AD Security Assessments and Attack Paths | How to Achieve Greater Visibility

Active Directory (AD) has become a primary target for attackers launching identity-centric attacks. Fortunately, there are several tools available to help enterprise security teams get clearer visibility into their Active Directory instances and address any vulnerabilities they uncover.

One popular tool in use by analysts is Attack Path graphs, which can be used to show the possible paths an attacker can take to escalate from a standard user all the way to a highly privileged account, such as a prized Domain Admin.

While this kind of visualization can be helpful, it is no substitute for an Active Directory assessment tool that not only closes vulnerabilities but encourages best practices. To illustrate the difference, in this post we’ll compare both approaches across two example scenarios that represent common situations found in the enterprise.

Case Study: Basic Privilege Escalation

In the first scenario, we’ll look at a simple Attack Path and compare it to the results of an AD security assessment for the same issue.

In our first example, a compromised standard user, ‘Bob’, is a member of a larger Engineering group, which is nested in a CAD Tools group. Due to poor configuration and a lack of privilege separation, that group is in turn a member of a Service Installers group, which itself is a member of the Domain Admins group.

Clearly, even though Bob is supposed to have only Standard User privileges, this nested set of relationships allows an attacker who compromises Bob’s account to gain Domain Admin rights.

At this point, let’s explore the context an AD security assessment tool can provide in a situation like this, and how administrators might be able to use this information to mitigate this issue and prevent it from happening again.

An AD security assessment tool will provide:

  • A list of all users that have privileged access. This comprises the members of every privileged group, including those who inherit membership through nested groups.
  • A list of the groups nested within each privileged group, to be removed. This is the shortcut the administrator needs to mitigate the issue.
  • The best practice of not nesting groups inside privileged groups. Flat membership removes the indirect routes through which users are granted privileged access unintentionally. This is the guidance the administrator needs to prevent the issue.

The second and third items are the most critical. If we simply removed the Service Installers group from the Domain Admins group (along with any other nested groups), the compromised standard user account would no longer be a Domain Admin. By closing the exposure and following best practice, administrators no longer need to examine graphs to decide where to prune group memberships, which makes the graph essentially irrelevant.
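To make the three findings concrete, here is an added example written for this post (not a SentinelOne tool and not real directory output) that walks a constructed membership map shaped like the scenario above. Group and user names are invented. In production the same transitive answer comes from one LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, shown in a comment, or from Get-ADGroupMember -Recursive in PowerShell; the walk below shows what that query computes and why nested groups are the thing to remove.

```python
from collections import deque

# Constructed membership data mirroring the post's scenario (not real directory
# output): group name -> direct members, which may be users or other groups.
MEMBERSHIP = {
    "Domain Admins": ["Administrator", "Service Installers"],
    "Service Installers": ["CAD Tools", "svc-deploy"],
    "CAD Tools": ["Engineering"],
    "Engineering": ["Bob", "Alice"],
    "Helpdesk": ["Carol"],
}

# In a live assessment the transitive membership comes straight from LDAP with the
# LDAP_MATCHING_RULE_IN_CHAIN filter (the DN below is a placeholder):
#   (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=corp,DC=example))


def transitive_members(group, membership):
    """Return {user: chain} for every user reachable from `group` through nesting.

    `chain` is the shortest membership path, e.g. ['Domain Admins', 'Service
    Installers', 'CAD Tools', 'Engineering', 'Bob']. Breadth-first, with a `seen`
    set so circular nesting (A in B, B in A) cannot loop forever.
    """
    paths = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in membership.get(current, []):
            if member in membership:          # a nested group: keep walking
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:                             # a user (leaf node)
                paths.setdefault(member, chain + [member])
    return paths


def nested_groups(group, membership):
    """Groups placed directly inside `group`: the memberships to remove."""
    return [m for m in membership.get(group, []) if m in membership]


def assess_privileged_group(group, membership):
    """The three findings the post describes, for one privileged group."""
    all_members = transitive_members(group, membership)
    direct_users = sorted(m for m in membership.get(group, []) if m not in membership)
    indirect_users = {u: chain for u, chain in all_members.items() if u not in direct_users}
    return {
        "direct_users": direct_users,
        "indirect_users": indirect_users,        # users who inherit privilege via nesting
        "nested_groups": nested_groups(group, membership),
    }


def unnest(group, membership):
    """Remediation: drop every group nested in `group`, keeping its direct user members."""
    fixed = {g: list(members) for g, members in membership.items()}
    fixed[group] = [m for m in fixed[group] if m not in membership]
    return fixed


if __name__ == "__main__":
    before = assess_privileged_group("Domain Admins", MEMBERSHIP)
    for user, chain in before["indirect_users"].items():
        print(f"{user} reaches Domain Admins via: {' -> '.join(chain)}")
    print("nested groups to remove:", before["nested_groups"])
    after = assess_privileged_group("Domain Admins", unnest("Domain Admins", MEMBERSHIP))
    print("indirect members after remediation:", after["indirect_users"])
```

The chain recorded for each user is the first (shortest) one found; a user reachable by several routes keeps only that one, so the right workflow is to remove the nested groups and re-run rather than trusting a single chain. The `seen` set is what stops circular nesting from looping, a case real directories do contain.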

Case Study: Credentials Cracking

Let’s examine another simple Attack Path.

In the attack path above, a user’s computer (COMPUTER1) has been compromised. From there, the attacker dumps and cracks the password hash of the computer’s local administrator account. The attacker then uses that password to log on to another computer (COMPUTER2), which was (mis)configured for ease of administration with the same local administrator credentials. On COMPUTER2, the attacker finds credential material left behind by a Domain Admin account that had logged on there and cracks (or simply reuses) that hash, successfully elevating their access.

An Active Directory security assessment tool can quickly mitigate this risk by relaying the following information to an analyst:

  • LAPS (Local Administrator Password Solution) was not detected as configured in Active Directory. Had it been deployed, every machine’s local administrator account would have a different, regularly rotated password, so the password cracked on COMPUTER1 would not have worked on COMPUTER2. Making sure every local administrator account has a different, rotating password is a best practice; LAPS meets this need.
  • A Domain Admin account had logged on to a workstation in the past, leaving credential material (a hash) behind that the attacker could use. The best practice recommended here is to log on with Domain Admin accounts only on domain controllers, never on workstations or member servers, and to clear any cached hashes on those systems.

By following the mitigation steps and best practice recommendations of an AD security assessment tool, an administrator can eliminate the potential Attack Path of an attacker and prevent them from exploiting these misconfigurations and vulnerabilities.

Active Directory Risks That Attack Paths Miss

Attack Paths are crafted to show known attacks, whereas closing vulnerabilities eliminates both these and, often, unknown vectors, too. Consequently, it’s more important to eradicate vulnerabilities and follow best practices.

The pictures that Attack Paths paint are an incomplete representation of the actual Active Directory security situation. Graphs showing how the organization could be vulnerable are not as effective as tools that can ensure the AD infrastructure is not exposed nor will be in the future.

Below are some examples of attacks that would not be suitable for elaborate Attack Path graphs, yet it is vital for an AD security assessment to detect each of them.

  • Brute-force password attacks – An assessment should detect accounts whose passwords are commonly known, dictionary words, or otherwise weak enough to be recovered by trying every possible character combination until the password is “guessed”.
  • Unconstrained delegation exposures – When an AD user or computer object is trusted for delegation to any service, the Kerberos tickets (TGTs) of accounts that authenticate to it are retained on that system. If the object is compromised, the attacker can use those tickets to impersonate the authenticated accounts to any service.
  • AdminSDHolder abuse – Adding users or groups to the ACL of the AdminSDHolder object, a template that Active Directory periodically “stamps” onto every protected (privileged) user and group, gives them persistent rights over those accounts.

Singularity™ Ranger® AD scans the Active Directory environment for vulnerabilities such as these and many more, guiding administrators on how to mitigate them and ensuring best practices to prevent them in the future.

Conclusion

While Attack Paths are interesting graphs that can enlighten administrators as to how potential attacks can take place on the network, they are no substitute for a proactive approach that eliminates known vulnerabilities and enforces best practices. Singularity Ranger AD finds vulnerabilities and guides administrators to close them, and keep them closed.

Singularity RANGER | AD Assessor
A cloud-delivered, continuous identity assessment solution designed to uncover vulnerabilities in Active Directory and Azure AD

How Malicious Android Apps Slip Into Disguise

Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

At issue is a mobile malware obfuscation method identified by researchers at ThreatFabric, a security firm based in Amsterdam. Aleksandr Eremin, a senior malware analyst at the company, told KrebsOnSecurity they recently encountered a number of mobile banking trojans abusing a bug present in all Android OS versions that involves corrupting components of an app so that its new evil bits will be ignored as invalid by popular mobile security scanning tools, while the app as a whole gets accepted as valid by Android OS and successfully installed.

“There is malware that is patching the .apk file [the app installation file], so that the platform is still treating it as valid and runs all the malicious actions it’s designed to do, while at the same time a lot of tools designed to unpack and decompile these apps fail to process the code,” Eremin explained.

Eremin said ThreatFabric has seen this malware obfuscation method used a few times in the past, but in April 2023 it started finding many more variants of known mobile malware families leveraging it for stealth. The company has since attributed this increase to a semi-automated malware-as-a-service offering in the cybercrime underground that will obfuscate or “crypt” malicious mobile apps for a fee.

Eremin said Google flagged their initial May 9, 2023 report as “high” severity. More recently, Google awarded them a $5,000 bug bounty, even though it did not technically classify their finding as a security vulnerability.

“This was a unique situation in which the reported issue was not classified as a vulnerability and did not impact the Android Open Source Project (AOSP), but did result in an update to our malware detection mechanisms for apps that might try to abuse this issue,” Google said in a written statement.

Google also acknowledged that some of the tools it makes available to developers — including APK Analyzer — currently fail to parse such malicious applications and treat them as invalid, while still allowing them to be installed on user devices.

“We are investigating possible fixes for developer tools and plan to update our documentation accordingly,” Google’s statement continued.

Image: ThreatFabric.

According to ThreatFabric, there are a few telltale signs that app analyzers can look for that may indicate a malicious app is abusing the weakness to masquerade as benign. For starters, they found that apps modified in this way carry an AndroidManifest.xml entry whose timestamp is newer than the rest of the files in the package.

More critically, the Manifest file itself is altered so that the number of “strings” it declares (the entries in the compiled manifest’s string table) does not match the number of strings actually present in the file.
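The two signs above can be checked directly with a short script. The following is an added example written for this post, not ThreatFabric’s or Google’s tooling: it reads the ZIP entry timestamps and the string pool header of the compiled AndroidManifest.xml (the ResStringPool chunk layout of the Android binary resource format), and builds its own constructed minimal APKs, one clean and one tampered, so it runs offline. The article does not describe the exact modification the malware makes; the tampered sample simply inflates the declared string count, which is one way to produce the mismatch described.

```python
import io
import struct
import zipfile

RES_XML_TYPE = 0x0003          # outer chunk type of a compiled AndroidManifest.xml
RES_STRING_POOL_TYPE = 0x0001  # its first child chunk: the string pool
UTF8_FLAG = 0x100
# type, headerSize, chunkSize, stringCount, styleCount, flags, stringsStart, stylesStart
POOL_HEADER = "<HHIIIIII"


def check_string_pool(axml):
    """Findings about the string pool header of a compiled manifest.

    The header declares stringCount; each string needs a 4-byte entry in the offset
    table that sits between the header and stringsStart (aapt leaves no gap). A count
    that cannot fit there, or that disagrees with the table size, is the inconsistency
    the platform tolerates but decompilers choke on.
    """
    if len(axml) < 8:
        return ["manifest too short"]
    xml_type, xml_hdr, xml_size = struct.unpack_from("<HHI", axml, 0)
    if xml_type != RES_XML_TYPE or len(axml) < xml_hdr + 28:
        return ["AndroidManifest.xml is not a binary XML chunk with a string pool"]
    (pool_type, hdr_size, chunk_size, string_count, style_count,
     _flags, strings_start, _styles_start) = struct.unpack_from(POOL_HEADER, axml, xml_hdr)
    if pool_type != RES_STRING_POOL_TYPE:
        return ["first chunk after the XML header is not a string pool"]
    findings = []
    table_end = hdr_size + 4 * (string_count + style_count)
    if table_end > strings_start or strings_start > chunk_size:
        findings.append(f"declared stringCount={string_count} does not fit: offset table ends at "
                        f"{table_end}, stringsStart={strings_start}, chunkSize={chunk_size}")
    elif (strings_start - hdr_size) // 4 - style_count != string_count:
        findings.append(f"declared stringCount={string_count} disagrees with the offset table size")
    if xml_hdr + chunk_size > xml_size:
        findings.append("string pool chunk overruns the enclosing XML chunk")
    return findings


def check_timestamps(infos):
    """A manifest entry newer than every other file suggests post-build patching."""
    manifest = next((i for i in infos if i.filename == "AndroidManifest.xml"), None)
    others = [i.date_time for i in infos if i is not manifest]
    if manifest is None or not others or manifest.date_time <= max(others):
        return []
    return [f"AndroidManifest.xml timestamp {manifest.date_time} is newer than every other entry ({max(others)})"]


def scan_apk(apk_bytes):
    """Run both heuristics over an APK (a ZIP archive) held in memory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        findings = check_timestamps(z.infolist())
        try:
            findings += check_string_pool(z.read("AndroidManifest.xml"))
        except KeyError:
            findings.append("no AndroidManifest.xml in package")
    return findings


def build_string_pool(strings, declared_count=None):
    """Constructed UTF-8 string pool (test data); declared_count != len(strings) fakes tampering."""
    data, offsets = b"", []
    for s in strings:
        enc = s.encode("utf-8")
        offsets.append(len(data))
        data += bytes([len(s), len(enc)]) + enc + b"\x00"   # UTF-8 entry; lengths < 128 only
    data += b"\x00" * (-len(data) % 4)
    count = len(strings) if declared_count is None else declared_count
    strings_start = 28 + 4 * len(offsets)
    header = struct.pack(POOL_HEADER, RES_STRING_POOL_TYPE, 28, strings_start + len(data),
                         count, 0, UTF8_FLAG, strings_start, 0)
    return header + b"".join(struct.pack("<I", o) for o in offsets) + data


def build_sample_apk(tampered):
    """Constructed minimal APK: clean, or with an inflated stringCount and a re-stamped manifest."""
    pool = build_string_pool(["manifest", "package", "com.example.app"],
                             declared_count=0xFFFFFF if tampered else None)
    manifest = struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(pool)) + pool
    built = (2023, 3, 1, 10, 0, 0)
    patched = (2023, 6, 15, 9, 30, 0) if tampered else built
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content, when in [("classes.dex", b"dex\n035\x00", built),
                                    ("resources.arsc", b"\x02\x00\x0c\x00", built),
                                    ("AndroidManifest.xml", manifest, patched)]:
            z.writestr(zipfile.ZipInfo(name, date_time=when), content)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean   :", scan_apk(build_sample_apk(False)))
    print("tampered:", scan_apk(build_sample_apk(True)))
```

Treat the timestamp check as a weak signal on its own (a legitimate build pipeline can touch the manifest last); the header inconsistency is the stronger indicator, because a well-formed build never emits a string count the offset table cannot hold.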

One of the mobile malware families known to be abusing this obfuscation method has been dubbed Anatsa, which is a sophisticated Android-based banking trojan that typically is disguised as a harmless application for managing files. Last month, ThreatFabric detailed how the crooks behind Anatsa will purchase older, abandoned file managing apps, or create their own and let the apps build up a considerable user base before updating them with malicious components.

ThreatFabric says Anatsa poses as PDF viewers and other file managing applications because these types of apps already have advanced permissions to remove or modify other files on the host device. The company estimates the people behind Anatsa have delivered more than 30,000 installations of their banking trojan via ongoing Google Play Store malware campaigns.

Google has come under fire in recent months for failing to more proactively police its Play Store for malicious apps, or for once-legitimate applications that later go rogue. This May 2023 story from Ars Technica about a formerly benign screen recording app that turned malicious after garnering 50,000 users notes that Google doesn’t comment when malware is discovered on its platform, beyond thanking the outside researchers who found it and saying the company removes malware as soon as it learns of it.

“The company has never explained what causes its own researchers and automated scanning process to miss malicious apps discovered by outsiders,” Ars’ Dan Goodin wrote. “Google has also been reluctant to actively notify Play users once it learns they were infected by apps promoted and made available by its own service.”

The Ars story mentions one potentially positive change by Google of late: A preventive measure available in Android versions 11 and higher that implements “app hibernation,” which puts apps that have been dormant into a hibernation state that removes their previously granted runtime permissions.

Mac Admins | Why Apple’s Silent Approach to Endpoint Security Should be a Wake-Up Call

If there’s one thing that everyone should be able to agree on about Apple, it is that the company really does think different when it comes to the design of its products, and this is nowhere more obvious than in the company’s approach to endpoint security. Users will find no Defender-like security center built into macOS, and admins and IT teams will search in vain for Apple web portals to log into or extra licenses to buy for ‘top tier’ telemetry.

Unlike rival OS vendors, Apple does endpoint security when – and where – admins and users aren’t looking. This approach has served Apple well from a marketing perspective – there’s a widespread if somewhat misplaced belief that macOS is more secure than Windows – but for small to medium-sized enterprises relying entirely on Apple to keep them safe, this lack of visibility is something to be addressed.

In this post, we’ll shed light on three areas of macOS security that are crucial to understand for businesses that do not currently deploy additional endpoint protection on their macOS devices.

Apple’s Approach to Platform Security

Last updated in May 2022, Apple’s most recent public documentation about protecting against malware on macOS states that its malware defenses are structured in three layers:

Service                                          Technologies
Prevent launch or execution of malware           App Store, or Gatekeeper combined with Notarisation
Block malware from running on customer systems   Gatekeeper, Notarisation and XProtect
Remediate malware that has executed              XProtect

None of the technologies responsible in these layers has much in the way of user or admin-controlled granularity: it’s not possible, for example, to allow or exclude specific applications or code across users or devices. On a single device, a user can make extremely broad system policy decisions (such as allow or deny all apps sourced from outside the App Store), but even then – unless the system is administered by an MDM solution – that policy can be overridden by local users, even without administrator rights.

More concerning from an enterprise security perspective is that there is little visibility into what code has been blocked, when and why, nor is it obvious when these scans are being performed or how effective they have been.

This is a particular worry in terms of malware remediation, which happens silently in the background without warning to the user. In an enterprise setting, this is simply not sufficient: security teams need to understand when malware was introduced to the system, how long it was there and where malware came from if they are to adequately defend the enterprise.

1. XProtect Signatures | Missing Out On the Latest Malware

According to Apple,

macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly.

The last update to Apple’s XProtect.bundle, which contains these YARA signatures, was made on June 29th, though the update may not have reached a given device until some days later depending on its location.

Unfortunately, this update did not include any changes to the file signatures that Apple says power XProtect’s blocking abilities. The YARA file bears the same hash as version 2166, updated last February.

If one were to go by the version numbers, there should have been 7 updates to XProtect’s YARA rules in the last 12 months, but in fact only three have actually been observed in our test machines. Moreover, the difference between version 2165 released last November and the version available today is a mere three additional rules for only two malware families: one for Keysteal and two for a cryptominer known to Apple as Honkbox.

Since both SentinelOne and many other vendors have reported on multiple new macOS malware strains in the last few months alone, it should be concerning to users and admins relying entirely on XProtect’s rules that they are so far behind the rest of the industry.
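The comparison above (advertised version number versus what the YARA file actually contains) can be scripted and repeated across a fleet. The following is an added example written for this post, not Apple’s code or a SentinelOne tool. It assumes the default bundle location /Library/Apple/System/Library/CoreServices/XProtect.bundle and the Contents/Resources/XProtect.yara file name, and its demo() builds constructed fixture bundles in a temporary directory rather than reading a live Mac.

```python
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path

# Assumed default location on macOS 10.15 and later; pass another path if yours differs.
XPROTECT_BUNDLE = Path("/Library/Apple/System/Library/CoreServices/XProtect.bundle")

# A YARA rule declaration: optional modifiers, then "rule <identifier>".
RULE_RE = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z0-9_]+)", re.MULTILINE)


def snapshot(bundle=XPROTECT_BUNDLE):
    """Record the bundle's advertised version alongside what its YARA file actually contains."""
    with (bundle / "Contents" / "Info.plist").open("rb") as fh:
        version = plistlib.load(fh).get("CFBundleShortVersionString", "unknown")
    raw = (bundle / "Contents" / "Resources" / "XProtect.yara").read_bytes()
    return {
        "version": str(version),
        "yara_sha256": hashlib.sha256(raw).hexdigest(),
        "rules": sorted(set(RULE_RE.findall(raw.decode("utf-8", "replace")))),
    }


def compare(old, new):
    """Did a version bump actually change the signatures, and which rules came or went?"""
    old_rules, new_rules = set(old["rules"]), set(new["rules"])
    if old["yara_sha256"] != new["yara_sha256"]:
        verdict = "signatures changed"
    elif old["version"] != new["version"]:
        verdict = "version bumped but signatures unchanged"
    else:
        verdict = "no change"
    return {"verdict": verdict,
            "added": sorted(new_rules - old_rules),
            "removed": sorted(old_rules - new_rules)}


def write_fixture_bundle(root, version, yara_text):
    """Constructed fixture shaped like XProtect.bundle (not Apple's data)."""
    (root / "Contents" / "Resources").mkdir(parents=True)
    with (root / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    (root / "Contents" / "Resources" / "XProtect.yara").write_text(yara_text)
    return root


def demo():
    """Two fixtures with different version strings but byte-identical rules."""
    rules = ("rule XProtect_Example_A { condition: false }\n"
             "private rule XProtect_Example_B { condition: false }\n")
    with tempfile.TemporaryDirectory() as tmp:
        old = snapshot(write_fixture_bundle(Path(tmp) / "v2165", "2165", rules))
        new = snapshot(write_fixture_bundle(Path(tmp) / "v2166", "2166", rules))
    return compare(old, new)


if __name__ == "__main__":
    # On a Mac, replace demo() with snapshot(), keep the output per host, and diff over time.
    print(demo())
```

Keeping one snapshot per host after every update is enough to answer, across the fleet, whether an XProtect release carried new rules or only a new version number.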

2. XProtectRemediator | Hiding Infections After-the-Fact

Despite the lack of updates to Apple’s primary malware-blocking tool, the company has been updating its MRT replacement, XProtectRemediator, more regularly. XProtectRemediator runs roughly every six hours, looking for a small collection of known malware families.

While the more frequent updates are an improvement on the old MRT.app, the focus on remediation rather than blocking should concern enterprise security teams. A window of up to six hours is far too long for an infostealer to sit inside the organization when it needs only seconds to do its work. Session cookies are primary targets for threat actors looking to worm their way further into organizations and turn the compromise of a single Mac into a serious breach, as happened recently at CircleCI.

As noted above, there is no user interface on macOS for understanding what malware has been remediated, or when or how it was introduced into the system. However, as of macOS 13 Ventura, system administrators without 3rd party visibility tools can attempt to leverage the eslogger tool that Apple introduced with that release.

Unfortunately, eslogger was not built with enterprise scale in mind. It will require some building of infrastructure and external tools in order to bring results from across a fleet into a central database that could be monitored and mined for data. There are better 3rd party tools built for the job that will require less investment and give greater return.

In either case, unless security teams are proactive, Apple’s XProtectRemediator will silently remove malware that it discovers without alerting the user or the administrator that an infection had ever occurred. Similarly, the tool will neither warn of nor log suspicious or malicious activity that it hasn’t been explicitly programmed to detect.

Relying on silent remediation is a high-risk strategy for both enterprises and Apple. A risk of a false positive in this situation could cause serious harm to users and businesses, so it is likely that Apple has designed the tool extremely conservatively in terms of what it will detect and silently remove.

For enterprises, the inability to receive alerts and the difficulty of inspecting logs means there is little chance of catching infections missed by XProtectRemediator, of tracking down the root cause of those that it removes, or of further investigating the incident and its impact on the organization.

3. XProtectBehaviorService | Hidden Behavioral Detections

A recent addition to Apple’s malware detection technologies which the company has not publicly documented yet goes by the name of XProtectBehaviorService.

At present, the service merely silently logs details of applications that violate certain pre-programmed behavioral rules, currently defined in /usr/libexec/syspolicyd.

These rules, internally referred to as “bastion rules”, log violations in a hidden sqlite database located at /var/protected/xprotect/XPdb. It is commendable that Apple is logging access to data held in enterprise applications like Slack and Teams, as well as various browser and chat apps. The question remains, however, as to what access Apple intends to give users – and more importantly admin, IT and security teams – to this service and the information it gathers as it develops further.

For example, those logs were put to good use recently by incident responders investigating an APT intrusion that infected four macOS Ventura systems and which was neither blocked by XProtect nor removed by XProtectRemediator.

Although that data is now there to be found by incident responders, it falls on those responsible for security to gather it and learn how to use it. It serves as a case in point of how IT teams that continue to rely entirely on Apple for protection must still proactively engage with the macOS devices in their fleet and mine them for the hidden logs and telemetry that Apple stashes away.

Conclusion

Apple’s approach to security is, like many other things it does, different to other OS vendors. That’s neither a good thing nor a bad thing in itself; what matters is that admins are aware of how their OS is dealing with security events. A nice, quiet system doesn’t necessarily mean a safe and secure system.

Knowing what’s happening on the company’s endpoints is the first step to securing them, and there are a lot more security-related events occurring under the hood of macOS than is obvious to the casual observer.

As a vendor, it should come as no surprise that we urge organizations to deploy additional security on their macOS devices: naturally, we believe in what we do and the reasons for doing it. But even those that are not yet ready to heed that message can take away a vital lesson from this discussion: actively engage with the Macs in the fleet, mine them for logs and ensure that the in-house security team knows at least as much as Apple does about what’s happening on the organization’s Macs.

To learn more about how SentinelOne can help protect the Macs in your fleet, contact us or request a free demo.

Illicit Brand Impersonation | A Threat Hunting Approach

Since the start of 2023, brand impersonation has become the center of many questions we receive from everyday network defenders. While at the start of the year we reported on the heavy spike in malicious Google search ads, the activity continues to this day across many platforms, and does not get as much attention as it deserves. Additionally, while tracking more capable and often state-sponsored threat actors, we continually observe brands being impersonated for illicit use, including credential phishing and malware delivery.

Consequently, organizations find themselves grappling with two critical challenges: first, identifying and thwarting illicit brand impersonation aimed at targeting them, and second, effectively safeguarding their networks and users. Security and threat researchers face a similar, albeit magnified, responsibility as they handle these concerns for numerous entities.

Let’s explore some examples of opportunistic and targeted threat actors impersonating trusted brands and how security researchers can make use of new tooling for the purposes of hunting and tracking them moving forward.

New Tools and Monitoring Techniques

VirusTotal has released a new feature called NetIoc, essentially expanding the well known YARA engine to network telemetry and data. VirusTotal is a core resource for researchers, security vendors, network defenders, and even investigative journalists. With the incorporation of this new capability, it becomes imperative for others to familiarize themselves with and harness its full potential. Moreover, it exemplifies an approach that other security tools can and, indeed, should emulate in the context of engineering solutions for network data detection opportunities.

Many opportunities for hunting my favorite threat actors come to mind with this new capability. While APTs consume most of my attention, they are not the most common threat or concern for the majority of network defenders. For that, let’s look at some malicious activity impacting far more organizations.

Mimicking Trusted Pages

In February of this year, we wrote about a campaign targeting cloud service credentials, specifically AWS logins. While the delivery of this is quite rare for the moment, being a direct Google advertisement, attackers continue to innovate through many other ways including phishing emails and non-Google ads to name only two.

Fake AWS Login Page

So how can we detect illicit login pages such as these? First, we have to note that many phishing pages reuse the content from the services they mimic, such as URL icons, body content, and images. If the VirusTotal scanner catches it fast enough, we can track down some commodity activity with this in mind.

import "vt"
rule aws_monitor {
    condition:
        vt.net.domain.new_domain and
        (vt.net.url.favicon.dhash == "4026d4f494f8738c" // AWS Name Icon
        or
        vt.net.url.favicon.dhash == "c8e3b88aaa88cbf8" // AWS Docs Icon
        or
        for any link in vt.net.url.outgoing_links: ( link matches /signin\.aws\.amazon\.com/ )
        or
        vt.net.domain.raw matches /aws/)
}

This rule fires on URLs under a newly seen domain that carry the favicon of the AWS login or docs page, link out to the legitimate AWS sign-in page, or simply contain “aws” in the domain name.

The main fear here is the potential for false positives or negatives, but that can be tuned: keep the vt.net.domain.new_domain condition to weed out hits on established legitimate domains, add VT tags as further conditions, or drop the broader clauses (such as the /aws/ domain match) to make the rule more specific.

In many cases we’ve observed, a reuse of the favicon combined with a new domain can be quite wide and catch lots of interesting activity.

import "vt"
rule aws_monitor_2 {
    condition:
        vt.net.domain.new_domain and
        (vt.net.url.favicon.dhash == "4026d4f494f8738c" //AWS Name Icon
        or
        vt.net.url.favicon.dhash == "c8e3b88aaa88cbf8" //AWS Docs Icon
        )
}

AWS is just one example; threat hunters could instead use this for less common pages of value, such as download sites or internal intranet employee logins.

Reused Characteristics of Infrastructure – Commodity Targeting

One useful way to identify automated and often large-scale phishing campaign infrastructure is through monitoring and alerting on actor specific characteristics of their phishing sites.

Earlier this month Malwarebytes reported on malicious Google ads mimicking USPS with very realistic links, ultimately seeking mass collection of financial details. Looking into one of these domains (super-trackings[.]com), notice the reuse of a Yandex tracker ID, the kind of identifier normally embedded for website analytics; here, however, the ID belongs to the threat actor behind the USPS phishing campaign. The tracker is reused across the campaign’s tracking.php pages rather than on the domain landing page.

Yandex Tracker 93030690

We can look back historically by searching for the tracker directly in VirusTotal. With many URL results, we can extract the following unreported phishing domains tied to the same actor:

uspps-onlynee[.]biz
hetclick[.]biz
uspps-only[.]ink
www.uspps-only[.]ink
super-trackings[.]com
uspps-onlyne[.]ink
usps.tracking-check[.]me
tracking-checks[.]me
goodstracks[.]me
usps-onlines[.]biz
diy-trackng[.]com

Instead of querying VirusTotal manually for this tracker within new URLs, let’s instead monitor proactively to get alerts as soon as they are seen. For that, we can make use of a very simple rule monitoring for that same tracker.

import "vt"
rule usps_phisher_tracker {
    condition:
        for any tracker in vt.net.url.trackers: (
          tracker.id == "93030690")
}

A tracker can easily be changed by an actor, but the one above was used by this attacker from April to July 2023, so such identifiers are carried over into new campaigns more often than one might expect, depending of course on the attacker and the campaign.
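The same pivot can be run locally over page source already captured (a crawler hit, a sandbox artifact, a user-reported link), which matters when a page has not yet been submitted to VirusTotal. The following is an added example written for this post, not VirusTotal code and not from the original article. The tracker snippet patterns are assumptions drawn from the public Yandex Metrica and Google tag loaders, the two sample pages are constructed rather than real captures, and the watchlist holds the one ID from the campaign above.

```python
import re

# Tracker snippets as they appear in page source. Patterns are assumptions based on the
# public Yandex Metrica and Google tag loader snippets; extend for other providers.
TRACKER_PATTERNS = {
    "yandex_metrika": [
        re.compile(r"\bym\(\s*(\d{6,10})\s*,\s*['\"]init['\"]"),   # ym(12345678, "init", {...})
        re.compile(r"mc\.yandex\.ru/watch/(\d{6,10})"),            # <noscript> pixel fallback
    ],
    "google": [
        re.compile(r"\b(UA-\d{4,10}-\d{1,3})\b"),     # Universal Analytics property
        re.compile(r"\b(G-[A-Z0-9]{6,12})\b"),        # GA4 measurement ID
        re.compile(r"\b(GTM-[A-Z0-9]{5,9})\b"),       # Tag Manager container
    ],
}

# Watchlist of actor-owned trackers: the Yandex ID from the USPS campaign above.
WATCHLIST = {("yandex_metrika", "93030690"): "usps_phishing_cluster"}


def extract_trackers(html):
    """All (provider, id) pairs embedded in a page's source."""
    found = set()
    for provider, patterns in TRACKER_PATTERNS.items():
        for pattern in patterns:
            found.update((provider, m.group(1)) for m in pattern.finditer(html))
    return found


def match_watchlist(html, watchlist=WATCHLIST):
    """Which trackers on the page belong to an actor we are tracking."""
    return {tracker: watchlist[tracker] for tracker in extract_trackers(html) if tracker in watchlist}


# Constructed sample pages, not real captures.
SAMPLE_TRACKING_PHP = """
<html><head><title>Track your package</title>
<script type="text/javascript">
(function(m,e,t,r,i,k,a){m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)};
k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)})
(window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym");
ym(93030690, "init", { clickmap:true, trackLinks:true, accurateTrackBounce:true });
</script>
<noscript><div><img src="https://mc.yandex.ru/watch/93030690" style="position:absolute; left:-9999px;" alt="" /></div></noscript>
</head><body><form method="post" action="pay.php">Card number: <input name="cc"></form></body></html>
"""

SAMPLE_BENIGN_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-ABC123XYZ');</script>
</head><body>Welcome</body></html>
"""

if __name__ == "__main__":
    for name, page in [("tracking.php", SAMPLE_TRACKING_PHP), ("benign", SAMPLE_BENIGN_PAGE)]:
        print(name, extract_trackers(page), match_watchlist(page))
```

Both the JavaScript initialiser and the noscript pixel are matched because phishing kits often keep only one of them; every ID a page yields is worth recording, since an ID that is not on the watchlist today is the pivot for tomorrow’s cluster.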

Reused Characteristics of Infrastructure – APTs

Even our more interesting APTs can be tracked in similar reuse of characteristics across their campaigns. Let’s take a look at Kimsuky, one of a number of North Korean attributed threat actors we actively monitor.

In May of this year, we wrote about Kimsuky evolving its reconnaissance capabilities in a new global campaign, which made use of a new malware component we call ReconShark. In some of the malicious URLs, we can see the actor making use of a config.php file, reusing a small script that warns the visitor to enable JavaScript and serves as the input form for the credential-theft functionality.

Kimsuky’s config.php

The new VT templates save us time here, as we can hit a single button to get the rule nearly written for us:

VirusTotal NetIoc Template

Passing in our config.php SHA256 hash, and renaming, we get the following rule:

import "vt"
rule apt_nk_kimsuky_phishing_script {
    condition:
        vt.net.url.new_url and
        vt.net.url.downloaded_file.sha256 == "256fa5009e8e82258876325b7d36f41cc3e74e85627663206b042eec8736ce6a"
}

While beta testing NetIoc with this rule, the file triggered across many unreported Kimsuky controlled URLs, and can also be found going back multiple years. In fact, while testing live detections, MalwareHunterTeam also happened to catch one, highlighting the pivot potential to malicious Kimsuky attributed .hwp documents. This domain was later reported on by the AhnLab team. So not only does the technique work, it can lead to the discovery of interesting new APT brand-impersonating campaigns.

MalwareHunterTeam Kimsuky Linked Tweet

Here is a list of Domains/URLs which contain our Kimsuky .php file. Be warned, some of these are legitimate but compromised domains and go back a few years:

namsouth[.]com
nknews[.]pro/config.php
reasope[.]org/config.php
voesami[.]com/config.php
bit-albania[.]com/config.php
yonsei[.]lol/sss.php
jacobsenfamilyholdings[.]com/config.php
okbus.or[.]kr/config/config.php
renaissancenft[.]io/wp-content/plugins/download-plugin/plugins.php
stmwa[.]de/work/config/data.php
csmss[.]org/admin/uploads/award/award28.php
167.172.113[.]157/
108.179.214[.]134/
174.138.30[.]233/
absolutemedia[.]net.au/
absolutemedia[.]net.au/testing/wp-content/intelmanagertools.exe
absolutemedia[.]net.au/testing/wp-includes/Spectrum
absolutemedia[.]net.au/testing/flash-x32-adobe-add-on.exedl.netprog.net
absolutemedia[.]net.au/testing/flash-x32-Adobe-add-on.exe
eskulap-jarocin[.]pl/
blogtify[.]com/wp-includes/config.php
kevinspie.co[.]kr/data/category/faq/faq.php
hankevin.cafe24[.]com/data/category/faq/faq.php
educacionit[.]com/images-clientes/4O4.php
naturamosana[.]be/css/main.php
wincenty-faber[.]pl/ksiki/ksiki-dla-dzieci
wincenty-faber[.]pl/dla-dzieci
escolarainhadleonor[.]eu/aee/
wincenty-faber[.]pl/dla-dzieci/publikowane-w-ksikach/90
217.219.131[.]139/db.php
chromatogramma[.]ru/book/export/html/3
aprendizajevirtual.une[.]net.co/lang/language.php

This approach, again, may need fine-tuning depending on context, but it offers a good example of one way to do such tracking. There are many other methods available for successfully tracking Kimsuky brand impersonation and other actors including hostname similarities against their normally targeted organizations, or even URL patterns of known toolkits to name a few. Happy Hunting!

Conclusion

The persistent use of brand impersonation by opportunistic and sophisticated threat actors for illicit activities like credential phishing and malware distribution warrants greater awareness and technical capabilities.

By leveraging the latest tooling and staying vigilant, security and threat researchers can play a pivotal role in mitigating these risks for numerous organizations. As we continue to confront these challenges, it is essential to foster collaboration, knowledge sharing, and innovative solutions to stay ahead in the ever-evolving threat landscape.

The Nightmare Of Destructive Malware | From Wiper To SwiftSlicer

In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit their research to showcase their talents and bring their insights to a wider audience.

In today’s guest post, researcher Natacha Bakir (Senthorus/Cefcys) digs into the destructive world of wipers: a special class of malware that has neither espionage nor financial gain in mind, but exists solely to destroy data and disrupt the services provided by an organization to its consumers. From MeteorExpress to AcidRain and HermeticWiper, the current increase in the use of wipers since the start of Russia’s invasion of Ukraine has been unprecedented and is a subject worthy of greater attention.

In February 2022, Ukraine was targeted by a new malware named ‘HermeticWiper’. Amid reports of ransomware incidents increasing by 62% in 2021, and the number of ransomware attacks estimated at 236.1 million in the first half of 2022, this new malware, as sophisticated as it was, had a simple goal: to erase the target’s disks.

While wipers have been known for over 10 years, a significant rise in this destructive kind of malware has been noted since 2022. In this post, I will briefly discuss the history of wiper malware before focusing on the techniques used in some of the most recent attacks.

History of Wipers

2012 was an important year for wipers. On August 15th, Shamoon wiped 30,000 systems within a day; The New York Times estimated that 75% of the victim’s computers had been wiped. At the time, it was one of the most destructive attacks ever seen. A group calling itself “Cutting Sword of Justice” claimed responsibility for the attack, blaming the al-Saud regime for crimes against humanity.

In 2015, an attack on the Ukrainian power grid caused an outage for nearly a quarter of a million people. It was coordinated with a denial-of-service attack on a call center to deny consumers up-to-date information on the blackout.

In 2022, WhisperGate wiper targeted multiple organizations in Ukraine. The wiper was later seen throughout the world.

Source: Trellix

The WhisperGate wiper carried a decoy ransom note to mislead incident response teams. Before wiping, it profiles the victim’s environment, enumerating OS attributes and disks, in order to work out how to gain the privileges it needs to disarm the host and destroy data.

In February 2022, HermeticWiper was dropped on victims via a compressed package. It writes out a legitimately signed EaseUS disk-management driver, installs it as a service so that it is loaded into the kernel, and enumerates the physical drives. The wiper then steers the loaded driver through DeviceIoControl() control codes (dwIoControlCode) to overwrite the master boot record (MBR) and the master file table (MFT) before restarting the system.

In January 2023, ESET researchers uncovered a new wiper attack targeting Ukraine called SwiftSlicer. The wiper uses Active Directory Group Policy and is written in Go. ESET attributed this attack to Sandworm.

Wiper Techniques

A wiper’s primary goal is to destroy data. This can cause disruption and service outages that affect not just the targeted organization but entire populations. Wipers can also be deployed after an initial attack in order to erase evidence. Although a wiper can be disguised as ransomware and demand a ransom, it offers no way to recover the data: the goal is not financial gain but a diversion while data is erased.

Depending on the attacker’s goals (stealth, speed), several wiping techniques are used, including:

  • enumerating the filesystem to find what to destroy
  • overwriting disks with junk data or zero (0x00) bytes
  • corrupting the MBR and MFT so the system can no longer boot or locate files
  • fragmenting disks
  • loading a (typically legitimate, signed) driver to gain kernel-level disk access
  • issuing commands to that driver through the DeviceIoControl() IOCTL interface
HermeticWiper Architecture
Hermetic Wiper disassembly
SwiftSlicer disassembly
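As an added example (not code from the article or from any of the wipers it describes), the following Python correlates two of the behaviours listed above: a third-party driver being loaded into the kernel, followed shortly by a process opening a raw physical-disk device, which is the pattern HermeticWiper’s use of a signed EaseUS driver produces. The event schema is a simplified, assumed one modelled loosely on Sysmon’s driver-loaded and raw-access-read events, and the process, driver and signer names in the sample are constructed.

```python
"""Flag wiper-like behaviour: a non-Microsoft kernel driver is loaded and, shortly
afterwards, a process opens a raw physical disk device.

Added example for this article, not code from any of the wipers discussed.
The event stream below is constructed and simplified; the field names and the
driver/process names are assumptions, not real telemetry or real sample names.
The three event kinds are modelled loosely on Sysmon's service-install,
driver-loaded (Event ID 6) and raw-access-read (Event ID 9) events.
"""
import re
from dataclasses import dataclass

# Raw block devices a wiper opens to overwrite the MBR/MFT or the whole disk.
RAW_DEVICE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$|^\\Device\\Harddisk\d+\\DR\d+$")


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since an arbitrary epoch
    kind: str            # "service_install" | "driver_load" | "raw_disk_access"
    proc: str            # image that triggered the event
    detail: str          # service binary, loaded driver path, or opened device
    signed_by: str = ""  # signer of the loaded driver (driver_load only)


# Constructed sample telemetry (not from a real incident).
SAMPLE = [
    Event(0, "service_install", "dropper.exe", r"C:\Windows\System32\drivers\evdr.sys"),
    Event(5, "driver_load", "System", r"C:\Windows\System32\drivers\evdr.sys",
          signed_by="Third-Party Disk Tool Vendor"),
    Event(20, "raw_disk_access", "dropper.exe", r"\\.\PhysicalDrive0"),
    Event(900, "driver_load", "System", r"C:\Windows\System32\drivers\ntfs.sys",
          signed_by="Microsoft Windows"),
    # Legitimate backup software touching the disk long after any third-party load.
    Event(2000, "raw_disk_access", "backup.exe", r"\\.\PhysicalDrive0"),
]


def is_microsoft_signed(signer: str) -> bool:
    return signer.startswith("Microsoft")


def find_wiper_candidates(events, window=300):
    """Return (process, driver, device) triples where a process opened a raw disk
    device within `window` seconds after a non-Microsoft driver was loaded."""
    recent_drivers = []  # (ts, driver_path) for third-party driver loads
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "driver_load" and not is_microsoft_signed(e.signed_by):
            recent_drivers.append((e.ts, e.detail))
        elif e.kind == "raw_disk_access" and RAW_DEVICE.match(e.detail):
            # Drop driver loads that fall outside the correlation window.
            recent_drivers = [(t, d) for t, d in recent_drivers if e.ts - t <= window]
            for _, driver in recent_drivers:
                alerts.append((e.proc, driver, e.detail))
    return alerts


def service_installers(events):
    """Map driver path -> process that registered it as a service, so an alert can
    be tied back to the dropper even though the load event is attributed to System."""
    return {e.detail: e.proc for e in events if e.kind == "service_install"}


if __name__ == "__main__":
    installers = service_installers(SAMPLE)
    for proc, driver, device in find_wiper_candidates(SAMPLE):
        print(f"ALERT {proc} opened {device} after {driver} was loaded "
              f"(service installed by {installers.get(driver, '?')})")
```

Driver-load events are attributed to the System process rather than to the dropper, which is why the service-install event is kept to tie the driver back to whoever registered it. The 300-second window and the “not Microsoft-signed” test are tuning knobs; signed third-party disk tools will trip this on admin workstations, so treat it as a hunting query rather than a blocking rule.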

Given the simplicity of the goal, Wipers can be written in many different programming languages. Although SwiftSlicer is written in Go, similarities in the malware’s functionality can clearly be seen.

The Ukrainian CERT-UA reports that SwiftSlicer was distributed to network computers through GPO (Group Policy Object), the same method used to deploy most of the malware mentioned in this article.

They also noted that the malware targets the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder, which holds the Active Directory database on a domain controller, showing that SwiftSlicer tries to destroy those files and bring down the entire Windows domain.

SwiftSlicer targets Windows system drivers

Why Write a Wiper in Go?

Go is increasingly used for malware. With Go, developers write code once and compile binaries from the same codebase for multiple platforms, so they can target Unix, Linux, Windows and mobile operating systems.

In addition, Go programs can be difficult to analyze. Older Go toolchains (before Go 1.17 on amd64) did not pass arguments in registers but copied them onto the stack at fixed positions, and Go functions can return multiple values, so decompilers tuned to C calling conventions produce poor output and static analysis is limited. Typically, when reversing Go malware, analysts fall back on dynamic analysis: isolating interesting functions by name (Go binaries usually keep function names in their pclntab even when stripped) and breaking on interesting calls in a debugger to inspect the program’s state.


Conclusion

Wiper malware is not new, and Russia’s use of it against Ukraine dates back at least to interference in the 2014 Ukrainian presidential election. However, the extent of the use of wipers by Russian APT groups, especially Sandworm, against Ukrainian targets is something not seen before this conflict.

Whether used for sabotage or cyberwarfare, wipers cross the boundary of the virtual to the real, with the potential to wreak devastating effects on those far beyond the organization targeted.

The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good | SEC Says Cyber Incidents Must Be Disclosed Within 4 Days

The Securities and Exchange Commission has announced that it is adopting new rules requiring publicly traded companies to disclose material cyberattacks within four business days of determining that an incident is material.

In a press release on Wednesday, the SEC said the new rules require “registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.”

It is hoped prompt reporting will increase transparency for investors and potentially accelerate improvements in cyber defenses as details of breaches become more widely shared.

The SEC announced new rules requiring cyber incidents to be disclosed within 4 days

The new incident response rules require that publicly-traded companies reveal:

  • The date of discovery and status of the incident (ongoing or resolved)
  • A concise description of the incident’s nature and extent
  • Any data that may have been compromised, altered, accessed, or used without authorization
  • The impact of the incident on the company’s operations
  • Information about ongoing or completed remediation efforts by the company

Companies are not required to reveal specifics about their incident response plans or vulnerabilities such as zero days or n-days that could influence their response or remediation actions. The rules also allow for postponement of disclosure if it would pose “a significant risk to national security or public safety”. That determination is at the discretion of the US Attorney General.

Other caveats include allowing smaller companies an additional 180 days before they are required to provide Form 8-K disclosures. The rules, first proposed last year, are set to come into force in December.

The Bad | Millions of Cloud Container Workloads Vulnerable to New Ubuntu Bugs

Researchers this week disclosed two kernel-level vulnerabilities that they say impact up to 40% of Ubuntu cloud workloads. The bugs, dubbed ‘GameOver(lay)’, are said to be easy to exploit and allow local privilege escalation.

The two flaws, CVE-2023-2640 and CVE-2023-32629, relate to OverlayFS, a union filesystem widely used with Docker and other container runtimes. OverlayFS lays one filesystem (the upper layer) on top of another (the lower layer): writes go to the upper layer while the base image stays intact, which is exactly what cloud workloads want when an application needs an isolated layer that will not affect or modify the host system.

Researchers at Wiz found that Ubuntu’s own modifications to OverlayFS make it possible to ‘trick’ the kernel into copying a file carrying privileged extended attributes, such as file capabilities, from one layer to another without stripping them, so an unprivileged local user ends up with an executable that runs with elevated privileges.

Wiz discovers Ubuntu GameOverlay bug

Worse, the researchers say that exploits written in 2020 for a similar vulnerability will now work on any Ubuntu instance vulnerable to the two newly discovered flaws, providing local attackers with ready-made weapons.

Versions susceptible to the bugs range from Ubuntu 18.04 to 23.04. The researchers say that the number of releases available for Ubuntu make it challenging to determine all impacted versions, but a work-in-progress list is available here.

Ubuntu issued patches for the vulnerabilities on July 24th, and admins are urged to update as soon as possible.

The Ugly | Federal Agencies Urged to Patch Actively Exploited Zero Day

CISA this week told federal agencies to patch, by August 15th, a maximum-severity authentication bypass vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) software, previously branded MobileIron Core. The warning follows the bug’s use to compromise twelve Norwegian government ministries.

EPMM is used by organizations to allow access to enterprise email and other applications on mobile devices. The zero-day vulnerability, patched this week and tagged as CVE-2023-35078, allows remote attackers to obtain Personally Identifiable Information (PII), add admin accounts, and make configuration changes through certain exposed API paths, which can be reached remotely without authentication.

It has been reported that there may be almost 3000 vulnerable instances of the software exposed on the public internet, with dozens belonging to U.S. local and state agencies. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, noting that it poses a significant risk to the federal enterprise as malicious cyber actors are known to be exploiting the bug in the wild.

CISA’s warning to federal agencies should also be heeded by enterprise users of the EPMM/MobileIron Core software. Ivanti has released security patches and warned that all supported, unsupported and end-of-life releases are impacted. Users who cannot upgrade are urged to discontinue use of the product. A security advisory with further details is available to Ivanti customers.

Understanding the Evolution of Modern Business Email Compromise Attacks

Business email compromise (BEC) exploits the main common denominator found across every technology, tool, and process – the humans that interact with it. Taking advantage of human decision making habits and emotions, BEC has remained one of the most lucrative attack methods seen in today’s cyber threat landscape.

This May, the FBI issued a public warning against BEC schemes, which they described as being one of the most financially damaging online crimes, capitalizing on the fact that email communication remains a steadfast tool for modern businesses. In fact, recent reports show that the market for BEC is expected to grow from a value of $1.1 billion in 2022 to an estimated $2.8 billion by 2027.

Like with all methods of cyberattack, threat actors continue to develop the tools of their trade and iterate on their processes to become more cost effective, efficient, and profitable. BEC attacks have also evolved in the last few years to exploit new vulnerabilities and bypass traditional security measures. In this post, learn how these email-based attacks have evolved over the past two decades to adapt to changing security solutions, the latest tactics and techniques threat actors are using in current BEC scams, and ways to protect against them in the long run.

Emails From Nigerian Princes to High-Profile Attacks | How Business Email Compromise Has Evolved

In the early 2000s, the world saw some of the earliest phases of BEC scams take form. While the term “BEC” might not have been coined then, the fundamental elements in these attacks were already in motion. Early examples of social engineering tactics used in emails include:

  • The Nigerian Prince Scam – One of the earliest and most notorious forms of BEC attacks is the “Nigerian Prince” or “419 scam”. It began as early as the 1980s through postal mail but transitioned to email in the early 2000s. Scammers claimed to be Nigerian princes or government officials seeking assistance to transfer a large sum of money out of their country. They promised to share the fortune with the recipient in return for a small fee to cover legal or administrative costs. This classic scam capitalized on people’s greed and willingness to believe in unlikely windfalls.
  • Lottery and Inheritance Scams – Similar to the Nigerian Prince scam, these earlier forms of BEC attacks involved emails informing recipients that they had won a lottery or inherited a large sum of money from a distant relative. To claim the prize or inheritance, victims were asked to provide personal information or pay a fee upfront, leading to identity theft and financial loss.
  • Overpayment Scams – In these attacks, scammers posed as potential customers or clients and contacted businesses regarding purchasing their products or services. They would then send a check or make a payment for an amount higher than the agreed-upon price and request the excess to be refunded. The initial payment would later bounce or be canceled, leaving the business out of pocket.
  • Executive Impersonation – Early instances of executive impersonation involved scammers pretending to be high-ranking executives or business partners within an organization. They would instruct employees to perform certain tasks, such as transferring funds or sharing sensitive information, under the guise of confidentiality or urgency.

Early BEC scams were relatively simple and did not require sophisticated techniques to launch successfully. Seeing how profitable they were and how easily they could be tailored to higher-profile targets, scammers soon expanded BEC to every industry vertical. According to the IC3, BEC fraud now costs global businesses just over $50 billion, with scams reported in all 50 U.S. states and in 177 countries. The IC3 also classifies BEC as one of the leading categories of cybercrime by financial losses.

Macro socio-economic trends have also fostered an environment where modern BEC scams thrive. Since the COVID-19 pandemic, more workplaces and individuals conduct their business virtually, creating additional avenues of attack for BEC scammers. Rising use of cryptocurrency now also plays a role in BEC, specifically in investment scams.

Right now, experts say that the number of emails sent per day is projected to increase to over 370 billion by 2025. Whether used for personal and business communication or to support massive e-commerce and e-marketing industries, emails are clear targets in modern malware campaigns, advanced persistent threats (APTs), phishing attacks, identity theft, and more.

Current Top Trends In Business Email Compromise Attacks

Today’s world is saturated by connection with billions of internet-connected devices linking everyone and everything together at all hours of the day. Considering global collaboration, smart mobile devices, and the accessibility provided by cloud technologies, emails are still the one, simple way to reach many at once making BEC attacks as relevant as ever.

As technology has advanced, BEC scammers have also furthered their craft. Many BEC scams are now much more sophisticated, involving multi-stage attacks and misuse of artificial intelligence (AI) and machine learning (ML) along with targeting more attractive groups such as vendors, big banks, and government entities. This section explores some of the top trends found in recent BEC attacks that enterprises need to stay alert for.

Multi-Stage AiTM & BEC Attacks

Security professionals are seeing multi-stage, adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attacks against financial institutions and large banks. In these types of campaigns, threat actors seek to exploit trusted relationships between partnered organizations to bypass multi-factor authentication (MFA) measures.

Attacks like these feature a complex combination of both AiTM and BEC tactics to abuse the relationship between vendors, suppliers, and enterprise partners in order to commit financial fraud. After using AiTM phishing to bypass MFA mechanisms, threat actors connect to and take over their victim’s account, resetting authentication methods to devices under their control and creating new email rules to send out malicious emails to the next layer of victims in the attack chain.

The Use of Black Hat AI Tools In BEC Attacks

After a dramatic entrance in late 2022, ChatGPT and other generative AI tools are now being misused by cyber criminals to create improved spoof content for malicious emails and sites. Most recently, a black hat generative AI tool called WormGPT has caught the attention of cyber attackers who are using it to make their fake emails sound more convincing, personalized to the intended victim, and error-free; all to reduce the likelihood of being flagged as suspicious.

Though companies like OpenAI have strict terms against the use of their software for illegal actions, researchers and hackers are now jailbreaking the language models to get around safety rules. WormGPT, by contrast, was designed specifically for malicious activity and was first seen circulating in darknet forums. Such spin-off AI tools make BEC attacks more accessible by lowering the entry threshold for a wider spectrum of cybercriminals.

“Second Hop” Crypto-Based BEC Attacks

There are two variations of BEC scams involving cryptocurrency: direct transfers to a cryptocurrency exchange (CE), which resemble the traditional BEC model, and ‘second hop’ transfers. In the latter, victims are hit with social engineering tactics to give up personally identifiable information (PII). Threat actors then use the stolen information to open new cryptocurrency wallets in the victim’s name and proceed to reroute the money and cash out. In both variations, victims are unaware that the funds being sent are converted to cryptocurrency.

Avoiding “Impossible Travel” Flags With Local IP Addresses

To increase the chances of a successful email-based intrusion, threat actors are attempting to bypass “impossible travel” flags by purchasing IP addresses that correspond to the locations of their victims. Impossible travel flags are security mechanisms that detect and alert when a user’s account is accessed from two different geographical locations within a short period, which is seen as a key indicator of unauthorized access. Using this tactic, threat actors are able to avoid detection and more easily create backdoors in the compromised system.
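The two detections discussed above (the post-authentication takeover sequence of an MFA method change plus new inbox rules, and the impossible-travel check that purchased local IPs are meant to defeat) can be expressed over identity audit logs. The Python below is an added example, not code from the article or from any vendor product; its event schema, ASN labels, coordinates and all sample sign-ins are constructed assumptions. It generalizes slightly beyond the text by combining a per-user network baseline with the follow-on actions, so that a sign-in from a geographically plausible but never-before-seen network is still scored.

```python
"""Account-takeover detection over constructed identity and mailbox audit events.

Added example, not from the article or any vendor product. Two checks:
  1. impossible travel between consecutive sign-ins (geography/speed), and
  2. the post-authentication pattern: sign-in from a network the user has never
     used, then an MFA method change or a suspicious inbox rule within a window.
The event schema, ASN labels, coordinates and all sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt


@dataclass
class Event:
    ts: int                 # seconds
    user: str
    kind: str               # "signin" | "mfa_method_changed" | "inbox_rule_created"
    ip: str = ""
    asn: str = ""           # owner of the source network (sign-ins only)
    lat: float = 0.0
    lon: float = 0.0
    rule: dict = field(default_factory=dict)   # inbox rule properties


# Rule actions attackers typically use to hide their correspondence.
SUSPICIOUS_RULE_ACTIONS = {"forward_external", "delete", "move_to_rss_feeds"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(a, b, max_kmh=900.0):
    """True if the speed implied between sign-ins a and b exceeds max_kmh."""
    km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = (b.ts - a.ts) / 3600
    if hours <= 0:
        return km > 50          # same instant from two distant places
    return km / hours > max_kmh


def detect(events, known_asns, window=3600):
    """Return sorted (user, alert_type, source_ip) tuples.

    known_asns: user -> set of ASN labels seen in that user's baseline.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        signins = [e for e in evs if e.kind == "signin"]
        # Check 1: geography alone. A purchased local IP passes this check.
        for a, b in zip(signins, signins[1:]):
            if impossible_travel(a, b):
                alerts.add((user, "impossible_travel", b.ip))
        # Check 2: unfamiliar network followed by takeover actions.
        for s in signins:
            if s.asn in known_asns.get(user, set()):
                continue
            for f in evs:
                if not (s.ts < f.ts <= s.ts + window):
                    continue
                if f.kind == "mfa_method_changed" or (
                    f.kind == "inbox_rule_created"
                    and f.rule.get("action") in SUSPICIOUS_RULE_ACTIONS
                ):
                    alerts.add((user, "post_auth_takeover", s.ip))
    return sorted(alerts)


# Constructed baselines and events (not real users, IPs or networks).
KNOWN_ASNS = {
    "alice": {"AS64500 CorpNet"},
    "bob": {"AS64501 HomeISP"},
    "carol": {"AS64500 CorpNet"},
}

SAMPLE = [
    # alice: New York, then 30 minutes later Berlin via a hosting provider,
    # followed by an MFA reset and a rule that deletes invoice mail.
    Event(0, "alice", "signin", ip="203.0.113.5", asn="AS64500 CorpNet", lat=40.71, lon=-74.01),
    Event(1800, "alice", "signin", ip="198.51.100.9", asn="AS64502 HostingCo", lat=52.52, lon=13.41),
    Event(1900, "alice", "mfa_method_changed"),
    Event(2000, "alice", "inbox_rule_created", rule={"action": "delete", "match": "subject:invoice"}),
    # bob: the attacker bought an IP in bob's own city, so the geo check sees
    # nothing unusual, but the network owner is new and an external forward follows.
    Event(0, "bob", "signin", ip="192.0.2.10", asn="AS64501 HomeISP", lat=40.71, lon=-74.01),
    Event(18000, "bob", "signin", ip="192.0.2.77", asn="AS64503 ResidentialProxyCo", lat=40.75, lon=-73.99),
    Event(18600, "bob", "inbox_rule_created", rule={"action": "forward_external", "to": "attacker@example.net"}),
    # carol: an ordinary trip between two offices and a benign folder rule.
    Event(0, "carol", "signin", ip="203.0.113.6", asn="AS64500 CorpNet", lat=40.71, lon=-74.01),
    Event(28800, "carol", "signin", ip="203.0.113.7", asn="AS64500 CorpNet", lat=42.36, lon=-71.06),
    Event(29000, "carol", "inbox_rule_created", rule={"action": "move_to_folder", "folder": "Newsletters"}),
]

if __name__ == "__main__":
    for user, alert, ip in detect(SAMPLE, KNOWN_ASNS):
        print(f"{user}: {alert} from {ip}")
```

The bob case is the one the article warns about: the attacker’s bought IP is a few kilometres from the victim, so the speed check passes, but the network owner is new and an external-forward rule follows within the hour. Residential proxy IPs can sit on the same ISP network as the victim, so in practice pair this with device or token signals rather than relying on the ASN alone.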

Timing BEC Campaigns With Summer Vacations

New research has shed light on the quick rise of BEC attacks across Europe, illustrating that European organizations were seeing a greater volume and frequency of such attacks compared to their U.S. counterparts. Between June 2022 and May 2023, researchers found that European organizations were attacked an average of 10 times per 1000 mailboxes, and especially in the month of August, when most Europeans tend to schedule their annual holiday.

Exploiting this cultural difference in vacation preferences, threat actors were found to be focusing their efforts on European businesses that would be operating with less-than-usual staff. Given the high concentration of employees being away on vacation, attackers could increase their chances of success by taking advantage of people being away from their computers as well as those who were likely more distracted during the ‘slower’ month.

BEC Is Extending Past Traditional Platforms

The FBI has warned that BEC scammers are expanding their tactics beyond conventional platforms by taking advantage of the shift to remote work during and after the pandemic. Traditionally, social engineering relied on phone and email exchanges, but now virtual meeting platforms have become new ground for attack.

First, the attacker gains access to a senior leader’s email account, typically a C-suite executive or board member, and uses it to arrange virtual meetings with employees. During the meeting, the scammer displays a static image of the leader or uses deepfake audio while claiming technical difficulties. Finally, the scammer instructs employees to transfer funds to fraudulent bank accounts.

How XDR Tackles The Challenge of Email Security Risks

Businesses often deploy individualized security solutions for their email defenses, causing visibility gaps and incomplete risk understanding. In such cases, manual intervention to address suspicious emails becomes not just time-consuming but also advantageous for cybercriminals.

That’s where Extended Detection and Response (XDR) comes in. Unlike isolated solutions, XDR, when coupled with email security, offers comprehensive threat detection and response. It doesn’t merely focus on endpoint activity but delves into the context of malware delivery.

XDR solutions, like vigilant cyber detectives, spot suspicious activities across attack surfaces and provide detailed incident reports. Integration with email security enables better understanding of attack vectors and potential threat actors, and allows for faster, automated responses to compromised user accounts.

SentinelOne has invested in fulfilling the potential of XDR through comprehensive platforms like Singularity. The fusion of XDR into cybersecurity strategies is becoming the new norm for tackling evolving digital threats.

Conclusion

The steady rise of BEC attacks in recent years highlights the evolving sophistication of cybercriminals and the need for businesses to stay vigilant in safeguarding their assets and sensitive information. As these attacks continue to surge, it’s essential for organizations to understand the evolving tactics used by threat actors as well as the potential vulnerabilities within their email platforms.

Given the ever-changing threat landscape, businesses are looking farther ahead than just implementing defensive measures like multi-factor authentication, email authentication protocols, secure email gateways, and strong password policies. This is where XDR capabilities emerge as a critical part of a stronger cyber strategy.

As businesses navigate evolving threat tactics and techniques, a multi-dimensional security strategy that combines robust preventive measures with XDR capabilities becomes vital. To learn more about how Singularity XDR is able to provide businesses with an effective strategy against increasingly sophisticated BEC risks, book a demo or contact us today.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response. Discover the power of autonomous with Singularity XDR.

Announcing AI-Powered Threat Detection for NetApp

SentinelOne is pleased to announce general availability (GA) of Threat Detection for NetApp. Part of the new Singularity™ Cloud Data Security product line, this novel security solution applies SentinelOne’s proprietary AI models to scan files and detect malware stored on NetApp arrays, stopping its spread before it begins. Supported as part of the NetApp Partner Connect Program, Threat Detection for NetApp delivers high-performance inline file scans complete in milliseconds for an optimal, low latency user experience.

This blog post explores the key benefits of this solution and how it improves risk management, reduces recovery costs, and helps businesses meet compliance requirements. It also covers initial steps for setting up Threat Detection for NetApp.

NetApp for AI-powered threat detection

Disrupting the Storage Security Market

Considering the volume of vital data hosted in networked storage and the number of users with access from endpoints running various operating systems (OSs) and from every corner of an enterprise, a single malicious file can quickly spread across an organization. Absent a security solution, users could unwittingly access and spread the malware such that it resurfaces repeatedly.

With Threat Detection for NetApp, businesses can avoid these unnecessary recovery costs. In addition, compliance regulations typically require that an organization use a security solution to protect its storage. The solution is designed to address customers’ most underserved pain points and focuses on the following key features:

  • Uncompromising security. Reliance on signatures renders organizations vulnerable. Therefore, our solution must deliver the best protection available against novel and unknown malware.
  • High speed performance. Low latency is key to a good user experience. To this point, NetApp invests heavily in performance optimization for a streamlined customer experience.
  • Easy management. Administration must be simple. Deployment and configuration must be done once. Existing SentinelOne customers expressed strong interest in a “familiar feel” to the existing management console.

Threat Detection for NetApp: AI-Powered Cloud Data Security

NetApp uses a dedicated OS for their filers, ONTAP, so traditional endpoint agents are incompatible. This is why storage vendors provide a dedicated protocol for security solutions. Conformance to this protocol increases barriers to market entry, and so legacy solutions have dominated an underserved market for years. Innovation waned, even as threat actors evolved.

Legacy solutions to filer security are insufficient for many reasons:

  1. They rely upon AV signatures which are easily evaded.
  2. Frequent signature updates are an administrative nightmare.
  3. Poor scanning performance negatively impacts user experience when accessing the filer.
  4. Legacy solutions often require a separate security management console, further increasing administrative overhead.
  5. They often lack features to facilitate management, ease of use, and visibility.

Setup & Configuration

Threat Detection for NetApp communicates directly with the SentinelOne management console. Unlike alternative endpoint security solutions, SentinelOne allows customers to manage storage security alongside the rest of their user endpoints and cloud workloads and achieve a seamless, intuitive security management experience without the administrative overhead of additional console components. No learning curve is required.

Initial setup of Threat Detection for NetApp assumes familiarity with NetApp network management concepts such as Vscan, logical interface (LIF), and storage virtual machine (SVM). For more details, consult the NetApp ONTAP documentation and work closely with a NetApp system administrator.

To get started, an administrator downloads the latest Threat Detection for NetApp installer package and runs it on the Windows Vscan server that has the NetApp ONTAP Connector installed. When prompted by the installer, enter the Site or Group Token. The account running the installer must have local administrator privileges.

High Performance, Streamlined Administration

Along with the other solutions within the Singularity Platform, Threat Detection for NetApp combines high performance with intuitive administration. From threats and mitigation actions, to exclusions, blocklists, agent management and more, Singularity users can expect the same trusted capabilities that now support NetApp storage arrays too. To help save time, Threat Detection for NetApp respects existing user block lists or exclusions that are already configured, removing the burden of rebuilding them again.

In addition to existing management features, the solution also provides threat metadata for deeper insight and analysis. For example, the metadata identifies the exact endpoint that copied the malicious file to your storage. It doesn’t matter whether that endpoint is unprotected or outside your organization; if the file found its way onto NetApp storage, SentinelOne will point to its source.

Customers can also configure policies to automate how Threat Detection for NetApp responds to threats by setting the agent policy to Detect Mode or Protect Mode. In the following example, the agent is in Protect Mode and responds to both Suspicious and Malicious threats as categorized by its onboard AI models: upon detecting a threat, it automatically quarantines the file. Customers remain in complete control of their security policy choices, configuring the automation level that works best for their specific use cases.

Two Protection Mode Policies: Detect and Protect

The GIF below shows the agent in action. A user copies three executable files, named benign.exe, malicious.exe and malicious2.exe for illustration, from a Windows Explorer pane on the left and drops them simultaneously onto a protected NetApp volume in the pane on the right. After refreshing the right-hand pane, the only remaining file is benign.exe; both malicious files were quarantined in real time, with no human intervention needed to detect them or stop their spread.

The following image shows what the threat detection and response would look like in the SentinelOne console for the file malicious2.exe. The agent’s AI assigns a confidence level of ‘Malicious’ and automatically encrypts and moves the file to a predefined quarantine folder.

Threat Detection & Mitigation Event in the SentinelOne Console

Should security personnel wish to conduct further analysis, downloading the malicious file is straightforward from within the management console as shown.

1-Click File Fetch

Analysts can just as easily unquarantine files with a single click in the console via Actions > Unquarantine. This will return the file to its original location and remove its associated quarantine restrictions. Should the analyst choose, they can just as easily add an Exclusion to prevent scanning of this file in the future via Actions > Add To Exclusions.

1-Click Quarantine
1-Click Exclusion

Uncompromising Cloud Data Security Performance

As storage vendors invest millions of dollars to save every possible millisecond, Threat Detection for NetApp was built with special attention to performance. Rigorous third-party testing benchmarks and validates this, ensuring that the solution can complete a file scan operation within milliseconds to achieve an optimal, low-latency user experience that does not compromise on security. Since file scanning is inline, a file will not be released to the user until the file scan has completed. Even customers that have an extremely busy filer can set up a scanner pool with multiple scanners and maintain high performance levels.

Conclusion

With the launch of the Cloud Data Security product line, SentinelOne customers can now seamlessly manage cloud data security alongside user endpoints, cloud workloads, and identity. With Threat Detection for NetApp, malware can no longer hide on file storage.

Unlike lesser alternatives, Threat Detection for NetApp goes beyond easily evaded signature-based AV and uses AI to examine files and protect organizations from advanced threats. With a single management console, machine-speed performance and autonomous mitigation, SentinelOne continues to deliver adaptive cybersecurity across hybrid cloud footprints.

To learn more about Threat Detection for NetApp, the SentinelOne Singularity Platform, or to request a demo, contact us today.

Who and What is Behind the Malware Proxy Service SocksEscort?

Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into a botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.

Image: Lumen’s Black Lotus Labs.

In a report released July 12, researchers at Lumen’s Black Lotus Labs called the AVrecon botnet “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history,” and a crime machine that has largely evaded public attention since first being spotted in mid-2021.

“The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying and ad fraud,” the Lumen researchers wrote.

Malware-based anonymity networks are a major source of unwanted and malicious web traffic directed at online retailers, Internet service providers (ISPs), social networks, email providers and financial institutions. And a great many of these “proxy” networks are marketed primarily to cybercriminals seeking to anonymize their traffic by routing it through an infected PC, router or mobile device.

Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source. Proxy services also let users appear to be getting online from nearly anywhere in the world, which is useful if you’re a cybercriminal who is trying to impersonate someone from a specific place.

Spur.us, a startup that tracks proxy services, told KrebsOnSecurity that the Internet addresses Lumen tagged as the AVrecon botnet’s “Command and Control” (C2) servers all tie back to a long-running proxy service called SocksEscort.

SocksEscort[.]com is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

Spur tracks SocksEscort as a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay. Usually, these users have no idea their systems are compromised.

Spur says the SocksEscort proxy service requires customers to install a Windows-based application in order to access a pool of more than 10,000 hacked devices worldwide.

“We created a fingerprint to identify the call-back infrastructure for SocksEscort proxies,” Spur co-founder Riley Kilmer said. “Looking at network telemetry, we were able to confirm that we saw victims talking back to it on various ports.”

According to Kilmer, AVrecon is the malware that gives SocksEscort its proxies.

“When Lumen released their report and IOCs [indicators of compromise], we queried our system for which proxy service call-back infrastructure overlapped with their IOCs,” Kilmer continued. “The second stage C2s they identified were the same as the IPs we labeled for SocksEscort.”

Lumen’s research team said the purpose of AVrecon appears to be stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.

“This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw,” Lumen’s Black Lotus researchers wrote.

Preserving bandwidth for both customers and victims was a primary concern for SocksEscort in July 2022, when 911S5 — at the time the world’s largest known malware proxy network — got hacked and imploded just days after being exposed in a story here. Kilmer said after 911’s demise, SocksEscort closed its registration for several months to prevent an influx of new users from swamping the service.

Danny Adamitis, principal information security researcher at Lumen and co-author of the report on AVrecon, confirmed Kilmer’s findings, saying the C2 data matched up with what Spur was seeing for SocksEscort dating back to September 2022.

Adamitis said that on July 13 — the day after Lumen published research on AVrecon and started blocking any traffic to the malware’s control servers — the people responsible for maintaining the botnet reacted quickly to transition infected systems over to a new command and control infrastructure.

“They were clearly reacting and trying to maintain control over components of the botnet,” Adamitis said. “Probably, they wanted to keep that revenue stream going.”

Frustratingly, Lumen was not able to determine how the SOHO devices were being infected with AVrecon. Some possible avenues of infection include exploiting weak or default administrative credentials on routers, and outdated, insecure firmware that has known, exploitable security vulnerabilities.

WHO’S BEHIND SOCKSESCORT?

KrebsOnSecurity briefly visited SocksEscort last year and promised a follow-up on the history and possible identity of its proprietors. A review of the earliest posts about this service on Russian cybercrime forums suggests the 12-year-old malware proxy network is tied to a Moldovan company that also offers VPN software on the Apple Store and elsewhere.

SocksEscort began in 2009 as “super-socks[.]com,” a Russian-language service that sold access to thousands of compromised PCs that could be used to proxy traffic. Someone who picked the nicknames “SSC” and “super-socks” and email address “michvatt@gmail.com” registered on multiple cybercrime forums and began promoting the proxy service.

According to DomainTools.com, the apparently related email address “michdomain@gmail.com” was used to register SocksEscort[.]com, super-socks[.]com, and a few other proxy-related domains, including ip-score[.]com, segate[.]org, seproxysoft[.]com, and vipssc[.]us. Cached versions of both super-socks[.]com and vipssc[.]us show these sites sold the same proxy service, and both displayed the letters “SSC” prominently at the top of their homepages.

Image: Archive.org. Page translation from Russian via Google Translate.

According to cyber intelligence firm Intel 471, the very first “SSC” identity registered on the cybercrime forums happened in 2009 at the Russian language hacker community Antichat, where SSC registered using the email address adriman@gmail.com. SSC asked fellow forum members for help in testing the security of a website they claimed was theirs: myiptest[.]com, which promised to tell visitors whether their proxy address was included on any security or anti-spam block lists.

DomainTools says myiptest[.]com was registered in 2008 to an Adrian Crismaru from Chisinau, Moldova. Myiptest[.]com is no longer responding, but a cached copy of it from Archive.org shows that for about four years it included in its HTML source a Google Analytics code of US-2665744, which was also present on more than a dozen other websites.

Most of the sites that once bore that Google tracking code are no longer online, but nearly all of them centered around services that were similar to myiptest[.]com, such as abuseipdb[.]com, bestiptest[.]com, checkdnslbl[.]com, dnsbltools[.]com and dnsblmonitor[.]com.

Each of these services was designed to help visitors quickly determine whether the Internet address they were visiting the site from was listed by any security firms as spammy, malicious or phishy. In other words, these services were designed so that proxy service users could easily tell if their rented Internet address was still safe to use for online fraud.

Another domain with the Google Analytics code US-2665744 was sscompany[.]net. An archived copy of the site says SSC stands for “Server Support Company,” which advertised outsourced solutions for technical support and server administration. The company was located in Chisinau, Moldova and owned by Adrian Crismaru.
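The tracking-code pivot described above, as an added example that is not part of the original article: a small Python index that extracts analytics IDs from saved page sources and lists which domains share one. The sample pages are constructed, not real captures; only the US-2665744 code comes from the article, and the ID pattern is an assumption.

```python
import re
from collections import defaultdict

# Assumed pattern for analytics property IDs: two-letter prefix, dash,
# 5-10 digits, optional "-N" suffix (covers legacy "UA-1234567-1" and the
# "US-..." style code quoted in the article).
GA_ID_RE = re.compile(r"\b([A-Z]{2}-\d{5,10}(?:-\d+)?)\b")


def extract_ga_ids(html):
    """Return the set of analytics IDs found in one HTML document."""
    return set(GA_ID_RE.findall(html))


def pivot_by_ga_id(pages):
    """Build an inverted index: analytics ID -> sorted list of domains using it.

    pages maps a domain name to the HTML source captured for that domain.
    """
    index = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in extract_ga_ids(html):
            index[ga_id].add(domain)
    return {ga_id: sorted(domains) for ga_id, domains in index.items()}


def shared_with(pages, seed_domain):
    """Domains that share at least one analytics ID with seed_domain."""
    index = pivot_by_ga_id(pages)
    related = set()
    for ga_id in extract_ga_ids(pages.get(seed_domain, "")):
        related.update(index.get(ga_id, []))
    related.discard(seed_domain)
    return sorted(related)


# Constructed sample captures (hypothetical HTML, not the real sites'
# source); the UA-1111111-1 value is made up for contrast.
SAMPLE_PAGES = {
    "myiptest.com": "<script>ga('create', 'US-2665744', 'auto');</script>",
    "sscompany.net": "<script>_gaq.push(['_setAccount', 'US-2665744']);</script>",
    "example.org": "<script>ga('create', 'UA-1111111-1', 'auto');</script>",
    "nocode.net": "<html><body>no analytics here</body></html>",
}

if __name__ == "__main__":
    for ga_id, domains in pivot_by_ga_id(SAMPLE_PAGES).items():
        print(ga_id, "->", ", ".join(domains))
    print("linked to myiptest.com:", shared_with(SAMPLE_PAGES, "myiptest.com"))
```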

Leaked copies of the hacked Antichat forum indicate the SSC identity tied to adriman@gmail.com registered on the forum using the IP address 71.229.207.214. That same IP was used to register the nickname “Deem3n®,” a prolific poster on Antichat between 2005 and 2009 who served as a moderator on the forum.

There was a Deem3n® user on the webmaster forum Searchengines.guru whose signature in their posts says they run a popular community catering to programmers in Moldova called sysadmin[.]md, and that they were a systems administrator for sscompany[.]net.

That same Google Analytics code is also now present on the homepages of wiremo[.]co and a VPN provider called HideIPVPN[.]com.

Wiremo sells software and services to help website owners better manage their customer reviews. Wiremo’s Contact Us page lists a “Server Management LLC” in Wilmington, DE as the parent company. Records from the Delaware Secretary of State indicate Crismaru is CEO of this company.

Server Management LLC is currently listed in Apple’s App Store as the owner of a “free” VPN app called HideIPVPN. The contact information on Crismaru’s LinkedIn page says his company websites include myiptest[.]com, sscompany[.]net, and hideipvpn[.]com.

“The best way to secure the transmissions of your mobile device is VPN,” reads HideIPVPN’s description on the Apple Store. “Now, we provide you with an even easier way to connect to our VPN servers. We will hide your IP address, encrypt all your traffic, secure all your sensitive information (passwords, mail credit card details, etc.) form [sic] hackers on public networks.”

Mr. Crismaru did not respond to multiple requests for comment. When asked about the company’s apparent connection to SocksEscort, Wiremo responded, “We do not control this domain and no one from our team is connected to this domain.” Wiremo did not respond when presented with the findings in this report.

Russia Sends Cybersecurity CEO to Jail for 14 Years

The Russian government today handed down a treason conviction and 14-year prison sentence on Ilya Sachkov, the former founder and CEO of one of Russia’s largest cybersecurity firms. Sachkov, 37, has been detained for nearly two years under charges that the Kremlin has kept classified and hidden from public view, and he joins a growing roster of former Russian cybercrime fighters who are now serving hard time for farcical treason convictions.

Ilya Sachkov. Image: Group-IB.com.

In 2003, Sachkov founded Group-IB, a cybersecurity and digital forensics company that quickly earned a reputation for exposing and disrupting large-scale cybercrime operations, including quite a few that were based in Russia and stealing from Russian companies and citizens.

In September 2021, the Kremlin issued treason charges against Sachkov, although it has refused to disclose any details about the allegations. Sachkov pleaded not guilty. After a three-week “trial” that was closed to the public, Sachkov was convicted of treason and sentenced to 14 years in prison. Prosecutors had asked for 18 years.

Group-IB relocated its headquarters to Singapore several years ago, although it did not fully exit the Russian market until April 2023. In a statement, Group-IB said that during their founder’s detainment, he was denied the right to communicate — no calls, no letters — with the outside world for the first few months, and was deprived of any visits from family and friends.

“Ultimately, Ilya has been denied a chance for an impartial trial,” reads a blog post on the company’s site. “All the materials of the case are kept classified, and all hearings were held in complete secrecy with no public scrutiny. As a result, we might never know the pretext for his conviction.”

Prior to his arrest in 2021, Sachkov publicly chastised the Kremlin for turning a blind eye to the epidemic of ransomware attacks coming from Russia. In a speech covered by the Financial Times in 2021, Sachkov railed against the likes of Russian hacker Maksim Yakubets, the accused head of a hacking group called Evil Corp. that U.S. officials say has stolen hundreds of millions of dollars over the past decade.

“Yakubets has been spotted driving around Moscow in a fluorescent camouflage Lamborghini, with a custom licence plate that reads ‘THIEF,’” FT’s Max Seddon wrote. “He also ‘provides direct assistance to the Russian government’s malicious cyber efforts,’ according to US Treasury sanctions against him.”

In December 2021, Bloomberg reported that Sachkov was alleged to have given the United States information about the Russian “Fancy Bear” operation that sought to influence the 2016 U.S. election. Fancy Bear is one of several names (e.g., APT28) for an advanced Russian cyber espionage group that has been linked to the Russian military intelligence agency GRU.

In 2019, a Moscow court meted out a 22-year prison sentence for alleged treason charges against Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial, and the supposed reason for the treason charges has never been disclosed.

Following their dramatic arrests in 2016, some media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.

That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee.