The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good | U.S. Treasury Cracks Down on Russian & Chinese State-Backed Threats

In back-to-back announcements this week, the U.S. Department of the Treasury has sanctioned cryptocurrency exchanges leveraged by Russian dark markets and a Chinese-based company linked to APT31 threat actors (aka Zirconium and Violet Typhoon).

Thirteen entities and two individuals now face sanctions by the Treasury Department’s Office of Foreign Assets Control (OFAC) for their role in developing and servicing OFAC-designated Russian dark web markets and banks. Bitpapa IC FZC LLC and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP) both facilitated substantial transactions with entities like Hydra Market and Garantex, while Crypto Explorer DMCC (AWEX) operated as a crypto exchange, facilitating conversions involving OFAC-designated Russian banks.

Before its seizure in April 2022, Hydra Market was one of the world’s largest and longest-operating darknet markets, credited with over 80% of all darknet-related crypto transactions at the time.

The Treasury, in collaboration with other international agencies, has also placed sanctions on a Wuhan-based company and two Chinese nationals associated with targeting U.S. politicians to support China’s espionage objectives. Both individuals are allegedly linked to APT31, a PRC state-backed hacking group focused on stealing information from government officials, journalists, and academics.

The coordinated effort with the DoJ, FBI, Department of State, and the UK Foreign, Commonwealth & Development Office (FCDO) led to unsealed indictments and sanctions, freezing all assets and interests in the United States connected to the designated individuals and entities. These sanctions are part of an ongoing commitment by the U.S. government to protect national security interests amidst evolving geopolitical tensions.

The Bad | Upgraded PhaaS Phishing Kit Threatens Microsoft & Google MFA Measures

The emergence of a new phishing-as-a-service (PhaaS) platform dubbed “Tycoon 2FA” is targeting Microsoft 365 and Gmail accounts with the aim of circumventing two-factor authentication (2FA) safeguards.

Initially detected by cybersecurity analysts in October 2023 during routine threat monitoring, Tycoon 2FA had been operational since at least August 2023 and initially distributed through private Telegram channels by a group called Saad Tycoon. Similarities between Tycoon 2FA and other adversary-in-the-middle (AitM) platforms indicate potential code reuse or collaborative efforts between developers.

Tycoon 2FA’s modus operandi involves a multi-step process where users are tricked into interacting with phishing pages. Background scripts then extract the user’s email in order to customize the attack while the user is redirected to a fake Microsoft login page to steal credentials. The threat actors then employ a reverse proxy server hosting phishing web pages to intercept session cookies. Once a user completes the MFA challenge and successfully authenticates their access, the actors can then replay the sessions and bypass multi-factor authentication (MFA) mechanisms.

Most recently, analysts have reported Tycoon 2FA’s latest version upgrade, which enhances its capabilities by expanding traffic filtering and refining stealth tactics to evade analysis. The modifications are indicative of ongoing efforts to refine the kit’s effectiveness in avoiding detection by identifying and bypassing typical traffic patterns.

Recent estimates show that Tycoon 2FA is associated with thousands of phishing pages found in the wild since August 2023. Given this broad user base of cybercriminals using the service for their phishing operations, it is essential for organizations to double down on educating their users on how to recognize the signs of phishing attacks, even if they have MFA enabled.
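Tycoon 2FA works because the victim authenticates through the kit’s reverse proxy, so whatever the user types or approves is relayed to the real site. MFA that is bound to the origin the browser actually connected to (WebAuthn/FIDO2) does not survive that relay. The following added example is not code from the original page or from any vendor mentioned in it; it shows the relying-party checks that reject a proxied assertion, using constructed RP identifiers, and deliberately leaves out the signature verification step so that only the binding checks are in view.

```python
import base64
import hashlib
import json
import secrets
from typing import Tuple

# Assumed relying-party identifiers for this example; a real deployment uses its own.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks that bind an assertion to the real origin and challenge.

    Signature verification over authenticatorData || SHA-256(clientDataJSON) is
    deliberately omitted; these are the checks a reverse-proxy AitM cannot pass.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The browser records the origin it actually connected to. Behind a reverse
    # proxy that is the proxy's domain, so this comparison fails.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not valid base64url"
    # The challenge must be the one this server issued for this login attempt.
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user was present
        return False, "user presence flag not set"
    return True, "ok"


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Minimal constructed authenticatorData (no attested credential, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON as a browser at `origin` would produce it."""
    return b64url_encode(json.dumps({"type": "webauthn.get",
                                     "challenge": b64url_encode(challenge),
                                     "origin": origin}).encode())


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    auth_data = make_authenticator_data(RP_ID)
    return {
        # Genuine user on the real site.
        "legit": verify_assertion_binding(
            make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge),
        # Same challenge relayed through a proxy domain (constructed name).
        "proxied": verify_assertion_binding(
            make_client_data("https://login.example.com.proxy.invalid", challenge),
            auth_data, challenge),
        # Old assertion replayed against a fresh challenge.
        "stale": verify_assertion_binding(
            make_client_data(EXPECTED_ORIGIN, secrets.token_bytes(32)),
            auth_data, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```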

The Ugly | Chinese APTs Target ASEAN Members in Cyber Espionage Campaign

A new report shed light this week on a three-month long espionage campaign conducted by two Chinese-based advanced persistent threat (APT) groups. Most notably, both APTs have focused their efforts on entities and member nations of the Association of Southeast Asian Nations (ASEAN).

The first of the two APT groups is known by names such as Stately Taurus, Camaro Dragon, or Earth Preta, active since 2012. As observed, Stately Taurus targeted organizations in Japan, Singapore, Myanmar, and the Philippines via phishing scams delivering two custom-created malware packages. Coincidentally, the state-sponsored APT group took advantage of a recent ASEAN-Australia Special Summit event to launch this campaign – a tactic used by threat actors to exploit the increased online activity, communications, and digital traffic characteristic of major events.

One of the malware packages is designed to masquerade as a ZIP file, containing an executable named “Talking_Points_for_China.exe” to initiate the deployment of a known Stately Taurus malware called “PUBLOAD” upon execution. This executable, a renamed copy of the legitimate software KeyScrambler.exe, executes malicious code discreetly through DLL side-loading. The second package comprises a screensaver executable titled “Note PSO.scr”, which serves as a conduit for retrieving additional malicious payloads from a remote IP address. These payloads include a benign program disguised as “WindowsUpdate.exe” alongside a rogue DLL.

The second, unidentified APT group has been observed compromising government entities in Singapore, Cambodia, and Laos. Given their role in managing sensitive diplomatic and economic information, ASEAN member countries are consistent targets. These kinds of cyber espionage campaigns will continue to be a key challenge for government entities, as nation state-backed threat groups aim to collect geopolitical leverage within their regions in order to get ahead in the international arena.

Thread Hijacking: Phishes That Prey on Your Curiosity

Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a recent thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.

In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).

The LancasterOnline story about Adam Kidan.

Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”

Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.

But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOnline’s IT team, which quickly flagged them as phishing attempts.

LancasterOnline’s Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.

“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”

The phishing lure attached to the thread hijacking email from Mr. Kidan.

In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.

The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s email addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.

No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.

Thread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.

One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.

In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.

Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.

But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.

“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”

Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.

“We call these multi-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”

The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Exit Sandman | How SentinelOne Deflects APT-Level Identity Security Risks

Information theft and the number of data breaches rooted in identity-based risks are rising as attackers continue to exploit vulnerabilities and find ways to evade detection. This makes early detection one of the most critical pillars of defense across today’s attack surfaces. As identity-based threats continue to develop, organizations that focus on advanced detection and response can protect their data from skilled adversaries.

Advanced persistent threats (APTs) like Sandman, for example, have been observed using identity-based attacks to achieve initial access and lateral movement. These kinds of threat groups are not looking for ransom payments, meaning information theft is their most likely objective.

Increasing cases of information theft put organizations at risk of cyber espionage, financial loss, and brand damage. For organizations to counter such threats, early discovery is key. In this post, we pinpoint how robust identity security measures can help mitigate the tactics, techniques, and procedures (TTPs) used by threat groups like Sandman APT.

Case Study | Identity-Based TTPs Used by Sandman APT

In September 2023, SentinelLabs exposed a series of attacks targeting telecommunication providers in the Middle East, Western Europe, and South Asia. This was the work of a previously undiscovered threat actor they dubbed “Sandman”.

In their findings, SentinelLabs researchers noted that Sandman’s activities were characterized by strategic lateral movement to targeted workstations and minimal engagement. This suggests a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection.

Sandman likely targeted major telcos for espionage purposes, using credential theft techniques and limiting engagement to evade detection. After infiltration, the threat group would wait before proceeding with their activities, suggesting a reliance on stealth for malicious purposes.

New Attack Tactics, Same Attack Cycle

Although the intrusions were detected and interrupted before the threat actor could progress the attacks, they illustrate how advanced intrusions still conform to a typical attack chain depicted below.

In this attack chain, threat actors will gather intelligence to identify the target and any exploitable entry methods. They will compromise an internal endpoint system to gain access and establish a foothold. Once in, they enter the persistence cycle of gathering information, identifying targets, moving laterally, and establishing backdoors while staying undetected. They will remain in this cycle until they finally execute their planned objectives and complete their mission.

Sandman APT established a foothold within the target organization after stealing administrative credentials and gathering intelligence through internal reconnaissance. Then, the APT infiltrated specifically targeted workstations using the pass-the-hash (PtH) technique over the NTLM authentication protocol. These tactics can be counteracted by having robust identity security controls in place.

To protect against attacks like those perpetrated by Sandman, SentinelOne suggests looking at its Singularity Identity and Singularity Hologram cyber deception solutions for cyber risk mitigation.

Preventing Identity-Based Attacks with Singularity Identity

As part of the SentinelOne agent, Singularity Identity protects an organization’s digital identities and identity infrastructure by safeguarding credentials on the endpoints and Active Directory (AD) objects, including accounts, groups, domain controllers, and more.

Singularity Identity provides cyberattack prevention by protecting identities through concealment and misdirection. After attackers like Sandman establish a foothold on an endpoint, they conduct local and network reconnaissance for usable identity data (e.g., credentials, passwords, AD objects, etc.) because masquerading as legitimate users provides access to resources while minimizing detection. This activity also helps them identify high-value assets such as privileged or sensitive accounts, servers, and data for future attacks.

As they gather intelligence, Singularity Identity conceals the locally stored credentials from discovery, whether memory-resident or stored locally in applications and the operating system. It also identifies AD queries attempting to harvest data from the domain controller like members of privileged groups, domain controllers, or service principal names (SPNs), and conceals the results. It then creates an alert on the SentinelOne console while giving decoy identity data as lures and bait so the attackers do not suspect anything is wrong and continue their activities.

When performing PtH, attackers first capture valid password hashes for accounts using a credential access technique, then use the captured hashes to authenticate as those users. Once authenticated, they can perform actions on local or remote systems. Singularity Identity detects and alerts on this and many other credential-based attacks.

Additionally, Singularity Identity supports deploying deceptive credentials across different storage locations, such as browsers, keychains, Windows Credential Manager, and password managers. Credentials taken from these locations will generate an alert and attackers are misdirected away from a production asset.
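Decoy credentials have no legitimate use, which is what makes them such a clean signal: any authentication attempt with one is an alert, with no benign baseline to tune out. The following added example is not SentinelOne code; it runs that check over a constructed sample of Windows logon events (4624 success, 4625 failure) flattened to one line each, with constructed decoy account names and host names, and then ranks source addresses by how many hosts they tried a decoy against.

```python
from collections import defaultdict

# Decoy account names planted as lures (constructed for this example).
DECOY_ACCOUNTS = {"svc_backup_admin", "da_helpdesk", "sql_sa_prod"}

# Constructed sample of logon events: EventID, then selected EventData fields,
# plus Computer (the host that logged the event; WorkstationName/IpAddress are the source).
SAMPLE_EVENTS = """\
4624 Computer=WS-0517 TargetUserName=jdoe TargetDomainName=CORP LogonType=2 AuthenticationPackageName=Kerberos IpAddress=127.0.0.1 WorkstationName=WS-0517
4624 Computer=FS-01 TargetUserName=svc_backup_admin TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.17 WorkstationName=WS-0517
4625 Computer=DC-01 TargetUserName=da_helpdesk TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.17 WorkstationName=WS-0517
4624 Computer=FS-01 TargetUserName=asmith TargetDomainName=CORP LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.7.22 WorkstationName=WS-0722
4624 Computer=FS-02 TargetUserName=SVC_Backup_Admin TargetDomainName=CORP LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.17 WorkstationName=WS-0517
"""


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a dict of fields plus an integer EventID."""
    event_id, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["EventID"] = int(event_id)
    return fields


def decoy_credential_alerts(event_text: str, decoys=DECOY_ACCOUNTS) -> list:
    """Every logon attempt with a decoy account, successful or not, becomes an alert."""
    alerts = []
    for line in event_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        account = ev.get("TargetUserName", "").lower()  # account names are case-insensitive
        if account not in decoys:
            continue
        alerts.append({
            "account": account,
            "outcome": "success" if ev["EventID"] == 4624 else "failure",
            "source_ip": ev.get("IpAddress", "-"),
            "source_host": ev.get("WorkstationName", "-"),
            "target_host": ev.get("Computer", "-"),
            "auth_package": ev.get("AuthenticationPackageName", "-"),
            "logon_type": ev.get("LogonType", "-"),
        })
    return alerts


def sources_by_spread(alerts: list) -> list:
    """Rank source IPs by the number of distinct hosts they tried a decoy against;
    several hosts from one source is the lateral-movement pattern, not a one-off."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["source_ip"]].add(a["target_host"])
    return sorted(((ip, sorted(hosts)) for ip, hosts in targets.items()),
                  key=lambda pair: -len(pair[1]))


if __name__ == "__main__":
    found = decoy_credential_alerts(SAMPLE_EVENTS)
    for a in found:
        print("DECOY USE", a)
    print("spread:", sources_by_spread(found))
```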

Preventing Identity-Based Attacks with Singularity Hologram

The cyber deception technology of Singularity Hologram takes protection one step further by supplying enterprise-wide decoys to engage the attackers. Hologram is capable of detecting attacks using alternate authentication mechanisms such as the PtH technique. The solution then alerts on attempts to use such methods to move laterally into decoys.

The decoy identity data can point to a black hole destination IP or system. However, having Hologram decoys in the network adds another layer of realism by providing a destination and service for the bait and lures. It also provides a way to engage with attackers like Sandman, who rely on minimal engagement to avoid detection.

Hologram learns the environment and can automatically create and deploy these decoys adjacent to production systems on the same network segments. These decoys match the production environment, mimicking systems and services throughout the network. They also allow defenders to collect data on the attack, as they record all attack activity that engages with them on the network, in memory, and on local storage.

Conclusion

Imagine being an attacker that breaks into a network with the goal of stealing enterprise credentials. After accessing the network resource the attacker is then kicked out because the defense mechanisms in place detected the attempted credential theft, misdirected the attack to a decoy, and recorded all the malicious activity. Such is the power of SentinelOne’s identity security and cyber deception solutions.

As more APTs go the route of leveraging stealthy, prolonged attacks through identity-based TTPs, focusing on early detection and vigilant monitoring allows organizations to stay steps ahead of even the most advanced threats.

SentinelOne’s Identity Suite delivers robust defenses to defend the infrastructure that houses business-critical digital identities. To learn more or request a demo, please visit https://www.sentinelone.com/lp/identity-suite-demo/.


Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Some of the many notifications Patel says he received from Apple all at once.

Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.

But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).

“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called PeopleDataLabs.

Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.

“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”

Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the user’s device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the user’s Apple devices.

THE PHONE NUMBER IS KEY

Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.

“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris said. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”

Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.

“I said I would call them back and hung up,” Chris said, demonstrating the proper response to such unbidden solicitations. “When I called back to the real Apple, they couldn’t say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted.”

Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.

Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account — all the while still sitting at the local Apple Genius Bar.

Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the target’s Apple account. After all, that was the only aspect of Chris’s new iPhone and iCloud account that hadn’t changed.

WATCH OUT!

“Ken” is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.

“This recently happened to me in the middle of the night at 12:30 a.m.,” Ken said. “And even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts. Thank god I didn’t press ‘Allow,’ which was the first option shown on my watch. I had to scroll the watch wheel to see and press the ‘Don’t Allow’ button.”

Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the “Don’t Allow” button.

Unnerved by the idea that he could have rolled over on his watch while sleeping and allowed criminals to take over his Apple account, Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.

A recovery key is an optional security feature that Apple says “helps improve the security of your Apple ID account.” It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Apple’s standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.

Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.

KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Apple’s “forgot password” page — https://iforgot.apple.com — asks for an email address and for the visitor to solve a CAPTCHA.

After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.

The password reset page at iforgot.apple.com.

RATE LIMITS

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Apple has not yet responded to requests for comment.

Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at Cisco, Microsoft and Uber. In response, Microsoft began enforcing “MFA number matching,” a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account owner’s Microsoft Authenticator app on their mobile device to verify they are logging into the account.

Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he’s convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed “AirDoS” because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop — a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple’s fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple’s rate limit on how many of these password reset requests can be sent in a given timeframe.

“I think this could be a legit Apple rate limit bug that should be reported,” Bagaria said.
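The design question raised above has a concrete answer on the server side. The following added example is not Apple’s code or anything from the original post; it shows one way a password-reset flow can gate device prompts so that a single unanswered prompt absorbs repeat requests and a per-account sliding window caps the total, keyed by the targeted account because forgot-password requests are unauthenticated. Account names and timings are constructed.

```python
from collections import Counter, deque
from typing import Tuple


class ResetPromptGate:
    """Gate in front of 'push a password-reset approval prompt to the account's devices'.

    Two independent limits, both keyed by the target account:
      1. only one prompt may be outstanding; repeat requests are coalesced into it;
      2. a sliding-window cap on prompts per account, counted whether the user
         approves, denies, or ignores them, so denials do not refill the budget.
    """

    def __init__(self, max_prompts: int = 3, window_seconds: float = 3600.0,
                 pending_ttl: float = 300.0):
        self.max_prompts = max_prompts
        self.window_seconds = window_seconds
        self.pending_ttl = pending_ttl
        self._sent = {}      # account -> deque of send timestamps inside the window
        self._pending = {}   # account -> expiry time of the unanswered prompt

    def request_prompt(self, account: str, now: float) -> Tuple[bool, str]:
        """Decide whether this reset request may generate a new device prompt."""
        expiry = self._pending.get(account)
        if expiry is not None and now < expiry:
            return False, "coalesced: a prompt is already pending"
        history = self._sent.setdefault(account, deque())
        while history and now - history[0] >= self.window_seconds:
            history.popleft()  # drop sends that have aged out of the window
        if len(history) >= self.max_prompts:
            return False, "throttled: per-account window cap reached"
        history.append(now)
        self._pending[account] = now + self.pending_ttl
        return True, "prompt sent"

    def resolve_prompt(self, account: str) -> None:
        """The user answered (Allow or Don't Allow): free the pending slot only.
        The send still counts toward the window cap."""
        self._pending.pop(account, None)


def simulate_bombing(gate: ResetPromptGate, account: str = "victim@example.invalid",
                     attempts: int = 40, interval: float = 5.0) -> Tuple[int, dict]:
    """Replay `attempts` reset requests `interval` seconds apart against one account
    and report how many prompts actually reached the user's devices."""
    sent = 0
    reasons = Counter()
    for i in range(attempts):
        ok, why = gate.request_prompt(account, now=i * interval)
        sent += int(ok)
        reasons[why.split(":")[0]] += 1
    return sent, dict(reasons)


if __name__ == "__main__":
    gate = ResetPromptGate(max_prompts=3, window_seconds=3600, pending_ttl=60)
    # Forty requests over 195 seconds reach the user's devices three times.
    print(simulate_bombing(gate))  # (3, {'prompt sent': 3, 'coalesced': 33, 'throttled': 4})
```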

Insights from the CyberLaw Forum | Intersecting Cybersecurity, Insurance & Regulation

SentinelOne’s CyberLaw Forum brings together lawyers, technical experts, and insurance executives to dive deep into challenges faced in today’s cyber insurance and legal realms. From the tactics of threat actors to contemplating the impact of artificial intelligence (AI) on enterprise security strategies, panelists from the event delved into the intricacies of cybersecurity in a rapidly evolving digital landscape.

This blog post highlights the key discussion questions from the event regarding cyber insurance viability post-breach and the intricacies of regulatory compliance, particularly in the wake of new SEC regulations.

Presentations From SentinelOne’s CyberLaw Forum

In partnership with Charleston Law School, the event covered a range of topics that many SentinelOne clients face each day:

  • What are threat actors doing and which ones should I be concerned about?
  • How will artificial intelligence (AI) impact my plans for securing my enterprise? Will threat actors use AI to overcome defenders?
  • Can I get cyber insurance? Or, will they renew my policy now that I have had a breach?

Keynote | Geopolitical Conflict and the Impact on Multinationals

Speakers: Alex Stamos & David Lashway

The event provided a platform for industry experts such as Alex Stamos to share his insights on the cybersecurity leadership landscape within the US government, Ukraine’s resilience in the face of cyber warfare, and the geopolitical dynamics shaping global cybersecurity strategies. Watch the keynote here.

Panel | What’s Concerning Cyber Insurers

Speakers: Chris Keegan, Tiffany Calhoun Pierce, Marcin Weryk, and Peter Castillo

Chris Keegan, who moderated the insurance panel, noted the willingness of senior underwriters to divulge valuable insights into cyber risks and market trends, shedding light on the complexities of insurance underwriting in the digital age.

This panel focused on:

  • Understanding the market and the players, including the insurance carriers currently occupying the cyber insurance domain
  • Current strategies on risk mitigation before risk transfer, in-house versus third-party breaches, and quantifying risk assessments
  • Rising challenges as the insurance market grows, including systemic risks, war and nation-state attacks, data privacy, artificial intelligence, and supply chain risks for manufacturers

Watch the presentation here.

Panel | Hacking Incident Response

Speakers: Justine Phillips, Nikole Davenport, Brendan Rooney, and Terry Oehring

Meanwhile, Justine Phillips underscored the critical importance of proactive measures and swift response strategies in mitigating the impact of data breaches, emphasizing the need for robust incident response protocols. “There are only two things in life and cyber we can control: Everything we do or don’t do leading up to an event and what we do or don’t do in response to an event.”

This panel focused on:

  • Understanding the current threat landscape through the tactics, techniques, and procedures (TTPs) seen both left and right of boom
  • Key cyber regulations and enforcement actions
  • How to evaluate and manage your enterprise cyber risk
  • How to build a smart and flexible program through People, Process & Technology
  • Cybersecurity trends to watch out for in 2024

Watch the presentation here.

Panel | Automotive Security & Liability

Speakers: Amy Mushahwar, Todd B. Benoff, and Michael Bryant

For those navigating the intersection of automotive technology and cybersecurity, Amy Mushahwar’s panel offered invaluable insights into the future of driverless electric vehicles and the implications for data security and privacy.

This panel focused on:

  • How National Highway Traffic Safety Administration (NHTSA) is approaching the discussion of self-driving cars
  • State-to-state travel, creating one set of standards for performance and safety, and strict liability
  • The complications between strict and absolute liability, particularly for exploit-based accidents

Watch the presentation here.

Panel | National Cyber Strategy & Federal Regulations

Speakers: Evan Wolff, Megan Stifel, and Rob Knake

Evan Wolff led discussions on regulatory compliance and incident handling, providing clarity on navigating the intricacies of breach notification requirements and strategic decision-making in the aftermath of cyber incidents. This panel also looked at the national cyber strategy implementation with Rob Knake suggesting that “ransom payments should be banned.”

This panel focused on:

  • The five-pillar overview of the National Cybersecurity Strategy
  • SEC mandatory cybersecurity disclosure and risk management rules
  • DFARS and clause 252.204-7012 history – A timeline of changes to how the federal government contracts for cybersecurity
  • Compliance trends in the cyber supply chain

Watch the presentation here.

Panel | Artificial Intelligence Transforming Cybersecurity

Speakers: Randy Sabett, Kristy Hornland, Jason Ingalls, and Chris Martenson

This interactive and open discussion led by Randy Sabett covered the intersection of artificial intelligence (AI) and cyber law in 2024. The panelists delved into how AI is transforming the legal landscape, from automating routine legal tasks to aiding in decision-making processes. As AI continues to impact privacy, data protection, intellectual property rights, and cybersecurity regulations, we are seeing emerging challenges and opportunities presented by AI in the legal domain.

This panel focused on:

  • The multidimensional nature of AI and machine learning (ML) for cyber
  • The increasingly commercial use of AI and ML across various industries and disciplines
  • How adversaries are leveraging AI and ML to monitor and model user behavior to create automated and tailored attacks
  • How cyber defenders are embedding AI and ML to accelerate threat identification, improve existing processes, and continuously monitor in real-time

Watch the presentation here.

Conclusion

As we reflect on the wealth of knowledge shared at this year’s CyberLaw Forum, we extend our gratitude to the esteemed panelists, sponsors, and moderators who helped deepen the conversations around these complex and dynamic cybersecurity issues. Learn more about how to participate in next year’s forum here.


PinnacleOne ExecBrief | Enterprise Risk Management in China

Last week, PinnacleOne flagged the SVR’s ongoing exploitation of its breach of Microsoft.

This week, we examine the geopolitical dynamics and risks facing firms that do business or have key dependencies in China and highlight principles to frame a China-for-China strategy given firm-specific threat models.


Insight Focus | Enterprise Risk Management in China

China’s civilian intelligence service, the Ministry of State Security (MSS), ventured into public policy analysis when it posted on WeChat this Monday. In its post, the MSS underlined how important private sector cooperation with the security services is to safeguarding national security under the country’s Cybersecurity Law. Some sections even highlighted the need for security assessments for businesses transferring data overseas. An English-language state media outlet went so far as to put out an accompanying piece.

We don’t know what motivated the MSS and state media to highlight the PRC’s Cybersecurity Law – but we do know what they said and its implications.

Despite other parts of state media posting videos of Apple’s CEO Tim Cook walking around Shanghai and saying that China is open for business, the experience of executives trying to navigate the expanding labyrinth of PRC regulations is not so sanguine.

In the course of our advisory work, we have walked alongside a number of key leaders making decisions about how to approach their operations in the PRC. We find that, as China convinces other countries to join its “Community with Shared Future in Cyberspace” initiative, the risks below, the questions they raise, and resulting business decisions will become more pressing and may soon extend to other countries as well.

Business Risks Facing MNC Operations in China

  • Technical Risks: Chinese technology increasingly found throughout the global value chain will create “bug doors.” Moves to bifurcate tech stacks will result in more offensive hacking between the PRC and the rest of the world, and onshore operations will be closely scrutinized.
  • Insider Trust: Arbitrary enforcement of local laws risks the security of IP and the safety of employees and executives — the PRC is sliding back to join other autocracies.
    • Insiders are more likely to be victims of state-backed coercion and manipulation than ill-willed employees.
    • The MSS offers cash payouts to anyone who reports unpatriotic behavior or actions that “endanger national security.” It is unclear whether reports from disgruntled employees accusing their employers of acting against China’s interests would be accepted.
    • Know-how and how-to are increasingly prized over raw exfiltrated data, aligned to key strategic industries and political requirements, and in support of China’s geopolitical objectives.
  • Political & Operational Risks: China’s crackdown on capital and increasingly concentrated political power risks stable corporate operations.

Key Principles That Should Frame Any China-for-China Strategy

  • Navigate the Political Landscape: Each industry’s threat profile is different, and each requires its own course towards safety and resilience.
  • Target Resilience: Ensure you have the flexibility to manage future uncertainties by preserving optionality and limiting irreversible decisions, when possible.
  • Evaluate Enterprise Architecture: Determine how to shape the relationship between critical data storage, admin access, business impacts, and network dependencies.
  • Prioritize Strictly: Identifying what capabilities to move and duplicate now will reduce implementation risk.

Strategic Threat Modeling Should Drive De-Risking Decisions

Understand what threats are most likely to present a significant impact on your value chain and prioritize enterprise operations accordingly. This assessment should answer three key questions:

  1. Risks Mitigated: To what extent would localizing a given application, service, or infrastructure element mitigate plausible PRC risks?
  2. Risks Introduced: To what extent would localizing introduce new risks, and how are those evaluated and controlled?
  3. Operating Model Impact: What impact would localizing have on your firm’s operating model, customer delivery, and competitive position?

Firms should apply the following decision rule: prioritize for PRC localization those applications that maximize mitigation of known risks, minimize new risks, and limit operating model impact, given inherent political and geopolitical uncertainty.

Across all related enterprise architecture de-risking decisions, firms should consider the following options:

  1. Adjusting logical controls to databases, applications, and systems;
  2. Creating hybrid structures for specific databases or apps with instances inside and outside China; or
  3. Conducting a full separation of enterprise networks and connectivity.

These decisions are complex, hard to tangibly justify, and costly. They require the input and buy-in across the executive team with a clear, actionable roadmap that reflects priority mitigations. All activities should be tightly managed internally with senior leadership guidance and sound operational security measures. Lastly, since these are multi-month/year initiatives, firms should regularly adjust their strategies given changes in the threat model and security environment.

The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good | Russian Nationals Sanctioned for Roles in GRU-Linked Influence Campaigns

Two Russian nationals are the latest to be sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) this week for their roles in various malign influence campaigns. Ilya Andreevich Gambashidze, the founder of Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin, CEO and owner of Company Group Structura LLC, stand accused of working with the GRU to target audiences across the U.S. and in Europe.

This disinformation operation, known as Doppelgänger, targets audiences in Europe and the U.S. through fake news sites and social media accounts. Doppelgänger is known for persistent and aggressive attacks, closely exploiting current geopolitical and socio-economic events and movements as they receive media attention.

Source: EU DisInfo Lab

The Treasury alleges that Gambashidze and Tupikin played major roles in impersonating government entities and media outlets through a network of at least 60 spoofed sites. Designed to be a close imitation of their legitimate counterparts, the websites even featured working links and cookie consent pages to lull site visitors into a sense of legitimacy.

This is not the first sanction for Gambashidze. He, along with SDA and Structura LLC, was first sanctioned by the EU in 2023 for amplifying propaganda in support of Russia’s war against Ukraine.

With major elections fast approaching in the United States and across the EU, activity from nation-backed threat actors is expected to spike, making information warfare an even harder terrain to navigate. Initiatives like public awareness campaigns, social media literacy programs, and strict social media policies will remain significant methods of pushing back against online propaganda and wide-reaching disinformation campaigns.

The Bad | Evasive HTML Smuggling Via Google Sites Seen in Infostealing Campaigns

Threat actors are capitalizing on bogus Google Sites pages and HTML smuggling techniques to distribute AZORult malware, aimed at pilfering sensitive information. Security researchers describe this as an unconventional method, one where the actors embed malicious payloads within separate JSON files hosted on external websites.

AZORult was first spotted in 2016 and is often spread through phishing emails, trojanized software installers, and malvertising. It is notably discreet, able to extract credentials, browser history, cookies, and other personal data, as well as data from cryptocurrency wallets and specific browser extensions.

The latest iteration of AZORult uses fake Google Docs pages hosted on Google Sites and delivers the payload via HTML smuggling. The technique abuses legitimate HTML5 and JavaScript features so that an encoded script embedded in the page is decoded and assembled inside the victim’s browser, which means the malicious file never crosses the network as a recognizable download that perimeter controls could inspect. Once victims lured by phishing emails open the page, the smuggled script is triggered and kicks off a chain of actions that ultimately executes the stealer.
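The browser-side chain described above (encoded payload, decode in JavaScript, wrap in a Blob, create an object URL, auto-download) leaves a recognizable footprint in the HTML itself. The following is an added example of a triage script for that footprint; it is not SentinelOne’s or the researchers’ code. The indicator regexes, the scoring threshold and the sample HTML are assumptions constructed for the example, and the “ZIP” inside the sample is only a PK header plus padding, not a real lure or malware.

```python
import base64
import hashlib
import re

# Browser-side behaviours that, together, characterise HTML smuggling: an encoded
# payload in the page, decoded in JavaScript, wrapped in a Blob, turned into an
# object URL and auto-downloaded. Each regex is one indicator; none alone is proof.
INDICATORS = {
    "decode": re.compile(r"\batob\s*\(|Uint8Array\s*\.\s*from|TextDecoder", re.I),
    "blob": re.compile(r"new\s+Blob\s*\(", re.I),
    "objurl": re.compile(r"URL\s*\.\s*createObjectURL|msSaveOrOpenBlob", re.I),
    "download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "autoclick": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# A long base64 literal inside the page is the smuggled file itself.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf"}


def sniff(data: bytes) -> str:
    """Identify the decoded payload by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def analyze_html(html: str) -> dict:
    """Score an HTML document for smuggling indicators and extract embedded payloads.

    Returns the indicator names that matched, one record per decodable payload
    (size, sniffed type, SHA-256 for IOC sharing) and a verdict.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = []
    for match in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append({
            "size": len(raw),
            "type": sniff(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
    # Decode API plus Blob/objectURL plus a download trigger is the full chain;
    # a decodable payload adds weight. The threshold is an assumption, tune it.
    score = len(hits) + (2 if payloads else 0)
    return {"indicators": hits, "payloads": payloads, "score": score, "suspicious": score >= 4}


# Constructed sample: a ZIP-looking blob (PK header plus padding) smuggled the
# way the technique is described above. Not a real lure or malware sample.
_FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_HTML = f"""<html><body><p>Loading document...</p><script>
var payload = "{_FAKE_ZIP}";
var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
a.click();
</script></body></html>"""

BENIGN_HTML = "<html><body><p>Quarterly report</p><script>console.log('ready');</script></body></html>"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, analyze_html(doc))
```

Run against a captured attachment or a saved page, the `sha256` of each decoded payload is the value to feed into step 5 of an incident response (collecting IOCs), since the hash of the assembled file is what endpoint telemetry will see, not the hash of the HTML carrier. Real campaigns vary the encoding (XOR, reversed strings, chunked arrays) and split the payload across files, as the JSON-hosted variant described above does, so treat this as a first-pass filter rather than a complete detector.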

Detection evasion techniques like this one are gaining popularity across the threat landscape. Last summer, a PRC-linked threat actor was seen using HTML smuggling to deliver the PlugX RAT to foreign affairs ministries and embassies. Nokoyawa operators also favor the method and are known to use it to deliver a password-protected ZIP and deploy their ransomware. SentinelOne customers are protected from Nokoyawa.

SentinelOne agent detects Nokoyawa

Infostealers like AZORult are another example of how much campaign operators are evolving, experimenting with unorthodox methods to stay evasive. Organizations that have a layered approach to security are positioned best in defense of these novel techniques, heavily reducing where threat actors can go within a system and minimizing their access paths to critical data.

The Ugly | New “AcidPour” Data Wiper Found Targeting Linux Networking Devices

SentinelLabs first discovered AcidRain, a data wiper responsible for taking Eutelsat KA-SAT modems offline in Ukraine during the onset of the 2022 Russian invasion. AcidRain was officially attributed soon after to the Russian government by the EU and its member states.

Now, the researchers are reporting the discovery of the wiper’s latest variant, AcidPour, as it targets Linux x86 IoT and networking devices. Attribution has not yet been confirmed, though the timing of the discovery lines up closely with multiple Ukrainian telecom networks being offline, reportedly since March 13, 2024.

While sharing similarities with its predecessor, AcidPour expands the original set of capabilities to include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic to erase content from RAID arrays and large storage devices.

Data wipers are designed to delete or corrupt data on a targeted system or network, making critical information inaccessible or unusable. Since this is an irreversible process, data wipers are a highly destructive tool capable of disrupting major operations and inflicting financial and reputational damage on the victims. Data wipers are often used for sabotage, espionage, or as a diversionary tactic to cover up other malicious activities.

Two years after the discovery of AcidRain, AcidPour once again highlights the potential for destruction that wipers can cause both within and beyond the combat theater of the Russo-Ukrainian war. AcidPour clearly expands the destructiveness of the malware and shows a refinement in how threat actors are approaching their selected targets – critical infrastructure and communications.

Mozilla Drops Onerep After CEO Admits to Running People-Search Networks

The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.

Mozilla Monitor. Image: Mozilla Monitor Plus video on YouTube.

Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or passwords are leaked in data breaches.

On March 14, KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder Dimitri Shelest has launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.

But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 — around the same time he launched Onerep.

Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).

Onerep CEO and founder Dimitri Shelest.

In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.

“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla wrote. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.”

KrebsOnSecurity also reported that Shelest’s email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.

Shelest denied ever being associated with Spamit. “Between 2010 and 2014, we put up some web pages and optimize them — a widely used SEO practice — and then ran AdSense banners on them,” Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). “As we progressed and learned more, we saw that a lot of the inquiries coming in were for people.”

Shelest also acknowledged that Onerep pays to run ads “on a handful of data broker sites in very specific circumstances.”

“Our ad is served once someone has manually completed an opt-out form on their own,” Shelest wrote. “The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep.”

Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO’s many conflicts of interest.

“I knew Mozilla had this in the works and we’d casually discussed it when talking about Firefox monitor,” Hunt told KrebsOnSecurity. “The point I made to them was the same as I’ve made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can’t remove it from the outright illegal ones who are doing the genuine damage.”

Playing both sides — creating and spreading the same digital disease that your medicine is designed to treat — may be highly unethical and wrong. But in the United States it’s not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called “public” or “government” records from consumer privacy laws.

Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.

The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight — if not regulation — on consumer data protection and privacy.

On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S. based data brokers that sell personal information on Americans.

Experiencing a Data Breach? 8 Steps for Effective Incident Response

Experiencing a breach? Call us immediately at 1-855-868-3733.


Data breaches have been all over the news lately. Understanding how to prevent them—and what to do when they happen—is essential to every organization’s operational success.

A well-prepared enterprise has an incident response plan (IRP) ready to deploy in the event of a breach. These plans involve immediate communication with legal counsel, followed by engagement with an incident response team. SentinelOne advocates for a proactive approach, emphasizing the importance of evidence identification and data preservation to manage the situation effectively.

In this blog post, the SentinelOne Vigilance Respond Team provides key recommendations and best practices for strong breach management, including the eight key steps for responding to breaches. Making the right series of decisions directly after discovery of a breach can help organizational leaders secure their operations and get the support they need.

A Brief Refresher | What Is a Data Breach?

It’s important to start with the basics: What exactly is a data breach? A data breach is unauthorized access to, or exposure of, sensitive or confidential information. It can be caused by a wide variety of factors, including hacking, malware attacks, malicious insiders, or even innocent human error. Regardless of origin, the repercussions of a successful data breach are often dangerous and far-reaching, potentially leading to the loss of personal, financial, or proprietary information in the short term, and loss of revenue, brand trust, and reputation in the long run.

Have You Been Breached? | Eight Next Steps to Take During a Security Event

Incident response revolves around structured processes designed to identify and manage cybersecurity incidents. Before such incidents occur, well-prepared organizations will have collaborated with stakeholders, security leads, and department heads to map out business and industry-specific risks and create a response plan tailored to the needs of their business. Incident response plans formally document roles and responsibilities, determine threshold criteria for defining an incident, and plan for containment, business continuity, and ongoing recovery.

When breaches happen, organizational leaders are expected to act fast to preserve evidence and support an efficient investigation. These eight steps are the foundation for a robust and effective response.

1. Engage Legal Counsel & Incident Response

Organizations are required to navigate a complex landscape of legal obligations and both internal and external communication plans. While often varying by region or industry, these obligations usually involve notifying those affected, informing relevant authorities, and taking steps to minimize the spread and mitigate future risks.

Additionally, companies may need to disclose details of the breach to regulatory bodies depending on what compliance frameworks are applicable to them. Always inform your internal or external counsel of a potential cybersecurity event. Once counsel is engaged, contact your incident response retainer provider.

2. Keep Affected Endpoints Online

While reactive legal and compliance considerations are critical immediately after a breach, security leaders can also take on a proactive approach based on preserving data and evidence.

To do so, do not power off any suspected compromised endpoints. Volatile memory (RAM) holds evidence that exists nowhere on disk, such as running processes, active network connections, injected code, and in some ransomware cases the encryption keys in use; once a system is shut down, that evidence is permanently lost. Where your tooling supports it, capture a memory image before isolating the host.

3. Disconnect from the Network

Disconnect suspected compromised systems from the network. There are a few ways you can do this:

  • For endpoints deployed by SentinelOne – Quarantine the suspected systems so they can only connect to the SentinelOne platform.
  • For endpoints deployed by other providers – Disconnect wired networks and turn off all wireless connectivity.
  • For all endpoints – Consider segmenting the compromised network from the clean network (e.g., with virtual local area networks (VLANs) and network access control lists (ACLs)). This can keep business operations running on non-impacted networks.

4. Identify & Preserve Evidence

Identify potential sources of evidence across all firewalls, intrusion detection systems (IDS), virtual private networks (VPN), antivirus (AV) solutions, and event logs. Ensure they are configured to preserve evidence and will not automatically roll over or overwrite older logs during the investigation.

5. Collect IOCs & Samples

Collect all known indicators of compromise (IOCs) and malicious code samples. This may include suspect IP addresses or domains, hashes, PowerShell scripts, malicious executables, ransom notes, and any other known or suspected items that may contribute to an investigation.

6. Prepare for Restoration

Review and prepare to restore network functionality from backups, if applicable. Preserve forensic images of compromised systems before restoring clean images; failing to do so may hinder a successful investigation. Verify that backups are viable and clean before proceeding with any restoration efforts.

7. Develop a Timeline

Prepare a timeline of known suspect events that shows when the attack is believed to have started and the most recently identified malicious activity.

8. Identify Endpoints

Attempt to identify endpoints that have exhibited suspicious activity, specifically with an effort to identify the first impacted system (patient zero), and potential sources of exfiltration.
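Steps 5, 7 and 8 above are largely mechanical once logs have been preserved: pull the indicators out of the telemetry, order the suspect events in time, and read off the first impacted host and any large outbound transfers. The script below is an added example of that triage, not SentinelOne Vigilance code. The key=value log format, the internal address ranges, the exfiltration threshold and every host, user, hash and address in the sample telemetry are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Address ranges treated as internal; anything else is external for IOC and
# exfiltration purposes. Assumed for this example, adjust to your own estate.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# A single outbound connection above this many bytes is flagged as possible
# exfiltration (assumed threshold).
EXFIL_BYTES = 100 * 1024 * 1024

# Constructed sample telemetry: ISO-8601 UTC timestamp followed by key=value
# pairs. Hosts, users, hashes and addresses are illustrative, not real.
SAMPLE_LOGS = """\
2024-03-18T09:12:03Z host=WS-014 event=process user=alice image=invoice.exe sha256=3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b severity=high
2024-03-18T09:14:40Z host=WS-014 event=dns query=update-cdn.example.net answer=203.0.113.17 severity=medium
2024-03-18T09:15:02Z host=WS-014 event=netconn dst=203.0.113.17 dport=443 bytes_out=4096 severity=medium
2024-03-18T09:40:11Z host=WS-014 event=process user=alice image=powershell.exe cmdline="-nop -w hidden -enc SQBFAFgA" severity=high
2024-03-18T10:02:55Z host=FS-01 event=logon user=alice src=10.20.0.14 type=network severity=medium
2024-03-18T10:05:19Z host=FS-01 event=process user=alice image=rclone.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 severity=high
2024-03-18T10:06:30Z host=FS-01 event=netconn dst=198.51.100.9 dport=443 bytes_out=734003200 severity=high
2024-03-18T11:00:00Z host=WS-022 event=process user=bob image=chrome.exe severity=low
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_logs(text: str) -> list:
    """Turn the key=value lines into dicts with a parsed 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for key, quoted, bare in KV.findall(rest):
            ev[key] = quoted if quoted else bare
        events.append(ev)
    return events


def is_external(ip: str) -> bool:
    """True for any address outside the INTERNAL ranges; malformed input is not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def triage(events: list) -> dict:
    """Build the suspect-event timeline, harvest IOCs, and identify patient zero
    and candidate exfiltration paths (steps 5, 7 and 8 of the procedure above)."""
    timeline = sorted((e for e in events if e.get("severity") in ("high", "medium")),
                      key=lambda e: e["ts"])
    iocs = {"sha256": set(), "ips": set(), "domains": set()}
    hosts, exfil = [], []
    for e in timeline:
        if e["host"] not in hosts:  # hosts in order of first suspect activity
            hosts.append(e["host"])
        if e["event"] == "process" and e["severity"] == "high" and e.get("sha256"):
            iocs["sha256"].add(e["sha256"])
        elif e["event"] == "dns":
            iocs["domains"].add(e["query"])
            if is_external(e.get("answer", "")):
                iocs["ips"].add(e["answer"])
        elif e["event"] == "netconn" and is_external(e.get("dst", "")):
            iocs["ips"].add(e["dst"])
            sent = int(e.get("bytes_out", 0))
            if sent >= EXFIL_BYTES:
                exfil.append((e["host"], e["dst"], sent))
    return {
        "first_seen": timeline[0]["ts"].isoformat() if timeline else None,
        "last_seen": timeline[-1]["ts"].isoformat() if timeline else None,
        "patient_zero": hosts[0] if hosts else None,  # earliest host with suspect activity
        "impacted_hosts": hosts,
        "iocs": {k: sorted(v) for k, v in iocs.items()},
        "exfil": exfil,
        "timeline": [(e["ts"].isoformat(), e["host"], e["event"]) for e in timeline],
    }


if __name__ == "__main__":
    report = triage(parse_logs(SAMPLE_LOGS))
    for row in report["timeline"]:
        print(*row)
    print("patient zero:", report["patient_zero"], "exfil:", report["exfil"])
```

Two caveats apply when using output like this in a real investigation. “Patient zero” here is only the earliest host in the logs you preserved; if retention on a firewall or an endpoint was shorter than the dwell time, the true first system may be missing, which is why step 4 comes before steps 7 and 8. And the exfiltration flag is a volume heuristic: staged data is often pushed in many small connections or over a DNS channel, so corroborate it with the proxy and DNS evidence rather than relying on byte counts alone.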

Understanding Additional Steps After Breach

The aftermath of a data breach can be complex and difficult to manage, and it can take a significant amount of time and resources to recover from the damage. Be aware that the most difficult part of a data breach isn’t necessarily the evidence preservation, system restoration, or even the legal and financial implications.

When sensitive data is compromised, it can cause serious damage to the business’s reputation and erode customer trust. Following these eight steps is a great way to begin restoring that trust and brand reputation, but keep in mind that this is just the beginning.

Mitigating Future Breaches

To avoid future data breaches, organizations can ensure that strong security measures are put in place across their systems. Recommended best practices include:

  • Investing in robust cybersecurity solutions such as extended detection and response (XDR) and managed detection and response (MDR) ensures a holistic approach to defense.
  • Implementing strong authentication such as multi-factor authentication (MFA), together with access controls such as role-based access control (RBAC), to prevent unauthorized access to systems and data.
  • Conducting regular security assessments and audits to identify and address vulnerabilities.
  • Regularly monitoring and analyzing network traffic to identify and respond to potential threats.
  • Implementing data encryption and other security controls to protect sensitive data from unauthorized access.
  • Creating and communicating a well-defined incident response plan to key leaders across the organization to enable a quick and effective response in the face of a potential data breach.
  • Developing partnerships with cybersecurity experts and organizations to gain access to the latest threat intelligence and security solutions.
  • Providing training and education to employees on data security and best practices.

Conclusion

Security breaches can come from a number of different sources and the implications are complex and far-reaching. For organizations that have been affected by a data breach, there are immediate steps that ensure evidence is preserved and an effective investigation can take place. Once systems are restored, organizations may need to work with their stakeholders, security providers, and regulatory bodies to deal with legal, financial, and any potential long-term challenges.

As threat actors constantly refine their methods, organizations need to stay responsive. XDR empowers organizations to refine their security approaches and stop attacks before they can become all-out breaches. SentinelOne offers Singularity XDR, a leading solution in the security space powered by autonomous response. Learn how Singularity leverages artificial intelligence (AI) and machine learning (ML) to respond across entire security ecosystems and protect each attack surface.



The Not-so-True People-Search Network from China

It’s not unusual for the data brokers behind people-search websites to use pseudonyms in their day-to-day lives (you would, too). Some of these personal data purveyors even try to reinvent their online identities in a bid to hide their conflicts of interest. But it’s not every day you run across a US-focused people-search network based in China whose principal owners all appear to be completely fabricated identities.

Responding to a reader inquiry concerning the trustworthiness of a site called TruePeopleSearch[.]net, KrebsOnSecurity began poking around. The site offers to sell a report containing photos, police records, background checks, civil judgments, contact information “and much more!” According to LinkedIn and numerous profiles on websites that accept paid article submissions, the founder of TruePeopleSearch is Marilyn Gaskell from Phoenix, Ariz.

The saucy yet studious LinkedIn profile for Marilyn Gaskell.

Ms. Gaskell has been quoted in multiple “articles” about random subjects, such as this article at HRDailyAdvisor about the pros and cons of joining a company-led fantasy football team.

“Marilyn Gaskell, founder of TruePeopleSearch, agrees that not everyone in the office is likely to be a football fan and might feel intimidated by joining a company league or left out if they don’t join; however, her company looked for ways to make the activity more inclusive,” this paid story notes.

Also quoted in this article is Sally Stevens, who is cited as HR Manager at FastPeopleSearch[.]io.

Sally Stevens, the phantom HR Manager for FastPeopleSearch.

“Fantasy football provides one way for employees to set aside work matters for some time and have fun,” Stevens contributed. “Employees can set a special league for themselves and regularly check and compare their scores against one another.”

Imagine that: Two different people-search companies mentioned in the same story about fantasy football. What are the odds?

Both TruePeopleSearch and FastPeopleSearch allow users to search for reports by first and last name, but proceeding to order a report prompts the visitor to purchase the file from one of several established people-finder services, including BeenVerified, Intelius, and Spokeo.

DomainTools.com shows that both TruePeopleSearch and FastPeopleSearch appeared around 2020 and were registered through Alibaba Cloud, in Beijing, China. No other information is available about these domains in their registration records, although both domains appear to use email servers based in China.

Sally Stevens’ LinkedIn profile photo is identical to a stock image titled “beautiful girl” from Adobe.com. Ms. Stevens is also quoted in a paid blog post at ecogreenequipment.com, as is Alina Clark, co-founder and marketing director of CocoDoc, an online service for editing and managing PDF documents.

The profile photo for Alina Clark is a stock photo appearing on more than 100 websites.

Scouring multiple image search sites reveals Ms. Clark’s profile photo on LinkedIn is another stock image that is currently on more than 100 different websites, including Adobe.com. Cocodoc[.]com was registered in June 2020 via Alibaba Cloud Beijing in China.

The same Alina Clark and photo materialized in a paid article at the website Ceoblognation, which in 2021 included her at #11 in a piece called “30 Entrepreneurs Describe The Big Hairy Audacious Goals (BHAGs) for Their Business.” It’s also worth noting that Ms. Clark is currently listed as a “former Forbes Council member” at the media outlet Forbes.com.

Entrepreneur #6 is Stephen Curry, who is quoted as CEO of CocoSign[.]com, a website that claims to offer an “easier, quicker, safer eSignature solution for small and medium-sized businesses.” Incidentally, the same photo for Stephen Curry #6 is also used in this “article” for #22 Jake Smith, who is named as the owner of a different company.

Stephen Curry, aka Jake Smith, aka no such person.

Mr. Curry’s LinkedIn profile shows a young man seated at a table in front of a laptop, but an online image search shows this is another stock photo. Cocosign[.]com was registered in June 2020 via Alibaba Cloud Beijing. No ownership details are available in the domain registration records.

Listed at #13 in that 30 Entrepreneurs article is Eden Cheng, who is cited as co-founder of PeopleFinderFree[.]com. KrebsOnSecurity could not find a LinkedIn profile for Ms. Cheng, but a search on her profile image from that Entrepreneurs article shows the same photo for sale at Shutterstock and other stock photo sites.

DomainTools says PeopleFinderFree was registered through Alibaba Cloud, Beijing. Attempts to purchase reports through PeopleFinderFree produce a notice saying the full report is only available via Spokeo.com.

Lynda Fairly is Entrepreneur #24, and she is quoted as co-founder of Numlooker[.]com, a domain registered in April 2021 through Alibaba in China. Searches for people on Numlooker forward visitors to Spokeo.

The photo next to Ms. Fairly’s quote in Entrepreneurs matches that of a LinkedIn profile for Lynda Fairly. But a search on that photo shows this same portrait has been used by many other identities and names, including a woman from the United Kingdom who’s a cancer survivor and mother of five; a licensed marriage and family therapist in Canada; a software security engineer at Quora; a journalist on Twitter/X; and a marketing expert in Canada.

Cocofinder[.]com is a people-search service that launched in Sept. 2019, through Alibaba in China. Cocofinder lists its market officer as Harriet Chan, but Ms. Chan’s LinkedIn profile is just as sparse on work history as the other people-search owners mentioned already. An image search online shows that outside of LinkedIn, the profile photo for Ms. Chan has only ever appeared in articles at pay-to-play media sites, like this one from outbackteambuilding.com.

Perhaps because Cocodoc and Cocosign both sell software services, they are actually tied to a physical presence in the real world — in Singapore (15 Scotts Rd. #03-12 15, Singapore). But it’s difficult to discern much from this address alone.

Who’s behind all this people-search chicanery? A January 2024 review of various people-search services at the website techjury.com states that Cocofinder is a wholly-owned subsidiary of a Chinese company called Shenzhen Duiyun Technology Co.

“Though it only finds results from the United States, users can choose between four main search methods,” Techjury explains. Those include people search, phone, address and email lookup. This claim is supported by a Reddit post from three years ago, wherein the Reddit user “ProtectionAdvanced” named the same Chinese company.

Is Shenzhen Duiyun Technology Co. responsible for all these phony profiles? How many more fake companies and profiles are connected to this scheme? KrebsOnSecurity found other examples that didn’t appear directly tied to other fake executives listed here, but which nevertheless are registered through Alibaba and seek to drive traffic to Spokeo and other data brokers. For example, there’s the winsome Daniela Sawyer, founder of FindPeopleFast[.]net, whose profile is flogged in paid stories at entrepreneur.org.

Google currently turns up nothing else in a search for Shenzhen Duiyun Technology Co. Please feel free to sound off in the comments if you have any more information about this entity, such as how to contact it. Or reach out directly at krebsonsecurity @ gmail.com.

A mind map highlighting the key points of research in this story. Image: KrebsOnSecurity.com

ANALYSIS

It appears the purpose of this network is to conceal the location of people in China who are seeking to generate affiliate commissions when someone visits one of their sites and purchases a people-search report at Spokeo, for example. And it is clear that Spokeo and others have created incentives wherein anyone can effectively white-label their reports, and thereby make money brokering access to people’s personal information.

Spokeo’s Wikipedia page says the company was founded in 2006 by four graduates from Stanford University. Spokeo co-founder and current CEO Harrison Tang has not yet responded to requests for comment.

Intelius is owned by San Diego-based PeopleConnect Inc., which also owns Classmates.com, USSearch, TruthFinder and Instant Checkmate. PeopleConnect Inc. in turn is owned by H.I.G. Capital, a $60 billion private equity firm. Requests for comment were sent to H.I.G. Capital. This story will be updated if they respond.

BeenVerified is owned by a New York City-based holding company called The Lifetime Value Co., a marketing and advertising firm whose brands include PeopleLooker, NeighborWho, Ownerly, PeopleSmart, NumberGuru, and Bumper, a car history site.

Ross Cohen, chief operating officer at The Lifetime Value Co., said it’s likely the network of suspicious people-finder sites was set up by an affiliate. Cohen said Lifetime Value would investigate to determine if this particular affiliate was driving them any sign-ups.

All of the above people-search services operate similarly. When you find the person you’re looking for, you are put through a lengthy (often 10-20 minute) series of splash screens that require you to agree that these reports won’t be used for employment screening or in evaluating new tenant applications. Still more prompts ask if you are okay with seeing “potentially shocking” details about the subject of the report, including arrest histories and photos.

Only at the end of this process does the site disclose that viewing the report in question requires signing up for a monthly subscription, which is typically priced around $35. Exactly how and from where these major people-search websites are getting their consumer data — and customers — will be the subject of further reporting here.

The main reason these various people-search sites require you to affirm that you won’t use their reports for hiring or vetting potential tenants is that selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).

These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically don’t include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).

But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.

The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.

The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.

The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.

There are a growing number of online reputation management companies that offer to help customers remove their personal information from people-search sites and data broker databases. There are, no doubt, plenty of honest and well-meaning companies operating in this space, but it has been my experience that a great many people involved in that industry have a background in marketing or advertising — not privacy.

Also, some so-called data privacy companies may be wolves in sheep’s clothing. On March 14, KrebsOnSecurity published an abundance of evidence indicating that the CEO and founder of the data privacy company OneRep.com was responsible for launching dozens of people-search services over the years. OneRep still has not responded to that reporting.

Finally, some of the more popular people-search websites are notorious for ignoring requests from consumers seeking to remove their information, regardless of which reputation or removal service you use. Some force you to create an account and provide more information before you can remove your data. Even then, the information you worked hard to remove may simply reappear a few months later.

This aptly describes countless complaints lodged against the data broker and people search giant Radaris. On March 8, KrebsOnSecurity profiled the co-founders of Radaris, two Russian brothers in Massachusetts who also operate multiple Russian-language dating services and affiliate programs.

The truth is that these people-search companies will continue to thrive unless and until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century. Duke University adjunct professor Justin Sherman says virtually all state privacy laws exempt records that might be considered “public” or “government” documents, including voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman said.