The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good | Multimillion Dollar Cryptojacking Scammer Arrested In Joint Europol Operation

After creating a million virtual servers to mine €1.8 million in stolen cryptocurrency, the kingpin behind the illicit operation has been apprehended in their native Ukraine. The 29-year-old individual stands accused of orchestrating a sophisticated cryptojacking scheme before being caught by the National Police of Ukraine, assisted by Europol and an unnamed cloud service provider.

Source: Europol

The joint investigation began in January 2023 when a cloud provider informed Europol about compromised user accounts. The agency shared this intelligence with Ukrainian authorities, with reports noting that the accused had been infecting a prominent e-commerce company’s servers with a miner virus since at least 2021, utilizing custom brute-force tools to infiltrate 1,500 accounts.

Subsequently, the hacker accessed the service’s management through the compromised accounts, creating over one million virtual computers to sustain the cryptojacking operation. Ukrainian authorities confirmed that the suspect utilized TON cryptocurrency wallets to transfer the illicit proceeds.

Cryptojacking involves the unauthorized use of a victim’s computing resources to mine cryptocurrencies. In cloud environments, attackers typically gain access through compromised credentials and install miners that leverage the host’s processing power without consent. This lets the attacker sidestep the usual costs of mining infrastructure by abusing free trials or by compromising legitimate tenants.

Given that cryptojackers often exploit flaws in cloud platforms for initial compromise, continuous monitoring and regular patch management help safeguard systems against external threats. To guard against crypto-centric attacks, look for unusual activity such as irregular spikes in resource usage, and consider implementing role-based access control and zero-trust policies to protect administrative privileges from abuse.
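As an added example, not from the original article, the following Python script flags the pattern described above: a tenant account whose instance-creation rate suddenly dwarfs its own baseline. The audit-event format, field names and sample log lines are constructed for the example rather than taken from any provider’s logging API.

```python
"""Flag cloud accounts whose instance-creation rate spikes far above their
own baseline (constructed audit-event format; not a real provider's API)."""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)


def parse_events(log_text):
    """Parse newline-delimited JSON audit events; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def creations_per_window(events, window=WINDOW):
    """Count successful CreateInstance events per principal per fixed window.
    Windows are aligned to the earliest creation; returns {principal: [counts]}."""
    creates = [e for e in events
               if e["action"] == "CreateInstance" and e["result"] == "Success"]
    if not creates:
        return {}
    start = min(e["ts"] for e in creates)
    n_windows = (max(e["ts"] for e in creates) - start) // window + 1
    counts = defaultdict(lambda: [0] * n_windows)
    for e in creates:
        counts[e["principal"]][(e["ts"] - start) // window] += 1
    return dict(counts)


def detect_spikes(counts, min_burst=50, ratio=10.0):
    """Return [(principal, window_index, count)] for windows that exceed both
    an absolute floor and `ratio` times the principal's median elsewhere.
    The floor keeps a quiet account going from 1 to 3 creations from alerting;
    the ratio keeps a busy CI account with a steady high rate from alerting."""
    alerts = []
    for principal, series in counts.items():
        for i, c in enumerate(series):
            others = series[:i] + series[i + 1:]
            baseline = statistics.median(others) if others else 0
            if c >= min_burst and c > ratio * max(baseline, 1):
                alerts.append((principal, i, c))
    return alerts


def build_sample_log():
    """Constructed sample: 'build-svc' steadily creates 6 instances/hour;
    'ops-admin' creates 1/hour until a burst of 300 inside hour 20, the
    shape a compromised tenant credential used for mining would produce."""
    base = datetime(2023, 1, 10, tzinfo=timezone.utc)
    lines = []

    def emit(ts, principal, action="CreateInstance", result="Success"):
        lines.append(json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                 "principal": principal, "action": action,
                                 "result": result}))

    for minute in range(0, 24 * 60, 10):
        emit(base + timedelta(minutes=minute), "build-svc")
    for hour in range(24):
        emit(base + timedelta(hours=hour, minutes=5), "ops-admin")
    for i in range(300):
        emit(base + timedelta(hours=20, seconds=6 * i), "ops-admin")
    emit(base + timedelta(hours=3), "ops-admin", result="Denied")  # not counted
    emit(base + timedelta(hours=4), "build-svc", action="DescribeInstances")
    return "\n".join(lines)


if __name__ == "__main__":
    counts = creations_per_window(parse_events(build_sample_log()))
    for principal, idx, count in detect_spikes(counts):
        print(f"ALERT {principal}: {count} instances created in window {idx}")
```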

The Bad | High Profile Victims Plunged Into New Custom COLDRIVER Phishing Malware

The next iteration of a Russia-linked threat actor dubbed COLDRIVER has surfaced, delivering its first-ever custom malware coded in Rust to extend past its usual credential harvesting tradecraft.

The latest report on its tactics shows COLDRIVER using PDFs as decoy documents to initiate the infection sequence. Sent from impersonation accounts, the PDFs are intended to engage high-profile targets in the U.K., U.S., and other NATO countries, as well as countries neighboring Russia.

The documents are disguised as op-eds or articles seeking feedback and display encrypted text to the recipient. This is meant to prompt the victim into replying that the document cannot be read, after which the threat actor provides a malicious link to a supposed decryptor tool called Proton-decrypter.exe.

Lure document displays encrypted text (Source: Google TAG)

The decryption tool is actually a backdoor named SPICA, marking COLDRIVER’s first custom malware. SPICA uses JSON over WebSockets for command-and-control (C2), enabling command execution, cookie theft from web browsers, file upload and download, and file enumeration and exfiltration.

Security researchers note that there is currently no visibility into how many victims have been successfully compromised with SPICA, as it has only been used in limited, targeted attacks. So far, though, all victims are from critical sectors including NGOs, defense, academia, think tanks, and energy facilities.

This development follows the recent sanctioning of two Russian nationals associated with COLDRIVER. The threat actors have been active since 2015 and continue to rely on open-source intelligence (OSINT) and social engineering to develop their spear-phishing attacks. As of December 2023, U.S. authorities are offering a $10 million reward for information leading to the arrest of COLDRIVER members.

The Ugly | Citrix Customers Urged to Patch Against Two Exploited Zero-Day Vulnerabilities

Citrix NetScaler ADC and NetScaler Gateway customers were warned this week of two zero-day vulnerabilities being actively exploited in the wild. The first, tracked as CVE-2023-6548 with a CVSS score of 5.5, is a code injection flaw that allows authenticated (low-privilege) remote code execution (RCE) on the Management Interface. The second, tracked as CVE-2023-6549 with a CVSS score of 8.2, is a buffer overflow flaw that could be exploited for denial of service (DoS) if the appliance is configured as a Gateway or as an authentication, authorization and accounting (AAA) virtual server.

Citrix’s security notice urges NetScaler ADC and NetScaler Gateway version 12.1 users to upgrade their appliances to a supported version that patches the flaws. Users who cannot deploy the updates immediately are advised to remove the management interface’s exposure to the internet to reduce the risk of exploitation and to block network traffic to affected instances. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected.

CISA has mandated U.S. federal agencies to secure their systems against both Citrix vulnerabilities, emphasizing the high risk they pose to federal enterprise security. The directive requires patching CVE-2023-6548 by January 24 while CVE-2023-6549 must be mitigated within three weeks by February 7. While the directive applies to federal agencies, CISA encourages all organizations, including private companies, to prioritize patching these listed vulnerabilities. Not three months ago, another Citrix flaw dubbed “Citrix Bleed” (tracked as CVE-2023-4966) made headlines after being leveraged by notorious ransomware affiliates of the LockBit group to attack government organizations and high-value tech companies worldwide.

Canadian Man Stuck in Triangle of E-Commerce Fraud

A Canadian man who says he’s been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve “triangulation fraud,” which occurs when a consumer purchases something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.

Triangulation fraud. Image: eBay Enterprise.

Timothy Barker, 56, was until recently a Band Manager at Duncan’s First Nation, a First Nation in northwestern Alberta, Canada. A Band Manager is responsible for overseeing the delivery of all Band programs, including community health services, education, housing, social assistance, and administration.

Barker told KrebsOnSecurity that during the week of March 31, 2023 he and the director of the Band’s daycare program discussed the need to purchase items for the community before the program’s budget expired for the year.

“There was a rush to purchase items on the Fiscal Year 2023 timeline as the year ended on March 31,” Barker recalled.

Barker said he bought seven “Step2 All Around Playtime Patio with Canopy” sets from a seller on Amazon.ca, using his payment card on file to pay nearly $2,000 for the items.

On the morning of April 7, Barker awoke to a series of nasty messages and voice calls on Facebook from an Ontario woman he’d never met. She demanded to know why he’d hacked her Walmart account and used it to buy things that were being shipped to his residence. Barker shared a follow-up message from the woman, who later apologized for losing her temper.

One of several messages from the Ontario woman whose Walmart account was used to purchase the goods that Barker ordered from Amazon.

“If this is not the person who did this to me, I’m sorry, I’m pissed,” the lady from Ontario said. “This order is being delivered April 14th to the address above. If not you, then someone who has the same name. Now I feel foolish.”

On April 12, 2023, before the Amazon purchases had even arrived at his home, Barker received a call from an investigator with the Royal Canadian Mounted Police (RCMP), who said Barker urgently needed to come down to the local RCMP office for an interview related to “an investigation.” Barker said the officer wouldn’t elaborate at the time on the nature of the investigation, and that he told the officer he was in Halifax for several days but could meet after his return home.

According to Barker, the investigator visited his home anyway the following day and began questioning his wife, asking about his whereabouts, his work, and when he might return home.

On April 14, six boxes arrived to partially fulfill his Amazon order; another box was delayed, and the Amazon.ca seller he’d purchased from said the remaining box was expected to ship the following week. Barker said he was confused because all six boxes came from Walmart instead of Amazon, and the shipping labels had his name and address on them but carried a contact phone number in Mexico.

Three days later, the investigator called again, demanding he submit to an interview.

“He then asked where my wife was and what her name is,” Barker said. “He wanted to know her itinerary for the day. I am now alarmed and frightened — this doesn’t feel right.”

Barker said he inquired with a local attorney about a consultation, but that the RCMP investigator showed up at his house before he could speak to the lawyer. The investigator began taking pictures of the boxes from his Amazon order.

“The [investigator] derisively asked why would anyone order so many play sets?” Barker said. “I started to give the very logical answer that we are helping families improve their children’s home life and learning for toddlers when he cut me off and gave the little speech about giving a statement after my arrest. He finally told me that he believes that I used someone’s credit card in Ontario to purchase the Walmart products.”

Eager to clear his name, Barker said he shared with the police copies of his credit card bills and purchase history at Amazon. But on April 21, the investigator called again to say he was coming to arrest Barker for theft.

“He said that if I was home at five o’clock then he would serve the papers at the house and it would go easy and I wouldn’t have to go to the station,” Barker recalled. “If I wasn’t home, then he would send a search team to locate me and drag me to the station. He said he would kick the door down if I didn’t answer my phone. He said he had every right to break our door down.”

Barker said he briefly conferred with an attorney about how to handle the arrest. Later that evening, the RCMP arrived with five squad cars and six officers.

“I asked if handcuffs were necessary – there is no danger of violence,” Barker said. “I was going to cooperate. His response was to turn me around and cuff me. He walked me outside and stood me beside the car for a full 4 or 5 minutes in full view of all the neighbors.”

Barker believes he and the Ontario woman are both victims of triangulation fraud, and that someone likely hacked the Ontario woman’s Walmart account and added his name and address as a recipient.

But he says he has since lost his job as a result of the arrest, and now he can’t find new employment because he has a criminal record. Barker’s former employer — Duncan’s First Nation — did not respond to requests for comment.

“In Canada, a criminal record is not a record of conviction, it’s a record of charges and that’s why I can’t work now,” Barker said. “Potential employers never find out what the nature of it is, they just find out that I have a criminal arrest record.”

Barker said that right after his arrest, the RCMP called the Ontario woman and told her they’d solved the crime and arrested the perpetrator.

“They even told her my employer had put me on administrative leave,” he said. “Surely, they’re not allowed to do that.”

Contacted by KrebsOnSecurity, the woman whose Walmart account was used to fraudulently purchase the child play sets said she’s not convinced this was a case of triangulation fraud. She declined to elaborate on why she believed this, other than to say the police told her Barker was a bad guy.

“I don’t think triangulation fraud was used in this case,” she said. “My actual Walmart.ca account was hacked and an order was placed on my account, using my credit card. The only thing Mr. Barker did was to order the item to be delivered to his address in Alberta.”

Barker shared with this author all of the documentation he gave to the RCMP, including screenshots of his Amazon.ca account showing that the items in dispute were sold by a seller named “Adavio,” and that the merchant behind this name was based in Turkey.

That Adavio account belongs to a young computer engineering student and “SEO expert” based in Adana, Turkey who did not respond to requests for comment.

Amazon.ca said it conducted an investigation and found that Mr. Barker never filed a complaint about the seller or transaction in question. The company noted that Adavio currently has a feedback rating of 4.5 stars out of 5.

“Amazon works hard to provide customers with a great experience and it’s our commitment to go above and beyond to make things right for customers,” Amazon.ca said in a written statement. “If a customer has an issue with an order, they may flag to Amazon through our Customer Service page.”

Barker said when he went to file a complaint with Amazon last year he could no longer find the Adavio account on the website, and that the site didn’t have a category for the type of complaint he wanted to file.

When he first approached KrebsOnSecurity about his plight last summer, Barker said he didn’t want any media attention to derail the chances of having his day in court, and confronting the RCMP investigator with evidence proving that he was being wrongfully prosecuted and maligned.

But a week before his court date arrived at the end of November 2023, prosecutors announced the charges against him would be stayed, meaning they had no immediate plans to prosecute the case further but that the investigation could still be reopened at some point in the future.

The RCMP declined to comment for this story, other than to confirm they had issued a stay of proceedings in the case.

Barker says the stay has left him in legal limbo — denying him the ability to clear his name, while giving the RCMP a free pass for a botched investigation. He says he has considered suing the investigating officer for defamation, but has been told by his attorney that the bar for success in such cases against the government is extremely high.

“I’m a 56-year-old law-abiding citizen, and I haven’t broken any laws,” Barker said, wondering aloud who would be stupid enough to use someone else’s credit card and have the stolen items shipped directly to their home.

“Their putting a stay on the proceedings without giving any evidence or explanation allows them to cover up bad police work,” he said. “It’s all so stupid.”

Triangulation fraud is hardly a new thing. KrebsOnSecurity first wrote about it from an e-commerce vendor’s perspective in 2015, but the scam predates that story by many years and is now a well-understood problem. The Canadian authorities should either let Mr. Barker have his day in court, or drop the charges altogether.

SentinelOne | A Gartner Magic Quadrant Leader for Three Consecutive Years

For the third year in a row, SentinelOne has been recognized as a Leader in the 2023 Gartner Magic Quadrant for Endpoint Protection Platforms. At SentinelOne, our priority is to keep our customers safe with continuous innovation, and Gartner’s recognition reflects our distinctive, leading ability to protect the entire enterprise from evolving threats like ransomware.

Since disrupting the EDR market with our AI-powered Singularity Platform, we’ve continued to lead the industry in comprehensive security, protecting organizations of all sizes across any endpoint, on every cloud, and for every operating system. Supercharged with Purple AI and threat intelligence, complemented by a robust portfolio of managed services, and built on top of the most performant Data Lake in the market, SentinelOne’s Singularity Platform empowers customers with the most powerful security solution available today.

With Singularity Endpoint, customers gain best-in-class endpoint protection and a central, unified portal to manage configurations and real-time monitoring. Let’s take a closer look at what this recognition tells customers about SentinelOne.

Rapid, Endpoint Security Innovation

Proven innovation with best-in-class endpoint protection, detection, and response. Challenged by sophisticated attackers and tasked with protecting an ever-expanding digital footprint, security teams need to seamlessly understand and protect the entire attack surface against breaches.

SentinelOne’s unique single agent provides dynamic device discovery, and our unified console provides analysts with unmatched visibility, vulnerability management, real-time monitoring, rollback capabilities, and advanced deception tools.

AI-Powered EDR

AI-powered autonomous detection and response against malware, ransomware, and emergent threats across all potential attack paths. Accelerate incident resolution so security teams can focus on critical risks and proactive posture management.

At SentinelOne, AI has been central in everything we do from the start – built into detections, our intelligence, and our agent. Now, with Purple AI, the industry’s first AI security solution, every analyst is also empowered to detect threats earlier, respond faster, and stay ahead of attackers.

One Unified, Central Data Lake

Security is a team sport, but it is also a big data sport. Singularity Data Lake forms the backbone of every SentinelOne product – ensuring a robust, scalable, predictable, and cost-effective solution to ingestion, normalization, and retention.

Wrangling data is one thing, but visualization is the key to unlocking critical trends and insights in your data. The Singularity Platform provides security and log analytics capabilities in one centralized platform – the only true unified security analytics platform in the market – capable of combining SIEM, XDR, EDR, and Cloud in a single experience.

Protect the Entire Enterprise

While the endpoint remains a targeted entry-point for many attackers, as threats such as ransomware continue to increase in frequency, speed, and complexity, organizations can no longer think of security in silos. Integration is key to protecting the perimeter and SentinelOne remains committed to providing customers with solutions to protect the entire enterprise.

The Singularity Platform spans endpoint, cloud, data, and identity and enriches investigations with threat intelligence and the power of generative AI. As evidenced by the 2023 Gartner Magic Quadrant for Endpoint Protection Platforms, SentinelOne continues to grow and scale, leading in innovation and vision and further developing the solid foundation of secure business that customers know and trust.

Our platform’s versatility is also evident in the industry’s broadest platform support, which includes:

  • Windows: From legacy systems like Windows XP to the latest Windows Pro and Windows Server editions, we ensure robust protection against evolving threats in the most widely used operating system.
  • macOS: Recognizing the growing popularity of Apple’s macOS in enterprise environments, we have a long track record of emphasizing protection for this operating system. We are proud of our macOS advanced security features tailored to its unique ecosystem.
  • Linux: Our platform extends to numerous Linux families, catering to the diverse needs of Linux users and administrators, with special attention to enterprise-level deployments and server environments.
  • Android and iOS: In the mobile domain, we cover both Android and iOS platforms, acknowledging the critical role smartphones and tablets play in today’s business operations.
  • eBPF for Linux: Embracing the cutting-edge extended Berkeley Packet Filter (eBPF) technology, we provide enhanced security measures for modern Linux systems, ensuring high performance and advanced capabilities.
  • NetApp ONTAP: For businesses leveraging NetApp’s data management solutions, our security extends to the ONTAP operating system, safeguarding critical data storage and management activities.
  • Cloud Platforms: We offer specialized protections for cloud-based environments, including those running on AWS, Azure, and Google Cloud Platform, ensuring a secure cloud presence.

A Trusted Partner to Businesses Around the Globe

More than 11,500 organizations around the globe trust SentinelOne as their partner for security – including Fortune 10, Fortune 500, and Global 2000 companies. That’s why we’re so proud of being one of the highest-ranked vendors in the 2023 Gartner Peer Insights Voice of the Customer Endpoint Protection Platforms and recognized as a “2023 Customer’s Choice.”

Learn more about the Singularity Platform and how SentinelOne can help your business accelerate securely into the future knowing that the tools are in place to prevent breaches. Request a demo today and see how the industry’s only true Security Operations Center is ready for the challenges of today, and tomorrow, empowering your teams to operate at machine-speed and global, cloud scale.

2023 Gartner Magic Quadrant for Endpoint Protection Platforms

Gartner Disclaimer
Gartner, Voice of the Customer for Endpoint Protection Platforms, Peer Contributors, 18 September 2023.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Max Taggett, Franz Hinner, Nikul Patel.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

E-Crime Rapper ‘Punchmade Dev’ Debuts Card Shop

The rapper and social media personality Punchmade Dev is perhaps best known for his flashy videos singing the praises of a cybercrime lifestyle. With memorable hits such as “Internet Swiping” and “Million Dollar Criminal” earning millions of views, Punchmade has leveraged his considerable following to peddle tutorials on how to commit financial crimes online. But until recently, there wasn’t much to support a conclusion that Punchmade was actually doing the cybercrime things he promotes in his songs.

Images from Punchmade Dev’s Twitter/X account show him displaying bags of cash and wearing a functional diamond-crusted payment card skimmer.

Punchmade Dev’s most controversial mix — a rap called “Wire Fraud Tutorial” — was taken down by Youtube last summer for violating the site’s rules. Punchmade shared on social media that the video’s removal was prompted by YouTube receiving a legal process request from law enforcement officials.

The 24-year-old rapper told reporters he wasn’t instructing people how to conduct wire fraud, but instead informing his fans on how to avoid being victims of wire fraud. However, this is difficult to discern from listening to the song, which sounds very much like a step-by-step tutorial on how to commit wire fraud.

“Listen up, I’m finna show y’all how to hit a bank,” Wire Fraud Tutorial begins. “Just pay attention, this is a quick way to jug in any state. First you wanna get a bank log from a trusted site. Do your research because the information must be right.”

And even though we’re talking about an individual who regularly appears in videos wearing a half-million dollars worth of custom jewelry draped around his arm and neck (including the functional diamond-encrusted payment card skimming device pictured above), there’s never been much evidence that Punchmade was actually involved in committing cybercrimes himself. Even his most vocal critics acknowledged that the whole persona could just be savvy marketing.

That changed recently when Punchmade’s various video and social media accounts began promoting a new web shop that is selling stolen payment cards and identity data, as well as hacked financial accounts and software for producing counterfeit checks.

Punchmade Dev's shop.

The official Punchmadedev account on Instagram links to many of the aforementioned rap videos and tutorials on cybercriming, as well as to Punchmadedev’s other profiles and websites. Among them is mainpage[.]me/punchmade, which includes the following information for “Punchmade Empire ®”:

-212,961 subscribers

#1 source on Telegram

Contact: @whopunchmade

24/7 shop: https://punchmade[.]atshop[.]io

Visiting that @whopunchmade Telegram channel shows this user is promoting punchmade[.]atshop[.]io, which is currently selling hacked bank accounts and payment cards with high balances.

Clicking “purchase” on the C@sh App offering, for example, shows that for $80 the buyer will receive logins to Cash App accounts with balances between $3,000 and $5,000. “If you buy this item you’ll get my full support on discord/telegram if there is a problem!,” the site promises. Purchases can be made in cryptocurrencies, and checking out prompts one to continue payment at Coinbase.com.

Another item for sale, “Fullz + Linkable CC,” promises “ID Front + Back, SSN with 700+ Credit Score, and Linkable CC” or credit card. That also can be had for $80 in crypto.

WHO IS PUNCHMADE DEV?

Punchmade has fashioned his public persona around a collection of custom-made, diamond-covered necklaces that are as outlandish and gaudy as they are revelatory. My favorite shot from one of Punchmade’s videos features at least three of these monstrosities: One appears to be a boring old diamond and gold covered bitcoin, but the other two necklaces tell us something about where Punchmade is from:

Notice the University of Kentucky logo, and the Lexington, Ky skyline.

One of them includes the logo and mascot of the University of Kentucky. The other, an enormous diamond studded skyline, appears to have been designed based on the skyline in Lexington, Ky:

The “About” page on Punchmade Dev’s Spotify profile describes him as “an American artist, rapper, musician, producer, director, entrepreneur, actor and investor.” “Punchmade Dev is best known for his creative ways to use technology, video gaming, and social media to build a fan base,” the profile continues.

The profile explains that he launched his own record label in 2021 called Punchmade Records, where he produces his own instrumentals and edits his own music videos.

A search on companies that include the name “punchmade” at the website of the Kentucky Secretary of State brings up just one record: OBN Group LLC, in Lexington, Ky. This November 2021 record includes a Certificate of Assumed Name, which shows that Punchmade LLC is the assumed name of OBN Group LLC.

The president of OBN Group LLC is listed as Devon Turner. A search on the Secretary of State website for other businesses tied to Devon Turner reveals just one other record: A now-defunct entity called DevTakeFlightBeats Inc.

The breach tracking service Constella Intelligence finds that Devon Turner from Lexington, Ky. used the email address obndevpayments@gmail.com. A lookup on this email at DomainTools.com shows it was used to register the domain foreverpunchmade[.]com, which is registered to a Devon Turner in Lexington, Ky. A copy of this site at archive.org indicates it once sold Punchmade Dev-branded t-shirts and other merchandise.

Mr. Turner did not respond to multiple requests for comment.

Searching online for Devon Turner and “Punchmade” brings up a video from @brainjuiceofficial, a YouTube channel that focuses on social media celebrities. @Brainjuiceofficial says Turner was born in October 2000, the oldest child of a single mother of five whose husband was not in the picture.

Devon Turner, a.k.a. “Punchmade Dev,” in an undated photo.

The video says the six-foot five Turner played basketball, track and football in high school, but that he gradually became obsessed with playing the video game NBA 2K17 and building a following of people watching him play the game competitively online.

According to this brief documentary, Turner previously streamed his NBA 2K17 videos on a YouTube channel called DevTakeFlight, although he originally went by the nickname OBN Dev.

“Things may eventually catch up to Devon if he isn’t careful,” @Brainjuiceofficial observed, noting that Turner has been shot at before, and also robbed at an ATM while flexing a bunch of cash for a picture and wearing $500k in jewelry. “Although you have a lot of people that are into what you do, there are a lot of people waiting for you to slip up.”

The Rise of Drainer-as-a-Service | Understanding DaaS

A recent wave of Twitter/X account takeover attacks has seen multiple high-profile social media accounts compromised and used to spread malicious content aimed at stealing cryptocurrency. The attacks use a family of malware known as crypto drainers, often supplied through Drainer-as-a-Service (DaaS) platforms. Recent high-profile victims include the SEC and Mandiant.

Crypto drainers and Drainer-as-a-Service have received little attention from security researchers to date despite having been around since at least 2021. In this post, we turn the spotlight on crypto drainers and DaaS to raise awareness of this family of threats and how it impacts organizations.

Introduction to DaaS and Crypto Drainers

A crypto drainer is a malicious tool or script specially designed to transfer or redirect cryptocurrency from a victim’s wallet to one under the attacker’s control. Drainers targeting MetaMask first appeared around 2021, when they were openly marketed in underground forums and marketplaces.

2021 Thread on Metamask drainer services (exploit market)

However, drainers and drainer-style attacks can take several forms. Malicious smart contracts may contain hidden functionality to trigger unauthorized transfers. Other drainers may exploit NFT- or token-based triggers to generate fake resources that in turn facilitate the hidden and unauthorized transfer of cryptocurrencies.

Crypto drainers are often provided through a Drainer-as-a-Service model, with DaaS vendors offering software and support to cybercriminals for a percentage of the stolen funds. Services typically offered by a modern DaaS include:

  1. Turnkey crypto-draining scripts
  2. Customizable smart contracts
  3. Phishing kits and social engineering services
  4. Premium OPSEC or security and anonymity services
  5. Integration assistance and mixing/obfuscation
  6. Ongoing updates, maintenance and technical support.

Turnkey or ready-to-use crypto draining scripts, for example, are used to facilitate the automation of draining cryptocurrency from target wallets. They are structured to be simple to understand and deploy, with little to no previous knowledge required.

Documentation and setup guide for NFT Stealer/Drainer marketed across Telegram and Discord

The stolen cryptocurrency is split between affiliates (users of the DaaS) and the DaaS operators. Typically, operators take anywhere between 5% and 25% of the proceeds, depending on the services provided.

The Threat of Account Takeover Attacks

Crypto draining can be hugely profitable for threat actors when they successfully take over high-profile social media accounts and use these to push malicious content to large audiences from what appears to be a trusted source as recently happened to Mandiant and the U.S. Securities and Exchange Commission.

Other high-profile account takeovers include CertiK and Bloomberg Crypto. In late December, it was reported that a crypto drainer stole $59 million from 63,000 individuals using over 10,000 phishing websites.

These attacks typically begin with a brute-force password attack. This involves systematically attempting all possible passwords until the correct one is found. Accounts that lack 2FA or MFA are particularly vulnerable to this kind of attack.

Once an attacker gains access to the account, they are able to distribute phishing links to websites hosting drainers. For example, they may post content from the account offering free NFTs or other rewards to people who visit the site and sign a transaction. Unwitting victims, believing they will receive something of worth, are all too ready to connect their wallets, little knowing that the site contains a drainer script to empty their wallets.

Attackers use platforms like X, Telegram and Discord to spread their phishing links, leveraging the trust and reach of the respected but compromised accounts to target more victims.

Anatomy of an Attack | the CLINKSINK Drainer

In the Mandiant incident, attackers used malware called CLINKSINK, an obfuscated JavaScript drainer lying in wait for victims who fell for phishing links with cryptocurrency-themed lures. These lures often masquerade as legitimate cryptocurrency resources including BONK, DappRadar and Phantom.

Source: Mandiant

Victims are enticed to connect their wallets in order to claim an ‘airdrop’ – a distribution of tokens or coins to other wallet addresses as a reward or promotion. They are then asked to sign a ‘transaction’ to complete the transfer. This is the crucial step for the crypto thieves, as it involves the victim using their private key to authenticate themselves on the blockchain network. If the user completes this step, the crypto drainer can then proceed to transfer the contents of the victim’s wallet to the attacker’s own.

Mandiant says that it identified 42 unique wallet addresses used to receive stolen funds in recent CLINKSINK campaigns like the one associated with its recent Twitter/X account takeover. A number of different DaaS offerings use the CLINKSINK malware, and it is not clear at this time which DaaS may have been involved with the particular incident relating to Mandiant.

Crypto Drainers Are on the Increase

Crypto drainers have become increasingly prominent since 2023 and many are now advertised across underground markets and Telegram channels. Mandiant identified Chick Drainer and Rainbow Drainer as two DaaS offerings using CLINKSINK. However, it is also suspected that the CLINKSINK source code may have leaked and be in use by multiple other threat actors.

Two other DaaS offerings that are being widely and openly marketed are Angel Drainer and Rugging’s Multi-chain Drainer.

Angel Drainer is a DaaS that emerged around August 2023, offering tools and services that were simultaneously advertised across Telegram by known threat actors such as GhostSec. Aside from taking a 20% cut, the operators also require affiliates to make an initial deposit of between $5000 and $10000.

Release of Angel Drainer v8.2

Rugging’s Multi-chain Drainer is another offering that claims to support 20 different crypto platforms. The operators try to entice affiliates by offering low fees, around 5-10% of the affiliates’ gains.

Preventing Drainer Attacks

Although crypto drainers primarily aim to steal crypto assets from individuals, enterprises and organizations should be alert as their social media accounts can become part of the attack chain. Employees or business units within the organization that deal with cryptocurrency assets could also be at risk.

To combat the threat of attacks from crypto drainers, it is important to ensure that 2FA or MFA is enabled for all social media accounts. Cryptocurrency users are advised to exercise the same kind of caution and be alert for social engineering attempts with NFTs, ‘airdrops’ and other crypto advertisements as they would with emails and other communication channels. Users should also consider adopting hardware-based wallets for added security.

Conclusion

Low skill, low risk, high reward: like Ransomware-as-a-Service (RaaS) before it, Drainer-as-a-Service offers those with malicious intent an easy avenue into the crimeware ecosystem. And, as with RaaS offerings before, we will not be surprised to see competition among DaaS operators result in a race to the bottom on price, tempting even more into malicious activity.

Credentials and access to social media accounts should be subject to the same security considerations as other business services, as even temporary access to a business’s social media audience can now be used to cause harm far greater than defacement or denial of service. To learn about how SentinelOne can help protect your organization, contact us or request a free demo.

The Many Faces of Undetected macOS InfoStealers | KeySteal, Atomic & CherryPie Continue to Adapt

We have been reporting on the rise of infostealers targeting macOS since early last year, but threat actors show no signs of slowing down. Throughout last year, we saw variants of Atomic Stealer, macOS MetaStealer, RealStealer and others.

Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures.

In this post, we provide details on three active infostealers that are currently evading many static signature detection engines. We provide a high-level overview of each along with relevant indicators to aid threat hunters and defenders.

KeySteal | Jumping on the AI Bandwagon

First noted in 2021, the internals of KeySteal have changed markedly since it was first described by Trend Micro. Apple added a signature almost a year ago to XProtect in v2166 (Feb 2023), but this no longer detects current versions, some of which are distributed as a binary named “ChatGPT”.

A recent sample of KeySteal uses the name ‘ChatGPT’ for its executable

Initially, KeySteal was distributed in .pkg format with an embedded macOS utility called “ReSignTool” – a legitimate open-source application for signing and bundling apps into .ipa files for distribution on iOS devices.

The malware authors modified the code to steal Keychain information and to drop persistence components in the following locations:

/Library/LaunchDaemons/com.apple.googlechrome.plist
~/Library/LaunchAgents/com.apple.googleserver.plist

The latest round of KeySteal samples have changed considerably. They no longer leverage the ReSign tool and instead appear in multi-architecture Mach-O binaries with names such as “UnixProject” and “ChatGPT”. Distribution methods are unclear at this time. Some of the most recent versions undetected by XProtect also enjoy low detection scores on VirusTotal.

Undetected by XProtect, these KeySteal samples also have low scores on VirusTotal

Both versions are written in Objective-C, but the primary methods responsible for the malicious behavior have changed from JKEncrypt in the early versions to UUnixMain, KCenterModity, and ICenterModity in the most recent versions.

One factor in common between the early and current iterations of KeySteal is the hardcoded C2, and threat hunters and static detections will still have some luck pivoting off that.

usa[.]4jrb7xn8rxsn8o4lghk7lx6vnvnvazva[.]com

However, it is quite unusual for threat actors not to rotate C2 addresses, and we would encourage defenders to develop better hunting and detection rules to detect KeySteal in advance of an inevitable change.

KeySteal samples that we have observed are signed with an ad hoc code signature with artifacts suggesting the binary was built in Xcode, Apple’s development IDE.

KeySteal sample with an ad hoc code signature

Atomic InfoStealer | Multiple Variants Continue to Evade

We first wrote about Atomic Stealer last year, and since then we and other industry peers have noted a number of changes. Many of these iterations are being seen in the wild concurrently, indicating completely different development chains rather than one core version that is being updated.

Prior to this writing, Malwarebytes reported on an obfuscated Go version of Atomic Stealer which appeared shortly after Apple’s XProtect update v2178 (Jan 2024). Apple’s update included a detection rule for the version described by MalwareBytes under the rulename SOMA_E.

However, we have already seen variations appearing since then that are not currently detected by XProtect.

Some of these samples also have low detection scores on VirusTotal at the time of writing.

The most recent versions of Atomic Stealer are not well detected on VirusTotal

This version of Atomic Stealer is written in C++ and includes logic to prevent the victims, analysts or malware sandboxes from running the Terminal at the same time as the stealer. In addition, it checks to see if the malware is being run inside a Virtual Machine.

Atomic Stealer closes the Terminal

Unlike the obfuscated versions from earlier in January, these samples use hard-coded AppleScript in clear text, clearly indicating the malware’s stealing logic.

Atomic still makes heavy use of hardcoded AppleScript

Initial distribution is likely through torrents or gaming-focused social media platforms as the malware continues to appear in .dmg form with names such as ‘CrackInstaller’ and ‘Cozy World Launcher’.

An Atomic Stealer installer instructing the victim to override Gatekeeper control

CherryPie | Caught by Apple, But Many Static Engines Lagging Behind

macOS CherryPie was added to XProtect in v2176. Also known as Gary Stealer, AT&T Labs described the same malware as “JaskaGo” in December 2023.

CherryPie / Gary Stealer 09de6c864737a9999c0e39c1391be81420158877

While Apple’s XProtect rule remains robust against the further samples we have identified, VirusTotal engines are faring less well in some cases.

The following sample – first uploaded on 9 Sept 2023 – along with its embedded malware binary, remains undetected on VirusTotal as of today.

macOS.CherryPie undetected on VirusTotal

CherryPie is a cross-platform Windows/macOS stealer written in Go and containing extensive logic for anti-analysis and VM detection. Despite that, the malware authors have left seemingly obvious strings embedded in the malware to indicate both its purpose (stealer) and its intent (malicious).

CherryPie contains some rather telling hardcoded strings

Some versions of CherryPie use the legitimate open-source Wails project to wrap their malicious code into an application bundle.

CherryPie samples we have observed are signed with an ad hoc signature. As part of the application’s setup, it also calls the macOS spctl utility with the --master-disable argument. This code is used to disable Gatekeeper and is run with administrator privileges via sudo.

macOS.CherryPie attempts to disable Gatekeeper with admin privileges
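Two of the behaviors described in this post are cheap to hunt for in endpoint telemetry: the `sudo spctl --master-disable` call made by CherryPie, and launchd plists dropped by early KeySteal under third-party LaunchDaemons/LaunchAgents directories with a com.apple.* name. The following is an added example, not SentinelOne code; the event records, the home directory and the field names (`type`, `user`, `cmdline`, `path`) are constructed for illustration.

```python
"""Hunt for the macOS stealer behaviours described in the post over constructed
process-exec and file-create events. Added example; the telemetry is made up."""
import posixpath
import shlex

# Persistence paths used by early KeySteal (from the post). The lure is the
# com.apple.* name in directories that normally hold third-party launch items.
KEYSTEAL_PLISTS = {
    "/Library/LaunchDaemons/com.apple.googlechrome.plist",
    "~/Library/LaunchAgents/com.apple.googleserver.plist",
}
LAUNCH_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents")


def normalize_path(path, home):
    """Collapse the user's home directory to '~' so user LaunchAgents compare uniformly."""
    prefix = home.rstrip("/") + "/"
    if home and path.startswith(prefix):
        return "~" + path[len(home.rstrip("/")):]
    return path


def check_exec(event):
    """Flag Gatekeeper being disabled (CherryPie runs `sudo spctl --master-disable`)."""
    argv = shlex.split(event["cmdline"])
    via_sudo = bool(argv) and argv[0] == "sudo"
    if via_sudo:
        # drop `sudo` and its own leading options so the real command is inspected
        argv = argv[1:]
        while argv and argv[0].startswith("-"):
            argv.pop(0)
    if argv and posixpath.basename(argv[0]) == "spctl" and "--master-disable" in argv[1:]:
        detail = f"spctl --master-disable run by {event['user']}"
        return {"rule": "gatekeeper_disabled", "severity": "high",
                "detail": detail + (" via sudo" if via_sudo else "")}
    return None


def check_file_create(event, home):
    """Flag launch items in third-party launch directories that borrow Apple's prefix."""
    path = normalize_path(event["path"], home)
    directory, name = posixpath.split(path)
    if directory not in LAUNCH_DIRS or not name.endswith(".plist"):
        return None
    if path in KEYSTEAL_PLISTS:
        return {"rule": "keysteal_persistence", "severity": "high", "detail": path}
    if name.startswith("com.apple."):
        # Apple's own launchd items live under /System/Library; a com.apple.* name
        # here is a review item rather than proof, since a few Apple installers use it.
        return {"rule": "apple_prefix_in_third_party_launch_dir", "severity": "medium",
                "detail": path}
    return None


def hunt(events, home="/Users/alice"):
    """Run both checks over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        hit = check_exec(ev) if ev["type"] == "exec" else check_file_create(ev, home)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"type": "exec", "user": "alice", "cmdline": "sudo spctl --master-disable"},
    {"type": "exec", "user": "alice", "cmdline": "spctl --status"},
    {"type": "file_create", "user": "root",
     "path": "/Library/LaunchDaemons/com.apple.googlechrome.plist"},
    {"type": "file_create", "user": "alice",
     "path": "/Users/alice/Library/LaunchAgents/com.apple.googleserver.plist"},
    {"type": "file_create", "user": "alice",
     "path": "/Users/alice/Library/LaunchAgents/com.example.sync.plist"},
    {"type": "file_create", "user": "alice",
     "path": "/Library/LaunchAgents/com.apple.helper.plist"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```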

SentinelOne Detects macOS InfoStealers

SentinelOne customers are protected from macOS KeySteal, Atomic InfoStealer, and CherryPie/Gary Stealer.

With the policy set to ‘Detect-Only’, the SentinelOne agent issues alerts for each of the threats when executed.

When the policy is set to ‘Protect’ the malicious behaviors are killed without any action needed from the management console.

Conclusion

The continued prevalence and adaptation of macOS infostealers like KeySteal, Atomic InfoStealer, and CherryPie underscores the ongoing challenges facing macOS enterprise users. Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade.

Given these challenges, it is vital to adopt a comprehensive, defense-in-depth approach. Relying solely on signature-based detection is insufficient as threat actors have the means and motive to adapt at speed. Aside from a modern EDR platform with native macOS capabilities, proactive threat hunting, enhanced detection rules, and awareness of the evolving tactics can help security teams to stay ahead of threats targeting the macOS platform.

To learn how SentinelOne can help protect the macOS devices in your fleet, contact us or request a free demo.

Indicators of Compromise


The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good | Cops Arrest Man Behind Babuk Spinoff, Tortilla Ransomware

Dutch police, in cooperation with cyber security firms, have arrested an individual in Amsterdam alleged to be behind the Tortilla variant of Babuk ransomware. As a result of the operation, the threat actor’s decryptor tool was obtained and cybersecurity researchers were able to analyze it, recover the decryption key and create a public decryptor to share with victims.

The arrest and subsequent development of a decryptor is significant as the Tortilla variant had been resistant to other public decryptors available for Babuk ransomware. The Babuk code was leaked in 2021 and has been causing headaches ever since, as cybercriminals can relatively easily create minor variations to produce an endless stream of novel ransomware payloads, including many variants that are being used to attack Linux and VM ESXi servers as well as Windows systems.

The Tortilla variant appeared shortly after the Babuk code leak, and was soon seen infecting victims in the UK, Finland, Germany, Thailand and Ukraine. Tortilla campaigns initially used a chain of vulnerabilities in Microsoft Exchange Server known as ProxyShell to compromise victims. The ransomware takes its name from the name of the original payload, tortilla.exe.

Developers at Avast have now added the Tortilla keys to the generic Babuk ransomware decryptor. Victims needing to unlock files encrypted by Tortilla can download the free Babuk decryptor from NoMoreRansom.

The increasing availability of decryptor tools, along with organizations learning the lesson of ensuring they have offline backups after high-profile ransomware outbreaks like WannaCry and NotPetya, spurred many threat actors to shift tactics toward double extortion, and in some case, to simply demand ransoms for stolen data without encryption at all – a reminder that while decryptors can be helpful and backups are a must-have for all kinds of potential data loss or outage reasons, a strong prevention policy remains essential.

The Bad | AI Chat Assistant Hacked, Gifting Access and Exposing Data

Concerning news around the safety of AI digital assistants emerged this week as researchers claim to have infiltrated an AI chatbot used by fast food franchises for hiring. AI chatbot outfit Chattr apparently fell victim to a security breach exposing sensitive data including personal information of job applicants and internal details of several fast food chains.

Researchers say they gained unauthorized access to Chattr’s management portal

Researchers say they discovered a vulnerability in Chattr after using a script to search for exposed Firebase credentials, a common backend platform for apps. This led to a Firebase configuration linked to fast food chain KFC, revealing a tranche of data including personal details and internal communications.

Using a tool named Firepwn, the researchers gained further access to the Chattr system, including an administrative dashboard that provided control over job application approvals and rejections for various organizations, including other prominent fast food chains Chick-fil-A and Subway.

The researchers say they were able to view conversations between job applicants and Chattr’s bot, make decisions on the candidates’ applications, and access sensitive company information, including:

  • billing information
  • plaintext passwords
  • phone numbers
  • resumes
  • emails
  • full application conversation
  • candidate notes
  • profile pictures
  • addresses
  • all notifications
  • company phone numbers
  • payment information

KFC reportedly said that a lone franchisee had independently contracted with Chattr and the company had no other associations with the digital assistant provider. Chattr apparently fixed the issue the following day after it was reported without much acknowledgment, according to one of the researchers.

At present, there is no indication that the vulnerability was exploited to cause harm. However, as many organizations move to rapid adoption of AI technologies and digital assistants, the incident highlights the importance of ensuring that robust security measures are in place to protect sensitive data.

The Ugly | Chinese Threat Actors Exploit Zero Days in Enterprise VPN Products

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog this week in light of reports that Chinese threat actors have been actively exploiting two zero-day flaws in the Ivanti Connect Secure and Policy Secure VPN products.

Researchers say that CVE-2023-46805 and CVE-2024-21887 can be chained together to achieve unauthenticated command execution on ICS devices exposed to the public internet. The first of the two CVEs is an authentication bypass that allows remote access to restricted resources by bypassing control checks. The second is a command injection vulnerability that allows an authenticated administrator to send specially crafted requests that execute arbitrary commands on the device.

In one observed incident, threat actors used the bugs to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance”. Researchers were alerted to the zero days after finding that logs of an ICS VPN had been wiped and logging disabled. Further inspection of the compromised device revealed suspicious outbound and inbound communication from its management IP address.

Importantly, CVE-2023-46805 and CVE-2024-21887 affect all supported versions and no patches are available as yet. According to Ivanti, software updates are expected around the week of January 22. In the meantime, Ivanti customers are advised to apply workarounds described in their advisory.

This isn’t the first time the product, formerly known as Pulse Secure, has been targeted by APT actors. Chinese and Russian actors conducted extended campaigns targeting Covid-19 research during the pandemic thanks to CVE-2019-11510, a bug that was patched but also added to CISA’s KEV catalog due to the number of incidents that continued to occur.

Decrypting SentinelOne Cloud Detection | The Application Control Engine in Real-Time CWPP

In the third installment of the Detection Engine blog series, we examine the Application Control Engine, one of five detection engines which work together as part of our cloud workload protection platform (CWPP) to detect and block runtime threats impacting cloud workloads. (The first and second blog posts discuss the Static AI Engine and Behavioral AI Engine, respectively.)

Application Control Engine 101

SentinelOne’s Application Control Engine is a highly specialized drift prevention engine within our real-time CWPP agent that is focused on preserving immutability of containers and virtual machines (VMs). It accomplishes this by detecting any binaries or scripts created and executed after the VM or container starts. Stated another way, the Application Control Engine ensures that only executables from the original container image run in the workload instance.

Originally, the engine was designed to protect immutability of containerized workloads running within Kubernetes and other container orchestration systems such as Hashicorp Nomad and AWS ECS. However, the cloud security innovators at SentinelOne expanded the scope to include Linux VMs. In short, the Application Control Engine reduces the attack surface of your immutable container architecture.

Gain Immutable Protection

Most often, the set of executables and scripts found within a running container do not deviate from those of the original container image from which the container was instantiated. This fact offers a big advantage to security teams in that if rogue executables or scripts suddenly appear within a container that is supposed to be immutable, it’s a telltale sign that the container may have been compromised.

Attackers often use custom scripts or executables to automate the work of finding vulnerabilities that allow for privilege escalation or lateral movement. With SentinelOne’s Application Control Engine enabled, these types of attack tools are trivial to identify and prevent.

The functionality is largely based on timestamps, and so requires very little operational overhead. It is easily enabled or disabled in policy. When a new container is instantiated, Singularity Cloud Workload Security (CWS), SentinelOne’s real-time CWPP solution, denotes its timestamp.

From that point forward, CWS compares the timestamp of any file from which a process is spawned against the container’s instantiation timestamp. If the timestamp of the file is more recent than that of the container, we can infer that the file was not in the original container image. In this case, the Application Control Engine will log an incident to the management console and, if configured in policy which the customer controls, prevent the process from running.

On the other hand, if the timestamp of a file precedes the container’s instantiation timestamp, the Application Control check is satisfied and the process is allowed to start. Moreover, any activities from this process are still monitored by the other Static and Behavioral Engines within the autonomous, real-time CWPP agent. As previously mentioned, our five CWPP detection engines each work to complement the other.

Monitoring and preserving immutability with the Application Control Engine is a big win for cloud security practitioners and DevOps alike. It greatly simplifies the identification of anomalous activity, and there is very little operational overhead to maintain it.

Benefit from Maximum Agility

Compared to cumbersome application allowlisting methods of legacy security products, with the Application Control Engine there is:

  • No pre-deployment scanning
  • No ML training periods, waiting on an algorithm to “learn” what’s in a given image
  • No list of paths/executables to maintain.

Pre-deployment scans for legacy solutions create an allowlist of expected processes. While this approach ensures that a container will always run with a predefined set of processes, it adds the overhead of allowlist management.

Training periods for machine-learning algorithms mean the ML learns the expected behavior of a container over time, usually in a sandbox and before pushing to production. This approach automatically creates an allowlist, but its effectiveness depends upon the training period duration. Set the training period too low and risk a large number of false positives. Conversely, setting it too high causes long delays when trying to release code to production. This is the very opposite of agility.

The Application Control Engine circumvents the shortcomings of legacy solutions: no allowlists to create and maintain, and no ML training periods to slow you down.

The Advantages of Operational Flexibility

Should you have containers that do change (in controlled and predictable ways) within your environment, exclusions can be applied to accommodate these variances. The classic example of a container that is mutable by nature is a build system like Jenkins, used to build software from source code. Build systems often have pipeline steps that pull code from remote repositories and build executables from that code.

These build steps can cause “false positives” for Application Control because new executables and scripts are being executed in containers whose images did not originally contain them. However, it is both desired and expected that these files be allowed to run.

To allow for this scenario, SentinelOne’s Exclusion feature can be used to exclude files and directories (and optionally their subdirectories) from inspection. This allows for the “known-mutable” areas of a container to function as desired while the rest of the container’s immutability is enforced.

Extending to VMs

As previously mentioned, although originally designed for containerized workloads, the Application Control Engine has been extended to Linux VMs. An example use case is for Amazon Auto Scaling Groups, in which Amazon EC2 instances are created from Amazon Machine Images (AMIs) in response to increased workload demand.

Once an EC2 instance is instantiated, it is extremely uncommon that one would run yum/apt to install and update packages or load scripts on these live production hosts. Rather, should an update be necessary, the AMI itself would be modified to include the desired packages, scripts, etc. When the new AMI is ready for deployment, DevOps engineers update the machine image version (tag) to point to the newly updated machine image.

From then on, any new VMs (EC2) within the Auto Scaling Group will be created from the updated AMI, and VMs on the outdated AMI decommissioned. This DevOps process promotes uniformity, repeatability, and scalability.

Example: Cryptomining Malware

Let’s extend the explanation of the VM use case to a common threat vector – cryptominers. While the use of cryptomining malware ebbs and flows with the price of Bitcoin, it pays to be prepared to protect your infrastructure from being used by unwelcome guests. After all, they keep the Bitcoin, and you keep the cloud compute bill.

Assume for this example that a threat actor has obtained access credentials to an EC2 compute cluster. The threat actor then simply remote shells to the VM, downloads a crypto miner, makes the file executable, and executes. These steps are easily scripted and launched with a single command line.

Here is what the detection looks like in the SentinelOne management console.

CWPP Agent Detection of Cryptomining Malware

As shown in the image above, the Application Control Engine was not the only engine to trigger a detection. Even so, it’s all consolidated in a single alert. The AI within the agent has assessed a confidence level of MALICIOUS to this detection. The path to the cryptominer – in this case, xmrig – is shown, along with command line arguments, Storyline™ identifier and more. On the right hand side under THREAT INDICATORS, the detection has automatically been mapped to a MITRE TTP. Together, these details help streamline investigation of the detection.

Note that the incident is shown as NOT MITIGATED. This is because the agent policy is set to Detect Mode (as shown). Had the policy been set to Protect Mode, the incident would have automatically triggered a response action. In this example, however, the information is laid out intuitively, and the cloud security engineer can easily initiate remediation with a single click, while also notifying the DevOps owner of the incident so that root cause (credential compromise) can be addressed.
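To make the mechanics concrete, here is a small model of the logic this post describes: the file timestamp compared against the workload’s instantiation time, exclusions for known-mutable directories, and the Detect versus Protect policy outcome, run through the cryptominer scenario above and a Jenkins-style build container. This is an added illustration, not SentinelOne’s implementation; the workload names, paths, timestamps and command lines are constructed.

```python
"""Model of the timestamp-based drift check described in the post.
Added illustration only; all names, paths and times are constructed."""
from dataclasses import dataclass, field
import posixpath


@dataclass
class Exclusion:
    """A directory excluded from inspection, optionally including its subdirectories."""
    path: str
    recursive: bool = False

    def covers(self, file_path):
        if file_path == self.path or posixpath.dirname(file_path) == self.path:
            return True
        return self.recursive and file_path.startswith(self.path.rstrip("/") + "/")


@dataclass
class WorkloadPolicy:
    mode: str = "detect"                      # "detect" logs only; "protect" also blocks
    exclusions: list = field(default_factory=list)


@dataclass
class Workload:
    name: str
    instantiated_at: float                    # epoch seconds when the container/VM started
    policy: WorkloadPolicy
    incidents: list = field(default_factory=list)

    def on_exec(self, file_path, file_mtime, cmdline):
        """Decide whether a process spawned from file_path may run.
        Returns 'allowed', 'detected' or 'blocked'."""
        if any(ex.covers(file_path) for ex in self.policy.exclusions):
            return "allowed"                  # known-mutable area, not inspected
        if file_mtime <= self.instantiated_at:
            return "allowed"                  # file predates start: part of the image
        # The file is newer than the workload itself, so it was not in the original image.
        verdict = "blocked" if self.policy.mode == "protect" else "detected"
        self.incidents.append({"workload": self.name, "path": file_path,
                               "cmdline": cmdline, "mitigated": verdict == "blocked"})
        return verdict


def cryptominer_scenario(mode):
    """The VM example from the post: a miner dropped after boot on an ASG instance."""
    boot = 1_700_000_000.0
    vm = Workload("web-asg-i-0123", boot, WorkloadPolicy(mode=mode))
    results = [
        vm.on_exec("/usr/sbin/nginx", boot - 86_400, "nginx -g 'daemon off;'"),  # baked into AMI
        vm.on_exec("/tmp/xmrig", boot + 3_600, "/tmp/xmrig -c config.json"),     # dropped post-boot
    ]
    return results, vm.incidents


def build_container_scenario():
    """Jenkins-style container: artefacts under the workspace are excluded, nothing else is."""
    start = 1_700_000_000.0
    policy = WorkloadPolicy(mode="protect",
                            exclusions=[Exclusion("/var/jenkins_home/workspace", recursive=True)])
    agent = Workload("jenkins-agent", start, policy)
    return [
        agent.on_exec("/var/jenkins_home/workspace/app/build/app", start + 600, "./build/app --test"),
        agent.on_exec("/tmp/helper.sh", start + 600, "sh /tmp/helper.sh"),
    ]


if __name__ == "__main__":
    for mode in ("detect", "protect"):
        results, incidents = cryptominer_scenario(mode)
        print(mode, results, incidents)
    print("build container:", build_container_scenario())
```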

Conclusion

The Application Control Engine is yet another of the detection engines integral to SentinelOne’s real-time CWPP. Originally designed to preserve immutability of containerized workloads, it also protects Linux VMs.

To learn more about the value of real-time CWPP in your cloud security stack, head over to the solution homepage, or see how Singularity Cloud Workload Security works with a 2-minute guided walk-through here. And of course, whenever you are ready, you may connect with one of our cloud security experts for a personalized demo.

EBook: A Cloud Workload Protection Platform Buyer’s Guide
The Cloud Workload Protection Platform Buyer’s Guide is designed to walk you through key considerations when buying cloud workload solutions. We hope it helps to bring clarity to your evaluation and selection process.

Here’s Some Bitcoin: Oh, and You’ve Been Served!

A California man who lost $100,000 in a 2021 SIM-swapping attack is suing the unknown holder of a cryptocurrency wallet that harbors his stolen funds. The case is thought to be the first in which a federal court has recognized the use of information included in a bitcoin transaction — such as a link to a civil claim filed in federal court — as reasonably likely to provide notice of the lawsuit to the defendant. Experts say the development could make it easier for victims of crypto heists to recover stolen funds through the courts without having to wait years for law enforcement to take notice or help.

Ryan Dellone, a healthcare worker in Fresno, Calif., asserts that thieves stole his bitcoin on Dec. 14, 2021, by executing an unauthorized SIM-swap that involved an employee at his mobile phone provider who switched Dellone’s phone number over to a new device the attackers controlled.

Dellone says the crooks then used his phone number to break into his account at Coinbase and siphon roughly $100,000 worth of cryptocurrencies. Coinbase is also named as a defendant in the lawsuit, which alleges the company ignored multiple red flags, and that it should have detected and stopped the theft. Coinbase did not respond to requests for comment.

Working with experts who track the flow of funds stolen in cryptocurrency heists, Dellone’s lawyer Ethan Mora identified a bitcoin wallet that was the ultimate destination of his client’s stolen crypto. Mora says his client has since been made aware that the bitcoin address in question is embroiled in an ongoing federal investigation into a cryptocurrency theft ring.

Mora said it’s unclear if the bitcoin address that holds his client’s stolen money is being held by the government or by the anonymous hackers. Nevertheless, he is pursuing a novel legal strategy that allows his client to serve notice of the civil suit to that bitcoin address — and potentially win a default judgment to seize his client’s funds within — without knowing the identity of his attackers or anything about the account holder.

In a civil lawsuit seeking monetary damages, a default judgment is usually entered on behalf of the plaintiff if the defendant fails to respond to the complaint within a specified time. Assuming that the cybercriminals who stole the money don’t dispute Dellone’s claim, experts say the money could be seized by cryptocurrency exchanges if the thieves ever tried to move it or spend it.

The U.S. courts have generally held that if you’re going to sue someone, you have to provide some kind of meaningful and timely communication about that lawsuit to the defendant in a way that is reasonably likely to provide them notice.

Not so long ago, you had to track down your defendant and hire someone to physically serve them with a copy of the court papers. But legal experts say the courts have evolved their thinking in recent years about what constitutes meaningful service, and now allow notification via email.

On Dec. 14, 2023, a federal judge in the Eastern District of California granted Dellone permission to serve notice of his lawsuit directly to the suspected hackers’ bitcoin address — using a short message that was attached to roughly $100 worth of bitcoin Mora sent to the address.

Bitcoin transactions are public record, and a transaction can carry a short, arbitrary message in one of its outputs. The message is stored using OP_RETURN, an opcode in Bitcoin’s scripting language that marks an output as provably unspendable and lets the sender attach a small amount of metadata (by long-standing default node relay policy, at most 80 bytes) that is then recorded permanently on the blockchain. The OP_RETURN output itself carries no value; the bitcoin sent to the recipient address travels in a separate output of the same transaction.

In the $100 bitcoin transaction Mora sent to the disputed bitcoin address, the OP_RETURN message read: “OSERVICE – SUMMONS, COMPLAINT U.S. Dist. E.D. Cal. LINK: t.ly/123cv01408_service,” which is a short link to a copy of the lawsuit hosted on Google Drive.
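To make the mechanism concrete, here is an added example (not code from the article, the court or any party to the case) that builds an OP_RETURN output around an ASCII rendering of the notice above, checks it against the classic relay limit and decodes it back, rejecting truncated or padded scripts. The opcode values are Bitcoin Script’s; the 80-byte data cap and 83-byte script limit are Bitcoin Core’s long-standing defaults, not consensus rules, and the sample message is a constructed approximation, not the exact on-chain bytes.

```python
"""
Build, check and decode a Bitcoin OP_RETURN output.

Added example; not code from the article, the court, or any party to the case.
Opcode values follow the Bitcoin Script encoding. The 80-byte data cap is the
long-standing Bitcoin Core relay default (datacarriersize), a policy rule, not
a consensus rule, and recent node versions have changed that default.
"""
import struct
from typing import Optional

OP_0 = 0x00
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_RETURN = 0x6A
DEFAULT_MAX_DATA = 80       # classic Bitcoin Core relay policy for OP_RETURN data
DEFAULT_MAX_SCRIPT = 83     # OP_RETURN + OP_PUSHDATA1 + length byte + 80 bytes

# Constructed sample: an ASCII rendering of the court notice quoted above
# (80 bytes; the exact bytes of the on-chain message are not reproduced here).
NOTICE = b"OSERVICE - SUMMONS, COMPLAINT U.S. Dist. E.D. Cal. LINK: t.ly/123cv01408_service"


def push_data(data: bytes) -> bytes:
    """Encode `data` as a minimal Script push (the form nodes require)."""
    n = len(data)
    if n == 0:
        return bytes([OP_0])                      # OP_0 pushes an empty vector
    if n <= 75:
        return bytes([n]) + data                  # opcode 1..75 = push n bytes
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + data
    raise ValueError("payload too large for any relayable OP_RETURN")


def build_op_return_script(data: bytes) -> bytes:
    """scriptPubKey for a provably unspendable data-carrier output."""
    return bytes([OP_RETURN]) + push_data(data)


def is_standard(script: bytes, max_script: int = DEFAULT_MAX_SCRIPT) -> bool:
    """Would a node with the classic default relay policy accept this output?"""
    return len(script) >= 1 and script[0] == OP_RETURN and len(script) <= max_script


def decode_op_return(script: bytes) -> Optional[bytes]:
    """Payload of an OP_RETURN script, or None if it is not one or is malformed."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""                                # bare OP_RETURN, no data
    op, i = script[1], 2
    if op <= 75:
        n = op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        n, i = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        n, i = struct.unpack("<H", script[2:4])[0], 4
    else:
        return None                               # not a push: not a data carrier
    payload = script[i:i + n]
    if len(payload) != n or i + n != len(script):
        return None                               # truncated, or trailing bytes
    return payload


def serialize_txout(script: bytes, value_sats: int = 0) -> bytes:
    """CTxOut wire format: 8-byte little-endian value, compact-size length, script.
    The data-carrier output carries 0 satoshis; any payment to the recipient
    address goes in a separate output of the same transaction."""
    if len(script) >= 0xFD:
        raise ValueError("compact-size lengths above 252 need a 0xFD prefix")
    return struct.pack("<q", value_sats) + bytes([len(script)]) + script
```

The constructed notice is exactly 80 bytes, so it needs OP_PUSHDATA1 (pushes above 75 bytes cannot use a direct push opcode) and the resulting 83-byte script sits right at the classic limit; one more byte and a default node would refuse to relay the transaction, which is why a serving party should keep the link short and verify the script length before broadcasting.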

“The courts are adapting to the new style of service of process,” said Mark Rasch, a former federal prosecutor at the U.S. Department of Justice. “And that’s helpful and useful and necessary.”

Rasch said Mora’s strategy could force the government to divulge information about their case, or else explain to a judge why the plaintiff shouldn’t be able to recover their stolen funds without further delay. Rasch said it could be that Dellone’s stolen crypto was seized as part of a government asset forfeiture, but that either way there is no reason Uncle Sam should hold some cybercrime victims’ life savings indefinitely.

“The government doesn’t need the crypto as evidence, but in a forfeiture action the money goes to the government,” Rasch said. “But it was never the government’s money, and that doesn’t help the victim. The government should be providing information to the victims of cryptocurrency theft so that their attorneys can go get the money back themselves.”

Nick Bax is a security researcher who specializes in tracing the labyrinthine activity of criminals trying to use cryptocurrency exchanges and other financial instruments to launder the proceeds of cybercrime. Bax said Mora’s method could allow more victims to stake legitimate legal claims to their stolen funds.

“If you get a default judgment against a bitcoin address, for example, and then down the road that bitcoin gets sent to an exchange that complies with or abides by U.S. court orders, then it’s yours,” Bax said. “I’ve seen funds with a court order on them get frozen by the exchanges that decided it made sense to comply with orders from a U.S. federal court.”

Bax’s research was featured in a Sept. 2023 story here about how experts now believe it’s likely hackers are cracking open some of the password vaults stolen in the 2022 data breach at LastPass.

“I’ve talked to a lot of victims who have had life-changing amounts of money being seized and would like that money back,” Bax said. “A big goal here is just making civil cases more efficient. Because then people can help themselves and they don’t need to rely solely on law enforcement with its limited resources. And that’s really the goal: To scale this and make it economically viable.”

While Dellone’s lawsuit may be the first time anyone has obtained approval from a federal judge to use bitcoin to notify another party of a civil action, the technique has been used in several recent unrelated cases involving other cryptocurrencies, including Ethereum and NFTs.

The law firm DLA Piper writes that in November 2022, the U.S. District Court for the Southern District of Florida “authorized service of a lawsuit seeking the recovery of stolen digital assets by way of a non-fungible token or NFT containing the text of the complaint and summons, as well as a hyperlink to a website created by the plaintiffs containing all pleadings and orders in the action.”

In approving Dellone’s request for service via bitcoin transaction, the judge overseeing the case cited a recent ruling by a New York state trial court (the New York Supreme Court, New York County) in a John Doe case brought by victims seeking to unmask the crooks behind a $1.3 million cyberheist.

In the New York case, the state trial court found it was acceptable for the plaintiffs to serve notice of the suit via cryptocurrency transactions because the defendants regularly used the blockchain address to which the tokens were sent, and had recently done so. Also, the New York court found that because the account in question contained a significant sum of money, it was unlikely to be abandoned or forgotten.

“Thus the court inferred the defendants were likely to access the account in the future,” wrote Judge Helena M. March-Kuchta, for the Eastern District of California, summarizing the New York case. “Finally, the plaintiff had no alternative means of contacting these unknown defendants.”

Experts say regardless of the reason for a cryptocurrency theft or loss — whether it’s from a romance scam or a straight-up digital mugging — it’s important for victims to file an official report both with their local police and with the FBI’s Internet Crime Complaint Center (ic3.gov). The IC3 collects reports on cybercrime and sometimes bundles victim reports into cases for DOJ/FBI prosecutors and investigators.

The hard truth is that most victims will never see their stolen funds again. But sometimes federal investigators win minor victories and manage to seize or freeze crypto assets that are known to be associated with specific crimes and criminals. In those cases, the government will eventually make an effort to find, contact and in some cases remunerate known victims.

It might take many years for this process to unfold. But if and when they do make that effort, federal investigators are likely to focus their energies and attention on responding to victims who staked a claim and can support it with documentation.

But have no illusions that any of this is likely to happen in a timeframe that is meaningful to victims in the short run. For example, in 2013 the U.S. government seized the assets of the virtual currency Liberty Reserve, massively disrupting a major vehicle for laundering the proceeds of cybercrime and other illegal activities.

When the government offered remuneration to Liberty Reserve account holders who wished to make a financial loss claim and supply supporting documentation, KrebsOnSecurity filed a claim. There wasn’t much money in my Liberty Reserve account; I simply wanted to know how long it would take for federal investigators to follow up on my claim, or indeed if they would at all.

In 2020 KrebsOnSecurity was contacted by an investigator with the U.S. Internal Revenue Service (IRS) who was seeking to discuss my claim. The investigator said they would have called sooner, but that it had taken that long for the IRS to gain legal access to the funds seized in the 2013 Liberty Reserve takedown.

Cybersecurity’s Defining Moments | 7 Lessons from History’s Most Infamous Breaches

For CISOs and other experienced security leaders, understanding past incidents is crucial for preparing against future cyber threats. Delving into some of the most impactful cyberattacks in recent history can serve as a potent reminder of the diverse nature of cyber threats and the need for robust security measures.

In this post, we explore seven pivotal cybersecurity incidents, their impacts, and the invaluable lessons they offer to security leaders and organizations in fortifying their cyber defenses.

1 – Colonial Pipeline Ransomware Attack (2021)

The Colonial Pipeline ransomware attack in May 2021 stands as a stark moment that shows the very tangible impacts that cyber threats have on critical infrastructure. This incident not only disrupted digital operations but also had far-reaching consequences on fuel supply, affecting a substantial portion of the U.S. East Coast and causing widespread panic buying in the affected states.

What Happened?

The Colonial Pipeline, which carries roughly 45 percent of the East Coast’s fuel supply, was hit by ransomware operated by the DarkSide group. The intrusion began with a compromised password for a legacy VPN account that did not require multi-factor authentication. The ransomware encrypted data on the company’s IT network, and Colonial shut down pipeline operations itself as a precaution, because it could not immediately be sure the operational technology side was unaffected.

The immediate aftermath of the attack saw widespread fuel shortages and a spike in fuel prices. This scenario underscored the vulnerability of critical infrastructure to cyber threats and the domino effect such an attack can have on societal functioning.

In a move driven by urgency, the company paid a ransom of roughly $4.4 million (75 bitcoin) within hours of the attack. The following month, the U.S. Department of Justice announced it had seized about 63.7 of those bitcoin after obtaining the private key to the wallet holding them.

Impact on Cybersecurity Practices

The ransomware attack highlighted the pressing need for robust cybersecurity measures in sectors serving national infrastructure, emphasizing the importance of proactive defense strategies against ransomware.

As nations grapple with the escalating sophistication of cyber adversaries, the Colonial Pipeline incident reminds us of the need to collaborate on threat intelligence and invest in cyber resilience strategies to mitigate the potentially devastating fallout from attacks on critical infrastructure.

Industry Response & Learnings

Post-attack, there was a heightened awareness across industries regarding the susceptibility of critical infrastructure to cyber threats. The incident catalyzed initiatives to strengthen cybersecurity protocols, including the TSA’s first mandatory cybersecurity directives for pipeline operators in May and July 2021, and it emphasized the importance of proactive defense measures (MFA on every remote-access path first among them) and contingency planning in the face of ransomware threats.

2 – SolarWinds Supply Chain Attack (2020)

The SolarWinds breach highlighted an attack vector that many organizations had overlooked: compromise through trusted software vendors. It was a sophisticated attack on the software supply chain that reached organizations worldwide, including several U.S. government agencies.

What Happened?

State-sponsored hackers infiltrated the build environment for SolarWinds’ Orion IT monitoring and management software. Rather than touching the source repository, they injected malicious code, “SUNBURST”, at build time, so the compromised DLL shipped inside legitimate, validly signed Orion updates and spread quietly to a vast network of users.

The SUNBURST malware exhibited operational cunning by remaining dormant for up to about two weeks after installation. This delay, vital for evading detection in the window when a new update draws the most scrutiny, underscores the necessity of extended log retention to identify latent threats. Once active, SUNBURST checked the host against a blocklist of specific processes, services and drivers belonging to security and analysis tools. If it found them it stayed dormant or terminated, a self-preservation mechanism ensuring its longevity in targeted environments.

The malware’s design was remarkably sophisticated, disguising its command-and-control traffic as the Orion Improvement Program protocol the product already spoke, so it blended in with normal SolarWinds traffic. The attackers, post-infiltration, focused on reconnaissance rather than immediate data exfiltration or disruption. They moved laterally across networks, identifying and collecting information on high-value targets, and escalated privileges for broader access where it suited them.

Impact on Cybersecurity Practices

The SolarWinds attack increased awareness of the need to defend the digital supply chain. Its significance lies in the fact that threat actors, by compromising a trusted vendor, could gain unprecedented access to a multitude of organizations. The consequences of supply chain attacks ripple outward, triggering a reassessment of third-party relationships, an emphasis on supply chain security, and a recognition that defending against such attacks requires a collective and coordinated effort.

Industry Response & Learnings

The breach necessitated a reassessment of cybersecurity practices, especially in software development and supply chain security. It highlighted the need for better monitoring of network behavior and the importance of rigorous code auditing and validation processes.

In response to the attack, the cybersecurity industry heightened its focus on advanced threat detection mechanisms. It highlighted the need for behavioral detection that can recognize malicious behavior regardless of whether a process is nominally ‘trusted’ or carries a known digital certificate. The collective industry effort aimed not only at technical solutions but also at a reimagined approach to supply chain security and intelligence sharing.
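As an added example (not SentinelOne’s, SolarWinds’ or any incident responder’s code), the following Python applies that idea to constructed EDR-style events: it treats the code signature as context rather than a trust signal, and flags a binary that stays quiet after installation and then resolves an unfamiliar, encoded-looking hostname. The event format, hosts, paths, signer and domains are all made up, and the thresholds are assumptions to tune per fleet.

```python
"""
Behavioural detection over constructed EDR-style events.

Added example; not SentinelOne's or SolarWinds' code. The event format,
hostnames, image paths, signer names and domains are all made up. The rules
mirror the SUNBURST traits described above (a long quiet period before the
first beacon, a domain the fleet has never contacted, encoded-looking hostname
labels) but are generic and use none of that campaign's real indicators.
"""
import json
import math
from datetime import datetime, timedelta

DORMANT_DAYS = 7        # signed binary silent this long, then talks out
MIN_LABEL_LEN = 16      # encoded or DGA labels tend to be long ...
MIN_ENTROPY = 3.5       # ... and high-entropy (bits per character)

# Domains this fleet has legitimately contacted before (constructed baseline).
FLEET_BASELINE = {"updates.vendor.example", "telemetry.vendor.example"}

# Constructed events: the same signed monitoring agent on two hosts. On h1 it
# behaves; on h2 it is quiet for 13 days, then resolves an encoded-looking
# name under a domain nobody in the fleet has ever contacted. Events must be
# in time order per host.
_AGENT = "C:\\Program Files\\Vendor\\agent.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2020-03-26T10:00:00Z", "host": "h1", "type": "process_start", "image": _AGENT, "signer": "Vendor Corp"},
    {"ts": "2020-03-26T10:00:05Z", "host": "h1", "type": "dns", "image": _AGENT, "signer": "Vendor Corp",
     "query": "updates.vendor.example"},
    {"ts": "2020-03-26T10:00:00Z", "host": "h2", "type": "process_start", "image": _AGENT, "signer": "Vendor Corp"},
    {"ts": "2020-04-08T11:30:00Z", "host": "h1", "type": "dns", "image": _AGENT, "signer": "Vendor Corp",
     "query": "updates.vendor.example"},
    {"ts": "2020-04-08T11:30:00Z", "host": "h2", "type": "dns", "image": _AGENT, "signer": "Vendor Corp",
     "query": "x7f3k9qz2m4plw8v1hq0.appsync.cdn-host.example"},
])


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score well above English."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def registrable(domain: str) -> str:
    """Crude registrable-domain cut (last two labels). Real code should use
    the public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def analyze(event_lines: str, baseline=FLEET_BASELINE) -> list:
    known = {registrable(d) for d in baseline}
    first_start, seen_dns, findings = {}, set(), []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key, ts = (ev["host"], ev["image"]), parse_ts(ev["ts"])
        if ev["type"] == "process_start":
            first_start.setdefault(key, ts)
            continue
        if ev["type"] != "dns":
            continue
        reasons = []
        # Rule 1: first-ever outbound lookup long after install (dormancy).
        if key not in seen_dns:
            seen_dns.add(key)
            start = first_start.get(key)
            if start is not None and ts - start >= timedelta(days=DORMANT_DAYS):
                reasons.append(f"first outbound DNS {(ts - start).days}d after install")
        # Rule 2: a domain this fleet has never talked to.
        if registrable(ev["query"]) not in known:
            reasons.append("domain never seen in fleet baseline")
        # Rule 3: leftmost label looks encoded (long and high-entropy).
        label = ev["query"].split(".")[0]
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
            reasons.append(f"encoded-looking label (H={shannon_entropy(label):.2f} bits/char)")
        if reasons:
            if ev.get("signer"):
                reasons.append(f"binary is signed by '{ev['signer']}'; the signature is context, not a control")
            findings.append({"host": ev["host"], "image": ev["image"], "query": ev["query"], "reasons": reasons})
    return findings
```

Run on the constructed events, only the h2 copy of the agent is reported, with all three behavioural reasons plus a note that it is signed. That is the point: the signed, trusted image and the rogue one are the same file on disk, and only what it does after installation separates them.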

3 – NotPetya Malware (2017)

In 2017, organizations across the world were impacted by NotPetya, a malware initially masquerading as ransomware. However, its true design was far more sinister. It aimed at inflicting widespread damage rather than financial gain. NotPetya’s global impact was profound, affecting a diverse array of organizations from banks to shipping firms, and even disrupting the Chernobyl nuclear power plant’s radiation monitoring system.

What Happened?

NotPetya’s deceptive appearance as ransomware belied its actual purpose – to cause disruption on an unprecedented scale. Unlike typical ransomware, which locks up data for ransom, NotPetya was programmed for destruction. It quickly propagated globally, exploiting vulnerabilities in commonly used software.

The attack’s global footprint was vast, indiscriminately hitting organizations across different sectors. The financial ramifications were staggering, with the total cost of the attack estimated to exceed $10 billion. This figure reflects not just the immediate disruption caused but also the long-term operational and reputational damages incurred by affected entities.

NotPetya’s initial vector was a poisoned update of M.E.Doc, a Ukrainian tax-accounting package, a supply-chain entry point in its own right. Inside a network it spread with the EternalBlue exploit for the same SMBv1 flaw WannaCry had used two months earlier (MS17-010) and, more effectively, by harvesting Windows credentials from memory and reusing them over PsExec and WMI, which let it cross fully patched hosts. Its payload overwrote the master boot record and encrypted the master file table. Because the “installation key” shown in the ransom note was random and unrelated to the encryption key, paying could never yield a decryptor: affected systems were inoperable and the data irretrievable by design.

Impact on Cybersecurity Practices

This incident prompted a reevaluation of cybersecurity practices and highlighted the urgent need for improved global cooperation to prevent and respond to such similar activities in the future.

Industry Response & Learnings

The NotPetya malware outbreak showed the destructive potential of state-sponsored cyber attacks. Attributed to Russian military hackers, NotPetya targeted Ukrainian infrastructure but later morphed into a global menace. Its significance lies in the realization that cyber weapons can have unintentional consequences. NotPetya demonstrated the potential for cyber tools to transcend borders and impact organizations irrespective of geographical boundaries.

The attack alerted cybersecurity and infosec professionals of the potential for cyber weapons to cause real-world havoc. In response, there was a significant shift in the cybersecurity paradigm, with an increased emphasis on protecting against such destructive malware. This incident underscored the need for rigorous vulnerability management and the implementation of robust, multi-layered cybersecurity defenses.

4 – WannaCry Ransomware Attack (2017)

For those working in infosec in 2017, the WannaCry ransomware attack was likely a day that they will never forget. The attack caused a global crisis that exposed the vulnerability of unpatched systems and the potential for rapid, widespread disruption. Infecting over 200,000 computers across 150 countries, the ransomware exploited a critical vulnerability in Microsoft Windows. What set WannaCry apart was its indiscriminate nature, affecting organizations ranging from healthcare institutions to government agencies and businesses.

What Happened?

WannaCry’s modus operandi was both aggressive and effective. It leveraged a vulnerability in Microsoft’s implementation of version 1 of the Server Message Block (SMB) protocol. This bug, CVE-2017-0144, allowed an unauthenticated attacker to execute arbitrary code on any reachable system with SMBv1 exposed, using the “EternalBlue” exploit published by the Shadow Brokers in April 2017. This capability made it possible for WannaCry to propagate rapidly across networks as a worm, infecting computers and encrypting files without any user interaction.

Microsoft had in fact released a patch for the vulnerability (security bulletin MS17-010) on March 14, 2017, approximately two months before WannaCry began spreading on May 12 of that year. However, the rapid spread of WannaCry was largely attributed to the fact that many organizations had not applied the patch, leaving a significant number of systems vulnerable.
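The propagation pattern described for NotPetya above and for WannaCry here is the same at the network layer: one internal host opening SMB (TCP/445) to many internal peers in quick succession. The added example below (not code from the article or any vendor) detects that fan-out over constructed flow records; the log format, addresses, internal range, window and threshold are all assumptions.

```python
"""
Worm-style SMB fan-out detector over constructed flow records.

Added example; not code from the article or from any vendor. Flow format,
addresses, window and threshold are constructed assumptions. The rule (one
internal source opening TCP/445 or 139 to many distinct internal peers in a
short window) is a generic lateral-movement signal that the MS17-010 spread
of both WannaCry and NotPetya would have tripped.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
WINDOW = timedelta(minutes=2)
FANOUT_THRESHOLD = 10                               # distinct internal peers per WINDOW
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate range


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def _flow(ts, src, dst, dport=445, proto="tcp"):
    """One constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} {dst} {proto} {dport}"


_t0 = datetime(2017, 5, 12, 8, 0, 0)
_lines = []
# 15 workstations reading from one file server: many sources, one destination.
# That is normal SMB and must not alert.
for _i in range(15):
    _lines.append(_flow(_t0 + timedelta(seconds=_i), f"10.0.1.{100 + _i}", "10.0.1.5"))
# One workstation walking its own /24 on 445, a new peer every second: the
# shape of a worm looking for the next vulnerable host.
for _i in range(1, 13):
    _lines.append(_flow(_t0 + timedelta(seconds=30 + _i), "10.0.2.77", f"10.0.2.{_i}"))
# Outbound 445 to the internet is a different problem; this rule ignores it.
_lines.append(_flow(_t0 + timedelta(seconds=60), "10.0.2.77", "203.0.113.9"))
SAMPLE_FLOWS = "\n".join(_lines)


def detect_smb_fanout(lines: str, threshold: int = FANOUT_THRESHOLD,
                      window: timedelta = WINDOW) -> list:
    """Return one alert per source that reaches `threshold` distinct internal
    SMB peers within `window`. Input must be in time order (sort first if not)."""
    recent = defaultdict(deque)             # src -> deque[(ts, dst)] inside window
    alerted, alerts = set(), []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                        # malformed record: skip, do not crash
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        src, dst, proto, dport = parts[1], parts[2], parts[3], int(parts[4])
        if proto != "tcp" or dport not in SMB_PORTS:
            continue
        if not (is_internal(src) and is_internal(dst)):
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold and src not in alerted:
            alerted.add(src)                # alert once per source, not per flow
            alerts.append({"src": src, "peers": len(peers), "at": ts, "since": q[0][0]})
    return alerts
```

On the constructed data the file server’s fan-in never alerts and the sweeping workstation is reported at its tenth distinct peer, about ten seconds into the sweep. In production, allowlist the hosts that legitimately do this (vulnerability scanners, SCCM or other software-distribution servers) and pair the alert with MS17-010 patch status so responders know which of the contacted peers were actually exposed.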

The attack indiscriminately targeted a range of sectors, causing severe disruptions in healthcare systems and manufacturing plants. Hospitals found their digital systems locked, impeding access to patient records and essential services. In the manufacturing sector, production lines were halted, leading to operational delays and financial losses.

Impact on Cybersecurity Practices

The WannaCry attack prompted an immediate and concerted response from cybersecurity professionals and organizations worldwide. Efforts to contain the spread included deploying security patches, isolating infected systems, blocking SMB at network boundaries, and, famously, a researcher’s registration of the hard-coded “kill switch” domain the malware checked before running, which halted the original variant’s spread. This incident also accelerated the development and adoption of advanced threat detection and response capabilities, emphasizing the importance of timely patch management and proactive cybersecurity measures.

Industry Response & Learnings

The WannaCry attack was a wake-up call for organizations to prioritize cybersecurity hygiene and timely software updates. Its impact extended beyond financial losses, raising awareness of the importance of securing digital infrastructures. The attack also spurred increased collaboration between governments and the private sector to enhance cybersecurity measures.

WannaCry highlighted the interconnectedness of global cyber threats, emphasizing the need for a collective, proactive approach to cybersecurity. As a cautionary tale, WannaCry serves as a reminder that cybersecurity is a shared responsibility, urging organizations and individuals alike to fortify their defenses against evolving ransomware threats.

5 – Equifax Data Breach (2017)

The world witnessed one of the largest breaches of personal data when Equifax, a major consumer credit reporting agency, reported a data breach. To this day, the Equifax breach is an example of the staggering scale and potential consequences of lax data security practices.

What Happened?

Attackers exploited a vulnerability, CVE-2017-5638, in the Apache Struts web application framework, which allowed unauthenticated remote code execution on Equifax’s public-facing dispute portal. Apache had published a fix (Struts 2.3.32 and 2.5.10.1) in early March 2017; the attackers first got in around May 13, 2017, about two months later, and were not detected until late July. From that foothold they navigated the network and gained access to files containing personal information of over 147 million individuals, making it one of the most consequential breaches in history. The breach was not just extensive in terms of the number of affected individuals but also in the sensitivity of the data compromised, which included Social Security numbers, names, addresses, and birth dates. Additionally, credit card numbers for approximately 209,000 consumers were also accessed.
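Two checks a team could have run at the time, as an added example (not Equifax’s, Apache’s or SentinelOne’s code): a version test against the affected ranges from the Apache S2-045 advisory, and a request-log scan for the bug’s signature, an OGNL expression placed in the Content-Type header, which the Jakarta Multipart parser echoed into an error message and evaluated. The dependency coordinates and log lines are constructed, and the probe headers are synthetic markers, not a working payload.

```python
"""
Two checks for the Apache Struts bug exploited at Equifax (CVE-2017-5638).

Added example; not Equifax's, Apache's or SentinelOne's code. The dependency
list and request log below are constructed. Affected version ranges come from
the Apache Struts S2-045 advisory (fixed in 2.3.32 and 2.5.10.1). The header
check looks for the bug's signature, an OGNL expression in the Content-Type
header; the probe strings here are synthetic markers, not a payload.
"""
import re
from urllib.parse import unquote

# [first affected, first fixed) per Struts line, from S2-045.
AFFECTED_RANGES = [("2.3.5", "2.3.32"), ("2.5.0", "2.5.10.1")]


def parse_version(s: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); padded so '2.5.10' sorts below '2.5.10.1'."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable_struts(version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Constructed Maven-style coordinates, as a software-composition scan lists them.
SAMPLE_DEPENDENCIES = [
    "org.apache.struts:struts2-core:2.3.31",
    "org.apache.struts:struts2-core:2.5.10.1",
    "org.apache.commons:commons-lang3:3.5",
]


def find_vulnerable_struts(coords) -> list:
    hits = []
    for c in coords:
        group, artifact, version = c.split(":")
        if group == "org.apache.struts" and artifact == "struts2-core" and is_vulnerable_struts(version):
            hits.append(c)
    return hits


# Markers that have no business in a Content-Type value: OGNL expression
# delimiters and the context objects exploits reach for.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|@ognl\.|#context\b", re.I)


def suspicious_content_type(value: str) -> bool:
    """True if a Content-Type value carries an OGNL expression. Tries the raw
    value plus one and two rounds of percent-decoding, since scanners vary."""
    once = unquote(value)
    return any(OGNL_MARKERS.search(c) for c in (value, once, unquote(once)))


# Constructed request log: <client> <method> <path> "Content-Type: <value>"
SAMPLE_LOG = """
198.51.100.7 POST /upload "Content-Type: multipart/form-data; boundary=----abc"
203.0.113.44 POST /index.action "Content-Type: %{(#probe='x').(#y=1)}"
192.0.2.10 POST /login "Content-Type: application/x-www-form-urlencoded"
203.0.113.44 GET /showcase/ "Content-Type: %25%7B(%23x%3D1)%7D"
""".strip()

_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "Content-Type: (.*)"$')


def scan_request_log(lines: str) -> list:
    hits = []
    for line in lines.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, method, path, ct = m.groups()
        if suspicious_content_type(ct):
            hits.append({"client": client, "method": method, "path": path, "content_type": ct})
    return hits
```

Both checks are cheap enough to run continuously: the version check belongs in the build pipeline so a vulnerable struts2-core cannot ship, and the header check belongs at the WAF or in log analytics, where the double-encoded probe in the sample shows why decoding before matching matters. Neither replaces patching; Equifax’s exposure window was the two months between the advisory and the intrusion.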

The leak of highly sensitive personal data opened the floodgates to potential identity theft and financial fraud, impacting millions of individuals not just momentarily but potentially for years to come. The breach raised alarm bells about the security measures employed by large corporations handling sensitive personal data.

It also brought to light the risks associated with centralized data collection and storage practices. The aftermath of the breach saw widespread public concern, a loss of trust in Equifax, and led to questions about the adequacy of existing data protection laws and regulations.

Impact on Cybersecurity Practices

Beyond the immediate financial losses and identity theft risks faced by the affected individuals, the breach prompted a reevaluation of data protection standards. It highlighted the need for organizations to prioritize robust cybersecurity measures, secure sensitive information, and promptly disclose breaches to affected parties. The Equifax breach catalyzed discussions around consumer privacy, spurring legislative efforts to enhance data security regulations.

Industry Response & Learnings

The Equifax breach highlighted the need to safeguard personal data not just as a corporate responsibility but as a societal imperative, pushing both businesses and policymakers to elevate their commitment to cybersecurity in an era of escalating digital threats.

The breach precipitated a significant shift in how personal data is managed and protected. It led to an increased emphasis on robust identity cybersecurity, data protection policies, and regulatory compliance.

In the wake of the breach, there was a concerted effort across industries to strengthen defenses against such vulnerabilities, including implementing advanced encryption, regular security audits, and comprehensive data privacy frameworks.

6 – Sony Pictures Hack (2014)

The cyberattack on Sony Pictures Entertainment intertwines digital vulnerability with international politics. The attack led to a massive leak of sensitive company data, including unreleased films, confidential employee information, and private executive emails. This breach not only had major implications for Sony’s operations and reputation but also brought to the fore the intersection between cybersecurity and ongoing geopolitical tensions.

What Happened?

Attributed to North Korean hackers, the attack was widely seen as a retaliatory act against Sony’s release of “The Interview,” a film that satirically depicted the fictional assassination of North Korea’s leader. The hackers infiltrated Sony’s network, exfiltrated large volumes of proprietary data and subsequently released it to the public. They also deployed destructive wiper malware that erased data and rendered thousands of Sony computers unusable, so the company was recovering operations at the same time as it was managing the leaks.

The leak resulted in financial losses due to the exposure of unreleased content, damage to Sony’s reputation owing to the disclosure of sensitive internal communications, and the personal impact on employees whose private data was exposed.

Impact on Cybersecurity Practices

The Sony Pictures hack prompted a swift and comprehensive response from the company, involving extensive forensic investigations and bolstered cybersecurity measures. It also led to a broader industry-wide discussion on the importance of protecting sensitive data against nation-state cyberattacks and the need for enhanced cyber defense strategies.

Industry Response & Learnings

The incident highlighted the potential weaponization of cyber attacks for political motives, signaling a paradigm shift in the landscape of cyber threats. Beyond financial losses and reputational damage, the hack underscored the vulnerability of major entertainment and media entities to state-sponsored cyber aggression.

Sony’s ordeal spurred a reassessment of cybersecurity strategies across industries, emphasizing the need for robust defenses against advanced persistent threats. It also prompted a reevaluation of the relationship between cybersecurity and freedom of expression in the face of state-sponsored cyber threats.

7 – Yahoo’s Data Breaches (2013 & 2014)

Yahoo fell victim to two separate intrusions, in 2013 and 2014, that together rank among the largest data breaches ever disclosed. The 2013 breach alone affected every one of the roughly 3 billion accounts that existed at the time (a count comparable to 40 percent of the world’s population then, although accounts are not people), exposing names, email addresses, hashed passwords, and security questions and answers.

What Happened?

In the 2013 breach, attackers stole a copy of Yahoo’s user database: names, email addresses, phone numbers, dates of birth, hashed passwords (MD5 for most accounts) and, in some cases, security questions and answers. Yahoo initially put the number of affected accounts at one billion and in October 2017 raised it to all three billion accounts that existed at the time.

The 2014 intrusion, which the U.S. Department of Justice later attributed to officers of Russia’s FSB and criminal hackers working with them, began with a spear-phishing email to a Yahoo employee. From there the attackers reached Yahoo’s internal network, took a copy of the user database covering roughly 500 million accounts and, crucially, the proprietary code Yahoo used to mint session cookies. With that code they could forge cookies and log in to accounts (about 32 million of them, through 2015 and 2016) without ever entering a password, which also meant a password reset did nothing to lock them out.
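What a forged cookie means in practice, as an added example (Yahoo’s actual cookie format and code were never published, so this is a generic HMAC-signed scheme, not theirs): cookies carry a key identifier and an issue time and are authenticated with HMAC-SHA256. Without the key, editing a cookie breaks the MAC; with a stolen key and knowledge of the format, an attacker can mint a valid cookie for any user and no password is involved. The only remedy is rotating the key and refusing everything issued before the rotation, which is the invalidation Yahoo had to perform. Key bytes, users and timestamps below are constructed.

```python
"""
Stateless session cookies signed with HMAC-SHA256, and what key rotation does.

Added example; Yahoo's cookie format and minting code were never published,
so this is a generic scheme, not theirs. Keys, users and timestamps are
constructed. The security property is only as strong as the secrecy of the
minting key: steal the key (or the minting code plus key) and you can mint a
valid cookie for any user with no password, until the key is rotated.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class CookieMinter:
    def __init__(self, key: bytes, key_id: str = "k1"):
        self.keys = {key_id: key}     # kid -> key; old keys may linger for rollover
        self.active = key_id
        self.not_before = 0           # cookies issued before this instant are dead

    def mint(self, user: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        payload = {"u": user, "iat": now, "kid": self.active, "n": _b64e(os.urandom(8))}
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
        tag = hmac.new(self.keys[self.active], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64e(tag)

    def verify(self, cookie: str, max_age: int = 30 * 86400,
               now: Optional[int] = None) -> Optional[str]:
        """User name if the cookie is authentic, unexpired and post-rotation; else None."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = cookie.split(".")
            payload = json.loads(_b64d(body))
            key = self.keys[payload["kid"]]           # unknown kid: rejected
            expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(sig)):   # constant time
                return None
            iat, user = int(payload["iat"]), str(payload["u"])
        except (ValueError, KeyError, TypeError):
            return None                               # malformed base64/json/shape
        if iat < self.not_before or now - iat > max_age:
            return None
        return user

    def rotate(self, new_key: bytes, new_id: str, now: Optional[int] = None,
               keep_old: bool = False) -> None:
        """Incident response: switch to a new key and reject every cookie issued
        before `now`. With keep_old=True the old key stays only so stragglers
        still parse; not_before kills anything minted before the rotation anyway."""
        now = int(time.time()) if now is None else now
        self.keys = dict(self.keys) if keep_old else {}
        self.keys[new_id] = new_key
        self.active = new_id
        self.not_before = now


def forge_without_key(cookie: str, new_user: str) -> str:
    """Attacker without the key: edit the payload, keep the old tag. The MAC
    no longer matches, so verify() rejects the result."""
    body, sig = cookie.split(".")
    payload = json.loads(_b64d(body))
    payload["u"] = new_user
    return _b64e(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig


def forge_with_stolen_key(key: bytes, key_id: str, user: str, now: int) -> str:
    """Attacker holding the key and the format: mints a cookie the server accepts
    for any user, which is the position the Yahoo attackers were in."""
    return CookieMinter(key, key_id).mint(user, now)
```

Two design points carry the lesson. The `kid` field is what makes rotation operationally possible, because the server can tell which key a cookie claims to be under without trial decryption; and the `not_before` cut-off is what actually ends the incident, since a stolen key can otherwise keep minting cookies that verify perfectly. Short `max_age` limits how long any one forged cookie is useful; it does not substitute for rotation.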

Importantly, disclosure of the breaches did not occur until late 2016 and the full impact took until October 2017 to be fully understood. The delay not only compounded the risks associated with the breach but also raised serious questions about corporate responsibility and transparency in the face of cybersecurity threats.

The revelation of these breaches caused severe harm to Yahoo’s reputation, eroding user trust and raising doubts about the company’s commitment to data security. In 2018 the SEC fined the company (by then renamed Altaba) $35 million for failing to disclose the 2014 breach to investors for two years. Additionally, these incidents significantly influenced Yahoo’s valuation and the terms of its acquisition by Verizon, which cut its purchase price by $350 million, underscoring the substantial business risks associated with cybersecurity lapses.

Impact on Cybersecurity Practices

These breaches underscored the vital importance of securing user data and the potential long-term consequences of compromised information. Beyond the immediate fallout, such as legal consequences and financial losses, the incidents prompted a change in how organizations approach data protection. They accelerated the adoption of more robust encryption practices and heightened awareness about the vulnerability of user accounts to increasingly sophisticated cyber attacks.

Industry Response & Learnings

The Yahoo data breaches served as a pivotal moment for the tech industry, emphasizing the importance of cybersecurity vigilance and prompt incident disclosure. In response, there was a marked shift towards strengthening data protection measures, enhancing breach notification protocols, and reinforcing user data encryption. These incidents also played a role in shaping data privacy regulations and highlighted the necessity for ongoing investment in cybersecurity defenses.

Conclusion

The cyberattacks we’ve explored – from the Colonial Pipeline to Yahoo’s massive data breaches – serve as harbingers of the complex and evolving nature of cyber threats. Each incident, unique in its execution and impact, underscores a common theme: the paramount importance of proactive and comprehensive cybersecurity strategies.

These events have brought about significant shifts in how we perceive and approach digital security, reinforcing the need for vigilance, collaboration, and continuous adaptation in the face of cyber adversaries.

These historical lessons serve as valuable guides, reminding us not only to continue to apply the lessons learned from previous breaches but also that as we respond and adapt, so too do cybercriminals. Security is an endlessly shifting target and threat actors are incentivized to never sit still. We must not, either.

Enterprises worldwide have turned to SentinelOne’s Singularity™ Platform to proactively resolve modern risks at machine speed. Learn how SentinelOne works to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more. Contact us or book a demo today.