Chronicle of an Identity-Based Attack | Singularity™ Identity vs. Cisco Breach

While data breaches, ransomware, and supply chain attacks saturate news articles, the risk of identity-based threats is also on the rise. Threat actors are exploiting a common denominator across the current backdrop of remote workforces, IoT, and a global shift towards cloud services – the sheer number of digital identities needed per user, per technology, per organization. Each new identity is another attack vector exploitable by a threat actor and exposes a larger attack surface for many organizations.

In recent news, US networking giant Cisco confirmed that it was breached by a threat actor through a successful identity-based attack on an employee. This blog post explores the lessons learned from this incident, the need for identity threat detection and response (ITDR), and how SentinelOne’s Singularity™ Identity could have prevented the Cisco breach.

Breach Overview | What Happened at Cisco

In Cisco’s analysis detailing the May attack, a threat actor identified as an initial access broker with ties to the UNC2447 and Lapsus$ cyber gangs and to the Yanluowang ransomware group gained initial access to the networking company’s VPN after taking control of an employee’s personal Google account.

Cisco stated that the threat group obtained legitimate employee credentials that had been synced in the employee’s browser. The threat actor then combined sophisticated voice phishing with repeated MFA push notifications (a technique also known as MFA fatigue) to obtain VPN access in the context of the targeted employee. The threat actor escalated to administrative privileges, planted a variety of hacking tools such as Cobalt Strike and Mimikatz, and added backdoor accounts for future persistence.

Cisco noted that while the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory, no ransomware was deployed and there was no business or customer impact in this particular event. Cisco’s article did, however, report that after the group was removed from the environment, they tried to establish email communications with company executives and attempted to regain access in the weeks following the initial breach, though all subsequent attempts were unsuccessful.

Lessons Learned from the Cisco Breach

According to Cisco, they were unable to identify losses to any of their products, sensitive customer data, IP, or supply chain operations. However, this successful identity-based attack is worth discussing from an educational perspective.

This particular type of attack is growing in number, and businesses mobilizing their remote workforces on cloud services must be properly equipped to detect when attacks exploit, misuse, or exfiltrate digital identities. The COVID-19 pandemic especially highlighted many organizations’ lack of knowledge when it comes to their attack surface. For example:

  • Businesses began or accelerated their migration from on-premises to cloud to support more remote workers than they had ever planned for. Cloud environments are particularly susceptible to identity-based threats such as phishing, credential stuffing, and password spraying.

  • Smart devices continue to become enmeshed in professional workflows and processes. In the early stage of the pandemic, some businesses loosened their bring-your-own-device policies in an attempt to get back to normal operating levels. Businesses that lack proper IoT (Internet of Things) security inherit the risk of more points of access for threat actors, weak password hygiene, unencrypted connections, and more.

It is clear that identity-based attacks are severe and require our attention as the number of human and non-human identities continues to grow. Identity Threat Detection and Response (ITDR) seeks to address this issue among the various threat vectors that make up the greater cybersecurity landscape. The Cisco breach discussed in this post shows the possible impact that a single failure in identity security can have, even on large-scale corporations with robust security measures.

What sets ITDR apart from other detection and response solutions (EPP, MDR, EDR, and NDR) is its ability to detect credential theft and privilege misuse on Active Directory and other vulnerable entitlements that may create avenues for attack. The primary benefits of ITDR solutions are gaining visibility to credential misuse, and exposing poorly managed access entitlements and privilege escalations from the endpoint through to Active Directory and, finally, the cloud environment.

Based on analysis shared by the networking company’s threat intelligence team, Cisco Talos, we break down the specific tactics used by the threat actor and how Singularity™ Identity could have thwarted both the initial access and the subsequent persistence mechanisms.

Step: Initial access to the Cisco VPN was achieved after successfully compromising a Cisco employee’s personal Google account.

Solution:

  • Singularity™ Identity hides credential storage from unauthorized application access to stop credential theft early in the attack cycle.

  • Singularity™ Identity prevents unauthorized access by binding credentials to critical applications across the network.

  • Singularity™ Identity deploys deceptive domain accounts on endpoints. Threat actors attempting to steal valid domain accounts from endpoints will get redirected to the decoys for engagement.

Step: The threat actor bypassed multi-factor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue. They enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN.

Solution:

  • Singularity™ Identity detects bypassing attempts and privilege escalation and alerts on multiple failed attempts to perform a privileged operation by the same user.

Step: Once in the system, the threat actor began to enumerate the Active Directory (AD) environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and the user account context under which they were operating.

Solution:

  • Singularity™ Identity detects user account enumerations against Active Directory. In addition, it includes any targeted Active Directory objects a threat actor may query to understand the privileges and groups.

Step: The threat actor laterally moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers (DC). After obtaining access to the DCs, the threat actor dumped NTDS using the “ntdsutil.exe” command.

Solution:

  • Singularity™ Identity detects credential dumping tools. Once identified, it injects deceptive credentials across the enterprise at the actual endpoints. These credentials are strategically cached for threat actors to discover, leading them to decoys for engagement.

  • Singularity™ Identity scans and reports the credentials exposed on the endpoints. It can also remediate such exposure to address the risks of theft.

Step: The threat actor leveraged machine accounts for privileged authentication and lateral movement across the environment, created an administrative user called “z” on the system using the built-in Windows “net.exe” commands, and executed additional utilities such as ADfind or secretsdump. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database, on compromised Windows endpoints.

Solution:

  • Singularity™ Identity prevents the discovery of AD objects using tools like ADfind and stops the dump of credentials from different credential stores.

  • Singularity™ Ranger AD detects suspicious service creation on DCs and reports abuse of system services or daemons to execute commands or programs.

Step: On some victim endpoints, the threat actor used MiniDump from Mimikatz to dump LSASS. They also leveraged the “wevtutil.exe” utility to identify and clear event logs generated on the system.

Solution:

  • Singularity™ Ranger AD Assessor detects the modification of authentication mechanisms on a domain controller, thwarting threat actors that attempt to patch the authentication process to bypass the authentication mechanisms.

Step: The threat actor leveraged Remote Desktop Protocol (RDP) and Citrix by modifying host-based firewall configurations to enable RDP access to systems. They installed additional remote access tools, including TeamViewer, LogMeIn, Cobalt Strike, PowerSploit, Mimikatz, and Impacket. They also added custom backdoor accounts and persistence mechanisms.

Solution:

  • Singularity™ Hologram deploys decoys that host production-style applications (e.g., SSH, VNC, and RDP servers).

  • Singularity™ Identity distributes deceptive keys and credentials to these decoy servers to lure attackers away from production systems, including RDP and other remote access tools.

Step: The threat actor dropped a series of payloads that take commands from a command and control (C2) server and execute them on the end system via the Windows Command Processor.

Solution:

  • Singularity™ XDR agents detect dropping payloads using behavioral and static AI engines. Once detected, the connection is terminated, blocking the ability of an attacker to gain access to the remote system. SentinelOne autonomous agents would then remediate the entire chain of activities leading to remote execution attempts.

Step: The threat actor attempted to exfiltrate information from the environment. The data exfiltration during the attack included the contents of a Box folder on the compromised employee’s device and employee authentication data from Active Directory.

Solution:

  • Singularity™ Identity DataCloak prevents unauthorized applications from reading and exfiltrating protected data and storage locations from endpoints.
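The attack chain above can also be watched for with plain SIEM-side rules. The following Python detector is an added example, not code from the original post or from SentinelOne: it runs rules for MFA push fatigue, net.exe account enumeration and backdoor-account creation, ntdsutil NTDS dumping, and wevtutil log clearing over a handful of constructed MFA and process-creation records (the users, hosts, timestamps and command lines are made up for the example).

```python
"""Rule-based detection for the post-access behaviours in the Cisco
write-up: MFA push fatigue, AD enumeration and backdoor-account creation
with net.exe, NTDS dumping with ntdsutil, and log clearing with wevtutil.
All records below are constructed samples, not Cisco telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: simplified MFA-push and process-creation records.
SAMPLE_EVENTS = [
    {"ts": "2022-05-10T09:00:00", "type": "mfa", "user": "jdoe", "result": "denied"},
    {"ts": "2022-05-10T09:00:40", "type": "mfa", "user": "jdoe", "result": "denied"},
    {"ts": "2022-05-10T09:01:10", "type": "mfa", "user": "jdoe", "result": "timeout"},
    {"ts": "2022-05-10T09:01:50", "type": "mfa", "user": "jdoe", "result": "approved"},
    {"ts": "2022-05-10T09:20:00", "type": "mfa", "user": "asmith", "result": "approved"},
    {"ts": "2022-05-10T09:30:00", "type": "process", "host": "WS01", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2022-05-10T09:31:00", "type": "process", "host": "WS01", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user z Sample-Pw1 /add"},
    {"ts": "2022-05-10T09:31:05", "type": "process", "host": "WS01", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators z /add"},
    {"ts": "2022-05-10T10:00:00", "type": "process", "host": "DC01", "user": "jdoe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" ifm "create full C:\Temp\dump" q q'},
    {"ts": "2022-05-10T10:05:00", "type": "process", "host": "DC01", "user": "jdoe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    # Benign: a backup operator querying, not clearing, the log.
    {"ts": "2022-05-10T11:00:00", "type": "process", "host": "WS02", "user": "svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe Security /c:5"},
]

# (rule name, MITRE ATT&CK technique ID, image regex, command-line regex)
PROCESS_RULES = [
    ("Domain group enumeration via net.exe", "T1087.002",
     r"\\net1?\.exe$", r"^net1?\s+group\s+.*\s/domain\b"),
    ("Local account created via net.exe", "T1136.001",
     r"\\net1?\.exe$", r"^net1?\s+user\s+\S+(\s+\S+)?\s+/add\b"),
    ("Account added to local Administrators via net.exe", "T1098",
     r"\\net1?\.exe$", r"^net1?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("NTDS.dit copied via ntdsutil IFM", "T1003.003",
     r"\\ntdsutil\.exe$", r"\bifm\b|create\s+full"),
    ("Windows event log cleared via wevtutil", "T1070.001",
     r"\\wevtutil\.exe$", r"^wevtutil\s+(cl|clear-log)\b"),
]

MFA_WINDOW = timedelta(minutes=5)  # sliding window for the push-fatigue rule
MFA_THRESHOLD = 3                  # rejected/unanswered pushes before an approval


def detect_mfa_fatigue(events):
    """Flag an approval that follows a burst of denied or unanswered pushes
    for the same user inside MFA_WINDOW (the "MFA fatigue" pattern)."""
    history = defaultdict(list)  # user -> [(timestamp, result), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "mfa":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        recent = [(t, r) for t, r in history[ev["user"]] if ts - t <= MFA_WINDOW]
        if ev["result"] == "approved":
            rejected = sum(1 for _, r in recent if r != "approved")
            if rejected >= MFA_THRESHOLD:
                alerts.append({"ts": ev["ts"], "technique": "T1621", "user": ev["user"],
                               "host": None, "rule": f"MFA push fatigue: approval after "
                               f"{rejected} denied/unanswered pushes"})
        history[ev["user"]] = recent + [(ts, ev["result"])]
    return alerts


def detect_processes(events):
    """Match process-creation records against PROCESS_RULES (case-insensitive)."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for name, technique, image_re, cmd_re in PROCESS_RULES:
            if re.search(image_re, ev["image"], re.I) and re.search(cmd_re, ev["cmdline"], re.I):
                alerts.append({"ts": ev["ts"], "technique": technique, "user": ev["user"],
                               "host": ev["host"], "rule": name})
    return alerts


def detect(events):
    """Run both detectors and return alerts in time order."""
    return sorted(detect_mfa_fatigue(events) + detect_processes(events), key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]}  {a["technique"]:<9} {a["user"]:<10} {a["host"] or "-":<5} {a["rule"]}')
```

The benign wevtutil query from the backup account produces no alert, which is the kind of false-positive control these rules need before they go into a production SIEM.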

Learn More About Singularity™ Identity

The attack on Cisco discussed in this post shows that identity-based attacks are a leading threat vector used in data breaches. From the perspective of a threat actor, targeting identity and access management gaps through compromised credentials is the quickest path to reaching a target’s resources and critical data. Attackers are very aware that Active Directory is the crown jewel of a business, granting them the ability to exfiltrate sensitive information, install backdoors, alter security policies, and more.

With the rapid shift to remote working environments and the adoption of hybrid and cloud environments, identity has become the new perimeter, highlighting the importance of visibility. Businesses must be able to detect and respond effectively and protect all of their various digital identities through a comprehensive identity security solution. SentinelOne identifies Identity Threat Detection and Response (ITDR) as the missing link between holistic XDR and zero trust strategies in the mission to protect organizations from threats at every stage of the attack journey.

Leveraging our deep industry knowledge and experience in fighting back against privilege escalation and lateral movement, SentinelOne delivers comprehensive identity security as part of Singularity™ XDR for autonomous protection, including:

  • Singularity™ Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity™ Identity defends Active Directory & Azure AD domain controllers and domain-joined assets from adversaries aiming to gain privilege and move covertly.

  • Singularity™ Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.

  • Singularity™ Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity™ Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.

SentinelOne extends Singularity™ XDR capabilities to identity-based threats across endpoint, cloud workloads, IoT devices, mobile, and data wherever it resides, setting the standard for XDR and accelerating enterprise zero trust adoption. To learn more about SentinelOne’s identity and deception solutions, please request a demo.

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

More Evil Markets | How It’s Never Been Easier To Buy Initial Access To Compromised Networks

From ransomware operators like LockBit and BlackBasta to APTs striking for or against Russian or Chinese interests, threat actors of various stripes all need one thing to get their operations off the ground: initial access to an organization’s network.

Such access can be bought on a variety of trading forums from cyber criminals who specialize in running low-risk phishing campaigns and credential theft operations, or in scanning enterprise networks for known remote code execution (RCE) software vulnerabilities.

Because of the ease with which initial access can now be obtained thanks to poor patch management and lax controls over identity and user credentials, there exists a market where supply is outstripping demand, and vendors involved in selling initial access are lowering their prices in a race to the bottom, making it easier than ever before for threat actors to compromise organizations of all sizes and kinds.

In this post, we reveal what these marketplaces look like from the inside, exposing the ways these traders advertise and sell unauthorized access to organizations.

What Are Initial Access Brokers?

‘Initial Access Brokers’ or IABs typically do not exploit enterprise networks directly but rather sell the access they have harvested to those that do. As a result, various darknet marketplaces, community forums, Telegram channels and surface net communities are teeming with such brokers, competing in a ferocious bazaar to attract and retain new and existing customers.

We have previously explored how such actors focus on the market for buying and selling access to MSP environments. As attacks like Kaseya, SolarWinds, and Wipro have proven, MSPs are a much sought-after target for both financially motivated cyber criminals and APTs intent on espionage. Since then, we have seen the range of compromised networks expand to cover almost any kind of business or organization, regardless of size.

Companies At Risk From Compromise By Initial Access Brokers

The range of compromised networks we have seen, and give examples of below, is a worrying indictment of the state of cyber security today. Across these markets, we’ve seen access being sold to government and police computer systems, high courts, banks and critical infrastructure at one end of the scale, and to online cinemas, casinos, delivery companies, logistics firms, ISPs, and local retailers at the other.

In some cases, IABs have surveyed the environments of the victims they are selling access to and even provide the buyer with information on the AV or EDR security solution being used.

Initial access vendor advertisement.

The example above shows a vendor advertising access to a service provider with a customer base of 1.3 million subscribers in the Republic of Mauritius. In an effort to encourage early exploitation, some sales of this nature take on a time-based component in that the seller will raise the price over prescribed intervals, in this case in increments of $500.

In a different example, a threat actor offers access to a UK IT infrastructure solutions and services provider with 15,000 employees at a starting price of $4000.

IAB threat actors possess few scruples when it comes to the nature of their targets, even selling unauthorized access to organizations such as hospitals and children’s hospices.

In other cases, vendors are quite happy to sell access to critical infrastructure, such as in this advertisement offering administrative panel-level access to “dam and aqueduct panels”.

Initial Access via Known Vulnerabilities at Rock Bottom Prices

A common form of advertisement in these markets involves a list of many different organizations offered by the vendor that have been collated by scanning for targets that have not patched against various known remote code execution vulnerabilities.

Some of the vulnerabilities most routinely exploited to gain access to organizations and enterprises are:

  • CVE-2022-26134 – Confluence
  • CVE-2021-26855 (aka ProxyLogon)
  • CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 – Microsoft Exchange
  • CVE-2021-20038 – SonicWall SMA RCE

In other cases, vendors list a range of organizations with individual prices. The means of initial access is not clear, but given the vast range of different organizations, mass phishing campaigns and credential theft are also likely vectors.

On the one hand, the vendor above is selling access to relatively low-interest compromises at rock-bottom prices, like

  • Algeria hosting company; [AV:] Sophos; access type: admin level. Price: $100

On the other, there is potentially devastating data being offered in access for sale to organizations such as

  • Royal Thai Police; online access to the database of detainees, fines, seizures and reports. Price $1000
  • Thailand Police Personnel Department; web access to staff data total 642721. Price $1000

For a mere $250, the same actor offers interested APTs or enterprising cyber criminals access to the Bangladesh Ministry of Emergency Situations management system, which lists “employees, departments, all personal data of employees [and] of their families”.

Others offer discounts for bulk buys, selling access to RDP, cPanels, SSH, and Webmail among other things for as little as $10 per item.

High Value Targets Come at Premium Prices

While there is a bustling market for low-priced access, it remains true in the IAB marketplace, as in any other, that you get what you pay for. The key difference between ‘bottom of the barrel’ bulk sales and the more expensive access is precision.

Bulk sellers offer large quantities of accounts with far less control over what environments the accounts belong to or how effectively they can be monetized. Some buyers want to know exactly what they are getting and are willing to pay a premium for it.

In the next example, the seller is offering access to a high-value target where much of the preliminary work needed for successful exploitation has been done. Accordingly, the vendor is asking for a premium price.

For the right criminal buyer, this provides most of the key information needed. On offer is “Full” network access to a large “central” bank. The vendor claims to have Domain Admin (DA) access with reach to over 10,000 hosts. The seller even makes note of the EDR in use (Symantec, in this case). The price tag, at the time of writing, was a hefty $500,000.

Evil Markets | There’s Something For Everyone

IAB markets are not new, and some vendors and marketplaces have been around long enough to have a surprisingly polished presence.

This vendor aims to make life as easy as possible for potential buyers. Along with each entry, the seller provides access type, user level/context, revenue numbers, and links to Zoominfo. If known, the installed AV/EDR is listed along with helpful hints or potential ways to bypass it, such as “AV Cylance, but rights allow you to turn it off”.

As in any area of commerce, more sophisticated vendors understand the importance of presentation and some marketplaces like Odin offer slick interfaces to facilitate trade.

From simple forum listings to polished web applications offering filtering and sorting options, there’s an evil market trader out there to suit every type of buyer looking for access to compromised organizations.

Does Access For Sale Translate Into Real-World Breaches?

It is not difficult to correlate the items we see for sale in IAB marketplaces and the compromises listed on ransomware operators’ leak sites.

For example, the following victim, a Brazilian company in São Paulo, was listed on an IAB marketplace in March 2022.

Searching the LockBit 3.0 ransomware group’s index in August shows the company’s data has been exfiltrated for ransom, sale or public leaking.

The stolen data amounts to around 68 gigabytes in two zip archives, along with file tree indexes for each.

Conclusion

The trade in access to compromised networks has been around for some time and is not going away anytime soon, and the nature and existence of these markets hold several important takeaways for organizations and security teams.

First, neither location nor size offers protection from cyber criminals. The geographical range of compromised organizations spans pretty much the entire world, and every type and size of business and organization is represented.

Second, protection against initial compromise isn’t optional or ‘nice-to-have’. Organizations that find themselves being traded on these markets are at high risk of finding themselves appearing on ransomware leak sites or suffering breaches with potentially serious financial and reputational harm.

Third, the bar to entry has never been lower. Criminals are happy to sell this access at prices that are little more than pocket change to most threat actors. These low prices mean new players can experiment at low cost, fuelling the cybercrime economy and expanding the number of attackers out there. For security teams, understanding where the barrier of entry is for such threat actors in the organization’s network can go a long way towards structuring effective defenses.

For organizations, it is imperative to ensure that access to networks is protected by a trusted identity solution that can prevent credential misuse, identify vulnerabilities, and trap both remote and insider threat actors through deception technologies. To learn more about how to protect your organization, please visit Singularity™ Identity.


When Efforts to Contain a Data Breach Backfire

Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexico’s second-largest bank was fake news and harming the bank’s reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.

On August 3, 2022, someone using the alias “Holistic-K1ller” posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexico’s second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC), email addresses and balances on more than 10 million citizens.

There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold customer information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs — with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto.

But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently hired by Banorte to help respond to the data breach.

“The Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorte’s leaked databases,” reads a letter the Breached administrator said they received from Group-IB. “We ask you to remove this post containing Banorte data. Thank you for your cooperation and prompt attention to this urgent matter.”

The administrator of Breached is “Pompompurin,” the same individual who alerted this author in November 2021 to a glaring security hole in a U.S. Justice Department website that was used to spoof security alerts from the FBI. In a post to Breached on Aug. 8, Pompompurin said they bought the Banorte database from Holistic-K1ller’s sales thread because Group-IB was sending emails complaining about it.

“They also attempted to submit DMCA’s against the website,” Pompompurin wrote, referring to legal takedown requests under the Digital Millennium Copyright Act. “Make sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.”

Banorte did not respond to requests for comment. Nor did Group-IB. But in a brief written statement picked up on Twitter, Banorte said there was no breach involving their infrastructure, and the data being sold is old.

“There has been no violation of our platforms and technological infrastructure,” Banorte said. “The set of information referred to is inaccurate and outdated, and does not put our users and customers at risk.”

That statement may be 100 percent true. Still, it is difficult to think of a better example of how not to do breach response. Banorte shrugging off this incident as a nothingburger is baffling: While it is almost certainly true that the bank balance information in the Banorte leak is now out of date, the rest of the information (tax IDs, phone numbers, email addresses) is harder to change.

“Is there one person from our community that think sending cease and desist letter to a hackers forum operator is a good idea?,” asked Ohad Zaidenberg, founder of CTI League, a volunteer emergency response community that emerged in 2020 to help fight COVID-19 related scams. “Who does it? Instead of helping, they pushed the organization from the hill.”

Kurt Seifried, director of IT for the CloudSecurityAlliance, was similarly perplexed by the response to the Banorte breach.

“If the data wasn’t real….did the bank think a cease and desist would result in the listing being removed?” Seifried wondered on Twitter. “I mean, isn’t selling breach data a worse crime usually than slander or libel? What was their thought process?”

A more typical response when a large bank suspects a breach is to approach the seller privately through an intermediary to ascertain if the information is valid and what it might cost to take it off the market. While it may seem odd to expect cybercriminals to make good on their claims to sell stolen data to only one party, removing sold stolen items from inventory is a fairly basic function of virtually all cybercriminal markets today (apart from perhaps sites that traffic in stolen identity data).

At a minimum, negotiating or simply engaging with a data seller can buy the victim organization additional time and clues with which to investigate the claim and ideally notify affected parties of a breach before the stolen data winds up online.

It is true that a large number of hacked databases put up for sale on the cybercrime underground are sold only after a small subset of in-the-know thieves have harvested all of the low-hanging fruit in the data — e.g., access to cryptocurrency accounts or user credentials that are recycled across multiple websites. And it’s certainly not unheard of for cybercriminals to go back on their word and re-sell or leak information that they have sold previously.

But companies in the throes of responding to a data security incident do themselves and customers no favors when they underestimate their adversaries, or try to intimidate cybercrooks with legal threats. Such responses generally accomplish nothing, except unnecessarily upping the stakes for everyone involved while displaying a dangerous naiveté about how the cybercrime underground works.

Detecting a Rogue Domain Controller – DCShadow Attack

In our earlier blog post, Protecting Against Active Directory DCSync Attacks, we saw how attackers can abuse replication permissions to take complete control of Active Directory (AD) infrastructure using DCSync attacks. Another devastating technique that attackers use against AD is the DCShadow attack. It is a method of manipulating AD data, including objects and schemas, by registering (or reusing an inactive registration of) a rogue Domain Controller and simulating the behavior of a legitimate Domain Controller (DC).

A DCShadow attack allows an attacker with domain or enterprise admin privileges to create a rogue DC in the network. Once registered, the rogue DC is used to inject domain objects (such as accounts, access control lists, schemas, credentials, or access keys) and replicate those changes into the AD infrastructure.

How Does a DCShadow Attack Work?

The DCShadow attack shares similarities with the DCSync attack, and both are implemented in the lsadump module of the open-source tool Mimikatz. As a post-exploitation technique, it requires domain admin or enterprise admin privileges on an endpoint. The following attack flow was demonstrated with detailed steps at the BlueHat IL 2018 conference by Vincent Le Toux and Benjamin Delpy.

  1. Registering the DC by creating two objects in the CN=Configuration partition and altering the SPN of the computer used.
  2. Pushing the data, triggered using DrsReplicaAdd, Kerberos Credentials Collector (KCC), or other internal AD events.
  3. Removing the object previously created to demote the DC.

Attackers can perform a DCShadow attack by installing Mimikatz on a compromised Windows endpoint and starting the mimidrv service. To play the role of a fake Domain Controller, an attacker runs the following commands to start the service and obtain a token with the appropriate privileges.

!+
!processtoken
token::whoami

Let us take one scenario and see how an attacker attempts to establish persistence by modifying the primaryGroupID attribute. An attacker can run the lsadump::dcshadow command to set the value of primaryGroupID to 512.

The following command makes a standard domain user a member of the Domain Admins group.

lsadump::dcshadow /object:POC User5 /attribute:primaryGroupID /value:512

First, let us verify the primaryGroupID value before pushing the AD data. As shown in the image below, the net group command confirms that the user POC User5 is not part of the Domain Admins group.

We will replicate the changes from the rogue domain controller to the legitimate one by executing the following command.

lsadump::dcshadow /push

Let us check the net group output again. As you can see, the same user POC User5 is now part of the Domain Admins group.

net group "Domain Admins" /domain

It is just as simple as shown above. Once an account is a member of Domain Admins or another privileged group, it holds elevated privileges in the domain and can be used to compromise the entire domain.

TrickBot is an example of a modular malware that used Mimikatz’s lsadump module to collect valuable information and carry out attacks, such as DCSync, DCShadow, and the Kerberos Golden Ticket compromise.

Detecting a DCShadow Attack

The DCShadow technique can evade detection and bypass SIEM logging mechanisms, since changes pushed from a rogue DC are not captured as ordinary directory modifications. The technique also changes or deletes replication and other associated metadata to obstruct forensic analysis. The SentinelOne Singularity™ Identity solution detects DCShadow attacks targeting AD and identifies suspicious user behavior. It also triggers high-fidelity alerts and reports on rogue Domain Controllers, which pose a serious risk to the organization’s domain information.

Mitigation Strategies

As a mitigation strategy, security administrators can determine which DCs are genuine and which are rogue, and delete any computer object that is not a genuine Domain Controller. It is also important to verify the computer objects present in the Domain Controllers OU against the nTDSDSA objects in the configuration partition of AD.

The following investigation steps can also help security administrators to mitigate DCShadow attacks.

  • Capture network traffic and analyze the packets associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to and from non-DC hosts.
  • Investigate Directory Service Replication (DRS) events 4928 and 4929 using Event Viewer on the DC. Check the Destination DRA and Source DRA distinguished names (DNs) and validate them against the legitimate DNs in Active Directory Users and Computers to find any unauthorized DRA replication between domain controllers.
  • Monitor for Mimikatz command usage, for example lsadump::dcshadow.
  • Monitor for the use of SPN scanning tools. For example, the simple command setspn -Q HTTP/* allows an attacker to find HTTP SPNs.
  • Investigate the Kerberos Service Principal Names (SPNs) in use. Two kinds of SPN clearly indicate a DCShadow attack: an SPN beginning with “GC/” that is registered to a computer not present in the Domain Controllers organizational unit (OU), and an SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) on such a computer.
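The checks on nTDSDSA objects, DC-only SPNs and 4928/4929 Source DRA values described above, run offline over a constructed AD snapshot. This is an added example and not SentinelOne’s code; the domain corp.local, the host names DC01, DC02, WKS42 and FILE01, and the event records are all constructed, while servicePrincipalName, serverReference, nTDSDSA and the DRS GUID are the real attribute, class and interface names.

```python
"""Offline DCShadow indicator checks over an exported AD snapshot.

Added example. Everything below is constructed: computer objects with their
DNs and servicePrincipalName values, the nTDSDSA objects from the
configuration partition (with the parent server object's serverReference),
and three DRS replication events (IDs 4928/4929). Nothing here talks to a
real directory.
"""
import re

# Interface GUID of the DRS Remote Protocol, as quoted in the text above.
DRS_RPC_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
DC_OU_SUFFIX = ",OU=Domain Controllers,DC=corp,DC=local"
CONFIG_NC = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"
NTDS_SERVER_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),", re.IGNORECASE)
LEADING_CN_RE = re.compile(r"^CN=([^,]+),", re.IGNORECASE)

# --- constructed snapshot (placeholder domain corp.local) -------------------
COMPUTERS = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
     "servicePrincipalName": [
         "HOST/DC01.corp.local", "ldap/DC01.corp.local/corp.local",
         "GC/DC01.corp.local/corp.local",
         f"{DRS_RPC_GUID}/0c1a2b3c-4d5e-4f60-8a9b-0c1d2e3f4a5b/corp.local"]},
    {"dn": "CN=DC02,OU=Domain Controllers,DC=corp,DC=local",
     "servicePrincipalName": [
         "HOST/DC02.corp.local", "GC/DC02.corp.local/corp.local",
         f"{DRS_RPC_GUID}/1d2b3c4d-5e6f-4071-9bac-1d2e3f4a5b6c/corp.local"]},
    # A workstation carrying DC-only SPNs: the footprint of a rogue DC registration.
    {"dn": "CN=WKS42,OU=Workstations,DC=corp,DC=local",
     "servicePrincipalName": [
         "HOST/WKS42.corp.local", "GC/WKS42.corp.local/corp.local",
         f"{DRS_RPC_GUID}/7e6d5c4b-3a29-4180-9f8e-7d6c5b4a3928/corp.local"]},
    {"dn": "CN=FILE01,OU=Servers,DC=corp,DC=local",
     "servicePrincipalName": ["HOST/FILE01.corp.local", "cifs/FILE01.corp.local"]},
]
NTDSDSA_OBJECTS = [
    {"dn": f"CN=NTDS Settings,CN=DC01,{CONFIG_NC}",
     "serverReference": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local"},
    {"dn": f"CN=NTDS Settings,CN=DC02,{CONFIG_NC}",
     "serverReference": "CN=DC02,OU=Domain Controllers,DC=corp,DC=local"},
    {"dn": f"CN=NTDS Settings,CN=WKS42,{CONFIG_NC}",
     "serverReference": "CN=WKS42,OU=Workstations,DC=corp,DC=local"},
]
# Source/Destination DRA are nTDSDSA DNs, as they appear in the event text.
DRS_EVENTS = [
    {"EventID": 4928, "DestinationDRA": NTDSDSA_OBJECTS[0]["dn"],
     "SourceDRA": NTDSDSA_OBJECTS[1]["dn"], "NamingContext": "DC=corp,DC=local"},
    {"EventID": 4928, "DestinationDRA": NTDSDSA_OBJECTS[0]["dn"],
     "SourceDRA": NTDSDSA_OBJECTS[2]["dn"], "NamingContext": "DC=corp,DC=local"},
    {"EventID": 4929, "DestinationDRA": NTDSDSA_OBJECTS[0]["dn"],
     "SourceDRA": NTDSDSA_OBJECTS[2]["dn"], "NamingContext": "DC=corp,DC=local"},
]


def is_in_dc_ou(dn):
    """True when the object lives in the Domain Controllers OU."""
    return dn.lower().endswith(DC_OU_SUFFIX.lower())


def known_dc_names(computers):
    """Upper-cased names of computers that legitimately sit in the DC OU."""
    return {LEADING_CN_RE.match(c["dn"]).group(1).upper()
            for c in computers if is_in_dc_ou(c["dn"])}


def suspicious_spns(computers):
    """(computer, SPN) pairs where a non-DC computer holds a GC/ SPN or a
    DRS RPC interface SPN; both should only appear on genuine DCs."""
    hits = []
    for c in computers:
        if is_in_dc_ou(c["dn"]):
            continue
        name = LEADING_CN_RE.match(c["dn"]).group(1)
        for spn in c["servicePrincipalName"]:
            if spn.upper().startswith(("GC/", DRS_RPC_GUID)):
                hits.append((name, spn))
    return hits


def rogue_ntdsdsa(ntdsdsa_objects):
    """nTDSDSA DNs whose server object references a computer outside the DC OU."""
    return [o["dn"] for o in ntdsdsa_objects if not is_in_dc_ou(o["serverReference"])]


def suspicious_replication_events(events, dc_names):
    """(EventID, source server) for 4928/4929 events whose Source DRA is not
    one of the known DCs, i.e. a replication link with an unknown peer."""
    flagged = []
    for ev in events:
        if ev["EventID"] not in (4928, 4929):
            continue
        m = NTDS_SERVER_RE.match(ev["SourceDRA"])
        src = m.group(1).upper() if m else None
        if src not in dc_names:
            flagged.append((ev["EventID"], src))
    return flagged


if __name__ == "__main__":
    dcs = known_dc_names(COMPUTERS)
    for name, spn in suspicious_spns(COMPUTERS):
        print(f"[SPN] non-DC {name} carries DC-only SPN {spn}")
    for dn in rogue_ntdsdsa(NTDSDSA_OBJECTS):
        print(f"[nTDSDSA] {dn} references a computer outside the DC OU")
    for eid, src in suspicious_replication_events(DRS_EVENTS, dcs):
        print(f"[Event {eid}] replication with unknown source DRA {src}")
```

Against real data, the same three functions would take the output of an LDAP export of the domain and configuration partitions plus the 4928/4929 records pulled from the DC Security log.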

Conclusion

Attackers can use the DCShadow technique to perform more advanced attacks and establish backdoors for persistence. Organizations must implement continuous monitoring, regularly review system activity such as AD object creation and replication, and alert the security team so it can take the necessary mitigations.

For more information, please visit Singularity™ Identity.

Get a Demo of SentinelOne’s Identity Suite
Bringing Identity to XDR. Ready to experience the market’s leading identity security suite?

The Good, the Bad and the Ugly in Cybersecurity – Week 33

The Good

This week, the Department of Justice extradited a Russian national alleged to be an operator of an illegal cryptocurrency exchange.

In a press release, the Justice Department’s Criminal Division announced that they had extradited Alexander Vinnik, an alleged cryptocurrency money launderer, “after more than five years of litigation” from Greece back to the United States. Vinnik faces charges of owning, operating, and overseeing BTC-e, a criminal cryptocurrency exchange, and laundering over $4 billion with his associates.

According to an indictment from 2017, BTC-e enabled users to anonymously trade bitcoin, attracting cyber criminals around the world, who used these anonymous transactions to cash out their proceeds from various identity theft schemes, ransomware attacks, breaches, and incidents. These funds and criminals have been linked to fraud, identity theft, tax refund fraud schemes, public corruption, and drug trafficking.

Vinnik was charged and initially taken into custody in Greece in July 2017. He made his first appearance in federal court this week in San Francisco.

This extradition is another major step in the Justice Department’s ongoing efforts to disrupt cyber crime, and a win for international coordination against threat actors around the world. We thank both American and Greek law enforcement officials for continuing to stand up to cyber criminals, and hope that the following investigation and trial brings answers and closures to victims impacted by criminals that used BTC-e.

The Bad

On Monday, 7-Eleven stores all over Denmark were forced to close due to an incident that impacted their cash registers and payment systems.

In a statement posted on the official 7-Eleven Denmark Facebook page, the company disclosed the cyber attack, saying it meant that “we cannot use checkouts and/or receive payment”. 7-Eleven stated that it was working with both the police and external experts to mitigate the attack. As things stand, the company does not believe any customers, partners or suppliers have been directly affected, though the situation is still fluid as the investigation continues.

While no further official updates were available at the time of writing, a Reddit user claiming to be a 7-Eleven employee based in Strøget, Denmark appeared to corroborate the details, saying the checkout systems were not working, and that because 7-Eleven stores “run with the same system,” they were forced to close. The reddit post has since been deleted.

This incident is a sobering reminder that enterprises need to regularly evaluate and deploy security systems that can provide full visibility across their environments and proactively identify threats before they cause widespread outages.

The Ugly

VMware users are being warned about multiple vulnerabilities that could allow an attacker to cause some serious damage to an organization’s environment.

In a recent security advisory, VMware warned users about a critical authentication bypass vulnerability (CVE-2022-31656) affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. Researchers believe that the bug could allow an attacker to gain administrative access and form an attack chain by exploiting other remote code execution (RCE) flaws. The researcher behind CVE-2022-31656 followed up this week with a detailed explanation of the vulnerability.

POC by Petrus Viet

VMware has issued updates to address CVE-2022-31656 and eight additional vulnerabilities, including CVE-2022-31658, a JDBC injection vulnerability that allows a threat actor with administrator and network access to execute remote code, CVE-2022-31659, a SQL injection RCE vulnerability, CVE-2022-31665, another RCE vulnerability, three privilege escalation vulnerabilities (CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664), a URL injection vulnerability (CVE-2022-31657), and a path traversal vulnerability (CVE-2022-31662), both rated as moderate.

This string of security flaws drives home the severe damage that attack chains can pose when a cyber criminal gains administrative access to targeted environments. In light of this string of security flaws, it’s crucial that enterprises using VMware products listed here take immediate mitigation action.

Sounding the Alarm on Emergency Alert System Flaws

The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.

A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine.

The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals.

“I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer,” Pyle said in an interview with KrebsOnSecurity. “But nothing ever happened. I decided I wasn’t going to tell anyone about it yet because I wanted to give people time to fix it.”

Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021.

“I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,’” Pyle recalled. “I went back to see if this was still a problem, and it turns out it’s still a very big problem. So I decided that unless someone actually makes this public and talks about it, clearly nothing is going to be done about it.”

The EAS encoder/decoder devices Pyle acquired were made by Lyndonville, NY-based Digital Alert Systems (formerly Monroe Electronics, Inc.), which issued a security advisory this month saying it released patches in 2019 to fix the flaws reported by Pyle, but that some customers are still running outdated versions of the device’s firmware. That may be because the patches were included in version 4 of the firmware for the EAS devices, and many older models apparently do not support the new software.

“The vulnerabilities identified present a potentially serious risk, and we believe both were addressed in software updates issued beginning Oct 2019,” EAS said in a written statement. “We also provided attribution for the researcher’s responsible disclosure, allowing us to rectify the matters before making any public statements. We are aware that some users have not taken corrective actions and updated their software and should immediately take action to update the latest software version to ensure they are not at risk. Anything lower than version 4.1 should be updated immediately. On July 20, 2022, the researcher referred to other potential issues, and we trust the researcher will provide more detail. We will evaluate and work to issue any necessary mitigations as quickly as possible.”

But Pyle said a great many EAS stakeholders are still ignoring basic advice from the manufacturer, such as changing default passwords and placing the devices behind a firewall, not directly exposing them to the Internet, and restricting access only to trusted hosts and networks.

Pyle, in a selfie that is heavily redacted because the EAS device behind him had its user credentials printed on the lid.

Pyle said the biggest threat to the security of the EAS is that an attacker would only need to compromise a single EAS station to send out alerts locally that can be picked up by other EAS systems and retransmitted across the nation.

“The process for alerts is automated in most cases, hence, obtaining access to a device will allow you to pivot around,” he said. “There’s no centralized control of the EAS because these devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever. If you are a local operator, you can send out nationwide alerts. That’s how easy it is to do this.”

One of the Digital Alert Systems devices Pyle sourced from an electronics recycler earlier this year was non-functioning, but whoever discarded it neglected to wipe the hard drive embedded in the machine. Pyle soon discovered the device contained the private cryptographic keys and other credentials needed to send alerts through Comcast, the nation’s third-largest cable company.

“I can issue and create my own alert here, which has all the valid checks or whatever for being a real alert station,” Pyle said in an interview earlier this month. “I can create a message that will start propagating through the EAS.”

Comcast told KrebsOnSecurity that “a third-party device used to deliver EAS alerts was lost in transit by a trusted shipping provider between two Comcast locations and subsequently obtained by a cybersecurity researcher.

“We’ve conducted a thorough investigation of this matter and have determined that no customer data, and no sensitive Comcast data, were compromised,” Comcast spokesperson David McGuire said.

The company said it also confirmed that the information included on the device can no longer be used to send false messages to Comcast customers or used to compromise devices within Comcast’s network, including EAS devices.

“We are taking steps to further ensure secure transfer of such devices going forward,” McGuire said. “Separately, we have conducted a thorough audit of all EAS devices on our network and confirmed that they are updated with currently available patches and are therefore not vulnerable to recently reported security issues. We’re grateful for the responsible disclosure and to the security research community for continuing to engage and share information with our teams to make our products and technologies ever more secure. Mr. Pyle informed us promptly of his research and worked with us as we took steps to validate his findings and ensure the security of our systems.”

The user interface for an EAS device.

Unauthorized EAS broadcast alerts have happened enough that there is a chronicle of EAS compromises over at fandom.com. Thankfully, most of these incidents have involved fairly obvious hoaxes.

According to the EAS wiki, in February 2013, hackers broke into the EAS networks in Great Falls, Mt. and Marquette, Mich. to broadcast an alert that zombies had risen from their graves in several counties. In Feb. 2017, an EAS station in Indiana also was hacked, with the intruders playing the same “zombies and dead bodies” audio from the 2013 incidents.

“On February 20 and February 21, 2020, Wave Broadband’s EASyCAP equipment was hacked due to the equipment’s default password not being changed,” the Wiki states. “Four alerts were broadcasted, two of which consisted of a Radiological Hazard Warning and a Required Monthly Test playing parts of the Hip Hop song Hot by artist Young Thug.”

In January 2018, Hawaii sent out an alert to cell phones, televisions and radios, warning everyone in the state that a missile was headed their way. It took 38 minutes for Hawaii to let people know the alert was a misfire, and that a draft alert was inadvertently sent. The news video clip below about the 2018 event in Hawaii does a good job of walking through how the EAS works.

Day 2 of Black Hat USA | People vs. Cybersecurity – Exploring Enhanced Email Protection and Surveillance Abuse

Las Vegas, have you been enjoying this year’s Black Hat USA event so far? The SentinelOne team is pumped to enter our second day with you both in person, and virtually. Each year, Black Hat brings security researchers and defenders, hackers and cyber enthusiasts all together for a week of intensive training, cutting-edge technical briefs, and interactive demos and business halls. We like to say that there’s something for everyone at an event like this!

On Day One of Black Hat 2022, we unveiled a new partnership with asset intelligence company, Armis, launched our latest autonomous solution, XDR Ingest, and hosted two threat research sessions focused on data-focused security and the realities of cyber war. For today’s blog, we’ll cover Day Two of our time here and share all the details about special announcements and speaker sessions so you don’t miss a thing.

Event Announcements

SentinelOne Integrates with Proofpoint for Enhanced Ransomware Protection

We are pleased to announce a new integration with SentinelOne Singularity XDR and Proofpoint’s Targeted Attack Protection (TAP) security solution. With this integration, enterprises receive multi-layered detection and response from email to endpoint, cloud, and identity management, protecting both your greatest assets and risks: your people. Proofpoint TAP offers unique visibility into email-based threats and streams data to the SentinelOne Singularity XDR platform for defense-in-depth protection.

According to recent Proofpoint research, 83% of organizations experienced at least one successful email-based phishing attack in 2021 alone. With threats coming from various sources, threat actors continue to target the weakest link they can find – humans. The integration aligns Proofpoint and SentinelOne together to solve this problem by securing email inboxes and preventing threats associated with their users.

For more information, visit www.sentinelone.com. You can also learn more about Proofpoint’s people-centric solutions at www.proofpoint.com.

Event Highlights

Catch our final industry-leading threat research session at Black Hat today!

“Charged by an Elephant – An APT Fabricating Evidence to Throw You in Jail”

SentinelOne Speakers: Juan Andres Guerrero-Saade, Tom Hegel
Where: South Pacific F (Level 1)
When: Thursday, August 11, 3:20pm-4:00pm

Session Summary: It’s easy to forget the human cost of state-sponsored threats operating with impunity. While we often think of espionage, intellectual property theft, or financial gain as the objectives of these cyber operations, there’s a far more insidious motivation that flies under the radar – APTs fabricating evidence to frame and incarcerate vulnerable opponents. This talk focuses on the activities of ModifiedElephant, a threat actor operating for at least a decade with ties to the commercial surveillance industry. This cluster of activity represents a critically underreported dimension of how technology can be abused to silence critics.

Congrats to both Juan Andres and Tom for a great turn out at yesterday’s sessions!

Catch the S1 Team Before You Go!

It’s the final day at this year’s Black Hat so stop by the SentinelOne booth (#1120) before the day is out. Whether you’d like to chat more about our collaborations with Armis and Proofpoint or get a live demo of our new XDR Ingest solution, we’d love to connect with you. There’s still time to schedule a meeting with our executives and R&D squad here.

And, as always, we’ve got lots of event swag to giveaway too! Make sure you come visit us and pick up your exclusive, S1-branded Black Hat t-shirt and more.


It Might Be Our Data, But It’s Not Our Breach

Image: Shutterstock.

A cybersecurity firm says it has intercepted a large, unique stolen data set containing the names, addresses, email addresses, phone numbers, Social Security Numbers and dates of birth on nearly 23 million Americans. The firm’s analysis of the data suggests it corresponds to current and former customers of AT&T. The telecommunications giant stopped short of saying the data wasn’t theirs, but it maintains the records do not appear to have come from its systems and may be tied to a previous data incident at another company.

Milwaukee-based cybersecurity consultancy Hold Security said it intercepted a 1.6 gigabyte compressed file on a popular dark web file-sharing site. The largest item in the archive is a 3.6 gigabyte file called “dbfull,” and it contains 28.5 million records, including 22.8 million unique email addresses and 23 million unique SSNs. There are no passwords in the database.

Hold Security founder Alex Holden said a number of patterns in the data suggest it relates to AT&T customers. For starters, email addresses ending in “att.net” accounted for 13.7 percent of all addresses in the database, with addresses from SBCGlobal.net and Bellsouth.net — both AT&T companies — making up another seven percent. In contrast, Gmail users made up more than 30 percent of the data set, with Yahoo addresses accounting for 24 percent. More than 10,000 entries in the database list “none@att.com” in the email field.

Hold Security found these email domains account for 87% of all domains in the data set. Nearly 21% belonged to AT&T customers.

Holden’s team also examined the number of email records that included an alias in the username portion of the email, and found 293 email addresses with plus addressing. Of those, 232 included an alias that indicated the customer had signed up at some AT&T property; 190 of the aliased email addresses were “+att@”; 42 were “+uverse@,” an oddly specific reference to a DirecTV/AT&T entity that included broadband Internet. In September 2016, AT&T rebranded U-verse as AT&T Internet.

According to its website, AT&T Internet is offered in 21 states, including Alabama, Arkansas, California, Florida, Georgia, Indiana, Kansas, Kentucky, Louisiana, Michigan, Missouri, Nevada, North Carolina, Ohio, Oklahoma, Tennessee, Texas and Wisconsin. Nearly all of the records in the database that contain a state designation corresponded to those 21 states; all other states made up just 1.64 percent of the records, Hold Security found.

Image: Hold Security.

The vast majority of records in this database belong to consumers, but almost 13,000 of the entries are for corporate entities. Holden said 387 of those corporate names started with “ATT,” with various entries like “ATT PVT XLOW” appearing 81 times. And most of the addresses for these entities are AT&T corporate offices.

How old is this data? One clue may be in the dates of birth exposed in this database. There are very few records in this file with dates of birth after 2000.

“Based on these statistics, we see that the last significant number of subscribers born in March of 2000,” Holden told KrebsOnSecurity, noting that AT&T requires new account holders to be 18 years of age or older. “Therefore, it makes sense that the dataset was likely created close to March of 2018.”

There was also this anomaly: Holden said one of his analysts is an AT&T customer with a 13-letter last name, and that her AT&T bill has always had the same unique misspelling of her surname (they added yet another letter). He said the analyst’s name is identically misspelled in this database.

KrebsOnSecurity shared the large data set with AT&T, as well as Hold Security’s analysis of it. AT&T ultimately declined to say whether all of the people in the database are or were at some point AT&T customers. The company said the data appears to be several years old, and that “it’s not immediately possible to determine the percentage that may be customers.”

“This information does not appear to have come from our systems,” AT&T said in a written statement. “It may be tied to a previous data incident at another company. It is unfortunate that data can continue to surface over several years on the dark web. However, customers often receive notices after such incidents, and advice for ID theft is consistent and can be found online.”

The company declined to elaborate on what they meant by “a previous data incident at another company.”

But it seems likely that this database is related to one that went up for sale on a hacker forum on August 19, 2021. That auction ran with the title “AT&T Database +70M (SSN/DOB),” and was offered by ShinyHunters, a well-known threat actor with a long history of compromising websites and developer repositories to steal credentials or API keys.

Image: BleepingComputer

ShinyHunters established the starting price for the auction at $200,000, but set the “flash” or “buy it now” price at $1 million. The auction also included a small sampling of the stolen information, but that sample is no longer available. The hacker forum where the ShinyHunters sales thread existed was seized by the FBI in April, and its alleged administrator arrested.

But cached copies of the auction, as recorded by cyber intelligence firm Intel 471, show ShinyHunters received bids of up to $230,000 for the entire database before they suspended the sale.

“This thread has been deleted several times,” ShinyHunters wrote in their auction discussion on Sept. 6, 2021. “Therefore, the auction is suspended. AT&T will be available on WHM as soon as they accept new vendors.”

The WHM initialism was a reference to the White House Market, a dark web marketplace that shut down in October 2021.

“In many cases, when a database is not sold, ShinyHunters will release it for free on hacker forums,” wrote BleepingComputer’s Lawrence Abrams, who broke the news of the auction last year and confronted AT&T about the hackers’ claims.

AT&T gave Abrams a similar statement, saying the data didn’t come from their systems.

“When asked whether the data may have come from a third-party partner, AT&T chose not to speculate,” Abrams wrote. “‘Given this information did not come from us, we can’t speculate on where it came from or whether it is valid,’” AT&T told BleepingComputer.

Asked to respond to AT&T’s denial, ShinyHunters told BleepingComputer at the time, “I don’t care if they don’t admit. I’m just selling.”

On June 1, 2022, a 21-year-old Frenchman was arrested in Morocco for allegedly being a member of ShinyHunters. Databreaches.net reports the defendant was arrested on an Interpol “Red Notice” at the request of a U.S. federal prosecutor from Washington state.

Databreaches.net suggests the warrant could be tied to a ShinyHunters theft in May 2020, when the group announced they had exfiltrated 500 GB of Microsoft’s source code from Microsoft’s private GitHub repositories.

“Researchers assess that Shiny Hunters gained access to roughly 1,200 private repositories around March 28, 2020, which have since been secured,” reads a May 2020 alert posted by the New Jersey Cybersecurity & Communications Integration Cell, a component within the New Jersey Office of Homeland Security and Preparedness.

“Though the breach was largely dismissed as insignificant, some images of the directory listing appear to contain source code for Azure, Office, and some Windows runtimes, and concerns have been raised regarding access to private API keys or passwords that may have been mistakenly included in some private repositories,” the alert continues. “Additionally, Shiny Hunters is flooding dark web marketplaces with breached databases.”

Last month, T-Mobile agreed to pay $350 million to settle a consolidated class action lawsuit over a breach in 2021 that affected 40 million current and former customers. The breach came to light on Aug. 16, 2021, when someone started selling tens of millions of SSN/DOB records from T-Mobile on the same hacker forum where ShinyHunters would post their auction for the claimed AT&T database just three days later.

T-Mobile has not disclosed many details about the “how” of last year’s breach, but it said the intruder(s) “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

A sales thread tied to the stolen T-Mobile customer data.

Day 1 of Black Hat USA 2022 | Asset Intel, Data-Focused Security & the Realities of Cyber War

Hello, Las Vegas! We’re so excited to be in town again for the 25th annual Black Hat USA event! The main conference, spanning August 10 and 11, is a hybrid event this year, offering both virtual and in-person activities for its attendees. Black Hat invites hackers, researchers, security gurus, and anyone interested in cybersecurity to two full days of leading-edge briefings, exclusive demos from developers, and business halls encouraging you to bump shoulders with fellow defenders and experts from the InfoSec community.

Like years before, Black Hat 2022 is sure to be packed with the latest in cyber training, trends, research, development, and thought leadership. Here’s our guide to make sure that you’re up to date with the event agenda so you don’t miss out on anything essential.

Event Announcements

SentinelOne Partners with Armis for Unparalleled Asset Intelligence

The SentinelOne team is pleased to announce our new partnership with Armis, a leading platform specializing in providing unified asset intelligence. In this collaboration, our organizations aim to protect businesses from modern threats and ensure unmatched visibility and risk reduction across endpoints, cloud, mobile, IoT, OT devices, and more.

When it comes to security operations, context, visibility, and coverage are absolutely vital in reducing your attack surface, even as networks become more complex. We’re proud to say that this partnership will help mitigate the unique challenges of asset visibility and control, particularly in the healthcare, manufacturing, and critical infrastructure verticals.

For more information on our partnership with Armis, check out www.s1.ai/marketplace and www.armis.com/sentinelone/.

SentinelOne Unveils XDR Ingest to Transform Data-Defined Cybersecurity

Today, SentinelOne proudly unveils XDR Ingest, a disruptive step in the journey to democratizing XDR. XDR Ingest provides our customers with a limitless data platform to ingest, retain, correlate, search, and action all enterprise security data from any source, in both real-time and historical search.

Together with Singularity XDR, XDR Ingest offsets the cost of log storage and eliminates unnecessary data duplication. As organizations continue to bolster their XDR strategies, XDR Ingest helps organizations overcome the costs and limitations of traditional SIEM and log management products.

Learn more about our launch of XDR Ingest at Black Hat by visiting the SentinelOne booth (#1120) or by requesting a demo at https://www.sentinelone.com/.

Event Highlights

Gift cards are king. We’re giving away $25 gift cards all week for this event! Claim yours in three easy steps:

  1. Take a selfie with any SentinelOne branding you see outside of the Expo Hall.
  2. Post it on your socials with the hashtags #S1BlackHat22 and #BHUSA.
  3. Visit booth #1120 and get your badge stamped.

The first 200 attendees who show us their posts will walk away with one gift card just for them. We’ll be waiting!

Come visit or tune into our industry-leading threat research sessions.

“Scaling SOC and IR Teams to Defend Kubernetes Based Workloads”

SentinelOne Speakers: Lance Knittig, Chris Boehm
Where: Mandalay Bay 1
When: Wednesday, August 10, 11:30am-12:20pm


“Real ‘Cyber War’: Espionage, DDoS, Leaks, & Wipers in the Russian Invasion of Ukraine”

SentinelOne Speakers: Juan Andres Guerrero-Saade, Tom Hegel
Where: Islander EI (Level 1)
When: Wednesday, August 10, 3:20pm-4:00pm


“Charged by an Elephant – An APT Fabricating Evidence to Throw You in Jail”

SentinelOne Speakers: Juan Andres Guerrero-Saade, Tom Hegel
Where: South Pacific F (Level 1)
When: Thursday, August 11, 3:20pm-4:00pm


Work hard, play hard. Team SentinelOne is bringing the party to you!

Hazel Lounge Takeover with Armis & Torq

Where: Hazel Lounge (Mandalay Bay by the main elevators)
When: Wednesday, August 10, 4:00pm-9:00pm


Level Up Premiere After Party with ZeroFox and more!

Where: Skyfall Lounge, Delano Hotel
When: Wednesday, August 10, 8:00pm to midnight


Let’s Meet at Black Hat

There’s something for everyone at Black Hat USA. Whether you’re going to learn about cutting-edge research and trends, looking for thought leadership and expert advice on circulating cyber issues, or trying to build up your InfoSec social network, we’re excited to meet you there.

Swing by booth #1120 and chat with the SentinelOne team about all things security and how to get ahead of the latest threats in the cyber landscape. With autonomous endpoint protection, start preventing the threats you’re learning about this week. Schedule a meeting with our executives and R&D squad to meet us at Black Hat!
