We are thrilled to announce our latest S Ventures investment in Guardz, a unified cybersecurity platform built to empower MSPs to secure and insure small to medium-sized businesses (SMBs).
A Modern Approach to Cybersecurity for SMBs
SMBs today face a unique set of challenges when it comes to protecting against the evolving cybersecurity threat landscape. With cloud and SaaS adoption, SMBs’ IT infrastructures are becoming increasingly complex to manage. This is coupled with limited budgets and staff, making it difficult for SMBs to acquire and deploy best-in-class cybersecurity solutions. With 88% of the SMB market turning to Managed Service Providers (MSPs) for cybersecurity protection, there is a critical need to build a scalable, easy-to-use cybersecurity platform that is specifically tailored to the needs of MSPs and their SMB customers.
In comes Guardz – addressing this gap head-on and developing a modern approach for SMB cybersecurity. The Guardz platform combines a robust cybersecurity technology and deep insurance expertise that ensures MSPs and their SMB customers can proactively safeguard their digital assets against a myriad of cyber threats, mitigate cybersecurity risks, and prevent the next cybersecurity attack.
“Guardz offers a modern approach to protect the underserved SMB market, developing a unified cybersecurity solution that is built for MSPs from day one. This investment underscores SentinelOne’s unwavering commitment to pioneering cybersecurity solutions and amplifies our partner-first philosophy.”
Ken Marks, Vice President, Worldwide Channels & MSSP
The Guardz platform is uniquely designed specifically for MSPs protecting their SMB customers. Instead of offering traditional point solutions that are hard to manage and deploy, Guardz offers a unified SaaS-based multi-tenant platform that integrates, collects, analyzes, and provides insights on top of a variety of security tools, ranging from email, endpoint, identity, browser filtering, cloud security and awareness and training programs.
With 43% of cyber attacks targeting SMBs and 61% of SMBs failing to get adequate cybersecurity insurance, the demand for a new approach specifically tailored to the needs of SMBs is stronger than ever. As a result, there is an increasing number of MSPs turning to provide cybersecurity solutions for their SMB customers. Cybersecurity spending for SMBs is going to reach $109B in 2026, accounting for 60% of the total spending on cyber security worldwide.
Powered by AI, Guardz is equipped with automated detection and response capabilities that enable MSPs to take a proactive approach to securing SMBs’ digital assets across emails, devices, data, and cloud applications. It is a cost-effective solution, offering full-stack cybersecurity from a single pane of glass.
With a low-touch, self-serve model, MSPs can now easily onboard their end users and attract new customers by leveraging the Guardz’s efficient prospecting capabilities, accurate reporting, and complete coverage insurance.
Why We Invested in Guardz
From day one of its inception, SentinelOne recognized the importance of supporting SMBs and our partners in their quest for cybersecurity resilience. Our investment in Guardz reflects our dedication to always being partner-first. By aligning with Guardz, we’re not only investing in a company, we’re championing a safer digital ecosystem for SMBs worldwide. Guardz’s market approach resonates with our vision of democratizing access to cutting-edge cybersecurity technologies, ensuring businesses of all sizes can defend themselves with the same level of sophistication and efficacy as larger enterprises.
Led by an experienced team with a track record building and scaling businesses for SMBs and MSPs, Guardz is well poised to set a new standard for SMB cybersecurity and we at S Ventures are excited to back such an important mission. As we embark on this journey together, our focus remains steadfast on innovating, empowering, and protecting businesses worldwide. Together, we look forward to a future where every SMB can operate with confidence.
S Ventures
Investing in the next generation of category-defining security and data companies.
https://phxtechsol.com/wp-content/uploads/2024/04/S-Ventures-Guardz.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-16 07:51:572024-04-16 07:51:59S Ventures Invests in Guardz to Revolutionize Cybersecurity for SMBs
The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.
On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.
“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”
Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.
“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”
Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.
Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.
A smart lock enabled with Chirp. Image: Camdenliving.com
Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.
Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.
Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.
Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”
“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”
In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market, and that it found “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”
“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”
Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.
In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-16 07:30:042024-04-16 07:30:17Crickets from Chirp Systems in Smart Lock Key Leak
For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.
Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.
The Associated Pressreports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.
“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.
A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.
KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.
On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”
“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”
A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.
“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”
On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond.
On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.
Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.
The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.
“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.
As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.
Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.
Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.
While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.
Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).
According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.
It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.
But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.
A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.
A Google-translated version of Shtazi dot ru. Image: Archive.org.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-16 07:29:522024-04-16 07:30:04Who Stole 3.6M Tax Records from South Carolina?
Following the takedown of their operations earlier in the year, the inner workings of LockBit’s affiliate infrastructure have become clearer this week as investigations continue. The UK’s National Crime Agency, with assistance from the FBI, have reportedly matched a list of pseudonyms used by the ransomware gang to suspected cybercriminals.
