The Good, the Bad and the Ugly in Cybersecurity – Week 5

The Good | Recent Cyber Operations Combat Insider Threats and Disrupt Sophisticated Malware

In a series of cyber arrests and operations this week, law enforcement agencies around the world made strides in taking down cyber threats across different regions.

In the U.S., three former Department of Homeland Security employees, including a former Acting Inspector General, were sentenced for stealing proprietary government software and the personal data of 200,000 federal employees. The trio pleaded guilty to conspiring to share the stolen assets with Indian software developers to create and sell a similar commercial product to other government agencies.

In Brazil, a joint federal operation arrested several operators of Grandoreiro, a banking trojan known for targeting Latin American countries. A design flaw in Grandoreiro’s network protocol, uncovered by cybersecurity researchers, was used to identify the victimology patterns. Grandoreiro, active since 2017, steals banking information through keyloggers and overlays, with the threat actors relying on phishing lures and a domain generation algorithm (DGA) to evade detection. As of this writing, the malware operation has come to a full stop since the arrests.

Source: Zscaler

Meanwhile, KV Botnet, part of Volt Typhoon’s arsenal, has been disrupted after the FBI gained access to the botnet’s command and control (C2) server. The PRC-based state hackers used the botnet to obscure the origin of their attacks against U.S. critical infrastructure, routing traffic through compromised devices, including cameras and vulnerable small office/home office (SOHO) routers that were reaching end-of-life status, during attacks on the communications, energy, transportation, and water sectors. CISA and the FBI issued guidance for SOHO router manufacturers to secure their products against ongoing attacks, emphasizing automated security updates and secure web management interfaces.

The Bad | Continued String of New Ivanti Vulnerabilities Triggers First CISA Emergency Directive of 2024

In early January, we covered the ongoing exploitation of two zero-day vulnerabilities in Ivanti’s Connect Secure and Policy Secure gateway products. Chained together, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection) allow an unauthenticated attacker to run commands on the appliance and reach restricted resources. Reports linked the exploitation to UNC5221, a threat group observed deploying various backdoors, webshells, credential harvesters, and post-exploitation tools on compromised devices.

The latest development this week adds two more high-severity flaws in the same Ivanti products, tracked as CVE-2024-21888 and CVE-2024-21893. CVE-2024-21888 is a privilege escalation that lets an attacker obtain admin-level privileges, while CVE-2024-21893 is a server-side request forgery (SSRF) in the products’ SAML component that allows attackers to bypass authentication and access restricted resources. The latter is already under targeted exploitation in the wild.

Ivanti has said that no customers have been impacted by CVE-2024-21888 to date, but the Utah-based company has confirmed in-the-wild exploitation of CVE-2024-21893 that appears to target a limited number of customers. Ivanti urges its customers to factory reset their appliance before applying the patches to prevent attackers from establishing persistence in affected environments.

Source: Shodan

To protect U.S. federal agencies, CISA has ordered those using Ivanti Connect Secure and Policy Secure to disconnect any affected VPN appliances by Saturday, February 3, 2024. This required action is a supplement to the first emergency directive of 2024 (ED-24-01), which mandates that all Federal Civilian Executive Branch (FCEB) agencies secure their Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) devices against the Ivanti flaws.

The emergency directive highlights the continued risks posed by various vulnerable Ivanti products that have been involved in active attacks including those announced in July and August of 2023.

The Ugly | Two In-the-Wild Jenkins CI/CD Vulnerabilities Pose Risk to Over 45K Servers

Multiple proof-of-concept (PoC) exploits have surfaced for critical-level flaws in Jenkins, widely used in software development for Continuous Integration (CI) and Continuous Deployment (CD).

Security researchers have pinpointed two flaws. The first, CVE-2024-23897, allows attackers with Overall/Read permission to read data from arbitrary files on the Jenkins controller; on instances where anonymous users hold that permission, no authentication is needed at all. Depending on the configuration, this can lead to privilege escalation and remote code execution (RCE), for example by reading the controller’s secret keys. Even attackers without Overall/Read permission can read the first few lines of files, depending on which CLI commands are available to them.

The vulnerability stems from the CLI’s command parser (the args4j library), which by default replaces an argument consisting of an @ character followed by a file path with the contents of that file, each line becoming a separate argument. Attackers exploiting CVE-2024-23897 can read arbitrary files on the Jenkins controller’s file system, exposing sensitive information to the extent their permissions allow. Based on recent scans, approximately 45,000 publicly exposed Jenkins instances remain vulnerable to CVE-2024-23897.
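To make the mechanism concrete, here is an added example (not Jenkins code) of a toy command parser that reproduces the args4j @file expansion behind CVE-2024-23897, beside the hardened behaviour of the fix, which leaves such arguments literal. The `connect_node` command, the node names and the secret file are constructed for the example; like the real CLI commands, the toy command echoes an unrecognised argument in its error message, which is how an attacker limited to “first line” reads still learns file contents.

```python
"""Added example: args4j-style '@file' expansion (vulnerable) vs. literal
handling (patched). Commands, node names and the secret file are constructed."""
import os
import tempfile


def expand_at_files(argv, expand=True):
    """Mimic args4j's expandAtFiles: an argument '@<path>' is replaced by the
    lines of <path>, each becoming its own argument. With expand=False the
    argument passes through untouched, which is what the Jenkins fix does."""
    out = []
    for arg in argv:
        if expand and arg.startswith("@"):
            with open(arg[1:], "r", encoding="utf-8") as fh:
                out.extend(line.rstrip("\n") for line in fh)
        else:
            out.append(arg)
    return out


def connect_node(argv, expand=True, known_nodes=("builder-1",)):
    """Toy one-argument CLI command. Real Jenkins commands likewise report an
    unknown argument back to the caller, so the first line of the expanded
    file ends up in the error text."""
    args = expand_at_files(argv, expand)
    if not args:
        return "error: missing node name"
    if args[0] not in known_nodes:
        return f"error: no such node '{args[0]}'"
    return f"connected {args[0]}"


def demo():
    """Run both variants against a constructed secret file standing in for
    something like the controller's master.key. Returns (leaked, safe)."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as fh:
        fh.write("c0ffee0badc0de\nsecond line\n")
        path = fh.name
    try:
        leaked = connect_node([f"@{path}"])               # vulnerable parser
        safe = connect_node([f"@{path}"], expand=False)   # patched behaviour
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    for label, text in zip(("vulnerable", "patched"), demo()):
        print(f"{label}: {text}")
```

The vulnerable run returns the first line of the secret file inside the error message; the patched run only echoes the literal `@/tmp/...` string. Disabling the CLI entirely, as the Jenkins bulletin suggests, removes the parser from the attack surface altogether.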

The second flaw, CVE-2024-23898, involves a cross-site WebSocket hijacking issue, enabling attackers to execute arbitrary CLI commands by tricking users into clicking malicious links. While Jenkins released fixes for both flaws in late January, validated PoCs are now available on GitHub that make it easier for attackers scanning exposed servers to exploit the flaws with minimal or no modification.

Jenkins’ security bulletin advises administrators who cannot patch immediately to disable access to the CLI, which prevents exploitation completely. Applying this workaround does not require a Jenkins restart, and further instructions can be found in the project’s knowledge base article.

Backdoor Activator Malware Running Rife Through Torrents of macOS Apps

Malware authors have long targeted the market for free, cracked apps available through torrent services: in recent years a variety of cryptominers, adware, browser hijackers and bundled software installers have all plied their warez this way. Now a macOS malware first spotted by researchers at Kaspersky is running rampant through dozens of different cracked copies of popular software.

Aside from the scale of the campaign, macOS.Bkdr.Activator is concerning because its objective appears to be to infect macOS users on a massive scale, potentially for the purpose of creating a macOS botnet or delivering other malware at scale. The software titles targeted also include a range of business-focused and productivity apps that could be attractive in workplace settings.

What is macOS.Bkdr.Activator?

Researchers first identified the campaign earlier in January and noted how its multi-stage delivery made use of some novel techniques.

The initial delivery is a torrent link that serves a disk image containing two applications: an apparently ‘uncracked’ and unusable version of the targeted software title, and an ‘Activator’ app that purports to patch the software to make it usable. Users are instructed to copy both items to the /Applications folder before launching the Activator program.


The Activator.app contains two malicious executables: a binary written in Swift named GUI located in the bundle’s MacOS folder, and a binary written in Objective-C named tool and stored in the Resources folder. The latter folder also contains a legitimate, signed installer for Python 3.9.

On launching Activator.app, victims are asked for an administrator password. This is used to turn off Gatekeeper via the spctl --master-disable command, so that apps sourced from ‘Anywhere’ are allowed to run on the device.


Activator also checks for a Python install and, if absent, writes the Python package from its Resources folder to the /tmp directory.


At this point the tool binary takes over, installs Python if required, and begins a series of malicious actions. The malware uses embedded Python code to kill the Notification Center process. This is likely a means to suppress the notification that macOS displays when new persistence items such as LaunchAgents are installed.


The Activator contains code to install a LaunchAgent at the following path, where %@ (the Objective-C format placeholder for an object) is replaced with a UUID string generated at runtime:

/Library/LaunchAgents/launched.%@.plist
#regex:
/Library/LaunchAgents/launched.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}.plist

Prior to executing the Python script and installing the LaunchAgent, the tool binary attempts to retrieve a remote Python script. If the retrieval is successful, it then uses Apple’s defaults API to determine whether it has run the same script before. The defaults system lets programs store preferences and other state that must persist while the application isn’t running. While it is a standard macOS technology, it has rarely been leveraged by malware.

The Activator.app computes a hash of the script and saves it to the user defaults under the key lastExecutedScriptHash. If no hash has been previously saved, or the stored hash differs, the retrieved script is executed.

The application’s bundle identifier is “-.GUI”, so threat hunters may search the defaults database for signs of compromise with:

defaults read "-.GUI"
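The two host artifacts described above, the UUID-named LaunchAgent and the lastExecutedScriptHash key in the “-.GUI” defaults domain, can be checked with a few lines of code. The following is an added example (not SentinelOne tooling and not the malware’s own code) that runs the checks over constructed sample data so it works offline; on a real Mac you would feed it the directory listings of the two LaunchAgents folders and the text printed by `defaults read "-.GUI"`. The folder names, plist names and hash value in the sample data are made up.

```python
"""Added example: hunt for the Activator LaunchAgent name pattern and the
lastExecutedScriptHash defaults key. Sample data below is constructed."""
import re

# Pattern from the IOC list: launched.<UUID>.plist inside a LaunchAgents folder.
LAUNCHAGENT_RE = re.compile(
    r"^launched\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.plist$"
)
BUNDLE_ID = "-.GUI"                   # defaults domain used by the GUI binary
HASH_KEY = "lastExecutedScriptHash"   # key the malware uses to gate re-execution


def find_activator_launchagents(entries):
    """entries: mapping of LaunchAgents folder path -> list of file names.
    Returns the full paths whose file name matches the Activator pattern."""
    hits = []
    for folder, names in entries.items():
        for name in names:
            if LAUNCHAGENT_RE.match(name):
                hits.append(f"{folder}/{name}")
    return sorted(hits)


def parse_defaults_read(text):
    """Minimal parser for the old-style plist dump printed by
    `defaults read <domain>` ({ key = value; ... }) for flat, scalar values."""
    out = {}
    for m in re.finditer(r'^\s*"?([A-Za-z0-9_.-]+)"?\s*=\s*"?([^";]*)"?;', text, re.M):
        out[m.group(1)] = m.group(2)
    return out


def defaults_indicates_activator(defaults_text):
    """True when the "-.GUI" domain dump carries the script-hash gate key."""
    return HASH_KEY in parse_defaults_read(defaults_text)


# Constructed sample data, not captured from a real host.
SAMPLE_LAUNCHAGENTS = {
    "/Library/LaunchAgents": [
        "com.example.updater.plist",
        "launched.3f2504e0-4f89-11d3-9a0c-0305e82c3301.plist",
    ],
    "/Users/alice/Library/LaunchAgents": [
        "launched.notauuid.plist",
        "launched.deadbeef-dead-beef-dead-beefdeadbeef.plist",
    ],
}
SAMPLE_DEFAULTS_OUTPUT = "{\n    lastExecutedScriptHash = 9f86d081884c7d65;\n}\n"

if __name__ == "__main__":
    for path in find_activator_launchagents(SAMPLE_LAUNCHAGENTS):
        print("suspicious LaunchAgent:", path)
    if defaults_indicates_activator(SAMPLE_DEFAULTS_OUTPUT):
        print(f"defaults domain {BUNDLE_ID!r} carries {HASH_KEY}")
```

A match on either indicator warrants pulling the plist, the binaries it points to, and /tmp for the dropped Python package, rather than acting on the file name alone.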

macOS Torrents Infected with Backdoor Activator

We have found several hundred unique Mach-O binaries on VirusTotal that are infected with macOS.Bkdr.Activator. Some have very low detection rates, and a few are currently not detected by any VirusTotal engines at all.


Although the following list cannot be considered complete as new samples continue to be found, the malicious binaries we have discovered pertain to over 70 individual ‘cracked’ apps that have been hijacked for the Activator campaign.

Any of the following applications that have been sourced from a torrent site or anywhere other than their official distribution channels should be considered as a possible indicator of compromise and the host device inspected for signs of malware infection.

  • 4K Video Downloader 1.4.0
  • 4K YouTube to MP3 Pro 5.1.0
  • Aiseesoft Blu-ray Player
  • Alarm Clock Pro 15.6
  • AnyMP4 iOS Cleaner 1.0.30
  • Battery Indicator 2.17.0
  • Bike 1.18.0
  • Boxy SVG 4.21.1
  • Chain Timer 10.0
  • Clipsy Clipboard Manager 2.1
  • ColorWell 7.4.1
  • Cookie 7.2.1
  • Cover Desk 1.7
  • DaisyDisk 4.26 (4.26)
  • DeliverExpress 2.7.11
  • Disk Xray 4.1.4
  • Dropshare 5.45
  • Easy Data Transform 1.46.1
  • Eon Timer 2.9.11
  • Final Draft 12.0.10
  • Fix My iPhone 2.4.9
  • FonePaw iOS Transfer 6.0.0
  • FontLab 8.3.0.8766.0 Beta
  • Fork 2.38
  • ForkLift 4.0.6
  • getIRC – IRC Client 1.5
  • Ghost Buster Pro 2.5.0
  • GrandTotal 8.2.2
  • Hides 5.9.2
  • HitPaw Video Converter 3.3.0
  • Infuse Pro 7.6.6
  • Invisible 2.8.0
  • Iris 1.6.4
  • iShowUInstantAdvanced 1.4.19
  • iTubeGo 7.4.0 Cracked
  • Keep It 2.3.7
  • MacX DVD Ripper Pro 6.8.2
  • MacX MediaTrans 7.9
  • Magic Battery 8.1.1
  • Magic Disk Cleaner 2.6.0
  • MarsEdit 5.1.2
  • MetaImage 2.6.3
  • Millumin 4 v4.18.d
  • Mission Control Plus 1.23
  • Money Pro 2.10.4
  • MouseBoost Pro 3.3.5
  • NetWorker Pro 9.0.1
  • Nisus Writer Express 4.4
  • Omni Toolbox 1.5.1
  • OmniFocus Pro 4.0.3
  • OmniReader Pro 2.6.8
  • Pastebot 2.4.6
  • Perfectly Clear 4.6.0.2629
  • Privatus 7.0.2
  • QuickLinks 3.2
  • RAW Power 3.4.17 Cracked
  • Rhino-8
  • SimpleMind Pro 2.3.0
  • SiteSucker Pro 5.3.0
  • Soulver 3.10.0
  • SpamSieve 3.0.3
  • Swinsian 3.0
  • SyncBird Pro 4.0.8
  • TechSmith Snagit 2023.2.6
  • uDock 4.0.3
  • Unclutter 2.2.6
  • Valentina Studio Pro 13.7.0
  • Web Confidential 5.4.3
  • WiFiSpoof 3.9.3
  • Xliff Editor 2.9.15
  • xScope 4.7.0
  • zFuse Pro 1.7.36

Further Stages

The Activator malware functions as a Stage 1 installer and downloader. The tool binary constructs a hardcoded domain name string and, according to Kaspersky researchers, retrieves TXT records for this domain from a DNS server. We were unable to confirm this in our tests, but the previous research suggests that the malware uses a novel technique of retrieving base64-encoded messages from the TXT record data in the DNS responses. These are then decrypted in memory and were seen to contain a Python script which reached out to a further remote server to download the next stage.

The content of these encrypted messages could change according to the operator’s whim, but in the observed case the final stage turned out to be a Python backdoor that allows the operator to execute arbitrary commands on the infected device. More details on this stage can be found here.

SentinelOne Detects macOS.Bkdr.Activator

The campaign is ongoing and we continue to track and identify new malicious samples. When the policy is set to ‘Protect’, the SentinelOne agent blocks execution of malicious samples. With the policy set to ‘Detect Only’, an alert is raised and the sample may be allowed to run for the purposes of observation.

Indicators of Compromise

File Paths
/tmp/python-3.9.6-macosx10.9.pkg
/Applications/Activator.app/Contents/MacOS/GUI
/Applications/Activator.app/Contents/Resources/tool

[~]/Library/LaunchAgents/launched.%@.plist
#regex:
/Library/LaunchAgents/launched.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}.plist

SHA1 Mach-Os
01223c67c44b9cb893576c624ceeb6971d7c8a64
02a38a5dd5dcff4354fab26601dd766c1d24293e
03c4a36c06c12e3420bd410a9600e09ddb4b4211
07da6661657d72a4d9fc14990bb57f46514318a9
08503aca7610a83aeb55d5cf68be16b221f677bf
14f6e7759541de4c31e6cdc5efd4059363b748a9
192fd322a6c4df2bb0e3d743dfe84d30c82512bd
1acaf1e08a03137827b9ef1972198cf9b52d0e15
1b434829544a5a63101e4d0e45ddb65ec840c841
21a5895c184b047c7b9aa7aa4f6451acbc8be826
21e6691d8466ecc6fbf25481cc33338ad47caf5c
25e12022e796d77f2496c3c2090febd048015a9f
28de5c653b938626b5c2663de07ec3affb61da7a
29f8c0f7f3a70ec114ac3cef2a47f0c285138fdb
2c6c43cf0655a2ed0d155ea12cfb100f1fc1f770
2c6d7642dd442d1e50985b938a4c5d827720b8b2
2e0159157a2443fe41abc1643d75cc923cda6896
2f26dc03de6ad3e8c7853588a96c524b5093d37e
315b793de51286b03fdedfd7bca1aa8885dfabb8
341e215d527c058d17c82ab34e4fc392a8d20575
343f788d605e9433aebc40edc3d1d621b11aef38
38d38f96558d3a476d9cf0b319299d069ae629e4
392377835b20d2faca7f40c5ea6959f8be0ca586
3a9a511b32753de5e3824abc91a1969bf12fbb47
3bac1bb68a996b0524d1082ec810d6af33061a50
429a81049145a7c03ec39e7d23a20a74d89d6dd9
4f2d4e69abf124edff096870271c4e1942ecef12
55d893acd26927a66583c200377f10baffc06347
5facd492d920ba088acb32d311ede7ae2190c7fd
5fd1f90079bfe29d519ab59380ab9d152e837b6d
61cf0c13d58bb03eaf8886e599132581f96a8585
65ca8d43bc622561d3b9b990873cb82ed2b7db6d
6bc6586134013472c5020e08648c946f5da859aa
719efeae3e91ba89222c8118ad76790cf996ae79
72c2469669b1aa50e0dc356dfc036a405ce26ef3
7966a3cdf552e698c6861849479cb25fb2fe22c7
7ebf2eba7be3535c6afd1195305f683a8d46f45a
8133447d1bfd6a704dbee353cecfa8105bdc324a
8c78b2b159894abf5dfaa08a4cd8b1b79aabe446
8d9f0539f82609de097c244d2c8182f7f240545f
8ecf86ee0eb436e30508b22bcda89585bf5a5613
9089265798cfd830240e1bb981df6e61aea49692
90ffd2f23d0c57c7b3becd52525d31aadcb142ba
92b476221f3b88de74e31aca92c44eb8ae8e1c6c
98e9bb5de5d8f487f84bca9276905a87a76d3bb4
9c75698e5ec05c3613510e866ef37673e1649536
a1bc32090d7a9599d14e5310ffd981727cec4d9a
a2a6948d39a3b1239d0e83792f3178c338aaefb6
a3b9ea16b0d44e835d6458db44c018349f1cff3f
a5a28411bffe4efb72c99a63d234bffdd83bafef
a6fb4aaebd82681b5e5fac086cb4a41c7d64b718
b11d8ba52cef7fc9cd4b224a780bc2440afcfb82
bc51a249ade7b619da3ad4d3593176381f114b01
c4e9f2bc657d32c9e642274c056b3d4a8e0bbb06
c74d70da36badfa1fb4914494d4e952fa56fdbb1
caadd51d6191966002986f5529ab3b60622f9a03
cd4d2e325fd4741bf7c1918e9f341a3bc0e2c45c
d326b6f10d91965282ba0eb0041f2bb3dc0c004b
d58823309eeed0a40287d1df22ce799a672483db
d5b4ba66b24becfce2944a0df7b5d36f2a617ebf
d73cb24b88bdeb29ea09a867d67006061f3d9464
db49f7b2ebb06eba1a821ed9a0050ca36a38d31e
dc64a04830d9209142c72937cd348d581afbad09
dcb8efd9817a46f79021afcad9ea67ef4c898ff6
def1ca81e74dad6bef7cd37d896d9521afd3e19e
e18c9dff96ba0b982cbfd1911db24f974db82cce
e439e6a35fe685b909e8656fed03b4c2ae8533cd
e591b784a7a6783580e8674ff1b263d5a6d91e86
e85cc29f9ea7c7cfcb31450cecaed85bc0201d32
e8613f03b1cbebb6c6fa42a65aef59ab547a8a59
eca71e86d45b43a558f1f05acd6fdbf48c79f097
ee90f40748c4bd0ba78abbf113a6251f39a5bbd5
f3f498574f91da8fc4a69e5ae35dbfcb058abb7b
fa08c5f4c6dbb5f32288ea05ed558ffcd273f181

Arrests in $400M SIM-Swap Tied to Heist at FTX?

Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.

A graphic illustrating the flow of more than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.

An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.k.a. “R,” “R$” and “ElSwapo1,” was the ringleader of a SIM-swapping group called the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernandez allegedly helped the group gain access to victim devices in service of SIM-swapping attacks between March 2021 and April 2023. Indiana resident Carter Rohn, a.k.a. “Carti,” and “Punslayer,” allegedly assisted in compromising devices.

In a SIM-swapping attack, the crooks transfer the target’s phone number to a device they control, allowing them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.

The indictment states that the perpetrators in this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID. However, the document refers to the victim in this case only by the name “Victim 1.”

Wired’s Andy Greenberg recently wrote about FTX’s all-night race to stop a $1 billion crypto heist that occurred on the evening of November 11:

“FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.”

“FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.”

The indictment says the $400 million was stolen over several hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the attackers in the FTX heist began to drain FTX wallets on the evening of Nov. 11, 2022 local time, and continued into Nov. 12.

Robinson said Elliptic is not aware of any other crypto heists of that magnitude occurring on that date.

“We put the value of the cryptoassets stolen at $477 million,” Robinson said. “The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million – the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. Either way, it’s certainly over $400 million, and we are not aware of any other thefts from crypto exchanges on this scale, on this date.”

The SIM-swappers allegedly responsible for the $400 million crypto theft are all U.S. residents. But there are some indications they had help from organized cybercriminals based in Russia. In October 2023, Elliptic released a report that found the money stolen from FTX had been laundered through exchanges with ties to criminal groups based in Russia.

“A Russia-linked actor seems a stronger possibility,” Elliptic wrote. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”

Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, said the flow of stolen FTX funds looks more like what his team has seen from groups based in Eastern Europe and Russia than anything they’ve witnessed from US-based SIM-swappers.

“I was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that “Scattered Spider” has worked with [ransomware] groups like ALPHV/BlackCat,” Bax said.

CISA’s alert on Scattered Spider says they are a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.

“Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,” CISA said, referring to the group’s signature “Tactics, Techniques and Procedures.”

Nick Bax, posting on Twitter/X in Nov 2022 about his research on the $400 million FTX heist.

Earlier this week, KrebsOnSecurity published a story noting that a Florida man recently charged with being part of a SIM-swapping conspiracy is thought to be a key member of Scattered Spider, a hacking group also known as 0ktapus. That group has been blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

Financial claims involving FTX’s bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, the thieves stole user information for multiple cryptocurrency platforms that rely on Kroll services to handle bankruptcy proceedings.

KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated in the event any of them respond.

Attorneys for Mr. Powell said they do not know who Victim 1 is in the indictment, as the government hasn’t shared that information yet. Powell’s next court date is a detention hearing on Feb. 2, 2024.

Microsoft’s Dangerous Addiction To Security Revenue

Last week, CNBC gave me a chance to discuss Microsoft’s Friday-night news dump of a new breach by Russian intelligence services, in which I called for more details from Microsoft so that other organizations could defend themselves.

On January 25th, we gained a bit more transparency in the form of a blog post from “Microsoft Security”, the commercial security division of Microsoft. Let me offer some reactions.

Microsoft Buries the Lede

“Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”

Translation: Since the techniques outlined in the blog only work on Microsoft-hosted cloud identity and email services, this means that other companies were compromised using the same flaws in Entra (better known as Azure Active Directory) and Microsoft 365.

Microsoft’s language here plays this up as a big favor they are doing the ecosystem by sharing their “extensive knowledge of Midnight Blizzard” when, in fact, what they are announcing is that this breach has affected multiple tenants of their cloud products.

Update: Joseph Menn of the Washington Post has several sources indicating that at least ten companies were breached and will be disclosing soon.

Microsoft Continues to Downplay the Attack By Abusing the Term “Legacy”

One of the big open questions from last week was how an attack against a “legacy non-production test tenant” could lead to access to the emails of key Microsoft executives. We get a bit more detail in this paragraph:

“Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.”

I have seen this fundamental problem in multiple investigations, including the one that Microsoft worked so hard to label as the Solarwinds Incident*: AzureAD is overly complex, and lacks a UX that allows for administrators to easily understand the web of security relationships and dependencies that attackers are becoming accustomed to exploiting.

In many organizations, AzureAD is deployed in hybrid mode, which combines the vulnerability of cloud (external password sprays) and on-premises (NTLM, mimikatz) identity technologies in a combination that smart attackers utilize to bounce between domains, escalate privilege and establish persistence.

Calling this a “legacy” tenant is a dodge; this system was clearly configured to allow for production access as of a couple of weeks ago, and Microsoft has an obligation to secure their legacy products and tenants just as well as ones provisioned today. It’s not clear what they mean by “legacy”, but whatever Microsoft’s definition it is likely to be representative of how thousands of their customers are utilizing their products.
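The chain Microsoft describes ends with an OAuth application holding Exchange Online’s full_access_as_app application permission, which is a grant every tenant can enumerate for itself. The following is an added example (not Microsoft’s code or tooling from this post) of that review run over constructed records shaped like Microsoft Graph servicePrincipal and appRoleAssignment objects: the field names follow Graph, but the identifiers, app names and timestamps are made up, and the role name is matched by its value rather than by GUID.

```python
"""Added example: flag OAuth apps granted Exchange Online full_access_as_app
and mark recent grants. All records below are constructed, not real tenant data."""
from datetime import datetime, timedelta, timezone

# Constructed resource service principals with the app roles they expose.
RESOURCE_ROLES = {
    "sp-exo": {"displayName": "Office 365 Exchange Online",
               "appRoles": {"role-full": "full_access_as_app",
                            "role-mail-read": "Mail.Read"}},
    "sp-graph": {"displayName": "Microsoft Graph",
                 "appRoles": {"role-user-read": "User.Read.All"}},
}

# Constructed appRoleAssignments, as returned per client service principal.
ASSIGNMENTS = [
    {"principalDisplayName": "legacy-test-app", "principalId": "sp-1",
     "resourceId": "sp-exo", "appRoleId": "role-full",
     "createdDateTime": "2019-04-02T10:00:00Z"},
    {"principalDisplayName": "new-actor-app", "principalId": "sp-2",
     "resourceId": "sp-exo", "appRoleId": "role-full",
     "createdDateTime": "2024-01-10T03:12:00Z"},
    {"principalDisplayName": "hr-sync", "principalId": "sp-3",
     "resourceId": "sp-graph", "appRoleId": "role-user-read",
     "createdDateTime": "2022-06-01T00:00:00Z"},
]

# (resource display name, role value) pairs that give mailbox-wide access.
HIGH_RISK_ROLES = {("Office 365 Exchange Online", "full_access_as_app")}


def _parse_ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def resolve_role(assignment, resources=RESOURCE_ROLES):
    """Map an assignment's appRoleId to (resource name, role value)."""
    res = resources[assignment["resourceId"]]
    role = res["appRoles"].get(assignment["appRoleId"], assignment["appRoleId"])
    return res["displayName"], role


def audit_app_roles(assignments, resources=RESOURCE_ROLES, now=None, recent_days=30):
    """Return one finding per high-risk grant; 'recent' marks grants made
    within recent_days of `now` (an ISO timestamp, default: current time)."""
    now_dt = _parse_ts(now) if now else datetime.now(timezone.utc)
    findings = []
    for a in assignments:
        resource, role = resolve_role(a, resources)
        if (resource, role) not in HIGH_RISK_ROLES:
            continue
        granted = _parse_ts(a["createdDateTime"])
        findings.append({
            "app": a["principalDisplayName"],
            "principalId": a["principalId"],
            "role": f"{resource}:{role}",
            "granted": a["createdDateTime"],
            "recent": now_dt - granted <= timedelta(days=recent_days),
        })
    return findings


if __name__ == "__main__":
    for f in audit_app_roles(ASSIGNMENTS, now="2024-01-25T00:00:00Z"):
        flag = "NEW " if f["recent"] else "    "
        print(f"{flag}{f['app']:<16} {f['role']} granted {f['granted']}")
```

On a real tenant the inputs come from Graph’s servicePrincipals collection and each principal’s appRoleAssignments; the long-lived “legacy” grant is the one that matters as much as the new one, since it is what the newly created apps were bootstrapped from.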

Microsoft does, however, offer all of us some solution…

Microsoft is Using Its Own Security Flaws as an Opportunity to Upsell

These sentences in the blog post deserve a nomination to the Cybersecurity Chutzpah Hall of Fame, as Microsoft recommends that potential victims of this attack against their cloud-hosted infrastructure:

  • “Detect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection.
  • Investigate compromised accounts using Microsoft Purview Audit (Premium).
  • Enforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory Domain Services.”

Microsoft is using this announcement as an opportunity to upsell customers on their security products, which are apparently necessary to run their identity and collaboration products safely!

This is morally indefensible, just as it would be for car companies to charge for seat belts or airplane manufacturers to charge for properly tightened bolts. It has become clear over the past few years that Microsoft’s addiction to security product revenue has seriously warped their product design decisions, where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases.

While these two arrogant and circumspect posts do, at least, admit “the urgent need to move even faster” in securing their products, I would argue that Microsoft has a much deeper cultural problem to solve as the world’s most important IT company.

They need to throw away this poisonous idea of security as a separate profit center and rededicate themselves to shipping products that are secure-by-default while providing all security features to all customers. I understand the need to charge for log storage or human services, but we should no longer accept the idea that Microsoft’s basic enterprise offerings (including those paid for by the US taxpayer) should lack the basic features necessary to protect against likely attacks.

My current employer competes against some of these products, but if Microsoft did a better job by default then that would actually reduce the need for SentinelOne and other security vendors to provide basic safety protections.

For all the language about the sophistication of the SVR hackers behind this attack, there is nothing here that is outside the norm for ransomware groups attacking Microsoft technologies, and Microsoft customers of all sizes should be concerned that these techniques will be deployed against them if they do not pay extra for the secure version of Microsoft’s cloud products.

Twenty one years after the Trustworthy Computing memo, it’s once again time for some soul searching in Redmond.

Note

* While the breach of Solarwinds was a critical part of the SVR campaign to break into around 200 organizations, weaknesses in the deployed configuration of AzureAD also played an important role, which Microsoft effectively papered over in their Congressional testimony and written statements.


SentinelOne’s WatchTower | Transforming Proactive Defense with Advanced 24/7 Threat Hunting Capabilities

Security teams face an uphill battle as stealthy threats and Advanced Persistent Threats (APTs) become increasingly adept at slipping past conventional security tools, leaving organizations at heightened risk. It’s a game of digital hide-and-seek against well-funded and well-resourced adversaries that are proving to be ever more difficult to detect. The longer these threats go unnoticed, the greater the cyber risk becomes – and when an adversary is successful, the financial impact of a data breach can average $4.45M.

But what if we could change the game? SentinelOne’s innovative WatchTower services are designed to augment security teams and help them stay ahead of adversaries, offering a fresh approach to uncovering the elusive threats that traditional methods often miss.

Why is Threat Hunting So Important?

Threat hunting is a proactive, systematic exploration for potential cyber threats lurking within an organization’s network or systems. It’s not about waiting for alerts from security tools; it’s actively seeking out the hidden dangers that may have slipped past these traditional security measures.

Threat hunting is more than just another activity in the SOC – it’s the constant practice of uncovering adversaries who are silently hiding in your network, patiently waiting to launch an attack or achieve their malicious objectives. Instead of simply reacting to threats, hunting proactively seeks to identify, prioritize, and mitigate risk. A combination of manual and automated techniques come into play, including delving into security events, carrying out network scans, and leveraging threat intelligence feeds. The primary goal is to spot potential threats at the earliest kill-chain stage possible, ideally before they’ve had a chance to impact the organization.

This isn’t a task for just any security solution or team – it requires a platform that integrates cross-domain security data and the expertise of threat-hunting professionals. These skilled individuals possess strong analytical and technical abilities, perfectly equipped to lead the hunt. When paired with the right security platform, threat hunters are technically empowered with:

  • The ability to quickly execute searches for newly discovered threats across historical security telemetry
  • Access to the newest Threat Intelligence combined with a tailored hunting approach. Threat Intelligence provides the ability to find a needle in a haystack; looking for behavioral attack patterns across seemingly benign events is an invaluable addition to cross-domain detections

By adopting threat hunting practices, organizations can significantly reduce their risk of falling victim to cyber-attacks, keeping the security and availability of their systems and networks intact.

Unveiling the WatchTower Lineup

A New Era of Threat Hunting with SentinelOne

SentinelOne is excited to announce the general availability (GA) of its expanded AI-infused managed threat hunting services, WatchTower and WatchTower Pro. Building on an established foundation in serving customers around the world, this release marks the start of a new era of threat hunting due to numerous upgrades in threat hunting methodologies. WatchTower and WatchTower Pro now incorporate advanced AI technologies and more robust threat intelligence feeds. With SentinelOne’s WatchTower team at your back, you’re not just responding to threats but actively hunting them down, pushing the boundaries of what’s possible in improving risk posture.

Coupled with the Singularity Platform’s detection capabilities, customers who opt for WatchTower are backed by a team of threat hunting experts on standby 24/7 to hunt and stop adversary behavior. WatchTower offers intelligence-driven and behavior-based threat hunting, backed by expert human analysis, to help security teams maximize threat visibility and identify emergent attackers across every part of their business. The expanded capabilities of WatchTower™ include:

  • 24/7 real-time threat hunting
  • Retrospective threat hunting across all historical data
  • Anomalous and suspicious behavior detection
  • Multi-faceted hunting approach, including intelligence-based, behavioral & AI-driven threat hunting
  • Expanded coverage against known and emergent threats
  • Detailed reporting on hunting activities and findings in the environment
  • Access to WatchTower’s in-house threat intelligence library, including behavioral hunting queries, indicators of compromise, and more.
  • Monthly reporting on the global threat landscape

Customized Approach to Threat Hunting with WatchTower Pro

Customers that require a highly customized threat and risk hunting approach should look to WatchTower Pro™. Building on the features of WatchTower, WatchTower Pro™ adds:

  • Detailed enterprise-wide compromise & security risk assessments multiple times throughout the year, along with mitigation guidance
  • Custom hunting support via a dedicated Threat Hunter, including on-demand threat hunting and intelligence support
  • Darkweb exposure hunting and domain mimic monitoring
  • A bespoke and detailed plan to evolve your corporate security and risk posture

About WatchTower Threat Hunters

The SentinelOne WatchTower Threat Hunting team is made up of experienced threat hunters from around the globe, ensuring round-the-clock defense of your cyber estate. Skilled hunters sweep through threat intelligence sources, global events, and malware families to automate the most prevalent threat hunts and to set regular hunting schedules for less prevalent but still relevant threats. Our continued investment in automation enables us to scale every week, so your WatchTower analyst can perform additional hunts on your behalf.

Benefits

Threat Expertise on Tap

In cybersecurity, we’re seeing a prolonged skills gap – especially in skilled roles like threat hunting – that can often leave in-house teams scrambling to keep up. This is where managed services step in – a powerful strategy to bolster your defenses and make even the smallest teams more potent in their fight against adversaries. Imagine having access to a pool of specialized talent, ready to augment your existing team’s threat hunting capabilities. This isn’t just about filling in the gaps; it’s about amplifying your capabilities, offering fresh perspectives, and bringing proven approaches to your cybersecurity needs.

Confidently Navigate the Threat Landscape with Unparalleled Threat Intelligence

WatchTower flash and monthly reports are your comprehensive guide in navigating the complex terrain of threats. Get tailored insights to help you better understand your environment and effectively strategize your next move. We’re harnessing the power of machine learning and AI and integrating them into our threat hunting algorithms so customers get enhanced effectiveness, sharper predictions, and more precise countermeasures against threats. Why choose between human expertise and industry-leading technology when you can have the best of both?

Read this year’s WatchTower 2023 End of Year Report for expert analysis of the top cyber threats of 2023 and predictions for 2024.

WatchTower now integrates expanded intelligence sources, providing an enriched set of atomic and behavioral IOC hunting capabilities. This is further bolstered by rapidly growing libraries for Linux, macOS, and cloud behavioral hunting, significantly expanding the scope of threat detection. WatchTower also automates host-based YARA scanning and forensic artifact collection for hunt verification.

For organizations seeking to outsource more of their security operations, combining WatchTower Services with our Vigilance MDR and DFIR services ensures that all threats, even those detected through WatchTower’s enhanced visibility, are promptly acted upon and mitigated by a skilled investigation and response team.

24 x 7 Risk Reduction

Adopting SentinelOne’s WatchTower services results in considerable risk reduction across business operations by providing continuous and proactive threat identification. With 24/7 real-time threat hunting, investigation, and containment, threats are identified and contained before they can disrupt your business. WatchTower covers a wide spectrum of threats ranging from hidden Advanced Persistent Threats (APTs) and covert cyber crime to policy misuse and insider threats. Even vulnerabilities resulting from poor security practices or environmental factors are addressed.

WatchTower Pro also provides a designated threat hunter who conducts comprehensive compromise and risk assessments in your environment. The integration of machine learning and AI into threat-hunting algorithms significantly enhances the effectiveness of these proactive measures.

Conclusion

Staying one step ahead of threats is not just a lofty goal, but a business necessity. SentinelOne’s suite of advanced security services, including the newly updated WatchTower and WatchTower Pro, equips you with the tools, insights, and expertise to meet whatever challenges you’re facing head-on.

Whether it’s uncovering stealthy threats with AI-powered threat hunting or fortifying your defenses with our globally distributed team of seasoned threat hunters, we stand ready to elevate your security posture. At SentinelOne, we’re not just about responding to threats – we help you proactively anticipate and eliminate risk before it can impact your business.


Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

A graphic depicting how 0ktapus leveraged one victim to attack another. Image credit: Amitai Cohen of Wiz.

Prosecutors say Noah Michael Urban of Palm Coast, Fla., stole at least $800,000 from at least five victims between August 2022 and March 2023. In each attack, the victims saw their email and financial accounts compromised after suffering an unauthorized SIM-swap, wherein attackers transferred each victim’s mobile phone number to a new device that they controlled.

The government says Urban went by the aliases “Sosa” and “King Bob,” among others. Multiple trusted sources told KrebsOnSecurity that Sosa/King Bob was a core member of a hacking group behind the 2022 breach at Twilio, a company that provides services for making and receiving text messages and phone calls. Twilio disclosed in Aug. 2022 that an intrusion had exposed a “limited number” of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

Shortly after that disclosure, the security firm Group-IB published a report linking the attackers behind the Twilio intrusion to separate breaches at more than 130 organizations, including LastPass, DoorDash, Mailchimp, and Plex. Multiple security firms soon assigned the hacking group the nickname “Scattered Spider.”

Group-IB dubbed the gang by a different name — 0ktapus — which was a nod to how the criminal group phished employees for credentials. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

A booking photo of Noah Michael Urban released by the Volusia County Sheriff.

0ktapus used newly-registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
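The registration pattern described above, a fresh domain carrying the target’s name plus login or “schedule” wording, is something a defender can watch for in newly registered domain feeds. The following Python is an added example written for this page, not code from KrebsOnSecurity or Group-IB. The keyword lists, the scoring rule, and the sample domain feed are constructed assumptions, and the code treats the last label as the TLD, so co.uk-style suffixes would need a public-suffix list.

```python
import re
from dataclasses import dataclass, field

# Lure vocabulary seen in Okta-themed SMS phishing: login/SSO words plus the
# "work schedule change" pretext. Short tokens must match a whole label part
# so that "hr" does not fire on "chrome"; longer ones may match as substrings.
# Both lists are assumptions for this example.
TOKEN_KEYWORDS = {"sso", "vpn", "mfa", "hr", "it"}
SUBSTRING_KEYWORDS = ("okta", "login", "signin", "auth", "schedule", "portal")


@dataclass
class Finding:
    domain: str
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit(domain: str, legit_domains: set) -> bool:
    """True for the company's own registered domains and their subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def score_domain(domain: str, company: str, legit_domains: set):
    """Return a Finding if `domain` looks like an impersonation of `company`, else None."""
    domain = domain.lower().rstrip(".")
    company = company.lower()
    if is_legit(domain, legit_domains):
        return None
    # Drop the last label as the TLD. Assumption: single-label TLDs only; a
    # public-suffix list would be needed for co.uk-style suffixes.
    registrable = ".".join(domain.split(".")[:-1])
    tokens = [t for t in re.split(r"[-.]", registrable) if t]

    reasons = []
    if company in registrable:
        reasons.append("brand")
    elif len(company) >= 5 and any(edit_distance(t, company) == 1 for t in tokens):
        reasons.append("typosquat")
    if any(t in TOKEN_KEYWORDS for t in tokens) or any(k in registrable for k in SUBSTRING_KEYWORDS):
        reasons.append("sso-lure")

    # The brand name alone is weak evidence (fan sites, resellers); the brand
    # combined with login wording, or a typosquat on its own, is worth a look.
    if ("brand" in reasons and "sso-lure" in reasons) or "typosquat" in reasons:
        return Finding(domain, reasons)
    return None


def triage(candidates, company: str, legit_domains: set):
    """Run score_domain over a feed of newly registered domains, keeping the hits."""
    return [f for f in (score_domain(d, company, legit_domains) for d in candidates) if f]


# Constructed sample feed (not real registrations); "twilio" stands in for
# whichever brand is being monitored.
SAMPLE_FEED = [
    "twilio-sso.com",
    "twilio-okta.net",
    "twillio-login.com",
    "sso.twilio.com",
    "twilio-fanclub.org",
    "github.com",
    "schedule-twilio.info",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED, "twilio", {"twilio.com"}):
        print(f"{hit.domain}: {', '.join(hit.reasons)}")
```

Feeding this from certificate-transparency logs or a registrar zone feed turns it into the "domain mimic" check a SOC can run daily; the thresholds are deliberately loose, since a human still reviews each hit.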

0ktapus often leveraged information or access gained in one breach to perpetrate another. As documented by Group-IB, the group pivoted from its access to Twilio to attack at least 163 of its customers. Among those was the encrypted messaging app Signal, which said the breach could have let attackers re-register the phone number on another device for about 1,900 users.

On July 28 and again on Aug. 7, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some source code and proprietary LastPass technical information, and weeks later LastPass said an investigation revealed no customer data or password vaults were accessed.

However, on November 30, 2022 LastPass disclosed a far more serious breach that the company said leveraged data stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

KING BOB’S GRAILS

A review of thousands of messages that Sosa and King Bob posted to several public forums and Discord servers over the past two years shows that the person behind these identities was mainly focused on two things: SIM-swapping, and trading in stolen, unreleased rap music recordings from popular artists.

Indeed, those messages show Sosa/King Bob was obsessed with finding new “grails,” the slang term used in some cybercrime discussion channels to describe recordings from popular artists that have never been officially released. It stands to reason that King Bob was SIM-swapping important people in the music industry to obtain these files, although there is little to support this conclusion from the public chat records available.

“I got the most music in the com,” King Bob bragged in a Discord server in November 2022. “I got thousands of grails.”

King Bob’s chats show he was particularly enamored of stealing the unreleased works of his favorite artists — Lil Uzi Vert, Playboi Carti, and Juice Wrld. When another Discord user asked if he has Eminem grails, King Bob said he was unsure.

“I have two folders,” King Bob explained. “One with Uzi, Carti, Juicewrld. And then I have ‘every other artist.’ Every other artist is unorganized as fuck and has thousands of random shit.”

King Bob’s posts on Discord show he quickly became a celebrity on Leaked[.]cx, one of the most active forums for trading, buying and selling unreleased music from popular artists. The more grails that users share with the Leaked[.]cx community, the more their status and access on the forum grows.

The last cache of Leaked[.]cx indexed by archive.org on Jan. 11, 2024.

And King Bob shared a large number of his purloined tunes with this community. Still others he tried to sell. It’s unclear how many of those sales were ever consummated, but it is not unusual for a prized grail to sell for anywhere from $5,000 to $20,000.

In mid-January 2024, several Leaked[.]cx regulars began complaining that they hadn’t seen King Bob in a while and were really missing his grails. On or around Jan. 11, the same day the Justice Department unsealed the indictment against Urban, Leaked[.]cx started blocking people who were trying to visit the site from the United States.

Days later, frustrated Leaked[.]cx users speculated about what could be the cause of the blockage.

“Probs blocked as part of king bob investigation i think?,” wrote the user “Plsdontarrest.” “Doubt he only hacked US artists/ppl which is why it’s happening in multiple countries.”

FORESHADOWING

On Sept. 21, 2022, KrebsOnSecurity told the story of “Foreshadow,” the nickname chosen by a Florida teenager who was working for a SIM-swapping crew when he was abducted, beaten and held for a $200,000 ransom. A rival SIM-swapping group claimed that Foreshadow and his associates had robbed them of their fair share of the profits from a recent SIM-swap.

In a video released by his abductors on Telegram, a bloodied, battered Foreshadow was made to say they would kill him unless the ransom was paid.

As I wrote in that story, Foreshadow appears to have served as a “holder” — a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: Physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams.

KrebsOnSecurity has since learned that Foreshadow was a holder for a particularly active SIM-swapper who went by “Elijah,” which was another nickname that prosecutors say Urban used.

Shortly after Foreshadow’s hostage video began circulating on Telegram and Discord, multiple known actors in the SIM-swapping space told everyone in the channels to delete any previous messages with Foreshadow, claiming he was fully cooperating with the FBI.

This was not the first time Sosa and his crew were hit with violent attacks from rival SIM-swapping groups. In early 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban’s parents in Sanford, Fla.

“Brickings” are among the “violence-as-a-service” offerings broadly available on many cybercrime channels. SIM-swapping and adjacent cybercrime channels are replete with job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing brickings, where someone is hired to visit a specific address and toss a brick through the target’s window. Other typical IRL job offers involve tire slashings and even drive-by shootings.

THE COM

Sosa was known to be a top member of the broader cybercriminal community online known as “The Com,” wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” Cyberscoop’s AJ Vicens reported last year that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks.

“ALPHV, an established ransomware-as-a-service operation thought to be based in Russia and linked to attacks on dozens of entities, claimed responsibility for Caesars and MGM attacks in a note posted to its website earlier this month,” Vicens wrote. “Experts had said the attacks were the work of a group tracked variously as UNC 3944 or Scattered Spider, which has been described as an affiliate working with ALPHV made up of people in the United States and Britain who excel at social engineering.”

In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

The SIM-swapping groups were able to switch targeted phone numbers to another device on demand because they constantly phished T-Mobile employees into giving up credentials to employee-only tools. In each of those cases the goal was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

Allison Nixon, chief research officer at the New York cybersecurity consultancy Unit 221B, said the increasing brazenness of many Com members is a function of how long it has taken federal authorities to go after guys like Sosa.

“These incidents show what happens when it takes too long for cybercriminals to get arrested,” Nixon said. “If governments fail to prioritize this source of threat, violence originating from the Internet will affect regular people.”

NO FIXED ADDRESS

The Daytona Beach News-Journal reports that Urban was arrested Jan. 9 and his trial is scheduled to begin in the trial term starting March 4 in Jacksonville. The publication said the judge overseeing Urban’s case denied bail because the defendant was a strong flight risk.

At Urban’s arraignment, it emerged that he had no fixed address and had been using an alias to stay at an Airbnb. The judge reportedly said that when a search warrant was executed at Urban’s residence, the defendant was downloading programs to delete computer files.

What’s more, the judge explained, despite telling authorities in May that he would not have any more contact with his co-conspirators and would not engage in cryptocurrency transactions, he did so anyway.

Urban entered a plea of not guilty. Urban’s court-appointed attorney said her client would have no comment at this time.

Prosecutors charged Urban with eight counts of wire fraud, one count of conspiracy to commit wire fraud, and five counts of aggravated identity theft. According to the government, if convicted Urban faces up to 20 years in federal prison on each wire fraud charge. He also faces a minimum mandatory penalty of two years in prison for the aggravated identity offenses, which will run consecutive to any other prison sentence imposed.

The Cybersecurity Journey | Pathways to Becoming a Top-Tier SOC Analyst

Skilled security operations center (SOC) analysts bring a human element to cybersecurity, allowing for nuanced analysis, proactive threat hunting, and strategic decision-making. Combined with the right security solutions, having SOC analysts at the front line is a key element in building up a strong defense posture in today’s cyber threat landscape.

The journey of a successful SOC analyst combines technical expertise and human adaptability with experience, and is marked by continuous learning, skill development, and strategic progression. Cyber defenders looking to grow their careers can read our free eBook, Mastering the Art of SOC Analysis, for an in-depth guide to developing the rounded set of skills an aspiring SOC analyst needs. In this post, we explore some of the guide’s best tips on how to move from an entry-level SOC analyst to a leader in security operations.

Essential Skills for Entry-Level SOC Analysts

Embarking on a career in cybersecurity often begins through an entry-level SOC role, where budding defenders can gradually lay the groundwork for technical skills. Entry-level SOC analysts serve as the frontline defenders, tasked with monitoring security alerts, analyzing potential threats, and responding to incidents. These professionals are immersed in a dynamic environment, gaining hands-on experience with various security tools and technologies.

Foundational skills in network architecture and in network, log, and endpoint analysis are crucial to success at this early stage. The most important elements include a thorough understanding of:

  • Networking Fundamentals – develop a solid understanding of networking concepts such as TCP/IP, DNS, HTTP, and TLS. Learning to interpret a packet’s structure and the role of each header field helps in spotting anomalous traffic as well as in troubleshooting network issues.
  • Network Security Principles – Focus on firewalls, intrusion detection and prevention systems (IDPS), and virtual private networks (VPNs).
  • Hands-on Labs Practice – Use virtual labs or physical equipment to gain hands-on experience in configuring and troubleshooting networks. Examples include GNS3, Packet Tracer, EVE-NG, and TryHackMe.
  • Network Analysis Tools – Various network analysis tools can help analyze network traffic, such as Wireshark, tcpdump, and tshark. These tools can be used to capture, decode, and analyze packets in real-time or from saved capture files.
  • Network Traffic Analysis – Practice on real-world network traffic data. Sample capture files are obtainable from online resources such as the Wireshark Sample Captures page or by capturing traffic on a test network. Use the traffic to simulate an attack and write detection rules for a NIDS such as Snort.
  • Log Analysis, Parsing, and Search Techniques – SOC analysts need a broad repertoire of log analysis techniques such as anomaly detection, correlation analysis, and threat hunting. Also, practice parsing and searching logs with different log management tools and techniques.
  • Endpoint Security – Gain as much experience on Endpoint Security tools as possible and learn about advanced threat detection mechanisms like behavioral analysis, machine learning, and artificial intelligence to detect and respond to threats. EDR solutions provide real-time visibility into endpoint devices, enabling SOC analysts to quickly detect and respond to incidents.
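The packet-structure, capture-tool and Snort items above come together in the example below: it assembles a minimal IPv4/TCP packet, decodes the header fields a tcpdump or Wireshark line would show, verifies the IP header checksum, and applies two Snort-style rules to the result. It is an added example written for this page, not code from the SentinelOne eBook or from Snort; the rules, addresses and payload are constructed, and the TCP checksum is left at zero because the point is the header layout rather than a transmittable packet.

```python
import socket
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    flags: int
    payload: bytes

    def flag_str(self) -> str:
        """Snort-style flag string, e.g. 'S' or 'PA'."""
        return "".join(name for name, bit in TCP_FLAGS.items() if self.flags & bit)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words of the IP header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", ttl=64) -> bytes:
    """Assemble a minimal IPv4+TCP packet (constructed test input; TCP checksum left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    # version 4, IHL 5 (0x45); DF flag set (0x4000); protocol 6 = TCP; checksum 0 for now.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode the IPv4 header and the TCP header that follows it (no link layer present)."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; 20 when there are no options
    if ip_checksum(raw[:ihl]) != 0:  # a valid header, checksum included, sums to zero
        raise ValueError("bad IP header checksum")
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4  # TCP header length in bytes
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), ttl, sport, dport,
                  off_flags & 0x1FF, raw[ihl + data_off:total_len])


# Snort-style rules reduced to the fields this parser exposes (constructed for the example).
RULES = [
    {"msg": "inbound SYN to port 4444 (common reverse-shell listener)", "dport": 4444, "flags": "S"},
    {"msg": "HTTP request carrying /bin/sh in the URI", "dport": 80, "flags": "PA", "content": b"/bin/sh"},
]


def match_rules(pkt: Packet, rules=RULES) -> list:
    """Return the messages of every rule whose conditions all hold for this packet."""
    hits = []
    for rule in rules:
        if "dport" in rule and pkt.dport != rule["dport"]:
            continue
        if "flags" in rule and pkt.flag_str() != rule["flags"]:
            continue
        if "content" in rule and rule["content"] not in pkt.payload:
            continue
        hits.append(rule["msg"])
    return hits


def scan(packets) -> list:
    """Parse each raw packet and collect (source, dport, rule message) alerts."""
    alerts = []
    for raw in packets:
        pkt = parse_ipv4_tcp(raw)
        for msg in match_rules(pkt):
            alerts.append((pkt.src, pkt.dport, msg))
    return alerts


# Constructed sample traffic: a SYN to 4444, a suspicious HTTP request, and a benign SYN to 443.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 51000, 4444, TCP_FLAGS["S"]),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 51001, 80, TCP_FLAGS["P"] | TCP_FLAGS["A"],
                   b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\n"),
    build_ipv4_tcp("10.0.0.7", "10.0.0.9", 51002, 443, TCP_FLAGS["S"]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Reading a real capture means stripping the link-layer frame first (14 bytes for Ethernet) and handling IP options via the IHL field, which the parser already honours; the checksum test is the kind of sanity check that separates a malformed or crafted packet from a parser bug.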

Beyond understanding network, logging, and endpoint essentials, budding SOC analysts should maintain a proactive mindset and consistently build up their collective knowledge and resources to stay sharp. The following tips and resources can be helpful:

  • Join Networking and Security Communities – Connect with professionals in the networking and security industry to learn from their experience, ask questions, and gain insights into the latest trends and technologies. Online communities such as Reddit’s /r/networking or /r/netsec, or professional associations such as ISACA, ISSA, or (ISC)², can be a great resource for connecting with others in the field.
  • Stay Up to Date With Industry News – Follow security and networking news sites such as Dark Reading, BleepingComputer, or SecurityWeek to stay informed on the latest security threats and trends. Add threat intel sites like SentinelLabs to your feeds.
  • Learn from Online Resources – there are many free online resources that can be leveraged to develop cybersecurity skills, including the Wireshark University, PacketTotal, and the SANS Institute. These and other resources can help budding analysts learn advanced techniques like protocol analysis, network forensics, and malware analysis.

Progressing to a Mid-Level SOC Analyst

At this stage, developing SOC analysts are able to comfortably navigate the primary responsibilities of monitoring, analysis, and incident response. As mid-level SOC analysts, the scope broadens, covering a more nuanced understanding of cybersecurity threats and various attack surfaces. A mid-level professional may take the opportunity in their career to dive into specialized areas, honing their expertise in threat detection and incident mitigation, and often taking on leadership responsibilities within smaller teams and some decision-making authority.

Adept at interpreting complex security alerts and correlating data from various sources, mid-level analysts contribute to the SOC by having a deeper engagement with threat intelligence feeds. This involves practicing proactive threat hunting and collaborating with cross-functional teams to strengthen their organization’s defenses. At this stage, SOC analysts should have an intricate understanding of cloud computing and security, active directory security, and proactive threat hunting.

Cloud Computing & Security

Effective SOC analysts continuously work with the industry’s latest technologies and tools. Cloud computing, especially, is of increasing importance as organizations seek to streamline operations, enhance scalability, and stay agile while adapting to market dynamics.

Cloud computing services encompass infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Essential cloud concepts for SOC analysts include cloud service models, deployment models, security controls, compliance frameworks, and incident response.

Active Directory

Active Directory (AD) has long been a prime target for attackers. To monitor and secure AD effectively, SOC analysts need a thorough understanding of AD concepts like domains, users, groups, and permissions.

To effectively monitor and manage AD to identify and respond to security incidents, successful SOC analysts will be fluent in AD security best practices – such as implementing strong password policies, restricting administrative access, and regularly auditing AD activity – and familiar with AD security tools, such as Microsoft’s Active Directory Users and Computers (ADUC) console.

Proactive Threat Hunting

Threat hunting aims to identify and mitigate advanced threats that can evade traditional security measures. Unlike reactive approaches, threat hunting involves human analysts actively analyzing anomalies and potential security breaches within an organization’s network.

Mid-level SOC analysts will leverage a combination of advanced tools, intelligence sources, and their own developing expertise to uncover subtle indicators of compromise and any abnormal patterns that may indicate malicious activities. This process is often iterative and hypothesis-driven, requiring a deep understanding of the organization’s systems and potential threat landscapes.
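As an added example of the hypothesis-driven hunting described here, and of the log parsing and AD activity auditing points made earlier in this post, the Python below runs one hunt over a constructed Windows Security log export: it looks for a single source address failing against many accounts (event 4625) in a short window, then succeeding (4624) and picking up administrative privileges (4672). It is not code from the SentinelOne eBook; the key=value export format, the thresholds and the sample events are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export in key=value form (not real telemetry). It shows a
# password spray: one source fails against five accounts in seconds (4625),
# then one account succeeds (4624) and is granted admin privileges (4672).
# Windows logs 4672 without a source address, hence src=-.
SAMPLE_LOG = """\
ts=2024-01-11T09:00:01Z event_id=4625 user=jdoe src=203.0.113.7 logon_type=3
ts=2024-01-11T09:00:03Z event_id=4625 user=asmith src=203.0.113.7 logon_type=3
ts=2024-01-11T09:00:05Z event_id=4625 user=bwong src=203.0.113.7 logon_type=3
ts=2024-01-11T09:00:07Z event_id=4625 user=clee src=203.0.113.7 logon_type=3
ts=2024-01-11T09:00:09Z event_id=4625 user=dpatel src=203.0.113.7 logon_type=3
ts=2024-01-11T09:00:12Z event_id=4624 user=dpatel src=203.0.113.7 logon_type=3
ts=2024-01-11T09:00:13Z event_id=4672 user=dpatel src=- logon_type=-
ts=2024-01-11T09:05:00Z event_id=4625 user=jdoe src=198.51.100.4 logon_type=2
ts=2024-01-11T09:05:30Z event_id=4624 user=jdoe src=198.51.100.4 logon_type=2
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value record into a dict with a typed timestamp and event id."""
    ev = dict(KV.findall(line))
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["event_id"] = int(ev["event_id"])
    return ev


def parse_log(text: str) -> list:
    """Parse every non-empty line of an export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hunt_spray(events, window=timedelta(minutes=10), min_users=5) -> list:
    """Hypothesis: one source address fails against at least `min_users` distinct
    accounts within `window`, then logs on successfully. One finding per source."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["src"] != "-":
            by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) < min_users:
                continue
            # The spray is confirmed; now check whether it paid off and how far it got.
            successes = {e["user"] for e in evs
                         if e["event_id"] == 4624 and e["ts"] >= first["ts"]}
            privileged = {e["user"] for e in events
                          if e["event_id"] == 4672 and e["ts"] >= first["ts"]}
            findings.append({
                "src": src,
                "first_seen": first["ts"].isoformat(),
                "sprayed_users": sorted(users),
                "compromised": sorted(successes),
                "privileged": sorted(successes & privileged),
            })
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in hunt_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

The second source in the sample, a single failure followed by a success, is what a user mistyping a password looks like and is correctly ignored; tuning `window` and `min_users` against your own baseline is the part of the hunt that no query language does for you.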

Becoming a SOC Manager or Cybersecurity Leader

The role of the SOC manager marks a transition from hands-on technical tasks to overseeing the comprehensive security operations of an organization. At this stage, SOC managers shoulder the responsibility of looking at the bigger picture – they are the ones who orchestrate and optimize the greater security infrastructure. This means aligning cybersecurity strategies with the overarching goals of the business.

SOC managers are leveraged by senior leadership as cybersecurity subject matter experts (SMEs). They are often brought in as key contributors to a company’s incident response plans (IRPs) and incident investigation processes, and are expected to lead the implementation of advanced security measures and policies. The role extends beyond technical expertise and can require:

  • The ability to articulate complex cybersecurity concepts to executive leadership by focusing on risk management
  • Managing diverse teams with varying cybersecurity skill sets
  • Constantly adapting security policies and strategies to meet the needs of the business, mitigate emerging threats, and adhere to changing regulatory requirements

All of these requirements revolve around being able to communicate well. Building strong communication skills involves practicing clear verbal and written communication as well as developing effective questioning skills.

Developing Effective Communication Skills

SOC managers possess proficiency in verbal and written communication and are able to communicate effectively with different teams and stakeholders. Top tips for developing the required skills include:

  1. Using clear and concise language when communicating with others.
  2. Avoiding technical jargon or acronyms that others may not understand.
  3. Practicing active listening as part of effective verbal communication.
  4. Listening carefully to what others say and asking questions to clarify misunderstandings early on.

SOC managers are also responsible for writing reports, creating security policies, and communicating with leadership. Effective reporting avoids jargon and overly verbose structures. Short and to-the-point sentences convey messages quickly and easily, particularly for busy, senior-level readers.

A critical part of being a clear communicator is asking the right questions to gather useful information and to understand issues quickly. SOC leaders will often be called upon to gather accurate and relevant information, identify patterns and trends, and collaborate in cross-functional projects.

Good questioning skills include:

  • Asking open-ended questions – encourage users and other stakeholders to provide detailed information and explanations to fully understand the scope and impact of a security incident.
  • Asking relevant follow-up questions – it is important to obtain additional details and clarification to identify patterns and trends in security incidents.
  • Asking contextual questions – look for the security incident’s bigger picture, including the business impact and related incidents or events.

Continuing the Journey

Cybersecurity is a field that is in constant flux and continuous learning is part of the job. SOC analysts can progress in their career by ensuring that they remain adaptable, open to learning, and ready for new challenges. Businesses, similarly, are increasingly aware of the value of skilled security professionals. Together with the right security tools, SOC analysts can keep their businesses safe from evolving threats in the cyber landscape.

To learn more about developing cybersecurity skills, read our free eBook, Mastering the Art of SOC Analysis. To see how SentinelOne can help build your business’s cybersecurity posture and protect it against sophisticated threats, contact us or request a demo.


The Good, the Bad and the Ugly in Cybersecurity – Week 4

The Good | TrickBot Developer Jailed for Five Years

Developer and distributor of the notorious TrickBot malware, Russian national Vladimir Dunaev, was handed down 5 years and 4 months of prison time this week. According to the DoJ, TrickBot caused tens of millions of dollars in losses and was used to attack hospitals, schools and businesses with ransomware in the U.S.

TrickBot started out in life as a dedicated banking trojan but over time evolved into a complex malware framework, shifting focus to enterprise environments and incorporating a suite of features including network profiling, mass data collection and lateral traversal exploits. At its height, TrickBot was believed to be in use by both APTs and crimeware actors.

Source: SentinelLabs

Dunaev was arrested in South Korea back in 2021 and subsequently extradited to the U.S. that October. He finally stood trial in November of 2023, when he pleaded guilty to conspiracy to commit computer fraud and identity theft, and conspiracy to commit wire fraud and bank fraud. According to the DoJ, Dunaev had created programs to bypass AV software and developed credential harvesting and data mining tools.

He is the second member of the gang behind TrickBot to be sentenced to jail time: A Latvian woman, Alla Witte, received 2 years and 8 months in June of last year. A number of other individuals have been indicted and sanctioned by U.S. authorities.

The Bad | Researchers Warn of Risks with Google Search

Security researchers are raising concerns about Google Search in the wake of increasing abuse of Google Ads – a service which promotes paid advertisements above organic search results – by various threat actors.

In one report this week, researchers noted how Chinese-speaking Google users were being served Remote Administration Trojans (RATs) through malicious adverts shown at the top of search results for messaging apps like Telegram, which are restricted in China.

Closer to home, KrebsOnSecurity said U.S. and other English-speaking users were being targeted when searching with Google for software. In one recent example, searches for the (legitimate) FreeCAD graphic design program were returning links to the malicious freecad-us[.]org domain above the real freecad.org site. Searches for other popular software that have been seen returning malicious paid advertisements include Corel Draw, GitHub Desktop, RoboForm and TeamViewer.

Source: KrebsOnSecurity

According to SentinelLabs’ Tom Hegel, threat actors behind the malvertising schemes rotate serving malware with serving legitimate software as a means to escape detection by Google. Krebs quoted Hegel as noting that “In the malicious ad campaigns we’ve seen…they would wait until the domains gain legitimacy on the search engines, and then flip the page [to serve malware] for a day or so and then flip back.”

In addition, the malicious sites use scripts to fingerprint visitors and determine whether they should serve malware based on criteria such as geolocation, browser or language. This allows the sites to target, say, users from the United States while ignoring users from other locations. An earlier report into this kind of malvertising suggested that many of these sites are used to deliver infostealers and trojans like IcedID, Formbook and others.

In response, Google said that it had removed the ads brought to its attention by the report, but researchers remain concerned that the problem is beyond Google’s ability to fully control. Users are advised to exercise caution when clicking sponsored links returned in Google searches.

The Ugly | Russian APT Strolls Into Microsoft and HP Networks

Both Microsoft and Hewlett Packard Enterprise revealed this week that they had separately become victims of Russian state-sponsored intrusions by APT 29, also known as Midnight Blizzard, The Dukes, Nobelium and NobleBaron. The same threat actor was held responsible for the SolarWinds supply chain attack in 2021.

In a statement released Thursday, Microsoft said that it had detected a nation-state attack on January 12, 2024. The threat actor used password spray attacks to compromise a vulnerable account. They then used this initial access to create multiple OAuth applications and target Microsoft corporate email accounts.

The company has released few further details about the nature of the compromise, other than to note that the attackers used residential proxies to obfuscate the source of the attack. The technique involves routing traffic through a large number of IP addresses that are also used by legitimate users. The high changeover rate of IP addresses makes it difficult for non-behavioral solutions to detect malicious traffic.
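The detection gap described above can be made concrete. The following is an added example, not code from Microsoft's or SentinelOne's posts: it runs two rules over constructed sign-in log lines (the log format, user names and RFC 5737 addresses are assumptions) and shows that a per-IP failure threshold misses a spray spread across rotating source addresses, while an account-centric window rule flags it.

```python
"""Added example, not from the article: two sign-in rules over constructed
log lines. A per-IP failure threshold misses a spray routed through residential
proxies (each source IP tries once or twice); counting distinct failing accounts
per time window still catches it."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp user ip RESULT" format;
# addresses are RFC 5737 documentation ranges and the user names are invented.
SAMPLE_LOG = """
# Spray: ten accounts, one failure each, ten different source IPs, six minutes.
2024-01-12T03:00:07Z svc-backup 203.0.113.11 FAIL
2024-01-12T03:00:41Z j.smith 203.0.113.57 FAIL
2024-01-12T03:01:15Z m.jones 198.51.100.8 FAIL
2024-01-12T03:01:52Z r.patel 203.0.113.90 FAIL
2024-01-12T03:02:30Z a.garcia 198.51.100.73 FAIL
2024-01-12T03:03:04Z l.chen 203.0.113.144 FAIL
2024-01-12T03:03:49Z k.okafor 198.51.100.120 FAIL
2024-01-12T03:04:21Z s.nguyen 203.0.113.201 FAIL
2024-01-12T03:05:02Z d.kim 198.51.100.33 FAIL
2024-01-12T03:05:38Z helpdesk 203.0.113.66 FAIL
# Noise: a mistyped password, then a single-source brute force of one account.
2024-01-12T08:01:10Z carol 192.0.2.17 FAIL
2024-01-12T08:01:25Z carol 192.0.2.17 FAIL
2024-01-12T08:01:40Z carol 192.0.2.17 OK
2024-01-12T08:02:00Z dave 198.51.100.99 FAIL
2024-01-12T08:02:05Z dave 198.51.100.99 FAIL
2024-01-12T08:02:10Z dave 198.51.100.99 FAIL
2024-01-12T08:02:15Z dave 198.51.100.99 FAIL
2024-01-12T08:02:20Z dave 198.51.100.99 FAIL
2024-01-12T08:02:25Z dave 198.51.100.99 FAIL
"""

def parse_events(text):
    """Return (ts, user, ip, ok) tuples; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, result = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((ts, user, ip, result == "OK"))
    return events

def per_ip_alerts(events, max_failures=5):
    """Source-centric rule: any IP with more than max_failures failed sign-ins.
    Blind to a rotating-proxy spray, where no single IP crosses the line."""
    fails = Counter(ip for _, _, ip, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def spray_alerts(events, window=timedelta(minutes=10), min_accounts=8, max_per_account=2):
    """Account-centric rule: in one window, at least min_accounts distinct accounts
    each failing at most max_per_account times. Per-IP volume plays no part, so
    rotating source addresses do not hide the pattern; the distinct-IP count is
    reported because many IPs for few attempts is itself a proxy-pool tell."""
    seconds = window.total_seconds()
    buckets = defaultdict(list)
    for ts, user, ip, ok in events:
        if not ok:  # bucket failures by fixed window start
            buckets[ts - timedelta(seconds=ts.timestamp() % seconds)].append((user, ip))
    alerts = []
    for start, fails in sorted(buckets.items()):
        per_user = Counter(u for u, _ in fails)
        low_rate = [u for u, n in per_user.items() if n <= max_per_account]
        if len(low_rate) >= min_accounts:
            alerts.append({"window_start": start.isoformat(), "accounts": len(low_rate),
                           "source_ips": len({ip for _, ip in fails}), "failures": len(fails)})
    return alerts

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_alerts(events))  # only the brute force of 'dave'
    for alert in spray_alerts(events):
        print("spray window:", alert)
```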

Meanwhile, in a filing to the SEC last Friday, HP said that a suspected nation-state actor it also believed to be Midnight Blizzard had gained unauthorized access to its cloud-based email environment.

The filing says that the company believes the activity is related to an intrusion from at least May 2023 in which a number of SharePoint files had been exfiltrated. It further stated that it had “determined that such activity did not materially impact the Company”, although again further details around the compromise remain undisclosed.

Who is Alleged Medibank Hacker Aleksandr Ermakov?

Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia’s most destructive ransomware groups, but little more is shared about the accused. Here’s a closer look at the activities of Mr. Ermakov’s alleged hacker handles.

Aleksandr Ermakov, 33, of Russia. Image: Australian Department of Foreign Affairs and Trade.

The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal. The documents released by the Australian government included multiple photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.

It’s not hard to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers. When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.

The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang REvil.

“REvil was among the most notorious cybercrime gangs in the world until July 2021 when they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and generally motivated by financial gain,” a statement from the U.S. Department of the Treasury reads. “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”

The sanctions say Ermakov went by multiple aliases on Russian cybercrime forums, including GustaveDore, JimJones, and Blade Runner. A search on the handle GustaveDore at the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called Sugar (a.k.a. Encoded01), which focused on targeting single computers and end-users instead of corporations.

An ad for the ransomware-as-a-service program Sugar posted by GustaveDore warns readers against sharing information with security researchers, law enforcement, or “friends of Krebs.”

In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was using and operating several different ransomware strains, including a private undisclosed strain and one developed by the REvil gang.”

In 2020, GustaveDore advertised on several Russian discussion forums that he was part of a Russian technology firm called Shtazi, which could be hired for computer programming, web development, and “reputation management.” Shtazi’s website remains in operation today.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

The third result when one searches for shtazi[.]ru in Google is an Instagram post from a user named Mikhail Borisovich Shefel, who promotes Shtazi’s services as if it were also his business. If this name sounds familiar, it’s because in December 2023 KrebsOnSecurity identified Mr. Shefel as “Rescator,” the cybercriminal identity tied to tens of millions of payment cards that were stolen in 2013 and 2014 from big box retailers Target and Home Depot, among others.

How close was the connection between GustaveDore and Mr. Shefel? The Treasury Department’s sanctions page says Ermakov used the email address ae.ermak@yandex.ru. A search for this email at DomainTools.com shows it was used to register just one domain name: millioner1[.]com. DomainTools further finds that a phone number tied to Mr. Shefel (79856696666) was used to register two domains: millioner[.]pw, and shtazi[.]net.

The December 2023 story here that outed Mr. Shefel as Rescator noted that Shefel recently changed his last name to “Lenin,” and had launched a service called Lenin[.]biz that sells physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founding father of the Soviet Union. The Instagram account for Mr. Shefel includes images of stacked USSR-era Ruble notes, as well as multiple links to Shtazi.

The Instagram account of Mikhail Borisovich Shefel, aka MikeMike aka Rescator.

Intel 471’s research revealed Ermakov was affiliated in some way with REvil because the stolen Medibank data was published on a blog that had one time been controlled by REvil affiliates who carried out attacks and paid an affiliate fee to the gang.

But by the time of the Medibank hack, the REvil group had mostly scattered after a series of high-profile attacks led to the group being disrupted by law enforcement. In November 2021, Europol announced it arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.

“The posting of Medibank’s data on that blog, however, indicated a connection with that group, although the connection wasn’t clear at the time,” Intel 471 wrote. “This makes sense in retrospect, as Ermakov’s group had also been a REvil affiliate.”

It is easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little to fear of arrest. However, his alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said Patrick Gray, the Australian co-host and founder of the security news podcast Risky Business.

“I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he is a vulnerable 33 year old with an absolute ton of bitcoin. So this is not a happy time for him.”

January 2024 Cybercrime Update | Exploitation of Known CVEs, Crypto Drainers & Ransomware Updates

Over the last month a number of interesting leaks have occurred within the ransomware-market ecosystem pertaining to the likes of BlackCat and Zeppelin. We saw some familiar names dominate the ransomware landscape in terms of volume and visibility, among them Play, BlackCat/AlphV, LockBit, Phobos (8base) and Akira.

In this month’s update we also discuss some of the vulnerabilities weaponized by these actors over the last month, with high-profile enterprise products such as Microsoft SQL and SharePoint among the targets.

Crypto drainers, DaaS, and associated scams came to the forefront over the last few weeks, with associated hacks observed across multiple high-profile social media accounts. We will touch on these recent scams and discuss how these attacks are occurring.

We will round out our discussion this month covering a short update on access-brokers and malicious tools targeting EDR platforms along with some positive news around law enforcement and the release of a Babuk decryptor.

Ongoing Exploitation of N-Day and 0-Day Vulnerabilities

Multiple threat actors have been observed targeting CVE-2023-29357, a critical privilege escalation vulnerability in Microsoft SharePoint. The ongoing exploitation of this flaw, along with the emergence of public PoC code, motivated CISA to add this flaw to its Known Exploited Vulnerabilities Catalog.

In early January, details began to emerge regarding the ongoing exploitation of at least two zero day flaws in the Ivanti platforms (Ivanti Connect Secure and Ivanti Policy Secure Gateways). The newly identified vulnerabilities, CVE-2023-46805 and CVE-2024-21887, allow for unauthorized command-injection attacks, exposing the systems to (unauthenticated) attackers.

According to initial reports, the Ivanti vulnerabilities have been targeted by an espionage-focused threat group (UNC5221) and used to drop a variety of malware including backdoors, webshells and credential harvesters, along with post-exploitation tools such as PySoxy (tunneling proxy) and BusyBox. Almost 20,000 vulnerable instances of the various Ivanti products have been identified as publicly exposed.

Global distribution of exposed Ivanti Devices (via Shodan)

It should be noted that PoC code and Metasploit modules for these flaws are now available.

New Ivanti PoC code on Github

Recommendations

These flaws should rank high on the priority list if they have not already been addressed. Defenders are encouraged to review guidance provided by Ivanti and CISA. The CISA guidance also provides explicit requirements for Federal Agencies (per current Federal cybersecurity directives).

Ransomware Updates

This month we saw a number of interesting developments in the ransomware ecosystem. An alleged prior affiliate of the now-defunct Zeppelin RaaS advertised the sale of the associated builder and support files on an underground market. The seller, known as “RET”, offered the package for 500.00 USD. This same seller has a history of selling “AV/EDR-killer” style tools as well.

This sale lowers the previous barrier to entry for Zeppelin-derived RaaS offerings. Prior to this leak (hosted on the well-established RAMP forum), Zeppelin ransomware builders were offered at a fee of at least 2000.00 USD. Malicious actors looking for a discounted form of a “road tested” builder are highly attracted to these types of offers.

In addition, we saw a similar attempt at marketing a RaaS, with a posting to a well-known forum offering BlackCat/ALPHV source code for sale. The posting was accompanied by screenshots of what appear to be affiliate tools for delivery and management of BlackCat payloads.

BlackCat/ALPHV locker for sale?

It will take time before the full reach and repercussions of these particular leaks are understood. Any lowering-of-the-bar around these tool sets inevitably attracts more enterprising criminals for whom these tools may have been out of reach prior.

Elsewhere, a portal for the creatively named “Going Insane Ransomware” emerged this month. For those that recall the late 1990s, “Going Insane” appears to embrace the GeoCities aesthetic, with a decidedly 1990s take on the layout of their site.

Going Insane Ransomware Portal

The group is actively recruiting and advertises its affiliate program (RaaS) with the following feature set (quoted):

  • Military-grade AES encryption
  • Encrypts All Files, Every single one, under lock and key.
  • Spreads in network, Infects every device in the network.
  • Wallet Stealer
  • Browser Stealer
  • System Info Stealer
  • Auto Parsed Cookies
  • Fully Undetected, bypasses all AVs
  • FUD (0 detects) forever ig

Recommendations

SentinelOne Singularity™ Endpoint detects and prevents attacks associated with known Zeppelin/Buran, ALPHV and Insane RaaS. Defenders and threat hunters may find the following additional indicators useful for GIR ransomware.

nv5lbsrr4rxmewzmpe25nnalowe4ga7ki6yfvit3wlpu7dfc36pyh4ad[.]onion
gfksiwpsqudibondm6o2ipxymaonehq3l26qpgqr3nh4jvcyayvogcid[.]onion
r2ad4ayrgpf7og673lhrw5oqyvqg4em2fpialk7l7gxkasvqkqow4qad[.]onion
insane[@]cock[.]lu

Drainers and Accounts Takeovers

Recently, a swath of account takeover attacks has swept through Twitter/X, leading to the compromise of several high-profile accounts. These accounts have been manipulated to disseminate content centered on cryptocurrency scams, orchestrated by groups known as crypto-drainers, or Drainers as a Service (DaaS).

Victims of these attacks include prominent entities such as CertiK, the SEC and cybersecurity vendor Mandiant.

The methods used to compromise accounts vary, ranging from brute-forcing credentials in cases without Multi-Factor Authentication (MFA) to SIM-swapping where MFA is enabled.

While the concept of Drainers and DaaS is not new, the recent high-profile breaches have cast a renewed spotlight on these malicious activities. The attackers are evidently motivated to target high-traffic accounts, aiming to redirect more users to their malevolent sites, as indicated by the increased click-through rates on the fraudulent posts linked to these hijacked accounts.

Hijacked Twitter/X account – promoting a cryptocurrency scam

The initial vector for these attacks is typically via phishing followed by device takeovers through techniques such as SIM swapping.

Ultimately these attacks have a far reaching effect beyond just the financial loss of those that fall victim to the scam. Reputable brands that have accounts taken over by these criminals are at risk of reputational harm which could in turn have a financial impact.

Access Brokering and Tools

We continue to see the market for corporate and enterprise-level access flourish, to the point where buyers are soliciting for an opportunity to purchase from the plentiful well of providers. Buyers are currently trying to outbid each other for access either by offering greater fees or taking lower percentages.

Corporate Access buyers (AI translated)

Those that are selling such access are profiting from targeting unprotected services such as IAM and reaping great rewards. It truly is a seller’s market out there at the moment, which is a worrying sign for defenders.

Concurrently, we continue to observe the marketing and use of customized “AV/EDR-killer” style tools. Tools like auKill and BackStab are frequently found amongst the artifacts left behind after a long-term ransomware attack or even an APT campaign.

AV/EDR Killer vendor (AI translated) January 2024

Recommendations

So-called AV/EDR “killer” tools typically rely on BYOD (Bring Your Own Driver) functionality and additional components such as Process Explorer, Zemana and others. This makes them highly visible to well-tuned platforms like SentinelOne Singularity™. Ensuring that the organization has good visibility into endpoint processes, along with anomaly detection, can provide additional safeguards against such tools.

For more information on Drainers and DaaS, defenders are encouraged to review The Rise of Drainer-as-a-Service | Understanding DaaS.

Law Enforcement and Disruption

It’s not all doom and gloom! Fortunately, there have been some important disruptions in the cybercrime landscape over late December and throughout January.

The main figurehead of the ShinyHunters threat group, Sebastien Raoult, was sentenced to 3 years in prison, along with having to pay requisite restitution. The group has an extended history of compromising developer repositories to steal API keys and other credentials. Raoult (alias “Sezyo Kaizen”) was found guilty of selling or facilitating the sale of breached company data across multiple platforms and markets. This includes well-known markets such as Alpha and Empire as well as forums like XSS and RaidForums.

Also this past month, a new decryption tool for the Tortilla variant of Babuk (aka Babuk Tortilla) has been released. The tool is the result of a collaboration between Cisco Talos, the Dutch Police and Avast. Following the apprehension of the actor associated with this particular variant of Babuk, Talos was able to work with Avast to expand the existing decryptor to accommodate the newly gained insight into other Babuk variants.

The Babuk Tortilla decryptor tool is available for download via the NoMoreRansom project.

Conclusion

The first month of 2024 has seen a continuation of the trends we’ve been highlighting across the last quarter of 2023. The increasing availability of tools that lower the barrier to entry for cybercriminals continues to fuel a crimeware ecosystem in which relatively unskilled threat actors can carry out low-risk/high-reward attacks on unprepared organizations.

The uptick in ‘Drainer-as-a-Service’ offerings and attacks is an extension of the service model popularized by ‘Ransomware-as-a-Service’ to target the widespread use and popularity of cryptocurrency, a model that seeks to steal from individuals but harnesses corporate assets to reach a large audience through social media account takeovers. As we often note, where there is money, an enterprising criminal will look for a way.

Organizations can improve their security posture, protect their assets, and avoid being the next victim on the list through awareness, training and suitable security technology. To stay informed and receive our next update, follow us on social media. To see how SentinelOne can help secure your business, contact us or request a free demo.