The retail sector, a cornerstone of the global economy, has faced an unprecedented wave of cyberattacks in recent years. Innovations in e-commerce and payment technology have transformed the way consumers shop, but it has also opened up new avenues for cyber threats.

The consequences of these attacks can reach far beyond the immediate financial losses. Customer trust and brand reputation – some of a retailer’s most valuable assets – are on the line to be irrevocably damaged. In an effort to protect customer and payment card data, retailers also have to abide by strict regulatory requirements, which have added another element to managing modern cyber risks.

This blog post explores how cybercriminals target this lucrative sector, the security challenges retailers face, and key strategies businesses can adopt to protect themselves and their customers from advancing threats.

A Decade of Growing Attacks On The Retail Sector

Over the past decade, the nature of cyber threats targeting the retail sector has evolved. What once consisted of relatively simple scams and basic phishing attempts has now grown into a much more sophisticated landscape fraught with ransomware, extortion, and attacks on software supply chains. Cybercriminals have also adapted their strategies to exploit the ever-expanding digital footprint of retailers.

The brief timeline of cyberattacks on global retailers below shows the growing interest cyber threat actors have for this major sector.

• Target (2013) – Cybercriminals breached Target’s network during the Christmas shopping season, stealing sensitive data from approximately 40 million debit and credit card accounts and personal information of an additional 70 million customers. Attackers gained access through a third-party HVAC vendor’s compromised credentials, highlighting the vulnerability of supply chain connections. Once inside, they installed malware on Target’s point-of-sale systems, allowing them to harvest payment card data as customers made purchases.
• eBay (2014) – eBay, one of the world’s largest online marketplaces, fell victim to a significant cyberattack that exposed the personal information of approximately 145 million users, making it one of the largest data breaches at the time. Cybercriminals gained access to a small number of eBay employee credentials, which allowed them to infiltrate the company’s corporate network. Once inside, they managed to access a database containing user information, including names, addresses, email addresses, and encrypted passwords.
• Home Depot (2014) – Known as one of the largest home improvement retailers in North America, Home Depot fell victim to a massive cyberattack that compromised the credit and debit card information of approximately 56 million customers as well as exposing approximately 53 million customer email addresses. The breach occurred when cybercriminals exploited a third-party vendor’s login credentials to gain unauthorized access to the retailer’s network. Once inside, they deployed malware on the retailer’s point-of-sale (POS) systems, enabling them to steal payment card data during transactions.
• Costco (2015) – The popular wholesale retail giant faced a notable attack wherein threat actors breached Costco’s photo website and compromised the personal information of around 58,000 customers. This breach exposed customer names, addresses, and in some cases, sensitive payment card information.
• Saks Fifth Avenue / Lord & Taylor (2018) – The two luxury department store chains were hit by a major cyberattack orchestrated by a group of cybercriminals known as JokerStash, or Fin7. The attack exposed sensitive information belonging to nearly 5 million customers. The attackers infiltrated the stores’ payment processing systems through a phishing campaign, allowing them to steal vast amounts of customer payment card data. The breach was extensive, impacting customers who had shopped at these retailers between May 2017 and April 2018.
• Under Armor (2018) – The sportswear and athletic apparel manufacturer experienced a cyberattack that raised concerns about the protection of customer information. While the breach didn’t expose financial data or payment information, it did affect millions of user accounts on the company’s popular fitness tracking app, MyFitnessPal. The attack resulted in unauthorized access to user data, including usernames, email addresses, and hashed passwords.
• Ikea (2021) – Globally recognized furniture and home goods retailer faced a cyberattack that targeted one of its subsidiaries, TaskRabbit. TaskRabbit is an online platform that connects customers with freelance labor for various tasks and services. The cyberattack temporarily disrupted TaskRabbit’s operations, impacting its website and mobile app. In response, Ikea promptly shut down the platform while they investigated the breach and took steps to secure customer data.
• Sobeys (2022) – Sobeys, one of Canada’s largest supermarket chains, fell victim to an attack that disrupted its operations and impacted the company’s ability to process transactions. This led to in-store payment processing issues, causing disruptions for both customers and employees. The total amount of losses from the attack was reportedly $25 million in annual net earnings.
• Indigo (2023) – One of Canada’s largest book retailers, Indigo, faced a ransomware event that disrupted their operations and booted payment systems offline, including its e-commerce platform and customer databases. The attack has since been claimed by notorious threat group, LockBit, and confirmed the theft of current and former employee data.
• Hot Topic (2023) – Using credential stuffing tactics, cybercriminals breached the systems of popular alternative fashion retailer, Hot Topic. During the attack, the criminals exploited the reuse of usernames and passwords across different online services, attempting to gain unauthorized access to Hot Topic customer accounts. Any customers who had reused passwords were at risk, as their accounts were vulnerable to unauthorized access.

