Phishers Spoof USPS, 12 Other Nat’l Postal Services

The fake USPS phishing page.

Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.

KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain usps.informedtrck[.]com.

The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information.

The remaining buttons on the phishing page all link to the real USPS.com website. After collecting your address information, the fake USPS site goes on to request additional personal and financial data.

This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations.

Check out the bottom portion of the screenshot below, and you’ll notice that this phishing site fails to load some external resources, including an image from a host called fly.linkcdn[.]to.


A search on this domain at the always-useful URLscan.io shows that fly.linkcdn[.]to is tied to a slew of USPS-themed phishing domains. Here are just a few of those domains (links defanged to prevent accidental clicking):


As we can see in the screenshot below, the developer tools console for informedtrck[.]com complains that the site is unable to load a Google Analytics code — UA-80133954-3 — which apparently was rejected for pointing to an invalid domain.

Notice the highlighted Google Analytics code exposed by a faulty JavaScript element on the phishing website. That code actually belongs to the USPS.

The valid domain for that Google Analytics code is the official usps.com website. According to dnslytics.com, that same analytics code has shown up on at least six other nearly identical USPS phishing pages dating back nearly as many years, including onlineuspsexpress[.]com, which DomainTools.com says was registered way back in September 2018 to an individual in Nigeria.
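As an added example (not code from the KrebsOnSecurity post), the following Python script automates the pivot described above: it pulls analytics property IDs and third-party resource hosts out of saved page source so they can be searched in URLscan or passive DNS without opening the page in a browser. The HTML it runs on is constructed for the example; only the UA-80133954-3 ID and the fly.linkcdn[.]to host come from the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Google Analytics property IDs: Universal Analytics "UA-1234567-8"
# and GA4 "G-XXXXXXXXXX". A brand's own ID showing up on a lookalike
# domain is the pivot point the article describes.
ANALYTICS_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [.], [:]) back into parseable form."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", ".")
                .replace("[:]", ":"))


class _ResourceCollector(HTMLParser):
    """Collect every URL the page loads, links to, or posts a form to."""
    LOAD_ATTRS = {"src", "href", "action", "data-src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.LOAD_ATTRS and value:
                self.urls.append(value)


def extract_analytics_ids(html: str) -> list:
    """Distinct analytics property IDs embedded anywhere in the page."""
    return sorted(set(ANALYTICS_ID_RE.findall(html)))


def external_hosts(html: str, page_host: str) -> dict:
    """Map each third-party hostname to the URLs loaded from it.

    Resources served from page_host itself are ignored so that only the
    infrastructure potentially shared with other kits (the article's
    fly.linkcdn[.]to) remains.
    """
    parser = _ResourceCollector()
    parser.feed(html)
    hosts = {}
    for url in parser.urls:
        host = urlsplit(url).hostname
        if host and host.lower() != page_host.lower():
            hosts.setdefault(host.lower(), []).append(url)
    return hosts


def triage(html: str, page_host: str) -> dict:
    """Summary an analyst can feed to URLscan / passive-DNS pivots."""
    return {
        "analytics_ids": extract_analytics_ids(html),
        "external_hosts": external_hosts(html, page_host),
    }


# Constructed sample page source (defanged, as it would appear in an
# analyst's notes). Only the analytics ID and the CDN host are from the
# article; the tag-manager loader, paths and form are made up.
SAMPLE_HTML = refang("""
<html><head>
<script async src="hxxps://www.googletagmanager.com/gtag/js?id=UA-80133954-3"></script>
<script>gtag('config', 'UA-80133954-3');</script>
</head><body>
<img src="hxxps://fly.linkcdn[.]to/static/usps_logo.png">
<img src="/img/truck.png">
<a href="hxxps://www.usps.com/help/">Help</a>
<form action="/update.php" method="post"></form>
</body></html>
""")

if __name__ == "__main__":
    report = triage(SAMPLE_HTML, "usps.informedtrck.com")
    print("Analytics IDs to pivot on:", report["analytics_ids"])
    for host, urls in sorted(report["external_hosts"].items()):
        print(f"{host}: {len(urls)} resource(s)")
```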

A different domain with that same Google Analytics code that was registered in 2021 is peraltansepeda[.]com, which archive.org shows was running a similar set of phishing pages targeting USPS users. DomainTools.com indicates this website name was registered by phishers based in Indonesia.

DomainTools says the above-mentioned USPS phishing domain stamppos[.]com was registered in 2022 via Singapore-based Alibaba.com, but the registrant city and state listed for that domain says “Georgia, AL,” which is not a real location.

Alas, running a search for domains registered through Alibaba to anyone claiming to reside in Georgia, AL reveals nearly 300 recent postal phishing domains ending in “.top.” These domains are either administrative domains obscured by a password-protected login page, or are .top domains phishing customers of the USPS as well as postal services serving other countries.

The other targeted postal services include Australia Post, An Post (Ireland), Correos.es (Spain), the Costa Rican post, the Chilean Post, the Mexican Postal Service, Poste Italiane (Italy), PostNL (Netherlands), PostNord (Denmark, Norway and Sweden), and Posti (Finland). A complete list of these domains is available here (PDF).

A phishing page targeting An Post, the state-owned provider of postal services in Ireland.

The Georgia, AL domains at Alibaba also encompass several that spoof sites claiming to collect outstanding road toll fees and fines on behalf of the governments of Australia, New Zealand and Singapore.

An anonymous reader wrote in to say they submitted fake information to the above-mentioned phishing site usps.receivepost[.]com via the malware sandbox any.run. A video recording of that analysis shows that the site sends any submitted data via an automated bot on the Telegram instant messaging service.

The traffic analysis just below the any.run video shows that any data collected by the phishing site is being sent to the Telegram user @chenlun, who offers to sell customized source code for phishing pages. From a review of @chenlun’s other Telegram channels, it appears this account is being massively spammed at the moment — possibly thanks to public attention brought by this story.

Meanwhile, researchers at DomainTools recently published a report on an apparently unrelated but equally sprawling SMS-based phishing campaign targeting USPS customers that appears to be the work of cybercriminals based in Iran.

Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the United Parcel Service (UPS) disclosed that fraudsters were abusing an online shipment tracking tool in Canada to send highly targeted SMS phishing messages that spoofed the UPS and other brands.

With the holiday shopping season nearly upon us, now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.

If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Update: Added information about the Telegram bot and any.run analysis.

The Good, the Bad and the Ugly in Cybersecurity – Week 40

The Good | Joint Advisory Reveals Top Ten Common Misconfigurations Found in Global Organizations

This week, the NSA and CISA released a joint advisory rounding up the top ten most common cybersecurity misconfigurations that plague organizations around the world. The advisory outlines the tactics, techniques, and procedures (TTPs) that threat actors often use in their attacks and includes best practices for building a strong network security posture.

Based on data collected by NSA and CISA red and blue teams during defensive testing, the list of misconfigurations calls attention to a pattern of weaknesses found in many large-scale organizations. While threat actors use novel methods to gain access and move through networks, attacks are often due to common misconfigurations. Issues stemming from default credentials, service permissions, improper segmentation, and poor patch management all create opportunities for attackers to break into sensitive systems.

The advisory also highlights the role of software manufacturers in particular, explaining how integral they are to establishing secure-by-design principles from inception. By taking ownership to improve their customers’ security, software manufacturers can reduce the trend of common misconfigurations by design and help ensure the integrity, availability, and confidentiality of data across critical industries.

Security is a shared responsibility though, and organizations can be proactive with their defense strategy. Other than applying the recommended cyber best practices, NSA and CISA note the importance of learning from industry case studies and keeping up to date with cybersecurity trends. Cyber threats are constantly evolving, and learning from real-world incidents helps organizations adapt and fortify their defenses in the long term.

The Bad | Qakbot Operators Return With Phishing Campaigns Despite International Takedown

One of the longest-established malware and botnet operators, Qakbot, has returned to the cyber threat ecosystem just months after a joint global operation dismantled its server infrastructure. Despite the major disruption, the threat actors behind Qakbot are now reportedly linked to an ongoing phishing campaign that has distributed the Remcos remote access trojan (RAT) and Ransom Knight ransomware since August.

According to security researchers, ‘Operation Duck Hunt’ likely impacted QakBot operators’ command-and-control (C2) servers rather than their spam delivery infrastructure. While there is moderate confidence in attributing recent activity to QakBot, there is no evidence indicating that operators have resumed distributing their malware loader since the September takedown.

The recent activity associated with QakBot involves the use of malicious LNK files likely distributed through phishing emails. When these files are executed, they trigger the infection process, ultimately leading to the deployment of Ransom Knight ransomware, a recent rebrand of the Cyclops ransomware-as-a-service (RaaS) scheme. The ZIP archives containing these LNK files have also been observed to include Excel add-in (.XLL) files, which serve to propagate the Remcos RAT. This RAT provides the attackers with persistent backdoor access to compromised endpoints. Some of the file names used in this campaign are in Italian, indicating a potential focus on targeting European users.

Even though QakBot distribution hasn’t been observed post-takedown, the malware is likely to remain a threat in the future. Since the operators are still active, they may opt to rebuild the QakBot infrastructure, potentially resuming their previous activities in the near future. The situation underscores the importance of ongoing vigilance and innovative cybersecurity measures to combat evolving threats.

The Ugly | Released PoC of Critical WS_FTP Vulnerabilities Accelerates the Need to Patch

Ransomware operators are actively exploiting recently fixed vulnerabilities associated with WS_FTP Server, a file-sharing application by Progress Software also known for its MOVEit file transfer tool. A critical zero-day vulnerability found in MOVEit made headlines this summer and has reportedly affected over 600 organizations and 40 million people, with numbers still mounting.

Out of the eight fixed WS_FTP Server vulnerabilities, two were given critical severity ratings. First, CVE-2023-40044 (CVSS score 10) is a .NET deserialization flaw that allows attackers to execute malicious code remotely without requiring authentication. CVE-2023-42657 (CVSS score 9.9) is a directory traversal flaw that permits remote code execution (RCE) against files outside the authorized folder path; it does, however, require prior authentication. Shodan currently shows over 2000 devices running WS_FTP Server that are vulnerable to exploitation.

Signs of active exploitation emerged last Friday, and attackers have since attempted to establish a persistent presence on compromised servers. A proof-of-concept (PoC) exploit subsequently began circulating online, increasing the risk of compromise while customers are still applying patches.

File transfer tools have become a favored target of ransomware attackers as they are often integrated into organizations’ core infrastructure and transmit sensitive data. This raises the stakes for the victim. To avoid data loss and business disruption, victims may give in to paying the ransom to quickly regain access. Compared to the MOVEit file transfer vulnerability, the WS_FTP Server vulnerabilities may be less widespread since fixes were made available before exploits began. Still, admins are advised to prioritize patching, disable the server’s ad hoc transfer mode if immediate patching is not feasible, and thoroughly monitor for signs of compromise.

Steps for disabling the server’s ad hoc transfer mode

LostTrust Ransomware | Latest Multi-Extortion Threat Shares Traits with SFile and Mindware

The LostTrust ransomware operation is a new multi-extortion threat that emerged in September 2023. Our analysis of LostTrust malware payloads indicates that the family is an evolution of SFile and Mindware, and that all three follow similar operations and tradecraft to MetaEncryptor. Similarities between the LostTrust leaks sites and the earlier MetaEncryptor leaks sites are also apparent, while aspects of SFile encryptor previously observed with MetaEncryptor campaigns are still in use with the LostTrust payloads we analyzed.

In this analysis, we provide a high-level technical outline of where these ransomware families and their operations overlap. We will examine LostTrust payload behavior as well as compare artifacts to the SFile and Mindware families.

LostTrust Ransom Demands

LostTrust victims are presented with a ransom note that attempts to portray the gang as providing a service, a fake veneer that is commonly adopted by cybercriminals perpetrating intrusions. An excerpt from a LostTrust ransom note illustrates this approach:

Our team has an extensive background in legal and so called white hat hacking.
However, clients usually considered the found vulnerabilities to be minor and poorly
paid for our services.
So we decided to change our business model. Now you understand how important it is
to allocate a good budget for IT security.
This is serious business for us and we really don’t want to ruin your privacy,
reputation and a company.
We just want to get paid for our work whist finding vulnerabilities in various networks.
LostTrust ransom note

The LostTrust leaks site contains information claiming that the gang are “young people who identify themselves as specialists in the field of network security”. Thinly-veiled threats that stolen data will be made available to interested parties if the gang do not receive payment are followed by a warning that notification of the victim’s breach will be widely publicized.

LostTrust Execution Details

In order to prevent existing processes on the victim device from inhibiting encryption or data exfiltration, LostTrust ransomware payloads attempt to discover and terminate a plethora of services and processes. Critical services associated with the processes belonging to Microsoft Exchange, MSSQL, SharePoint, Tomcat, postgresql and others are terminated if identified.

The ransomware initiates numerous hidden CMD.EXE sessions in order to carry out these tasks. The hidden CMD.EXE windows subsequently host the observed WMIC, NET, SC, taskkill, VSSADMIN and wevtutil commands.

In addition to process discovery and termination, the ransomware attempts to delete Volume Shadow Copies (VSS) via VSSADMIN, and clears all Windows Event Logs via wevtutil.exe.

LostTrust payload execution output is streamed to a visible command window, allowing for clear observation of the various encryption stages.

LostTrust output

The full list of observed commands is as follows:

"C:\Windows\System32\cmd.exe" /c wevtutil cl Application
"C:\Windows\System32\cmd.exe" /c wevtutil cl security
"C:\Windows\System32\cmd.exe" /c wevtutil cl setup
"C:\Windows\System32\cmd.exe" /c wevtutil cl system
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL STOPSERVIC
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL STOPSERVICE
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Firebird%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SQL%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%wsbex%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%postgresql%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%BACKP%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%tomcat%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SharePoint%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%SBS%'" CALL ChangeStartMode 'Disabled'
"C:\Windows\System32\cmd.exe" /c sc config FirebirdServerDefaultInstance start= disabled
"C:\Windows\System32\cmd.exe" /c taskkill /IM fb_inet_server.exe /F
"C:\Windows\System32\cmd.exe" /c net stop FirebirdServerDefaultInstance
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop FirebirdServerDefaultInstance
"C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
"C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSSQL$SQLEXPRESS start= disabled
"C:\Windows\System32\cmd.exe" /c net stop MSSQLSERVER
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQLSERVER
"C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
"C:\Windows\System32\cmd.exe" /c taskkill /IM pg_ctl.exe /F
"C:\Windows\System32\cmd.exe" /c sc config postgresql-9.0 start= disabled
"C:\Windows\System32\cmd.exe" /c net stop postgresql-9.0
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeAB start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeAntispamUpdate start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeEdgeSync start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeFDS start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeFBA start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeImap4 start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeIS start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailSubmission start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxAssistants start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMailboxReplication start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeMonitoring start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangePop3 start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeProtectedServiceHost start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeRPC start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeSearch start= disable
"C:\Windows\System32\cmd.exe" /c sc config wsbexchange start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeSA start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeThrottling start= disabled
"C:\Windows\System32\cmd.exe" /c sc config MSExchangeTransportLogSearch start= disabled
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeAB
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeAntispamUpdate
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeEdgeSync
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeImap4
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeMailboxReplication
"C:\Windows\System32\cmd.exe" /c net stop MSExchangeProtectedServiceHost
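The command list above maps directly onto detection logic. As an added example (not SentinelOne’s own detection content), the Python below encodes those command families as rules and flags a dense burst of them from one parent process, which is the inhibit-recovery phase that precedes encryption. The process-creation log lines it runs over are constructed for the example in a simplified key=value format; the field names and the host/PID values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (technique label, regex over the command line). The patterns
# follow the observed LostTrust commands; case-insensitive because the
# payload mixes "wevtutil cl security" and "WMIC SERVICE ...".
RULES = [
    ("event_log_cleared",     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_service_stop",     re.compile(r"\bwmic\s+service\s+where\b.*\bcall\s+stopservice", re.I)),
    ("wmic_service_disabled", re.compile(r"\bwmic\s+service\s+where\b.*\bcall\s+changestartmode", re.I)),
    ("sc_service_disabled",   re.compile(r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled?", re.I)),
    ("net_stop_service",      re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I)),
    ("taskkill_force",        re.compile(r"\btaskkill(\.exe)?\s+/IM\s+\S+\s+/F\b", re.I)),
]

# Service and process families the post says LostTrust targets. Hits on
# these are counted separately because stopping backup, database and mail
# services is what the encryptor needs in order to lock their files.
HIGH_VALUE_TARGETS = re.compile(
    r"exchange|mssql|sqlservr|postgresql|pg_ctl|sharepoint|tomcat|firebird|wsbex|backp|sbs", re.I)

# Constructed log format: "<ISO timestamp> host=<name> ppid=<parent pid> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: one benign admin action on WS07, a LostTrust-style burst
# from a single parent on FS01, and an unrelated process on FS01 afterwards.
SAMPLE_LOG = r"""
2023-09-20T10:14:05Z host=WS07 ppid=812 cmd=net stop Spooler
2023-09-20T10:15:01Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c wevtutil cl Application
2023-09-20T10:15:01Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c wevtutil cl security
2023-09-20T10:15:02Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2023-09-20T10:15:03Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%MSSQL%'" CALL STOPSERVICE
2023-09-20T10:15:03Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c WMIC SERVICE WHERE "caption LIKE '%Exchange%'" CALL ChangeStartMode 'Disabled'
2023-09-20T10:15:04Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c sc config MSSQLSERVER start= disabled
2023-09-20T10:15:04Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c taskkill /IM sqlservr.exe /F
2023-09-20T10:15:05Z host=FS01 ppid=4120 cmd="C:\Windows\System32\cmd.exe" /c net stop MSExchangeIS
2023-09-20T10:16:30Z host=FS01 ppid=2200 cmd="C:\Program Files\Backup\agent.exe" --job nightly
""".strip().splitlines()


def classify(cmd: str) -> list:
    """Technique labels (in RULES order) that match one command line."""
    return [label for label, rx in RULES if rx.search(cmd)]


def parse_line(line: str):
    """Parse one constructed log line; None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "ppid": int(m["ppid"]), "cmd": m["cmd"]}


def detect_bursts(lines, gap=timedelta(seconds=60), min_techniques=3):
    """Flag (host, parent pid) pairs that fire several distinct techniques in a burst.

    Matching commands from the same parent are chained into a cluster while
    consecutive commands are at most `gap` apart; a cluster becomes an alert
    when it covers at least `min_techniques` distinct labels. A lone
    "net stop" from an administrator never reaches that threshold.
    """
    by_parent = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev and (labels := classify(ev["cmd"])):
            by_parent[(ev["host"], ev["ppid"])].append((ev["ts"], labels, ev["cmd"]))

    alerts = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e[0])
        clusters = []
        for ev in evs:
            if clusters and ev[0] - clusters[-1][-1][0] <= gap:
                clusters[-1].append(ev)
            else:
                clusters.append([ev])
        for cluster in clusters:
            techniques = sorted({lbl for _, labels, _ in cluster for lbl in labels})
            if len(techniques) < min_techniques:
                continue
            alerts.append({
                "host": host, "ppid": ppid, "techniques": techniques,
                "commands": len(cluster),
                "high_value_hits": sum(1 for _, _, c in cluster if HIGH_VALUE_TARGETS.search(c)),
                "span_seconds": int((cluster[-1][0] - cluster[0][0]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"{alert['host']} ppid={alert['ppid']}: {alert['commands']} commands in "
              f"{alert['span_seconds']}s, {alert['high_value_hits']} high-value targets, "
              f"techniques={alert['techniques']}")
```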

Supported Command-line Arguments

LostTrust payloads support the following command-line arguments:

--enable-shares  Enable discovery and encryption of accessible network volumes.
--onlypath       Only encrypt files in the specified path.
Supported command-line arguments in LostTrust

The --enable-shares option has been seen in previous SFile/Mindware samples. Notably, however, LostTrust does not include previously seen SFile or Mindware parameters such as --killsusp.

Encrypted files are modified with the “.losttrustencoded” file extension, and a LostTrust ransom note is written to each folder containing encrypted items as !!LostTrustEncoded.txt.

Files encrypted by LostTrust

Similarities to Mindware and SFile

We previously reported on the connection between Mindware and SFile, and LostTrust bears indications that it is an extension of this lineage. LostTrust payloads, like those deployed by MetaEncryptor before, are based on the SFile encryptor. As such, the payloads for LostTrust and MetaEncryptor behave in a similar fashion and produce similar artifacts. This includes overlap in the extensions included in the encryption process, as well as in what is excluded.

LostTrust handles exclusions via pattern/string matching, as its predecessors do. The full list of excluded patterns in observed LostTrust samples is:

$RECYCLE.BIN
all users\microsoft
All Users\Microsoft
Application Data\Microsoft
boot
cache
cache2
Common Files
Common\Microsoft
Default\Extensions
drivers
far manager
google
ida 6.8
ida 7.0
inetpub\logs
intel
Local Settings\Microsoft
Local\Microsoft
LocalLow\Microsoft
mozilla
msocache
perflogs
Program Files\Internet Explorer
Program Files\Microsoft Games
ProgramData\Microsoft
Roaming\Microsoft
System\msadc
Temp
Temporary Internet Files
tor browser
windows.old
windows\system
windows\system32
windows\syswow64
windows\winsxs
WindowsPowerShell
wsus
%windir%
$windows.~bt
$windows.~ws
autorun.inf
boot.ini
bootfont.bin
bootmgr
bootsect.bak
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
:\system volume information
! cynet ransom protection(don’t delete)
!losttrustencoded.txt
Mindware encryption exclusions
LostTrust encryption exclusions

Encryption inclusion/exclusion in LostTrust looks similar to its Mindware and SFile predecessors.

Victim Blog Site

The TOR-based blog site for LostTrust appears to be a direct facsimile of the MetaEncryptor blog. Formatting and contact information (TOX) all match up. While there are no direct victim overlaps between the LostTrust and MetaEncryptor sites, some victims listed on LostTrust have been previously listed on leaks sites such as Royal, LockBit 3, and Medusa.

MetaEncryptor and LostTrust blogs existing in parallel

At the time of writing, 53 victims are listed on the LostTrust blog and 13 on the MetaEncryptor blog. Both blog sites remain active, and the MetaEncryptor blog has also been updated recently.

Comparison of LostTrust, Mindware and SFile Ransom Notes

LostTrust vs. SFile ransom notes (head)
LostTrust vs. SFile ransom notes (tail): Contact Instructions

Ransom note construction is also similar across relevant Mindware and LostTrust malware samples.

Ransom note construction in Mindware
Ransom note construction in LostTrust

MetaEncryptor Strings and Artifacts

LostTrust, like SFile and Mindware, contains known references and functions around encryption staging.

MetaEncryptor references upon launch of LostTrust
MetaEncryptor references in SFile

The cross-references to MetaEncryptor encryption stage can be viewed within the LostTrust payload binaries as well.

Internal references to MetaEncryptor (LostTrust)

Debug Paths & String Artifacts

Throughout the timeline of SFile to LostTrust, we see some commonalities with regards to the included debug paths and string artifacts.

SFile                                    | Mindware         | LostTrust
C:\fake_exe.pdb                          | D:\fake.pdb      | C:\fake_exe.pdb
D:\fake.pdb                              | C:\fake_exe.pdb  |
D:\code\ransomware_win\bin\decoder.pdb   |                  |

There is some variance among the email addresses provided in the ransom notes across these families as well.

SentinelOne Detects and Protects Against LostTrust Ransomware

SentinelOne Singularity detects and prevents malicious behaviors and artifacts associated with LostTrust ransomware.

Conclusion

In this analysis we have provided a technical outline of where these ransomware families and operations overlap. When LostTrust’s blog emerged in September 2023, many eyebrows were raised given the immediate similarities noticed between the LostTrust and MetaEncryptor sites. Our current observations and analysis indicate that “LostTrust” is an evolution of SFile and Mindware.

Organizations without SentinelOne are recommended to review the indicators provided throughout this post.


Boosting Digital Safety | Top Tips for Cybersecurity Awareness Month

From global businesses and entire economies to local communities and individuals, cybercrime affects users at all levels. While cyber threats take on varying forms and degrees of severity, what’s clear is how much these risks have grown in recent years. Consider that:

  • The average data breach cost organizations $4.45 million USD
  • 72.7% of global businesses were affected this year by ransomware attacks
  • Phishing remains a top threat, with approximately 8 billion spam emails sent within the U.S. alone
  • So far in 2023, over 5.7 million mobile malware and adware attacks have targeted smartphone users
  • Identity fraud occurs every 22 seconds, and more than one-third of Americans have faced identity theft in their lifetime, with that rate set to increase

The need for digital security has become an undeniable aspect of daily life. Building a safer online experience for all users requires cybersecurity awareness and empowering users with practical tips and best practices.

For the past 20 years, the month of October has been dedicated to raising awareness about cybersecurity and online safety for both private and public sectors. In this blog post, learn all about this year’s security recommendations, how to apply them to your organization, and how to improve your cybersecurity this month and beyond.

Celebrating 20 Years of Cybersecurity Awareness Month

Cybersecurity Awareness Month was first launched in 2004 by the Department of Homeland Security and the National Cyber Security Alliance to join government branches and industries together in reducing online risk. October represents a time for open and ongoing discussion about the importance of cybersecurity, current risks and threats, and how to further innovation in the defense sector.

“Secure Our World” | What Actions Governments Are Taking

In recognition of the 20th annual observance of Cybersecurity Awareness Month, CISA has announced a new and ongoing cybersecurity awareness program called Secure Our World. The program promotes a handful of key security actions to help businesses and individuals improve cybersecurity in their organizations and lives. The “Secure Our World” theme is set to be integrated across CISA’s future awareness campaigns and aims to encourage users to take action in protecting their devices.

To kick off Cybersecurity Awareness Month 2023, President Biden called for action on the global stage to slow cyber threats that cross borders. This fall, the administration is preparing to convene the third annual International Counter-Ransomware Initiative in Washington, D.C., which gathers over 40 security partners from around the world to address the risks and damages caused by ransomware attacks.

The President further outlined the launch of a new virtual rapid response program at NATO to ensure that allied partners can effectively support each other during active cyber incidents. This is the latest action from the Biden-Harris administration in modernizing the federal government’s strategy to respond to the modern threat landscape. Efforts from this past summer include the launch of a U.S. Cyber Trust Mark program, the first ever Cybersecurity for K-12 Schools Summit, a new National Cyber Workforce & Education Strategy, and the passing of several legislative acts with an emphasis on incorporating cybersecurity measures into our infrastructure.

Four Key Ways to Stay Safe Online

This October, NIST has partnered with various federal agencies to highlight recommendations for better cybersecurity awareness. SentinelOne endorses the following four key cyber behaviors that businesses and individuals alike can focus on. These best practices can go a long way in helping users secure their online experiences and increase long-term resilience against future threats.

1 – Secure Your Accounts With MFA

Multi-factor authentication (MFA) is a staple in safeguarding users’ online presence. Imagine it as fortifying a digital fortress with an extra layer of security, rather than just relying on passwords. Considering that compromised credentials are behind more than half of all data breaches this year, MFA can be a steadfast defense mechanism for organizations and individuals.

MFA is a process that verifies a user’s identity at login. Users enter something they know, such as their password, followed by something they have, like an SMS code sent to a mobile device, or something they are, such as a fingerprint or a facial scan. This multi-tiered approach not only enhances device security but also keeps accounts private to their owners.

For businesses implementing MFA within their organizations:

  • Begin by identifying the most critical systems, applications, and data within the enterprise. These are the assets that require the highest level of protection and should be the first to have MFA implemented.
  • Select MFA methods that align with the organization’s needs and user preferences. Common MFA methods include SMS codes, mobile app-based authentication, hardware tokens, biometrics (fingerprint, facial recognition), and smart cards. Consider a combination of methods for flexibility.
  • Integrate MFA seamlessly with existing authentication systems and applications. Many identity and access management (IAM) solutions offer MFA integration options. This ensures compatibility and ease of use for employees.
  • Educate employees about the importance of MFA and provide training on how to use it. Users should understand the benefits of MFA and know how to recover their accounts if necessary.
  • Cyber threats evolve, and so should MFA policies. Regularly review and update any organization-wide MFA settings and authentication methods to adapt to changing security needs.

2 – Level Up Your Password Security

Online presences play an increasingly significant role in daily life, moving password security and identity management into the spotlight. According to recent findings, the number of digital identity apps in use is predicted to surpass 4.1 billion globally by 2027, nearly double the 2.3 billion in 2023.

The complexity and length of a password determine how well a private account resists unauthorized access but, too often, users resort to easily memorable but weak passwords. This is where password managers come in. These tools are designed to simplify and strengthen the management of passwords. They work by generating and securely storing complex, unique passwords for each of your online accounts. Instead of struggling to remember numerous intricate combinations, users need only remember a single, strong master password.

Password managers greatly reduce the risk of brute force or dictionary attacks. By eliminating the need for users to memorize multiple passwords, they reduce the temptation to reuse weak passwords across accounts. Many tools available on the market now come equipped with features like password strength assessment, MFA, and secure password sharing for enhanced security.

For businesses implementing password security policies within their organizations:

  • Implement regular password rotation policies, prompting users to change their passwords at set intervals. Avoid overly frequent rotations, which can lead to weaker passwords as users opt for easily memorable options.
  • Prevent users from reusing their previous passwords. Maintain a history of past passwords to ensure that users do not recycle old, potentially compromised ones.
  • Enforce account lockout policies that temporarily lock accounts after a certain number of failed login attempts. This helps deter brute force attacks.
  • Provide ongoing cybersecurity education and training to employees. Ensure they understand the importance of strong passwords, recognize social engineering, and follow security best practices.
  • Conduct regular security audits and assessments to identify weak or compromised passwords. Promptly address any vulnerabilities discovered.
  • Implement Privileged Access Management (PAM) solutions to tightly control and monitor access to critical systems and data. This includes robust password management for privileged accounts.
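Three of the controls above (no reuse of recent passwords, lockout after repeated failures, and hashed rather than plaintext storage) are easy to state and easy to get subtly wrong. As an added example, not code from the SentinelOne post, here is a small policy enforcer that implements them together; the thresholds are constructed defaults for the demonstration, not values the post recommends.

```python
# Added example (not from the SentinelOne post): account policy enforcement
# covering salted hashing, a password-history reuse check and login lockout.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 100_000  # illustrative; size to your hardware and policy


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest first
    failures: int = 0       # consecutive failed logins since the last success
    locked_until: int = 0   # Unix time until which logins are refused


class AccountPolicy:
    def __init__(self, min_length: int = 12, history_size: int = 5,
                 max_failures: int = 5, lockout_seconds: int = 900):
        self.min_length = min_length
        self.history_size = history_size
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.accounts: Dict[str, Account] = {}

    def _account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def set_password(self, user: str, new_password: str) -> None:
        """Reject short passwords and any of the last `history_size` passwords."""
        acct = self._account(user)
        if len(new_password) < self.min_length:
            raise ValueError("password shorter than the policy minimum")
        # Every stored entry has its own salt, so the candidate is rehashed under
        # each salt; old hashes stay usable for the reuse check without anything
        # reversible being stored.
        for salt, digest in acct.history:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                raise ValueError("password was used recently; choose a different one")
        salt = os.urandom(16)
        acct.history.insert(0, (salt, hash_password(new_password, salt)))
        del acct.history[self.history_size:]  # keep only the newest N entries

    def authenticate(self, user: str, password: str, now: int) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        acct = self._account(user)
        if now < acct.locked_until:
            return "locked"  # refuse outright; the password is not even checked
        if not acct.history:
            return "bad_password"
        salt, digest = acct.history[0]
        if hmac.compare_digest(hash_password(password, salt), digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = now + self.lockout_seconds
        return "bad_password"
```

Two design points worth noting: while an account is locked the password is not evaluated at all, so the lockout response cannot be used to learn whether a guess was right, and the history is bounded, so an old password becomes usable again only after it ages out of the last N entries.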

3 – Fight Emerging Threats With Software Updates

Having robust patch management policies helps organizations fight against vulnerabilities, which can be exploited by malicious actors. Software vendors regularly release patches and updates to address known vulnerabilities and security weaknesses in their products. Neglecting to apply these patches promptly can leave systems exposed to a wide array of cyber threats, from malware and ransomware attacks to data breaches. Cybercriminals are quick to capitalize on these weaknesses, making swift patch deployment a priority for IT teams.

The consequences of failing to prioritize patch management can be severe. Breaches can lead to significant financial losses, damage to an organization’s reputation, and legal and regulatory repercussions. The reality is that the time and resources needed after a successful breach are often far more extensive than the effort of implementing proactive patch management.

For businesses implementing patch management policies within their organizations:

  • Start with creating a comprehensive inventory of all hardware and software assets within your organization. This includes servers, workstations, network devices, and applications.
  • Conduct regular vulnerability assessments and scans to identify potential security weaknesses and vulnerabilities in systems and software. This step helps prioritize patching efforts.
  • Prioritize patches based on criticality and impact. Focus on patches that address vulnerabilities that are actively exploited or have a high risk of exploitation.
  • Test patches thoroughly in a controlled environment before deploying them to production systems. Involve IT teams and business units in testing to ensure all aspects are considered.
  • Implement a phased deployment strategy to minimize disruption. Start with non-production systems and gradually roll out patches to critical systems. Use automation tools for efficient deployment.

4 – Learn How to Spot & Report Phishing Bait

Phishing attacks have evolved as cybercriminals refined their tactics over the years. Early phishing was relatively basic: a few generic emails filled with easy-to-spot spelling errors. Nowadays, phishing has become a top attack method involving sophisticated and convincing campaigns. Modern phishing attacks employ advanced social engineering techniques, exploit psychological triggers, and often impersonate trusted entities with astonishing accuracy. As a result, even the most vigilant users can be tricked.

In the corporate context, phishing attacks often serve as the gateway for larger-scale data breaches, ransomware attacks, and financial fraud. This makes employees the first line of defense. By promptly recognizing and reporting phishing attempts, they can help security teams take immediate action to neutralize threats and protect sensitive company data. Encouraging employees to verify email sources, spot malicious links and attachments, and follow a spam reporting process can help organizations develop their long-term cybersecurity posture.

Businesses can implement the following measures to develop their phishing awareness and reporting policies:

  • Conduct regular phishing awareness training sessions for employees. Educate them on how to recognize phishing attempts, verify email sources, and report suspicious emails promptly. Train employees to validate the legitimacy of websites and links in emails. Hover over links to view the URL before clicking on them.
  • Implement email authentication protocols like SPF, DKIM, and DMARC to help prevent email spoofing and domain impersonation.
  • Develop and enforce robust security policies and procedures related to email and communication security. Ensure employees are aware of and adhere to these policies.
  • Use endpoint security solutions that can detect and prevent malware downloads and malicious activity stemming from phishing emails.
  • Implement continuous monitoring of email traffic and user behavior to detect anomalies and suspicious activities.
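SPF, DKIM and DMARC only "prevent spoofing" when the receiving server actually evaluates them against the sender's published policy, and the alignment rules are where most misconfigurations hide. As an added example, not code from the SentinelOne post, here is that evaluation written out per RFC 7489: parse the DMARC record, test SPF and DKIM identifier alignment (strict or relaxed), and derive the disposition. The DMARC record, domains and authentication results are constructed sample data; DNS lookups are left out so it runs offline, and the organizational-domain derivation is a simplification (real receivers consult the Public Suffix List).

```python
# Added example (not from the SentinelOne post): DMARC policy evaluation
# on the receiving side, using constructed records and auth results.
from typing import Dict, List, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # values like mailto: contain ':' but not '='
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("unknown policy %r" % tags["p"])
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    # Real deployments use the Public Suffix List so 'example.co.uk' works.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record: str, record_domain: str, from_domain: str,
                   spf: Tuple[str, str], dkim: List[Tuple[str, str]]) -> Tuple[str, str]:
    """spf = (result, MAIL FROM domain); dkim = [(result, d= domain), ...].
    Returns (dmarc_result, disposition) for the message."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for result, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned, passing identifier is enough
    # A record published at the organizational domain applies sp= (when set)
    # to mail whose From domain is one of its subdomains.
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    # pct= sampling (applying the policy to only a share of failing mail) is
    # omitted here and treated as 100.
    return "fail", policy


# Constructed sample record, as it would be published at _dmarc.example.com.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # A spoofed From: example.com whose SPF and DKIM pass only for a third party's domain.
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "example.com",
                         ("pass", "bulk.sender.invalid"), [("pass", "sender.invalid")]))
    # Legitimate mail: DKIM signed by the From domain, SPF via a mail subdomain.
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "example.com",
                         ("pass", "mail.example.com"), [("pass", "example.com")]))
```

The spoofing case shows why a passing SPF or DKIM result on its own proves nothing: the attacker's own domain can pass both, and only the alignment with the visible From domain ties the result to the brand being impersonated. The strict `aspf=s` case is also the classic self-inflicted failure, where a domain's own mail relays use a subdomain for the envelope sender and DKIM is the only identifier left to save it.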

SentinelOne As a Force for Good

SentinelOne is trusted by industry leaders and organizations to protect digital ecosystems through AI-driven detection and response capabilities, deep visibility, and data enrichment. As leaders in the cybersecurity space, SentinelOne continues to focus on circulating cyber threat intelligence and best practices in order to secure our digital futures.

Through their CyberSafe University, Global SentinelOne Ambassadors were able to engage more than 8,000 K-12 students worldwide across 40+ schools in 6 countries in learning about cybersecurity fundamentals. The program was most recently expanded to include training materials in 10 languages, topics on smartphone and tablet safety for all ages, a parent resource, and a high school curriculum for youth interested in pursuing a career in cybersecurity.

For our partners, we offer SentinelOne University training programs that help raise the knowledge and skill set of cybersecurity professionals using SentinelOne technology to protect their people and data.

Conclusion

Cybersecurity has evolved into a critical aspect of our daily lives, underpinning not only personal data protection but also the resilience of businesses, governments, and entire economies. Right now, knowledge remains the best defense within the current threat landscape. By sharing awareness tips and best practices through global efforts like Cybersecurity Awareness Month, the defense community can empower both individuals and organizations to build up their resilience against real-world attacks and ongoing risks.

Fostering a community centered around cyber threat intelligence promotes collaboration and information-sharing among experts, security practitioners, and interested individuals. Pooling resources, intelligence, and expertise, helps the community enhance the collective cybersecurity posture.

To join the conversation and learn more about how to protect your organization, contact SentinelOne today or request a demo of our AI-powered threat detection and response platform, Singularity XDR.

Beyond the WebP Flaw | An In-depth Look at 2023’s Browser Security Challenges

This week, Firefox users were urged to apply Mozilla’s latest updates against a critical flaw that could allow attackers to take control of affected systems. It follows hard on the heels of similar updates for Microsoft Edge, Google Chrome, and Apple’s Safari browser. All have been heavily impacted by an actively exploited vulnerability in the WebP code library.

Although the WebP vulnerability affects other software as well, browsers are by far the most ubiquitous and widely used applications on end user devices. Having a foothold in a compromised browser gives threat actors access to sensitive information and potential avenues into targeted environments.

In this post, we take a deep dive into browser security, exploring the differences between vulnerabilities and exploits, zero days and N-days, and highlighting the major browser vulnerabilities seen in 2023. We’ll discuss the various kinds of attacks that threat actors perpetrate via browser software, and round off with a guide on how to bolster browser security in the enterprise.

Key Concepts | The Difference Between Vulnerabilities & Exploits

Vulnerabilities are essentially weaknesses or flaws in software, hardware, or systems that have the potential to be exploited. These can result from coding errors, misconfigurations, or design flaws, and they exist as unintentional openings for security threats.

Vulnerabilities can exist in various aspects of technology, including operating systems, applications, network protocols, and even human behavior. Not every vulnerability can be exploited, and not every exploit can lead to code execution or data loss.

The likelihood and ease of a malicious actor being able to turn a vulnerability into an exploit, along with what that exploit could be used to do, is an informal way to understand the concept of vulnerability severity ranking. A more formal understanding of CVSS and vulnerability metrics can be found here.

Exploitation is the active act of taking advantage of vulnerabilities to carry out malicious actions. It involves utilizing the identified weakness to gain unauthorized access, compromise data, disrupt services, or perform other harmful activities. Exploitation can manifest in various forms, such as code execution, privilege escalation, data theft, or remote control over a compromised system.

Vulnerabilities and exploitation are two distinct but interconnected concepts in web browser security. While there may be many vulnerabilities that exist in web browser code today, not all of them are exploitable or actively exploited by threat actors.

Unpatched Vulnerabilities | Understanding Zero-Days and N-Days

When attackers discover a zero-day vulnerability, they have an opportunity to exploit it before the developer becomes aware and can release a security patch. The name ‘zero day’ stems from the uncomfortable fact that, since the developer is unaware of the bug, they have had no time (zero days) to fix it. After an unpatched flaw becomes known, it is often referred to as an N-day vulnerability from then on, where N represents the number of days from discovery to the issuing of a patch.

Both zero days and N-days represent a window of opportunity for cybercriminals to compromise user data, spread malware, or gain unauthorized access to systems. Exploiting these vulnerabilities can have far-reaching consequences, affecting a large number of users across various platforms. Zero-day vulnerabilities in web browsers represent one of the most critical and challenging aspects of cybersecurity.

Exploited Vulnerabilities in Major Browsers in 2023

The WebP vulnerability isn’t the only recent CVE affecting internet browsers. Among the patches Google has made to Chrome in 2023 are:

  • CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library
  • CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
  • CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in vp8 encoding in libvpx

Meanwhile, Apple has had its fair share of zero days to patch in WebKit (the browser engine that powers Safari, among other web applications) this year.

  • In February, a patch was issued for a WebKit zero-day, CVE-2023-23529, used in attacks to gain code execution on iPhone, iPad, and Mac devices.
  • In April, a WebKit use-after-free vulnerability, CVE-2023-28205, was patched to prevent an exploit that could lead attackers to gain code execution on compromised devices.
  • In May, three WebKit flaws, CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, were patched after reports they were being used in attacks.
  • In July, Apple patched CVE-2023-37450, a flaw in WebKit that was also being actively exploited in the wild.

Mozilla has also patched multiple vulnerabilities throughout 2023, including CVE-2023-34414 and CVE-2023-34416, CVE-2023-4584 and CVE-2023-4585, and the critical severity CVE-2023-5217 bug in Firefox 118 related to the libvpx (WebP) vulnerability known to be actively exploited in the wild.

Microsoft Edge has likewise patched against the WebP vulnerability in recent days. In addition, last August’s Patch Tuesday saw the patching of two actively exploited zero days, CVE-2023-36884 and CVE-2023-38180, along with another 23 remote code execution vulnerabilities, six of which were rated as ‘critical’.

Like many other popular web browsers (Vivaldi, Brave, Opera), Edge is a Chromium-based browser, so many of the vulnerabilities found in Google Chrome apply to these browsers as well.

Extensions and Add Ons | Expanding the Attack Surface

While browsers themselves represent a readily available attack surface, browser extensions, plug-ins and add-ons are also a vector for malware, particularly infostealers.

Following ChatGPT’s rise in popularity, for example, threat actors were observed jumping aboard the AI train, crafting fake ChatGPT browser extensions to hijack thousands of Facebook business accounts and propagate a malicious infostealer called “Quick access to ChatGPT”.

Malicious extensions have also been found on reputable download sites. In June this year, Google removed 32 malicious extensions from the Chrome Web Store that, combined, had been downloaded over 75 million times. The extensions contained the legitimate functionality users expected, but also obfuscated code with malicious intent. In one example, a PDF Toolbox extension was used to inject JavaScript into every website users of the extension visited. Although it wasn’t clear what the threat actor’s objective was, such techniques can be used to hijack search results and inject malicious links.

While Google took action to remove the identified extensions from its Web Store, that removal doesn’t automatically deactivate or uninstall these extensions from the browser.
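Because a store takedown does not reach extensions already installed, the practical follow-up is an inventory of what is actually on the endpoints and a check of each entry against an approved list and any blocklist. As an added example, not code from the SentinelOne post, the script below does that for a Chromium-family profile: Chromium keeps each installed extension under `<profile>/Extensions/<id>/<version>/manifest.json`, and that layout is all it reads. It also flags the pattern from the PDF Toolbox case, an unapproved extension whose content scripts or host permissions cover every site. The sample profile, extension IDs and allowlist are constructed for the demonstration.

```python
# Added example (not from the SentinelOne post): inventory and audit of the
# extensions installed in a Chromium-family browser profile.
import json
import os
import tempfile
from typing import Dict, Iterable, List, Optional

# Host patterns that grant access to every site, and APIs that can read or
# alter browsing data; either deserves a second look on an unapproved extension.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "scripting",
                  "declarativeNetRequest", "cookies", "history", "tabs"}


def inventory_extensions(extensions_dir: str) -> List[Dict]:
    """One record per installed extension version found under extensions_dir."""
    found = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            manifest_path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                m = json.load(fh)
            perms = set(m.get("permissions", []))
            # MV2 lists host patterns in "permissions"; MV3 moved them to "host_permissions".
            hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
            found.append({
                "id": ext_id,
                "version": version,
                "name": m.get("name", "?"),  # may be a __MSG_*__ placeholder when localized
                "host_permissions": sorted(hosts),
                "api_permissions": sorted(perms & SENSITIVE_APIS),
                "content_script_all_sites": any(set(cs.get("matches", [])) & BROAD_HOSTS
                                                for cs in m.get("content_scripts", [])),
            })
    return found


def audit(inventory: Iterable[Dict], allowlist: Iterable[str],
          blocklist: Iterable[str] = ()) -> List[Dict]:
    """Flag blocklisted extensions and unapproved ones with broad reach."""
    allow, block = set(allowlist), set(blocklist)
    findings = []
    for ext in inventory:
        reasons = []
        if ext["id"] in block:
            reasons.append("on blocklist")
        if ext["id"] not in allow:
            if BROAD_HOSTS & set(ext["host_permissions"]) or ext["content_script_all_sites"]:
                reasons.append("not approved and has access to all sites")
            elif ext["api_permissions"]:
                reasons.append("not approved and uses " + ", ".join(ext["api_permissions"]))
        if reasons:
            findings.append({"id": ext["id"], "name": ext["name"],
                             "version": ext["version"], "reasons": reasons})
    return findings


# Constructed sample profile with fake IDs (real IDs are 32 letters a-p).
SAMPLE_EXTENSIONS = {
    "a" * 32: ("1.2.0", {"manifest_version": 3, "name": "Approved Notes",
                         "permissions": ["storage"]}),
    "b" * 32: ("0.9.1", {"manifest_version": 3, "name": "PDF Helper (sample)",
                         "permissions": ["scripting", "storage"],
                         "host_permissions": ["<all_urls>"],
                         "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}),
    "c" * 32: ("2.0.0", {"manifest_version": 2, "name": "Legacy Theme",
                         "permissions": ["tabs"]}),
}


def build_sample_profile(root: Optional[str] = None) -> str:
    """Write SAMPLE_EXTENSIONS to disk in Chromium's layout; returns the Extensions dir."""
    root = root or tempfile.mkdtemp()
    ext_dir = os.path.join(root, "Default", "Extensions")
    for ext_id, (version, manifest) in SAMPLE_EXTENSIONS.items():
        path = os.path.join(ext_dir, ext_id, version)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return ext_dir


if __name__ == "__main__":
    for finding in audit(inventory_extensions(build_sample_profile()), allowlist=["a" * 32]):
        print(finding["id"][:8], finding["name"], finding["reasons"])
```

On a real fleet the same inventory would be pointed at each user's profile directory and the allowlist kept in sync with whatever the browser's enterprise extension policy permits; the on-disk check is what catches the gap between "removed from the store" and "removed from the endpoint".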

Browsers Beware | Websites Offering (Fake) Chrome Updates

As browsers are in such wide and continual use, they also provide good lures for social engineering campaigns. Threat actors use malicious or compromised websites to convince users that their browser needs to be updated in order to view a site, then offer a malicious download posing as the supposedly needed update.

In a recent example of this kind of campaign, security researchers identified a new IDAT loader being used to deliver infostealers like Stealc, Lumma, and Amadey. The campaign falsely presents itself as a Chrome browser update, which redirects victims to another URL where a binary automatically downloads. After opening the fake update binary, “ChromeSetup.exe”, it proceeds to download the next stage payload.

Plugins and Cross-Site Scripting (XSS) Vulnerabilities

Cross-Site Scripting (XSS) is a common web application security vulnerability involving malicious code being injected into a website or web application, which is then served to other users who visit the site. XSS attacks are typically executed via web browsers.

CVE-2023-30777, discovered in May 2023, involved a vulnerability in the WordPress Advanced Custom Fields PRO Plugin (versions 6.1.5 and earlier). The flaw could allow an attacker to inject malicious scripts or other HTML payloads that execute when someone visits a site containing the vulnerable Plugin.

XSS vulnerabilities can also allow attackers to inject malicious scripts, often written in JavaScript, into input fields or other user-generated content areas of a web application. These scripts can be hidden within innocent-looking data, such as comments, search queries, or form submissions. When unsuspecting users visit the compromised web page, their web browsers render the injected script as part of the page content.
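The mechanism in the paragraph above comes down to one mistake: user-supplied text is placed into a page without being encoded for the context it lands in. As an added example, not code from the SentinelOne post or the plugin it mentions, here is a comment renderer in its vulnerable and hardened forms, plus a link builder that shows why escaping alone is not enough in an `href` attribute. The comment strings and URLs are constructed test input.

```python
# Added example (not from the SentinelOne post): stored-XSS pattern shown as a
# vulnerable renderer beside a hardened one, in plain Python with no framework.
import html
from urllib.parse import urlsplit


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: raw interpolation, so any markup in the comment becomes page content."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: encode for the HTML text context before interpolating."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def safe_link(href: str, text: str) -> str:
    """Links need two defences: attribute escaping AND a scheme allowlist,
    because escaping does nothing against a 'javascript:' URL that is
    syntactically harmless but executes when clicked."""
    href = href.strip()
    if urlsplit(href).scheme.lower() not in ("http", "https"):
        href = "#"  # refuse anything that is not a plain web URL
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    comment = "<script>alert('xss')</script>"  # constructed test input
    print(render_comment_unsafe("guest", comment))  # script tag reaches the browser
    print(render_comment_safe("guest", comment))    # rendered as visible text instead
    print(safe_link("javascript:alert(1)", "click"))  # href replaced with "#"
```

The general rule the example illustrates is that encoding is per context: `html.escape` is right for element text and, with `quote=True`, for quoted attribute values, but a URL attribute additionally needs a scheme check, and content going into a script block or a CSS value needs different encoding again. Modern template engines apply the text-context escape automatically; the bugs appear where output is built by hand or marked "safe".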

Malvertising | Kryptonite for Browser Software

As browsers’ primary purpose is to visit websites and render their content, they are inevitably subject to abuse from malicious code found on those sites. One of the more common forms of such code is malverts – online advertisements that spread malware.

Bad actors purchase ad space just like regular businesses, often using automated systems to place their orders. They then create adverts with embedded malicious code and deliver it through legitimate advertising networks.

Even popular and trusted websites have been found unintentionally serving malicious ads. Malverts can be used to deliver drive-by downloads that can be triggered without user interaction in the presence of certain browser vulnerabilities as well as by malicious links contained in the advertisements.

Browser Adware | More Than Just a Nuisance

Adware, or “advertisement software”, is a scourge that displays intrusive advertisements on a device without obtaining the user’s consent or even their knowledge. Often, adware is bundled with the installation of web browser extensions or plug-ins. Once established, adware operates by tracking a user’s online behavior, collecting data, and then presenting targeted ads promoting the advertiser’s interests. Additionally, adware may redirect a user’s web browser to specific websites or gather personal information.

Adware degrades system performance by consuming valuable system resources and bandwidth. Most alarmingly, adware can serve as a conduit for other malicious software, including spyware and ransomware. Adware developers are among some of the most sophisticated developers out there, often using malware-style obfuscation and anti-analysis tricks to avoid detection and removal by users or security software.

Improving Web Browser Security

While browser vendors have continued to provide patch updates and develop new extensions and add-ons to address risks in their products, organizations can do much on their side to minimize the threat and protect their browsing sessions.

1 – Establish Good Browser Hygiene

  • Keeping browser software updated is a crucial part of cyber hygiene. Most popular browsers will update automatically when restarted and/or provide notifications when an update is available. To ensure that the update is legitimate, updates should always be done through the browser’s built-in update mechanism. Manual downloads should be avoided and in any case only ever sourced from the developer’s official software update site.
  • Web browsers often offer the option to save passwords for convenience. However, this convenience can come at the cost of security. Storing passwords in a browser makes them more vulnerable to theft in case of a security breach. As an alternative, use a reputable password manager instead. Password managers not only store credentials securely but also generate strong, unique passwords for each account.
  • Bookmarking can also help enhance general browser hygiene. Cybercriminals can create spoofs of commonly accessed sites that trick users into entering credentials and sensitive information. To mitigate this risk, use bookmarking for frequently used sites. This reduces the likelihood of accidentally stumbling upon a fake, lookalike site.

2 – Create Organization-Wide Browser Policies & Training Materials

Organizational leaders can work with the IT team to automate general browser security practices. By establishing best-practice settings for managing pop-ups, turning on auto-updates, and only downloading IT-approved browser security add-ons, all levels of users can browse the internet safely.

On the user level, requiring ongoing cybersecurity training helps build a better defense posture and protect the businesses’ digital assets. Users can learn to spot common threats like phishing attacks, malicious downloads, and spoofing and then flag issues immediately. Cybersecurity training also reiterates the importance of keeping browsers and related software up to date, as well as the risks associated with storing sensitive data in browsers.

3 – Invest In Threat Detection & Response Solutions

Having robust detection and response capabilities is key to keeping web browser sessions safe. XDR provides a holistic approach to security by integrating data from various sources, including web browsers. This means security teams can keep a watchful eye across all systems to raise the flag on potential threats and actively exploited browser vulnerabilities in real time.

XDR solutions also use advanced analytics and machine learning (ML) algorithms to detect unusual or suspicious browser behavior, helping organizations pinpoint browser-based vulnerabilities before they can develop into full attacks. By analyzing user activity, network traffic, and endpoint data, XDR systems can identify signs of compromise or malicious activities that may otherwise go unnoticed.

In the context of browser-based cyber attacks, XDR allows security teams to respond quickly and effectively. When an attack is detected, it isolates affected endpoints, blocks malicious domains, and applies remediation actions right away to reduce the impact of the threats on an organization’s network.

Conclusion

Given the ubiquity of web browsers across desktop and mobile devices, it is unsurprising that they remain an attractive vector for threat actors looking to steal digital identities and personal information, or to launch full cyberattacks. Compromising a web browser can be used to gain a foothold on an operating system, hijack internet traffic or compromise online accounts.

Improving web browser security is a multi-layered approach that combines establishing good cybersecurity hygiene, ensuring ongoing user education, and having the right detection and response technology on hand.

Global organizations continue to trust SentinelOne for its AI-powered detection and response capabilities designed to drive enterprise-wide visibility against today’s cyber threats. Learn more about our XDR solution by contacting us or booking a demo.

The Microsoft Paradox | Dominance & Vulnerability in the World of Cybersecurity

Recent reports have estimated that Microsoft’s security business now makes over $20 billion a year. The International Data Corporation (IDC) estimates that the tech giant had the highest market share, 18.9%, in 2022, an increase of 7.2%. Research firm Gartner estimates that Microsoft controlled about 8.5% of the entire security software market in 2021, a larger share than any other vendor.

While Microsoft’s security business has accelerated faster than all other major parts of the company, the cybersecurity community has been vocal about Microsoft’s problematic business model and failure to keep its products secure from threat actors. This makes the decision-making process for modern business owners a real challenge. Microsoft may have secured its dominance in the cybersecurity arena, making it a common choice for prospective customers, but its failures have heavily impacted both consumers and the greater industry alike.

This blog post considers the current cybersecurity landscape through the lens of Microsoft’s dominance across the enterprise software stack, highlighting the challenges this creates for security leaders. By understanding these dynamics, businesses can make more informed decisions about how best to defend the enterprise.

Understanding Microsoft’s Journey In Cybersecurity

Microsoft’s history of security failures and its subsequent efforts to fix them provide valuable insights into the broader landscape of digital security. These insights underscore the importance of vigilance, transparency, innovation, and strategic positioning in the face of ever-changing cyber threats.

2010 to 2015: The Rise of Cloud & Windows 10

  • 2010: Introduction of Microsoft Azure, marking Microsoft’s entry into cloud computing.
  • 2013: Microsoft’s Windows 8.1 is found vulnerable to a privilege escalation attack, allowing unauthorized access to sensitive data.
  • 2015: Release of Windows 10 introduces novel security features as well as new vulnerabilities.

2016 to 2018: Security Challenges & Responses

  • 2016: BadTunnel vulnerability affects all Windows versions, allowing attackers to hijack network traffic.
  • 2017: WannaCry ransomware attack exploits Windows’ SMB protocol, impacting over 200,000 computers worldwide.
  • 2018: Announcement of Microsoft Secure Score, a security analytics tool to enhance organizational security posture.

2019 to 2020: Increasing Threats & Security Innovations

2021: A Year of High-Profile Vulnerabilities

Present and Ongoing: Regulatory Scrutiny & Industry Response

  • Ongoing: Cyber Safety Review Board (CSRB) investigates major cyber events, including Microsoft’s breaches, to drive improvements.
  • Ongoing: SentinelOne and other cybersecurity vendors in the space position themselves as secure alternatives, highlighting Microsoft’s security challenges.

The Dangers of a “One Vendor To Rule Them All” Approach

Vulnerabilities found in Microsoft’s suite of products and services have had a profound impact on both the industry and consumers. Most recently, the tech giant faced numerous breaches by Chinese-based threat actors and has since been criticized for its lack of attention to cybersecurity practices.

The cybersecurity community has not been shy about voicing its concern over Microsoft’s historical security lapses, starting with criticism stemming from the Code Red and SQL Slammer outbreaks in the early 2000s. These high-profile incidents exposed vulnerabilities that have had cascading effects on the wider internet infrastructure and highlight the need for stronger security practices.

Microsoft products have long been an attractive target for cybercriminals, and any security weakness in Microsoft software can have far-reaching consequences, impacting millions of users and organizations worldwide.

The historical ubiquity of Microsoft software across industries has led to a number of present day cybersecurity challenges.

  • Enterprise Businesses – The reliance on Microsoft products, particularly Windows and Office, means that any security breach can result in large-scale data breaches, financial losses, and reputational damage.
  • Finance – The interconnected nature of the global financial system makes it vulnerable to cyberattacks that exploit Microsoft’s weaknesses. This sector has seen a marked uptick in attacks in recent years.
  • Healthcare – The security of patient records and critical medical systems is paramount to safeguarding lives. Microsoft vulnerabilities can be exploited to compromise the confidentiality and integrity of patient data, violate privacy regulations and potentially endanger lives.
  • Public Sector – Government agencies are also susceptible to attacks, with the potential to disrupt essential services and compromise sensitive information, including national security data. The U.S. State Department has recently moved to diversify its software stack and to reduce reliance on a single vendor.
  • Supply Chain – The global supply chain, which relies heavily on Microsoft software for inventory management, logistics, and communication, faces disruptions that can ripple across industries, causing delays and economic losses.
  • Individual Users – Everyday consumers are not exempt; compromised Microsoft products can lead to identity theft, financial fraud, and the loss of personal data, affecting millions of individuals.

Microsoft’s response to software vulnerabilities and security breaches has been a mix of acknowledgment, remediation, and attempts to make strategic changes across its suite of products.

The company’s “Patch Tuesday” offers regular security updates and patches to address known vulnerabilities in its software. However, there have been criticisms and concerns regarding the effectiveness and timeliness of these updates, leading to delays in patching critical vulnerabilities. Microsoft’s once-a-month release of security updates has been criticized as cumbersome for IT teams and has led to delayed patching, leaving systems exposed to known vulnerabilities.

Microsoft’s suite of products is also unique in its vastness, encompassing a diverse range of software, services, and applications. Lack of visibility across this range can leave organizations exposed to security risks that may go undetected until a breach occurs. Administrators must work around blind spots within the complete ecosystem, making it a challenge to configure and manage security effectively across all solutions.

How Competitors’ Responses Stack Up to Microsoft’s History of Security Issues

Constructive criticism and feedback within the cybersecurity community fosters healthy competition and continuous improvement. As Microsoft works to address its pain points, other security leaders in the industry have openly responded to the tech giant’s history of vulnerabilities and security events.

Competitors like SentinelOne have challenged Microsoft to provide more comprehensive enterprise protection. They often highlight the need for more sophisticated threat detection, response, and automation capabilities. Outside of endpoint protection, competitors have also pointed out potential weaknesses in Microsoft’s cloud security offerings. With the increasing adoption of cloud services, they argue that their own cloud-native security solutions are more adept at protecting organizations in cloud environments.

SentinelOne’s Singularity XDR provides autonomous cybersecurity and has the following main features:

  • Ongoing Protection – SentinelOne’s military-grade prevention and response is powered by AI technology and works without an internet connection. In the latest MITRE ATT&CK evaluation, SentinelOne achieved 100% protection and detection in real time, with no configuration changes.
  • Threat Detection – Singularity XDR delivers comprehensive and easy-to-visualize threat coverage to help organizations reduce risk, costs, and inefficiencies.
  • Integration – One-click integration of Singularity XDR with an existing tech stack through Singularity Marketplace, plus direct integration with other best-of-breed platforms such as Zscaler, Okta, and Mimecast to automatically enrich alerts.
  • Ease of Use – Singularity XDR shows the value of a single platform. By consolidating endpoint, cloud, and identity protection in one management console, IT and security operations center (SOC) teams get full context.

Conclusion

Looking at the current cybersecurity landscape, it is clear that there is no one-size-fits-all solution. For security leaders, an essential part of making informed decisions for their businesses lies in understanding the current threat landscape and how this interacts with the combined systems, services and software the enterprise deploys.

As organizations across the public and private sectors seek to lock out threat actors by reducing their dependence on vulnerable software and closing common routes of initial access, a key decision many are making is to reduce their reliance on a single vendor and to seek out the right solutions for the different challenges they face. By leveraging innovative solutions and specialized expertise, enterprises can better safeguard their digital assets.

Enterprises across all industries continue to place their trust in SentinelOne’s unique approach to endpoint, cloud, and identity security. To learn more about how SentinelOne secures the entire ecosystem, contact us today or request a demo.

Don’t Let Zombie Zoom Links Drag You Down

Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.

Image: @Pressmaster on Shutterstock.

At issue is the Zoom Personal Meeting ID (PMI), a permanent identification number linked to your Zoom account that serves as your personal meeting room, available around the clock. The PMI becomes the meeting ID in the URL of every meeting started from that personal room, such as:

zoom.us/j/5551112222

Zoom has an option to embed an encrypted passcode in the meeting invite link as a pwd query parameter, which simplifies the process for attendees by eliminating the need to enter the passcode manually. Following the previous example, such a link looks something like this:

zoom.us/j/5551112222?pwd=jdjsklskldklsdksdklsdkll

Using your PMI to set up new meetings is convenient, but of course convenience often comes at the expense of security. Because the PMI stays the same for every meeting, anyone with your PMI link can join any meeting in progress in that room unless you have locked the meeting or enabled Zoom’s Waiting Room feature.

Including an encrypted passcode in the Zoom link definitely makes it easier for attendees to join, but it can open your meetings to unwanted intruders if not handled responsibly, particularly if that link is indexed by Google or some other search engine, which happens to be the case for thousands of organizations.

Armed with one of these links, an attacker can create meetings and invite others using the identity of the authorized employee. Many companies using Zoom have also made it easy to find their recently created meeting links with embedded passcodes, because they use dedicated company subdomains at zoom.us, which lets a search be narrowed to a single organization.

Using the same method, KrebsOnSecurity also found working Zoom meeting links for The National Football League (NFL), LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber, from just a few minutes of searching. To illustrate the persistence of some of these Zoom links, Archive.org shows that several of them were first captured as far back as 2020 and 2021.

KrebsOnSecurity received a tip about the Zoom exposures from Charan Akiri, a researcher and security engineer at Reddit. In April 2023, this site featured research by Akiri showing that many public Salesforce websites were leaking private data, including banks and healthcare organizations (Akiri said Salesforce also had these open Zoom meeting links before he notified them).

The Zoom links that exposed working meeting rooms all had enabled the highlighted option.

Akiri said the misuse of PMI links, particularly those with passcodes embedded, can give unauthorized individuals access to meetings.

“These one-click links, which are not subject to expiration or password requirement, can be exploited by attackers for impersonation,” Akiri said. “Attackers exploiting these vulnerabilities can impersonate companies, initiating meetings unknowingly to users. They can contact other employees or customers while posing as the company, gaining unauthorized access to confidential information, potentially for financial gain, recruitment, or fraudulent advertising campaigns.”

Akiri said he built a simple program that crawls the web for working Zoom meeting links from different organizations, and so far it has identified thousands of organizations with these perfectly functional zombie Zoom links.
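The following is an added example, written for this page and not Akiri’s crawler or any Zoom code, showing the classification step such a crawl needs: it pulls Zoom join links out of raw page text, separates company vanity subdomains from Zoom’s generic regional hosts, and flags links that carry an embedded pwd passcode or a PMI-style 10-digit meeting ID. The sample page text, the organization name “acme” and the risk tiers are constructed for the example; the 10-digit PMI test and the regional-host pattern are assumptions, not Zoom specifications.

```python
"""Classify Zoom join links found in crawled text (added example, not Zoom's
or the researcher's code). Runs offline on a constructed sample page."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Zoom join links, optionally on a vanity or regional subdomain, with or
# without a query string. The query stops at whitespace, quotes or angle
# brackets so the pattern can be run directly over raw HTML.
ZOOM_JOIN_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)?zoom\.us/j/\d{9,11}(?:\?[^\s\"'<>]*)?",
    re.IGNORECASE,
)

# Assumption: hosts such as us02web.zoom.us are Zoom's generic regional front
# doors; any other label in front of zoom.us is treated as a company-specific
# vanity subdomain, which is what makes these links easy to search for.
GENERIC_SUBDOMAIN_RE = re.compile(r"^[a-z]{2}\d{2}web$", re.IGNORECASE)


@dataclass(frozen=True)
class ZoomLink:
    url: str
    host: str
    vanity_subdomain: Optional[str]  # None for zoom.us or a regional host
    meeting_id: str
    embedded_passcode: bool  # non-empty pwd= present in the query string
    looks_like_pmi: bool  # assumption: PMIs are 10 digits, scheduled IDs 11


def parse_zoom_link(url: str) -> Optional[ZoomLink]:
    """Parse one URL; return None if it is not a Zoom join link."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if not (host == "zoom.us" or host.endswith(".zoom.us")):
        return None
    m = re.fullmatch(r"/j/(\d{9,11})", parsed.path)
    if not m:
        return None
    meeting_id = m.group(1)
    # parse_qs drops blank values, so "pwd=" with nothing after it is not
    # counted as an embedded passcode.
    pwd_values = parse_qs(parsed.query).get("pwd", [])
    sub = host[: -len(".zoom.us")] if host.endswith(".zoom.us") else ""
    vanity = sub if sub and not GENERIC_SUBDOMAIN_RE.match(sub) else None
    return ZoomLink(
        url=url,
        host=host,
        vanity_subdomain=vanity,
        meeting_id=meeting_id,
        embedded_passcode=bool(pwd_values),
        looks_like_pmi=(len(meeting_id) == 10),
    )


def find_zoom_links(text: str) -> List[ZoomLink]:
    """Extract and parse every Zoom join link in a blob of crawled text/HTML."""
    found = []
    for raw in ZOOM_JOIN_RE.findall(text):
        link = parse_zoom_link(raw.rstrip(".,;)"))  # drop trailing prose punctuation
        if link is not None:
            found.append(link)
    return found


def risk(link: ZoomLink) -> str:
    """Constructed risk tiers: a permanent room plus one-click join is worst."""
    if link.embedded_passcode and link.looks_like_pmi:
        return "high"
    if link.embedded_passcode or link.looks_like_pmi:
        return "medium"
    return "low"


def zombie_candidates(links: List[ZoomLink]) -> List[ZoomLink]:
    """Links whose passcode travels in the URL: anyone who finds one can join
    without being challenged for a passcode."""
    return [link for link in links if link.embedded_passcode]


# Constructed sample of crawled page text; the organization and links are invented.
SAMPLE_PAGE = """
<p>Join our weekly call: https://acme.zoom.us/j/5551112222?pwd=abcDEFghiJKL123</p>
<a href="https://us02web.zoom.us/j/98765432109">Town hall (scheduled)</a>
Support room: https://zoom.us/j/5551112222.
Not Zoom: https://example.com/j/5551112222?pwd=nope
Old link: https://acme.zoom.us/j/5551112222?pwd=&uname=guest
"""

if __name__ == "__main__":
    for link in find_zoom_links(SAMPLE_PAGE):
        org = link.vanity_subdomain or "(no vanity subdomain)"
        print(f"{risk(link):6} {org:24} id={link.meeting_id} pwd={link.embedded_passcode} {link.url}")
```

On the sample page the first link is the dangerous pattern from the article (company subdomain, 10-digit ID, passcode in the URL); the scheduled town-hall link is the benign shape; and the last link shows why the empty pwd= case must not be counted as an embedded passcode.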

According to Akiri, here are several tips for using Zoom links more safely:

Don’t Use Personal Meeting ID for Public Meetings: Your Personal Meeting ID (PMI) is the default meeting that launches when you start an ad hoc meeting. Your PMI doesn’t change unless you change it yourself, which makes it very useful if people need a way to reach you. But for public meetings, you should always schedule new meetings with randomly generated meeting IDs. That way, only invited attendees will know how to join your meeting. You can also turn off the use of your PMI for instant meetings in your profile settings.

Require a Passcode to Join: You can take meeting security even further by requiring a passcode to join your meetings. This feature can be applied to both your Personal Meeting ID, so only those with the passcode will be able to reach you, and to newly scheduled meetings. To learn all the ways to add a passcode for your meetings, see this support article.

Only Allow Registered or Domain Verified Users: Zoom can also give you peace of mind by letting you know exactly who will be attending your meeting. When scheduling a meeting, you can require attendees to register with their email, name, and custom questions. You can even customize your registration page with a banner and logo. Zoom also lets you restrict participants to those who are logged into Zoom, and even to Zoom users whose email address uses a certain domain.

Further reading: How to Keep Uninvited Guests Out of Your Zoom Meeting

Update 12:33 p.m.: The list of affected organizations was updated, because several companies listed apparently only exposed links that let anyone connect to existing, always-on meeting rooms — not initiate and completely control a Zoom meeting. The real danger with the zombie links described above is that anyone can find and use them to create new meetings and invite others.