Microsoft Patch Tuesday, November 2023 Edition

Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.

The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.

Kevin Breen, senior director of threat research at Immersive Labs, said emails with .url attachments or logs with processes spawning from .url files “should be a high priority for threat hunters given the active exploitation of this vulnerability in the wild.”
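The hunting advice above can be turned into a simple check over process-creation and mail-gateway telemetry. This is an added example, not code from the article or from Immersive Labs; the JSON-lines event layout and every value in `SAMPLE_LOG` are constructed for the demo, and real process chains on a host vary.

```python
import json
import re
from typing import Dict, Iterable, List

# Matches a path or file-name token ending in ".url" (case-insensitive), e.g.
# C:\Users\alice\Downloads\invoice.URL or report.pdf.url, but not a string such
# as http://intranet.example/url where "url" is not a file extension.
URL_FILE_RE = re.compile(r'[^\s"\']+\.url(?=["\'\s]|$)', re.IGNORECASE)

# Constructed sample telemetry (JSON lines), not real logs: three process
# records loosely modelled on Sysmon Event ID 1 fields and one mail-gateway
# record listing attachment names.
SAMPLE_LOG = r'''
{"EventType":"process","Image":"C:\\Windows\\explorer.exe","CommandLine":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","ParentCommandLine":"userinit.exe"}
{"EventType":"process","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c echo ok","ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"C:\\Windows\\explorer.exe \"C:\\Users\\alice\\Downloads\\invoice.URL\""}
{"EventType":"process","Image":"C:\\Program Files\\Browser\\browser.exe","CommandLine":"browser.exe http://intranet.example/url","ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"C:\\Windows\\explorer.exe"}
{"EventType":"mail","Sender":"billing@example.test","Subject":"Invoice","Attachments":["report.pdf.url","notes.txt"]}
'''


def hunt_url_file_activity(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per event that references a .url file.

    Process events are flagged when the parent command line shows the process
    was spawned from a .url file, or when the command line itself opens one;
    mail events are flagged when an attachment name ends in .url (including
    double extensions such as report.pdf.url).
    """
    findings: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the hunt
        if event.get("EventType") == "process":
            for field, reason in (
                ("ParentCommandLine", "process spawned from .url file"),
                ("CommandLine", ".url file opened"),
            ):
                hit = URL_FILE_RE.search(event.get(field, ""))
                if hit:
                    findings.append({"reason": reason,
                                     "source": event.get("Image", ""),
                                     "url_file": hit.group(0)})
                    break  # one finding per event
        elif event.get("EventType") == "mail":
            for name in event.get("Attachments", []):
                if URL_FILE_RE.fullmatch(name):
                    findings.append({"reason": ".url email attachment",
                                     "source": event.get("Sender", ""),
                                     "url_file": name})
    return findings


if __name__ == "__main__":
    print(json.dumps(hunt_url_file_activity(SAMPLE_LOG.splitlines()), indent=2))
```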

The second zero day this month is CVE-2023-36033, which is a vulnerability in the “DWM Core Library” in Microsoft Windows that was exploited in the wild as a zero day and publicly disclosed prior to patches being available. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.

“This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” said Mike Walters, president and co-founder of the security firm Action1. “Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing.”

The final zero day in this month’s Patch Tuesday is a problem in the “Windows Cloud Files Mini Filter Driver” tracked as CVE-2023-36036 that affects Windows 10 and later, as well as Windows Server 2008 and later. Microsoft says it is relatively straightforward for attackers to exploit CVE-2023-36036 as a way to elevate their privileges on a compromised PC.

Beyond the zero day flaws, Breen said organizations running Microsoft Exchange Server should prioritize several new Exchange patches, including CVE-2023-36439, which is a bug that would allow attackers to install malicious software on an Exchange server. This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.

“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said.

Breen said this vulnerability goes hand in hand with three other Exchange bugs that Microsoft designated as “exploitation more likely:” CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035.

Finally, the SANS Internet Storm Center points to two additional bugs patched by Microsoft this month that aren’t yet showing signs of active exploitation but that were made public prior to today and thus deserve prioritization. Those include CVE-2023-36038, a denial of service vulnerability in ASP.NET Core with a CVSS score of 8.2, and CVE-2023-36413, a Microsoft Office security feature bypass. Exploiting the latter bypasses the protected mode when opening a file received via the web.

Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

The Future As One | Major Announcements from SentinelOne’s Inaugural OneCon

Last week in Boca Raton, Florida, SentinelOne hosted OneCon, our first-ever customer conference, which brought together some of the brightest minds from the cybersecurity community today.

Even in its earliest stages, we envisioned OneCon to be the industry’s most forward-thinking event, aimed at exploring new and innovative ways of thinking about security. For those who weren’t able to join us in person, read on for a round-up of all of the highlights from this year’s gathering.

Key News at OneCon23

Recognizing the business imperative of embedding a comprehensive security approach across the organization, we kicked off OneCon with the launch of PinnacleOne, a new strategic risk analysis and advisory group to support today’s organizational leaders. Led by industry experts Chris Krebs and Alex Stamos, PinnacleOne will help today’s executives with unparalleled intelligence, risk management insights, and transformative strategies to navigate today’s ever-changing threat landscape.

For this event, our focus was equipping customers with the innovative technology required to tackle both present and future cybersecurity challenges. In today’s ever-changing threat landscape and uncertain economic environment, enterprises are looking to increase efficiency, focus on what’s important, and accelerate their security operations to stay ahead of attacks.

To help our customers secure now and in the future, SentinelOne announced a unified set of innovations for the Singularity™ Platform:

  • Purple AI (Beta), an AI assistant to unify, accelerate, and simplify SecOps workflows
  • Singularity Endpoint’s new unified agent, covering endpoint and identity attack surfaces for continuous, real-time protection
  • Singularity Cloud Workload Security’s integration with Snyk to deliver code-to-cloud security
  • Singularity Data Lake, a central, unified solution for security and IT analytics streamlining ingestion, normalization, and visualization for rapid queries, retention, and processing.

“Enterprises don’t just need a robust and capable platform, they also need intelligent automation that simplifies the analyst experience and boosts the productivity of their security teams,” shared Ric Smith, Chief Product & Technology Officer at SentinelOne, in his OneCon keynote. “Guided by our belief that the fusion of design-driven product development and AI culminates in an unparalleled security experience, the Singularity Unity Release is meticulously crafted to heighten user experience and fortify security measures.”

PinnacleOne Advisory Group | Unparalleled Insights & Transformative Risk Management

In the face of increasingly complex and vulnerable systems, enterprise leaders contend with a changing global business landscape and developing geopolitical risks that, to cybercriminals and nation-state threat actors, create avenues for attack.

To support C-suite leaders, SentinelOne launched PinnacleOne at OneCon as a strategic risk analysis and advisory group. Through PinnacleOne, customers will have access to an elite team of experts, led by industry experts Chris Krebs and Alex Stamos, who will help today’s executives with unparalleled intelligence, risk management insights, and transformative strategies.

It all comes back down to the idea of fostering open communication and community. PinnacleOne was created as a direct response to those asking for help in solving the big security challenges and making sure their future path is a safe one. SentinelOne gives a warm welcome to Krebs, who joins SentinelOne as Chief Intelligence and Public Policy Officer and President of PinnacleOne, and to Stamos, who will serve as Chief Trust Officer for SentinelOne.

“In launching PinnacleOne, we are providing access to top experts who can help enterprises think bigger and broader than the siloed approaches of today,” said Tomer Weingarten, CEO, SentinelOne. “Our holistic approach to risk management will empower organizations to adapt and move forward with confidence across all products and environments.”

For more information on the PinnacleOne Advisory Group, read our Press Release here.

Purple AI | Empowering Analysts to Detect Earlier, Respond Faster & Stay Ahead of Attacks

SentinelOne is proud to be a pioneer in the application of AI to cybersecurity with the industry’s first AI-powered security platform. At OneCon, we announced our continued leadership with the beta release of Purple AI – our generative AI assistant that unifies, accelerates, and simplifies SecOps to help protect what matters most.

Today’s SecOps teams must contend with long alert queues, thousands of investigation hours, and complex configuration tasks, all compounded by a growing skills gap putting pressure on advanced analysts. This leaves little time for proactive threat hunting and results in analyst burnout and an overtaxed SOC.

Purple AI is a force multiplier that saves time and resources for security teams by scaling autonomous protection across the enterprise. Unify your workflows with a single place to access data across the platform and partner logs, and scale collaboration across teams using notebooks, which can save, tag, and export investigation workflows.

Simplify the complex by using natural language to streamline threat hunting and investigations. Every level of analyst is empowered with instructional hunting prompts, AI-powered auto-summaries, suggested queries, and actionable next steps. Finally, accelerate SecOps workflows with Purple AI’s auto-investigations* to collect evidence from the Singularity Data Lake, generate reports, and help determine a verdict for detected threats.

Underpinning it all, know that your data and privacy are protected. Purple AI models do not train using your data or requests, and we never share your processes or insights with other customers. To learn more, sign up for a demo today.

*Coming post-GA

Endpoint Security | Advanced Protection for Identity and Exposure Management

SentinelOne’s platform strategy focuses on enterprise-grade prevention, detection, and response across all attack surfaces from endpoints and devices to servers. The Singularity Platform Unity Release enhances customers’ endpoint security experience through new features like Identity (conditional access and breached password detection) and Attack Surface and Exposure Management (prioritizing and managing vulnerability exposures).

These new features will be seamlessly delivered in a single, rebootless agent with advanced behavioral detections built-in.

Cloud Security | Delivering Enhanced Protection with CNAPP

As part of the 12-month roll-out, the Singularity Platform will soon feature a comprehensive Cloud-Native Application Protection Platform (CNAPP) designed to safeguard public and private cloud infrastructures. By combining both agent and agentless capabilities, the platform will provide robust run-time protection and real-time defenses against threats, misconfigurations, and exposed secrets.

All of these features are set to integrate seamlessly with Singularity Operations Center and Data Lake, providing customers with deep visibility and operational governance over their entire digital estate.

The SentinelOne & Snyk Integration | Cloud Workload Protection From Build Time to Runtime

The complexity of the modern software supply chain and supporting apps makes prioritizing fixes a challenge for software developers and security teams. To solve this, SentinelOne has joined forces with Snyk, a leading force in developer security, to announce a new cloud-native security integration.

The OneCon crowd was first to hear about this latest integration, which works by correlating SentinelOne-identified cloud runtime threat detections together with vulnerabilities found by Snyk in container images. The integration empowers cloud security, application security, and developer teams to more effectively collaborate and address the root cause of rising issues.

While developers are under increasing pressure to build applications faster, they must also work with their security teams to secure both their build and runtime environments. The SentinelOne & Snyk integration supports this process by providing security teams the means to manage application risks in the cloud. This in turn simplifies the prioritization and remediation focus for developers.

The integration is now available to SentinelOne and Snyk customers through the Singularity Marketplace. Learn more about the integration here.

Singularity Data Lake | Cost-Effective, High Performance Security & Log Analytics

Singularity Data Lake enables organizations to centralize and transform data for cost-effective, high-performance security and log analytics. This consolidated, AI-powered security and log data platform brings together Security Information and Event Management (SIEM), Extended Detection and Response (XDR), and Log Analytics solutions. By streamlining cybersecurity and IT operations, it reduces complexity and enhances effectiveness in managing security.

Singularity Data Lake leverages the Open Cybersecurity Schema Framework (OCSF) to normalize all types of data, offering a full view of an organization’s security and data analytics. Its cloud-native architecture and marketplace of connectors simplify data importation and promote cost efficiency and scalability, leading to significant cybersecurity cost savings.

Singularity Data Lake empowers organizations to confidently navigate the ever-evolving threat landscape. By providing centralized data management, faster detection, advanced analysis, and enhanced investigation capabilities, these solutions offer more than just another cybersecurity product – they comprise a comprehensive data platform that drives business value and keeps organizations secure in today’s digital landscape.

Conclusion

We created OneCon as a space for cyber defenders to learn, share, and equip themselves with the tools and inspiration to confidently tackle today’s security challenges.

For the SentinelOne team, true enterprise-wide security lies in proactively and comprehensively securing the entire organization with the power of AI. In the face of a changing threat landscape, we are glad to be in the company of leading cybersecurity experts who are ready to collectively shift with us.

We’d like to thank all of our sponsors, guest speakers, partner presenters, support staff, event organizers, and most of all, our attendees for an amazing OneCon23. From all of us at SentinelOne, we look forward to seeing you at next year’s event!

Contact us to learn more about what we are doing to evolve the cyber defense industry or book a demo to get more in-depth experience with our newest integrations and security offerings.

It’s Still Easy for Anyone to Become You at Experian

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three and five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

If you don’t have an Experian account, it’s a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.

And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
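The two flows the post contrasts, modelled side by side: a registry that lets a repeat sign-up with the same identity data overwrite the account and merely notifies the old address, and one that parks the change until a one-time code sent to the email on file is presented. This is an added illustration, not code from the article or from any credit bureau; `hash_pw`, the registry classes, the `outbox` stand-in for email and all sample values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the demo stores no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    phone: str
    salt: bytes
    pw_hash: bytes


@dataclass
class PendingChange:
    code: str
    account: Account


class NotifyOnlyRegistry:
    """The flow the post describes: whoever presents the identity data (SSN,
    DOB, public-record answers) can re-register, the existing account's contact
    details and password are replaced outright, and the former email address
    only receives a notification after the fact."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[dict] = []  # stand-in for the mail system

    def register(self, identity: str, email: str, phone: str, password: str) -> str:
        old = self.accounts.get(identity)
        salt = secrets.token_bytes(16)
        self.accounts[identity] = Account(email, phone, salt, hash_pw(password, salt))
        if old is not None:
            # Notification only: the old address gets no say in the change.
            self.outbox.append({"to": old.email, "msg": "Your profile has changed"})
        return "created"

    def login(self, identity: str, password: str) -> bool:
        acct = self.accounts.get(identity)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, hash_pw(password, acct.salt))


class VerifiedChangeRegistry(NotifyOnlyRegistry):
    """Same identity check, but when an account already exists the new contact
    details are parked and a one-time code goes to the email already on file;
    nothing changes until that code is presented (the behaviour the post
    attributes to Equifax and TransUnion)."""

    def __init__(self) -> None:
        super().__init__()
        self.pending: Dict[str, PendingChange] = {}

    def register(self, identity: str, email: str, phone: str, password: str) -> str:
        old = self.accounts.get(identity)
        if old is None:
            return super().register(identity, email, phone, password)
        salt = secrets.token_bytes(16)
        code = secrets.token_hex(4)
        self.pending[identity] = PendingChange(
            code, Account(email, phone, salt, hash_pw(password, salt))
        )
        # The code is delivered only to the address on file, never to the new one.
        self.outbox.append({"to": old.email, "msg": "Confirm account change", "code": code})
        return "verification_required"

    def confirm(self, identity: str, code: str) -> bool:
        change = self.pending.get(identity)
        if change is None or not hmac.compare_digest(change.code.encode(), code.encode()):
            return False
        self.accounts[identity] = change.account
        del self.pending[identity]  # single use
        return True
```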

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device possession and ownership verification processes.”

Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my information.”

“I put my second phone number and the new email address,” he explained. “I received a single email in my original account inbox that said they’ve updated my information after I ‘signed up.’ No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number.”

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, ‘Welcome back, Pete!,’ and granting full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; may as well just make a new account every time.”

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

The Good, the Bad and the Ugly in Cybersecurity – Week 45

The Good | Russian National Linked to Ryuk Ransomware Laundering Schemes Sanctioned By US Authorities

One of Ryuk ransomware’s many affiliates just had a target placed on their back by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Ekaterina Zhdanova was sanctioned this week after being identified as a key player in laundering millions of dollars in cryptocurrency. Zhdanova leveraged her expertise in cryptocurrency and blockchain networks to circumvent anti-money laundering controls.

Zhdanova’s on-chain activity (Source: Chainalysis)

OFAC and blockchain analysis experts highlight her use of a vast global network of money launderers to obscure her financial activities while expanding her clientele. Most notably, Zhdanova is believed to have aided the Ryuk ransomware operation, laundering over $2.3 million in suspected ransom payments for one of its known affiliates.

Ryuk ransomware operators made global headlines during the COVID-19 pandemic after extorting healthcare facilities for astronomical ransoms. Her work with the Ryuk affiliate involved the use of a fake investment account and real estate transactions to conceal the origins of the ransom payments.

A long list of malicious transactions follows Zhdanova. Authorities say that she has also been identified in helping Russian oligarchs evade Western sanctions set after Russia’s invasion of Ukraine. In addition, she facilitated the transfer of over $100 million for a Russian oligarch to the United Arab Emirates, orchestrating cases where her clients could obtain UAE tax residency, ID cards, and bank accounts.

Now, Zhdanova faces a freeze on all her U.S.-based assets, and U.S. individuals and entities are barred from transacting with her. This move underscores the U.S. government’s commitment to curbing money laundering activities, especially those linked to ransomware operations and the evasion of international sanctions.

The Bad | BlazeStealer Malware Hidden in Python Open-Source Packages Targets Software Developers

Software developers are, once again, being targeted by threat actors through trojanized code libraries. Security research this week highlights at least eight developer tools published since January containing hidden payloads that are now reaching thousands of downloads.

So far, all eight in this series of packages have used Python programming language and are prefixed with the “pyobf” string to mimic genuine obfuscator tools like “pyobf2” and “pyobfuscator”. The latest in the string of malicious packages is called “pyobfgood”, which like its seven predecessors poses as a legitimate obfuscation tool for developers to defend against reverse engineering and code tampering.

Timeline of Python obfuscation traps (Source: Checkmarx)

In the case of the “pyobfgood” package, malware called BlazeStealer is installed as soon as the unsuspecting developer runs the code, giving the threat actor capabilities such as exfiltrating detailed host information, setting up keyloggers, stealing passwords from web browsers, downloading sensitive files, recording both screen and audio, and encrypting files for potential ransom. A list of the malicious package names and indicators of compromise may be found here.

Developers remain a lucrative target for threat actors, given their work with both sensitive and valuable information. Open-source libraries also continue to draw attention. In late September, a 10.0-level vulnerability in the LibWebP image library was exploited in the wild, and just last month a flaw found in curl, a widely-used open-source command-line tool, was described as one of the most serious bugs found in the tool for some time.

For now, the Biden administration and CISA have placed an open call out for support in securing the nation’s open-source software and have several ongoing security initiatives for the broader open-source ecosystem.

The Ugly | SaaS Analytics Firm Advises API Key Resets After AWS Account is Compromised

After evidence of a breach surfaced last Friday, Sumo Logic officially disclosed the incident this week, notifying users that its Amazon Web Services (AWS) account was compromised using stolen credentials. The Californian data analytics firm has confirmed that its systems, networks, and customer data remain unaffected.

Upon detection, Sumo Logic was able to lock down the exposed infrastructure and rotate all potentially compromised credentials. So far, the company has implemented additional security measures such as enhanced monitoring and vulnerability scanning to help prevent similar occurrences in the future. Continuous monitoring of network and system logs is also ongoing to identify any signs of additional malicious activity.

In response to the breach, Sumo Logic has advised its customers to rotate credentials used for accessing its services as well as those shared with the company for accessing other systems. Specifically, customers were urged to reset API access keys, Sumo Logic-installed collector credentials, third-party credentials stored for data collection purposes, and user passwords to Sumo Logic accounts.

While an investigation is ongoing, regular updates are being posted in the company’s Security Response Center. Sumo Logic has also pushed out a playbook instructing customers on how to update their API keys. Known for its cloud-native SaaS analytics platform, the firm offers log analytics, infrastructure monitoring, and cloud infrastructure security to over 2000 customers including 23andMe, GoFundMe, Mattel, and SEGA.

Threat actors continue to keep AWS accounts in their sights due to the wealth of sensitive data and critical services hosted on the platform. As a major cloud service provider, it is seen as a springboard into a vast number of businesses, government agencies, and high-profile organizations.

Announcing the Integration of SentinelOne CWPP with Snyk Container

SentinelOne is thrilled to announce general availability (GA) of the integration between our real-time, AI-powered cloud workload protection platform (CWPP) and Snyk Container. The integration and partnership helps cloud security practitioners, AppSec, and developers more seamlessly collaborate to streamline triage, stop the spread of security incidents for containerized workloads, and solve the root cause of issues impacting production back in application source code.

Overview

When Singularity Cloud Workload Security, the real-time CWPP from SentinelOne, detects a runtime threat to a containerized workload running on cloud infrastructure, the threat details are automatically enriched with relevant context from Snyk Container about known vulnerabilities in the application code.

These vulnerability details are ingested from Snyk Container into SentinelOne’s Singularity Data Lake in one of two ways: (1) via an API call to Snyk upon the runtime threat detection, and (2) optionally at a pre-defined cadence set by the customer.

By consolidating cloud security data from build and runtime, customers are better equipped to accelerate investigation and response. No more data silos, no more context switching, no more copy and paste. Instead, powerful context resides in one convenient location. Through the integration, our mutual customers can now:

  • Automatically correlate runtime threats to known container image vulnerabilities
  • Easily notify the source code owner
  • Better prioritize and fix source code vulnerabilities impacting production operations
  • Facilitate remediation of runtime issues at the workload source code

Getting Started

Phase 1 of the integration, in which runtime threat detections from SentinelOne are enriched with software vulnerabilities identified by Snyk, is available today to mutual customers. To get started, SentinelOne customers can navigate to the Singularity Marketplace from within the management console and search for Snyk.

As shown in Figure 1, select the Snyk app and install. This integration app will pull vulnerability details from the Snyk client into the Singularity Data Lake. Initial setup documentation can be found in the Knowledge Base document here.

Figure 1: Snyk in SentinelOne Singularity Marketplace

The Value of Combining Runtime and Build Time Context

Knowing which workload vulnerabilities to fix first is a challenge. Keeping container images free of vulnerabilities can be difficult, as developers often lack visibility into the severity and associated risks of build-time vulnerabilities. Although users of Singularity Cloud Workload Security have visibility into container threats at runtime, they lack context about the vulnerabilities in container images, sometimes not even knowing who owns the workload’s source code. Without this build-time context, identifying the root cause of these threats can be difficult and time-consuming.

Solving the vulnerabilities at the source, in the source code, is ideal, as this prevents recurrence.

By enriching runtime threat detections from SentinelOne with vulnerabilities in the workload image identified by Snyk, cloud security, AppSec, and developers can collaborate better. They are better equipped to make informed decisions, put critical issues first, and better manage risk.

The enrichment of runtime threats with build-time context helps streamline triage, stop the spread, and solve issues impacting production right back at the source code.

Example: Runtime Threat, Build Time Context

In our example, we are running a container on a Kubernetes worker node. This node is part of a k8s cluster deployed on our managed k8s service, Amazon Elastic Kubernetes Service. Singularity Cloud Workload Security for Kubernetes has detected a runtime threat affecting our example containerized workload. More specifically, and as shown in Figure 2, both the Application Control and Behavioral AI Engines on the SentinelOne CWPP agent have triggered on a curl command.

Figure 2: Behavioral AI Threat Detection on a K8s Node

After clicking into the incident for more detail, the user is presented with the details shown in Figure 3. Here we see that the CWPP agent has automatically assembled details relating to the threat indicators mapped to the MITRE ATT&CK TTPs, information on the Amazon EC2 instance which is running the container, as well as k8s context including container image information such as registry, repo, labels, and container ID.

Figure 3: Runtime Threat and K8s Context

With our integration with Snyk Container, SentinelOne automatically enriches these threat details with information from Snyk about vulnerabilities found in the workload image from which our container was instantiated.

As shown in Figure 4, Snyk has identified 377 vulnerabilities in the workload source code of varying severity, including five which are critical. A cloud security practitioner can include this information in a security ticket which they then route to the DevOps owner. The cloud security analyst and developer can easily pivot from the SentinelOne console to the Snyk Platform via a convenient deep link, to view the project details and fix the vulnerabilities at the source code.

Figure 4: Runtime Threat Enrichment with Build-Time Context from Snyk

Once the developer updates the code, rebuilds, and redeploys the image to the registry, a new container image can be launched from the clean image.
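The enrichment step described above, reduced to its mechanics, as an added illustration that is not SentinelOne or Snyk code: a runtime detection carries the container's image reference, a build-time scan report is keyed by that same image, and joining the two yields the owner, the severity breakdown and a triage priority that can go straight into a ticket. The detection event, the scan report, the hostnames, digests, project URL and vulnerability ids are all constructed placeholders; the join key (image digest, with a registry/repo:tag fallback) and the prioritization rules are the assumptions this example makes.

```python
"""Enrich a runtime container threat detection with build-time vulnerability
context.  Added example: the event and the scan report below are constructed
sample data in the shape a CWPP detection and a container image scan usually
carry; they are not SentinelOne or Snyk API payloads."""
from collections import Counter

# Constructed runtime detection: what a CWPP agent knows at detection time
# (process, technique, node, and the k8s/image context of the container).
RUNTIME_EVENT = {
    "detection_id": "det-0001",                              # placeholder id
    "engine": "Behavioral AI",
    "process": "curl",
    "mitre_technique": "T1105",                              # Ingress Tool Transfer
    "node": "ip-10-0-1-23.ec2.internal",                     # constructed hostname
    "namespace": "payments",
    "container_id": "abc123",                                # placeholder id
    "image": {
        "registry": "123456789012.dkr.ecr.us-east-1.amazonaws.com",  # constructed
        "repository": "payments/api",
        "tag": "1.4.2",
        "digest": "sha256:deadbeef",                         # placeholder digest
    },
}

# Constructed build-time scan results keyed by image digest, as a container
# scanner would report them (package, severity, whether a fix exists).
IMAGE_SCANS = {
    "sha256:deadbeef": {
        "project_url": "https://scanner.example/projects/payments-api",  # placeholder
        "owner": "team-payments",
        "vulns": [
            {"id": "VULN-1", "package": "openssl", "severity": "critical", "fixed_in": "3.0.12"},
            {"id": "VULN-2", "package": "curl",    "severity": "high",     "fixed_in": "8.4.0"},
            {"id": "VULN-3", "package": "zlib",    "severity": "medium",   "fixed_in": None},
            {"id": "VULN-4", "package": "libxml2", "severity": "low",      "fixed_in": "2.11.5"},
        ],
    }
}


def image_key(event):
    """Join key: prefer the immutable digest; fall back to registry/repo:tag."""
    img = event["image"]
    if img.get("digest"):
        return img["digest"]
    return f'{img["registry"]}/{img["repository"]}:{img["tag"]}'


def enrich(event, scans):
    """Attach build-time findings for the image the container was started from."""
    scan = scans.get(image_key(event))
    enriched = dict(event)
    if scan is None:
        # No scan for this image: the analyst cannot pivot to a source owner.
        enriched["build_context"] = None
        return enriched
    counts = Counter(v["severity"] for v in scan["vulns"])
    # Findings in the package of the detected process are the likeliest root
    # cause of the runtime behaviour, so they are surfaced separately.
    related = [v for v in scan["vulns"] if v["package"] == event["process"]]
    enriched["build_context"] = {
        "owner": scan["owner"],
        "project_url": scan["project_url"],
        "severity_counts": dict(counts),
        "fixable": sum(1 for v in scan["vulns"] if v["fixed_in"]),
        "related_to_process": related,
    }
    return enriched


def priority(enriched):
    """Triage order (0 = first): runtime-confirmed threats whose image has a
    critical finding, or a finding in the detected process's package, go first."""
    ctx = enriched.get("build_context")
    if not ctx:
        return 3
    counts = ctx["severity_counts"]
    if ctx["related_to_process"] or counts.get("critical"):
        return 0
    if counts.get("high"):
        return 1
    return 2


def ticket_summary(enriched):
    """Plain-text body for the ticket routed to the workload's DevOps owner."""
    ctx = enriched["build_context"]
    img = enriched["image"]
    lines = [
        f'Runtime threat {enriched["detection_id"]}: {enriched["process"]} on {enriched["node"]}',
        f'Image {img["repository"]}:{img["tag"]} ({img["digest"]})',
    ]
    if ctx is None:
        lines.append("No build-time scan for this image; owner unknown.")
    else:
        lines.append(f'Owner: {ctx["owner"]}  Findings: {ctx["severity_counts"]}  Fixable: {ctx["fixable"]}')
        for v in ctx["related_to_process"]:
            lines.append(f'  Related: {v["id"]} in {v["package"]} ({v["severity"]}), fixed in {v["fixed_in"]}')
        lines.append(f'Fix at source: {ctx["project_url"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    result = enrich(RUNTIME_EVENT, IMAGE_SCANS)
    print(f"priority={priority(result)}")
    print(ticket_summary(result))
```

Joining on the digest rather than the tag matters: a tag such as `1.4.2` can be re-pushed, so the scan that applies to a running container is the one for the exact image it was instantiated from. An image with no scan is still reported, but at the lowest priority and flagged as having no known owner, which is itself a finding worth a ticket.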

Better Cloud Security Outcomes

By correlating runtime threat detections by SentinelOne with vulnerability details identified by Snyk, cloud security practitioners can slash mean time to repair and more easily collaborate with AppSec and development teams to solve root cause in workload source code. The combination of SentinelOne Singularity Cloud Workload Security and Snyk Container helps customers close the runtime-to-build-time feedback loop, improve triage and prioritization, and create better cloud security outcomes.

To see how our two solutions work seamlessly together, check out this 2-minute guided walk-through. To learn more about the value of real-time CWPP in your cloud security stack, head over to the Singularity Cloud Workload Security homepage. And of course, whenever you are ready, you may connect with one of our cloud security experts for a personalized demo.

Join Our Webinar | Nov 16

SentinelOne and Snyk | Streamlining Cloud Incident Response, from Runtime to Build Time
Thursday, November 16 at 10:00 a.m. PST / 1:00 p.m. EST

The Truth Crisis | The Rising Threat of Online Misinformation and Disinformation

Access to the internet and social media platforms lies in the backpocket of nearly every user in the world. From a security point of view, one of the fastest rising concerns is how this level of connectivity is being used to spread discord and division both quickly and across huge numbers of users.

According to the latest global survey by the United Nations, more than 85% of people are concerned about the impact of disinformation. Some 87% believe that misinformation, disinformation, and malinformation (MDM) campaigns have already left a negative impact on their country’s politics and would play a significant part in future elections.

Since the consequences of MDM extend far beyond the digital realm, threat actors including nation-states, advanced persistent threat (APT) groups, cybercriminals, and hacktivists are increasingly turning to deceptive tactics to target victims and pursue their objectives.

This blog explores the evolving threat of MDM campaigns and their role in the cyber warfare arena, exposing the strategies used by threat actors and the risks posed to organizations, businesses, and society at large.

Misinformation Campaigns | The Snowball Effect of Mistakes & Fake News

Misinformation, often stemming initially from genuine mistakes or inaccuracies, has had a long and storied history. In the last two decades alone, several notable misinformation cases have threatened public safety:

  • Iraq War and Weapons of Mass Destruction (WMD) – In 2003, faulty and exaggerated reports of Iraq’s apparent possession of weapons of mass destruction, as promoted by some government officials and the media, played a significant role towards catalyzing the U.S.-led invasion of Iraq. Over the course of nine years, millions of displaced Iraqi victims, and a death toll numbering at 4500 American and 185,000 Iraqi lives, the Iraq War is still widely viewed as a foreign policy disaster.
  • Pizzagate – During the 2016 US presidential election cycle, one man’s personal email account was hacked in a spear phishing attack. After the emails were leaked, conspiracy theorists falsely claimed that they hid coded messages leading to an alleged human trafficking ring run by high-ranking Democratic party officials. After one pizzeria in Washington, D.C. was pinpointed as a trafficking establishment, an armed individual entered the pizzeria to “investigate” the claims, opening fire and threatening the employees.
  • COVID-19 Misinformation – Throughout the height of the COVID-19 pandemic, a barrage of fake news and misinformation circulated widely, impacting public health and security. Unfounded claims about the virus’s origins, treatments, and preventive measures have led to confusion, noncompliance with public health guidelines, and life-threatening consequences. Health misinformation directly contributes to the spread of disease and the cases seen during the pandemic highlighted the gaps in content checks on popular social media platforms.

Today, misinformation campaigns have evolved into a more sophisticated form, with threat actors purposefully exploiting the echo chambers of social media to propagate false information or “fake news”. The manipulation of algorithms, the use of deepfakes, and hijacking of “For You” pages (suggesting trending topics) have all contributed to an efficient spread of deceptive content.

Disinformation Campaigns | Sowing the Virtual Seeds of Discord

Disinformation campaigns work by deliberately spreading false information to deceive, manipulate, or sow discord. These campaigns target many at once, influencing elections, escalating geopolitical tensions, and creating real-world security threats. To date, state-sponsored actors, hacktivists, and criminal groups continue to conduct disinformation operations on a global scale through propaganda, political manipulation, and psychological warfare. Some notable examples include:

  • Russian Interference in U.S. Presidential Elections – During the 2016 election cycle, Russian state-sponsored actors leveraged social media to launch a multifaceted disinformation campaign to influence election outcomes and erode public confidence in the American government. This campaign raised concerns about national security and the resilience of democratic institutions against cyber threats. Foreign actors including Russia and Iran again attempted to interfere during the 2020 cycle by promoting false narratives about election fraud, aiming to undermine public trust in the democratic process.
  • Brexit and Scottish Independence Referendums – A U.S. Senate report in 2018 stated that Russia had sought to influence democracy in the United Kingdom through “disinformation, cyber hacking and corruption”, and that researchers had identified 150,000 Twitter accounts with various ties to Russia that disseminated messages about Brexit before the referendum, indicating “that the broader aim was to magnify societal discord”. In January 2023, the European Court of Human Rights sought a response from the British government to a legal claim that it had failed to properly investigate Russian interference in both the Brexit referendum and the 2014 Scottish referendum on independence. A 2020 British Intelligence and Security Committee was said by the same report to have found credible evidence Russia had tried to influence the Scottish referendum.
  • French Presidential Election – In the lead-up to the 2017 French presidential election, various state-sponsored and non-state actors launched disinformation campaigns to influence the election’s outcome. Spreading doctored tweets and emails, the actors attempted to threaten the security of the electoral process and public trust in specific electoral candidates.
  • Ongoing Disinformation in the Russia-Ukraine War – Ukraine has been a hotspot for disinformation campaigns for several years, driven largely by Russia’s efforts to shape narratives, undermine the Ukrainian government, and influence events in the region. These campaigns, which claim Ukrainian aggression or exploit ethnic divisions within Ukraine for example, are part of a broader information warfare strategy that continues to be used to exploit political and social fault lines.

Malinformation | Branching Information Warfare Into Identity-Based Attacks

Malinformation campaigns are a more recent development in information warfare. These involve the release or distribution of truthful and legitimate private information for malicious intent. Malinformation often originates from data breaches or social engineering, where sensitive personal or corporate data is stolen or leaked and then published out of context. Victims of malinformation are then usually subject to doxxing, swatting, or other means of blackmail and harassment. These campaigns also harm organizations by publishing trade secrets, confidential data, or proprietary information. Infamous examples of malinformation cases are:

  • LinkedIn Data Breach – In 2012, a massive data breach exposed the passwords of millions of LinkedIn users. Many victims experienced extortion attempts when hackers threatened to reveal their compromised LinkedIn credentials unless a ransom was paid. Four years later, reports alleging the sale of the stolen credentials on the dark web surfaced, showing how potent breaches like this can be in both the short and long run.
  • GamerGate – A controversy that began in 2014 within the gaming industry but quickly escalated into a vicious online harassment campaign. Women and marginalized communities in the gaming industry were being targeted with doxxing, swatting threats, and harassment. The campaign highlighted the dark side of online communities and the impact of malinformation on personal security.
  • Political Doxxing During the Hong Kong Protests – During the pro-democracy/anti-government protests in Hong Kong in 2019, an unprecedented wave of doxxing campaigns targeted activists as well as police officers and journalists. Individuals on both sides of the protest line saw their private information (names, photos, ages, and occupations) shared across social media apps like Telegram.

MDM Tactics Move Into the Corporate World | How to Protect Enterprises & Organizations

In 2018, tech manufacturer Broadcom Inc. received a forged memo allegedly signed by the U.S. Department of Defense, asking for a review of their upcoming $19 billion acquisition of CA Technologies by the Committee on Foreign Investment in the United States (CFIUS). CFIUS is tasked with reviewing international deals for potential security risks to the nation. Since the acquisition of CA Technologies by Broadcom involved only American companies, the review had no basis, triggering suspicion.

Although quickly confirmed by the DoD to be fraudulent, the fake missive challenged national security measures in the public eye and caused both companies’ stocks to fall briefly. Examples like this show that the risks of MDM threats not only exist in geopolitical and social spheres, but the corporate sphere, too.

MDM threats in the corporate sector focus on causing brand and reputational damage, loss of customer trust, and both short and long-term financial losses. Disinformation-as-a-Service (DaaS) models, for example, allow malicious actors to purchase tailored MDM campaigns for their specific objectives. DaaS providers leverage a wide array of techniques, including creating and disseminating false narratives, manipulating online content, and conducting social engineering campaigns to achieve their goals.

Why Misinformation, Disinformation & Malinformation (MDM) Is a Cybersecurity Problem

MDM campaigns thrive off of connectivity and globalization to attack human perception both online and offline and have become a key component of modern information warfare. The intersection between MDM campaigns and cybersecurity can be examined across the following areas:

Terrain | Where Threat Actors Operate MDM Campaigns

While social media platforms often act as gateways and amplifiers for MDM campaigns, threat actors also leverage networking infrastructure and routing services to distribute malware, ransomware, and more to perform their malicious tasks. Disinformation and cybersecurity involve many of the same stakeholders within the private sector and the internet technical community.

Tools | Sharing the Same Methods of Attack

There is a substantial overlap between MDM and cybersecurity in terms of attack tools and methodologies. Much like in cyberattack strategies, MDM takes advantage by manipulating their victims’ anxieties and heightened emotions. For example, the deployment of “fearware”, a subset of phishing lures that thrived during the pandemic, preys on misinformation and information gaps. Further, disinformation campaigns and cybercrime tactics both dip into the realm of illegal dark web transactions, ill-got data and assets, and various forms of fraud.

Incentive | The ‘Why’ Behind MDM Campaigns

Hacking, cybercrime, and influence operations offer lucrative opportunities, often outsourced to skilled threat actors or cybercrime-as-a-service infrastructures. While individuals and businesses have increased their preparedness for ransomware attacks, MDM strategies like defamation and extortion are commonly used to inflict long-term reputational harm and secure a financial gain.

Applying Cybersecurity Lessons to Combat MDM Campaigns

Implementing robust cybersecurity practices plays an important role in protecting organizations from a wide variety of threats. Cybersecurity practices are designed to identify and detect anomalies in data, network traffic, and user behavior. Advanced endpoint protection solutions can continuously monitor network traffic and identify suspicious patterns or deviations from the norm.

Ongoing monitoring is critical in the battle against MDM campaigns, particularly those feeding off public anxiety about current events. Cybersecurity teams continuously track information sources, social media channels, and online forums for signs of disinformation and misinformation. Automated tools and manual analysis help monitor the spread of false information and gauge its impact. Organizations can employ threat intelligence feeds and social listening tools to stay informed about emerging threats and campaigns.

Following cybersecurity best practices can also help to protect against harm caused by MDM campaigns. Effective best practices include implementing role-based access controls (RBAC), multi-factor authentication (MFA), encryption, and secure coding practices to safeguard information and data integrity. Cyber hygiene, such as regular software patching and updates, can also reduce any known vulnerabilities that malicious actors might exploit.

While cybersecurity best practices are essential, it is important to acknowledge that MDM campaigns are not solely a technical problem. These campaigns often involve psychological manipulation, social engineering, and the exploitation of cognitive biases. On the user side, security awareness training educates employees about the risks of falling victim to disinformation campaigns, teaching them to recognize and report suspicious activities.

Conclusion

The evolving threat of MDM campaigns continues to tighten its grip on the digital landscape, impacting geopolitical, social, and corporate spheres. Waves of these campaigns have become a common occurrence in modern cyber warfare, where information is strategically weaponized to manipulate election outcomes, disrupt critical operations, and undermine public trust.

MDM campaigns are a symptom of the dynamic nature of our digital age. In this ongoing battle, knowledge, vigilance, and proactive measures are the best defense against the rising influence of MDM tactics and their role in the realm of cyber warfare.

As businesses navigate these developing threat tactics and techniques, adopting a multi-dimensional security strategy that combines robust preventive measures with XDR capabilities becomes a vital one. To learn more about how SentinelOne’s Singularity XDR can help defend your organization, book a demo or contact us today.


Who’s Behind the SWAT USA Reshipping Service?

Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today’s Part II, we’ll examine clues about the real-life identity of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.

Based in Russia, SWAT USA recruits people in the United States to reship packages containing pricey electronics that are purchased with stolen credit cards. As detailed in this Nov. 2 story, SWAT currently employs more than 1,200 U.S. residents, all of whom will be cut loose without a promised payday at the end of their first month reshipping stolen goods.

The current co-owner of SWAT, a cybercriminal who uses the nickname “Fearlless,” operates primarily on the cybercrime forum Verified. This Russian-language forum has tens of thousands of members, and it has suffered several hacks that exposed more than a decade’s worth of user data and direct messages.

January 2021 posts on Verified show that Fearlless and his partner Universalo purchased the SWAT reshipping business from a Verified member named SWAT, who’d been operating the service for years. SWAT agreed to transfer the business in exchange for 30 percent of the net profit over the ensuing six months.

Cyber intelligence firm Intel 471 says Fearlless first registered on Verified in February 2013. The email address Fearlless used on Verified leads nowhere, but a review of Fearlless’ direct messages on Verified indicates this user originally registered on Verified a year earlier as a reshipping vendor, under the alias “Apathyp.”

There are two clues supporting the conclusion that Apathyp and Fearlless are the same person. First, the Verified administrators warned Apathyp he had violated the forum’s rules barring the use of multiple accounts by the same person, and that Verified’s automated systems had detected that Apathyp and Fearlless were logging in from the same device.  Second, in his earliest private messages on Verified, Fearlless told others to contact him on an instant messenger address that Apathyp had claimed as his.

Intel 471 says Apathyp registered on Verified using the email address triploo@mail.ru. A search on that email address at the breach intelligence service Constella Intelligence found that a password commonly associated with it was “niceone.” But the triploo@mail.ru account isn’t connected to much else that’s interesting except a now-deleted account at Vkontakte, the Russian answer to Facebook.

However, in Sept. 2020, Apathyp sent a private message on Verified to the owner of a stolen credit card shop, saying his credentials no longer worked. Apathyp told the proprietor that his chosen password on the service was “12Apathy.”

A search on that password at Constella reveals it was used by just four different email addresses, two of which are particularly interesting: gezze@yandex.ru and gezze@mail.ru. Constella discovered that both of these addresses were previously associated with the same password as triploo@mail.ru — “niceone,” or some variation thereof.

Constella found that years ago gezze@mail.ru was used to create a Vkontakte account under the name Ivan Sherban (former password: “12niceone”) from Magnitogorsk, an industrial city in the southern region of Russia. That same email address is now tied to a Vkontakte account for an Ivan Sherban who lists his home as Saint Petersburg, Russia. Sherban’s profile photo shows a heavily tattooed, muscular and recently married individual with his beautiful new bride getting ready to drive off in a convertible sports car.

A pivotal clue for validating the research into Apathyp/Fearlless came from the identity intelligence firm myNetWatchman, which found that gezze@mail.ru at one time used the passwords “геззи1991” (gezze1991) and “gezze18081991.”

Care to place a wager on when Vkontakte says Mr. Sherban’s birthday is? Ten points if you answered August 18 (18081991).

Mr. Sherban did not respond to multiple requests for comment.

The Good, the Bad and the Ugly in Cybersecurity – Week 44

The Good | Global Alliance Looks to Curb Illicit Crypto Funds

This week Washington DC played host to the third annual International Counter-Ransomware Initiative summit, and delegates from 40 countries are pledging their support to prevent the payment of ransom demands to cybercriminals.

The news comes on the back of record numbers of ransomware attacks in September, with 514 incidents worldwide. Every month of 2023 has so far seen an increase in attacks compared to the same month last year, with the U.S. bearing the brunt of the surge, accounting for half of all ransomware incidents globally. New actors such as LostTrust and RansomedVC have significantly contributed to the 153% year-on-year increase.

In response, a U.S.-led global initiative will seek to block cybercriminals from being paid and to seize illicit funds. Countries will share information on crypto wallets being used for ransomware payments and AI will be deployed to analyze blockchain transactions to identify criminal proceeds. Information will be shared across partner countries on two information sharing platforms, one set up by Lithuania and another jointly by Israel and the UAE.

Deputy National Security Adviser Anne Neuberger said that the problem of ransomware will only continue to grow until governments take action to stop the flow of money. Ransomware gangs work across national borders and the widespread use of cryptocurrency has fuelled the explosion in cybercrime. The most effective way to address the problem is to remove the ability for criminals to receive funds.

The Bad | SolarWinds Allegedly Defrauded Investors

Bad news for investors of Texas-based software outfit SolarWinds and its CISO, Timothy G. Brown, as concerning news broke this week that the SEC is charging both for fraud and internal control failures relating to cybersecurity vulnerabilities and risks.

SolarWinds was, of course, a primary target in the massive 2020 SUNBURST supply chain attack. The SEC alleges that for at least two years prior to that, SolarWinds knew of specific vulnerabilities and risks that were inconsistent with its public statements to investors. According to the complaint, SolarWinds knew that its remote access set-up was insecure and that an internal report said a threat actor could “do whatever without us detecting it until it’s too late”. Presentations by Brown in 2018 and 2019 stated that the company’s “current state of security leaves us in a very vulnerable state”, according to the SEC’s 68 page complaint.

In addition, subsequent to the cyber attack on SolarWinds, Brown allegedly wrote that “our backends are not that resilient”. Other company documents are said to have stated that “the volume of security issues being identified over the last month” had “outstripped the capacity of Engineering teams to resolve”.

The SEC says that Brown and SolarWinds ignored repeated warnings about cyber risks and failed to address them, instead engaging in “a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

SolarWinds and Brown both deny the allegations, claiming that the company “maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since”.

The Ugly | Vendor Leaks PII of Identity Management Firm’s Employees

There is more troubling news concerning Okta this week as the company revealed that almost 5000 current and former employees had sensitive personal information exposed as a result of a third-party vendor breach.

According to Okta’s data breach notification, a data security incident at Rightway Healthcare, which managed healthcare provision for Okta employees between 2018 and 2020, led to the leak of personal information including names, SSNs and health or medical insurance plan numbers.

Rightway informed Okta last month that an unauthorized actor had gained access to the data likely in September 2023. At the present time, there is believed to be no evidence of the data being used against individuals, but the company has offered 2 years of free credit monitoring and fraud detection services to affected employees.

The breach notification comes in the wake of several cybersecurity incidents for Okta over the last two years. Just last month the company reported that a threat actor had gained access to files uploaded by some Okta customers, with a downstream impact on clients such as 1Password, BeyondTrust and Cloudflare, among others. Last year, hacking gang Lapsus$ gained access to confidential information and source code belonging to the company.

Due to its market position providing identity management services to thousands of organizations, Okta is a hugely attractive target for cybercriminals. In a statement today, the company apologized to its customers and said it is “deeply committed to providing up-to-date information” about cyber security incidents.

Welcoming Our New President & Chief Revenue Officer | Q&A with Michael Cremen

Today, we are thrilled to welcome Michael Cremen to SentinelOne as our President and Chief Revenue Officer. Michael is an accomplished international executive with extensive GTM experience in scaling software and SaaS companies. He will be responsible for the planning, development and global execution of our GTM strategy as we continue to evolve our business and deliver industry-leading growth.

Michael joins us from Elastic, a data search, observability and security company, where he was responsible for the global sales organization and field operations. Prior to joining Elastic, Michael was the Chief Revenue Officer at Cohesity and also served at Veritas Technologies and Hitachi, Ltd. in executive leadership roles.

We sat down with Michael to learn more about his decision to join SentinelOne and get his early thoughts on our rapidly growing business, industry-leading tech, stellar customer portfolio and award-winning culture.

Why SentinelOne?

When I consider joining an organization, I look at five key factors, and SentinelOne scored off the charts in each of these categories:

  • Product/Market fit
  • Long-term Vision of the CEO
  • Continuous Innovation and R&D
  • Market Reputation and Partnerships
  • People and Culture

SentinelOne is a company of firsts, driven by a unique vision and amazing technology. We were first to incorporate generative AI into cybersecurity, and we continue to bring innovations to market that help our customers see the future and secure it today. We are the global leader in AI security. This kind of innovation is the foundation of our market reputation, and that’s an early source of pride for me.

We were recently named the Best AI-Based CyberSecurity Solution Provider by the CyberSecurity Breakthrough Awards. And we are a top choice among customers, with 96 percent of end users who participated in the latest Gartner Peer Insights Customer Choice for Endpoint Protection Platforms report saying they would recommend us.

We are growing at a rapid pace, faster than any other public security company, and we are committed to scaling our business to support this growth. All of this was very compelling to me. But what really sealed the deal was the culture. During my interview process, I asked those I met what they loved most about SentinelOne, and the answer was the same – the People. I needed to be a part of that.

What are your first impressions of our Business and our Sentinels?

For me, it’s a perfect fit! Our Business is progressive and proactive. We are constantly evolving to better protect our customers against the evolving threat landscape. And our Sentinels are second-to-none when it comes to customer focus, relentlessness, diligence and dedication to our mission.

What do you see happening in the market?

We are seeing a proliferation of cyber incidents, new software vulnerabilities and an uptick in the use of AI-based attack methods – all of which have exposed the shortcomings of many cybersecurity vendors.

The opportunity in the cloud security market is enormous, and it’s constantly evolving. There’s a massive data explosion, and no one is better prepared to harness and secure enterprise data than SentinelOne. The value of one comprehensive platform allows for consolidation of products and improved business continuity. And the future is bright – AI is foundational for SentinelOne, and as the leader in this space, we will continue to define the future of cybersecurity.

What opportunity do you see in the cloud security market?

In the cloud security market, we see a significant opportunity. While it’s currently fragmented, our strong presence in workload security positions us as a clear leader. What excites me is our product roadmap, which will continue to differentiate our platform and cloud solutions from the standalone CSPM solutions we see today. Our platform-centric approach will offer a unique solution to cloud security, reducing complexity, increasing protection and reducing risk. Customers and partners can expect us to deliver mature, innovative, and complete cloud security solutions, setting a new industry standard and leading the way in this vital cybersecurity arena.

What can our customers and partners expect of you?

They can expect visibility and engagement from me – around the world and across the industry. Everything I do as a GTM leader has a partner-centric approach. I will operate as their champion within SentinelOne and with our partners. I will make investments across each aspect of our GTM business and strengthen alignment with our Product and Engineering teams. Finally, I will ask for and look forward to constant feedback so that I can ensure our teams are supporting our customers and partners in the most optimal way possible.

What is your vision for the future of SentinelOne under your leadership?

My vision is to solidify SentinelOne as the undisputed leader in AI-driven cybersecurity. I want us to continue expanding our global reach, empowering organizations of all sizes to protect their organizations from endpoint to cloud with confidence. We’ll achieve this through strategic partnerships, cutting-edge technology, and a relentless commitment to customer success.

So, State-Sponsored Attackers Are Targeting Your Mobile Device. Now What?

Earlier this week, Apple notified a number of individuals that their iPhones had apparently been targeted by state-sponsored attackers. Around a dozen iPhone users, including journalists and politicians from India’s opposition parties, are said to have received the alerts. Apple began warning users that they might be targeted by sophisticated nation-state hackers in 2021, after the discovery that Pegasus spyware was being widely used by governments and other entities to compromise mobile devices. Since then, individuals in over 150 countries have been notified of potential nation-state attacks against their Apple devices.

Receiving an alert, however, leaves users with little or no indication of how they are being targeted or by whom. The wording of the alert even allows that it might be a mistake, raising questions about how alarmed users should be and what they ought to do. In this post, we explain how threat notifications work, discuss the security threat to mobile devices, and offer guidelines for concerned users.

What Are Apple Threat Notifications?

In the wake of rising spyware attacks by private-sector greyware vendors such as the now-sanctioned NSO Group (developer of Pegasus), Candiru, Positive Technologies and Computer Security Initiative Consultancy, Apple began sending alerts to users whenever it discovers activity “consistent with a state-sponsored attack”.

The alerts contain only generic information about such attacks and give no indication of precisely what Apple found, nor who might be behind the attack. Recipients are warned that attackers may be able to remotely access the device’s camera, microphone, data and applications such as messaging software. Somewhat confusingly, Apple’s alert also tells users that this could be a false alarm, but that the recipient should “take this warning seriously”.

ALERT: State-sponsored attackers may be targeting your iPhone

The alerts are sent via email and iMessage to the email addresses and phone numbers associated with the targeted Apple ID, and Apple also displays a banner notification on the user’s Apple ID login page. Because an email or iMessage copy of the alert is easy for a phisher to imitate, the banner is the reliable check: sign in to your Apple ID account page directly rather than through any link in the message, and treat a message that has no matching banner with suspicion.

Source: Apple

Who Is Behind the Attacks?

While there is plenty of speculation about who might be behind the activity Apple warned users about this week, the information Apple provides is not enough to attribute a batch of threat notifications to any specific state-sponsored actor.

Apple says its alerts are based on “threat intelligence signals” that may be imperfect and incomplete, and the company says it withholds making those details public “as that may help state-sponsored attackers adapt their behavior to evade detection in the future”.

However, a number of well-known Private Sector Offensive Actors (PSOAs) specialize in developing and selling mobile device exploits to governments and other “security” agencies. PSOAs may be contracted by nation-states to help them avoid attribution, or they may provide “software as a service” that nation-state actors deploy in their own campaigns.

The most commonly observed PSOA in this space is NSO Group, whose Pegasus software was recently delivered through a zero-click iOS zero-day exploit chain to compromise the mobile device of a Washington DC-based civil society organization. Following that attack, Apple has in recent weeks issued three separate iOS security updates to patch bugs it says may have been “actively exploited in the wild”.

What Are the Threats to Mobile Devices?

Although mobile malware is most widely associated with spyware for surveillance and data theft, it has also been used for a broader range of sinister purposes. There are known cases where it has been employed to fabricate evidence of a crime: attackers have used malware to plant false data or tamper with existing records on a device, creating a virtual trail of incriminating information against an unsuspecting victim.

Such tactics can be used to frame individuals or organizations for illicit activities, damaging their reputation or even leading to legal consequences. One example of an attacker that repeatedly and consistently planted evidence is the ModifiedElephant APT, which we reported on early last year.

What Should You Do If You Receive an Apple Threat Notification?

Threat actors evolve quickly, and as long as they are able to avoid attribution and repercussions of their actions, we can expect their activity to recur. For those who receive a threat notification, or who operate in high-profile political, religious, business, or civil society communities, the following recommendations can help:

  1. Enable automatic updates for all of your devices, including iPhones, Macs, and Windows PCs, so that patches for actively exploited bugs are applied as soon as they ship.
  2. Ensure multi-factor authentication is enabled on your iCloud account and on every email account you own. We strongly recommend hardware security keys rather than text-message (SMS) codes, which can be intercepted or redirected.
  3. Turn on iOS Lockdown Mode. It deliberately reduces attack surface, so expect some functionality to be limited (most message attachment types, link previews and some web features are blocked).
  4. Enable Advanced Data Protection for iCloud. Note that with end-to-end encryption you are responsible for recovery: set up a recovery key or recovery contact and keep it safe.
  5. Remove all unnecessary apps from your devices, and run Safety Check (Settings > Privacy & Security) to review and reset what you have shared with people and apps.
  6. Reboot or force-restart mobile devices at least once a day. Many mobile implants do not persist across a restart, so a daily reboot limits how long a non-persistent infection stays active, although it does not stop a re-infection.
  7. Back up your mobile device at least once a week. Besides protecting your data, a backup preserves artifacts that can be examined later if you come to suspect a compromise.
  8. Avoid jailbreaking your device. Jailbreaking removes platform security protections and generally increases the risk to the device.
  9. For work devices, ask your organization to provide a trusted mobile security solution.

And What About Android Devices?

Although threat notifications are an Apple-only service, users may possess other kinds of mobile and computing devices. Android devices, for example, can be hardened with the following measures:

  1. Enable automatic updates for both the operating system and apps.
  2. Install apps only from Google Play; never sideload APKs or use a third-party app store.
  3. Understand the risks of rooting a device. Like jailbreaking, this generally introduces more security weaknesses.
  4. Know how to use Android’s Lockdown option. Unlike iOS Lockdown Mode, it is not a persistent hardening mode: it is a one-time action in the power menu (on some versions it must first be enabled in the lock screen settings) that disables biometric unlock and Smart Lock and hides lock screen notifications until the device is next unlocked with the PIN, pattern or password. It is useful when there is a risk of someone forcing the phone open with your face or fingerprint.
  5. Enable device encryption. Modern Android encrypts storage by default, so the practical step is to set a strong PIN or password, since the screen lock protects the encryption keys.
  6. If your organization uses Android for Work, consider using a work profile to separate work and personal activity, and request a trusted mobile security solution.
  7. Consider a reputable Android security solution for non-work devices.
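Items 2 and 3 above can be checked rather than just assumed. On Android, `adb shell pm list packages -3 -i` lists third-party packages with the package that installed them; Google Play reports itself as `com.android.vending`, while an APK pushed over adb shows `installer=null` and one opened by hand shows the system package installer. The following script, an added example that is not SentinelOne’s code, parses that output and flags anything not installed by a trusted store. The sample output, the package names in it and the `TRUSTED_INSTALLERS` set are constructed for illustration and are assumptions, not data from a real device.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `adb shell pm list packages -3 -i` output, as assumed
# for this example. The package names are invented and not from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.freevpn  installer=null
package:com.example.cleaner  installer=com.google.android.packageinstaller
package:com.corp.mdmagent  installer=com.corp.mdm
"""

# Installers treated as trusted: Google Play by default. A managed device would
# add its MDM agent here. Assumption to be adjusted per organisation.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# One line per package: "package:<name>  installer=<installer or null>"
_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> installer package ("null" means adb/sideload)."""
    packages: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if match is None:
            # Fail loudly: a changed format should not silently hide packages.
            raise ValueError(f"unexpected pm output line: {line!r}")
        packages[match.group(1)] = match.group(2)
    return packages


def flag_sideloaded(packages: Dict[str, str],
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return packages whose installer is not in `trusted`, sorted for review."""
    return sorted(pkg for pkg, installer in packages.items()
                  if installer not in trusted)


if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg in flag_sideloaded(pkgs):
        print(f"REVIEW {pkg:40} installer={pkgs[pkg]}")
```

On a real device, capture the list with `adb shell pm list packages -3 -i > packages.txt` and pass the file contents to `parse_pm_list`. Collecting it requires USB debugging, which is itself an exposure on a phone that may be targeted, so enable it only for the check and turn it off afterwards. A flagged package is a starting point for review, not proof of compromise; an enterprise MDM agent, for instance, will legitimately appear with its own installer name.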

Personal computers, whether Windows, Mac or Linux, should also be protected by trusted security software. Note that OS vendor-supplied security software is itself regularly targeted by threat actors looking for exploitable bugs; both Windows and macOS have received multiple patches this year alone for vulnerabilities “actively exploited in the wild”.

Conclusion

In a world where state-sponsored attackers are increasingly targeting mobile devices, vigilance is essential. The recent widespread notifications from Apple serve as a stark reminder that no one is immune to such threats. As we’ve discussed, the potential for mobile devices to be weaponized against individuals and organizations is not limited to surveillance; it extends to the disturbing use of malware to fabricate evidence of crimes.

In this rapidly evolving landscape, it’s crucial to take proactive steps to protect your digital life. Enabling automatic updates, implementing multi-factor authentication, and regularly backing up your devices are some fundamental measures.

While different devices have their unique security considerations, the overarching principle remains the same: prioritize your digital security and be prepared for evolving threats. As threat actors continue to adapt and evade attribution, these precautions become our best defense against their relentless activities.