A Catalog of Cyber Threats Faced by Retailers

Retailers these days grapple with a wide variety of threats, including ransomware, phishing scams, point-of-sale (POS) system breaches, supply chain attacks, and even insider threats.

• Ransomware with Double & Triple Extortion – Ransomware attacks can disrupt retailer operations due to service outages caused by encrypted data. In double extortion attacks, cybercriminals additionally steal sensitive data before encrypting it. They then threaten to release this stolen data publicly unless a ransom is paid. Triple extortion takes this one step further with threats to launch distributed denial-of-service (DDoS) attacks against the victim if the ransom demand is not met.
• Supply Chain Attacks – Threat actors target third-party suppliers to infiltrate a retailer’s network, compromising data and operations.
• Insider Threats – Malicious employees or partners can intentionally harm retailers by leaking sensitive data, sabotaging systems, or assisting external attackers.
• Bot Attacks – Bot attacks deploy automated software programs to mimic human behavior, overwhelming websites and disrupting online operations. These malicious bots can scrape prices, abuse promotional offers, and complete fraudulent transactions.
• POS Malware – Point-of-sale (POS) malware compromises POS terminals to steal payment card data during the transaction process.
• Mobile Purchase, In-Store Payment Scams – Cyber criminals exploit mobile apps for fraudulent in-store purchases, often using stolen payment details to make unauthorized transactions.
• Buy Online, Pick Up In-Store Scams – Threat actors manipulate the “buy online, pick up in store” system to collect orders without payment, relying on forged confirmations or identity theft.
• “Add New Payment” Scams – Scammers trick users into adding fraudulent payment methods to online retail accounts, enabling unauthorized transactions.
• Gift Card Fraud – Cybercriminals exploit vulnerabilities in gift card systems, often through brute force attacks or by compromising legitimate gift cards with stolen funds. These attackers manipulate gift card balances, rendering them worthless or transferring funds to their own accounts.

How PCI-DSS Sets Retailers Up For Success

The Payment Card Industry Data Security Standard (PCI-DSS) is a comprehensive set of security standards designed to safeguard the sensitive payment card data of customers during transactions. Developed by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB, PCI-DSS is crucial for any retailers that handle payment card information. PCI-DSS compliance helps retailers create a secure environment for processing payments. With the right controls in place, it helps reduce the risk of costly data breaches, regulatory penalties, and brand damage.

Some key ways in which PCI-DSS supports retailers’ cybersecurity efforts include:

• Data Encryption – PCI-DSS mandates the encryption of cardholder data during transmission and when stored on servers or other devices. This encryption ensures that even if cybercriminals breach the system, the stolen data remains unreadable and unusable.
• Regular Security Assessments – Retailers are required to conduct regular security assessments and vulnerability scans to identify and address potential weaknesses in their payment card systems. This proactive approach helps in detecting and mitigating vulnerabilities before they can be exploited by attackers.
• Access Control – PCI-DSS emphasizes strict access control measures, ensuring that only authorized personnel have access to sensitive payment card data. This reduces the risk of insider threats and unauthorized access.
• Network Security – Retailers must maintain robust network security measures, such as firewalls, intrusion detection systems, and regular security testing, to protect their payment card infrastructure from external threats.

