A Serial Tech Investment Scammer Takes Up Coding?

John Clifton Davies, a 60-year-old con man from the United Kingdom who fled the country in 2015 before being sentenced to 12 years in prison for fraud, has enjoyed a successful life abroad swindling technology startups by pretending to be a billionaire investor. Davies’ newest invention appears to be “CodesToYou,” which purports to be a “full cycle software development company” based in the U.K.

The scam artist John Bernard a.k.a. Alan John Mykailov (left) in a recent Zoom call, and a mugshot of John Clifton Davies from nearly a decade earlier.

Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of startups into giving him tens of millions of dollars.

John Bernard’s real name is John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice. For several years until reinventing himself again quite recently, Bernard pretended to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago.

“The Private Office of John Bernard” let it be known to investment brokers that he had tens of millions of dollars to invest in tech startups, and he attracted a stream of new victims by offering extraordinarily generous finder’s fees to brokers who helped him secure new clients. But those brokers would eventually get stiffed because Bernard’s company would never consummate a deal.

John Bernard’s former website, where he pretended to be a billionaire tech investor.

Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called The Inside Knowledge GmbH — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

A variety of clues suggest Davies has recently adopted at least one other identity — Alan John Mykhailov — who is listed as chairman of a British concern called CodesToYou LTD, incorporated in May 2022. The CodesToYou website says the company employs talented coders in several countries, and that its programmers offer “your ultimate balance between speed, cost and quality.”

The team from CodesToYou.

In response to questions from KrebsOnSecurity, CodesToYou’s marketing manager — who gave their name only as “Zhena” — said the company was not affiliated with any John Bernard or John Clifton Davies, and maintained that CodesToYou is a legitimate enterprise.

But publicly available information about this company and its leadership suggests otherwise. Official incorporation documents from the U.K.’s Companies House represent that CodesToYou is headed by an Alan John Mykhailov, a British citizen born in March 1958.

Companies House says Mykhailov is an officer in three other companies, including one called Blackstone Corporate Alliance Ltd. According to the Swiss business tracking service business-monitor.ch, Blackstone Corporate Alliance Ltd. is currently the entity holding a decision-making role in John Bernard’s fake due diligence company — The Inside Knowledge GmbH — which is now in liquidation.

A screen shot of the stock photos and corporate-speak on John Bernard’s old website. Image: Archive.org

Also listed as a partner in Blackstone Corporate Alliance Limited is Igor Hubskyi (a.k.a. Igor Gubskyi), a Ukrainian man who was previously president of The Inside Knowledge GmbH.

The CodesToYou website says the company’s marketing team lead is Maria Yakovleva, and the photo of this employee matches the profile for the LinkedIn account name “Maria Y.” That same LinkedIn profile and photo previously listed Maria by a different first and last name — Mariya Kulikova; back then, Ms. Kulikova’s LinkedIn profile said she was an executive assistant in The Private Office of Mr. John Bernard.

Companies House lists Alan John Mykhailov as a current officer in two other companies, including Frisor Limited, and Ardelis Solutions Limited. A cached copy of the now-defunct Ardelis Solutions website says it was a private equity firm.

CodesToYou’s Maria also included Ardelis Solutions in the work history section of her LinkedIn resume. That is, until being contacted by this author on LinkedIn, after which Maria’s profile picture and any mention of Ardelis Solutions were deleted.

Listed as head of business development at CodesToYou is David Bruno, a Canadian man whose LinkedIn profile says he is founder of an organization called “World Privacy Resource.” As KrebsOnSecurity reported in 2020, Bruno was at the time promoting himself as the co-CEO of a company called SafeSwiss Secure Communication AG, and the founder of another tech startup called Secure Swiss Data.

Secure Swiss Data’s domain — secureswissdata.com — is a Swiss concern that sells encrypted email and data services. According to DomainTools.com, that website name was registered in 2015 by The Inside Knowledge GmbH. In February 2020, a press release announced that Secure Swiss Data was purchased in an “undisclosed multimillion buyout” by SafeSwiss Secure Communication AG.

A cached copy of the Ardelis Solutions website, which said it was a private equity firm and included similar stock images as John Bernard’s investment website.

When reached in 2020 and asked about his relationship to Mr. Bernard, Mr. Bruno said the two were business partners and that he couldn’t imagine that Mr. Bernard would be involved in anything improper. To this day Mr. Bruno is the only person I’ve spoken to who has had anything positive to say about Mr. Bernard.

Mr. Bruno did not respond to requests for comment this time around, but his LinkedIn profile no longer makes any mention of Secure Swiss Data or SafeSwiss — both companies he claimed to run for many years. Nor does it mention CodesToYou. However, Mr. Bruno’s former company SafeSwiss is listed as one of the six “portfolio” companies whose services are promoted on the CodesToYou website.

In mid-2021, Bruno announced he was running for public office in Ontario.

“The Kenora resident is no stranger to the government as he contributed to Canada’s new Digital Charter, Bill C-11, which is a new Cyber Security policy,” reported Drydennow.com, a news website that covers Northwestern Ontario. Drydennow says the next federal election is expected to be held on or before Oct. 16, 2023.

John Clifton Davies was convicted in 2015 of swindling businesses throughout the U.K. that were struggling financially and seeking to restructure their debt. For roughly six years, Davies ran a series of firms that pretended to offer insolvency services, but instead simply siphoned what little remaining money these companies had.

The very first entity mentioned in the technology portfolio advertised on the CodesToYou website is called “MySolve,” and it purports to offer a “multi-feature platform for insolvency practitioners.”

Mr. Davies’ fourth wife, Iryna Davies, is listed as a director of one of the insolvency consulting businesses in the U.K. that was part of John Davies’ 2015 fraud conviction. Prior to his trial for fraud, Davies served 16 months in jail before being cleared of murdering his third wife on their honeymoon in India: Colette Davies, 39, died after falling 80 feet from a viewing point at a steep gorge in the Himachal Pradesh region of India.

Mr. Davies was charged with murder and fraud after he attempted to collect GBP 132,000 in her life insurance payout, but British prosecutors ultimately conceded they did not have enough evidence to convict him.

The scams favored by Davies and his alter egos are smart because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. And all the best cons begin as an idea or possibility planted in the target’s mind.

It’s also a reliable scam because companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. On top of that, many victims will likely be too ashamed to admit they were duped. Victims who do press their case in court and win then face the daunting challenge of collecting damages from a slew of ephemeral shell corporations.

The latest Bernard victim to speak publicly — a Norwegian company hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad. As part of that scam, Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

If you liked this story, check out my previous reporting on John Bernard/Davies:

Due Diligence That Money Can’t Buy

Who is Tech Investor John Bernard?

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30 Million

Investment Scammer John Davies Reinvents Himself?

Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams

A Spectrum of Possibility | SentinelOne Celebrates World Autism Month

April is World Autism Month, dedicated to increasing understanding and acceptance of people on the spectrum. According to a new study published by Autism Research, 1 in 100 children globally are diagnosed with Autism Spectrum Disorder (ASD) and that number increases to 1 in 36 in the United States.

As we work to create a more inclusive world and workplace, customizing things like the interview process, working norms, retention strategies, and social expectations allows us to increase the awareness and acceptance of neurodiverse individuals and uncover an amazing untapped resource of diverse talent.

SentinelOne is proud to foster a workplace culture where all people can fulfill their potential. Our advantage comes from designing with the intent to protect everyone, everywhere, and knowing that inclusion transforms the customer experience.

In this blog post, meet three Sentinels who are eager to share their personal experiences with ASD, hoping to welcome more neurodiverse candidates to join us in our mission to Secure Tomorrow™ as we determine the future of cybersecurity – together.

Meet Aubrey Robertson, People Operations Specialist

Aubrey Robertson, People Operations Specialist, has been with SentinelOne for 18 months and is based in Eugene, Oregon. As a People Operations Specialist, she handles information updates in Workday and assists in onboarding and offboarding employees, consultants, contractors, and interns.

“Being diagnosed with Autism well into my adulthood opened a door to a myriad of resources, leading me to understand my feelings and challenges more deeply,” said Aubrey. “On days where I feel overwhelmed, I analyze what triggered me to avoid that in the future.”

Aubrey believes stereotypes in the media are not accurate and create an unrealistic expectation that people with Autism all have obvious social deficits that coexist with a redeeming academic or savant quality.

“Autism in real life often doesn’t look the way it’s portrayed in popular culture,” said Aubrey. “This trope creates a real-life expectation that all autistic people are geniuses in a particular subject and socially awkward in a way that’s endearing. The expectation for an autistic person to possess these qualities can be damaging.”

Aubrey believes that the unconscious bias towards neurotypical behavior creates an implied social expectation for people with ASD to mask symptoms, causing exhaustion, burnout, and anxiety. She feels fortunate to have the self-awareness and coping skills to thrive in our inclusive environment at SentinelOne.

To support someone with ASD in the workplace, Aubrey suggests trying to engage them in different ways. Instead of sitting across from one another during conversation, try sitting side by side on a sofa or a bench where it’s socially acceptable not to maintain eye contact, which does not come naturally to people on the spectrum.

“For me, worrying about what to do with my hands or my facial expressions makes me so self-conscious that I lose track of the conversation entirely,” said Aubrey. “If I have something to hold and eat, a fidget toy, or a passive card game to play while chatting, that helps keep my mind off my social quirks and allows me to be present as my authentic self.”

Aubrey describes ASD as different for everyone. Things like gender, age, level of intervention, and basic personality traits make no two people alike. If you have a direct report or teammate who is open with their diagnosis, Aubrey suggests asking them what accommodations they would find helpful to be more successful and comfortable at work.

“I find large group meetings very intimidating if I don’t know what to expect,” said Aubrey. “If meetings could be prefaced with a detailed agenda at least a day in advance, that would be a dream come true.”

Aubrey also suggests inclusive strategies like using Mentimeter for group feedback, offering frequent breaks during longer group meetings, and replacing ice breakers with something less intimidating for introverted teammates.

“I can recognize when I need a break and have techniques to charge my social battery,” said Aubrey. “When I’m in a highly social situation, I’m using 80% of my energy to blend in socially and can’t efficiently access the problem-solving or creativity centers in my brain. Offering safer and more inclusive ways to share discussion feedback will ensure you’re getting everyone’s best thoughts.”

Aubrey encourages those living with ASD to be open with teammates, family, and friends about needs and share helpful strategies for success.

“Chances are, people will understand and want to accommodate your needs,” said Aubrey. “Your needs deserve equal respect. You can and should expect a reasonable amount of comfort, even when it must be achieved through extra effort.”

Meet Christof Jacques, Senior Solutions Engineer

Christof Jacques, Senior Solutions Engineer, supports sales teams in Belgium and Luxembourg by creating meaningful experiences and solutions for our customers. Christof was diagnosed with ASD at 38 years old.

“I learned from my diagnosis that it’s ok to respect my limits,” said Christof. “This mindset makes it easier for me to excel in other areas and use my energy more efficiently. I think that’s valuable advice for everyone.”

After being diagnosed with Asperger’s Syndrome, Christof learned all that he could. Reading books helped him understand himself and confirmed why some day-to-day tasks were so challenging. Social gatherings are also challenging for Christof to navigate. He said it’s not easy to explain why he won’t attend a social event, but he’s learned that it is ok to say no.

“For me, there are a lot of things that are complicated that shouldn’t be,” said Christof. “I think it’s important for employers to understand that social events can be challenging. Participating should not be a factor for promotions or recognition.”

Christof has been open and active in leading conversations about ASD at SentinelOne in the two years since he joined. When his manager learned of his diagnosis, he approached Christof to ask how he could be more accommodating.

“The question itself shows that you care,” said Christof. “It was cool that it was asked. It’s important to underline that every person is different. So, what is important to me might not be to someone else. If you work with someone with Autism, ask them what can help them.”

When asked to share insight about creating an inclusive workplace, Christof said remote work options are helpful for those who find frequent interruptions challenging. He added that clear communication with added context is also helpful.

“Be patient,” said Christof. “There may be a need to explain and re-explain. Allow teammates the opportunity to think through a problem and come back with a response. Depending on their energy level, they may need time to process.”

Meet Erin Kelly, Head of Internal Communications & Talent Brand

Erin Kelly, Head of Internal Communications & Talent Brand, has been with SentinelOne for just over a year. With 25 years of communication experience and 17 years of experience with Autism, Erin credits her ability to break down complex topics in compelling, clear, and concise ways to raising a child with communication challenges.

“When I create content, I imagine the audience to have no experience with the subject matter,” said Erin. “I strive to tell stories and deliver explanations in the right order with an appropriate level of detail – too much of anything can be overwhelming.”

Erin suspected something was different about her son’s development when he stopped using the 20 words he had racked up at two years old, and his irritability increased to an almost constant level.

“My toddler stopped talking and was super cranky,” said Erin. “About four weeks into his tantrum spell, Jack started banging his head on hard floors. I took him to Children’s Hospital of Philadelphia and waited a few weeks for doctors to tell me what I already knew. Jack had Autism.”

Erin describes the years that followed as an uphill race against time. The team of therapists sent by the state of New Jersey described Jack’s first five years as the most critical and coached her to dedicate time and resources into maximizing his potential.

Jack had 30+ hours of intervention for the better part of his childhood. He started talking again at five years old and hasn’t stopped since. Jack was mainstreamed in middle school and graduated from high school last year.

“Finding a place where Jack can feel included academically, socially, and recreationally is a challenge without end,” said Erin. “He is 19 and still struggles to find his place. While he continues to strengthen coping strategies, I would love the world to meet him halfway with greater understanding and acceptance.”

Erin believes that kindness, active listening, open communication, and structured settings can go a long way in making the workplace more inclusive for people of all abilities. Strong people practices create a better culture for all – not just those living with ASD.

“Jack has a photographic memory, an incredible attention to detail, and a great work ethic,” said Erin. “These are all awesome qualities in the workplace. That said, eye contact, social situations, and group conversations can be problematic. Making it ok to be socially different – and even distant – would be a great start.”

Having a People Business Partner who feels comfortable helping teammates navigate the world of accommodations is also critical for success. Remote work has opened a world of possibilities for those who may be perceived as introverted and excel in a smaller controlled environment.

“Investing in talented people and giving them the space and confidence to be their authentic self at work is a best practice for everyone, not just people on the spectrum,” said Erin. “People of all abilities want to make an impact and feel included at work. Fostering inclusion is good for our people and for our business.”

How Businesses Can Expand Their Spectrum of Possibility

Fostering a truly inclusive workplace means examining how we can embed awareness and acceptance of neurodiverse individuals. The key in building this space focuses on open communication, asking for suggestions and strategies, and mutual respect.

Broadening your talent base means setting up all people in a company for success where they can reach their full potential and grow with the business. SentinelOne is dedicated to the continuous growth of its inclusive workplace culture and is proud to provide a space where all Sentinels will always feel welcomed.

The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good

The Biden administration signed a new executive order this week, the latest in an effort to prohibit U.S. government agencies from buying and using commercial spyware operationally. Targeting spyware’s increasing threat to national security and its implication in human rights abuse, the President called for an international coalition focused on combating spyware as a whole.

Governments across the globe have been known to collect troves of sensitive data for law enforcement and intelligence purposes. As use of spyware grew to meet these needs, the tools have inevitably been made available to opposing entities who have used them to meet their goals of abuse and oppression.

Spyware has long been marked as a high-level issue. The order emphasized that commercial spyware poses counterintelligence and security risks to the U.S. government if used by foreign governments or persons to gain access to U.S. computers and their data without authorization. Further, spyware is often used to collect information on political figures, dissidents, activists, academics, journalists, or members of marginalized communities for the purpose of intimidation.

While President Biden’s executive order does allow some exceptional use cases, it represents a clear step toward clamping down on the use of commercial spyware for non-testing purposes. The impact of modern-day technology on government systems and human rights continues to grow, and it is likely that more issues will arise from these intersections and highlight the continued need to regulate, oversee, and audit new advancements in technology.

The Bad

A new comprehensive toolset is being sold to threat actors through private Telegram channels, SentinelLabs researchers reported this week. Dubbed ‘AlienFox’, this toolset enables actors to perform scans for misconfigured servers and extract API keys and secrets from AWS, Google, and Microsoft.

Analyzing three versions of AlienFox, researchers noted that the toolset is being used to enumerate misconfigured hosts through security scanning services such as LeakIX and SecurityTrails. The AlienFox operators search for vulnerable services that are associated with widely used frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Finally, the operators leverage various scripts provided in the toolset to harvest credentials and sensitive data from configuration files exposed on compromised servers, including credentials for cloud-based email platforms.

Currently, the most recent version of the toolset has been able to establish persistence on a compromised Amazon Web Services (AWS) account, escalate privileges, and automate a spam campaign. This version also has added an account-checking capability along with an automated cryptocurrency wallet seed cracker for Ethereum and Bitcoin.

Wallet seed generation in ETH.py

The cyber defense community continues to see a rise in attacks on cloud services, particularly for the purpose of expanding subsequent threat campaigns. This is reflected in AlienFox’s highly modular nature, which accommodates new features and improvements to attract new buyers and secure renewals from existing ones. Organizations can defend themselves from AlienFox tools by establishing strict configuration management and least privilege practices. Leveraging a Cloud Workload Protection Platform (CWPP) on virtual machines and containers is also key to detecting suspicious activity within the OS before full compromise can occur.

The Ugly

An ongoing cyberattack has occupied the emergency response of international VoIP software developer 3CX for the past week as threat actors leverage a trojanized version of its 3CX DesktopApp. The full impact of the continuing attack is unknown so far, though 3CX’s suite of products serves over 12 million users in 190 countries, with big names like the UK’s National Health Service, Ikea, and American Express as part of its clientele.

A report published by SentinelLabs researchers explains that use of the trojanized 3CX DesktopApp is just the first stage in the multi-stage supply chain attack currently tracked under the campaign name, SmoothOperator.

Infection begins either with an MSI installer downloaded from the official 3CX website or with an update pushed to an already-installed desktop application. Following initial infection, the actors behind SmoothOperator use a DLL side-loading technique designed to pull icon file (ICO) payloads with Base64 data appended from GitHub. The malware decodes these Base64 strings to download the final payload, which then steals credentials and sensitive data housed in popular browsers.

3CX has since released a security alert announcing the imminent release of a new build. In the meantime, the company advises its users to uninstall the desktop app or switch over to the PWA agent. In a blog post published the same day, 3CX divulged that the issue was seemingly associated with one of the bundled libraries compiled into the Electron Windows App via Git.

The SmoothOperator supply chain campaign is a developing story and more details may come to light in coming days. SentinelOne customers are protected against SmoothOperator with no additional action required.

German Police Raid DDoS-Friendly Host ‘FlyHosting’

Authorities in Germany this week seized Internet servers that powered FlyHosting, a dark web offering that catered to cybercriminals operating DDoS-for-hire services, KrebsOnSecurity has learned. FlyHosting first advertised on cybercrime forums in November 2022, saying it was a Germany-based hosting firm that was open for business to anyone looking for a reliable place to host malware, botnet controllers, or DDoS-for-hire infrastructure.

A seizure notice left on the FlyHosting domains.

A statement released today by the German Federal Criminal Police Office says they served eight search warrants on March 30, and identified five individuals aged 16-24 suspected of operating “an internet service” since mid-2021. The German authorities did not name the suspects or the Internet service in question.

“Previously unknown perpetrators used the Internet service provided by the suspects in particular for so-called ‘DDoS attacks’, i.e. the simultaneous sending of a large number of data packets via the Internet for the purpose of disrupting other data processing systems,” the statement reads.

News of a raid on FlyHosting first surfaced Thursday in a Telegram chat channel that is frequented by people interested or involved in the DDoS-for-hire industry, where a user by the name Dstatcc broke the news to Fly Hosting customers:

“So Flyhosting made a ‘migration’ with it[s] systems to new rooms of the police ;),” the warning read. “Police says: They support ddos attacks, C&C/C2 and stresser a bit too much. We expect the police will take a deeper look into the files, payment logs and IP’s. If you had a server from them and they could find ‘bad things’ connected with you (payed with private paypal) you may ask a lawyer.”

An ad for FlyHosting posted by the user “bnt” on the now-defunct cybercrime forum BreachForums. Image: Ke-la.com.

The German authorities said that as a result of the DDoS attacks facilitated by the defendants, the websites of various companies as well as those of the Hesse police have been overloaded in several cases since mid-2021, “so that they could only be operated to a limited extent or no longer at times.”

The statement says police seized mobile phones, laptops, tablets, storage media and handwritten notes from the unnamed defendants, and confiscated servers operated by the suspects in Germany, Finland and the Netherlands.

KrebsOnSecurity has asked the German police for more information about the target of their raids. This post will be updated in the event they respond.

The apparent raids on FlyHosting come amid a broader law enforcement crackdown on DDoS-for-hire services internationally. The U.K.’s National Crime Agency announced last week that it’s been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services.

In mid-December 2022, the U.S. Department of Justice (DOJ) announced “Operation Power Off,” which seized four-dozen DDoS-for-hire domains responsible for more than 30 million DDoS attacks, and charged six U.S. men with computer crimes related to their alleged ownership of popular DDoS-for-hire services.

SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack

By Juan Andres Guerrero-Saade, Asaf Gilboa, David Acs, James Haughom & SentinelLabs

Executive Summary

  • As of Mar 22, 2023, SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular voice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX) platform.
  • Behavioral detections prevented these trojanized installers from running and led to immediate default quarantine.
  • The trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a third-stage infostealer DLL still being analyzed as of the time of writing.
  • At this time, we cannot confirm that the Mac installer is similarly trojanized. Our ongoing investigation includes additional applications like the Chrome extension that could also be used to stage attacks.
  • The compromise includes a code signing certificate used to sign the trojanized binaries.
  • Our investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling set of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat clusters.

Background

3CXDesktopApp is the voice and video conferencing client for the Private Automatic Branch Exchange (PABX) enterprise call routing software developed by 3CX, a business communications software company. The company website claims that 3CX has 600,000 customer companies with 12 million daily users. 3CX lists customer organizations in the following sectors:

  • Automotive
  • Food & Beverage
  • Hospitality
  • Managed Information Technology Service Provider (MSP)
  • Manufacturing

The 3CX PBX client is available for Windows, macOS, and Linux; there are also mobile versions for Android and iOS, as well as a Chrome extension and a Progressive Web App (PWA) browser-based version of the client.

PBX software makes an attractive supply chain target for actors; in addition to monitoring an organization’s communications, actors can modify call routing or broker connections into voice services from the outside. There have been other instances where actors used PBX and VoIP software to deploy additional payloads, including a 2020 campaign against Digium VoIP phones using a vulnerable PBX library, FreePBX.

Campaign Overview

As others have noted, SentinelOne began automatically detecting and blocking the activity over the span of the week, prior to our active investigation of the campaign.

As we actively analyze the malicious installer, we see an interesting multi-stage attack chain unfolding. The 3CXDesktopApp application serves as a shellcode loader with shellcode executed from heap space. The shellcode reflectively loads a DLL, removing the “MZ” at the start. That DLL is in turn called via a named export ‘DllGetClassObject’ with the following arguments:

1200 2400 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) 3CXDesktopApp/18.11.1197
Chrome/102.0.5005.167 Electron/19.1.9 Safari/537.36"

as well as the size of this User-Agent string.

This stage will in turn download icon files from a dedicated Github repository:

https://github[.]com/IconStorages/images

These ICO files have Base64 data appended at the end. That data is then decoded and used to download another stage. At this time, the downloaded DLL appears to be a previously unknown infostealer meant to interface with browser data, likely in an attempt to enable future operations as the attackers sift through the mass of infected downstream customers. We have issued a takedown request for this repository.
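A defender-side check for the staging trick described above (ICO files carrying Base64 data appended past the end of the icon structure), written here as an added example rather than code from SentinelLabs or from the campaign itself. It parses the ICO directory to find where the last image ends, reports any trailing bytes, and attempts a strict Base64 decode of them; the sample ICO bytes and the appended string are constructed, and the decoded URL is a placeholder, not a real indicator.

```python
"""Flag ICO files that carry data appended past the end of the icon structure.

Constructed example for the SmoothOperator write-up, not code from SentinelLabs
or 3CX. The sample ICO and the appended trailer below are fabricated.
"""
import base64
import re
import struct
from dataclasses import dataclass
from typing import Optional

# ICONDIR: reserved (0), type (1 = icon), image count.
ICONDIR = struct.Struct("<HHH")
# ICONDIRENTRY: width, height, colours, reserved, planes, bpp, bytes_in_res, image_offset.
ICONDIRENTRY = struct.Struct("<BBBBHHII")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")


@dataclass
class IcoScanResult:
    structural_end: int       # offset just past the last image the directory references
    trailing_len: int         # number of bytes found after structural_end
    base64_like: bool         # trailer consists only of Base64 alphabet characters
    decoded: Optional[bytes]  # decoded trailer when it is valid Base64, else None


def ico_structural_end(data: bytes) -> int:
    """Return the offset where a well-formed ICO should end, per its directory."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short for an ICONDIR header")
    reserved, ico_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not a well-formed ICO header")
    end = ICONDIR.size + count * ICONDIRENTRY.size
    for i in range(count):
        off = ICONDIR.size + i * ICONDIRENTRY.size
        if off + ICONDIRENTRY.size > len(data):
            raise ValueError("directory entry %d runs past end of file" % i)
        *_, size, offset = ICONDIRENTRY.unpack_from(data, off)
        if offset + size > len(data):
            raise ValueError("image %d claims bytes beyond end of file" % i)
        end = max(end, offset + size)
    return end


def scan_ico(data: bytes) -> IcoScanResult:
    """Parse the ICO, isolate any trailing bytes, and try to decode them as Base64."""
    end = ico_structural_end(data)
    trailer = data[end:]
    stripped = re.sub(rb"\s+", b"", trailer)
    base64_like = len(stripped) >= 8 and B64_RE.match(stripped) is not None
    decoded = None
    if base64_like:
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = None
    return IcoScanResult(end, len(trailer), base64_like, decoded)


def is_suspicious(data: bytes) -> bool:
    """A benign icon has no trailer; Base64-looking trailing data warrants a closer look."""
    result = scan_ico(data)
    return result.trailing_len > 0 and result.base64_like


def build_sample_ico(image: bytes) -> bytes:
    """Constructed single-entry ICO wrapping an arbitrary blob as its image data."""
    header = ICONDIR.pack(0, 1, 1)
    offset = ICONDIR.size + ICONDIRENTRY.size
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset)
    return header + entry + image


FAKE_IMAGE = bytes(40)  # constructed stand-in for real BMP/PNG icon bytes
CLEAN_ICO = build_sample_ico(FAKE_IMAGE)
# Constructed trailer; the URL is a placeholder, not an indicator from the campaign.
APPENDED = base64.b64encode(b"https://example.invalid/next-stage")
TAMPERED_ICO = CLEAN_ICO + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        r = scan_ico(blob)
        print(name, "trailing bytes:", r.trailing_len, "base64-like:", r.base64_like,
              "decoded:", r.decoded)
```

Icons with a slack of non-Base64 trailing bytes still get reported via trailing_len, so the check also catches padding or other appended data that this campaign's encoding would not match.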

The final stage (cad1120d91b812acafef7175f949dd1b09c6c21a) implements infostealer functionality, including gathering system information and browser information from Chrome, Edge, Brave, and Firefox browsers. That includes querying browsing history and data from the Places table for Firefox-based browsers and the History table for Chrome-based browsers.

Infostealer strings used to query for History and Places tables

SentinelOne Protects Against SmoothOperator

Recommendations

For SentinelOne customers, no action is needed. We’ve provided technical indicators to benefit all potential victims in hunting for the SmoothOperator campaign.

Indicators of Compromise

URL github[.]com/IconStorages/images
Email cliego.garcia@proton.me
Email philip.je@proton.me
Domain akamaicontainer[.]com
Domain akamaitechcloudservices[.]com
Domain azuredeploystore[.]com
Domain azureonlinecloud[.]com
Domain azureonlinestorage.com
Domain convieneonline[.]com
Domain dunamistrd[.]com
Domain glcloudservice[.]com
Domain journalide[.]org
Domain msedgepackageinfo[.]com
Domain msstorageazure[.]com
Domain msstorageboxes[.]com
Domain officeaddons[.]com
Domain officestoragebox[.]com
Domain pbxcloudeservices[.]com
Domain pbxphonenetwork[.]com
Domain pbxsources[.]com
Domain qwepoi123098[.]com
Domain Soyoungjun[.]com
SHA-1 20d554a80d759c50d6537dd7097fed84dd258b3e
SHA-1 bf939c9c261d27ee7bb92325cc588624fca75429
SHA-1 cad1120d91b812acafef7175f949dd1b09c6c21a

Meeting the TSA Cybersecurity Requirements for Airports and Aircraft with SentinelOne Singularity XDR

The recent announcement by the Transportation Security Administration (TSA) mandating new cybersecurity requirements for airports and aircraft highlights the need for robust cybersecurity measures in the aviation industry. These requirements apply to all U.S. airports and airlines that operate commercial flights, with non-compliance resulting in penalties, legal action, and reputational damage.

This post delves deeper into the new TSA cybersecurity requirements and how SentinelOne Singularity XDR can help enterprises and federal agencies meet these requirements.

The New TSA Cybersecurity Requirements

The new cybersecurity amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.

The amendment emphasizes performance-based measures, requiring impacted entities to assess the effectiveness of these measures proactively.

The TSA cybersecurity requirements aim to strengthen the security of aviation systems and protect against cyber threats. The requirements include:

  • Stronger access controls
  • Regular vulnerability assessments
  • Incident response plans
  • Adoption of cybersecurity best practices, such as encryption and multi-factor authentication
  • Micro-segmentation to reduce the attack surface

The emergency amendment mandates the following actions for impacted TSA-regulated entities:

  • Develop network segmentation policies and controls to ensure that operational technology systems can continue to operate safely in the event that an information technology system has been compromised, and vice versa
  • Create access control measures to secure and prevent unauthorized access to critical cyber systems
  • Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations
  • Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology

The new requirements highlight the need for a comprehensive and proactive cybersecurity approach. By leveraging solutions such as SentinelOne Singularity XDR, enterprises in the aviation industry can improve their security posture, meet the new TSA cybersecurity requirements, and ensure compliance.

SentinelOne Singularity XDR for Meeting the TSA Cybersecurity Requirements

SentinelOne Singularity XDR is a comprehensive solution that can help enterprises in the aviation industry improve their security posture, meet the new TSA cybersecurity requirements, and ensure compliance.

The following are the key functionalities of SentinelOne Singularity XDR and their business outcomes that can help enterprises meet these requirements:

Scalability and Manageability

SentinelOne’s firewall control solution is highly scalable and easy to manage. It has a central management architecture that simplifies policy management and ensures consistency, making it easier to meet the TSA’s requirements. Unlike Microsoft solutions, which can be difficult to manage, SentinelOne supports cross-OS management, enabling enterprises to manage micro-segmentation policies dynamically across multiple operating systems, including Windows, macOS, and Linux.

Business Outcomes:

  • Reduced operational overheads
  • Improved security posture
  • Simplified policy management

Easy-to-Implement Micro-Segmentation

Micro-segmentation is critical to reducing the attack surface in enterprise environments.

SentinelOne Singularity XDR provides easy-to-implement micro-segmentation, which improves visibility and strengthens overall security posture.

Business Outcomes:

  • Reduced attack surface
  • Improved visibility
  • Strengthened overall security posture

Dynamic Policy Assignment Based on Endpoint Tags and Location Awareness

Dynamic policy assignment based on endpoint tags and location awareness is essential to managing micro-segmentation effectively. SentinelOne Singularity XDR enables enterprises to dynamically and automatically determine what firewall policies to assign to specific machines based on location, simplifying policy management and enhancing security.

The tagging of policy assignments across different scopes and the ability to assign policies per application instead of per machine makes SentinelOne Singularity XDR a highly scalable solution.

Business Outcomes:

  • Improved efficacy of security policies
  • Reduced time spent managing endpoint policies
  • Enhanced security posture

Advanced Multi-Tenancy and Inherited Policies

SentinelOne Singularity XDR’s advanced multi-tenancy provides a centralized console for managing security policies, alerts, and incidents for multiple customers, making it ideal for enterprises with multiple sub-agencies, such as federal agencies. Additionally, SentinelOne Singularity XDR supports inherited policies, which are dynamically assigned per application, making it easier to manage policies across large-scale environments.

Business Outcomes:

  • Streamlined security operations
  • Simplified policy management
  • Reduced operational overheads

Conclusion

The TSA cybersecurity requirements mandate robust cybersecurity measures to protect against cyber threats in the aviation industry. SentinelOne Singularity XDR can help enterprises meet these requirements by providing advanced multi-tenancy, dynamic policy assignments based on endpoint tags, and easy-to-implement micro-segmentation.

By leveraging these functionalities, enterprises can improve their security posture, reduce the risk of cyber attacks, and ensure compliance with the new TSA cybersecurity requirements.

To learn more about how SentinelOne Singularity XDR (https://www.sentinelone.com/platform/singularity-xdr) can help your enterprise meet compliance, contact us or request a demo.


UK Sets Up Fake Booter Sites To Muddy DDoS Market

The United Kingdom’s National Crime Agency (NCA) has been busy setting up phony DDoS-for-hire websites that seek to collect information on users, remind them that launching DDoS attacks is illegal, and generally increase the level of paranoia for people looking to hire such services.

The warning displayed to users on one of the NCA’s fake booter sites. Image: NCA.

The NCA says all of its fake so-called “booter” or “stresser” sites — which have so far been accessed by several thousand people — have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks.

“However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators,” reads an NCA advisory on the program. “Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. Information relating to those based overseas is being passed to international law enforcement.”

The NCA declined to say how many phony booter sites it had set up, or for how long they have been running. The NCA says hiring or launching attacks designed to knock websites or users offline is punishable in the UK under the Computer Misuse Act 1990.

“Going forward, people who wish to use these services can’t be sure who is actually behind them, so why take the risk?” the NCA announcement continues.

The NCA campaign comes closely on the heels of an international law enforcement takedown involving four-dozen websites that made powerful DDoS attacks a point-and-click operation.

In mid-December 2022, the U.S. Department of Justice (DOJ) announced “Operation Power Off,” which seized four-dozen booter business domains responsible for more than 30 million DDoS attacks, and charged six U.S. men with computer crimes related to their alleged ownership of popular DDoS-for-hire services. In connection with that operation, the NCA also arrested an 18-year-old man suspected of running one of the sites.

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The United Kingdom, which has been battling its fair share of domestic booter bosses, started running online ads in 2020 aimed at young people who search the Web for booter services.

As part of last year’s mass booter site takedown, the FBI and the Netherlands Police joined the NCA in announcing they are running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

The First Line of Defense | Crafting an Impactful Incident Response Plan

Cybersecurity incidents are no longer black swan events in today’s world. In recent decades, they have become so common that few organizations are spared from the rippling effects of successful cyberattacks.

Having a strong incident response strategy is a crucial line of defense organizations have against threat actors. Depending on the type of incident and how impactful it is on the targeted organization, there are a large number of moving parts that make up the incident response process.

This blog post describes the essential elements of an effective cyber incident response plan. While there is no one way to build a cyber incident response plan, there are many key elements that security leaders can include to lead their organizations towards cyber preparedness.

The Importance of Having an Incident Response Plan

At its core, the incident response cycle involves detecting and identifying cyber threats followed by mitigation or containment, analysis, and lessons learned. Every cyber incident is different, and each one should be treated as a learning experience for the cyber incident response team.

If cyber incidents are not properly contained, they have the potential to cause significant impacts on the organization. Impacts can linger after the initial attack causing, in severe cases, loss of new business, damage to the organization’s reputation and branding, complex lawsuits, and even bankruptcy.

Treat Cyber Risk As A Strategic Risk

When planning cyber incident response, understanding the ‘why’ behind cybersecurity makes for a stronger foundation upon which leaders can build strategies, policies, and processes. As an example, let’s use Simon Sinek’s Golden Circle to frame an organization’s approach to incident response. Sinek’s model consists of the following three questions in this order: Why? How? What?

  1. Why do we need cybersecurity in the organization? Leaders may answer that they must protect the confidentiality, integrity, and availability of their organization’s information and resources.
  2. How can we do that? Many organizations approach cybersecurity holistically, focusing on people, processes, and technology.
  3. What does that do to business? Senior leadership may tie security to meeting their mission and objectives as it helps them serve their customers and protect their stakeholder’s interests with trust and transparency.

When organizational leaders treat cyber risk as a strategic risk, it sets the tone within the organization to think about security before carrying out any task. In the case of cyber incident response, starting with ‘why’ empowers teams to take a proactive approach to incident response rather than a reactive one.

Lay Out The Responsibilities of the Incident Response Team

The collective goal of a cybersecurity incident response team is to minimize the disruption and losses by identifying the incident in a timely manner and effectively mitigating the incident as quickly as possible.

Such a team commonly comprises experts from various business units. A collaborative effort is then coordinated to bring an incident to a quick resolution before the organization suffers from financial and reputational losses.

Though incident response teams will look different based on the size, industry, and needs of the business, they are typically responsible for the following key tasks:

  • Establishing Processes, Plans & Procedures – The incident response team takes into consideration the ‘why’ that leaders have defined. Processes are then tailored to meet that ‘why’ and identify clearly what an incident means to the organization. Using this, incident prioritization matrices and playbooks can be created based on likely security scenarios relevant to the business and industry.
  • Maintaining An Incident Response Inventory – Incident response teams need to be aware of trending cyber threats and keep themselves updated on all critical assets within the organization. The availability of incident analysis resources such as network diagrams, contact lists, and application inventory is a key success factor for incident response.
  • Incident Analysis – Incident response teams regularly evaluate and monitor for indicators of compromise and perform data collection activities for analysis. During active incidents, the team is responsible for determining if third-party support is needed to contain the threat. A security operations center (SOC) team plays a key role in this arena by identifying the incident indicators and responding to the incident in a timely manner. In recent times, organizations are using AI technology in their security stack to reduce mean-time-to-containment and respond to cyber threats effectively.
  • Communications & Reporting – Incident response teams follow predetermined channels for communications during and after a security incident. These channels will have outlined what needs to be reported, when it needs to be reported, and to whom it needs to be reported. As per the defined responsibilities, internal and external communications can be handled by the incident response team with direction from legal and PR teams. Notifying the appropriate cyber insurance providers, third party incident support, legal, and regulatory authorities as required can save organizations from liabilities and financial burdens.

Depending on the organization’s size, maturity, and industry, some roles within an incident response team may overlap. This is why defining responsibilities for each of the roles within the incident response plan is crucial to its success.

Determine Involvement From Internal & External Parties

A common misconception is that incident response is limited to IT and security teams, and no other parties are actively involved in dealing with a cyber incident. For a strong and cohesive incident response effort, incident response teams work best by knowing when to involve key contacts from other departments to carry out the plan.

Internal Dependencies

Incident response is a shared responsibility and champions from each department will need to be informed and trained in how best to support the incident response team during an active security event.

Internal dependencies refer to communications between the incident response team and representatives from IT, Physical Security, Legal, Risk Management, Human Resources, Public & Media Relations, Board of Advisors, and any other applicable head of department.

External Dependencies

External dependencies involve non-employees and non-owners of the company. This group refers to customers, vendors, third-party incident response partners, cyber insurance providers, legal representation, regulatory agencies, and law enforcement. The messaging to customers and vendors must be carefully directed by the Public & Media Relations team in consultation with the Legal team to ensure an approved and unified message is delivered across the board.

Involving cyber insurance providers and any third-party response partners is key from both a financial perspective and a response perspective. Often, incident response team members, including defined points of contact, are responsible for notifying the proper regulatory bodies and law enforcement as legally required to avoid fines.

Define The Scope for Future Improvement

While it is important to document processes and policies before cyberattacks occur, incident response teams are also integral in improving them in the case of an incident. The team ensures that senior leadership makes time to evaluate lessons learned after incidents and close the loop on any identified gaps and remediation tasks.

By holding lessons learned sessions, incident response teams can help leaders evaluate performance effectiveness, identify systemic challenges, and improve capabilities going forward. This is an invaluable element in improving an organization’s security posture over time that is often overlooked. Defining the scope for future improvement looks like:

  • Post Incident Activities – It is important to understand what worked and what did not during the incident response process. Any suggestions to streamline the process or plan can help improve the overall incident response plan for future, similar events. Keeping a log of the incidents may also prove valuable to organizations to approach response in a more structured and streamlined manner as it creates a measurable benchmark teams can reference again.
  • Actionable Metrics – Defining metrics around incident categories allows organizations to take a look at their risk assessment process, which can help senior leaders iterate required controls and mitigation measures. Tracking similar types of incidents and understanding if the time per incident has decreased are strong indicators that prove the current incident response is working.
  • Updated Training & New Exercises – Carrying out periodic cross-functional training and tabletop exercises can help teams prepare better and aid in identifying gaps. Most importantly, it allows teams to understand how they need to communicate with each other and collaborate during an incident.

Conclusion

Successful incident response requires collaboration across an organization’s internal and external parties. As cyber incident response teams work on reducing the time-to-containment, it is essential for organizations to think about incident response holistically. A top-down approach, in which senior leadership fosters a culture of strong security, encourages every department to do its part to support the response in case of an incident.

Security leaders from all industry verticals have partnered with SentinelOne to augment their security vision and safeguard their company’s critical data. As incident response teams and leaders work together to build security resilience and implement long-term initiatives, SentinelOne’s industry experts are on hand to assist organizations as they stand up their new strategies. Contact us for more information, or sign up for a demo today.

The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good

Dark forum site operator ‘Pompompurin’ was arrested this week by U.S. law enforcement on the charge of conspiracy to commit access device fraud. Conor Brian Fitzpatrick was arrested at his home, where he admitted to using this alias and to owning and administering the website BreachForums, well-known across the cybercrime ecosystem for hosting stolen databases and selling personal data for fraudulent activities. Officials reported that Fitzpatrick had been under close investigation for over a year before the arrest.


After the DoJ announced the successful seizure of the RaidForums website in April of 2022, it was widely speculated that Fitzpatrick created BreachForums as its successor. Since then, BreachForums has gained notoriety for being one of the most active hacker forums available to cybercriminals.

Under the Pompompurin alias, Fitzpatrick quickly filled in the gap of selling and leaking sensitive information through social media, propelling the site to become one of the largest data leak forums of its kind. Fitzpatrick has also been connected to various high-profile cyberattacks, including those involving the FBI, Twitter, and the popular online stock trading platform Robinhood. At the time of its takedown, BreachForums had more than 330,000 members, 47,000 threads, and almost one million posts.

Though the site is now defunct, these seizures remain critical in the uphill fight against increasingly sophisticated cybercrime syndicates. BreachForums was just one of many leak sites and dark marketplaces causing ongoing damage to government organizations and enterprises of all industries. Just as BreachForums rose from the ashes of RaidForums, it is vital for businesses to remain vigilant with protecting their data from opportunistic threat actors as new forums inevitably continue to propagate.

The Bad

A new Go-based, DDoS-focused malware dubbed ‘HinataBot’ hit the scene this week, taking its name from the popular anime series, Naruto. According to researchers, the threat actors behind the new malware were first observed in December of last year and have since started to develop their own malware approximately two months ago. Current indications point to the malware’s active evolution as it is updated by its authors and operators.

HinataBot is written in Golang and is the latest in emerging Go-based threats that continue to proliferate in the cyber underground. Go is increasingly in use by attackers for its high performance and support for multiple architectures. Security researchers have noted that Go-based malware presents extra challenges to analyze and reverse engineer.

So far, samples of the malware have been discovered in HTTP and SSH honeypots, where they have been observed abusing weak credentials and old remote code execution (RCE) vulnerabilities from as far back as nearly a decade ago. Analysis on the infection process for HinataBot has shown exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), as well as exposed Hadoop YARN servers.

The discovery of HinataBot brings to light the responsibility of organizations to deepen their visibility into deployed services as well as weak spots in their overall infrastructure. In this case, nearly 10-year-old vulnerabilities are still being exploited as threat actors continue to use overlooked or low-hanging resources to evade detection, build on new functionalities, and get a high return on small investments.

The Ugly

In a joint technical report released this week by SentinelLabs researchers and QGroup GmbH, telecom providers in the Middle East have become the latest target in a long-running cyberattack campaign dubbed Operation Tainted Love. Based on the investigations, this campaign has been attributed to Chinese-based cyber espionage threat actors.

Initial attack vectors observed in the string of cyberattacks began with the infiltration of Internet-facing Microsoft Exchange servers to deploy web shells for command execution. After securing a foothold, the attacker conducted a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities.

In the latest attacks on Middle Eastern telecom providers, the actors have been seen deploying a custom variant of Mimikatz called mim221 to facilitate lateral movement techniques and privilege escalation as well as all-new anti-detection and credential theft capabilities. Special-purpose modules like these underscore the threat actor’s drive to advance their toolset with a marked focus on stealth. Techniques noted by SentinelLabs researchers included in-memory mapping of malicious images to evade EDR API hooks and file-based detections, the termination of Event Log threads instead of the host process to inhibit logging without raising suspicions, and staging a credential theft capability in the LSASS process itself by abusing native Windows capabilities.

mim221 execution overview

Telecom providers find themselves frequently in the crosshairs of attack for the large amounts of personal client data they hold and sensitive information transmitted. This campaign is expected to continue as the Chinese-linked threat actors upgrade their malware and zero in on strategic targets in the Middle East.

Google Suspends Chinese E-Commerce App Pinduoduo Over Malware

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.

In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device.

Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborating further. The highly technical writeup also did not name the malicious app in question.

On Feb. 28, 2023, researchers at the Chinese security firm DarkNavy published a blog post purporting to show evidence that a major Chinese ecommerce company’s app was using this same three-exploit chain to read user data stored by other apps on the affected device, and to make its app nearly impossible to remove.

The three Samsung exploits that DarkNavy says were used by the malicious app. In November 2022, Google documented these three same vulnerabilities being used together to compromise Samsung devices.

DarkNavy likewise did not name the app they said was responsible for the attacks. In fact, the researchers took care to redact the name of the app from multiple code screenshots published in their writeup. DarkNavy did not respond to requests for clarification.

“At present, a large number of end users have complained on multiple social platforms,” reads a translated version of the DarkNavy blog post. “The app has problems such as inexplicable installation, privacy leakage, and inability to uninstall.”

On March 3, 2023, a denizen of the now-defunct cybercrime community BreachForums posted a thread which noted that a unique component of the malicious app code highlighted by DarkNavy also was found in the ecommerce application whose name was apparently redacted from the DarkNavy analysis: Pinduoduo.

A Mar. 3, 2023 post on BreachForums, comparing the redacted code from the DarkNavy analysis with the same function in the Pinduoduo app available for download at the time.

On March 4, 2023, e-commerce expert Liu Huafang posted on the Chinese social media network Weibo that Pinduoduo’s app was using security vulnerabilities to gain market share by stealing user data from its competitors. That Weibo post has since been deleted.

On March 7, the newly created Github account Davinci1010 published a technical analysis claiming that until recently Pinduoduo’s source code included a “backdoor,” a hacking term used to describe code that allows an adversary to remotely and secretly connect to a compromised system at will.

That analysis includes links to archived versions of Pinduoduo’s app released before March 5 (version 6.50 and lower), which is when Davinci1010 says a new version of the app removed the malicious code.

Pinduoduo has not yet responded to requests for comment. Pinduoduo parent company PDD Holdings told Reuters Google has not shared details about why it suspended the app.

The company told CNN that it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google,” and said there were “several apps that have been suspended from Google Play at the same time.”

Pinduoduo is among China’s most popular e-commerce platforms, boasting approximately 900 million monthly active users.

Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store — Google Play.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” a Google spokesperson said in a statement to Reuters, adding that the Play version of the app has been suspended for security concerns.

However, Google Play is not available to consumers in China. As a result, the app will still be available via other mobile app stores catering to the Chinese market — including those operated by Huawei, Oppo, Tencent and VIVO.

Google said its ban did not affect the PDD Holdings app Temu, which is an online shopping platform in the United States. According to The Washington Post, four of the Apple App Store’s 10 most-downloaded free apps are owned by Chinese companies, including Temu and the social media network TikTok.

The Pinduoduo suspension comes as lawmakers in Congress this week are gearing up to grill the CEO of TikTok over national security concerns. TikTok, which is owned by Beijing-based ByteDance, said last month that it now has roughly 150 million monthly active users in the United States.

A new cybersecurity strategy released earlier this month by the Biden administration singled out China as the greatest cyber threat to the U.S. and Western interests. The strategy says China now presents the “broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”