Unweaving A Complex Web of Threats | Understanding Today’s Cyber Attacker Interdependency

The dynamics of cyber threats have taken on a new level of complexity, driven by the escalating interdependency among various types of threat actors. In a thriving cybercrime-as-a-service (CaaS) economy, attackers are sharing their malicious tradecraft through readily available kits and tools and collaborating efficiently by leveraging shared services conveniently accessible on the dark web.

For enterprises, growing interdependence amongst cybercriminals poses new challenges on the cybersecurity front. As threat actors pool their resources and knowledge, the sophistication and scale of attacks have risen exponentially. The sharing of malicious tools and services also shortens the time it takes for new threats to emerge.

In this post, we explore the complex and growing web of interconnection that links sophisticated nation-state actors, threat gangs, and all levels of cyber criminals together. Understanding the shape of today’s cyber threat landscape is an essential prerequisite for all modern cyber defenders.

How Attackers Share Knowledge & Malicious Tradecraft

In recent years, the availability of cybercrime services has become firmly established amongst various levels of cybercriminals, leading to significant specialization within criminal networks and fostering cooperation among illicit vendors.

Cybercrime-as-a-service (CaaS) models allow attackers to share technical knowledge and malicious tradecraft through dark markets. This ecosystem operates much like a legitimate business, where aspiring attackers can purchase or rent tools, techniques, and expertise to launch their own campaigns.

Illicit service providers can efficiently serve numerous criminal entities by providing obfuscation, IoT botnet rentals, phishing services, backdoor generators, and more. These offerings are frequently marketed or sold on private forums and the dark web.

Navigating the Dark Web | Breeding Grounds for A New Wave of Cybercrime

A fertile ground for modern cybercrime, the dark web serves as a hub where cybercriminals can sell and share expertise, tools, and stolen data. These illicit spaces have driven interdependency among cybercriminals and amplified the scale and complexity of cyber threats.

Tor and its .onion addresses are the most popular platform, but other darknet services can also support criminal enterprises, including I2P (the Invisible Internet Project) and Hyphanet. While such services serve legitimate purposes as well, including anonymous and private network connections, internet privacy and censorship resistance, cybercriminals have undoubtedly benefited hugely from their availability.

Monetizing Breaches | The Emergence of Initial Access Brokers

While dark markets facilitate the tools, code, and services needed to perform cyberattacks, Initial Access Brokers (IABs) sell unauthorized access to compromised systems, enabling buyers to initiate their attacks. Their emergence has introduced a layer of monetization to data breaches, which underscores the transformation of cyber threats into a vastly profitable commodity.

Initial Access Brokers also offer a marketplace for stolen credentials and software vulnerabilities, which empower a broader range of attackers with diverse expertise. With such ready access to potential targets, cybercriminals are able to exploit these gateways to rapidly launch new campaigns.

Outsourcing Expertise for Profit | The Role of Cyber Affiliates

The shift in how threat actors collaborate is also attributed to cyber affiliates: individuals or groups that leverage their skills to assist in cyber attacks in exchange for a share of the profits. This decentralized approach enables specialization within the criminal ecosystem, where different actors contribute their expertise to create a more diversified and potent threat ecosystem.

Affiliates are integral components of the ransomware-as-a-service (RaaS) framework: they leverage the specialized resources and tools provided by the RaaS platform, enabling them to launch sophisticated campaigns even without advanced technical skills.

In return for their services, affiliates share a portion of the ransom payments with the RaaS operators. This collaboration amplifies the reach and severity of ransomware attacks since affiliates operate autonomously under the RaaS umbrella, expanding the threat landscape and generating profits for both parties involved.

Behind the Scenes | The Enablers Behind Cybercriminals

Beneath the surface of the cybercrime landscape lies a network of enablers that fuel their malicious operations. Crypter developers, for example, create tools that attempt to disguise malware, in the hopes of evading detection by less-sophisticated security software.

Malware kits and droppers offer pre-packaged malicious code, further lowering the barrier to entry to cybercrime and attracting a new breed of would-be criminals with less technical knowledge.

Bulletproof hosting plays a pivotal role in interconnecting cybercriminals. This type of hosting service provides a safe haven for illegal online activities by offering infrastructure that is resistant to takedowns and law enforcement actions. Bulletproof hosting providers set up their infrastructure in jurisdictions that are known to have lenient or inadequate internet regulations in place, making it difficult for authorities to shut down or seize their servers. The hosts generally have minimal content monitoring or restrictions, allowing cybercriminals to host illegal content, malware distribution, phishing sites, and other malicious activities.

By providing a reliable and secure platform, bulletproof hosting providers attract a range of cybercriminals, including those involved in malware distribution, phishing campaigns, and other illicit operations. This fosters an environment where cybercriminals can collaborate, share resources, and even coordinate attacks, making their collective impact much larger than if they had operated independently.

VPNs are among the most common services used by malware operators and scammers. Criminal VPN providers work by hosting proxies that users can route their traffic through to conceal their IP address as well as the content of the traffic. These services are typically advertised specifically to attackers on the dark web.

Anonymizing Transactions | The Role of Cryptocurrency In The Threat Arena

Behind the explosion of cybercrime in recent years is the ability of criminals to move money without oversight. Cryptocurrency like bitcoin has transformed how threat actors manage their ill-gotten gains and conduct various illegal activities. Given its decentralized nature, anonymity, and ease of use, cryptocurrency has become a unifying means of handling criminal proceeds across diverse criminal activity.

Crypto wallets securely store digital assets and enable anonymous transactions through unique addresses. Mixers, or tumblers, shuffle multiple transactions, ensuring that the origin of funds is difficult to trace. Threat actors also use crypto swappers to convert from one cryptocurrency to another, which adds an additional layer of complexity. These tools collectively help cybercriminals mask their financial activities, making illegal proceeds harder for authorities to detect and track.

Conclusion

The increasing interdependence observed among cybercriminals reflects the intricate nature of the modern cybercrime landscape. It also demonstrates the urgency for organizations to establish end-to-end cybersecurity strategies that are capable of safeguarding various attack surfaces autonomously.

While disruption of the cybercrime ecosystem is primarily a task for collaborative law enforcement and government policy, security leaders can play their part by ensuring that their solutions provide deep visibility across all systems, detect and respond to threats in real-time, and can scale as needed as the organization grows.

SentinelOne is ready to help security leaders defend their organizations against every level of cyberattack. To learn how we can help you build a robust security posture, contact us today or book a demo.

From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families

The evolution of the ransomware landscape has seen a shift from the more traditional approach involving Windows payloads to ones targeting other platforms, most notably Linux. In this shift, ransomware operators are shortening the time gaps between different payload releases and bringing feature parity across diverse platforms.

Strategically dipping into code from well-known ransomware families such as Conti, Babuk, or LockBit, ransomware operators are reusing and modifying codebases to create novel attack techniques. As more cases of this come to light, it is critical for security teams to stay vigilant and adaptive in their defenses.

In this post, we highlight several recent ransomware families that have unleashed their Linux/ESXi-focused payloads shortly after the launch of their operations. Understanding the capabilities of these payloads is an important step in gauging future risk and key to enabling security teams to prepare their defenses accordingly.

The Rise of the Linux Ransomware Threat

Looking back just four or five years, prominent ransomware operators’ primary focus was devices running Windows. Non-Windows flavors of their payloads required extra skill and time to develop and release. Such is not the case now, with languages like Rust and Go allowing for quick multi-platform ports for eager malware developers.

The state of the threat landscape as we see it today includes ransomware operators releasing payloads for multiple platforms simultaneously. In this approach, there are no longer significant gaps of time between the usual Windows-targeted payloads and the Linux-focused and/or ESXi payloads. In addition, it is now standard for payloads across platforms to exhibit feature parity. Out of the gate, these Linux and ESXi-focused lockers contain all the requisite functionality of their Windows counterparts.

Modern ransomware operators are also increasingly reusing builders and code (sometimes leaked) or modifying codebases to suit their needs while maintaining the primary code as a model. Security researchers note that the primary families from which these have been derived are Conti, Babuk, and LockBit. These variants are capable of targeting both Linux and VMware ESXi environments, with the aim of encrypting the virtual machines (VMs) hosted on ESXi servers that are often crucial to business operations and services.

Typically, attackers exploit vulnerabilities in ESXi, weak credentials, or other security weaknesses to gain access to the virtualized environment. The ability to efficiently target and encrypt virtual machines is highly attractive to ransomware operators. Fully virtualized infrastructure can be encrypted and compromised in minutes with the right, robust payloads.

MONTI Locker

MONTI locker has a history going back to mid-2022, with a number of attacks on VMware ESXi servers.

The most recent versions of MONTI ESXi ransomware support a variety of command-line arguments, many of which are carryovers from Conti, from which MONTI Locker borrows code. The operators behind MONTI Locker have shown signs of moving in a more bespoke direction as of late, however.

Researchers recently documented a sample that appears to shed the old Conti-based encryptor along with a few of the command-line parameters. These more recent samples have removed the --size, --log and --vmlist parameters.

Available command-line parameters for MONTI Locker include:

Argument        Function
--path          Path to file / volumes
--whitelist     List of virtual machines to skip (can accept .txt file input)
--vmkill        Toggle termination of virtual machines
--vmlist        Accepts a list (.txt file) of virtual machine names
--detach        Detach from the screen/terminal
--log           Create a log file
--prockiller    Toggles termination of processes with handles open on targeted files (for encryption)
--size          Partial file encryption, toggles percentages between 10 and 50
--world-id=     Target specific World IDs within VMware
August 2023 MONTI Locker help screen

Also of note is MONTI Locker’s ability to update the MOTD file (Message of the Day) on affected servers. This file (/etc/motd) controls what users see upon login to vCenter, for example. Post-infection, servers encrypted with MONTI Locker will display the configured ransom note.

MOTD and Index.html references in MONTI Locker

MONTI Locker’s overall attack volume is lower than some of the other threats in this post. Their targeting is quite selective, and they are adept at playing the long game when it comes to the overall lifespan of their infection campaigns. As we will note with Akira, it will be interesting to see how MONTI Locker evolves outside of Conti as well as how quickly those changes will come to fruition.

Akira Ransomware

Linux variants of the Akira ransomware family have been observed since June of 2023, though the broader operations go back to April. Initial delivery of Akira ransomware occurs via exploitation of vulnerable, publicly available services and applications. The group has also been known to target weaknesses in multi-factor authentication (or a lack thereof). Akira attackers do not discriminate when it comes to victimology. As of this writing, they have targeted educational institutions as well as those in the financial, manufacturing, real estate, and medical industries.

Traditionally, Akira ransomware payloads are borrowed from Conti. The Linux versions of Akira ransomware use the Crypto++ library to handle encryption on devices. Akira provides a short command set that does not include any options to shut down VMs prior to encryption. It does, however, allow the attacker some control over the speed of encryption and the likelihood of practical recovery by the victim via the -n parameter. The greater that value, the more of the file gets encrypted, meaning slower speed and a lower likelihood of the victim recovering without proper decryption tools.

Available command-line parameters for Akira include:

Argument                  Function
--encryption_path, -p     Path to file / folders
--encryption_percent, -n  Partial encryption, sets percentage of file to be encrypted
--share_file, -s          Shared-drive path (on network) to be encrypted
--fork                    Spawn a child process for encryption
Akira’s minimal output with EP and Path parameters
Akira command-line parameters

Akira is often recognized by their retro-style branding and themes. The operators have past interactions with Conti and the Conti source code is peppered throughout that of Akira. It will be interesting to monitor and see how their non-Windows payloads evolve over time, and if and how much they will deviate from the Conti base.

Trigona Linux Locker

Trigona is a ransomware family first observed in June 2022. A multi-extortion group, Trigona hosts a public blog of victims as well as their stolen data. Their malware payloads have been observed on Windows and Linux.

Of all the families discussed here, Trigona had the longest gap between the release of its original Windows payloads and the Linux-focused versions of its ransomware. Despite that gap, Trigona is in no way behind the other ransomware families.

Trigona’s Linux-focused payloads are lean and efficient and they include the most robust logging and testing-output options across the families discussed in this post. The group is aggressive with their campaigns and demands and we continue to monitor as the group updates their tools for these and potentially other platforms.

The /erase option with Trigona is available on both Windows and Linux variants. This option is oft-overlooked, yet it perhaps should not be. Security teams should be aware that this option allows for the ransomware to function as a wiper of sorts.

With the Trigona payloads, the /erase option will fully delete the file, making it essentially non-recoverable. This behavior is somewhat tailorable with the combined use of the /full option. Without the latter, only the first 512KB of a given file will be overwritten with NULL bytes. When combined with the /full parameter, the entire contents of the file will be overwritten. Files affected as such will be given the ._erased extension as opposed to the usual ._locked extension.
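The /erase behavior described above leaves a recognizable footprint that responders can triage. The following is an added example, not code from the original post or from Trigona: it classifies files by the ._erased / ._locked extensions and by how many leading NULL bytes they contain, distinguishing a 512KB partial wipe (tail potentially carvable) from a /full wipe. The file names and contents in run_demo() are constructed for the demo.

```python
"""Triage files left behind by a Trigona-style /erase run.

The post states that /erase overwrites the first 512KB of each file with
NULL bytes, overwrites the whole file when /full is also given, and renames
the result with a ._erased extension (._locked is the ordinary encryption
extension). This helper classifies a file by its extension and by how much
of it has been zeroed, so responders can judge what may still be carved out
of the tail. Added example, not code from the original post; the file names
and contents in run_demo() are constructed.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path

ERASED_EXT = "._erased"
LOCKED_EXT = "._locked"
PARTIAL_WIPE_BYTES = 512 * 1024   # zeroed region without /full (per the post)
CHUNK = 64 * 1024


@dataclass
class TriageResult:
    path: str
    suffix: str        # "erased", "locked" or "other"
    size: int
    zero_prefix: int   # consecutive NULL bytes from offset 0
    verdict: str


def leading_zero_bytes(path: Path) -> int:
    """Count consecutive NULL bytes from the start of the file."""
    count = 0
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            stripped = chunk.lstrip(b"\x00")
            count += len(chunk) - len(stripped)
            if stripped:        # first non-NULL byte found
                break
    return count


def classify_suffix(name: str) -> str:
    if name.endswith(ERASED_EXT):
        return "erased"
    if name.endswith(LOCKED_EXT):
        return "locked"
    return "other"


def triage_file(path) -> TriageResult:
    p = Path(path)
    size = p.stat().st_size
    suffix = classify_suffix(p.name)
    zeros = leading_zero_bytes(p)
    if suffix == "erased":
        if size > 0 and zeros >= size:
            # Everything is NULL: /erase with /full, or a file that was never
            # larger than 512KB to begin with. Nothing to recover from this copy.
            verdict = "full-wipe"
        elif zeros >= PARTIAL_WIPE_BYTES:
            # Only the first 512KB is gone; the tail still holds original
            # bytes and may be worth carving (file headers are lost, though).
            verdict = "partial-wipe"
        else:
            verdict = "erased-ext-but-not-zeroed"   # worth a closer look
    elif suffix == "locked":
        verdict = "encrypted"
    else:
        verdict = "untouched"
    return TriageResult(str(p), suffix, size, zeros, verdict)


def triage_tree(root) -> list:
    """Triage every regular file under root, worst cases first."""
    order = {"full-wipe": 0, "partial-wipe": 1,
             "erased-ext-but-not-zeroed": 2, "encrypted": 3, "untouched": 4}
    results = [triage_file(p) for p in Path(root).rglob("*") if p.is_file()]
    return sorted(results, key=lambda r: (order[r.verdict], r.path))


def run_demo() -> dict:
    """Write constructed samples into a temp dir and return name -> verdict."""
    samples = {
        "ledger.db._erased": b"\x00" * PARTIAL_WIPE_BYTES + b"TAILDATA" * 512,
        "backup.vmdk._erased": b"\x00" * (PARTIAL_WIPE_BYTES + 4096),
        "report.xlsx._locked": b"\x9f\x1c\x77" * 2048,   # stands in for ciphertext
        "notes.txt": b"plain text, never touched\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            Path(d, name).write_bytes(content)
        return {Path(r.path).name: r.verdict for r in triage_tree(d)}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} {verdict}")
```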

Available command-line parameters for Trigona include:

Argument        Function
/full           Full file encryption (as opposed to the first 512KB)
/sleep          Sets number of seconds to wait before full execution
/fast           Partial encryption
/erase          Overwrite data (wipe)
/is_testing     Sets testing/debugging flag
/test_cid       Force use of specific Computer ID (for testing and debugging)
/test_vid       Force use of specific Victim ID (for testing and debugging)
/allow_system   Toggle encryption of system paths
/shdwn          Force shutdown of the system once encryption completes
/path           Required; sets target path to encrypt
/log            Specify path for log file
Trigona launched with basic /path parameter
Trigona’s final log
Trigona command-line parameters

Abyss Locker

Abyss Locker ransomware operations emerged in March 2023, aggressively targeting VMware ESXi environments. Initial delivery of Abyss Locker payloads occurs through various means including phishing email or exploitation of vulnerable, publicly available services and applications.

Abyss Locker payloads for Linux are derived from the Babuk codebase and function in a very similar fashion. In addition, the encryption features in Abyss are based on those found in HelloKitty ransomware. At this time, it is not known how formal the cooperation between Abyss Locker, HelloKitty, and Vice Society is. Abyss Locker contains calls specific to the esxcli command-line tool, which is used for management of virtual devices.

VMware ESXi commands in Abyss Locker

Abyss Locker uses the esxcli command-line tool and allows for multiple modes of virtual machine and process termination.

esxcli vm process list
esxcli vm process kill -t=force -w=%d
esxcli vm process kill -t=hard -w=%d
esxcli vm process kill -t=soft -w=%d

These commands affect how ‘graceful’ the shutdown of targeted VMs will be. As per VMware’s documentation, the soft option is typically most desired. The hard option performs an immediate shutdown (assuming privilege) while the force option should only be used as a last resort. Abyss will make use of any and all of these if needed.
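A host-side signal for this behavior is the shape of the esxcli activity itself: an administrator kills a VM occasionally, while a locker enumerates every world and kills them all within seconds. The scanner below is an added example, not code from the original post or from Abyss Locker: it parses shell.log-style lines, groups `esxcli vm process kill` commands per user into a time window, and raises an alert when a burst hits a threshold. The log lines and their layout are constructed for the demo (real ESXi shell.log lines differ in detail), and the 60-second window and three-world threshold are assumptions to tune per environment.

```python
"""Flag Abyss-style VM termination bursts in ESXi shell history.

The post lists the esxcli calls embedded in Abyss Locker: `process list`
followed by `process kill` with -t=soft, -t=hard or -t=force and -w=<world id>.
This scanner reads shell.log-style lines, groups kill commands per user into
a time window and raises an alert when a burst exceeds a threshold.
Added example, not code from the original post; the sample log lines are
constructed, and window/threshold values are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Simplified line layout assumed for the demo: "<ISO ts> shell[<pid>]: [<user>]: <cmd>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*?-t=(?P<type>soft|hard|force)\b.*?-w=(?P<wid>\d+)")
LIST_RE = re.compile(r"esxcli\s+vm\s+process\s+list\b")


@dataclass
class Alert:
    start: datetime
    user: str
    worlds: int                    # distinct world IDs targeted in the window
    types: set = field(default_factory=set)   # kill types used (soft/hard/force)
    list_preceded: bool = False    # 'process list' seen shortly before the burst


def parse(line):
    """Return (timestamp, user, command) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["cmd"]


def find_kill_bursts(lines, window=timedelta(seconds=60), min_worlds=3):
    """Scan each user's command stream for kill bursts; return Alerts by time."""
    by_user = {}
    for e in map(parse, lines):
        if e:
            by_user.setdefault(e[1], []).append(e)
    alerts = []
    for user, events in by_user.items():
        events.sort()
        i = 0
        while i < len(events):
            ts, _, cmd = events[i]
            if not KILL_RE.search(cmd):
                i += 1
                continue
            # Gather every kill by this user within `window` of this one.
            worlds, types, j = set(), set(), i
            while j < len(events) and events[j][0] - ts <= window:
                k = KILL_RE.search(events[j][2])
                if k:
                    worlds.add(k["wid"])
                    types.add(k["type"])
                j += 1
            if len(worlds) >= min_worlds:
                listed = any(LIST_RE.search(c) and ts - t <= window
                             for t, _, c in events[:i])
                alerts.append(Alert(ts, user, len(worlds), types, listed))
                i = j          # burst reported; continue after the window
            else:
                i += 1         # slide the window forward by one event
    return sorted(alerts, key=lambda a: a.start)


# Constructed sample: a locker-like burst as root on 14 Aug (enumerate, then
# kill three worlds, escalating soft -> hard -> force on one of them), and a
# routine single VM termination by an admin the day before.
SAMPLE_LOG = """\
2023-08-13T09:30:00Z shell[1870]: [admin]: esxcli vm process list
2023-08-13T09:31:10Z shell[1870]: [admin]: esxcli vm process kill -t=soft -w=2099001
2023-08-14T02:11:03Z shell[2201]: [root]: esxcli vm process list
2023-08-14T02:11:04Z shell[2201]: [root]: esxcli vm process kill -t=soft -w=2103456
2023-08-14T02:11:04Z shell[2201]: [root]: esxcli vm process kill -t=soft -w=2103789
2023-08-14T02:11:05Z shell[2201]: [root]: esxcli vm process kill -t=hard -w=2103456
2023-08-14T02:11:06Z shell[2201]: [root]: esxcli vm process kill -t=force -w=2103456
2023-08-14T02:11:06Z shell[2201]: [root]: esxcli vm process kill -t=soft -w=2104011
"""

if __name__ == "__main__":
    for a in find_kill_bursts(SAMPLE_LOG.splitlines()):
        print(f"{a.start.isoformat()} user={a.user} worlds={a.worlds} "
              f"types={sorted(a.types)} list_first={a.list_preceded}")
```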

Available command-line parameters for Abyss Locker include:

Argument     Function
-m           Partial encryption (5-10-20-25-33-50)
-v           Verbose output
-d           Switch to daemon
Start        Path to start encryption in

-v creates a verbose “work.log” file showing the chosen encryption modes and benchmarks around the timing of encryption for each file encountered.

Abyss Locker’s work.log file
Abyss Locker Command Options

Abyss Locker’s payloads are speedy and efficient in terms of just how quickly the devices are encrypted overall. As this group continues to tweak their payloads, we expect to see more of them appearing in custom-branded, Vice Society-style campaigns.

Conclusion

In this post, we have examined several prominent Linux and VMware ESXi-focused ransomware families, diving into the usage and command-line syntax of the specific payloads. By highlighting the understood lineage where possible and focusing on the parameters available, security teams can get a hands-on look and feel for the payloads, enhancing their threat detection capabilities.

The shift from attacks using Windows payloads to those targeting other platforms signals how the ransomware landscape continues to evolve. As threat actors continue to iterate on their strategies to evade detection, it is critical for security leaders to stay ahead of these trends.

Enterprises globally trust SentinelOne for strong preventative and detection controls required to combat increasingly sophisticated threats. SentinelOne’s Singularity™ Platform is capable of both detecting and preventing the malicious behaviors associated with the threats described in this post. To learn more about Singularity™, contact us today or book a demo to see it in action.

Linux Ransomware File Samples


Cyber Attacks on Financial Institutions | Why Banks Are Caught in the Crosshairs

In recent years, there has been a significant uptick in the frequency and sophistication of attacks on the financial and banking industry. The following statistics illustrate the current breadth and depth of cyber attacks by various types of threat actors on financial entities:

  • Financial institutions were the second most impacted sector based on the number of reported data breaches last year. Institutions in the U.S., Argentina, Brazil, and China were most affected. As of December 2022, finance and insurance organizations globally experienced 566 breaches, leading to over 254 million leaked records.
  • Ransomware attacks on financial services increased from 55% in 2022 to 64% in 2023, nearly double the 34% reported in 2021. Only 1 in 10 attacks was stopped before encryption took place, leaving a total of 81% of organizations as victims of data encryption.
  • Data breaches in the finance sector carry the second-highest cost of any industry, at $5.9 million.

This blog explores the rise in cyber attacks on the banking and financial industries, their far-reaching consequences, and what these high-target entities can do to protect against the evolving tactics of threat actors.

Understanding the Risks Faced by the Financial Sector

In their 2022 Cybersecurity and Financial System Resilience report, the Federal Reserve Board notes all potential risks and emerging threats that affect the state of the U.S. economy. Unsurprisingly, cybersecurity concerns topped the list, calling out Ransomware-as-a-Service (RaaS) and sophisticated Distributed Denial of Service (DDoS) attacks as the biggest risks to financial institutions’ ability to operate and safeguard customer data.

  • RaaS – RaaS is characterized by heightened sophistication, rapid proliferation, and difficulty of attribution. RaaS empowers threat actors to establish templates that could be considered “franchised” threats. Accomplished threat actors license their software to other malicious parties, typically in exchange for a portion of the ransom proceeds. This threat model provides less advanced threat actors with many more ways of disrupting businesses. Victims that decline ransom payment often find themselves with the burden of reconstructing their infrastructure in order to reinstate normal business operations.
  • DDoS Attacks – In sophisticated DDoS attacks, the attacker aims to render a machine or network resource unavailable to legitimate users by overwhelming the target or its surrounding infrastructure with traffic. The United States’ financial services sector has long been a target of DDoS attacks, which has also affected associated external entities and other stakeholders.

An excerpt from the Federal Reserve Board’s report highlights this concern, amplified through the lens of current geopolitics:

The rising number of advanced persistent threats increases the potential for malicious cyber activity within the financial sector. These threats may result in incidents that affect one or more participants in the financial services sector simultaneously and have potentially systemic consequences. Such incidents could affect the ability of targeted firms to provide services and conduct business as usual, presenting a unique challenge to operational resilience. These incidents can also threaten the confidentiality, integrity, and availability of the targeted firm’s data.

Banks and financial institutions can face significant short and long-term financial damages when they experience a cyberattack. These damages can result from a variety of factors, including operational disruptions, reputational harm, legal and regulatory consequences, and increased cybersecurity investments.

Immediate & Ongoing Fees

A single, successful cyberattack can lead to immediate financial consequences that directly impact a company’s financial performance. Costs are associated with the severity of the attack and the extent of the data exposure, leading to both immediate and long-term repercussions.

  • Ransom Payments – In a ransomware attack, the average payout has surged to $1.6 million, compared to the previous year’s average of over $272,000. In the same report, 43% of surveyed companies confirmed paying the ransom.
  • Forensic Analysis & Investigation Fees – Organizations often engage cybersecurity experts to identify the nature and scope of the breach, analyze the attack vectors, and trace the attacker’s activities.
  • PR & Crisis Management Fees – After a breach, organizations may engage public relations and communication experts to manage the institution’s public image and respond to media inquiries. This also involves notifying affected customers, partners, and stakeholders about the breach, potential data exposure, and recommended actions.
  • Legal Expenses – Small to medium-sized businesses with no in-house legal team may seek legal advice to navigate the legal implications of the breach, including potential liability, regulatory compliance, and contractual obligations.
  • Customer Compensations & Cost of Remediation – Depending on the information compromised during the attack, organizations may offer credit monitoring and identity protection services to affected customers to mitigate potential identity theft. This can include assisting customers in resolving fraudulent transactions or unauthorized account access for a period after the breach.
  • Increased Premiums – Post-attack, companies may be forced to pay higher premiums for their cyber insurance coverage.

Regulatory & Legal Consequences

Financial entities and banks are mandated to follow applicable compliance frameworks such as PCI-DSS, and those that fall victim to a cyberattack face substantial regulatory and legal consequences. Regulatory bodies impose fines and penalties for failing to safeguard customer data, comply with industry-specific cybersecurity standards, and promptly report breaches. These financial repercussions can amount to millions of dollars, severely impacting an institution’s bottom line.

In terms of legal implications, affected parties including customers and partners may initiate lawsuits to claim damages resulting from data breaches. Legal defense costs, settlements, and potential reputational damage from such actions can lead to long-lasting financial strain.

Disruption to Business Operations & Reputational Damages

Cyber attacks disrupt services, delay transactions, and lock up day-to-day operations. The more critical the affected systems, the greater the cost to operations. In the immediate aftermath of an attack, resources may need to be redirected towards remediation, taking away from core business activities. Beyond direct financial losses, there are indirect costs of rebuilding systems and restoring data, and additional cybersecurity measures require significant investment, which can put a strain on budgets.

The value of customer trust can’t be measured and a tarnished reputation is one of the most costly consequences of a data breach. The ongoing cost of a data breach is largely reflected in the competitive landscape as the victim organizations see a decrease in their brand value and market share. For publicly traded firms, this cost is mirrored in stock price fluctuations.

As news of a data breach is reported, damage to the victim organization starts to go beyond dollars and cents. The perception of poor security measures can lead clients to doubt the organization’s ability to safeguard their sensitive information, potentially causing customer churn. From a stakeholder’s perspective, negative media coverage amplifies the impact, eroding the organization’s credibility. Extending beyond the immediate aftermath, breaches can massively influence customer decisions, partnership opportunities, and market sentiment.

Building Cyber Resilience In Big Banks & Financial Giants

To better defend the nation’s critical infrastructure from ongoing attacks, the U.S. government has implemented programs such as CISA’s Shields Up!, the Office of the National Cyber Director (ONCD), the Cyber Safety Review Board (CSRB), and most recently, the new U.S. Cyber Trust Mark.

At the enterprise-level, security leaders can use the following checklist to assess their organization’s cybersecurity posture as it stands and improve any identified gaps.

1. Response & Recovery | How fast can we regroup post-cyber attack?

Financial institutions can be susceptible to cyberattacks even with preventative controls in place. To build long-lasting resilience, security leaders are encouraged to design, maintain, and consistently review plans to ensure business continuity in the event that a threat actor succeeds. This includes:

  • Well documented incident response plans (IRP), communication matrices, and post-attack workflows. Focus on system and operations recovery and a chain of command that includes all necessary leads needed to facilitate the response plan.
  • Good relationships with federal and local law enforcement entities and any cybersecurity resources available for the specific industry.
  • Contacts for cyber forensics and any post-incident recovery experts that can be engaged as needed.
  • A regular schedule of cyber recovery exercises, audits, and red team and penetration testing.
  • Cyber insurance as a risk management strategy to identify, measure, and monitor ongoing cyber risk exposure.

2. Network & System Security | How protected are we from cyber intruders?

Many organizations adopt an “assume breach” mentality where defenders operate under the assumption that their systems have already been compromised. This is a proactive approach which acknowledges the ever-present risk of cyberattacks and focuses on detecting and mitigating intruders as quickly as possible. By assuming a breach has occurred, defenders strategically deploy continuous monitoring, anomaly detection, and threat hunting techniques to identify malicious activities early on. In essence, “assume breach” empowers defenders to stay one step ahead of adversaries in the dynamic landscape of cybersecurity. Building up the necessary network configurations and system hardening includes the following key aspects:

  • Securing all network components to ensure that only approved ports, protocols, and services are allowed.
  • Reviewing, adjusting, and disabling (if necessary) any default user accounts and settings before system use.
  • Performing vulnerability scans to cover all network and hardware components, firmware, and operating systems.
  • Adhering to a strict patch management schedule.
  • Adding threat detection and prevention capabilities to email systems to combat common email attack vectors such as phishing, whaling, spoofing, etc.
  • Segmenting critical network components and services, particularly any business-critical and/or highly sensitive elements of the environment.

3. Identity & Access Management | How do we secure against illegitimate users?

The increase in phishing attacks and the effectiveness of threat actors in infiltrating login credentials mean that financial institutions must implement the right controls for identity and access management. This includes authentication controls for customers, employees, and any third-party access to sensitive systems. To build up a strong set of identity and access management controls:

  • Implement multi-factor authentication (MFA) policies, network segmentation, and role-based access control (RBAC). This significantly enhances security by adding an additional layer of authentication beyond just passwords and minimizes the risk of unauthorized access to critical systems and data.
  • Use the Principle of Least Privilege (PoLP): grant users only the minimum level of access required to perform their responsibilities. This limits the damage an attacker can do should an account become compromised.
  • Set up means for continuous monitoring, regular account audits, and encryption protocols. Real-time monitoring of user activities and access patterns allows security teams to quickly detect and respond to potential signs of a breach. Using strong encryption protocols for authentication ensures that sensitive information such as passwords is transmitted securely.

Conclusion

As geopolitical and socio-economic sands continue to shift, the targeting of financial institutions and the banking sector by sophisticated and well-funded threat actors continues to be a top concern.

Threat actors continue to refine their techniques and our defense against these attacks needs to evolve in parallel. Enhancing cybersecurity measures, information sharing, and early threat detection are now pivotal to both safeguarding financial systems and mitigating geopolitical tensions.

To learn more about how SentinelOne can maximize visibility across full environments and automate a powerful response against complex threats, book a demo or contact us today.

Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders.

In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.

But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.

It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.

These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”
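The tripwire idea in the two quotes above can be run over ordinary process-creation telemetry. The following is an added example (not Thinkst's, Cisco's or the article's own code): it flags the host-orientation commands quoted above, treats a single one on a sensitive host as a high-severity alert, and elsewhere waits for a burst from the same user to keep helpdesk noise down. The pipe-separated log format, the host names and every record in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict

# Commands an intruder runs to "look up" where they are on a new host. The
# Windows entries follow the whoami.exe example quoted above; the IOS-style
# entries follow the "show ..." commands Cisco Talos listed.
DISCOVERY_PATTERNS = [
    re.compile(r"^(?:.*\\)?whoami(?:\.exe)?\b", re.I),
    re.compile(r"^(?:.*\\)?net1?(?:\.exe)?\s+(?:user|group|localgroup|view)\b", re.I),
    re.compile(r"^(?:.*\\)?ipconfig(?:\.exe)?\b", re.I),
    re.compile(r"^(?:.*\\)?nltest(?:\.exe)?\b", re.I),
    re.compile(r"^show\s+(?:running-config|config|interface|ip\s+route|route|arp|cdp\s+neighbor)\b", re.I),
]

# Hosts where almost no legitimate user should run discovery commands.
# Assumption: the defender curates this list; the names are constructed.
SENSITIVE_HOSTS = {"codesign-01", "core-rtr-01"}

# Constructed process-creation log, pipe separated:
# timestamp|host|user|parent process|command line
SAMPLE_LOG = """\
2023-08-10T09:12:01Z|codesign-01|svc_build|msbuild.exe|C:\\Windows\\System32\\whoami.exe /all
2023-08-10T09:12:05Z|codesign-01|svc_build|cmd.exe|net user /domain
2023-08-10T09:13:40Z|ws-045|alice|explorer.exe|C:\\Program Files\\Office\\winword.exe report.docx
2023-08-10T09:15:22Z|ws-045|alice|cmd.exe|ipconfig /all
2023-08-10T09:20:00Z|core-rtr-01|admin|vty0|show running-config
2023-08-10T09:20:03Z|core-rtr-01|admin|vty0|show cdp neighbor
"""


def parse_record(line):
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def is_discovery(cmd):
    return any(p.search(cmd) for p in DISCOVERY_PATTERNS)


def find_alerts(log_text, sensitive_hosts=SENSITIVE_HOSTS, burst=2):
    """One discovery command on a sensitive host is enough to alert (high).
    Elsewhere, alert (medium) only when the same user runs `burst` or more
    discovery commands, so a lone ipconfig from a helpdesk session stays quiet."""
    alerts, per_actor = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if not is_discovery(rec["cmd"]):
            continue
        if rec["host"] in sensitive_hosts:
            alerts.append({"severity": "high", **rec})
        else:
            per_actor[(rec["host"], rec["user"])].append(rec)
    for (host, user), recs in per_actor.items():
        if len(recs) >= burst:
            alerts.append({"severity": "medium", "host": host, "user": user,
                           "cmd": "; ".join(r["cmd"] for r in recs)})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(a["severity"], a["host"], a["user"], a["cmd"])
```

On the constructed log the workstation user's single `ipconfig` produces nothing, while the build account on the code-signing host and the router session each produce high-severity alerts; the sensitive-host list is what turns a noisy command into a reliable signal.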

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.

The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

-a web bug / URL token, designed to alert when a particular URL is visited;
-a DNS token, which alerts when a hostname is requested;
-an AWS token, which alerts when a specific Amazon Web Services key is used;
-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
-a “sensitive command” token, to alert when a suspicious Windows command is run;
-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.
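To make concrete why a token is useless to whoever finds it yet valuable to the defender, here is an added example of the mechanism behind the URL and DNS tokens in the list above. It is not Thinkst's code: the collector hostname canary.example.invalid, the record layout and the placement memo are assumptions. The lure carries only a random identifier; the mapping from identifier to "where was this planted" stays on the collector, which is what turns a hit into an actionable alert.

```python
import secrets
from datetime import datetime, timezone

# Placeholder collector hostname; a real deployment points this at the
# server that receives the HTTP requests and DNS queries for the lures.
CANARY_HOST = "canary.example.invalid"
TOKEN_LEN = 24  # hex characters produced by secrets.token_hex(12)


class CanaryRegistry:
    """Mints lures and turns a hit on one into an alert naming the place
    the lure was planted, which is the real value of the token."""

    def __init__(self):
        self._tokens = {}   # token id -> {"kind": ..., "memo": ...}
        self.alerts = []

    def mint(self, kind, memo):
        """Return (token_id, lure). The lure carries only a random id, so
        finding it gives an intruder nothing; the memo never leaves here."""
        token_id = secrets.token_hex(TOKEN_LEN // 2)
        self._tokens[token_id] = {"kind": kind, "memo": memo}
        if kind == "url":          # web bug / URL token
            lure = f"https://{CANARY_HOST}/{token_id}/report.pdf"
        elif kind == "dns":        # DNS token: any resolution of the name fires it
            lure = f"{token_id}.{CANARY_HOST}"
        else:
            raise ValueError(f"unsupported token kind: {kind}")
        return token_id, lure

    def hit(self, token_id, source):
        """Collector-side handler: unknown ids are scanner noise and are
        dropped; a known id produces an alert with the placement memo."""
        meta = self._tokens.get(token_id)
        if meta is None:
            return None
        alert = {"when": datetime.now(timezone.utc).isoformat(), "kind": meta["kind"],
                 "memo": meta["memo"], "source": source}
        self.alerts.append(alert)
        return alert


def extract_url_token(path):
    """First path segment of an incoming request, if it looks like an id."""
    first = path.strip("/").split("/", 1)[0]
    is_hex = all(c in "0123456789abcdef" for c in first)
    return first if len(first) == TOKEN_LEN and is_hex else None


def extract_dns_token(qname):
    """Leftmost label of a query for *.CANARY_HOST, if it looks like an id."""
    if not qname.rstrip(".").endswith("." + CANARY_HOST):
        return None
    label = qname.split(".", 1)[0]
    return label if len(label) == TOKEN_LEN else None


if __name__ == "__main__":
    reg = CanaryRegistry()
    tid, url = reg.mint("url", "planted on the finance share as passwords.pdf (constructed memo)")
    print("plant this:", url)
    # A hit arrives as the HTTP request path plus the client address.
    print(reg.hit(extract_url_token(f"/{tid}/report.pdf"), "203.0.113.5"))
```

The same registry serves the other token kinds in the list: the "custom exe" and "sensitive command" tokens differ only in what triggers the callback, not in how the identifier is resolved to a placement.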

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Canary Tools, which is a paid version of Thinkst that is powered by a small hardware device designed to be installed on the local network as a canary token server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:

Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens

XLoader’s Latest Trick | New macOS Variant Disguised as Signed OfficeNote App

XLoader is a long-running malware-as-a-service infostealer and botnet that has been around in some form or another since 2015. Its first macOS variant was spotted in 2021 and was notable for being distributed as a Java program. As we noted at the time, the Java Runtime Environment hasn’t shipped by default on macOS since the days of Snow Leopard, meaning the malware was limited in its targeting to environments where Java had been optionally installed.

Now, however, XLoader has returned in a new form and without the dependencies. Written natively in the C and Objective C programming languages and signed with an Apple developer signature, XLoader is now masquerading as an office productivity app called ‘OfficeNote’.

In this post, we examine how this new variant works and provide indicators for threat hunters and security teams. SentinelOne customers are automatically protected from this new variant of XLoader.

XLoader Distribution

The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg. The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C).

The application was signed on 17 July, 2023; however, Apple has since revoked the signature. Despite that, our tests indicate that Apple’s malware blocking tool, XProtect, does not have a signature to prevent execution of this malware at the time of writing.

OfficeNote’s revoked Apple Developer signature.

Multiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild.

XLoader submissions to VirusTotal July 2023

Advertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months. Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months.

XLoader Dropper and Persistence Module

When executed, the OfficeNote application is hardcoded to throw an error message indicating that the application is non-functional. Meanwhile, the malware drops its payload and installs a persistence agent, behavior that is immediately detected by the SentinelOne agent.

XLoader is immediately detected as a threat by the SentinelOne agent

This error message is hardcoded using a stack string technique, typical of previous versions of XLoader.

Hardcoded error message constructed on the stack

At this point, however, the malware has already been busy dropping the payload and LaunchAgent. The payload is deposited in the user’s home directory as ~/73a470tO and executed. It creates a hidden directory and constructs a barebones minimal app within it, using a copy of itself for the main executable. Although the name of the payload is hardcoded into the dropper, the names of the hidden directory, app and executable are randomized on each execution.

Execution of OfficeNote and creation of a hidden application as seen in the SentinelOne console

Meanwhile, a LaunchAgent is also dropped in the user’s Library folder. This agent is similar to that used in the previous version of XLoader, passing a start value to the executable. This ensures that the binary can distinguish between its first run and subsequent runs.

XLoader LaunchAgent for persistence
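A threat hunter can turn the persistence description above into a check over the user's LaunchAgents. The following is an added example, not SentinelOne's code: it parses launchd property lists with the standard library and flags an agent whose executable lives in a hidden directory under a home folder, noting an extra start argument and RunAtLoad/KeepAlive as supporting context. The two plists are constructed; the label, the paths and the literal "start" argument are assumptions in the shape the post describes, not values recovered from the XLoader sample.

```python
import os
import plistlib
import re

# Constructed LaunchAgent in the shape the post describes: an executable
# inside a hidden, randomly named directory under the home folder, started
# with an extra argument. Label, paths and "start" are assumptions.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.Xq7f3kLm.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/victim/.Xq7f3kLm/Xq7f3kLm.app/Contents/MacOS/Xq7f3kLm</string>
    <string>start</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# A constructed benign agent for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Program path whose first component below the home folder starts with a dot.
HIDDEN_UNDER_HOME = re.compile(r"^/Users/[^/]+/\.[^/]+/")


def program_of(agent):
    """Executable path and its arguments from either launchd key."""
    args = agent.get("ProgramArguments")
    if args:
        return args[0], list(args[1:])
    return agent.get("Program", ""), []


def assess_agent(plist_bytes):
    """Assess one LaunchAgent (XML or binary plist). The hidden-directory
    finding alone flags it; the others are context for the analyst."""
    agent = plistlib.loads(plist_bytes)
    path, extra = program_of(agent)
    hidden = bool(HIDDEN_UNDER_HOME.match(path))
    reasons = []
    if hidden:
        reasons.append("executable lives in a hidden directory under a home folder")
    if extra:
        reasons.append(f"executable is started with arguments {extra}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive both set (relaunches if killed)")
    return {"label": agent.get("Label", "?"), "program": path,
            "reasons": reasons, "suspicious": hidden}


def scan_launch_agents(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Assess every .plist in a LaunchAgents folder (the current user's by default)."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                findings.append(assess_agent(fh.read()))
            except plistlib.InvalidFileException:
                continue
    return findings


if __name__ == "__main__":
    for blob in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(assess_agent(blob))
    for finding in scan_launch_agents():
        if finding["suspicious"]:
            print("REVIEW:", finding)
```

Because the dropper randomizes the directory, app and executable names on each run, the check keys on the shape of the path rather than on any fixed name, which is also why the hidden-directory finding carries the decision on its own.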

XLoader Payload Behavior

As in previous versions, the malware attempts to steal secrets from the user’s clipboard via Apple’s NSPasteboard API (generalPasteboard). It targets both the Chrome and Firefox browsers, reading the logins.json file located in ~/Library/Application Support/Firefox/Profiles for Firefox and ~/Library/Application Support/Google/Chrome/Default/Login Data for Chrome. As with other infostealers we’ve observed recently, Safari is not targeted.

XLoader uses a variety of dummy network calls to disguise the real C2. We observed 169 DNS name resolutions and 203 HTTP requests. Among the many hosts the malware reaches out to are the following suspicious or malicious IP addresses:

23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121
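Because the sample hides its real C2 among a large number of decoy resolutions, the practical use of the indicators above is to match them against resolver or proxy logs and then let an analyst sort genuine C2 from decoys. The following added example (not SentinelOne's code) refangs the published indicators and runs them over a constructed resolver log, matching both the queried name and the answered address. The log format, the client addresses and all query names other than the listed ones are constructed.

```python
import ipaddress

# Indicators exactly as published above, defanged with "[.]".
DEFANGED_IOCS = """
23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121
www[.]qhsbobfv[.]top
www[.]spv88[.]online
www[.]switchmerge[.]com
"""

# Constructed resolver log: timestamp client query answer
SAMPLE_DNS_LOG = """\
2023-07-21T10:00:01Z 10.0.0.15 www.example.com 192.0.2.10
2023-07-21T10:00:02Z 10.0.0.15 www.qhsbobfv.top 104.21.26.182
2023-07-21T10:00:03Z 10.0.0.15 cdn.switchmerge.com 62.72.14.220
2023-07-21T10:00:04Z 10.0.0.22 update.example.org 198.51.100.7
"""


def refang(indicator):
    """Undo the usual defanging so the value can be compared with live data."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http").rstrip(".")


def load_iocs(text):
    ips, domains = set(), set()
    for raw in text.splitlines():
        ind = refang(raw)
        if not ind:
            continue
        try:
            ips.add(str(ipaddress.ip_address(ind)))
        except ValueError:
            # Design choice: a "www." indicator also covers its parent
            # domain, so other hostnames under it are caught as well.
            domains.add(ind[4:] if ind.startswith("www.") else ind)
    return ips, domains


def matching_domain(qname, domains):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(log_text, ips, domains):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        reasons = []
        d = matching_domain(qname, domains)
        if d:
            reasons.append(f"query under listed domain {d}")
        if answer in ips:
            reasons.append(f"resolved to listed address {answer}")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer, "reasons": reasons})
    return hits


if __name__ == "__main__":
    ips, domains = load_iocs(DEFANGED_IOCS)
    for h in scan_dns_log(SAMPLE_DNS_LOG, ips, domains):
        print(h["ts"], h["client"], h["qname"], "->", "; ".join(h["reasons"]))
```

Matching on the answered address as well as the name is deliberate: a decoy hostname that still resolves to one of the listed addresses is worth the same look as a direct query, and a host that matches on both is the stronger lead.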

XLoader also attempts to evade analysis both manually and by automated solutions. Both the dropper and payload binaries attempt to prevent debuggers attaching with ptrace’s PT_DENY_ATTACH (0x1f).

XLoader attempts to prevent analysts reverse engineering the malware

On execution, the malware executes sleep commands to delay behavior in the hope of fooling automated analysis tools. The binaries are stripped and exhibit high entropy in an attempt to similarly thwart static analysis.

The XLoader binaries exhibit high entropy in the __text section
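The high-entropy signal shown in the figure is easy to compute during triage. The following added example (not SentinelOne's code) computes Shannon entropy over sliding windows of a section and reports whether nearly every window is near-random, which is what distinguishes an encrypted or packed region from ordinary compiled code. The two buffers are constructed stand-ins (SHA-256 output for a packed-like section, repetitive text for a regular one), and the 7.0-bit threshold is a common rule of thumb rather than a value from the post.

```python
import hashlib
import math
from collections import Counter

# Constructed samples. HIGH_SAMPLE is 8 KiB of SHA-256 output, standing in
# for an encrypted/packed section; LOW_SAMPLE is repetitive text, far more
# regular than real machine code, standing in for an unpacked section.
HIGH_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
LOW_SAMPLE = b"mov eax, ebx ; call handler ; ret\n" * 300

CHUNK = 1024            # window size in bytes
THRESHOLD = 7.0         # bits per byte; rule of thumb, not a value from the post
MIN_HIGH_FRACTION = 0.9


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def chunk_entropies(data, size=CHUNK):
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def looks_packed(data, threshold=THRESHOLD, min_fraction=MIN_HIGH_FRACTION):
    """True when nearly every window is near-random. Compiled code sits well
    below 8 bits because opcodes and operands repeat; encrypted or compressed
    payloads do not, which is the signal the __text figure above shows."""
    ents = chunk_entropies(data)
    if not ents:
        return False
    return sum(e >= threshold for e in ents) / len(ents) >= min_fraction


def section_report(name, data):
    ents = chunk_entropies(data)
    return {"section": name, "size": len(data),
            "overall": round(shannon_entropy(data), 3),
            "min_window": round(min(ents), 3) if ents else 0.0,
            "max_window": round(max(ents), 3) if ents else 0.0,
            "packed": looks_packed(data)}


if __name__ == "__main__":
    for name, blob in (("__text (constructed, packed-like)", HIGH_SAMPLE),
                       ("__text (constructed, regular)", LOW_SAMPLE)):
        print(section_report(name, blob))
```

Windowed entropy is preferred over a single whole-section figure because a mostly normal section with one encrypted blob averages out to something unremarkable, while the per-window minimum and maximum still expose it; feeding the bytes of a real __text section into section_report is the only change needed to use this on a sample.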

Conclusion

XLoader continues to present a threat to macOS users and businesses. This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise.

IT and security teams are advised to deploy a trusted third party security solution to prevent and detect malware such as XLoader. To see how SentinelOne can help protect the macOS devices in your fleet, contact us or request a free demo.

Indicators of Compromise

SHA1 Description
26fd638334c9c1bd111c528745c10d00aa77249d Mach-O Payload
47cacf7497c92aab6cded8e59d2104215d8fab86 Mach-O Dropper
5946452d1537cf2a0e28c77fa278554ce631223c Disk Image
958147ab54ee433ac57809b0e8fd94f811d523ba Mach-O Payload

FilePaths
~/73a470tO

Developer ID
MAIT JAKHU (54YDV8NU9C)

Network Communications

23[.]227.38[.]74
62[.]72.14[.]220
66[.]29.151[.]121
104[.]21.26[.]182
104[.]21.32[.]235
104[.]21.34[.]62
137[.]220.225[.]17
142[.]251.163[.]121
www[.]activ-ketodietakjsy620[.]cloud
www[.]akrsnamchi[.]com
www[.]brioche-amsterdam[.]com
www[.]corkagenexus[.]com
www[.]growind[.]info
www[.]hatch[.]computer
www[.]kiavisa[.]com
www[.]lushespets[.]com
www[.]mommachic[.]com
www[.]nationalrecoveryllc[.]com
www[.]pinksugarpopmontana[.]com
www[.]qhsbobfv[.]top
www[.]qq9122[.]com
www[.]raveready[.]shop
www[.]spv88[.]online
www[.]switchmerge[.]com

The Good, the Bad and the Ugly in Cybersecurity – Week 33

The Good | DigiHeals Aims to Boost Resilience of Healthcare Sector to Fight Off Cyber Attacks

The healthcare sector has borne a particularly tough brunt of attacks over the last few years as ransomware-wielding cybercriminals have sought easy pickings from often under-resourced public services. Good news this week, then, as the Biden-Harris administration’s ARPA-H project has launched a digital health security initiative to help ensure patients continue to receive care in the wake of a medical facility cyberattack.

The initiative, dubbed DigiHeals, aims to encourage proposals for proven technologies developed for national security and apply them to civilian health systems, clinical care facilities, and personal health devices.

The aim is to focus on cutting-edge security protocols, vulnerability detection, and automatic patching in order to limit the ability for threat actors to attack digital health software, with the ultimate objective being to ensure continuity of care for patients in the wake of a cyberattack on a medical facility.

Aside from a lack of cybersecurity resources, healthcare services present unique problems for digital defense, as medical facility networks are typically made up of a vast patchwork of disparate devices, systems, and services. The DigiHeals project hopes to encourage submissions from researchers, both amateur and professional, from a wide range of fields and expertise. Accepted proposals related to vulnerability detection, software hardening, and system patching, as well as the expansion or development of security protocols, will receive funding and further support from the project.

The Bad | Actively Exploited Citrix Vulnerabilities May Pose Threat Even After Patching

Bad news for Citrix users this week as CISA warns that cyber adversaries are making widespread use of two n-day vulnerabilities, CVE-2023-24489 and CVE-2023-3519. Neither is new, but in-the-wild exploitation is on the rise, with some admins having patched their systems but failing to check whether they had already been breached.

CVE-2023-3519 is a vulnerability in Citrix’s NetScaler networking products, first disclosed last month. Researchers say that almost 70% of patched NetScalers still contain a backdoor, indicating that admins applied the patch after the bug had already been exploited and did not check for or discover the compromise.

According to the researchers, it appears an adversary exploited the bug in an automated fashion in mid-July, dropping webshells on vulnerable systems. The webshells allow for the execution of arbitrary commands, even if the NetScaler is subsequently patched or rebooted.

Equally concerning, CVE-2023-24489 is a bug with a CVSS score of 9.1 out of 10 affecting Citrix’s content collaboration tool ShareFile. Exploitation allows an unauthenticated attacker to remotely compromise customer-managed ShareFile storage zone controllers.

CISA advised on Wednesday that the bug was being actively exploited. Researchers at GreyNoise reported a steep spike in attacker activity around CVE-2023-24489 after the advisory went public, indicating that attackers are racing against time to exploit vulnerable instances before security teams plug the gap.

Researchers believe there are anywhere between 1000-6000 vulnerable instances that are accessible from the public internet.

In both cases, admins are urged both to patch without delay and to investigate whether a compromise may have already occurred.

The Ugly | Free Cloud Storage Services Abused By Threat Actors Phishing for Microsoft Credentials

Cloud security is in the spotlight again this week as cloud storage service Cloudflare R2 has reportedly seen a 61-fold increase in hosted phishing pages in the last six months. R2, which offers a similar service to Azure blob and AWS S3, is being used for campaigns that primarily phish for Microsoft login credentials, although Adobe, Dropbox and other cloud apps’ login pages have also been targeted.

The massive increase may relate to the fact that R2, a relatively new entrant in the field of cloud storage, offers some free services to attract customers, and threat actors have found these useful to abuse. First, fake login pages are hosted on a free subdomain that can be reused without limit. The domains all follow the pattern:

https://pub-.r2.dev

Second, Cloudflare offers a free CAPTCHA service called Turnstile to help legitimate websites reduce spam. The threat actors have deployed Turnstile to prevent URL scanners and internet analyzers from examining the phishing pages’ content and marking them as dangerous. The use of the CAPTCHA has the added bonus of making the site seem more legitimate to unsuspecting users.

In addition, victims are redirected to the phishing pages from other malicious websites, and the phishing pages only serve up the fake login forms if the referring site is recognized as the source. Researchers say that the referring web pages include a timestamp after a hash (#) symbol in the URL. If that value is missing, the visitor is instead redirected to Google’s home page, helping to ensure only intended victims see the phishing content.

Source: Netskope

The news comes as the same researchers report that the number of cloud apps being abused to deliver malware has increased to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly topping the list. Amazon AWS login pages were also recently targeted in a cloud phishing campaign using Google ads, underlining the efforts attackers are now making to capitalize on the rise of cloud services in the enterprise.

Karma Catches Up to Global Phishing Service 16Shop

You’ve probably never heard of “16Shop,” but there’s a good chance someone using it has tried to phish you.

A 16Shop phishing page spoofing Apple and targeting Japanese users. Image: Akamai.com.

The international police organization INTERPOL said last week it had shuttered the notorious 16Shop, a popular phishing-as-a-service platform launched in 2017 that made it simple for even complete novices to conduct complex and convincing phishing scams. INTERPOL said authorities in Indonesia arrested the 21-year-old proprietor and one of his alleged facilitators, and that a third suspect was apprehended in Japan.

The INTERPOL statement says the platform sold hacking tools to compromise more than 70,000 users in 43 countries. Given how long 16Shop has been around and how many paying customers it enjoyed over the years, that number is almost certainly highly conservative.

Also, the sale of “hacking tools” doesn’t quite capture what 16Shop was all about: It was a fully automated phishing platform that gave its thousands of customers a series of brand-specific phishing kits to use, and provided the domain names needed to host the phishing pages and receive any stolen credentials.

Security experts investigating 16Shop found the service used an application programming interface (API) to manage its users, an innovation that allowed its proprietors to shut off access to customers who failed to pay a monthly fee, or for those attempting to copy or pirate the phishing kit.

16Shop also localized phishing pages in multiple languages, and the service would display relevant phishing content depending on the victim’s geolocation.

Various 16Shop lures for Apple users in different languages. Image: Akamai.

For example, in 2019 McAfee found that for targets in Japan, the 16Shop kit would also collect Web ID and Card Password, while US victims would be asked for their Social Security Number.

“Depending on location, 16Shop will also collect ID numbers (including Civil ID, National ID, and Citizen ID), passport numbers, social insurance numbers, sort codes, and credit limits,” McAfee wrote.

In addition, 16Shop employed various tricks to help its users’ phishing pages stay off the radar of security firms, including a local “blacklist” of Internet addresses tied to security companies, and a feature that allowed users to block entire Internet address ranges from accessing phishing pages.

The INTERPOL announcement does not name any of the suspects arrested in connection with the 16Shop investigation. However, a number of security firms, including Akamai, McAfee and ZeroFox, previously connected the service to a young Indonesian man named Riswanda Noor Saputra, who sold 16Shop under the hacker handle “Devilscream.”

According to the Indonesian security blog Cyberthreat.id, Saputra admitted being the administrator of 16Shop, but told the publication he handed the project off to others by early 2020.

16Shop documentation instructing operators on how to deploy the kit. Image: ZeroFox.

Nevertheless, Cyberthreat reported that Devilscream was arrested by Indonesian police in late 2021 as part of a collaboration between INTERPOL and the U.S. Federal Bureau of Investigation (FBI). Still, researchers who tracked 16Shop since its inception say Devilscream was not the original proprietor of the phishing platform, and he may not be the last.

RIZKY BUSINESS

It is not uncommon for cybercriminals to accidentally infect their own machines with password-stealing malware, and that is exactly what seems to have happened with one of the more recent administrators of 16Shop.

Constella Intelligence, a data breach and threat actor research platform, now allows users to cross-reference popular cybercrime websites and denizens of these forums with inadvertent malware infections by information-stealing trojans. A search in Constella on 16Shop’s domain name shows that in mid-2022, a key administrator of the phishing service infected their Microsoft Windows desktop computer with the Redline information stealer trojan — apparently by downloading a cracked (and secretly backdoored) copy of Adobe Photoshop.

Redline infections steal gobs of data from the victim machine, including a list of recent downloads, stored passwords and authentication cookies, as well as browser bookmarks and auto-fill data. Those records indicate the 16Shop admin used the nicknames “Rudi” and “Rizki/Rizky,” and maintained several Facebook profiles under these monikers.

It appears this user’s full name (or at least part of it) is Rizky Mauluna Sidik, and they are from Bandung in West Java, Indonesia. One of this user’s Facebook pages says Rizky is the chief executive officer and founder of an entity called BandungXploiter, whose Facebook page indicates it is a group focused mainly on hacking and defacing websites.

A LinkedIn profile for Rizky says he is a backend Web developer in Bandung who earned a bachelor’s degree in information technology in 2020. Mr. Rizky did not respond to requests for comment.

The New Frontline of Geopolitics | Understanding the Rise of State-Sponsored Cyber Attacks

The rise of nation-state cyber attacks has become a defining feature of modern geopolitics. With blurred lines between advanced persistent threats (APTs) and cybercrime, understanding this complex landscape has become a critical element in building a strong cybersecurity strategy. According to recent reports on the rise of state-sponsored cyber attacks, nation-state actors targeting critical infrastructures have doubled from 20% to 40% in the past two years alone. As for the costs? Organizations are estimating a total of $1.6 million per cyber incident.

Not only are the frequency and financial consequences of such attacks accelerating, the threat landscape in which these nation-state actors now operate is also shifting. Cyber warfare and the use of cyberweapons in the ongoing Russo-Ukrainian war, for example, have magnified the intersection of conflict across geopolitical and digital surfaces.

The challenge is that nation-state threat actors are well-funded and possess specialized skills, focusing their attacks on high-value targets including government and military entities, think tanks, universities, and those providing critical infrastructure services.

This post explores how nation-state sponsored attacks have evolved over recent years to become a threat not just to individual targets but to all organizations, as well as to the civil, economic and political fabric of our society. Sharing our collective knowledge on how such groups operate and the impacts they have can help the cyber defense community better understand and mitigate these sophisticated threats.

A Shadowy Threat | A Brief History of Cyber Espionage & Nation-State Attacks

Cyber espionage, a stealthy practice dating back to the very beginnings of internet connectivity, has undergone substantial changes in recent years, fueled by rapid advancements in technology and evolving global dynamics.

The origins of cyber espionage trace back to the 1980s when the French intelligence agency, led by the “Farewell Dossier”, exploited a KGB officer’s computer to gather critical information on Soviet activities. At the same time, a German hacker group known as the Chaos Computer Club exposed vulnerabilities in government and military systems. These incidents marked the inception of digital espionage and highlighted the potential of exploiting interconnected networks to gather intelligence. These early instances foreshadowed the evolution of cyber espionage into a formidable global concern in the decades that followed.

Cyber espionage has since evolved into a potent tool for nation-state threat actors and a critical security issue for organizations, with implications sounding across political, economic, and societal domains.

Subsequently, state-sponsored hacking campaigns, corporate espionage, and intellectual property (IP) theft have become rampant, with the potential to disrupt critical service industries and compromise national security. The interconnected nature of the modern world amplifies this impact as a breach in one corner of the globe can trigger far-reaching consequences.

As nations, corporations, and civilians have become increasingly reliant on digital infrastructure, the stakes have escalated, making targeted, state-sponsored cyber attacks a top-tier and global security concern. To safeguard against this escalating threat, international cooperation, robust cybersecurity measures, and innovative defense strategies are crucial in this new era of digital spycraft.

The Big Players | Navigating The Complex Landscape of APTs

By some estimates, there could be over a hundred different APT groups worldwide, but when we look at where most activity that threatens our interests originates from, there are four major nation-states that have been in the game longer than the rest.

Between them, China, Russia, North Korea and Iran have developed some of the most sophisticated and comprehensive threat activity and cyber tradecraft that businesses in all sectors have to face today.

China

China’s cyber threat is not only broad and persistent but also evolving. The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment paints a clear picture of the cyber threat posed by the People’s Republic of China (PRC), noting that:

“China’s cyber espionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations.”

The annual report contains a stark warning.

“China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”

Emerging in the early 2000s, Chinese-based threat groups rapidly matured in terms of tactics, techniques, and targets. The infamous Titan Rain campaign of the mid-2000s marked a watershed moment, exposing China’s cyber capabilities as it targeted U.S. defense and technology sectors. This trend continued with APT1, linked to the Chinese military, launching widespread attacks on various industries.

As time progressed, the Chinese cyber espionage ecosystem diversified. From 2006 to the present day, APT10 (aka Red Apollo/Stone Panda) has been reported targeting a wide range of companies across multiple continents, including the healthcare, defense, aerospace and government sectors. APT17 (DeputyDog) is a threat group sponsored by the Jinan bureau of the Chinese Ministry of State Security. First seen in 2009, it has been linked to Operation Aurora and the CCleaner supply chain attacks in 2017. APT41 (aka Winnti Group) was first seen in 2012 and combines financially-motivated cybercrime with information theft and espionage.

In general, Chinese APT groups have been known to use tactics like living-off-the-land (LOTL), where they abuse native tools like PowerShell and WMI to evade detection, and to develop comprehensive programs for vulnerability research and exploitation.

Most recently, Chinese threat groups are known to be disguising traffic to malicious servers through botnets of compromised IoT devices and to use DNS, HTTP and TCP/IP hijacking. Security researchers have found that Chinese threat groups tend to focus on security, networking and virtualization tools to obtain and maintain stealthy access to targeted organizations’ internal networks.

Some notable recent case studies of Chinese-based APT groups and campaigns include:

  • Aoqin Dragon – Operating since 2013, Aoqin Dragon targets government, education, and telecommunication organizations in Southeast Asia and Australia. The group seeks initial access through document exploits and fake removable devices, and uses techniques like DLL hijacking and DNS tunneling to evade detection.
  • WIP19 Espionage – This Chinese-speaking threat group has been targeting telecommunications and IT service providers in the Middle East and Asia, using stolen certificates to sign novel malware such as SQLMaggie and ScreenCap.
  • Operation Tainted Love – An evolution of tooling associated with Operation Soft Cell, Chinese cyber espionage groups attacked telecommunication providers in the Middle East using well-maintained, versioned credential theft capability and a new dropper mechanism.

Russia

In the late 2000s, the APT28 (Sofacy) and APT29 (NobleBaron, The Dukes) threat groups gained notoriety for state-sponsored activities such as targeting government agencies, think tanks, and critical infrastructure worldwide. These groups have since been implicated in high-profile incidents, including mass supply chain attacks and interference in U.S. presidential elections. The U.S. government has noted that such activity is an extension of Russia’s larger geopolitical goals.

“Moscow has conducted influence operations against U.S. elections for decades, including as recently as the U.S. midterm elections in 2022. It will try to strengthen ties to U.S. persons in the media and politics in hopes of developing vectors for future influence operations.”

The Russian APT landscape evolved with groups like Turla, whose history of activity has been suggested to span almost 30 years, beginning with Moonlight Maze in 1996. Later, APT28 (linked to Russia’s GRU military intelligence unit) and APT29 (now understood to be operated under the auspices of Russia’s Foreign Intelligence Service, SVR) continued their activities, adapting their tactics and diversifying their targets to encompass sectors beyond politics. APT groups like Gamaredon and Sandworm have also emerged, exhibiting a blend of cyber espionage and disruptive operations.

As geopolitical tensions continue to heighten, Russian APT groups have become increasingly adept at utilizing supply chain attacks, zero-day exploits, and deception techniques. They have also exploited global events, such as the COVID-19 pandemic, to launch tailored and themed attacks.

Presently, Russian-based APT groups continue to engage in a broad spectrum of cyber operations, spanning espionage, disinformation, and potential sabotage. Russia’s focus on targeting critical infrastructure, including underwater cables and industrial control systems, has been noted in intelligence assessments.

“Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”

Some notable case studies of Russian APT groups and campaigns include:

  • HermeticWiper Malware – This destructive malware was used against Ukrainian organizations, manipulating the MBR to cause boot failure. This attack reflects Russia’s willingness to deploy destructive tools against neighboring countries.
  • APT28 (Sofacy) – Known for its espionage and influence capabilities, APT28 has been particularly focused on targeting critical infrastructure, including underwater cables and industrial control systems in the U.S. and allied countries through the use of malware like X-Agent.
  • APT29 (Nobelium/NobleBaron) – Involved in the 2014 White House attack, this group has targeted various government, military, energy, and media organizations, using tools like CozyDuke. In 2021, the group was identified as being behind the SolarWinds supply chain attack.
  • Snake Implant – A sophisticated cyber espionage tool created and deployed by Russia’s Federal Security Service, FSB. Found in over 50 countries including the U.S., Snake malware is used to collect sensitive intelligence from high priority targets.

North Korea

North Korea’s cyber program poses a sophisticated threat, adapting to global trends in cybercrime as a whole. Their journey began in the early 2000s with the Lazarus group, which has operated since 2009 and is responsible for some of the most notorious cyberattacks in history, including the 2014 hack on Sony Pictures and the 2017 outbreak of WannaCry. They added cryptocurrency theft to their repertoire in 2017. At the end of 2019, SentinelLabs connected the Lazarus and TrickBot groups, showing how the DPRK was extending its reach by collaborating with cybercrime groups and taking over funds to support its government.

Lazarus and its subgroups like BlueNoroff, APT38 and Andariel (Silent Chollima), continue to evolve, demonstrating a growing sophistication in their tactics and techniques. They have expanded their target scope beyond high-profile attacks to include financial institutions, cryptocurrency exchanges, and global infrastructure. BlueNoroff, in particular, has become notorious for conducting large-scale heists to fund the regime’s activities, with attacks on ATMs and banks using the SWIFT messaging system.

In recent years, North Korean APT groups have further diversified, with increasing focus on supply chain attacks, cryptocurrency theft, and the exploitation of zero-day vulnerabilities. The evolution of North Korean APTs highlights their adaptability and the intertwining of cyber operations with broader geopolitical strategies.

Other North Korean subgroups include ScarCruft (aka Inky Squid, APT37, or Group123) and Kimsuky. Some notable case studies of North Korean-based APT groups and campaigns include:

  • ScarCruft & Lazarus Group – SentinelLabs identified a North Korean intrusion into a Russian missile engineering organization, NPO Mashinostroyeniya. This case involved two instances of compromise, including the use of a Windows backdoor dubbed OpenCarrot.
  • Kimsuky’s Reconnaissance Capabilities – Utilizing a new malware component called ReconShark, North Korean APT Kimsuky has targeted organizations across Asia, North America, and Europe.
  • JumpCloud Intrusion – This intrusion into the cloud-based IT management service JumpCloud is linked to North Korean APT activity, showcasing the DPRK’s focus on supply chain targeting.

Iran

Iran-based APT groups have steadily gained prominence in the realm of cyber espionage. Their beginnings date back to the late 2000s, when groups like APT33 (Elfin) and APT34 (OilRig) first emerged onto the scene. These early campaigns were characterized by targeting foreign governments, critical infrastructure, and regional rivals, as in the Shamoon wiper attacks of 2012 conducted against Saudi Aramco and RasGas.

As the years progressed, Iranian APT groups increased in sophistication and breadth. APT34, for instance, diversified its focus to include industrial espionage, particularly targeting sectors like energy and telecommunications. The group’s activities revealed Iran’s intent to bolster its domestic industries and capabilities. MuddyWater (aka TA450) likely began its earliest operations around 2017, initially focusing on espionage attacks against Middle Eastern targets but later expanding to Belarus, Turkey and Ukraine.

In a geopolitical context, tensions spurred Iran-based APT groups to engage in more aggressive and disruptive activities. APT33, in particular, was implicated in destructive attacks against targets in the Middle East and beyond. The emergence of APT35 (Charming Kitten), for instance, signaled a shift towards influence operations and spear phishing campaigns against political dissidents, journalists, and human rights organizations.

Iranian APT groups have showcased their adaptability by incorporating innovative tactics such as domain spoofing, social engineering, and leveraging cloud infrastructure for command and control. This agility has enabled them to effectively navigate the evolving cybersecurity landscape and continue their operations despite international scrutiny.

Today, Iran-based APT groups remain a significant player in the world of cyber espionage, combining state-sponsored activities with disruptive operations built on the tactics described above. Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a significant threat. Recent Iranian state-sponsored activities include destructive malware and ransomware operations.

Some notable recent case studies of Iranian-based APT groups and campaigns include:

  • APT33 – Known for destructive malware and ransomware operations against the aerospace and energy sectors, APT33 reflects how significantly Iran’s cyber capabilities have grown. The group is known for its use of tools like DropShot to conduct campaigns against organizations in Saudi Arabia and the US, in particular.
  • TunnelVision – An Iranian-aligned threat actor operating in the Middle East and the U.S., using timely exploitation of recent vulnerabilities such as Log4j and ProxyShell.
  • MuddyWater – Uses a suite of open-source malware and DNS Tunneling to conduct espionage and other malicious activity. Believed to be sponsored by the Iranian Ministry of Intelligence (MOIS).

Counting the Cost | The Widespread Impact of State-Sponsored Cyber Attacks

Nation-states, driven by political agendas, have harnessed cyber espionage as a powerful tool to gather intelligence, influence events, and undermine rivals. This has led to a heightened sense of vulnerability among nations and catalyzed international tensions. Cyber attacks sponsored by nation states have had a profound impact across various aspects of global security, economy, and geopolitics.

Industry & Sector-Specific Impacts

Over the years, there have been many reported cases of government agencies, energy grids, financial institutions, and healthcare systems falling prey to targeted attacks, jeopardizing both economic stability and public safety. Some examples include:

  • Healthcare – North Korean ransomware campaigns against healthcare organizations during the COVID-19 pandemic underscore the willingness of nation-state actors to target essential services.
  • Telecommunications – Chinese APTs targeting telecom providers in the Middle East and Asia reveal a strategic interest in monitoring communications and gathering intelligence.
  • Defense – The compromise of Russian defense companies by North Korean actors illustrates the global reach and strategic focus of state-sponsored cyber espionage.

Economic Impacts

Cyber espionage’s impact on the global economy has redefined the dynamics of trade, innovation, and security. Businesses lose billions annually when intellectual property is compromised, and the increasing number of supply chain attacks disrupts manufacturing and distribution networks to an alarming degree.

  • Financial Losses – Cyber espionage activities have led to billions of dollars in financial losses.
  • Intellectual Property Theft – China’s cyber espionage campaigns have reportedly stolen intellectual property worth hundreds of billions of dollars annually from U.S. companies.
  • Cryptocurrency Heists – North Korea’s cybercrime activities, including cryptocurrency heists, have reportedly generated funds that support the regime’s military programs.

Security & Geopolitical Impacts

Nation-states exploit digital vulnerabilities to influence elections, gather classified intelligence, and disrupt rival activities. This has blurred the traditional boundary between physical and virtual warfare and reshaped power dynamics in the cyber arena, allowing smaller nations to wield disproportionate influence far beyond their physical borders.

  • Critical Infrastructure Attacks – Nation-state actors have targeted critical infrastructure, such as energy grids and transportation systems. Iran’s attack on Saudi Aramco in 2012 is a prime example.
  • Election Interference – Russian interference in U.S. elections through cyber means including the 2016 U.S. Presidential Election has been well-documented, highlighting the potential for cyber espionage to influence democratic processes.
  • Supply Chain Compromises – The SolarWinds attack, attributed to Russia, affected thousands of organizations, including U.S. government agencies, demonstrating the vulnerability of global supply chains.

Blurring the Lines | Overlaps Between APTs & Cybercrime

The lines between APT and cybercrime have become increasingly vague. This shift has been influenced by a combination of factors, including the increasing sophistication of cybercriminals, evolving motivations, and the lucrative nature of certain cyber activities. While APTs were historically associated with state-sponsored espionage and sophisticated attacks on political or strategic targets, they now exhibit a broader range of activities resembling cybercrime tactics.

Motivations have diversified, with state-backed groups engaging in cybercriminal activities to generate revenue and fund their ongoing operations. Some APT groups have embraced ransomware attacks, sometimes exploiting the profitability of extorting victims for financial gain but also as a technique of misattribution, disguising stealthy nation-state activity behind a front of common cybercrime. In this context, it is worth noting that cyber criminals themselves have learned from the APT playbook, displaying more advanced and targeted techniques akin to APTs, reflecting their growing ability to source advanced tools and breach high-profile targets.

The availability of advanced tooling through leaks such as Shadow Brokers has also played a pivotal role, enabling cybercriminals to harness APT-like tools and tactics. Access to sophisticated malware, zero-day exploits, and advanced social engineering toolkits and services through dark markets has empowered threat actors of all stripes to execute attacks once the exclusive domain of state-sponsored actors.

The blurring of these lines underscores the complex and dynamic nature of the cyber threat landscape. Traditional distinctions between APTs and cybercrime are changing, and this crystallizes the challenge for the cybersecurity community: to adopt a more holistic and adaptive approach to defense.

Conclusion | Guarding Against State-Sponsored Cyber Attacks

State-sponsored cyber attacks have evolved into a critical, global issue due to their potential to disrupt economies, compromise national security, and manipulate geopolitical dynamics. A cyber attack in one corner of the world can quickly reverberate across borders, affecting governments, industries, and individuals worldwide.

In response, various international policies and agreements have been established such as the Paris Call for Trust and Security In Cyberspace. The United Nations (UN) has also discussed norms of responsible state behavior in cyberspace, encouraging cooperation and restraint. Additionally, regional organizations and alliances, such as the European Union (EU) and NATO, have developed cyber defense strategies and mechanisms for organizations to share critical information.

Governments have also intensified their efforts to prevent and mitigate cyber espionage risks. The private sector is investing heavily in cybersecurity measures, including threat intelligence sharing and vulnerability management. Various countries have implemented laws and sanctions to deter cyber espionage, promising to take legal action against state-sponsored cyber activities.

Enterprises facing the rippling effects of cyber espionage must adopt a multi-layered defense approach. Investing in robust cybersecurity measures, such as advanced, autonomous detection and response solutions, encryption, and regular security assessments, is crucial.

Outside of choosing the right tech, collaboration with cybersecurity partners and industry peers to share threat intelligence and best practices helps to enhance the community’s overall resilience. As technology continues to evolve, an adaptive mindset, continuous monitoring, and a commitment to cybersecurity readiness can safeguard enterprises against the far-reaching impacts of cyber espionage.

Enterprises worldwide have turned to SentinelOne’s Singularity™ Platform to proactively resolve modern risks at machine speed. Learn how SentinelOne works to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more. Contact us or book a demo today.

Announcing Threat Detection for Amazon S3 | AI-Powered Data Protection

SentinelOne recently announced the launch of the new Singularity™ Cloud Data Security product line to help customers gain visibility and provide protection for their cloud data, storage, downstream applications, and users from risks associated with unscanned files. Threat Protection for NetApp provides protection for NetApp arrays, and Threat Detection for Amazon S3, which will be highlighted here, provides protection for S3 buckets. Both services provide powerful, low-latency security for cloud storage in a highly efficient and simple user experience.

Why Does Amazon S3 Require Protection?

Amazon S3 is one of the most commonly used AWS services. Due to its flexible, scalable, and available nature, it is possible to store and access nearly any object type from anywhere. With this flexibility come a variety of use cases for the service, but in today’s environments we see Amazon S3 being used more by applications than by humans looking for storage. Buckets used by applications house critical data for the applications themselves, and often sensitive data as well. Uptime and performance are mission critical.

Earlier this year, Amazon S3 turned 17 years old, and AWS shared that it currently holds more than 280 trillion objects and has an average of over 100 million requests per second. As part of the shared responsibility model, AWS ensures that the infrastructure itself is secure, and even ensures data integrity within S3. However, the security of what is in the bucket and its potential spread to downstream applications or workflows is the responsibility of the customer.

Many Amazon S3 users and security teams think of configuration management as the primary security challenge; this used to be a bigger issue, with buckets holding sensitive data accidentally made public. AWS, though, has implemented new measures to encourage proper configuration. To combat this data loss risk, many organizations use a Cloud Security Posture Management (CSPM) solution to scan for potential misconfigurations, which is an important element of a defense-in-depth strategy. However, CSPM alone is not enough to prevent S3 from being an attack surface.

The sheer volume of data stored in S3, most of it unscanned and accessible to downstream applications and workflows (including user endpoints), poses a security risk to organizations in terms of malware, ransomware, remote access trojans (RATs), supply chain attacks, and more. Without additional protection, an organization’s S3 buckets can become an accidental staging area for malware.

Threat Detection for Amazon S3

With Threat Detection for Amazon S3, organizations can decrease risk and increase visibility when it comes to the objects in their buckets. Reducing risk is important and so is meeting compliance requirements including data sovereignty. The solution was designed to meet the business, security, and cloud architecture needs of customers, focusing on the following features:

  • AI-Driven Threat Detection – Powerful, AI-driven threat detection goes beyond traditional signature-based approaches, which are easily evaded, and protects the organization from threats faster.
  • Automation, Flexibility, and Scalability – Scan new files added to buckets automatically. Inventory and protect buckets, including new buckets automatically as they are created, based on configurable policies.
  • High Performance, Low Overhead – Easily deploy into cloud-native architectures using CloudFormation Templates with low ongoing overhead and minimal additional compute costs. Files are scanned quickly, keeping applications running smoothly.
  • Compliance-Ready – Scanning completed in customer cloud; no sensitive data or files leave the organization’s cloud environment.
  • Centralized Management Experience – Delivered in a simple, unified management experience within the SentinelOne console, where customers can also manage the protection of cloud workloads, endpoints, and identity.

Existing solutions in the market have left many customers frustrated due to poor security performance, such as a signature-only approach, and a lack of visibility into the resources and their protection status. Other challenges include sluggish scanning or unnatural deployment patterns that slow applications down or require time-consuming re-architecture.

Easy Deployment & Ongoing Security Without Maintenance

Getting Started

Threat Detection for Amazon S3 is centrally managed in the SentinelOne management console. To get started, onboard an AWS account or organization and create a StackSet that deploys the role (identified by its ARN) that SentinelOne uses to access your cloud environment.

The next step is to select the relevant CloudTrail that will be used by SentinelOne to analyze your cloud environment data and provide an inventory of your S3 buckets. Once done, users will receive multiple CloudFormation templates to be deployed, one for each region that the account’s S3 buckets reside in. Once deployed, the admin can then configure the policy to select which buckets will be protected for malware or fully scanned. Admins can also invoke an ad-hoc scanning of a bucket.

Scanning and Policy Configuration

In a true “set it and forget it” approach, scanning of S3 buckets is triggered by configuring a cloud policy that will automatically scan every file added to the indicated bucket according to a predefined rule. For example, all buckets tagged as production should be automatically scanned and monitored for new files.

Configuring policies or rules is done in the SentinelOne management console. Policies can filter resources based on any AWS metadata, such as tags, regions, “name contains”, OU, org, etc. A variety of policy-based options are available. For example, organizations could choose to apply new-file scanning and quarantining of all suspected malicious files to all “production”-tagged buckets, or to all buckets in a specific region due to compliance requirements. With a tag-based approach, users save time by automating policy application rather than applying policies to each bucket by name.

A policy-based approach makes it easy to apply protection and remediation rules

These options are configured at the policy level. When a suspicious or malicious file is identified in a bucket with a “Quarantine” policy enabled, the service will encrypt the file and move it to a customer-defined quarantine bucket. The file is also removed from the original bucket. If the policy is set not to quarantine, the service will tag the malicious file and create a threat in the SentinelOne management console.

Once the scanning service is done, it reports the findings into the SentinelOne Singularity™ console incidents page. If a file needs to be unquarantined, a user with appropriate privileges can unquarantine with one click, and also add an exclusion to the file for future scans.

Status of all connected Amazon S3 buckets is easy to see in the SentinelOne console
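The policy selection and quarantine behaviour described in this section, as an added in-memory illustration that is not SentinelOne's code: buckets are chosen by tag, region or name filter (first matching rule wins), a malicious verdict is either moved to a customer-defined quarantine bucket or tagged in place, and a restored file can be excluded by hash from future scans. The `Bucket`, `Policy` and `Scanner` names, the verdict marker and the sample buckets are constructed, and the quarantine bucket's encryption is assumed to come from its own server-side encryption setting rather than being modelled.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Bucket:
    name: str
    region: str
    tags: dict = field(default_factory=dict)
    objects: dict = field(default_factory=dict)      # key -> bytes
    object_tags: dict = field(default_factory=dict)  # key -> {tag: value}

@dataclass
class Policy:
    name: str
    tag_equals: dict = field(default_factory=dict)   # every pair must match the bucket's tags
    regions: set = field(default_factory=set)        # empty = any region
    name_contains: str = ""                          # empty = any name
    scan_existing: bool = False                      # new files are always scanned here
    quarantine: bool = False                         # False = tag the object in place
    quarantine_bucket: str = ""                      # customer-defined, needed when quarantine=True

def policy_matches(policy, bucket):
    """Buckets are selected by metadata (tags, region, name), never listed by hand."""
    if any(bucket.tags.get(k) != v for k, v in policy.tag_equals.items()):
        return False
    if policy.regions and bucket.region not in policy.regions:
        return False
    return policy.name_contains in bucket.name

def assign_policies(policies, buckets):
    """First matching policy wins; None means inventoried but not scanned."""
    return {b.name: next((p for p in policies if policy_matches(p, b)), None)
            for b in buckets}

class Scanner:
    def __init__(self, buckets, verdict):
        self.buckets = {b.name: b for b in buckets}   # includes the quarantine bucket
        self.verdict = verdict       # callable(bytes) -> bool; stand-in for the detection engine
        self.exclusions = set()      # sha256 digests an admin excluded from future scans
        self.threats = []            # records that would surface on the incidents page

    def scan_object(self, policy, bucket, key):
        data = bucket.objects[key]
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.exclusions or not self.verdict(data):
            return "clean"
        threat = {"bucket": bucket.name, "key": key, "sha256": digest}
        if policy.quarantine:
            # Move (not copy) the object into the quarantine bucket. Assumption: that
            # bucket enforces server-side encryption, which this model does not reproduce.
            qb = self.buckets[policy.quarantine_bucket]
            qb.objects[f"{bucket.name}/{key}"] = bucket.objects.pop(key)
            bucket.object_tags.pop(key, None)
            threat.update(action="quarantined", quarantine_bucket=qb.name)
        else:
            bucket.object_tags.setdefault(key, {})["verdict"] = "malicious"
            threat.update(action="tagged")
        self.threats.append(threat)
        return threat["action"]

    def scan_existing(self, assignments):
        results = {}
        for name, policy in assignments.items():
            if policy and policy.scan_existing:
                bucket = self.buckets[name]
                for key in list(bucket.objects):   # list(): the dict shrinks on quarantine
                    results[(name, key)] = self.scan_object(policy, bucket, key)
        return results

    def unquarantine(self, threat, exclude=True):
        """One-click restore to the original bucket, optionally excluding the hash."""
        qb = self.buckets[threat["quarantine_bucket"]]
        src = self.buckets[threat["bucket"]]
        src.objects[threat["key"]] = qb.objects.pop(f'{threat["bucket"]}/{threat["key"]}')
        if exclude:
            self.exclusions.add(threat["sha256"])

MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"   # constructed stand-in for a real verdict

def run_demo():
    buckets = [   # constructed inventory
        Bucket("prod-data", "us-east-1", {"env": "production"},
               {"report.pdf": b"quarterly numbers", "invoice.exe": b"MZ" + MARKER}),
        Bucket("eu-archive", "eu-central-1", {"env": "staging"}, {"dump.bin": MARKER}),
        Bucket("dev-scratch", "us-west-2", {"env": "dev"}, {"x.bin": MARKER}),
        Bucket("s1-quarantine", "us-east-1", {"purpose": "quarantine"}),
    ]
    policies = [
        Policy("prod", tag_equals={"env": "production"}, scan_existing=True,
               quarantine=True, quarantine_bucket="s1-quarantine"),
        Policy("eu-compliance", regions={"eu-central-1"}, scan_existing=True),
    ]
    scanner = Scanner(buckets, lambda data: MARKER in data)
    assignments = assign_policies(policies, buckets[:3])   # the quarantine bucket is never scanned
    actions = scanner.scan_existing(assignments)
    # Admin restores the quarantined file with an exclusion; the rescan now reports it clean.
    quarantined = next(t for t in scanner.threats if t["action"] == "quarantined")
    scanner.unquarantine(quarantined, exclude=True)
    rescan = scanner.scan_object(assignments["prod-data"], scanner.buckets["prod-data"], "invoice.exe")
    return {"assignments": assignments, "actions": actions, "rescan": rescan, "scanner": scanner}
```

Calling `run_demo()` walks the whole flow: the production bucket's malicious object is quarantined, the EU bucket's is only tagged, the untagged dev bucket is left alone, and the restored file is skipped on rescan.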

Autoscaling & High Volume Scanning

Whether you are scanning a high volume of files entering your S3 bucket or performing an on-demand scan, this solution has a built-in auto-scaling feature to ensure files are scanned for malware as quickly as possible while minimizing cost.

The actual files never leave the organization’s AWS accounts. This service sends metrics, metadata, and logs from your AWS accounts to Singularity™ Cloud. Once a malicious file is detected, the file name, path, and the relevant user ID that uploaded the file are sent to the Singularity™ Cloud console for display. This ensures all compliance and data sovereignty requirements are met with respect to hosting your data in your environment.

Scanning Existing Files

After deploying the solution and configuring the policy definition, the appropriate policy will be applied to the buckets in the inventory: new file scanning, existing file scanning, both, or no scanning. An ad hoc scan on existing files can easily be initiated on demand from the Singularity console.

Simple, Powerful Security For Simple Storage Service

Configuration scanning is not enough – danger resides in the data itself, being passed downstream. The popularity and flexibility of Amazon S3 leads to a potentially broad attack surface for many organizations that have not begun scanning and securing the data residing in their buckets. Regardless of cloud maturity or S3 use cases, organizations now have a simple and scalable solution to protect their data, their users, and their businesses with Threat Detection for Amazon S3.

Simple deployment, powerful AI-driven threat detection and response with in-line and in-bucket scanning will enable customers to protect their Amazon S3 buckets, critical business applications, and users from malware, ransomware, remote access trojans (RATs) and more.

To learn more about Threat Detection for Amazon S3, read the solutions brief, request a demo, or contact us today.

Understanding XDR | A Guided Approach for Enterprise Leaders

Cyber adversaries operate with a level of finesse and precision that can catch organizations off guard. In seconds, they can lure unsuspecting employees or partners with malicious files, exploit existing vulnerabilities to breach a network, and start moving laterally within a system to elevate their privileges.

The impact of ransomware attacks extends beyond mere disruption; they come with a hefty price tag. According to IBM’s “Cost of a Data Breach Report 2023,” a data breach now costs businesses a staggering $4.45 million on average, a 15% increase over the past 3 years. The substantial challenge for organizations lies in their security infrastructure, which is often an assortment of disparate platforms and multiple isolated solutions. Having a disjointed setup leads to a fragmented view of the organization’s unique risk and threat profiles.

This is where the concept of eXtended Detection and Response (XDR) emerges as a solution. XDR offers a novel approach to mitigating threats by gathering and harmonizing data across endpoints and diverse security solutions. This results in comprehensive visibility and enables automated responses, accelerating how organizations combat cyber threats.

In this post, we outline the essential ways XDR works and explore its transformative potential on the security strategies of modern enterprise businesses. Tailored to address the complex and interconnected nature of today’s threat landscape, XDR presents an opportunity for security leaders to enhance their organization’s security posture.

What Makes XDR Right For Modern Businesses?

Expanding on the foundations of traditional Endpoint Detection and Response (EDR) capabilities, eXtended Detection and Response (XDR) takes a progressive leap by automating and seamlessly integrating insights from an array of supplementary security tools. This fusion, which encompasses network and user analytics solutions, facilitates the correlation of threats across an organization’s entire network. Data is amalgamated and fortified by robust security analytics, serving as the catalyst for triggering automated responses to potential threats. XDR also helps security teams automate root cause analysis, equipping teams with the agility needed to respond promptly and effectively – a key factor in stopping security events from being all-out catastrophes.

Amid the landscape of remote and hybrid work arrangements, which inadvertently expand the attack surface, the role of XDR has become pivotal. Since the COVID-19 pandemic, industries have seen a heightened vulnerability stemming from increased access points and the accelerated adoption of hybrid and cloud environments. Organizations find themselves in the crosshairs of relentless attacks, making it necessary to build robust, end-to-end security defenses.

Beyond strengthening security measures, XDR also plays a pivotal role in alleviating the growing cybersecurity skills shortage. This is achieved through amplified analyst productivity via streamlined automation and a unified workflow. Implementing XDR significantly reduces the manual effort required to track threats across multiple systems, replacing it with an intuitive central console, allowing teams to holistically manage threats across their entire spectrum of solutions.

XDR vs. The Cyber Kill Chain

In the cyber kill chain (aka cyber attack lifecycle), the intrusion and enumeration phases make up the critical juncture where proactive measures are pivotal. During these stages, the threat actors haven’t yet moved deeply into the compromised network or blended in with normal network activities.

However, as the actors advance to the lateral movement phase, the task of detection becomes more challenging. At this point, threat actors often employ evasion tactics, ingraining themselves deeply within the network’s architecture. This phase is often characterized by the use of living-off-the-land techniques, where threat actors harness existing legitimate processes and tools within the environment to solidify their foothold.

Over the years, threat actors have shortened the time between intrusion and lateral movement, a testament to their increasing sophistication and resourcefulness. For cyber defenders, this means that detecting the first signs of compromise during the intrusion and enumeration stages becomes the linchpin of an effective defense strategy.

Reconnaissance & Enumeration

Before initiating the attack, malicious actors choose their target and search for exploitable vulnerabilities within their operations. This includes identifying unpatched vulnerabilities, misconfigurations, exposed administrative accounts, and other potential weaknesses.

What XDR Does:

  • Comprehensive Visibility – XDR aggregates data from various sources, including endpoints, networks, cloud environments, and user behavior. By integrating insights from these diverse security solutions, XDR provides a comprehensive view of the entire IT landscape. This holistic perspective enables security teams to identify anomalous activities and potential reconnaissance attempts across multiple attack vectors.
  • Behavioral Analytics – XDR leverages advanced behavioral analytics and machine learning algorithms to establish baseline patterns of normal behavior for users, applications, and systems. When threat actors attempt reconnaissance by deviating from these established patterns, XDR can quickly detect unusual or unauthorized activities. This ensures that any deviations indicative of reconnaissance activities are promptly flagged for investigation.
  • Real-Time Monitoring – XDR continuously monitors network traffic, user interactions, and system behavior in real time. This proactive monitoring allows security teams to identify and respond to suspicious activities, including reconnaissance attempts, as they occur. Real-time alerts enable immediate action to be taken before threat actors can gather significant intelligence about the target environment.
  • Threat Intelligence Integration – XDR integrates threat intelligence feeds and databases, enabling organizations to stay updated on the latest attack trends, tactics, and techniques. This integration enhances the detection of reconnaissance activities by correlating observed behaviors with known threat actor tactics, ensuring that potential threats are recognized and addressed promptly.
  • Automated Responses – XDR’s automation capabilities empower security teams to respond rapidly to detected threats. In the case of reconnaissance attempts, XDR can automatically trigger predefined response actions, such as isolating compromised endpoints, blocking suspicious IP addresses, or initiating deception techniques to divert attackers away from critical assets.
  • Threat Hunting – XDR supports proactive threat hunting by allowing security analysts to query and investigate historical data. This capability enables the identification of subtle indicators of threat activities that might have been missed during real-time monitoring. Threat hunters can uncover patterns or anomalies that might signify ongoing or past reconnaissance attempts.

Initial Intrusion & Enumeration

Building on insights gathered during the preparation phase, threat actors tailor their intrusion techniques to capitalize on the specific weaknesses they’ve identified in their targets. Once inside the target system, threat actors move swiftly to establish their presence, assess the extent of their current permissions, and determine the level of privileges required for lateral movement. Time becomes a critical factor as actors strive to solidify their position and enhance their access rights.

What XDR Does:

  • Detection of Suspicious Activities – XDR continuously monitors network traffic, endpoint behaviors, user activities, and other data sources in real time. It uses advanced behavioral analytics and machine learning algorithms to establish baseline patterns of normal behavior. Any deviations from these patterns, indicative of suspicious or unauthorized activities associated with the initial intrusion, are promptly identified and flagged for investigation.
  • Real-Time Alerts – Upon detecting anomalous behaviors, XDR generates real-time alerts that notify security teams about potential intrusion attempts. These alerts provide crucial information about the nature of the threat, the affected systems, and the attack vector, enabling rapid response and mitigation.
  • Incident Prioritization – XDR’s threat detection capabilities allow it to prioritize alerts based on the severity and potential impact of the intrusion. This ensures that security teams focus their efforts on addressing the most critical threats first, minimizing the attacker’s window of opportunity.
  • Correlation of Data – XDR integrates data from various sources, such as endpoints, network logs, and cloud environments. By correlating information from multiple domains, XDR provides a comprehensive view of the attack, enabling security teams to understand the attacker’s tactics, techniques, and potential objectives.
  • Automated Response Actions – XDR’s automation capabilities come into play during the initial intrusion phase. Upon detecting a potential intrusion, XDR can automatically initiate predefined response actions. These actions may include isolating compromised endpoints, blocking suspicious IP addresses, or triggering additional security measures to prevent lateral movement.
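The two "What XDR Does" lists above (reconnaissance and initial intrusion) describe the same pipeline from different angles: a behavioral baseline per user, a threat-intelligence lookup, correlation of findings from several telemetry sources into one incident, prioritization by severity, and a predefined response. The following added example shows that pipeline in miniature. It is illustration code written for this post, not SentinelOne or Singularity XDR code, and every host, user, process name, IP address, baseline value, weight and threat-intel entry in it is constructed for the example.

```python
"""Toy XDR-style detection and correlation pipeline over multi-source telemetry.

Added example, not SentinelOne or Singularity XDR code. All hosts, users,
process names, IP addresses, baselines, weights and IOCs are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: distinct internal hosts each user contacted per day last week.
NETWORK_BASELINE = {"alice": [3, 4, 3, 5, 4], "bob": [12, 10, 11, 13, 12]}
# Constructed baseline: processes routinely observed on each endpoint.
PROCESS_BASELINE = {
    "ws-alice": {"outlook.exe", "chrome.exe", "teams.exe"},
    "ws-bob": {"code.exe", "chrome.exe", "ssh.exe", "git.exe"},
}
# Constructed threat-intel feed (a TEST-NET-2 address stands in for a real IOC).
THREAT_INTEL_IPS = {"198.51.100.23"}
# Severity weight per finding type, plus a bonus when several sources agree.
WEIGHTS = {"network_fanout": 40, "novel_process": 20, "ioc_match": 50}
MULTI_SOURCE_BONUS = 20


def _net(ts, host, user, dst_host, dst_ip):
    return {"ts": ts, "source": "network", "host": host, "user": user,
            "dst_host": dst_host, "dst_ip": dst_ip}


# Constructed one-day telemetry from endpoint and network sources.
EVENTS = [
    {"ts": "09:05", "source": "endpoint", "host": "ws-alice", "user": "alice", "process": "outlook.exe"},
    {"ts": "09:08", "source": "endpoint", "host": "ws-alice", "user": "alice", "process": "unknown-tool.exe"},
    # ws-alice suddenly reaches 25 internal hosts, far above alice's baseline
    *[_net(f"09:{10 + i:02d}", "ws-alice", "alice", f"srv-{i:02d}", f"10.0.0.{10 + i}") for i in range(25)],
    _net("10:10", "ws-alice", "alice", "external", "198.51.100.23"),
    # bob's day looks like his baseline
    *[_net(f"09:{10 + i:02d}", "ws-bob", "bob", f"srv-{i:02d}", f"10.0.0.{10 + i}") for i in range(11)],
    {"ts": "09:30", "source": "endpoint", "host": "ws-bob", "user": "bob", "process": "ssh.exe"},
]


def detect_fanout(events, baseline=NETWORK_BASELINE, sigmas=3.0, min_margin=5):
    """Behavioral analytics: flag a (host, user) whose distinct-destination count
    exceeds the user's historical mean by sigmas*stdev and by at least min_margin,
    so a very stable baseline does not turn into a hair-trigger alert."""
    seen = defaultdict(set)
    for e in events:
        if e["source"] == "network":
            seen[(e["host"], e["user"])].add(e["dst_host"])
    findings = []
    for (host, user), dsts in seen.items():
        hist = baseline.get(user)
        if not hist:
            continue  # no baseline yet; a real system would learn one first
        threshold = max(mean(hist) + sigmas * pstdev(hist), mean(hist) + min_margin)
        if len(dsts) > threshold:
            findings.append({"type": "network_fanout", "source": "network", "host": host,
                             "detail": f"{user} reached {len(dsts)} hosts (threshold {threshold:.1f})"})
    return findings


def detect_novel_process(events, baseline=PROCESS_BASELINE):
    """Endpoint telemetry: flag processes never observed on that host before."""
    return [{"type": "novel_process", "source": "endpoint", "host": e["host"], "detail": e["process"]}
            for e in events
            if e["source"] == "endpoint" and e["process"] not in baseline.get(e["host"], set())]


def match_threat_intel(events, iocs=THREAT_INTEL_IPS):
    """Threat-intel integration: flag connections to addresses on the feed."""
    return [{"type": "ioc_match", "source": "network", "host": e["host"], "detail": e["dst_ip"]}
            for e in events if e["source"] == "network" and e["dst_ip"] in iocs]


def correlate(findings):
    """Group findings by host into incidents, score them, and rank by severity;
    agreement between telemetry sources raises the score."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    incidents = []
    for host, fs in by_host.items():
        sources = {f["source"] for f in fs}
        score = sum(WEIGHTS[f["type"]] for f in fs)
        if len(sources) > 1:
            score += MULTI_SOURCE_BONUS
        incidents.append({"host": host, "score": score, "sources": sources, "findings": fs})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def plan_response(incident):
    """Predefined response actions keyed on severity (returned as a plan, not executed)."""
    actions = [f"block_ip:{f['detail']}" for f in incident["findings"] if f["type"] == "ioc_match"]
    if incident["score"] >= 100:
        actions.insert(0, f"isolate_host:{incident['host']}")
    elif incident["score"] >= 50:
        actions.append(f"open_ticket:{incident['host']}")
    else:
        actions.append(f"notify_analyst:{incident['host']}")
    return actions


def run_pipeline(events=EVENTS):
    """Detect across sources, correlate into prioritized incidents, attach response plans."""
    findings = detect_fanout(events) + detect_novel_process(events) + match_threat_intel(events)
    incidents = correlate(findings)
    for inc in incidents:
        inc["plan"] = plan_response(inc)
    return incidents


if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc["host"], inc["score"], sorted(inc["sources"]), inc["plan"])
```

Running it yields a single incident for ws-alice: the fan-out and IOC findings come from network telemetry, the novel-process finding from the endpoint, and because two sources agree the incident scores above the isolation threshold, while bob's heavier but baseline-consistent traffic produces nothing. The thresholds, weights and response tiers are exactly the kind of knobs an XDR deployment tunes, and the `min_margin` guard is there because a user with a near-constant baseline would otherwise alert on a deviation of one or two hosts.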

How Enterprise Businesses Can Get Started With XDR

Implementing XDR for enterprise businesses requires a well-structured approach to ensure its effectiveness. Here are key strategies to consider when adding XDR capabilities to an existing tech stack.

1 – Define Objectives and Use Cases

Start by clearly defining the organization’s cybersecurity objectives and identifying specific use cases where XDR can provide the most value. Determine the critical assets and data that need protection and the potential threat scenarios to be addressed.

Tailor use cases to the organization’s unique risk profile and industry challenges. This strategic foundation ensures that the chosen XDR solution aligns precisely with the organizational priorities and sets the stage for a focused and effective implementation that addresses the most pressing cybersecurity concerns.

2 – Assess Current Security Landscape

Conduct a comprehensive assessment of the current security infrastructure, including existing tools, technologies, and processes. Identify gaps and redundancies, and look for areas where XDR can fill in or enhance existing defense mechanisms.

Evaluate where XDR can integrate with current security solutions to optimize data collection and correlation across endpoints, networks, and cloud environments. This assessment provides a clear understanding of the organization’s strengths and weaknesses, enabling leaders to tailor the XDR implementation to fill critical security gaps that may have been overlooked.

3 – Plan for Deployment

Develop a comprehensive deployment plan that outlines the rollout strategy for XDR across different environments, such as endpoints, networks, and cloud. Consider a phased approach to minimize disruptions and ensure smooth adoption. This means allocating resources for deployment, including personnel, time, and budget. Establish clear communication channels among IT, security teams, and stakeholders to ensure alignment and manage expectations.

4 – Configure, Customize & Perform Ongoing Optimization

Following the deployment of a new XDR solution, it is important to configure and customize the system to optimize its effectiveness. Begin by tailoring alert thresholds, correlation rules, and automated response actions to align with the organization’s unique security policies and priorities.

Leverage the XDR solution’s capabilities to create specific use-case scenarios and regularly review and refine configurations based on real-world insights and evolving threat landscapes. Collaboration between security analysts and IT teams ensures fine-tuning that maximizes threat detection accuracy and minimizes false positives.

Conclusion

Extended Detection and Response (XDR) has emerged as a leading solution in defending organizations against modern cyber attacks. As the cybersecurity landscape continues to shift and threat actors deploy increasingly sophisticated tactics to exploit vulnerabilities and breach defenses, a traditional, siloed approach to security is nowhere near enough. XDR’s comprehensive and integrated approach ushers in a model of security where data from endpoints, networks, and clouds converges to provide a holistic vantage point. This is the key vantage point for detecting the very first indications of a cyber intrusion, before the attack can even begin to escalate.

With threat actors continually evolving their tactics, organizations must remain agile and adaptive. XDR’s ability to integrate with existing security solutions and its scalability ensures that as new threats emerge, the organization can seamlessly incorporate new tools and threat intelligence feeds. By analyzing patterns and trends across diverse data sources, XDR enables organizations to fine-tune their security strategies, anticipate potential vulnerabilities, and strategically allocate resources to maximize protection.

SentinelOne offers Singularity XDR, a leading solution in the security space powered by autonomous response. Learn how Singularity leverages artificial intelligence and machine learning to respond across entire security ecosystems and protect each attack surface. Book a demo or contact us for more information.