Retailers from around the world trust SentinelOne’s Singularity platform to help them meet PCI-DSS cybersecurity controls and protect their business and customers from disruptive attacks. Read more about how Singularity measures against PCI-DSS requirements in a report conducted by Tevora, a security and risk management consulting firm, and a reputable PCI Qualified Security Assessor (QSA) and HITRUST Assessor.

SentinelOne Singularity XDR – A Comprehensive Solution for Retailer Protection

SentinelOne Singularity XDR offers a robust, all-encompassing solution that protects organizations from attacks. By extending coverage to all access points – from endpoints and users to cloud workloads and other devices – Singularity XDR delivers unparalleled visibility and security.

Key features of SentinelOne Singularity XDR that help defend against ATO attacks include:

• Endpoint Protection – Secure endpoints with advanced machine learning algorithms that detect and block malicious activities in real-time.
• User Behavior Analytics – Analyze user behavior patterns to identify potential account takeover attempts and take immediate action to prevent unauthorized access.
• Cloud Workload Security – Protect your cloud infrastructure with automated CWPP enforcement, real-time monitoring, and threat detection, ensuring a secure environment for user accounts and sensitive data.
• Integration with Existing Security Infrastructure – SentinelOne Singularity XDR seamlessly integrates with existing security stack, enhancing the organization’s overall defense against cyber threats.

Conclusion

The ecosystem for attacks on the retail sector has steadily transformed over the past decade. These attacks can have devastating consequences, from disrupting operations and causing financial losses to eroding customer trust and triggering legal consequences.

Robust cybersecurity measures can help retailers defeat cyber attacks. This includes endpoint protection with real-time detection and mitigation, cloud workload security, and compliance with frameworks such as PCI-DSS.

To learn more about how SentinelOne’s Singularity XDR platform can help protect your organization, contact us or request a demo.

The Good | International Operation Takes Down Multi-Layered Qakbot Infrastructure

Qakbot, a long-established malware and botnet infrastructure in the cyber threat ecosystem, was toppled this week after a successful global operation led by US authorities.

Dubbed “Operation Duck Hunt”, the joint operation involved redirecting the botnet’s communication to FBI-controlled servers. The FBI seized the botnet’s critical infrastructure along with approximately $8.6 million in cryptocurrency and were able to uninstall the malware from some 700,000 infected devices – 200,000 of which were situated in the US.

In its first form circa 2008, Qakbot (aka Qbot, Quackbot, Pinkslipbot, and TA750) emerged as a banking trojan aimed at pilfering banking credentials, website cookies, and credit card data for financial fraud. Over time, the trojan evolved into a C2-based malware delivery service for other threat actors, providing initial network access for ransomware attacks, data theft, and a diverse range of malicious cyber activities. Qakbot has been observed partnering with various ransomware operators including BlackCat, Black Basta, Conti, REvil, and RansomEXX.

Qakbot victims span organizations across several sectors including governments and healthcare providers. Propagation of the malware relies on phishing campaigns, incorporating tactics like reply-chain email attacks, where cybercriminals hijack email threads, respond with their own messages, and embed malicious attachments that install the Qakbot malware to the victim’s device.

Major takedowns like this one do much to shake up the cybercrime ecosystem, even though it is expected that threat groups will evolve and regroup. However, the success of Operation Duck Hunt underscores how effective global law enforcement collaboration can be in the ongoing fight against cyber threats.

The Bad | Ransomware Operators Target Critical Citrix NetScaler Vulnerability

Unpatched, Internet-facing Citrix NetScaler systems are under further attack this week by unconfirmed threat actors in what appears to be an ongoing ransomware campaign. The attack chain involves exploiting a critical code injection vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), which affects NetScaler ADC and Gateway servers and could enable unauthenticated remote code execution (RCE).

So far, the vulnerability has been used to perform a domain-wide attack where payloads were injected into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). Citrix’s security bulletin recommends customers to install the patched versions of NetScaler ADC and NetScaler Gateway immediately to minimize potential threats.

