Microsoft’s Dangerous Addiction To Security Revenue

Last week, CNBC gave me a chance to discuss Microsoft’s Friday-night news dump of a new breach by Russian intelligence services, in which I called for more details from Microsoft so that other organizations could defend themselves.

On January 25th, we gained a bit more transparency in the form of a blog post from “Microsoft Security”, the commercial security division of Microsoft. Let me offer some reactions.

Microsoft Buries the Lede

“Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”

Translation: Since the techniques outlined in the blog only work on Microsoft-hosted cloud identity and email services, this means that other companies were compromised using the same flaws in Entra (better known as Azure Active Directory) and Microsoft 365.

Microsoft’s language here plays this up as a big favor they are doing the ecosystem by sharing their “extensive knowledge of Midnight Blizzard” when, in fact, what they are announcing is that this breach has affected multiple tenants of their cloud products.

Update: Joseph Menn of the Washington Post has several sources indicating that at least ten companies were breached and will be disclosing soon.

Microsoft Continues to Downplay the Attack By Abusing the Term “Legacy”

One of the big open questions from last week was how an attack against a “legacy non-production test tenant” could lead to access to the emails of key Microsoft executives. We get a bit more detail in this paragraph:

“Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.”

I have seen this fundamental problem in multiple investigations, including the one that Microsoft worked so hard to label as the Solarwinds Incident*: AzureAD is overly complex, and lacks a UX that allows for administrators to easily understand the web of security relationships and dependencies that attackers are becoming accustomed to exploiting.

In many organizations, AzureAD is deployed in hybrid mode, which combines the vulnerability of cloud (external password sprays) and on-premises (NTLM, mimikatz) identity technologies in a combination that smart attackers utilize to bounce between domains, escalate privilege and establish persistence.

Calling this a “legacy” tenant is a dodge; this system was clearly configured to allow for production access as of a couple of weeks ago, and Microsoft has an obligation to secure their legacy products and tenants just as well as ones provisioned today. It’s not clear what they mean by “legacy”, but whatever Microsoft’s definition it is likely to be representative of how thousands of their customers are utilizing their products.

Microsoft does, however, offer all of us some solution…

Microsoft is Using Its Own Security Flaws as an Opportunity to Upsell

These sentences in the blog post deserve a nomination to the Cybersecurity Chutzpah Hall of Fame, as Microsoft recommends that potential victims of this attack against their cloud-hosted infrastructure:

  • “Detect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection.
  • Investigate compromised accounts using Microsoft Purview Audit (Premium).
  • Enforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory Domain Services.”

Microsoft is using this announcement as an opportunity to upsell customers on their security products, which are apparently necessary to run their identity and collaboration products safely!

This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts. It has become clear over the past few years that Microsoft’s addiction to security product revenue has seriously warped their product design decisions, where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases.

While these two arrogant and circumspect posts do, at least, admit “the urgent need to move even faster” in securing their products, I would argue that Microsoft has a much deeper cultural problem to solve as the world’s most important IT company.

They need to throw away this poisonous idea of security as a separate profit center and rededicate themselves to shipping products that are secure-by-default while providing all security features to all customers. I understand the need to charge for log storage or human services, but we should no longer accept the idea that Microsoft’s basic enterprise offerings (including those paid for by the US taxpayer) should lack the basic features necessary to protect against likely attacks.

My current employer competes against some of these products, but if Microsoft did a better job by default then that would actually reduce the need for SentinelOne and other security vendors to provide basic safety protections.

For all the language about the sophistication of the SVR hackers behind this attack, there is nothing here that is outside the norm for ransomware groups attacking Microsoft technologies, and Microsoft customers of all sizes should be concerned that these techniques will be deployed against them if they do not pay extra for the secure version of Microsoft’s cloud products.

Twenty-one years after the Trustworthy Computing memo, it’s once again time for some soul searching in Redmond.

Note

* While the breach of Solarwinds was a critical part of the SVR campaign to break into around 200 organizations, weaknesses in the deployed configuration of AzureAD also played an important role, which Microsoft effectively papered over in their Congressional testimony and written statements.


SentinelOne’s WatchTower | Transforming Proactive Defense with Advanced 24/7 Threat Hunting Capabilities

Security teams face an uphill battle as stealthy threats and Advanced Persistent Threats (APTs) become increasingly adept at slipping past conventional security tools, leaving organizations at heightened risk. It’s a game of digital hide-and-seek against well-funded and well-resourced adversaries that are proving to be ever more difficult to detect. The longer these threats go unnoticed, the greater the cyber risk becomes – and when an adversary is successful, the financial impact of a data breach can average $4.45M.

But what if we could change the game? SentinelOne’s innovative WatchTower services are designed to augment security teams and help them stay ahead of adversaries, offering a fresh approach to uncovering the elusive threats that traditional methods often miss.

Why is Threat Hunting So Important?

Threat hunting is a proactive, systematic exploration for potential cyber threats lurking within an organization’s network or systems. It’s not about waiting for alerts from security tools; it’s actively seeking out the hidden dangers that may have slipped past these traditional security measures.

Threat hunting is more than just another activity in the SOC – it’s the constant practice of uncovering adversaries who are silently hiding in your network, patiently waiting to launch an attack or achieve their malicious objectives. Instead of simply reacting to threats, hunting proactively seeks out to identify, prioritize, and mitigate risk. A combination of manual and automated techniques come into play, including delving into security events, carrying out network scans, and leveraging threat intelligence feeds. The primary goal is to spot potential threats at the earliest kill-chain stage possible, ideally before they’ve had a chance to impact the organization.

This isn’t a task for just any security solution or team – it requires a platform that integrates cross-domain security data and the expertise of threat-hunting professionals. These skilled individuals possess strong analytical and technical abilities, perfectly equipped to lead the hunt. When paired with the right security platform, threat hunters are technically empowered with:

  • The ability to quickly execute searches for newly discovered threats across historical security telemetry
  • Access to the newest Threat Intelligence combined with a tailored hunting approach. Threat Intelligence provides the ability to find a needle in a haystack; looking for behavioral attack patterns across seemingly benign events is an invaluable addition to cross-domain detections

By embracing cyber threat hunting and threat hunting practices, organizations can significantly reduce their risk of falling victim to cyber-attacks, ensuring the security and availability of their systems and networks remain intact.

Unveiling the WatchTower Lineup

A New Era of Threat Hunting with SentinelOne

SentinelOne is excited to announce the general availability (GA) of its expanded AI-infused managed threat hunting services, WatchTower and WatchTower Pro. Building off an established foundation in serving customers around the world, this release marks the start of a new era of threat hunting due to numerous upgrades in threat hunting methodologies. WatchTower and WatchTower Pro now incorporate advanced AI technologies and more robust threat intelligence feeds. With SentinelOne’s WatchTower team at your back, you’re not just responding to threats but actively hunting them down, pushing the boundaries of what’s possible in improving risk posture.

Coupled with the Singularity Platform’s detection capabilities, customers who opt for WatchTower are backed by a team of threat hunting experts on standby 24/7 to hunt and stop adversary behavior. WatchTower offers intelligence-driven and behavior-based threat hunting, backed by expert human analysis, to help security teams maximize threat visibility and identify emergent attackers across every part of their business. The expanded capabilities of WatchTower™ include:

  • 24/7 real-time threat hunting
  • Retrospective threat hunting across all historical data
  • Anomalous and suspicious behavior detection
  • Multi-faceted hunting approach, including intelligence-based, behavioral & AI-driven threat hunting
  • Expanded coverage against known and emergent threats
  • Detailed reporting on hunting activities and findings in the environment
  • Access to WatchTower’s in-house threat intelligence library, including behavioral hunting queries, indicators of compromise, and more.
  • Monthly reporting on the global threat landscape

Customized Approach to Threat Hunting with WatchTower Pro

Customers that require a highly customized threat and risk hunting approach should look to WatchTower Pro™. Building on the features of WatchTower, WatchTower Pro™ adds:

  • Detailed enterprise-wide compromise & security risk assessments multiple times throughout the year, along with mitigation guidance
  • Custom hunting support via a dedicated Threat Hunter, including on-demand threat hunting and intelligence support
  • Darkweb exposure hunting and domain mimic monitoring
  • A bespoke and detailed plan to evolve your corporate security and risk posture

About WatchTower Threat Hunters

The SentinelOne WatchTower Threat Hunting team is made up of experienced threat hunters from around the globe to ensure round-the-clock defenses of your cyber estate. Skilled hunters sweep through threat intelligence sources, global events, and malware families to automate the most prevalent threat hunts and set regular threat hunting schedules for less prevalent, but still potential, threats. Our continued investment in automation enables us to scale every week, so your WatchTower analyst can perform additional hunts on your behalf.

Benefits

Threat Expertise on Tap

In cybersecurity, we’re seeing a prolonged skills gap – especially in skilled roles like threat hunting – that can often leave in-house teams scrambling to keep up. This is where managed services step in – a powerful strategy to bolster your defenses and make even the smallest teams more potent in their fight against adversaries. Imagine having access to a pool of specialized talent, ready to augment your existing team’s threat hunting capabilities. This isn’t just about filling in the gaps; it’s about amplifying your capabilities, offering fresh perspectives, and bringing proven approaches to your cybersecurity needs.

Confidently Navigate the Threat Landscape with Unparalleled Threat Intelligence

WatchTower flash and monthly reports are your comprehensive guide in navigating the complex terrain of threats. Get tailored insights to help you better understand your environment and effectively strategize your next move. We’re harnessing the power of machine learning and AI and integrating them into our threat hunting algorithms so customers get enhanced effectiveness, sharper predictions, and more precise countermeasures against threats. Why choose between human expertise and industry-leading technology when you can have the best of both?

Read this year’s WatchTower 2023 End of Year Report for expert analysis of the top cyber threats of 2023 and predictions for 2024.

WatchTower now integrates expanded intelligence sources, providing an enriched set of atomic and behavioral IOC hunting capabilities. This is further bolstered by rapidly growing libraries for Linux, OSX, and Cloud behavioral hunting, significantly expanding the scope of threat detection. WatchTower also automates host-based YARA and forensic artifact collection for hunt verifications.

For organizations seeking to outsource more of their security operations, combining WatchTower Services with our Vigilance MDR and DFIR services ensures that all threats, even those detected through WatchTower’s enhanced visibility, are promptly acted upon and mitigated by a skilled investigation and response team.

24 x 7 Risk Reduction

Adopting SentinelOne’s WatchTower services results in considerable risk reduction across business operations by providing continuous and proactive threat identification. With 24/7 real-time threat hunting, investigation, and containment, threats are identified and contained before they can disrupt your business. WatchTower covers a wide spectrum of threats ranging from hidden Advanced Persistent Threats (APTs) and covert cyber crime to policy misuse and insider threats. Even vulnerabilities resulting from poor security practices or environmental factors are addressed.

WatchTower Pro also provides a designated threat hunter who conducts comprehensive compromise and risk assessments in your environment. The integration of machine learning and AI into threat-hunting algorithms significantly enhances the effectiveness of these proactive measures.

Conclusion

Staying one step ahead of threats is not just a lofty goal, but a business necessity. SentinelOne’s suite of advanced security services, including the newly updated WatchTower and WatchTower Pro, equips you with the tools, insights, and expertise to meet whatever challenges you’re facing head-on.

Whether it’s uncovering stealthy threats with AI-powered threat hunting or fortifying your defenses with our globally distributed team of seasoned threat hunters, we stand ready to elevate your security posture. At SentinelOne, we’re not just about responding to threats – we help you proactively anticipate and eliminate risk before it can impact your business.


Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

A graphic depicting how 0ktapus leveraged one victim to attack another. Image credit: Amitai Cohen of Wiz.

Prosecutors say Noah Michael Urban of Palm Coast, Fla., stole at least $800,000 from at least five victims between August 2022 and March 2023. In each attack, the victims saw their email and financial accounts compromised after suffering an unauthorized SIM-swap, wherein attackers transferred each victim’s mobile phone number to a new device that they controlled.

The government says Urban went by the aliases “Sosa” and “King Bob,” among others. Multiple trusted sources told KrebsOnSecurity that Sosa/King Bob was a core member of a hacking group behind the 2022 breach at Twilio, a company that provides services for making and receiving text messages and phone calls. Twilio disclosed in Aug. 2022 that an intrusion had exposed a “limited number” of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

Shortly after that disclosure, the security firm Group-IB published a report linking the attackers behind the Twilio intrusion to separate breaches at more than 130 organizations, including LastPass, DoorDash, Mailchimp, and Plex. Multiple security firms soon assigned the hacking group the nickname “Scattered Spider.”

Group-IB dubbed the gang by a different name — 0ktapus — which was a nod to how the criminal group phished employees for credentials. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

A booking photo of Noah Michael Urban released by the Volusia County Sheriff.

0ktapus used newly-registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
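The lookalike-domain pattern described above (the target company’s name dropped into a freshly registered domain, dressed up with login- or schedule-themed words) is something defenders can hunt for in their own proxy or SMS-gateway logs. The following is an added example and not code from the article or from any company named in it; the log format, the fictional org “example.com”, its allowlist, the token lists and the homoglyph table are all constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample web-proxy log lines for a fictional org "example.com"
# (not taken from the article).
SAMPLE_LOGS = [
    "2022-08-04T10:01:12Z user=alice url=https://sso.example.com/login",
    "2022-08-04T10:02:45Z user=bob url=https://example-sso.com/login",
    "2022-08-04T10:03:01Z user=carol url=https://example.okta.com/",
    "2022-08-04T10:04:22Z user=dave url=http://examp1e-schedule.net/shift",
    "2022-08-04T10:05:09Z user=erin url=https://exampleokta.co/auth",
    "2022-08-04T10:06:30Z user=frank url=https://news.bbc.co.uk/",
]

# Domains the org really uses for sign-in (assumed allowlist).
ALLOWED_DOMAINS = {"example.com", "example.okta.com"}
# Tokens an attacker copies so a phishing domain looks familiar to staff.
ORG_TOKENS = ("example",)
# Words that make a lookalike read like an identity or HR portal.
IDP_TOKENS = ("okta", "sso", "login", "schedule")
# Common digit-for-letter swaps seen in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")


def extract_host(line: str) -> Optional[str]:
    """Pull the hostname out of the url= field of one log line."""
    m = URL_RE.search(line)
    if not m:
        return None
    return urlsplit(m.group(1)).hostname


def is_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def normalize(host: str) -> str:
    """Lowercase, undo digit-for-letter swaps and drop separators so that
    'examp1e-sso.net' and 'example.sso.net' compare the same way."""
    return host.lower().translate(HOMOGLYPHS).replace("-", "").replace(".", "")


def lookalike_reason(host: str) -> Optional[str]:
    """Return why host looks like a lookalike of the org, or None."""
    if is_allowed(host):
        return None
    norm = normalize(host)
    org_hits = [t for t in ORG_TOKENS if t in norm]
    if not org_hits:
        return None
    idp_hits = [t for t in IDP_TOKENS if t in norm]
    reason = "org name in unapproved domain: " + ",".join(org_hits)
    if idp_hits:
        reason += "; login-themed tokens: " + ",".join(idp_hits)
    return reason


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the lookalike check over log lines; return (user, host, reason)."""
    findings = []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        reason = lookalike_reason(host)
        if reason:
            user = USER_RE.search(line)
            findings.append((user.group(1) if user else "?", host, reason))
    return findings


if __name__ == "__main__":
    for user, host, reason in scan(SAMPLE_LOGS):
        print(f"{user}\t{host}\t{reason}")
```

Each hit is a user who visited a domain carrying the org name that the org does not own; pairing such hits with a sign-in from the real IdP shortly afterwards is the follow-up check worth alerting on.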

0ktapus often leveraged information or access gained in one breach to perpetrate another. As documented by Group-IB, the group pivoted from its access to Twilio to attack at least 163 of its customers. Among those was the encrypted messaging app Signal, which said the breach could have let attackers re-register the phone number on another device for about 1,900 users.

On July 28 and again on Aug. 7, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some source code and proprietary LastPass technical information, and weeks later LastPass said an investigation revealed no customer data or password vaults were accessed.

However, on November 30, 2022 LastPass disclosed a far more serious breach that the company said leveraged data stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

KING BOB’S GRAILS

A review of thousands of messages that Sosa and King Bob posted to several public forums and Discord servers over the past two years shows that the person behind these identities was mainly focused on two things: SIM-swapping, and trading in stolen, unreleased rap music recordings from popular artists.

Indeed, those messages show Sosa/King Bob was obsessed with finding new “grails,” the slang term used in some cybercrime discussion channels to describe recordings from popular artists that have never been officially released. It stands to reason that King Bob was SIM-swapping important people in the music industry to obtain these files, although there is little to support this conclusion from the public chat records available.

“I got the most music in the com,” King Bob bragged in a Discord server in November 2022. “I got thousands of grails.”

King Bob’s chats show he was particularly enamored of stealing the unreleased works of his favorite artists — Lil Uzi Vert, Playboi Carti, and Juice Wrld. When another Discord user asked if he had Eminem grails, King Bob said he was unsure.

“I have two folders,” King Bob explained. “One with Uzi, Carti, Juicewrld. And then I have ‘every other artist.’ Every other artist is unorganized as fuck and has thousands of random shit.”

King Bob’s posts on Discord show he quickly became a celebrity on Leaked[.]cx, one of most active forums for trading, buying and selling unreleased music from popular artists. The more grails that users share with the Leaked[.]cx community, the more their status and access on the forum grows.

The last cache of Leaked dot cx indexed by archive.org on Jan. 11, 2024.

And King Bob shared a large number of his purloined tunes with this community. Still others he tried to sell. It’s unclear how many of those sales were ever consummated, but it is not unusual for a prized grail to sell for anywhere from $5,000 to $20,000.

In mid-January 2024, several Leaked[.]cx regulars began complaining that they hadn’t seen King Bob in a while and were really missing his grails. On or around Jan. 11, the same day the Justice Department unsealed the indictment against Urban, Leaked[.]cx started blocking people who were trying to visit the site from the United States.

Days later, frustrated Leaked[.]cx users speculated about what could be the cause of the blockage.

“Probs blocked as part of king bob investigation i think?,” wrote the user “Plsdontarrest.” “Doubt he only hacked US artists/ppl which is why it’s happening in multiple countries.”

FORESHADOWING

On Sept. 21, 2022, KrebsOnSecurity told the story of “Foreshadow,” the nickname chosen by a Florida teenager who was working for a SIM-swapping crew when he was abducted, beaten and held for a $200,000 ransom. A rival SIM-swapping group claimed that Foreshadow and his associates had robbed them of their fair share of the profits from a recent SIM-swap.

In a video released by his abductors on Telegram, a bloodied, battered Foreshadow was made to say they would kill him unless the ransom was paid.

As I wrote in that story, Foreshadow appears to have served as a “holder” — a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: Physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams.

KrebsOnSecurity has since learned that Foreshadow was a holder for a particularly active SIM-swapper who went by “Elijah,” which was another nickname that prosecutors say Urban used.

Shortly after Foreshadow’s hostage video began circulating on Telegram and Discord, multiple known actors in the SIM-swapping space told everyone in the channels to delete any previous messages with Foreshadow, claiming he was fully cooperating with the FBI.

This was not the first time Sosa and his crew were hit with violent attacks from rival SIM-swapping groups. In early 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban’s parents in Sanford, Fla.

“Brickings” are among the “violence-as-a-service” offerings broadly available on many cybercrime channels. SIM-swapping and adjacent cybercrime channels are replete with job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing brickings, where someone is hired to visit a specific address and toss a brick through the target’s window. Other typical IRL job offers involve tire slashings and even drive-by shootings.

THE COM

Sosa was known to be a top member of the broader cybercriminal community online known as “The Com,” wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” Cyberscoop’s AJ Vicens reported last year that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks.

“ALPHV, an established ransomware-as-a-service operation thought to be based in Russia and linked to attacks on dozens of entities, claimed responsibility for Caesars and MGM attacks in a note posted to its website earlier this month,” Vicens wrote. “Experts had said the attacks were the work of a group tracked variously as UNC 3944 or Scattered Spider, which has been described as an affiliate working with ALPHV made up of people in the United States and Britain who excel at social engineering.”

In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

The SIM-swapping groups were able to switch targeted phone numbers to another device on demand because they constantly phished T-Mobile employees into giving up credentials to employee-only tools. In each of those cases the goal was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

Allison Nixon, chief research officer at the New York cybersecurity consultancy Unit 221B, said the increasing brazenness of many Com members is a function of how long it has taken federal authorities to go after guys like Sosa.

“These incidents show what happens when it takes too long for cybercriminals to get arrested,” Nixon said. “If governments fail to prioritize this source of threat, violence originating from the Internet will affect regular people.”

NO FIXED ADDRESS

The Daytona Beach News-Journal reports that Urban was arrested Jan. 9 and his trial is scheduled to begin in the trial term starting March 4 in Jacksonville. The publication said the judge overseeing Urban’s case denied bail because the defendant was a strong flight risk.

At Urban’s arraignment, it emerged that he had no fixed address and had been using an alias to stay at an Airbnb. The judge reportedly said that when a search warrant was executed at Urban’s residence, the defendant was downloading programs to delete computer files.

What’s more, the judge explained, despite telling authorities in May that he would not have any more contact with his co-conspirators and would not engage in cryptocurrency transactions, he did so anyway.

Urban entered a plea of not guilty. Urban’s court-appointed attorney said her client would have no comment at this time.

Prosecutors charged Urban with eight counts of wire fraud, one count of conspiracy to commit wire fraud, and five counts of aggravated identity theft. According to the government, if convicted Urban faces up to 20 years in federal prison on each wire fraud charge. He also faces a minimum mandatory penalty of two years in prison for the aggravated identity offenses, which will run consecutive to any other prison sentence imposed.

The Cybersecurity Journey | Pathways to Becoming a Top-Tier SOC Analyst

Skilled security operations center (SOC) analysts bring a human element to cybersecurity, allowing for nuanced analysis, proactive threat hunting, and strategic decision-making. Combined with the right security solutions, having SOC analysts at the front line is a key element in building up a strong defense posture in today’s cyber threat landscape.

Combining technical expertise and human adaptability with experience, the journey of a successful SOC analyst is marked by continuous learning, skill development, and strategic progression. Cyber defenders looking to grow a career can read our free eBook, Mastering the Art of SOC Analysis, for an in-depth guide on developing the rounded set of skills needed by aspiring SOC analysts. In this post, we explore some of the guide’s best tips on how to move from an entry-level SOC analyst to a leader in security operations.

Essential Skills for Entry-Level SOC Analysts

Embarking on a career in cybersecurity often begins through an entry-level SOC role, where budding defenders can gradually lay the groundwork for technical skills. Entry-level SOC analysts serve as the frontline defenders, tasked with monitoring security alerts, analyzing potential threats, and responding to incidents. These professionals are immersed in a dynamic environment, gaining hands-on experience with various security tools and technologies.

The development of foundational skills in networking architecture and in network, log, and endpoint analysis is crucial to success at this early stage. The most important elements include a thorough understanding of:

  • Networking Fundamentals – Develop a solid understanding of networking concepts such as TCP/IP, DNS, HTTP, and SSL/TLS. Learning to interpret a packet’s structure and each header field’s role helps in identifying and troubleshooting network issues.
  • Network Security Principles – Focus on firewalls, intrusion detection and prevention systems (IDPS), and virtual private networks (VPNs).
  • Hands-on Lab Practice – Use virtual labs or physical equipment to gain hands-on experience in configuring and troubleshooting networks. Examples include GNS3, Packet Tracer, EVE-NG, and TryHackMe.
  • Network Analysis Tools – Tools such as Wireshark, tcpdump, and tshark can be used to capture, decode, and analyze packets in real time or from saved capture files.
  • Network Traffic Analysis – Practice on real-world network traffic data. Sample capture files are available from online resources such as the Wireshark Sample Captures page, or you can capture traffic on a test network. Use the traffic to simulate an attack and create detection rules using a NIDS such as Snort.
  • Log Analysis, Parsing, and Search Techniques – SOC analysts need a wide arsenal of log analysis techniques, including anomaly detection, correlation analysis, and threat hunting. Also practice parsing and searching logs with different log management tools and techniques.
  • Endpoint Security – Gain as much experience with endpoint security tools as possible, and learn about advanced threat detection mechanisms such as behavioral analysis, machine learning, and artificial intelligence. EDR solutions provide real-time visibility into endpoint devices, enabling SOC analysts to quickly detect and respond to incidents.

Beyond understanding network, logging, and endpoint essentials, budding SOC analysts should maintain a proactive mindset and consistently build up their collective knowledge and resources to stay sharp. The following tips and resources can be helpful:

  • Join Networking and Security Communities – Connect with professionals in the networking and security industry to learn from their experience, ask questions, and gain insights into the latest trends and technologies. Online communities such as Reddit’s /r/networking or /r/netsec, or professional associations such as ISACA, ISSA, or (ISC)², can be a great resource for connecting with others in the field.
  • Stay Up to Date With Industry News – Follow security and networking news sites such as Dark Reading, BleepingComputer, or SecurityWeek to stay informed on the latest security threats and trends. Add threat intel sites like SentinelLabs to your feeds.
  • Learn from Online Resources – there are many free online resources that can be leveraged to develop cybersecurity skills, including the Wireshark University, PacketTotal, and the SANS Institute. These and other resources can help budding analysts learn advanced techniques like protocol analysis, network forensics, and malware analysis.

Progressing to a Mid-Level SOC Analyst

At this stage, developing SOC analysts are able to comfortably navigate the primary responsibilities of monitoring, analysis, and incident response. As mid-level SOC analysts, the scope broadens, covering a more nuanced understanding of cybersecurity threats and various attack surfaces. A mid-level professional may take the opportunity in their career to dive into specialized areas, honing their expertise in threat detection and incident mitigation, and often taking on leadership responsibilities within smaller teams and some decision-making authority.

Adept at interpreting complex security alerts and correlating data from various sources, mid-level analysts contribute to the SOC through deeper engagement with threat intelligence feeds. This involves practicing proactive threat hunting and collaborating with cross-functional teams to strengthen their organization’s defenses. At this stage, SOC analysts should have a solid understanding of cloud computing and security, Active Directory security, and proactive threat hunting.

Cloud Computing & Security

Effective SOC analysts continuously work with the industry’s latest technologies and tools. Cloud computing, especially, is of increasing importance as organizations seek to streamline operations, enhance scalability, and stay agile while adapting to market dynamics.

Cloud computing services encompass infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Essential cloud concepts for SOC analysts include cloud service models, deployment models, security controls, compliance frameworks, and incident response.

Active Directory

Active Directory (AD) has long been a prime target for attackers. To effectively monitor and secure AD, SOC analysts need a thorough understanding of AD concepts like domains, users, groups, and permissions.

To monitor and manage AD effectively and to identify and respond to security incidents, successful SOC analysts will be fluent in AD security best practices – such as implementing strong password policies, restricting administrative access, and regularly auditing AD activity – and familiar with the tooling used to administer and audit it, such as Microsoft’s Active Directory Users and Computers (ADUC) console and the security event logs on the domain controllers.
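As an added example (not from the eBook and not SentinelOne’s own detection logic), the following Python ties together the log-analysis and AD-auditing points above. It parses constructed Windows Security event 4625 (failed logon) records and flags password spraying in two passes: first the easy case of one source address trying many accounts, then the harder case where every attempt arrives from a different address, which is what an attacker gets by rotating through residential proxies. The key=value log format, the thresholds, the workstation names and the IP addresses are all assumptions made for the example.

```python
"""Password-spray detection over Windows Security event 4625 records.

Added example, not from the eBook. The log lines below are constructed in a
simplified key=value form; the field names (TargetUserName, IpAddress,
WorkstationName, SubStatus) are the ones a real 4625 event carries.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) "
    r"WorkstationName=(?P<ws>\S+) SubStatus=(?P<sub>0x[0-9A-Fa-f]+)$"
)

# Constructed sample: one user mistyping her password, one source spraying ten
# accounts, then a spray where every attempt comes from a different address.
SAMPLE_LOG = (
    "2024-01-12T03:05:10Z EventID=4625 TargetUserName=alice IpAddress=198.51.100.7 WorkstationName=WS-ALICE SubStatus=0xC000006A\n"
    "2024-01-12T03:05:41Z EventID=4625 TargetUserName=alice IpAddress=198.51.100.7 WorkstationName=WS-ALICE SubStatus=0xC000006A\n"
    "2024-01-12T03:06:03Z EventID=4625 TargetUserName=alice IpAddress=198.51.100.7 WorkstationName=WS-ALICE SubStatus=0xC000006A\n"
    + "".join(
        f"2024-01-12T03:1{i}:00Z EventID=4625 TargetUserName=user{i:02d} IpAddress=203.0.113.10 "
        f"WorkstationName=- SubStatus=0xC000006A\n" for i in range(10)
    )
    + "".join(
        f"2024-01-12T03:4{i}:30Z EventID=4625 TargetUserName=svc{i:02d} IpAddress=192.0.2.{i + 1} "
        f"WorkstationName=PROXYBOX SubStatus=0xC000006A\n" for i in range(9)
    )
)


def parse(lines):
    """Turn raw lines into dicts with a datetime timestamp; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def window_start(ts, minutes):
    """Floor a timestamp to a fixed window. Fixed windows keep the example short;
    a sliding window would also catch sprays that straddle a boundary."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def detect_spray(events, window_minutes=30, min_users=8, max_per_user=2):
    """A spray looks like many distinct accounts each failing only a few times.

    Pass 1 keys on the source IP. Pass 2 drops anything already attributed and
    looks at the whole window regardless of IP, so a spray run through rotating
    residential proxies (one address per attempt) is still caught; it also reports
    the WorkstationName values, which often survive the IP rotation.
    """
    assert 60 % window_minutes == 0, "window must divide an hour"
    buckets = defaultdict(list)
    for e in events:
        buckets[window_start(e["ts"], window_minutes)].append(e)

    alerts = []
    for start in sorted(buckets):
        evs = buckets[start]
        flagged_ips = set()
        by_ip = defaultdict(list)
        for e in evs:
            by_ip[e["ip"]].append(e["user"])
        for ip, users in by_ip.items():
            counts = Counter(users)
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged_ips.add(ip)
                alerts.append({"kind": "spray_single_source", "window": start, "source": ip,
                               "users": sorted(counts), "attempts": len(users)})

        rest = [e for e in evs if e["ip"] not in flagged_ips]
        users = Counter(e["user"] for e in rest)
        ips = Counter(e["ip"] for e in rest)
        if (len(users) >= min_users and max(users.values()) <= max_per_user
                and max(ips.values()) <= max_per_user):
            alerts.append({"kind": "spray_distributed", "window": start,
                           "source": f"{len(ips)} addresses",
                           "workstations": dict(Counter(e["ws"] for e in rest)),
                           "users": sorted(users), "attempts": len(rest)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse(SAMPLE_LOG.splitlines())):
        print(alert["kind"], alert["window"].isoformat(), alert["source"], alert["attempts"])
```

Running the script reports one single-source spray in the 03:00 window and one distributed spray in the 03:30 window, while the three mistyped attempts by alice stay below the account threshold. The thresholds are deliberately loose; in a real tenant they should be tuned against a baseline of normal failed-logon volume, and the per-user attempt cap is what separates a spray from a brute force against one account.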

Proactive Threat Hunting

Threat hunting aims to identify and mitigate advanced threats that can evade traditional security measures. Unlike reactive approaches, threat hunting involves human analysts actively analyzing anomalies and potential security breaches within an organization’s network.

Mid-level SOC analysts will leverage a combination of advanced tools, intelligence sources, and their own developing expertise to uncover subtle indicators of compromise and any abnormal patterns that may indicate malicious activities. This process is often iterative and hypothesis-driven, requiring a deep understanding of the organization’s systems and potential threat landscapes.

Becoming a SOC Manager or Cybersecurity Leader

The role of the SOC manager marks a transition from hands-on technical tasks to overseeing the comprehensive security operations of an organization. At this stage, SOC managers shoulder the responsibility of looking at the bigger picture – they are the ones who orchestrate and optimize the greater security infrastructure. This means aligning cybersecurity strategies with the overarching goals of the business.

SOC managers are leveraged by senior leadership as cybersecurity subject matter experts (SMEs). They are often brought in as key contributors to a company’s incident response plans (IRPs) and incident investigation processes, and are expected to lead the implementation of advanced security measures and policies. The role extends beyond technical expertise and can require:

  • The ability to articulate complex cybersecurity concepts to executive leadership by focusing on risk management
  • Managing diverse teams with varying cybersecurity skill sets
  • Constantly adapting security policies and strategies to meet the needs of the business, mitigate emerging threats, and adhere to changing regulatory requirements

All of these requirements revolve around being able to communicate well. Building strong communication skills involves practicing clear verbal and written communication as well as developing effective questioning skills.

Developing Effective Communication Skills

SOC managers possess proficiency in verbal and written communication and are able to communicate effectively with different teams and stakeholders. Top tips for developing the required skills include:

  1. Using clear and concise language when communicating with others.
  2. Avoiding technical jargon or acronyms that others may not understand.
  3. Practicing active listening as part of effective verbal communication.
  4. Listening carefully to what others say and asking questions to clarify misunderstandings early on.

SOC managers are also responsible for writing reports, creating security policies, and communicating with leadership. Effective reporting avoids jargon and overly verbose structures. Short and to-the-point sentences convey messages quickly and easily, particularly for busy, senior-level readers.

A critical part of being a clear communicator is asking the right questions to gather useful information and to understand issues quickly. SOC leaders will often be called upon to gather accurate and relevant information, identify patterns and trends, and collaborate in cross-functional projects.

Good questioning skills include:

  • Asking open-ended questions – encourage users and other stakeholders to provide detailed information and explanations to fully understand the scope and impact of a security incident.
  • Asking relevant follow-up questions – it is important to obtain additional details and clarification to identify patterns and trends in security incidents.
  • Asking contextual questions – look for the security incident’s bigger picture, including the business impact and related incidents or events.

Continuing the Journey

Cybersecurity is a field that is in constant flux and continuous learning is part of the job. SOC analysts can progress in their career by ensuring that they remain adaptable, open to learning, and ready for new challenges. Businesses, similarly, are increasingly aware of the value of skilled security professionals. Together with the right security tools, SOC analysts can keep their businesses safe from evolving threats in the cyber landscape.

To learn more about developing cybersecurity skills, read our free eBook, Mastering the Art of SOC Analysis. To see how SentinelOne can help build your business’s cybersecurity posture and protect it against sophisticated threats, contact us or request a demo.


The Good, the Bad and the Ugly in Cybersecurity – Week 4

The Good | TrickBot Developer Jailed for Five Years

Developer and distributor of the notorious TrickBot malware, Russian national Vladimir Dunaev, was handed down 5 years and 4 months of prison time this week. According to the DoJ, TrickBot caused tens of millions of dollars in losses and was used to attack hospitals, schools and businesses with ransomware in the U.S.

TrickBot started out in life as a dedicated banking trojan but over time evolved into a complex malware framework, shifting focus to enterprise environments and incorporating a suite of features including network profiling, mass data collection and exploits for lateral movement. At its height, TrickBot was believed to be in use by both APTs and crimeware actors.

Source: SentinelLabs

Dunaev was arrested in South Korea back in 2021 and subsequently extradited to the U.S. that October. He finally stood trial in November of 2023, when he pleaded guilty to conspiracy to commit computer fraud and identity theft, and conspiracy to commit wire fraud and bank fraud. According to the DoJ, Dunaev had created programs to bypass AV software and developed credential harvesting and data mining tools.

He is the second member of the gang behind TrickBot to be sentenced to jail time: A Latvian woman, Alla Witte, received 2 years and 8 months in June of last year. A number of other individuals have been indicted and sanctioned by U.S. authorities.

The Bad | Researchers Warn of Risks with Google Search

Security researchers are raising concerns about Google Search in the wake of increasing abuse of Google Ads – a service which promotes paid advertisements above organic search results – by various threat actors.

In one report this week, researchers noted how Chinese-speaking Google users were being served Remote Access Trojans (RATs) through malicious adverts shown at the top of search results for messaging apps like Telegram, which are restricted in China.

Closer to home, KrebsOnSecurity said U.S. and other English-speaking users were being targeted when searching with Google for software. In one recent example, searches for the (legitimate) FreeCAD graphic design program were returning links to the malicious freecad-us[.]org domain above the real freecad.org site. Searches for other popular software that have been seen returning malicious paid advertisements include Corel Draw, GitHub Desktop, RoboForm and TeamViewer.

Malvertising in Google search results (Source: KrebsOnSecurity)

According to SentinelLabs’ Tom Hegel, threat actors behind the malvertising schemes rotate serving malware with serving legitimate software as a means to escape detection by Google. Krebs quoted Hegel as noting that “In the malicious ad campaigns we’ve seen…they would wait until the domains gain legitimacy on the search engines, and then flip the page [to serve malware] for a day or so and then flip back.”

In addition, the malicious sites use scripts to fingerprint visitors and determine whether they should serve malware based on criteria such as geolocation, browser or language. This allows the sites to target, say, users from the United States while ignoring users from other locations. An earlier report into this kind of malvertising suggested that many of these sites are used to deliver infostealers and trojans like IcedID, Formbook and others.

In response, Google said that it had removed the ads brought to its attention by the report, but researchers remain concerned that the problem is beyond Google’s ability to fully control. Users are advised to exercise caution when clicking sponsored links returned in Google searches.

The Ugly | Russian APT Strolls Into Microsoft and HP Networks

Both Microsoft and Hewlett Packard Enterprise revealed this week that they had separately become victims of Russian state-sponsored intrusions by APT29, also known as Midnight Blizzard, The Dukes, Nobelium and NobleBaron. The same threat actor was held responsible for the SolarWinds supply chain attack disclosed in late 2020.

In a statement released on January 19, Microsoft said that it had detected a nation-state attack on January 12, 2024. The threat actor used password spray attacks to compromise a legacy, non-production test tenant account that did not have multifactor authentication enabled. They then used this initial access to create multiple malicious OAuth applications and target Microsoft corporate email accounts.

The company has released few further details about the nature of the compromise, other than to note that the attackers used residential proxies to obfuscate the source of the attack. The technique involves routing traffic through a large number of IP addresses that are also used by legitimate users. The high turnover of IP addresses makes it difficult for non-behavioral solutions to detect malicious traffic.

Meanwhile, in a filing to the SEC last Friday, HPE said that a suspected nation-state actor it also believed to be Midnight Blizzard had gained unauthorized access to its cloud-based email environment.

The filing says that the company believes the activity is related to an intrusion from at least May 2023 in which a number of SharePoint files had been exfiltrated. It further stated that it had “determined that such activity did not materially impact the Company”, although again further details around the compromise remain undisclosed.

Who is Alleged Medibank Hacker Aleksandr Ermakov?

Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia’s most destructive ransomware groups, but little more is shared about the accused. Here’s a closer look at the activities of Mr. Ermakov’s alleged hacker handles.

Aleksandr Ermakov, 33, of Russia. Image: Australian Department of Foreign Affairs and Trade.

The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal. The documents released by the Australian government included multiple photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.

It’s not hard to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers. When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.

The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.

“REvil was among the most notorious cybercrime gangs in the world until July 2021 when they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and generally motivated by financial gain,” a statement from the U.S. Department of the Treasury reads. “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”

The sanctions say Ermakov went by multiple aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner. A search on the handle GustaveDore at the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called Sugar (a.k.a. Encoded01), which focused on targeting single computers and end-users instead of corporations.

An ad for the ransomware-as-a-service program Sugar posted by GustaveDore warns readers against sharing information with security researchers, law enforcement, or “friends of Krebs.”

In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was using and operating several different ransomware strains, including a private undisclosed strain and one developed by the REvil gang.”

In 2020, GustaveDore advertised on several Russian discussion forums that he was part of a Russian technology firm called Shtazi, which could be hired for computer programming, web development, and “reputation management.” Shtazi’s website remains in operation today.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

The third result when one searches for shtazi[.]ru in Google is an Instagram post from a user named Mikhail Borisovich Shefel, who promotes Shtazi’s services as if it were also his business. If this name sounds familiar, it’s because in December 2023 KrebsOnSecurity identified Mr. Shefel as “Rescator,” the cybercriminal identity tied to tens of millions of payment cards that were stolen in 2013 and 2014 from big box retailers Target and Home Depot, among others.

How close was the connection between GustaveDore and Mr. Shefel? The Treasury Department’s sanctions page says Ermakov used the email address ae.ermak@yandex.ru. A search for this email at DomainTools.com shows it was used to register just one domain name: millioner1[.]com. DomainTools further finds that a phone number tied to Mr. Shefel (79856696666) was used to register two domains: millioner[.]pw, and shtazi[.]net.

The December 2023 story here that outed Mr. Shefel as Rescator noted that Shefel recently changed his last name to “Lenin,” and had launched a service called Lenin[.]biz that sells physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founding father of the Soviet Union. The Instagram account for Mr. Shefel includes images of stacked USSR-era Ruble notes, as well as multiple links to Shtazi.

The Instagram account of Mikhail Borisovich Shefel, aka MikeMike aka Rescator.

Intel 471’s research revealed Ermakov was affiliated in some way with REvil because the stolen Medibank data was published on a blog that had at one time been controlled by REvil affiliates who carried out attacks and paid an affiliate fee to the gang.

But by the time of the Medibank hack, the REvil group had mostly scattered after a series of high-profile attacks led to the group being disrupted by law enforcement. In November 2021, Europol announced it arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.

“The posting of Medibank’s data on that blog, however, indicated a connection with that group, although the connection wasn’t clear at the time,” Intel 471 wrote. “This makes sense in retrospect, as Ermakov’s group had also been a REvil affiliate.”

It is easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little to fear of arrest. However, his alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said Patrick Gray, the Australian co-host and founder of the security news podcast Risky Business.

“I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he is a vulnerable 33 year old with an absolute ton of bitcoin. So this is not a happy time for him.”

January 2024 Cybercrime Update | Exploitation of Known CVEs, Crypto Drainers & Ransomware Updates

Over the last month a number of interesting leaks have occurred within the ransomware-market ecosystem pertaining to the likes of BlackCat and Zeppelin. We saw some familiar names dominate the ransomware landscape in terms of volume and visibility, among them Play, BlackCat/ALPHV, LockBit, Phobos (8base) and Akira.

In this month’s update we also discuss some of the vulnerabilities weaponized by these actors over the last month, with widely deployed enterprise products such as Microsoft SQL Server and SharePoint among the targets.

Crypto drainers, DaaS and associated scams came to the forefront over the last few weeks, with hijacks observed across multiple high-profile social media accounts. We will touch on these recent scams and discuss how the attacks are carried out.

We will round out our discussion this month covering a short update on access-brokers and malicious tools targeting EDR platforms along with some positive news around law enforcement and the release of a Babuk decryptor.

Ongoing Exploitation of N-Day and 0-Day Vulnerabilities

Multiple threat actors have been observed targeting CVE-2023-29357, a critical privilege escalation vulnerability in Microsoft SharePoint. The ongoing exploitation of this flaw, along with the emergence of public PoC code, motivated CISA to add this flaw to its Known Exploited Vulnerabilities Catalog.

In early January, details began to emerge of ongoing exploitation of two zero-day flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. Chained together, they give an unauthenticated attacker command execution on the appliance.

According to initial reports, the Ivanti vulnerabilities have been targeted by an espionage-focused threat group (UNC5221) and used to drop a variety of malware including backdoors, webshells and credential harvesters, along with post-exploitation tools such as PySoxy (tunneling proxy) and BusyBox. Almost 20,000 vulnerable instances of the various Ivanti products have been identified as publicly exposed.

Global distribution of exposed Ivanti Devices (via Shodan)

It should be noted that PoC code and Metasploit modules for these flaws are now available.

New Ivanti PoC code on Github

Recommendations

These flaws should rank high on the priority list if they have not already been addressed. Defenders are encouraged to review guidance provided by Ivanti and CISA. The CISA guidance also provides explicit requirements for Federal Agencies (per current Federal cybersecurity directives).
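“Rank high on the priority list” is easier to act on when the ranking is mechanical. The Python below is an added example (not a SentinelOne or CISA tool) that scores constructed scanner findings against a snippet shaped like CISA’s Known Exploited Vulnerabilities feed: KEV membership dominates, the federal due date, known ransomware use and internet exposure add to it. The catalog snippet uses the real feed’s field names but its dates are illustrative, the findings and host names are made up, CVE-2099-0001 is a placeholder for a finding that is not in KEV, and the weights are an assumed policy rather than CISA guidance.

```python
"""Ranking scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example. KEV_SNIPPET carries the field names of the real feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
but is constructed here; the dates, the findings list and the weights are illustrative.
"""
import json
from datetime import date

KEV_SNIPPET = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.01.10",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-29357", "vendorProject": "Microsoft", "product": "SharePoint Server",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output. CVE-2099-0001 is a placeholder for a finding that is not in KEV.
FINDINGS = [
    {"host": "vpn-edge-01", "product": "Ivanti Connect Secure", "cve": "CVE-2024-21887", "internet_exposed": True},
    {"host": "vpn-edge-01", "product": "Ivanti Connect Secure", "cve": "CVE-2023-46805", "internet_exposed": True},
    {"host": "sp-intranet-02", "product": "SharePoint Server", "cve": "CVE-2023-29357", "internet_exposed": False},
    {"host": "build-07", "product": "Example Build Agent", "cve": "CVE-2099-0001", "internet_exposed": False},
]

AS_OF = date(2024, 1, 25)   # constructed "today" so the ranking is reproducible


def load_kev(raw_json):
    """Index the catalog by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def score_finding(finding, kev, today):
    """Higher is more urgent. KEV membership dominates; the federal due date,
    known ransomware use and internet exposure add to it (assumed weights)."""
    score, reasons = 0, []
    entry = kev.get(finding["cve"])
    if entry:
        score += 100
        reasons.append("listed in KEV (exploitation confirmed)")
        due = date.fromisoformat(entry["dueDate"])
        if today > due:
            score += 50
            reasons.append(f"past KEV due date {due}")
        elif (due - today).days <= 7:
            score += 25
            reasons.append(f"KEV due date {due} within a week")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 20
            reasons.append("known ransomware campaign use")
    if finding["internet_exposed"]:
        score += 30
        reasons.append("internet exposed")
    return score, reasons


def prioritize(findings, kev, today):
    """Findings sorted most-urgent first, ties broken by host then CVE for a stable list."""
    ranked = []
    for f in findings:
        score, reasons = score_finding(f, kev, today)
        ranked.append({**f, "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["host"], r["cve"]))
    return ranked


def hosts_in_order(ranked):
    """Distinct hosts in priority order, for handing to the patching team."""
    seen = []
    for r in ranked:
        if r["host"] not in seen:
            seen.append(r["host"])
    return seen


if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_SNIPPET), AS_OF):
        print(r["score"], r["host"], r["cve"], "; ".join(r["reasons"]))
```

With the constructed data the exposed Ivanti gateway lands on top (in KEV, past its due date, internet-facing), the internal SharePoint server next, and the non-KEV finding last. Swapping KEV_SNIPPET for the downloaded feed and FINDINGS for a scanner export is all that is needed to use it on real data.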

Ransomware Updates

This month we saw a number of interesting developments in the ransomware ecosystem. An alleged prior affiliate of the now-defunct Zeppelin RaaS advertised the sale of the associated builder and support files on an underground market. The seller, known as “RET”, offered the package for 500.00 USD. This same seller has a history of selling “AV/EDR-killer” style tools as well.

This sale lowers the previous barrier to entry for Zeppelin-derived RaaS offerings. Prior to this leak (hosted on the well-established RAMP forum), Zeppelin ransomware builders were offered at a fee starting at at least 2000.00 USD. Malicious actors looking for a discounted, “road tested” builder are highly attracted to these types of offers.

In addition, we saw a similar attempt at marketing of a RaaS with a posting to a well-known forum offering BlackCat/ALPHV source code for sale. The posting was accompanied with screenshots of what appears to be affiliate tools for delivery and management of BlackCat payloads.

BlackCat/ALPHV locker for sale?

It will take time before the full reach and repercussions of these particular leaks are understood. Any lowering-of-the-bar around these tool sets inevitably attracts more enterprising criminals for whom these tools may have been out of reach prior.

Elsewhere, a portal for the creatively named “Going Insane Ransomware” emerged this month. For those that recall the late 1990s, “Going Insane” appears to embrace the GeoCities aesthetic with a decidedly ‘90’s’ take on the layout of their site.

Going Insane Ransomware Portal

The group is actively recruiting and advertises its affiliate program (RaaS) with the following feature set (quoted):

  • Military-grade AES encryption
  • Encrypts All Files, Every single one, under lock and key.
  • Spreads in network, Infects every device in the network.
  • Wallet Stealer
  • Browser Stealer
  • System Info Stealer
  • Auto Parsed Cookies
  • Fully Undetected, bypasses all AVs
  • FUD (0 detects) forever ig

Recommendations

SentinelOne Singularity™ Endpoint detects and prevents attacks associated with known Zeppelin/Buran, ALPHV and Insane RaaS. Defenders and threat hunters may find the following additional indicators useful for Going Insane Ransomware (GIR).

nv5lbsrr4rxmewzmpe25nnalowe4ga7ki6yfvit3wlpu7dfc36pyh4ad[.]onion
gfksiwpsqudibondm6o2ipxymaonehq3l26qpgqr3nh4jvcyayvogcid[.]onion
r2ad4ayrgpf7og673lhrw5oqyvqg4em2fpialk7l7gxkasvqkqow4qad[.]onion
insane[@]cock[.]lu

Drainers and Accounts Takeovers

Recently, a swath of account takeover attacks has swept through Twitter/X, compromising several high-profile accounts. The hijacked accounts were used to push cryptocurrency scams built on crypto-drainer kits, which are increasingly rented out as Drainer-as-a-Service (DaaS).

Victims of these attacks include prominent entities such as CertiK, the SEC and cybersecurity vendor Mandiant.

The methods used to compromise accounts vary, ranging from brute-forcing credentials in cases without Multi-Factor Authentication (MFA) to SIM-swapping where MFA is enabled.

While the concept of Drainers and DaaS is not new, the recent high-profile breaches have cast a renewed spotlight on these malicious activities. The attackers are evidently motivated to target high-traffic accounts, aiming to redirect more users to their malevolent sites, as indicated by the increased click-through rates on the fraudulent posts linked to these hijacked accounts.

Hijacked Twitter/X account – promoting a cryptocurrency scam

The initial vector for these attacks is typically via phishing followed by device takeovers through techniques such as SIM swapping.

Ultimately these attacks have a far reaching effect beyond just the financial loss of those that fall victim to the scam. Reputable brands that have accounts taken over by these criminals are at risk of reputational harm which could in turn have a financial impact.

Access Brokering and Tools

We continue to see the market for corporate and enterprise-level access flourish, to the point where buyers now advertise for the chance to purchase from a plentiful pool of providers. Buyers are currently trying to outbid each other for access, either by offering higher fees or by accepting a lower percentage.

Corporate Access buyers (AI translated)

Those selling such access are profiting from targeting poorly protected identity and access management (IAM) services and reaping great rewards. It truly is a seller’s market at the moment, which is a worrying sign for defenders.

Concurrently, we continue to observe the marketing and use of customized “AV/EDR-killer” style tools. Tools like AuKill and BackStab are frequently found amongst the artifacts left behind after a long-term ransomware attack or even an APT campaign.

AV/EDR Killer vendor (AI translated) January 2024

Recommendations

So-called AV/EDR “killer” tools typically rely on BYOVD (Bring Your Own Vulnerable Driver): they ship a legitimately signed but exploitable kernel driver, such as those from Process Explorer or Zemana, and abuse it from user mode to terminate or blind security agents. Because the driver has to be dropped and loaded first, this makes them highly visible to well tuned platforms like SentinelOne Singularity™. Ensuring that the organization has good visibility into endpoint processes and driver loads, along with anomaly detection, provides additional safeguards against such tools.
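The visibility point above can be made concrete. The Python below is an added example, not SentinelOne’s detection logic: it runs a simple hunt over constructed Sysmon Event ID 6 (DriverLoad) records and flags loads of driver names the killer tooling is known to bring along, hash matches against an abuse list, loads from outside the drivers directory, and invalid signatures. The events are made-up dicts that use Sysmon’s real field names; the SHA-256 values are placeholders, not real driver hashes, and the driver name list is a short hand-typed sample rather than a maintained catalogue.

```python
"""Hunting BYOVD driver loads in Sysmon Event ID 6 (DriverLoad) telemetry.

Added example, not SentinelOne's detection logic. The events below are constructed
dicts using Sysmon's field names (ImageLoaded, Hashes, Signed, Signature,
SignatureStatus); the hashes are placeholders, not real driver hashes.
"""
import ntpath

# Driver file names the AV/EDR-killer tooling named above is known to bring along
# (Process Explorer's kernel driver as used by AuKill, and Zemana's). A production
# list would be fed from a maintained catalogue such as https://www.loldrivers.io.
ABUSED_DRIVER_NAMES = {"procexp152.sys", "procexp.sys", "zam64.sys", "zamguard64.sys"}
# Placeholder hash (constructed) to exercise the hash-match path.
ABUSED_DRIVER_SHA256 = {"0" * 64: "placeholder entry for procexp152.sys (constructed)"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed telemetry: a normal load, two BYOVD drops, a vendor driver, an unsigned driver.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-15 09:00:01.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2024-01-15 09:12:44.000", "ImageLoaded": "C:\\Users\\Public\\PROCEXP152.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-01-15 09:13:02.000", "ImageLoaded": "C:\\Windows\\Temp\\zam64.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true", "Signature": "Zemana Ltd.",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2024-01-15 09:20:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\vendorfilter.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "true", "Signature": "Example Vendor",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2024-01-15 09:25:30.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\helper.sys",
     "Hashes": "SHA256=" + "d" * 64, "Signed": "false", "Signature": "-",
     "SignatureStatus": "Unavailable"},
]


def parse_hashes(field):
    """Sysmon renders Hashes as 'SHA256=...,MD5=...'; return {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def assess_driver_load(event):
    """Return the reasons an Event ID 6 record deserves a look (empty list = benign).

    A valid signature is not a pass: the whole point of BYOVD is that the driver
    is legitimately signed, so name, hash and load path carry the signal."""
    reasons = []
    path = event["ImageLoaded"]
    name = ntpath.basename(path).lower()
    if name in ABUSED_DRIVER_NAMES:
        reasons.append(f"known-abused driver name {name}")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in ABUSED_DRIVER_SHA256:
        reasons.append(f"hash on abused-driver list ({ABUSED_DRIVER_SHA256[sha256]})")
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"loaded from outside the drivers directory: {path}")
    if event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {event.get('SignatureStatus')}")
    return reasons


def hunt(events):
    """All suspicious loads as (time, path, reasons)."""
    hits = []
    for e in events:
        reasons = assess_driver_load(e)
        if reasons:
            hits.append((e["UtcTime"], e["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for when, path, reasons in hunt(SAMPLE_EVENTS):
        print(when, path, "->", "; ".join(reasons))
```

On the sample the two dropped drivers are flagged on name and path (the Process Explorer one also on hash), the unsigned helper on its signature status, and the two legitimately placed drivers pass. The path check is the cheapest behavioral signal here: a signed driver appearing under a user-writable directory is unusual enough to warrant a look even before any hash list catches up.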

For more information on Drainers and DaaS, defenders are encouraged to review The Rise of Drainer-as-a-Service | Understanding DaaS.

Law Enforcement and Disruption

It’s not all doom and gloom! Fortunately, there have been some important disruptions in the cybercrime landscape over late December and throughout January.

The main figurehead of the ShinyHunters threat group, Sebastien Raoult, was sentenced to 3 years in prison, along with having to pay requisite restitution. The group has an extended history of compromising developer repositories to steal API keys and other credentials. Raoult (alias “Sezyo Kaizen”) was found guilty of selling or facilitating the sale of breached company data across multiple platforms and markets. This includes well-known markets such as Alpha and Empire as well as forums like XSS and RaidForums.

Also this past month, a new decryption tool for the Tortilla variant of Babuk (aka Babuk Tortilla) has been released. The tool is the result of a collaboration between Cisco Talos, the Dutch Police and Avast. Following the apprehension of the actor associated with this particular variant of Babuk, Talos was able to work with Avast to expand the existing decryptor to accommodate the newly gained insight into other Babuk variants.

The Babuk Tortilla decryptor tool is available for download via the NoMoreRansom project.

Conclusion

The first month of 2024 has seen a continuation of the trends we’ve been highlighting across the last quarter of 2023. The increasing availability of tools that lower the barrier to entry for cybercriminals continues to fuel a crimeware ecosystem in which relatively unskilled threat actors can carry out low-risk/high-reward attacks on unprepared organizations.

The uptick in ‘Drainer-as-a-Service’ offerings and attacks is an extension of the service model popularized by ‘Ransomware-as-a-Service’ to target the widespread use and popularity of cryptocurrency, a model that seeks to steal from individuals but harnesses corporate assets to reach a large audience through social media account takeovers. As we often note, where there is money, an enterprising criminal will look for a way.

Organizations can improve their security posture, protect their assets, and avoid being the next victim on the list through awareness, training and suitable security technology. To stay informed and receive our next update, follow us on social media. To see how SentinelOne can help secure your business, contact us or request a free demo.

Using Google Search to Find Software Can Be Risky

Google continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.

Google says keeping users safe is a top priority, and that the company has a team of thousands working around the clock to create and enforce their abuse policies. And by most accounts, the threat from bad ads leading to backdoored software has subsided significantly compared to a year ago.

But cybercrooks are constantly figuring out ingenious ways to fly beneath Google’s anti-abuse radar, and new examples of bad ads leading to malware are still too common.

For example, a Google search earlier this week for the free graphic design program FreeCAD produced the following result, which shows that a “Sponsored” ad at the top of the search results is advertising the software available from freecad-us[.]org. Although this website claims to be the official FreeCAD website, that honor belongs to the result directly below — the legitimate freecad.org.

How do we know freecad-us[.]org is malicious? A review at DomainTools.com shows this domain is the newest (registered Jan. 19, 2024) of more than 200 domains at the Internet address 93.190.143[.]252 that are confusingly similar to popular software titles, including dashlane-project[.]com, filezillasoft[.]com, keepermanager[.]com, and libreofficeproject[.]com.

Some of the domains at this Netherlands host appear to be little more than software review websites that steal content from established information sources in the IT world, including Gartner, PCWorld, Slashdot and TechRadar.

Other domains at 93.190.143[.]252 do serve actual software downloads, but none of them are likely to be malicious if one visits the sites through direct navigation. If one visits openai-project[.]org and downloads a copy of the popular Windows desktop management application Rainmeter, for example, the file that is downloaded has exactly the same file signature as the real Rainmeter installer available from rainmeter.com.
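The DomainTools review above boils down to two heuristics a defender can automate: a registrable label that is a software brand padded with filler words (or a near-miss spelling of one), and many such labels clustered on a single host, with the newest registration the most likely to be live. The following is an added example, not code from the article or from DomainTools; the domain names and the host IP come from the article, while the brand list, filler-word list, the near-miss domain and every registration date other than freecad-us[.]org's are constructed for the demonstration.

```python
"""Triage software-brand lookalike domains clustered on one host."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

BRANDS = ["freecad", "dashlane", "filezilla", "keeper", "libreoffice",
          "rainmeter", "openai", "autocad"]                    # assumed list
FILLERS = {"us", "soft", "software", "project", "manager", "download",
           "official", "app", "free", "get"}                    # assumed list
ALLOWLIST = {"freecad.org"}   # genuine vendor site named in the article
SPLIT = re.compile(r"[-_.\d]+")


@dataclass(frozen=True)
class DomainRecord:
    name: str          # may be defanged, e.g. "freecad-us[.]org"
    ip: str            # may be defanged, e.g. "93.190.143[.]252"
    registered: date


def refang(value: str) -> str:
    return value.replace("[.]", ".").strip().lower()


def registrable_label(fqdn: str) -> str:
    """Naive eTLD+1 label: everything left of the last dot."""
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def match_brand(label: str) -> tuple[str, str] | None:
    """Return (brand, reason) when the label embeds or resembles a brand.

    Substring matching is deliberately greedy (short brands such as 'keeper'
    will hit words like 'bookkeeper'); the allowlist and analyst review
    handle those false positives.
    """
    for brand in BRANDS:
        if brand in label:
            leftover = [t for t in SPLIT.split(label.replace(brand, "-")) if t]
            if not leftover:
                return brand, "bare brand name under a TLD not on the allowlist"
            if all(t in FILLERS for t in leftover):
                return brand, "brand plus filler word(s): " + "+".join(leftover)
            return brand, "brand embedded in a longer label"
    for token in SPLIT.split(label):
        for brand in BRANDS:
            if token and SequenceMatcher(None, token, brand).ratio() >= 0.85:
                return brand, f"near-miss spelling of {brand!r}: {token!r}"
    return None


def triage(records: list[DomainRecord], min_cluster: int = 3) -> list[dict]:
    """Flag lookalikes; raise severity when one host carries many of them."""
    per_ip: dict[str, list[DomainRecord]] = defaultdict(list)
    for rec in records:
        per_ip[refang(rec.ip)].append(rec)
    findings: list[dict] = []
    for ip, recs in per_ip.items():
        hits = []
        for rec in recs:
            fqdn = refang(rec.name)
            if fqdn in ALLOWLIST:
                continue
            matched = match_brand(registrable_label(fqdn))
            if matched:
                hits.append((fqdn, rec.registered, *matched))
        severity = "high" if len(hits) >= min_cluster else "medium"
        for fqdn, registered, brand, reason in hits:
            findings.append({"domain": fqdn, "ip": ip, "brand": brand,
                             "reason": reason, "severity": severity,
                             "registered": registered.isoformat()})
    # Newest registration first: the freshest domain is the one most likely in play.
    findings.sort(key=lambda f: f["registered"], reverse=True)
    return findings


# Constructed sample set: names and IP from the article, dates constructed
# except freecad-us[.]org (Jan. 19, 2024); the last two rows are controls.
SAMPLE = [
    DomainRecord("freecad-us[.]org", "93.190.143[.]252", date(2024, 1, 19)),
    DomainRecord("dashlane-project[.]com", "93.190.143[.]252", date(2023, 3, 2)),
    DomainRecord("filezillasoft[.]com", "93.190.143[.]252", date(2023, 2, 11)),
    DomainRecord("keepermanager[.]com", "93.190.143[.]252", date(2023, 5, 7)),
    DomainRecord("libreofficeproject[.]com", "93.190.143[.]252", date(2023, 4, 1)),
    DomainRecord("openai-project[.]org", "93.190.143[.]252", date(2023, 6, 30)),
    DomainRecord("filezila-download[.]net", "198.51.100.7", date(2023, 12, 1)),  # constructed near-miss
    DomainRecord("freecad.org", "203.0.113.10", date(2001, 1, 1)),    # genuine site, RFC 5737 IP
    DomainRecord("example.com", "198.51.100.8", date(1995, 8, 14)),  # benign control
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```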

But this is only a ruse, says Tom Hegel, principal threat researcher at the security firm SentinelOne. Hegel has been tracking these malicious domains for more than a year, and he said the seemingly benign software download sites will periodically turn evil, swapping out legitimate copies of popular software titles with backdoored versions that allow cybercriminals to remotely commandeer the systems.

“They’re using automation to pull in fake content, and they’re rotating in and out of hosting malware,” Hegel said, noting that the malicious downloads may only be offered to visitors who come from specific geographic locations, like the United States. “In the malicious ad campaigns we’ve seen tied to this group, they would wait until the domains gain legitimacy on the search engines, and then flip the page for a day or so and then flip back.”

In February 2023, Hegel co-authored a report on this same network, which SentinelOne has dubbed MalVirt (a play on “malvertising”). They concluded that the surge in malicious ads spoofing various software products was directly responsible for a surge in malware infections from infostealer trojans like IcedID, Redline Stealer, Formbook and AuroraStealer.

Hegel noted that the spike in malicious software-themed ads came not long after Microsoft started blocking by default Office macros in documents downloaded from the Internet. He said the volume of the current malicious ad campaigns from this group appears to be relatively low compared to a year ago.

“It appears to be the same campaign continuing,” Hegel said. “Last January, every Google search for ‘Autocad’ led to something bad. Now, it’s like they’re paying Google to get one out of every dozen of searches. My guess is it’s still continuing because of the up-and-down [of the] domains hosting malware and then looking legitimate.”

Several of the websites at this Netherlands host (93.190.143[.]252) are currently blocked by Google’s Safebrowsing technology, and labeled with a conspicuous red warning saying the website will try to foist malware on visitors who ignore the warning and continue.

But it remains a mystery why Google has not similarly blocked the 240+ other domains at this same host, or else removed them from its search index entirely, especially considering that nothing else is hosted at that Netherlands IP address and that these domains have all remained at that address for the past year.

In response to questions from KrebsOnSecurity, Google said maintaining a safe ads ecosystem and keeping malware off of its platforms is a priority across Google.

“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement, sometimes showing Google one thing and users something else,” Google said in a written statement. “We’ve reviewed the ads in question, removed those that violated our policies, and suspended the associated accounts. We’ll continue to monitor and apply our protections.”

Google says it removed 5.2 billion ads in 2022, and restricted more than 4.3 billion ads and suspended over 6.7 million advertiser accounts. The company’s latest ad safety report says Google in 2022 blocked or removed 1.36 billion advertisements for violating its abuse policies.

Some of the domains referenced in this story were included in SentinelOne’s February 2023 report, but dozens more have been added since, such as those spoofing the official download sites for Corel Draw, Github Desktop, Roboform and Teamviewer.

This October 2023 report on the FreeCAD user forum came from a user who reported downloading a copy of the software from freecadsoft[.]com after seeing the site promoted at the top of a Google search result for “freecad.” Almost a month later, another FreeCAD user reported getting stung by the same scam.

“This got me,” FreeCAD forum user “Matterform” wrote on Nov. 19, 2023. “Please leave a report with Google so it can flag it. They paid Google for sponsored posts.”

SentinelOne’s report didn’t delve into the “who” behind this ongoing MalVirt campaign, and there are precious few clues that point to attribution. All of the domains in question were registered through webnic.cc, and several of them display a placeholder page saying the site is ready for content. Viewing the HTML source of these placeholder pages shows that many of the hidden comments in the code are in Cyrillic.

Trying to track the crooks using Google’s Ad Transparency tools didn’t lead far. The ad transparency record for the malicious ad featuring freecad-us[.]org (in the screenshot above) shows that the advertising account used to pay for the ad has only run one previous ad through Google search: It advertised a wedding photography website in New Zealand.

The apparent owner of that photography website did not respond to requests for comment, but it’s also likely his Google advertising account was hacked and used to run these malicious ads.

Cybersecurity at the 2024 Paris Summer Olympics | Safeguarding the Spectacle

As the opening ceremony of the 2024 Paris Summer Olympics fast approaches, organizers are immersed in intense preparations on the cyber front. Such a prominent, international event makes for a vast attack surface that holds enticing opportunities for cybercriminals.

As it stands, the 2024 Olympic and Paralympic Games are currently projected to draw 9.7 million spectators across 40 official sites. While France enjoys the global spotlight for nearly two months, every aspect of planning and hosting the Games requires cybersecurity to be a top priority for the organizers.

In this blog post, we discuss the evolution of cyber threats that have played out over the last two decades and how they will inform the digital security of this year’s Games, including threat techniques, current geopolitical motivations, and effective countermeasures available.

A Timeline of Attacks

The spirit of competition and athletic celebration may unfold on Olympic grounds, but another type of race, between threat actors and cybersecurity teams, runs in parallel, away from the main stages. Cybersecurity threats and attacks have loomed over the past two decades’ worth of Games, affecting athletes, attendees, and the underlying digital infrastructure that sustains the Olympics. Here are some of the most infamous cyber activities from the past seven Games, showcasing the range of cyber challenges that Paris planners may face:

2008 Summer Olympics (Beijing, China)

The Beijing 2008 Olympic Games marked the first instance of publicly reported malicious cyber operations during the Olympics. A cyber espionage campaign known as “Operation Shady Rat” targeted the International Olympic Committee (IOC) and various Western and Asian Olympic Committees. Possibly focused on information gathering, this campaign spanned from 2006 to 2011 and included the targeting of the World Anti-Doping Agency (WADA) in August 2009. Although the ultimate goal is still unclear, the operation has been associated with Chinese state-sponsored cyber activities.

The Beijing Olympics also witnessed lucrative malicious operations, including fraudulent ticket websites, spear phishing, and deceptive streaming platforms. These activities were attributed to opportunistic intrusion efforts, all capitalizing on the illicit money-making opportunities presented by the major event.

2012 Summer Olympics (London, United Kingdom)

While cyber incidents had been observed in previous editions, the 2012 London Olympics brought the notion of cyber threats into sharp focus for the Olympic community. Among the 212 million cyberattacks mounted during the event, a notable 40-minute distributed denial-of-service (DDoS) attack disrupted the power systems of the Olympic Park on the second day of the Games.

Opportunistic actors also engaged in lucrative malicious operations that impacted the public, employing phishing campaigns that enticed individuals with a chance to win free airline tickets for the London Summer Olympic Games by participating in a fake survey.

2014 Winter Olympics (Sochi, Russia)

Leading up to the Sochi Olympics, there were indications of cyber threats, raising concerns about the security of IT systems. Reports soon surfaced that cyber espionage activities were targeting various organizations associated with the Olympics. The U.S. State Department issued a travel alert for the 2014 Sochi Winter Olympics, cautioning U.S. travelers about cybersecurity threats in the region. The alert specifically advised individuals to exercise caution when sharing sensitive or personal information on Russian electronic communication networks.

Following the Winter Olympics in Russia, an open-source report highlighted a cyber espionage campaign, accusing Russian intelligence services of gathering information on Olympic organizations, judges, journalists, spectators, and athletes.

2016 Summer Olympics (Rio de Janeiro, Brazil)

Before the Rio Olympics, concerns were voiced regarding the security of IT systems, including the potential for DDoS attacks. While no significant cybersecurity incidents were reported during the event itself, affiliated organizations saw a series of long-duration (540 Gbps) DDoS attacks in the months leading up to the Games.

Also of note, a sophisticated cyberespionage campaign orchestrated by APT28, an intrusion set associated with Russian military intelligence (GRU), was revealed by the World Anti-Doping Agency (WADA) two months after the Games. Hacktivist groups, including Anonymous Brazil, played a role in campaigns targeting the Brazilian Federal government and the Ministry of Sports, resulting in the exposure of personal and financial data.

Anonymous Brazil voiced grievances against the Games, citing insufficient investments in favelas and excessive spending on Rio 2016. Additionally, cybercrime operations targeted the public and organizations affiliated with the Rio Olympics, with security analysts noting an 83% increase in phishing URLs in Brazil before the Olympics, compared to a 13% increase globally.

2018 Winter Olympics (Pyeongchang, South Korea)

The opening ceremony of the Pyeongchang Winter Olympics witnessed a significant cyber attack that disrupted the event’s IT systems, including Wi-Fi, ticketing, and the official website. This attack was strategically designed to create chaos by destroying data and disrupting essential operations.

The malicious worm dubbed “Olympic Destroyer” took the official Olympic website offline and rendered the Wi-Fi service within the stadium inoperable. Live broadcast systems also faced disruptions, and many spectators were denied access to ticket printing during the opening ceremony.

2021 Summer Olympics (Tokyo, Japan)

The Tokyo Olympics, rescheduled by a year due to the COVID-19 pandemic, emerged as a lucrative target for cyber attacks. The event witnessed a staggering 450 million cyber threats, two and a half times the number of cyberattacks reported during the London Olympics in 2012. Most notably, researchers uncovered a phishing attempt during the Tokyo Olympics in which cybercriminals were selling an “Olympic Games Official Token”. The invention of this fake “token” showed that cybercriminals were testing new and sophisticated schemes to target individuals.

A year before the Games, reports emerged of an espionage campaign, attributed to the GRU-linked Sandworm APT, targeting officials and organizations involved in the Tokyo Olympics. In addition, threat actors sought to deploy wipers configured to specifically target computers with Japanese settings and erase sensitive files.

2022 Winter Olympics (Beijing, China)

Prior to the Winter Olympics, the FBI recommended that athletes use temporary cell phones instead of personal devices, cautioning against the use of personal data on these temporary devices. Researchers identified vulnerabilities in the Chinese application My2022, mandatory for all attendees to install on their mobile devices during the Olympics. Exploiting these vulnerabilities could potentially grant access to personal and medical data.

Understanding the Geopolitical Discord Amongst Olympic Participants

Geopolitical tensions cast a profound shadow over the Olympic Games, significantly affecting both the event’s dynamics and its cybersecurity landscape. Since the Olympics provide a global stage, they often become a battleground for nations to express political ideologies, ambitions, and conflicts.

Heightened geopolitical tensions amplify the attractiveness of the Olympics as a target for cyber threats. State-sponsored actors often exploit vulnerabilities in digital infrastructures to extend their target far beyond the organizing committees to reach athletes, spectators, and affiliated organizations, too.

Impact of the Russian War on Ukraine

Between 2018 and 2022, Russia faced an Olympic ban, preventing its participation under its national flag due to a state-sponsored doping scheme involving Russian athletes during the 2014 Sochi Games. This ban mirrored the decision taken by the International Olympic Committee (IOC) and the World Anti-Doping Agency (WADA) in 2014, which resonates in the 2024 Paris Olympics ban on Russia and Belarus following their 2022 invasion of Ukraine.

The suspension of the Russian Olympic Committee resulted from its oversight of sport organizations in four occupied Ukrainian regions. While Russian and Belarusian athletes are permitted by the IOC to compete as “Neutral Individual Athletes”, geopolitical tensions raise concerns about potential retaliatory cyber operations.

Amidst France’s support for Ukraine in its defensive stance against Russia, there’s a looming possibility that the 2024 Paris Olympics could become a target for Russian and/or Belarusian cyber operations. These operations, acting as potential retaliation measures, might take the form of disruption and sabotage aimed at undermining France’s international reputation.

Impact of the Azerbaijan-Armenia Border Conflict

France’s involvement in the Azerbaijan-Armenia (Nagorno-Karabakh) conflict has faced criticism from Azerbaijan for its perceived bias towards Armenia. In November 2023, the French state digital watchdog, Viginum, linked a disinformation campaign smearing the Paris 2024 Olympic Games to Azerbaijan-based actors. Its investigation in late July was prompted by the widespread sharing on X of visuals urging a boycott of the 2024 Olympics.

The campaign utilized images depicting riots, the city of Paris, and the Olympic Games logo, employing three official X accounts of the Games and two hashtags, #paris2024 and #boycottparis2024. Between July 26 and 27, over 1,600 posts featuring these visuals or hashtags surfaced on X, with around 90 accounts believed to be involved in what the report called “artificial amplification”.

The Risks Targeting the Olympic Podium

Since at least Beijing 2008, the Olympic Games have been targets for offensive cyber operations, driven by motives ranging from cyber espionage and destabilization to economic gain. The upcoming Paris 2024 Games could face a spectrum of malicious cyber operations, ranging from campaigns focused on destabilization, through influence campaigns, malware, and data extortion, to those centered on disruption, including DDoS attacks and disinformation.

Persistent cyber crime also poses an ongoing risk to the Olympics. These opportunistic crimes exploit the event’s popularity, targeting diverse victims, from the general public to partners and organizers. Campaigns enticing spectators are much more likely to take the form of Olympics-themed phishing, malicious apps, and typosquatted websites mimicking platforms related to reselling, ticketing, or betting activities.

What Solutions Are In Place to Protect the Paris 2024 Games?

To counter the growing concerns for cyberattacks, French authorities are taking concerted measures to secure this year’s Games. Notably, the ANSSI cybersecurity agency is set to collaborate with its Japanese counterpart, the NISC (National Center of Incident Readiness and Strategy for Cybersecurity). This partnership fosters improved dialogue and the exchange of cybersecurity insights, drawing from experiences in other major sporting events.

The COJO (Organizing Committee for the Olympic Games) has also rolled out a cybersecurity strategy based on four pillars: education, training, anticipation, and coordination. Other key parts of their defenses include:

  • Awareness-raising events – According to Franz Regul, CISO for the Paris 2024 Games, training courses promoting cyber awareness will be set up to combat phishing, spam and online scams, which are the initial means of compromise in 80% of cyberattacks.
  • Security Operations Center (SOC) – The newly established SOC will be tasked with continuously monitoring all Olympic digital ecosystems. So far, ANSSI has budgeted 17 million euros towards SOC services, which will cover nearly 12,000 workstations spread across the security sites for the duration of the Games.
  • AI-based tools – The SOC will use AI-based tools to detect signs of suspicious or malicious activity, track signs of compromise, and orchestrate incident response.
  • Olympic Management System (OMS) – The OMS manages access to events with all requests submitted to the Service National des Enquêtes Administratives de Sécurité (SNEAS) for final approval and badge issuing.
  • Olympic Diffusion Systems (ODS) – This application is dedicated to disseminating information and results in real time to the media and spectators to avoid any misinformation.
  • Improved ticket sales policies
    • A hopeful buyer has only 48 hours to buy their ticket after being selected by random draw in order to streamline online traffic. Only 30 tickets may be purchased per account to mitigate mass resales.
    • All resales must be conducted via the official resale site to prevent forgery and manage existing tickets.
    • Tickets are 100% digital and will only be sent to purchasers a few weeks before the start of the event.

Applying Cybersecurity Lessons Learned for Paris 2024

For Paris 2024, preparing for cybersecurity threats involves a multi-faceted approach combining a mix of infrastructure security, data protection, and collaboration.

Infrastructure & Network Security

The IT infrastructure of the Paris 2024 Olympics includes a complex network of systems handling everything from scoring and timing to broadcasting and ticketing. Protecting this infrastructure involves deploying advanced network security solutions, including intrusion detection systems, firewalls, and real-time monitoring tools through security operation centers (SOCs).

Data Protection & Privacy

With the vast amount of personal data processed during the Olympics, including that of athletes, officials, and spectators, data protection and privacy are critical. This involves implementing stringent data security measures, such as advanced encryption, robust access controls, and continuous monitoring for data breaches. Compliance with international data protection regulations, such as the GDPR, is also crucial.

Global Cybersecurity Alliances

Cybersecurity for such a massive event cannot be siloed. Collaboration among various international entities, including cybersecurity firms, government agencies, and international sports bodies, is essential. This collaboration involves sharing intelligence on emerging cyber threats and best practices for mitigation.

The organizing committee of Paris 2024 is working in tandem with international cybersecurity organizations, leveraging their expertise and resources. These alliances enable the sharing of intelligence on emerging cyber threats and coordinated responses to potential attacks.

Advanced Cyber Defense Technologies

In anticipation of the 2024 Summer Olympics, Paris is gearing up for heightened, AI-based technological surveillance. The French government will be deploying an extensive network of cameras integrated with artificial intelligence (AI) tasked to closely watch over crowds and public areas and alert authorities to any signs of suspicious activity.

The recently approved Loi JO 2024 legislation, enacted earlier in 2023, permits the real-time application of algorithmic analysis to camera footage, enabling the identification of predetermined events that may pose a threat to public order. The surveillance system is slated to operate until March 2025, extending its functionality for six months after the close of the Games.

Simulation & Response Planning

GICAT (Group of French Industries for Land and Air-land Defense and Security), one of many tech solution providers associated with the Games, has confirmed nearly eight billion cybersecurity tests. These simulations, often referred to as red teaming, involve mimicking real-world cyberattacks to test the resilience of the cybersecurity infrastructure. This proactive approach allows the cybersecurity team to identify vulnerabilities and refine their response strategies, ensuring they are well-prepared for various attack scenarios.

Conclusion

The cybersecurity framework for Paris 2024 is not just about safeguarding IT infrastructure; it’s about protecting the very essence of the Olympic spirit — fair play, honor, and global unity. Cyber threats not only pose a risk to the operational aspects of the Games but also threaten the safety and privacy of the participants and spectators.

The Paris 2024 Olympics presents a unique set of challenges and opportunities in cybersecurity. As we move closer to this international spectacle, security leaders and Games organizers will continue to glean lessons from past Olympics and prepare for both opportunistic and advanced persistent threats.

SentinelOne is trusted by global enterprises and organizations responsible for safeguarding large-scale events with complex security requirements. To learn more about how SentinelOne protects digital ecosystems through AI-driven detection and response capabilities, deep visibility, and data enrichment, contact us today or book a demo.


Decrypting SentinelOne Cloud Detection | The Threat Intelligence Engine in Real-Time CWPP

In this the fourth installment of our Detection Engine blog series, we examine the Cloud Threat Intelligence Engine and its role as one of five detection engines which work together as part of our cloud workload protection platform (CWPP) to detect and block runtime threats impacting cloud workloads. (The first, second, and third posts in the series discuss the Static AI, Behavioral AI, and Application Control Engines, respectively.)

Cloud Threat Intelligence Engine 101

Unlike the Static and Behavioral AI Engines, which use AI, the SentinelOne Cloud Threat Intelligence Engine is a rules-based reputation engine which uses signatures to detect known malware. It is important to note that SentinelOne’s CWPP solution does not rely solely upon signatures. Any solution that relies solely upon signatures is woefully underprepared for cloud workload protection warfare.

Even though signatures are easily evaded by sophisticated threat actors, not every threat actor is sophisticated, and known malware is still often used. And so, the use of signatures still has a place in detecting known malware, while advanced threats (e.g., zero-day exploits, fileless attacks, polymorphic ransomware, etc.) still require a more modern, AI-powered arsenal.

How Does It Work?

The Cloud Threat Intelligence Engine runs locally on the agent anytime a file is written, modified, copied, or executed. The engine consolidates signatures from multiple reputation sources into a local blocklist of known malicious hashes. The engine uses a reputation lookup, comparing a file hash to those on the local blocklist, and is nearly 100% effective in detecting known malware.

If a match is made, the agent triggers a threat detection. Every file scanned consults both the Cloud Threat Intelligence Engine and the Static AI Engine.

The CWPP agent has its first blocklist built-in and is regularly updated from the SentinelOne SaaS management console on a periodic and adjustable cadence. The S1 management console collects hashes from the SentinelOne Cloud, which aggregates threat intelligence from a number of sources including VirusTotal, ReversingLabs, SentinelOne’s research team, and other agents within your tenant. When you mark a hash as a threat elsewhere in your environment, the management console updates the blocklist on all other agents which you have deployed.

SentinelOne continuously monitors multiple reputation feeds. The SentinelOne Cloud is updated with hashes from various sources and updates the agent fleet in real time. If a hash is not found in the local blocklist, the engine calls out to the management console to see if a new hash has been added to the SentinelOne Cloud. If it finds a new hash, it is added to the local blocklist. The system delivers a response within a second. The longest round trip will be 2 update cycles: one to send the hash upstream to the SentinelOne Cloud for inspection, and another to receive the update to the local blocklist.

In addition, SentinelOne will update the fleet if the verdict changes for a file which was queried within the last week. For example, suppose there is no reputation entry for a file that was queried. Then, 2 days later, the reputation feeds are updated, revealing that this file is now known to be malicious. Once the SentinelOne Cloud is updated with this information, SentinelOne pushes a blocklist update to all customer consoles that asked about this specific file. And remember – the SentinelOne CWPP agent, part of Singularity Cloud Workload Security, still has the AI-powered engines active, keeping your cloud workloads protected in the interim.
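The flow described in the last three paragraphs (local blocklist hit without network, miss escalated to the console and upstream cloud, scheduled sync applied once connectivity returns, and a verdict change pushed only to consoles that asked about the hash within the last week) can be modelled end to end. The following is an added illustration, not SentinelOne’s code: the class names, the seed blocklist, the feed contents, the sample bytes and the 7-day window constant are constructed for the example.

```python
"""Toy model of a hash-reputation blocklist with upstream re-query and
verdict-change push-back (constructed illustration, not vendor code)."""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta

VERDICT_WINDOW = timedelta(days=7)   # post: "queried within the last week"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


class ReputationCloud:
    """Upstream aggregator of several reputation feeds (stand-in)."""

    def __init__(self) -> None:
        self.feeds: dict[str, set[str]] = {}
        # sha1 -> [(console, time asked)]; used to push verdict changes back
        self.asked: dict[str, list[tuple[Console, datetime]]] = {}

    def known_bad(self) -> set[str]:
        return set().union(*self.feeds.values()) if self.feeds else set()

    def query(self, console: Console, sha1: str, now: datetime) -> bool:
        self.asked.setdefault(sha1, []).append((console, now))
        return sha1 in self.known_bad()

    def update_feed(self, feed: str, hashes: set[str], now: datetime) -> None:
        newly_bad = hashes - self.known_bad()
        self.feeds.setdefault(feed, set()).update(hashes)
        for sha1 in newly_bad:           # verdict changed: tell recent askers only
            for console, when in self.asked.get(sha1, []):
                if now - when <= VERDICT_WINDOW:
                    console.push({sha1})


class Console:
    """Tenant management console: relays misses upstream, fans updates out."""

    def __init__(self, cloud: ReputationCloud) -> None:
        self.cloud = cloud
        self.agents: list[Agent] = []

    def lookup(self, sha1: str, now: datetime) -> bool:
        if self.cloud.query(self, sha1, now):
            self.push({sha1})
            return True
        return False

    def push(self, hashes: set[str]) -> None:
        for agent in self.agents:
            if agent.online:
                agent.blocklist |= hashes
            else:
                agent.pending |= hashes  # applied when connectivity returns

    def scheduled_sync(self) -> None:
        """Periodic cadence: distribute the whole current blocklist."""
        self.push(self.cloud.known_bad())


class Agent:
    def __init__(self, console: Console, seed: set[str]) -> None:
        self.console = console
        self.blocklist = set(seed)       # built-in first blocklist
        self.pending: set[str] = set()
        self.online = True
        console.agents.append(self)

    def set_online(self, online: bool) -> None:
        self.online = online
        if online:                       # catch up on updates missed offline
            self.blocklist |= self.pending
            self.pending.clear()

    def scan(self, data: bytes, now: datetime) -> str:
        sha1 = sha1_hex(data)
        if sha1 in self.blocklist:
            return "KNOWN_MALICIOUS"     # local hit, no network needed
        if self.online and self.console.lookup(sha1, now):
            return "KNOWN_MALICIOUS"
        return "NO_REPUTATION"           # AI engines still inspect the file


def run_scenario() -> dict[str, str]:
    """Walk through the cases in the post; returns each verdict by label."""
    t0 = datetime(2024, 1, 1, 9, 0)
    sample_a = b"constructed sample A: already on the seed blocklist"
    sample_b = b"constructed sample B: unknown, listed by a feed 2 days later"
    sample_c = b"constructed sample C: unknown, listed only 10 days later"
    cloud = ReputationCloud()
    cloud.update_feed("feed-1", {sha1_hex(sample_a)}, t0)
    console = Console(cloud)
    agent = Agent(console, seed=cloud.known_bad())

    agent.set_online(False)
    out = {"a_offline": agent.scan(sample_a, t0)}        # autonomy: local hit
    agent.set_online(True)
    out["b_first"] = agent.scan(sample_b, t0)             # miss, asked upstream
    out["c_first"] = agent.scan(sample_c, t0)
    # Day 2: a feed lists B; the console that asked 2 days ago gets a push.
    cloud.update_feed("feed-2", {sha1_hex(sample_b)}, t0 + timedelta(days=2))
    out["b_after_push"] = agent.scan(sample_b, t0 + timedelta(days=2))
    # Day 10: C becomes known, but the query is older than a week: no push.
    agent.set_online(False)
    cloud.update_feed("feed-2", {sha1_hex(sample_c)}, t0 + timedelta(days=10))
    out["c_no_push_offline"] = agent.scan(sample_c, t0 + timedelta(days=10))
    console.scheduled_sync()             # missed while offline, queued as pending
    agent.set_online(True)
    out["c_after_sync"] = agent.scan(sample_c, t0 + timedelta(days=10))
    return out


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:20s} {verdict}")
```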

Advantages of the Cloud Threat Intelligence Engine

The primary advantage is local autonomy. If cloud connectivity to the management console is disrupted for any reason, the agent, with all its local engines, continues to operate autonomously. The agent does not rely upon cloud connectivity or access to remote databases to perform its duty.

Another advantage is that the blocklist is nearly continuously updated. In the event that the Cloud Threat Intelligence Engine happens to miss a regularly scheduled update due to a network disruption, it will simply be updated when connectivity to the SentinelOne management console is restored.

A third advantage is computational efficiency. Not every battle requires Special Forces to achieve the objective. For detecting known malware, a reputational lookup can be the right tool for the job. Occam’s Razor states that the simplest explanation is preferred to one which is more complex. If it is already known malware, there is no need to re-prove it as such. Simply detect, quarantine, and move on.

Example: Shellshock Detection

A good example of a detection of known malware is shown in the following screenshot of the SentinelOne management console. Here, we have an Amazon EC2 instance running a containerized workload on Amazon Linux 2023. An analyst could find more details about the container and cloud service provider (CSP) under the tabs “DOCKER CONTAINER” and “CLOUD,” respectively.

The engine to which the detection is attributed is “SentinelOne Cloud,” meaning that SentinelOne added the hash to the local blocklist. The file is classified as malware with AI Confidence Level of MALICIOUS, the highest confidence level. With a simple click on the SHA1 value shown, the security analyst can visit VirusTotal, the reputation source for this malicious file, to find even more details.

The agent policy is set to “Protect,” such that upon detection, the agent immediately took mitigation actions defined in the policy. In this example, the mitigation actions taken are process kill and file quarantine. Therefore, the Threat Status is shown to be MITIGATED (see the green shield).

On the right pane under the “XDR” tab, we see helpful details from our integration with Snyk. Snyk has identified numerous vulnerabilities in the workload’s source code, one of which presumably, but not necessarily, allowed the threat actor to download malware (see the Originating Process, “curl”). There could have been any number of root causes of this attack, which, while interesting, are beyond the scope of describing a threat detection by reputation. Even though the immediate danger is gone, the security analyst can open a ticket and share these source code vulnerability details from Snyk with the application owner. This helps to foster collaboration between security and developers, and create better cloud security outcomes.

Conclusion

One of five detection engines in SentinelOne’s real-time CWPP solution, the Cloud Threat Intelligence Engine is a reputation engine using local blocklists to efficiently and effectively detect known malware. Moreover, it does not rely upon network connectivity to perform its job.

To learn more about the value of real-time, AI-powered CWPP in your cloud security stack, head over to the solution homepage, or see how Singularity Cloud Workload Security works with a 2-minute guided walk-through here. And of course, whenever you are ready, you may connect with one of our cloud security experts for a personalized demo.
