Ikaruz Red Team | Hacktivist Group Leverages Ransomware for Attention Not Profit

Politically-motivated hacktivist groups are increasingly utilizing ransomware payloads both to disrupt targets and draw attention to their political causes. Notable among these hacktivist groups is Ikaruz Red Team, a threat actor that is currently leveraging leaked ransomware builders.

In attacks occurring over recent months, we have observed Ikaruz Red Team and aligned groups such as Turk Hack Team and Anka Underground (aka Anka Red Team) conduct attacks against Philippine targets and hijack branding and imagery belonging to the government’s Computer Emergency Response Program (CERT-PH).

In this post, we profile this hacktivist group and its recent actions, highlighting the threat actor’s methodology, social media activity and relevance within the wider geopolitical context.

Geopolitical Context & Affiliations

Ikaruz Red Team (IRT), under various identities, has targeted entities in the Philippines through defacements, small-scale DDoS attacks and now ransomware attacks. This behavior, between 2023 and present day (2024), is part of the larger wave of hacktivist groups targeting the region, as documented by Resecurity in April 2024. Resecurity ties these more recent observations to the greater geopolitical landscape, in the context of rising tensions with China, noting that the Philippines’ strategic significance in the Indo-Pacific makes it an attractive target for actors bent on civil disruption.

Over the last year or so, the Philippines has experienced an increase in scattered hacktivist attack campaigns. Previously identified hacktivist groups such as Robin Cyber Hood, Philippine Exodus (aka PHEDS), Cyber Operations Alliance, and Philippine Hacking University have been claiming credit for a variety of ransomware attacks, misinformation campaigns and espionage. On April 8th, the Philippines’ National Privacy Commission (NPC) launched an investigation into a breach of critical government infrastructure through an attack on the Department of Science & Technology by a previously unknown hacktivist identifying itself as #opEDSA.

More widely, as we detail below, IRT shares close associations with Anka Red Team and Turk Hack Team, a pro-Hamas hacktivist collective that has gained increased notoriety since the onset of the Israel-Hamas war.

Ikaruz Red Team Ransomware Activity

Within this context, Ikaruz Red Team, previously known primarily for web defacements and nuisance attacks, appears to be engaged in launching small-scale ransomware attacks with leaked LockBit builders. The group has been actively distributing modified LockBit 3 ransomware payloads and advertising data leaks from a variety of organizations in the Philippines.

Ikaruz Red Team FaceBook posting (.ph victims and ransomware used)

Ikaruz Red Team ransom notes use the original LockBit template almost entirely intact with the exception of the top line, where the LockBit ransomware name is replaced by ‘Ikaruz Red Team’. Modifying the config.json file prior to building the LockBit payloads allows for this simple modification within the ransom notes.

A standard LockBit ransomware note modified by Ikaruz Red Team

All contact details in the analyzed ransom notes are left at the default TOX IDs, Jabber IDs, and email addresses present in the LockBit builder. This indicates a threat actor with little interest in, or perhaps little ability to engage in, the follow-up and victim negotiations typical of serious ransomware operators and affiliates, suggesting instead that the motivation is to sow disruption and garner attention through social media postings.

Between January and September of 2023, Ikaruz Red Team claimed responsibility for attacks on multiple Philippine entities. Besides LockBit, the group’s social media postings indicate the use of JellyFish (aka Medusa), Vice Society, ALPHV, BianLian, 8base, and Cl0p ransomware families.

Some of the reported attacks were publicly announced on IRT’s social media accounts, as well as being listed on the larger ransomware platforms’ respective data leak sites.

Observed payloads are standard LockBit 3.0 LBE.3 executables packaged as self-extracting RAR files with a custom IRT .ico file.

Ikaruz Red Team icon file

This bundled .ico file is meant to replace the stock LockBit icon resource on encrypted files. However, there appears to be an error in referencing the resource, or the author omitted the required RED.png file.

RED.png error upon execution of the ransomware

When executed under typical circumstances, the payload will extract the embedded LockBit payload (lb3.exe) and launch it. The ransomware will then rapidly traverse available local and mounted shared volumes, encrypting applicable files and data.

Encrypted files are given a .Uc2RrigQ extension with the specific Ikaruz Red Team LockBit payload we reviewed. The same .Uc2RrigQ string is appended to the names of the ransom notes (e.g., Uc2RrigQ4.README.txt). Per typical LockBit execution, the desktop wallpaper is also replaced with condensed instructions referencing the dropped ransom note.
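As an added example, not code from the SentinelLabs post, the following Python script turns the artifacts described above into a host-side detection: it flags files carrying the .Uc2RrigQ extension, correlates any LockBit 3 ransom note whose name starts with the same token as the appended extension in that directory, and hashes files against an IoC map. The IOC_SHA1 values are constructed placeholders, and the token heuristic generalises beyond the Ikaruz build to other LockBit 3 extensions.

```python
import hashlib
import os
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extension token of the Ikaruz Red Team LockBit 3 sample described in the post.
IRT_TOKEN = "Uc2RrigQ"
# LockBit 3 names its ransom note after the same token, e.g. Uc2RrigQ4.README.txt.
NOTE_SUFFIX = ".README.txt"
# LockBit 3 tokens are short random strings mixing upper case, lower case and digits,
# which separates them from ordinary long extensions such as .markdown or .gitignore.
TOKEN_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[A-Za-z0-9]{8,10}$")

# Constructed placeholder hashes; replace with SHA1 values from your threat intel feed.
IOC_SHA1 = {
    "a" * 40: "lb3.exe (placeholder)",
    "b" * 40: "RED.ico (placeholder)",
}


@dataclass
class Finding:
    path: str
    severity: str
    reason: str


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def extension_token(name: str) -> Optional[str]:
    """Return the appended LockBit-style token of 'report.docx.Uc2RrigQ', else None."""
    base, dot, ext = name.rpartition(".")
    if dot and base and TOKEN_RE.match(ext):
        return ext
    return None


def note_token(name: str) -> Optional[str]:
    """Return the token prefix of a LockBit 3 ransom note name, else None."""
    if not name.endswith(NOTE_SUFFIX):
        return None
    prefix = name[: -len(NOTE_SUFFIX)]
    return prefix if re.match(r"^[A-Za-z0-9]{8,12}$", prefix) else None


def analyze(entries: Dict[str, bytes], ioc_sha1: Dict[str, str] = IOC_SHA1) -> List[Finding]:
    """Inspect a path -> content mapping (kept in memory so it can be exercised offline)."""
    findings: List[Finding] = []
    tokens_by_dir: Dict[str, Counter] = defaultdict(Counter)
    notes_by_dir: Dict[str, str] = {}

    for path, data in entries.items():
        directory, name = os.path.split(path)
        digest = sha1_hex(data)
        if digest in ioc_sha1:
            findings.append(Finding(path, "high", f"SHA1 matches IoC: {ioc_sha1[digest]}"))
        tok = extension_token(name)
        if tok:
            tokens_by_dir[directory][tok] += 1
            if tok == IRT_TOKEN:
                findings.append(Finding(path, "high", f"known Ikaruz Red Team extension .{IRT_TOKEN}"))
        nt = note_token(name)
        if nt:
            notes_by_dir[directory] = nt

    # Correlation step: LockBit 3 drops a note whose name starts with the same token
    # that it appended to the encrypted files in that directory.
    for directory, counter in tokens_by_dir.items():
        tok, count = counter.most_common(1)[0]
        nt = notes_by_dir.get(directory)
        if nt and nt.startswith(tok):
            findings.append(Finding(directory, "high",
                                    f"{count} file(s) with .{tok} plus ransom note {nt}{NOTE_SUFFIX}"))
        elif count >= 3:
            findings.append(Finding(directory, "medium",
                                    f"{count} files share unrecognised appended extension .{tok}"))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Filesystem wrapper around analyze(); reads every file below root."""
    entries: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    entries[full] = fh.read()
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
    return analyze(entries)


if __name__ == "__main__":
    import sys
    for f in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```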

Co-opting of Hack4Gov Imagery

As part of its attempts to draw attention, IRT has co-opted imagery and branding developed by the Philippines’ Department of Information and Communications Technology (DICT) and CERT-PH as part of a Hack4Gov challenge. HackForGov, started in 2023, is an annual government-sponsored CTF (Capture-the-Flag) competition hosted in Manila and aimed at building the country’s cybersecurity capacity.

DICT Youtube Videos on Hack4Gov 2023 Challenges

Ikaruz Red Team has co-opted much of this imagery and branding into their defacements and social media profiles. For example, an IRT Twitter/X profile under the name ‘Ikaruz Reginor’ heavily incorporates the same imagery, as do the group’s Zone-Xsec defacement entries, which claim affiliation to team “HACK4GOV.PH”.

Zone-Xsec Entries for “Ikaruz”

This threat actor is neither a participant in nor affiliated with the official HACK4GOV challenges in any way. We can only speculate as to the reasons behind co-opting official government images and branding, but perhaps two plausible theories would be as an attempt to mock the government’s efforts at improving cybersecurity resilience or an effort to cloak malicious activities behind official-looking iconography. These are, of course, neither mutually exclusive nor exhaustive possibilities.

Tracking Ikaruz Red Team Across Social Media

The threat actor utilizes various social media platforms and identities to engage with its audience and promote its political causes. The aliases “IkaruzRT” and “Ikaruz Reignor” are the most prevalent. This persona is active on popular forums including (the currently defunct) BreachForums and Zone-Xsec. Various public profiles also exist on GitHub, Facebook, Iris, X/Twitter, and Imgur.

The ‘ikaruzrt’ profile on BreachForums has actively posted regarding availability of data leaks from victims in the Philippines between August of 2023 and January of 2024.

ikaruzrt BreachForums profile

These postings on BreachForums include a September 2023 post advertising the breach of Yakult Philippines Incorporated. This appears to be a repost of data listed on Cl0p’s data leak site in July 2023.

A related Ikaruz Red Team GitHub repository was created in mid-2023 and has historically contained code for webshells and defacement tools featuring 403/404 error code bypass features. Note that the co-opted Hack4Gov imagery extends to this platform also.

Ikaruz Red Team GitHub repositories

Hack4Gov reference in IRT PHP code

Across the group’s social media footprint, IRT claims affiliation or alignment with other hacktivist groups, in particular Anka Red Team, Anka Underground Team and Turk Hack Team.

Telegram banner (2021) upon channel creation (Anka UnderGround Team)

Turk Hack Team, established in 2004, is a prolific, Turkish-aligned, hacktivist group known primarily for website defacements and DDoS attacks, including the mass-defacement of nearly 3000 Dutch websites in the “Netherlands Operation” and the notable DDoS attack against Crédit Agricole. Under the banner of “Anka Red Team”, this hacktivist collective has drawn more attention since the onset of the Israel-Hamas war through its support of Palestinian group Hamas.

Conclusion

Politically-motivated attacks targeting the Philippines have been on the rise, especially in the last year. Individual actors like Ikaruz Red Team aligning themselves with previously known groups such as Turk Hack Team and PHEDS are becoming increasingly destructive in their actions.

This destruction, ranging from government data breaches to small-scale ransomware attacks, is being facilitated by the open availability of leaked ransomware builders such as LockBit and ready-to-go scripts for DDoS attacks and web defacements.

For hacktivists, ransomware serves an entirely different purpose from that of financial gain, aiding instead their desire to cause disruption and make political statements against those they consider enemies or those who are deemed to be supporters of these perceived enemies.

Within the hacktivist landscape, Ikaruz Red Team fits into a larger movement of threat actors committing unsophisticated yet damaging attacks targeting the Philippines region. There is indication that a broader cluster of these behaviors may be part of rising regional tensions with China and a desire to destabilize Philippine critical infrastructure.

Indicators of Compromise


Why Your Wi-Fi Router Doubles as an Apple AirTag


Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location from the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API returns the geolocations of up to 400 more BSSIDs near the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.

UMD Associate Professor David Levin and Ph.D. student Erik Rye found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the Institute of Electrical and Electronics Engineers (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

A heatmap of Starlink routers in Ukraine. Image: UMD.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.

“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.

Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.

UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:

“In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

Apple did not respond to requests for comment. But in late March 2024, Apple quietly tweaked its privacy policy, allowing people to opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID).

Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending “_nomap” to the network’s name.

Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”
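The following Python check, added here and not part of the KrebsOnSecurity article, lets an administrator assess an inventory of their own access points against the mitigations discussed above: a locally administered (randomized) BSSID, an SSID ending in _nomap, or neither, in which case the globally unique BSSID is indexable by a WPS and trackable if the device ever moves. The OUI_VENDORS table is a constructed stand-in for the IEEE registry, and treating the U/L bit of the first octet as the sign of a randomized BSSID is an assumption about how randomizing stacks behave.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed OUI -> vendor table used only for illustration. The authoritative source
# is the IEEE registry the article refers to; load that here in real use.
OUI_VENDORS = {
    "00:11:22": "ExampleVendor (placeholder)",
    "A8:BB:CC": "ExampleRouterCo (placeholder)",
}

# Apple's opt-out, as described in the article: an SSID ending in this suffix.
NOMAP_SUFFIX = "_nomap"

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_bssid(bssid: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return colon form."""
    digits = re.sub(r"[:\-.\s]", "", bssid).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC/BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def first_octet(bssid: str) -> int:
    return int(normalize_bssid(bssid)[:2], 16)


def is_locally_administered(bssid: str) -> bool:
    """U/L bit (0x02 of the first octet). Assumption: randomizing stacks set it, so a
    set bit means the BSSID is not a burned-in, vendor-assigned identifier."""
    return bool(first_octet(bssid) & 0x02)


def is_multicast(bssid: str) -> bool:
    """I/G bit (0x01). A real BSSID is always a unicast address."""
    return bool(first_octet(bssid) & 0x01)


def vendor_of(bssid: str) -> Optional[str]:
    return OUI_VENDORS.get(normalize_bssid(bssid)[:8])


@dataclass
class Assessment:
    ssid: str
    bssid: str
    exposure: str          # "invalid", "randomized", "opted_out" or "indexable"
    vendor: Optional[str]
    note: str


def assess(ssid: str, bssid: str) -> Assessment:
    norm = normalize_bssid(bssid)
    if is_multicast(norm):
        return Assessment(ssid, norm, "invalid", None, "multicast bit set; not a BSSID")
    if is_locally_administered(norm):
        # The OUI of a randomized address carries no vendor meaning, so no lookup.
        return Assessment(ssid, norm, "randomized", None,
                          "locally administered address; not a stable identifier")
    vendor = vendor_of(norm)
    if ssid.endswith(NOMAP_SUFFIX):
        return Assessment(ssid, norm, "opted_out", vendor,
                          "globally unique BSSID, but SSID carries the _nomap opt-out")
    return Assessment(ssid, norm, "indexable", vendor,
                      "globally unique BSSID with no opt-out; a moving AP is trackable")


def assess_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Assessment]:
    """inventory: (ssid, bssid) pairs exported from your own APs or controller."""
    return [assess(ssid, bssid) for ssid, bssid in inventory]


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = [
        ("HomeNet", "00:11:22:33:44:55"),
        ("HomeNet_nomap", "00-11-22-33-44-56"),
        ("Phone hotspot", "7a:1f:02:aa:bb:cc"),
        ("Camper AP", "a8bbcc001122"),
    ]
    for a in assess_inventory(sample):
        print(f"{a.exposure:10} {a.bssid} {a.ssid!r}: {a.note}")
```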

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”

A copy of the UMD research is available here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 20

The Good | International Law Enforcement Charge Crypto Criminals & Take Down a New Iteration of BreachForums

In the past week, law enforcement agencies took down cryptocurrency thieves responsible for a multi-million dollar theft from the Ethereum blockchain, and seized a second iteration of the notorious hacking platform, BreachForums.

The DoJ has unsealed an indictment charging Anton Peraire-Bueno (24) and James Peraire-Bueno (28) with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. The brothers allegedly manipulated the blockchain in 12 seconds to pilfer $25 million worth of cryptocurrency in a first-of-its-kind attack.

This was done by tampering with the transaction validation processes on the blockchain, altering pending transactions, and rejecting requests by victims to return the stolen funds. Prior to the attack on the blockchain, the brothers focused on performing reconnaissance on their victims, learning their identities and trading behaviors. If found guilty, each of the brothers faces a maximum sentence of 20 years in prison for each count.

A little over a year has passed since the arrest of Conor Brian Fitzpatrick (“Pompompurin”), owner and administrator of BreachForums. This week, the FBI has seized the hacking forum for a second time. Working with international law enforcement partners, the FBI has shut down a Telegram channel belonging to Fitzpatrick’s successor, “Baphomet”, along with the second iteration of the BreachForums website. Authorities are currently investigating the site’s backend data and have issued a call for new information.

Source: FBI

This iteration of BreachForums, run from June 2023 to May 2024, operated as a clearnet marketplace where cybercriminals could buy, sell, and trade illicit contraband such as hacking tools, compromised databases, stolen access devices, and various illegal services. As forums and dark markets continue to rise and fall multiple times, organizations are reminded to keep their defenses up to safeguard their sensitive data.

The Bad | North Korean APT Kimsuky Abuses Facebook Messenger in Latest Social Engineering Campaigns

Threat actors have found a new way to abuse social media to carry out their cyberattacks. In their latest string of attacks, a DPRK-linked APT known as Kimsuky used fake Facebook accounts to deliver malware via Messenger. Security researchers noted that the campaign leveraged the identity of a real individual in order to specifically target activists within North Korean human rights groups and anti-North Korean sectors.

Unlike traditional spear phishing attacks, this campaign employs Facebook Messenger to lure victims into opening private documents shared by the fake persona. The documents are hosted on OneDrive and pretend to be related to a trilateral summit involving Japan, South Korea, and the U.S. Their use of MSC files, an uncommon file type to carry out the attack, points to Kimsuky’s attempts to avoid detection.

Once opened by the victim, the MSC file triggers a connection to a server controlled by the attackers, displaying a decoy document while executing background commands for persistence and data collection. All of the gathered data is finally exfiltrated to the command and control (C2) server to further harvest IP addresses, User-Agent strings, and HTTP request timestamps, before delivering the payloads.

Source: Genians (Kimsuky’s Facebook-based ReconShark attack)

Kimsuky’s latest exploits call back to activity from last spring, such as ReconShark, which also targeted specific individuals through spear phishing emails, a file reconnaissance and data exfiltration campaign using RandomQuery malware, and a social engineering campaign stealing Google ad subscription credentials of a reputable news service focusing on North Korea. The DPRK-linked APT’s continued commitment to developing its social engineering attacks highlights the need for organizations to remain vigilant, collaborate with their security partners, and invest in solutions including advanced detection capabilities.

The Ugly | New Lunar Toolset Deployed by GRU-Linked Actors Targets European Government Agencies

Reports have surfaced this week detailing cyber intrusions of various European foreign affairs ministries. The campaign leverages two previously unknown backdoors, both of which have been active since at least 2020.

Researchers have dubbed the backdoors “LunarWeb” and “LunarMail”, and attribute the campaign with medium confidence to Turla, an APT connected to the Russian Federal Security Service (FSB). Turla (aka Krypton, UNC4210, or Secret Blizzard) has been known to target high profile entities including governments and diplomatic organizations in Europe, Central Asia, and the Middle East.

Initial infection occurs through spear phishing emails carrying Microsoft Word files with malicious macro code to install the LunarMail backdoor. This VBA macro then ensures persistence on the infected system by creating an Outlook add-in that is activated when the email is launched. Researchers also noted the potential abuse of Zabbix, an open-source solution for network and application monitoring, to deploy the LunarWeb payload.

Once active, Lunar backdoors enable direct communication with the C2 server, allowing for lateral movement within the network using stolen credentials and compromised domain controllers. These backdoors are tailored for long-term surveillance, data theft, and maintaining control over compromised systems, particularly in high-value sectors. A complete list of IoCs can be found here.

Source: ESET (The two observed Lunar toolset compromise chains)

Recent findings state that Russian-sponsored threats currently pose the greatest amount of risk to election infrastructure. Their goals also include amplifying GRU-linked interests and retaliating against perceived adversaries. In February, SentinelLabs uncovered a Russia-aligned influence operation network dubbed Doppelgänger employing disinformation tactics to influence public opinions within Germany. As major elections are around the corner for both the U.S. and EU members, malicious activities from nation-backed actors are expected to climb, making socio-economic and geopolitical terrains even more complex to navigate.

RSAC 2024 Recap | Advancing the Power of Possibility Through Community

Last week, the SentinelOne team wrapped up another exciting year at RSA Conference 2024. The four-day event was, as usual, an invaluable opportunity to connect with leaders across the community, share stories, and learn from each other. This year’s event garnered attendees numbering 40,000 strong from more than 130 countries, showing just how much expertise is available to be shared.

For those who couldn’t join us in San Francisco, our recap blog captures all of the event highlights including snippets from exclusive keynote sessions and all the announcements from SentinelOne.

RSAC 2024 | Understanding “The Art of Possible” in the Cyber World

This year’s theme for the event was “the art of possible”, a phrase that inspires hope while also serving as a warning to never underestimate what is possible by our cyber adversaries.

Community unlocks possibility and, thinking about the theme as it applies to cybersecurity, we are reminded to celebrate new technologies and leverage the strength of the collective whole and remain vigilant in the face of growing threats and risks.

Delivering The Future of Autonomous Security with Purple AI & Singularity Data Lake

It’s no surprise that many of the conversations at RSAC 2024 revolved around the topic of artificial intelligence (AI) and its impact on the cybersecurity landscape. SentinelOne was thrilled to announce innovative new capabilities within our Singularity Platform, designed to empower IT teams to take a predictive and autonomous stance against incoming threats:

  • AI-Powered Anomaly Detection – Purple AI surfaces correlated risks from integrated log sources.
  • Automated Alert Triage – The technology analyzes trillions of anonymized data signals at a global scale to evaluate how security analysts assess and respond to similar alerts and provides automated verdicts and recommended actions.
  • AI-Powered Response Recommendations and Hyper Automation Rules – Using global similarity analyses, Purple AI provides intelligent response recommendations based on how others have responded to similar alerts and smart recommendations to turn those actions into hyper automation rules to put response actions in autonomous mode.
  • 24/7 Auto-Investigations – Through zero-touch auto-investigation capabilities, Purple AI eliminates the need for human-driven investigations and empowers security teams to focus on validating and mitigating threats at scale.
  • Mandiant Threat Intelligence – Building on our existing OEM partnership, the Singularity platform integrates leading threat intelligence from Mandiant (part of Google Cloud) to provide the latest and most comprehensive security insights. This includes detailed adversarial TTPs, enrichment of all security alerts and enhancing threat hunting capabilities. Intelligence will also be accessible through Purple AI, boosting the platform’s proactive and automated functions in private preview later this quarter, with general availability later this year.

Combining the power of Singularity Data Lake and Purple AI, these capabilities help transform security operations by offering new autonomous capabilities in the Singularity Platform. Regardless of an organization’s size, budget, or resources, the latest features ensure they can respond to advanced threats and adopt a proactive approach, anticipating and mitigating issues before they bloom into full-out cyber events.

Further, Purple AI, SentinelOne’s advanced AI security solution, is now embedded across the Singularity Platform and accessible via a new unified security console, Singularity Operations Center. The Operations Center console is a significant stride forward in simplifying the analyst workflow by unifying alert triage and workflows across all event collections.

Now generally available, the Operations Center works by consolidating security management with unified alerts, inventory management, correlation engine, and a contextualized Singularity Graph to accelerate advanced SOC capabilities including detection, triage, and investigation.

Redefining Cloud Security

Attacks on cloud environments continue to soar as threat actors zero in on the concentration of business-critical data and services held in clouds. To help cloud teams, developers, and security professionals reduce their cloud and container attack surfaces, we announced the launch of Singularity™ Cloud Native Security (CNS) – our agentless Cloud Native Application Protection Platform (CNAPP) uniquely designed to assess cloud environments through the eyes of a threat actor.

With rapid agentless onboarding across 6 different cloud environments, CNS consolidates and correlates a range of cloud security capabilities:

  • Rapid onboarding with multi-cloud support
  • Cloud Asset Inventory and mapping with easy-to-understand graph visualizations
  • Vulnerability Scanning
  • Cloud Security Posture Management (CSPM)
  • Secrets Scanning
  • Infrastructure as Code (IaC) Scanning, including VCS integration
  • Container Image Security, including CI/CD integration
  • Software Bill of Materials (SBOM)
  • Kubernetes Security Posture Management (KSPM)
  • Cloud Detection and Response (CDR)
  • Integration with Singularity Data Lake for accelerated investigations via Purple AI

One of the major challenges security teams face is cutting through a very noisy attack surface, spending time separating truly critical and exploitable risks from theoretical attack paths. CNS uses a unique Offensive Security Engine™ that safely simulates attacker behaviors to provide evidence-based, false-positive-free Verified Exploit Paths™, so security teams can prioritize their time and prevent attacks more effectively.

SentinelOne & CISA | Improving the Nation’s Cybersecurity Posture

Chris Krebs Joins CISA’s Cyber Safety Review Board

The Cyber Safety Review Board (CSRB) was born as a result of President Biden’s Executive Order “Improving the Nation’s Cybersecurity”, administered by CISA on behalf of the Secretary of Homeland Security. At RSAC 2024, we announced that Chris Krebs, SentinelOne’s Chief Intelligence and Public Policy Officer, has joined the CSRB alongside private sector and senior officials from the DoD, NSA, DoJ, FBI, and more.

The CSRB focuses on fact-finding: it conducts independent reviews of major cyber incidents across U.S. entities and organizations before issuing recommendations. CISA Director Jen Easterly welcomed Krebs to the CSRB, stating that “his cybersecurity expertise and experience will be instrumental in the continuing evolution of the CSRB as a catalyst for positive change in the cybersecurity ecosystem.”

Krebs joined SentinelOne in November 2023, helping executives understand the realities of operating in the modern global business landscape by providing unbiased insights and transformative risk management strategies. Prior, he held the role of inaugural director at the Department of Homeland Security’s CISA and worked alongside businesses and government agencies to protect against an expanding set of cybersecurity threats. Before joining the DHS, Krebs led Microsoft’s U.S. cybersecurity policy efforts. Currently, he co-chairs the Aspen Institute’s U.S. Cybersecurity Working Group and is a CBS News Contributor.

SentinelOne Makes a Pledge for CISA’s Secure by Design

SentinelOne joined 67 other leaders across the security industry in signing CISA’s Secure by Design pledge at RSAC 2024, a voluntary commitment where the biggest names in tech today promised to take actions within one year to make their products and services more secure. The pledge seeks to complement and build on existing software security best practices, buckling down on the idea of continuously improving the nation’s cybersecurity.

The scope of the pledge includes improving seven aspects of on-prem software products and services, defined in CISA’s Secure by Design principles. SentinelOne is proud to add our statement of support:

“In today’s rapidly evolving and increasingly complex threat landscape, security cannot be an afterthought. It has to come first. As a vendor of cybersecurity products that tens of thousands of organizations rely on to keep their organizations safe, we believe it is our ethical duty to design products with a security-first mindset and to uphold the highest standards in delivering them, and in signing the Secure by Design Pledge, we are signaling our commitment to doing so.” Ric Smith, Chief Product and Technology Officer

Celebrating the Cybersecurity Community at RSAC 2024

The cybersecurity industry works hard, overcoming ever-evolving threats and risks to protect what’s most important. We take a moment to recognize and celebrate the ongoing collaboration and contributions from the entire community. Here are some highlights from the event!

Chris Krebs was joined by Chris Mullin, NBA Hall of Famer and Golden State Warriors Alumni at the SentinelOne executive happy hour.
RSAC wouldn’t be the same without the annual FOMO Party. This year’s bash featured Chris Clouse as opening DJ and EDM legend deadmau5 as headliner.
Holly Bittinger, our resident Product Communications Specialist, hangs out with Tina Hausmann (representing Aston Martin in F1 Academy in 2024) and Jessica Hawkins (Team Head of F1 Academy and Driver Ambassador for Aston Martin).

Thank You, RSAC – See You In 2025!

From the entire team at SentinelOne, we’d like to thank all of our customers, esteemed panelists, fellow vendors, and hosts for another amazing year with RSAC. These events continue to reflect the energy and drive that make up the tight-knit cybersecurity community we are all a part of. As we close out our time with RSAC 2024, we hope to continue the spirit of exchanging ideas, sharing experiences, and learning from one another to keep improving.

We’re already looking forward to next year’s event and welcome everyone to keep the conversation going on our social media channels and at our demo sessions. Be sure to learn more about all of SentinelOne’s latest security offerings as we invest in a more secure future.


Securing Peace of Mind with Breach Response Warranty

Running a business means accepting all of its fluctuating risks and uncertainties. For business leaders, one of the major challenges is managing their cybersecurity posture in an ever-changing threat landscape. With rapid digitalization and increasingly opportunistic attackers to consider, small to medium-sized businesses (SMBs) can be especially vulnerable.

Based on recent reports, over 40% of cyberattacks target today’s SMBs and only 14% of these organizations have the right response plans and policies to properly face the threat. While many business owners invest in cyber insurance, traditional insurance policies are no longer enough to provide the coverage needed in the current climate.

This blog post dives into why modern business leaders are investing in cyber warranties to round out their cyber defense strategies and fill in the gaps for cyber financial protections needed in a worst-case-scenario. Also, learn more about SentinelOne’s newly launched Breach Response Warranty available for businesses of all levels of endpoint counts.

Taking the Proactive Approach with Cyber Warranties | Why Cyber Insurance Alone Isn’t Enough

Although both cyber insurance and cyber warranties offer financial compensation in the case of a breach, they serve different purposes. Where cyber insurance covers financial losses resulting from data breaches or attacks that have already occurred, cyber warranties are a pledge from security vendors that their solutions will perform as promised.

Cyber insurance can also require lengthy paperwork and approval cycles, with timelines for compensation being drawn out. Warranties can plug this time gap and provide immediate relief and an event payout to help cover the deductible for cyber insurance coverage.

Vendors can offer different kinds of cyber warranties such as:

  • Service-Based Warranties – These are associated with specific products and services. For example, warrantied products and services are guaranteed to be free from known vulnerabilities.
  • Scope-Based Warranties – These outline specific conditions or sets of controls that the buyer must adhere to in order for the warranty to be considered valid.
  • Limited Liability Warranties – These hold the provider responsible for damages or losses that result from a cyberattack or breach if the attack was related to a covered product or service.

In terms of risk management, SMBs cannot rely on the reactive nature of cyber insurance policies, which only provide relief after a cyber incident has already happened. On average, an incident can cost SMBs up to $653,000 – a considerable amount of capital that many businesses cannot afford to pay to keep afloat post-attack.

To build up effective and scalable cyber resilience, businesses need to take a proactive approach that helps to prevent cyberattacks from occurring. Many leaders are bolstering their strategy by investing in cyber warranties, which act like guarantees from vendors that their solutions will keep them secure and round out their risk profile.

SentinelOne’s Breach Response Warranty Is Now Available

At SentinelOne, we understand that securing peace of mind requires more than delivering the best technology and cybersecurity expertise. We’re proud to introduce our Breach Response Warranty, the latest service enhancement we offer providing additional coverage and assurance of financial relief should a worst-case scenario occur. This is just one more way we are confidently partnering with you.

Coverage and Eligibility

Our Breach Response Warranty is offered to both our direct customers and Managed Security Service Providers (MSSPs). Coverage amounts are tiered by endpoint counts to cover all of our Complete, Vigilance, and WatchTower customers at no additional cost to the customer.

Comprehensive Recovery Expense

Our third-party insurance partner underwrites our warranty and provides up to $1 million of financial relief to ensure business continuity. That means if a breach occurs due to a lapse in our service, our warranty will be triggered to cover operational and legal expenses incurred to restore data and systems and gain compliance with data privacy for a quick recovery.

Comprehensive Endpoint Detection

Unlike many solution providers, our warranty covers physical and virtual devices across multiple operating systems, including Windows, Linux, Mac, and cloud workloads (containers). Our comprehensive protection ensures that all endpoints are covered regardless of the platform.

Conclusion | How to Invest In SentinelOne’s Warranty Program

As threat actors become more sophisticated and well-funded, businesses can bolster their cyber resilience and overall posture by partnering with security vendors that offer integrated warranties for their solutions and services. In assuming a more proactive approach to building their tech stacks, business leaders take on a competitive advantage over those with gaps in their risk profiles.

A combination of a cyber warranty-backed tech stack and cyber insurance coverage gives business leaders the assurance needed to operate confidently in today’s digital environment.

The SentinelOne Breach Response Warranty reflects our commitment to partnering closely with businesses of all sizes to secure their digital assets. Experience true peace of mind with our industry-leading security solutions, now covered by a comprehensive warranty. Please refer to the Breach Response Warranty Agreement for detailed information and specific inquiries. Stay protected and stay secure with SentinelOne.

Patch Tuesday, May 2024 Edition

Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in SharePoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploiting this bug first requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher), and then to take additional steps. That makes the flaw less likely to be widely exploited, as most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped the macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, then the General tab, then Software Update, and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to back up your data and/or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.

Unify the Analyst Experience with Singularity Operations Center

On April 26, 2024, SentinelOne marked a significant milestone in security management with the launch of the Singularity Operations Center, the new unified security console. This major update to the Singularity Platform is now generally available (GA) to all cloud-native customers, representing a pivotal shift to a more integrated and efficient analyst experience for security teams.

This blog post introduces the many features of Operations Center and delves into how it centralizes security management with unified alerts, asset inventory management, a correlation engine, and our contextualized Singularity Graph to accelerate detection, triage, and investigation. Operations Center significantly boosts analyst productivity with enterprise-wide visibility and control, setting a high standard against other vendors with fragmented systems.

One Console, One Platform

Implementing disconnected tools for different attack surfaces and use cases has led to complex navigation, operational inefficiencies, and less visibility across security ecosystems. Using disparate tools has also spread data across multiple consoles, forcing analysts to continuously context switch and making it harder to understand their whole security landscape. Together, these pain points distract security teams from everyday tasks while making triage and investigation slower, more error-prone, and more manual. We built the Singularity Platform and Operations Center to help eliminate noise and workflow disruptions while providing best-in-class protection for organizations everywhere.

The Singularity Platform is an AI-powered cybersecurity platform with one console and one data lake for a truly unified experience. We worked closely with over 200 organizations to ensure the design of Operations Center prioritizes and empowers security analysts, threat hunters, security administrators, incident responders, and SOC managers, considering their everyday tasks through workflow-based navigation. Through our Design Partner Program, our active users, ranging from advanced to early-career analysts across different industries, play a vital role in the product development process to ensure our improvements enhance the overall analyst function.

Gain End-to-End Visibility and Control

One of the core philosophies of Operations Center is centralization. Consolidating security operations through intuitive and integrated design provides a single view across the enterprise. The new unified alert management page enables security teams to conduct faster and more comprehensive investigations by managing and responding to security alerts in one location.

Without pivoting to multiple tabs and consoles, analysts benefit from a single queue composed of alerts from SentinelOne native solutions in addition to ingested partner alerts. Customers can use Singularity Marketplace to ingest alerts from industry-leading partner solutions, such as Proofpoint TAP, ExtraHop Reveal(x), Microsoft Defender Suite, Palo Alto Firewall, and more. By understanding the full scope of an alert and its attributes, such as severity level, event indicators, origin, and more specific details, users can respond rapidly and surface holistic insights.

Organizations also require deep insight into all the assets in their environment to fully understand their attack surface, identify coverage gaps, and reduce potential risks. In the Operations Center, security teams can now centrally oversee and manage all assets in a unified inventory, which includes managed endpoints, cloud resources, identity assets, and network-discovered devices. To accelerate triage and investigation, analysts have access to an up-to-date inventory page that contains essential asset properties for easy review, criticality assignment, organizational tagging, and direct actions, such as initiating security scans.

Accelerate Detection, Triage, and Investigation

SentinelOne’s goal with Operations Center is to optimize efficiency at every stage of the analyst experience, from preparation and detection to recovery. We are introducing our new correlation engine to help detect complex cyber threats earlier and in real time, preventing breaches and minimizing damage. It correlates activities from multiple data sources and events and identifies patterns that indicate malicious intent to generate a more detailed and reliable alert. The correlation engine saves time and accelerates triage and investigation for analysts, eliminating the need to manually search through thousands of logs to validate specific criteria.

When investigating a potential threat, users now benefit from our Singularity Graph, an interactive graph that correlates and contextualizes security alerts and assets. Analysts can write their own queries or leverage the graph library for out-of-the-box queries to conduct faster investigations. The visual graphs enable the discovery of deeper contextual insights with a visual representation of the relationship between threats and their connections to assets currently in the organization. Users can easily click on any asset or alert for more detailed information and quickly take action to mitigate threats.

Singularity Operations Center is a testament to our commitment to delivering the most advanced AI-powered security platform:

  • Consolidate Security Operations – Centralize workflows through integrated and intuitive design for complete visibility and control across the enterprise, including workplace and cloud environments.
  • Streamline Incident Response – Accelerate detection, triage, and investigation with contextual insights for rapid response and risk reduction.
  • Simplify Configuration Management – Improve productivity and save time by efficiently managing configuration, settings, and policies from one location.

Enable Now to Elevate Security Operations

The Singularity Operations Center is Generally Available to current cloud-native customers as an opt-in toggle. Existing customers can visit the Customer Portal to learn how to enable the new console and navigation.

Learn More

Not a customer, but want to see more? Meet our team for a demo to see how you can get started with the Singularity Platform, or visit our self-guided product tours.


PinnacleOne ExecBrief | Cyber Strategy in Focus: Talent, Tools, and Intel

Last week, PinnacleOne examined the growing trend towards digital sovereignty, manifesting in national competition to secure and lead increasingly strategic cloud, AI, and space networks.

This week, we consider what the Office of National Cyber Director’s Annual Report means to modern enterprises.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Stratagem

The Office of the National Cyber Director (ONCD) released its inaugural report on the cybersecurity posture of the U.S. last week. The report detailed a contested, complex, and interconnected environment for the U.S. government to navigate. Underlining the greatest hits of last year, like the Volt Typhoon disclosures and multiple takedowns of criminal hacking groups, the report detailed the offensive steps the government took to impact malicious actors. But most of the content is focused on what the government can do to improve defensive conditions in the U.S. To that end, we have adapted some of the report’s themes for modern enterprise defenders to consider.

Talent

Who are you hiring? The U.S. is a leader in cybersecurity education and talent training. Governments around the world, including China, copied early U.S. efforts to educate a generation of defenders and hackers. The highly-respected National Security Agency, along with many other federal government partners, certified some universities as Centers of Academic Excellence. Their graduates are sure to make excellent hires for corporate cybersecurity teams.

The people hired to run your cybersecurity shop are the most important thing you will spend your budget on. Your team designs the business processes, deploys the tools, conducts hunts, remediates incidents, and protects the bottom line. But good talent costs money, and cybersecurity teams are frequently hamstrung by the pay scale HR sets.

Consider what the U.S. government has done: exempting cybersecurity talent from standard government pay scales and allowing experts to grow in place. This HR system is two-fold. First, cybersecurity jobs are on a different pay scale than other government jobs to attract qualified candidates. Second, defenders are allowed to grow their compensation in place. Mature teams need experts, and experts need to remain in their domain of expertise to provide value to the organization. Too often, pay increases are only accessible to people as they move up the corporate management ladder. To stop this loss of talent, some government agencies will advance technical experts up the pay scale to levels consistent with the highest levels of management pay, just to keep that person in place and not incentivize them to pursue management.

Procurement

Use your money wisely and demand more from your suppliers. The U.S. government is moving to use its purchasing power to drive cybersecurity requirements. The government is such a massive purchaser that it is nearly impossible for individual companies to match its influence. That said, if industry associations move in concert to require specific features or design protocols as a condition of purchase, and these requirements are clearly articulated with timelines for implementation, they may well have the intended impact. Coordinating with partners through your industry’s ISAC is a good place to start.

Intelligence

Who can provide you visibility into the things you need to know about the systems you rely on? How does that provider gain information about particular threat actors, their interests, and how do they communicate it to you?

Cyber threat intelligence is often consumed by cybersecurity teams not mature enough to use it. These teams accept whatever cut-rate intelligence they can afford without thought to the provider’s visibility, value to defenders, and timeliness of intelligence. When they do receive an intelligence report, it is often marveled at, categorized, and then forgotten.

Mature teams digest intelligence differently. They understand the frequency at which tools are scanning, collecting, and disseminating. They understand the threat landscape well enough to know which threat actors matter most to them, including when to action intelligence with a threat hunt in their environment and when to ignore it.

The 2024 Annual Report from the Office of the National Cyber Director emphasizes the importance of accurate and timely intelligence distribution to defenders. What is in your hands is whether the intelligence that reaches your team can be put to use.

Going Forward

Companies cannot control the threat environment in which they operate. The reams of technology deployed across corporate enterprises today are almost entirely out of the control of their consumers. But, there are important levers corporate leadership can pull to improve network security: talent, procurement, and intelligence.

Talent is the base of cybersecurity. Top-notch defenders should work in concert with IT teams to determine procurement decisions of tools, hardware, and software in the environment. Finally, those same teams will be mature enough to find good intelligence from providers with the visibility required to provide impactful analysis. The U.S. government may be far different from modern enterprise, but the ONCD’s recent report gives the C-suite much to chew on.

Cloud Native Security | Prioritize Better, Respond Faster, with Verified Exploit Paths™

This week, SentinelOne launched Singularity™ Cloud Native Security (CNS), our agentless Cloud Native Application Protection Platform (CNAPP) uniquely designed to assess cloud environments through the eyes of a threat actor. As attackers increasingly target cloud environments, SentinelOne’s latest solution helps organizations better defend against these attacks.

CNS simulates attack methods to verify exploit pathways, so-called Verified Exploit Paths™. In so doing, CNS reduces the noise of the theoretically possible so that cloud security practitioners can focus on fixing what matters most.

In this blog post, Ely Kahn, VP of Product Management for Cloud Security, AI/ML, and Core Platform, and Anand Prakash, Product Leader for SentinelOne’s Cloud Native Security, explore the value and outcomes of Cloud Native Security. Learn how our agentless CNAPP with a unique Offensive Security Engine™ is set to help security, developers, and cloud teams collaborate and communicate to radically reduce their cloud and container attack surfaces.

Think Like An Attacker | The Vision for Cloud Native Security (CNS)

Ely: Anand, could you outline our overall vision for Cloud Native Security (CNS)?

Anand: For me, Cloud Native Security (CNS) is cloud security that Thinks Like An Attacker.

As organizations build and run their multi-cloud and container environments there are many security concerns: OS and application level vulnerabilities, misconfigured cloud services, overly permissive cloud identities, misconfigured container deployments, leaked credentials … the list goes on. Aside from meeting compliance needs and building cross-functional collaboration workflows with other teams, cloud defenders must ensure visibility across the entire estate to build and enforce security policies. They simply have too much to do and insufficient time or resources. On the other side, attackers have a single and clear remit: to find ONE way in.

Cloud Native Security provides a unified view of all the risks listed above and, importantly, applies an attacker’s mindset to a cloud attack surface to highlight which areas of cloud insecurity represent genuinely exploitable risks. CNS communicates the critical areas of your cloud environment where there’s immediate exploitation potential, providing evidence with screenshots and code snippets. We call these Verified Exploit Paths™.

Sometimes, a CVSS score isn’t sufficient to communicate a risk’s impact. Understanding hundreds of potential theoretical Attack Paths wastes everybody’s time investigating never-exploitable threats. CNS focuses on providing evidence, which not only means no false positives, it helps cloud security teams effectively work with their peers to remediate cloud issues rapidly.

Ely: That autonomous attacker’s mindset is extremely valuable to customers. I think it’s worth talking about how that’s achieving several things for security teams including:

  • Identifying which risks are exploitable and which require alert prioritization
  • Validating the nature of the risk and providing evidence of the attack vector, which automates the finding deconfliction process
  • How the provision of evidence speeds up remediation by providing all teams the “so what” that’s often required to drive action

Now that we’ve got the bigger picture, let’s talk about how Cloud Native Security achieves this.

Instant Visibility and Coverage

Anand: Let’s start with how we first engage with our customers, the onboarding process.

As an agentless CNAPP, CNS onboarding takes minutes, and results are immediate. CNS is an incredibly efficient onboarding wizard that steps customers through onboarding their multi-cloud environments. It provides templates to deploy, and within minutes, allows customers to set up read-access across AWS, Microsoft Azure, Google GCP, Oracle Cloud, Alibaba Cloud, and Digital Ocean.

That read access is all CNS requires to return immediate observability and comprehensive security coverage across the cloud infrastructure. Additionally, CNS automatically detects new accounts, projects, and subscriptions as they’re spun up. This is very important to ensure our customers have complete visibility of their ever-changing estate.

In their feedback, our customers describe a struggle with cloud asset sprawl, or “shadow cloud”. This visibility is the start of all security for me, as you can’t protect what you can’t see, or don’t know exists!

CNS provides a full cloud Asset Inventory and an easy-to-navigate graph explorer of the cloud environment. The image below shows the SentinelOne Graph Explorer, which visually analyzes cloud resources. All security issues have a pre-built link view of the potential blast radius of cloud resources affected by an identified vulnerability or misconfiguration. It’s also a convenient and visual method of writing queries or creating custom policies. Any search and view can be converted to reusable security policies in a few clicks.

Cloud Security Posture Management (CSPM)

Ely: Let’s move on to misconfigurations. Cloud misconfigurations can often cause trouble for security and cloud teams. Let’s talk about our cloud security posture management (CSPM).

Anand: To help cloud and security analysts hunt for cloud misconfigurations, CNS has over 2,000 built-in checks, as well as the ability to easily add custom checks. These checks cover a broad range of cloud services and can be quickly searched by severity, cloud provider, or service type.

For each misconfiguration alert, CNS provides details on the nature of the resource and links to the affected resource within the native Cloud Service Provider console. Alerts include a quick description of the misconfiguration and provide an impact statement on why that particular misconfiguration is dangerous. CNS then lists recommended actions for engineers to remediate. Beyond the recommendations, one-click and automated remediation is available depending on the nature of the misconfiguration.

Currently, for each misconfiguration, you can assign a particular analyst and apply labels so that analysts can document their progress, and an activity overview allows users to audit what was actioned. As expected, CNS also integrates with ITSM providers like Jira to provide the alerting workflows your teams may prefer.

Ely: How are we helping customers from a compliance lens? Cloud posture and misconfigurations are often viewed within the context of compliance.

Anand: They are! While attackers don’t care about compliance, it’s a vital business requirement. To help security analysts easily meet their compliance requirements, CNS includes a dedicated dashboard for your chosen compliance standards. It covers NIST, SOC, ISO, CIS, and many more regulatory frameworks. CNS also includes real-time compliance score tracking over time that can help communicate a team’s progress within your organization.

Agentless Vulnerability Scanning

Anand: In addition to contextualizing cloud assets and hunting for cloud misconfigurations, CNS has agentless vulnerability scanning across running virtual machines and containers. Vulnerability Management checks for vulnerabilities in OS packages, libraries, and running applications, to identify potential security risks. This scanning is continuous to provide an up-to-date view of your cloud health. CNS uses a rich repository of known vulnerabilities from 25+ databases, including CISA KEV, CVE, RedHat, NVD, MSRP, Kubernetes Security, OSVDB, and more. This ensures that organizations are safeguarded against new attack vectors, providing comprehensive protection for their entire cloud estate.

Additionally, our Vulnerability Management includes a software bill of materials (SBOM) detailing a resource’s inventory of components, libraries, and dependencies. As with misconfigurations, each vulnerability alert has a graphical view of the affected resources and can be assigned and tracked. Each vulnerability has details to contextualize the alert, including the CVSS score, the EPSS score, and an overview of the Attack Vector, Attack Complexity, Privileges Required, User Interaction, Confidentiality Impact, Integrity Impact, Availability Impact, and Scope.

Ely: The real value is how CNS prioritizes alerts of vulnerabilities which are public internet-facing, and which vulnerabilities are connected to resources that are also misconfigured, which raises the risk profile of those assets. It’s tying together all the features we have discussed so far.

Now we have discussed cloud visibility and asset inventory, hunting misconfigurations with CSPM, and covered Vulnerability Management. These are all security features that assess running cloud environments. How are we helping customers as they build? For misconfigurations, how can we shift our security left?

Infrastructure as Code (IaC) Scanning

Anand: This is where I like to talk about the opportunity of Infrastructure as Code (IaC) scanning. Many organizations leverage IaC to build repeatable architecture, and golden IaC templates are a great way to prevent resource misconfigurations. CNS identifies pre-production issues in IaC template files such as Terraform and CloudFormation.

To enable this, CNS has multiple integrations with popular Version Control Systems to scan those templates and pinpoint misconfigurations before they reach production. Within the DevOps pipeline, we ensure consistent, repeatable, and appropriate configurations are codified according to best practices. This shift-left approach to security enables cloud and DevOps engineers to address issues and ensure best practices within the build phase.

For issues that are not immediately worrisome and exploitable, I always recommend fixing them via the IaC approach, as it is always safer and less intrusive than making changes to live cloud environments.

Container & Kubernetes Security

Anand: For our clients needing container and Kubernetes security, CNS has simple and quick integration with popular CI/CD platforms to enable vulnerability scans of container images as they are built. By providing developers with feedback early in the development phase, security issues can be remediated before they make it to production.

Another way we can help cloud defenders shift their security left is by scanning container configuration files for Kubernetes (including Helm and manifests) to hunt for Kubernetes misconfigurations. Kubernetes is a widely-adopted container orchestration platform, notorious for overly permissive configurations that create unique security challenges for containerized workloads.

Kubernetes Security Posture Management (KSPM) goes well beyond CSPM, which is ill-suited to the intricacies of Kubernetes network configurations and inter-pod communications. Our KSPM spans from the shift-left scan to real-time visibility of clusters and their activity. The KSPM capabilities within CNS deliver comprehensive visibility into workloads, nodes, pods, containers, and the Kubernetes API, enabling continuous monitoring and evaluation of your Kubernetes security stance.

CNS offers insights into your compliance posture, encompassing CIS Benchmarks for EKS, GKE, and AKS, the managed K8s services from the three leading cloud service providers, as well as the CIS Kubernetes Framework. For example, with CNS, customers can pinpoint overly permissive roles and detect namespaces that lack the labels needed to enforce Kubernetes Pod Security Standards.
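To make the two Kubernetes checks just mentioned concrete, here is an added example of my own (not SentinelOne code, and not how CNS implements them): a small offline script that reads the JSON that `kubectl get clusterroles,namespaces -o json` produces and flags roles with wildcard or privilege-escalating rules, and namespaces whose `pod-security.kubernetes.io/enforce` label is missing or weaker than a required level. The sample document is constructed; the set of verbs treated as escalation (`escalate`, `bind`, `impersonate`), the Secrets-read check, and the exemption of `kube-system` are my own choices.

```python
"""KSPM-style checks over `kubectl ... -o json` output (added example, not SentinelOne code).

Reads a Kubernetes List document and flags:
  1. Roles/ClusterRoles granting wildcard verbs or resources, privilege-escalating
     verbs (escalate/bind/impersonate), or read access to Secrets;
  2. Namespaces not enforcing a Pod Security Standard at least as strict as the
     required level via the pod-security.kubernetes.io/enforce label.
"""
import json

PSS_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
PSS_LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}
# Assumption: these verbs let a subject obtain more than it holds, so treat them as high risk.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
READ_VERBS = {"get", "list", "watch"}

# Constructed sample resembling `kubectl get clusterroles,namespaces -o json`.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "ci-runner"},
         "rules": [
             {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
             {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
             {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["bind"]},
         ]},
        {"kind": "ClusterRole", "metadata": {"name": "view-pods"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
        {"kind": "Namespace", "metadata": {"name": "payments", "labels": {PSS_ENFORCE_LABEL: "restricted"}}},
        {"kind": "Namespace", "metadata": {"name": "legacy", "labels": {PSS_ENFORCE_LABEL: "privileged"}}},
        {"kind": "Namespace", "metadata": {"name": "scratch"}},
        {"kind": "Namespace", "metadata": {"name": "kube-system"}},
    ],
})


def load_sample():
    return json.loads(SAMPLE_JSON)


def _items(doc, kind):
    return [i for i in doc.get("items", []) if i.get("kind") == kind]


def overly_permissive_roles(doc):
    """Return {role_name: [reason, ...]} for every Role/ClusterRole that trips a check."""
    findings = {}
    for role in _items(doc, "ClusterRole") + _items(doc, "Role"):
        reasons = []
        for rule in role.get("rules", []):
            verbs = set(rule.get("verbs", []))
            resources = set(rule.get("resources", []))
            if "*" in verbs:
                reasons.append(f"wildcard verb on {sorted(resources)}")
            if "*" in resources:
                reasons.append(f"wildcard resource with verbs {sorted(verbs)}")
            if verbs & ESCALATION_VERBS:
                reasons.append(f"escalation verbs {sorted(verbs & ESCALATION_VERBS)} on {sorted(resources)}")
            if "secrets" in resources and verbs & READ_VERBS:
                reasons.append("can read Secrets (cluster-wide if bound by a ClusterRoleBinding)")
        if reasons:
            findings[role["metadata"]["name"]] = reasons
    return findings


def namespaces_below_pss(doc, required="restricted", exempt=("kube-system",)):
    """Return {namespace: enforced_level_or_None} for namespaces enforcing less than `required`."""
    findings = {}
    for ns in _items(doc, "Namespace"):
        name = ns["metadata"]["name"]
        if name in exempt:  # assumption: system namespaces are reviewed separately
            continue
        level = ns["metadata"].get("labels", {}).get(PSS_ENFORCE_LABEL)
        if level is None or PSS_LEVELS.get(level, -1) < PSS_LEVELS[required]:
            findings[name] = level
    return findings


if __name__ == "__main__":
    doc = load_sample()
    for name, reasons in overly_permissive_roles(doc).items():
        print(f"[RBAC] {name}: " + "; ".join(reasons))
    for name, level in namespaces_below_pss(doc).items():
        print(f"[PSS]  {name}: enforce={level or 'missing'} (required: restricted)")
```

On the constructed sample this reports `cluster-admin` (wildcards) and `ci-runner` (reads Secrets, can `bind` ClusterRoles) while leaving the read-only `view-pods` alone, and lists `legacy` (enforces `privileged`) and `scratch` (no label) as namespaces below the `restricted` level. Feed it real output by piping `kubectl get clusterroles,namespaces -o json` into `json.load` in place of `load_sample()`.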

Another example of CNS security checks across the build lifecycle is Secret Scanning.

Ely: This is so important – compromised credentials remain one of the primary causes of cloud security failures. It can be incredibly easy to leak API keys or accidentally hard-code credentials during development, testing and staging, and the risk profile is massive given their power. From an attacker’s perspective, we often see automated repository scans for credentials, as they can appear in clear text. This is an easy point of entry for threat actors to log in rather than hack into a cloud account, a web application, or part of your cloud infrastructure.

Secret Scanning

Anand: That’s exactly right Ely, and this is something I used to build as well as a bug bounty hunter and ethical hacker. We are proud to announce Cloud Native Security leads the industry with over 750 distinct types of secrets and credentials that we scan for across code repositories and configuration files.

CNS periodically scans codebases within build environments and configuration files as well as public and private repositories of the organization, and public repositories of associated developers, to detect and alert on potential exposure of secrets and prevent credential leakage.

By automatically and meticulously scanning each commit, we ensure peace of mind that leakage is detected within seconds. Additionally, CNS flags any newly created public repositories, ensuring that fresh codebases are brought immediately to the attention of security teams for scanning and review.

For each secret alert, alongside the typical impact, recommended action and alerting options, CNS provides a detailed overview of the sensitive data that has been exposed or is at risk: a concise list view with crucial insights including the specific type of secret, its location with a linked source and code snippet, the file name, the discovery time, and the user who committed it.

Crucially, CNS validates each secret alert, indicating if the exposed data is currently considered “valid” or not. This validation has its own timestamp and can be re-run with the click of the button, allowing analysts to validate risk in real time and monitor how remediation de-risks an environment. By clicking on “Revalidate”, the system will re-scan the secret and update its status accordingly. It’s especially useful when teams believe they’ve remediated a detected secret or when they suspect that the initial detection might have been a false positive.

However, CNS also goes a step further. CNS is able to block and prevent credential leakage in real-time, with enforcement mechanisms to ensure secret-free merges.
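The per-commit detection and validation steps described above can be approximated with a few dozen lines. The following is an added example of my own, not CNS code: it walks the added lines of a unified diff, matches a handful of well-known token formats plus a generic high-entropy credential assignment, and, for GitHub tokens, verifies the checksum GitHub embeds in the last six characters before anything is sent to a live validator, which cuts obviously stale or mangled tokens out of the queue. The diff and tokens are constructed (the AWS key ID is the example value from AWS’s own documentation), the pattern list and entropy threshold are mine and far smaller than the 750 types mentioned above, and the base62 alphabet order used for the checksum is an assumption to confirm against a real token before relying on it.

```python
"""Commit-diff secret scanner with an offline pre-validation step (added example, not CNS code)."""
import math
import re
import zlib
from dataclasses import dataclass
from typing import List, Optional

# Assumption: base62 alphabet order used by GitHub's token checksum (digits, upper, lower).
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic fallback: a credential-looking name assigned a long opaque value.
GENERIC = re.compile(r"(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen by hand for this example


@dataclass
class Finding:
    kind: str
    file: str
    line_no: int                 # line number in the new version of the file
    secret: str
    checksum_ok: Optional[bool]  # None when the format has no offline check


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def github_checksum(body: str) -> str:
    """base62(CRC32(body)), zero-padded to 6 characters."""
    crc = zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF
    out = ""
    while crc:
        crc, rem = divmod(crc, 62)
        out = BASE62[rem] + out
    return out.rjust(6, "0")


def github_token_checksum_ok(token: str) -> bool:
    body, check = token[4:34], token[34:40]  # prefix(4) + body(30) + checksum(6)
    return github_checksum(body) == check


def scan_diff(diff: str) -> List[Finding]:
    findings: List[Finding] = []
    current_file, line_no = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("@@"):  # new-file numbering restarts at the hunk's '+' start line
            line_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1)) - 1
            continue
        if raw.startswith(("-", "\\", "diff ", "index ")):
            continue              # removed lines and metadata never land in the tree
        line_no += 1              # context and added lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        text, matched = raw[1:], False
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                matched = True
                ok = github_token_checksum_ok(m.group(0)) if kind == "github_token" else None
                findings.append(Finding(kind, current_file, line_no, m.group(0), ok))
        if not matched:
            m = GENERIC.search(text)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_string", current_file, line_no, m.group(1), None))
    return findings


# Constructed sample: a token with a valid checksum, the same token with its checksum
# corrupted, AWS's documented example key ID, one opaque API key, and a short password
# that should not fire.
_BODY = "Q7vD2kLm9pRs4tUw1xYz8aBc3dEf6g"
VALID_GH = "ghp_" + _BODY + github_checksum(_BODY)
BROKEN_GH = VALID_GH[:-1] + ("0" if VALID_GH[-1] != "0" else "1")
SAMPLE_DIFF = f"""\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,7 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "{VALID_GH}"
+OLD_TOKEN = "{BROKEN_GH}"
+SERVICE_API_KEY = "b7Qx2mN9vR4kL8pW3sT6yZ1aC5dE0fG"
+DB_PASSWORD = "hunter2"
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        state = {True: "checksum ok", False: "checksum BAD", None: "needs live check"}[f.checksum_ok]
        print(f"{f.file}:{f.line_no} {f.kind} {f.secret[:8]}... [{state}]")
```

Running it against the sample yields four findings: the AWS key ID (line 11, needs a live check), the GitHub token on line 12 (checksum ok), its corrupted twin on line 13 (checksum bad, so it can be deprioritised without a network call), and the high-entropy `SERVICE_API_KEY` value; `hunter2` is too short to trip the generic rule. In a pre-receive or merge-blocking hook the same function runs over `git diff` output and a non-empty result fails the push.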

Finally, CNS has a revolutionary Offensive Security Engine, the industry’s first autonomous red team approach to cloud security. This is the attacker’s mindset that we began our conversation with.

Offensive Security Engine

Anand: Across all of CNS’ findings, the Offensive Security Engine runs to differentiate between the theoretical and the exploitable. To begin, each reported issue includes a trace of the path through which the insecurity was detected. Via this path, CNS simulates attacker methods with de-fanged attacks. CNS then captures the response to validate the impact of an attack and provide evidence of exploitability. This Verified Exploit Path™ with evidence means that each Offensive Security Engine alert is proof-positive – there’s zero opportunity for false negatives with these findings. This is prioritization at its finest.

Ely: Again this is a revolutionary approach to cloud security. The Offensive Security Engine allows security teams to contextualize their cloud alerts, cut through the theoretical noise and focus on remediating the truly critical exploitable risks first to have maximum positive impact on the business’ cloud posture.

This is outcomes-focused, autonomous security for cloud defenders. With this launch, the agentless security capabilities are part of the greater whole of the Singularity Platform.

Cloud Security in The Singularity Platform

CNS has native integration to the Singularity Data Lake for investigation and custom detection purposes. The findings are in the universal Open Cybersecurity Schema Framework (OCSF) format. This means CNS alerting and findings can be correlated and combined with telemetry and findings from SentinelOne’s agent-based cloud security, our Cloud Workload Security, alongside our Endpoint Security telemetry and additional partner feeds.

Conclusion | Learn How Cloud Native Security Keeps Clouds Secure

Circling back to outcomes, Cloud Native Security (CNS) tackles the challenges customers face in adopting cloud platforms: sprawling asset footprints, too much noise from security alerting, not enough time, and preventable issues being detected too late.

CNS offers customers a breadth of coverage, supporting all major cloud providers, source code repositories, Kubernetes environments, and CI/CD pipelines. Installation is easy and fast, with near-instant visibility: a cloud asset inventory is returned and assessed for issues almost immediately.

Most importantly, Cloud Native Security provides evidence-based reporting of issues using a unique Offensive Security Engine. Beyond detecting issues, CNS validates which concerns are genuine with evidence of exploitation.

CNS is set to revolutionize cloud security for modern enterprises and provide security professionals with the tools they need to secure today, tomorrow, and beyond. Saving time and maximizing resources with evidence based Verified Exploit Paths™ ensures enterprises can focus on business-critical operations and build up a strong and lasting cloud cyber posture.

Book a demo or contact us today to see how SentinelOne’s Cloud Native Security is set to radically improve enterprise cloud security posture.


How Did Authorities Identify the Alleged Lockbit Boss?

Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit’s leader “LockBitSupp” claims the feds named the wrong guy, saying the charges don’t explain how they connected him to Khoroshev. This post examines the activities of Khoroshev’s many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.

Dmitry Yuryevich Khoroshev. Image: treasury.gov.

On May 7, the U.S. Department of Justice indicted Khoroshev on 26 criminal counts, including extortion, wire fraud, and conspiracy. The government alleges Khoroshev created, sold and used the LockBit ransomware strain to personally extort more than $100 million from hundreds of victim organizations, and that LockBit as a group extorted roughly half a billion dollars over four years.

Federal investigators say Khoroshev ran LockBit as a “ransomware-as-a-service” operation, wherein he kept 20 percent of any ransom amount paid by a victim organization infected with his code, with the remaining 80 percent of the payment going to LockBit affiliates responsible for spreading the malware.

Financial sanctions levied against Khoroshev by the U.S. Department of the Treasury listed his known email and street address (in Voronezh, in southwest Russia), passport number, and even his tax ID number (hello, Russian tax authorities). The Treasury filing says Khoroshev used the emails sitedev5@yandex.ru, and khoroshev1@icloud.com.

According to DomainTools.com, the address sitedev5@yandex.ru was used to register at least six domains, including a Russian business registered in Khoroshev’s name called tkaner.com, which is a blog about clothing and fabrics.

A search at the breach-tracking service Constella Intelligence on the phone number in Tkaner’s registration records — 7.9521020220 — brings up multiple official Russian government documents listing the number’s owner as Dmitri Yurievich Khoroshev.

Another domain registered to that phone number was stairwell[.]ru, which at one point advertised the sale of wooden staircases. Constella finds that the email addresses webmaster@stairwell.ru and admin@stairwell.ru used the password 225948.

DomainTools reports that stairwell.ru for several years included the registrant’s name as “Dmitrij Ju Horoshev,” and the email address pin@darktower.su. According to Constella, this email address was used in 2010 to register an account for a Dmitry Yurievich Khoroshev from Voronezh, Russia at the hosting provider firstvds.ru.


Cyber intelligence firm Intel 471 finds that pin@darktower.ru was used by a Russian-speaking member called Pin on the English-language cybercrime forum Opensc. Pin was active on Opensc around March 2012, and authored 13 posts that mostly concerned data encryption issues, or how to fix bugs in code.

Other posts concerned custom code Pin claimed to have written that would bypass memory protections on Windows XP and Windows 7 systems, and inject malware into memory space normally allocated to trusted applications on a Windows machine.

Pin also was active at that same time on the Russian-language security forum Antichat, where they told fellow forum members to contact them at the ICQ instant messenger number 669316.

NEROWOLFE

A search on the ICQ number 669316 at Intel 471 shows that in April 2011, a user by the name NeroWolfe joined the Russian cybercrime forum Zloy using the email address d.horoshev@gmail.com, and from an Internet address in Voronezh, RU.

Constella finds the same password tied to webmaster@stairwell.ru (225948) was used by the email address 3k@xakep.ru, which Intel 471 says was registered to more than a dozen NeroWolfe accounts across just as many Russian cybercrime forums between 2011 and 2015.

NeroWolfe’s introductory post to the forum Verified in Oct. 2011 said he was a system administrator and C++ coder.

“Installing SpyEYE, ZeuS, any DDoS and spam admin panels,” NeroWolfe wrote. This user said they specialize in developing malware, creating computer worms, and crafting new ways to hijack Web browsers.

“I can provide my portfolio on request,” NeroWolfe wrote. “P.S. I don’t modify someone else’s code or work with someone else’s frameworks.”

In April 2013, NeroWolfe wrote in a private message to another Verified forum user that he was selling a malware “loader” program that could bypass all of the security protections on Windows XP and Windows 7.

“The access to the network is slightly restricted,” NeroWolfe said of the loader, which he was selling for $5,000. “You won’t manage to bind a port. However, it’s quite possible to send data. The code is written in C.”

In an October 2013 discussion on the cybercrime forum Exploit, NeroWolfe weighed in on the karmic ramifications of ransomware. At the time, ransomware-as-a-service didn’t exist yet, and many members of Exploit were still making good money from “lockers,” relatively crude programs that locked the user out of their system until they agreed to make a small payment (usually a few hundred dollars via prepaid Green Dot cards).

Lockers, which presaged the coming ransomware scourge, were generally viewed by the Russian-speaking cybercrime forums as harmless moneymaking opportunities, because they usually didn’t seek to harm the host computer or endanger files on the system. Also, there were still plenty of locker programs that aspiring cybercriminals could either buy or rent to make a steady income.

NeroWolfe reminded forum denizens that they were just as vulnerable to ransomware attacks as their would-be victims, and that what goes around comes around.

“Guys, do you have a conscience?,” NeroWolfe wrote. “Okay, lockers, network gopstop aka business in Russian. The last thing was always squeezed out of the suckers. But encoders, no one is protected from them, including the local audience.”

If Khoroshev was ever worried that someone outside of Russia might be able to connect his early hacker handles to his real life persona, that’s not clear from reviewing his history online. In fact, the same email address tied to so many of NeroWolfe’s accounts on the forums — 3k@xakep.ru — was used in 2011 to create an account for a Dmitry Yurevich Khoroshev on the Russian social media network Vkontakte.

NeroWolfe seems to have abandoned all of his forum accounts sometime in 2016. In November 2016, an exploit[.]ru member filed an official complaint against NeroWolfe, saying NeroWolfe had been paid $2,000 to produce custom code but never finished the project and vanished.

It’s unclear what happened to NeroWolfe or to Khoroshev during this time. Maybe he got arrested, or some close associates did. Perhaps he just decided it was time to lay low and hit the reset on his operational security efforts, given his past failures in this regard. It’s also possible NeroWolfe landed a real job somewhere for a few years, fathered a child, and/or had to put his cybercrime career on hold.

PUTINKRAB

Or perhaps Khoroshev saw the coming ransomware industry for the endless pot of gold that it was about to become, and then dedicated himself to working on custom ransomware code. That’s what the government believes.

The indictment against Khoroshev says he used the hacker nickname Putinkrab, and Intel 471 says this corresponds to a username that was first registered across three major Russian cybercrime forums in early 2019.

KrebsOnSecurity could find no obvious connections between Putinkrab and any of Khoroshev’s older identities. However, if Putinkrab was Khoroshev, he would have learned from his past mistakes and started fresh with a new identity (which he did). But also, it is likely the government hasn’t shared all of the intelligence it has collected against him (more on that in a bit).

Putinkrab’s first posts on the Russian cybercrime forums XSS, Exploit and UFOLabs saw this user selling ransomware source code written in C.

A machine-translated ad for ransomware source code from Putinkrab on the Russian language cybercrime forum UFOlabs in 2019. Image: Ke-la.com.

In April 2019, Putinkrab offered an affiliate program that would run on top of his custom-made ransomware code.

“I want to work for a share of the ransoms: 20/80,” Putinkrab wrote on Exploit. “20 percent is my percentage for the work, you get 80% of the ransoms. The percentage can be reduced up to 10/90 if the volumes are good. But now, temporarily, until the service is fully automated, we are working using a different algorithm.”

Throughout the summer of 2019, Putinkrab posted multiple updates to Exploit about new features being added to his ransomware strain, as well as novel evasion techniques to avoid detection by security tools. He also told forum members he was looking for investors for a new ransomware project based on his code.

In response to an Exploit member who complained that the security industry was making it harder to profit from ransomware, Putinkrab said that was because so many cybercriminals were relying on crappy ransomware code.

“The vast majority of top antiviruses have acquired behavioral analysis, which blocks 95% of crypto-lockers at their root,” Putinkrab wrote. “Cryptolockers made a lot of noise in the press, but lazy system administrators don’t make backups after that. The vast majority of cryptolockers are written by people who have little understanding of cryptography. Therefore, decryptors appear on the Internet, and with them the hope that files can be decrypted without paying a ransom. They just sit and wait. Contact with the owner of the key is lost over time.”

Putinkrab said he had every confidence his ransomware code was a game-changer, and a huge money machine.

“The game is just gaining momentum,” Putinkrab wrote. “Weak players lose and are eliminated.”

The rest of his response was structured like a poem:

“In this world, the strongest survive.
Our life is just a struggle.
The winner will be the smartest,
Who has his head on his shoulders.”

Putinkrab’s final post came on August 23, 2019. The Justice Department says the LockBit ransomware affiliate program was officially launched five months later. From there on out, the government says, Khoroshev adopted the persona of LockBitSupp. In his introductory post on Exploit, LockBit’s mastermind said the ransomware strain had been in development since September 2019.

The original LockBit malware was written in C (a language that NeroWolfe excelled at). Here’s the original description of LockBit, from its maker:

“The software is written in C and Assembler; encryption is performed through the I/O Completion Port; there is a port scanning local networks and an option to find all DFS, SMB, WebDAV network shares, an admin panel in Tor, automatic test decryption; a decryption tool is provided; there is a chat with Push notifications, a Jabber bot that forwards correspondence and an option to terminate services/processes in line which prevent the ransomware from opening files at a certain moment. The ransomware sets file permissions and removes blocking attributes, deletes shadow copies, clears logs and mounts hidden partitions; there is an option to drag-and-drop files/folders and a console/hidden mode. The ransomware encrypts files in parts in various places: the larger the file size, the more parts there are. The algorithms used are AES + RSA.

You are the one who determines the ransom amount after communicating with the victim. The ransom paid in any currency that suits you will be transferred to your wallets. The Jabber bot serves as an admin panel and is used for banning, providing decryption tools, chatting – Jabber is used for absolutely everything.”

CONCLUSION

Does the above timeline prove that NeroWolfe/Khoroshev is LockBitSupp? No. However, it does indicate Khoroshev was for many years deeply invested in countless schemes involving botnets, stolen data, and malware he wrote that others used to great effect. NeroWolfe’s many private messages from fellow forum members confirm this.

NeroWolfe’s specialty was creating custom code that employed novel stealth and evasion techniques, and he was always quick to volunteer his services on the forums whenever anyone was looking for help on a malware project that called for a strong C or C++ programmer.

Someone with those qualifications — as well as demonstrated mastery of data encryption and decryption techniques — would have been in great demand by the ransomware-as-a-service industry that took off at around the same time NeroWolfe vanished from the forums.

Someone like that who is near or at the top of their game vis-a-vis their peers does not simply walk away from that level of influence, community status, and potential income stream unless forced to do so by circumstances beyond their immediate control.

It’s important to note that Putinkrab didn’t just materialize out of thin air in 2019 — suddenly endowed with knowledge about how to write advanced, stealthy ransomware strains. That knowledge clearly came from someone who’d already had years of experience building and deploying ransomware strains against real-life victim organizations.

Thus, whoever Putinkrab was before they adopted that moniker, it’s a safe bet they were involved in the development and use of earlier, highly successful ransomware strains. One strong possible candidate is Cerber ransomware, the most popular and effective affiliate program operating between early 2016 and mid-2017. Cerber thrived because it emerged as an early mover in the market for ransomware-as-a-service offerings.

In February 2024, the FBI seized LockBit’s cybercrime infrastructure on the dark web, following an apparently lengthy infiltration of the group’s operations. The United States has already indicted and sanctioned at least five other alleged LockBit ringleaders or affiliates, so presumably the feds have been able to draw additional resources from those investigations.

Also, it seems likely that the three national intelligence agencies involved in bringing these charges are not showing all of their cards. For example, the Treasury documents on Khoroshev mention a single cryptocurrency address, and yet experts interviewed for this story say there are no obvious clues connecting this address to Khoroshev or Putinkrab.

But given that LockBitSupp has been actively involved in LockBit ransomware attacks against organizations for four years now, the government almost certainly has an extensive list of the LockBit leader’s various cryptocurrency addresses — and probably even his bank accounts in Russia. And no doubt the money trail from some of those transactions was traceable to its ultimate beneficiary (or close enough).

Not long after Khoroshev was charged as the leader of LockBit, a number of open-source intelligence accounts on Telegram began extending the information released by the Treasury Department. Within hours, these sleuths had unearthed more than a dozen credit card accounts used by Khoroshev over the past decade, as well as his various bank account numbers in Russia.

The point is, this post is based on data that’s available to and verifiable by KrebsOnSecurity. Woodward & Bernstein’s source in the Watergate investigation — Deep Throat — famously told the two reporters to “follow the money.” This is always excellent advice. But these days, that can be a lot easier said than done — especially with people who a) do not wish to be found, and b) don’t exactly file annual reports.