Alongside the exploit, the attackers have also employed tactics such as distributing obfuscated PowerShell scripts, PHP web shells, and leveraging a malware staging service called BlueVPS. The pattern of these attacks closely resembles a campaign reported in early August, in which around 2,000 Citrix NetScaler systems were backdoored.

According to cybersecurity researchers, the attacks from this week and earlier last month may be tied to the FIN8 hacking group, which specializes in ransomware campaigns targeting retail, food services, and hospitality industries.

This surge in ransomware attacks coincides with the trend of cybercriminals exploiting low-hanging security vulnerabilities found in popular software. Ransomware groups such as FIN8 also continue to use customized and/or updated malware strains to refine their attack methodologies and encrypt stolen data faster, highlighting the need for organizations to focus their cybersecurity strategy on real-time detection and response capabilities.

The Ugly | China-Backed Actors Attack Local Government Agencies Using Barracuda Flaw

Chinese threat actors are currently suspected of launching a chain of targeted attacks on local government and government-affiliated organizations globally through a zero-day vulnerability (CVE-2023-2868, CVSS score: 9.8) in the Barracuda Email Security Gateway (ESG).

Security researchers this week revealed that a significant portion of the breached appliances belonged to North American-based agencies from all levels of government including state, provincial, county, tribal, and municipal. While local government targeting makes up about 7% of all affected organizations, this figure rises to nearly 17% within the US alone.

The primary motivation behind the attacks was espionage. The threat actor, tracked as UNC4841, engaged in targeted data exfiltration from systems linked to prominent users in government and high-tech sectors.

The vulnerabilities in the Barracuda ESG were first disclosed on May 20, with the company issuing patches and remote fixes. However, it was later discovered that the zero-day had been exploited since at least October 2022, employing new malware variants like SeaSpy, Saltwater, and SeaSide to gain unauthorized access.

While Barracuda has not found evidence of new ESG appliances being compromised after patching, the law enforcement authorities warn that the patches are insufficient, and the vulnerability continues to be exploited. Barracuda customers are advised to isolate and replace any compromised appliances quickly, check their networks for indications of potential breaches, and rotate all enterprise-privileged credentials to minimize the risk of attacks.

2023 has been no stranger to cyber threats and both the rates and sophistication of attacks launched have only continued on their upward trajectories. Based on findings from a recent Cyber Threat Intelligence Index report, threats like ransomware, data breaches, and software vulnerabilities have all made major impacts on the landscape this year. As global enterprises have scaled up the amount of data they produce and store, threat actors have kept a watchful eye for new opportunities for attack.

In this post, learn about some of the most pressing cyber threats seen targeting the endpoint, identity, and cloud surfaces from the first three quarters of this year. By dissecting the causes and impacts of these notable attacks, enterprise and security leaders can better secure their data, systems, and networks against advanced threats down the line.

Endpoint-Based Attacks

Endpoint attacks have evolved into a critical concern, posing substantial threats to businesses across all industry verticals. As the amount of endpoints multiply and remote work opportunities continue to be the norm, the endpoint attack surface expands and leaves organizations vulnerable to a range of threats.

Attacks on endpoints exploit vulnerabilities within privileged computers, smartphones, and internet of things (IoT) devices. Major threats that loom over the endpoint attack surface include ransomware, phishing scams, zero-day exploits, fileless malware, and Denial-of-Service (DoS) attacks.

