The Good

Former Canadian government employee, Sebastian Vachon-Desjardins, pleaded guilty this week to ransomware crimes that had earned him $21 million in Bitcoin and $500,000 in seized cash. For over 10 months, Vachon-Desjardins operated as an affiliate for Netwalker, a Russian-speaking ransomware gang that targeted organizations in more than 30 countries during the height of the COVID-19 pandemic.

Vachon-Desjardins has been sentenced to a 20-year prison term in the United States after admitting to four charges including conspiracy to commit wire fraud, conspiracy to commit computer fraud, intentional damage to a protected computer system, and sending a demand in relation to damaging a protected computer.

Vachon-Desjardins was one of Netwalker’s most prolific affiliates according to U.S. court filings. Netwalker’s targets included schools, hospitals, emergency services, law enforcement agencies, and businesses, all of which were on the receiving end of ransom demands in exchange for the return of their encrypted data. With as many as 400 entities affected and a collected total of $40 million in ransom payments, Vachon-Desjardins himself was found to have received a third of the proceeds.

The DOJ’s press release noted that Netwalker’s attacks specifically took advantage of the global pandemic crisis to extort victims. The U.S. District Judge who doled out the sentence went above the 12 to 15-year prison term suggested by federal guidelines with the intention of deterring cybercriminals on the whole. The Assistant Attorney General of the Justice Department explained, “Today’s sentence demonstrates that ransomware actors will face significant consequences for their crimes and exemplifies the Department’s steadfast commitment to pursuing actors who participate in ransomware schemes.”

The Bad

This week, the FBI warned of a rise in ‘pig butchering’, a scam focused on stealing increasing amounts of crypto from user accounts over an extended period of time. The FBI’s public service announcement aims to raise awareness amongst investors as more incidents are reported.

‘Pig butchering’ is still a relatively new scam but uses age-old social engineering tactics. The ‘pigs’ in this case are unsuspecting investors who are contacted by fraudsters through social media. Fraudsters then work to establish long-term relationships with these individuals either through fake friendships, the promise of romantic connections, or even going as far as impersonating a real acquaintance.

The victims are eventually convinced to invest in cryptocurrency on counterfeit platforms which are designed to show huge returns on funds. Spurred on, they’re encouraged to make more investments, thus ‘fattening up’ the size of the target. Only upon withdrawal do the investors realize they have been scammed as the fraudster ceases communication and shuts down the fake crypto exchange platform. The consequences of these scams are usually significant with the victim’s losses ranging from thousands to millions of dollars.

The FBI is warning investors to verify the validity of any unsolicited investment opportunity and to check that domain names in links point to legitimate financial institutions. Threat actors typically use a technique called typosquatting that relies on misspelled URLs with a slight deviation from a legitimate website address to trick victims into visiting malicious sites. Cyber criminals running ‘Get rich quick’ investment scams also commonly try to persuade victims to download malicious apps on the pretext of offering some tool needed for investing.

Caution is the first line of defense, here, and as the old adage has it, if an opportunity sounds too good to be true, it most probably is.

The Ugly

Reports have emerged this week that men eligible for enlistment in Russia began leveraging cybercrime services soon after President Vladimir Putin called for a partial mobilization of troops to fight in Ukraine. Resorting to illegal online marketplaces, many men who have not fled are soliciting falsified exemptions while those who have are reportedly turning to identity-masking tools to protect themselves from discovery.

Since the invasion in February, opportunistic scammers have taken advantage of the sociopolitical climate to exploit people who are trying to survive the war. So far, some scammers have claimed to sell forged documents on the dark web that would allow Russian men to evade the draft while others have pledged to mask their buyers’ records in enlistment office databases – all in exchange for a fee as well as the buyer’s passport. After payment is made, the scammers stop communication and likely use the stolen money and identities to perpetuate their schemes.

Cyber intelligence firm, KELA, also reported on a number of cybercrime forums claiming to provide fake documents and medical reports, as well as connecting buyers to job opportunities that would result in a postponed draft.

