Happy 14th Birthday, KrebsOnSecurity!

KrebsOnSecurity celebrates its 14th year of existence today! I promised myself this post wouldn’t devolve into yet another Cybersecurity Year in Review. Nor do I wish to hold forth about whatever cyber horrors may await us in 2024. But I do want to thank you all for your continued readership, encouragement and support, without which I could not do what I do.

As of this birthday, I’ve officially been an independent investigative journalist for longer than I was a reporter for The Washington Post (1995-2009). Of course, not if you count the many years I worked as a paperboy schlepping The Washington Post to dozens of homes in Springfield, Va. (as a young teen, I inherited a largish paper route handed down from my elder siblings).

True story: At the time I was hired as a lowly copy aide by The Washington Post, all new hires — everyone from the mailroom and janitors on up to the executives — were invited to a formal dinner in the Executive Suite with the publisher Don Graham. On the evening of my new hires dinner, I was feeling underdressed, undershowered and out of place. After wolfing down some food, I tried to slink away to the elevator with another copy aide, but was pulled aside by the guy who hired me. “Hey Brian, not so fast! Come over and meet Don!”

I was 23 years old, and I had no clue what to say except to tell him that paper route story, and that I’d already been working for him for half my life. Mr. Graham laughed and told me that was the best thing he’d heard all day. Which of course made my week, and made me feel more at ease among the suits.

I remain grateful to WaPo for instilling many skills, such as how to distill technobabble into plain English for a general audience. And how to make people the focus of highly technical stories. Because people — and their eternal struggles — are eminently relatable, regardless of whether one has a full grasp of the technical details.

Words fail me when trying to describe how grateful I am that this whole independent reporter thing still works, financially and otherwise. I mostly just keep my head down researching stuff and sharing what I find, and somehow loads of people keep coming back to the site. As I like to say, I hope they let me keep doing this, because I’m certainly unqualified to do much else!

Another milestone of sorts: We’ve now amassed more than 52,000 subscribers to our email newsletter, which is a fancy term for a plain text email that goes out immediately whenever a new story is published here. Subscribing is free, we never share anyone’s email address, and we don’t send emails other than new story notifications (2-3 per week).

A friendly reminder that while you may see ads (or spaces where ads otherwise would be) at the top of this website, all two-dozen or so ad creatives we run are vetted by me and served in-house. Nor does this website host any third-party content. If you regularly browse the web with an ad blocker turned on, please consider adding an exception for KrebsOnSecurity.com. Our advertising partners are how we keep the lights on over here.

And in case you missed any of them, here are some of the most-read stories published by KrebsOnSecurity in 2023. Happy 2024 everyone!

Ten Years Later, New Clues in the Target Breach
It’s Still Easy for Anyone to Become You at Experian
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
Why is .US Being Used to Phish So Many of US?
Few Fortune 100 Firms List Security Pros in Their Executive Ranks
Who’s Behind the Domain Networks Snail Mail Scam?
Phishing Domains Tanked After Meta Sued Freenom
Many Public Salesforce Sites are Leaking Private Data
Hackers Claim They Breached T-Mobile More Than 100 Times in 2022
Identity Thieves Bypassed Experian Security to View Credit Reports

The Best, The Worst and The Ugliest in Cybersecurity | 2023 Edition

As we get ready to wave goodbye to 2023, this week’s The Good, Bad and the Ugly takes the opportunity to rewind and revisit the best, the worst, and the ugliest cybersecurity news from the past 12 months.

The Best

Of all The Good things we reported on in cybersecurity this year, there can be no doubt that the most needful was a joined-up, coordinated approach to cyber led from the top, and the Biden-Harris administration’s National Cybersecurity Strategy went a long way toward that end. The strategy is a comprehensive approach to defend critical infrastructure, disrupt threat actors, promote data privacy and security, invest in cyber resilience, and establish international partnerships to combat cyber threats.

It’s a response to the increase in cyber attacks on various sectors in the U.S. and has already led to some useful initiatives, including the Counter Ransomware Initiative. We hope and expect to see more in 2024.

We reported on plenty of criminals being brought to justice during 2023, including the arrest of core members of the prolific ransomware gang, DoppelPaymer, in a joint operation conducted by Europol, the FBI, and the Dutch police in Germany and Ukraine.

Joseph James O’Connor was another significant capture of the year. Known as PlugWalkJoe, O’Connor was sentenced to five years in prison for various cybercrimes, including his role in the 2020 Twitter Hack, in which he and his associates used SIM swaps along with social engineering tactics to gain access to Twitter’s back-end tools and transfer control of high-profile accounts to various unauthorized users.

Joseph James O’Connor | Source: Reuters

While some accounts were hijacked by the actors themselves, O’Connor sold the access rights of several well-known accounts to third parties. O’Connor was also charged with stealing cryptocurrency, money laundering, cyberstalking, and unauthorized access to TikTok and Snapchat.

Of course, AI has been one of the big themes of 2023. Again, the government, in collaboration with tech companies like OpenAI and Anthropic, has taken a leading role. The “AI Cyber Challenge” (AIxCC), led by the Defense Advanced Research Projects Agency (DARPA), offers up to $20 million in prizes for entries that use artificial intelligence to protect critical U.S. infrastructure from cybersecurity threats.

Leveraging AI to enhance cybersecurity is, of course, the core DNA of SentinelOne. In 2023, we announced Purple AI, a game-changing generative AI dedicated to threat-hunting, analysis and response that empowers security teams to identify and respond to attacks faster and easier using natural language conversational prompts and responses.

Singularity Purple AI

The Worst

Picking out the worst of The Bad things that happened in cybersecurity in 2023 is a challenging task, given just how many attacks, compromises, breaches and in-the-wild (ITW) vulnerabilities we reported on this year, but among the standout stories of concern was Winter Vivern APT’s exploitation of a zero-day vulnerability (CVE-2023-5631) in Roundcube’s webmail software, used to steal email data from European governments and think tanks.

Casinos MGM and Caesars were among some of the big name victims of the year’s record number of ransomware attacks.

2023 saw a 95% year-on-year increase in extortion attacks as threat actors continue to leverage social engineering, weak or misconfigured cloud assets, and old vulnerabilities to lock files and steal data.

A feature of 2023 ransomware has been a new focus on compromising ESXi hypervisors through a slew of variants built out of the leaked Babuk (Babyk) code. A wave of ESXiArgs attacks targeting ESXi servers was reported early in the year, encrypting extensive amounts of data across servers in the US, Canada, and Central Europe.

ESXi ransomware .rodata segment references to file extensions (left) and Babuk source code equivalent

A report by SentinelLabs in May detailed how numerous threat actors were hopping on the easy availability of source code for Linux ransomware to target vulnerable ESXi servers.

The Ugliest

What have 3CX, JumpCloud and macOS users involved with cryptocurrency got in common? You guessed it: North Korea. From supply chain attacks to espionage and financially-motivated cybercrime, DPRK-aligned threat actors have been keeping us busy and many victims awake at night throughout 2023.

The SmoothOperator campaign disclosed in early 2023 was a supply chain attack targeting both macOS and Windows users, exfiltrating victim data over HTTPS using a custom data encoding algorithm. The macOS version of the trojanized 3CX application was delivered via a maliciously crafted version of libffmpeg.dylib contained within the application bundle’s Electron Framework folder.

../3CX Desktop App.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib

Although the full extent of the attack remains unclear, reports at the time suggested that over 240,000 IP addresses were using the trojanized 3CX Phone System Management Console.

Breaches of government networks are always among the ugliest of the Ugly, and several concerning attacks were recorded throughout 2023. In December, a high-severity vulnerability, tracked as CVE-2023-26360, found in Adobe’s ColdFusion was used to gain initial access into U.S. government servers.

CISA highlighted two incidents in which CVE-2023-26360 was used to compromise federal agency systems. Both instances involved outdated server software vulnerable to various CVEs, with threat actors leveraging the vulnerability to deploy malware through HTTP POST commands to the ColdFusion-associated directory path. It seems the government still has plenty of work to do to implement its own cybersecurity best practices.
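The delivery pattern described above (HTTP POST requests landing on ColdFusion-associated paths) is something a defender can hunt for in ordinary web-server access logs. The script below is an added example written for this page, not code from CISA or SentinelOne: it parses combined-format access-log lines, normalizes the request path (percent-decoding, query string stripped, case folded) and flags POSTs whose path starts with a ColdFusion-associated prefix. The prefix list, the sample log lines and the IP addresses are constructed assumptions; `/CFIDE/` is ColdFusion's well-known administrator/script directory, the rest you would tune to your own deployment.

```python
"""Flag HTTP POST requests to ColdFusion-associated paths in access logs.

Added example for this page (not CISA's or SentinelOne's code). Path prefixes
and sample log lines below are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed ColdFusion-associated prefixes (lower-case; compared after normalization).
# /CFIDE/ is ColdFusion's administrator/script directory; extend for your install.
CF_PATH_PREFIXES = ("/cfide/", "/cf_scripts/")


@dataclass(frozen=True)
class Hit:
    ip: str
    time: str
    path: str
    status: int


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(path: str) -> str:
    """Drop the query string, percent-decode and lower-case so prefix checks are not evaded by encoding."""
    return unquote(path.split("?", 1)[0]).lower()


def is_coldfusion_admin_path(path: str) -> bool:
    return normalize_path(path).startswith(CF_PATH_PREFIXES)


def find_suspicious_posts(lines):
    """Return Hits for every POST whose normalized path is under a ColdFusion-associated prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # unparseable lines are skipped, not treated as hits
            continue
        if rec["method"] == "POST" and is_coldfusion_admin_path(rec["path"]):
            hits.append(Hit(rec["ip"], rec["time"], rec["path"], rec["status"]))
    return hits


def hits_by_source(hits):
    """Count hits per source IP; a single source repeatedly POSTing to admin paths stands out."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2023:08:15:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Dec/2023:08:16:41 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 734',
    '203.0.113.5 - - [10/Dec/2023:08:16:55 +0000] "POST /cfide/%75pload.cfm?x=1 HTTP/1.1" 200 120',
    '198.51.100.7 - - [10/Dec/2023:08:17:10 +0000] "POST /login.cfm HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = find_suspicious_posts(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.ip} POST {h.path} -> {h.status}")
    print(hits_by_source(found))
```

Run against the constructed sample it reports the two POSTs from 203.0.113.5 (the percent-encoded one included) and ignores the ordinary login POST, which is the signal the CISA description points at: not POSTs in general, but POSTs to the ColdFusion directory path from a source that has no business administering the server.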

Finally, it’s been a tough year across OSes in terms of in-the-wild exploitation of vulnerabilities, but it appears to have been a record year for Apple’s increasingly troubled iOS platform, with 19 zero days reported as being abused by threat actors in 2023. The phrase “Apple is aware of a report that this issue may have been exploited…” may have never been more oft-seen by Apple users than this year.

Google HQ, aka “GooglePlex”, sits 7 miles from Apple Campus and staff there also appear to have had their hands full patching security bugs throughout 2023. Among the more severe bugs patched this year were:

  • CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library
  • CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
  • CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in vp8 encoding in libvpx

However, the WebP vulnerability likely had the largest impact on users, as the flawed library is used across Apple, Google, Microsoft, Mozilla and other non-browser products. The bug in the widely used image encoding and compression library was first reported by Citizen Lab to Apple as part of an in-the-wild attack.

Github commit in libwebp related to CVE-2023-4863

Microsoft, meanwhile, has continued to patch up its regularly exploited backlog of vulnerabilities, while at times ignoring newly-discovered security issues. In June, the company said that a bypass found by researchers that can allow malware to be delivered to any Teams account from external accounts did not ‘meet the bar for immediate servicing’. The response came as a surprise as researchers showed that all MS Teams accounts running in the default configuration were susceptible to their PoC attack.

Conclusion

So much for the highlights and low spots of 2023: You can find more on all these stories as well as all the others we reported on this year right here.

Our regular weekly roundups will return next Friday; in the meantime, let us wish you a happy and secure New Year 2024 from all of us here at SentinelOne!

12 Months of Fighting Cybercrime & Defending Enterprises | SentinelLabs 2023 Review

The last twelve months have been unprecedented in cybersecurity. Multiple state-sponsored hacktivist groups marched to the forefront of concerns as 2023 saw the Russian invasion of Ukraine continue into its second year and a new cyber battlefront open up due to the kinetic war between Israel and Hamas.

Meanwhile, despite new government initiatives and international cooperation to combat cybercrime, ransomware continues to be a top challenge for enterprises, in an environment where cloud assets represent new targets and LLMs offer both defenders and attackers new tools and new opportunities. Throughout the year, SentinelLabs has been tracking, identifying and disclosing information on these and other issues to help organizations and defenders stay ahead of the threats to their business operations.

All our research and threat intelligence posts can be found on the SentinelLabs home page, but for a quick recap of the year’s main cybersecurity events, take a scroll through the 2023 timeline below.

January

In January, we reported on pro-Russia hacktivist group NoName057(16), describing its attacks on Ukraine and NATO organizations as well as its targeting of the 2023 Czech presidential election. We identified a volunteer-fueled DDoS program operating over public Telegram channels and described in detail their DDosia malware. We also revealed how the group, previously reported on for targeting both the Polish government and the Danish financial sector, abused GitHub to host its toolkit and offered payments to its most impactful contributors.

In January 2023, we also reported on DragonSpark, a cluster of opportunistic attacks against organizations in East Asia. The threat actors used Golang malware that implemented an uncommon technique to hinder static analysis and evade detection: Golang source code interpretation.

February

SentinelLabs observed the first ELF variant of Clop ransomware and reported on its flawed encryption method, allowing us to develop and publish a decryptor for the malware.

In February, we also exposed a cluster of virtualized .NET malware loaders being distributed through malvertising attacks. Dubbed MalVirt, the loaders were seen distributing the Formbook family of malware and disguising C2 traffic by beaconing to random decoy servers hosted on providers such as Azure and Namecheap.

In other research published this month, SentinelLabs in collaboration with QGroup GmbH identified a new threat cluster tracked as WIP26 engaging in targeted espionage activities against telecommunications businesses. WIP26 also relies heavily on public cloud infrastructure to disguise malicious traffic, abusing Microsoft 365 Mail and Google Firebase services for C2 purposes.

March

Telcos were also the targets of Operation Tainted Love, this time in the Middle East. Believed to be an operation conducted by Chinese cyberespionage actors, we disclosed how the campaign was an evolution of Operation Soft Cell. The initial attack phase involved infiltrating Internet-facing Microsoft Exchange servers to deploy webshells for command execution. Once a foothold had been established, the attackers deployed custom credential theft malware.

Also in March we reported on the evolution of AlienFox, a comprehensive, modular toolset for credentials harvesting against multiple cloud service providers.

April

Transparent Tribe (aka APT36) is a suspected Pakistan-based threat group active since at least 2013. In April, SentinelLabs observed this long-running threat actor expand its interest into the Indian education sector through a cluster of malicious documents staging Crimson RAT. Previously focused on Indian military and government personnel, the threat actor was observed distributing malicious education-themed content hosted on known APT36 infrastructure. The malicious documents stage Crimson RAT using Microsoft Office macros or OLE embedding.

In addition, some Crimson RAT variants were identified using cracked versions of the commercial obfuscation tool Eazfuscator to obfuscate code. This represents a change in tactics from earlier versions, which relied on the Crypto Obfuscator tool for such functionality.

May

The leak of Babuk source code back in 2021 has led to multiple ransomware variants and contributed to a widely expanded crimeware ecosystem. In May 2023, SentinelLabs revealed how this same source code was behind 10 different ransomware families targeting VMware ESXi, potentially enabling new threat actors who might otherwise lack the technical skills to target Linux systems. Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these hypervisors are valuable targets for ransomware.

In May, the SentinelLabs team also disclosed Operation Magalenha, a long running campaign by a Brazilian threat actor targeting Portuguese financial institutions for credentials and PII theft.

June

Across May and June, SentinelLabs released reports on DPRK-aligned threat actor Kimsuky. In collaboration with NK News, we disclosed a targeted social engineering campaign against experts in North Korean affairs from the NGO sector. The campaign focused on theft of email credentials, delivery of reconnaissance malware, and theft of NK News subscription credentials.

A hallmark of the activity was establishing initial contact and developing a rapport with targets, via impersonation of industry figures, before initiating malicious activity, a tactic also seen in DPRK-aligned cybercrime activity aimed at cryptocurrency exchanges.

If the target engages in the conversation, Kimsuky uses the opportunity to deliver a spoofed URL to a Google document, which redirects to a malicious website specifically crafted to capture Google credentials. Kimsuky has also been seen delivering weaponized Office documents that execute the ReconShark malware.

July

Cloud security came to the fore in July through both crimeware and APT intrusions. We reported on a cloud credentials stealing campaign that had expanded from targeting AWS cloud instances to include both Azure and Google Cloud. Primarily seeking out exposed Docker instances, crimeware actors looked to deploy a worm-like propagation module via script-based and UPX-packed Golang-based ELF binaries.

Elsewhere, an intrusion at cloud-based IT management service company JumpCloud turned out to have infrastructure connections to DPRK-aligned threat activity, SentinelLabs reported. The intrusion bore links to the earlier 3CX SmoothOperator campaign we reported on in March.

August

North Korean-aligned threat actors were having a busy year throughout 2023, but not all their targets were in the west. In August, we identified intrusions into the Russian missile engineering organization NPO Mashinostroyeniya, a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use or under development for the Russian military.

Our investigation uncovered an email trove leaked from the victim organization that revealed two separate sets of activity. We were able to establish a connection between each cluster of activity and reveal that a more significant network intrusion had occurred than the victim organization realized.

Chinese adversaries also came to our attention this month after we identified malware and infrastructure directed at the Southeast Asia gambling sector. We observed indicators that pointed to the China-aligned BRONZE STARLIGHT group: a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as a means of distraction or misattribution. However, exact attribution remains unclear due to the complex interconnections between various Chinese APT groups.

September

Transparent Tribe came to our attention for a second time in 2023 via distribution of its CapraRAT malware in a novel YouTube-like Android application we dubbed CapraTube. We identified three Android application packages mimicking the appearance of YouTube but which also requested spyware-like permissions.

In September, SentinelLabs also hosted its second LABScon event, featuring talks from leaders across the cybersecurity industry. Among the keynotes was Tom Hegel’s presentation on how China uses strategic intrusions in under-monitored regions such as Africa to further and strengthen its regional goals.

SentinelLabs’ Aleksandar Milenkoski, in collaboration with QGroup, reported on yet another adversary targeting telcos. Dubbed Sandman, the previously unreported threat actor has targeted organizations across the Middle East, Western Europe and the South Asian subcontinent with a novel modular backdoor that utilized the LuaJIT platform.

October

The shocking events in Israel in October 2023 and their aftermath may yet come to define much of the headlines to come in 2024, but in terms of cyber activity there is still a lack of clarity as different hacktivist groups pursue various goals in support of one side or another.

Our initial reporting on state-sponsored activity emerging from events on the ground aimed to highlight adversaries-of-interest to the cybersecurity community at large in an effort to better coordinate reporting and help to understand the threat model facing organizations.

November

Continuing on from October’s activity, we reported on Arid Viper’s SpyC23 malware and the group’s espionage campaign targeting Android devices.

This long-running campaign through 2022 and 2023 involves weaponized apps posing as the Telegram messaging app or a romance-themed messaging app called ‘Skipped Messenger’. Our report highlighted how Arid Viper had developed several newer SpyC23 versions delivered via social engineering. The spyware, once installed, gained a high degree of control over the victim’s device, including being able to make calls without user interaction, capture microphone and audio input, and collect sensitive data, including the phone’s contacts list.

Of course, 2023 has also been the breakout year for AI, and threat actors have not been slow to jump on the bandwagon either. In November, we reported on Predator AI, a new Python-based infostealer and hacktool designed to target cloud services. Advertised through Telegram channels related to hacking, the main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES.

December

We rounded out the year with two reports on earlier themes. In joint research between SentinelLabs, PwC and MS Threat Intelligence, we published further intelligence on the Sandman APT we reported at September’s LABScon, noting that Sandman and STORM-0866/Red Dev 40 share infrastructure control and management practices. Importantly, we described commonalities between two distinct malware strains: the LuaDream malware and the KEYPLUG backdoor.

In our final report of the year, we turned to activity attributed to Gaza Cybergang, a long-running cluster of Hamas-aligned threat activity known since 2012. Tracking activity spanning from late 2022 until late 2023, we observed that the group introduced a new backdoor to their malware arsenal, Pierogi++, used in targeting primarily Palestinian entities.

These activities are likely aligned with the tensions between the Hamas and Fatah factions, whose reconciliation attempts had been stagnating before and after the outbreak of the Israel–Hamas war. We describe the development of Pierogi++ and highlight overlaps in targeting that suggest the Gaza Cybergang sub-groups have likely been consolidating.

Conclusion

This year as last, SentinelLabs has continued its mission to keep defenders abreast of the latest developments and trends across crimeware, APT and other cyber threat activity. Aside from the research highlighted here, there’s more to be found across our From the Front Lines series of posts and our published and forthcoming videos of talks from LABScon 2023.

You can also meet the SentinelLabs team in our quarterly threat briefings.

We’ll be back in 2024 with more security research and threat intelligence reporting. In the meantime, we wish all a happy, secure and peaceful New Year and 2024.


The Good, the Bad and the Ugly in Cybersecurity – Week 51

The Good | Latest Global Crackdown Hailed a Success With 3500 Cybercriminals Arrested and $300 Million Funds Seized

3,500 suspected cybercriminals of all levels found themselves nabbed this week by a major international law enforcement initiative dubbed Operation HAECHI IV. The arrests were accompanied by the confiscation of a staggering $300 million in illegal gains. The half-year long operation, spearheaded by South Korean authorities, saw collaboration with agencies from 34 nations, including major players such as the United States, the United Kingdom, Japan, and India.

This expansive operation unfolded between July and December 2023, with a primary focus on combating threat actors engaged in a spectrum of cybercrimes that included e-commerce and investment fraud, business email compromise (BEC), voice phishing, online sextortion, and illicit online gambling. Additionally, Interpol identified and froze a substantial 82,112 bank accounts across 34 countries linked to various cybercrimes and fraudulent activities.

The operation revealed two key threat trends that continue to gain traction in the current cybercrime world. The first focuses on digital investment frauds and NFT investment platforms that operate briefly before a final “rug pull”, where the scammers abscond with all invested funds and erase all traces of their existence. The second adds to existing concerns about the use of artificial intelligence (AI) by threat actors. HAECHI found that the fraudsters leveraged AI and deepfake tools to mimic real individuals’ voices to further their impersonation scams.

Interpol has emphasized the gravity of the $300 million seizure, describing it as a clear driving force behind the rising nature of transnational organized crime. Global involvement in major operations like HAECHI continues to underscore the need for disrupting the underground financial infrastructures that fund and support hierarchies of cyber threat actors and groups.

The Bad | Chameleon Banking Trojan Gets a Feature Upgrade Allowing Hackers to Steal Android Device PINs

Android users were put on high alert this week with news of a novel version of Chameleon banking trojan enabling hackers to steal device PINs. Security researchers reporting on the latest iteration noted that targets have spread to include users in the UK and Italy.

Analysis of the resurgence indicates that Chameleon is now distributed through an off-the-shelf Dropper-as-a-Service (DaaS) called Zombinder, allowing the trojan to masquerade as the Google Chrome web browser. Zombinder attaches malware to legitimate Android apps, so victims unknowingly use the intended app while the malicious code runs in the background.

Source: ThreatFabric

The latest Chameleon variant introduces two notable features. Firstly, it displays an HTML page on devices running Android 13 and later, prompting victims to grant permission for the app to use the Accessibility service. By detecting Android 13 or 14, the malware bypasses the “Restricted Setting” security feature, enabling it to guide users through a manual process to activate Accessibility and overcome system protections. Secondly, Chameleon disrupts biometric operations like fingerprint and face unlock, forcing a fallback to PIN or password authentication using the Accessibility service. The trojan captures entered PINs and passwords, allowing it to unlock the device at will for malicious activities concealed from the user.

These feature enhancements speak to the adaptability of the new Chameleon variant, positioning it as a more potent threat in the mobile banking landscape. To mitigate the threat, users are advised to avoid downloading Android package files (APKs) from unofficial sources, as this is the primary distribution method for the Zombinder service. Users should also ensure that Play Protect is enabled and conduct regular device scans for malware and adware.

The Ugly | Millions Impacted In Data Breach of Major Electronic Health Record Software Company

ESO Solutions informed their customers this week of a ransomware attack on their systems, which compromised the personal data of 2.7 million patients. The company is a major supplier of electronic health record (EHR) products for various healthcare organizations and fire departments across the U.S. As of this writing, no ransomware group has claimed responsibility for the ESO attack.

According to their notice, the initial attack occurred in late September and involved data exfiltration before the attackers encrypted several company systems. This tactic points to double extortion, where victims are threatened in a two-pronged approach: first, the victim is pressured to pay a ransom to decrypt their files, and then they face the risk of having the stolen files and data leaked or sold online. This strategy amplifies the impact of ransomware attacks, putting the victim in a very dangerous dilemma: paying the ransom funds the attackers’ future campaigns, and refusing to pay means losing control of sensitive information.

In the attack on ESO, the attackers were able to access a machine containing sensitive personal data of several ESO clients, including full names, dates of birth, phone numbers, patient account/medical record numbers, injury type and date, diagnosis information, treatment type and date, procedure details, and Social Security Numbers (SSNs).

ESO Solutions has confirmed that other than notifying the FBI and state authorities, they took affected systems offline immediately and successfully restored operations through viable backups. The company also clarified that currently, no evidence has been found that the compromised data has been misused. To mitigate the short and long-term risks post-breach, ESO has offered 12 months of identity monitoring service coverage to affected individuals.

Transforming Security and Log Analytics | Welcome to Singularity Data Lake

It’s an undeniable fact: organizations today are swamped with a massive volume of data spanning users, devices, and networks. This increase in data volume is driven by accelerating digital transformation and by the point security tooling organizations add to stay ahead of adversaries.

Security is a big data problem. This data, while invaluable for proactive threat mitigation, often proves to be a challenge to collect, normalize, and analyze, especially when scattered across siloed tools and systems.

Legacy data solutions lack flexibility, scalability, and are cost prohibitive, preventing organizations from achieving the required level of security management. As the cybersecurity landscape continues to evolve, a robust, scalable, and cost-effective data solution becomes a necessity.

It is reported that 60% of all SIEM and Data Lake projects fail. One of the primary reasons is the sheer complexity of ingesting and normalizing different data sources into a single place. Many organizations have to create dedicated teams of IT and Security engineers to spend days grappling with data ingestion or managing parsers. In essence, teams are spending more time configuring prerequisites than focusing on security operations.

The Future of Enterprise Security Data and Analytics

That’s where SentinelOne can help with Singularity Data Lake. This solution empowers businesses to centralize and transform data into actionable intelligence for real-time investigation and response with our AI-powered, unified Data Lake. Singularity Data Lake is a cost-effective, high-performance security and log analytics platform converging SIEM, XDR, and Log Analytics into one solution.

Ingesting third-party data is simple with Singularity Marketplace, an ecosystem of data connectors to integrate with industry-leading solution providers. Empower teams to quickly collect and normalize all types of data, with one-click installation, into the Open Cybersecurity Schema Framework (OCSF) for a broad view of security and data analytics.

By leveraging the standards-driven OCSF-ready connectors from Marketplace, Singularity Data Lake simplifies cybersecurity and IT operations by eliminating the need for teams to manage parsers and handle data normalization. This simplified data ingestion promotes cost efficiency and scalability, translating into significant cybersecurity cost savings.

Singularity Data Lake offers advanced threat detection, investigation, incident response, and contextualized threat intelligence. This empowers security professionals with the tools necessary to stay ahead of potential breaches, ensuring swift and effective blocking, removal, and mitigation of threats.

As compliance needs evolve, organizations that select Singularity Data Lake for their security and log analytics can pick from a variety of short-range retention periods, including up to 360 days. Thanks to its high-scale, cloud-native data lake architecture combined with a massively parallel query engine, Singularity Data Lake ensures data is always readily available in hot storage, for both short and long-range retention and querying.

For organizations looking to prolong data storage, teams can opt for long-range retention and long-range queries spanning one to five years. Unlike traditional solutions on the market which involve storing long-term data in slow cold storage, Singularity Data Lake’s high-performance search and availability allow for instant access at any time.

What’s more, it’s not just about data centralization. SentinelOne’s multi-tenancy and role-based access controls allow organizations to efficiently partition data and delegate responsibilities. Organizations can also gain unique insights from customizable dashboards, transforming raw data into actionable insights, tailored to specific needs.

In a nutshell, Singularity Data Lake empowers organizations to navigate the ever-evolving threat landscape confidently. By making data easier to centralize, transform, and retain, security teams can gain faster detection, advanced analysis, and enhanced investigation capabilities. Singularity Data Lake is a comprehensive security and log analytics platform that improves security outcomes and keeps organizations secure in today’s digital landscape.

AI-Powered Security Platform

Singularity Data Lake powers the Singularity Platform, the first AI security platform to provide enterprise-wide visibility and protection, bringing all enterprise data together in a unified data lake to reduce risk and help protect businesses. Customers whose subscription includes the Singularity Platform (Singularity Complete, Singularity Commercial, and Singularity Enterprise) already have access to Singularity Data Lake with up to 10GB per day of third-party data ingestion, not including native security data from SentinelOne, at no additional cost. Customers can increase this ingestion volume and add long-range retention and queries of up to five years.

Enhanced Standalone Singularity Data Lake

We often hear from organizations that the top pain points for traditional SIEM solutions are cost and performance. As data growth outpaces budgets, security and IT teams are leaving important data behind and prioritizing intake only on what they can afford. This can lead to gaps in investigation, triage, hunting, response effort, and compliance issues. When attacks happen, security teams often need to go back much further than the last 14 or 30 days.

To help organizations move away from a costly and slow traditional SIEM solution and accommodate compliance needs, Singularity Data Lake is also available as a standalone product, serving as a robust, high-performance security and log analytics solution. The same short and long-range retention and long-range query options are also available.

With our innovative Singularity Data Lake, we’re empowering security teams with SIEM and XDR capabilities beyond their existing legacy SIEM solutions. The standalone offering of Singularity Data Lake provides the following capabilities:

  • Centralize all data into a unified data lake for streamlined analysis.
  • Search effortlessly across all ingested data to find crucial insights quickly.
  • Access the Singularity Marketplace seamlessly, equipped with dozens of OCSF-ready data connectors that ensure automatic normalization of security data.
  • Manage access to multiple organizations with multi-tenancy and Role-Based Access Control (RBAC) capabilities to efficiently partition data and responsibilities.
  • Customize dashboards for better visualization, transforming ingested data into actionable insights.
  • Utilize PowerQuery to craft precise detections that enhance cybersecurity posture.

Learn More

To learn how to transform security and log analytics, meet our team for a demo. For existing SentinelOne customers, please contact your SentinelOne account team to discuss how to further leverage the Singularity Data Lake.

BlackCat Ransomware Raises Ante After FBI Disruption

The U.S. Federal Bureau of Investigation (FBI) disclosed today that it infiltrated the world’s second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it seized the gang’s darknet website, and released a decryption tool that hundreds of victim companies can use to recover systems. Meanwhile, BlackCat responded by briefly “unseizing” its darknet site with a message promising 90 percent commissions for affiliates who continue to work with the crime group, and open season on everything from hospitals to nuclear power plants.

A slightly modified version of the FBI seizure notice on the BlackCat darknet site (Santa caps added).

Whispers of a possible law enforcement action against BlackCat came in the first week of December, after the ransomware group’s darknet site went offline and remained unavailable for roughly five days. BlackCat eventually managed to bring its site back online, blaming the outage on equipment malfunctions.

But earlier today, the BlackCat website was replaced with an FBI seizure notice, while federal prosecutors in Florida released a search warrant explaining how FBI agents were able to gain access to and disrupt the group’s operations.

A statement on the operation from the U.S. Department of Justice says the FBI developed a decryption tool that allowed agency field offices and partners globally to offer more than 500 affected victims the ability to restore their systems.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Deputy Attorney General Lisa O. Monaco said. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

The DOJ reports that since BlackCat’s formation roughly 18 months ago, the crime group has targeted the computer networks of more than 1,000 victim organizations. BlackCat attacks usually involve encryption and theft of data; if victims refuse to pay a ransom, the attackers typically publish the stolen data on a BlackCat-linked darknet site.

BlackCat formed by recruiting operators from several competing or disbanded ransomware organizations — including REvil, BlackMatter and DarkSide. The latter group was responsible for the Colonial Pipeline attack in May 2021 that caused nationwide fuel shortages and price spikes.

Like many other ransomware operations, BlackCat operates under the “ransomware-as-a-service” model, where teams of developers maintain and update the ransomware code, as well as all of its supporting infrastructure. Affiliates are incentivized to attack high-value targets because they generally reap 60-80 percent of any payouts, with the remainder going to the crooks running the ransomware operation.

BlackCat was able to briefly regain control over their darknet server today. Not long after the FBI’s seizure notice went live the homepage was “unseized” and retrofitted with a statement about the incident from the ransomware group’s perspective.

The message that was briefly on the homepage of the BlackCat ransomware group this morning. Image: @GossiTheDog.

BlackCat claimed that the FBI’s operation only touched a portion of its operations, and that as a result of the FBI’s actions an additional 3,000 victims will no longer have the option of receiving decryption keys. The group also said it was formally removing any restrictions or discouragement against targeting hospitals or other critical infrastructure.

“Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS [a common restriction against attacking organizations in Russia or the Commonwealth of Independent States]. You can now block hospitals, nuclear power plants, anything, anywhere.”

The crime group also said it was setting affiliate commissions at 90 percent, presumably to attract interest from potential affiliates who might otherwise be spooked by the FBI’s recent infiltration. BlackCat also promised that all “advertisers” under this new scheme would manage their affiliate accounts from data centers that are completely isolated from each other.

BlackCat’s darknet site currently displays the FBI seizure notice. But as BleepingComputer founder Lawrence Abrams explained on Mastodon, both the FBI and BlackCat have the private keys associated with the Tor hidden service URL for BlackCat’s victim shaming and data leak site.

“Whoever is the latest to publish the hidden service on Tor (in this case the BlackCat data leak site), will resume control over the URL,” Abrams said. “Expect to see this type of back and forth over the next couple of days.”
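The reason possession of the private key decides who controls the address: a v3 onion address is derived from the service's ed25519 public key (base32 of key, checksum and version byte, per Tor's rend-spec-v3 layout), so anyone holding the matching private key can publish a descriptor for exactly that name. The following is an added example, not code from the article, using a constructed 32-byte key rather than any real service key:

```python
import base64
import hashlib

ONION_VERSION = b"\x03"  # v3 hidden-service address format


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """Derive a v3 .onion address from a 32-byte ed25519 public key.

    Layout from Tor's rend-spec-v3:
      onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
      CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    The 35 input bytes encode to exactly 56 base32 characters.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]
    raw = pubkey + checksum + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_address(address: str) -> bytes:
    """Validate a v3 .onion address and return the public key embedded in it.

    Raises ValueError for the wrong length, version byte or checksum, which is
    the check a resolver does before trusting a descriptor for this name.
    """
    name = address.lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("v3 onion addresses are 56 base32 characters")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("not a v3 onion address")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return pubkey


if __name__ == "__main__":
    # Constructed key material for illustration only (not a valid curve point check,
    # which the address format does not require).
    sample_pubkey = bytes(range(32))
    addr = onion_address_from_pubkey(sample_pubkey)
    print(addr)
    assert pubkey_from_onion_address(addr) == sample_pubkey
```

Because the name is a pure function of the key, two parties holding the same key derive the same address; the network simply serves whichever descriptor for that key was published most recently.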

The DOJ says anyone with information about BlackCat affiliates or their activities may be eligible for up to a $10 million reward through the State Department’s “Rewards for Justice” program, which accepts submissions through a Tor-based tip line (visiting the site is only possible using the Tor browser).

Further reading: CISA StopRansomware Alert on the tools, techniques and procedures used by ALPHV/BlackCat.

December 2023 Cybercrime Update | Extortion Trends, Identity-Focused Attacks & Counter-Operations

In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. Several high profile threat operators have continued to briefly disappear only to re-emerge, lending to a more dynamic ransomware landscape. Highlighting the risks seen in the identity attack surface, we also continue to see the fallout from this season’s onslaught of attacks against Identity Access Management (IAM) platforms, specifically. Finally, this post discusses new cyber initiatives and counter-operations from the federal government to support global collaboration across the cyber threat environment and recent law enforcement wins.

Emerging Pressure Tactics In Ransomware Schemes

In the latest ransomware and extortion operations, financially motivated actors are leveraging new ways to pressure their victims into complying with their demands. Groups like ALPHV, for example, are now openly threatening to report victims to the SEC for violating public disclosure rules over breaches the attackers themselves committed. We have also observed groups like Rhysida threatening to expose illicit and incriminating data discovered during exfiltration of the victim's data.

Recent developments in legal frameworks, including the SEC’s updated rules for cybersecurity incident reporting, GDPR, and existing data protection laws, are being manipulated to increase pressure on organizations that are already at risk. Cybercriminals are using these regulations to heighten victims’ fears of legal repercussions and damage to their reputation, thereby forcing them into paying ransoms.

This trend highlights the urgency for organizations to bolster their cybersecurity measures, adhere to regulatory standards, and stay prepared for the ever-changing landscape of cyber threats. With cybercriminals constantly seeking innovative methods to exploit businesses, it is important for cyberdefense teams to maintain vigilance and adaptability in their approaches to counter these advancing threats.

A previous blog post we published discusses the increasing “leveling up” of pressure tactics coupled with troubling victimology, painting a potentially problematic picture of how attacks are likely to play out in the near future. Companies dealing with this multi-pronged extortion onslaught include the likes of Toyota, Delta Dental, Fred Hutch Cancer Center, Kraft Foods, Idaho National Lab and more. There is more potential damage being done now in the big-game ransomware operation attacks and the frequency of these attacks deserves much consideration.

Multi-looting is among the tactics used in these more extensive extortion operations. One example of this emerging behavior played out between ALPHV and medical product manufacturer Henry Schein: according to reports, this victim experienced multiple encryptions during recovery and negotiation.

On Again, Off Again | Fluctuations In Ransomware Groups

For a brief moment, it was believed that ALPHV/BlackCat operations had been disrupted by law enforcement. The group’s TOR-based sites were down for a short time in mid-December, shortly after an alleged law enforcement takedown.

Within a similar timeframe, NoEscape also appeared to have closed up shop whilst holding onto millions of dollars in funds due to their affiliates. This is known as an exit scam, and the primary operators of NoEscape appear to have ceased communicating with both their partners and affiliates. There are a number of arbitration complaints against the operators on various major crimeware forums. These same forums and dark markets appear to have banned the operators from further activity in those forums.

Forum complaints against NoEscape

Adding to the already foggy situation, LockBit ransomware operations are reportedly attempting to recruit affiliates directly from the potential pool of those that have been “done wrong” by NoEscape and ALPHV operations.

LockBit poaching from NoEscape and ALPHV

A Year End Rise In Identity-Focused Attacks

Identity compromise, and the subsequent use of valid credentials to perform illegitimate activities, is nearly ubiquitous in the modern landscape of cyberattacks. IAM platforms play a crucial role in both enhancing security and improving user experience by streamlining access processes within an organization. They are particularly important in large and medium-sized businesses where managing a large number of user identities and permissions is a complex task.

The compromise of market-leading IAM platforms continues to blossom and expand as we head towards the end of 2023. When we discuss the compromises of enterprises like 1Password, LastPass, BeyondTrust, and other identity management providers, the thing to keep in mind is the long-term and downstream effects. Beyond the immediate problem of compromised credentials and accounts, victims also face the legal issues that may arise, damaged reputation, and the associated loss of revenue. Also to consider is that, once compromised, it is trivial for the attacker to leverage the platform to start intercepting the data and traffic belonging to platform users. In this scenario, a single compromise of an IAM extends to many victim environments.

The consequences of a security breach in an IAM platform are far-reaching and can impact an organization on multiple fronts, including financial, legal, operational, and reputational aspects. It underscores the critical importance of robust security measures and constant vigilance in managing these systems. The downstream effects of breaches within the likes of 1Password, LastPass, and similar will be felt going into 2024 and beyond.

Forum and Dark Market Updates

We previously discussed ongoing cyber activity occurring on Telegram in our September cybercrime update. In the context of low-sophistication cybercrime marketing and sales, Telegram has collected a reputation for being a “Wild Wild West-like” hub for criminal activities. Accounts, proxy access, mail/identity lists and data, VPS services, FUD crypting, bank logs, and SIM/cell carrier services (aka SIM-swapping) are all available with essentially zero barrier to entry. Cybercrime actors of all types continue to congregate within relevant Telegram channels.

Service updates and options from Darkside Hackerzone

Given the approaching holiday season, we are seeing many channels and bots providing pseudo-sales and promotions on malware kits, tools, and other illicit services.

PayPal and CashApp accounts for sale
Holiday promo for malicious finance app transfer services
Holiday-themed sales

On the subject of forums, the Clearnet forum launched by Cyber Drag0nz in September appears to now be down or defunct. In a broader trend, it seems that many of the smaller Middle-Eastern crimeware operations, which have been amplified with the onset of the Israel-Hamas war, are showing their true size and abilities.

Now defunct Cyb3r Drag0nz forum

The Good News | New Initiatives and Counter-Operations

In the final month of 2023, the information security community has seen more law enforcement activities such as crackdowns and arrests in parallel with some new and positive developments from the recent Counter Ransomware Initiative (CRI) Summit.

At the tail end of November, a large-scale operation out of Europol led to the arrests of numerous ransomware affiliate actors associated with LockerGoga, MegaCortex, Hive, and Dharma. This action follows the initial wave of arrests that occurred in 2021. The recent action was focused across regions in Ukraine. Considered a large victory for global law enforcement agencies, these takedowns go some considerable distance in chipping away at the infrastructure of known threat actors.

Notably, we also saw the arrest of an alleged ringleader of the Kelvin Security hacking group this past month in Spain. The detainee was a primary figure in an associated money laundering activity which focused on cryptocurrency exchanges. This is an especially satisfying victory for law enforcement given the scope of the involved victimology. According to the released statements, the group has operated since 2013 and has carried out more than 300 high-level cyberattacks in the last three years, targeting strategic industries in over 90 countries, including the U.S., Germany, Italy, Argentina, Chile, and Japan.

Along those lines, an individual known as FFX pleaded guilty to charges surrounding their involvement in the development of Trickbot malware. Specifically, the Russian national was known for their contributions to the malware’s browser injection components, along with mechanisms for deployment and management of additional code (e.g., ransomware payloads). The developer currently faces a maximum sentence of 35 years in prison for charges related to computer fraud, identity theft, wire fraud, and bank fraud.

Recent developments from the highest levels of government are set to shape upcoming cybersecurity initiatives in the new year. At the latest Counter Ransomware Initiative Summit, members from across the world focused on global collaboration in ongoing cybersecurity strategies. Representatives from 50 countries discussed new methods to combat ransomware threats. Key topics included strengthening international cooperation, tackling financial underpinnings of ransomware, and enhancing public-private partnerships. The summit highlighted the evolving role of AI in cybersecurity and emphasized the importance of information sharing and policy initiatives to disrupt ransomware financing. These efforts aim to build a more resilient global cybersecurity infrastructure against the growing threat of ransomware.

Conclusion

After examining the past month, several compelling trends continue to demand our attention. High-profile threat operators, momentarily vanishing only to resurface later, have rendered the ransomware landscape more dynamic than ever. Ongoing attacks on leading IAM platforms signal to security leaders the very real vulnerabilities linked to the identity surface. Cybercriminals are shifting towards new methods of pressuring their victims to pay exorbitant ransoms.

In the wake of these challenges, new cyber initiatives and counter-operations spearheaded by governments worldwide are in place to address and push innovation in incident response, threat intel sharing, and other preventative measures.

In the face of these emerging trends, employing a comprehensive security solution like SentinelOne’s Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.

Decrypting SentinelOne Detection | The Behavioral AI Engine in Real-Time CWPP

In October, the first blog post in this series discussed the Static AI Engine. In this, the second installment of the Detection Engine blog series, we examine the SentinelOne Behavioral AI Engine. Although AI, and GenAI in particular, is a very hot topic right now, SentinelOne has been using AI as a keystone of our technology since our founding in 2013. We hope that this blog series conveys to our customers, prospects, and stakeholders how our AI-powered agent in Singularity Cloud Workload Security is uniquely equipped to create substantial value in delivering real-time cloud workload protection.

Our real-time CWPP solution uses five detection engines, each working to complement the other, to detect runtime threats impacting cloud workloads.

  • Static AI Engine
  • Cloud Intelligence Engine
  • App Control Engine
  • Behavioral AI Engine
  • STAR Rules Engine

Behavioral AI Engine 101

SentinelOne’s Behavioral AI Engine detects and mitigates previously unknown threats by monitoring kernel process actions and memory usage. This form of AI is not bypassed by malicious countermeasures, and readily identifies sophisticated threats including:

  • Fileless attacks
  • Ransomware, including polymorphic ransomware
  • Zero-day exploits
  • Credential theft
  • Privilege escalation
  • Malicious scripts
  • MITRE tactics and techniques
  • And more.

The Behavioral AI Engine has several characteristics:

  • Autonomous operation: It functions fully with or without an internet connection to the SaaS management console. The intelligence of the engine is built within the agent itself such that there is no round-trip latency to the cloud for analysis.
  • Real-time: The agent monitors all kernel-level processes as they are launched.
  • Post-execution: Unlike the Static AI Engine, which examines files before they are executed, the Behavioral AI Engine is constantly observing all processes as they execute.
  • Storyline™: Our patented visualization technology that tracks what’s happening inside of each cloud workload.

What is Storyline™?

To truly appreciate the inner workings of the Behavioral AI Engine, one must understand the role of SentinelOne’s Storyline technology. Storyline accelerates attack responses, reduces atomic alert noise, and surfaces actionable context for security analysts. Here is how it works.

SentinelOne’s CWPP supports 14 (and counting) Linux distributions and Windows Server releases spanning 20 years. Storyline observes all concurrent kernel processes, malicious and benign. It automatically “connects the dots” (i.e., identifies relationships) between related processes and preserves context such as process metadata. The AI monitors each thread against probabilistic thresholds of normalcy which, when crossed, trigger instantaneous protection against machine-speed attacks.

Because the CWPP agent has the Behavioral AI Engine’s intelligence built-in, the AI makes this judgment autonomously. There is no round-trip latency to the cloud for processing or for human analysis. The AI identifies and stops the spread of machine-speed evil in real-time, at the edge. Process threads, or storylines, deemed suspicious or malicious may be remediated (e.g., process kill and file quarantine) according to policies which are owned and governed by the customer, and which are easily modified via the management console.

Every thread is preserved in the SentinelOne Singularity Data Lake according to the data retention period the customer has selected. Therein, the workload telemetry may be queried, inspected, and used for threat hunting and/or further analysis. The following example walks through a representative behavioral detection and subsequent analysis.

Example: Behavioral Detection of a Python Script

In this example, we have a Kubernetes cluster running in Amazon EKS (Elastic Kubernetes Service), with Singularity Cloud Workload Security for Kubernetes deployed for real-time cloud workload protection.

For illustration purposes, we will launch a shell script via command injection, which will in turn download a Python script and initiate a sequence of events that triggers the Behavioral AI Engine.

Additionally, the CWPP response policies are set to Detect Mode for suspicious threats (i.e., those which the engine detects with reasonable confidence), and Protect Mode for malicious threats (i.e., those which the engine assesses with high confidence). Recall that the algorithms in our detection engines have been trained over the course of several years on hundreds of millions (nearly a billion) of malware samples.

Detection

In the following figure, we see that the Behavioral AI Engine was triggered by what it deemed to be a suspicious threat. The details captured include the path to the source process (i.e., python), all the command line arguments, which point to a base64-encoded script, the process user, and the originating process, which is containerd.

Behavioral detection triggered by a suspicious threat

Additional details include:

  • information about the AWS EC2 instance running the k8s cluster (e.g., account ID, region, instance ID, network, tags, etc.) on the CLOUD tab,
  • info on the cluster itself (e.g., namespace, pod, and container image) on the KUBERNETES tab, and
  • mapping of telemetry to MITRE TTPs on the THREAT INDICATORS pane.

All of this information can be used to accelerate an incident response investigation.

Rich details in the console for incident response

Analysis

By clicking on EXPLORE along the top of the management console, the security analyst can look at the process tree which Storyline has automatically assembled. The originating process, the containerd runtime, is shown in blue, indicating that the container runtime itself is not suspicious.

In itself, this is unsurprising, though it does indicate that the suspicious process is containerized. The Behavioral AI Engine first triggers a suspicious alert on the child bash process, which in turn spawns other child processes.

Note that the attack sequence is allowed to continue because the policy is set to Detect Mode. Each event in the sequence has process details recorded by the agent and shown in the right panel. It is worth noting that only an agent can deliver real-time threat detection and kernel process-level visibility, key for subsequent investigation, minimizing dwell time, and balancing risk management.

Exploring the execution chain

By simply following the visual sequence of events in the chain, each with its forensic details automatically recorded to the Singularity Data Lake by SentinelOne’s real-time CWPP, we quickly come to the python process itself. Here, the command line details shown in the right panel are much more telling. This is the malicious base64-encoded shell.

The security analyst now understands that a threat actor has accessed a specific k8s worker node (name, label, EC2 instance ID, region), installed a containerized web server, and, via command injection, downloaded a shell script which kicked off a Python script that launched a base64-encoded web shell.

The explorer displays the base64-encoded command line used by the attacker

If arriving at that understanding seems like a lot of work, consider that CWPP and Storyline automatically assembled it all in an easy-to-follow sequence, compressing potentially hours of analysis into just a few minutes. And if those events seem like a lot of noise, consider that there is only a single alert per storyline, suppressing noise so that the analyst can focus on root cause analysis.

Remediation

Now that the attack is understood, the security analyst can initiate a 1-click remediation action in the management console, such as process kill – which stops all processes related to the threat sequence – and file quarantine, to encrypt the threat file and its executables. Recall, for this example, the customer policy was set to Detect Mode. Had the policy been set to Protect Mode, the CWPP solution would have initiated remediation actions (again, governed by policy) when the threat was detected.

The analyst can also open a JIRA or ServiceNow ticket, using the integrations available in Singularity Marketplace, conveniently accessed via the SentinelOne management console. Knowing that this incident impacted a containerized workload running on a managed Kubernetes service (i.e., Amazon EKS), it is a good bet that this customer has a solution such as Snyk Container to manage vulnerabilities in the workload source code.

By virtue of our CWPP integration with Snyk, the runtime threat detection is automatically enriched with details from Snyk about known vulnerabilities it found in the source code. This information can be used to enrich the ticket and route it to the appropriate DevOps owner, to investigate and resolve exploited vulnerabilities at the source.

Simple one-click remediation in the console mitigates the threat

Now that the suspicious threat has been mitigated, the analyst may wish to query the Singularity Data Lake to see what network activities are associated with this specific storyline. Doing so is as simple as a 1-click pivot on the “Storyline” field in the console, as shown here.

Such a query may reveal a pattern of communication back to specific IP addresses, which can then in turn, be hunted across the rest of the workload telemetry in the data lake, to understand what other activity, if any, the threat actor may have initiated.
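The detection and analysis steps above reduce to two pieces of logic: reconstruct the process lineage from telemetry, and flag an interpreter launched with an encoded argument when that lineage runs through a container runtime. The following is an added example written for this post, not SentinelOne code or its Storyline engine; the process events, the container runtime names and the harmless encoded payload are all constructed for illustration.

```python
import base64
import re

# Process images that mark a lineage as containerized (constructed list).
CONTAINER_RUNTIMES = {"containerd", "containerd-shim", "containerd-shim-runc-v2",
                      "runc", "dockerd", "crio"}
# Interpreters whose command line may carry an encoded script.
INTERPRETERS = {"python", "python2", "python3", "perl", "sh", "bash"}
# A base64 "blob": 40 or more alphabet characters, optional padding, nothing else.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Constructed sample payload: a harmless print statement stands in for the
# encoded script in the walkthrough above. The detection never executes it.
PAYLOAD = base64.b64encode(b'print("constructed sample payload")').decode()

# Constructed telemetry, modelled on the chain in the walkthrough:
# containerd-shim -> nginx -> bash -> python3 -c <base64>, plus an unrelated
# host-level python process that must not be flagged.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": "/usr/bin/containerd-shim-runc-v2",
     "cmdline": "containerd-shim-runc-v2 -namespace k8s.io", "user": "root"},
    {"pid": 1010, "ppid": 1000, "image": "/usr/sbin/nginx",
     "cmdline": "nginx -g daemon off;", "user": "root"},
    {"pid": 1020, "ppid": 1010, "image": "/bin/bash",
     "cmdline": "bash /tmp/x.sh", "user": "www-data"},
    {"pid": 1030, "ppid": 1020, "image": "/usr/bin/python3",
     "cmdline": "python3 -c " + PAYLOAD, "user": "www-data"},
    {"pid": 2000, "ppid": 1, "image": "/usr/bin/python3",
     "cmdline": "python3 /opt/app/main.py", "user": "app"},
]


def basename(path):
    return path.rsplit("/", 1)[-1]


def ancestry(events, pid):
    """Return the process chain root-first, ending at pid (a minimal storyline)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def base64_tokens(cmdline):
    return [tok for tok in cmdline.split() if B64_TOKEN.match(tok)]


def decode_for_triage(token, limit=200):
    """Decode an encoded argument for analyst review only; None if not base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")[:limit]


def detect(events):
    """Flag interpreters launched with an encoded argument; rate higher in containers."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in INTERPRETERS:
            continue
        tokens = base64_tokens(ev["cmdline"])
        if not tokens:
            continue
        chain = ancestry(events, ev["pid"])
        containerized = any(basename(a["image"]) in CONTAINER_RUNTIMES
                            for a in chain[:-1])
        findings.append({
            "pid": ev["pid"],
            "user": ev["user"],
            "verdict": "suspicious" if containerized else "informational",
            "chain": [basename(a["image"]) for a in chain],
            "decoded": decode_for_triage(tokens[0]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding["verdict"], finding["pid"], " -> ".join(finding["chain"]))
        print("  decoded argument:", finding["decoded"])
```

On the constructed events only the containerized python3 process is rated suspicious; the same command line launched directly on the host is reported at a lower confidence, mirroring the suspicious-versus-malicious distinction the policy modes above rely on.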

Conclusion

If the Static AI Engine is the workhorse of our real-time CWPP solution, then the Behavioral AI Engine is the fusion reactor. By concurrently monitoring hundreds, even thousands, of kernel process threads, our Behavioral AI Engine is able to recognize when a sequence of related events exceeds statistical norms.

In this way, the Behavioral AI Engine detects even the most sophisticated or as yet unknown threats in real time and records extensive attack details so that incident response is streamlined and an in-depth understanding achieved.

To learn more about the value of real-time CWPP in your cloud security stack, head over to the solution homepage, or see how Singularity Cloud Workload Security works with a 2-minute guided walk-through here. And of course, whenever you are ready, you may connect with one of our cloud security experts for a personalized demo.

The Good, the Bad and the Ugly in Cybersecurity – Week 50

The Good | US Detains Suspects in $80 Million ‘Pig Butchering’ Cryptocurrency Scam

Online financial crime resulted in losses of $3 billion last year, with cryptocurrency investment fraud rising by 183%, according to statistics released by the FBI. Good to hear, then, that the Department of Justice has this week arrested two individuals and charged another four over a cryptocurrency investment scam that allegedly netted the gang over $80 million.

The indictment accuses Lu Zhang, Justin Walker, Joseph Wong, and Hailong Zhu of operating a complex network of shell companies and bank accounts. These were allegedly used to launder money from victims lured into ‘pig butchering’ scams. The criminals built trust with their victims through messaging apps, dating platforms, and social media, before deceitfully draining their cryptocurrency wallets.

Two of the suspects, Zhang and Walker, appeared in a federal court in Los Angeles to face charges including conspiracy to commit money laundering, with potential sentences of up to 20 years if convicted.

According to the Justice Department, the gang’s activities involved at least 284 transactions and resulted in more than $80 million in victim losses. More than $20 million in stolen funds was directly deposited into bank accounts associated with the suspects.

The law enforcement action underscores the growing threat of online investment scams, particularly those involving cryptocurrencies, and highlights the need for vigilance in the ongoing battle against digital financial crimes.

The Bad | Microsoft Accounts Targeted Through Misuse of OAuth Applications

Threat actors are increasingly targeting Microsoft accounts by exploiting OAuth applications for a range of malicious activities, including BEC (Business Email Compromise), phishing, spamming, and cryptocurrency mining, researchers said this week. An investigation uncovered approximately 17,000 malicious multi-tenant OAuth applications created using compromised Microsoft accounts, leading to over 927,000 phishing emails in a campaign running from July to November 2023.

Attackers are focusing on Microsoft user accounts with weak authentication, such as those lacking multi-factor authentication (MFA), and employing phishing or password-spraying tactics to gain control. Once access is secured, they create new OAuth applications with high privileges, enabling them to stay under the radar while maintaining persistent access.

In one case, APT actor Storm-1283 used OAuth attacks to deploy virtual machines for cryptocurrency mining, causing financial losses to multiple organizations from $10,000 to $1.5 million.

In another, an attacker exploited OAuth applications for phishing campaigns and BEC reconnaissance, using Microsoft’s Outlook Web Application (OWA) to search for “payment” and “invoice” related information through compromised accounts.

Across several instances, attackers were found to have created multi-tenant OAuth apps for persistence, creating new credentials, and sending phishing emails via the Microsoft Graph API.

Admins are urged to ensure that MFA is required on all accounts and to enforce conditional access policies wherever possible. Accounts should be monitored for unusual or risky behavior and revoked if found to be suspicious.
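The chain described above (a compromised account registers a multi-tenant app, attaches a credential to it, then grants it a mail-sending Graph permission) is something a defender can surface from Entra ID audit logs. The following is an added example, not code from the SentinelOne post or from Microsoft: the operation names and record fields are a simplified, assumed shape of Entra audit records, and the sample records are constructed.

```python
"""Flag OAuth apps that match the abuse chain: create multi-tenant app,
add credential, grant risky Graph permission, all by one actor within a
short window. Added example; field names and operation strings are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit-log operation names (assumed to follow Entra ID conventions).
CREATE_OPS = {"Add application", "Add service principal"}
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
CONSENT_OPS = {"Consent to application", "Add app role assignment to service principal"}
# Graph permissions that enable mail-based phishing/BEC or directory takeover.
RISKY_PERMISSIONS = {"Mail.Send", "Mail.ReadWrite", "Directory.ReadWrite.All",
                     "Application.ReadWrite.All"}
WINDOW = timedelta(hours=24)  # the three steps must all occur within this span


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious_apps(records):
    """Return {app_id: [findings]} for apps where all three chain steps are present."""
    by_app = defaultdict(list)
    for rec in records:
        by_app[rec["app_id"]].append(rec)
    flagged = {}
    for app_id, events in by_app.items():
        events.sort(key=lambda r: parse_ts(r["time"]))
        created = next((e for e in events if e["operation"] in CREATE_OPS), None)
        if created is None:
            continue  # app predates the log window; not the creation pattern we want
        actor, t0 = created["actor"], parse_ts(created["time"])
        recent = [e for e in events if t0 <= parse_ts(e["time"]) <= t0 + WINDOW]
        findings = []
        if created.get("sign_in_audience") == "AzureADMultipleOrgs":
            findings.append("multi-tenant app created")
        if any(e["operation"] in CREDENTIAL_OPS and e["actor"] == actor for e in recent):
            findings.append(f"credential added by creator {actor}")
        granted = {p for e in recent if e["operation"] in CONSENT_OPS
                   for p in e.get("permissions", [])}
        risky = granted & RISKY_PERMISSIONS
        if risky:
            findings.append("high-privilege permissions: " + ", ".join(sorted(risky)))
        if len(findings) == 3:  # every step of the chain observed: report it
            flagged[app_id] = findings
    return flagged


# Constructed sample records (simplified shape; not real audit data).
SAMPLE_RECORDS = [
    # Benign: an admin registers a single-tenant app with User.Read only.
    {"time": "2023-09-01T09:00:00Z", "operation": "Add application",
     "actor": "admin@example.com", "app_id": "app-0001", "sign_in_audience": "AzureADMyOrg"},
    {"time": "2023-09-01T09:05:00Z", "operation": "Consent to application",
     "actor": "admin@example.com", "app_id": "app-0001", "permissions": ["User.Read"]},
    # Abuse chain: compromised user creates multi-tenant app, adds a secret, grants Mail.Send.
    {"time": "2023-09-02T13:00:00Z", "operation": "Add application",
     "actor": "compromised.user@example.com", "app_id": "app-0002",
     "sign_in_audience": "AzureADMultipleOrgs"},
    {"time": "2023-09-02T13:02:00Z", "operation": "Add service principal credentials",
     "actor": "compromised.user@example.com", "app_id": "app-0002"},
    {"time": "2023-09-02T13:04:00Z", "operation": "Consent to application",
     "actor": "compromised.user@example.com", "app_id": "app-0002",
     "permissions": ["Mail.Send", "User.Read"]},
    # Multi-tenant app whose secret was added days later: chain incomplete, not flagged.
    {"time": "2023-09-03T08:00:00Z", "operation": "Add application",
     "actor": "dev@example.com", "app_id": "app-0003", "sign_in_audience": "AzureADMultipleOrgs"},
    {"time": "2023-09-06T08:00:00Z", "operation": "Add service principal credentials",
     "actor": "dev@example.com", "app_id": "app-0003"},
]

if __name__ == "__main__":
    for app, why in find_suspicious_apps(SAMPLE_RECORDS).items():
        print(app, "->", "; ".join(why))
```

Tuning WINDOW and the permission set to the tenant's normal app-registration practice keeps the rule from firing on legitimate developer activity, as the third sample app shows.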

The Ugly | Ukraine Mobile Network Hit As Russian Tax Service Attacked By Malware

Ukraine’s largest mobile network operator, Kyivstar, suffered a massive cyberattack earlier this week, leaving more than half of the nation’s population without crucial mobile and internet services. The attack disrupted IT infrastructure as well as air raid alert systems across several regions.

Kyivstar’s official website went offline, but the company said on social media that it had been targeted by “a powerful hacker attack”, which it attributed as a direct consequence of the Russian war on Ukraine. Kyivstar CEO Oleksandr Komarov was reported as saying that the attack had significantly damaged the company’s infrastructure, adding that “we could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access.”

In the wake of the disruption, it is being suggested that while major services like mobile internet, voice services, and SMS should be restored soon, a full recovery of all services could take several weeks.

Initially, Russian hacktivist group Killnet made unsubstantiated claims to be behind the attack. By Wednesday, another group called Solntsepyok, believed to be linked to Russian military intelligence APT Sandworm, posted screenshots on Telegram purporting to show how it accessed Kyivstar’s servers, stating that “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as state bodies and Ukraine’s security forces”.

“Solntsepek hackers” claim responsibility for the Kyivstar attack

In a worrying sign of how civilian critical infrastructure is increasingly a target in cyber warfare, Ukraine announced on the same day as the Kyivstar attack that its defense intelligence directorate (GUR) had infected thousands of Russian servers used by Russia’s state tax service, destroying databases and backups. The statement said the attack had led to the complete destruction of Russia’s federal tax service (FNS) infrastructure.

Ten Years Later, New Clues in the Target Breach

On Dec. 18, 2013, KrebsOnSecurity broke the news that U.S. retail giant Target was battling a wide-ranging computer intrusion that compromised more than 40 million customer payment cards over the previous month. The malware used in the Target breach included the text string “Rescator,” which also was the handle chosen by the cybercriminal who was selling all of the cards stolen from Target customers. Ten years later, KrebsOnSecurity has uncovered new clues about the real-life identity of Rescator.

Rescator, advertising a new batch of cards stolen in a 2014 breach at P.F. Chang’s.

Shortly after breaking the Target story, KrebsOnSecurity reported that Rescator appeared to be a hacker from Ukraine. Efforts to confirm my reporting with that individual ended when they declined to answer questions, and after I declined to accept a bribe of $10,000 not to run my story.

That reporting was based on clues from an early Russian cybercrime forum in which a hacker named Rescator — using the same profile image that Rescator was known to use on other forums — claimed to have originally been known as “Helkern,” the nickname chosen by the administrator of a cybercrime forum called Darklife.

KrebsOnSecurity began revisiting the research into Rescator’s real-life identity in 2018, after the U.S. Department of Justice unsealed an indictment that named a different Ukrainian man as Helkern.

It may be helpful to first recap why Rescator is thought to be so closely tied to the Target breach. For starters, the text string “Rescator” was found in some of the malware used in the Target breach. Investigators would later determine that a variant of the malware used in the Target breach was used in 2014 to steal 56 million payment cards from Home Depot customers. And once again, cards stolen in the Home Depot breach were sold exclusively at Rescator’s shops.

On Nov. 25, 2013, two days before Target said the breach officially began, Rescator could be seen in instant messages hiring another forum member to verify 400,000 payment cards that Rescator claimed were freshly stolen.

By the first week of December, 2013, Rescator’s online store — rescator[.]la — was selling more than six million payment card records stolen from Target customers. Prior to the Target breach, Rescator had mostly sold much smaller batches of stolen card and identity data, and the website allowed cybercriminals to automate the sending of fraudulent wire transfers to money mules based in Lviv, Ukraine.

Finally, there is some honor among thieves, and in the marketplace for stolen payment card data it is considered poor form to advertise a batch of cards as “yours” if you are merely reselling cards sold to you by a third-party card vendor or thief. When serious stolen payment card shop vendors wish to communicate that a batch of cards is uniquely their handiwork or that of their immediate crew, they refer to it as “our base.” And Rescator was quite clear in his advertisements that these millions of cards were obtained firsthand.

FLASHBACK

The new clues about Rescator’s identity came into focus when I revisited the reporting around an April 2013 story here that identified the author of the OSX Flashback Trojan, an early malware strain that quickly spread to more than 650,000 Mac computers worldwide in 2012.

That story about the Flashback author was possible because a source had obtained a Web browser authentication cookie for a founding member of a Russian cybercrime forum called BlackSEO. Anyone in possession of that cookie could then browse the invite-only BlackSEO forum and read the user’s private messages without having to log in.

BlackSEO.com VIP member “Mavook” tells forum admin Ika in a private message that he is the Flashback author.

The legitimate owner of that BlackSEO user cookie went by the nickname Ika, and Ika’s private messages on the forum showed he was close friends with the Flashback author. At the time, Ika also was the administrator of Pustota[.]pw — a closely-guarded Russian forum that counted among its members some of the world’s most successful and established spammers and malware writers.

For many years, Ika held a key position at one of Russia’s largest Internet service providers, and his (mostly glowing) reputation as a reliable provider of web hosting to the Russian cybercrime community gave him an encyclopedic knowledge about nearly every major player in that scene at the time.

The story on the Flashback author featured redacted screenshots that were taken from Ika’s BlackSEO account (see image above). The day after that story ran, Ika posted a farewell address to his mates, expressing shock and bewilderment over the apparent compromise of his BlackSEO account.

In a lengthy post on April 4, 2013 titled “I DON’T UNDERSTAND ANYTHING,” Ika told Pustota forum members he was so spooked by recent events that he was closing the forum and quitting the cybercrime business entirely. Ika recounted how the Flashback story had come the same week that rival cybercriminals tried to “dox” him (their dox named the wrong individual, but included some of Ika’s more guarded identities).

“It’s no secret that karma farted in my direction,” Ika said at the beginning of his post. Unbeknownst to Ika at the time, his Pustota forum also had been completely hacked that week, and a copy of its database shared with this author.

A Google translated version of the farewell post from Ika, the administrator of Pustota, a Russian language cybercrime forum focused on botnets and spam. Click to enlarge.

Ika said the two individuals who tried to dox him did so on an even more guarded Russian language forum — DirectConnection[.]ws, perhaps the most exclusive Russian cybercrime community ever created. New applicants of this forum had to pay a non-refundable deposit, and receive vouches by three established cybercriminals already on the forum. Even if one managed to steal (or guess) a user’s DirectConnection password, the login page could not be reached unless the visitor also possessed a special browser certificate that the forum administrator gave only to approved members.

In no uncertain terms, Ika declared that Rescator went by the nickname MikeMike on DirectConnection:

“I did not want to bring any of this to real life. Especially since I knew the patron of the clowns – specifically Pavel Vrublevsky. Yes, I do state with confidence that the man with the nickname Rescator a.k.a. MikeMike with his partner Pipol have been Pavel Vrublevsky’s puppets for a long time.”

Pavel Vrublevsky is a convicted cybercriminal who became famous as the CEO of the Russian e-payments company ChronoPay, which specialized in facilitating online payments for a variety of “high-risk” businesses, including gambling, pirated Mp3 files, rogue antivirus software and “male enhancement” pills.

As detailed in my 2014 book Spam Nation, Vrublevsky not-so-secretly ran a pharmacy affiliate spam program called Rx-Promotion, which paid spammers and virus writers to blast out tens of billions of junk emails advertising generic Viagra and controlled pharmaceuticals like pain relief medications. Much of my reporting on Vrublevsky’s cybercrime empire came from several years worth of internal ChronoPay emails and documents that were leaked online in 2010 and 2011.

Pavel Vrublevsky’s former Facebook profile photo.

ZAXVATMIRA

In 2014, KrebsOnSecurity learned from a trusted source close to the Target breach investigation that the user MikeMike on DirectConnection — the same account that Ika said belonged to Rescator — used the email address “zaxvatmira@gmail.com.”

At the time, KrebsOnSecurity could not connect that email address to anything or anyone. However, a recent search on zaxvatmira@gmail.com at the breach tracking service Constella Intelligence returns just one result: An account created in November 2010 at the site searchengines[.]ru under the handle “r-fac1.”

A search on “r-fac1” at cyber intelligence firm Intel 471 revealed that this user’s introductory post on searchengines[.]ru advertised musictransferonline[.]com, an affiliate program that paid people to drive traffic to sites that sold pirated music files for pennies apiece.

According to leaked ChronoPay emails from 2010, this domain was registered and paid for by ChronoPay. Those missives also show that in August 2010 Vrublevsky authorized a payment of ~$1,200 for a multi-user license of an Intranet service called MegaPlan.

ChronoPay used the MegaPlan service to help manage the sprawling projects that Vrublevsky referred to internally as their “black” payment processing operations, including pirated pills, porn, Mp3s, and fake antivirus products. ChronoPay employees used their MegaPlan accounts to track payment disputes, order volumes, and advertising partnerships for these high-risk programs.

Borrowing a page from the Quentin Tarantino movie Reservoir Dogs, the employees adopted nicknames like “Mr. Kink,” “Mr. Heppner,” and “Ms. Nati.” However, in a classic failure of operational security, many of these employees had their MegaPlan account messages automatically forwarded to their real ChronoPay email accounts.

A screen shot of the org chart from ChronoPay’s MegaPlan Intranet system.

When ChronoPay’s internal emails were leaked in 2010, the username and password for its MegaPlan subscription were still working and valid. An internal user directory for that subscription included the personal (non-ChronoPay) email address tied to each employee Megaplan nickname. That directory listing said the email address zaxvatmira@gmail.com was assigned to the head of the Media/Mp3 division for ChronoPay, pictured at the top left of the organizational chart above as “Babushka Vani and Koli.”

[Author’s note: I initially overlooked the presence of the email address zaxvatmira@gmail.com in my notes because it did not show up in text searches of my saved emails, files or messages. I rediscovered it recently when a text search for zaxvatmira@gmail.com on my Mac found the address in a screenshot of the ChronoPay MegaPlan interface.]

The nickname two rungs down from “Babushka” in the ChronoPay org chart is “Lev Tolstoy,” which the MegaPlan service showed was picked by someone who used the email address v.zhabukin@freefrog-co-ru.

ChronoPay’s emails show that this Freefrog email address belongs to a Vasily Borisovich Zhabykin from Moscow. The Russian business tracking website rusprofile[.]ru reports that Zhabykin is or was the supervisor or owner of three Russian organizations, including one called JSC Hot Spot.

[Author’s note: The word “babushka” means “grandma” in Russian, and it could be that this nickname is a nod to the ChronoPay CEO’s wife, Vera. The leaked ChronoPay emails show that Vera Vrublevsky managed a group of hackers working with their media division, and was at least nominally in charge of MP3 projects for ChronoPay. Indeed, in messages exposed by the leaked ChronoPay email cache, Zhabykin stated that he was “directly subordinate” to Mrs. Vrublevsky.]

CYBERCRIME HOTSPOT

JSC Hot Spot is interesting because its co-founder is another ChronoPay employee: 37-year-old Mikhail “Mike” Shefel. A Facebook profile for Mr. Shefel says he is or was vice president of payment systems at ChronoPay. However, the last update on that profile is from 2018, when Shefel appears to have legally changed his last name.

Archive.org shows that Hot Spot’s website — myhotspot[.]ru — sold a variety of consulting services, including IT security assessments, code and system audits, and email marketing. The earliest recorded archive of the Hot Spot website listed three clients on its homepage, including ChronoPay and Freefrog.

ChronoPay internal emails show that Freefrog was one of its investment projects that facilitated the sale of pirated Mp3 files. Rusprofile[.]ru reports that Freefrog’s official company name — JSC Freefrog — is incorporated by a thinly-documented entity based in the Seychelles called Impex Consulting Ltd., and it is unclear who its true owners are.

However, a search at DomainTools.com on the phone number listed on the homepage of myhotspot[.]ru (74957809554) reveals that number is associated with eight domain names.

Six of those domains are some variation of FreeFrog. Another domain registered to that phone number is bothunter[.]me, which included a copyright credit to “Hot Spot 2011.” At the annual Russian Internet Week IT convention in Moscow in 2012, Mr. Shefel gave a short presentation about bothunter, which he described as a service he designed to identify inauthentic (bot) accounts on Russian social media networks.

Interestingly, one of r-fac1’s first posts to Searchengines[.]ru a year earlier saw this user requesting help from other members who had access to large numbers of hacked social media accounts. R-fac1 told forum members that he was only looking to use those accounts to post harmless links and comments to the followers of the hacked profiles, and his post suggested he was testing something.

“Good afternoon,” r-fac1 wrote on Dec. 20, 2010. “I’m looking for people with their own not-recently-registered accounts on forums, (except for search) Social networks, Twitter, blogs, their websites. Tasks, depending on your accounts, post text and a link, sometimes just a link. Most often the topic is chatter, relaxation, discussion. Posting my links in your profiles, on your walls. A separate offer for people with a large set of contacts in instant messengers to try to use viral marketing.”

Neither Mr. Shefel nor Mr. Zhabykin responded to requests for comment.

WHERE ARE THEY NOW?

Mr. Zhabykin soon moved on to bigger ventures, co-founding a cryptocurrency exchange based in Moscow’s financial center called Suex. In September 2021, Suex earned the distinction of becoming the first crypto firm to be sanctioned by the U.S. Department of the Treasury, which effectively blocked Suex from the global financial system. The Treasury alleged Suex helped to process millions in criminal transactions, including the proceeds of numerous ransomware attacks.

“I don’t understand how I got mixed up in this,” Zhabykin told The New York Times in 2021. Zhabykin said Suex, which is registered in the Czech Republic, was mostly a failure and had conducted only a half dozen or so transactions since 2019.

The Russian business tracking service Rusprofile says Zhabykin also is the owner of a company based in the United Kingdom called RideWithLocal; the company’s website says it specializes in arranging excursions for extreme sports, including snowboarding, skiing, surfing and parasailing. Images from the RideWithLocal Facebook page show helicopters dropping snowboarders and skiers atop some fairly steep mountains.

A screenshot from the Facebook page of RideWithLocal.

Constella Intelligence found a cached copy of a now-deleted LinkedIn profile for Mr. Zhabykin, who described himself as a “sporttech/fintech specialist and mentor.”

“I create products and services worldwide, focusing on innovation and global challenges,” his LinkedIn profile said. “I’ve started my career in 2002 and since then I worked in Moscow, different regions of Russia, including Siberia and in Finland, Brazil, United Kingdom, Sri Lanka. Over the last 15 years I contributed to many amazing products in the following industries: sports, ecology, sport tech, fin tech, electronic payments, big data, telecommunications, pulp and paper industry, wood processing and travel. My specialities are Product development, Mentorship, Strategy and Business development.”

Rusprofile reports that Mikhail Borisovich Shefel is associated with at least eight current or now-defunct companies in Russia, including Dengi IM (Money IM), Internet Capital, Internet Lawyer, Internet 2, Zao Hot Spot, and (my personal favorite) an entity incorporated in 2021 called “All the Money in the World.”

Constella Intelligence found several official documents for Mr. Shefel that came from hacked Russian phone, automobile and residence records. They indicate Mr. Shefel is the registrant of a black Porsche Cayenne (Plate:X537SR197) and a Mercedes (Plate:P003PX90). Those vehicle records show Mr. Shefel was born on May 28, 1986.

Rusprofile reveals that at some point near the end of 2018, Shefel changed his last name to Lenin. DomainTools reports that in 2018, Mr. Shefel’s company Internet 2 LLC registered the domain name Lenin[.]me. This now-defunct service sold physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founding father of the Soviet Union.

Meanwhile, Pavel Vrublevsky remains imprisoned in Russia, awaiting trial on fraud charges levied against the payment company CEO in March 2022. Authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.

In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top spammers and botmasters to launch a distributed denial-of-service (DDoS) attack against a ChronoPay competitor that shut down the ticketing system for the state-owned Aeroflot airline.

Following his release, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.

KrebsOnSecurity sought comment on this research from the Federal Bureau of Investigation (FBI) and the U.S. Secret Service, both of which have been involved in the Target breach investigation over the years. The Secret Service declined to confirm or dispute any of the findings, but said it is still interested in hearing from anyone who might have more information.

“The U.S. Secret Service does not comment on any open investigation and won’t confirm or deny the accuracy in any reporting related to a criminal manner,” the agency said in a written statement. “However, if you have any information relating to the subjects referenced in this article, please contact the U.S. Secret Service at mostwanted@usss.dhs.gov. The Secret Service pays a reward for information leading to the arrest of cybercriminals.”