Ransomware Attacks

In the first three quarters of 2023, ransomware has targeted multiple critical infrastructure and major companies, including those listed below:

• San Francisco’s Bay Area Rapid Transit (Vice Society) – San Francisco’s BART was hit in January by a ransomware attack claimed by the Vice Society group. While no service disruption occurred, stolen data was posted online. BART confirms no impact on services or internal systems, but concerns from the incident have arisen due to potential backdoor access to critical systems.
• Reddit (BlackCat Ransomware) – ALPHV ransomware group, also known as BlackCat, claimed responsibility for a February cyberattack on Reddit. The attack, initiated through a successful phishing campaign, resulted in the theft of 80GB of data, including internal documents, source code, and employee and advertiser information. The group had announced its intent to leak the stolen data after failed attempts to extort $4.5 million from Reddit for its deletion.
• Dole Food Company – Dole Food Company confirmed a ransomware attack that occurred in February, which compromised an undisclosed number of employee records. While the impact was limited, production plants in North America were temporarily shut down due to the attack. The incident affected Dole’s workforce data, as reported in their annual filing with the SEC.
• United States Marshals Service (USMS) – Described as a major incident, the ransomware attack on the US Marshals Service, a federal law enforcement agency within the Department of Justice, compromised sensitive law enforcement data, including legal process returns, administrative data, and personally identifiable information (PII) of subjects associated with USMS investigations, third parties, and certain USMS employees.
• City of Oregon (Royal Ransomware) – In May, the City of Oregon encountered a ransomware attack when county data was encrypted. Election and 911 dispatch remained under control, but all other government operations were impacted. Restoring systems were calculated at the cost of millions for software reloads and network reconstruction. Claimed by Royal Ransomware, the attackers demanded a ransom for data access, with the specific amount not disclosed by county officials.
• Enzo Biochem – The New York-based biotech company suffered a ransomware attack in April compromising test data and personal information of approximately 2.5 million individuals. Names, test data, and 600,000 social security numbers were accessed. The attack on Enzo closely followed a separate attack on pharmacy giant, PharMerica, in May that saw the sensitive data of nearly 6 million people exposed.

So far, the FBI, CISA, and NSA, in partnership with other enforcement agencies, have issued the following joint cybersecurity advisories on the following ransomware in the past three quarters:

• Royal – Cybercriminals have targeted US and international organizations with Royal ransomware since September 2022. After infiltrating networks, they disable antivirus and exfiltrate data before deploying ransomware. Ransom instructions come after encryption via a .onion URL, demanding varied amounts from $1M to $11M in Bitcoin. Royal ransomware has been observed targeting critical sectors like manufacturing, communications, healthcare, and education.
• LockBit 3.0 – LockBit 3.0 (aka LockBit Black) operations follow a Ransomware-as-a-Service (RaaS) model and is a more evasive and modular continuation of its predecessors LockBit and LockBit 2.0. Affiliates that use LockBit 3.0 have been seen employing a variety of TTPs to attack a wide range of businesses in critical infrastructure sectors.
• BianLian – BianLian is a cybercriminal group conducting ransomware attacks on US and Australian critical infrastructure since June 2022. Known for ransomware development, deployment, and data extortion, they often exploit valid Remote Desktop Protocol (RDP) credentials, utilize open-source tools for reconnaissance, and exfiltrate data using FTP, Rclone, or Mega. In 2023, BianLian shifted from using a double-extortion model to exfiltration-based extortion, threatening to release data if ransom isn’t paid. They have targeted professional services and property development sectors in previous campaigns.
• Cl0p – Since emerging in February 2019, CL0P ransomware has evolved and now operates as a Ransomware-as-a-Service (RaaS), initial access broker (IAB) selling access to compromised networks, and a large botnet operator targeting the financial sector. Initially known for double extortion, they changed tactics in 2021 to focus on data exfiltration. Cl0p has compromised over 3,000 U.S. and 8,000 global organizations.
• QakBot – Also known as Qbot, Quackbot, Pinkslipbot, and TA750, Qakbot has caused numerous global malware infections since 2008. Initially a banking trojan, it evolved into a versatile botnet and malware variant used for reconnaissance, data exfiltration, lateral movement, and delivering ransomware. It targets various sectors, including financial and emergency services, commercial facilities, as well as the election infrastructure subsector, selling compromised device access to further affiliate threat actors’ goals.