So far, investigators have been able to link some 200 affiliates of LockBit who were using nondescript usernames to real world identities. The NCA’s senior officer on the case further confirmed that authorities have been able to connect specific affiliates back to particular cyberattacks. As the investigations carry on, all details collected are helping law enforcement to pursue more of the gang’s influential members, as well as any associated money launderers and malware developers.
Over the past three years, LockBit’s Ransomware-as-a-Service (RaaS) operations have left a long line of victims in its wake, with their ransom demands totalling at least $120 million.
Despite a dramatic takedown in February and having a senior administrator sentenced in March, LockBit lingers on through a new blog and data leak site, though lacking its prior momentum. Still, the gang’s ringleaders remain at large and cyber defenders continue to monitor for signs of rebranding – a strategy used by Hive and predecessors of BlackCat/ALPHV. Law enforcement’s efforts in matching up outstanding LockBit usernames to known criminals is a major step in disrupting LockBit’s new and future operations.
The Bad | New Phishing Campaign Drops Multi-Stage Malware via SVG Files
Security researchers this week reported on a complex cyberattack leveraging phishing emails to spread a wide range of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer.
In this wave of phishing attacks, the threat actor emails fake invoices in the form of Scalable Vector Graphics (SVG) files, which trigger the infection process after the victim engages. Researchers pegged this technique to the use of BatCloak malware obfuscation engines and a crypter called ScrubCrypt to deliver obfuscated batch scripts carrying the malware.
According to the report, the SVG file drops a ZIP archive containing a batch script, likely crafted using BatCloak, which unpacks the ScrubCrypt batch file to deploy Venom RAT. The remote access trojan then establishes control over compromised systems, executing commands from a command-and-control (C2) server.
The threat actors has been observed using various methods to distribute additional plugins, including NanoCore RAT, XWorm, and Remcos RAT, with Remcos RAT distributed through obfuscated VBS scripts, ScrubCrypt, and GuLoader PowerShell. Finally, a stealer component targets crypto wallets and applications like Atomic Wallet and Telegram to send stolen data to a remote server.
Accounting for the multiple layers of obfuscation and plugin deployment via different payloads, the campaign demonstrates threat actors’ efforts to stay versatile in their approach in order to persist and evade detection<. Pairing consistent monitoring capabilities with cyber hygiene surrounding email security continues to be an effective approach to minimizing threats from increasingly intricate phishing campaigns.
The Ugly | Bug in Rust Could Allow Command Injection Attacks
Codenamed BatBadBut, a new and critical vulnerability (CVE-2024-24576) could allow threat actors to target Windows systems and execute command injection attacks. The flaw, rated 10/10 CVSS, arises from weaknesses in OS command and argument handling in a number of programming languages, including Rust.
BatBadBut permits remote exploitation by unauthenticated attackers without user interaction. The bug only impacts Windows and only when programs or their dependencies execute batch files with untrusted arguments. In their security advisory, the Rust Security Response Working Group attributed the flaw to improper argument escaping when invoking batch files on Windows using the Command API.
The flaw affects all Rust versions prior to 1.77.2. Addressing the complexity of parsing rules in cmd.exe, Rust’s security team have since enhanced the escaping code and Command API to mitigate the risk. They have also introduced an InvalidInput error if the Command API fails to safely escape arguments during process spawning.
Today, Rust 1.77.2 will be released with a critical security patch to the standard library for those on Windows using the Command API to invoke batch files with untrusted arguments. No other platform or use is affected.
Maintainers of other languages have either updated their documentation or provided a patch, with the exception of Java, which currently has a status of ‘Won’t fix’.
Project
Status
Erlang
Documentation update
Go
Documentation update
Haskell
Patch available
Java
Won’t fix
Node.js
Patch available
PHP
Patch available
Python
Documentation update
Ruby
Documentation update
Rust
Patch available
The emergence of CVE-2024-24576 draws attention back to a February statement made by the National Cyber Director who called for widespread adoption of memory-safe programming languages (like Rust) to bolster their software security. A report released by the White House also promoted tech manufacturers to be proactive about reducing risk by adopting memory-safe programming languages in their operations.
https://phxtechsol.com/wp-content/uploads/2024/04/lockbit_leaksite_seizure.jpg11881932Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-12 07:09:292024-04-12 07:09:32The Good, the Bad and the Ugly in Cybersecurity – Week 15
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.
New York City based Sisense has more than a thousand customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”
“We are taking this matter seriously and promptly commenced an investigation,” Dash continued. “We engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.”
In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.
“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the sparse alert reads. “We will provide updates as more information becomes available.”
Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the company’s Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud.
Customers can use Gitlab either as a solution that is hosted in the cloud at Gitlab.com, or as a self-managed deployment. KrebsOnSecurity understands that Sisense was using the self-managed version of Gitlab.
Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.
It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.
