PinnacleOne ExecBrief | Cyber Strategy in Focus: Talent, Tools, and Intel

Last week, PinnacleOne examined the growing trend towards digital sovereignty, manifesting in national competition to secure and lead increasingly strategic cloud, AI, and space networks.

This week, we consider what the Office of National Cyber Director’s Annual Report means to modern enterprises.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Stratagem

The Office of the National Cyber Director (ONCD) released its inaugural report on the cybersecurity posture of the U.S. last week. The report detailed a contested, complex, and interconnected environment for the U.S. government to navigate. Underlining the greatest hits of last year, like the Volt Typhoon disclosures and multiple takedowns of criminal hacking groups, the report detailed the offensive steps the government took to impact malicious actors. But, most of the content is focused on what the government can do to improve defensive conditions in the U.S. To that end, we have adapted some of the report’s themes for modern enterprise defenders to consider.

Talent

Who are you hiring? The U.S. is a leader in cybersecurity education and talent training. Governments around the world, including China, copied early U.S. efforts to educate a generation of defenders and hackers. The highly-respected National Security Agency, along with many other federal government partners, certified some universities as Centers of Academic Excellence. Their graduates are sure to make excellent hires for corporate cybersecurity teams.

The people hired to run your cybersecurity shop are the most important thing you will spend your budget on. Your team designs the business processes, deploys the tools, conducts hunts, remediates incidents, and protects the bottom line. But, good talent costs money and cybersecurity teams are frequently hamstrung by the payscale HR sets.

Consider what the U.S. government has done: exempting cybersecurity talent from government pay scales and allowing experts to grow in place. This HR system is two-fold. First, cybersecurity jobs are on a different pay scale than other government jobs to attract qualified candidates. Second, defenders are allowed to grow their compensation in place. Mature teams need experts, and experts need to remain in their domain of expertise to provide value to the organization. Too often, pay increases are only accessible to people as they move up the corporate management ladder. To stop this loss of talent, some government agencies will advance technical experts up the pay scale consistent with the highest levels of management pay, just to keep that person in place and not incentivize them to pursue management.

Procurement

Use your money wisely and demand more from your suppliers. The U.S. government is moving to use its purchasing power to drive cybersecurity requirements. Because it is such a massive purchaser, it is nearly impossible for individual companies to match the influence of the U.S. government. That said, if industry associations move in concert to require specific features or design protocols as a condition of purchasing goods, and these requirements are clearly articulated with timelines for implementation, they may well have the intended impact. Coordinating with partners through your industry’s ISAC is a good place to start.

Intelligence

Who can provide you visibility into the things you need to know about the systems you rely on? How does that provider gain information about particular threat actors, their interests, and how do they communicate it to you?

Cyber threat intelligence is often consumed by cybersecurity teams not mature enough to use it. These teams accept whatever cut-rate intelligence they can afford without thought to the provider’s visibility, value to defenders, and timeliness of intelligence. When they do receive an intelligence report, it is often marveled at, categorized, and then forgotten.

Mature teams digest intelligence differently. They understand the frequency at which tools are scanning, collecting, and disseminating. They understand the threat landscape well enough to know which threat actors matter most to them, including when to action intelligence with a threat hunt in their environment and when to ignore it.

The 2024 Annual Report from the Office of the National Cyber Director emphasizes the importance of accurate and timely intelligence distribution to defenders. What is in your hands is whether the intelligence that reaches your team can be put to use.

Going Forward

Companies cannot control the threat environment in which they operate. The reams of technology deployed across corporate enterprises today are almost entirely out of the control of their consumers. But, there are important levers corporate leadership can pull to improve network security: talent, procurement, and intelligence.

Talent is the base of cybersecurity. Top-notch defenders should work in concert with IT teams to determine procurement decisions of tools, hardware, and software in the environment. Finally, those same teams will be mature enough to find good intelligence from providers with the visibility required to provide impactful analysis. The U.S. government may be far different from modern enterprise, but the ONCD’s recent report gives the C-suite much to chew on.

Cloud Native Security | Prioritize Better, Respond Faster, with Verified Exploit Paths™

This week, SentinelOne launched Singularity™ Cloud Native Security (CNS), our agentless Cloud Native Application Protection Platform (CNAPP) uniquely designed to assess cloud environments through the eyes of a threat actor. As attackers increasingly target cloud environments, SentinelOne’s latest solution helps organizations better defend against these attacks.

CNS simulates attack methods to verify exploit pathways, so-called Verified Exploit Paths™. In so doing, CNS reduces the noise of the theoretically possible so that cloud security practitioners can focus on fixing what matters most.

In this blog post, Ely Kahn, VP of Product Management for Cloud Security, AI/ML, and Core Platform, and Anand Prakash, Product Leader for SentinelOne’s Cloud Native Security, explore the value and outcomes of Cloud Native Security. Learn how our agentless CNAPP with a unique Offensive Security Engine™ is set to help security, developers, and cloud teams collaborate and communicate to radically reduce their cloud and container attack surfaces.

Think Like An Attacker | The Vision for Cloud Native Security (CNS)

Ely: Anand, could you outline our overall vision for Cloud Native Security (CNS)?

Anand: For me, Cloud Native Security (CNS) is cloud security that Thinks Like An Attacker.

As organizations build and run their multi-cloud and container environments, there are many security concerns: OS and application level vulnerabilities, misconfigured cloud services, overly permissive cloud identities, misconfigured container deployments, leaked credentials … the list goes on. Aside from meeting compliance needs and building cross-functional collaboration workflows with other teams, cloud defenders must ensure visibility across the entire estate to build and enforce security policies. They simply have too much to do and insufficient time or resources. On the other side, attackers have a single and clear remit: to find ONE way in.

Cloud Native Security provides a unified view of all the risks listed above and, importantly, applies an attacker’s mindset to a cloud attack surface to highlight which areas of cloud insecurity represent genuinely exploitable risks. CNS communicates the critical areas of your cloud environment where there’s immediate exploitation potential, providing evidence with screenshots and code snippets. We call these Verified Exploit Paths™.

Sometimes, a CVSS score isn’t sufficient to communicate a risk’s impact. Understanding hundreds of potential theoretical Attack Paths wastes everybody’s time investigating never-exploitable threats. CNS focuses on providing evidence, which not only means no false positives but also helps cloud security teams effectively work with their peers to remediate cloud issues rapidly.

Ely: That autonomous attacker’s mindset is extremely valuable to customers. I think it’s worth talking about how that’s achieving several things for security teams including:

  • Identifying which risks are exploitable and which require alert prioritization
  • Validating the nature of the risk and providing evidence of the attack vector, which automates the finding deconfliction process
  • How the provision of evidence speeds up remediation by providing all teams the “so what” that’s often required to drive action

Now that we’ve got the bigger picture, let’s talk about how Cloud Native Security achieves this.

Instant Visibility and Coverage

Anand: Let’s start with how we first engage with our customers, the onboarding process.

As an agentless CNAPP, CNS onboarding takes minutes, and results are immediate. CNS is an incredibly efficient onboarding wizard that steps customers through onboarding their multi-cloud environments. It provides templates to deploy, and within minutes, allows customers to set up read-access across AWS, Microsoft Azure, Google GCP, Oracle Cloud, Alibaba Cloud, and Digital Ocean.

That’s all CNS requires to return with immediate observability and comprehensive security across cloud infrastructure within minutes. Additionally, CNS automatically detects new accounts, projects, and subscriptions as they’re spun up. This is very important to ensure our customers have complete visibility of their ever-changing estate.

In their feedback, our customers describe a struggle with cloud asset sprawl, or “shadow cloud”. This visibility is the start of all security for me, as you can’t protect what you can’t see, or don’t know exists!

CNS provides a full cloud Asset Inventory and an easy-to-navigate graph explorer of the cloud environment. The image below shows the SentinelOne Graph Explorer, which visually analyzes cloud resources. All security issues have a pre-built link view of the potential blast radius of cloud resources affected by an identified vulnerability or misconfiguration. It’s also a convenient and visual method of writing queries or creating custom policies. Any search and view can be converted to reusable security policies in a few clicks.

Cloud Security Posture Management (CSPM)

Ely: Let’s move on to misconfigurations. Cloud misconfigurations can often cause trouble for security and cloud teams. Let’s talk about our cloud security posture management (CSPM).

Anand: To help cloud and security analysts hunt for cloud misconfigurations, CNS has over 2,000 built-in checks, including the ability to easily add custom checks. These checks cover a broad range of cloud services and can be quickly searched by severity, cloud provider, or service type.

For each misconfiguration alert, CNS provides details on the nature of the resource and links to the affected resource within the native Cloud Service Provider console. Alerts include a quick description of the misconfiguration and provide an impact statement on why that particular misconfiguration is dangerous. CNS then lists recommended actions for engineers to remediate. Beyond the recommendations, one-click and automated remediation is available depending on the nature of the misconfiguration.

Currently for each misconfiguration, you can assign a particular analyst, apply labels so that analysts can document their progress, and provide an activity overview to allow users to audit actioning. As expected, CNS also integrates with ITSM providers like Jira to provide alerting workflows that your teams may prefer.

Ely: How are we helping customers from a compliance lens? Cloud posture and misconfigurations are often viewed within the context of compliance.

Anand: They are! While attackers don’t care about compliance, it’s a vital business requirement. To help security analysts easily meet their compliance requirements, CNS includes a dedicated dashboard for your chosen compliance standards. It covers NIST, SOC, ISO, CIS, and many more regulatory frameworks. CNS also includes real-time compliance score tracking over time that can help communicate a team’s progress within your organization.

Agentless Vulnerability Scanning

Anand: In addition to contextualizing cloud assets and hunting for cloud misconfigurations, CNS has agentless vulnerability scanning across running virtual machines and containers. Vulnerability Management checks for vulnerabilities in OS packages, libraries, and running applications, to identify potential security risks. This scanning is continuous to provide an up-to-date view of your cloud health. CNS uses a rich repository of known vulnerabilities from 25+ databases, including CISA KEV, CVE, RedHat, NVD, MSRP, Kubernetes Security, OSVDB, and more. This ensures that organizations are safeguarded against new attack vectors, providing comprehensive protection for their entire cloud estate.

Additionally, our Vulnerability Management includes a software bill of materials (SBOM) detailing a resource’s inventory of components, libraries, and dependencies. Like how we handle misconfigurations, each vulnerability alert has a graphical view of the affected resources and can be assigned and tracked. Each vulnerability has details to contextualize the alert including the CVSS score, the EPSS score, and an overview of the Attack Vector, Attack Complexity, Privileges Required, User Interaction, Confidentiality Impact, Integrity Impact, Availability Impact, and Scope.

Ely: The real value is how CNS prioritizes alerts of vulnerabilities which are public internet-facing, and which vulnerabilities are connected to resources that are also misconfigured, which raises the risk profile of those assets. It’s tying together all the features we have discussed so far.

Now we have discussed cloud visibility and asset inventory, hunting misconfigurations with CSPM, and covered Vulnerability Management. These are all security features that assess running cloud environments. How are we helping customers as they build? For misconfigurations, how can we shift our security left?

Infrastructure as Code (IaC) Scanning

Anand: This is where I like to talk about the opportunity of Infrastructure as Code (IaC) Scanning. Many organizations leverage IaC to build repeatable architecture, and golden IaC templates are a great way to prevent resource misconfigurations. CNS identifies pre-production issues in IaC template files like Terraform and CloudFormation.

To enable this, CNS has multiple integrations with popular Version Control Systems to scan those templates and pinpoint misconfigurations before they reach production. Within the DevOps pipeline, we ensure consistent, repeatable, and appropriate configurations are codified according to best practices. This shift-left approach to security enables cloud and DevOps engineers to address issues and ensure best practices within the build phase.

For issues that are not immediately worrisome and exploitable, I always recommend fixing them via the IaC approach, as it is always safer and less intrusive than making changes to live cloud environments.

Container & Kubernetes Security

Anand: For our clients needing container and Kubernetes security, CNS has simple and quick integration with popular CI/CD platforms to enable vulnerability scans of container images as they are built. By providing developers with feedback early in the development phase, security issues can be remediated before they make it to production.

Another way we can help cloud defenders shift their security left is by scanning container configuration files for Kubernetes (including Helm and manifests) to hunt for Kubernetes misconfigurations. Kubernetes is a widely-adopted container orchestration platform, notorious for overly permissive configurations that create unique security challenges for containerized workloads.

Kubernetes Security Posture Management (KSPM) goes well beyond CSPM which is ill-suited to the intricacies of Kubernetes network configurations and interpod communications. Our KSPM spans from the shift-left scan to real-time visibility of clusters and their activity. The KSPM capabilities within CNS deliver comprehensive visibility into workloads, nodes, pods, containers, and the Kubernetes API, enabling continuous monitoring and evaluation of your Kubernetes security stance.

CNS offers insights into your compliance posture, encompassing CIS Benchmarks for EKS, GKE, and AKS, the managed K8s services from the three leading cloud service providers, as well as the CIS Kubernetes Framework. For example, with CNS, customers pinpoint overly permissive roles, and detect namespaces lacking proper labeling to enforce Kubernetes-specific pod security standards.

Another example of CNS security checks across the build lifecycle is Secret Scanning.

Ely: This is so important – compromised credentials remain one of the primary causes of cloud security failures. It can be incredibly easy to leak API keys or accidentally hard code credentials during development, testing and staging, and the risk profile is massive given their power. From an attacker’s perspective, we often see automated repository scans for credentials, as they can appear in clear text. This is an easy point of entry for threat actors to log in rather than hack into a cloud account, a web application, or part of your cloud infrastructure.

Secret Scanning

Anand: That’s exactly right, Ely, and this is something I used to build as well as a bug bounty hunter and ethical hacker. We are proud to announce Cloud Native Security leads the industry with over 750 distinct types of secrets and credentials that we scan for across code repositories and configuration files.

CNS periodically scans codebases within build environments and configuration files as well as public and private repositories of the organization, and public repositories of associated developers, to detect and alert on potential exposure of secrets and prevent credential leakage.

By automatically and meticulously scanning each commit, we ensure peace of mind that leakage is detected within seconds. Additionally, CNS flags for any newly created public repositories, ensuring that any fresh codebases are brought immediately to the attention of security teams for scanning and review.

For each Secret alert, alongside the typical impact, recommended action and alerting options, CNS provides a detailed overview of the sensitive data that has been exposed or is at risk. A concise list view provides crucial insights, including the specific type of secret, its location with a linked source and code snippet, the file name, the discovery time, and the user who committed it.

Crucially, CNS validates each secret alert, indicating if the exposed data is currently considered “valid” or not. This validation has its own timestamp and can be re-run with the click of the button, allowing analysts to validate risk in real time and monitor how remediation de-risks an environment. By clicking on “Revalidate”, the system will re-scan the secret and update its status accordingly. It’s especially useful when teams believe they’ve remediated a detected secret or when they suspect that the initial detection might have been a false positive.

However, CNS also goes a step further. CNS is able to block and prevent credential leakage in real-time, with enforcement mechanisms to ensure secret-free merges.
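As an added example of the commit-level check described above (not CNS or SentinelOne code), here is a small Python scanner that walks only the added lines of a unified diff, matches a handful of publicly documented credential formats, falls back to an entropy check for unknown formats, and redacts what it reports so the finding itself does not re-leak the secret. The pattern names, the entropy threshold and the sample diff are assumptions of this example; the one real-looking key is Amazon's documented example value.

```python
"""Added example, not CNS code: a pre-merge secret scan over a unified diff."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detector patterns. The key formats are publicly documented (AWS access key IDs
# begin with AKIA/ASIA, GitHub personal tokens with ghp_); the names are ours.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # "password = '...'" style assignments; the value is capture group 1
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5  # assumption: tuned for base64-like tokens, not hex


@dataclass
class Finding:
    kind: str
    path: str
    line_no: int
    redacted: str  # the full secret is never stored or printed


def shannon_entropy(s):
    """Bits per character; 32 distinct characters in a 32-char string give 5.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_diff(diff_text):
    """Return Findings for secrets on added lines only; removed lines are ignored."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):  # hunk header: reset the new-file line counter
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed lines and the '---' header
        if raw.startswith(" "):
            new_line += 1  # unchanged context line
            continue
        if not raw.startswith("+"):
            continue  # 'diff --git', 'index', and other non-hunk lines
        new_line += 1
        text = raw[1:]
        matched = False
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(kind, path, new_line, redact(value)))
                matched = True
        if not matched:  # fall back to an entropy check for unknown formats
            for tok in TOKEN_RE.findall(text):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append(Finding("high_entropy_string", path, new_line, redact(tok)))
    return findings


def merge_allowed(diff_text):
    """The gate a pre-merge hook would enforce: no findings, or no merge."""
    return not scan_diff(diff_text)


# Constructed sample diff; the AWS key is Amazon's documented example value.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-PASSWORD = "changeme"
+PASSWORD = "correct-horse-battery"
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
+SIGNING_SEED = "abcdefghijklmnopqrstuvwxyz012345"
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
    print("merge allowed:", merge_allowed(SAMPLE_DIFF))
```

The removed `PASSWORD = "changeme"` line is deliberately not reported: a pre-merge gate cares about what the merge would add, and the old value is handled by rotating it.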

Finally, CNS has a revolutionary Offensive Security Engine, the industry’s first autonomous red team approach to cloud security. This is the attacker’s mindset that we began our conversation with.

Offensive Security Engine

Anand: Across all of CNS’ findings, the Offensive Security Engine runs to differentiate between the theoretical and the exploitable. To begin, each reported issue includes a trace of the path through which the insecurity was detected. Via this path, CNS simulates attacker methods with de-fanged attacks. CNS then captures the response to validate the impact of an attack and provide evidence of exploitability. This Verified Exploit Path™ with evidence means that each Offensive Security Engine alert is proof-positive – there’s zero opportunity for false negatives with these findings. This is prioritization at its finest.

Ely: Again this is a revolutionary approach to cloud security. The Offensive Security Engine allows security teams to contextualize their cloud alerts, cut through the theoretical noise and focus on remediating the truly critical exploitable risks first to have maximum positive impact on the business’ cloud posture.

This is outcomes-focused, autonomous security for cloud defenders. With this launch, the agentless security capabilities are part of the greater whole of the Singularity Platform.

Cloud Security in The Singularity Platform

CNS has native integration to the Singularity Data Lake for investigation and custom detection purposes. The findings are in the universal Open Cybersecurity Schema Framework (OCSF) format. This means CNS alerting and findings can be correlated and combined with telemetry and findings from SentinelOne’s agent-based cloud security, our Cloud Workload Security, alongside our Endpoint Security telemetry and additional partner feeds.

Conclusion | Learn How Cloud Native Security Keeps Clouds Secure

Circling back to outcomes, Cloud Native Security (CNS) tackles the challenges customers face in adopting cloud platforms: sprawling asset footprints, too much noise from security alerting, not enough time, and preventable issues being detected too late.

CNS offers customers a breadth of coverage, supporting all major cloud providers, source code repositories, Kubernetes environments, and CI/CD pipelines. Installation is easy and fast, with near instant visibility in returning cloud assets inventory and assessing for issues.

Most importantly, Cloud Native Security provides evidence-based reporting of issues using a unique Offensive Security Engine. Beyond detecting issues, CNS validates which concerns are genuine with evidence of exploitation.

CNS is set to revolutionize cloud security for modern enterprises and provide security professionals with the tools they need to secure today, tomorrow, and beyond. Saving time and maximizing resources with evidence based Verified Exploit Paths™ ensures enterprises can focus on business-critical operations and build up a strong and lasting cloud cyber posture.

Book a demo or contact us today to see how SentinelOne’s Cloud Native Security is set to radically improve enterprise cloud security posture.


How Did Authorities Identify the Alleged Lockbit Boss?

Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit’s leader “LockBitSupp” claims the feds named the wrong guy, saying the charges don’t explain how they connected him to Khoroshev. This post examines the activities of Khoroshev’s many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.

Dmitry Yuryevich Khoroshev. Image: treasury.gov.

On May 7, the U.S. Department of Justice indicted Khoroshev on 26 criminal counts, including extortion, wire fraud, and conspiracy. The government alleges Khoroshev created, sold and used the LockBit ransomware strain to personally extort more than $100 million from hundreds of victim organizations, and that LockBit as a group extorted roughly half a billion dollars over four years.

Federal investigators say Khoroshev ran LockBit as a “ransomware-as-a-service” operation, wherein he kept 20 percent of any ransom amount paid by a victim organization infected with his code, with the remaining 80 percent of the payment going to LockBit affiliates responsible for spreading the malware.

Financial sanctions levied against Khoroshev by the U.S. Department of the Treasury listed his known email and street address (in Voronezh, in southwest Russia), passport number, and even his tax ID number (hello, Russian tax authorities). The Treasury filing says Khoroshev used the emails sitedev5@yandex.ru, and khoroshev1@icloud.com.

According to DomainTools.com, the address sitedev5@yandex.ru was used to register at least six domains, including a Russian business registered in Khoroshev’s name called tkaner.com, which is a blog about clothing and fabrics.

A search at the breach-tracking service Constella Intelligence on the phone number in Tkaner’s registration records — 7.9521020220 — brings up multiple official Russian government documents listing the number’s owner as Dmitri Yurievich Khoroshev.

Another domain registered to that phone number was stairwell[.]ru, which at one point advertised the sale of wooden staircases. Constella finds that the email addresses webmaster@stairwell.ru and admin@stairwell.ru used the password 225948.

DomainTools reports that stairwell.ru for several years included the registrant’s name as “Dmitrij Ju Horoshev,” and the email address pin@darktower.su. According to Constella, this email address was used in 2010 to register an account for a Dmitry Yurievich Khoroshev from Voronezh, Russia at the hosting provider firstvds.ru.


Cyber intelligence firm Intel 471 finds that pin@darktower.ru was used by a Russian-speaking member called Pin on the English-language cybercrime forum Opensc. Pin was active on Opensc around March 2012, and authored 13 posts that mostly concerned data encryption issues, or how to fix bugs in code.

Other posts concerned custom code Pin claimed to have written that would bypass memory protections on Windows XP and Windows 7 systems, and inject malware into memory space normally allocated to trusted applications on a Windows machine.

Pin also was active at that same time on the Russian-language security forum Antichat, where they told fellow forum members to contact them at the ICQ instant messenger number 669316.

NEROWOLFE

A search on the ICQ number 669316 at Intel 471 shows that in April 2011, a user by the name NeroWolfe joined the Russian cybercrime forum Zloy using the email address d.horoshev@gmail.com, and from an Internet address in Voronezh, RU.

Constella finds the same password tied to webmaster@stairwell.ru (225948) was used by the email address 3k@xakep.ru, which Intel 471 says was registered to more than a dozen NeroWolfe accounts across just as many Russian cybercrime forums between 2011 and 2015.

NeroWolfe’s introductory post to the forum Verified in Oct. 2011 said he was a system administrator and C++ coder.

“Installing SpyEYE, ZeuS, any DDoS and spam admin panels,” NeroWolfe wrote. This user said they specialize in developing malware, creating computer worms, and crafting new ways to hijack Web browsers.

“I can provide my portfolio on request,” NeroWolfe wrote. “P.S. I don’t modify someone else’s code or work with someone else’s frameworks.”

In April 2013, NeroWolfe wrote in a private message to another Verified forum user that he was selling a malware “loader” program that could bypass all of the security protections on Windows XP and Windows 7.

“The access to the network is slightly restricted,” NeroWolfe said of the loader, which he was selling for $5,000. “You won’t manage to bind a port. However, it’s quite possible to send data. The code is written in C.”

In an October 2013 discussion on the cybercrime forum Exploit, NeroWolfe weighed in on the karmic ramifications of ransomware. At the time, ransomware-as-a-service didn’t exist yet, and many members of Exploit were still making good money from “lockers,” relatively crude programs that locked the user out of their system until they agreed to make a small payment (usually a few hundred dollars via prepaid Green Dot cards).

Lockers, which presaged the coming ransomware scourge, were generally viewed by the Russian-speaking cybercrime forums as harmless moneymaking opportunities, because they usually didn’t seek to harm the host computer or endanger files on the system. Also, there were still plenty of locker programs that aspiring cybercriminals could either buy or rent to make a steady income.

NeroWolfe reminded forum denizens that they were just as vulnerable to ransomware attacks as their would-be victims, and that what goes around comes around.

“Guys, do you have a conscience?,” NeroWolfe wrote. “Okay, lockers, network gopstop aka business in Russian. The last thing was always squeezed out of the suckers. But encoders, no one is protected from them, including the local audience.”

If Khoroshev was ever worried that someone outside of Russia might be able to connect his early hacker handles to his real life persona, that’s not clear from reviewing his history online. In fact, the same email address tied to so many of NeroWolfe’s accounts on the forums — 3k@xakep.ru — was used in 2011 to create an account for a Dmitry Yurevich Khoroshev on the Russian social media network Vkontakte.

NeroWolfe seems to have abandoned all of his forum accounts sometime in 2016. In November 2016, an exploit[.]ru member filed an official complaint against NeroWolfe, saying NeroWolfe had been paid $2,000 to produce custom code but never finished the project and vanished.

It’s unclear what happened to NeroWolfe or to Khoroshev during this time. Maybe he got arrested, or some close associates did. Perhaps he just decided it was time to lay low and hit the reset on his operational security efforts, given his past failures in this regard. It’s also possible NeroWolfe landed a real job somewhere for a few years, fathered a child, and/or had to put his cybercrime career on hold.

PUTINKRAB

Or perhaps Khoroshev saw the coming ransomware industry for the endless pot of gold that it was about to become, and then dedicated himself to working on custom ransomware code. That’s what the government believes.

The indictment against Khoroshev says he used the hacker nickname Putinkrab, and Intel 471 says this corresponds to a username that was first registered across three major Russian cybercrime forums in early 2019.

KrebsOnSecurity could find no obvious connections between Putinkrab and any of Khoroshev’s older identities. However, if Putinkrab was Khoroshev, he would have learned from his past mistakes and started fresh with a new identity (which he did). But also, it is likely the government hasn’t shared all of the intelligence it has collected against him (more on that in a bit).

Putinkrab’s first posts on the Russian cybercrime forums XSS, Exploit and UFOLabs saw this user selling ransomware source code written in C.

A machine-translated ad for ransomware source code from Putinkrab on the Russian language cybercrime forum UFOlabs in 2019. Image: Ke-la.com.

In April 2019, Putinkrab offered an affiliate program that would run on top of his custom-made ransomware code.

“I want to work for a share of the ransoms: 20/80,” Putinkrab wrote on Exploit. “20 percent is my percentage for the work, you get 80% of the ransoms. The percentage can be reduced up to 10/90 if the volumes are good. But now, temporarily, until the service is fully automated, we are working using a different algorithm.”

Throughout the summer of 2019, Putinkrab posted multiple updates to Exploit about new features being added to his ransomware strain, as well as novel evasion techniques to avoid detection by security tools. He also told forum members he was looking for investors for a new ransomware project based on his code.

In response to an Exploit member who complained that the security industry was making it harder to profit from ransomware, Putinkrab said that was because so many cybercriminals were relying on crappy ransomware code.

“The vast majority of top antiviruses have acquired behavioral analysis, which blocks 95% of crypto-lockers at their root,” Putinkrab wrote. “Cryptolockers made a lot of noise in the press, but lazy system administrators don’t make backups after that. The vast majority of cryptolockers are written by people who have little understanding of cryptography. Therefore, decryptors appear on the Internet, and with them the hope that files can be decrypted without paying a ransom. They just sit and wait. Contact with the owner of the key is lost over time.”

Putinkrab said he had every confidence his ransomware code was a game-changer, and a huge money machine.

“The game is just gaining momentum,” Putinkrab wrote. “Weak players lose and are eliminated.”

The rest of his response was structured like a poem:

“In this world, the strongest survive.
Our life is just a struggle.
The winner will be the smartest,
Who has his head on his shoulders.”

Putinkrab’s final post came on August 23, 2019. The Justice Department says the LockBit ransomware affiliate program was officially launched five months later. From there on out, the government says, Khoroshev adopted the persona of LockBitSupp. In his introductory post on Exploit, LockBit’s mastermind said the ransomware strain had been in development since September 2019.

The original LockBit malware was written in C (a language that NeroWolfe excelled at). Here’s the original description of LockBit, from its maker:

“The software is written in C and Assembler; encryption is performed through the I/O Completion Port; there is a port scanning local networks and an option to find all DFS, SMB, WebDAV network shares, an admin panel in Tor, automatic test decryption; a decryption tool is provided; there is a chat with Push notifications, a Jabber bot that forwards correspondence and an option to terminate services/processes in line which prevent the ransomware from opening files at a certain moment. The ransomware sets file permissions and removes blocking attributes, deletes shadow copies, clears logs and mounts hidden partitions; there is an option to drag-and-drop files/folders and a console/hidden mode. The ransomware encrypts files in parts in various places: the larger the file size, the more parts there are. The algorithms used are AES + RSA.

You are the one who determines the ransom amount after communicating with the victim. The ransom paid in any currency that suits you will be transferred to your wallets. The Jabber bot serves as an admin panel and is used for banning, providing decryption tools, chatting – Jabber is used for absolutely everything.”

CONCLUSION

Does the above timeline prove that NeroWolfe/Khoroshev is LockBitSupp? No. However, it does indicate Khoroshev was for many years deeply invested in countless schemes involving botnets, stolen data, and malware he wrote that others used to great effect. NeroWolfe’s many private messages from fellow forum members confirm this.

NeroWolfe’s specialty was creating custom code that employed novel stealth and evasion techniques, and he was always quick to volunteer his services on the forums whenever anyone was looking for help on a malware project that called for a strong C or C++ programmer.

Someone with those qualifications — as well as demonstrated mastery of data encryption and decryption techniques — would have been in great demand by the ransomware-as-a-service industry that took off at around the same time NeroWolfe vanished from the forums.

Someone like that who is near or at the top of their game vis-a-vis their peers does not simply walk away from that level of influence, community status, and potential income stream unless forced to do so by circumstances beyond their immediate control.

It’s important to note that Putinkrab didn’t just materialize out of thin air in 2019 — suddenly endowed with knowledge about how to write advanced, stealthy ransomware strains. That knowledge clearly came from someone who’d already had years of experience building and deploying ransomware strains against real-life victim organizations.

Thus, whoever Putinkrab was before they adopted that moniker, it’s a safe bet they were involved in the development and use of earlier, highly successful ransomware strains. One strong possible candidate is Cerber ransomware, the most popular and effective affiliate program operating between early 2016 and mid-2017. Cerber thrived because it emerged as an early mover in the market for ransomware-as-a-service offerings.

In February 2024, the FBI seized LockBit’s cybercrime infrastructure on the dark web, following an apparently lengthy infiltration of the group’s operations. The United States has already indicted and sanctioned at least five other alleged LockBit ringleaders or affiliates, so presumably the feds have been able to draw additional resources from those investigations.

Also, it seems likely that the three national intelligence agencies involved in bringing these charges are not showing all of their cards. For example, the Treasury documents on Khoroshev mention a single cryptocurrency address, and yet experts interviewed for this story say there are no obvious clues connecting this address to Khoroshev or Putinkrab.

But given that LockBitSupp has been actively involved in Lockbit ransomware attacks against organizations for four years now, the government almost certainly has an extensive list of the LockBit leader’s various cryptocurrency addresses — and probably even his bank accounts in Russia. And no doubt the money trail from some of those transactions was traceable to its ultimate beneficiary (or close enough).

Not long after Khoroshev was charged as the leader of LockBit, a number of open-source intelligence accounts on Telegram began extending the information released by the Treasury Department. Within hours, these sleuths had unearthed more than a dozen credit card accounts used by Khoroshev over the past decade, as well as his various bank account numbers in Russia.

The point is, this post is based on data that’s available to and verifiable by KrebsOnSecurity. Woodward & Bernstein’s source in the Watergate investigation — Deep Throat — famously told the two reporters to “follow the money.” This is always excellent advice. But these days, that can be a lot easier said than done — especially with people who a) do not wish to be found, and b) don’t exactly file annual reports.

The Good, the Bad and the Ugly in Cybersecurity – Week 19

The Good | Russian-Based APT28 & LockBit Developer Condemned and Charged by International Enforcement

International law enforcement agencies took a hard stance against GRU-linked threat actors this week with the official condemnation of APT28 (aka Strontium, Fancy Bear, Forest Blizzard) and identification and sanctioning of LockBit ransomware’s administrator and developer.

NATO and the EU, joined by the U.S. and U.K., formally condemned the Russian threat group known as APT28 for a long-term cyber espionage campaign against various European countries. In particular, Germany and the Czech Republic highlighted an email-based attack last year on various government agencies as well as organizations across the military, air and space, and IT sectors in NATO member countries, NATO fast reaction corps, and Ukraine. APT28 has also been known to target critical infrastructure in various other EU member states.

The 2023 attack leveraged CVE-2023-23397, a zero-day vulnerability in Microsoft Outlook, to steal credentials, perform lateral movement in victim networks, and exfiltrate sensitive emails from specific accounts. NATO called on the Russian state to “respect their international obligations and commitments to uphold international law and act within the framework for responsible state behavior in cyberspace.”

From the DoJ, the identity of the developer and administrator behind the notorious LockBit ransomware group has finally been unveiled. Russian national Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) is also being sanctioned by various international enforcement agencies with the U.S. Department of State offering a reward up to $10 million for information leading to his arrest or conviction.

Khoroshev’s sanctioning follows the joint operation earlier this year disrupting LockBit ransomware infrastructure and operations. Before the seizure of its public-facing websites and servers, Khoroshev and his affiliates were instrumental in LockBit’s rise to one of the world’s most prolific ransomware variants and operations, worth billions of dollars in damages and loss.

Source: Reuters

The Bad | Novel Cuckoo Infostealer Exhibits Spyware Capabilities on macOS Devices

An emerging malware dubbed “Cuckoo” is targeting Apple macOS devices, designed with the dual purpose of stealing information and acting as spyware. Cuckoo is a universal Mach-O binary capable of running on both Intel and Arm-based Macs. Observed distribution vectors show that the binary is hosted across a smattering of websites that claim to convert music from paid streaming services to MP3 files for download.

Cuckoo uses osascript to prompt users for their system password and runs commands to gather sensitive data such as hardware information, currently running processes, and installed apps. It can also take screenshots and harvest data from iCloud Keychain (Apple’s password management system), Apple Notes, web browsers, crypto wallets, and popular apps like Steam, Telegram, and Discord.

Infostealers targeting macOS usually do not attempt to establish persistence, but persistence is essential to spyware. Cuckoo sets persistence through a LaunchAgent that runs when the user logs in and then every 60 seconds while the user is logged in.

New analysis from SentinelLabs reports a rise in Cuckoo samples and trojanized apps, with new ones appearing daily since the original Cuckoo stealer was first reported late last month. These trojanized apps advertise dubious services and are able to trick users past warnings from Apple Gatekeeper. SentinelLabs also confirms that at the time of writing, the latest version of XProtect (version 2194) is unable to block execution of Cuckoo malware. SentinelOne customers are protected from macOS Cuckoo Stealer.

As a best practice, users should always proceed with caution when downloading apps from unknown, third-party developers. With the rise in malware targeting macOS devices over the last few years, it is essential now to ensure that Macs are fully protected with an advanced security solution just like other operating systems.

The Ugly | Two New F5 Flaws Leave BIG-IP Next Central Manager Open to Remote Exploits & Device Takeover

Multi-cloud and application security vendor, F5, has released fixes for two high-severity vulnerabilities found in BIG-IP Next Central Manager, the main component in controlling BIG-IP Next load balancers and app instances in both on-prem and cloud environments. Both CVE-2024-26026 (an SQL injection flaw) and CVE-2024-21793 (an OData injection flaw) could allow execution of malicious SQL commands on unpatched devices through the BIG-IP Next Central Manager API.

In an SQL injection attack, attackers inject the malicious queries into input fields or parameters to manipulate the database to execute unauthorized commands. This can lead to unauthorized access, data leakage, and even complete control over the database. These attacks are often leveraged to extract sensitive information or tamper with data within the database, posing significant risks to the security and integrity of the targeted web applications.

Security researchers have noted how the vulnerabilities could first be exploited to obtain full administrative control of the Next Central Manager and then to create rogue administrative accounts hidden from the Manager user interface (UI). These “invisible” accounts would allow attackers to persist in the environment even if the legitimate admin account password was reset in the UI and the system patched. F5 recommends that users patch immediately, or restrict Next Central Manager access to trusted users over a secure network until the updates can be installed.

Source: Eclypsium

In the past two years, several critical-level F5 flaws have made headlines. One flaw from October 2023 in the BIG-IP configuration utility allowed remote code execution and another from May 2022 targeted networks across government agencies and private sector organizations, prompting CISA to issue a warning to all Federal Civilian Executive Branch Agencies (FCEB) affected.

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

Infostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in the wild through malicious websites, cracked applications and trojan installers. These past few weeks have seen a new macOS malware family appear that researchers have dubbed ‘Cuckoo Stealer’, drawing attention to its abilities to act both as an infostealer and as spyware.

In this post, we review Cuckoo Stealer’s main features and logic from a detection point of view and offer extended indicators of compromise to aid threat hunters and defenders. At the time of writing the latest version of XProtect, version 2194, does not block execution of Cuckoo Stealer malware. SentinelOne customers are protected from macOS Cuckoo Stealer.

More Cuckoo Stealers Appearing

Since the initial report on the emergence of this family of malware on April 30, we have seen a rise in new samples and trojanized applications from the initial four originally reported by Kandji to 18 unique trojanized applications at the time of writing, with new samples appearing daily.

The trojanized apps are various kinds of “potentially unwanted programs” offering dubious services such as PDF or music converters, cleaners and uninstallers (a full list appears in the IoCs at the end of this post) such as:

  • App Uninstaller.app
  • DumpMedia Amazon Music Converter.app
  • FoneDog Toolkit for Android on Mac.app
  • iMyMac PDF Compressor.app
  • PowerUninstall.app
  • TuneSolo Apple Music Converter.app

As reported previously, these applications contain a malicious binary in the MacOS folder named upd. The most recent binaries – in ‘fat’ and ‘thin’ versions for both Intel x86 and arm64 architectures – are ad hoc codesigned and their parent applications all share the same bundle identifier, upd.upd.

Apple’s codesign utility will provide identical output for all these samples:

codesign -dv file
…
Identifier=upd.upd
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

Some protection is offered to unsuspecting users by Apple’s Gatekeeper, which will by default throw a warning that the application is not notarized. The malware authors have anticipated this and provided the user with instructions on how to run the application.

macOS Cuckoo Stealer Gatekeeper

The malware is written in C++ and was created in build 12B45b of Xcode, version 12.2, a rather old version that was released in November 2020, using a device still running macOS 11 Big Sur (build 20A2408) from the same year.

The code signature and the application’s Info.plist containing this information make current samples relatively easy to identify.

Simple Obfuscation Helps Cuckoo to Hide in Apple’s Nest

A noticeable characteristic of the malware is the heavy use of XOR’d strings in an attempt to hide its behavior from simple static signature scanners. The samples use different XOR keys (see the list of IoCs at the end of this post) of varying lengths to decrypt the main strings and functionality dynamically.

Though the binary is stripped and lacks function names, the decrypt routine is readily identifiable from the large number of cross references to it in the rest of the code. Current samples call the decrypt routine precisely 223 times.

Cuckoo decryption function

By breaking on this function in a debugger, it is relatively straightforward to output the decrypted strings to understand the malware’s behavior.

However, not all obfuscated strings are processed through this function. The decryption key and routine can be found independently in other places in the code as well.
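The string-recovery step described above, as an added Python example (not SentinelOne’s code and not the sample’s own decrypt routine): it assumes a repeating-key XOR layout and uses constructed keys and blobs rather than the report’s IoC keys, trying each candidate key against every blob and keeping only plausible text.

```python
"""Added example, not SentinelOne's code and not the Cuckoo decrypt routine:
recovering repeating-key XOR strings from a stripped binary by trying each
candidate key against every extracted blob and keeping only plausible text.
The repeating-key layout, the keys and the blobs below are constructed
assumptions; the per-sample keys listed in this report are not used.
"""

# Constructed candidate keys of varying length (placeholders, not the
# report's IoC keys). In practice these come from the decrypt routine's
# key argument, located via cross references as described above.
CANDIDATE_KEYS = [
    b"constructedKeyOneQ7",
    b"sampleKeyTwo9ZxQm4LpR",
    b"thirdPlaceholderKey1aB",
]

# Strings of the kind an analyst expects to surface, built from behaviours
# in this post; used only to construct the sample blobs below.
SAMPLE_STRINGS = [
    "display dialog with hidden answer",
    "/Library/LaunchAgents/com.user.loginscript",
    "xattr -d com.apple.quarantine",
]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same offset modulo the key
    length. XOR is its own inverse, so one routine both hides and recovers."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(buf: bytes) -> bool:
    """Strict plausibility filter: non-empty and every byte is a printable
    ASCII character (0x20..0x7E). A wrong key almost always yields at least
    one control or high byte, so most false candidates are discarded."""
    return bool(buf) and all(0x20 <= b <= 0x7E for b in buf)


def recover_strings(blobs, keys):
    """Try every key against every blob. Returns {blob_index: [(key, text),
    ...]} holding only the candidates that pass looks_like_text; the analyst
    reads the survivors rather than trusting any single key blindly."""
    hits = {}
    for idx, blob in enumerate(blobs):
        found = [(key, xor_repeating(blob, key).decode("ascii"))
                 for key in keys if looks_like_text(xor_repeating(blob, key))]
        if found:
            hits[idx] = found
    return hits


# Constructed sample: the strings above obfuscated with the second key,
# standing in for blobs lifted out of a binary at the decrypt call sites.
SAMPLE_KEY = CANDIDATE_KEYS[1]
SAMPLE_BLOBS = [xor_repeating(s.encode("ascii"), SAMPLE_KEY) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for idx, candidates in recover_strings(SAMPLE_BLOBS, CANDIDATE_KEYS).items():
        for key, text in candidates:
            print(idx, key.decode("ascii"), repr(text))
```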

Among the few unobfuscated strings in the current binary is one that represents an array of file extensions, indicating the kind of information the malware authors are interested in stealing:

{"txt", "rtf", "doc", "docx", "xls", "xlsx", "key", "wallet", "jpg", "dat", "pdf", "pem", "asc", "ppk", "rdp", "sql", "ovpn", "kdbx", "conf", "json"}

Looking for cross references to ‘wallet’ (one of the items in the array), we find the array is consumed in a function which calls both the decrypt function and another function that implements the same XOR routine and key.

macOS Cuckoo in function decryption

In radare2, we can find all references to the XOR key by grepping the output of the ax command for the string’s address.

Finding cross references in radare2

Cuckoo Stealer Observable Behavior

Despite these attempts at obfuscation, analysis of Cuckoo Stealer reveals that, unsurprisingly, it uses many of the same techniques as other infostealers we have encountered in the last 12 months or so. In particular, it makes various uses of AppleScript to duplicate files and folders of interest and to steal the user’s admin password in plain text.

SentinelOne detects Cuckoo Stealer

This is achieved through a simple AppleScript dialog using the “hidden answer” option, a ploy that macOS attackers have been using since at least 2008, as we observed recently in relation to Atomic Stealer.

With Cuckoo Stealer, if the user enters anything other than a valid admin password, the malware will repeatedly display the dialog until the right password is provided. This remains true even if the user presses the ‘Cancel’ button.

The underlying mechanism for how the password is checked was nicely elucidated by Kandji researchers here. The scraped password is then saved in clear text in a file named pw.dat in a hidden subfolder of the user’s home directory. The hidden folder’s name is a combination of .local- and a randomly generated UUID. For example:

~/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/

The following regexes can be used to find paths or commands containing this pattern:

.local-[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}/

// alternatively:
.local-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/

In addition, the malware also attempts to install a persistence LaunchAgent with the label com.user.loginscript. The name of the property list file itself will take the form of the parent application bundle. For example, the trojan DumpMedia Spotify Music Converter.app will create a plist called ~/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist, while iMyMac Video Converter.app will write the same plist out as com.immyac.videoconverter.plist.

Cuckoo Stealer LaunchAgent

This persistence agent will point to a copy of the upd binary located in the same hidden .local- directory mentioned above.

The malware also makes use of several Living Off the Land utilities including xattr, osascript and system_profiler for discovery.

Command and arguments observed:

awk /Hardware UUID/{print $(NF)}
launchctl load -w "/Users/user1/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist"
osascript -e 'display dialog "macOS needs to access System Settings" default answer "" with title "System Preferences" with icon caution with hidden answer'
system_profiler SPHardwareDataType | awk '/Hardware UUID/{print $(NF)}'
xattr -d com.apple.quarantine "/Users/user1/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/DumpMediaSpotifyMusicConverter"

Cuckoo Stealer execution chain
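The observable behaviours above (the hidden-answer dialog, the .local-UUID staging directory, the quarantine strip, the LaunchAgent and the Hardware UUID discovery), as an added Python detection example that is not SentinelOne’s code or rules: it uses the bracket-class form of the regex given earlier, the command lines from the table, and constructed LaunchAgent plists and benign command lines as assumptions.

```python
"""Added example, not SentinelOne's code or detection rules: triage helpers
for the Cuckoo Stealer behaviours described in this post. The command lines
are the ones from the table above; the LaunchAgent plist contents and the
two benign lines are constructed for illustration.
"""
import plistlib
import re

HEX = r"[0-9a-fA-F]"
# The hidden ~/.local-<UUID>/ directory, written with bracket classes
# because Python's re module has no POSIX [[:xdigit:]] class.
HIDDEN_DIR = re.compile(
    rf"\.local-{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}/"
)
LAUNCHAGENT_LABEL = "com.user.loginscript"  # label reported for the agent

# (rule name, regex) pairs, each matched against one process command line.
RULES = [
    # AppleScript password prompt using the "hidden answer" ploy.
    ("osascript_hidden_answer",
     re.compile(r"^osascript\b.*display dialog.*with hidden answer", re.I | re.S)),
    # Any reference to the hidden staging directory (pw.dat, upd copy).
    ("hidden_local_dir", HIDDEN_DIR),
    # Quarantine attribute stripped from a file inside that directory.
    ("quarantine_strip",
     re.compile(rf"^xattr\s+-d\s+com\.apple\.quarantine\s+.*\.local-{HEX}{{8}}-", re.I)),
    # A user LaunchAgent loaded from the command line.
    ("launchagent_load",
     re.compile(r"^launchctl\s+load\s+-w\s+.*/Library/LaunchAgents/[^/\s\"']+\.plist", re.I)),
    # Hardware UUID discovery via system_profiler piped into awk.
    ("hardware_uuid_discovery",
     re.compile(r"^system_profiler\s+SPHardwareDataType\b.*Hardware UUID", re.I)),
]


def scan_command_lines(lines):
    """Return {line_index: [rule names]} for every line matching a rule."""
    hits = {}
    for idx, line in enumerate(lines):
        matched = [name for name, rx in RULES if rx.search(line)]
        if matched:
            hits[idx] = matched
    return hits


def assess(hits):
    """Collapse per-line hits into the distinct behaviours seen. A lone
    launchctl load is everyday noise, so this example treats two or more
    distinct behaviours on one host as a probable Cuckoo execution chain."""
    behaviours = sorted({name for names in hits.values() for name in names})
    return behaviours, len(behaviours) >= 2


def is_cuckoo_launchagent(plist_bytes):
    """True when a LaunchAgent plist carries the reported label and points
    its program into the hidden directory. Unparseable input is no match."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException, ExpatError, ...
        return False
    if data.get("Label") != LAUNCHAGENT_LABEL:
        return False
    program = data.get("ProgramArguments") or [data.get("Program", "")]
    return any(HIDDEN_DIR.search(str(p)) for p in program)


# Constructed sample input: the five command lines from the table plus two
# benign lines that must not match.
SAMPLE_COMMAND_LINES = [
    "awk /Hardware UUID/{print $(NF)}",
    'launchctl load -w "/Users/user1/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist"',
    """osascript -e 'display dialog "macOS needs to access System Settings" default answer "" with title "System Preferences" with icon caution with hidden answer'""",
    "system_profiler SPHardwareDataType | awk '/Hardware UUID/{print $(NF)}'",
    'xattr -d com.apple.quarantine "/Users/user1/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/DumpMediaSpotifyMusicConverter"',
    "ls -la /Users/user1/Library/LaunchAgents",
    """osascript -e 'display notification "Build finished" with title "CI"'""",
]

# Constructed plists: one shaped like the agent described above (upd copy in
# the hidden directory, run at login and every 60 seconds), one ordinary.
SAMPLE_PLIST = plistlib.dumps({
    "Label": LAUNCHAGENT_LABEL, "RunAtLoad": True, "StartInterval": 60,
    "ProgramArguments": ["/Users/user1/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/upd"],
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup", "RunAtLoad": True,
    "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
})

if __name__ == "__main__":
    hits = scan_command_lines(SAMPLE_COMMAND_LINES)
    print(hits)
    print(assess(hits))
    print(is_cuckoo_launchagent(SAMPLE_PLIST), is_cuckoo_launchagent(BENIGN_PLIST))
```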

SentinelOne Protects Against Cuckoo Stealer

SentinelOne Singularity detects Cuckoo Stealer and prevents its execution when the policy is set to Protect/Protect. In Detect mode, the agent will allow analysts to observe and investigate malicious behavior, as shown below.

SentinelOne Console detects Cuckoo Stealer

Agent version 23.4.1.7125 and later offer an extensive set of behavioral indicators including reference to MITRE TTPs specific to macOS infostealers.

Conclusion

The actors behind the Cuckoo Stealer campaign have clearly invested some resources into developing a novel infostealer rather than buying any of the ready-made offerings currently circulating in various Telegram channels and darknet forums. This, along with the rising numbers of samples we have observed since initial reporting of this threat, suggests that we will likely see further variants of this malware in the future.

Enterprises are advised to use a third party security solution such as SentinelOne Singularity to ensure that devices are protected against this and other threats targeting macOS devices in the fleet.

To learn more about how SentinelOne can help protect your organization, contact us or request a free demo.

Indicators of Compromise

Bundle Identifier
upd.upd

Observed Application Names
App Uninstaller.app
DumpMedia Amazon Music Converter.app
DumpMedia DeezPlus.app
DumpMedia Pandora Music Converter.app
DumpMedia Spotify Music Converter.app
DumpMedia Video Converter.app
DumpMedia YouTube Music Converter.app
FoneDog Data Recovery.app
FoneDog iPhone Cleaner.app
FoneDog PDF Compressor.app
FoneDog Toolkit for Android on Mac.app
FoneDog Toolkit for iOS on Mac.app
FoneDog Video Converter.app
iMyMac PDF Compressor.app
iMyMac Video Converter.app
PowerUninstall.app
TunesFun Apple Music Converter.app
TuneSolo Apple Music Converter.app

Observed Mach-Os (SHA1)

Observed XOR Keys


Think Like an Attacker with SentinelOne’s Cloud Native Security (CNS)

SentinelOne is very excited to announce the general availability (GA) of Singularity Cloud Native Security!

Cloud Native Security (CNS), our agentless Cloud Native Application Protection Platform (CNAPP) based on our recent PingSafe acquisition, is now integrated into the Singularity Platform and available to new and existing customers via our unified security console, the Singularity Operations Center. If you’re a new customer, we’d love to show you how CNS improves cloud security.

This announcement reinforces our continuous commitment to deliver security innovation to our customers. General availability of CNS comes within the first 100 days post-acquisition (we’re at Day 94!) and we are pleased to say that SentinelOne customers can now access these critical capabilities to help them radically reduce their cloud attack surface and improve their cloud security posture.

“SentinelOne CNS has been a value add for Observe.AI from day one. Its offensive security engine is one of a kind and a big differentiator. As soon as we onboarded SentinelOne CNS for proof of value, it not only reduced the noise that was evident with other scanners, but it also helped prioritize security issues, saving countless hours for developers and security engineers.

Its offensive security approach can be an eye-opener for infrastructure teams, providing deeper insights into the external cloud attack surface. I highly recommend SentinelOne CNS for securing cloud resources.” Krutin Karia, Head of Security, Observe.AI

Prioritizing Cloud Health Through Evidence-Based Security

With rapid agentless onboarding across 6 different cloud environments, Cloud Native Security consolidates and correlates a range of cloud security capabilities:

  • Rapid onboarding with multi-cloud support
  • Cloud Asset Inventory and mapping with easy-to-understand graph visualizations
  • Vulnerability Scanning
  • Cloud Security Posture Management (CSPM)
  • Secrets Scanning
  • Infrastructure as Code (IaC) Scanning, including VCS integration
  • Container Image Security, including CI/CD integration
  • Software Bill of Materials (SBOM)
  • Kubernetes Security Posture Management (KSPM)
  • Cloud Detection and Response (CDR)
  • Integration with Singularity Data Lake for accelerated investigations via Purple AI

Cloud Native Security leverages a unique attacker’s mindset to identify and verify risks that require immediate attention and action.

Cloud Native Security is powered by the Offensive Security Engine™, which delivers crucial value and an industry-first for customers: Verified Exploit Paths™. Where cloud alerts typically consist of overwhelming noise, are time-intensive to validate, and prone to false positives, the Offensive Security Engine differentiates between theoretical and exploitable risks by providing proof of exploitability with each alert.

This evidence-based approach to prioritization and alert validation surfaces remediation opportunities for security practitioners to immediately and concretely increase their cloud security posture. This is another key innovation from SentinelOne that empowers security practitioners by minimizing dependence on human vetting.

By combining the agentless Cloud Native Security alongside our hyper-performant, user-mode agent-based Cloud Workload Security and Cloud Data Security, customers can enjoy visibility and security controls from code to cloud, with powerful capabilities to prevent, detect, and respond across the cloud lifecycle.

Learn More

This is SentinelOne’s comprehensive CNAPP vision – agentless and agent-based cloud security combined to provide the world’s most powerful AI-powered cloud threat protection. Learn more about SentinelOne’s Cloud Security portfolio here or book a demo with our expert team today.


U.S. Charges Russian Man as Boss of LockBit Ransomware Group

The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.

Image: U.K. National Crime Agency.

Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment by a grand jury in New Jersey.

“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in a statement released by the Justice Department.

The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.

The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.

“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”

The unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting them with press releases about the law enforcement action and free tools to help LockBit victims decrypt infected systems.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.

Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.

One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockBitSupp vowed to release sensitive documents stolen from the county court system unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.

LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.

KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same Tox instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.

“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”

LockBitSupp, who now has a $10 million bounty on his head from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.

But Justice Department officials say LockBit never deleted its victims’ data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.

Khoroshev is the sixth person officially indicted as an active member of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil”) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

Matveev remains at large, presumably still in Russia. Meanwhile, the U.S. Department of State has a standing $10 million reward offer for information leading to Matveev’s arrest.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF).

In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

The Justice Department is urging victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/ to file an official complaint, and to determine whether affected systems can be successfully decrypted.

PinnacleOne ExecBrief | Digital Sovereignty and Splinternets in Cloud, AI & Space

Last week, PinnacleOne reviewed the collision of commercial interests and state competition in space.

This week, we step back and examine the growing trend towards digital sovereignty, manifesting in national competition to secure and lead increasingly strategic cloud, AI, and space networks.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Digital Sovereignty and Splinternets in Cloud, AI, and Space

The concept of digital sovereignty has gained significant traction in recent years as nations seek to assert greater control over critical economic and military capabilities at the technical frontier. This trend – driven by geopolitical competition and the strategic importance of data, cloud computing, artificial intelligence (AI), and space technologies – has significant implications for global businesses. As nations pursue sovereign capabilities across these domains, corporate leaders must navigate an increasingly complex and fragmented digital and security landscape.

Data/Cloud Sovereignty

Nations are establishing sovereign cloud services to maintain control over their data and ensure compliance with local regulations and privacy requirements. The partnership between Microsoft and G42 in the United Arab Emirates exemplifies this trend, offering secure access to cloud and AI features while adhering to local data sovereignty requirements. Microsoft is also expanding its Azure services footprint in the UAE via Khazna Data Centers, a joint venture between G42 and e& to support this initiative.

In the words of Secretary Raimondo, “When it comes to emerging technology, you cannot be both in China’s camp and our camp.” It remains to be seen which side will end up benefiting more from this deal, given how much the U.S. had to offer to (apparently) woo G42 from its Chinese entanglements. Nevertheless, the forces of geopolitical network competition are clearly multipolar – this gives middle powers juice to make deals with multinational cloud providers on favorable terms, including respect for data sovereignty and localization of frontier capabilities.

AI Sovereignty

The strategic importance of AI is leading more nations to pursue AI sovereignty, recognizing the need to develop and (attempt to) control this transformative technology. Industry leaders like Jensen Huang of Nvidia and Arvind Krishna of IBM have advocated for countries to build their own “sovereign AI” capabilities, tailored to their specific language, cultural, and business needs.

Leading and guiding AI technologies is seen as critical for defending national interests and ensuring economic and military security. Examples of sovereign AI strategies include India’s plan to organize and make available Indian data for AI model creation, Singapore’s Southeast Asia AI plan, the Netherlands’ generative AI vision, and Taiwan’s sovereign model strategy to counter the influence of Chinese AI tools. As a sign of the times, some tech investors are eyeing the idea of “sovereign computational stacks” which float aboard undersea-cable connected platforms that help sanctioned entities skirt regulators.

Space Sovereignty

Nations are also seeking to establish their own satellite constellations for secure, reliable, and high-bandwidth communications, commercial space-based observation, scientific, and defense purposes. The United States’ Proliferated Warfighter Space Architecture (PWSA), a secure low-Earth orbit (LEO) network, and China’s plans for a LEO broadband constellation highlight the growing importance of space sovereignty in the LEO domain, currently dominated by SpaceX. The European Union has also approved plans for the IRIS 2 constellation, a multi-orbit satellite system designed to bolster Europe’s governmental and institutional communication services and digital sovereignty.

The UAE has formed its own national space champion, Space42, by merging its AI-driven geospatial intelligence provider Bayanat with Yahsat, the UAE’s principal satellite firm. The link between space and AI is explicit per the Space42 chairman: “Building upon its enormous capabilities, the new entity is poised to play a significant role in realizing the ambitious objectives outlined by the National Space Strategy 2030 and the National Strategy for Artificial Intelligence 2031.”

As we examined last week, these developments have significant implications for the blurred lines between commercial interests and national imperatives as the space domain becomes increasingly contested and potentially a field of conflict.

Compliance and Cybersecurity Challenges

As nations assert digital sovereignty, companies operating globally will face a complex web of data governance, privacy, and operational regulations across multiple jurisdictions. Compliance with diverse requirements for data localization, storage, processing, and access will be a significant challenge. Moreover, the fragmentation of digital infrastructure and the proliferation of sovereign systems may introduce new cybersecurity risks, as companies must ensure the security and integrity of their data and systems across multiple platforms and jurisdictions.

Market Access and Data Flow Implications

The rise of sovereign cloud services, AI capabilities, and space and terrestrial communication networks may restrict the free flow of data across borders and limit market access for foreign companies. Nations may prioritize domestic providers or impose barriers to entry for foreign firms, particularly in strategic sectors. For example, China’s LEO broadband constellation could hinder outside attempts to garner market share within the country or its allies. Executives must anticipate potential disruptions to their global operations and supply chains while exploring partnerships or localization strategies to maintain access to key markets.

Navigating the Fragmented Digital Landscape

The proliferation of sovereign digital infrastructures could lead to a fragmented global digital landscape, often referred to as the “splinternet”. This fragmentation may hinder interoperability, collaboration, and innovation across borders, impacting the ability of multinational companies to leverage digital technologies effectively. Leaders must consider the long-term implications of a splintered digital ecosystem and develop strategies to navigate this increasingly complex environment while ensuring the security and resilience of their digital assets.

Strategic Considerations for Corporate Leaders

  1. Assess compliance and cybersecurity requirements – Evaluate the impact of digital sovereignty regulations in each market and ensure compliance with data governance, privacy, and operational requirements while addressing the cybersecurity challenges posed by fragmented digital infrastructures.
  2. Mitigate market access risks – Anticipate potential disruptions to global operations and supply chains due to restricted data flows and market access barriers. Consider partnerships or localization strategies to maintain a presence in key markets.
  3. Adapt to a fragmented digital landscape – Develop strategies to navigate the complexities of a splintered digital ecosystem, addressing interoperability challenges, potential barriers to collaboration and innovation, and the cybersecurity implications of operating across multiple sovereign platforms.
  4. Invest in resilient and secure digital infrastructure – Build resilient and adaptable digital infrastructure that can withstand the challenges posed by digital sovereignty trends and ensure the security and integrity of data and systems across multiple jurisdictions.
  5. Engage in policy dialogues – Actively participate in policy discussions and industry forums to advocate for balanced approaches that safeguard national interests, promote global collaboration and innovation, and address the cybersecurity challenges posed by digital sovereignty.

Going Forward

The pursuit of digital sovereignty by nations has significant implications for the global digital landscape, potentially leading to a fragmented “splinternet” and introducing new cybersecurity and enterprise architecture challenges. Corporate leaders must navigate an increasingly complex web of compliance requirements, market access barriers, interoperability issues, and cybersecurity risks.

By proactively assessing the impact of digital sovereignty trends, adapting strategies accordingly, investing in secure and resilient digital infrastructure, and engaging in policy dialogues, executives can position their organizations to thrive in an increasingly complex and fragmented digital world.

Why Your VPN May Not Be As Secure As It Claims

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.


When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.

The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The feature being abused here is known as DHCP option 121 (classless static routes), and it allows a DHCP server to push routes onto the VPN user’s system that are more specific than the ones most VPN clients install. Because a host’s routing stack always picks the most specific route that matches a destination (longest-prefix match), Leviathan found that an attacker on the local network can install routes that take precedence over the routes the target’s VPN created for its virtual interface, without touching the VPN software at all.

“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”
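As an added example (not code from Leviathan Security or from this article) of what option 121 carries and why it wins over the tunnel, the Python below decodes the RFC 3442 wire format, installs the pushed routes on the physical interface the way a DHCP client does, and runs a longest-prefix-match lookup before and after the rogue offer. The routing table, the option payload and the attacker gateway 192.168.1.66 are constructed for illustration, and the interface names wlan0 and tun0 are assumptions. The last function is the check a VPN client or kill switch would need: any route on a non-VPN interface that is more specific than the tunnel’s routes is traffic that has left the VPN.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and replay a
longest-prefix-match route lookup to see which traffic leaves the VPN tunnel.

Added example, not code from Leviathan Security or from the article. The
routing table, the option 121 payload and the attacker gateway 192.168.1.66 are
constructed for illustration; the interface names wlan0 and tun0 are assumptions.
"""
import ipaddress
import math
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]  # (destination, next hop, interface)


def decode_option_121(data: bytes) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Parse the value of DHCP option 121 into (network, router) pairs.

    RFC 3442 packs each route as: one byte of prefix length, then only the
    significant octets of the destination (ceil(prefix/8) of them, none for a
    /0), then the four-byte router address.
    """
    routes = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len} at offset {i}")
        n_sig = math.ceil(prefix_len / 8)
        i += 1
        if i + n_sig + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = ipaddress.IPv4Address(bytes(data[i:i + n_sig]) + b"\x00" * (4 - n_sig))
        i += n_sig
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        routes.append((ipaddress.IPv4Network(f"{dest}/{prefix_len}", strict=False), str(router)))
    return routes


def encode_option_121(routes: List[Tuple[str, str]]) -> bytes:
    """Inverse of decode_option_121: build the option value from (cidr, router) pairs."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr)
        n_sig = math.ceil(net.prefixlen / 8)
        out.append(net.prefixlen)
        out += net.network_address.packed[:n_sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins,
    regardless of which interface it belongs to or who installed it."""
    addr = ipaddress.IPv4Address(dst)
    return max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen)


def apply_offer(table: List[Route], option_121: bytes, phys_iface: str) -> List[Route]:
    """Install pushed routes the way a DHCP client does: on the physical interface."""
    return table + [(net, router, phys_iface) for net, router in decode_option_121(option_121)]


def routes_bypassing_vpn(table: List[Route], vpn_iface: str) -> List[Route]:
    """Return routes on other interfaces that are more specific than a VPN route
    covering the same addresses, i.e. destinations whose traffic leaves the tunnel.
    On-link routes (next hop 0.0.0.0) are skipped: the local LAN is never tunnelled."""
    vpn_routes = [r[0] for r in table if r[2] == vpn_iface]
    leaks = []
    for net, nh, iface in table:
        if iface == vpn_iface or nh == "0.0.0.0":
            continue
        if any(net.overlaps(v) and net.prefixlen > v.prefixlen for v in vpn_routes):
            leaks.append((net, nh, iface))
    return leaks


# Constructed routing table of a VPN client before the rogue offer. The VPN claims
# the whole Internet with two /1 routes on tun0, which beat the physical /0 default.
TABLE: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "wlan0"),
    (ipaddress.IPv4Network("0.0.0.0/1"), "10.8.0.1", "tun0"),
    (ipaddress.IPv4Network("128.0.0.0/1"), "10.8.0.1", "tun0"),
    (ipaddress.IPv4Network("192.168.1.0/24"), "0.0.0.0", "wlan0"),
]

# Constructed option 121 value a rogue DHCP server could send: one /24 pointed at the
# attacker's machine (192.168.1.66, assumed) plus a normal default route. RFC 3442
# tells clients to ignore option 3 (router) when option 121 is present, so the
# default route has to be carried here for the client to keep working unnoticed.
ROGUE_OPTION_121 = encode_option_121([
    ("203.0.113.0/24", "192.168.1.66"),
    ("0.0.0.0/0", "192.168.1.1"),
])

AFTER = apply_offer(TABLE, ROGUE_OPTION_121, "wlan0")

if __name__ == "__main__":
    print("option 121 bytes:", ROGUE_OPTION_121.hex())
    for dst in ("203.0.113.10", "1.1.1.1"):
        before, after = lookup(TABLE, dst), lookup(AFTER, dst)
        print(f"{dst}: before -> {before[2]} via {before[1]}; after -> {after[2]} via {after[1]}")
    for net, nh, iface in routes_bypassing_vpn(AFTER, "tun0"):
        print(f"LEAK: {net} leaves the tunnel via {nh} on {iface}")
```

The two /1 routes in the constructed table are the common way VPN clients take over the default route without deleting the physical one (OpenVPN’s redirect-gateway def1 does exactly this), which is why a /24 pushed by anyone on the LAN outranks them: the lookup never asks which interface is the tunnel, only which prefix is longest.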

Leviathan also found a way to force hosts on the local network that already hold a DHCP lease to request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the legitimate DHCP server with requests that consume all the IP addresses it can allocate. Once the network’s legitimate DHCP server is exhausted, the attacker’s rogue DHCP server answers the pending requests instead.

“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”

The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.

ANALYSIS

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.

“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.

Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.

“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”

Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.

KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, supports some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.

“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”

MITIGATIONS

According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.

Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.

“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”

Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.

In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.

“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”

Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.

“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”

A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.

The Good, the Bad and the Ugly in Cybersecurity – Week 18

The Good | Law Enforcement Set New IoT Device Protections, Charge Ex-NSA Spy, and Sentence REvil Affiliate to Prison

Global law enforcement agencies made significant strides this week, raising the minimum security standards that protect tech consumers and officially sentencing an attempted spy and a major ransomware affiliate.

Tech manufacturers in the U.K. are now legally required to protect internet-connected devices against the risk of default passwords. The latest legislation prohibits weak passwords on smartphones, TVs, appliances, and more to ensure ongoing protection against credentials-based cyberattacks. Manufacturers must also provide a point of contact for reporting security issues and state when devices will receive important security updates. Those that fail to meet the provisions will now face recalls and penalty fees up to £10 million, or 4% of their global annual revenue – whichever is higher. The U.K. is the first country in the world to ban default credentials from IoT devices.

An ex-NSA employee caught trying to sell classified secrets to Russia has been formally sentenced to over 20 years in prison. The DoJ charged Jareh Sebastian Dalke, 32, for attempted espionage while he was employed as an information systems security designer for under two months. During his short tenure with the agency, Dalke met with what he thought was a Russian agent to exchange top-secret National Defense Information (NDI) documents for a sum of $85,000 and establish future opportunities to sell more documents.

Yaroslav Vasinskyi has been sentenced for deploying REvil ransomware in over 2,500 attacks, including the one on Kaseya in 2021. Demanding a combined $700 million from various U.S. victims, Vasinskyi and his co-conspirators often threatened to publish sensitive data to drive a higher rate of ransom. The Ukrainian national was charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.

The Bad | Attackers Plant Millions of Malicious Repositories in Docker Hub Loaded with Malware

Millions of malicious “imageless” containers planted within Docker Hub have been redirecting unsuspecting users to phishing and malware sites for years. This week, security researchers reported on three large-scale malware campaigns specifically targeting the container image registry popular with developers and open source contributors globally.

According to the report, the containers were published over a five-year period and the campaigns have been running since early 2021. Together they account for roughly 20% of the approximately 15 million public repositories hosted on Docker Hub. The imageless repositories identified by researchers contain no image layers at all, only documentation pages ranging from spam to links to malware and phishing websites.

Each of the three campaigns employs different tactics to mislead users and distribute the malicious repositories. Using lures such as pirated content, video game cheats, educational e-books, and online diary-hosting services, the payloads ultimately contact a command and control (C2) server to transmit system metadata and obtain links to cracked software. Currently, researchers suspect the attacks are part of a larger operation that may involve monetization schemes via adware or third-party software distribution.

Source: JFrog

Security researchers note that these campaigns work by capitalizing on Docker Hub’s good name and credibility, which makes it all the more difficult to separate the legitimate containers from those triggering phishing and malware installation attempts. Continued misuse of Docker Hub by threat actors emphasizes the need for stricter moderation and better content screening mechanisms on such platforms.

As the trend of malware exploiting vulnerabilities in open-source ecosystems climbs, security experts warn users to exercise caution when downloading packages by reviewing the designated tags for trusted content.

The Ugly | CISA Warns Against Critical GitLab Account Takeover Flaw Under Active Exploit

Ongoing attacks are plaguing GitLab instances this week caused by a critical severity vulnerability tracked as CVE-2023-7028 (CVSS 10.0). Confirming the active exploits, CISA has issued a warning about the flaw, adding it to their KEV catalog and urging all federal civilian executive branch (FCEB) agencies to remediate the risks within three weeks.

CVE-2023-7028 was first disclosed by GitLab in January and allows attackers to seize control of accounts. The flaw stems from improper access control in the password reset flow: a remote, unauthenticated attacker can have an account’s password reset email delivered to an unverified, attacker-controlled email address, all without user interaction. Attackers could also exploit this vulnerability to infiltrate Continuous Integration and Continuous Delivery (CI/CD) pipelines, potentially leading to supply chain attacks.

At time of writing, GitLab has released fixes in versions 16.5.6, 16.6.4, and 16.7.2, with backports to older supported branches. While there have been no reports of ransomware attacks linked to the account takeover flaw, CISA’s warning underscores the severity of the risks it poses.

Given the nature of the platform, GitLab houses mass amounts of source code and API keys – all of which could be abused by attackers to breach organizations and carry out software supply chain attacks. According to Shadowserver, over 2100 servers are still exposed to the vulnerability. Organizations using GitLab are urged to prioritize patching, consult their incident response guide, and check for signs of breach immediately.

Source: Shadowserver