3CX Supply Chain Attack

In a supply chain attack discovered in March dubbed “SmoothOperator”, actors associated with the North Korean regime compromised the infrastructure of the 3CX Private Automatic Branch Exchange (PABX) platform. The VoIP software development company is used by more than 600,000 globally and has over 12 million daily users including organizations across the automotive, food and beverage, hospitality, managed information technology service provider (MSP), and manufacturing industries.

The actors used this access to insert malicious code into the 3CX endpoint clients, which were downloaded as updates by victims using the software. The backdoored version applied stealthy steganography by encoding a payload stub in an .ico image file hosted on a public code repository hosted at github[.]com/IconStorages/images, which let the malware obtain the active C2 server address. Long-reaching software supply chain attacks like these demonstrate how threat actors work innovatively to exploit network access and distribute malware.

ESXi & Linux Ransomware

Ransomware groups such as AvosLocker, Black Basta, BlackMatter, Hello Kitty, LockBit, RansomEXX, REvil, and the now-defunct Hive have all continued to target VMware ESXi servers throughout 2023. Since 2021, organized ransomware groups have expanded targeting to include Linux systems thanks to the high likelihood of critical services or sensitive data. Disruption of Linux systems can lead to service outages, placing increased pressure on victims to pay a ransom.

These attacks often target the intersection of endpoint and cloud services, including on-premises Linux servers and hypervisors like VMWare ESXi. SentinelLabs’ research found that the availability of Babuk ransomware source code has made an outsized impact on the ESXi threat landscape. Many other Linux families are proliferating, including recent Linux additions by actors behind Abyss, Akira, Monti, and Trigona.

Identity-Based Attacks

Targeting the core of digital trust and authentication, identity-based attacks continue to rise in the cyber threat landscape. These attacks exploit weaknesses in user identities, credentials, and authentication processes and seek to gain unauthorized access to sensitive data and systems.

Enterprises around the world have exponentially grown the number of digital identities used in day-to-day operations, each one widening this attack surface. These identities are most vulnerable to threats such as phishing (and all of its variations), credential stuffing, identity theft, (fueled by social engineering), and attacks on single-sign-on (SSO) systems and multi-factor authentication (MFA) protocols.

Microsoft Exchange Online & Azure AD Vulnerability

This summer, details emerged on attacks against several US government agencies by an actor tracked as STORM-0558, a China-aligned espionage-motivated actor. The attacks abused several components to Microsoft permissions, including broad application scopes and a stolen signing key, which enabled the actors to mint session tokens to affected organizations’ Microsoft services. The original reports suggested only Exchange Online was impacted, though researchers found the flaw impacted other types of Azure Active Directory applications, including all applications that support individual (non-organization) account authentication.

BingBang

BingBang is an issue in Azure Active Directory (AD) application scopes where the default configuration may expose applications to undesired access. Researchers found that the default configuration for many Azure applications meant that any Azure AD user could access applications.

To remediate the issues outlined in BingBang, organizations using Azure AD authentication should verify what levels of access are delegated to applications, focusing first on sensitive and critical applications.

Cloud-Based Attacks

Cloud-based attacks continue to be a prominent and concerning trend, targeting vulnerabilities within cloud technologies and infrastructures. These attacks aim to compromise sensitive data housed by enterprise businesses, disrupt operations, or gain unauthorized access.

Cloud environments are vulnerable to threat actors working to exploit weak access controls to infiltrate cloud repositories. Distributed-Denial-of-Service (DDoS) attacks, capable of overwhelming cloud servers and causing widespread service disruptions, are also a major threat to modern clouds. Most notably in 2023, there has been a significant increase in cloud infostealers where financially motivated tools steal data from vulnerable or misconfigured cloud environments.

Cl0p Ransomware

In May 2023, the Cl0p (aka Clop) ransomware group made waves by exploiting a zero-day vulnerability in the MOVEit file transfer server application, which runs on Windows servers. The exploit chain delivers a Microsoft Internet Information Services (IIS) .aspx webshell to the server’s MOVEitTransferwwwroot directory, which steals files from the server as well as connected Azure Blob Storage. SentinelOne’s report provides queries that organizations can use to identify potential exploitation by the Cl0p group.