The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time — sometimes indefinitely. And depending on which service we’re talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.
Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they’ve previously entrusted to Sisense.
Earlier today, a public relations firm working with Sisense reached out to learn if KrebsOnSecurity planned to publish any further updates on their breach (KrebsOnSecurity posted a screenshot of the CISO’s customer email to both LinkedIn and Mastodon on Wednesday evening). The PR rep said Sisense wanted to make sure they had an opportunity to comment before the story ran.
But when confronted with the details shared by my sources, Sisense apparently changed its mind.
“After consulting with Sisense, they have told me that they don’t wish to respond,” the PR rep said in an emailed reply.
Update, 6:49 p.m., ET: Added clarification that Sisense is using a self-hosted version of Gitlab, not the cloud version managed by Gitlab.com.
Also, Sisense’s CISO Dash just sent an update to customers directly. The latest advice from the company is far more detailed, and involves resetting a potentially large number of access tokens across multiple technologies, including Microsoft Active Directory credentials, GIT credentials, web access tokens, and any single sign-on (SSO) secrets or tokens.
The full message from Dash to customers is below:
“Good Afternoon,
We are following up on our prior communication of April 10, 2024, regarding reports that certain Sisense company information may have been made available on a restricted access server. As noted, we are taking this matter seriously and our investigation remains ongoing.
Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.
Specifically, you should:
– Change Your Password: Change all Sisense-related passwords on http://my.sisense.com
– Non-SSO:
– Replace the Secret in the Base Configuration Security section with your GUID/UUID.
– Reset passwords for all users in the Sisense application.
– Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
– Single Sign-On (SSO):
– If you use SSO JWT for the user’s authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly generated value on the side of the SSO handler.
– We strongly recommend rotating the x.509 certificate for your SSO SAML identity provider.
– If you utilize OpenID, it’s imperative to rotate the client secret as well.
– Following these adjustments, update the SSO settings in Sisense with the revised values.
– Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
– Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems.
– Data Models: Change all usernames and passwords in the database connection string in the data models.
– User Params: If you are using the User Params feature, reset them.
– Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization.
– HTTP Authentication for GIT: Rotate the credentials in every GIT project.
– B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection.
– Infusion Apps: Rotate the associated keys.
– Web Access Token: Rotate all tokens.
– Custom Email Server: Rotate associated credentials.
– Custom Code: Reset any secrets that appear in custom code Notebooks.
If you need any assistance, please submit a customer support ticket at https://community.sisense.com/t5/support-portal/bd-p/SupportPortal and mark it as critical. We have a dedicated response team on standby to assist with your requests.
At Sisense, we give paramount importance to security and are committed to our customers’ success. Thank you for your partnership and commitment to our mutual security.
Regards,
Sangram Dash
Chief Information Security Officer”
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-12 06:47:322024-04-12 06:47:40Why CISA is Warning CISOs About a Breach at Sisense
On Mar 29, 2024 details emerged about CVE-2024-3094, a vulnerability impacting the xz compression libraries used by Linux distributions.
The backdoor code was distributed to all rolling distributions. However, it was tailored to target distributions such as Debian and Fedora, which patch their SSH daemon with liblzma. Further, the backdoor scripts included system checks to guarantee that the object files were solely injected into Debian and Fedora distributions.
SentinelOne analyzed the technical implementation of the xz backdoor and the differences between the two versions. In this blog post, we describe and explore how subtle changes made by the threat actor in the code commits suggest that further backdoors were being planned.
XZ Compromise | A Technical Breakdown
In the first iteration of the compromise (version 5.6.0), the actor successfully added code to the xz repository that enabled injection of the backdoor on Debian and Fedora distributions. However, the second iteration (version 5.6.1) adds significantly more maturity by introducing the ability to execute additional shell scripts during the build phase via binary test blobs, presumably to make future updates to the backdoor less suspicious.
The injection of malicious shell scripts occurs during the execution of the configure command, which then inserts code inside the Makefile to build and replace object files with backdoor-infected counterparts.
Although the backdoor and its functionality remain the same across both versions, the setup to inject and replace object files differs. These discrepancies offer insights into the motivation and long-term plan of the threat actor.
Initial Setup
The first piece of the backdoor is the m4/build-to-host.m4 file. This file orchestrates minor modifications and conceals the extraction and execution of the Stage 1 backdoor file, bad-3-corrupt_lzma2.xz.
Note how the grep command matches one file in the source directory:
The actor introduced several new files that contributed to setting up Stage 2 of the backdoor in a later commit with the description, “Tests: Add a few test files”.
The next step extracts and stores the script from the bad-3-corrupt_lzma2.xz file within the variable gl_[$1]_config.
Here, the extracted script is executed, marking the progression towards the Stage 1 payload of the attack cycle.
