The Good, the Bad and the Ugly in Cybersecurity – Week 22

The Good | Two Major Botnets Taken Down by Collaborative DoJ and Europol Operations

The botnet industry took a serious hit this week as law enforcement in the U.S. and in Europe executed two major operations to dismantle 911 S5 – likely one of the world’s largest botnets, and an extensive ecosystem of malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot, respectively.

DoJ-led Operation Tunnel Rat successfully disrupted and seized the notorious 911 S5 residential proxy botnet and arrested its administrator, Chinese national YunHe Wang (35). Wang’s current charges stem from his deployment of malware and the creation and operation of the botnet service. According to the indictment, Wang and his co-conspirators amassed a network of over 19 million residential Windows devices globally, including 613,841 IP addresses located in the United States alone.

911 S5 revenue was generated by offering cybercriminals access to infected IP addresses for a fee. Over its years of operation, the 911 S5 botnet facilitated numerous large-scale cyberattacks, financial and identity schemes, child exploitation, bomb threats, and more. Wang faces 65 years in prison if convicted on all counts.

Europol’s Operation Endgame saw similar success by targeting over 100 servers worldwide that feed several major malware droppers. Malware droppers serve to introduce harmful payloads into a victim’s system, acting like an initial access point and delivery vehicle for ransomware, spyware, keyloggers, trojans and more. After seizing an infrastructure hosting over 2000 domains, the agency arrested four individuals and identified eight fugitives linked to associated malware operations. According to reports, one of the main suspects involved made $74.5 million USD by renting out their infrastructure for ransomware deployment. Operation Endgame is being lauded as the largest operation against botnets and a marked step forward in disrupting the ransomware landscape.

The Bad | Proof-of-Concept Exploit Released for Critical RCE Flaw in Fortinet’s SIEM Appliances

An exploit has been released for a maximum-severity remote code execution (RCE) flaw in Fortinet’s security information and event management (SIEM) solution. Described as an improper neutralization of special elements used in an OS command (command injection) in FortiClient FortiSIEM (versions 6.4.0 and higher), CVE-2024-23108 allows attackers to execute unauthorized code or commands via crafted API requests.

Security researchers who published a technical analysis of the issue noted that CVE-2024-23108 was patched in February along with another critical-severity RCE bug tracked as CVE-2024-23109. Initially, Fortinet claimed these two flaws were duplicates of a similar flaw (CVE-2023-34992) patched in October; it later confirmed that the CVEs were variants of the original vulnerability.

Now, the newly released proof-of-concept (PoC) shows that while the first patches attempted to neutralize user-controlled inputs by adding a wrapShellToken() utility, a second-order command injection remains when certain parameters are passed to datastore.py.

datastore.py validating server_ip (Source: Horizon3.ai)

Ransomware outfits commonly target Fortinet vulnerabilities to obtain initial access to corporate and government organizations. Such flaws are also often seen in cyber espionage attacks, where the threat actors can establish a beachhead to target several high-value victims quickly. Placing an emphasis on regular patch management and system log monitoring, in conjunction with robust detection and response technology that covers all attack surfaces, minimizes the risk of data loss and business disruption.

The Ugly | PyPi Info-Stealer Promoted On Stack Overflow By Threat Actors Posing As Helpful Contributors

The online developer community Stack Overflow is reportedly being exploited by threat actors to distribute malware. Blending into the Q&A structure of the platform, actors have been observed answering questions and promoting a malicious PyPi package named ‘pytoileur’. Security researchers reporting the discovery describe how the package installs information-stealing malware on Windows systems to perform surveillance, establish persistence, and steal cryptocurrency.

(Source: Sonatype)

Pytoileur was uploaded to the PyPi repository as an API management tool. The package’s metadata includes a ‘Cool package’ string, linking pytoileur to an ongoing campaign from 2023. While such packages are usually spread through typosquatting, actors leveraged Stack Overflow’s popularity and reach amongst global developers, posing as users answering open issues before promoting pytoileur as the solution.

The malicious package contains a ‘setup.py’ file with a base64-encoded command that is padded with spaces, making it difficult to detect unless users have word wrap enabled in their text editor. Once decoded, the command downloads and executes a file called runtime.exe, a Python program that steals passwords, cookies, credit cards, browser history, and other sensitive data from the user’s system. Harvested data is then sent back to the threat actor to be used for future compromise of affected account owners, or sold on dark markets.
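As an added illustration (not code from the original post or from Sonatype), the following Python scanner flags the two tricks described above in a constructed setup.py: content hidden behind a long run of padding spaces, and a base64 blob that decodes to text. The sample file, its harmless encoded print() stand-in and the length thresholds are all assumptions.

```python
import base64
import binascii
import re

# Constructed sample setup.py (not the real pytoileur file). The suspicious
# line is pushed far to the right with padding spaces so that, without word
# wrap, a reviewer sees only the harmless-looking start of the line. The
# encoded command is a harmless print() stand-in for the downloader.
HIDDEN_COMMAND = "print('constructed harmless stand-in for the stager')"
PAYLOAD_B64 = base64.b64encode(HIDDEN_COMMAND.encode()).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "\n"
    "setup(\n"
    "    name='example-pkg',\n"
    "    version='1.0.0',\n"
    "    description='Cool package',\n"
    "    install_requires=['requests'],"
    + " " * 300
    + f"_=exec(base64.b64decode('{PAYLOAD_B64}'))\n"
    ")\n"
)

# A long run of spaces that may push content off-screen (threshold is an assumption).
PADDING_RUN = re.compile(r" {40,}")
# Tokens that look like base64 (standard alphabet, at least 40 characters).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Calls that have no business in package metadata.
RISKY_CALLS = re.compile(r"\b(exec|eval|b64decode|subprocess|os\.system|urlopen)\b")


def decode_if_text(token):
    """Return the decoded text if token is valid base64 of printable text, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def scan_setup_py(source):
    """Flag lines that hide content behind padding or carry decodable base64 blobs."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.lstrip()          # ignore normal indentation
        indent = len(line) - len(stripped)
        reasons, decoded = [], None
        pad = PADDING_RUN.search(stripped)
        hidden = stripped[pad.end():] if pad else ""
        if hidden.strip():
            reasons.append(f"content hidden after {pad.end() - pad.start()} spaces "
                           f"at column {indent + pad.start() + 1}")
        for token in B64_TOKEN.findall(stripped):
            decoded = decode_if_text(token)
            if decoded is not None:
                reasons.append(f"base64 token decodes to text: {decoded[:50]!r}")
                break
        if reasons:
            # Only report risky calls when the line is already suspicious, so a
            # legitimate build script that shells out is not flagged on its own.
            calls = sorted(set(RISKY_CALLS.findall(stripped)))
            if calls:
                reasons.append("risky calls on the same line: " + ", ".join(calls))
            findings.append({"line": lineno, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {finding['line']}: " + "; ".join(finding["reasons"]))
```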

As of this writing, the package had been downloaded 369 times before the malicious account was suspended from Stack Overflow. Though malicious PyPi packages are a recurring problem, threat actors masquerading as helpful users on question-and-answer forums is a novel technique. It underscores the evolving strategies of cybercriminals, who continue to leverage widely-trusted open-source platforms that support developers of all experience levels as a way to propagate malware.

Chained Detections | Revolutionizing Adaptive Threat Hunting

Chained detections is a new threat hunting paradigm aligned with the strategy of chaining interesting events to identify behavior patterns and augment threat attribution. Much like SentinelOne’s Storyline technology, which connects events from various sources to create a narrative of an attack, human threat hunters harness these capabilities to comprehensively grasp the potential impact of a threat actor.

This new methodology, unique to SentinelOne’s WatchTower services, incorporates proactive and sophisticated ways of uncovering and responding to complex threats. This blog is the second installment in our series showcasing today’s threat hunting infrastructures and explores how to further leverage Chained Detections to enhance an organization’s security posture through adaptive threat hunting. Read part one of the series here.

Understanding Chained Detections

One of the biggest challenges in threat hunting is that it operates primarily within the sphere of low- and medium-fidelity results. High-fidelity detections can be easily converted into alerts, but the rest are subject to a mundane and time-consuming review, something only more senior analysts can do well. This can make threat hunting both a time-consuming and cost-prohibitive exercise for many organizations.

There have been many attempts to tackle this problem, including risk-based alerting, clustering, baselining, allowlisting and denylisting, data normalization, tokenization, and supporting the results with additional data enrichment strategies, but there is one more highly effective method out there. Chained detections execute a sequence of automated tasks triggered by an initial detection with the aim to triage and enrich telemetry data progressively.

Chained detections within the feedback loop

This approach helps to uncover and respond to complex threats without going down too many rabbit holes. Incorporating this new adaptive threat hunting methodology increases the effectiveness of any threat hunting program.

Initial Detection Trigger

The process begins with an initial detection, which could be based on various indicators such as anomalous behavior, known attack patterns, or suspicious activity in telemetry data. Due to the nature of the methodology, vague signals can also be used to execute the chain. For example, a file with a specific file name dropped anywhere on a system could act as a trigger.

Automated Triage

Once a detection is made, automated triage processes come into play. These processes aim to quickly assess the detection’s severity and relevance. Some basic steps in automated triage would include:

  • Contextual Enrichment – Gathering additional data and context around the event, such as user accounts, device information, or network traffic patterns.
  • Correlation – Determining if the event is part of a broader attack or a standalone incident by correlating it with earlier events stored in a centralized logging backend.
  • Prioritization – Assigning a priority level to the event based on its perceived risk and potential impact to the organization before collecting more information.

Chaining Tasks

Depending on the outcome of the initial triage, additional automated tasks are triggered in a chained manner. These tasks are designed to gather more information, validate the detection, and potentially take predefined actions. Examples of chained tasks include:

  • Threat Intelligence Lookup – Querying threat intelligence feeds to check if the indicators associated with the event are known threats.
  • Isolation and Remediation – Isolating the affected system or network segment to prevent lateral movement by the attacker and initiating remediation actions, such as applying patches or disabling compromised accounts.

Data Collection

It may be necessary to gather detailed information about the affected system, such as running YARA rules and collecting memory dumps, process lists, or file system snapshots.

Decision Points, Human Intervention & Feedback Loops

At each stage of the chained detection process, decision points are established based on the findings. These decision points guide whether to continue with additional tasks, escalate the incident, or conclude the investigation.

While much of this process is automated, there is still a role for human intervention. Security analysts may be brought into the loop when certain thresholds are met or when the automated processes cannot make conclusive determinations.

Chained detections also incorporate a feedback loop for continuous improvement. Information gathered during investigations, including false positives and false negatives, is used to refine and enhance detection and response processes.

The chained detections approach for threat hunting is highly effective for dealing with advanced and evolving threats. It enables organizations to respond rapidly and systematically to security incidents, minimizing the impact and reducing the time to remediation. It also leverages automation to handle repetitive tasks, allowing security analysts to focus on complex investigations and strategic decision-making.
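An added example, not SentinelOne’s own code: a small Python chained-detection pipeline that runs the stages above (trigger, enrichment, correlation, prioritization, a chained threat-intelligence lookup, two decision points and a feedback loop) over constructed telemetry. Field names follow those shown in the case study below; the hosts, hashes, addresses, scoring weights and thresholds are assumptions.

```python
from collections import Counter

# Constructed telemetry, modelled on the field names shown in the case study
# (endpoint.name, tgt.file.path, tgt.file.sha1, src.process.user). Hosts,
# hashes and addresses are placeholders, not indicators from the investigation.
TELEMETRY = [
    {"ts": 100, "endpoint.name": "xxxserver1", "event": "file_create",
     "tgt.file.path": r"C:\Users\userA\Downloads\Telegram Desktop\nj-RAT.zip",
     "tgt.file.sha1": "SHA1_PLACEHOLDER_A", "src.process.user": r"xxxserver1\userA"},
    {"ts": 130, "endpoint.name": "xxxserver1", "event": "file_create",
     "tgt.file.path": r"C:\Users\userA\Downloads\Telegram Desktop\ddos.exe",
     "tgt.file.sha1": "SHA1_PLACEHOLDER_B", "src.process.user": r"xxxserver1\userA"},
    {"ts": 300, "endpoint.name": "workstation7", "event": "file_create",
     "tgt.file.path": r"C:\Users\userB\Downloads\report.zip",
     "tgt.file.sha1": "SHA1_PLACEHOLDER_C", "src.process.user": r"workstation7\userB"},
] + [
    # A burst of failed RDP logons against the same host from one source address.
    {"ts": 200 + i, "endpoint.name": "xxxserver1", "event": "logon_failed",
     "logon.type": "RDP", "src.ip": "203.0.113.10",
     "src.process.user": rf"xxxserver1\guess{i}"}
    for i in range(25)
]

# Low-fidelity trigger: file names worth a second look wherever they land
# (names taken from the case study; the watch list itself is illustrative).
TRIGGER_FILENAMES = {"nj-rat.zip", "nlbrute.rar", "nla.ckecker.zip"}
# Constructed stand-in for a threat intelligence feed keyed by SHA-1.
THREAT_INTEL = {"SHA1_PLACEHOLDER_B": "DDoS tool (constructed entry)"}


def file_name(event):
    return event["tgt.file.path"].rsplit("\\", 1)[-1].lower()


def initial_trigger(events, benign_hashes):
    """Stage 1: fire on watch-listed file names, skipping hashes cleared by feedback."""
    return [e for e in events if e["event"] == "file_create"
            and file_name(e) in TRIGGER_FILENAMES
            and e["tgt.file.sha1"] not in benign_hashes]


def enrich(trigger, events):
    """Stage 2a (contextual enrichment): the same user's other activity."""
    user = trigger["src.process.user"]
    activity = [e for e in events if e.get("src.process.user") == user and e is not trigger]
    return {"host": trigger["endpoint.name"], "user": user, "user_activity": activity}


def correlate(trigger, events, window=600):
    """Stage 2b (correlation): failed logons on the same host within the time window."""
    failed = [e for e in events if e["endpoint.name"] == trigger["endpoint.name"]
              and e["event"] == "logon_failed" and abs(e["ts"] - trigger["ts"]) <= window]
    sources = Counter(e["src.ip"] for e in failed)
    return {"failed_logons": len(failed), "top_source": sources.most_common(1)}


def prioritize(enriched, correlated, intel_hits):
    """Stage 2c (prioritization): a simple additive score; weights are illustrative."""
    score = 1
    if enriched["user_activity"]:
        score += 1
    if correlated["failed_logons"] >= 10:
        score += 3
    score += 2 * len(intel_hits)
    return score


def threat_intel_lookup(trigger, enriched):
    """Stage 3 (chained task): look up every hash seen for this user."""
    hashes = [trigger["tgt.file.sha1"]] + [
        e["tgt.file.sha1"] for e in enriched["user_activity"] if "tgt.file.sha1" in e]
    return {h: THREAT_INTEL[h] for h in hashes if h in THREAT_INTEL}


def run_chain(events, benign_hashes=frozenset(), lookup_at=2, escalate_at=5):
    """Run the chain for every trigger and return one outcome per trigger."""
    outcomes = []
    for trigger in initial_trigger(events, benign_hashes):
        enriched = enrich(trigger, events)
        correlated = correlate(trigger, events)
        score = prioritize(enriched, correlated, {})
        # Decision point 1: is more context worth the cost of an external lookup?
        intel = threat_intel_lookup(trigger, enriched) if score >= lookup_at else {}
        score = prioritize(enriched, correlated, intel)
        # Decision point 2: hand off to a human, or close the chain automatically.
        decision = "escalate_to_analyst" if score >= escalate_at else "close_automatically"
        outcomes.append({"host": enriched["host"], "user": enriched["user"],
                         "trigger_file": file_name(trigger), "score": score,
                         "failed_logons": correlated["failed_logons"],
                         "intel_hits": intel, "decision": decision,
                         "trigger_sha1": trigger["tgt.file.sha1"]})
    return outcomes


def apply_feedback(outcome, verdict, benign_hashes):
    """Feedback loop: an analyst's false-positive verdict clears the hash for future runs."""
    updated = set(benign_hashes)
    if verdict == "false_positive":
        updated.add(outcome["trigger_sha1"])
    return updated
```

Running `run_chain(TELEMETRY)` on the constructed data yields one escalated outcome for xxxserver1; feeding a false-positive verdict back through `apply_feedback` makes the next run skip that hash.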

Case Study | Real-World Threat Hunting with SentinelOne’s WatchTower Team

A malicious hacker reaches out to a client, claiming to have infiltrated their CCTV system and asking for compensation. The SentinelOne WatchTower team receives the call to help uncover the culprits behind the extortion attempt, the precise actions taken, the systems involved, and the exact timing of it all. First, the team deploys instrumentation across what had been a cybersecurity blackout: a significant number of systems with no detection and response tools installed. This is a digital detective game, and the main goal is to gain insight into every system-level and user-based move.

SentinelOne followed the below steps to effectively threat hunt and mitigate the threat:

  1. Scanning for initial indicators, the SentinelOne response team found an initial detection in the EDR telemetry indicating that malware payloads might be present on an endpoint.
  2. Although there were no malicious processes and the files had been deleted, the team was able to locate some low-frequency indicators. To build more context, the team collected file metadata using YARA rules.
  3. This revealed definite artifacts of files that were once on the system, specifically, payloads which may have included remote access tools (RATs) such as njRAT and StRaXxXD – likely downloaded from Telegram.
  4. After backtracking the user activities, various RDP brute forcing tools such as NLA.Ckecker and NLBrute were identified as having been downloaded onto other systems.
  5. This activity strongly indicated potential Initial Access Broker activity – not just an average attacker, but a sophisticated criminal organization.

Initial Detection on Target Compromised System

Threat Hunting Details:

endpoint.name: xxxserver1
timestamp: <>
tgt.file.path:
  C:\Users\...\Downloads\nj-RAT.zip
  C:\Users\...\Downloads\Telegram Desktop\nj-RAT.zip
tgt.file.sha1: ed4f80…
src.process.user: xxxserver1\userA

The same user downloaded ddos.exe (alerted by SentinelOne upon agent installation on a different system):

timestamp: <>
tgt.file.path: C:\Users\...\Downloads\Telegram Desktop\ddos.exe
tgt.file.sha1: fddece…
src.process.user: xxxserver1\userA

Viewing event logs and correlating activity, the SentinelOne WatchTower team identified an active brute-force login attempt after finding numerous failed login attempts on xxxserver1. Upon checking the visible IP in the console, the team found it to be 10.x.x.x, with RDP port 3389 open and accessible from the Internet. The team then pinpointed the machine that had been subjected to Remote Desktop Protocol (RDP) brute forcing and compromised to launch the attack.

Selecting and running a brute force attack with NLBrute

Remote Desktop Protocol (RDP), developed by Microsoft, provides a convenient way to access IT systems remotely and is widely used across client environments. However, it also poses significant risks if not properly configured. Attackers often target exposed RDP clients, attempting brute force attacks on usernames and passwords. If successful, they can gain a foothold in the victim’s network.

Notable items detected by threat hunters:

  • …\Downloads\StRaXxXD.zip  62a861056f35fd8cb754672080b0eeb8faae806d
  • …\Telegram Desktop\NLBrute (RDP brute forcing tool)
  • …\Telegram Desktop\IN_ip_ranges.txt, ip.txt (possible enumeration)
  • …\Telegram Desktop\سنگین بدبویTXT.txt
  • …\Telegram Desktop\@Delta_Package pentest network xxx.part3.rar
  • …\Telegram Desktop\2.rar
  • …\Telegram Desktop\ip.txt
  • …\Telegram Desktop\india test.txt
  • …\Telegram Desktop\dork for mahdi.txt
  • …\Telegram Desktop\@Delta_Package pentest network xxx.part6.rar
  • …\Telegram Desktop\Linux 1,2.rar
  • …\Telegram Desktop\Work With Dorks [DORKs Generator] By JohnDoe v.2.1.rar

Targeting Domains with Google Dorks

  • …\Telegram Desktop\ep1.rar
  • …\Telegram Desktop\4.rar
  • …\Telegram Desktop\NLBrute (2).rar
  • …\Telegram Desktop\Cracker (1).exe  756280…
  • …\Telegram Desktop\NLA.Ckecker.zip  dddbd…
  • …\Telegram Desktop\SQLi Dumper V10.3.zip  f00d9…
  • …\Telegram Desktop\NLA.Ckecker (2).zip  dddbd…
  • …\Telegram Desktop\ready.apk  b78812…

Summary of Further Analysis

Swift action by the SentinelOne WatchTower team prompted the client to pull the plug on their server after receiving the details of the compromise. After a thorough investigation, the team advocated closing unused RDP ports and installing security tools for threat detection and prevention on every system. The team also recommended implementing multi-factor authentication (MFA) for every system accessible from the Internet as a best practice.

Conclusion

Threat hunting continues to face significant challenges, particularly in navigating the realm of low and medium fidelity results. This dilemma often translates into a cumbersome and time-consuming review process, reserved for seasoned analysts, making threat hunting both costly and impractical for many organizations. Chained detections represent a proactive and sophisticated methodology that revolutionizes threat hunting by streamlining the investigative process, avoiding unnecessary tangents, and focusing resources where they matter most. By incorporating automated triage, external tasks, and establishing decision points, organizations can swiftly uncover and respond to complex threats with precision and agility.

The chained detections approach supports a symbiotic relationship between automation and human intervention, harnessing the power of technology to handle repetitive tasks while empowering security analysts to tackle intricate investigations and strategic decision-making. The integration of a feedback loop ensures continuous improvement, refining detection and response processes based on real-world insights gathered during threat hunts and cyber investigations.

For organizations seeking to fortify their cybersecurity posture and elevate their threat hunting capabilities, embracing the chained detections methodology is not merely an option but a necessity in today’s threat landscape. By combining automation, intelligence and human expertise, organizations can effectively combat advanced and evolving threats, minimizing the impact of security incidents and accelerating the path to remediation.

Learn More About SentinelOne’s WatchTower

For enterprises looking for a threat hunting partner to help them implement a robust methodology and stand up to emergent threats, SentinelOne’s WatchTower provides threat hunting experts equipped with the latest threat intelligence powered by artificial intelligence (AI) and machine learning (ML) algorithms.

Today, customers can use WatchTower to achieve real-time and retroactive detections of anomalous activity across their enterprise to proactively address evolving threats and strengthen their security posture. Learn more about what WatchTower can do for your enterprise by requesting a demo.

‘Operation Endgame’ Hits Malware Delivery Platforms

Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. Dubbed “the largest ever operation against botnets,” the international effort is being billed as the opening salvo in an ongoing campaign targeting advanced malware “droppers” or “loaders” like IcedID, Smokeloader and Trickbot.

A frame from one of three animated videos released today in connection with Operation Endgame.

Operation Endgame targets the cybercrime ecosystem supporting droppers/loaders, slang terms used to describe tiny, custom-made programs designed to surreptitiously install malware onto a target system. Droppers are typically used in the initial stages of a breach, and they allow cybercriminals to bypass security measures and deploy additional harmful programs, including viruses, ransomware, or spyware.

Droppers like IcedID are most often deployed through email attachments, hacked websites, or bundled with legitimate software. For example, cybercriminals have long used paid ads on Google to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader and Discord. In those cases, the dropper is the hidden component bundled with the legitimate software that quietly loads malware onto the user’s system.

Droppers remain such a critical, human-intensive component of nearly all major cybercrime enterprises that the most popular have turned into full-fledged cybercrime services of their own. By targeting the individuals who develop and maintain dropper services and their supporting infrastructure, authorities are hoping to disrupt multiple cybercriminal operations simultaneously.

According to a statement from the European police agency Europol, between May 27 and May 29, 2024 authorities arrested four suspects (one in Armenia and three in Ukraine), and disrupted or took down more than 100 Internet servers in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, United States and Ukraine. Authorities say they also seized more than 2,000 domain names that supported dropper infrastructure online.

In addition, Europol released information on eight fugitives suspected of involvement in dropper services and who are wanted by Germany; their names and photos were added to Europol’s “Most Wanted” list on 30 May 2024.

A “wanted” poster including the names and photos of eight suspects wanted by Germany and now on Europol’s “Most Wanted” list.

“It has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware,” Europol wrote. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.”

There have been numerous such coordinated malware takedown efforts in the past, and yet often the substantial amount of coordination required between law enforcement agencies and cybersecurity firms involved is not sustained after the initial disruption and/or arrests.

But a new website erected to detail today’s action — operation-endgame.com — makes the case that this time is different, and that more takedowns and arrests are coming. “Operation Endgame does not end today,” the site promises. “New actions will be announced on this website.”

A message on operation-endgame.com promises more law enforcement and disruption actions.

Perhaps in recognition that many of today’s top cybercriminals reside in countries that are effectively beyond the reach of international law enforcement, actions like Operation Endgame seem increasingly focused on mind games — i.e., trolling the hackers.

Writing in this month’s issue of Wired, Matt Burgess makes the case that Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem.

“These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched,” Burgess wrote.

When authorities in the U.S. and U.K. announced in February 2024 that they’d infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim shaming website to link instead to press releases about the takedown, and included a countdown timer that was eventually replaced with the personal details of LockBit’s alleged leader.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

The Operation Endgame website also includes a countdown timer, which serves to tease the release of several animated videos that mimic the same sort of flashy, short advertisements that established cybercriminals often produce to promote their services online. At least two of the videos include a substantial amount of text written in Russian.

The coordinated takedown comes on the heels of another law enforcement action this week against what the director of the FBI called “likely the world’s largest botnet ever.” On Wednesday, the U.S. Department of Justice (DOJ) announced the arrest of YunHe Wang, the alleged operator of the ten-year-old online anonymity service 911 S5. The government also seized 911 S5’s domains and online infrastructure, which allegedly turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

Partnering for Success | A Q&A with Brian Lanigan, SVP of Partner Ecosystem, SentinelOne

As a partner-driven organization, SentinelOne recognizes the critical role that partners play in securing our digital world. Partners are instrumental in helping customers understand how to break through the noise and recommending the best solutions to help solve their toughest security challenges, and businesses are increasingly turning to managed security to elevate protection, address cybersecurity talent shortages and better align cost structures. SentinelOne has a robust and powerful partner ecosystem that is a key differentiator for us, spanning MSSPs, incident response providers, and other strategic partners. We have a massive opportunity to expand our business and execute our mission to secure tomorrow.

Two months ago, we brought in Brian Lanigan, a seasoned leader with proven experience building and managing global sales teams that consistently over-achieve, to help us capitalize on this opportunity. He’s wasted no time putting the pieces in place to create a better experience and stronger engagement with partners across our ecosystem that drives our mutual success. We sat down with Brian to talk about his plans.

Welcome Brian Lanigan, SVP of Partner Ecosystem, SentinelOne

Brian joined us from Lacework, where he was the Worldwide Channels and Alliances leader, evolving the predominantly direct model to an 85 percent partner-aligned business. He helped establish Lacework as a top 20 AWS partner and the Cloud Security offering for six of the top eight MDR providers.

Prior to Lacework, Brian served as the head of global strategic alliances at Splunk, where he helped build the partner ecosystem as the business scaled from $200 million to $2.6 billion and led the teams that built:

  • The MSP RTM, leading to a $150 million ARR business
  • The GSI partner ecosystem, establishing the Accenture-Splunk business group
  • The AWS partnership, accelerating Splunk to a top five AWS Partner
  • The OEM business, establishing Splunk as the core data collection engine to many leading independent software vendors

What drew you to SentinelOne?

SentinelOne has a clear vision that meets the moment: Secure every surface, every minute of every day. It has the best technology in the industry to make it a reality. That was the first draw. The second was the sheer opportunity for both the company and its partners. The market for AI security services is massive and ripe for disruption. Together with our partners, we can move from securing endpoints and delivering MDR, into full business protection, across all security products leveraging our multi-tenanted data lake and Purple AI technology to manage across silos.

How will you do this?

Superior technology is the foundation of how we help our partners and customers build more resilient enterprises, and we will continue to invest in innovation that enables them to scale and remain ahead of adversaries now and into the future.

We just announced new capabilities within our Singularity Platform designed to democratize advanced cybersecurity operations through AI and automation. At the heart of these capabilities is Purple AI. Beyond a chatbot or virtual assistant, Purple AI is an advanced AI security solution that not only creates complex data queries from natural language, but anticipates what security analysts need to do and recommends next steps. It is the only Sec AI offering that is multi-tenanted and can be used horizontally across multiple sites, and we will leverage it to help our partners accelerate and scale their current services with hyper efficiency.

Cloud security is an important and growing part of our business and that of our partners, and we’re doubling down on investment to expand our capabilities in this area as well, as evidenced by our recent launch of Singularity Cloud Native Security, which, when combined with our AI-powered Cloud Workload Security and Cloud Data Security threat protection products, delivers visibility and mitigation capabilities in a single cloud security platform.

SentinelOne has evolved from an endpoint company to a platform. How is our go-to-market strategy evolving to accommodate this shift?

Point solutions are falling out of favor. Customers are seeking to consolidate not only their security vendors, but also their security consoles and data in order to gain a unified view of the enterprise security landscape.

Enterprises need a specialized security approach centered on all enterprise data to prevent attacks. This is where SentinelOne stands out. Disjointed platforms do not result in better protection. Bigger brands do not mean better security. SentinelOne is a true, unified AI security platform that seamlessly aggregates and connects data from all security products in a single streamlined technology and interface, and we make it easy for our partners to build on top of it to expand their offerings and unlock new opportunities in huge total addressable markets.

How are you aligning your organization to capitalize on these opportunities?

Our partner ecosystem is second-to-none and we are constantly adapting our organization to ensure we are creating a world-class experience for our partners that fuels their success, because at the end of the day, their success is our success. We’re focused on embracing the totality of the SentinelOne ecosystem in a harmonized manner – from value added resellers, distributors, systems integrators and cloud service providers to IR and technical alliance partners, MSSPs and MDRs.

We are investing in the partners that invest with us, focusing on those that have the joint vision to deliver outcomes for our customers. Further, we’re creating a sales culture that recognizes that many different partner types can be influential in a given account, rather than just simply the transacting partner(s). We’re helping our partners build and maintain successful and profitable lines of business centered around SentinelOne and we’re appointing proven leaders with experience in growth at scale to guide our team to its full potential.

Is Your Computer Part of ‘The Largest Botnet Ever?’

The U.S. Department of Justice (DOJ) today said they arrested the alleged operator of 911 S5, a ten-year-old online anonymity service that was powered by what the director of the FBI called “likely the world’s largest botnet ever.” The arrest coincided with the seizure of the 911 S5 website and supporting infrastructure, which the government says turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

The Cloud Router homepage, which was seized by the FBI this past weekend. Cloud Router was previously called 911 S5.

On May 24, authorities in Singapore arrested the alleged creator and operator of 911 S5, a 35-year-old Chinese national named YunHe Wang. In a statement on his arrest today, the DOJ said 911 S5 enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs.

For example, the government estimates that 560,000 fraudulent unemployment insurance claims originated from compromised Internet addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion.

“Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5,” the DOJ wrote. “Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5.”

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States.

911 S5 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

The prices page for 911 S5, circa July 2022. $28 would let users cycle through 150 proxies on this popular service.

KrebsOnSecurity first identified Mr. Wang as the proprietor of the popular service in a deep dive on 911 S5 published in July 2022. That story showed that 911 S5 had a history of paying people to install its software by secretly bundling it with other software — including fake security updates for common programs like Flash Player, and “cracked” or pirated commercial software distributed on file-sharing networks.

Ten days later, 911 S5 closed up shop, claiming it had been hacked. But experts soon tracked the reemergence of the proxy network by another name: Cloud Router.

The announcement of Wang’s arrest came less than 24 hours after the U.S. Department of the Treasury sanctioned Wang and two associates, as well as several companies the men allegedly used to launder the nearly $100 million in proceeds from 911 S5 and Cloud Router customers.

Cloud Router’s homepage now features a notice saying the domain has been seized by the U.S. government. In addition, the DOJ says it worked with authorities in Singapore, Thailand and Germany to search residences tied to the defendant, and seized approximately $30 million in assets.

The Cloud Router homepage now features a seizure notice from the FBI in multiple languages.

Those assets included a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, and 21 residential or investment properties.

The government says Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, he faces a maximum penalty of 65 years in prison.

Brett Leatherman, deputy assistant director of the FBI’s Cyber Division, said the DOJ is working with the Singaporean government on extraditing Wang to face charges in the United States.

Leatherman encouraged Internet users to visit a new FBI webpage that can help people determine whether their computers may be part of the 911 S5 botnet, which the government says spanned more than 19 million individual computers in at least 190 countries.

Leatherman said 911 S5 and Cloud Router used several “free VPN” brands to lure consumers into installing the proxy service, including MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN, and ShineVPN.

“American citizens who didn’t know that their IP space was being utilized to attack US businesses or defraud the U.S. government, they were unaware,” Leatherman said. “But these kind of operations breed that awareness.”

Treasury Sanctions Creators of 911 S5 Proxy Botnet

The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one’s Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later.

The 911 S5 botnet-powered proxy service, circa July 2022.

In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software.

A cached copy of flashupdate dot net, a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.

That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today’s Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5.

“A review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPNs) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services,” reads the Treasury announcement.

The sanctions say Jingping Liu was Yunhe Wang’s co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency. The government alleges the virtual currencies paid by 911 S5 users were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Liu.

“Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang,” the document continues. “These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats.”

The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm — Spicy Code Company Limited — and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

Ten days after the July 2022 story here on 911 S5, the proxy network abruptly closed up shop, citing a data breach that destroyed key components of its business operations.

In the months that followed, however, 911 S5 would resurrect itself under a different name: Cloud Router. That’s according to spur.us, a U.S.-based startup that tracks proxy and VPN services. In February 2024, Spur published research showing the Cloud Router operators reused many of the same components from 911 S5, making it relatively simple to draw a connection between the two.

The Cloud Router homepage, which according to Spur has been unreachable since this past weekend.

Spur found that Cloud Router was being powered by a new VPN service called PaladinVPN, which made it much more explicit to users that their Internet connections were going to be used to relay traffic for others. At the time, Spur found Cloud Router had more than 140,000 Internet addresses for rent.

Spur co-founder Riley Kilmer said Cloud Router appears to have suspended or ceased operations sometime this past weekend. Kilmer said the number of proxies advertised by the service had been trending downwards quite recently before the website suddenly went offline.

Cloud Router’s homepage is currently populated by a message from Cloudflare saying the site’s domain name servers are pointing to a “prohibited IP.”

PinnacleOne ExecBrief | The Digital Great Game in the Middle East – AI, Nuclear Energy, and Geopolitical Competition

Last week, PinnacleOne examined the convergence of AI and foreign malign influence efforts on the 2024 year of global elections.

This week, we dive into the new great game emerging in the Middle East over AI, nuclear, and other critical tech.

Insight Focus | The Digital Great Game in the Middle East – AI, Nuclear Energy, and Geopolitical Competition

The United Arab Emirates (UAE) and Saudi Arabia (KSA) are making bold moves in artificial intelligence (AI) and nuclear energy, using their deep pockets to diversify their economies and increase their geopolitical influence. As Sheikh Tahnoon bin Zayed Al Nahyan and Crown Prince Mohammed bin Salman write eye-popping checks and cut strategic tech deals, the West is taking notice and weighing the risks.

The Gulf States’ Trillion-Dollar Tech Play

The UAE and KSA are going all-in on AI and nuclear power (among other strategic industries like smart cities, synthetic biology, and space). Abu Dhabi’s sovereign wealth funds and state-owned enterprises, armed with over $2 trillion in assets, are hunting for cutting-edge tech, increasingly securing pole position in the funding rounds for emerging unicorns and snapping up large portions of the capital stack in leading western tech start-ups. The Abu Dhabi Investment Authority ($993B), Mubadala ($139B), and G42 ($10B) are leading the pack.

The Emirates recently launched a $100 billion AI-focused investment vehicle called MGX, with Mubadala and G42 as foundational partners. The focus of the fund is AI infrastructure, semiconductors, and AI core tech and applications, and will invest in data centers, fiber connections, chip design and manufacturing, frontier models, applications, data, biotech, and robotics.

As Bloomberg recently wrote, Sheikh Tahnoon bin Zayed Al Nahyan’s “conglomerate International Holding Co., or IHC, has investments in everything from Rihanna’s lingerie line to Elon Musk’s SpaceX… is up more than 400-fold since 2019…IHC also makes money from trading on the very exchange where it’s listed. It owns the Abu Dhabi stock exchange’s most active broker. Meanwhile, the emirate’s ADQ fund, which Sheikh Tahnoon chairs, oversees the exchange itself…It’s as if one man directed the New York Stock Exchange as well as two-thirds of the companies in the S&P 500 stock index.”

 

Source: Bloomberg

The Barakah nuclear plant, with its four reactors churning out 5,600MW, is set to power 25% of Abu Dhabi. But the UAE isn’t stopping there – it’s eyeing a spot on the global nuclear stage as an investor and developer, eager to partner with both west and east (including Russia) to pursue its strategic ambitions.

Meanwhile, Saudi Arabia’s $620B Public Investment Fund is eyeing a massive $40B AI fund with Silicon Valley heavyweight Andreessen Horowitz. Nuclear energy is also on the table, as the kingdom looks to diversify and counter Iran, as part of the fraught US-brokered diplomatic grand-bargain with Israel (in a tenuous position now given the Gaza conflict).

High-Stakes Partnerships

The Gulf states are forging high-stakes partnerships with Western tech titans and governments. For example, Microsoft’s $1.5B investment in UAE’s G42 comes with strings attached – G42 must use Microsoft’s cloud and play by security rules. However, many of these security arrangements “remain to be worked out, including how to protect AI model weights, which… currently cannot be encrypted while in use… and [the] technical approaches for doing so remain at least a year away.”

Microsoft has “considered several alternative options to protect its technology, including a ‘vault within a vault’ that would involve physically separating parts of data centers where AI chips and model weights are housed and restricting physical access.” It remains to be seen how this arrangement will evolve as lawmakers and Microsoft’s customers continue to ask questions about the security controls.

France is also opening its doors to Emirati nuclear and AI investments, with Finance Minister Bruno le Maire rolling out the red carpet for senior level meetings, “adding that Paris wanted to work closely with Abu Dhabi on semiconductors and computer chip capabilities.”

It should be noted that Mubadala is the majority shareholder in chipmaker GlobalFoundries, which is building a semiconductor facility in France with STMicroelectronics. France is now looking to jointly invest with the UAE in “cloud computing and data processing and that the strategic partnership would see more scientists and researchers at the Abu Dhabi campus of the Paris Sorbonne.”

For the West, it’s a tempting proposition, getting access to the Gulf’s deep pockets and booming digital markets along with a chance to outmaneuver China. But, the risks are real. Sensitive tech and know-how could slip through the cracks, and the western tech and innovation ecosystem may find itself strategically dependent on investment flows from an authoritarian partner known to be geopolitically promiscuous.

Balancing Act with Beijing

As the U.S. and China jockey for tech supremacy, the Gulf states are walking a tightrope. They’re courting American giants like Microsoft, but also keeping lines open to Beijing. Case in point: Saudi Arabia’s finance minister, Mohammed Al-Jadaan, just wrapped up high-level talks in China, focused on economic collaboration. The meeting, which brought together heavy hitters from the Saudi Central Bank, Capital Market Authority, and National Development Fund, underscores the kingdom’s delicate balancing act.

The West is watching warily. The Microsoft-G42 deal is an explicit attempt to try to box out China, but will it work? The tangled web of interests and alliances in the region makes it an ambiguous and ever shifting affair. As the Gulf states push more “chips” on the geopolitical table, they’re likely to keep playing both sides, seeking to maximize their own interests and extract concessions from western firms looking to do politically favored deals.

The G42-Microsoft Kenya Deal | A Case Study in Digital Sovereignty

The recent $1B investment by G42 and Microsoft in Kenya’s digital infrastructure is a prime example of the tech competition unfolding in the Global South. The deal, which includes a green data center, AI research, skills training, and connectivity investments, is being touted as a milestone in Kenya’s digital transformation.

Beneath the surface though, thorny questions of digital sovereignty and network competition loom large. The involvement of unnamed “UAE ecosystem partners” in Kenya’s fiber cable infrastructure raises eyebrows. Will these be U.S.-aligned firms, cementing Kenya’s place in the Western tech sphere? Or, will Chinese players sneak in, tilting the balance of surveillance and digital economic power?

The answers could have far-reaching implications. As countries like Kenya become battlegrounds in the global AI and digital infrastructure race, their choices about tech partners and standards will shape the geoeconomic and technological map. The G42-Microsoft deal is a test case, a preview of the complex trade-offs and power plays that will define the digital future.

Navigating the AI-Nuclear Nexus

For the West, the Gulf states’ AI and nuclear ambitions are a strategic contest. The prize: a slice of the region’s riches and a tech edge over China. The price: sharing sensitive tech with opaque, autocratic regimes.

To play this game and win, the West needs to strike a delicate balance. Robust safeguards and constant vigilance are a must to keep cutting-edge capabilities in AI, semiconductors, and nuclear tech from falling into the wrong hands. Data access, tech leakage, and research collaboration all need tight controls.

Equally important is a coherent, values-driven strategy. Engaging with the Gulf states can’t just be about chasing short-term profits or geopolitical points. It needs to align with the West’s long-term interests and principles. That means tough conversations about human rights, transparency, and responsible tech stewardship.

Conclusion

The Gulf states are making a trillion-dollar gambit on an AI and nuclear-powered future. For the West, it’s an opportunity and a risk. Navigating this landscape will require a deft touch, balancing short-term gains with long-term strategic imperatives.

As Saudi and Emirati money pours into AI labs, venture ecosystems, and nuclear reactors, and cutting-edge chips and algorithms flow back in return, the stakes couldn’t be higher. The choices made now – in boardrooms from Silicon Valley to Riyadh, in the government corridors from Washington to Abu Dhabi – will shape the global balance of power.

The challenge for the West is to engage with eyes wide open, to seize the moment while safeguarding its crown jewels. It must be a partner to the Gulf states, but also a principled leader, setting the rules of the road for an AI-enabled, nuclear-powered world. Only then can it hope to emerge as a true victor in the age of algorithms and atoms. The new Digital Great Game is on.

The Good, the Bad and the Ugly in Cybersecurity – Week 21

The Good | Leaders of Crypto Investment Scam Arrested & Charged for $73 Million Laundering Scheme

This week, the tables were turned on two alleged cyber ‘pig butcherers’ who could now face time in the iron pen. The DoJ indicted Daren Li (41) and Yicheng Zhang (38) for their alleged roles leading a global syndicate that has laundered over $73 million through cryptocurrency investment scams. Both Li and Zhang are charged with conspiracy to commit money laundering and six counts of international laundering. If convicted, they face 20 years in prison on each count.

Source: Department of Justice

Pig butchering scams involve criminals building up trust with targeted victims via social media, messaging, or dating platforms to convince them to invest in fraudulent schemes. Once a victim takes the bait, the criminals steal their cryptocurrency, draining the compromised wallets.

According to court documents, Li and Zhang transferred millions of their victims’ cryptocurrency to U.S. bank accounts connected to shell companies. The funds were then moved through various domestic and international accounts and crypto platforms in order to obscure their origins. Communications uncovered during the investigation revealed details on the operations, including commissions, victim information, and interactions with U.S. financial institutions.

In 2023 alone, the U.S. Secret Service recovered more than $1.1 billion from scam operations, and the IC3 reported that losses to investment scams rose from $3.31 billion in 2022 to $4.57 billion last year. As schemes revolving around financial fraud become increasingly common and complex, cyber defenders reiterate the importance of learning how to spot predatory behavior online, staying vigilant with securing digital assets and identities, verifying the legitimacy of brokerages before investing, and reporting suspicions of fraud immediately.

The Bad | Threat Actors Exploit Legitimate Cloud Services to Deliver Malware in Emerging Campaign

In a new attack campaign, popular cloud storage services like Google Drive and Dropbox are being exploited to stage malicious payloads. Dubbed “CLOUD#REVERSER”, security researchers this week broke down how the campaign uses VBScript and PowerShell to perform command and control-like (C2) activities within the storage platforms to manage file uploads and downloads.

Attacks begin with a phishing email carrying a ZIP archive that contains an executable disguised as a Microsoft Excel file. The disguise relies on the hidden right-to-left override (RLO) Unicode character (U+202E), which reverses the display order of every character that follows it. Here the real file name RFQ-101432620247fl*U+202E*xslx.exe is shown to the recipient as RFQ-101432620247flexe.xlsx, so the victim opens what looks like a legitimate spreadsheet. The trick is not new, but it is less commonly seen in 2024.
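The renaming trick above is easy to catch mechanically, because the bidi control character is still present in the real file name. The Python below is an added example, not code from the original article or from the CLOUD#REVERSER research: it renders what a name containing U+202E would look like to the user, extracts the extension the OS will actually act on, and flags any attachment where the two disagree. The sample name is the one the article quotes; the function names and the set of bidi controls checked are my choices.

```python
"""Spot file names disguised with Unicode bidirectional overrides.

Added example, not code from the original article or from the CLOUD#REVERSER
research. The sample name in the usage block is the one the article quotes.
"""
import os
import unicodedata

# Bidi control characters that can hide a file's real extension.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in the campaign described.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)


def rendered_name(name: str) -> str:
    """Approximate what a user sees in a mail client or file dialog.

    Everything after a U+202E is drawn right-to-left, i.e. reversed, up to
    the end of the string. Other bidi controls are invisible, so they are
    simply dropped. Nested overrides are not modelled: this is a heuristic
    for triage, not a full bidi layout engine.
    """
    visible = []
    for i, ch in enumerate(name):
        if ch == "\u202e":
            visible.append(name[i + 1:][::-1])
            break
        if ch not in BIDI_CONTROLS:
            visible.append(ch)
    return "".join(visible)


def real_extension(name: str) -> str:
    """The extension the OS will act on, ignoring invisible control characters."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(stripped)[1].lower()


def check_filename(name: str) -> dict:
    """Return what the name displays as, what it really is, and a verdict."""
    controls = [f"U+{ord(ch):04X} ({unicodedata.name(ch, 'unknown')})"
                for ch in name if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    actual_ext = real_extension(name)
    return {
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "real_extension": actual_ext,
        "bidi_controls": controls,
        # Any bidi control in a file name is odd; one that changes the
        # apparent extension is exactly the spoof the article describes.
        "suspicious": bool(controls) and shown_ext != actual_ext,
    }


if __name__ == "__main__":
    # Constructed samples: the attachment name from the article plus a benign one.
    for sample in ("RFQ-101432620247fl\u202exslx.exe", "Q2-forecast.xlsx"):
        print(check_filename(sample))
```

A mail gateway or EDR rule can be stricter than this and reject any attachment name containing a bidi control at all; the check above separates "merely odd" from "actively spoofing the extension" so the two can be handled with different severities.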

Executing this file drops a total of eight payloads, among them a decoy Excel file and an obfuscated VBScript that opens the .xlsx to keep up the deception. From there, a series of additional scripts lets the threat actor establish persistence on the system, connect to the actor-controlled Google Drive and Dropbox accounts, fetch files from those storage services, and maintain a connection to the actor’s command and control (C2) server.

CLOUD#REVERSER Stage 1 (VirusTotal)

These developing attacks highlight the trend of threat actors abusing SaaS platforms to deliver malicious payloads under the guise of legitimate network traffic. By embedding multi-stage downloaders that run code within widely-used cloud platforms, the threat actors can ensure they have persistent access for data exfiltration while keeping a low profile.

The Ugly | Military & Government Orgs Repeatedly Targeted by New PRC-Linked Threat Actor Over 6 Years

Details on a previously undocumented threat group called “Unfading Sea Haze” emerged this week when cybersecurity researchers reported on a series of attacks across countries bordering the South China Sea. So far, eight high-level organizations in critical sectors have been repeatedly targeted over the last six years, with the attackers exploiting poor credential hygiene and unpatched devices and web services in particular.

Unfading Sea Haze is currently not linked to any known APT group, but appears to share similar goals, techniques, geopolitical victimology, and choice of tools known to be associated with Chinese-speaking threat actors. This includes the use of Gh0st RAT malware and running a tool called SharpJHandler, often employed by PRC-based APT41.

So far, Unfading Sea Haze has been observed sending spear phishing emails containing Windows shortcut (LNK) files. When launched, these files execute commands to retrieve the next-stage payload, a backdoor called “SerialPktdoor”, which then runs PowerShell scripts and manages files remotely. Also characteristic of Unfading Sea Haze attacks is the use of the Microsoft Build Engine (MSBuild) to execute files filelessly and minimize the risk of detection, and of scheduled tasks to load a malicious DLL and establish persistence.
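Two of the techniques just described, MSBuild launched to run a project file from a user-writable directory and a scheduled task whose action loads a DLL through rundll32, are cheap to hunt for in process-creation telemetry. The Python below is an added example, not tooling from the researchers or from the original article. The events it scans are constructed in the shape of Sysmon process-creation records (image, parent, command line), and the heuristics (which parents may legitimately launch MSBuild, which directories count as user-writable) are assumptions to tune for your own environment.

```python
"""Hunt for MSBuild-based fileless execution and DLL-loading scheduled tasks.

Added example, not code from the original article or the Unfading Sea Haze
research. EVENTS below is constructed sample telemetry, not real logs.
"""
import os
import re

# Directories a legitimate build rarely runs from but droppers favour. Assumed.
USER_WRITABLE = re.compile(
    r"\\(temp|appdata|programdata|users\\public|downloads)\\", re.I)

# Parents that normally launch MSBuild; anything else deserves a look. Assumed.
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# Constructed process-creation events in the style of Sysmon Event ID 1.
EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.xml"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn "Updater" '
                r'/tr "rundll32.exe C:\ProgramData\svc\core.dll,Start"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks /query /tn Updater"},
]


def _basename(path: str) -> str:
    """Lower-case file name of a Windows path, usable on any host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def suspicious_msbuild(ev: dict) -> bool:
    """MSBuild started by a shell rather than a build tool, or pointed at a
    project file in a user-writable directory: the fileless-execution pattern."""
    if _basename(ev["image"]) != "msbuild.exe":
        return False
    odd_parent = _basename(ev["parent"]) not in BUILD_PARENTS
    odd_project = bool(USER_WRITABLE.search(ev["cmdline"]))
    return odd_parent or odd_project


def suspicious_task(ev: dict) -> bool:
    """schtasks creating a task whose action loads a DLL from a user-writable
    directory via rundll32/regsvr32: the persistence pattern."""
    if _basename(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.I):
        return False
    loads_dll = re.search(r"(rundll32|regsvr32)[^\"]*\.dll", cmd, re.I)
    return bool(loads_dll and USER_WRITABLE.search(cmd))


def hunt(events: list) -> list:
    """Return (rule, command line) pairs for every event a rule matches."""
    hits = []
    for ev in events:
        if suspicious_msbuild(ev):
            hits.append(("msbuild-fileless-exec", ev["cmdline"]))
        if suspicious_task(ev):
            hits.append(("schtask-dll-persistence", ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, cmdline in hunt(EVENTS):
        print(f"[{rule}] {cmdline}")
```

Both rules are deliberately narrow so they stay quiet on developer workstations; broaden USER_WRITABLE or BUILD_PARENTS only after checking what your own fleet's build and deployment tooling actually looks like in the same telemetry.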

Other tools in the group’s arsenal include “Ps2dllLoader”, a keylogger called “xkeylog”, a web browser data stealer, a monitoring tool keyed to the presence of portable devices, and a custom data exfiltration program named “DustyExfilTool”. The widely varied and complex toolkit points to a certain level of sophistication. Researchers note that the combination of both custom and commercial tools is indicative of a cyber espionage campaign, aimed at gathering sensitive information from military and government entities.

Organizations can mitigate the risks threat groups like Unfading Sea Haze pose with the SentinelOne Singularity platform.

Good security hygiene, such as timely patch management, strong authentication methods, and careful credential management, is also highly recommended.

Stark Industries Solutions: An Iron Hammer in the Cloud

The homepage of Stark Industries Solutions.

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”

This graphic comes from a recent report from NETSCOUT about DDoS attacks from Russian hacktivist groups.

As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.

The NoName DDoS group advertising on Telegram. Image: SentinelOne.com.

A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.

PROXY WARS

Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes.

Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer. From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.

Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services, and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.

Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS.

Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.

“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkxhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”

Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.

“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.

CLOUDY WITH A CHANCE OF BULLETS

Richard Hummel is threat intelligence lead at NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.

“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,’” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”

Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.

Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.

“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”

But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.

“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said. “And then they just keep coming back and opening new cloud accounts.”

MERCENARIES TEAM

Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.

Ivan Neculiti, as pictured on LinkedIn.

Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”

“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”

Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.

“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”

DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.

An ad for war.md, circa 2009.

Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.

DON CHICHO & DFYZ

The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008. The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM.

Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.

DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.

Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.

The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five online accounts over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru. Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.

Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.

Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.

Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.

Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.

“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.

Below is a mind map that shows the connections between the accounts mentioned above.

A mind map tracing the history of the user Dfyz.

Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”

“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Team wrote. “While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”

CORRECTIV ACTION

The German independent news outlet Correctiv.org last week published a scathing investigative report on Stark Industries and MIRhosting, which notes that Ivan Neculiti operates his hosting companies with the help of his brother, Yuri.

Image credit: correctiv.org.

The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.

“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.

“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”

Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.

PEACE HOSTING?

Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year-old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.

DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.

This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.

Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhosting’s colocation customers.

“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”

“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures. However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”

In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.

Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.

Mr. Nesterenko took exception to Recorded Future’s report.

“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”

Recorded Future said they updated their story with comments from Mr. Nesterenko, but that they stand by their reporting.

Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.

In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.

Serverius-as did not respond to requests for comment. Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.

“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.

A February 2024 report from security firm ESET found Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.

PEERING INTO THE VOID

A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins. Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).

Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.

A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.

Proxyline dot net.

Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.

Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.

EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.

Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, Del.-based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.

Image: Interisle Consulting.

A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.

The anti-spam organization SpamHaus reports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.

It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).

For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”

A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.

Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd.

According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute, ctinet[.]ru, is the seventh-oldest domain in the entire history of the Runet.

Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.

“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive a relatively low number of complaints about their networks. I have never seen anything about their pro-Russian activity or support of Russian hackers. It is very interesting for me to see proofs of your accusations.”

Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory.

The second is a related hosting company in Miami, called Green Floid LLC. Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.

“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”

PinnacleOne ExecBrief | AI and Foreign Election Interference

Last week, PinnacleOne considered what the Office of National Cyber Director’s Annual Report means to modern enterprises.

This week, we highlight the convergence of AI and foreign malign influence efforts on the 2024 year of global elections.

Insight Focus | AI and Foreign Election Interference

The 2024 U.S. elections (and many other global elections) face a threat landscape defined by foreign influence actors using time-tested tactics augmented by emerging AI tools to undermine the democratic process. On May 15, 2024, officials from the Intelligence Community, FBI, and CISA testified before the Senate Select Committee on Intelligence to draw public attention to the evolving threat.

Their top-line message: Foreign adversaries – primarily Russia, China, and Iran, and their commercial enablers – are increasingly attempting to undermine democratic systems through both cyber interference targeting election infrastructure and covert influence efforts aimed at civil societies.

At the same time, these government leaders and outside experts (including our very own Chris Krebs) are confident that the 2024 election will be technically secure. Krebs noted on Face The Nation yesterday that while the 2020 election was deemed safe and secure, the current election systems are even more robust due to continued investments and improvements. However, his concerns remain focused on the growing influence capabilities of foreign actors:

“On influence, the scope, the scale, the technology available to our adversaries, including AI and deep fakes, [makes it] a much more precarious threat environment. The Chinese are active. The Russians are very active. They’ve been using deep fakes in Europe. We’ve seen AI [generated content] pop up in [elections in] Moldova, Slovakia, in Bangladesh. So it is going to be a tool.

My sense, however, is that threats that are AI powered or AI enabled will be much like what happened in New Hampshire with the robocall. It will be immediately detected, it will be investigated quickly, and it will be prosecuted. And that’s what’s happening right now.

I think the biggest concern though, is that this is cumulative. It’s accretive. So, rather than one single catastrophic AI-enabled event, it’s gonna be a steady drum beat where we, where the voters, the public are just going to lose confidence and trust in the overarching information ecosystem.”

Intensifying Influence Operations

This concern is merited as recent intelligence and observed operations show that threat actors have expanded well beyond traditional propaganda, adopting sophisticated tactics to sow discord and interfere with U.S. elections, including:

For example, recent PRC campaigns used AI to target voters in Taiwan and the U.S. with false information laundered through fake social media accounts, intending to identify and exploit divisive domestic political issues and shape election results. Last month, Belgian and Czech leaders called for urgent action to push back on Russian interference in advance of the European elections in June.

The Czech government imposed sanctions on individuals accused of attempting to bribe members of the European Parliament to promote Russian narratives. In January, the European Parliament opened an investigation of a Latvian representative, reported to be serving as a Russian agent since at least 2004.

Increased Incentives and Capabilities

Foreign adversaries view election interference as a cost-effective and plausibly deniable means to achieve their strategic goals and now have powerful new tools at their disposal. The combination of synthetic media tools and powerful LLMs (many open-source) can be used to democratize and proliferate the sort of cross-language disinformation and media manipulation activities that took the Internet Research Agency an entire building full of fluent English speakers and media designers to execute. The barrier to running a “troll farm” is falling precipitously.

Further, many adversaries have collected (and are still collecting) bulk data on western publics. Feeding this trove of information into sophisticated analytics engines may enable more precise targeting of selected populations and even individuals for bespoke influence, at a larger scale. While not yet directly observed, these sorts of future malign influence operations will be harder to discover, attribute, and counter.

As a result, the threat landscape continues to intensify, with a growing number of foreign actors, including non-state entities, engaging in election interference. In addition, more commercial firms (wittingly and unwittingly) are used by foreign actors to support influence operations, increasing their sophistication and making tracking more difficult.

U.S. Efforts to Counter Election Threats

The U.S. government has taken significant steps to bolster its defenses, including:

Recommendations for Cybersecurity Professionals and Election Officials

To effectively counter evolving threats, cybersecurity professionals and election officials must:

  • Stay informed about the latest adversary tactics, techniques, and procedures;
  • Join in close collaboration with intelligence, law enforcement, and private sector partners;
  • Actively participate in information sharing initiatives, such as the EI-ISAC;
  • Leverage CISA’s cybersecurity services and resources;
  • Invest in training and awareness programs for staff;
  • Continuously update and fortify cybersecurity defenses;
  • Leverage tools to detect and attribute synthetic media and AI-enabled influence efforts;
  • Work with government partners to establish attribution and response frameworks.

A Fraught Year for Elections

The 2024 elections will test the United States’ ability to safeguard its democratic institutions against foreign cyber threats and influence operations. By staying informed, collaborating with partners, leveraging resources, and strengthening defenses, cybersecurity professionals and election officials can play a vital role in ensuring the integrity of the electoral process. Prioritizing the development of robust attribution and response frameworks will be essential to effectively counter these threats and maintain public confidence in the democratic system.