The attack demonstrated a significant shift where traditionally endpoint-focused ransomware actors wrote code specifically to target cloud storage services. The impact was massive, with more than 500 organizations and the data of 34 million individuals compromised, making it one of the biggest threat campaigns of 2023.

Cloud Infostealers

Throughout 2023, there has been a consistent rise in prevalence of cloud infostealers, which seek credentials from misconfigured or vulnerable cloud services. Some notable examples include:

• AlienFox – AlienFox is a comprehensive tool built on Androxgh0st code snippets and sold through Telegram channels. Attackers run the modular, Python-based toolset remotely against exposed cloud services. AlienFox primarily targets credentials that attackers can abuse to conduct spam attacks, API keys, and secrets from popular services including AWS SES and Microsoft Office 365. A comprehensive breakdown of targeted services can be found in SentinelLabs’ full report.
• Legion – An offshoot from the same code origin as AlienFox, Legion shares much of the same, spam-centric features. Like AlienFox, Legion is distributed to buyers who frequent Telegram channels.
• TeamTNT Doppelgänger – The infamous TeamTNT seemingly returned in 2023 with a cloud stealer that targets credentials from a variety of popular cloud and development services. While attribution remains difficult with publicly available tools like these, the actor behind recent campaigns has demonstrated active development and adaptation to new attack surfaces, such as Google Cloud and Azure service account credentials. These recent campaigns use dynamic DNS hosting provider AnonDns for command-and-control (C2). Most of the tools are Bash or Shell scripts, though the group occasionally leverages binaries, such as a Golang executable (SHA1: 2ed9517159b89af2518cf65a93f3377dea737138) that enables propagation. The recent campaigns suggest the actor may have different motives. While the original TeamTNT prolifically delivered cryptocurrency mining malware with a minor focus on credential harvesting, the newer campaigns conduct more credential harvesting and environment enumeration than cryptomining.

Conclusion | How SentinelOne Measures Up to 2023 Cyber Attacks

Instability within the geopolitical and economic landscape have all led to significant challenges in securing global enterprises this year. What’s clear from the attacks listed in this blog post is that transnational and organized cyber criminals continue to develop their threat operations to execute high-impact attacks by extorting ransoms, disrupting governments and critical services, and exposing sensitive data. Continuing to share threat intelligence on past and ongoing threats allows security and enterprise leaders to better understand where their gaps and weaknesses are so as to prepare for similar attacks in the future.

Facing these challenges, business leaders this year are much more aware of their organizations’ cyber risks than they were in 2022 and, most importantly, more willing to address them. Leaders are focused on minimizing business disruption and reputational damage and devoting more resources than before to bolstering day-to-day cyber defenses. This encompasses the strengthening of controls around third-party access, establishing cyber risk management and accountability, as well as investing in advanced cybersecurity solutions.

SentinelOne is trusted by enterprises in every industry vertical, providing the protection they need to stay ahead of modern threat actors. In one platform, SentinelOne’s Singularity XDR unites endpoint, identity, and cloud protection into an efficient cybersecurity solution. Request a demo or contact us to learn more about how Singularity leverages the power of AI to detect and respond to today’s threats.

The Good | Lapsus$ Teen Members Found Responsible for High-Profile Cyber Crime Spree

This week, a London jury found 18 year-old Arion Kurtaj of Oxford, UK to be responsible for a series of cyberattacks against major firms, including Uber, Nvidia, and Rockstar Games. Additional charges include computer intrusion, fraud, and the demand for millions of US dollars in ransom backed by the threat of leaking sensitive information.

Kurtaj holds several online aliases, including teapotuberhacker, White, and Breachbase and is estimated to have made over 300 BTC from various illicit activities. Much of these ill-gotten profits, however, were reportedly lost to rival hackers and gambling. Alongside Kurtaj, a second teenager has been convicted for their association with Lapsus$ and breaching several companies.