Stage 1 Payload | System Checks & Extraction
The Stage 1 payload can be extracted from the bad-3-corrupt_lzma2.xz file via the following command:
This payload is responsible for extracting the Stage 2 payload from good-large_compressed.lzma and executing the setup script. There are several variables defined in this step that will be utilized in the later stages.
Another notable feature of this stage is the repeated use of the head command to discard 1024 bytes (1 KB) but use other 2048 bytes (2 KB) in a cyclic manner. This layer of obfuscation extracts another payload and removes junk data used to hide the payload, as shown in the following code from version 5.6.0:
This stage in version 5.6.1 has several differences from the previous version. One notable distinction is the inclusion of an operating system check to ensure that the backdoor is injected only when built on a Linux machine, which repeats five times.
Additionally, minor variations include changing the final byte count in the head command from 724 to 939, and adjusting the argument for the tr utility to account for this modified offset.
Following extraction, this payload is executed by piping it to bash, which advances the attack chain to Stage 2.
Stage 2 Payload | Injecting The Backdoor
The Second Stage Payload is responsible for the extraction, injection and cleaning of the backdoor files on Debian and Fedora builds. The script is broken in two execution phases:
Phase 1: executed during the configure command; injects code into the makefile
Phase 2: executed during the make command; injects the backdoor in object files
The script injects code in the makefile to execute the malicious code by running the make command. The script is aware of the phase it is executing in by checking the presence of config.status file and .libs/liblzma_la-crc64_fast.o.
This stage differs between versions. We believe the newer version seeks to make the backdoor modular so that other payloads could be injected down the line without adding new code to the build files.
5.6.0_stage_2_backdoor_extracted.sh
048b064241f06b0975c2e20132379b5478af0247
5.6.1_stage_2_backdoor_extracted.sh
cc23255b7c051d9c35d769d4e91d168e3f410c01
The script defines several environment variables that should be considered indicators of compromise when present on a system:
is_arch_extension_supported : a check that is replaced by _get_cpuid from a malicious object file
__get_cpuid: function that is replaced by malicious function exported in the backdoor object file
Good-large_compressed.lzma and bad-3-corrupt_lzma2.xz: Files that contain setup scripts for the backdoor
This step enables several checks which are performed before the backdoor is injected during the build process:
Checks that the GCC compiler is installed
Checks that the operating system is Linux and that the distribution is Debian or Fedora
Checks for the presence of a file named config.status
During this stage, the difference between versions 5.6.0 and 5.6.1 becomes significant. In 5.6.1, the threat actor introduced a code snippet aimed at enhancing the modularity of the backdoor. This modification enables the potential injection of different variants via test files in subsequent stages.
If any test file exists within the directory srcdir/tests/files/ and contains the magic bytes ~!:_ W and |_!{ -, the file will be unpacked and subsequently processed to execute the embedded scripts.
This enables the threat actor to deploy multiple backdoors in upstream packages through binary test files without arousing suspicion in the commit tree. These test binary blobs typically serve the purpose of stress-testing compression algorithms, pushing them to their limits by providing unconventional binary data for decompression.
This backdoor feature addresses a significant challenge faced by the threat actor during the development of the backdoor in version 5.6.0. The commit history shows the actor fabricated a pretext to commit new test files in order to update the backdoor.
Such functionality isn’t limited to a single instance. Another similar code snippet can be observed in the elif branch of the script executed during phase 2: make command execution. In this case, a check for magic bytes jV!.^% and %.R.1Z is performed, but the core extraction and execution of the script remain unchanged.
The remaining part of Stage 2 is consistent across both versions. The backdoored object file is extracted from the file good-large_compressed via an intricate awk command.
This segment is an implementation of a modified RC4 algorithm, which decrypts the payload after processing the compressed data, and writes it to liblzma_la-crc64-fast.o. The process remains identical in both versions, differing only in the bytes that are written.
The backdoor leverages ifunc resolvers, a feature of glibc and a recent addition to the xz project. These resolvers enable developers to have multiple implementations of a function and dynamically select which one to use at runtime through a resolver function. In this context, the backdoor replaces existing functions, i.e crc32_resolve() and crc64_resolve(), to execute different code discreetly. This mechanism provides an ideal means to execute the backdoor’s code without raising suspicion.
The script then proceeds to modify the source code of crc64_fast.c and compile it dynamically to incorporate ifunc resolvers, linking the backdoored liblzma_la-crc64_fast.o. Once the backdoor is successfully linked and set up, the script initiates cleanup to remove the artifacts used to build the backdoor.
Analysis of Attack Execution
The overall compromise spanned over two years. Under the alias Jia Tan, the actor began contributing to the xz project on October 29, 2021. Initially, the commits were innocuous and minor. However, the actor gradually became a more active contributor to the project, steadily gaining reputation and trust within the community.
