The Good, the Bad and the Ugly in Cybersecurity – Week 23

The Good | FBI Obtains 7000 LockBit Decryption Keys

Past victims of LockBit ransomware received a boon this week from the FBI who revealed they obtained over 7000 decryption keys which can be used to recover encrypted data. This was announced at the 2024 Boston Conference on Cyber Security, where both known and suspected victims of the notorious threat group were invited to come forward to restore their systems.

FBI Cyber Division Assistant Director Bryan Vorndran delivers a keynote address at the 2024 Boston Conference on Cyber Security (Source: FBI)

This new initiative follows the February takedown of LockBit’s infrastructure via ‘Operation Cronos’ – a collaborative effort between several international law enforcement agencies. Since 2020, LockBit has cost $91 million in losses within the U.S. alone with targets spanning across several critical sectors and industries. In the February operation, authorities were able to seize multiple darknet domains operated by LockBit leading to the disruption of the primary infrastructure that hosted their Ransomware-as-a-Service model.

In March, Mikhail Vasiliev was sentenced for his significant administrative role within LockBit operations and pled guilty to eight charges including cyber extortion, cyber mischief, and weapons-related allegations. Later in April, police unmasked some 200 affiliates of LockBit when they matched a list of pseudonyms used by the ransomware gang to suspected cybercriminals.

Though the gang has experienced major setbacks this year, they have also been able to resume posting old and new stolen data on leak sites, though without the same level of pre-seizure momentum. The U.S. Department of State continues to offer a reward up to $10 million for information leading to the arrest or conviction of several LockBit leaders and affiliates at large.

The Bad | Russian-Linked RaaS Attacks Pathology Provider, Interrupting Critical Services Across Major NHS Hospitals

A ransomware attack on Synnovis, a pathology and diagnostic services provider, caused major disruptions to NHS hospitals across London, U.K. this week. The developing incident is impacting critical services such as blood transfusions as well as operations and procedures relying on pathology services. These services have since been canceled or redirected, though the NHS has stated that emergency care services remain available.

The National Cyber Security Centre (NCSC), which is investigating the attack, reports that the ransomware attack is likely the work of Russian-based cybercriminals known as Qilin. CEO of the NCSC, Ciaran Martin, says, “They’re simply looking for money” despite the British government’s policy against paying ransom demands. Martin describes the attack on Synnovis as “one of the more serious” seen in the U.K.

Qilin ransomware was first observed in July of 2022 and operates as a Ransomware-as-a-Service (RaaS). The group specializes in double extortion, demanding payment for a decryptor and the release of exfiltrated data. Qilin is known to target large enterprises and high-value targets (many in the Commonwealth of Independent States) and has listed over 130 companies on their dark web leak site over the past two years. Notably, Qilin attackers target their victims through phishing and spear phishing campaigns, and often leverage exposed applications and interfaces like remote desktop protocol (RDP). The RaaS outfit also recruits heavily in well-known underground forums and dark markets.

The critical healthcare sector continues to be a lucrative target for cyberattackers. Factors such as weak security infrastructures, lack of cyber expertise, third-parties, and aging software systems all contribute to an increasingly high risk of compromise. Working with cybersecurity providers can help healthcare providers keep their patient data safe, manage their regulatory compliance controls, and ensure continuous care for those in need.

The Ugly | Identity-Based Attacks Target Unprotected Snowflake Cloud Storage Accounts

Recent data breaches at Ticketmaster and Santander Bank this week serve as a marked reminder of how important cyber hygiene is in today’s digital landscape. A threat actor known as ‘ShinyHunters’ has reportedly taken responsibility for these breaches, claiming that they stole the data by compromising an employee account at Snowflake, a cloud storage provider. Snowflake has disputed this, clarifying that the source of the breaches was due to poor credential hygiene on targeted accounts.

The initial report from researchers said that the threat actors bypassed authentication processes through a compromised Snowflake employee’s ServiceNow account before generating session tokens to exfiltrate data. These credentials were allegedly stolen in October 2023 when the employee was infected by an infostealer. Later, this report was taken down.

ShinyHunters claim to be selling a trove of stolen data from the recent breaches including: the personal and financial data of 560 million Ticketmaster customers, banking information of 30 million Santander clients and employees, and 3TB of sales history and transactional data from Advance Auto Parts.

Snowflake representatives have since stated that while the threat actor is targeting user accounts that have multi-factor authentication (MFA) disabled, there is no evidence of exploiting misconfigurations or vulnerabilities in the platform infrastructure. Snowflake has released a list of IoCs here and urges customers to enable MFA, limit network traffic to only trusted locations, and reset all credentials. CISA recommends that customers stay alert for suspicious activity and take steps to prevent unauthorized access.

Under the cloud shared responsibility model, end-users are also responsible for following certain standard security best practices such as MFA to reduce risk. Despite the murky details and disputes developing alongside these incidents, what’s clear is how crucial basic security hygiene is for modern enterprises using cloud technology.

AWS Integrations | Enhancing Visibility & Powering Threat Hunting

As organizations go beyond simply migrating to the cloud and use cloud services strategically to accelerate their business outcomes, securing the cloud footprint has become a key element of this strategy. It’s also becoming increasingly complex with most organizations using multiple clouds, SaaS-based tools, and security solutions within their stack to protect them. Gaining consistent visibility, prioritizing the most critical alerts and risks, and having the data to complete robust threat hunting and remediation means organizations can ensure strong security outcomes.

Many cloud service providers, including Amazon Web Services (AWS), are increasing the number of native security services and integration points for security partners to help customers gain the data they need to protect their business. These include AWS Security Hub, Amazon GuardDuty, Amazon Security Lake, and more. SentinelOne’s integrations with AWS native services and ingestion of AWS logs is a strategic focus to help customers stay secure.

This blog post explores the benefits of this integration, focusing on how it enhances security outcomes, leverages the AWS shared responsibility model, and improves visibility and threat hunting capabilities through the SentinelOne Singularity Platform.

Revisiting the Shared Responsibility Model

AWS focuses on security, both of the infrastructure and in equipping customers to make the best security decisions for their environments. Although AWS provides many security focused features and services, it recognizes the value and expertise of security vendors and chooses to prioritize a partner model, for innovation, integration, and even co-selling, that matches customers with the right security solutions for their business.

Part of the security approach with AWS is the Shared Responsibility Model, which delineates the security responsibilities between AWS and the customer. AWS is responsible for the security “of” the cloud, ensuring the infrastructure (hardware, software, networking, and facilities) that runs all AWS services. Customers are responsible for security “in” the cloud, which includes the configuration and management of the AWS services they use, data protection, and identity management. By partnering in security technologies, AWS and SentinelOne help organizations effectively manage their responsibilities within this model with leading-edge security solutions such as Singularity Cloud Security and Purple AI.

Singularity Marketplace

All SentinelOne integrations with AWS (and other technology partners) are available in the Singularity Marketplace, accessed directly from the SentinelOne management console. The process of downloading and installing these applications and integrations is user-friendly, involving simple click-throughs with clear guidance and documentation. This not only simplifies the operational aspect of security deployments but also minimizes the need for extensive manual configuration, allowing teams to focus more on strategic security tasks rather than technical setup.

The Singularity Marketplace dashboard displaying several of the 18 AWS integrations available

Streamlining Data for Better Security Outcomes

Many of the SentinelOne and AWS integrations focus on SentinelOne ingesting key AWS data, or even third-party data stored in AWS, to help connect disparate or siloed datasets. By using AI and normalizing data using the latest in Open Cybersecurity Schema Framework (OCSF) standards, the entire security process can be streamlined.

Key benefits of these types of integrations include:

  1. Accelerated threat detection, including advanced threat hunting – With real-time data from AWS services and data collected from SentinelOne solutions, customers can detect and respond to threats more quickly and accurately using AI-powered engines and the SentinelOne Storyline™ feature.
  2. Faster response and remediation times – By integrating first and third-party resources, threats can be mitigated quickly in entirety, ensuring business continuity.
  3. Streamlined security operations – By automating the ingestion, normalization, and analysis of logs, it reduces the workload on security teams. Purple AI can further streamline this as an automated SOC assistant.
  4. Improved compliance and reporting – Centralized logging and monitoring help meet regulatory requirements and simplify audit processes.

Integrating SentinelOne with AWS native services such as AWS AppFabric, Security Hub, Amazon Security Lake, and GuardDuty offers today’s businesses a comprehensive and leading-edge approach to securing their cloud environments.

Integrations with AWS Native Services

The SentinelOne Singularity Platform has had integrations with AWS native services for several years, and the list grows every year, notably with Amazon Security Lake and Amazon AppFabric. SentinelOne’s platform is known for being AI-driven, able to do advanced threat hunting using features like Storyline™. With the addition of Cloud Native Security (CNS) and Singularity™ Data Lake it’s become the ideal enterprise security platform for AWS customers to use. Here is a brief overview of just some of the newest, and most commonly used integrations between SentinelOne and AWS.

AWS Security Hub

AWS Security Hub provides a centralized platform to manage and aggregate security alerts from multiple AWS accounts and services, enhancing the visibility and management of security threats. The SentinelOne integration for Security Hub sends threat information from SentinelOne Agents running on AWS workloads to AWS Security Hub. AWS Security Hub then aggregates, organizes, and prioritizes security alerts that enable security teams to respond to any threats in progress. The integration retrieves results, including metadata from the SentinelOne Management Console, and pushes them to Security Hub. The incidents are converted to the AWS Security Finding Format (ASFF) for incident investigation.

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This integration enables collection and analysis of logs from GuardDuty into the Singularity Cloud Security Platform for correlation and further analysis.

Amazon Security Lake

Amazon Security Lake is an AWS security service that unifies and evaluates security logs from cloud and on-premises sources. Singularity™ Cloud Security and the Amazon Security Lake use OCSF to simplify log analysis. This is a particularly interesting integration as both SentinelOne and AWS offer Security Lakes with SentinelOne’s new solution, Singularity™ Data Lake. SentinelOne will ingest logs from the Amazon Security Lake as part of the initial integration. The second phase of this integration, a bi-directional feed, is planned and will allow customers to choose the best option depending on their requirements.

AWS CloudTrail

AWS CloudTrail records actions by a user, role, or AWS service from the AWS Management Console, command-line interface, SDKs, or APIs. This integration lets you ingest CloudTrail logs. In SentinelOne you can view, monitor, and query the data in Singularity™ Data Lake.

AWS Config

AWS Config is a service that provides an inventory and configuration history of AWS resources. The service helps you understand how your infrastructure is set up, how it is evolving, and whether it complies with your organization’s policies and security standards. The integration lets you import AWS Config events into SentinelOne so you can view, monitor, and query the data in Singularity™ Data Lake.

AWS AppFabric

AWS AppFabric gathers and organizes log information from commonly used apps and productivity tools like Asana, Slack, Zoom, Microsoft 365, and Google Workspace. This makes it easier to monitor all your applications and saves money by avoiding the need for individual connections between each one. This integration allows logs from AppFabric to be collected and analyzed in the Singularity Cloud Security Platform using the OCSF format.

The AWS AppFabric integration ingests logs from AWS directly into the Singularity Data Lake

Conclusion

Incorporating SentinelOne with AWS native services and logs is a strategic move for organizations looking to bolster their security posture. By leveraging the AI-powered capabilities of SentinelOne and the comprehensive capabilities of AWS services such as AppFabric, Security Hub, Amazon Security Lake, and GuardDuty, organizations can achieve better security outcomes. These integrations enhance visibility, streamline operations, and enable proactive threat management, all while aligning with the AWS shared responsibility model.

Take a self guided tour of the SentinelOne Singularity™ solutions here. To learn more about SentinelOne solutions optimized for AWS customers, visit us at booth 427 at AWS re:Inforce happening June 10-12 or, see our CNAPP solution in the AWS Marketplace.


PinnacleOne ExecBrief | Chips and Spies – Insider Threats as China Seeks to Evade Controls

Last week, PinnacleOne examined the digital “great game” in the Middle East, where AI, nuclear energy, and geopolitical competition converge.

This week, we highlight how China’s strategy for evading semiconductor technology controls is driving an increased insider threat issue for leading western enterprises.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com.

Insight Focus | Chips and Spies

Chips may be the new oil, but there is no petroleum intellectual property buried under the ground to steal. As nations see their economic and strategic futures increasingly dependent on securing digital supply chains, the semiconductor industry is now the front line for intense economic espionage activity and commercially motivated insider threat.

China’s Strategy for Evading Semiconductor Technology Controls

A CSIS report from last year described “China’s New Strategy for Waging the Microchip Tech War.” The report identified the ZTE crisis in April 2018 as a pivotal moment in China’s changing strategic thinking on semiconductors. The U.S. export controls imposed on the Chinese telecommunications giant served as a wake-up call, prompting China to elevate semiconductors from an economic priority to a national security imperative. This imperative has become only more intense as U.S. and allied technology controls tightened over the last two years, becoming now a de facto semiconductor blockade on China for leading edge technologies.

As Chinese intelligence agencies and national semiconductor champions explicitly target key industries through insider and cyber espionage to bolster China’s economic and military capabilities, semiconductor firms find themselves in the targeting bullseye.

In response, China has adopted a four-pronged strategy aimed at:

  • Limiting its exposure to foreign pressure
  • Deterring U.S. and allied actions
  • Increasing international dependence on its semiconductor industry
  • Harnessing the power of AI for economic and military advantages

This strategic shift has led to a more aggressive approach to acquiring foreign semiconductor technologies, with insider IP theft emerging as a key tactic. The blurred lines between state-sponsored espionage and commercial IP theft complicate the threat landscape – Huawei doesn’t need to be told by the MSS to steal valuable IP from its competitors, though it will take their support if offered.

As the Chip Four strengthen multilateral export control enforcement on China and slow AI chip exports to the Middle East (seen as a backdoor for China), China will amp up the use of illicit and covert means to circumvent restrictions. This is exactly what we’ve seen.

Surge of Insider IP Theft Incidents

Against the backdrop of China’s shifting strategy, the semiconductor industry has witnessed a surge in insider IP theft incidents, many involving employees of Chinese descent allegedly stealing confidential data and trade secrets from their employers.

Just last week, an incident was reported at SK hynix where a former Chinese employee was arrested for allegedly stealing over 3,000 pages of confidential data on atomic layer deposition (ALD) equipment used in DRAM manufacturing processes. Hired in 2013, the employee worked in the department responsible for analyzing defects in semiconductor designs and was most recently involved in consultations with business-to-business clients in China. China has not yet been able to develop ALD equipment needed for precise and uniform deposition of advanced chips. The Chinese national returned to Korea in June 2022, and left to join Huawei the same month.

Other similar incidents over the past few years include:

  • In March 2024, a former Google engineer named Linwei Ding, a Chinese national, was charged by the U.S. Department of Justice for allegedly stealing hundreds of Google’s classified AI files while secretly working for two Chinese companies, including an Ant Group affiliate called Beijing Rongshu Lianzhi Technology Company.
  • In February 2024, an ex-Apple engineer was sentenced to prison for stealing self-driving car technology before attempting to flee to China.
  • In June 2023, Haoyang Yu, a former engineer from Lexington, Massachusetts, was sentenced to six months in prison for possessing a stolen semiconductor trade secret from his former employer, Analog Devices, Inc. He was found guilty of using the stolen design to start his own microchip business.
  • In February 2023, a court found seven former employees of Samsung guilty of illegally obtaining and transferring semiconductor-related technology to Chinese companies. The information related to semiconductor cleaning equipment and was classed as “national core technologies” protected by South Korean laws.
  • In September 2021, a former employee of Applied Materials was convicted of possessing stolen trade secrets related to proprietary LCD chip technology, while two other employees were acquitted. Three other employees were initially charged with conspiracy to steal trade secrets under the allegation they planned to use them to launch a US/China-based competitor but were not convicted.

Developing a Comprehensive Insider Threat Program

As we described in an earlier ExecBrief, technology companies need to recognize and address the threat of malicious insiders. To effectively combat the rising tide of insider IP theft, semiconductor firms must develop and assess a comprehensive set of insider threat scenarios tailored to their unique threat model, technical controls, organizational design, and internal culture. The following example threat scenarios can guide insider trust program assessment.

Insider Threat Scenarios for Security Control Validation and Program Assessment

In particular, firms can take the following approach to build a robust insider threat program:

  1. Define a tailored set of insider threat scenarios:
    • Consider both nation-state actors and lone-wolf/commercial threat actors, identifying plausible targets and objectives specific to the firm’s critical assets and IP.
    • Map out potential attack paths and exploitation methods used by insiders, such as exfiltration via USB/cloud storage, installing remote access tools, or destroying critical data.
    • Develop a comprehensive set of scenarios that reflect the firm’s unique threat model and risk profile.
  2. Assess current security controls against these scenarios:
    • Evaluate the effectiveness of existing technical controls, such as data loss prevention, access monitoring, and endpoint security, in detecting and preventing insider actions described in the scenarios.
    • Identify gaps in visibility, detection capabilities, and response procedures.
  3. Evaluate organizational design and internal culture:
    • Analyze how the firm’s structure, processes, and culture may enable or mitigate insider threats, assessing factors such as employee screening, segregation of duties, access management, and security awareness.
    • Identify potential weaknesses or inconsistencies that insiders could exploit.
  4. Develop a roadmap for improvements:
    • Prioritize areas for enhancing insider threat defenses based on the gaps identified in the assessment phase.
    • Define clear action items across people, process, and technology domains, such as deploying additional monitoring tools, refining incident response playbooks, improving access controls, and providing targeted security training.
    • Set timelines and assign accountability for implementation.
  5. Implement program enhancements and conduct ongoing validation:
    • Execute the improvement roadmap in a phased manner, continuously testing and validating security controls against updated insider threat scenarios.
    • Engage third-party experts as needed to assess program maturity and identify further opportunities for improvement.
  6. Foster a culture of insider threat awareness:
    • Regularly communicate the importance of insider threat prevention to all employees, encouraging the reporting of suspicious activities through clear and safe channels.
    • Provide role-specific training on identifying and responding to potential insider incidents, and recognize and reward employees who demonstrate strong security practices.

By following these steps and tailoring them to their specific context, semiconductor firms can develop a robust insider threat program that addresses the full spectrum of risks posed by malicious, negligent, or compromised employees. Regular scenario-based testing and iterative improvement will ensure the program remains effective as the threat landscape evolves.

Going Forward

The semiconductor industry stands at a critical juncture, facing an onslaught of state-directed and commercially motivated IP theft that threatens a geostrategic industry. As geopolitical competition intensifies and the boundaries between economic development and national security blur, semiconductor companies must adapt to this new reality and take decisive action to safeguard their invaluable assets and personnel.

The Good, the Bad and the Ugly in Cybersecurity – Week 22

The Good | Two Major Botnets Taken Down by Collaborative DoJ and Europol Operations

The botnet industry took a serious hit this week as law enforcement in the U.S. and in Europe executed two major operations to dismantle 911 S5 – likely one of the world’s largest botnets, and an extensive ecosystem of malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot, respectively.

DoJ-led Operation Tunnel Rat successfully disrupted and seized the notorious 911 S5 residential proxy botnet and arrested its administrator, Chinese national YunHe Wang (35). Wang’s current charges stem from his deployment of malware and the creation and operation of the botnet service. According to the indictment, Wang and his co-conspirators amassed a network of over 19 million residential Windows devices globally, including 613,841 IP addresses located in the United States alone.

911 S5 revenue was generated by offering cybercriminals access to infected IP addresses for a fee. Over its years of operation, the 911 S5 botnet facilitated numerous large-scale cyberattacks, financial and identity schemes, child exploitation, bomb threats, and more. Wang faces 65 years in prison if convicted on all counts.

Europol’s Operation Endgame saw similar success by targeting over 100 servers worldwide that feed several major malware droppers. Malware droppers serve to introduce harmful payloads into a victim’s system, acting like an initial access point and delivery vehicle for ransomware, spyware, keyloggers, trojans and more. After seizing an infrastructure hosting over 2000 domains, the agency arrested four individuals and identified eight fugitives linked to associated malware operations. According to reports, one of the main suspects involved made $74.5 million USD by renting out their infrastructure for ransomware deployment. Operation Endgame is being lauded as the largest operation against botnets and a marked step forward in disrupting the ransomware landscape.

The Bad | Proof-of-Concept Exploit Released for Critical RCE Flaw in Fortinet’s SIEM Appliances

An exploit has been released for a maximum severity remote code execution (RCE) flaw in Fortinet’s security information and event management (SIEM) solution. Described as an improper neutralization of elements in an OS command injection within FortiClient FortiSIEM (versions 6.4.0 and higher), CVE-2024-23108 allows attackers to execute unauthorized code or commands via crafted API requests.

Security researchers providing a technical analysis of the issue noted that CVE-2024-23108 was patched in February along with another critical severity RCE bug tracked as CVE-2024-23109. Initially, Fortinet claimed these two flaws were duplicates of a similar flaw (CVE-2023-34992) patched in October; however, they later confirmed that the CVEs were variants of the original vulnerability.

Now, the newly released proof-of-concept (PoC) shows that while the first patches attempted to neutralize user-controlled inputs by adding a wrapShellToken() utility, there is actually a second order command injection remaining when certain parameters are passed to datastore.py.

datastore.py validating server_ip (Source: Horizon3.ai)

Ransomware outfits commonly target Fortinet vulnerabilities to obtain initial access to corporate and government organizations. Such flaws are also often seen in cyber espionage attacks, where the threat actors can establish a beachhead to target several high-value victims quickly. Placing an emphasis on regular patch management and system log monitoring in conjunction with robust monitoring and detection technology that covers all attack surfaces minimizes the risk of data loss and business disruptions.

The Ugly | PyPi Info-Stealer Promoted On Stack Overflow By Threat Actors Posing As Helpful Contributors

The online developer community Stack Overflow is reportedly being exploited by threat actors to distribute malware. Blending into the Q&A structure of the platform, actors have been observed answering questions and promoting a malicious PyPi package named ‘pytoileur’. Security researchers reporting the discovery describe how the package installs information-stealing malware on Windows systems to perform surveillance, establish persistence, and steal cryptocurrency.

(Source: Sonatype)

Pytoileur was uploaded to the PyPi repository as an API management tool. The package’s metadata includes a ‘Cool package’ string, linking pytoileur to an ongoing campaign from 2023. While such packages are usually spread through typosquatting, actors leveraged Stack Overflow’s popularity and reach amongst global developers, posing as users answering open issues before promoting pytoileur as the solution.

The malicious package contains a ‘setup.py’ file with a base64 encoded command that is padded with spaces, making it difficult to detect unless users have word wrap enabled in the text editor. Once decoded, the command downloads and executes a file called runtime.exe – a Python program that steals passwords, cookies, credit cards, browser history, and other sensitive data from the user’s system. Harvested data is then sent back to the threat actor to be used for future compromise of affected account owners, or sold on dark markets.
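The padding trick described above is simple to catch mechanically. The following scanner is an added example (not code from the original article or from Sonatype): it flags any line of a setup.py where visible content is followed by a long run of spaces and then a hidden tail, decodes any base64 tokens in that tail, and raises severity when the tail or its decoded form contains keywords such as exec( or b64decode. The sample setup.py and the threshold of 40 spaces are constructed for the example; the hidden payload is a harmless print.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Added example (not from the original article or from Sonatype): a scanner for
# the obfuscation style described above, where a base64-encoded command is pushed
# off-screen behind a long run of spaces on an otherwise innocent-looking line.

PAD_THRESHOLD = 40   # constructed threshold: no hand-edited line carries this many mid-line spaces
PADDED_GAP = re.compile(r"\S( {%d,})\S" % PAD_THRESHOLD)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Keywords that, in the hidden tail or its decoded payload, raise severity.
SUSPICIOUS = ("exec(", "eval(", "b64decode", "urlopen", "subprocess", ".exe", "powershell")


@dataclass
class Finding:
    line_no: int
    pad_len: int       # number of spaces used to hide the tail
    tail: str          # the text that sits after the padding
    decoded: list      # UTF-8 text of any base64 tokens found in the tail
    severity: str      # "high" if a suspicious keyword was seen, else "medium"


def decode_b64_tokens(text):
    """Return decoded UTF-8 strings for every base64-looking token in text."""
    decoded = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        token += "=" * (-len(token) % 4)          # repair stripped '=' padding
        try:
            raw = base64.b64decode(token, validate=True)
            decoded.append(raw.decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue                              # an identifier, not real base64 text
    return decoded


def scan_setup_py(source):
    """Flag lines whose visible content is followed by padding and a hidden tail."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        gap = PADDED_GAP.search(line)
        if gap is None:
            continue                              # trailing whitespace alone is not a hit
        tail = line[gap.end(1):]
        decoded = decode_b64_tokens(tail)
        haystack = tail + "\n".join(decoded)
        severity = "high" if any(k in haystack for k in SUSPICIOUS) else "medium"
        findings.append(Finding(line_no, len(gap.group(1)), tail, decoded, severity))
    return findings


# Constructed sample in the shape the article describes; the hidden payload is a
# harmless print so the file is safe to keep as a test fixture.
HIDDEN = base64.b64encode(b"print('decoded')").decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='example', version='1.0.0')\n"
    "print('Cool package')" + " " * 300
    + f";exec(__import__('base64').b64decode('{HIDDEN}'))\n"
)
CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='example')   \n"


if __name__ == "__main__":
    for f in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {f.line_no}: {f.pad_len} spaces hide {f.tail!r} "
              f"-> decoded {f.decoded} [{f.severity}]")
```

Trailing whitespace is deliberately ignored: the gap must be followed by non-space content, so sloppy but honest files do not produce noise.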

The package had been downloaded 369 times as of this writing, before the malicious account was suspended from Stack Overflow. Though malicious PyPi packages are a recurring problem, threat actors masquerading as helpful users on question-and-answer forums is a novel technique. It underscores the evolving strategies of cybercriminals, who continue to leverage widely-trusted open-source platforms that support developers of all experience levels as a way to propagate malware.

Chained Detections | Revolutionizing Adaptive Threat Hunting

Chained detections is a new threat hunting paradigm aligned with the strategy of chaining interesting events to identify behavior patterns and augment threat attribution. Much like SentinelOne’s Storyline technology, which connects events from various sources to create a narrative of an attack, human threat hunters harness these capabilities to comprehensively grasp the potential impact of a threat actor.

This new methodology, unique to SentinelOne’s WatchTower services, incorporates proactive and sophisticated ways of uncovering and responding to complex threats. This blog is the second installment in our series showcasing today’s threat hunting infrastructures and explores how to further leverage Chained Detections to enhance an organization’s security posture through adaptive threat hunting. Read part one of the series here.

Understanding Chained Detections

One of the biggest challenges in threat hunting is that it operates primarily within the sphere of low and medium fidelity results. High fidelity detections can be easily converted into alerts, but others are subject to a mundane and time-consuming review, something only more senior analysts can do well. This can make threat hunting both a time-consuming and cost-prohibitive exercise for many organizations.

There have been many attempts to tackle this problem, including risk-based alerting, clustering, baselining, allowlisting and denylisting, data normalization, tokenization, and supporting the results with additional data enrichment strategies, but there is one more highly effective method out there. Chained detections execute a sequence of automated tasks triggered by an initial detection with the aim to triage and enrich telemetry data progressively.

Chained detections within the feedback loop

This approach helps to uncover and respond to complex threats without going down too many rabbit holes. Incorporating this new adaptive threat hunting methodology increases the effectiveness of any threat hunting program.

Initial Detection Trigger

The process begins with an initial detection, which could be based on various indicators such as anomalous behavior, known attack patterns, or suspicious activity in telemetry data. Due to the nature of the methodology, vague signals can also be used to execute the chain. For example, a file with a specific file name dropped anywhere on a system could act as a trigger.

Automated Triage

Once a detection is made, automated triage processes come into play. These processes aim to quickly assess the detection’s severity and relevance. Some basic steps in automated triage would include:

  • Contextual Enrichment – Gathering additional data and context around the event, such as user accounts, device information, or network traffic patterns.
  • Correlation – Determining if the event is part of a broader attack or a standalone incident by correlating it with other events that may have fired and are stored in a centralized logging backend.
  • Prioritization – Assigning a priority level to the event based on its perceived risk and potential impact to the organization before collecting more information.

Chaining Tasks

Depending on the outcome of the initial triage, additional automated tasks are triggered in a chained manner. These tasks are designed to gather more information, validate the detection, and potentially take predefined actions. Examples of chained tasks include:

  • Threat Intelligence Lookup – Querying threat intelligence feeds to check if the indicators associated with the event are known threats.
  • Isolation and Remediation – Isolating the affected system or network segment to prevent lateral movement by the attacker and initiating remediation actions, such as applying patches or disabling compromised accounts.

Data Collection

Gathering detailed information about the affected system may be necessary, such as running YARA rules and collecting memory dumps, process lists, or file system snapshots.

Decision Points, Human Intervention & Feedback Loops

At each stage of the chained detection process, decision points are established based on the findings. These decision points guide whether to continue with additional tasks, escalate the incident, or conclude the investigation.

While much of this process is automated, there is still a role for human intervention. Security analysts may be brought into the loop when certain thresholds are met or when the automated processes cannot make conclusive determinations.

Chained detections also incorporate a feedback loop for continuous improvement. Information gathered during investigations, including false positives and false negatives, is used to refine and enhance detection and response processes.

The chained detections approach for threat hunting is highly effective for dealing with advanced and evolving threats. It enables organizations to respond rapidly and systematically to security incidents, minimizing the impact and reducing the time to remediation. It also leverages automation to handle repetitive tasks, allowing security analysts to focus on complex investigations and strategic decision-making.

Case Study | Real-World Threat Hunting with SentinelOne’s WatchTower Team

A malicious hacker reaches out to a client, claiming they’ve infiltrated their CCTV system, and asks for compensation. The SentinelOne WatchTower team receives the call to help uncover the culprits behind the extortion attempt, the precise actions taken, the systems involved, and the exact timing of it all. First, the team deploys instrumentation where there has been a cybersecurity blackout: a significant number of systems with no detection and response tools installed. This is a digital detective game, and the main goal is to gain insight into every system-level and user-based move.

SentinelOne followed the below steps to effectively threat hunt and mitigate the threat:

  1. Scanning for initial indicators, the SentinelOne response team identified an initial detection in the EDR telemetry suggesting that malware payloads might be present on an endpoint.
  2. Although there were no malicious processes and the files had been deleted, the team was able to locate some low-frequency indicators. To build more context, the team turned to metadata collection leveraging YARA rules.
  3. This revealed definite artifacts of files that were once on the system: specifically, payloads which may have included remote access tools (RATs) such as njRAT and StRaXxXD, likely downloaded from Telegram.
  4. After backtracking the user’s activities, various RDP brute forcing tools such as NLA.Ckecker and NLBrute were identified as having been downloaded onto other systems.
  5. This activity strongly indicated potential Initial Access Broker activity: not just an average attacker, but a sophisticated criminal organization.

Initial Detection on Target Compromised System

Threat Hunting Details:

endpoint.name: xxxserver1
timestamp: <>
tgt.file.path:
  C:\Users\...\Downloads\nj-RAT.zip
  C:\Users\...\Downloads\Telegram Desktop\nj-RAT.zip
tgt.file.sha1: ed4f80…
src.process.user: xxxserver1\userA

The same user downloaded ddos.exe (alerted by SentinelOne upon agent installation on a different system):

timestamp: <>
tgt.file.path: C:\Users\...\Downloads\Telegram Desktop\ddos.exe
tgt.file.sha1: fddece…
src.process.user: xxxserver1\userA

Viewing event logs and correlating activity, the SentinelOne WatchTower team identified an active brute-force login attempt after finding numerous failed login attempts on xxxserver1. Upon checking the visible IP in the console, the team found it to be 10.x.x.x with an open RDP port 3389 accessible from the Internet. The team then pinpointed the machine that had been subjected to Remote Desktop Protocol (RDP) brute forcing and subsequently compromised to launch the attack.
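As an added illustration (not SentinelOne’s or WatchTower’s code), the following Python sketches the chain described in the methodology section above, driven by the kind of telemetry this case study shows: a deliberately vague trigger on an archive or executable dropped under Downloads, contextual enrichment from an asset inventory, correlation with failed logon events on the same endpoint, a chained threat-intel lookup, a decision point that escalates to an analyst, and a feedback-loop suppression. All events, inventory entries, intel entries, scores and thresholds are constructed; the sha1 prefixes ed4f80 and fddece are taken from the case study and padded to 40 characters.

```python
# Added illustration (not SentinelOne/WatchTower code): trigger -> triage -> chained task -> decision -> feedback.
from collections import Counter
from dataclasses import dataclass, field
import re

# Constructed EDR-style file events. The sha1 prefixes ed4f80/fddece come from the case
# study; the remaining characters are padding, not real hash values.
EVENTS = [
    {"type": "file_create", "endpoint": "xxxserver1", "user": r"xxxserver1\userA",
     "path": r"C:\Users\userA\Downloads\Telegram Desktop\nj-RAT.zip", "sha1": "ed4f80" + "0" * 34},
    {"type": "file_create", "endpoint": "xxxserver1", "user": r"xxxserver1\userA",
     "path": r"C:\Users\userA\Downloads\Telegram Desktop\ddos.exe", "sha1": "fddece" + "0" * 34},
    {"type": "file_create", "endpoint": "ws7", "user": r"ws7\bob",
     "path": r"C:\Users\bob\Downloads\setup.zip", "sha1": "b" * 40},
]
# Constructed Windows logon events (4625 = failure, 4624 = success) from the central log store.
LOGONS = [{"endpoint": "xxxserver1", "event_id": 4625, "src_ip": "10.0.0.5"}] * 12 + [
    {"endpoint": "xxxserver1", "event_id": 4624, "src_ip": "10.0.0.5"},
    {"endpoint": "ws7", "event_id": 4625, "src_ip": "10.0.0.9"},
]
INVENTORY = {"xxxserver1": {"role": "server", "rdp_exposed": True},
             "ws7": {"role": "workstation", "rdp_exposed": False}}
# Constructed threat-intel feed: tool-name pattern (names from the case study) and hash prefixes.
INTEL_NAMES = re.compile(r"(nj-?rat|nlbrute|nla\.ckecker|straxxxd)", re.I)
INTEL_HASHES = {"ed4f80": "njRAT", "fddece": "DDoS tool"}

TRIGGER = re.compile(r"\\Downloads\\.*\.(zip|exe|rar)$", re.I)  # deliberately vague signal
FAILED_LOGON_THRESHOLD = 10
ESCALATE_SCORE = 50


@dataclass
class Case:
    event: dict
    score: int = 0
    findings: list = field(default_factory=list)
    decision: str = "open"


def trigger(events):
    """Stage 1: low-fidelity trigger, any archive or executable dropped under Downloads."""
    return [Case(e) for e in events if e["type"] == "file_create" and TRIGGER.search(e["path"])]


def enrich(case):
    """Triage, contextual enrichment: what the asset inventory says about the host."""
    host = INVENTORY.get(case.event["endpoint"], {})
    case.findings.append(f"host role={host.get('role', 'unknown')} rdp_exposed={host.get('rdp_exposed')}")
    if host.get("rdp_exposed"):
        case.score += 20


def correlate(case, logons):
    """Triage, correlation: a burst of failed logons on the same endpoint suggests brute forcing."""
    fails = Counter(ev["src_ip"] for ev in logons
                    if ev["endpoint"] == case.event["endpoint"] and ev["event_id"] == 4625)
    for ip, n in fails.items():
        if n >= FAILED_LOGON_THRESHOLD:
            case.findings.append(f"{n} failed logons from {ip} (possible RDP brute force)")
            case.score += 30
            # A success from the same source after the burst suggests the brute force worked.
            if any(ev["src_ip"] == ip and ev["event_id"] == 4624 for ev in logons):
                case.findings.append(f"successful logon from {ip} after the failures")
                case.score += 30


def intel_lookup(case):
    """Chained task: threat-intel lookup on file name and hash."""
    if INTEL_NAMES.search(case.event["path"]):
        case.findings.append("file name matches a known tool")
        case.score += 25
    tag = INTEL_HASHES.get(case.event["sha1"][:6])
    if tag:
        case.findings.append(f"hash matches intel: {tag}")
        case.score += 40


def decide(case):
    """Decision point: escalate to an analyst, keep watching, or close."""
    if case.score >= ESCALATE_SCORE:
        case.decision = "escalate_to_analyst"
    else:
        case.decision = "closed_benign" if case.score == 0 else "monitor"


def run_chain(events=EVENTS, logons=LOGONS, suppressed=frozenset()):
    """Run the chain; `suppressed` holds hash prefixes the feedback loop marked as false positives."""
    results = []
    for case in trigger(events):
        if case.event["sha1"][:6] in suppressed:
            case.decision = "closed_known_fp"
        else:
            enrich(case)
            correlate(case, logons)
            if case.score > 0:  # keep chaining only when triage found something worth the effort
                intel_lookup(case)
            decide(case)
        results.append(case)
    return results


def feedback(results, analyst_verdicts):
    """Feedback loop: analyst 'false_positive' verdicts become suppressions for the next run."""
    return {c.event["sha1"][:6] for c in results
            if analyst_verdicts.get(c.event["sha1"][:6]) == "false_positive"}
```

Running `run_chain()` escalates the two xxxserver1 drops (exposed RDP, a burst of failures followed by a success, and intel hits) while the ws7 drop closes as benign after triage alone, so the intel lookup is never spent on it.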

Selecting and running a brute force attack with NLBrute

Remote Desktop Protocol (RDP), developed by Microsoft, provides a convenient way to access IT systems remotely and is widely used across client environments. However, it also poses significant risks if not properly configured. Attackers often target exposed RDP services, attempting brute force attacks on usernames and passwords. If successful, they can gain a foothold in the victim’s network.

Notable items detected by threat hunters:

  • …\Downloads\StRaXxXD.zip  62a861056f35fd8cb754672080b0eeb8faae806d
  • …\Telegram Desktop\NLBrute (RDP brute forcing tool)
  • …\Telegram Desktop\IN_ip_ranges.txt, ip.txt (possible enumeration)
  • …\Telegram Desktop\سنگین بدبویTXT.txt
  • …\Telegram Desktop\@Delta_Package pentest network xxx.part3.rar
  • …\Telegram Desktop\2.rar
  • …\Telegram Desktop\ip.txt
  • …\Telegram Desktop\india test.txt
  • …\Telegram Desktop\dork for mahdi.txt
  • …\Telegram Desktop\@Delta_Package pentest network xxx.part6.rar
  • …\Telegram Desktop\Linux 1,2.rar
  • …\Telegram Desktop\Work With Dorks [DORKs Generator] By JohnDoe v.2.1.rar

Targeting Domains with Google Dorks

  • …\Telegram Desktop\ep1.rar
  • …\Telegram Desktop\4.rar
  • …\Telegram Desktop\NLBrute (2).rar
  • …\Telegram Desktop\Cracker (1).exe  756280…
  • …\Telegram Desktop\NLA.Ckecker.zip  dddbd…
  • …\Telegram Desktop\SQLi Dumper V10.3.zip  f00d9…
  • …\Telegram Desktop\NLA.Ckecker (2).zip  dddbd…
  • …\Telegram Desktop\ready.apk  b78812…

Summary of Further Analysis

Swift action by the SentinelOne WatchTower team prompted the client to pull the plug on their server after receiving the details of the compromise. After a thorough investigation, the team advocated for closing unused RDP ports and for installing security tools for threat detection and prevention on every system. The team also recommended implementing multi-factor authentication (MFA) for every system accessible from the Internet as a best practice.

Conclusion

Threat hunting continues to face significant challenges, particularly in navigating the realm of low- and medium-fidelity results. This dilemma often translates into a cumbersome and time-consuming review process reserved for seasoned analysts, making threat hunting both costly and impractical for many organizations. Chained detections represent a proactive and sophisticated methodology that revolutionizes threat hunting by streamlining the investigative process, avoiding unnecessary tangents, and focusing resources where they matter most. By incorporating automated triage and external tasks and establishing decision points, organizations can swiftly uncover and respond to complex threats with precision and agility.

The chained detections approach supports a symbiotic relationship between automation and human intervention, harnessing the power of technology to handle repetitive tasks while empowering security analysts to tackle intricate investigations and strategic decision-making. The integration of a feedback loop ensures continuous improvement, refining detection and response processes based on real-world insights gathered during threat hunts and cyber investigations.

For organizations seeking to fortify their cybersecurity posture and elevate their threat hunting capabilities, embracing the chained detections methodology is not merely an option but a necessity in today’s threat landscape. By leveraging a combination of automation, intelligence and human expertise, organizations can effectively combat advanced and evolving threats, minimize the impact of security incidents, and accelerate the path to remediation.

Learn More About SentinelOne’s WatchTower

For enterprises looking for a threat hunting partner to help them implement a robust methodology and stand up to emergent threats, SentinelOne’s WatchTower provides threat hunting experts equipped with the latest threat intelligence powered by artificial intelligence (AI) and machine learning (ML) algorithms.

Today, customers can use WatchTower to achieve real-time and retroactive detections of anomalous activity across their enterprise to proactively address evolving threats and strengthen their security posture. Learn more about what WatchTower can do for your enterprise by requesting a demo.

‘Operation Endgame’ Hits Malware Delivery Platforms

Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. Dubbed “the largest ever operation against botnets,” the international effort is being billed as the opening salvo in an ongoing campaign targeting advanced malware “droppers” or “loaders” like IcedID, Smokeloader and Trickbot.

A frame from one of three animated videos released today in connection with Operation Endgame.

Operation Endgame targets the cybercrime ecosystem supporting droppers/loaders, slang terms used to describe tiny, custom-made programs designed to surreptitiously install malware onto a target system. Droppers are typically used in the initial stages of a breach, and they allow cybercriminals to bypass security measures and deploy additional harmful programs, including viruses, ransomware, or spyware.

Droppers like IcedID are most often deployed through email attachments, hacked websites, or bundled with legitimate software. For example, cybercriminals have long used paid ads on Google to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader and Discord. In those cases, the dropper is the hidden component bundled with the legitimate software that quietly loads malware onto the user’s system.

Droppers remain such a critical, human-intensive component of nearly all major cybercrime enterprises that the most popular have turned into full-fledged cybercrime services of their own. By targeting the individuals who develop and maintain dropper services and their supporting infrastructure, authorities are hoping to disrupt multiple cybercriminal operations simultaneously.

According to a statement from the European police agency Europol, between May 27 and May 29, 2024, authorities arrested four suspects (one in Armenia and three in Ukraine), and disrupted or took down more than 100 Internet servers in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States and Ukraine. Authorities say they also seized more than 2,000 domain names that supported dropper infrastructure online.

In addition, Europol released information on eight fugitives suspected of involvement in dropper services and who are wanted by Germany; their names and photos were added to Europol’s “Most Wanted” list on 30 May 2024.

A “wanted” poster including the names and photos of eight suspects wanted by Germany and now on Europol’s “Most Wanted” list.

“It has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware,” Europol wrote. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.”

There have been numerous such coordinated malware takedown efforts in the past, and yet often the substantial amount of coordination required between law enforcement agencies and cybersecurity firms involved is not sustained after the initial disruption and/or arrests.

But a new website erected to detail today’s action — operation-endgame.com — makes the case that this time is different, and that more takedowns and arrests are coming. “Operation Endgame does not end today,” the site promises. “New actions will be announced on this website.”

A message on operation-endgame.com promises more law enforcement and disruption actions.

Perhaps in recognition that many of today’s top cybercriminals reside in countries that are effectively beyond the reach of international law enforcement, actions like Operation Endgame seem increasingly focused on mind games — i.e., trolling the hackers.

Writing in this month’s issue of Wired, Matt Burgess makes the case that Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem.

“These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched,” Burgess wrote.

When authorities in the U.S. and U.K. announced in February 2024 that they’d infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim shaming website to link instead to press releases about the takedown, and included a countdown timer that was eventually replaced with the personal details of LockBit’s alleged leader.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

The Operation Endgame website also includes a countdown timer, which serves to tease the release of several animated videos that mimic the same sort of flashy, short advertisements that established cybercriminals often produce to promote their services online. At least two of the videos include a substantial amount of text written in Russian.

The coordinated takedown comes on the heels of another law enforcement action this week against what the director of the FBI called “likely the world’s largest botnet ever.” On Wednesday the U.S. Department of Justice (DOJ) announced the arrest of YunHe Wang, the alleged operator of the ten-year-old online anonymity service 911 S5. The government also seized 911 S5’s domains and online infrastructure, which allegedly turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

Partnering for Success | A Q&A with Brian Lanigan, SVP of Partner Ecosystem, SentinelOne

As a partner-driven organization, SentinelOne recognizes the critical role that partners play in securing our digital world. Partners are instrumental in helping customers understand how to break through the noise and recommending the best solutions to help solve their toughest security challenges, and businesses are increasingly turning to managed security to elevate protection, address cybersecurity talent shortages and better align cost structures. SentinelOne has a robust and powerful partner ecosystem that is a key differentiator for us, spanning MSSPs, incident response providers, and other strategic partners. We have a massive opportunity to expand our business and execute our mission to secure tomorrow.

Two months ago, we brought in Brian Lanigan, a seasoned leader with proven experience building and managing global sales teams that consistently over-achieve, to help us capitalize on this opportunity. He’s wasted no time putting the pieces in place to create a better experience and stronger engagement with partners across our ecosystem that drives our mutual success. We sat down with Brian to talk about his plans.

Welcome Brian Lanigan, SVP of Partner Ecosystem, SentinelOne

Brian joined us from Lacework, where he was the Worldwide Channels and Alliances leader, evolving the predominantly direct model to an 85 percent partner-aligned business. He helped establish Lacework as a top 20 AWS partner and the Cloud Security offering for six of the top eight MDR providers.

Prior to Lacework, Brian served as the head of global strategic alliances at Splunk, where he helped build the partner ecosystem as the business scaled from $200 million to $2.6 billion and led the teams that built:

  • The MSP RTM, leading to a $150 million ARR business
  • The GSI partner ecosystem, establishing the Accenture-Splunk business group
  • The AWS partnership, accelerating Splunk to a top five AWS Partner
  • The OEM business, establishing Splunk as the core data collection engine to many leading independent software vendors

What drew you to SentinelOne?

SentinelOne has a clear vision that meets the moment: Secure every surface, every minute of every day. It has the best technology in the industry to make it a reality. That was the first draw. The second was the sheer opportunity for both the company and its partners. The market for AI security services is massive and ripe for disruption. Together with our partners, we can move from securing endpoints and delivering MDR, into full business protection, across all security products leveraging our multi-tenanted data lake and Purple AI technology to manage across silos.

How will you do this?

Superior technology is the foundation of how we help our partners and customers build more resilient enterprises, and we will continue to invest in innovation that enables them to scale and remain ahead of adversaries now and into the future.

We just announced new capabilities within our Singularity Platform designed to democratize advanced cybersecurity operations through AI and automation. At the heart of these capabilities is Purple AI. Beyond a chatbot or virtual assistant, Purple AI is an advanced AI security solution that not only creates complex data queries from natural language, but anticipates what security analysts need to do and recommends next steps. It is the only Sec AI offering that is multi-tenanted and can be used horizontally across multiple sites, and we will leverage it to help our partners accelerate and scale their current services with hyper efficiency.

Cloud security is an important and growing part of our business and that of our partners, and we’re doubling down on investment to expand our capabilities in this area as well, as evidenced by our recent launch of Singularity Cloud Native Security, which, when combined with our AI-powered Cloud Workload Security and Cloud Data Security threat protection products, delivers visibility and mitigation capabilities in a single cloud security platform.

SentinelOne has evolved from an endpoint company to a platform. How is our go-to-market strategy evolving to accommodate this shift?

Point solutions are falling out of favor. Customers are seeking to consolidate not only their security vendors, but also their security consoles and data in order to gain a unified view of the enterprise security landscape.

Enterprises need a specialized security approach centered on all enterprise data to prevent attacks. This is where SentinelOne stands out. Disjointed platforms do not result in better protection. Bigger brands do not mean better security. SentinelOne is a true, unified AI security platform that seamlessly aggregates and connects data from all security products in a single streamlined technology and interface, and we make it easy for our partners to build on top of it to expand their offerings and unlock new opportunities in huge total addressable markets.

How are you aligning your organization to capitalize on these opportunities?

Our partner ecosystem is second-to-none and we are constantly adapting our organization to ensure we are creating a world-class experience for our partners that fuels their success, because at the end of the day, their success is our success. We’re focused on embracing the totality of the SentinelOne ecosystem in a harmonized manner – from value added resellers, distributors, systems integrators and cloud service providers to IR and technical alliance partners, MSSPs and MDRs.

We are investing in the partners that invest with us, focusing on those that have the joint vision to deliver outcomes for our customers. Further, we’re creating a sales culture that recognizes that many different partner types can be influential in a given account, rather than just simply the transacting partner(s). We’re helping our partners build and maintain successful and profitable lines of business centered around SentinelOne and we’re appointing proven leaders with experience in growth at scale to guide our team to its full potential.

Is Your Computer Part of ‘The Largest Botnet Ever?’

The U.S. Department of Justice (DOJ) today said they arrested the alleged operator of 911 S5, a ten-year-old online anonymity service that was powered by what the director of the FBI called “likely the world’s largest botnet ever.” The arrest coincided with the seizure of the 911 S5 website and supporting infrastructure, which the government says turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

The Cloud Router homepage, which was seized by the FBI this past weekend. Cloud Router was previously called 911 S5.

On May 24, authorities in Singapore arrested the alleged creator and operator of 911 S5, a 35-year-old Chinese national named YunHe Wang. In a statement on his arrest today, the DOJ said 911 S5 enabled cybercriminals to bypass financial fraud detection systems and steal billions of dollars from financial institutions, credit card issuers, and federal lending programs.

For example, the government estimates that 560,000 fraudulent unemployment insurance claims originated from compromised Internet addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion.

“Additionally, in evaluating suspected fraud loss to the Economic Injury Disaster Loan (EIDL) program, the United States estimates that more than 47,000 EIDL applications originated from IP addresses compromised by 911 S5,” the DOJ wrote. “Millions of dollars more were similarly identified by financial institutions in the United States as loss originating from IP addresses compromised by 911 S5.”

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States.

911 S5 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

The prices page for 911 S5, circa July 2022. $28 would let users cycle through 150 proxies on this popular service.

KrebsOnSecurity first identified Mr. Wang as the proprietor of the popular service in a deep dive on 911 S5 published in July 2022. That story showed that 911 S5 had a history of paying people to install its software by secretly bundling it with other software — including fake security updates for common programs like Flash Player, and “cracked” or pirated commercial software distributed on file-sharing networks.

Ten days later, 911 S5 closed up shop, claiming it had been hacked. But experts soon tracked the reemergence of the proxy network by another name: Cloud Router.

The announcement of Wang’s arrest came less than 24 hours after the U.S. Department of the Treasury sanctioned Wang and two associates, as well as several companies the men allegedly used to launder the nearly $100 million in proceeds from 911 S5 and Cloud Router customers.

Cloud Router’s homepage now features a notice saying the domain has been seized by the U.S. government. In addition, the DOJ says it worked with authorities in Singapore, Thailand and Germany to search residences tied to the defendant, and seized approximately $30 million in assets.

The Cloud Router homepage now features a seizure notice from the FBI in multiple languages.

Those assets included a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, and 21 residential or investment properties.

The government says Wang is charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, he faces a maximum penalty of 65 years in prison.

Brett Leatherman, deputy assistant director of the FBI’s Cyber Division, said the DOJ is working with the Singaporean government on extraditing Wang to face charges in the United States.

Leatherman encouraged Internet users to visit a new FBI webpage that can help people determine whether their computers may be part of the 911 S5 botnet, which the government says spanned more than 19 million individual computers in at least 190 countries.

Leatherman said 911 S5 and Cloud Router used several “free VPN” brands to lure consumers into installing the proxy service, including MaskVPN, DewVPN, PaladinVPN, Proxygate, Shield VPN, and ShineVPN.

“American citizens who didn’t know that their IP space was being utilized to attack US businesses or defraud the U.S. government, they were unaware,” Leatherman said. “But these kind of operations breed that awareness.”

Treasury Sanctions Creators of 911 S5 Proxy Botnet

The U.S. Department of the Treasury today unveiled sanctions against three Chinese nationals for allegedly operating 911 S5, an online anonymity service that for many years was the easiest and cheapest way to route one’s Web traffic through malware-infected computers around the globe. KrebsOnSecurity identified one of the three men in a July 2022 investigation into 911 S5, which was massively hacked and then closed ten days later.

The 911 S5 botnet-powered proxy service, circa July 2022.

From 2015 to July 2022, 911 S5 sold access to hundreds of thousands of Microsoft Windows computers daily, as “proxies” that allowed customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States.

911 built its proxy network mainly by offering “free” virtual private networking (VPN) services. 911’s VPN performed largely as advertised for the user — allowing them to surf the web anonymously — but it also quietly turned the user’s computer into a traffic relay for paying 911 S5 customers.

911 S5’s reliability and extremely low prices quickly made it one of the most popular services among denizens of the cybercrime underground, and the service became almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose stolen credit card is about to be used, or whose bank account is about to be emptied.

In July 2022, KrebsOnSecurity published a deep dive into 911 S5, which found the people operating this business had a history of encouraging the installation of their proxy malware by any means available. That included paying affiliates to distribute their proxy software by secretly bundling it with other software.

A cached copy of flashupdate dot net, a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.

That story named Yunhe Wang from Beijing as the apparent owner or manager of the 911 S5 proxy service. In today’s Treasury action, Mr. Wang was named as the primary administrator of the botnet that powered 911 S5.

“A review of records from network infrastructure service providers known to be utilized by 911 S5 and two Virtual Private Networks (VPNs) specific to the botnet operation (MaskVPN and DewVPN) showed Yunhe Wang as the registered subscriber to those providers’ services,” reads the Treasury announcement.

The sanctions say Jingping Liu was Yunhe Wang’s co-conspirator in the laundering of criminally derived proceeds generated from 911 S5, mainly virtual currency. The government alleges the virtual currencies paid by 911 S5 users were converted into U.S. dollars using over-the-counter vendors who wired and deposited funds into bank accounts held by Liu.

“Jingping Liu assisted Yunhe Wang by laundering criminally derived proceeds through bank accounts held in her name that were then utilized to purchase luxury real estate properties for Yunhe Wang,” the document continues. “These individuals leveraged their malicious botnet technology to compromise personal devices, enabling cybercriminals to fraudulently secure economic assistance intended for those in need and to terrorize our citizens with bomb threats.”

The third man sanctioned is Yanni Zheng, a Chinese national the U.S. Treasury says acted as an attorney for Wang and his firm — Spicy Code Company Limited — and helped to launder proceeds from the business into real estate holdings. Spicy Code Company was also sanctioned, as well as Wang-controlled properties Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited.

Ten days after the July 2022 story here on 911 S5, the proxy network abruptly closed up shop, citing a data breach that destroyed key components of its business operations.

In the months that followed, however, 911 S5 would resurrect itself under a different name: Cloud Router. That’s according to spur.us, a U.S.-based startup that tracks proxy and VPN services. In February 2024, Spur published research showing the Cloud Router operators reused many of the same components from 911 S5, making it relatively simple to draw a connection between the two.

The Cloud Router homepage, which according to Spur has been unreachable since this past weekend.

Spur found that Cloud Router was being powered by a new VPN service called PaladinVPN, which made it much more explicit to users that their Internet connections were going to be used to relay traffic for others. At the time, Spur found Cloud Router had more than 140,000 Internet addresses for rent.

Spur co-founder Riley Kilmer said Cloud Router appears to have suspended or ceased operations sometime this past weekend. Kilmer said the number of proxies advertised by the service had been trending downwards quite recently before the website suddenly went offline.

Cloud Router’s homepage is currently populated by a message from Cloudflare saying the site’s domain name servers are pointing to a “prohibited IP.”

PinnacleOne ExecBrief | The Digital Great Game in the Middle East – AI, Nuclear Energy, and Geopolitical Competition

Last week, PinnacleOne examined the convergence of AI and foreign malign influence efforts on the 2024 year of global elections.

This week, we dive into the new great game emerging in the Middle East over AI, nuclear, and other critical tech.


Insight Focus | The Digital Great Game in the Middle East – AI, Nuclear Energy, and Geopolitical Competition

The United Arab Emirates (UAE) and Saudi Arabia (KSA) are making bold moves in artificial intelligence (AI) and nuclear energy, using their deep pockets to diversify their economies and increase their geopolitical influence. As Sheikh Tahnoon bin Zayed Al Nahyan and Crown Prince Mohammed bin Salman write eye-popping checks and cut strategic tech deals, the West is taking notice and weighing the risks.

The Gulf States’ Trillion-Dollar Tech Play

The UAE and KSA are going all-in on AI and nuclear power (among other strategic industries like smart cities, synthetic biology, and space). Abu Dhabi’s sovereign wealth funds and state-owned enterprises, armed with over $2 trillion in assets, are hunting for cutting-edge tech, increasingly securing pole position in the funding rounds for emerging unicorns and snapping up large portions of the capital stack in leading western tech start-ups. The Abu Dhabi Investment Authority ($993B), Mubadala ($139B), and G42 ($10B) are leading the pack.

The Emirates recently launched a $100 billion AI-focused investment vehicle called MGX, with Mubadala and G42 as foundational partners. The focus of the fund is AI infrastructure, semiconductors, and AI core tech and applications, and will invest in data centers, fiber connections, chip design and manufacturing, frontier models, applications, data, biotech, and robotics.

As Bloomberg recently wrote, Sheikh Tahnoon bin Zayed Al Nahyan’s “conglomerate International Holding Co., or IHC, has investments in everything from Rihanna’s lingerie line to Elon Musk’s SpaceX… is up more than 400-fold since 2019…IHC also makes money from trading on the very exchange where it’s listed. It owns the Abu Dhabi stock exchange’s most active broker. Meanwhile, the emirate’s ADQ fund, which Sheikh Tahnoon chairs, oversees the exchange itself…It’s as if one man directed the New York Stock Exchange as well as two-thirds of the companies in the S&P 500 stock index.”


Source: Bloomberg

The Barakah nuclear plant, with its four reactors churning out 5,600MW, is set to power 25% of Abu Dhabi. But the UAE isn’t stopping there – it’s eyeing a spot on the global nuclear stage as an investor and developer, eager to partner with both west and east (including Russia) to pursue its strategic ambitions.

Meanwhile, Saudi Arabia’s $620B Public Investment Fund is eyeing a massive $40B AI fund with Silicon Valley heavyweight Andreessen Horowitz. Nuclear energy is also on the table, as the kingdom looks to diversify and counter Iran, as part of the fraught US-brokered diplomatic grand bargain with Israel (in a tenuous position now given the Gaza conflict).

High-Stakes Partnerships

The Gulf states are forging high-stakes partnerships with Western tech titans and governments. For example, Microsoft’s $1.5B investment in UAE’s G42 comes with strings attached – G42 must use Microsoft’s cloud and play by security rules. However, many of these security arrangements “remain to be worked out, including how to protect AI model weights, which… currently cannot be encrypted while in use… and [the] technical approaches for doing so remain at least a year away.”

Microsoft has “considered several alternative options to protect its technology, including a ‘vault within a vault’ that would involve physically separating parts of data centers where AI chips and model weights are housed and restricting physical access.” It remains to be seen how this arrangement will evolve as lawmakers and Microsoft’s customers continue to ask questions about the security controls.

France is also opening its doors to Emirati nuclear and AI investments, with Finance Minister Bruno Le Maire rolling out the red carpet for senior-level meetings, “adding that Paris wanted to work closely with Abu Dhabi on semiconductors and computer chip capabilities.”

It should be noted that Mubadala is the majority shareholder in chipmaker GlobalFoundries, which is building a semiconductor facility in France with STMicroelectronics. France is now looking to jointly invest with the UAE in “cloud computing and data processing and that the strategic partnership would see more scientists and researchers at the Abu Dhabi campus of the Paris Sorbonne.”

For the West, it’s a tempting proposition: access to the Gulf’s deep pockets and booming digital markets, along with a chance to outmaneuver China. But the risks are real. Sensitive tech and know-how could slip through the cracks, and the western tech and innovation ecosystem may find itself strategically dependent on investment flows from an authoritarian partner known to be geopolitically promiscuous.

Balancing Act with Beijing

As the U.S. and China jockey for tech supremacy, the Gulf states are walking a tightrope. They’re courting American giants like Microsoft, but also keeping lines open to Beijing. Case in point: Saudi Arabia’s finance minister, Mohammed Al-Jadaan, just wrapped up high-level talks in China, focused on economic collaboration. The meeting, which brought together heavy hitters from the Saudi Central Bank, Capital Market Authority, and National Development Fund, underscores the kingdom’s delicate balancing act.

The West is watching warily. The Microsoft-G42 deal is an explicit attempt to box out China, but will it work? The tangled web of interests and alliances in the region makes it an ambiguous and ever-shifting affair. As the Gulf states push more “chips” onto the geopolitical table, they’re likely to keep playing both sides, seeking to maximize their own interests and extract concessions from western firms looking to do politically favored deals.

The G42-Microsoft Kenya Deal | A Case Study in Digital Sovereignty

The recent $1B investment by G42 and Microsoft in Kenya’s digital infrastructure is a prime example of the tech competition unfolding in the Global South. The deal, which includes a green data center, AI research, skills training, and connectivity investments, is being touted as a milestone in Kenya’s digital transformation.

Beneath the surface, though, thorny questions of digital sovereignty and network competition loom large. The involvement of unnamed “UAE ecosystem partners” in Kenya’s fiber cable infrastructure raises eyebrows. Will these be U.S.-aligned firms, cementing Kenya’s place in the Western tech sphere? Or will Chinese players sneak in, tilting the balance of surveillance and digital economic power?

The answers could have far-reaching implications. As countries like Kenya become battlegrounds in the global AI and digital infrastructure race, their choices about tech partners and standards will shape the geoeconomic and technological map. The G42-Microsoft deal is a test case, a preview of the complex trade-offs and power plays that will define the digital future.

Navigating the AI-Nuclear Nexus

For the West, the Gulf states’ AI and nuclear ambitions are a strategic contest. The prize: a slice of the region’s riches and a tech edge over China. The price: sharing sensitive tech with opaque, autocratic regimes.

To play this game and win, the West needs to strike a delicate balance. Robust safeguards and constant vigilance are a must to keep cutting-edge capabilities in AI, semiconductors, and nuclear tech from falling into the wrong hands. Data access, tech leakage, and research collaboration all need tight controls.

Equally important is a coherent, values-driven strategy. Engaging with the Gulf states can’t just be about chasing short-term profits or geopolitical points. It needs to align with the West’s long-term interests and principles. That means tough conversations about human rights, transparency, and responsible tech stewardship.

Conclusion

The Gulf states are making a trillion-dollar gambit on an AI and nuclear-powered future. For the West, it’s an opportunity and a risk. Navigating this landscape will require a deft touch, balancing short-term gains with long-term strategic imperatives.

As Saudi and Emirati money pours into AI labs, venture ecosystems, and nuclear reactors, and cutting-edge chips and algorithms flow back in return, the stakes couldn’t be higher. The choices made now – in boardrooms from Silicon Valley to Riyadh, in the government corridors from Washington to Abu Dhabi – will shape the global balance of power.

The challenge for the West is to engage with eyes wide open, to seize the moment while safeguarding its crown jewels. It must be a partner to the Gulf states, but also a principled leader, setting the rules of the road for an AI-enabled, nuclear-powered world. Only then can it hope to emerge as a true victor in the age of algorithms and atoms. The new Digital Great Game is on.