Described by the court as a loose and unorganized collective of young “digital bandits”, Lapsus$ is thought to have members operating within the UK and possibly Brazil. Over the years, the group has targeted multiple high-profile organizations such as Microsoft, Okta, Cisco, T-Mobile, and Samsung. Since their emergence in December of 2021, members have been observed attacking government, technology, telecom, media, retail, and healthcare sectors for both notoriety and financial gain.

According to reports, Kurtaj and the unnamed 17 year-old first met online and committed cyber trespassing, sneaking into cellphone network operator servers. This soon escalated to ransoms and the use of swiped data to break into several cryptocurrency wallets. Prosecutors have noted the groups’ juvenile desire to defy and taunt victims, often leaving offensive messages after infiltrating systems. Kurtaj, who is autistic and deemed not fit to stand trial, did not appear in court to give evidence. Jurors were asked to determine whether the teen committed the alleged acts rather than to determine if he did so with criminal intent. These cases have simultaneously highlighted the vulnerability of teenage hackers and the need to enhance cyber defenses across the web.

The Bad | macOS Malware “XLoader” Returns Disguised As Productivity App

A new variant of the macOS malware known as “XLoader” has been discovered, now masquerading as an office productivity app called “OfficeNote”. In findings published this week, SentinelOne found that this version of XLoader is hidden within an Apple disk image named OfficeNote.dmg and signed with the developer signature “MAIT JAKHU (54YDV8NU9C).” Initially identified in 2020, XLoader functions as an information stealer and keylogger, operating under the Malware-as-a-Service (MaaS) model and succeeding the infamous Formbook malware.

XLoader was first seen targeting macOS in 2021, when it was distributed by attackers as a Java program. The new XLoader variant uses the C and Objective C programming languages to avoid the limitations caused by the requirement for Java Runtime Environment, which isn’t installed by default on Mac devices. SentinelOne noted several instances of this artifact on VirusTotal throughout July 2023, suggesting a widespread campaign.

The malware pretends to be an office application named OfficeNote but in reality, installs a Launch Agent in the background for persistent execution. Once active, XLoader captures clipboard data and information stored in directories linked to popular web browsers that could be exploited or sold to other threat actors. To evade analysis, XLoader employs evasion techniques against both manual and automated analysis. It also incorporates sleep commands to delay execution in an attempt to avoid detection.

SentinelOne concluded that XLoader remains a threat to macOS users and businesses, emphasizing the need for continued vigilance against such cyber threats. Customers of SentinelOne are automatically protected from this new variant of XLoader.

The Ugly | US & UK Critical Infrastructure Targeted By Lazarus Group’s New RAT

DPRK-backed Lazarus Group has exploited a patched critical security vulnerability in Zoho ManageEngine ServiceDesk Plus with the purpose of distributing a remote access trojan (RAT) named QuiteRAT. The targets of these attacks include internet backbone infrastructure and healthcare organizations in Europe and the US, according to reports by security researchers this week. Additionally, in-depth analysis of the group’s attack infrastructure uncovered a new threat called CollectionRAT.

QuiteRAT, a successor to MagicRAT and TigerRAT, exhibits similar capabilities but with a significantly smaller file size. The malware is built on the Qt framework, which adds complexity to its code and makes analysis more challenging for cyber defenders. The attacks, observed in early 2023, involved exploiting CVE-2022-47966, a vulnerability that emerged just five days before the first attack in a proof-of-concept (PoC) to deploy QuiteRAT from a malicious URL. Unlike MagicRAT, QuiteRAT lacks a built-in persistence mechanism and requires the server to issue commands for ongoing activity on compromised hosts.

The Lazarus Group is also observed incorporating open-source tools and frameworks for initial access in their attacks as opposed to using them solely post-compromise. The reports indicate the use of the open-source DeimosC2 framework and CollectionRAT for various malicious activities, such as gathering metadata, executing commands, managing files, and delivering payloads.

Despite the well-documented nature of Lazarus’s tactics, researchers noted that the groups’ continued use of the same infrastructure shows the threat actor has confidence in the continued success of their operations.