Pressure emails
While Jia Tan made active contributions to the project, the project maintainer Lasse Collin started receiving emails from different people that pressured Lasse to transfer maintainership of the project to Jia. It’s possible that these emails were orchestrated as part of the operation, purportedly originating from non-existent individuals.
Addition Of Modularity in 5.6.1 release
As outlined above, features that allow the build scripts to directly execute code from test binary files were added in the 5.6.1 release to the backdoor. This change indicates the actor planned to infect the xz repository with other vulnerabilities as well. This statement is also supported by the later commit made to break the LandLock functionality in xz util (not liblzma).
Git Commit Forgery (disabling LandLock)
The commit made February 28 2024 breaks the C program that is used to check support for LandLock. Landlock is a Linux kernel process sandboxing feature that restricts the rights of a set of processes, which would give the attacker more latitude to infect an impacted system. These commits are made under author Lasse Collin. It is possible commits were forged for these changes.
Attribution
The attribution of the operation and the intended targeting are currently unknown. Based on the sophistication and long timeframe required to execute this attack, we believe the actor is likely a state-aligned entity. It is plausible that this operation was outsourced by someone without necessarily revealing the true target of interest.
Conclusion
The operation that led to the xz backdoor demonstrates the risk of supply chain attacks in Open Source Software (OSS) projects. Open Source is often deemed safe from such attacks, given its scrutiny by a multitude of contributors, making it improbable to implant malicious code without detection.
The operation exploited gaps in the reputation process and the absence of audits on released tarballs. Moreover, commits to the LandLock functionality, along with code changes between versions, underscored the actor’s intention to introduce additional backdoors and sustain access to the repository.
SentinelOne is closely monitoring this supply-chain attack. SentinelOne Singularity detects malicious behaviors attempted by an adversary via this backdoor.
Indicators of Compromise
5.6.0_stage_1_backdoor_blob.bin
96e42f5baf3f1bad129de247e9e0b30e6bcbd8fe
5.6.0_stage_1_backdoor_extracted.bin
1e14bb58eaa1c1ac3227fd999fe9c3aa80ab25d3
5.6.0_stage_2_backdoor_blob.bin
bbeaeac4a1d3849098c2ebbaea526d2404171295
5.6.0_stage_2_backdoor_extracted.sh
048b064241f06b0975c2e20132379b5478af0247
5.6.1_stage_1_backdoor_blob.bin
01e966ce1de7f847d2e44c52fea1eb58c081ea0d
5.6.1_stage_1_backdoor_extracted.sh
894b62c59533996a4376743782e78426a52f8cbc
5.6.1_stage_2_backdoor_blob.bin
dcc80761f84592b2c85ab71df2bc10b835121861
5.6.1_stage_2_backdoor_extracted_script.sh
cc23255b7c051d9c35d769d4e91d168e3f410c01
liblzma.so.5.6.0
72e8163734d586b6360b24167a3aff2a3c961efb
liblzma.so.5.6.1
8a75968834fc11ba774d7bbdc566d272ff45476c
liblzma.so.5
123e570ac3d28a9f7ce6c30fdb19e20a8c23efae
liblzma_la-crc64-fast.o
0ebf4b63737cdf3e084941c7d02f8eec5ca8d257
liblzma_la-crc64-fast.o
cc5c1d8f9924a3939f932a50f666dba03531e6a9
liblzma_la_crc64_fast.o
fb8b18fa39f198298c9f553496a18aa94fa75c03
SentinelOne Singularity XDR
See how SentinelOne XDR provides end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.
https://phxtechsol.com/wp-content/uploads/2024/04/XZ_Utils_soc.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-11 07:00:202024-04-11 07:00:38XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities
On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.
The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.
A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far shows the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.
Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”
Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in “twitter.com” to “x.com.”
Original story:
The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.
A number of these new domains including “twitter.com” appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was “acquired to prevent its use for malicious purposes,” along with a Twitter/X username.
The domain mentioned at the beginning of this story — fedetwitter.com — redirects users to the blog of a Japanese technology enthusiast. A user with the handle “amplest0e” appears to have registered space-twitter.com, which Twitter/X users would see as the CEO’s “space-x.com.” The domain “ametwitter.com” already redirects to the real americanexpress.com.
Some of the domains registered recently and ending in “twitter.com” currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).
The domain setwitter.com, which Twitter/X until very recently rendered as “sex.com,” redirects to this blog post warning about the recent changes and their potential use for phishing.
Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.
“Bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity — many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,” McNee said. “It is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.”
The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:
“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-11 06:38:092024-04-11 06:38:16Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers
If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.
Yes, you read that right. Microsoft today released updates to address 147 security holes in Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, DNS Server, Windows Defender, Bitlocker, and Windows Secure Boot.
“This is the largest release from Microsoft this year and the largest since at least 2017,” said Dustin Childs, from Trend Micro’s Zero Day Initiative (ZDI). “As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time.”
Tempering the sheer volume of this month’s patches is the middling severity of many of the bugs. Only three of April’s vulnerabilities earned Microsoft’s most-dire “critical” rating, meaning they can be abused by malware or malcontents to take remote control over unpatched systems with no help from users.
Most of the flaws that Microsoft deems “more likely to be exploited” this month are marked as “important,” which usually involve bugs that require a bit more user interaction (social engineering) but which nevertheless can result in system security bypass, compromise, and the theft of critical assets.
Ben McCarthy, lead cyber security engineer at Immersive Labs called attention to CVE-2024-20670, an Outlook for Windows spoofing vulnerability described as being easy to exploit. It involves convincing a user to click on a malicious link in an email, which can then steal the user’s password hash and authenticate as the user in another Microsoft service.
Another interesting bug McCarthy pointed to is CVE-2024-29063, which involves hard-coded credentials in Azure’s search backend infrastructure that could be gleaned by taking advantage of Azure AI search.
“This along with many other AI attacks in recent news shows a potential new attack surface that we are just learning how to mitigate against,” McCarthy said. “Microsoft has updated their backend and notified any customers who have been affected by the credential leakage.”
CVE-2024-29988 is a weakness that allows attackers to bypass Windows SmartScreen, a technology Microsoft designed to provide additional protections for end users against phishing and malware attacks. Childs said one ZDI’s researchers found this vulnerability being exploited in the wild, although Microsoft doesn’t currently list CVE-2024-29988 as being exploited.
“I would treat this as in the wild until Microsoft clarifies,” Childs said. “The bug itself acts much like CVE-2024-21412 – a [zero-day threat from February] that bypassed the Mark of the Web feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass Mark of the Web.”
Update, 7:46 p.m. ET: A previous version of this story said there were no zero-day vulnerabilities fixed this month. BleepingComputer reports that Microsoft has since confirmed that there are actually two zero-days. One is the flaw Childs just mentioned (CVE-2024-21412), and the other is CVE-2024-26234, described as a “proxy driver spoofing” weakness.
Satnam Narang at Tenable notes that this month’s release includes fixes for two dozen flaws in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely” according to Microsoft.
“However, the last time Microsoft patched a flaw in Windows Secure Boot in May 2023 had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000,” Narang said. “BlackLotus can bypass functionality called secure boot, which is designed to block malware from being able to load when booting up. While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”
For links to individual security advisories indexed by severity, check out ZDI’s blog and the Patch Tuesday post from the SANS Internet Storm Center. Please consider backing up your data or your drive before updating, and drop a note in the comments here if you experience any issues applying these fixes.
Adobe today released nine patches tackling at least two dozen vulnerabilities in a range of software products, including Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate.
KrebsOnSecurity needs to correct the record on a point mentioned at the end of March’s “Fat Patch Tuesday” post, which looked at new AI capabilities built into Adobe Acrobat that are turned on by default. Adobe has since clarified that its apps won’t use AI to auto-scan your documents, as the original language in its FAQ suggested.
“In practice, no document scanning or analysis occurs unless a user actively engages with the AI features by agreeing to the terms, opening a document, and selecting the AI Assistant or generative summary buttons for that specific document,” Adobe said earlier this month.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-10 06:28:322024-04-10 06:28:35April’s Patch Tuesday Brings Record Number of Fixes
This week, we focus on how emerging generative AI tools are accelerating cybersecurity defensive capabilities, with a deep dive on SentinelOne’s newly released Purple AI.
Please subscribe to read future issues — and forward this newsletter to interested colleagues.
Insight Focus | Navigating Cybersecurity in the Era of AI: Challenges, Opportunities, and Emerging Solutions
The rapid advancement of artificial intelligence (AI) has transformed the landscape of cybersecurity, presenting both promising innovations and potential risks. As AI becomes increasingly integrated into the strategies of both attackers and defenders, organizations must adapt to this new reality and develop effective approaches to safeguard their assets and maintain a competitive edge.
The landscape of generative AI is shifting and different firms will face different challenges and opportunities based on their position in the value chain. Risk management practices and effective tools are still in development, even as the pressure to deploy solutions for competitive advantage grows.
In the cybersecurity space, it is critical to balance innovation with security, pace with integrity, and simplicity over complexity. At the same time, adversaries and criminals are willing to take risks and experiment. Defenders must run faster, iterate more effectively, and stay ahead of the growing threat to the modern enterprise.
The Impact of AI on Cyber Threats and Defenses
AI has emerged as a double-edged sword in the realm of cybersecurity. Malicious actors, ranging from state-sponsored groups to opportunistic hackers, are leveraging AI to accelerate their activities, up-level capabilities, refine tactics, techniques, and procedures (TTPs), and launch more sophisticated attacks.
