The Good, the Bad and the Ugly in Cybersecurity – Week 21

The Good | Leaders of Crypto Investment Scam Arrested & Charged for $73 Million Laundering Scheme

This week, the tables were turned on two alleged cyber ‘pig butcherers’ who could now face time in the iron pen. The DoJ indicted Daren Li (41) and Yicheng Zhang (38) for their alleged roles leading a global syndicate that has laundered over $73 million through cryptocurrency investment scams. Both Li and Zhang are charged with conspiracy to commit money laundering and six counts of international laundering. If convicted, they face 20 years in prison on each count.

Source: Department of Justice

Pig butchering scams involve criminals building up trust with targeted victims via social media and messaging or dating platforms to convince them to invest in fraudulent schemes. After falling for the bait, the criminals then steal their victims’ cryptocurrency, draining the compromised wallets.

According to court documents, Li and Zhang transferred millions of their victims’ cryptocurrency to U.S. bank accounts connected to shell companies. The funds were then moved through various domestic and international accounts and crypto platforms in order to obscure their origins. Communications uncovered during the investigation revealed details on the operations, including commissions, victim information, and interactions with U.S. financial institutions.

In 2023 alone, the U.S. Secret Service recovered more than $1.1 billion from scam operations, and the IC3 reported that losses to investment scams rose from $3.31 billion in 2022 to $4.57 billion last year. As schemes revolving around financial fraud become increasingly common and complex, cyber defenders reiterate the importance of learning how to spot predatory behavior online, staying vigilant in securing digital assets and identities, verifying the legitimacy of brokerages before investing, and reporting suspicions of fraud immediately.

The Bad | Threat Actors Exploit Legitimate Cloud Services to Deliver Malware in Emerging Campaign

In a new attack campaign, popular cloud storage services like Google Drive and Dropbox are being exploited to stage malicious payloads. Dubbed “CLOUD#REVERSER”, the campaign was broken down by security researchers this week: it uses VBScript and PowerShell to perform command-and-control-like (C2) activities within the storage platforms to manage file uploads and downloads.

Attacks begin with a phishing email containing a ZIP archive file that includes an executable disguised as a Microsoft Excel file. This is done by inserting the hidden right-to-left override (RLO) Unicode character (U+202E) so that the order of the characters that follow it is reversed when displayed. In this case, the victims receiving the email would see the file name RFQ-101432620247fl*U+202E*xslx.exe as RFQ-101432620247flexe.xlsx and open the file thinking it is a legitimate Excel spreadsheet. This is not a new trick, but it is less commonly seen in 2024.
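The RLO trick above can be caught on the mail gateway or in a triage script by looking for bidirectional control characters in attachment names and comparing the name as it would be displayed with the real extension. The following is an added defender-side example, not code from the original article or from the researchers it cites; the rendering logic is a simplified model of how a naive file browser shows an RLO segment (reversed until a pop-directional-formatting character or the end of the string), and the sample file names other than the one quoted in the article are constructed.

```python
# Detect file names that use Unicode bidirectional controls (such as RLO,
# U+202E) to disguise an executable as a document.  Added example; the only
# file name taken from the article is the RFQ-... one, the rest are constructed.

# Bidi control characters that can change how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"

# Extensions the operating system will execute when double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js",
                         "jse", "vbs", "vbe", "wsf", "hta", "lnk", "msi"}


def strip_controls(name: str) -> str:
    """The name the OS actually uses: controls removed, order unchanged."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def displayed_name(name: str) -> str:
    """Approximate what a user sees: characters after an RLO are shown in
    reverse order until a PDF (U+202C) or the end of the string.  Other
    controls are simply invisible in this simplified model."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j, segment = i + 1, []
            while j < len(name) and name[j] != PDF:
                if name[j] not in BIDI_CONTROLS:
                    segment.append(name[j])
                j += 1
            out.extend(reversed(segment))
            i = j + 1          # skip the terminating PDF if present
        elif ch in BIDI_CONTROLS:
            i += 1             # invisible control, drop it
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Return the displayed name, the real extension and a verdict.

    The name is suspicious when it contains any bidi control and either the
    real extension is executable or the displayed extension differs from it.
    """
    real = strip_controls(name)
    shown = displayed_name(name)
    has_control = any(ch in BIDI_CONTROLS for ch in name)
    real_ext, shown_ext = extension_of(real), extension_of(shown)
    suspicious = has_control and (real_ext in EXECUTABLE_EXTENSIONS
                                  or real_ext != shown_ext)
    return {
        "displayed_as": shown,
        "true_name": real,
        "true_extension": real_ext,
        "displayed_extension": shown_ext,
        "has_bidi_control": has_control,
        "suspicious": suspicious,
    }


def triage_attachments(names):
    """Return only the attachment names that should be quarantined."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed attachment list; the first entry is the article's sample.
    sample = ["RFQ-101432620247fl\u202exslx.exe", "invoice.xlsx",
              "notes\u202etxt.scr", "plain.pdf"]
    for n in sample:
        print(analyze_filename(n))
    print("quarantine:", triage_attachments(sample))
```

The check deliberately does not depend on the RLO alone: any bidirectional control in an attachment name is rare in legitimate mail, and a mismatch between the shown and the real extension is the property the lure relies on, so both conditions are reported separately for analysts.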

Executing this file drops a total of eight payloads, among them a decoy Excel file and an obfuscated VBScript that displays the .xlsx file to continue the deception. From there, a series of additional scripts allow the threat actor to establish persistence on the system, connect to the actor-controlled Google Drive and Dropbox accounts, fetch files from the storage services, and maintain a connection to the actor’s command and control (C2) server.

CLOUD#REVERSER Stage 1 (VirusTotal)

These developing attacks highlight the trend of threat actors abusing SaaS platforms to deliver malicious payloads under the guise of legitimate network traffic. By embedding multi-stage downloaders that run code within widely-used cloud platforms, the threat actors can ensure they have persistent access for data exfiltration while keeping a low profile.

The Ugly | Military & Government Orgs Repeatedly Targeted by New PRC-Linked Threat Actor Over 6 Years

Details on a previously undocumented threat group called “Unfading Sea Haze” emerged this week when cybersecurity researchers reported on a series of attacks across countries bordering the South China Sea. So far, eight high-level organizations in critical sectors have been repeatedly targeted over the last six years, with the attackers exploiting poor credential hygiene and unpatched devices and web services in particular.

Unfading Sea Haze is currently not linked to any known APT group, but appears to share similar goals, techniques, geopolitical victimology, and choice of tools known to be associated with Chinese-speaking threat actors. This includes the use of Gh0st RAT malware and running a tool called SharpJHandler, often employed by PRC-based APT41.

So far, Unfading Sea Haze has been observed sending spear phishing emails containing Windows shortcut (LNK) files. When launched, these files execute commands to retrieve the next-stage payload, a backdoor called “SerialPktdoor”, which then runs PowerShell scripts and manages files remotely. Also characteristic of Unfading Sea Haze attacks is the use of the Microsoft Build Engine (MSBuild) to execute files filelessly and minimize the risk of detection, and of scheduled tasks to load a malicious DLL and establish persistence.

Other tools in the group’s arsenal include “Ps2dllLoader”, a keylogger called “xkeylog”, a web browser data stealer, a monitoring tool keyed to the presence of portable devices, and a custom data exfiltration program named “DustyExfilTool”. The widely varied and complex toolkit points to a certain level of sophistication. Researchers note that the combination of both custom and commercial tools is indicative of a cyber espionage campaign aimed at gathering sensitive information from military and government entities.

Organizations can mitigate the risks threat groups like Unfading Sea Haze pose with the SentinelOne Singularity platform.

Good security hygiene such as timely patch management, strong authentication methods, and secure credentials is also highly recommended.

Stark Industries Solutions: An Iron Hammer in the Cloud

The homepage of Stark Industries Solutions.

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”

This graphic comes from a recent report from NETSCOUT about DDoS attacks from Russian hacktivist groups.

As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.

The NoName DDoS group advertising on Telegram. Image: SentinelOne.com.

A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.

PROXY WARS

Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes.

Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer. From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.

Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.

Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS.

Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.

“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkxhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”

Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.

“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.

CLOUDY WITH A CHANCE OF BULLETS

Richard Hummel is threat intelligence lead at NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.

“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,’” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”

Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.

Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.

“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”

But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.

“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said. “And then they just keep coming back and opening new cloud accounts.”

MERCENARIES TEAM

Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.

Ivan Neculiti, as pictured on LinkedIn.

Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”

“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”

Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.

“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”

DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.

An ad for war.md, circa 2009.

Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.

DON CHICHO & DFYZ

The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008. The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM.

Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.

DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.

Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.

The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five accounts online that have been created over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru. Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.

Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.

Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.

Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.

Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.

“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.

Below is a mind map that shows the connections between the accounts mentioned above.

A mind map tracing the history of the user Dfyz.

Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”

“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Team wrote. “While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”

CORRECTIV ACTION

The German independent news outlet Correctiv.org last week published a scathing investigative report on Stark Industries and MIRhosting, which notes that Ivan Neculiti operates his hosting companies with the help of his brother, Yuri.

Image credit: correctiv.org.

The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.

“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.

“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”

Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.

PEACE HOSTING?

Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.

DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.

This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.

Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhosting’s colocation customers.

“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”

“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures. However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”

In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.

Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.

Mr. Nesterenko took exception to Recorded Future’s report.

“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”

Recorded Future said they updated their story with comments from Mr. Nesterenko, but that they stand by their reporting.

Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.

In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.

Serverius-as did not respond to requests for comment. Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.

“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.

A February 2024 report from security firm ESET found Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.

PEERING INTO THE VOID

A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins. Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).

Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.

A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.

Proxyline dot net.

Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.

Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.

EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.

Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, Del.-based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.

Image: Interisle Consulting.

A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.

The anti-spam organization SpamHaus reports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.

It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).

For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”

A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.

Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd.

According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute, ctinet[.]ru, is the seventh-oldest domain in the entire history of the Runet.

Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.

“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive relatively low number of complaints to their networks. I never seen anything about their pro-Russian activity or support of Russian hackers. It is very interesting for me to see proofs of your accusations.”

Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory.

The second is a related hosting company in Miami, called Green Floid LLC. Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.

“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”
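Madory’s observation rests on a simple aggregation of flow records: sum bytes per destination and per source, then look at who dominates. The following is an added example, not Kentik’s code or data, that shows the same computation over a handful of constructed flow records shaped like an exported NetFlow summary (source organization, destination organization, destination country, bytes). The byte counts are chosen so that Iran comes out at 35.1% with MTN Irancell as top destination and Facebook as top source, mirroring the figures quoted above; no other value is taken from real telemetry.

```python
# Aggregate constructed flow records to find the top destination country,
# destination organization and source organization by traffic volume.
# Added example; all records below are constructed, not real NetFlow data.
import csv
import io
from collections import defaultdict

# Constructed export: one flow summary per line.  Organization names
# "Facebook" and "MTN Irancell" come from the article; the rest are invented.
FLOW_EXPORT = """\
src_org,dst_org,dst_country,bytes
Facebook,MTN Irancell,IR,301
Facebook,Example Iranian ISP (constructed),IR,50
Example CDN (constructed),Example Dutch ISP (constructed),NL,250
Facebook,Example German ISP (constructed),DE,200
Example Video Site (constructed),Example US ISP (constructed),US,199
"""


def parse_flows(text: str) -> list:
    """Parse the CSV export into a list of dicts with integer byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def share_by(flows: list, key: str) -> dict:
    """Fraction of total bytes attributed to each distinct value of `key`,
    sorted from largest to smallest share."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["bytes"]
    grand = sum(totals.values())
    if grand == 0:
        return {}
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return {name: byte_count / grand for name, byte_count in ranked}


def top(flows: list, key: str) -> tuple:
    """(value, share) with the largest byte share for `key`, or ('', 0.0)."""
    shares = share_by(flows, key)
    if not shares:
        return ("", 0.0)
    name = next(iter(shares))
    return (name, shares[name])


def summarize(flows: list) -> dict:
    """The three headline figures an analyst would quote for a network."""
    return {
        "top_destination_country": top(flows, "dst_country"),
        "top_destination_org": top(flows, "dst_org"),
        "top_source_org": top(flows, "src_org"),
    }


if __name__ == "__main__":
    summary = summarize(parse_flows(FLOW_EXPORT))
    for label, (name, share) in summary.items():
        print(f"{label}: {name} ({share:.1%})")
```

On real telemetry the records would come from a collector rather than an inline string, and the interesting analytic step is the one Madory draws: when the dominant source is a service that is blocked in the dominant destination country, the network in between is very likely relaying traffic on behalf of users there.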

PinnacleOne ExecBrief | AI and Foreign Election Interference

Last week, PinnacleOne considered what the Office of National Cyber Director’s Annual Report means to modern enterprises.

This week, we highlight the convergence of AI and foreign malign influence efforts on the 2024 year of global elections.

Insight Focus | AI and Foreign Election Interference

The 2024 U.S. elections (and many other global elections) face a threat landscape defined by foreign influence actors using time-tested tactics augmented by emerging AI tools to undermine the democratic process. On May 15, 2024, officials from the Intelligence Community, FBI, and CISA testified before the Senate Select Committee on Intelligence to draw public attention to the evolving threat.

Their top-line message: Foreign adversaries – primarily Russia, China, and Iran, and their commercial enablers – are increasingly attempting to undermine democratic systems through both cyber interference targeting election infrastructure as well as covert influence efforts aimed at civil societies.

At the same time, these government leaders and outside experts (including our very own Chris Krebs) are confident that the 2024 election will be technically secure. Krebs noted on Face The Nation yesterday that while the 2020 election was deemed safe and secure, the current election systems are even more robust due to continued investments and improvements. However, his concerns remain focused on the growing influence capabilities of foreign actors:

“On influence, the scope, the scale, the technology available to our adversaries, including AI and deep fakes, [makes it] a much more precarious threat environment. The Chinese are active. The Russians are very active. They’ve been using deep fakes in Europe. We’ve seen AI [generated content] pop up in [elections in] Moldova, Slovakia, in Bangladesh. So it is going to be a tool.

My sense, however, is that threats that are AI powered or AI enabled, will be much like what happened in New Hampshire with the Robocall. It will be immediately detected, it will be investigated quickly, and it will be prosecuted. And that’s what’s happening right now.

I think the biggest concern though, is that this is cumulative. It’s accretive. So, rather than one single catastrophic AI-enabled event, it’s gonna be a steady drum beat where we, where the voters, the public are just going to lose confidence and trust in the overarching information ecosystem.”

Intensifying Influence Operations

This concern is merited as recent intelligence and observed operations show that threat actors have expanded well beyond traditional propaganda, adopting sophisticated tactics to sow discord and interfere with U.S. elections, including:

For example, recent PRC campaigns used AI to target voters in Taiwan and the U.S. with false information laundered through fake social media accounts, intending to identify and exploit divisive domestic political issues and shape election results. Last month, Belgian and Czech leaders called for urgent action to push back on Russian interference in advance of the European elections in June.

The Czech government imposed sanctions on individuals accused of attempting to bribe members of the European Parliament to promote Russian narratives. In January, the European Parliament opened an investigation of a Latvian representative, reported to be serving as a Russian agent since at least 2004.

Increased Incentives and Capabilities

Foreign adversaries view election interference as a cost-effective and plausibly deniable means to achieve their strategic goals and now have powerful new tools at their disposal. The combination of synthetic media tools and powerful LLMs (many open-source) can be used to democratize and proliferate the sort of cross-language disinformation and media manipulation activities that took the Internet Research Agency an entire building full of fluent English speakers and media designers to execute. The barrier to run a “troll farm” is falling precipitously.

Further, many adversaries have (and still are) collecting bulk data on western publics. Feeding this trove of information into sophisticated analytics engines may enable more precise targeting of selected populations and even individuals for bespoke influence, at a larger scale. While currently not directly observed, these sorts of future malign influence operations will be harder to discover, attribute, and counter.

As a result, the threat landscape continues to intensify, with a growing number of foreign actors, including non-state entities, engaging in election interference. In addition, more commercial firms (wittingly and unwittingly) are used by foreign actors to support influence operations, increasing their sophistication and making tracking more difficult.

U.S. Efforts to Counter Election Threats

The U.S. government has taken significant steps to bolster its defenses, including:

Recommendations for Cybersecurity Professionals and Election Officials

To effectively counter evolving threats, cybersecurity professionals and election officials must:

  • Stay informed about the latest adversary tactics, techniques, and procedures;
  • Join in close collaboration with intelligence, law enforcement, and private sector partners;
  • Actively participate in information sharing initiatives, such as the EI-ISAC;
  • Leverage CISA’s cybersecurity services and resources;
  • Invest in training and awareness programs for staff;
  • Continuously update and fortify cybersecurity defenses;
  • Leverage tools to detect and attribute synthetic media and AI-enabled influence efforts;
  • Work with government partners to establish attribution and response frameworks.

A Fraught Year for Elections

The 2024 elections will test the United States’ ability to safeguard its democratic institutions against foreign cyber threats and influence operations. By staying informed, collaborating with partners, leveraging resources, and strengthening defenses, cybersecurity professionals and election officials can play a vital role in ensuring the integrity of the electoral process. Prioritizing the development of robust attribution and response frameworks will be essential to effectively counter these threats and maintain public confidence in the democratic system.

Ikaruz Red Team | Hacktivist Group Leverages Ransomware for Attention Not Profit

Politically-motivated hacktivist groups are increasingly utilizing ransomware payloads both to disrupt targets and draw attention to their political causes. Notable among these hacktivist groups is Ikaruz Red Team, a threat actor that is currently leveraging leaked ransomware builders.

In attacks occurring over recent months, we have observed Ikaruz Red Team and aligned groups such as Turk Hack Team and Anka Underground (aka Anka Red Team) conduct attacks against Philippine targets and hijack branding and imagery belonging to the government’s Computer Emergency Response Program (CERT-PH).

In this post, we profile this hacktivist group and its recent actions, highlighting the threat actor’s methodology, social media activity and relevance within the wider geopolitical context.

Geopolitical Context & Affiliations

Ikaruz Red Team (IRT), under various identities, has targeted entities in the Philippines through defacements, small-scale DDoS attacks and now ransomware attacks. This behavior, between 2023 and present day (2024), is part of the larger wave of hacktivist groups targeting the region, as documented by Resecurity in April 2024. Resecurity ties these more recent observations to the greater geopolitical landscape, in the context of rising tensions with China, noting that the Philippines’ strategic significance in the Indo-Pacific makes it an attractive target for actors bent on civil disruption.

Over the last year or so, the Philippines has experienced an increase in scattered hacktivist attack campaigns. Previously identified hacktivist groups such as Robin Cyber Hood, Philippine Exodus (aka PHEDS), Cyber Operations Alliance, and Philippine Hacking University have been claiming credit for a variety of ransomware attacks, misinformation campaigns and espionage. On April 8th, the Philippines’ National Privacy Commission (NPC) launched an investigation into a breach of critical government infrastructure through an attack on the Department of Science & Technology by a previously unknown hacktivist identifying itself as #opEDSA.

More widely, as we detail below, IRT shares close associations with Anka Red Team and Turk Hack Team, a pro-Hamas hacktivist collective that has gained increased notoriety since the onset of the Israel-Hamas war.

Ikaruz Red Team Ransomware Activity

Within this context, Ikaruz Red Team, previously known primarily for web defacements and nuisance attacks, appears to be engaged in launching small-scale ransomware attacks with leaked LockBit builders. The group has been actively distributing modified LockBit 3 ransomware payloads and advertising data leaks from a variety of organizations in the Philippines.

Ikaruz Red Team FaceBook posting (.ph victims and ransomware used)

Ikaruz Red Team ransom notes use the original LockBit template almost entirely intact with the exception of the top line, where the LockBit ransomware name is replaced by ‘Ikaruz Red Team’. Modifying the config.json file prior to building the LockBit payloads allows for this simple modification within the ransom notes.

A standard LockBit ransomware note modified by Ikaruz Red Team

All contact details in the analyzed ransom notes are left to the default TOX IDs, Jabber IDs, and email addresses present in the LockBit builder. This is indicative of a threat actor with little interest or perhaps ability to engage in the kind of follow-up and victim negotiations typical of serious ransomware operators and affiliates, suggesting instead that the motivation is more to sow disruption and garner attention through social media postings.

Between January and September of 2023, Ikaruz Red Team claimed responsibility for attacks on multiple Philippine entities. Besides LockBit, the group’s social media postings indicate the use of JellyFish (aka Medusa), Vice Society, ALPHV, BianLian, 8base, and Cl0p ransomware families.

Some of the reported attacks were publicly announced on IRT’s social media accounts, as well as being listed on the larger ransomware platforms’ respective data leak sites.

Observed payloads are standard LockBit 3.0 LBE.3 executables packaged as self-extracting RAR files with a custom IRT .ico file.

Ikaruz Red Team icon file

This bundled .ico file is meant to replace the stock LockBit icon resource on encrypted files. However, there appears to be an error in referencing the resource, or the author omitted the required RED.png file.

RED.png error upon execution of the ransomware

When executed under typical circumstances, the payload will extract the embedded LockBit payload (lb3.exe) and launch it. The ransomware will then rapidly traverse available local and mounted shared volumes, encrypting applicable files and data.

Encrypted files are given a .Uc2RrigQ extension with the specific Ikaruz Red Team LockBit payload we reviewed. The same .Uc2RrigQ string is appended to the names of the ransom notes (e.g., Uc2RrigQ4.README.txt). Per typical LockBit execution, the desktop wallpaper is also replaced with condensed instructions referencing the dropped ransom note.
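As an added defender-side example (not code from the SentinelOne post), the Python below scans a file listing for the on-disk pattern just described: a cluster of files sharing one unfamiliar random extension token, with a ransom note in the same tree whose name starts with that token and ends in .README.txt. The listing is constructed sample data that reuses the .Uc2RrigQ extension and Uc2RrigQ4.README.txt note name reported above; the paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# LockBit 3 style notes: "<extension token>...README.txt" dropped beside encrypted files.
NOTE_SUFFIX = ".README.txt"
# Encrypted files carry a short random alphanumeric token as their final extension.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{6,12}$")


def detect_lockbit_style(paths, min_files=5):
    """Group files by their final extension and report tokens that also appear
    as the prefix of a ransom note name. Returns a list of findings, one per
    suspected extension token, sorted by the number of affected files."""
    by_token = defaultdict(list)
    notes = []
    for p in paths:
        name = PurePosixPath(p).name
        if name.endswith(NOTE_SUFFIX):
            notes.append(p)
            continue
        token = PurePosixPath(p).suffix[1:]  # final extension without the dot
        if TOKEN_RE.match(token):
            by_token[token].append(p)

    findings = []
    for token, files in by_token.items():
        # Only a token that also prefixes a dropped note counts as a finding;
        # an ordinary extension such as "sqlite" never has one.
        matching = [n for n in notes if PurePosixPath(n).name.startswith(token)]
        if matching and len(files) >= min_files:
            dirs = sorted({str(PurePosixPath(f).parent) for f in files})
            findings.append({
                "token": token,
                "encrypted_files": len(files),
                "notes": sorted(matching),
                "directories": dirs,
            })
    findings.sort(key=lambda f: f["encrypted_files"], reverse=True)
    return findings


# Constructed sample listing (hypothetical share); the token mirrors the
# .Uc2RrigQ extension and Uc2RrigQ4.README.txt note name from the post.
SAMPLE_LISTING = [
    "/srv/share/finance/q1.xlsx.Uc2RrigQ",
    "/srv/share/finance/q2.xlsx.Uc2RrigQ",
    "/srv/share/finance/budget.docx.Uc2RrigQ",
    "/srv/share/finance/Uc2RrigQ4.README.txt",
    "/srv/share/hr/handbook.pdf.Uc2RrigQ",
    "/srv/share/hr/roster.csv.Uc2RrigQ",
    "/srv/share/hr/photo.jpg.Uc2RrigQ",
    "/srv/share/hr/Uc2RrigQ4.README.txt",
    "/srv/share/public/readme.txt",
    "/srv/share/public/app.sqlite",         # 6-char extension but no matching note
    "/srv/share/public/notes.README.txt",   # note-like name with no matching token
]

if __name__ == "__main__":
    for f in detect_lockbit_style(SAMPLE_LISTING):
        print(f"token={f['token']} files={f['encrypted_files']} notes={f['notes']}")
```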

Co-opting of Hack4Gov Imagery

As part of its attempts to draw attention, IRT has co-opted imagery and branding developed by the Philippines’ Department of Information and Communications Technology (DICT) and CERT-PH for their Hack4Gov challenge. HackForGov, started in 2023, is an annual government-sponsored Capture-the-Flag (CTF) competition hosted in Manila and aimed at building the country’s cybersecurity capacity.

DICT Youtube Videos on Hack4Gov 2023 Challenges

Ikaruz Red Team has co-opted much of this imagery and branding into its defacements and social media profiles. For example, an IRT Twitter/X profile under the name ‘Ikaruz Reginor’ heavily incorporates the same imagery, as do the group’s Zone-Xsec defacement entries, which claim affiliation to team “HACK4GOV.PH”.

Zone-Xsec Entries for “Ikaruz”

This threat actor is neither a participant in nor affiliated with the official HACK4GOV challenges in any way. We can only speculate as to the reasons behind co-opting official government images and branding, but perhaps two plausible theories would be as an attempt to mock the government’s efforts at improving cybersecurity resilience or an effort to cloak malicious activities behind official-looking iconography. These are, of course, neither mutually exclusive nor exhaustive possibilities.

Tracking Ikaruz Red Team Across Social Media

The threat actor utilizes various social media platforms and identities to engage with its audience and promote its political causes. The aliases “IkaruzRT” and “Ikaruz Reignor” are the most prevalent. This persona is active on popular forums including (the currently defunct) BreachForums and Zone-Xsec. Various public profiles also exist on GitHub, Facebook, Iris, X/Twitter, and Imgur.

The ‘ikaruzrt’ profile on BreachForums has actively posted regarding availability of data leaks from victims in the Philippines between August of 2023 and January of 2024.

ikaruzrt BreachForums profile

These postings on BreachForums include a September 2023 post advertising the breach of Yakult Philippines Incorporated. This appears to be a repost of data listed on Cl0p’s data leak site in July 2023.

A related Ikaruz Red Team GitHub repository was created in mid-2023 and has historically contained code for webshells and defacement tools featuring 403/404 error code bypass features. Note that the co-opted Hack4Gov imagery extends to this platform also.

Ikaruz Red Team GitHub repositories

Hack4Gov reference in IRT PHP code

Across the group’s social media footprint, IRT claims affiliation or alignment with other hacktivist groups, in particular Anka Red Team, Anka Underground Team and Turk Hack Team.

Telegram banner (2021) upon channel creation (Anka UnderGround Team)

Turk Hack Team, established in 2004, is a prolific, Turkish-aligned, hacktivist group known primarily for website defacements and DDoS attacks, including the mass-defacement of nearly 3000 Dutch websites in the “Netherlands Operation” and the notable DDoS attack against Crédit Agricole. Under the banner of “Anka Red Team”, this hacktivist collective has drawn more attention since the onset of the Israel-Hamas war through its support of Palestinian group Hamas.

Conclusion

Politically-motivated attacks targeting the Philippines have been on the rise, especially in the last year. Individual actors like Ikaruz Red Team aligning themselves with previously known groups such as Turk Hack Team and PHEDS are becoming increasingly destructive in their actions.

This destruction, ranging from government data breaches to small-scale ransomware attacks, is being facilitated by the open availability of leaked ransomware builders such as LockBit and ready-to-go scripts for DDoS attacks and web defacements.

For hacktivists, ransomware serves an entirely different purpose from that of financial gain, aiding instead their desire to cause disruption and make political statements against those they consider enemies or those who are deemed to be supporters of these perceived enemies.

Within the hacktivist landscape, Ikaruz Red Team fits into a larger movement of threat actors committing unsophisticated yet damaging attacks targeting the Philippines region. There is indication that a broader cluster of these behaviors may be part of rising regional tensions with China and a desire to destabilize Philippine critical infrastructure.

Indicators of Compromise


Why Your Wi-Fi Router Doubles as an Apple AirTag


Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location from the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API returns the geolocations of up to 400 more BSSIDs near the one requested. The device then uses approximately eight of those BSSIDs to work out its own location based on known landmarks.

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.

UMD Associate Professor David Levin and Ph.D. student Erik Rye found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the Institute of Electrical and Electronics Engineers (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

A heatmap of Starlink routers in Ukraine. Image: UMD.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.

“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.

Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.

UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:

“In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

Apple did not respond to requests for comment. But in late March 2024, Apple quietly tweaked its privacy policy, allowing people to opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID).

Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending “_nomap” to the network’s name.

Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”
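As an added example (not code from the Krebs article or the UMD paper), the Python below checks an access-point inventory for the exposure conditions discussed above: whether the BSSID is a stable factory address or a randomized one (randomized addresses set the IEEE locally-administered bit, as phone hotspots do), whether its OUI falls in an allocated manufacturer range, and whether the SSID carries Apple’s “_nomap” opt-out suffix. The OUI table and inventory are constructed stand-ins; a real audit would load the IEEE registry.

```python
import re
from collections import Counter

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")

# Constructed OUI table standing in for the IEEE registry (hypothetical vendor).
SAMPLE_OUI = {"00:11:22": "ExampleCorp (constructed)"}


def parse_bssid(bssid):
    """Return the six octets of a BSSID, rejecting malformed or multicast addresses."""
    s = bssid.strip()
    if not MAC_RE.match(s):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    octets = [int(x, 16) for x in re.split(r"[:-]", s)]
    if octets[0] & 0x01:  # I/G bit: group addresses cannot be a BSSID
        raise ValueError("multicast bit set; not a valid BSSID")
    return octets


def is_locally_administered(bssid):
    """IEEE U/L bit (bit 1 of the first octet). Randomized BSSIDs such as a phone
    hotspot's set this bit; factory OUI-assigned addresses leave it clear."""
    return bool(parse_bssid(bssid)[0] & 0x02)


def oui_vendor(bssid, table=SAMPLE_OUI):
    """Look up the 24-bit OUI prefix; None when the prefix is not in the table."""
    prefix = ":".join(f"{o:02x}" for o in parse_bssid(bssid)[:3])
    return table.get(prefix)


def opted_out(ssid):
    """Apple's March 2024 opt-out: an SSID ending in _nomap is not indexed."""
    return ssid.endswith("_nomap")


def assess_ap(ssid, bssid, table=SAMPLE_OUI):
    """Classify one access point's exposure to WPS-based location indexing."""
    randomized = is_locally_administered(bssid)
    vendor = None if randomized else oui_vendor(bssid, table)
    if opted_out(ssid):
        exposure = "opted_out"   # indexing declined via the SSID suffix
    elif randomized:
        exposure = "low"         # address changes, so stored fixes do not chain into a track
    else:
        exposure = "high"        # stable globally unique address, trackable as it moves
    return {"ssid": ssid, "bssid": bssid, "randomized_bssid": randomized,
            "vendor": vendor, "opted_out": opted_out(ssid), "exposure": exposure}


def summarize(aps, table=SAMPLE_OUI):
    """Count inventory entries per exposure class."""
    return dict(Counter(assess_ap(s, b, table)["exposure"] for s, b in aps))


# Constructed inventory: (SSID, BSSID) pairs, all hypothetical.
SAMPLE_APS = [
    ("HomeNet", "00:11:22:33:44:55"),        # factory BSSID, indexable
    ("HomeNet_nomap", "00:11:22:33:44:56"),  # opted out via SSID suffix
    ("Pixel hotspot", "02:11:22:33:44:57"),  # locally administered: randomized
    ("TravelRouter", "00:11:22:aa:bb:cc"),   # stable address carried between sites
]

if __name__ == "__main__":
    for ssid, bssid in SAMPLE_APS:
        r = assess_ap(ssid, bssid)
        print(f"{ssid:15} {bssid} exposure={r['exposure']} vendor={r['vendor']}")
    print(summarize(SAMPLE_APS))
```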

A copy of the UMD research is available here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 20

The Good | International Law Enforcement Charge Crypto Criminals & Take Down a New Iteration of BreachForums

In the past week, law enforcement agencies took down cryptocurrency thieves responsible for a multi-million dollar theft from the Ethereum blockchain, and seized a second iteration of the notorious hacking platform, BreachForums.

The DoJ has unsealed an indictment charging Anton Peraire-Bueno (24) and James Peraire-Bueno (28) with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. The brothers allegedly manipulated the blockchain in 12 seconds to pilfer $25 million worth of cryptocurrency in a first-of-its-kind attack.

This was done by tampering with the transaction validation processes on the blockchain, altering pending transactions, and rejecting requests by victims to return the stolen funds. Prior to the attack on the blockchain, the brothers focused on performing reconnaissance on their victims, learning their identities and trading behaviors. If found guilty, each of the brothers faces a maximum sentence of 20 years in prison for each count.

A little over a year has passed since the arrest of Conor Brian Fitzpatrick (“Pompompurin”), owner and administrator of BreachForums. This week, the FBI has seized the hacking forum for a second time. Working with international law enforcement partners, the FBI has shut down a Telegram channel belonging to Fitzpatrick’s successor, “Baphomet”, along with the second iteration of the BreachForums website. Authorities are currently investigating the site’s backend data and have issued a call for new information.

Source: FBI

This iteration of BreachForums, run from June 2023 to May 2024, operated as a clearnet marketplace where cybercriminals could buy, sell, and trade illicit contraband such as hacking tools, compromised databases, stolen access devices, and various illegal services. As forums and dark markets continue to rise and fall multiple times, organizations are reminded to keep their defenses up to safeguard their sensitive data.

The Bad | North Korean APT Kimsuky Abuses Facebook Messenger in Latest Social Engineering Campaigns

Threat actors have found a new way to abuse social media to carry out their cyberattacks. In their latest string of attacks, a DPRK-linked APT known as Kimsuky used fake Facebook accounts to deliver malware via Messenger. Security researchers noted that the campaign leveraged the identity of a real individual in order to specifically target activists within North Korean human rights groups and anti-North Korean sectors.

Unlike traditional spear phishing attacks, this campaign employs Facebook Messenger to lure victims into opening private documents shared by the fake persona. The documents are hosted on OneDrive and pretend to be related to a trilateral summit involving Japan, South Korea, and the U.S. Their use of MSC files, an uncommon file type to carry out the attack, points to Kimsuky’s attempts to avoid detection.

Once opened by the victim, the MSC file triggers a connection to a server controlled by the attackers, displaying a decoy document while executing background commands for persistence and data collection. All of the gathered data is finally exfiltrated to the command and control (C2) server to further harvest IP addresses, User-Agent strings, and HTTP request timestamps, before delivering the payloads.

Source: Genians (Kimsuky’s Facebook-based ReconShark attack)

Kimsuky’s latest exploits call back to activity from last spring, such as ReconShark, which also targeted specific individuals through spear phishing emails; a file reconnaissance and data exfiltration campaign using RandomQuery malware; and a social engineering campaign stealing Google ad subscription credentials of a reputable news service focusing on North Korea. The DPRK-linked APT’s continued commitment to developing its social engineering attacks highlights the need for organizations to remain vigilant, collaborate with their security partners, and invest in solutions including advanced detection capabilities.

The Ugly | New Lunar Toolset Deployed by GRU-Linked Actors Targets European Government Agencies

Reports have surfaced this week detailing cyber intrusions of various European foreign affairs ministries. The campaign leverages two previously unknown backdoors, both of which have been active since at least 2020.

Researchers have dubbed the backdoors “LunarWeb” and “LunarMail”, and attribute the campaign with medium confidence to Turla, an APT connected to the Russian Federal Security Service (FSB). Turla (aka Krypton, UNC4210, or Secret Blizzard) has been known to target high profile entities including governments and diplomatic organizations in Europe, Central Asia, and the Middle East.

Initial infection occurs through spear phishing emails carrying Microsoft Word files whose malicious macro code installs the LunarMail backdoor. The VBA macro then establishes persistence on the infected system by creating an Outlook add-in that is activated whenever the email client is launched. Researchers also noted the potential abuse of Zabbix, an open-source network and application monitoring solution, to deploy the LunarWeb payload.

Once active, the Lunar backdoors communicate directly with the C2 server and enable lateral movement within the network using stolen credentials and compromised domain controllers. They are tailored for long-term surveillance, data theft, and maintaining control over compromised systems, particularly in high-value sectors. A complete list of IoCs can be found here.

Source: ESET (The two observed Lunar toolset compromise chains)

Recent findings state that Russian-sponsored threats currently pose the greatest risk to election infrastructure. Their goals also include amplifying GRU-linked interests and retaliating against perceived adversaries. In February, SentinelLabs uncovered a Russia-aligned influence operation network dubbed Doppelgänger that employs disinformation tactics to influence public opinion within Germany. As major elections approach for both the U.S. and EU member states, malicious activity from nation-backed actors is expected to climb, making socio-economic and geopolitical terrain even more complex to navigate.

RSAC 2024 Recap | Advancing the Power of Possibility Through Community

Last week, the SentinelOne team wrapped up another exciting year at RSA Conference 2024. The four-day event was, as usual, an invaluable opportunity to connect with leaders across the community, share stories, and learn from each other. This year’s event drew some 40,000 attendees from more than 130 countries, showing just how much expertise there is to share.

For those who couldn’t join us in San Francisco, our recap blog captures all of the event highlights including snippets from exclusive keynote sessions and all the announcements from SentinelOne.

RSAC 2024 | Understanding “The Art of Possible” in the Cyber World

This year’s theme for the event was “the art of possible”, a phrase that inspires hope while also serving as a warning to never underestimate what is possible by our cyber adversaries.

Community unlocks possibility. Thinking about the theme as it applies to cybersecurity, we are reminded to celebrate new technologies, leverage the strength of the collective whole, and remain vigilant in the face of growing threats and risks.

Delivering The Future of Autonomous Security with Purple AI & Singularity Data Lake

It’s no surprise that many of the conversations at RSAC 2024 revolved around the topic of artificial intelligence (AI) and its impact on the cybersecurity landscape. SentinelOne was thrilled to announce innovative new capabilities within our Singularity Platform, designed to empower IT teams to take a predictive and autonomous stance against incoming threats:

  • AI-Powered Anomaly Detection – Purple AI surfaces correlated risks from integrated log sources.
  • Automated Alert Triage – The technology analyzes trillions of anonymized data signals at a global scale to evaluate how security analysts assess and respond to similar alerts and provides automated verdicts and recommended actions.
  • AI-Powered Response Recommendations and Hyper Automation Rules – Using global similarity analyses, Purple AI provides intelligent response recommendations based on how others have responded to similar alerts and smart recommendations to turn those actions into hyper automation rules to put response actions in autonomous mode.
  • 24/7 Auto-Investigations – Through zero-touch auto-investigation capabilities, Purple AI eliminates the need for human-driven investigations and empowers security teams to focus on validating and mitigating threats at scale.
  • Mandiant Threat Intelligence – Building on our existing OEM partnership, the Singularity platform integrates leading threat intelligence from Mandiant (part of Google Cloud) to provide the latest and most comprehensive security insights. This includes detailed adversary TTPs, enrichment of all security alerts, and enhanced threat hunting capabilities. The intelligence will also be accessible through Purple AI, boosting the platform’s proactive and automated functions, in private preview later this quarter, with general availability later this year.

Combining the power of Singularity Data Lake and Purple AI, these capabilities help transform security operations by adding new autonomous capabilities to the Singularity Platform. Regardless of an organization’s size, budget, or resources, the latest features ensure it can respond to advanced threats and adopt a proactive approach, anticipating and mitigating issues before they grow into full-blown cyber events.

Further, Purple AI, SentinelOne’s advanced AI security solution, is now embedded across the Singularity Platform and accessible via a new unified security console, Singularity Operations Center. The Operations Center console is a significant stride toward simplifying the analyst workflow by unifying alert triage and workflows across all event collections.

Now generally available, the Operations Center works by consolidating security management with unified alerts, inventory management, correlation engine, and a contextualized Singularity Graph to accelerate advanced SOC capabilities including detection, triage, and investigation.

Redefining Cloud Security

Attacks on cloud environments continue to soar as threat actors zero in on the concentration of business-critical data and services held in clouds. To help cloud teams, developers, and security professionals reduce their cloud and container attack surfaces, we announced the launch of Singularity™ Cloud Native Security (CNS) – our agentless Cloud Native Application Protection Platform (CNAPP) uniquely designed to assess cloud environments through the eyes of a threat actor.

With rapid agentless onboarding across 6 different cloud environments, CNS consolidates and correlates a range of cloud security capabilities:

  • Rapid onboarding with multi-cloud support
  • Cloud Asset Inventory and mapping with easy-to-understand graph visualizations
  • Vulnerability Scanning
  • Cloud Security Posture Management (CSPM)
  • Secrets Scanning
  • Infrastructure as Code (IaC) Scanning, including VCS integration
  • Container Image Security, including CI/CD integration
  • Software Bill of Materials (SBOM)
  • Kubernetes Security Posture Management (KSPM)
  • Cloud Detection and Response (CDR)
  • Integration with Singularity Data Lake for accelerated investigations via Purple AI

One of the major challenges security teams face is cutting through a very noisy attack surface, spending time on separating truly critical and exploitable risks from theoretical attack paths. CNS uses a unique Offensive Security Engine™ that safely simulates attacker behaviors to provide evidence-based false-positive free Verified Exploit Paths™ so security teams can prioritize their time and prevent attacks more effectively.

SentinelOne & CISA | Improving the Nation’s Cybersecurity Posture

Chris Krebs Joins CISA’s Cyber Safety Review Board

The Cyber Safety Review Board (CSRB) was created as a result of President Biden’s Executive Order “Improving the Nation’s Cybersecurity” and is administered by CISA on behalf of the Secretary of Homeland Security. At RSAC 2024, we announced that Chris Krebs, SentinelOne’s Chief Intelligence and Public Policy Officer, has joined the CSRB alongside private sector leaders and senior officials from the DoD, NSA, DoJ, FBI, and more.

The CSRB’s objective is fact-finding: conducting independent reviews and issuing recommendations in the wake of major cyber incidents affecting U.S. entities and organizations. CISA Director Jen Easterly welcomed Krebs to the CSRB, stating that “his cybersecurity expertise and experience will be instrumental in the continuing evolution of the CSRB as a catalyst for positive change in the cybersecurity ecosystem.”

Krebs joined SentinelOne in November 2023, helping executives understand the realities of operating in the modern global business landscape by providing unbiased insights and transformative risk management strategies. Previously, he was the inaugural director of the Department of Homeland Security’s CISA, where he worked alongside businesses and government agencies to protect against an expanding set of cybersecurity threats. Before joining DHS, Krebs led Microsoft’s U.S. cybersecurity policy efforts. Currently, he co-chairs the Aspen Institute’s U.S. Cybersecurity Working Group and is a CBS News contributor.

SentinelOne Makes a Pledge for CISA’s Secure by Design

SentinelOne joined 67 other leaders across the security industry in signing CISA’s Secure by Design pledge at RSAC 2024, a voluntary commitment in which the biggest names in tech promised to take actions within one year to make their products and services more secure. The pledge seeks to complement and build on existing software security best practices, doubling down on the idea of continuously improving the nation’s cybersecurity.

The scope of the pledge covers improving seven aspects of on-prem software products and services, as defined in CISA’s Secure by Design principles. SentinelOne is proud to add our statement of support:

“In today’s rapidly evolving and increasingly complex threat landscape, security cannot be an afterthought. It has to come first. As a vendor of cybersecurity products that tens of thousands of organizations rely on to keep their organizations safe, we believe it is our ethical duty to design products with a security-first mindset and to uphold the highest standards in delivering them, and in signing the Secure by Design Pledge, we are signaling our commitment to doing so.” – Ric Smith, Chief Product and Technology Officer

Celebrating the Cybersecurity Community at RSAC 2024

The cybersecurity industry works hard, overcoming ever-evolving threats and risks to protect what’s most important. We take a moment to recognize and celebrate the ongoing collaboration and contributions from the entire community. Here are some highlights from the event!

Chris Krebs was joined by Chris Mullin, NBA Hall of Famer and Golden State Warriors alumnus, at the SentinelOne executive happy hour.
RSAC wouldn’t be the same without the annual FOMO Party. This year’s bash featured Chris Clouse as opening DJ and EDM legend deadmau5 as headliner.
Holly Bittinger, our resident Product Communications Specialist, hangs out with Tina Hausmann (representing Aston Martin in F1 Academy in 2024) and Jessica Hawkins (Team Head of F1 Academy and Driver Ambassador for Aston Martin).

Thank You, RSAC – See You In 2025!

From the entire team at SentinelOne, we’d like to thank all of our customers, esteemed panelists, fellow vendors, and hosts for another amazing year with RSAC. These events continue to reflect the energy and drive that make up the tight-knit cybersecurity community we are all a part of. As we close out our time with RSAC 2024, we hope to continue the spirit of exchanging ideas, sharing experiences, and learning from one another to keep improving.

We’re already looking forward to next year’s event and welcome everyone to keep the conversation going on our social media channels and at our demo sessions. Be sure to learn more about all of SentinelOne’s latest security offerings as we invest in a more secure future.

Singularity™ Platform
Singularity™ enables unfettered visibility, industry-leading detection, and autonomous response. Discover the power of AI-powered, enterprise-wide cybersecurity.

Securing Peace of Mind with Breach Response Warranty

Running a business means accepting all of its fluctuating risks and uncertainties. For business leaders, one of the major challenges is managing their cybersecurity posture in an ever-changing threat landscape. With rapid digitalization and increasingly opportunistic attackers to consider, small to medium-sized businesses (SMBs) can be especially vulnerable.

Based on recent reports, over 40% of cyberattacks target today’s SMBs and only 14% of these organizations have the right response plans and policies to properly face the threat. While many business owners invest in cyber insurance, traditional insurance policies are no longer enough to provide the coverage needed in the current climate.

This blog post dives into why modern business leaders are investing in cyber warranties to round out their cyber defense strategies and fill in the gaps for cyber financial protections needed in a worst-case-scenario. Also, learn more about SentinelOne’s newly launched Breach Response Warranty available for businesses of all levels of endpoint counts.

Taking the Proactive Approach with Cyber Warranties | Why Cyber Insurance Alone Isn’t Enough

Although both cyber insurance and cyber warranties offer financial compensation in the case of a breach, they serve different purposes. Where cyber insurance covers financial losses resulting from data breaches or attacks that have already occurred, cyber warranties are a pledge from security vendors.

Cyber insurance can also require lengthy paperwork and approval cycles, with drawn-out timelines for compensation. Warranties can plug this time gap, providing immediate relief and an event payout to help cover the deductible on cyber insurance coverage.

Vendors can offer different kinds of cyber warranties such as:

  • Service-Based Warranties – These are associated with specific products and services. For example, warrantied products and services are guaranteed to be free from known vulnerabilities.
  • Scope-Based Warranties – These outline specific conditions or sets of controls that the buyer must adhere to in order for the warranty to be considered valid.
  • Limited Liability Warranties – These hold the provider responsible for damages or losses that result from a cyberattack or breach if the attack was related to a covered product or service.

In terms of risk management, SMBs cannot rely on the reactive nature of cyber insurance policies, which only provide relief after a cyber incident has already happened. On average, an incident can cost SMBs up to $653,000 – a considerable amount of capital that many businesses cannot afford to pay to keep afloat post-attack.

To build up effective and scalable cyber resilience, businesses need to take a proactive approach that helps to prevent cyberattacks from occurring. Many leaders are bolstering their strategy by investing in cyber warranties, which act like guarantees from vendors that their solutions will keep them secure and round out their risk profile.

SentinelOne’s Breach Response Warranty Is Now Available

At SentinelOne, we understand that securing peace of mind requires more than delivering the best technology and cybersecurity expertise. We’re proud to introduce our Breach Response Warranty, the latest service enhancement we offer providing additional coverage and assurance of financial relief should a worst-case scenario occur. This is just one more way we are confidently partnering with you.

Coverage and Eligibility

Our Breach Response Warranty is offered to both our direct customers and Managed Security Service Providers (MSSPs). Coverage amounts are tiered by endpoint count to cover all of our Complete, Vigilance, and WatchTower customers at no additional cost to the customer.

Comprehensive Recovery Expense

Our third-party insurance partner underwrites our warranty and provides up to $1 million of financial relief to ensure business continuity. That means if a breach occurs due to a lapse in our service, our warranty will be triggered to cover operational and legal expenses incurred to restore data and systems and gain compliance with data privacy for a quick recovery.

Comprehensive Endpoint Detection

Unlike many solution providers, our warranty covers physical and virtual devices across multiple operating systems, including Windows, Linux, Mac, and cloud workloads (containers). Our comprehensive protection ensures that all endpoints are covered regardless of the platform.

Conclusion | How to Invest In SentinelOne’s Warranty Program

As threat actors become more sophisticated and well-funded, businesses can bolster their cyber resilience and overall posture by partnering with security vendors that offer integrated warranties for their solutions and services. In assuming a more proactive approach to building their tech stacks, business leaders take on a competitive advantage over those with gaps in their risk profiles.

A combination of a cyber warranty-backed tech stack and cyber insurance coverage gives business leaders the assurance needed to operate confidently in today’s digital environment.

The SentinelOne Breach Response Warranty reflects our commitment to partnering closely with businesses of all sizes to secure their digital assets. Experience true peace of mind with our industry-leading security solutions, now covered by a comprehensive warranty. Please refer to the Breach Response Warranty Agreement for detailed information and specific inquiries. Stay protected and stay secure with SentinelOne.

Patch Tuesday, May 2024 Edition

Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with Virustotal.com.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in SharePoint that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploiting this bug first requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) and then to take additional steps, which makes the flaw less likely to be widely exploited, as most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to back up your data and/or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Update, May 15, 8:28 a.m.: Corrected misattribution of CVE-2024-30051.

Unify the Analyst Experience with Singularity Operations Center

On April 26, 2024, SentinelOne marked a significant milestone in security management with the launch of the Singularity Operations Center, the new unified security console. This major update to the Singularity Platform is now generally available (GA) to all cloud-native customers, representing a pivotal shift to a more integrated and efficient analyst experience for security teams.

This blog post introduces the many features of Operations Center and delves into how it centralizes security management with unified alerts, asset inventory management, a correlation engine, and our contextualized Singularity Graph to accelerate detection, triage, and investigation. Operations Center significantly boosts analyst productivity with enterprise-wide visibility and control, setting a high standard against other vendors with fragmented systems.

One Console, One Platform

Implementing disconnected tools for different attack surfaces and use cases has led to complex navigation, operational inefficiencies, and less visibility across security ecosystems. Using disparate tools has also scattered data across multiple consoles, forcing analysts to continuously context switch and making it harder to understand their whole security landscape. Together, these pain points distract security teams from everyday tasks while also creating slower, more error-prone, and more manual triage and investigation processes. We built the Singularity Platform and Operations Center to help eliminate noise and workflow disruptions while providing best-in-class protection for organizations everywhere.

The Singularity Platform is an AI-powered cybersecurity platform with one console and one data lake for a truly unified experience. We worked closely with over 200 organizations to ensure the design of Operations Center prioritizes and empowers security analysts, threat hunters, security administrators, incident responders, and SOC managers, considering their everyday tasks through workflow-based navigation. Through our Design Partner Program, our active users, ranging from advanced to early-career analysts across different industries, play a vital role in the product development process to ensure our improvements enhance the overall analyst function.

Gain End-to-End Visibility and Control

One of the core philosophies of Operations Center is centralization. Consolidating security operations through intuitive and integrated design provides a single view across the enterprise. The new unified alert management page enables security teams to conduct faster and more comprehensive investigations by managing and responding to security alerts in one location.

Without pivoting between multiple tabs and consoles, analysts benefit from a single queue composed of alerts from SentinelOne native solutions alongside ingested partner alerts. Customers can use Singularity Marketplace to ingest alerts from industry-leading partner solutions, such as Proofpoint TAP, ExtraHop Reveal(x), Microsoft Defender Suite, Palo Alto Firewall, and more. By understanding the full scope of an alert and its attributes, such as severity level, event indicators, origin, and other specific details, users can respond rapidly and surface holistic insights.

Organizations also require deep insight into all the assets in their environment to fully understand their attack surface, identify coverage gaps, and reduce potential risks. In the Operations Center, security teams can now centrally oversee and manage all assets in a unified inventory, which includes managed endpoints, cloud resources, identity assets, and network-discovered devices. To accelerate triage and investigation, analysts have access to an up-to-date inventory page that contains essential asset properties for easy review, criticality assignment, organizational tagging, and direct actions, such as initiating security scans.

Accelerate Detection, Triage, and Investigation

SentinelOne’s goal with Operations Center is to optimize efficiency at every stage of the analyst experience, from preparation and detection to recovery. We are introducing our new correlation engine to help detect complex cyber threats earlier and in real time, preventing breaches and minimizing damage. It correlates activities from multiple data sources and events and identifies patterns that indicate malicious intent to generate a more detailed and reliable alert. The correlation engine saves time and accelerates triage and investigation for analysts, eliminating the need to manually search through thousands of logs to validate specific criteria.

When investigating a potential threat, users now benefit from our Singularity Graph, an interactive graph that correlates and contextualizes security alerts and assets. Analysts can write their own queries or leverage the graph library for out-of-the-box queries to conduct faster investigations. The visual graphs enable the discovery of deeper contextual insights with a visual representation of the relationship between threats and their connections to assets currently in the organization. Users can easily click on any asset or alert for more detailed information and quickly take action to mitigate threats.

Singularity Operations Center is a testament to our commitment to delivering the most advanced AI-powered security platform:

  • Consolidate Security Operations – Centralize workflows through integrated and intuitive design for complete visibility and control across the enterprise, including workplace and cloud environments.
  • Streamline Incident Response – Accelerate detection, triage, and investigation with contextual insights for rapid response and risk reduction.
  • Simplify Configuration Management – Improve productivity and save time by efficiently managing configuration, settings, and policies from one location.

Enable Now to Elevate Security Operations

The Singularity Operations Center is generally available to current cloud-native customers as an opt-in toggle. Existing customers can visit the Customer Portal to learn how to enable the new console and navigation.

Learn More

Not a customer, but want to see more? Meet our team for a demo to see how you can get started with the Singularity Platform, or visit our self-guided product tours.