New services appeared on cybercrime forums, following #Russia’s military #draft. Users can:
– Check if they are banned from crossing the border
– Buy a certificate about having HIV, hepatitis, etc.
– Find a job enabling to postpone the draft
– Find assistance in leaving Russia pic.twitter.com/YcHtEbsBZy

— KELA (@Intel_by_KELA) September 29, 2022

The call for partial mobilization has created an environment where Russian citizens are seeking illegal means to avoid the order. Underground markets and darknets are prospering as new scams surge. Cybercrime has long played off of human emotions such as fear, uncertainty, and desperation and, as the conflict in Ukraine continues, it seems cybercrime forums will continue to exploit desperate individuals living in wartime.

A Guest Post by Mark Harris, former Senior Director Analyst at Gartner

In the cyber security industry, there is a never-ending cat-and-mouse game between adversaries who create new exploits and defenders who devise ways to stop them. As soon as a defender finds a way to stop one type of cyber attack, the adversaries create a new type of attack. As a result, cyber security is a never-ending cat-and-mouse game, with defenders always playing catch-up. New products and solutions are constantly emerging to address rising threats, while existing products adapt or merge with other solutions. The goal is to stay one step ahead of the attackers, but it’s an ongoing battle that is unlikely to ever be won definitively without an effective cybersecurity strategy.

This multi-part blog series provides an overview and guidance on how to develop a successful cybersecurity strategy for your organization. In Part 1, we focus on why organizations need to extend protection beyond the endpoint to stay ahead of adversaries.

The XDR Advantage

Endpoint Detection and Response (EDR) has quickly become an integral part of endpoint protection (EPP), but as attackers have got more sophisticated, detection and response has needed to evolve beyond just the endpoint; extended Detection and Response (XDR)  provides three key capabilities.

1. Combine alerts from multiple security tools into a single incident to improve the efficiency and effectiveness of security teams. Reducing the gap in visibility and the time taken to investigate and triage incidents meaning incidents are contained more quickly.
2. Correlate “weak” signals (low priority alerts) from multiple security sources to create new detections that may not be identified when those signals are in a silo or viewed in isolation.
3. Automatically respond to threats detected across multiple products.

For example, a user trying to log in to a machine and failing may mean they’ve forgotten their password. But if multiple users try and fail, that could be an attacker. If a user then successfully logs in and starts running administration tools to download files or change configuration, then it’s a much stronger indication that an attacker is in the network.

Those multi-events and the subsequent detection should be presented as a single incident that needs investigation. The response also needs to be automatic and  could be to isolate the affected machine and force the user to re-authenticate.

Moving Beyond SIEM and SOAR

For many years the main tool for the security operations center (SOC) was Security Information Event Management (SIEM), but these tools were often more focused on log collection than correlation and relied on the SOC team expertise to manage and process the large volume of data and alerts. Any response would often need to be handled through a separate security orchestration, automation, and response (SOAR) tool.

These tools required dedicated, highly skilled teams to sift through the vast amount of information to try and identify incidents. More often than not, SIEM and SOAR are used post-incident to understand and remediate what happened rather than a detection and response capability.

EDR addressed a lot of the overhead of managing endpoint focused threats; collecting events and data in a central cloud-based infrastructure gave security teams the ability to hunt for threats across an entire organization, giving them visibility to reduce the time to detect a threat significantly. SentinelOne’s automation and remediation means threats can be quickly identified and resolved often with minimal effort allowing security teams more time to carry out these investigations.

In the case of managed service providers or SentinelOne’s own Vigilance service, that visibility is across all customers using the service.  Storyline not only provides security teams with curated automated correlation but also the ability to quickly and easily add new rules specific to their organization.

Protecting the Organization, Not Just the Device

Today, threat actors are not just targeting individual, single machines; they are targeting an organization as a whole. The first machine to be compromised is just the starting point. From that initial entry, the attacker can carry out further surveillance and move through the network to identify valuable data before stealing it. Whilst EDR tools are very effective, there only needs to be one weak link for the attacker to exploit.