In response to these evolving threats, the cybersecurity industry is harnessing the power of AI to develop advanced defensive capabilities. SentinelOne is deploying its own AI technologies as a force multiplier for security teams, enabling organizations to keep pace with the increasing volume and complexity of cyber attacks.
Purple AI | Pioneering AI-Powered Cyber Defense
As security challenges become increasingly data-driven, traditional approaches to threat detection and response are proving insufficient. Security analysts often find themselves overwhelmed by the sheer volume of alerts and the complexity of the threat landscape, leading to alert fatigue and delayed response times.
Enter Purple AI: an innovative AI-powered cyber defense solution designed to streamline and enhance security operations. Developed by SentinelOne, Purple AI leverages generative models and natural language processing to empower analysts to interact with threat intelligence and security data in a more intuitive and efficient manner. By simply asking questions in natural language, analysts can quickly identify suspicious activities, uncover hidden threats, and receive context-aware insights and recommendations for remediation.
Purple AI is built upon a set of core design principles that prioritize helpfulness, accuracy, responsiveness, safety, transparency, adaptability, and comprehensiveness. These principles ensure that the solution reduces the burden on security teams, delivers up-to-date and accurate responses, enables SecOps at the pace of conversation, respects trust and security boundaries, provides clear insights into its workings, continuously improves with use and feedback, and offers a familiar and comprehensive approach to getting work done.
The integration of AI into cyber defense solutions like Purple AI democratizes threat hunting and response, empowering even less-experienced security teams to rapidly detect and mitigate threats that would have previously required significant time and expertise. This levels the playing field against sophisticated cyber adversaries and enables organizations to respond to incidents with greater speed and accuracy.
Navigating the Risks and Challenges of AI in Cybersecurity
While AI offers immense potential for enhancing cybersecurity, its adoption across the enterprise in diverse use cases introduces new risks and challenges that organizations must navigate. Effective AI risk management requires a holistic approach that encompasses regulatory compliance, technology and security, data privacy, reputation management, legal considerations, and operational resilience.
Cross-functional collaboration is essential for successful AI risk management. Information security, legal, and enterprise technology teams must work together to ensure a cohesive and comprehensive approach to AI governance and security. Bridging the gap between AI developers, product managers, trust and safety teams, and infosec professionals is crucial for addressing emerging AI security challenges effectively.
Moreover, AI safety and security assurance goes beyond traditional information security practices. It requires a broader perspective that includes assessments of model fairness, bias, harmful content, and potential misuse. Security practices must not only emulate the tactics of malicious actors but also consider the unintended consequences of AI systems and the potential for inadvertent data leakage or misuse by regular users.
As AI systems become more autonomous and powerful, organizations must establish robust controls and governance frameworks to ensure responsible development and deployment. The geopolitical implications of AI in cybersecurity cannot be overlooked, as nation-states compete for strategic advantage in this domain.
Embracing Responsible AI in Cybersecurity
The era of AI in cybersecurity presents both challenges and opportunities for organizations. By adopting a proactive and responsible approach to AI development and deployment, organizations can harness the power of AI to enhance their defenses while mitigating associated risks.
Embracing AI-powered solutions like Purple AI – which adhere to principles of transparency, adaptability, safety, and comprehensiveness – can enable organizations to stay ahead of evolving cyber threats. However, maintaining a balance between innovation and risk management requires ongoing collaboration, adaptability, and a commitment to responsible AI practices.
As the cybersecurity landscape continues to evolve, organizations must remain vigilant, agile, and informed about the latest developments in AI and its implications for cyber defense. By fostering a culture of continuous learning, collaboration, and responsible innovation, organizations can navigate the challenges and opportunities of AI in cybersecurity and build a more secure and resilient future.
If you are interested in learning more about SentinelOne’s Purple AI or PinnacleOne’s approach to AI risk management and cybersecurity strategy, please reach out.
https://phxtechsol.com/wp-content/uploads/2024/04/Navigating-the-Era-of-AI-in-Cybersecurity.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-09 06:39:362024-04-09 06:39:45PinnacleOne ExecBrief | Navigating the Era of AI in Cybersecurity: Challenges, Opportunities & Emerging Solutions
Imagine if hunting for emerging threats was as straightforward as asking a colleague a simple question in plain language. Today, I’m excited to announce that SentinelOne has turned this into a reality with the launch of Purple AI.
Last April, we unveiled a first-of-its-kind AI-assisted platform that fuses data from SentinelOne’s real-time, embedded neural networks with a large language model (LLM)-based natural language interface to simplify threat hunting and help analysts boost productivity and scale their operations.
Today, we are excited to announce that Purple AI, the industry’s most advanced AI security analyst, is now generally available worldwide. Purple AI helps security teams detect earlier, respond faster, and stay ahead of attacks. It radically accelerates threat hunting, investigations, and response so security teams can save time, reduce costs, and better protect their environments.
