, WhatsApp, Telegram, and X.
  • Some of the malicious tools mentioned in this post are known to be disguised as mods for popular games. In some cases, we saw FIFA 19, Minecraft, and Roblox being used as social engineering lures. Be aware of this potential lure style and think twice before downloading game mod packages, or take extra precautions when doing so.
  • Update all security software and ensure it is properly configured. Use modern and reputable security solutions and software and look out for patches and fixes.
  • Monitor all endpoints under your control, whether at home or in an office, for signs of compromise. Having a robust XDR solution can provide deep visibility across endpoints in a system as well as automated detection and response capabilities.

Indicators of Compromise (IoCs)

Redline Stealer (SHA1)


PrivateLoader (SHA1)



Decrypting SentinelOne’s Detection | An In-depth Look at Our Real-Time CWPP Static AI Engine

Artificial intelligence (AI) is such a hot topic right now with everyone clamoring to say how their company is leveraging AI in all the new, flashy ways. Here at SentinelOne, we don’t do hype or hyperbole and AI is nothing new. We were founded in 2013 on the premise that AI could fundamentally transform cybersecurity and achieve real-time defenses against machine-speed attacks. Our cloud workload protection platform (CWPP), Singularity Cloud Workload Security, uses AI to deliver real-time detection and response to runtime threats. Our CWPP agent uses five engines onboard:

  • Static AI Engine
  • Cloud Intelligence Engine
  • App Control Engine
  • Behavioral AI Engine
  • STAR Rules Engine

Some of the engines use AI while others are rules-based. Each works in concert with the other to defend business applications (aka workloads) running on your infrastructure whether in public or private cloud, on servers, VMs, or containers. To better understand the role of AI in achieving this objective, this blog post focuses on our Static AI Engine and is the first of a five-part series exploring each of our detection engines.

Static AI Engine 101

Much like cloud security, AI itself is a broad field and machine learning (ML) is a subset of this field. ML is exactly as the name suggests: machines learning to perform a task with high accuracy. ML models can be trained for any number of uses, from the academic (e.g., to differentiate between photographs of dalmatian puppies or chocolate chip ice cream) to the highly practical, such as differentiating between benign files and malware.

At the highest level of abstraction, our Static AI Engine consists of supervised machine learning algorithms which analyze files before they execute, examining the file structure and searching for historical patterns synonymous with malicious intent. Digging in a little deeper, the Static AI Engine is a classifier engine, categorizing the files being scanned in a number of classes, such as benign, suspicious, malicious, and so on. Ultimately, the decision tree algorithm delivers a predictive confidence level for a file’s maliciousness. For ML models to perform well, they must be trained over a large data set. SentinelOne’s classifier algorithms have been trained across nearly a billion samples over the past decade, and our threat researchers are continuously improving the models against the latest threats.

Where Static Detection Shines

Static detection of malicious files has several pronounced advantages. Most notably, examining a potentially malicious file before it executes means, quite simply, your endpoint and cloud workloads are protected from malware before it has the opportunity to transact evil. Additionally, static file analysis is computationally inexpensive relative to behavioral analysis. The latter embeds more behavioral signals across the operating system (OS), requiring certain techniques to observe OS-level processes as the file executes. This relative computational efficiency is especially important on cloud infrastructure-as-a-service (IaaS), because every bit of CPU usage shows up on the monthly bill from your cloud service provider (CSP). Therefore, being a good steward of CPU resources is especially important for the CWPP agent, all the more so at scale.

Static analysis is an excellent way to detect malware, but it can’t solve every use case. For example, fileless attacks that launch processes directly from memory without ever creating a file on disk cannot be detected via static analysis. Such memory injection attacks require different detection capabilities. Security teams need not worry, as the behavioral analysis in the SentinelOne CWPP agent’s Behavioral AI Engine can detect memory injection attacks. We’ll dive deeper into Behavioral AI in part two of this blog series.

Case Study | Static Detection vs. Trojan Malware

Recently, the SentinelOne CWPP agent detected Linux malware targeting a customer’s public cloud infrastructure. In this example, the Static AI Engine detected that an originating process called ‘busybox’ wrote a suspicious ELF file to storage associated with a customer’s Amazon EC2 instance. Upon subsequent analysis by SentinelOne, we believe this ELF file to be a Trojan. As the name would suggest, a Trojan is a type of malware that is disguised as a real, reputable program. The supervised ML models in the Static AI Engine are trained in SentinelOne’s labs to recognize features of Trojan malware and more, such as communication modules back to command and control (C2) infrastructure owned by threat actors.

Once written, the ELF file was set to executable and then called back to a malicious IP address. This C2 infrastructure was a cloud compute instance controlled by the threat actor and operated from another cloud service provider in Europe. Cloud infrastructure is especially attractive to threat actors for use as C2 infrastructure, because they can change IP addresses, locations, and domain names in an attempt to cover their tracks. Our CWPP agent collected all the precise details, which we intentionally redacted from this example to protect our client’s identity.

Figure 1: CWPP Static Threat Detection in the SentinelOne Console

In the SentinelOne management console shown in Figure 1, there are a few things to point out. The engine responsible for making the threat detection is “On-Write Static AI,” meaning that the Static AI Engine made the detection when a suspicious file was written to disk.

Secondly, the AI Confidence Level is shown as “SUSPICIOUS.” There are two confidence levels: SUSPICIOUS and MALICIOUS. Different policies for response action can be set for each confidence level. Finally, the agent policy for this detection confidence level is shown as “Detect.” This means that the agent has issued an alert, but no response action is taken, meaning that it is awaiting disposition from a cybersecurity professional.

In this specific example, the customer is also subscribed to our Vigilance MDR service. As shown in the incident notes section of Figure 1, the SentinelOne Vigilance analyst confirmed the verdict as a true positive, took mitigative actions to quarantine the threat file, and then notified the customer. Since the Threat Status was “Mitigated,” the status symbol in the upper left of the console displays a green shield with a check mark.

It is worth noting that agent policy can just as easily be set to “Protect”. The choice between Detect or Protect Mode is governed by policies which the customer controls. If the policy had been set to Protect for this case study example, the mitigation response action would have been fully automated and executed immediately after the detection, surgically unwinding the effects of the attack while simultaneously preserving a record of all telemetry collected during the incident.


The Static AI Engine truly is the workhorse of our CWPP agent. By training our proprietary ML models over nearly a billion malware samples over the course of nearly a decade, our static file analysis is the first line of defense in our ruthlessly efficient CWPP agent.

To learn more about the value of real-time CWPP in your cloud security stack, head over to the solution homepage. Or see how Singularity Cloud Workload Security works with a 2-minute guided walk-through here. For a personalized demo, connect with one of our cloud security experts today.

EBook: A Cloud Workload Protection Platform Buyer’s Guide
The Cloud Workload Protection Platform Buyer’s Guide is designed to walk you through key considerations when buying cloud workload solutions. We hope it helps to bring clarity to your evaluation and selection process.

The Realm of Ethical Hacking | Red, Blue & Purple Teaming Explained

Businesses continue to digitize their critical infrastructures and operations, expanding their attack surface and exposure to various threat vectors. To combat this, leaders are recognizing the value of having in-house experts who can think like cybercriminals and help build a proactive stance against attackers.

Considering new and constant developments in the cyber threat landscape, business leaders can leverage the work of ethical hackers as well as red, blue, and purple teaming to stay ahead of malicious actors and APTs. These practices are useful tools in a security team’s arsenal, collectively enhancing the resilience of organizations against threats.

This blog post discusses how ethical hacking and strategies involving red, blue, and purple teaming have risen over the years to help detect and mitigate vulnerabilities and also anticipate potential attacks. These practices promote a culture of continuous improvement in cybersecurity, as knowledge and expertise are shared and refined.

An Overview | Six Decades of Proactive Security Testing

Ethical hacking, red teaming, blue teaming, and purple teaming are important components of modern cybersecurity, each with its unique role and purpose in defending digital assets.

Ethical Hacking | The Formalization of “Hackers”

The history of ethical hacking, also known as white hat hacking, is intertwined with the development of computer technology and a growing global awareness of cybersecurity. In the early days of computing, during the 1960s and 1970s, the term “hacker” was used to describe individuals who were passionate about exploring computer systems and software to better understand how they worked. These early hackers, often operating in academic and research settings, laid the foundation for ethical hacking by uncovering vulnerabilities and sharing their findings to improve system security.

As computer networks expanded in the 1980s and 1990s, malicious hacking activities began to pose significant threats. In response, ethical hacking took on a more formalized role. Organizations recognized the need for experts who could use their knowledge of hacking techniques for legitimate, defensive purposes. The terms “ethical hacker” and “white hat hacker” emerged, and certifications like Certified Ethical Hacker (CEH) were introduced to provide formal training in the field.

Red Teaming | Simulations From the Cold War to the Corporate World

In contrast, the origins of red teaming can be traced back to military and strategic planning from the Cold War era, where it was employed as a tool for testing and refining defense strategies. Military organizations employed independent teams to simulate the tactics, strategies, and capabilities of potential adversaries. Called “red teams”, these testers helped defense planners assess vulnerabilities, evaluate their own strategies, and improve readiness in the event of real conflict.

Over time, the practice expanded beyond military circles to include corporate environments. Businesses began using red teaming as a means to test the security and resilience of their operations, including physical facilities and cybersecurity measures. The focus shifted to identifying weaknesses, vulnerabilities, and operational risks, rather than direct military threats.

In a modern context, organizations now use red teams to simulate cyberattacks and assess the effectiveness of their cybersecurity defenses. These teams employ various techniques to expose vulnerabilities and weaknesses in systems, networks, and applications, helping organizations enhance their security measures.

Blue Teaming | An Evolution of Proactive Network Protection

Blue teaming evolved in response to the need for organizations to take a proactive and defensive stance against cyber threats. It became more prominent with the growth of networked systems and critical infrastructure in the 1990s. Organizations recognized that they needed dedicated teams to focus on defense, monitoring, and incident response. These teams were tasked with assessing and improving the security measures in place, ensuring they were robust enough to withstand emerging threats.

The term “blue team” is derived from military war gaming exercises, where blue forces typically represent friendly and defensive elements. In cybersecurity, blue teams are responsible for protecting and fortifying an organization’s digital assets, including systems, networks, and data.

In the early 2000s, the advent of compliance regulations and standards such as the PCI-DSS and HIPAA further solidified the importance of blue teaming. Organizations had to demonstrate their commitment to safeguarding sensitive data, making blue teams a necessity.

Purple Teaming | Developing A More Holistic Approach to Cyber Defenses

Purple teaming is a relatively new and evolving concept, born out of the need for greater collaboration and knowledge sharing between red and blue teams. The term “purple teaming” is derived from the combination of red and blue, representing the merging of offensive (red) and defensive (blue) security operations. It has gained popularity as a response to an increasingly complex and adversarial threat landscape.

Purple teaming acts as a bridge between red and blue teams. In a purple team engagement, the offensive red team works closely with the defensive blue team. The red team provides insights into their tactics, techniques, and procedures (TTPs), while the blue team gains a deeper understanding of how to detect and respond to threats effectively. This cooperative approach helps organizations fine-tune their security measures and improve their overall cyber resilience.

The history of purple teaming is marked by a growing awareness of the need for a more holistic approach to cybersecurity. Organizations have recognized that sharing knowledge between red and blue teams is essential for a comprehensive understanding of their security posture. In doing so, purple teaming helps organizations adapt and strengthen their defenses against a wide range of evolving cyber threats.

Exploring The Complexities Behind Ethical Hacking

Ethical hackers are legally employed by organizations to assess and strengthen their cybersecurity defenses. These professionals are hired with the explicit consent and authorization of the company or institution they work with. Contracts and agreements clearly define the scope of their activities, ensuring that their actions are well within the boundaries of the law.

Ethical hackers operate under strict rules of engagement, abiding by legal and ethical guidelines while probing systems, networks, and applications for vulnerabilities. This transparent and consensual approach is essential to maintain the integrity of their work. At its core, the primary aim of ethical hacking is to improve security measures, protect sensitive data, and prevent cyber threats. Despite these good intentions, though, ethical hacking is not without some practical complexities.

Regulating Ethical Hacking

The legal landscape surrounding ethical hacking is complex and nuanced, often varying from one jurisdiction to another. Navigating these legal boundaries can be challenging, as what is considered permissible in one region may inadvertently cross legal lines in another. For ethical hackers, this diversity of legal frameworks necessitates a deep understanding of the specific regulations and requirements in the areas where they operate.

Even with explicit authorization, they must remain vigilant and cautious to ensure that their activities conform to local laws and do not inadvertently violate any statutes. This legal intricacy underscores the need for not only ethical hacking skills but also a strong awareness of the legal framework in which they work, to guarantee their actions remain within the boundaries of the law.

Communication Is Key

Communication is another hurdle. Ethical hackers must clearly convey their findings to clients, who may not have a deep understanding of cybersecurity. Translating technical jargon into layman’s terms and helping clients prioritize remediation efforts can be a delicate task.

Ethical hackers must act as interpreters, bridging the gap between the technical aspects of their discoveries and the business implications they carry. They also play a critical role in helping clients prioritize remediation efforts by providing clear, actionable recommendations and risk assessments. This demanding role requires not only technical expertise but also strong interpersonal and communication skills, ensuring that clients can make informed decisions to bolster their security measures effectively.

Ethical Reporting Processes

Balancing the need for responsible disclosure is a pivotal ethical concern for ethical hackers. When they unearth critical vulnerabilities, the dilemma lies in how and when to report these findings. Timely disclosure is essential for organizations to patch vulnerabilities and protect their assets, but rushing the process can inadvertently inform malicious actors of weaknesses before mitigation measures are in place.

Ethical hackers must carefully weigh the urgency of disclosure against the potential risks, often following a structured responsible disclosure process. This entails notifying the affected organization, allowing them time to address the issue, and only revealing the vulnerability publicly once a fix is available, reducing the chances of exploitation by cybercriminals. Finding this equilibrium in the ethical tightrope walk is a constant challenge.

Implementing Ethical Hacking for the Modern Business

Modern enterprise businesses can collaboratively and safely work with ethical hackers to enhance their cybersecurity while adhering to a robust code of ethics. Here are key ways to establish a successful partnership:

  • Clear Legal Framework – Create a clear legal framework outlining the terms and conditions of the engagement. Contracts and agreements should explicitly state the scope of work, responsibilities, and liabilities, ensuring compliance with applicable laws.
  • Authorized Access – Ethical hackers must be granted an appropriate level of authorized access to the systems, networks, and applications they are testing. This access should be well-documented and any changes should be carefully monitored.
  • Informed Consent – Ensure that the organization provides informed and unequivocal consent for ethical hacking activities. This consent should be obtained from all relevant stakeholders, including legal and executive teams.
  • Code of Ethics – Create a comprehensive code of ethics or conduct for ethical hackers, emphasizing the principles of responsible disclosure, confidentiality, and professionalism. This code should outline expectations and responsibilities, ensuring alignment with the organization’s values.
  • Data Protection and Privacy – Protect sensitive data and ensure that ethical hackers handle it with the utmost care. Implement robust data protection measures and clearly define how data should be handled during testing.
  • Transparency – Foster open and transparent communication between the organization and ethical hackers. Regular updates and debriefings are essential to ensure that all parties are aware of the progress and findings.
  • Vulnerability Disclosure Process – Establish a vulnerability disclosure process that outlines how identified weaknesses are reported, addressed, and resolved. This process should include timelines for patching vulnerabilities and ensuring a smooth remediation cycle.
  • Documentation and Reporting – Ethical hackers should meticulously document their findings, including potential risks and possible exploits. This documentation is crucial for remediation and improvement efforts.

Augmenting Red, Blue & Purple Teaming with XDR

XDR, or Extended Detection and Response, plays a pivotal role in supporting and augmenting ethical hacking, red teaming, blue teaming, and purple teaming. Since XDR acts as an overarching security solution, it can bring these practices together, enhancing their effectiveness and bolstering the overall security posture.

Deep Visibility & Data Correlation

XDR provides ethical hackers with a more comprehensive view of an organization’s security landscape. It offers an integrated platform that collects, correlates, and analyzes data from multiple security tools, enabling ethical hackers to have a holistic understanding of potential vulnerabilities. This, in turn, empowers them to conduct more effective penetration tests, as they can better simulate real-world attack scenarios and discover intricate weaknesses.

Consolidated Data Streams

Red teaming benefits from XDR by gaining access to a broader set of data sources and enhanced visibility. XDR solutions can aggregate data from various security technologies, including intrusion detection systems, endpoint protection, and network traffic analysis, offering a consolidated view of the enterprise’s security posture. This consolidated data streamlines red team operations, making it easier to identify vulnerabilities and launch realistic cyberattack simulations.

Integrated Monitoring & Incident Response

Blue teaming thrives in an XDR environment due to the integrated monitoring and incident response capabilities. With XDR, blue teams can swiftly detect and respond to potential threats through real-time monitoring of security events and alerts. The cross-correlation of data from various sources allows blue teams to identify anomalies and potential breaches more effectively, improving response times and minimizing damage.

Collaborative Information Sharing

Purple teaming, which emphasizes collaboration between red and blue teams, is supported through XDR. XDR fosters information sharing between the teams and enables them to jointly assess an organization’s security readiness. By working with a consolidated dataset, the purple team can more effectively evaluate the organization’s response to simulated attacks and refine their defense strategies collaboratively.

XDR can enhance the efficiency and effectiveness of these cybersecurity practices by offering a single platform for data aggregation, correlation, and analysis. This unified approach not only streamlines operations but also enables a more agile and proactive response to emerging threats.


Cybercriminals are becoming more adept at exploiting vulnerabilities, making it imperative that organizations are equally effective in defending against these threats. Ethical hacking, red teaming, blue teaming, and purple teaming are not just cybersecurity measures; they have become strategic investments that secure not only data but also an organization’s reputation and day-to-day operations. By proactively seeking out weaknesses, organizations can significantly reduce the risks associated with data breaches, downtime, and financial losses.

Ethical hackers not only assist in finding vulnerabilities but also educate and train security teams to prevent future incidents. Red and blue teaming, representing the offense and defense in cybersecurity, help organizations strengthen their resilience. Purple teaming bridges the gap between red and blue, fostering collaboration, knowledge sharing, and mutual understanding. It enhances an organization’s ability to respond effectively to cyber threats.

When joined together with autonomous XDR capabilities, these practices foster a proactive culture of cybersecurity, reduce exposure to vulnerabilities, and provide invaluable insights for an organization’s security team. Beyond this, they help organizations comply with industry standards and regulations, which are essential in today’s highly regulated business environment.

To learn more about how Singularity XDR helps global enterprise businesses stay steps ahead of even the most advanced cyber threats, contact us today or book a demo.

NJ Man Hired Online to Firebomb, Shoot at Homes Gets 13 Years in Prison

A 22-year-old New Jersey man has been sentenced to more than 13 years in prison for participating in a firebombing and a shooting at homes in Pennsylvania last year. Patrick McGovern-Allen was the subject of a Sept. 4, 2022 story here about the emergence of “violence-as-a-service” offerings, where random people from the Internet hire themselves out to perform a variety of local, physical attacks, including firebombing a home, “bricking” windows, slashing tires, or performing a drive-by shooting at someone’s residence.

McGovern-Allen, of Egg Harbor Township, N.J., was arrested Aug. 12, 2022 on an FBI warrant, which showed he was part of a group of cybercriminals who are settling scores with one another by hiring people to carry out violent attacks on their rivals.

That Sept. 2022 story about his arrest included links to two videos released on Telegram that were recorded and shared by McGovern-Allen and/or a co-conspirator as “proof” that they had carried out the attacks as hired.

The first showed two young men tossing a Molotov Cocktail at the side of a residence in Abington Township, Pa., setting it ablaze. The second featured two men with handguns unloading multiple rounds haphazardly into the first story of a house in West Chester, Pa. Fortunately, in both cases the occupants of the homes were unharmed in the attacks.

Federal prosecutors said McGovern-Allen went by the alias “Tongue” on Discord, and that in one chat he was quite explicit about his violence-as-a-service offering.

“In the chats, [Tongue] tells other Discord users that he was the person who shot K.M.’s house and that he was willing to commit firebombings using Molotov Cocktails,” the complaint against McGovern-Allen explains. “For example, in one Discord chat from March 2022, [the defendant] states ‘if you need anything done for $ lmk [“let me know”]/I did a shooting/Molotov/but I can also do things for ur entertainment.”

The chat channels that Tongue frequented have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job. A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window.

McGovern-Allen was in the news not long ago. According to a Sept. 2020 story from The Press of Atlantic City, a then 19-year-old Patrick McGovern-Allen was injured after driving into a building and forcing residents from their home.

“Police found a 2007 Lexus, driven by Patrick McGovern-Allen, 19, that had lost control and left the road, crashing into the eastern end of the 1600 building,” the story recounted. “The car was driven through the steps that provide access to the second-floor apartments, destroying them, and also caused damage to the outer wall.”

A copy of McGovern-Allen’s sentencing statement says he pleaded guilty to three criminal counts, including two for stalking, and one for the use of fire in commission of a federal felony. The judge in the case gave McGovern-Allen 160 months in prison — about 13.3 years. After completing his sentence, McGovern-Allen will be on supervised release for three years.

The Good, the Bad and the Ugly in Cybersecurity – Week 42

The Good | Ragnar Locker’s Tor & Leak Sites Taken Down In International Seizure

Ragnar Locker took a serious blow this week when authorities seized the ransomware operation’s Tor negotiation and data leak sites. This is the latest takedown coordinated across over a dozen international authorities. Now, visitors to the once-infamous sites are greeted with a seizure message.

Source: BleepingComputer

Standing as one of the longest-running ransomware operations to date, Ragnar Locker activity began in late 2019 with a primary focus on infiltrating enterprises. In that time, Ragnar Locker has been highly successful at infiltrating corporate networks, moving laterally through systems, harvesting sensitive data, and encrypting computers within compromised networks. Encrypted files and stolen data are powerful bargaining chips in the operation’s double extortion schemes.

While many similar operators have moved to a Ransomware-as-a-Service (RaaS) model, Ragnar Locker has remained semi-private. It has refrained from promotion and recruitment, instead working with external operators to breach networks. Ragnar Locker is also known for pure data theft attacks, eschewing the file locking techniques that are characteristic of most ransomware operations.

In March 2022, the FBI published a flash alert warning that at least 52 organizations across 10 critical infrastructure sectors had fallen victim to Ragnar Locker. Over the years, Ragnar Locker’s rap sheet has boasted numerous high-profile victims, including Energias de Portugal (EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and the City of Antwerp, Belgium. The seizure this week marks a significant win for cybersecurity law enforcement and reinforces the ongoing global effort to dismantle cyber threat infrastructures.

The Bad | Critical CI/CD RCE Flaw Actively Exploited By DPRK-Based Threat Actors

DPRK-based threat actors linked to the Lazarus Group are actively exploiting a critical security vulnerability in JetBrains TeamCity this week. Tracked as CVE-2023-42793 (CVSS score 9.8), the authentication bypass and remote code execution (RCE) flaw affects JetBrains’ continuous integration and continuous delivery (CI/CD) solution. The company reports a customer base of nearly 16 million developers globally, including several Fortune 100 companies. Security researchers have attributed the recent attacks to two factions within the Lazarus Group, which they refer to as Diamond Sleet (aka Hidden Cobra) and Onyx Sleet (aka Andariel).

Diamond Sleet has been observed employing two distinct attack methods. The first involves breaching TeamCity servers, followed by deploying an implant from previously compromised legitimate infrastructure. The second approach leverages the initial foothold to introduce a malicious DLL through DLL search-order hijacking. This facilitates the execution of a subsequent payload or a remote access trojan (RAT).

Onyx Sleet’s intrusions exploit the flaw to create a new user account likely to impersonate a Kerberos Ticket Granting Ticket. This account is then added to the Local Administrators Group before the attacker performs system discovery commands. Afterwards, a custom proxy tool is deployed, establishing a persistent connection between the compromised host and attacker-controlled infrastructure.
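The account-creation chain described above leaves a distinctive trail in the Windows Security log: a 4720 (user account created) followed shortly by a 4732 (member added to a security-enabled local group) for the Administrators group. Here is an added example, not from the page or any vendor it cites, that correlates the two over constructed log lines; the flattened key=value line format, hostnames, account names and SIDs are all assumed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Windows Security events flattened to key=value lines (not real telemetry).
# Host build01 shows the chain from the text: account created by the CI service account,
# then added to Administrators three minutes later. Host hr-ws07 is a benign control case:
# the same two events, but two days apart.
SAMPLE_LOG = r"""
2023-10-18T09:58:02Z host=build01 EventID=4720 SubjectUserName=teamcity TargetUserName=svc_update TargetSid=S-1-5-21-1-2-3-1105
2023-10-18T09:59:40Z host=build01 EventID=4688 SubjectUserName=teamcity NewProcessName=C:\Windows\System32\whoami.exe
2023-10-18T10:01:15Z host=build01 EventID=4732 SubjectUserName=teamcity TargetUserName=Administrators TargetSid=S-1-5-32-544 MemberSid=S-1-5-21-1-2-3-1105
2023-10-18T11:30:00Z host=hr-ws07 EventID=4720 SubjectUserName=helpdesk TargetUserName=jdoe TargetSid=S-1-5-21-9-9-9-2001
2023-10-20T08:00:00Z host=hr-ws07 EventID=4732 SubjectUserName=helpdesk TargetUserName=Administrators TargetSid=S-1-5-32-544 MemberSid=S-1-5-21-9-9-9-2001
"""

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID, stable across localized Windows
WINDOW = timedelta(minutes=10)                # assumed correlation window


@dataclass
class SecurityEvent:
    time: datetime
    event_id: int
    host: str
    fields: Dict[str, str]


def parse_events(text: str) -> List[SecurityEvent]:
    """Parse the constructed '<timestamp> key=value ...' lines into events."""
    events: List[SecurityEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(maxsplit=1)
        fields = dict(tok.split("=", 1) for tok in rest.split())
        events.append(SecurityEvent(
            time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            event_id=int(fields.pop("EventID")),
            host=fields.pop("host"),
            fields=fields,
        ))
    return events


def detect_new_local_admins(events: List[SecurityEvent],
                            window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """Flag an account created (4720) and then added to local Administrators (4732)
    on the same host within `window`. Correlation is on SID: event 4732 records the
    added member by SID, and its 'Account Name' field is frequently just '-'."""
    created: Dict[tuple, SecurityEvent] = {}   # (host, sid) -> the 4720 event
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4720 and "TargetSid" in ev.fields:
            created[(ev.host, ev.fields["TargetSid"])] = ev
        elif ev.event_id == 4732:
            is_admin_group = (ev.fields.get("TargetSid") == BUILTIN_ADMINISTRATORS_SID
                              or ev.fields.get("TargetUserName") == "Administrators")
            origin = created.get((ev.host, ev.fields.get("MemberSid", "")))
            if is_admin_group and origin and ev.time - origin.time <= window:
                alerts.append({
                    "host": ev.host,
                    "account": origin.fields["TargetUserName"],
                    "sid": ev.fields["MemberSid"],
                    "created_by": origin.fields.get("SubjectUserName", "?"),
                    "seconds_to_admin": int((ev.time - origin.time).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_local_admins(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['host']}: {alert['account']} ({alert['sid']}) created by "
              f"{alert['created_by']} and made local admin {alert['seconds_to_admin']}s later")
```

On a CI/CD server the creating subject is itself a strong signal: a build service account should never be creating local users, so the `created_by` field is worth a separate rule of its own.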

Since 2009, the Lazarus Group has earned a reputation for its sophisticated and persistent cyberattacks, namely financial crimes, espionage, and supply chain attacks. JetBrains urges users to apply patches and thoroughly monitor networks for signs of compromise. The U.S. National Security Council (NSC) believes that the revenue generated from these illicit activities funds North Korea’s missile program and the recently increasing number of launches.

As much of the world’s attention has been focused recently on the cyber threats emanating out of first the Russia-Ukraine war and now the Israel-Hamas war, these intrusions serve as a timely reminder that there are ongoing and diverse cyber threats posed by North Korean and other state-sponsored actors that still require our constant vigilance.

The Ugly | Cisco IOS XE Under Attack By Unpatched, In-The-Wild Zero-Day Flaw

Thousands of vulnerable enterprises are facing potential compromises this week from in-the-wild exploitation of CVE-2023-20198, a critical vulnerability affecting Cisco’s IOS XE software. This zero-day flaw is rated the maximum CVSS severity score of 10.0 and is rooted in the web UI feature. The bug affects enterprise networking equipment when the feature is enabled and accessible over the internet or untrusted networks.

According to Cisco’s advisory, the vulnerability allows remote, unauthenticated attackers to create an account with privilege level 15 access on a compromised system. This account can then be used to gain full control of the system. The issue affects both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled.

Latest reports tracking CVE-2023-20198 are finding that the flaw has given attackers privileged access, potentially allowing them to monitor network traffic, pivot into protected networks, and execute Man-in-the-Middle (MiTM) attacks. Shodan scans show that over 14,000 internet-exposed devices with the web UI feature enabled are currently vulnerable to attack.

Source: Shodan

While the exact origins of the threat actor behind these attacks are unclear, Cisco suggests that the initial cluster of activity seen in September may have been the actor’s testing phase, while October activity reflects an expansion of operations, including the establishment of persistent access. This has prompted CISA to issue an advisory and a Binding Operational Directive (BOD) for government organizations, and to add the zero-day to its Known Exploited Vulnerabilities (KEV) catalog.

Though there is currently no available patch at the time of this writing, Cisco recommends disabling the HTTP server feature on all internet-facing systems and using the copy running-configuration startup-configuration command to save the running-configuration. This should ensure the HTTP server feature is not unexpectedly enabled in the event of a system reload, Cisco said.
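Cisco’s interim mitigation is to turn the web UI off and then save the configuration. The following added example, not Cisco’s or the page’s own code, audits a running-config text for the ip http server and ip http secure-server lines, reports whether either is still on, and lists the corrective commands; the sample configs, hostnames and addresses are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config excerpts (not from any real device).
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet1
 ip address 198.51.100.10 255.255.255.0
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
"""

# Only HTTPS left on; the earlier 'ip http server' is overridden by a later 'no' form.
PARTIAL_CONFIG = """\
ip http server
ip http secure-server
no ip http server
"""

WEB_UI_FEATURES = ("server", "secure-server")
SAVE_COMMAND = "copy running-configuration startup-configuration"  # as quoted in Cisco's guidance
LINE_RE = re.compile(r"^\s*(no\s+)?ip http (server|secure-server)\s*$")


def web_ui_state(config: str) -> Dict[str, Optional[bool]]:
    """Map each web UI feature to True (enabled), False (disabled) or None (not present).

    The last matching line wins, as it does when the config is applied. None means the
    platform default applies, which must be confirmed on the device rather than assumed.
    """
    state: Dict[str, Optional[bool]] = {feature: None for feature in WEB_UI_FEATURES}
    for line in config.splitlines():
        match = LINE_RE.match(line)
        if match:
            state[match.group(2)] = match.group(1) is None
    return state


def web_ui_exposed(config: str) -> bool:
    """True when the HTTP or HTTPS server is explicitly enabled in the config."""
    return any(enabled is True for enabled in web_ui_state(config).values())


def remediation_plan(config: str) -> List[str]:
    """The commands the mitigation calls for: disable each enabled feature, then save."""
    commands = [f"no ip http {feature}"
                for feature, enabled in web_ui_state(config).items() if enabled is True]
    if commands:
        commands.append(SAVE_COMMAND)
    return commands


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("partial", PARTIAL_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, web_ui_state(cfg), "->", remediation_plan(cfg) or "nothing to do")
```

Disabling the server removes the exposure but does not undo an account already added through it, so the audit belongs alongside a review of the local user list on every affected device.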

Hackers Stole Access Tokens from Okta’s Support Unit

Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a “very small number” of customers; however, it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.

In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because in this case they include the customer’s cookies and session tokens, which intruders can then use to impersonate valid users.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” their notice continued. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
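Okta’s recommendation above, to sanitize credentials and cookies/session tokens in a HAR file before sharing it, as an added Python example that is not Okta’s or BeyondTrust’s code: it walks the HAR 1.2 structure (headers, cookies, query string, request and response bodies), redacts session-bearing values and JWT-shaped strings, and finishes with a check for any known secret that survived. The sample HAR, its hostname and every token value are constructed.

```python
"""Redact cookies, tokens and credentials from a HAR file before sharing it (added example)."""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session state (exact match, case-insensitive).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-csrf-token", "x-xsrf-token"}
# Query-string and JSON keys that commonly carry secrets (substring match; over-redacting is safe).
SENSITIVE_KEYS = ("token", "session", "sid", "password", "passwd", "secret", "cookie", "auth")
# Compact JWS/JWT: three base64url segments; a JSON header always encodes to a leading "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")

def _is_sensitive_key(name):
    return any(k in name.lower() for k in SENSITIVE_KEYS)

def _redact_pairs(pairs, selected):
    for pair in pairs or []:  # HAR headers/cookies/queryString are lists of {name, value}
        if selected(pair.get("name", "")):
            pair["value"] = REDACTED

def _redact_url(url):
    parts = urlsplit(url)  # keep scheme, host and path; only sensitive query values change
    if not parts.query:
        return url
    query = [(k, REDACTED if _is_sensitive_key(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def _redact_json(obj):
    """Recursively redact sensitive keys and embedded JWTs inside a parsed JSON body."""
    if isinstance(obj, dict):
        return {k: REDACTED if _is_sensitive_key(k) else _redact_json(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v) for v in obj]
    return JWT_RE.sub(REDACTED, obj) if isinstance(obj, str) else obj

def _redact_body(text):
    if not text:
        return text
    try:
        return json.dumps(_redact_json(json.loads(text)))
    except ValueError:  # not JSON (HTML, form data, plain text): still strip JWT-shaped strings
        return JWT_RE.sub(REDACTED, text)

def sanitize_har(har):
    """Return a sanitized deep copy of a parsed HAR 1.2 document; the input is left untouched."""
    har = json.loads(json.dumps(har))
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for message in (req, resp):
            _redact_pairs(message.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            _redact_pairs(message.get("cookies"), lambda n: True)  # every cookie value goes
        _redact_pairs(req.get("queryString"), _is_sensitive_key)
        if "url" in req:
            req["url"] = _redact_url(req["url"])
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = _redact_body(req["postData"]["text"])
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = _redact_body(resp["content"]["text"])
    return har

def find_leaks(har, needles):
    """Self-check before sharing: which of the known secret values still appear anywhere?"""
    return [n for n in needles if n in json.dumps(har)]

# Constructed sample HAR with one request/response pair; every secret value below is fake.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST", "url": "https://idp.example.test/api/v1/authn?sessionToken=abc123",
                "headers": [{"name": "Cookie", "value": "sid=s3cr3t-session"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "s3cr3t-session"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}],
                "postData": {"text": json.dumps({"username": "alice", "password": "hunter2"})}},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=new-session; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "new-session"}],
                 "content": {"mimeType": "text/plain", "text": "Bearer " + SAMPLE_JWT}}}]}}
SAMPLE_SECRETS = ("s3cr3t-session", "abc123", "hunter2", "new-session", SAMPLE_JWT)

if __name__ == "__main__":
    print(find_leaks(SAMPLE_HAR, SAMPLE_SECRETS), "->", find_leaks(sanitize_har(SAMPLE_HAR), SAMPLE_SECRETS))
```

Run `find_leaks` with the real values you know are in the capture (the session cookie value, any bearer token) and share the file only when it returns an empty list.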

The security firm BeyondTrust is among the Okta customers who received Thursday’s alert from Okta. BeyondTrust Chief Technology Officer Marc Maiffret said that alert came more than two weeks after his company alerted Okta to a potential problem.

Maiffret emphasized that BeyondTrust caught the attack earlier this month as it was happening, and that none of its own customers were affected. He said that on Oct. 2, BeyondTrust’s security team detected that someone was trying to use an Okta account assigned to one of their engineers to create an all-powerful administrator account within their Okta environment.

When BeyondTrust reviewed the activity of the employee account that tried to create the new administrative profile, they found that — just 30 minutes prior to the unauthorized activity — one of their support engineers shared with Okta one of these HAR files that contained a valid Okta session token, Maiffret said.

“Our admin sent that [HAR file] over at Okta’s request, and 30 minutes after that the attacker started doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to act on behalf of that user,” he said.

Maiffret said BeyondTrust followed up with Okta on Oct. 3 and said they were fairly confident Okta had suffered an intrusion, and that he reiterated that conclusion in a phone call with Okta on October 11 and again on Oct. 13.

In an interview with KrebsOnSecurity, Okta’s Deputy Chief Information Security Officer Charlotte Wylie said Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a result of a breach in its systems. But she said that by Oct. 17, the company had identified and contained the incident — disabling the compromised customer case management account, and invalidating Okta access tokens associated with that account.

Wylie declined to say exactly how many customers received alerts of a potential security issue, but characterized it as a “very, very small subset” of its more than 18,000 customers.

The disclosure from Okta comes just weeks after casino giants Caesar’s Entertainment and MGM Resorts were hacked. In both cases, the attackers managed to social engineer employees into resetting the multi-factor login requirements for Okta administrator accounts.

In March 2022, Okta disclosed a breach from the hacking group LAPSUS$, a criminal hacking group that specialized in social-engineering employees at targeted companies. An after-action report from Okta on that incident found that LAPSUS$ had social engineered its way onto the workstation of a support engineer at Sitel, a third-party outsourcing company that had access to Okta resources.

Okta’s Wylie declined to answer questions about how long the intruder may have had access to the company’s case management account, or who might have been responsible for the attack. However, she did say the company believes this is an adversary they have seen before.

“This is a known threat actor that we believe has targeted us and Okta-specific customers,” Wylie said.

Update, 2:57 p.m. ET: Okta has published a blog post about this incident that includes some “indicators of compromise” that customers can use to see if they were affected. But the company stressed that “all customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”

Update, 3:36 p.m. ET: BeyondTrust has published a blog post about their findings.

Social Engineering Attacks | How to Recognize and Resist The Bait

While much of cyber news often revolves around novel malware strains and high-profile data breaches, one threat that often flies under the radar relies on human vulnerability rather than technical vulnerabilities: social engineering attacks.

This type of attack exploits people’s most innate tendency to trust, comply, and share information. This is what makes these attacks exceptionally effective. Using psychological manipulation, cybercriminals behind these schemes are then able to trick users and organizations into giving up sensitive information, granting access to secure systems, or transferring funds.

As businesses and organizations rely more on interconnected systems and digital communication, they become more exposed to the dangers of social engineering. Part of countering this growing threat is understanding the psychology behind social engineering. Recognizing these tactics and the psychological triggers that attackers exploit can empower users and organizations to take proactive measures against the risks.

This blog delves into the intricacies of social engineering attacks, exploring the various forms they take and the underlying psychology behind these attacks. By mapping out the motivations and tactics used by attackers to exploit users’ cognitive biases and emotions, business leaders can learn how to recognize and resist attacks and stay one step ahead of cybercriminals.

The Fundamentals of Social Engineering Attacks

Social engineering attacks are multifaceted and ever-evolving, making them an evergreen threat to individuals and businesses. These attacks draw on human psychology and social dynamics to manipulate users into divulging information or performing actions that compromise security, data, and assets.

Social engineering has become a bread-and-butter tactic for cybercriminals with recent reports finding a staggering 464% increase in email-based attacks in the first half of this year compared to 2022. Further, when considering such attacks per organization within the same time frame, researchers note a 24% increase, underscoring email as the leading attack vector used by cyberattackers.

Understanding the fundamentals of social engineering is critical for businesses and organizations, as it can help them recognize, defend against, and mitigate the risks these attacks pose in the short and long term.

Phishing

Phishing is one of the most common forms of social engineering. It typically involves sending fraudulent emails that appear to be from a reputable source, such as a bank or a trusted colleague. The goal is to trick the recipient into clicking on malicious links or providing sensitive information, like login credentials or financial details.

Spear Phishing

Spear phishing is a more targeted form of phishing. Attackers conduct extensive research on their victims, crafting highly personalized emails that are much harder to distinguish from legitimate communications. They often target individuals such as privileged admins that have access to valuable information or financial resources within an organization.

Pretexting

In pretexting attacks, the attacker creates a fabricated scenario or pretext to obtain information. This often involves impersonating someone with authority or a legitimate reason for needing sensitive data, such as supporting a customer, complying with IT support personnel, or granting approval for multi-factor authentication (MFA).

Baiting

Baiting attacks entice victims with an attractive promise, like a lucrative job offer, free software downloads, movies, or music. Once the victim takes the bait and downloads the file, malware is delivered, compromising the victim’s device and potentially spreading through the network.

Multi-Channel Attacks

Multi-channel social engineering leverages various communication platforms to manipulate and deceive individuals or organizations. Instead of relying on a single channel like email, attackers combine various communication methods, including email, phone calls, social media, and even physical interactions. This creates a convincing illusion of legitimacy and credibility, making it more challenging for targets to discern the fraudulent nature of the attack.

Pulling Back the Curtain | The Psychology Behind Social Engineering

Regardless of the type of attack, the role of psychological manipulation is key to successful attacks, exploiting the intricacies of human emotions, cognitive biases, and social dynamics. Human users can be tactfully manipulated into serving the attacker’s objectives.

The Psychology of Persuasion | Understanding the Attacker’s Mindset

Being aware of the manipulation strategies employed by attackers helps develop a heightened sense of skepticism, making it more challenging for social engineers to succeed.

Psychological manipulation involves a range of tactics that leverage fundamental aspects of human behavior:

  • Trust and Authority – Social engineers often assume roles or identities that inspire trust. Whether posing as a trusted colleague, a senior executive, or a knowledgeable IT technician, they exploit the natural inclination to comply with authority figures and follow social norms.
  • Reciprocity – By offering something of apparent value, even if it’s as simple as a small favor or free software, social engineers stimulate the instinct of reciprocity. When people feel they’ve received something, they’re more likely to return the favor, which can involve sharing information or granting access.
  • Fear & Urgency – Creating a sense of urgency or fear in targeted victims is a common tactic. This can include warnings of impending threats, account compromises, or financial loss, which then pushes the targeted victim to act hastily without critical evaluation.
  • Social Proof – People tend to follow the crowd or conform to social norms. Social engineers often use this bias by showing that others have already complied with their requests, suggesting that the target should do the same.
  • Bonding & Connection – Building rapport and forming a connection with the target is a powerful tool. Social engineers may feign common interests, offer compliments, or appear as genuinely likable individuals to lower the target’s guard and increase their willingness to cooperate.
  • Fear of Missing Out (FOMO) – Creating the illusion of scarcity, whether it’s a limited-time offer or an apparently ‘exclusive’ opportunity, plays on the very human fear of missing out. This compels the targeted victims to take action quickly, often without thinking things through.
  • Commitment & Consistency – People tend to remain consistent with their prior actions and statements. Social engineers exploit this by encouraging small commitments or decisions that align with the targeted victims’ objectives. Once an individual commits to something, they are more likely to follow through with related, more significant requests, making them more susceptible to manipulation.

Cognitive Biases | Fertile Grounds Exploited by Social Engineers

Cognitive biases are deeply ingrained in how people think and make decisions. Cybercriminals focus on manipulating these biases to meet their malicious goals.

  • Anchoring Bias – relying too heavily on the first piece of information encountered, even if it is irrelevant. Cybercriminals use anchoring bias to set an initial reference point that heavily influences a target’s subsequent decisions. For example, in a negotiation for a fraudulent deal, attackers might suggest an extravagantly high initial price, thus anchoring the target’s perception of what is reasonable.
  • Confirmation Bias – the tendency to seek out, interpret, and remember information in a way that confirms one’s preexisting beliefs or expectations. Social engineers leverage this bias by providing fake evidence or information that aligns with the target’s preconceived notions, making the target more likely to trust and comply with their requests.
  • Recency Bias – the tendency to give more weight to recent events or information. Social engineers exploit this bias by timing their attacks strategically, ensuring their requests align with recent experiences or news. This makes it more likely for the victim to accept the request without due scrutiny.
  • Overconfidence Bias – the overestimation of one’s abilities, knowledge, or judgment. Attackers capitalize on this bias by encouraging targets to trust their own judgment in making decisions that benefit the attacker. Victims may believe they are too savvy to fall for scams, leaving them vulnerable to manipulation.

Rising Trends In Social Engineering

Recent developments in generative artificial intelligence (AI) are a cause for concern in the context of social engineering schemes. AI could be used by attackers to craft sophisticated threat campaigns that manipulate human behavior. Automating data collection and creating persuasive messages can significantly enhance the potential impact of such attacks.

The rise of deepfake technology has also introduced a new avenue for social engineering attacks, where AI can be used to deceive a targeted victim into believing false information. Deepfakes leverage machine learning (ML) algorithms to create highly realistic images, audio, and videos that can easily fool viewers into thinking they are authentic. Deepfakes could allow attackers to impersonate high-profile individuals, such as senior leadership or government authorities, as a key part of their requests for access and information.

Recognizing Social Engineering Red Flags | Avoiding the Hooks, Lines, and Sinkers

Training and awareness programs can help teach employees about these biases and how they are used in social engineering attacks. To a trained eye, social engineering schemes are fraught with red flags. Learning how to recognize and resist these warning signs is how businesses can defend their sensitive data and keep their users safe from cyberattackers.

These are six of the most common triggers to look out for:

Red Flag #1: Out of the Blue Requests

One of the primary red flags in social engineering is receiving unsolicited requests or communications. Be cautious of unexpected emails, phone calls, or messages asking for sensitive information, money, or assistance. Cybercriminals often rely on the element of surprise to catch their targets off guard.

Red Flag #2: Feeling Under Pressure

Social engineers often employ tactics that create a sense of urgency and pressure to act quickly. They might claim that a situation requires immediate attention, or that failure to comply will lead to severe consequences. These pressure tactics are designed to override rational thinking and encourage hasty actions.

Red Flag #3: Unverified Sources & Contacts

If a request or communication comes from an unverified or unfamiliar source, treat it with skepticism. Verify the identity of the sender through a secondary means outside of the initial communication platform. Since social engineers can easily impersonate trusted individuals or entities, confirm all requests independently and directly with the person or company they claim to be.

Red Flag #4: Issues With the Content

Pay close attention to the content of the communication. Check for inconsistencies, misspellings, or unusual language that may suggest a fraudulent message. Cybercriminals often make mistakes in their attempts to deceive, and these errors can serve as warning signs.

Red Flag #5: Emotional Manipulation

Social engineers frequently employ emotional manipulation to sway their targets. Be wary of messages that evoke strong emotions, such as fear, excitement, or sympathy. When emotions cloud judgment, individuals become more susceptible to manipulation.

Red Flag #6: Requests for Sensitive Information or Credentials

Perhaps the most obvious red flag is a request for sensitive information or login credentials. Legitimate contacts rarely ask for private information through unsolicited messages. Be cautious when providing personal or confidential data, especially when prompted via email or messaging platforms.

Conclusion

Social engineers capitalize on human psychology, cognitive biases, and our innate tendency to trust, all in an effort to slip past established security measures. Recognizing the red flags and understanding the evolving techniques of social engineering attacks is critical for businesses building an effective defense against these types of attack.

The threat landscape for social engineering attacks continues to evolve, requiring a proactive and adaptive approach to defense. To stay steps ahead of cybercriminals, businesses and organizations must be vigilant in recognizing and resisting these attacks to mitigate the short-term and long-term risks they pose. By educating employees and implementing robust security measures, leaders can significantly reduce their vulnerability to social engineering attacks and safeguard their operations and sensitive data.

SentinelOne is ready to help business and organizational leaders build a proactive cybersecurity stance against social engineering-based threats through continuous threat detection and response capabilities and autonomous threat hunting. Contact us today or book a demo to learn more.

Oct 2023 Cybercrime Update | Disinformation, DDoS and Scams as Gangs Look to Exploit Turmoil

In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. With the conflict between Israel and Hamas dominating the news cycle, we look at how this is currently impacting cybersecurity, and provide updates on ransomware and other cybercrime activity to help security leaders stay abreast of the latest developments in this ever-evolving battleground.

Disinformation, DDoS and Scams

Since October 7th, events in Israel and Gaza have dominated the world’s attention, and predictably the tragic events unfolding in the region have not been overlooked by cybercriminals. To date, the majority of cyber activity surrounding these events has fallen into the realm of hacktivism and DDoS operations, salted with a heavy helping of disinformation.

Dubious claims relating to purported cyber attacks, website defacements and intrusions can be found littered across the usual cybercrime forums and Telegram channels.

Cyb3r Drag0nz and defacements

Besides hacktivism, the current situation is being leveraged by cybercriminals through social engineering tactics and email-based phishing campaigns. These are designed to deceive recipients with references to topics such as Israel, Palestine, and Gaza in order to perpetrate fraud through schemes such as charity and donation scams.

Phishing email with conflict-specific lure (subject)

Much like the situation on the ground, the broader shape of how this conflict will play out in cyberspace is still emerging. We expect to provide further reporting in the near future.

New Ransomware Actors Emerge as Others Fall

Elsewhere in the cybercrime world, some notable ransomware operations have emerged since last month’s update. Among these is LostTrust ransomware, an evolution of the SFile and MindWare ransomware families. From early October, the LostTrust blog was listing 53 victims on its leaks site.

LuckBit ransomware is another operation that emerged in October 2023. The threat actors behind LuckBit denominate their ransom demands in Malaysian Ringgit (MYR) equivalents; their campaigns have been observed demanding up to 20 million MYR in BTC (Bitcoin), approximately US $4.2 million. Victims are instructed to contact the attacker only after making the payment. The ransom note contains the relevant contact details, including an email address and a TOR-based website that serves as the victim portal.

LuckBit ransom note

October has also seen the fall of the prolific ransomware outfit Trigona, which at its peak was posting around 100 victim organizations per month. Trigona’s ransomware operations were first detected in June 2022. Over the course of its existence, Trigona operators have released payloads targeting both Windows and Linux systems. Their initial delivery methods have varied across campaigns, encompassing spear phishing and the exploitation of known vulnerabilities, such as those in MSSQL.

On October 17, however, a hacktivist group named Ukrainian Cyber Alliance (UCA) announced an attack on Trigona’s primary blog sites, claiming to have disrupted or wiped out accessible infrastructure.

The UCA, formed in 2014, claims to be driven by the goal of disrupting Russian criminal enterprises, both public and private. It describes itself as a community of Ukrainian cyber activists from various backgrounds that emerged from the FalconsFlame, Trinity, RUH8, and CyberHunta groups as a result of Russian aggression in Ukraine.

The UCA followed the attack by defacing Trigona’s TOR-based blog sites, prominently displaying the title “Trigona is Gone” on the blog pages. Additionally, they made several derogatory references to Trigona in their messages, which are still accessible at the time of writing.

Defaced Trigona blog (TOR)

Dark Markets and Cybercrime Services

While Cobalt Strike is not the only post exploitation and penetration testing toolkit out there anymore, it is still arguably the most popular, and its adoption by threat actors has been well-documented, as have efforts to curtail its illegitimate and unlicensed use.

This brings us to the recent leak of Cobalt Strike 4.9 (released in September 2023). Copies have been distributed in various forums and markets starting in early October 2023. This was tweeted (X’d) on October 9th, 2023 by @darkcoders_mrx.

Meanwhile, the AV/EDR bypass market, which we highlighted in our September update, continues to flourish and expand this October. High-dollar cybercrime vendors are updating their services to meet the market’s demands for bypass and evasion tools.

XDR Bypass updated on October 15, 2023

Crypting and obfuscation tools, like Rain Protector, have also seen updates. These tools are used by malware authors in an attempt to evade static detection technologies by way of obfuscation.

Crypter sale (Rain Protector)

Within the Initial Access Broker market, vendors are preparing to take advantage of recent widespread exploits in order to bulk up their supply of readily breached environments. Notable among these are the vulnerabilities in Confluence Data Center & Server (CVE-2023-22505 and CVE-2023-22508) and Bamboo Data Center (CVE-2023-22506).

Access for sale via Confluence RCE

Wider Trends | Generative AI Services and Offerings for Cybercrime

ChatGPT alternatives are potentially attractive to criminals because they claim to remove the restrictions and barriers that mainstream LLMs impose to inhibit malicious use. Automating attacks through generative AI would provide a serious boost to the productivity of cybercrime operations. Earlier in the year, WormGPT generated a lot of headlines with claims of enabling malicious AI capabilities such as:

  • Unrestricted creation of malware and phishing/clone page creation
  • No logging or storage of operator use
  • Remote, bulletproof access

As a result of negative press coverage, the service “officially” closed.

Closure of WormGPT

Nevertheless, we have observed a number of generative AI services and tools appearing to meet the demand for jailbroken AI, and we continue to track the development of this trend. To date, many of the available tools either lack a true context mechanism or are little more than novelty interfaces with canned responses for specific prompts.

In response to the development of WormGPT and similar models, numerous specialized tools have surfaced with the aim of bypassing limitations on generative AI. These tools, often hosted on platforms like “FlowGPT,” facilitate unrestricted prompt generation across various Large Language Models (LLMs) and the subsequent sharing of these creations.

Out of this come tools like “DarkGPT” and “CodeGPT”. Some of these are novelty at best, but some do generate valid code examples, and given time could lead someone down a road to bad things (or learning how to do them).

Quick code-on-demand via DarkGPT

The market for unlocked generative AI services could get interesting in the coming year. More sophisticated fraud and cybercrime operations may see value in incorporating AI to increase the overall mass of their malicious output.

Conclusion

October has been, and will continue to be, dominated by developments around the Israel-Hamas conflict, and we will continue to provide updates as the situation evolves. Additionally, there have been some notable new ransomware operations, as well as the fall of Trigona ransomware. Cybercrime markets continue to thrive, expanding into more private platforms like Telegram and TOX-only channels. We continue to monitor these developments, along with the emergence of potentially harmful versions of generative AI.

In the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.