Ensuring that endpoint protection and EDR are deployed on every single machine is one of the biggest challenges for IT operations teams. Although achieving that 100% deployment is rarely achievable for all but the smallest of organizations, tools like SentinelOne Ranger provide the visibility into the network to find any unmanaged or unauthorized devices.

XDR goes beyond just the endpoint and provides the integration and correlation of events and alerts across a wide range of security tools to improve visibility, reduce the time to detect even further and then respond quickly. The IBM data breach report estimates that deploying XDR can reduce the time to detect by a month.

What Do Vendors Mean By “XDR”?

While the need for XDR is clear, vendors don’t all agree on what the term means or how XDR solutions should be delivered. The term ‘XDR’ is perhaps one of the most overused terms in cybersecurity today.

There are a number of interpretations of how to deliver XDR.

1. Single Vendor XDR – All the security tools are provided by a single vendor. There is limited integration with other tools, usually limited to just ingesting logs and alerts. Choosing a single vendor XDR solution is a complex, risky and expensive approach. Migrating security tools takes time, and existing licenses will have to be paid whilst the migration is done. There is also no guarantee that the solutions from a single vendor will meet an organization’s needs.
2. SIEM XDR – Several of the SIEM vendors are combining traditional SIEM functionality with SOAR and claiming XDR, but these solutions don’t have automated threat detection capabilities.
3. Managed XDR – Managed service providers can provide the capabilities of XDR by integrating multiple tools into their services. Although it may deliver on the outcomes, the service relies on the MSP SOC team and functionality.
4. Open XDR Platform – Provides a platform that can integrate multiple products from different vendors and correlate those events. To be effective, the integration needs to be both ways, receiving alerts from a product but also being able to automatically send response actions. One of the key advantages of an OpenXDR platform is that rather than replacing existing solutions, they can be integrated into the platform, and the benefits of XDR are realized much sooner.

SentinelOne has built an open XDR  platform that provides a flexible and scalable solution. Singularity XDR integrates with both the broad range of SentinelOne products and services as well as with leading third party security providers such as Mimecast for Email security. It includes the automation, AI and ML capabilities to quickly get the benefits of XDR and provide a scalable, extensible platform to build upon.

Conclusion

XDR is the natural progression of EDR, moving beyond the endpoint to the rest of the security infrastructure, including identity and cloud security. XDR is a journey, and as threats evolve the XDR platform needs to be able to grow and adapt. XDR isn’t necessarily just selecting a solution, it’s choosing a strategy and a strategic partner. SentinelOne provides that vision and strategy to help organizations deliver on the promise of XDR and protect the whole organization.

If you would like to learn more about SentinelOne Singularity XDR platform, contact us for more information or request a free demo.

About the Author

Mark Harris is a Cybersecurity advisor and former Senior Director Analyst at Gartner with over 25 years of experience. At Gartner Harris was the author of a variety of market shaping research for Endpoint Protection and EDR including the EPP Magic Quadrant and Critical Capabilities as well as Market Guides and research on ransomware and other threats.

From small to medium businesses to critical infrastructure entities, more organizations are relying on MSPs to monitor, manage, and safeguard their data. In May, the Five Eyes intelligence alliance published a joint cybersecurity advisory warning MSPs about their role in growing supply chain attacks. Cybersecurity authorities and law enforcement agencies from across the United States, United Kingdom, Canada, Australia, and New Zealand reported MSPs being the targets of increased cyber threats including supply chain attacks, ransomware, and nation-state cyber espionage campaigns.

MSP organizations make up a significant portion of the collective cyber defense industry. In this post, we outline key actions that MSPs should be taking to shore up their defenses to ensure they are keeping themselves, and by extension, their customers safe from increasingly advanced cyberattacks.

MSPs | A Springboard for Malicious Cyber Threats

Managed Service Providers (MSPs) got their start during the dot-com era of the late 1990s. What began as internet service providers (ISPs) offering their clients firewall appliances and the operative services to go along with them later kickstarted the concept of managed security services. With time, MSPs evolved to full security service providers supporting organizations globally. Small to medium sized organizations needing support to build up their cybersecurity posture have turned to MSPs for affordable, scalable solutions and expert protection.

Now, cybersecurity has become a necessity for businesses operating in today’s ever-changing landscape. Legacy solutions such as anti-virus and anti-malware can no longer stave off advanced threat actors who do not discriminate based on the size of a target. For many organizations, the task of building a strong cybersecurity defense with limited resources can be daunting. This is where MSPs have come in to support.

So what makes MSPs such an attractive target for modern threat actors? Advanced Persistent Threat (APT) groups have set their sights on MSPs’ provider-customer network access. Customers of MSPs depend on their providers to store their data, manage communication platforms, and support their IT infrastructure. Due to the access MSPs have to all of their customer’s networks, threat actors see MSP businesses as a single entry point to a variety of targets – not stopping their attack on the MSP’s customers, but oftentimes, attacking their customer’s customers, too.

The Inherent Risks of MSP’s Service Pillars

In general, MSPs provide continuous security monitoring and management services to the customers they serve. Most MSPs offer subscription-based service models allowing them to tailor the support to the specific needs of each customer. Many businesses choose to work with MSPs to augment the abilities of their own in-house IT teams, others seek support achieving 24/7/365 coverage, and many rely on access to cybersecurity experts to help them maintain and manage all aspects of a cyber ecosystem.

MSPs, at the core, provide the following cybersecurity-focused services:

• Continuous Intrusion Detection & Response
• Identity & Privilege Access Management
• Firewall Management & Monitoring
• Patch & Vulnerability Management
• Virtual Private Network (VPN) Management
• Risk Evaluation & Compliance Management
• Cybersecurity Expertise & Education

To provide these services, MSPs require their customers to provide them with privileged access to networks and trusted connectivity. With this in mind, threat actors capitalize on vulnerable MSPs rather than trying to target each of an MSP’s customers directly. After a successful breach, threat actors may also conduct cyber espionage on the MSP and its customers to prepare for future activities such as ransomware attacks and double extortion.

The Nature of Supply Chain Attacks

Cybercriminals are often opportunistic and always looking for ways to reach lucrative targets using the path of least resistance. Attacks against MSP businesses are emerging as cybercriminals leverage MSP’s intimate level of access to customer networks as an initial access vector. When one vulnerable service provider is successfully breached, suddenly all their downstream customers are at immediate risk of attack. The cascading effect on multiple victim networks is the defining risk of a supply chain attack. With the promise of greater rewards for less work, supply chain attacks will continue to be popular with cybercriminals.

Supply chain attacks have become more prevalent and made headlines by targeting critical infrastructure sectors globally in the last few years. As an extension to President Biden’s Executive Order on improving U.S. cybersecurity, the White House recently issued guidance on strengthening cybersecurity protections specifically combating supply chain attacks. The Executive Order was followed by a directive released by the National Institute of Standards and Technology (NIST) which outlines major security controls and practices for MSP adoption.

Key Defenses to Expect from MSP Businesses

With supply chain risks expected to continue, businesses turning to MSPs must ensure their providers put strategic safeguards in place to reduce these risks. MSPs are contractually obligated to ensure that their security architecture, governance, and capabilities are up to industry standards and need to regularly re-evaluate their cybersecurity strategy and processes to make sure they can meet recommended cybersecurity measures and controls.

1. Preventing Initial Compromise & Targeted Attacks

An MSP’s first step to preventing compromise is to harden vulnerable devices and remote access tools such as VPNs (virtual private networks). Vulnerability scanning is integral to this prevention as it helps MSPs protect their data as they continue to use their day-to-day software and web-facing applications. Targeted attacks such as password spraying, brute force attacks, and phishing campaigns can also be mitigated when MSPs shore up their internet-facing remote desktop (RDP) services.

2. Promoting Holistic Cyber Hygiene

MSPs should operate on cyber hygiene best practices to ensure the longevity of their operations. This means keeping internal tools and software up to date. Patching should be completed in a timely manner especially for firewall and VPN appliances.

