Russian Reshipping Service ‘SWAT USA Drop’ Exposed

The login page for the criminal reshipping service SWAT USA Drop.

One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.

Among the most common ways that thieves extract cash from stolen credit card accounts is through purchasing pricey consumer goods online and reselling them on the black market. Most online retailers grew wise to these scams years ago and stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia.

But such restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive stolen goods and relay them to crooks living in the embargoed areas.

Services like SWAT are known as “Drops for stuff” on cybercrime forums. The “drops” are people who have responded to work-at-home package reshipping jobs advertised on and job search sites. Most reshipping scams promise employees a monthly salary and even cash bonuses. In reality, the crooks in charge almost always stop communicating with drops just before the first payday, usually about a month after the drop ships their first package.

The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

SWAT takes a percentage cut (up to 50 percent) where “stuffers” — thieves armed with stolen credit card numbers — pay a portion of each product’s retail value to SWAT as the reshipping fee. The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive and successfully reship the stolen packages, the stuffers then sell the products on the local black market.

The SWAT drop service has been around in various names and under different ownership for almost a decade. But in early October 2023, SWAT’s current co-owner — a Russian-speaking individual who uses the handle “Fearlless” — took to his favorite cybercrime forum to lodge a formal complaint against the owner of a competing reshipping service, alleging his rival had hacked SWAT and was trying to poach his stuffers and reshippers by emailing them directly.

Milwaukee-based security firm Hold Security shared recent screenshots of a working SWAT stuffer’s user panel, and those images show that SWAT currently lists more than 1,200 drops in the United States that are available for stuffers to rent. The contact information for Kareem, a young man from Maryland, was listed as an active drop. Contacted by KrebsOnSecurity, Kareem agreed to speak on condition that his full name not be used in this story.

A SWAT panel for stuffers/customers. This page lists the rules of the service, which do not reimburse stuffers for “acts of god,” i.e. authorities seizing stolen goods or arresting the drop.

Kareem said he’d been hired via an online job board to reship packages on behalf of a company calling itself CTSI, and that he’s been receiving and reshipping iPads and Apple watches for several weeks now. Kareem was less than thrilled to learn he would probably not be getting his salary on the promised payday, which was coming up in a few days.

Kareem said he was instructed to create an account at a website called portal-ctsi[.]com, where each day he was expected to log in and check for new messages about pending shipments. Anyone can sign up at this website as a potential reshipping mule, although doing so requires applicants to share a great deal of personal and financial information, as well as copies of an ID or passport matching the supplied name.

A SWAT panel for stuffers/customers, listing hundreds of drops in the United States by their status. “Going to die” are those who are about to be let go without promised payment, or who have quit on their own.

On a suspicion that the login page for portal-ctsi[.]com might be a custom coding job, KrebsOnSecurity selected “view source” from the homepage to expose the site’s HTML code. Grabbing a snippet of that code (e.g., “smarty/default/jui/js/jquery-ui-1.9.2.min.js”) and searching on it at reveals more than four dozen other websites running the same login panel. And all of those appear to be geared toward either stuffers or drops.

In fact, more than half of the domains that use this same login panel actually include the word “stuffer” in the login URL, according to publicwww. Each of the domains below that end in “/user/login.php” are sites for active and prospective drops, and each corresponds to a unique fake company that is responsible for managing its own stable of drops:


Why so many websites? In practice, all drops are cut loose within approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, each stuff shop operator must be constantly recruiting new drops. Also, with this distributed setup, even if one reshipping operation gets shut down (or exposed online), the rest can keep on pumping out dozens of packages a day.

A 2015 academic study (PDF) on criminal reshipping services found the average financial hit from a reshipping scheme per cardholder was $1,156.93. That study looked into the financial operations of several reshipping schemes, and estimated that approximately 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year.

It’s not hard to see how reshipping can be a profitable enterprise for card crooks. For example, a stuffer buys a stolen payment card off the black market for $10, and uses that card to purchase more than $1,100 worth of goods. After the reshipping service takes its cut (~$550), and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.

The breach at SWAT exposed not only the nicknames and contact information for all of its stuffers and drops, but also the group’s monthly earnings and payouts. SWAT apparently kept its books in a publicly accessible Google Sheets document, and that document reveals Fearlless and his business partner each routinely made more than $100,000 every month operating their various reshipping businesses.

The exposed SWAT financial records show this crime group has tens of thousands of dollars worth of expenses each month, including payments for the following recurring costs:

- advertising the service on crime forums and via spam;
- people hired to re-route packages, usually by voice over the phone;
- third-party services that sell hacked/stolen USPS/FedEx labels;
- “drops test” services, contractors who will test the honesty of drops by sending them fake jewelry;
- “documents,” e.g. sending drops to physically pick up legal documents for new phony front companies.

The spreadsheet also included the cryptocurrency account numbers that were to be credited each month with SWAT’s earnings. Unsurprisingly, a review of the blockchain activity tied to the bitcoin addresses listed in that document shows that many of them have a deep association with cybercrime, including ransomware activity and transactions at darknet sites that peddle stolen credit cards and residential proxy services.

The information leaked from SWAT also has exposed the real-life identity and financial dealings of its principal owner — Fearlless, a.k.a. “SwatVerified.” We’ll hear more about Fearlless in Part II of this story. Stay tuned.

.US Harbors Prolific Malicious Link Shortening Service

The top-level domain for the United States — .US — is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.

Researchers at Infoblox say they’ve been tracking what appears to be a three-year-old link shortening service that is catering to phishers and malware purveyors. Infoblox found the domains involved are typically three to seven characters long, and hosted on bulletproof hosting providers that charge a premium to ignore any abuse or legal complaints. The short domains don’t host any content themselves, but are used to obfuscate the real address of landing pages that try to phish users or install malware.

A graphic describing the operations of a malicious link shortening service that Infoblox has dubbed “Prolific Puma.”

Infoblox says it’s unclear how the phishing and malware landing pages tied to this service are being initially promoted, although they suspect it is mainly through scams targeting people on their phones via SMS. A new report says the company mapped the contours of this link shortening service thanks in part to pseudo-random patterns in the short domains, which all appear on the surface to be a meaningless jumble of letters and numbers.

“This came to our attention because we have systems that detect registrations that use domain name generation algorithms,” said Renee Burton, head of threat intelligence at Infoblox. “We have not found any legitimate content served through their shorteners.”

Infoblox determined that until May 2023, domains ending in .info accounted for the bulk of new registrations tied to the malicious link shortening service, which Infoblox has dubbed “Prolific Puma.” Since then, they found that whoever is responsible for running the service has used .US for approximately 55 percent of the total domains created, with several dozen new malicious .US domains registered daily.
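A minimal version of the kind of registration triage Burton describes, as an added example (this is not Infoblox’s detector or any of its code): it scores newly registered domains on the traits the article attributes to Prolific Puma domains (3-7 character labels, a jumble of letters and digits, the .info and .US TLDs). The sample registrations, the feature weights and the threshold are constructed for illustration and would need tuning against a real registration feed.

```python
"""Heuristic triage of short, random-looking domain registrations.

Added example; not Infoblox's system. Scores each registration on traits the
article attributes to the shortener's domains and flags those above a threshold.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# TLDs the article names as favoured by the shortener. Treating them as a
# scoring signal (rather than a filter) is an assumption of this example.
WATCHED_TLDS = {"us", "info"}
SUSPICIOUS_THRESHOLD = 4  # assumption: tune against your own feed

# Constructed sample registrations; none of these are indicators from the report.
SAMPLE_REGISTRATIONS = [
    "k7qz.us", "x2jv9.us", "r4tqp8.info", "bank.us",
    "shop-deals.us", "example.com", "a1b2c3d.us", "cats.info",
]


@dataclass
class DomainScore:
    domain: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, tld) for a bare domain name.

    Simplification: the last dot-separated part is treated as the TLD, so
    multi-part public suffixes such as co.uk are not handled here.
    """
    parts = domain.strip().lower().rstrip(".").split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a registrable domain: {domain!r}")
    return parts[-2], parts[-1]


def score_domain(domain: str) -> DomainScore:
    """Score one registration; each matched trait adds to the score with a reason."""
    label, tld = split_domain(domain)
    result = DomainScore(domain=domain)

    # Trait 1: the article reports labels of three to seven characters.
    if 3 <= len(label) <= 7:
        result.score += 2
        result.reasons.append("short label (3-7 chars)")

    # Trait 2: letters mixed with digits, i.e. not a word or brand.
    if any(c.isdigit() for c in label) and any(c.isalpha() for c in label):
        result.score += 1
        result.reasons.append("mixed letters and digits")

    # Trait 3: almost no vowels, typical of algorithmically generated labels.
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    if vowel_ratio < 0.2:
        result.score += 1
        result.reasons.append(f"few vowels (ratio {vowel_ratio:.2f})")

    # Trait 4: registered under a TLD the shortener has been seen to favour.
    if tld in WATCHED_TLDS:
        result.score += 1
        result.reasons.append(f"watched TLD .{tld}")

    return result


def triage(domains: List[str]) -> List[str]:
    """Return the registrations that cross the suspicion threshold, in input order."""
    return [s.domain for s in map(score_domain, domains) if s.suspicious]


if __name__ == "__main__":
    for scored in map(score_domain, SAMPLE_REGISTRATIONS):
        flag = "SUSPICIOUS" if scored.suspicious else "ok"
        print(f"{scored.domain:14} {scored.score} {flag:10} {'; '.join(scored.reasons)}")
```

Short legitimate names such as bank.us score below the threshold here because they carry vowels and no digits, which is the trade-off the threshold encodes; a production detector would add registrar, hosting and registrant-pattern signals of the kind the article goes on to describe.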

.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. But Uncle Sam has long outsourced the management of .US to various private companies, which have gradually allowed the United States’s top-level domain to devolve into a cesspool of phishing activity.

Or so concludes The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content.

Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and identified approximately 30,000 .US phishing domains. Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target. Others were used to impersonate or attack U.S. government agencies.

Under NTIA regulations, domain registrars processing .US domain registrations must take certain steps (PDF) to verify that those customers actually reside in the United States, or else own organizations based in the U.S. However, if one registers a .US domain through GoDaddy — the largest domain registrar and the current administrator of the .US contract — the way one “proves” their U.S. nexus is simply by choosing from one of three pre-selected affirmative responses.

In an age when most domain registrars are automatically redacting customer information from publicly accessible registration records to avoid running afoul of European privacy laws, .US has remained something of an outlier because its charter specifies that all registration records be made public. However, Infoblox said it found more than 2,000 malicious link shortener domains ending in .US registered since October 2023 through NameSilo that have somehow subverted the transparency requirements for the usTLD and converted to private registrations.

“Through our own experience with NameSilo, it is not possible to select private registration for domains in the usTLD through their interface,” Infoblox wrote. “And yet, it was done. Of the total domains with private records, over 99% were registered with NameSilo. At this time, we are not able to explain this behavior.”

NameSilo CEO Kristaps Ronka said the company actively responds to reports about abusive domains, but that it hasn’t seen any abuse reports related to Infoblox’s findings.

“We take down hundreds to thousands of domains, lots of them proactively to combat abuse,” Ronka said. “Our current abuse rate on abuseIQ for example is currently at 0%. AbuseIQ receives reports from countless sources and we are yet to see these ‘Puma’ abuse reports.”

Experts who track domains associated with malware and phishing say even phony information supplied at registration is useful in identifying potentially malicious or phishous domains before they can be used for abuse.

For example, when it was registered through NameSilo in July 2023, the domain 1ox[.]us — like thousands of others — listed its registrant as “Leila Puma” at a street address in Poland, and the email address But according to, on Oct. 1, 2023 those records were redacted and hidden by NameSilo.

Infoblox notes that the username portion of the email address appears to be a reference to the song October 33 by the Black Pumas, an Austin, Texas based psychedelic soul band. The Black Pumas aren’t exactly a household name, but they did recently have a popular Youtube video that featured a cover of the Kinks song “Strangers,” which included an emotional visual narrative about Ukrainians seeking refuge from the Russian invasion, titled “Ukraine Strangers.” Also, Leila Puma’s email address is at a Ukrainian email provider.

DomainTools shows that hundreds of other malicious domains tied to Prolific Puma previously were registered through NameCheap to a “Josef Bakhovsky” at a different street address in Poland. According to, the anglicized version of this surname — Bakovski — is the traditional name for someone from Bakowce, which is now known as Bakivtsi and is in Ukraine.

This possible Polish and/or Ukrainian connection may or may not tell us something about the “who” behind this link shortening service, but those details are useful for identifying and grouping these malicious short domains. However, even this meager visibility into .US registration data is now under threat.

The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity.

Infoblox’s Burton says Prolific Puma is remarkable because they’ve been able to facilitate malicious activities for years while going largely unnoticed by the security industry.

“This exposes how persistent the criminal economy can be at a supply chain level,” Burton said. “We’re always looking at the end malware or phishing page, but what we’re finding here is that there’s this middle layer of DNS threat actors persisting for years without notice.”

Infoblox’s full report on Prolific Puma is here.

Power for the People | Cyber Threats in the Energy Sector and How To Defend Against Them

Because the energy sector powers the infrastructures that sustain how people communicate, work, and live, our dependence on it has pushed it to the top of the list of targets for cybercriminals. Concerns about how to defend this critical sector have only been magnified by ongoing dilemmas in the economic and political landscapes.

Beyond the immediate financial losses and operational disruptions, attacks on a critical sector like energy have cascading effects on other sectors, such as manufacturing, healthcare, and transportation.

This blog post outlines these effects and challenges, exploring the reasons behind growing cyberattacks on energy grids and what energy and utilities suppliers can do to safeguard themselves from advanced threat actors.

A Global Snapshot of Recent Attacks on Energy

Some of the most notable attacks on energy and utilities providers have occurred in the past few years alone, marking threat actors’ increasingly steep interest in this sector.

Ransomware Extremes | How the Colonial Pipeline Attack Spurred Changes to US Cybersecurity Policies

Early in the morning of May 7, 2021, a ransom note was uncovered by a Colonial Pipeline employee, revealing a successful systems breach attributed to the DarkSide ransomware group. DarkSide had managed to exploit an outdated virtual private network (VPN) account, the first step leading to one of the most significant cyberattacks on the energy infrastructure in US history.

DarkSide threat actors had encrypted an estimated 100 GB of sensitive, business-critical data within Colonial’s expansive operational technology (OT) network. In response, Colonial Pipeline suspended all operations, including the delivery of over 2.5 million barrels of refined gasoline a day to U.S. customers. Affecting businesses and millions of individuals along the East Coast of the United States, the fallout included lengthy gas lines reminiscent of the 1970s, price hikes, panic buying, and the closure of numerous fuel stations.

Shortly after this attack, the Transportation Security Administration (TSA) released a directive mandating that pipeline operators promptly notify CISA of all potential cyberattacks. The directive also required the presence of an on-site cybersecurity coordinator. A second directive soon followed, directing pipeline operators to address vulnerabilities, enhance their defenses, and create contingency plans for future security events. Earlier in 2023, CISA unveiled a Ransomware Vulnerability Warning Pilot (RVWP) program, set to support critical infrastructure providers with the best practices and tools needed to protect against ransomware attacks.

New Battlegrounds | Russian-Based Attacks on Energy Providers

At the onset of the invasion of Ukraine in early 2022, Ukrainian government officials revealed that Russian state-sponsored threat actors aimed to compromise the Ukrainian power grid, intending to trigger a blackout that would have impacted a staggering 2 million people. The attack involved the use of a wiper – a specialized form of malware designed to take down targeted systems by erasing critical data. Had the hack been successful, it would have caused the world’s biggest cyber-induced blackout to date.

One month after the invasion of Ukraine, President Biden issued a statement discussing the heightened potential of Russian cyberattacks against the US energy infrastructure in retaliation for imposing economic sanctions. Several US energy companies and more than a dozen others in associated sectors were all reported to have experienced abnormal scanning from Russian-linked IP addresses, likely indicative of early reconnaissance in which threat actors scan targeted networks for vulnerabilities that could be used in a future attack.

Threat Actors’ Eyes on Energy | Why the Sector Is At Risk

The energy sector powers the reliability of all other sectors, making it the linchpin of all critical infrastructure. Extending far beyond single power plants, pipelines, or grid systems, the attack surface for the energy sector exists at every point on the power chain. This dependency on interconnected networks and industrial control systems (ICS) creates vulnerabilities that malicious actors find extremely attractive. Cyberattacks on the energy sector can disrupt the flow of essential resources, leading to power outages, fuel shortages, and economic instability.

Several factors underpin the risk faced by the energy sector.

Evolving Digitalization & Interconnectivity

Rapid digital transformation within the energy and utilities sector has expanded its attack surface. Increasing connectivity, cloud adoption, and the internet of things (IoT) integrations have introduced many more entry points for threat actors. This digital evolution, while boosting efficiency and monitoring capabilities, has also introduced vulnerabilities that malicious actors can exploit. Modern technologies have accelerated digitalization but also make this sector more susceptible to cyber threats than ever before.

Adding another layer of intricacy is the interdependence of all essential parts. For instance, a power outage in one region can have large ripple effects, affecting electricity availability in other parts of the country as smaller grids have to adapt to meet the sudden demand. Similarly, a compromised oil pipeline not only causes localized shortages but can trigger nationwide spikes in gas prices, highlighting the intricate web of interconnections within the industry.

Dispersed Geographic Locations & Reliance on Third-Parties

Energy and utility providers face an expanding attack surface, stemming from the challenge of securing geographically scattered assets such as hydroelectric dams and coal-fired generation plants. Safeguarding against multiple threats in a dispersed environment presents security leaders with a logistical challenge.

Making this more complex is the energy sector’s reliance on third-party supply chain relationships. The industry, which encompasses a blend of private and public ownership, is built on strategic partnerships among the various stakeholders. As a result, securing all the various components that make up the energy industry requires collective action and responsibility among diverse agencies and organizations, each of which have their own cybersecurity challenges.

Economic Incentives for Attackers

The energy and utilities sector is an enticing target for financially motivated cybercriminals. Ransomware attacks, in particular, have become increasingly prevalent, with actors seeking hefty payouts to unlock critical systems. Colonial Pipeline’s CEO explained that the company paid the “highly controversial” $4.4 million ransom given the essential nature of the company’s infrastructure. The strains of recent times, including post-Covid economic uncertainty, inflation, and job losses, have created fertile ground for cyber extortion schemes, exacerbating the risk faced by this sector.

Gaps Between Physical & Cyber Infrastructure

Operational technology (OT) systems control and monitor physical processes, such as power generation, distribution, and transmission. These systems are increasingly interconnected with information technology (IT) networks to improve efficiency, optimize operations, and enable remote monitoring and control. This connection creates a bridge between the physical and cyber infrastructures, allowing data and commands to flow between them. However, gaps between the two greatly increase cyber risk.

The interdependencies between physical and cyber infrastructure mean that issues on the IT side have real-world consequences. For instance, a cyberattack on a power plant’s IT network can potentially disrupt the OT systems responsible for controlling critical processes. Conversely, physical events, such as equipment failures or power outages, can affect the availability and security of IT networks.

Powering Up Cyber Resilience Within the Energy Sector

The challenge for those in this sector lies in staying ahead of ever-evolving threat tactics. The following guidelines can help energy providers to mitigate risk and build a stronger, proactive cybersecurity posture.

Manage Cyber Risk Within the Supply Chain

Managing risk in the energy supply chain starts with understanding all current vendor relationships, including OSS dependencies, and creating stricter standards for procurement. Start by reviewing supplier assessments for all in-use vendors and agree on procurement processes and shared security responsibilities. To integrate cybersecurity into the procurement process, mandate software bills of materials (SBOMs) to track all digital components in a system across the supply chain and identify potential issues.

Implement Hardware Authentication

Hardware authentication offers a robust approach to user authentication – a critical element in securing geographically dispersed OT networks in the energy sector. This strategy hinges on the use of a dedicated physical device, typically a token or hardware key, alongside a primary password. This dual-factor authentication method enhances access control by requiring both something the user knows (the password) and something the user has (the physical token) for access. Hardware authentication serves as a strong defense against unauthorized access, ensuring that only authorized personnel with the right physical device can interact with sensitive systems.

Leverage User-Behavior Analytics (UBA)

Going beyond predefined patterns or signatures, user-behavior analytics (UBA) delves into the nuanced behaviors of users within a given system. UBA’s strength lies in its capacity to alert on unusual or suspicious activities based on a comprehensive understanding of typical user interactions with a particular environment. By creating behavioral baselines for legitimate users, UBA can swiftly flag any deviations and pinpoint potential security breaches or insider threats.

UBA works by harnessing machine learning (ML) techniques to decipher the underlying intent behind user actions. This continuous learning and adaptation enable UBA to evolve alongside the ever-changing threat landscape, enhancing its accuracy in recognizing even the most subtle anomalies in user behavior.

Maintain Deep Visibility Through Real-Time Monitoring

Deep system and network visibility, coupled with real-time monitoring, detection, and response capabilities, are security essentials for the energy sector. Advanced security solutions such as autonomous and AI-powered XDR can offer a comprehensive view of both IT and OT environments, enabling security teams to shave off minutes when identifying anomalies and potential cyber threats.

In an era of evolving and sophisticated attacks, such as ransomware and state-sponsored intrusions, real-time monitoring ensures that any unusual activity is quickly detected, allowing for immediate action and remediation as needed. This proactive approach is critical in safeguarding critical energy infrastructure against cyber threats that could disrupt operations and endanger public safety.

Stay Up-to-Date with Government Guidelines & Resources

Legacy OT assets are designed without robust defenses against malicious cyber activities. Easy access to unsecured assets, wide availability of open-sourced device information (e.g. Shodan and Kamerka), and oft-deployed exploits accessible through frameworks like Metasploit, Core Impact, and Immunity Canvas, have all created a perfect storm of factors leading to increased cyber intrusion. To combat these growing risks, the U.S. government continues to urge energy and utilities providers to improve the resilience of their systems.

Following CISA’s latest warnings of increased exposure of OT systems to cyberattacks, the NSA published new resources this month to help organizations using SNORT improve their threat hunting. Called ‘ELITEWOLF’, the repository contains various ICS/SCADA (supervisory control and data acquisition)/OT-focused signatures and analytics to support critical suppliers as they implement continuous monitoring measures.

In addition to the new repository, CISA, FBI, NSA, and the U.S. Department of the Treasury also released guidance for OT vendors and other critical infrastructure facilities, focusing on how to minimize risk when using open-source software (OSS) in OT products.

Given their central role in powering economies, physical infrastructure, and digital systems, global energy and utility service providers have had to consider how to defend against a new wave of cyber adversaries in the last few years. Recent shifts in geopolitics have also added a new layer of complexity to this threat landscape, further highlighting the need for enhanced cybersecurity measures.

To thwart these threats and safeguard critical power grids and pipelines, energy and utility providers are increasingly looking to adopt a proactive and adaptive cybersecurity approach. This entails comprehensive risk assessments, robust detection and response systems, and building safer standards for working with third-party vendors.

The Good, the Bad and the Ugly in Cybersecurity – Week 43

The Good | Multi-Million Dollar Scam Syndicate Dismantled Revealing Stolen Data of 4 Million Citizens

Four million people won justice this week when the Spanish National Police successfully dismantled a cybercriminal organization responsible for monetizing their stolen data. The police agency carried out a total of 16 targeted searches across multiple Spanish cities, resulting in the arrest of 34 members of the criminal group.

Source: Europol

During these raids, authorities seized a cache of illicit items, including firearms, high-end cars, and 80,000 euros in cash. The most critical discovery, however, was the recovery of computers holding sensitive banking information belonging to four million individuals, all ill-gotten by infiltrating financial and credit institutions.

Based on their report, the Spanish police said that the group members were linked to a wide array of fraudulent schemes. Through email and SMS phishing scams, members impersonated delivery companies and electricity suppliers to gain their victims’ trust. The members were also known to call unsuspecting parents, pretending to be ‘sons in distress’ as a means to extract ‘urgently needed’ money. In other cases, they allegedly leveraged an insider within an international tech firm and routed valuable merchandise to addresses under their control. The crime syndicate is estimated to have earned approximately $3.2 million from reselling stolen data to other cybercriminals.

Though the ringleaders of this particular cybercrime ring have been caught, social engineering tactics remain top attack paths into critical systems. Awareness training programs, in combination with multi-factor authentication (MFA), identity threat detection and response (ITDR) solutions, and robust endpoint security, can help both organizations and individual users combat this type of threat.

The Bad | Pro-Russian APT Exploits Webmail Zero-Day to Harvest Email Data From European Governments

Winter Vivern APT has been found exploiting a zero-day vulnerability in Roundcube’s open-source webmail software. Targeting governments and think tanks in Europe, these attacks leveraged CVE-2023-5631 to harvest emails from compromised accounts. According to a security report this week, this is a marked step up for the threat actor’s cyber operations.

Russia and Belarus-aligned Winter Vivern is a relatively underreported group with limited resources. In the latest string of attacks however, researchers highlighted a notable shift in the APT’s tactics. Where Winter Vivern would typically exploit known flaws for which proof-of-concepts (PoCs) were readily available online, their latest attacks exploited a zero-day vulnerability. Zero-days are those that remain undisclosed to the software’s developers, providing threat actors with an advantage. In this case, Winter Vivern’s exploitation of the Roundcube zero-day allowed them to infiltrate email accounts and exfiltrate valuable data without prior detection or mitigation.

CVE-2023-5631 is a stored cross-site scripting flaw that could allow remote threat actors to load arbitrary JavaScript code. The attacks began with phishing messages containing a Base64-encoded payload embedded within the HTML source code. This payload, when decoded, facilitated a JavaScript injection from a remote server. A second-stage JavaScript component then acted as a loader, enabling the execution of a final payload that exfiltrated email messages to a command-and-control (C2) server. Roundcube has since released a fix for the vulnerability.
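As an added illustration of the defensive side of this chain (not Roundcube's code and not the exploit itself), the following Python check pulls Base64 runs out of an HTML mail body, decodes them, and flags any that unpack into script markup or a remote script source; the stage2.example.invalid host and both sample messages are constructed.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# Added example (not Roundcube's code, not the actual exploit): a mail-gateway
# check that extracts Base64 runs from an HTML body, decodes them and flags
# any that unpack into script markup or a remote script source.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Patterns searched in the *decoded* bytes.
SCRIPT_MARKERS = (
    re.compile(rb"<script\b", re.I),                    # inline/remote script tag
    re.compile(rb"\bon[a-z]+\s*=", re.I),               # event-handler attribute
    re.compile(rb"javascript:", re.I),                  # javascript: URL
    re.compile(rb"https?://[^\s'\"<>]+\.js\b", re.I),   # remote .js source
)


@dataclass
class Finding:
    offset: int          # where the Base64 run starts in the HTML body
    preview: str         # first bytes of the decoded blob, for the analyst
    markers: list[str]   # which patterns matched


def decode_run(run: str) -> bytes | None:
    """Decode one candidate run, tolerating missing padding; None if not Base64."""
    core = run.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_html(body: str) -> list[Finding]:
    """Return one Finding per Base64 run whose decoded content looks like script."""
    findings: list[Finding] = []
    for m in B64_RUN.finditer(body):
        raw = decode_run(m.group(0))
        if raw is None:
            continue  # long alphanumeric token that is not valid Base64
        hits = [p.pattern.decode() for p in SCRIPT_MARKERS if p.search(raw)]
        if hits:
            findings.append(Finding(m.start(), raw[:60].decode("latin-1"), hits))
    return findings


def should_quarantine(body: str) -> bool:
    """Gateway verdict: hold the message if any decoded blob carries script."""
    return bool(scan_html(body))


# Constructed samples. A Base64 PNG data: URI must NOT be flagged; a Base64 blob
# that decodes to a remote <script> tag must be. The host is a placeholder.
BENIGN_MAIL = (
    "<p>Quarterly figures attached.</p>"
    '<img src="data:image/png;base64,'
    + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode()
    + '">'
)
PHISHING_MAIL = (
    "<p>Please review the attached notice.</p>"
    '<div data-cfg="'
    + base64.b64encode(
        b'<script src="https://stage2.example.invalid/loader.js"></script>'
    ).decode()
    + '"></div>'
)

if __name__ == "__main__":
    for name, mail in (("benign", BENIGN_MAIL), ("phishing", PHISHING_MAIL)):
        print(name, should_quarantine(mail), [f.markers for f in scan_html(mail)])
```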

Despite Winter Vivern’s limited resources, they have been able to lure high-value victims through persistent and frequent phishing campaigns and by leveraging unknown flaws in high traffic software. Organizations can stay safe by following regular patch schedules and ensuring deep monitoring within their systems.

The Ugly | Slews of Crypto Donation Scams Hit Social Media Platforms Amid Ongoing Israel-Hamas War

Cybercriminals are exploiting the deadly Israel-Hamas conflict to spread donation and fundraising scams through popular social media platforms. As reported this week, researchers have raised the alarm on how scammers are capitalizing on the ongoing war to solicit donations. So far, over 500 fraudulent emails have been observed impersonating charitable organizations and fundraisers. The cyber scammers have also been seen listing fraudulent cryptocurrency wallet addresses on Instagram, Telegram, and X, taking full advantage of high-strung emotions in the continuing political crisis.

Scam “aid Gaza” account on X (Source: BleepingComputer)

These scams seek to manipulate emotions, often posting graphic images of wounded soldiers, women, and children to spur action. Researchers saw similar social engineering tactics in circulation during the height of the Russo-Ukrainian war and following the Turkey-Syria earthquakes. To increase their chances of success, the scammers are creating multiple text variations to evade spam filters and modifying their designs to target specific groups. Spoofed websites often copy content directly from their legitimate counterparts, but crucially lack details about the organizational staff and contact information as well as fund usage.

Given the prevalence of these scams, the public are being advised to proceed with extreme caution when participating in online fundraisers. The U.S. Federal Trade Commission (FTC) has provided best practices to prevent falling victim to scams and the IRS has also issued an advisory warning citizens against giving into pressure. Always verify the authenticity of charitable organizations before making donations by referring to the government’s official charity register. In hand with social engineering schemes, security practitioners are warned to stay updated on other emerging cyber activity and threat actors currently active in the Middle East.

Hacktivism in the Israel-Hamas Conflict | Citizen Data Leaked Using Old Malware

The current conflict between Israel and the Hamas militant group has triggered an onslaught of hacktivist-level activity carried out in the name of both sides. Amid the ongoing fighting, numerous hacktivist groups and ‘lone wolves’ have taken the opportunity to move into the cyber arena, deploying an array of malicious activities including Distributed Denial-of-Service (DDoS) attacks, website defacement, doxxing, and custom malware launches.

So far, the use of novel malware/scareware and tools such as Redline Stealer and PrivateLoader by these threat actors continues to target Israeli citizens, businesses, and critical sector entities, causing data leaks and widespread disruptions. This write-up serves as a roundup of tactics and techniques we are observing in the Middle East, allowing security practitioners to stay informed and on top of developing threats stemming from the war.

Analysis of Data Leaks & Stealers


Haghjhoyan logo

Haghjhoyan, known also as the “Peace Seekers”, first emerged in October 2023. It is characterized as a pro-Iran hacktivist group, which has been leaking small archives of Israeli citizen data through their recently established Telegram channel. On October 8th, the group announced an infiltration of the Israeli Red Alert Emergency System. This was followed by the October 13th, 2023 announcement of the group’s infiltration of multiple critical infrastructure targets across Israel during which Haghjhoyan shared screenshots of their virtual network computing (VNC) sessions in a variety of utility-centric targets. ‘Proof’ files associated with this breach were also shared in the Haghjhoyan Telegram channel.

Attack on Israeli utilities

Between October 15th and October 19, 2023, the group continued to announce new leaks and attacks, including the claim of infecting “1000” Israeli computers. The full message shared is as follows: “1000 computers from Israel were infected. This is a gift from Palestinian children to Israel hac*kers and the bast*ard people of Israel”.

Attack on the Israeli public

Screenshots shared in the Haghjhoyan Telegram channel show filenames that hold ‘clues’ potentially pointing towards the use of malware. Further, there is indication of potential social engineering lures used by the group to encourage the download and execution of trojanized applications.

In the image above, the following file names are of special interest:

  • Frosty Mod Manager (Beta 4) (FIFA 19)
  • Subinfeudated Oat.exe

The ‘Frosty Mod Manager’ and ‘Default-Dark-Mode’ file names are references to the games FIFA and Minecraft respectively. From the data shared by the threat actor, it appears as though they are using these games as social engineering lures, manipulating targets through social media platforms like Discord, WhatsApp, and Telegram into launching trojanized versions of the applications. Targeting users of extremely popular games like Roblox, Minecraft, and FIFA with possible free ‘mod’ packages is an effective way to reach a large portion of the general public.

We can also glean some information from the leaked data itself. For example, the stealer log output from the ICS targets contained in the leaked file “IL-ISRAEL-25PCS-2023.rar” is formatted in a way that suggests the use of Redline Stealer, or similar malware.

Stealer logs from Haghjhoyan target showing similarities with Redline Stealer

This is further corroborated by another leaked screenshot from the threat actors, which shows the malware being executed. The file name of the launched executable is the SHA1 hash of the malware. That hash (0b0123d06d46aa035e8f09f537401ccc1ac442e0) belongs to a public Redline Stealer sample from 2019 and is not exclusive to these attacks and campaigns.

Redline running in leaked screenshot from Haghjhoyan

In a separately-shared screenshot from Haghjhoyan, there are clues pointing to the use of another malware tool called PrivateLoader.

The “Subinfeudated Oat” malicious application

The “Subinfeudated Oat.exe” in the above image is a sample of PrivateLoader. Something of a commodity tool, it is often used to download and launch additional malware payloads. Loaders such as this or Smoke Loader allow lower-tier actors to evade basic detective controls like legacy antivirus (AV).

Through these two examples we can tie the use of PrivateLoader and Redline Stealer to these anti-Israel malware attacks driven by Haghjhoyan. Current intelligence indicates that the data being leaked by Haghjhoyan acquired via Redline is fresh and valid, not having been leaked in the wild prior. It should also be noted that Haghjhoyan made their Telegram channel private on October 24th, 2023.

Soldiers of Solomon

Another malicious hacktivist group, going by the moniker Soldiers of Solomon, has also made bold claims around the infiltration and infection of critical infrastructure in Israel. They have also claimed ownership of a customized ransomware called Crucio. On October 18th, 2023, the Soldiers of Solomon announced their attack via the resurrected BreachForums.

Announcement of Crucio ransomware attack (BreachForums)

The Soldiers of Solomon also announced this effort via their public Telegram channel. The full message reads as follows: “The Soldiers of Solomon have taken full control of more than 50 servers, security cameras and smart city management system in Nevatim military area. Once we got access to those targets, we exfiltrated 25TB of data and ransomed them via our customised Crucio ransomware (Ltd). Database Link:…/All+Files”.

The ‘proof’ package, hosted on MediaFire, consists of the same screenshots provided in their Telegram channel.

Soldiers of Solomon ‘proof’ screenshots

The bulk of these images show a Windows desktop with a document (.jpg image) displayed with the Soldiers of Solomon’s anti-Israeli messaging.

Soldiers of Solomon “infected” host

From these images, we can see that the filename for the document displayed is “ref.jpg”.

ref.jpg note

Analysis of the Crucio ransomware deployment is ongoing and full details are not yet corroborated. That said, we can state that it is not outside the realm of possibility that these groups would repackage an existing or leaked malware builder or kit and use that as a payload to get their message out and cause disruption.

Cyb3r Drag0nz Team

Cyb3r Drag0nz Team logo

Cyb3r Drag0nz Team is a hacktivist team with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity. They are now taking credit for multiple leaks and DDoS attacks against Israeli targets. This includes a DDoS attack against the official website of the Israeli Air Force.

Cyb3r Drag0nz Team claims to have leaked data on over a million Israeli citizens across multiple leaks. To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.

The Cyb3r Drag0nz Team has been observed taking full advantage of various social media platforms to announce their targeting and intrusions. They post updates via Instagram, Twitter, and Telegram as well as Facebook and YouTube.

Data of 6000 Israeli citizens leaked

Most recently, the group claims to have stolen the data of more than “1 million” Israeli citizens.

Israel citizen data leaked by Cyb3r Drag0nz Team

This announcement was accompanied with a RAR archive named “Israel Leaked By Cyb3r Drag0nz Team.rar”. Current analysis of data being leaked by Cyb3r Drag0nz Team shows a varying level of ‘freshness’. Some of the sample leaked data has appeared in prior leaks or dumps from other groups while other data appears to be new.

Files shared by Cyb3r Drag0nz Team


The hacktivist groups currently active in the Israel-Hamas conflict are ramping up in both intent and skill level. Though these groups are still relatively small, it is clear that they are carrying out successful attacks and putting ordinary citizens at risk. This class of criminal activity is often viewed as being of a lower tier, however, ongoing fighting in Gaza has provided a springboard for these groups to leverage political chaos to further their malicious cyber goals.

We believe that these groups have relatively low sophistication and limited financial resources. The malicious actors’ use of tools like Redline and PrivateLoader speaks to their position of having to use what is at their disposal. This is bolstered by the example of using in-the-wild Redline samples with known hashes, revealing that the actors are not making the effort to modify or customize the older malware.

That said, these groups continue to impact ordinary civilians, putting their identity and data at risk to reach their goals. As the war continues to escalate across multiple arenas, these small-yet-effective attacks are expected to only increase.

We recommend the following best practices, which can help strengthen any existing cybersecurity measures:

  • Focus on awareness and practice overly-diligent cyber hygiene. Take any opportunity to spread information about basic protection. Be vigilant against unexpected links, practice link validation, and do not engage in any unauthorized chats across popular social media platforms, particularly on Discord, WhatsApp, Telegram, and X.
  • Some of the malicious tools mentioned in this post are known to be disguised as mods for popular games. In some cases, we saw FIFA 19, Minecraft, and Roblox being used as social engineering lures. Be aware of this potential lure style and think twice before downloading game mod packages, or take extra precautions when doing so.
  • Update all security software and ensure it is properly configured. Use modern and reputable security solutions and software and look out for patches and fixes.
  • Monitor all endpoints under your control, whether at home or in an office, for signs of compromise. Having a robust XDR solution can provide deep visibility across endpoints in a system as well as automated detection and response capabilities.


Decrypting SentinelOne’s Detection | An In-depth Look at Our Real-Time CWPP Static AI Engine

Artificial intelligence (AI) is such a hot topic right now with everyone clamoring to say how their company is leveraging AI in all the new, flashy ways. Here at SentinelOne, we don’t do hype or hyperbole and AI is nothing new. We were founded in 2013 on the premise that AI could fundamentally transform cybersecurity and achieve real-time defenses against machine-speed attacks. Our cloud workload protection platform (CWPP), Singularity Cloud Workload Security, uses AI to deliver real-time detection and response to runtime threats. Our CWPP agent uses five engines onboard:

  • Static AI Engine
  • Cloud Intelligence Engine
  • App Control Engine
  • Behavioral AI Engine
  • STAR Rules Engine

Some of the engines use AI while others are rules-based. Each works in concert with the other to defend business applications (aka workloads) running on your infrastructure whether in public or private cloud, on servers, VMs, or containers. To better understand the role of AI in achieving this objective, this blog post focuses on our Static AI Engine and is the first of a five-part series exploring each of our detection engines.

Static AI Engine 101

Much like cloud security, AI itself is a broad field and machine learning (ML) is a subset of this field. ML is exactly as the name suggests: machines learning to perform a task with high accuracy. ML models can be trained for any number of uses, from the academic (e.g., to differentiate between photographs of dalmatian puppies or chocolate chip ice cream) to the highly practical, such as differentiating between benign files and malware.

At the highest level of abstraction, our Static AI Engine consists of supervised machine learning algorithms which analyze files before they execute, examining the file structure and searching for historical patterns synonymous with malicious intent. Digging in a little deeper, the Static AI Engine is a classifier engine, categorizing the files being scanned in a number of classes, such as benign, suspicious, malicious, and so on. Ultimately, the decision tree algorithm delivers a predictive confidence level for a file’s maliciousness. For ML models to perform well, they must be trained over a large data set. SentinelOne’s classifier algorithms have been trained across nearly a billion samples over the past decade, and our threat researchers are continuously improving the models against the latest threats.

Where Static Detection Shines

Static detection of malicious files has several pronounced advantages. Most notably, examining a potentially malicious file before it executes means, quite simply, that your endpoint and cloud workloads are protected from malware before it has the opportunity to transact evil. Additionally, static file analysis is computationally inexpensive relative to behavioral analysis. The latter has to observe many more signals across the operating system (OS), which requires instrumentation to watch OS-level process activity as the file executes. This relative computational efficiency is especially important on cloud infrastructure-as-a-service (IaaS), because every bit of CPU usage shows up on the monthly bill from your cloud service provider (CSP). Being a good steward of CPU resources is therefore especially important for the CWPP agent, all the more so at scale.

Static analysis is an excellent way to detect malware, but it can’t solve every use case. For example, fileless attacks that launch processes directly from memory without ever creating a file on disk cannot be detected via static analysis. Such memory injection attacks require different detection capabilities. Security teams need not worry, as the Behavioral AI Engine in SentinelOne’s CWPP agent can detect memory injection attacks. We’ll dive deeper into Behavioral AI in part two of this blog series.

Case Study | Static Detection vs. Trojan Malware

Recently, the SentinelOne CWPP agent detected Linux malware targeting a customer’s public cloud infrastructure. In this example, the Static AI Engine detected that an originating process called ‘busybox’ wrote a suspicious ELF file to storage associated with a customer’s Amazon EC2 instance. Upon subsequent analysis by SentinelOne, we believe this ELF file to be a Trojan. As the name would suggest, a Trojan is a type of malware that is disguised as a real, reputable program. The supervised ML models in the Static AI Engine are trained in SentinelOne’s labs to recognize features of Trojan malware and more, such as communication modules back to command and control (C2) infrastructure owned by threat actors.

Once the ELF file was written, it was marked executable and subsequently called back to a malicious IP address. This C2 infrastructure was a cloud compute instance controlled by the threat actor and operated from another cloud service provider in Europe. Cloud infrastructure is especially attractive to threat actors for use as C2 infrastructure, because they can change IP addresses, locations, and domain names in an attempt to cover their tracks. Our CWPP agent collected all the precise details, which we intentionally redacted from this example to protect our client’s identity.
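To show how the chain in this case study can be expressed as detection logic, here is an added Python example (not SentinelOne's agent code) that replays constructed write/chmod/connect events, applies an on-write ELF check, and compares a Detect policy against a Protect policy; the file paths, the 10.0.0.0/8 VPC range and the 203.0.113.45 address are placeholders.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example, not SentinelOne's agent code: a toy on-write check plus the
# follow-on correlation for the chain in the case study (a process writes an
# ELF file, the file is made executable, the new process calls out externally).
ELF_MAGIC = b"\x7fELF"

# Constructed: ranges the workload may talk to without raising a callback alert
# (assumed VPC CIDR, loopback, link-local/metadata).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Event:
    kind: str          # "write", "chmod" or "connect"
    proc: str          # process that produced the event
    path: str = ""     # file touched (write/chmod)
    head: bytes = b""  # leading bytes of the written file (write only)
    mode: int = 0      # new permission bits (chmod only)
    dst: str = ""      # remote address (connect only)


@dataclass
class Alert:
    path: str
    stage: str
    detail: str


def is_elf(head: bytes) -> bool:
    """On-write static check: ELF magic plus a valid EI_CLASS (1 = 32-bit, 2 = 64-bit)."""
    return len(head) >= 5 and head[:4] == ELF_MAGIC and head[4] in (1, 2)


def is_external(addr: str) -> bool:
    """True when the destination lies outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(events: list[Event], policy: str = "detect") -> tuple[list[Alert], list[tuple[str, str]]]:
    """Replay an event stream. Under "detect" each stage only raises an alert and the
    file keeps being tracked; under "protect" the file is quarantined at the on-write
    stage and dropped from tracking, so the later stages never occur for it."""
    tracked: dict[str, str] = {}   # path -> process that wrote it
    alerts: list[Alert] = []
    actions: list[tuple[str, str]] = []
    for ev in events:
        if ev.kind == "write" and is_elf(ev.head):
            alerts.append(Alert(ev.path, "on-write", f"{ev.proc} wrote an ELF image"))
            if policy == "protect":
                actions.append(("quarantine", ev.path))
            else:
                tracked[ev.path] = ev.proc
        elif ev.kind == "chmod" and ev.path in tracked and ev.mode & 0o111:
            alerts.append(Alert(ev.path, "exec-bit", f"mode set to {ev.mode:o}"))
        elif ev.kind == "connect" and ev.proc in tracked and is_external(ev.dst):
            alerts.append(Alert(ev.proc, "callback", f"outbound connection to {ev.dst}"))
    return alerts, actions


# Constructed sample stream; 203.0.113.45 is a documentation-range placeholder.
SAMPLE_EVENTS = [
    Event("write", "/bin/busybox", path="/tmp/.cache/upd", head=ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9),
    Event("write", "/usr/bin/vim", path="/home/app/notes.txt", head=b"deploy checklist\n"),
    Event("chmod", "/bin/busybox", path="/tmp/.cache/upd", mode=0o755),
    Event("connect", "/tmp/.cache/upd", dst="203.0.113.45"),
    Event("connect", "/usr/bin/curl", dst="10.0.3.7"),
]

if __name__ == "__main__":
    for policy in ("detect", "protect"):
        alerts, actions = correlate(SAMPLE_EVENTS, policy)
        print(policy, [a.stage for a in alerts], actions)
```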

Figure 1: CWPP Static Threat Detection in the SentinelOne Console

In the SentinelOne management console shown in Figure 1, there are a few things to point out. The engine responsible for making the threat detection is “On-Write Static AI,” meaning that the Static AI Engine made the detection when a suspicious file was written to disk.

Second, the AI Confidence Level is shown as “SUSPICIOUS.” There are two confidence levels, SUSPICIOUS and MALICIOUS, and a different response-action policy can be set for each. Finally, the agent policy for this detection confidence level is shown as “Detect.” This means the agent has issued an alert but taken no response action; the detection awaits disposition from a cybersecurity professional.

In this specific example, the customer is also subscribed to our Vigilance MDR service. As shown in the incident notes section of Figure 1, the SentinelOne Vigilance analyst confirmed the verdict as a true positive, took mitigative actions to quarantine the threat file, and then notified the customer. Since the Threat Status was “Mitigated,” the status symbol in the upper left of the console displays a green shield with a check mark.

It is worth noting that agent policy can just as easily be set to “Protect”. The choice between Detect or Protect Mode is governed by policies which the customer controls. If the policy had been set to Protect for this case study example, the mitigation response action would have been fully automated and executed immediately after the detection, surgically unwinding the effects of the attack while simultaneously preserving a record of all telemetry collected during the incident.


The Static AI Engine truly is the workhorse of our CWPP agent. By training our proprietary ML models over nearly a billion malware samples over the course of nearly a decade, our static file analysis is the first line of defense in our ruthlessly efficient CWPP agent.

To learn more about the value of real-time CWPP in your cloud security stack, head over to the solution homepage. Or see how Singularity Cloud Workload Security works with a 2-minute guided walk-through here. For a personalized demo, connect with one of our cloud security experts today.

The Realm of Ethical Hacking | Red, Blue & Purple Teaming Explained

Businesses continue to digitize their critical infrastructures and operations, expanding their attack surface and exposure to various threat vectors. To combat this, leaders are recognizing the value of having in-house experts who can think like cybercriminals and help build a proactive stance against attackers.

Considering new and constant developments in the cyber threat landscape, business leaders can leverage the work of ethical hackers as well as red, blue, and purple teaming to stay ahead of malicious actors and APTs. These practices are useful tools in a security team’s arsenal, collectively enhancing the resilience of organizations against threats.

This blog post discusses how ethical hacking and strategies involving red, blue, and purple teaming have risen over the years to help detect and mitigate vulnerabilities and also anticipate potential attacks. These practices promote a culture of continuous improvement in cybersecurity, as knowledge and expertise are shared and refined.

An Overview | Six Decades of Proactive Security Testing

Ethical hacking, red teaming, blue teaming, and purple teaming are important components of modern cybersecurity, each with its unique role and purpose in defending digital assets.

Ethical Hacking | The Formalization of “Hackers”

The history of ethical hacking, also known as white hat hacking, is intertwined with the development of computer technology and a growing global awareness of cybersecurity. In the early days of computing, during the 1960s and 1970s, the term “hacker” was used to describe individuals who were passionate about exploring computer systems and software to better understand how they worked. These early hackers, often operating in academic and research settings, laid the foundation for ethical hacking by uncovering vulnerabilities and sharing their findings to improve system security.

As computer networks expanded in the 1980s and 1990s, malicious hacking activities began to pose significant threats. In response, ethical hacking took on a more formalized role. Organizations recognized the need for experts who could use their knowledge of hacking techniques for legitimate, defensive purposes. The terms “ethical hacker” and “white hat hacker” emerged, and certifications like Certified Ethical Hacker (CEH) were introduced to provide formal training in the field.

Red Teaming | Simulations From the Cold War to the Corporate World

In contrast, the origins of red teaming can be traced back to military and strategic planning from the Cold War era, where it was employed as a tool for testing and refining defense strategies. Military organizations employed independent teams to simulate the tactics, strategies, and capabilities of potential adversaries. Called “red teams”, these testers helped defense planners assess vulnerabilities, evaluate their own strategies, and improve readiness in the event of real conflict.

Over time, the practice expanded beyond military circles to include corporate environments. Businesses began using red teaming as a means to test the security and resilience of their operations, including physical facilities and cybersecurity measures. The focus shifted to identifying weaknesses, vulnerabilities, and operational risks, rather than direct military threats.

In a modern context, organizations now use red teams to simulate cyberattacks and assess the effectiveness of their cybersecurity defenses. These teams employ various techniques to expose vulnerabilities and weaknesses in systems, networks, and applications, helping organizations enhance their security measures.

Blue Teaming | An Evolution of Proactive Network Protection

Blue teaming evolved in response to the need for organizations to take a proactive and defensive stance against cyber threats. It became more prominent with the growth of networked systems and critical infrastructure in the 1990s. Organizations recognized that they needed dedicated teams to focus on defense, monitoring, and incident response. These teams were tasked with assessing and improving the security measures in place, ensuring they were robust enough to withstand emerging threats.

The term “blue team” is derived from military war gaming exercises, where blue forces typically represent friendly and defensive elements. In cybersecurity, blue teams are responsible for protecting and fortifying an organization’s digital assets, including systems, networks, and data.

In the early 2000s, the advent of compliance regulations and standards such as the PCI-DSS and HIPAA further solidified the importance of blue teaming. Organizations had to demonstrate their commitment to safeguarding sensitive data, making blue teams a necessity.

Purple Teaming | Developing A More Holistic Approach to Cyber Defenses

Purple teaming is a relatively new and evolving concept, born out of the need for greater collaboration and knowledge sharing between red and blue teams. The term “purple teaming” is derived from the combination of red and blue, representing the merging of offensive (red) and defensive (blue) security operations. It has gained popularity as a response to an increasingly complex and adversarial threat landscape.

Purple teaming acts as a bridge between red and blue teams. In a purple team engagement, the offensive red team works closely with the defensive blue team. The red team provides insights into their tactics, techniques, and procedures (TTPs), while the blue team gains a deeper understanding of how to detect and respond to threats effectively. This cooperative approach helps organizations fine-tune their security measures and improve their overall cyber resilience.

The history of purple teaming is marked by a growing awareness of the need for a more holistic approach to cybersecurity. Organizations have recognized that sharing knowledge between red and blue teams is essential for a comprehensive understanding of their security posture. In doing so, purple teaming helps organizations adapt and strengthen their defenses against a wide range of evolving cyber threats.

Exploring The Complexities Behind Ethical Hacking

Ethical hackers are legally employed by organizations to assess and strengthen their cybersecurity defenses. These professionals are hired with the explicit consent and authorization of the company or institution they work with. Contracts and agreements clearly define the scope of their activities, ensuring that their actions are well within the boundaries of the law.

Ethical hackers operate under strict rules of engagement, abiding by legal and ethical guidelines while probing systems, networks, and applications for vulnerabilities. This transparent and consensual approach is essential to maintain the integrity of their work. At its core, the primary aim of ethical hacking is to improve security measures, protect sensitive data, and prevent cyber threats. Despite these good intentions though, ethical hacking is not without some practical complexities.

Regulating Ethical Hacking

The legal landscape surrounding ethical hacking is complex and nuanced, often varying from one jurisdiction to another. Navigating these legal boundaries can be challenging, as what is considered permissible in one region may inadvertently cross legal lines in another. For ethical hackers, this diversity of legal frameworks necessitates a deep understanding of the specific regulations and requirements in the areas where they operate.

Even with explicit authorization, they must remain vigilant and cautious to ensure that their activities conform to local laws and do not inadvertently violate any statutes. This legal intricacy underscores the need for not only ethical hacking skills but also a strong awareness of the legal framework in which they work, to guarantee their actions remain within the boundaries of the law.

Communication Is Key

Communication is another hurdle. Ethical hackers must clearly convey their findings to clients, who may not have a deep understanding of cybersecurity. Translating technical jargon into layman’s terms and helping clients prioritize remediation efforts can be a delicate task.

Ethical hackers must act as interpreters, bridging the gap between the technical aspects of their discoveries and the business implications they carry. They also play a critical role in helping clients prioritize remediation efforts by providing clear, actionable recommendations and risk assessments. This demanding role requires not only technical expertise but also strong interpersonal and communication skills, ensuring that clients can make informed decisions to bolster their security measures effectively.

Ethical Reporting Processes

Balancing the need for responsible disclosure is a pivotal ethical concern for ethical hackers. When they unearth critical vulnerabilities, the dilemma lies in how and when to report these findings. Timely disclosure is essential for organizations to patch vulnerabilities and protect their assets, but rushing the process can inadvertently inform malicious actors of weaknesses before mitigation measures are in place.

Ethical hackers must carefully weigh the urgency of disclosure against the potential risks, often following a structured responsible disclosure process. This entails notifying the affected organization, allowing them time to address the issue, and only revealing the vulnerability publicly once a fix is available, reducing the chances of exploitation by cybercriminals. Finding this equilibrium in the ethical tightrope walk is a constant challenge.

Implementing Ethical Hacking for the Modern Business

Modern enterprise businesses can collaboratively and safely work with ethical hackers to enhance their cybersecurity while adhering to a robust code of ethics. Here are key ways to establish a successful partnership:

  • Clear Legal Framework – Create a clear legal framework outlining the terms and conditions of the engagement. Contracts and agreements should explicitly state the scope of work, responsibilities, and liabilities, ensuring compliance with applicable laws.
  • Authorized Access – Ethical hackers must be granted an appropriate level of authorized access to the systems, networks, and applications they are testing. This access should be well-documented and any changes should be carefully monitored.
  • Informed Consent – Ensure that the organization provides informed and unequivocal consent for ethical hacking activities. This consent should be obtained from all relevant stakeholders, including legal and executive teams.
  • Code of Ethics – Create a comprehensive code of ethics or conduct for ethical hackers, emphasizing the principles of responsible disclosure, confidentiality, and professionalism. This code should outline expectations and responsibilities, ensuring alignment with the organization’s values.
  • Data Protection and Privacy – Protect sensitive data and ensure that ethical hackers handle it with the utmost care. Implement robust data protection measures and clearly define how data should be handled during testing.
  • Transparency – Foster open and transparent communication between the organization and ethical hackers. Regular updates and debriefings are essential to ensure that all parties are aware of the progress and findings.
  • Vulnerability Disclosure Process – Establish a vulnerability disclosure process that outlines how identified weaknesses are reported, addressed, and resolved. This process should include timelines for patching vulnerabilities and ensuring a smooth remediation cycle.
  • Documentation and Reporting – Ethical hackers should meticulously document their findings, including potential risks and possible exploits. This documentation is crucial for remediation and improvement efforts.

Augmenting Red, Blue & Purple Teaming with XDR

XDR, or Extended Detection and Response, plays a pivotal role in supporting and augmenting ethical hacking, red teaming, blue teaming, and purple teaming. Since XDR acts as an overarching security solution, it can bring these practices together, enhancing their effectiveness and bolstering the overall security posture.

Deep Visibility & Data Correlation

XDR provides ethical hackers with a more comprehensive view of an organization’s security landscape. It offers an integrated platform that collects, correlates, and analyzes data from multiple security tools, enabling ethical hackers to have a holistic understanding of potential vulnerabilities. This, in turn, empowers them to conduct more effective penetration tests, as they can better simulate real-world attack scenarios and discover intricate weaknesses.

Consolidated Data Streams

Red teaming benefits from XDR by gaining access to a broader set of data sources and enhanced visibility. XDR solutions can aggregate data from various security technologies, including intrusion detection systems, endpoint protection, and network traffic analysis, offering a consolidated view of the enterprise’s security posture. This consolidated data streamlines red team operations, making it easier to identify vulnerabilities and launch realistic cyberattack simulations.

Integrated Monitoring & Incident Response

Blue teaming thrives in an XDR environment due to the integrated monitoring and incident response capabilities. With XDR, blue teams can swiftly detect and respond to potential threats through real-time monitoring of security events and alerts. The cross-correlation of data from various sources allows blue teams to identify anomalies and potential breaches more effectively, improving response times and minimizing damage.

Collaborative Information Sharing

Purple teaming, which emphasizes collaboration between red and blue teams, is supported through XDR. XDR fosters information sharing between the teams and enables them to jointly assess an organization’s security readiness. By working with a consolidated dataset, the purple team can more effectively evaluate the organization’s response to simulated attacks and refine their defense strategies collaboratively.

XDR can enhance the efficiency and effectiveness of these cybersecurity practices by offering a single platform for data aggregation, correlation, and analysis. This unified approach not only streamlines operations but also enables a more agile and proactive response to emerging threats.


Cybercriminals are becoming more adept at exploiting vulnerabilities, making it imperative that organizations are equally effective in defending against these threats. Ethical hacking, red teaming, blue teaming, and purple teaming are not just cybersecurity measures; they have become strategic investments that secure not only data but also an organization’s reputation and day-to-day operations. By proactively seeking out weaknesses, organizations can significantly reduce the risks associated with data breaches, downtime, and financial losses.

Ethical hackers not only assist in finding vulnerabilities but also educate and train security teams to prevent future incidents. Red and blue teaming, representing the offense and defense in cybersecurity, help organizations strengthen their resilience. Purple teaming bridges the gap between red and blue, fostering collaboration, knowledge sharing, and mutual understanding. It enhances an organization’s ability to respond effectively to cyber threats.

When joined together with autonomous XDR capabilities, these practices foster a proactive culture of cybersecurity, reduce exposure to vulnerabilities, and provide invaluable insights for an organization’s security team. Beyond this, they help organizations comply with industry standards and regulations, which are essential in today’s highly regulated business environment.

To learn more about how Singularity XDR helps global enterprise businesses stay steps ahead of even the most advanced cyber threats, contact us today or book a demo.

NJ Man Hired Online to Firebomb, Shoot at Homes Gets 13 Years in Prison

A 22-year-old New Jersey man has been sentenced to more than 13 years in prison for participating in a firebombing and a shooting at homes in Pennsylvania last year. Patrick McGovern-Allen was the subject of a Sept. 4, 2022 story here about the emergence of “violence-as-a-service” offerings, where random people from the Internet hire themselves out to perform a variety of local, physical attacks, including firebombing a home, “bricking” windows, slashing tires, or performing a drive-by shooting at someone’s residence.

McGovern-Allen, of Egg Harbor Township, N.J., was arrested Aug. 12, 2022 on an FBI warrant, which showed he was part of a group of cybercriminals who are settling scores with one another by hiring people to carry out violent attacks on their rivals.

That Sept. 2022 story about his arrest included links to two videos released on Telegram that were recorded and shared by McGovern-Allen and/or a co-conspirator as “proof” that they had carried out the attacks as hired.

The first showed two young men tossing a Molotov Cocktail at the side of a residence in Abington Township, Pa, setting it ablaze. The second featured two men with handguns unloading multiple rounds haphazardly into the first story of a house in West Chester, Pa. Fortunately in both cases, the occupants of the homes were unharmed in the attacks.

Federal prosecutors said McGovern-Allen went by the alias “Tongue” on Discord, and that in one chat he was quite explicit about his violence-as-a-service offering.

“In the chats, [Tongue] tells other Discord users that he was the person who shot K.M.’s house and that he was willing to commit firebombings using Molotov Cocktails,” the complaint against McGovern-Allen explains. “For example, in one Discord chat from March 2022, [the defendant] states ‘if you need anything done for $ lmk [“let me know”]/I did a shooting/Molotov/but I can also do things for ur entertainment.”

The chat channels that Tongue frequented have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job. A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window.

McGovern-Allen was in the news not long ago. According to a Sept. 2020 story from The Press of Atlantic City, a then 19-year-old Patrick McGovern-Allen was injured after driving into a building and forcing residents from their home.

“Police found a 2007 Lexus, driven by Patrick McGovern-Allen, 19, that had lost control and left the road, crashing into the eastern end of the 1600 building,” the story recounted. “The car was driven through the steps that provide access to the second-floor apartments, destroying them, and also caused damage to the outer wall.”

A copy of McGovern-Allen’s sentencing statement says he pleaded guilty to three criminal counts, including two for stalking, and one for the use of fire in commission of a federal felony. The judge in the case gave McGovern-Allen 160 months in prison — about 13.3 years. After completing his sentence, McGovern-Allen will be on supervised release for three years.

The Good, the Bad and the Ugly in Cybersecurity – Week 42

The Good | Ragnar Locker’s Tor & Leak Sites Taken Down In International Seizure

Ragnar Locker took a serious blow this week when authorities seized the ransomware operation’s Tor negotiation and data leak sites. This is the latest takedown coordinated across over a dozen international authorities. Now, visitors to the once-infamous sites are greeted with a seizure message.

Source: BleepingComputer

Standing as one of the longest-running ransomware operations to date, Ragnar Locker activity began in late 2019 with a primary focus on infiltrating enterprises. In that time, Ragnar Locker has been highly successful at infiltrating corporate networks, moving laterally through systems, harvesting sensitive data, and encrypting computers within compromised networks. Encrypted files and stolen data are powerful bargaining chips in the operations’ double extortion schemes.

While many similar operators have moved to a Ransomware-as-a-Service (RaaS) model, Ragnar Locker has remained semi-private. It has refrained from promotion and recruitment, instead working with external operators to breach networks. Ragnar Locker is also known for pure data theft attacks, eschewing the file-locking techniques that are characteristic of most ransomware operations.

In March 2022, the FBI published a flash alert warning that at least 52 organizations across 10 critical infrastructure sectors had fallen victim to Ragnar Locker. Over the years, Ragnar Locker’s rap sheet has boasted numerous high-profile victims, including Energias de Portugal (EDP), Capcom, Campari, Dassault Falcon Jet, ADATA, and the City of Antwerp, Belgium. The seizure this week marks a significant win for cybersecurity law enforcement and reinforces the ongoing global effort to dismantle cyber threat infrastructures.

The Bad | Critical CI/CD RCE Flaw Actively Exploited By DPRK-Based Threat Actors

DPRK-based threat actors linked to the Lazarus Group are actively exploiting a critical security vulnerability in JetBrains TeamCity this week. Tracked as CVE-2023-42793 (CVSS score 9.8), the authentication bypass and remote code execution (RCE) flaw affects JetBrains’ continuous integration and continuous delivery (CI/CD) solution. The company reports a customer base of nearly 16 million developers globally, including several Fortune 100 companies. Security researchers have attributed the recent attacks to two factions within the Lazarus Group, which they refer to as Diamond Sleet (aka Hidden Cobra) and Onyx Sleet (aka Andariel).

Diamond Sleet has been observed employing two distinct attack methods. The first involves breaching TeamCity servers, followed by deploying an implant from previously compromised legitimate infrastructure. The second approach leverages the initial foothold to introduce a malicious DLL through DLL search-order hijacking. This facilitates the execution of a subsequent payload or a remote access trojan (RAT).

Onyx Sleet’s intrusions exploit the flaw to create a new user account whose name was likely chosen to impersonate the built-in Kerberos Ticket Granting Ticket (krbtgt) account. This account is then added to the local Administrators group before the attacker runs system discovery commands. Afterwards, a custom proxy tool is deployed, establishing a persistent connection between the compromised host and attacker-controlled infrastructure.

Since 2009, the Lazarus Group has earned a reputation for its sophisticated and persistent cyberattacks, namely financial crimes, espionage, and supply chain attacks. JetBrains urges users to apply patches and thoroughly monitor networks for signs of compromise. The U.S. National Security Council (NSC) believes that the revenue generated from these illicit activities funds North Korea’s missile program and the recently increasing number of launches.

As much of the world’s attention has been focused recently on the cyber threats emanating out of first the Russia-Ukraine war and now the Israel-Hamas war, these intrusions serve as a timely reminder that there are ongoing and diverse cyber threats posed by North Korean and other state-sponsored actors that still require our constant vigilance.

The Ugly | Cisco IOS XE Under Attack By Unpatched, In-The-Wild Zero-Day Flaw

Thousands of vulnerable enterprises are facing potential compromises this week from in-the-wild exploitation of CVE-2023-20198, a critical vulnerability affecting Cisco’s IOS XE software. This zero-day flaw is rated the maximum CVSS severity score of 10.0 and is rooted in the web UI feature. The bug affects enterprise networking equipment when the feature is enabled and reachable from the internet or other untrusted networks.

According to Cisco’s advisory, the vulnerability allows remote, unauthenticated attackers to create an account with privilege level 15 access on a compromised system. This account can then be used to gain full control of the system. The issue affects both physical and virtual devices running Cisco IOS XE software with the HTTP or HTTPS server feature enabled.

The latest reports tracking CVE-2023-20198 find that the flaw has given attackers privileged access, potentially allowing them to monitor network traffic, pivot into protected networks, and execute man-in-the-middle (MITM) attacks. Shodan scans show that over 14,000 internet-exposed devices with the web UI feature enabled are currently vulnerable to attack.

Source: Shodan

While the exact origins of the threat actor behind these attacks are unclear, Cisco suggests that the initial cluster of activity seen in September may have been the actor’s testing phase, while October activity reflects an expansion of operations, including the establishment of persistent access. This has prompted CISA to issue an advisory, to add the zero-day to its Known Exploited Vulnerabilities (KEV) catalog, and, through that listing, to trigger its Binding Operational Directive (BOD) remediation requirements for federal civilian agencies.

Though there is no patch available at the time of this writing, Cisco recommends disabling the HTTP server feature on all internet-facing systems and then running the copy running-configuration startup-configuration command to save the running configuration. This ensures the HTTP server feature is not unexpectedly re-enabled in the event of a system reload, Cisco said.
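The two things a network team actually has to check on each IOS XE box are whether the web UI is reachable and whether an unexpected privilege-15 local user has appeared, which is what exploitation of this bug creates. The script below is an added example, not code from Cisco or from the original post: it audits a running-config as captured from show running-config and emits the remediation commands Cisco describes (disable the HTTP and HTTPS servers, then save to startup-config). The config text, hostname and usernames are constructed for the example, and the set of "expected" admin accounts is an assumption you would replace with your own inventory.

```python
"""
Audit a Cisco IOS XE running-config for the CVE-2023-20198 exposure conditions:
  * web UI listeners (ip http server / ip http secure-server) enabled, and
  * privilege-15 local users that are not in the known-admin inventory.
The config below is constructed for this example; the hostname, usernames
and EXPECTED_ADMINS set are illustrative assumptions, not real device data.
"""
import re

SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
username svc_backup privilege 15 secret 9 $9$def
username monitor privilege 1 secret 9 $9$ghi
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Assumption: the only privilege-15 account this device should carry.
EXPECTED_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)


def http_server_state(config: str) -> dict:
    """Which web-UI listeners are on. If the active-session-modules are set to
    'none' the HTTP server stays up but the web UI itself is not served."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
        "http_modules_none": "ip http active-session-modules none" in lines,
        "https_modules_none": "ip http secure-active-session-modules none" in lines,
    }


def unexpected_priv15_users(config: str, expected: set) -> list:
    """Privilege-15 usernames not present in the expected-admin inventory."""
    return sorted(
        name for name, level in USER_RE.findall(config)
        if int(level) == 15 and name not in expected
    )


def audit(config: str, expected_admins: set) -> list:
    """Human-readable findings; an empty list means nothing to act on."""
    findings = []
    state = http_server_state(config)
    if state["http"] and not state["http_modules_none"]:
        findings.append("web UI reachable over HTTP (ip http server)")
    if state["https"] and not state["https_modules_none"]:
        findings.append("web UI reachable over HTTPS (ip http secure-server)")
    for user in unexpected_priv15_users(config, expected_admins):
        findings.append(f"unexpected privilege-15 user: {user}")
    return findings


def remediation_commands(config: str) -> list:
    """IOS XE CLI lines that disable the web UI and persist the change."""
    state = http_server_state(config)
    if not (state["http"] or state["https"]):
        return []
    return [
        "configure terminal",
        "no ip http server",
        "no ip http secure-server",
        "end",
        "copy running-config startup-config",
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG, EXPECTED_ADMINS):
        print("FINDING:", finding)
    for cmd in remediation_commands(SAMPLE_RUNNING_CONFIG):
        print("FIX:", cmd)
```

The unexpected-user check is deliberately inventory-based rather than name-based: an attacker chooses whatever username looks least suspicious, so the only reliable signal is "privilege 15 and not on our list".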

Hackers Stole Access Tokens from Okta’s Support Unit

Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a “very small number” of customers; however, it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.

In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These files are sensitive because they can include the customer’s cookies and session tokens, which an intruder can replay to impersonate the valid user without ever knowing a password or passing an MFA prompt.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” their notice continued. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
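Okta's advice to sanitize a HAR before sharing it is easy to state and easy to get wrong, because the same token can appear in several places: the Cookie and Set-Cookie headers, the structured cookies array, an Authorization header, a query parameter, a JSON request body, and a JSON response body. The script below is an added example, not Okta's tooling or code from the original post. It walks every entry in a HAR file and redacts each of those locations, then re-checks its own output. The sample HAR, the example.okta.com hostname and the token values are constructed; the header and cookie names are the usual ones for an Okta tenant but are assumptions here.

```python
"""
Sanitize a HAR (HTTP Archive) file before sharing it with a support team.
Redacts credential-bearing headers, all cookie values, token-like query and
form parameters, and token-like keys inside JSON request/response bodies.
The SAMPLE_HAR below is constructed for this example.
"""
import copy
import json
import re

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-okta-xsrftoken"}
# Parameter / JSON key names that usually carry a secret.
SENSITIVE_KEY_RE = re.compile(r"token|session|sid|password|secret|auth|code", re.I)
# Rewrites  "sessionToken": "abc"  ->  "sessionToken": "[REDACTED]"  inside JSON text.
JSON_KV_RE = re.compile(
    r'("[^"]*(?:token|session|sid|password|secret|auth|code)[^"]*"\s*:\s*)"[^"]*"', re.I)

SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.okta.com/api/v1/sessions?expand=user",
        "headers": [
            {"name": "Cookie", "value": "sid=102AbCdEfSeSsIoN; JSESSIONID=9F3A"},
            {"name": "Authorization", "value": "SSWS 00ApiTokenValue"},
            {"name": "Content-Type", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "102AbCdEfSeSsIoN"}],
        "queryString": [{"name": "expand", "value": "user"}],
        "postData": {"mimeType": "application/json",
                     "text": "{\"sessionToken\": \"20111OneTimeToken\"}"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=NewSessionValue; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "NewSessionValue"}],
        "content": {"mimeType": "application/json",
                    "text": "{\"id\": \"101W\", \"userId\": \"00u1abc\"}"},
    },
}]}}

SECRETS_IN_SAMPLE = ["102AbCdEfSeSsIoN", "9F3A", "00ApiTokenValue",
                     "20111OneTimeToken", "NewSessionValue"]


def _scrub_pairs(pairs: list, only_sensitive_names: bool) -> None:
    """Redact name/value pairs in place (headers, cookies, params)."""
    for pair in pairs:
        name = pair.get("name", "")
        if not only_sensitive_names or SENSITIVE_KEY_RE.search(name):
            pair["value"] = REDACTED


def _scrub_text(text: str) -> str:
    return JSON_KV_RE.sub(r'\1"' + REDACTED + '"', text)


def sanitize_har(har: dict) -> dict:
    """Return a deep-copied HAR with secrets redacted; the input is untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            # Cookie names are useful for debugging; values never are.
            _scrub_pairs(msg.get("cookies", []), only_sensitive_names=False)
        req = entry.get("request", {})
        _scrub_pairs(req.get("queryString", []), only_sensitive_names=True)
        post = req.get("postData")
        if post:
            _scrub_pairs(post.get("params", []), only_sensitive_names=True)
            if "text" in post:
                post["text"] = _scrub_text(post["text"])
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = _scrub_text(content["text"])
    return har


def residual_secrets(har: dict, known_secrets: list) -> list:
    """Post-check: which known secret strings still appear anywhere in the HAR."""
    blob = json.dumps(har)
    return [s for s in known_secrets if s in blob]


if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("leftover secrets:", residual_secrets(clean, SECRETS_IN_SAMPLE))
```

The residual_secrets check exists because regex-based redaction is a heuristic: run it with the actual values from your browser's cookie jar before the file leaves your machine, and treat any hit as a reason to hand-edit rather than share.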

The security firm BeyondTrust is among the Okta customers who received Thursday’s alert from Okta. BeyondTrust Chief Technology Officer Marc Maiffret said that alert came more than two weeks after his company alerted Okta to a potential problem.

Maiffret emphasized that BeyondTrust caught the attack earlier this month as it was happening, and that none of its own customers were affected. He said that on Oct. 2, BeyondTrust’s security team detected that someone was trying to use an Okta account assigned to one of their engineers to create a highly privileged administrator account within their Okta environment.

When BeyondTrust reviewed the activity of the employee account that tried to create the new administrative profile, they found that — just 30 minutes prior to the unauthorized activity — one of their support engineers shared with Okta one of these HAR files that contained a valid Okta session token, Maiffret said.

“Our admin sent that [HAR file] over at Okta’s request, and 30 minutes after that the attacker started doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to act on behalf of that user,” he said.
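What BeyondTrust describes is the canonical shape of a session-token replay: a session established by a real user from one client, followed within minutes by privileged actions on that same session from a different IP address and user agent. The detector below is an added example, not BeyondTrust's or Okta's code, and it runs over a constructed, flattened event stream rather than a real Okta System Log. The field names are assumptions chosen to mirror the System Log (in the real export they sit under actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent and authenticationContext.externalSessionId), and the event types listed are the Okta events that matter for privilege escalation.

```python
"""
Flag sessions whose client context (IP / user agent) changes after login and
list the privileged actions taken from the new context. EVENTS is constructed
for this example; usernames, IPs and session ids are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Okta event types that create or elevate an account.
PRIVILEGED_EVENTS = {
    "user.lifecycle.create",
    "user.account.privilege.grant",
    "group.user_membership.add",
}

EVENTS = [
    # Legitimate engineer session from a workstation.
    {"published": "2023-10-02T14:00:00Z", "eventType": "user.session.start",
     "actor": "eng1@example.com", "sessionId": "idx_a",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/117"},
    {"published": "2023-10-02T14:10:00Z", "eventType": "user.authentication.sso",
     "actor": "eng1@example.com", "sessionId": "idx_a",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Macintosh) Chrome/117"},
    # Same session id, different source, 31 minutes later: replayed token.
    {"published": "2023-10-02T14:31:00Z", "eventType": "user.lifecycle.create",
     "actor": "eng1@example.com", "sessionId": "idx_a",
     "ip": "198.51.100.7", "ua": "python-requests/2.31", "target": "svc-admin@example.com"},
    {"published": "2023-10-02T14:32:00Z", "eventType": "user.account.privilege.grant",
     "actor": "eng1@example.com", "sessionId": "idx_a",
     "ip": "198.51.100.7", "ua": "python-requests/2.31", "target": "svc-admin@example.com"},
    # A second admin doing the same kind of work from a stable context: benign.
    {"published": "2023-10-02T14:05:00Z", "eventType": "user.session.start",
     "actor": "eng2@example.com", "sessionId": "idx_b",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Windows) Firefox/118"},
    {"published": "2023-10-02T14:20:00Z", "eventType": "user.lifecycle.create",
     "actor": "eng2@example.com", "sessionId": "idx_b",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Windows) Firefox/118", "target": "newhire@example.com"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_hijack(events: list) -> list:
    """One alert per session whose IP or user agent diverges from its first event."""
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: _ts(e["published"])):
        by_session[event["sessionId"]].append(event)

    alerts = []
    for session_id, evs in by_session.items():
        origin = evs[0]
        divergent = [e for e in evs[1:]
                     if e["ip"] != origin["ip"] or e["ua"] != origin["ua"]]
        if not divergent:
            continue
        first = divergent[0]
        alerts.append({
            "session": session_id,
            "actor": origin["actor"],
            "origin_ip": origin["ip"],
            "new_ip": first["ip"],
            "new_ua": first["ua"],
            "minutes_after_login": (_ts(first["published"]) - _ts(origin["published"])).total_seconds() / 60,
            "privileged_actions": [e["eventType"] for e in divergent
                                   if e["eventType"] in PRIVILEGED_EVENTS],
            "targets": sorted({e["target"] for e in divergent if "target" in e}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijack(EVENTS):
        print(alert)
```

The rule keys on the session identifier rather than on the actor, because the whole point of a replayed cookie is that the actor looks legitimate; only the client context and the timing give it away. Tuning note: mobile users roaming between networks will change IP mid-session, so in production you would weight the user-agent change and the privileged-action list more heavily than the IP change alone.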

Maiffret said BeyondTrust followed up with Okta on Oct. 3 and said they were fairly confident Okta had suffered an intrusion, and that he reiterated that conclusion in a phone call with Okta on October 11 and again on Oct. 13.

In an interview with KrebsOnSecurity, Okta’s Deputy Chief Information Security Officer Charlotte Wylie said Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a result of a breach in its systems. But she said that by Oct. 17, the company had identified and contained the incident — disabling the compromised customer case management account, and invalidating Okta access tokens associated with that account.

Wylie declined to say exactly how many customers received alerts of a potential security issue, but characterized it as a “very, very small subset” of its more than 18,000 customers.

The disclosure from Okta comes just weeks after casino giants Caesars Entertainment and MGM Resorts were hacked. In both cases, the attackers managed to social engineer employees into resetting the multi-factor login requirements for Okta administrator accounts.

In March 2022, Okta disclosed a breach by LAPSUS$, a criminal group that specialized in social-engineering employees at targeted companies. An after-action report from Okta on that incident found that LAPSUS$ had social engineered its way onto the workstation of a support engineer at Sitel, a third-party outsourcing company that had access to Okta resources.

Okta’s Wylie declined to answer questions about how long the intruder may have had access to the company’s case management account, or who might have been responsible for the attack. However, she did say the company believes this is an adversary they have seen before.

“This is a known threat actor that we believe has targeted us and Okta-specific customers,” Wylie said.

Update, 2:57 p.m. ET: Okta has published a blog post about this incident that includes some “indicators of compromise” that customers can use to see if they were affected. But the company stressed that “all customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”

Update, 3:36 p.m. ET: BeyondTrust has published a blog post about their findings.