Feature Spotlight | Combating Email Threats Through AI-Driven Defenses with Armorblox Integration

SentinelOne endeavors to protect enterprises from email-based attacks through a data-driven approach and autonomous security. To combat email threats, we are excited to announce our new integration with Armorblox, a disruptive API-based email security platform that uses artificial intelligence (AI), machine learning (ML), and natural language processing (NLP) to detect and prevent modern, advanced BEC attack vectors including vendor email compromise, executive email impersonation, payroll diversion fraud, credential phishing, and more. The integration is set to provide joint customers with enhanced investigation and response abilities.

Securing the Easy Ways In | Email Security for Enterprises

Email is a popular mode of communication, but it’s also a frequent target for cyberattacks. Targeted email attacks like Business Email Compromise (BEC), impersonation, account takeover, vendor fraud, and phishing attacks pose high financial risks to organizations of all sizes. Able to evade traditional security tools, email-based attacks work by targeting the human aspect of an enterprise and compromising legitimate accounts. As reported by the Armorblox 2022 Email Security Threat Report, the number of Business Email Compromise (BEC) attacks targeting organizations increased by 74% in 2021.

To compound the issue, threat actors leveraging BEC attacks are also exploiting the accelerated move by enterprises from on-prem to hybrid and cloud environments. Cloud environments are especially susceptible to threats such as phishing, credential stuffing, and password spraying. With these associated risks to consider, the need for robust email security is one of the foremost priorities for enterprises today.

An email security solution, designed to detect and neutralize these threats, is therefore an important part of any organization’s cybersecurity posture. However, as organizations adopt best-of-breed solutions for each attack vector, the average SOC has between 25 and 49 tools from 10+ vendors, resulting in operational complexity. Security operations teams are finding themselves inundated with alerts and struggle with managing too many point-specific tools that often do not integrate.

The lack of integrated tools has led to a decrease in efficiency for SOC teams, largely because data stays trapped within individual systems, reducing effectiveness and productivity across incident triage, investigation, and response. SecOps teams find themselves repetitively checking similar suspicious emails across mailboxes, meticulously inspecting headers and metadata, and manually triaging threats. These manual tasks end up being a huge time sink and leave teams with little bandwidth for the strategic projects they should be prioritizing.

Prioritization and investigation of threats have suffered, leaving organizations vulnerable to sophisticated attacks and data breaches. This has led to overworked analysts, disjointed infrastructure, and too many missed attacks.

A New Approach | Extended Detection & Response (XDR)

In response, enterprise security teams are turning to Extended Detection and Response (XDR) platforms. XDR presents a new approach featuring a single security platform that collects and correlates data from multiple security tools to provide a more comprehensive view of an organization’s security posture.

XDR can help reduce alert fatigue, speed up incident response times, and improve overall security operations. XDR also streamlines an organization’s security infrastructure by providing a centralized detection and response control plane that integrates with the different point tools in an organization’s environment, enabling SOC teams to be more efficient and effective in their jobs.

XDR platforms use automation to enrich the detection, triage, and investigation of incidents, freeing up human analysts to focus on more complex tasks. In addition, XDR platforms can also automate response procedures, helping security teams contain incidents before they cause significant damage. By automating key security operations tasks, XDR platforms can help security teams work more efficiently and effectively, protecting organizations from a wide range of threats.

Why XDR and Email?

As one of the most common enterprise attack vectors, email security is an important part of any XDR solution. Email solutions provide critical context about a user and their mailbox, helping answer how malicious files arrived on the endpoint. Email security solutions also sandbox attachments pre-delivery, offering a rich source of threat intelligence for improved detection. Through the sharing of intelligence from email and endpoint security solutions, analysts obtain increased visibility and context for threats that would not be addressed in a typical siloed security approach. This allows security teams to remediate and avert propagation, protecting the organization and reducing an incident turning into a full-scale breach.

Behavioral Protection for The Enterprise Attack Surface

The joint integration between SentinelOne and Armorblox presents best-of-breed, machine-learning-based XDR and email security to holistically address advanced attacks that may laterally move across an organization. SentinelOne’s industry-leading XDR platform and Armorblox’s email security platform bring two critical security infrastructures – emails and endpoints – together. It ensures that customers can prevent attacks, investigate hidden threats, and respond across these infrastructures with agility and precision.

“Armorblox pioneers natural language understanding to detect and prevent sophisticated threats, enabling organizations to stop BEC and other financial frauds,” said DJ Sampath, Cofounder and CEO, Armorblox. “Our integration with SentinelOne XDR platform brings unprecedented threat intelligence from email systems to automate investigation and response of threats.”

“Attackers are utilizing known vulnerabilities to compromise enterprise networks at a rapid pace,” said Raj Rajamani, Chief Product Officer, SentinelOne. “Our integration with Armorblox helps enterprises improve their security posture and minimize enterprise risk by improving detection with email intelligence, investigating threats by correlating incidents between email and endpoints, and automating response to file-based threats. With fewer tools, enterprises can better fortify and protect against every edge of the network.”

Armorblox’s behavioral-based protection provides SentinelOne with email-based indicators of compromise and threat enrichment. Within the SentinelOne management console, detected threats are enriched with actionable context to enable security teams to kill malicious processes or network quarantine endpoints across an ecosystem. Security teams gain access to an integrated view of multi-vector threats across an enterprise’s technology stack to simplify security operations.

Email Threat Intelligence Ingestion

Armorblox inspects an organization’s email traffic and uses machine learning (ML) models to analyze it for risks. It applies a set of risk scores across different dimensions such as phishing, malware, impersonation, and data exfiltration. These risk scores help analysts prioritize the investigation of incidents. Armorblox’s integrated sandbox quarantines suspicious email attachments to protect end users, while extracting file attributes and indicators of compromise (IOCs) from malicious files.

Armorblox provides the IOCs from email threats it detects to SentinelOne Singularity XDR. Within Singularity XDR, the IOCs can be used to create STAR™ (Storyline Active Response) rules for alerts and automated responses. These actions include killing processes and quarantining any files matching malicious hashes provided by Armorblox or network quarantining the endpoint.

Threat Enrichment | The SentinelOne & Armorblox Integration

SentinelOne’s Behavioral AI and Storyline™ context produce high-quality alerts that are enriched with user and email threat data from Armorblox. If a user has any contextually-related alerts in Armorblox such as clicking a phishing email, exfiltrating sensitive data, or sending malicious documents, the relevant information will be enriched in the threat’s XDR feed.

SentinelOne Singularity XDR console with Armorblox Enrichment
  • The SentinelOne and Armorblox integration is easily configurable for customers by sharing the appropriate API key.
  • Once the API connection is set up, Armorblox’s behavioral-based protection provides SentinelOne with email-based indicators of compromise and threat enrichment.
  • Within the SentinelOne console, detected threats are enriched with actionable context from Armorblox’s related user and threat details. As email-based indicators of compromise from Armorblox are fed into the console, SentinelOne is able to kill malicious processes or network quarantine endpoints across an ecosystem.

Conclusion

Many vendors in the security space use the phrase “powered by AI” but still require a human element in their monitoring and detection process. With the global decrease in cyber expertise, many enterprises’ in-house teams have found themselves increasingly overwhelmed when it comes to scaling up their protective services against advanced email-based attacks. By leveraging AI and ML-based solutions, teams can automate and orchestrate the handling of the immense amount of data entailed in email monitoring efforts.

Both SentinelOne and Armorblox are fully autonomous, leveraging the power of behavioral AI to ensure a cohesive view of networks, assets, and business-critical communications. With the SentinelOne and Armorblox integration, joint customers can now synchronize their security posture to stop threats across both endpoints and emails.

Learn how you can bring natural language-based techniques to XDR and enhance your security team’s abilities to detect, investigate and respond to threats by contacting us or booking a personalized demo today.

LABScon 2022 Event Highlights | Advancing Cybersecurity Research for Collective Digital Defense

Last week, SentinelLabs launched the very first LABScon with the purpose of challenging the boundaries of threat understanding as we know it today. From September 21 to 24, we connected world-class researchers with top leaders from the infosec industry to share cutting-edge cyber research and learn about new ideas, tools, techniques, and trends.

While the inaugural LABScon was a premier, invite-only event, SentinelLabs will be sharing many of the research papers and video recordings in the weeks ahead. In the meantime, here’s a snappy digest of the main events and research findings presented at LABScon 2022.

Cybersecurity’s Leading Voices on Sharing and Collaboration

Russia’s war on Ukraine has been a major concern across cybersecurity as elsewhere this year, and it was inevitably a topic many wanted to hear more about at LABScon. Award-winning investigative journalist Kim Zetter sat down with Dmitri Alperovitch, Executive Chairman of the Silverado Policy Accelerator and Co-founder & CTO of Crowdstrike, for an in-depth discussion of the war in Ukraine, the involvement of cyber, and parallels with a possible invasion of Taiwan.

LABScon also saw Morgan Adamski, Director of NSA’s Cyber Collaboration Center, deliver a keynote presentation sharing her views on the future of collaboration between researchers, vendors, and the public sector. By fostering collaborative relationships, the community can improve the way we secure the nation and co-create cybersecurity tradecraft, Morgan told the conference.

Morgan Adamski NSA at LABScon

Chris Krebs, Founding Partner of Krebs Stamos Group and the first Director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), drew on that experience to share in-the-trenches perspectives on modern cybersecurity and its associated government policies.

Mark Russinovich, CTO of Microsoft Azure and the founder of Sysinternals, talked tools, and presented the story of his seminal malware analysis toolkit from its inception to how it has transformed the current malware analysis and forensic investigation landscape. Mark took the opportunity to demo the latest version of Sysmon, 14.1, which has been enhanced in part to help foil Russian cyber activity in Ukraine.

Research & Discovery Highlights

LABScon is an intelligence-focused conference gathering together world-class security researchers to disseminate new ideas, findings, and the latest in threat hunting tools and techniques.

SentinelLabs’ own Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski introduced a previously unknown advanced threat actor dubbed ‘Metador’. This elusive adversary attacks high-value targets using novel malware frameworks and custom-built backdoors. Metador’s known targets include telecommunications, internet service providers, and universities.

Metador at LABScon

The researchers have published a blog post about Metador here.

In Tracking Militants On the Ground Through Online Information, Bellingcat’s Michael Sheldon presented his research on using open source intelligence (OSINT) techniques to track militant groups through the online presence of their members, official releases, and information released by third parties. These case studies show how OSINT has contributed to information collection processes on conflict actors. Michael’s engaging talk also won him the best speaker award at LABScon.

Black Lotus Labs is currently tracking an advanced campaign leveraging infected small office/home office (SOHO) routers. In Whose Router Is It Anyway?, Danny Adamitis revealed how the campaign had operated undetected for two years while targeting North American and European networks. Danny’s presentation detailed the discovery of the multistage remote access trojan (RAT), currently dubbed “ZuoRAT”, that has been pivoting into local networks and hijacking communications to gain access to additional systems on the LAN. For his efforts, Danny was also awarded “2nd Best Speaker” at LABScon.

In Demystifying Threats to Satellite Communications in Critical Infrastructure, MJ Emanuel delved into the fascinating world of satellite communications, an integral part of many industry control systems, and how their usage in critical infrastructure continues to be misunderstood by the industry. MJ’s session discussed how trust relationships between satellite provider ecosystems could be leveraged by a threat actor, and how attacks on these systems directly impact our critical infrastructure processes. Danny also nabbed third place in our Best Speaker awards.

APTs, and More APTs

Donald ‘Mac’ McCarthy highlighted a case study showing how a state-sponsored RAT was designed to receive its command and control (C2) via DNS CNAME records. His presentation, CNAME and Control | Open Source Context, examined the encoding and the detection methodology that uncovered the Chinese state actor’s attack on the Defense Industrial Base (DIB) and related entities.

In APT 42: Wild Kittens and Where to Find Them, Mandiant threat intelligence researchers Ashley Zaya and Emiel Haeghebaert teamed up to give a primer on APT42, a cluster of threat activity linked to the Iranian government. APT42 has focused on conducting credential theft operations against Western think tanks and academics, government officials, and high-profile individuals within Iran as well as in the United Kingdom, Israel, and the United States.

PwC lead researcher Kris McConkey delivered an exclusive exposé on Chinese-based advanced persistent threat actors in Chasing Shadows: The Rise of a Prolific Espionage Actor. The talk detailed the rise and operations of dominant players in the international corporate espionage world.

SentinelLabs’ own Tom Hegel rounded out the full day of talks on Thursday with new intel on a cyber mercenary group known as Void Balaur. Tom’s presentation, The Sprawling Infrastructure of Void Balaur, revealed how the hack-for-hire gang has been expanding its infrastructure and focusing on a wide variety of industries that have political interests tied to Russia. Void Balaur often makes use of multi-factor authentication ploys to seek access to email and social media accounts. Tom has published his research here.

A full list of all the research papers and participants appears on the LABScon home page.

Event Specials | Awards & Gala Highlights

At LABScon, bringing together the brightest minds of the industry also meant taking a few moments to recognize the incredible efforts being made to keep our community secure. First, we were pleased to award Dmitri Alperovitch with the SentinelLabs MVP award in recognition of his continuing work to advance cyber policy and education through his Silverado Policy Accelerator and Hopkins Alperovitch Institute initiatives.

SentinelLabs was also delighted to present a Lifetime Achievement award to Mark Russinovich for his work in furthering malware analysis understanding.

No Burnout Here

LABScon is about threat intelligence, knowledge, and sharing, but it’s also about community. Building and maintaining relationships across the infosec industry is an essential part of successfully defending and protecting everyone against cyber threats. At LABScon, we found some innovative ways to help everyone feel like part of the family and share in some fun.

From a cybercrime-themed gala party to epic swag, here’s a glimpse into the after-hours activities that went on after a hard day’s learning and sharing!

Why LABScon?

Security research events such as LABScon hold increasing significance in the infosec space. We hosted LABScon to provide a venue for advanced security collaboration and encourage practitioners, researchers and vendors alike to examine the threat landscape for what it is and then push past our current boundaries. Here’s what some of our guests thought about LABScon 2022:

And that’s a wrap on our very first LABScon event! SentinelOne would like to give a special thanks to all of our sponsors who helped make this very first LABScon event a successful one. LABScon 2022 was sponsored by Stairwell, Luta Security, Cisco Talos, GreyNoise, HP Wolf Security, Aesir, Binarly, Team Cymru, and ReversingLabs. We’ll see you next year! #LABScon23

Selected research papers from LABScon 2022 will be coming soon on SentinelLabs. Follow @LABScon to stay tuned!

Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto

Back in August, researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com. In this post, we review the details of this ongoing campaign and publish the latest indicators of compromise.

Coinbase Campaign Turns to Crypto.com

North-Korean linked APT threat actor Lazarus has been using lures for attractive job offers in a number of campaigns since at least 2020, including targeting aerospace and defense contractors in a campaign dubbed ‘Operation Dream Job’.

While those campaigns distributed Windows malware, macOS malware has been discovered using a similar tactic. Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends at ESET back in August 2022, with indications that the campaign dated back at least a year. Last week, SentinelOne observed variants of the malware using new lures for vacancies at Crypto.com.

Decoy document advertising positions on crypto.com

First Stage and Persistence

Although it is not clear at this stage how the malware is being distributed, earlier reports suggested that threat actors were attracting victims via targeted messaging on LinkedIn.

The first stage dropper is a Mach-O binary built from a template similar to the safarifontsagent binary used in the Coinbase variant. It creates a folder named “WifiPreference” in the user’s Library and drops a persistence agent at ~/Library/LaunchAgents/com.wifianalyticsagent.plist, which targets an executable in the WifiPreference folder called wifianalyticsagent.

Persistence agent com.wifianalyticsagent

The LaunchAgent uses the same label as in the Coinbase variant, namely iTunes_trush, but changes the target executable location and the agent file name. Analysis of the binary shows that these details are simply hardcoded in the startDaemon() function at compile time, and as such there are likely to be further variants extant or forthcoming.
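The persistence details above (the LaunchAgent file name, the iTunes_trush label, and an executable under ~/Library/WifiPreference) are exactly what a defender can sweep a LaunchAgents folder for. The Python below is an added example, not code from this post or from SentinelOne: the indicator values come from the post’s IOC list, the two plist bodies it parses are constructed for the example (they are not the samples’ real plists), and Label, Program, ProgramArguments, RunAtLoad and StartInterval are standard launchd keys.

```python
from __future__ import annotations

import plistlib
import sys
from pathlib import Path

# Indicator values below are taken from the post's IOC list.
IOC_PLIST_NAMES = {"com.wifianalyticsagent.plist"}
IOC_LABELS = {"iTunes_trush"}
IOC_FOLDER_FRAGMENT = "/Library/WifiPreference/"
IOC_BINARIES = {"wifianalyticsagent", "WifiCloudWidget", "WifiAnalyticsServ.app"}

# Constructed sample plists (not the real files): the first mirrors the
# post's description of the persistence agent, the second is an ordinary
# vendor updater that must not be flagged.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>iTunes_trush</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/victim/Library/WifiPreference/wifianalyticsagent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>Program</key>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <key>StartInterval</key>
    <integer>3600</integer>
</dict>
</plist>
"""


def agent_targets(agent: dict) -> list[str]:
    """Executables launchd would start for this job: Program and/or ProgramArguments[0]."""
    targets = []
    program = agent.get("Program")
    if isinstance(program, str):
        targets.append(program)
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        targets.append(args[0])
    return targets


def check_launch_agent(name: str, raw: bytes) -> list[str]:
    """Return a list of human-readable findings for one LaunchAgent plist (empty = clean)."""
    findings = []
    if name in IOC_PLIST_NAMES:
        findings.append(f"plist file name matches IOC: {name}")
    try:
        agent = plistlib.loads(raw)
    except Exception as exc:  # a LaunchAgent that is not a valid plist is itself worth a look
        findings.append(f"unparseable plist: {exc}")
        return findings
    if not isinstance(agent, dict):
        findings.append("plist root is not a dictionary")
        return findings
    label = agent.get("Label")
    if label in IOC_LABELS:
        findings.append(f"Label matches IOC: {label}")
    for target in agent_targets(agent):
        if IOC_FOLDER_FRAGMENT in target:
            findings.append(f"target lives in IOC folder: {target}")
        if Path(target).name in IOC_BINARIES:
            findings.append(f"target binary name matches IOC: {target}")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Check every .plist in a LaunchAgents folder; only files with findings are returned."""
    results = {}
    for plist_path in sorted(directory.glob("*.plist")):
        findings = check_launch_agent(plist_path.name, plist_path.read_bytes())
        if findings:
            results[plist_path.name] = findings
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 scan.py ~/Library/LaunchAgents
        for name, found in scan_launch_agents(Path(sys.argv[1]).expanduser()).items():
            print(name, found)
    else:  # offline demo over the constructed samples
        print(check_launch_agent("com.wifianalyticsagent.plist", SAMPLE_SUSPICIOUS))
        print(check_launch_agent("com.example.updater.plist", SAMPLE_BENIGN))
```

Matching on the Label, the target path and the plist file name separately matters because, as the post notes, these values are hardcoded at compile time and a later variant may change any one of them; a single combined signature would miss it.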

The startDaemon() function hardcodes the persistence agent details

The WifiPreference folder contains several other items, including the decoy document, Crypto.com_Job_Opportunities_2022_confidential.pdf.

The PDF is a 26-page dump of all vacancies at Crypto.com. Consistent with observations from the earlier campaign, the PDF was created with MS Word 2016 and is PDF version 1.5. The document author is listed as “UChan”.

The PDF decoy was created with MS Word 2016

The first stage malware opens the PDF decoy document and wipes the Terminal’s current savedState.

open '/Users/tritium/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf' && 
rm -rf '/Users/tritium/Library/Saved Application State/com.apple.Terminal.savedState'

The second stage in the Crypto.com variant is a bare-bones application bundle named “WifiAnalyticsServ.app”; this mirrors the same architecture seen in the Coinbase variant, which used a second stage called “FinderFontsUpdater.app”. The application uses the bundle identifier finder.fonts.extractor and has been in existence since at least 2021.

The main purpose of the second stage is to extract and execute the third-stage binary, wifianalyticsagent, which functions as a downloader from a C2 server. The Coinbase variant used the domain com.concrecaptial[.]com. In the Crypto.com sample, this has changed to market.contradecapital[.]com.

Hardcoded C2 in the third-stage downloader

The payload is written to the WifiPreference folder as WifiCloudWidget. Unfortunately, due to the C2 being offline when we analysed the sample, we were unable to retrieve the WifiCloudWidget payload.

The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets. The binaries are all universal Mach-O binaries capable of running on either Intel or Apple silicon (M1) machines, and are signed with an ad hoc signature, meaning that they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity.
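To make “universal Mach-O” concrete at triage time, the Python below parses the fat header of a universal binary and lists its architecture slices, checking that each slice’s own 64-bit Mach-O header agrees with its fat_arch entry. This is an added example, not code from this post or from SentinelOne; the sample binary it builds is constructed in code (headers only, no real code), and the parser does not look at code signatures, so it says nothing about ad hoc signing, which lives in the LC_CODE_SIGNATURE load command.

```python
import struct
import sys

FAT_MAGIC = 0xCAFEBABE        # fat_header.magic, stored big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF      # mach_header_64.magic, stored little-endian on Intel/ARM
CPU_TYPE_X86_64 = 0x01000007  # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C   # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")            # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")           # cputype, cpusubtype, offset, size, align
MACH_HEADER_64 = struct.Struct("<IIIIIIII")  # magic, cputype, cpusubtype, filetype,
                                             # ncmds, sizeofcmds, flags, reserved


def parse_universal(data: bytes) -> list:
    """Return one dict per architecture slice of a universal Mach-O, or [] if not a fat file."""
    if len(data) < FAT_HEADER.size:
        return []
    magic, nfat = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        return []  # thin Mach-O or something else entirely
    slices = []
    for i in range(nfat):
        entry_off = FAT_HEADER.size + i * FAT_ARCH.size
        if entry_off + FAT_ARCH.size > len(data):
            raise ValueError("fat_arch table runs past the end of the file")
        cputype, _cpusubtype, offset, size, _align = FAT_ARCH.unpack_from(data, entry_off)
        if size < MACH_HEADER_64.size or offset + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        # Cross-check the slice's own header against the table entry: a mismatch
        # means a corrupted or hand-crafted fat file.
        slice_magic, slice_cpu = MACH_HEADER_64.unpack_from(data, offset)[:2]
        slices.append({
            "arch": CPU_NAMES.get(cputype, hex(cputype)),
            "offset": offset,
            "size": size,
            "valid": slice_magic == MH_MAGIC_64 and slice_cpu == cputype,
        })
    return slices


def build_sample_universal() -> bytes:
    """Constructed two-slice universal file for the demo: valid headers, no code."""
    arches = [CPU_TYPE_X86_64, CPU_TYPE_ARM64]
    slice_size = 0x100
    first_offset = 0x1000  # lipo aligns slices to 2**12 bytes
    out = bytearray(first_offset * len(arches) + slice_size)
    out[:FAT_HEADER.size] = FAT_HEADER.pack(FAT_MAGIC, len(arches))
    for i, cpu in enumerate(arches):
        offset = first_offset * (i + 1)
        FAT_ARCH.pack_into(out, FAT_HEADER.size + i * FAT_ARCH.size, cpu, 0, offset, slice_size, 12)
        # filetype 2 = MH_EXECUTE; remaining fields left zero for the demo
        MACH_HEADER_64.pack_into(out, offset, MH_MAGIC_64, cpu, 0, 2, 0, 0, 0, 0)
    return bytes(out)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_universal()
    for s in parse_universal(blob) or [{"arch": "not a fat binary"}]:
        print(s)
```

Run it with a file path to inspect a real binary; with no argument it parses the constructed sample and reports an x86_64 and an arm64 slice. A binary that parses as thin (no fat header) is not less suspicious, it simply targets one architecture.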

The wifianalyticsagent sample passes Gatekeeper with an ‘ad hoc’ signature

Staying Protected Against Lazarus Malware

SentinelOne customers are protected against the malware variants used in this campaign. For those not currently protected by SentinelOne, security teams and administrators are urged to review the indicators of compromise at the end of this post.

Conclusion

The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges. This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.

Indicators of Compromise

SHA1                                       Name/Description
57684cc460d4fc202b8a33870630414b3bbfafc    1st Stage, xxx
65b7091af6279cf0e426a7b9bdc4591679420380   Crypto.com_Job_Opportunities_2022_confidential.pdf
1f0f9020f72aa5a38a89ffd6cd000ed8a2b49edc   2nd Stage, WifiAnalyticsServ
1b32f332e7fc91252181f0626da05ae989095d71   3rd Stage, wifianalyticsagent

Communications
market.contradecapital[.]com

Persistence
~/Library/LaunchAgents/com.wifianalyticsagent.plist

File paths

~/Library/WifiPreference/WifiAnalyticsServ.app
~/Library/WifiPreference/WifiCloudWidget
~/Library/WifiPreference/wifianalyticsagent
~/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf

Labels and Bundle Identifiers
iTunes_trush
finder.fonts.extractor

Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S.

A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019.

On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.

A native of Omsk, Russia, Kloster came into focus after KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Kloster’s personal blog, which featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world.” Kloster’s blog even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

The Bulgarian news outlet 24Chasa.bg reports that Kloster was arrested in June at a co-working space in the southwestern ski resort town of Bansko, and that the accused asked to be handed over to the American authorities.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in an American court.”

Launched in 2013, RSOCKS was shut down in June 2022 as part of an international investigation into the cybercrime service. According to the Justice Department, the RSOCKS botnet initially targeted Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers; later in its existence, the RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers.

The Justice Department’s June 2022 statement about that takedown cited a search warrant from the U.S. Attorney’s Office for the Southern District of California, which also was named by Bulgarian news outlets this month as the source of Kloster’s arrest warrant.

When asked about the existence of an arrest warrant or criminal charges against Kloster, a spokesperson for the Southern District said, “no comment.”

Update, Sept. 24, 9:00 a.m. ET: Kloster was named in a 2019 indictment (PDF) unsealed Sept. 23 by the Southern District court.

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

24Chasa said the defendant’s surname is Emelyantsev and that he only recently adopted the last name Kloster, which is his mother’s maiden name.

As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010.

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, the defendant in this case probably knows quite a bit about other top players in the botnet spam and malware community.

A Google-translated version of the Rusdot spam forum.

Despite maintaining his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.

“America is looking for me because I have enormous information and they need it,” Kloster told the court, according to 24Chasa. “That’s why they want me.”

The Bulgarian court agreed, and granted his extradition. Kloster’s fiancee also attended the extradition hearing, and reportedly wept in the hall outside the entire time.

Kloster turned 36 while awaiting his extradition hearing, and may soon be facing charges that carry punishments of up to 20 years in prison.

The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good

This week saw the inaugural LABScon – a security conference intent on fostering the advancement of cybersecurity research to build a stronger collective digital defense. LABScon is hosted by SentinelLabs, the research arm of SentinelOne, with the aim of bringing together researchers and experts from across the industry to share and disseminate critical threat intelligence and knowledge.

The multi-day event featured talks from prominent infosec voices including Mark Russinovich (Microsoft Azure), Chris Krebs (Krebs Stamos Group), Dmitri Alperovitch (Silverado Policy Accelerator), and Thomas Rid (Alperovitch Institute), among others.

On the second day of the event, SentinelLabs researchers revealed their discovery of a previously unknown advanced threat actor. Dubbed ‘Metador’, the shady group attacks high-value targets in the telecoms, networking, and education sectors using novel malware frameworks and custom-built backdoors.

The researchers said that the advanced nature of the actor’s toolset was difficult to detect and challenging to reverse engineer, warning that we have likely only seen the tip of the iceberg of intrusions attributable to Metador. Describing the group as the “1%ers” in reference to their elite status, the researchers called on the infosec community to review their telemetry and collaborate on learning more about this new adversary.

Security research events such as LABScon are significant in the infosec space as they provide a venue for advanced security collaboration and encourage practitioners, researchers and vendors alike to push the envelope of threat landscape understanding.

The Bad

This week, New York emergency response and ambulance service provider, Empress EMS, disclosed a ransomware attack resulting in the exfiltration of sensitive patient files.

As the files contained protected health information (PHI) like patient names, insurance information, and social security numbers, Empress EMS has reached out to affected individuals offering credit monitoring services and recommending that they review their healthcare statements for any discrepancies regarding charged services. Investigations report that the breach and encryption were followed by double-extortion efforts.

Through the HITECH Act, the U.S. Department of Health and Human Services (HHS) must publish breaches involving unsecured PHI affecting 500 or more individuals. So far, the Empress breach has affected 318,558 individuals.

While Empress EMS did not disclose the identity of the hackers that infiltrated their systems, the report points to the Hive ransomware group having published their victim’s data in late July. The breach unfortunately comes right on the heels of a warning issued just this April by the HHS about Hive’s aggressive, financially-motivated attacks disproportionately targeting healthcare organizations.

So, what happens when emergency services have their own emergencies? The question is a brutal one, throwing the reality of cyberattacks on healthcare into stark relief. When medical services and practitioners are impeded by cyberattacks, it’s people’s lives on the line. As the industry further digitizes its health record management, clinical support, prescription and dispensing, telemedicine, and health surveillance systems, healthcare providers will need to establish robust cybersecurity solutions to safeguard their increasingly complex data environments.

The Ugly

Once in a while, cybercriminals have to contend with the trouble of insider threats, too. News came out this week detailing a data leak coming from “an allegedly disgruntled developer” within the LockBit ransomware operation itself.

The “developer” leaked a builder for the newest version of the LockBit encryptor, which had been tested and launched in June and boasted new anti-analysis features, a ransomware bug bounty program, and all-new methods for encryption.

Reports noted that VX-Underground was given a copy of the builder and communicated directly with a public representative of LockBit operations. The representative denied that LockBit had been hacked, claiming rather that a disgruntled developer who was unhappy with the group’s leadership chose to leak the builder.

The ramifications of this leak will be fairly severe for the LockBit gang as competing threat actors will seek to leverage the builder to launch their own attacks. Worse for the rest of us, the new encryptor enables anyone with the code to build and launch their own ransomware operations as it includes the encryptor, decryptor, and specialized hacking tools needed for a threat campaign. Reports show that the builder allows any user to customize a ransomware campaign to their exact needs and link a ransom note directly to their own hacking infrastructure.

News of this insider leak offers yet another peek into the inner workings of cyber criminal enterprises, the last major incident in this vein occurring early this February when sixty thousand of Conti group’s chat messages were exposed. Ransomware operations closely resemble many professional establishments in having product testing processes, bug bounty programs, and even dealing with acts of vengeful employees through public relations representatives.

The rise of Ransomware-as-a-Service (RaaS) groups shows the alarming advancement and professionalization of cybercriminals. As low and medium-level threat actors increasingly turn to RaaS groups to launch complex campaigns, robust cybersecurity solutions are no longer a nice-to-have for organizations – they’re an absolute necessity.

Investing in Tomorrow | Why We Started S Ventures

Today, we are excited to launch S Ventures, a $100M fund investing in the next generation of category-defining security and data companies.

Tomer Weingarten co-founded SentinelOne nearly ten years ago with the premise that the cybersecurity challenges facing the world could only be solved through the power of data and AI. With data and AI, we gain new insights and more intelligent approaches to accomplishing the day-to-day tasks that limit the potential of security and IT teams. Tomer and the greater SentinelOne team saw our role as more than just a technology vendor, but a force for good within cybersecurity. We remain a founder-led business, and our approach to security has led to us becoming one of the fastest-growing public software companies on the market.

We’ve also seen how AI and data empower security and adjacent disciplines; our DataSet product, originating from our acquisition of Scalyr in 2021, is the backend infrastructure powering ingestion, investigation, and analytics capabilities in our Singularity XDR platform. We’ve also externalized this technology to help DevOps, engineering, and IT teams solve the same data use cases we did.

As we look ahead to the next decade and beyond, we see the potential for AI and data to be applied to many challenges – this drives the need to build an entirely new ecosystem of companies. With a significant part of SentinelOne’s success a result of our partner-first approach to the business, we believe we can take this one step further to innovate beyond our own four walls.

Our initial portfolio companies share our mission to tackle enterprise-level challenges with innovative, intelligent approaches:

  • Torq accelerates complex threat response workflows through a no-code security automation platform
  • Laminar delivers a cloud data security platform that discovers, protects, secures, and monitors sensitive data in everything built and run in the cloud
  • Armorblox combats email threats and email data loss using natural language processing and AI
  • Noetic Cyber provides teams with unified visibility and actionable insights into the security posture of all assets across cloud and on-premises systems

SentinelOne has forged the journey from startup to hypergrowth, and we are now looking to leverage this experience in providing valuable help to companies and founders charting their own paths today.

Some of the value we will offer through S Ventures includes:

  • Access to SentinelOne experts and leaders – lessons from building and running a hypergrowth company, being on the front lines of security, and building data platforms that solve real customer pain points
  • Enhanced exposure across the SentinelOne ecosystem – CISOs, customers, and partners
  • Product integration and GTM enablement – through the Singularity Marketplace and access to the DataSet platform to build and grow data-intensive products

Our motto is to be a “force for good” for our customers, employees, shareholders, partners, and society. With S Ventures, we want to be a force multiplier in helping establish, guide, and scale an entirely new generation of security and data companies.

To learn more about S Ventures, visit us here.


SIM Swapper Abducted, Beaten, Held for $200k Ransom

A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities.

The SIM-swapper known as “Foreshadow” pleading for his life.

The grisly kidnapping video has been circulating on a number of Telegram chat channels dedicated to SIM-swapping — the practice of tricking or bribing mobile phone store employees into diverting a target’s phone number, text messages and calls to a device the attackers control.

The teen, known to the SIM-swapping community by the handle “Foreshadow,” appears to have served as a “holder” — a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: Physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams.

“Yo, Dan, please bro send the 200k,” Foreshadow said in the video, which was shot on Sept. 15 in the backseat of a moving car. Bleeding from a swollen mouth with two handguns pointed at his head, Foreshadow pleaded for his life.

“They’re going to kill me if you don’t,” Foreshadow continued, offering to get a job as a complicit mobile store employee or “plug” to help with future SIM-swaps. “I’ll pay you back. Just let me know what you need. I got you, for real. Any work for free. Whatever. However long you need me, too. I’ll apply to any store you need me to apply to. I can be a plug. I don’t care if I get caught by the cops or anything. I’ll get that money back for you. I used to do that work.”

It’s not clear where in the world the hostage video was recorded. But at one point in the video, the vehicle’s radio can be heard in the background mentioning WMIB, which is a hip-hop station in South Florida that serves both Ft. Lauderdale and Miami.

As Foreshadow’s hostage video began making the rounds on SIM-swapping Telegram channels, a rumor surfaced that Foreshadow had died after being shot in the leg. It soon emerged that Foreshadow had not died, and that he was cooperating with the Federal Bureau of Investigation (FBI). Members of the SIM-swapping community were then warned to delete any messages to or from Foreshadow. One of those messages read:

JUST IN: FORESHADOW IS NOT DEAD!!!!

HES CURRENTLY CO-OPERATING WITH THE FBI DUE TO HIM BEING KIDNAPPED AND AN ATTEMPT TO EXTORT HIM FOR 200K

IF YOU HAVE CHATS WITH HIM CLEAR THEM

Foreshadow appears to be a teenager from Florida whose first name is Justin. Foreshadow’s main Telegram account was converted from a user profile into a channel on Sept. 15 — the same day he was assaulted and kidnapped — and it is not currently responding to messages.

Foreshadow’s erstwhile boss Jarik told KrebsOnSecurity that the youth was indeed shot by his captors, and blamed the kidnapping on a rival SIM-swapper from Australia who was angry over getting shortchanged of the profits from a previous SIM-swapping escapade.

The FBI did not immediately respond to requests for comment.

Foreshadow’s experience is the latest example of a rapidly escalating cycle of physical violence that is taking hold of criminal SIM-swapping communities online. Earlier this month, KrebsOnSecurity detailed how multiple SIM-swapping Telegram channels are now replete with “violence-as-a-service” offerings, wherein denizens of the underground hire themselves out to perform various forms of physical violence — from slashing tires and throwing a brick through someone’s window, to conducting drive-by shootings, firebombings and home invasions.

On Aug. 12, 2022, 21-year-old Patrick McGovern-Allen of Egg Harbor Township, N.J. was arrested by the FBI and charged with stalking in connection with several of these violence-as-a-service jobs. Prosecutors say the defendant fired a handgun into a Pennsylvania home, and helped to torch another residence in the state with a Molotov Cocktail — all allegedly in service of a beef over stolen cryptocurrency.

Earlier this month, three men in the United Kingdom were arrested for attempting to assault a local man and steal his virtual currencies. The local man’s neighbor called the cops and said the three men were acting suspiciously and that one of them was wearing a police uniform. U.K. police stopped the three men allegedly fleeing the scene, and found a police uniform and weapons in the trunk of the car. All three defendants in that case were charged with “intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”

Dina Temple-Raston and Sean Powers over at The Record recently interviewed several members of the SIM-swapping community about this escalation in violence. That story is also available on the Click Here podcast — Throwing Bricks for $$$: Violence-as-a-Service Comes of Age.

CISO Wins | A 5-Phase Ramp up Strategy for Success on a New Job

At the helm of a business’s overarching security strategy is their Chief Information Security Officer – a key C-suite role responsible for assessing, planning, and maintaining the safety and digital growth of the enterprise. With the surge of cyberattacks across all industry verticals, more businesses are hiring CISOs to help step up their offense and defense against threat actors.

CISOs ensure the safety and continuity of a business’s operations and data. CISOs are constantly reevaluating their strategy based on the fluctuations of the threat landscape and, in tandem, adjusting how the business monitors and responds to potential attacks. With such work ahead and so many facets of cybersecurity to consider, new CISOs joining a business need to have a plan in place so they can maximize their resources and effectiveness.

The cybersecurity domain is a vast one, so having the right ramp-up strategy can help a new CISO identify main priorities and get started on achieving their goals. For CISOs joining a business, the first three months are significant in establishing credibility as well as a path forward for the business’s security posture. This post outlines a ramp-up strategy structured in five key phases CISOs can use to ensure their first 90 days are successful.

1. Discover | Get to Know the Organization and People

New CISOs on the job will seek to understand their company, identify key subject matter experts, and most critically, take time to listen to and learn from those they speak with. Intel is a new CISO’s best friend – the more information collected about the company, the better. To perform a valuable discovery, CISOs may ask questions like:

  • What cybersecurity processes, technology, and teams exist? Where does the cybersecurity program stand, if it exists?
  • What cybersecurity-related challenges does the company face currently? Are the roadblocks or reasons for these challenges identifiable? What is the frequency and/or scale of these challenges?
  • What is business critical and must be protected first? This may include intellectual property, customer databases, how revenue is generated, and critical project data that fall under regulatory compliance controls.

Each business is going to have a unique mission, vision, and industry-specific security requirements that need to be taken into consideration by a new CISO. Most of the discovery phase will require CISOs to get to know the security leaders and teams. By holding interviews with these key roles, a new CISO can start to understand where the company stands in terms of its overall cybersecurity strategy, learn about the security culture of the company, and develop the scope and expectations of their work.

This ensures stakeholders, leadership, and security staff all see what the tenure of the CISO will look like going forward. Building these relationships early in the onboarding process is invaluable to creating trust and establishing a new CISO’s personal commitment and identification with the business’s security values.

2. Assess | Identify and Measure Processes, Gaps, and Opportunities

In the assessment phase, things will get much more granular for a new CISO. This is when CISOs will need to start understanding the current maturity of the company’s security strategy and identify what is and isn’t working in terms of people, process, and technology. Typically, new CISOs will conduct formal security assessments to measure and review:

  • Strengths and gaps in the current strategy and security program activities
  • What industry and business-specific risks exist and how they are currently being avoided, transferred, mitigated, or accepted
  • Any captured metrics showing data security and privacy practices that are tied to the company’s goals and objectives
  • Tools and solutions in use, what the company’s security tech covers, and how well they are deployed and managed
  • Past performance and responsiveness to cyber incidents, recorded benchmarks, and any incident response or business continuity plans

When it comes to understanding the organization’s attack surface, CISOs often employ inventory discovery tools capable of scanning entire networks to locate connected IoT devices as well as protected and unprotected endpoints. Tools like this enable a new CISO to work efficiently to start reducing risk – a core responsibility linked to most companies’ business goals.

The other aspect for new CISOs to consider in the assessment phase is to take note of recent threat intel gathered by the cybersecurity community. A new CISO will take into consideration new and developing cyber breaches, global and industry-specific threat trends, documented tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), zero-day vulnerabilities, and attack patterns to inform their initial security assessment.

3. Plan | Build the Plan and Prioritize the Goals

After conducting their own security assessment and analyzing the data, a new CISO’s next step will be to draft the strategy or upgrade an existing one based on their findings. A holistic cybersecurity strategy typically showcases:

  • A detailed analysis of findings based on data gathered in the assessment phase. This may include year-over-year statistics, security metrics and how they are related to business objectives, as well as overviews describing both sufficient and insufficient areas of the existing security strategy.
  • A roadmap including both short-term goals and long-term initiatives. Short-term goals will focus on areas of security that most urgently need to be addressed or remediated. Goals and projects on the roadmap will be accompanied by measurable outcomes, metrics, and a budget.

CISOs lead the business’s security program by developing and deploying company-wide initiatives that firm up policy frameworks and help spread awareness about the importance of secure work practices. New CISOs coming into a business will usually frame their initiatives around the company’s overall goals. This may include, but is not limited to:

  • Improving the customer’s experience – When customers engage with businesses, they trust that their user data and digital records will be secured and handled appropriately. CISOs need to build their strategy with customer needs in mind and ensure that transactions and data management and storage are in line with industry-specific compliance requirements.
  • Increasing operational efficiency – Businesses will rely on their new CISO to keep up with new, leading-edge technologies and solutions that may help with automating operations and staying ahead of cyberthreats. CISOs are also expected to embed incoming cyber intelligence into the rolling strategy, keeping the latest threat vectors, attacks, and cyber trends at the forefront of planning efforts.
  • Driving growth – CISOs play a significant part in driving consistent business growth. When the business builds cyber resilience and has strong defenses in place, it can focus on other areas of operation. CISOs help their business embrace digital adoption to safeguard networks and sensitive customer and employee data. Any policies, frameworks, and technology a new CISO implements should support other business units in working more efficiently and safely.
  • Reducing risk – Threat intelligence helps build secure operations. When developing a new cybersecurity strategy, CISOs will need to factor incoming threat intelligence into their risk management plans and install the right defenses needed for the business to continue operating successfully in the age of hyper connectivity.

A crucial part of this phase is communicating the proposed strategy to stakeholders and obtaining buy-in and agreement on the priorities identified. The strategy’s direction and goals, as well as headcount, financial requirements, and schedule, will need to be approved by the business’s leadership before it is rolled out to the rest of the security directors and managers.

4. Execute | Measure and Communicate Progress and Wins

Successful execution of the new CISO’s cybersecurity strategy requires consistent measurement of the baseline metrics approved in the planning phase. CISOs will lead the effort in setting clear expectations, capturing accurate metrics, and demonstrating progress towards the goals and initiatives.

Regular reporting is a key responsibility new CISOs will need to meet. Reporting should show a portfolio of security metrics and status updates on the development towards all goals on the roadmap. Reports will show evidence of the strategy’s success and highlight any recent wins and emerging challenges while providing an explanation of the tactics or technology used to address obstacles.

As the security landscape evolves, CISOs will also need to adjust their roadmaps at regular intervals and communicate changes to both stakeholders and security initiative leaders. Long-term goals on roadmaps are often subject to changes in business objectives, budget, and both internal and external factors.

5. Maintain | Review the Plan and Iterate for the Future

New CISOs manage their resources to focus on tangible accomplishments – more initial success early in their tenure builds credibility, leading to more buy-in from stakeholders and adoption by directors and managers. This is the positive cycle for improving the security posture across the business. Often, information security is assigned as a responsibility of a few security leads, which creates gaps in knowledge across a business’s various departments. Security is a shared responsibility across all employees in an organization, with the CISO upholding regular awareness campaigns and building support systems.

Once the strategy is put into motion, a new CISO can start to focus on keeping the security of the business as agile as possible. As cyber trends continue to fluctuate and new intel comes in, new CISOs must evolve their plans to meet future requirements of the business. New intel and research give rise to opportunities for improvement and the CISO will spearhead the effort in making the business more adaptable and responsive to the ever-changing threat landscape.

A significant part of this evolution includes enhancing the in-house security team and technology. CISOs will work with other parts of the business to ensure that new hires and promotions are in alignment with the growing cybersecurity strategy and that an appropriate training and ongoing cyber education program is in place to support the growing team.

Conclusion

Chief Information Security Officers are a critical pillar in a business’s defenses. New CISOs transitioning into an organization will have a lot to account for, even if there is already a cybersecurity strategy or program in place. Having a set of clearly defined steps can help new CISOs plan and execute their work in a streamlined manner and make best use of the first 90 days of their tenure.

The ramp-up strategy described above can help new CISOs move their company towards a stronger security posture. The five key phases – discover, assess, plan, execute, and maintain – serve as a broad outline that newly appointed CISOs can use to start planning and executing on their vision for security. For more in-depth guidance, SentinelOne offers free ebooks for new CISOs including 90 Days | A CISO’s Journey to Impact – Define Your Role and 90 Days | A CISO’s Journey to Impact – How to Drive Success.

CISOs around the globe have partnered with SentinelOne to augment their security vision and safeguard their critical data. As new CISOs begin to pursue security resilience, shore up urgent vulnerabilities, and implement long-term initiatives such as endpoint protection, cloud security, detection and response capabilities and more, SentinelOne’s industry experts are on hand to assist CISOs as they stand up their new strategies. Contact us for more information, or sign up for a demo today.


Botched Crypto Mugging Lands Three U.K. Men in Jail

Three men in the United Kingdom were arrested this month for attempting to assault a local man and steal his virtual currencies. The incident is the latest example of how certain cybercriminal communities are increasingly turning to physical violence to settle scores and disputes.

Shortly after 11 p.m. on September 6, a resident in the Spalding Common area in the district of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence.

“The three men made off in a VW Golf and were shortly stopped nearby,” reads a statement by the Lincolnshire Police. “The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot.”

Thomas Green, 23, Rayhan Miah, 23, and Leonardo Sapiano, 24 were all charged with possession of the weapons, and “with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”

KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts.

Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police uniform when they approached his residence.

“They were obvious about being fake police, so much so that one of our neighbours called,” Discoli said in an instant message chat. “That call led to the arrests. Their intent was for robbery/blackmail of crypto, I just happened to not be home at the time.”

The Lincolnshire Police declined to comment for this story, citing an ongoing investigation.

Discoli said he didn’t know any of the men charged, but believes they were hired by one of his enemies. And he said his would-be assailants didn’t just target him specifically.

“They had a list of people they wanted to hit consecutively as far as I know,” he said.

The foiled robbery is the latest drama tied to members of certain criminal hacking communities who are targeting one another with physical violence, by making a standing offer to pay thousands of dollars to anyone in the target’s region who agrees to carry out the assaults.

Last month, a 21-year-old New Jersey man was arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals.

Prosecutors say Patrick McGovern-Allen recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.

McGovern-Allen and the three U.K. defendants are part of an online community that is at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups to steal cryptocurrency from one another and to keep their rivals in check.

The Telegram chat channels where these young men transact have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window. Indeed, prior to McGovern-Allen’s arrest, his alleged Telegram persona bragged that he’d carried out several brickings for hire.

Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in Telegram chat channels focused singularly on SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.

Unsurprisingly, the vast majority of people currently being targeted for brickings and other real-life physical assaults via Telegram tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).

The United Kingdom is home to a number of young men accused of stealing millions of dollars worth of cryptocurrencies via SIM swapping. Joseph James O’Connor, a.k.a. “Plugwalk Joe”, was arrested in Spain in July 2021 under an FBI warrant on 10 counts of offenses related to unauthorized computer access and cyber bullying. U.S. investigators say O’Connor also played a central role in the 2020 intrusion at Twitter, wherein Twitter accounts for top celebrities and public figures were forced to tweet out links to cryptocurrency scams. O’Connor is currently fighting extradition to the United States.

Robert Lewis Barr, a 25-year-old Scottish man who allegedly stole more than $8 million worth of crypto, was arrested on an FBI warrant last year and is also fighting his extradition. U.S. investigators say Barr SIM swapped a U.S. bitcoin broker in 2017, and that he spent much of the stolen funds throwing lavish parties at rented luxury apartments in central Glasgow.

In many ways, these violence-as-a-service incidents are a natural extension of “swatting,” wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address. According to prosecutors, both Barr and O’Connor have a history of swatting their enemies and their SIM swapping victims.

The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good

This week, ten individuals and two entities were sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) for their roles in a variety of malicious cyber acts, including ransomware activity. The individuals are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and tracked under a number of threat actor names, including TunnelVision and APT 35.

The individuals and entities have been responsible for a number of campaigns throughout 2021, targeting and compromising U.S.-based transportation providers, healthcare practices, emergency service providers, and educational institutions. The sanctioned cyber actors were observed exploiting Microsoft Exchange vulnerabilities such as ProxyShell to attack and disrupt the services of an electric utility company, among others.

The IRGC-affiliated group comprises employees and associates of Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System), OFAC said. The ten individuals were named as “Mansour, Ali Ahmadi, Mohammad Ahmadi, Mahdavi, Rashidi, Khatibi, Nikaein, Mostafa, Mojtaba, and Shakeri”.

Three of the ten sanctioned individuals – Mansour, Khatibi, and Nikaein – have also been indicted for violating the Computer Fraud and Abuse Act (CFAA) and conspiring to violate the CFAA. A reward of up to $10 million is being offered for information leading to their identification or location.

The Bad

North Korean threat actor Lazarus has been up to its old tricks again in a continuation of its Operation Dream Job campaign, first observed in 2020. Now, the threat actors are using a trojanized version of the PuTTY SSH client to infect victims who fall for a fake Amazon job assessment.

The original Operation Dream Job campaign lured unsuspecting employees of prominent U.S. defense and aerospace companies with fake job offers in an attempt to install backdoors and spyware. Now, researchers have discovered that the Lazarus group’s latest ruse is to send emails to targets with a lucrative job offer at Amazon. The respondents then chat with the attackers via WhatsApp, where they are requested to take an assessment test and to download an ISO file called amazon_assessment.iso.

The .iso file includes a “readme.txt” with an IP address, login credentials and a PuTTY.exe executable. The executable contains a working version of the open-source SSH console application but has also been modified to infect the victim with a Themida-packed DLL. The malicious DLL contains shellcode that results in opening a backdoor on the victim’s device to allow the attackers to conduct espionage and other malicious activities. The backdoor is configured with three C2 URLs:

hxxps://hurricanepub[.]com/include/include.php
hxxps://turnscor[.]com/wp-includes/contacts.php
hxxps://www.elite4print[.]com/support/support.asp

It is not known at this point how widespread the campaign is, but further details and IoCs are available here.

The Ugly

This week’s Patch Tuesday was notable for more than the usual fixes of zero days and other Microsoft bugs, with MSFT revealing that this year the company had patched 1000 CVEs already, reaching “a sizable milestone for the calendar year” and a stark reminder of just how big an attack surface the OS vendor’s sprawling suite of products provides. Also notable was what was not patched: a bug in Microsoft Teams desktop client that allows attackers to access authentication tokens and accounts with multi-factor authentication (MFA) turned on.

The Teams vulnerability is present on Windows, Linux and macOS. It stems from the fact that Teams stores user authentication tokens in clear text on the user’s local drive, in locations that are not protected by user access controls or, on macOS, by TCC. That means the tokens can be read not just by someone with access to the machine but by other processes, including malicious ones, running as the same user.

The locations for each platform are:

Windows

%AppData%\Microsoft\Teams\Cookies
%AppData%\Microsoft\Teams\Local Storage\leveldb

Linux

~/.config/Microsoft/Microsoft Teams/Cookies
~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb

macOS

~/Library/Application Support/Microsoft/Teams/Cookies
~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb

Researchers discovered that these locations contain valid authentication tokens, account information, session data, and marketing tags. Info-stealing malware can scrape these and use them to log in remotely, bypassing MFA and gaining full access to the user’s account.
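While the files stay in cleartext, one practical defensive measure is to watch the read side from endpoint file-access telemetry. The following is an added example, not code from this post, from Microsoft or from any researcher cited here: it runs over constructed file-access events and flags any process other than Teams touching the paths listed above; the Teams process names it treats as legitimate are an assumption.

```python
"""Flag processes other than Teams reading the Teams token stores listed above.
Added example, not from the original post. Log lines are constructed JSON events
standing in for real file-access telemetry; TEAMS_PROCESSES is an assumption."""
import json

# Token-store locations from the post, keyed by platform.
TOKEN_STORES = {
    "windows": [r"%AppData%\Microsoft\Teams\Cookies",
                r"%AppData%\Microsoft\Teams\Local Storage\leveldb"],
    "linux": ["~/.config/Microsoft/Microsoft Teams/Cookies",
              "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb"],
    "macos": ["~/Library/Application Support/Microsoft/Teams/Cookies",
              "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb"],
}
PREFIX = {"windows": "%AppData%", "linux": "~", "macos": "~"}  # per-user part to drop
# Assumed legitimate readers (basename, lower-cased); anything else is suspicious.
TEAMS_PROCESSES = {"windows": {"teams.exe"}, "linux": {"teams"}, "macos": {"teams"}}

def _norm(path, os_name):
    """Forward slashes everywhere; Windows paths compare case-insensitively."""
    p = path.replace("\\", "/")
    return p.casefold() if os_name == "windows" else p

def touches_token_store(os_name, path):
    """True if path is one of the stores above or a file inside the leveldb dir."""
    p = _norm(path, os_name)
    for store in TOKEN_STORES[os_name]:
        tail = _norm(store[len(PREFIX[os_name]):], os_name)
        if p.endswith(tail) or (tail + "/") in p:
            return True
    return False

def find_suspicious_access(log_lines):
    """Return (process, user, path) for each token-store read not done by Teams."""
    hits = []
    for ev in (json.loads(line) for line in log_lines if line.strip()):
        proc = ev["process"].replace("\\", "/").rsplit("/", 1)[-1].casefold()
        if (touches_token_store(ev["host_os"], ev["path"])
                and proc not in TEAMS_PROCESSES[ev["host_os"]]):
            hits.append((proc, ev["user"], ev["path"]))
    return hits

# Constructed sample telemetry: two Teams reads, two foreign readers, one benign file.
SAMPLE_LOG = r"""
{"host_os": "windows", "user": "alice", "process": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb\\000003.log"}
{"host_os": "windows", "user": "alice", "process": "C:\\Users\\alice\\Downloads\\invoice_viewer.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"}
{"host_os": "linux", "user": "bob", "process": "/usr/bin/python3", "path": "/home/bob/.config/Microsoft/Microsoft Teams/Local Storage/leveldb/CURRENT"}
{"host_os": "macos", "user": "carol", "process": "/Applications/Microsoft Teams.app/Contents/MacOS/Teams", "path": "/Users/carol/Library/Application Support/Microsoft/Teams/Cookies"}
{"host_os": "linux", "user": "bob", "process": "/usr/bin/cat", "path": "/home/bob/.config/Microsoft/Microsoft Teams/Preferences"}
"""
```

Running `find_suspicious_access(SAMPLE_LOG.splitlines())` on the constructed events returns only the two foreign readers (invoice_viewer.exe and python3); the Teams reads and the unrelated Preferences file are ignored.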

Microsoft, for their part, have said that the vulnerability “does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network”. Make of that what you will, but with news just in that Uber are investigating a breach that involved socially-engineering a user with MFA turned on, maximum coverage across all attack surfaces should be top of mind. Security teams worried about the Teams vulnerability can find mitigation advice here.