Scaling Autonomous Protection Across the Enterprise
Purple AI is a force multiplier for security teams. It translates natural language questions into sophisticated PowerQueries within seconds, facilitates deep log analysis of native and third-party data, and provides one-click hunting quickstarts, suggested queries, and shareable investigation notebooks.
Early adopters perceived threat hunting with Purple as 80% faster, and 78% of those surveyed found investigation notebooks to be very or extremely helpful.
“The security insights provided by Purple AI have surpassed anything PruittHealth had before,” said Richard Bailey, SVP of IT at PruittHealth Connect Inc. “Purple AI assists in identifying weaknesses and vulnerabilities, thus bolstering PruittHealth’s overall security. Additionally, it enhances accuracy and reduces human error in data queries, allowing more time for other tasks.”
Maximizing the SOC’s Full Potential
Today’s security teams are dealing with a sophisticated threat landscape and endless alert queues that grow far faster than what teams can even hope to resolve. Staying ahead of adversaries requires both innovation and scalability, and Purple AI was specifically designed to empower your team to maximize their productivity.
Purple provides the following key benefits:
Simplifying the Complex – Querying your Singularity Data Lake is as easy as asking a colleague a question. Simply ask Purple a question like, “Am I being targeted by FIN12?” without needing to reference data schemas or create complex queries. This enables faster and more effective threat hunting for every analyst.
Up-Leveling the Entire SOC Team – Investigation notebooks make whole teams more efficient. Notebooks are auditable and shareable, and early adopters have used this as a knowledge-amplification tool. Senior analysts write plain language queries shared in an investigation notebook with their colleagues, which makes their expertise more accessible.
Taking Hunts from Hours to Minutes – Accelerate SecOps with AI-powered analyses, auto-summaries, and suggested next queries. Purple AI provides pre-populated threat hunting ‘quick starts’ and uses the latest threat intelligence so analysts can begin a hunt with a single click.
Safeguarding Your Data – Purple is designed for data protection and privacy by design. It is never trained with customer data and is architected with the highest level of safeguards.
What’s the Purple AI Difference?
As criminals around the world are starting to leverage AI-based, automated tools to execute malicious attacks, SentinelOne is taking this technology to help enterprises control all aspects of their security posture, from visibility and response, to supercharging SecOps and building long-term cyber resilience.
Speed & Visibility One Console, Platform & Data Lake
Responding to emerging threats requires both speed and deep visibility. Purple AI provides both, so analysts can see the full picture within the Singularity Platform. This means one unified console built on top of the industry’s most performant data lake for lightning-fast queries.
Purple AI is also the only AI security platform that supports the widely adopted Open Cybersecurity Schema Framework (OCSF), providing analysts with full data visibility and a single normalized view of native and partner data.
One of modern SOC teams’ biggest challenges is dealing with alert fatigue, which precludes proactive threat hunting and leads to missed notifications and burnout. Purple AI takes an intelligent, action-oriented approach to make threat hunting simple.
Security analysts are able to reduce critical MTTD through the Purple AI quickstart library, which provides suggested prompts to kick off investigations in natural language with a single click. Further, Purple will provide contextual suggested next queries to help analysts conduct faster, deeper investigations to better understand and mitigate critical risk.
Accelerated Collaboration Across the Board
Purple goes far beyond the now-popular chatbot experience. It helps analysts conduct deeper investigations that they can share across teams with auditable and auto-saved investigation notebooks. Since security analysts can now use natural language to conduct investigations, this means that the notebooks become artifacts they can share even with management and leadership teams without investing additional effort to make them understandable.
Open & Reliable AI
Purple AI focuses on transparency, prioritizing SentinelOne’s commitment to security and privacy. The platform employs the highest level of safeguards to protect and ensure you own your data, and models are not trained using customer data or requests. Purple is also designed so that SOC teams can easily view query translations for verification and analyst training.
Conclusion | Learn More About Purple AI
Purple AI is set to enhance the threat hunting experience for modern enterprises and provide security professionals with the tools they need to secure today, tomorrow, and beyond. Saving time and maximizing resources through Purple AI ensures enterprises can focus on business-critical operations and build up a strong and lasting cyber posture against even the most sophisticated threats.
Book a demo with the SentinelOne team to learn more about how Purple AI can help untap the potential of your security teams.
Purple AI Is Now Generally Available
Save time and resources by up-leveling every analyst with natural language query translation and patent-pending threat hunting technology.
https://phxtechsol.com/wp-content/uploads/2024/04/Transform-SecOps-with-Purple-AI-Now-Generally-Available.jpg6271200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2024-04-08 06:29:372024-04-08 06:29:45Transform SecOps with Purple AI, Now Generally Available
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Google Analytics Cookies
These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.
If you do not want that we track your visit to our site you can disable tracking in your browser here:
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
Other cookies
The following cookies are also needed - You can choose if you want to allow them: