The Good, the Bad and the Ugly in Cybersecurity – Week 23

The Good | FBI Obtains 7000 LockBit Decryption Keys

Past victims of LockBit ransomware received a boon this week from the FBI who revealed they obtained over 7000 decryption keys which can be used to recover encrypted data. This was announced at the 2024 Boston Conference on Cyber Security, where both known and suspected victims of the notorious threat group were invited to come forward to restore their systems.

FBI Cyber Division Assistant Director Bryan Vorndran delivers a keynote address at the 2024 Boston Conference on Cyber Security (Source: FBI)

This new initiative follows the February takedown of LockBit’s infrastructure via ‘Operation Cronos’ – a collaborative effort between several international law enforcement agencies. Since 2020, LockBit has cost $91 million in losses within the U.S. alone, with targets spanning several critical sectors and industries. In the February operation, authorities seized multiple darknet domains operated by LockBit, disrupting the primary infrastructure that hosted their Ransomware-as-a-Service model.

In March, Mikhail Vasiliev was sentenced for his significant administrative role within LockBit operations after pleading guilty to eight charges including cyber extortion, cyber mischief, and weapons-related allegations. Later in April, police unmasked some 200 affiliates of LockBit by matching a list of pseudonyms used by the ransomware gang to suspected cybercriminals.

Though the gang has experienced major setbacks this year, it has also managed to resume posting old and new stolen data on leak sites, though without the same level of pre-seizure momentum. The U.S. Department of State continues to offer a reward of up to $10 million for information leading to the arrest or conviction of several LockBit leaders and affiliates still at large.

The Bad | Russian-Linked RaaS Attacks Pathology Provider, Interrupting Critical Services Across Major NHS Hospitals

A ransomware attack on Synnovis, a pathology and diagnostic services provider, caused major disruptions to NHS hospitals across London, U.K. this week. The developing incident is impacting critical services such as blood transfusions as well as operations and procedures relying on pathology services. These services have since been canceled or redirected, though the NHS has stated that emergency care services remain available.

The National Cyber Security Centre (NCSC), which is investigating the attack, reports that the ransomware attack is likely the work of Russian-based cybercriminals known as Qilin. CEO of the NCSC, Ciaran Martin, says, “They’re simply looking for money” despite the British government’s policy against paying ransom demands. Martin describes the attack on Synnovis as “one of the more serious” seen in the U.K.

Qilin ransomware was first observed in July of 2022 and operates as a Ransomware-as-a-Service (RaaS). The group specializes in double extortion, demanding payment for a decryptor and the release of exfiltrated data. Qilin is known to target large enterprises and high-value targets (many in the Commonwealth of Independent States) and has listed over 130 companies on their dark web leak site over the past two years. Notably, Qilin attackers target their victims through phishing and spear phishing campaigns, and often leverage exposed applications and interfaces like remote desktop protocol (RDP). The RaaS outfit also recruits heavily in well known underground forums and dark markets.

The critical healthcare sector continues to be a lucrative target for cyberattackers. Factors such as weak security infrastructure, lack of cyber expertise, reliance on third parties, and aging software systems all contribute to an increasingly high risk of compromise. Working with cybersecurity providers can help healthcare providers keep their patient data safe, manage their regulatory compliance controls, and ensure continuous care for those in need.

The Ugly | Identity-Based Attacks Target Unprotected Snowflake Cloud Storage Accounts

Recent data breaches at Ticketmaster and Santander Bank this week serve as a marked reminder of how important cyber hygiene is in today’s digital landscape. A threat actor known as ‘ShinyHunters’ has reportedly taken responsibility for these breaches, claiming that they stole the data by compromising an employee account at Snowflake, a cloud storage provider. Snowflake has disputed this, stating that the breaches stemmed from poor credential hygiene on the targeted accounts.

The initial report from researchers said that the threat actors bypassed authentication processes through a compromised Snowflake employee’s ServiceNow account before generating session tokens to exfiltrate data. These credentials were allegedly stolen in October 2023 when the employee was infected by an infostealer. Later, this report was taken down.

ShinyHunters claim to be selling a trove of stolen data from the recent breaches including: the personal and financial data of 560 million Ticketmaster customers, banking information of 30 million Santander clients and employees, and 3TB of sales history and transactional data from Advance Auto Parts.

Snowflake representatives have since stated that while the threat actor is targeting user accounts that have multi-factor authentication (MFA) disabled, there is no evidence of exploited misconfigurations or vulnerabilities in the platform infrastructure. Snowflake has released a list of IoCs here and urges customers to enable MFA, limit network traffic to only trusted locations, and reset all credentials. CISA recommends that customers stay alert for suspicious activity and take steps to prevent unauthorized access.
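The three recommendations above (enable MFA, restrict network access, rotate credentials) can be driven from the account’s own login telemetry. The following is example code added to this post, not Snowflake’s or SentinelOne’s; it assumes an export shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (column names are an assumption), and every record in it is constructed.

```python
"""Triage Snowflake login records for password-only sign-ins from untrusted networks.

Example code added to this post; not Snowflake's or SentinelOne's code. Column
names follow the ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption about the export);
all rows below are constructed, not real telemetry.
"""
from ipaddress import ip_address, ip_network

# Constructed sample rows, as if exported from LOGIN_HISTORY for one account.
SAMPLE_LOGINS = [
    {"USER_NAME": "ANALYST_A", "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"USER_NAME": "ANALYST_B", "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "192.0.2.44", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "ANALYST_B", "CLIENT_IP": "192.0.2.200", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"USER_NAME": "ANALYST_C", "CLIENT_IP": "192.0.2.201", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"USER_NAME": "ANALYST_D", "CLIENT_IP": "192.0.2.202", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]

# Constructed: the corporate egress ranges the account should be restricted to.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def is_trusted(client_ip, trusted=TRUSTED_NETWORKS):
    """True when the client IP falls inside one of the trusted ranges."""
    addr = ip_address(client_ip)
    return any(addr in net for net in trusted)


def password_only_untrusted(logins, trusted=TRUSTED_NETWORKS):
    """Successful password logins with no second factor from outside trusted ranges.

    This is the pattern behind the incident: a valid password (e.g. from an infostealer
    log) used from an address the organisation never expected, on an account where MFA
    was never enforced.
    """
    return [
        row for row in logins
        if row["IS_SUCCESS"] == "YES"
        and row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and row["SECOND_AUTHENTICATION_FACTOR"] is None
        and not is_trusted(row["CLIENT_IP"], trusted)
    ]


def password_users_without_mfa(logins):
    """Users who sign in with a password and have never presented a second factor.

    These are the accounts to enrol in MFA (or move to key-pair authentication for
    service identities) and whose credentials should be rotated.
    """
    password_users, mfa_users = set(), set()
    for row in logins:
        if row["IS_SUCCESS"] != "YES":
            continue
        if row["SECOND_AUTHENTICATION_FACTOR"] is not None:
            mfa_users.add(row["USER_NAME"])
        elif row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD":
            password_users.add(row["USER_NAME"])
    return password_users - mfa_users


def network_policy_sql(policy_name, trusted=TRUSTED_NETWORKS):
    """Snowflake DDL limiting the account to the trusted ranges.

    Activate afterwards with: ALTER ACCOUNT SET NETWORK_POLICY = <policy_name>;
    """
    allowed = ", ".join(f"'{net}'" for net in trusted)
    return f"CREATE NETWORK POLICY {policy_name} ALLOWED_IP_LIST = ({allowed});"


if __name__ == "__main__":
    for row in password_only_untrusted(SAMPLE_LOGINS):
        print("REVIEW:", row["USER_NAME"], row["CLIENT_IP"], row["REPORTED_CLIENT_TYPE"])
    print("Enrol in MFA:", sorted(password_users_without_mfa(SAMPLE_LOGINS)))
    print(network_policy_sql("TRUSTED_EGRESS_ONLY"))
```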

Under the cloud shared responsibility model, end-users are also responsible for following certain standard security best practices such as MFA to reduce risk. Despite the murky details and disputes developing alongside these incidents, what’s clear is how crucial basic security hygiene is for modern enterprises using cloud technology.

AWS Integrations | Enhancing Visibility & Powering Threat Hunting

As organizations go beyond simply migrating to the cloud and use cloud services strategically to accelerate their business outcomes, securing the cloud footprint has become a key element of this strategy. It is also becoming increasingly complex, with most organizations using multiple clouds, SaaS-based tools, and several security solutions within their stack to protect them. Gaining consistent visibility, prioritizing the most critical alerts and risks, and having the data to complete robust threat hunting and remediation are what allow organizations to ensure strong security outcomes.

Many cloud service providers, including Amazon Web Services (AWS), are increasing the number of native security services and integration points for security partners to help customers gain the data they need to protect their business. These include AWS Security Hub, Amazon GuardDuty, Amazon Security Lake, and more. SentinelOne’s integrations with AWS native services and ingestion of AWS logs are a strategic focus to help customers stay secure.

This blog post explores the benefits of this integration, focusing on how it enhances security outcomes, leverages the AWS shared responsibility model, and improves visibility and threat hunting capabilities through the SentinelOne Singularity Platform.

Revisiting the Shared Responsibility Model

AWS focuses on security, both of the infrastructure and in equipping customers to make the best security decisions for their environments. Although AWS provides many security-focused features and services, it recognizes the value and expertise of security vendors and chooses to prioritize a partner model for innovation, integration, and even co-selling that matches customers with the right security solutions for their business.

Part of the security approach with AWS is the Shared Responsibility Model, which delineates the security responsibilities between AWS and the customer. AWS is responsible for security “of” the cloud, protecting the infrastructure (hardware, software, networking, and facilities) that runs all AWS services. Customers are responsible for security “in” the cloud, which includes the configuration and management of the AWS services they use, data protection, and identity management. By partnering in security technologies, AWS and SentinelOne help organizations effectively manage their responsibilities within this model with leading-edge security solutions such as Singularity Cloud Security and Purple AI.

Singularity Marketplace

All SentinelOne integrations with AWS (and other technology partners) are available in the Singularity Marketplace, accessed directly from the SentinelOne management console. The process of downloading and installing these applications and integrations is user-friendly, involving simple click-throughs with clear guidance and documentation. This not only simplifies the operational aspect of security deployments but also minimizes the need for extensive manual configuration, allowing teams to focus more on strategic security tasks rather than technical setup.

The Singularity Marketplace dashboard displaying several of the 18 AWS integrations available

Streamlining Data for Better Security Outcomes

Many of the SentinelOne and AWS integrations focus on SentinelOne ingesting key AWS data, or even third-party data stored in AWS, to help connect disparate or siloed datasets. By using AI and normalizing data using the latest Open Cybersecurity Schema Framework (OCSF) standards, the entire security process can be streamlined.

Key benefits of these types of integrations include:

  1. Accelerated threat detection, including advanced threat hunting – With real-time data from AWS services and data collected from SentinelOne solutions, customers can detect and respond to threats more quickly and accurately using AI-powered engines and the SentinelOne Storyline™ feature.
  2. Faster response and remediation times – By integrating first- and third-party resources, threats can be mitigated quickly and in their entirety, ensuring business continuity.
  3. Streamlined security operations – Automating the ingestion, normalization, and analysis of logs reduces the workload on security teams. Purple AI can further streamline this as an automated SOC assistant.
  4. Improved compliance and reporting – Centralized logging and monitoring help meet regulatory requirements and simplify audit processes.

Integrating SentinelOne with AWS native services such as AWS AppFabric, Security Hub, Amazon Security Lake, and GuardDuty offers today’s businesses a comprehensive and leading-edge approach to securing their cloud environments.

Integrations with AWS Native Services

The SentinelOne Singularity Platform has had integrations with AWS native services for several years, and the list grows every year, most recently with Amazon Security Lake and AWS AppFabric. SentinelOne’s platform is known for being AI-driven and able to do advanced threat hunting using features like Storyline™. With the addition of Cloud Native Security (CNS) and Singularity™ Data Lake, it has become the ideal enterprise security platform for AWS customers. Here is a brief overview of just some of the newest and most commonly used integrations between SentinelOne and AWS.

AWS Security Hub

AWS Security Hub provides a centralized platform to manage and aggregate security alerts from multiple AWS accounts and services, enhancing the visibility and management of security threats. The SentinelOne integration for Security Hub sends threat information from SentinelOne Agents running on AWS workloads to AWS Security Hub. AWS Security Hub then aggregates, organizes, and prioritizes security alerts that enable security teams to respond to any threats in progress. The integration retrieves results, including metadata from the SentinelOne Management Console, and pushes them to Security Hub. The incidents are converted to the AWS Security Finding Format (ASFF) for incident investigation.
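What the ASFF conversion step involves can be seen in the following example, added to this post; it is not SentinelOne’s integration code, the input record is a constructed stand-in rather than the SentinelOne API schema, and the generator name is hypothetical. It shows the shape Security Hub requires of an imported finding: every required ASFF field, a normalized severity label, a Types classifier and the affected instance’s ARN as the resource.

```python
"""Map an endpoint threat record to an AWS Security Finding Format (ASFF) finding.

Example code added to this post; not SentinelOne's integration code. The input
record is a constructed stand-in (hypothetical field names), not the SentinelOne
API schema. The output is what Security Hub's BatchImportFindings accepts.
"""

# Fields ASFF requires on every finding.
ASFF_REQUIRED = (
    "AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id", "ProductArn",
    "Resources", "SchemaVersion", "Severity", "Title", "Types", "UpdatedAt",
)

# Constructed threat record with hypothetical field names.
SAMPLE_THREAT = {
    "id": "1234567890123456789",
    "threatName": "suspicious_loader.exe",
    "classification": "Malware",
    "confidenceLevel": "malicious",      # constructed: "malicious" or "suspicious"
    "mitigationStatus": "mitigated",     # constructed: "mitigated" or "not_mitigated"
    "agentComputerName": "ip-10-0-1-23",
    "instanceId": "i-0abc1234def567890",
    "region": "us-east-1",
    "filePath": "C:\\Users\\Public\\suspicious_loader.exe",
    "createdAt": "2024-06-03T14:02:11Z",  # ASFF timestamps are ISO 8601 strings
    "updatedAt": "2024-06-03T14:03:40Z",
}


def severity_label(confidence, mitigation_status):
    """Collapse detection confidence and mitigation state into an ASFF Severity.Label."""
    if confidence == "malicious":
        return "HIGH" if mitigation_status == "mitigated" else "CRITICAL"
    if confidence == "suspicious":
        return "MEDIUM"
    return "LOW"


def threat_to_asff(threat, account_id):
    """Build one ASFF finding. ProductArn uses the per-account 'default' product,
    the form Security Hub accepts for custom findings sent via BatchImportFindings."""
    region = threat["region"]
    instance_arn = f"arn:aws:ec2:{region}:{account_id}:instance/{threat['instanceId']}"
    return {
        "SchemaVersion": "2018-10-08",
        # Unique per finding and stable across updates, so re-imports update, not duplicate.
        "Id": f"{instance_arn}/threat/{threat['id']}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "endpoint-threat-forwarder",       # hypothetical generator name
        "AwsAccountId": account_id,
        "Types": ["TTPs/Execution"],                       # namespace/category per the ASFF Types taxonomy
        "CreatedAt": threat["createdAt"],
        "UpdatedAt": threat["updatedAt"],
        "Severity": {"Label": severity_label(threat["confidenceLevel"], threat["mitigationStatus"])},
        "Title": f"{threat['classification']} detected: {threat['threatName']}",
        "Description": (f"{threat['threatName']} at {threat['filePath']} on "
                        f"{threat['agentComputerName']} ({threat['mitigationStatus']})."),
        "Resources": [{"Type": "AwsEc2Instance", "Id": instance_arn, "Region": region}],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }


def validate_asff(finding):
    """Return the required ASFF fields that are missing; an empty list means importable."""
    return [field for field in ASFF_REQUIRED if field not in finding]


if __name__ == "__main__":
    import json
    finding = threat_to_asff(SAMPLE_THREAT, "123456789012")
    assert validate_asff(finding) == []
    # Forwarding would be: boto3.client("securityhub").batch_import_findings(Findings=[finding])
    print(json.dumps(finding, indent=2))
```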

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This integration enables collection and analysis of logs from GuardDuty into the Singularity Cloud Security Platform for correlation and further analysis.

Amazon Security Lake

Amazon Security Lake is an AWS security service that unifies and evaluates security logs from cloud and on-premises sources. Singularity™ Cloud Security and Amazon Security Lake both use OCSF to simplify log analysis. This is a particularly interesting integration, as both SentinelOne and AWS offer security lakes, SentinelOne’s being its new Singularity™ Data Lake. SentinelOne will ingest logs from Amazon Security Lake as part of the initial integration. The second phase of this integration, a bi-directional feed, is planned and will allow customers to choose the best option depending on their requirements.

AWS CloudTrail

AWS CloudTrail records actions by a user, role, or AWS service from the AWS Management Console, command-line interface, SDKs, or APIs. This integration lets you ingest CloudTrail logs. In SentinelOne you can view, monitor, and query the data in Singularity™ Data Lake.

AWS Config

AWS Config is a service that provides an inventory and configuration history of AWS resources. The service helps you understand how your infrastructure is set up, how it is evolving, and whether it complies with your organization’s policies and security standards. The integration lets you import AWS Config events into SentinelOne so you can view, monitor, and query the data in Singularity™ Data Lake.

AWS AppFabric

AWS AppFabric gathers and organizes log information from commonly used apps and productivity tools like Asana, Slack, Zoom, Microsoft 365, and Google Workspace. This makes it easier to monitor all your applications and saves money by avoiding the need for individual connections between each one. This integration allows logs from AppFabric to be collected and analyzed in the Singularity Cloud Security Platform using the OCSF format.

The AWS AppFabric integration ingests logs from AWS directly into the Singularity Data Lake

Conclusion

Incorporating SentinelOne with AWS native services and logs is a strategic move for organizations looking to bolster their security posture. By leveraging the AI-powered capabilities of SentinelOne and the comprehensive capabilities of AWS services such as AppFabric, Security Hub, Amazon Security Lake, and GuardDuty, organizations can achieve better security outcomes. These integrations enhance visibility, streamline operations, and enable proactive threat management, all while aligning with the AWS shared responsibility model.

Take a self-guided tour of the SentinelOne Singularity™ solutions here. To learn more about SentinelOne solutions optimized for AWS customers, visit us at booth 427 at AWS re:Inforce, happening June 10-12, or see our CNAPP solution in the AWS Marketplace.


PinnacleOne ExecBrief | Chips and Spies – Insider Threats as China Seeks to Evade Controls

Last week, PinnacleOne examined the digital “great game” in the Middle East: the convergence of AI, nuclear energy, and geopolitical competition.

This week, we highlight how China’s strategy for evading semiconductor technology controls is driving an increased insider threat issue for leading western enterprises.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com.

Insight Focus | Chips and Spies

Chips may be the new oil, but there is no petroleum intellectual property buried under the ground to steal. As nations see their economic and strategic futures increasingly dependent on securing digital supply chains, the semiconductor industry is now the front line for intense economic espionage activity and commercially motivated insider threat.

China’s Strategy for Evading Semiconductor Technology Controls

A CSIS report from last year described “China’s New Strategy for Waging the Microchip Tech War.” The report identified the ZTE crisis in April 2018 as a pivotal moment in China’s changing strategic thinking on semiconductors. The U.S. export controls imposed on the Chinese telecommunications giant served as a wake-up call, prompting China to elevate semiconductors from an economic priority to a national security imperative. This imperative has only grown more intense as U.S. and allied technology controls tightened over the last two years, now amounting to a de facto semiconductor blockade on China for leading-edge technologies.

As Chinese intelligence agencies and national semiconductor champions explicitly target key industries through insider and cyber espionage to bolster China’s economic and military capabilities, semiconductor firms find themselves in the targeting bullseye.

In response, China has adopted a four-pronged strategy aimed at:

  • Limiting its exposure to foreign pressure
  • Deterring U.S. and allied actions
  • Increasing international dependence on its semiconductor industry
  • Harnessing the power of AI for economic and military advantages

This strategic shift has led to a more aggressive approach to acquiring foreign semiconductor technologies, with insider IP theft emerging as a key tactic. The blurred lines between state-sponsored espionage and commercial IP theft complicate the threat landscape – Huawei doesn’t need to be told by the MSS to steal valuable IP from its competitors, though it will take their support if offered.

As the Chip Four strengthen multilateral export control enforcement on China and slow AI chip exports to the Middle East (seen as a backdoor for China), China will amp up the use of illicit and covert means to circumvent restrictions. This is exactly what we’ve seen.

Surge of Insider IP Theft Incidents

Against the backdrop of China’s shifting strategy, the semiconductor industry has witnessed a surge in insider IP theft incidents, many involving employees of Chinese descent allegedly stealing confidential data and trade secrets from their employers.

Just last week, an incident was reported at SK hynix where a former Chinese employee was arrested for allegedly stealing over 3,000 pages of confidential data on atomic layer deposition (ALD) equipment used in DRAM manufacturing processes. Hired in 2013, the employee worked in the department responsible for analyzing defects in semiconductor designs and was most recently involved in consultations with business-to-business clients in China. China has not yet been able to develop the ALD equipment needed for precise and uniform deposition on advanced chips. The Chinese national returned to Korea in June 2022 and left to join Huawei the same month.

Other similar incidents over the past few years include:

  • In March 2024, a former Google engineer named Linwei Ding, a Chinese national, was charged by the U.S. Department of Justice for allegedly stealing hundreds of Google’s classified AI files while secretly working for two Chinese companies, including an Ant Group affiliate called Beijing Rongshu Lianzhi Technology Company.
  • In February 2024, an ex-Apple engineer was sentenced to prison for stealing self-driving car technology before attempting to flee to China.
  • In June 2023, Haoyang Yu, a former engineer from Lexington, Massachusetts, was sentenced to six months in prison for possessing a stolen semiconductor trade secret from his former employer, Analog Devices, Inc. He was found guilty of using the stolen design to start his own microchip business.
  • In February 2023, a court found seven former employees of Samsung guilty of illegally obtaining and transferring semiconductor-related technology to Chinese companies. The information related to semiconductor cleaning equipment and was classed as “national core technologies” protected by South Korean laws.
  • In September 2021, a former employee of Applied Materials was convicted of possessing stolen trade secrets related to proprietary LCD chip technology, while two other employees were acquitted. Three other employees were initially charged with conspiracy to steal trade secrets under the allegation they planned to use them to launch a US/China-based competitor but were not convicted.

Developing a Comprehensive Insider Threat Program

As we described in an earlier ExecBrief, technology companies need to recognize and address the threat of malicious insiders. To effectively combat the rising tide of insider IP theft, semiconductor firms must develop and assess a comprehensive set of insider threat scenarios tailored to their unique threat model, technical controls, organizational design, and internal culture. The following example threat scenarios can guide insider threat program assessment.

Insider Threat Scenarios for Security Control Validation and Program Assessment

In particular, firms can take the following approach to build a robust insider threat program:

  1. Define a tailored set of insider threat scenarios:
    • Consider both nation-state actors and lone-wolf/commercial threat actors, identifying plausible targets and objectives specific to the firm’s critical assets and IP.
    • Map out potential attack paths and exploitation methods used by insiders, such as exfiltration via USB/cloud storage, installing remote access tools, or destroying critical data.
    • Develop a comprehensive set of scenarios that reflect the firm’s unique threat model and risk profile.
  2. Assess current security controls against these scenarios:
    • Evaluate the effectiveness of existing technical controls, such as data loss prevention, access monitoring, and endpoint security, in detecting and preventing insider actions described in the scenarios.
    • Identify gaps in visibility, detection capabilities, and response procedures.
  3. Evaluate organizational design and internal culture:
    • Analyze how the firm’s structure, processes, and culture may enable or mitigate insider threats, assessing factors such as employee screening, segregation of duties, access management, and security awareness.
    • Identify potential weaknesses or inconsistencies that insiders could exploit.
  4. Develop a roadmap for improvements:
    • Prioritize areas for enhancing insider threat defenses based on the gaps identified in the assessment phase.
    • Define clear action items across people, process, and technology domains, such as deploying additional monitoring tools, refining incident response playbooks, improving access controls, and providing targeted security training.
    • Set timelines and assign accountability for implementation.
  5. Implement program enhancements and conduct ongoing validation:
    • Execute the improvement roadmap in a phased manner, continuously testing and validating security controls against updated insider threat scenarios.
    • Engage third-party experts as needed to assess program maturity and identify further opportunities for improvement.
  6. Foster a culture of insider threat awareness:
    • Regularly communicate the importance of insider threat prevention to all employees, encouraging the reporting of suspicious activities through clear and safe channels.
    • Provide role-specific training on identifying and responding to potential insider incidents, and recognize and reward employees who demonstrate strong security practices.

By following these steps and tailoring them to their specific context, semiconductor firms can develop a robust insider threat program that addresses the full spectrum of risks posed by malicious, negligent, or compromised employees. Regular scenario-based testing and iterative improvement will ensure the program remains effective as the threat landscape evolves.

Going Forward

The semiconductor industry stands at a critical juncture, facing an onslaught of state-directed and commercially motivated IP theft that threatens a geostrategic industry. As geopolitical competition intensifies and the boundaries between economic development and national security blur, semiconductor companies must adapt to this new reality and take decisive action to safeguard their invaluable assets and personnel.