MSPs should also establish app-based MFA for all devices and remote monitoring and management (RMM) tools and monitor often for failed login attempts – a typical sign of malicious activity.

Additionally, both the MSP and their customers should practice strict password management to ward off any malicious attempts at credential stuffing. Password management may include requirements for complexity, rotation, and expiration cycles.

3. Implementing a Zero Trust Model

The purpose of the zero trust model is to minimize the exposure of a network’s most sensitive data to unnecessary access. Each user is only given the level of access they require to perform their tasks. First, zero trust architecture requires all users and machines to authenticate before need-to-know permissions can be granted. Second, zero trust involves segmenting a network to isolate each part from the rest, making the entire network secure against threat actors attempting to spread laterally across systems.

4. Executing Proper Offboarding Procedures

IT offboarding entails the removal of obsolete accounts, instances, and tools should they no longer be required by a business. Accounts with shared passwords must be deleted, and in the case of employee transition, their user accounts will also need to be revoked. Port scanning tools and automated system inventories can help with the offboarding process as businesses perform regular audits on their network infrastructure.

5. Managing Regular Backups

Both MSPs and their customers should make sure they have redundant backup copies of all essential data and infrastructure such that the system or any part of it can be restored in the event of failure, loss or compromise. Backups should be stored remotely, either in the cloud or on a dedicated physical server. Best practices recommend both.

It is vital that backups are on separate systems, are encrypted, and frequently reviewed for anomalous access and data integrity. It’s also important to ensure that the backup policy is documented and that backups are made on a regular schedule.

As ransomware attacks evolve, many threat actors are exfiltrating their victim’s sensitive data in addition to encrypting it, ensuring they have additional leverage to collect the ransom demanded. This type of ransomware attack tactic is called double extortion and leaves the targeted MSP or client with the risk of having the stolen data published.

Triple extortion ransomware adds another element to the frenzy with the attackers directly approaching a victim’s clients or suppliers and demanding ransom from them as well. Their threat? Publication of their sensitive information and, increasingly, the launch of a Distributed-Denial-of-Service (DDoS) attack.

While backups are no longer enough to thwart ransomware attacks that exfiltrate and threaten to leak data, having regular backups means that businesses that have been hit by such attacks can still access data, carry out emergency communication processes, and implement their incident response plan, including resuming affected services.

6. Improving Internet of Things (IoT) Security

While the IoT industry has boomed in the past decade with internet and cloud-connected devices, the integration of smart devices to the workplace, and even smart vehicles and buildings, represents another risk factor. IoT devices suffer from a number of security issues, including known default passwords, outdated or vulnerable firmware, and public internet-facing ports. Further, IoT devices are often left unprotected as their restricted hardware resources are unsuitable for running endpoint security solutions. These extensions of a network could each become a potential access point for a threat actor to exploit. MSPs and their customers should ensure they implement network asset discovery to gain visibility into connected IoT devices and block those that are unauthorized.

7. Planning for Incident Response & Recovery

Having a clear, actionable plan in place in the case of a security event can determine how effectively a business responds to and recovers from cyber attack. Incident responses (IR) plans are crucial for building up cyber resilience and can help businesses identify the people, processes, and technologies that need to be bolstered. Plans should be practiced on a scheduled basis and updated often to ensure it is up to speed with current business requirements and newly-identified cyber attack trends.

8. Establishing 24/7 Autonomous Detection & Response

As threat actors continue to evolve and upgrade their methods of attack, MSPs need to establish an effective response strategy. In case of a security event, having a fast response time could mean the difference between breach and business continuity. MSPs often augment their in-house team with a robust detection and response solution to ensure the most efficient response time possible to protect their customers.

Conclusion

With the cyber threat landscape always in a state of flux and threat actors using increasingly sophisticated methods of attack, MSPs offer affordable and scalable protection to fit the needs of their customers. MSPs that base their security services on robust solutions such as XDR are able to prevent, detect, and respond to advanced persistent threats across their customer’s entire attack surface.

To effectively serve all its customers, MSPs globally have turned to SentinelOne’s Singularity Platform, allowing them to proactively resolve modern threats at machine speed. Learn how SentinelOne works with best-in-class security service providers to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more.

The Good

Good news this week from Meta (aka Facebook). The social media giant has taken down some 1600 accounts and disrupted a Russian disinformation campaign spread across 60 fraudulent news websites. The campaign, Meta says, spread fake stories and Russian propaganda regarding the war on Ukraine. The Facebook accounts were removed for what the company calls “coordinated inauthentic behavior”.

Meta says the operation began in May and centered around impersonating legitimate websites of news organizations including Der Spiegel, The Guardian and Bild. The fake sites used a technique known as “typosquatting” to mimic legitimate domain names such as theGuardian.com with fakes like Guardian[.]co[.]com. The fake news sites posted articles criticizing Ukraine and arguing that Western sanctions on Russia would backfire. The articles and related memes were then shared on the now-removed Facebook and Instagram accounts, as well as on Telegram and Twitter.

Notably, as known domains were taken down or blocked, the actors behind the campaign attempted to set up replacement websites, “suggesting persistence and continuous investment in this activity across the internet”, the report says. In some cases, the disinformation content was amplified through the Facebook Pages of a number of Russian embassies.

Mass online disinformation campaigns have now become a regular tool of nation-state actors, and it’s unlikely we’ll see a reversal of that trend anytime soon. Of the few remedies we have to protect civil society and informed discourse aside from public awareness is active countermeasures as we’ve seen Meta take this week. Well done to them.

The Bad

The APT group variously known as TA410, Witchetty and LookingFrog has been up to some new tricks involving steganography and malware hidden in an image of the old Windows flag logo.

According to researchers, a bitmap image of the Windows flag logo was hosted on Github and laced with code for a backdoor. Hosting the image on a trusted public service avoids suspicious traffic to an attacker’s C2 (Command & Control) server, and hiding the malware in an iconic image helps the payload to remain hidden from casual inspection.

The payload hidden in the image is decrypted with an XOR key and delivers a full-featured backdoor with the ability to move and delete files, start and stop processes, exfiltrate data and manipulate Windows Registry keys.

Researchers say the threat actors have been attacking targets in the Middle East, including at least one government agency, since February 2022. Initial compromise exploits the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing servers. The actors steal credentials by dumping the contents of LSASS from memory, and then pivot via lateral movement to install further malware on computers across the network.

Unfortunately, it remains the case that many organizations have still failed to patch against ProxyShell and ProxyLogon vulnerabilities, and until they do, they and their customers remain at high risk of compromise from both APT and cybercrime threat actors.

The Ugly

Speaking of ProxyShell and ProxyLogon, this week news broke of two new MS Exchange zero days that one researcher has dubbed ProxyNotShell. Microsoft confirmed the vulnerabilities shortly after as CVE-2022–41040 and CVE-2022–41082.

Starting a new thread for two Exchange zero days being exploited in the wild.

Calling it ProxyNotShell for details explained within, aka CVE-2022-41040 and CVE-2022-41082. #ProxyNotShell pic.twitter.com/Mzjm1qXtEA

— Kevin Beaumont (@GossiTheDog) September 30, 2022

ProxyNotShell uses the same path and Server-Side Request Forgery (SSRF)/Remote Code Execution (RCE) pair as the earlier ProxyShell. However, in this case the attacker needs to be authenticated to exploit the vulnerabilities – any valid non-admin email credentials will suffice. CVE-2022-41040 enables the authenticated attacker to remotely trigger CVE-2022-41082, which allows remote code execution when PowerShell is accessible.

Researchers spotted the vulnerability being exploited in the wild in August 2022 against critical infrastructure and other targets, although attribution at this time remains unknown.

The vulnerabilities impact organizations running on-prem Microsoft Exchange Server 2013, 2016, and 2019 and a public-facing Outlook Web App. It is estimated that worldwide there could be up to 250,000 Exchange servers vulnerable to ProxyNotShell. Microsoft says it is “working on an accelerated timeline to release a fix”. In the meantime, impacted organizations should follow the mitigation advice here.