The Good, the Bad and the Ugly in Cybersecurity – Week 7

The Good

Good news this week comes by way of Spanish law enforcement, which publicly announced the dismantling of a criminal SIM-swapping organization. Investigations into the operation began in March 2021, following official complaints from locations across Spain.

The arrest of eight individuals follows a year-long investigation by the National Police into fraudulent bank transfers. The group’s MO was somewhat different from traditional SIM swapping. In this case, the group sought to extract private information from targets through emails and text messages spoofing banks. The collected data was then used to create fake identity documentation for the next stage in the scam.

Rather than just convincing a carrier to register a different SIM to the target’s number, the gang used their fake documentation to convince employees of phone stores to provide duplicate SIMs, which then gave them access to banking security messages and allowed them to conduct financial transactions. Adding insult to injury, the victims’ devices would be disabled once the gang’s devices were activated with the duplicate SIMs.

The eight detainees – seven from Barcelona and one from Seville – laundered their ill-gotten gains through bank transfers and online payment platforms. Police say that besides the arrests they have also blocked twelve bank accounts associated with the gang’s activities.

The Bad

This week SentinelLabs published research on an Iranian-aligned threat actor called TunnelVision. The research focuses on the threat actor’s exploitation of the Log4j vulnerabilities in VMware Horizon. The TunnelVision actor has been observed targeting organizations throughout the Middle East and the United States.

TunnelVision has been actively exploiting the Log4j vulnerability in VMware Horizon to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement.

The research takes a look at how this threat actor evolves its attack techniques, making use of 1-day vulnerabilities – bugs in software that have recently been patched by vendors but not yet widely updated by organizations. Once the actors gain initial access, they download tunneling software like ngrok, Plink and FRPC (Fast Reverse Proxy Client). The threat actor also aims to avoid detection in its C2 activity by making use of legitimate public services like pastebin, transfer.sh and webhook.site, among others.
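As an added example (not SentinelLabs code), the following detection pass correlates the stages described above over constructed endpoint telemetry: Horizon's Tomcat service spawning PowerShell, execution of the named tunneling tools, connections to the named public services, and local user creation. The Horizon service image name `ws_TomcatService.exe`, the host names and every event line are assumptions constructed for the example.

```python
"""Detection pass for the TunnelVision-style chain over constructed telemetry.
Added example, not SentinelLabs tooling; sample events are invented."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Tunneling tools and legitimate public services named in the write-up.
TUNNELING_TOOLS = {"ngrok", "plink", "frpc"}
PUBLIC_SERVICES = {"pastebin.com", "transfer.sh", "webhook.site"}
# Assumption: VMware Horizon Connection Server runs Tomcat as ws_TomcatService.exe,
# so PowerShell with that parent is the expected Log4j exploitation footprint.
HORIZON_TOMCAT = "ws_tomcatservice"


@dataclass
class Event:
    host: str
    parent: str            # parent process image (path or name)
    process: str           # process image (path or name)
    command_line: str = ""
    dest_host: str = ""    # destination hostname for network events


def _basename(image: str) -> str:
    """Lower-cased file name without directory or .exe suffix."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def evaluate(ev: Event) -> Set[str]:
    """Return the names of every single-event rule this event trips."""
    hits: Set[str] = set()
    if _basename(ev.parent) == HORIZON_TOMCAT and _basename(ev.process) == "powershell":
        hits.add("horizon_spawns_powershell")
    if _basename(ev.process) in TUNNELING_TOOLS:
        hits.add("tunneling_tool_execution")
    if ev.dest_host.lower() in PUBLIC_SERVICES:
        hits.add("public_service_c2")
    cl = ev.command_line.lower()
    if "net user" in cl and "/add" in cl:
        hits.add("local_user_added")
    return hits


def correlate(events: List[Event]) -> Dict[str, Set[str]]:
    """Union of rule hits per host, so stages seen in separate events line up."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev.host] |= evaluate(ev)
    return dict(per_host)


def suspected_intrusions(events: List[Event]) -> List[str]:
    """Hosts with the exploitation footprint plus at least one follow-on stage.
    A lone hit (an admin legitimately running plink, a developer fetching a
    pastebin) is recorded by correlate() but does not raise an alert here."""
    follow_on = {"tunneling_tool_execution", "public_service_c2", "local_user_added"}
    flagged = []
    for host, hits in sorted(correlate(events).items()):
        if "horizon_spawns_powershell" in hits and hits & follow_on:
            flagged.append(host)
    return flagged


# Constructed sample telemetry (assumed paths and hosts).
TOMCAT = r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe"
SAMPLE_EVENTS = [
    Event("horizon-cs01", TOMCAT, "powershell.exe", "powershell.exe -nop -w hidden -c <constructed>"),
    Event("horizon-cs01", "powershell.exe", r"C:\Windows\Temp\ngrok.exe", "ngrok <constructed>"),
    Event("horizon-cs01", "powershell.exe", "net.exe", "net user <constructed> /add"),
    Event("horizon-cs01", "powershell.exe", "powershell.exe", dest_host="transfer.sh"),
    Event("ws-admin07", "explorer.exe", r"C:\Tools\plink.exe", "plink -ssh <constructed>"),
    Event("web02", "chrome.exe", "chrome.exe", dest_host="pastebin.com"),
]

if __name__ == "__main__":
    for host, hits in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {sorted(hits)}")
    print("alert:", suspected_intrusions(SAMPLE_EVENTS))
```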

While the group’s activity is not new – other vendors have tracked activity similar to TunnelVision under different, sometimes overlapping, threat actor names – SentinelLabs says that the cluster of activity they have observed is distinct enough to warrant unique attribution.

The Ugly

As tensions continue to rise over the Ukrainian crisis, threat activity in the cyber domain has escalated in the last week. Multiple events have occurred, including disruptions of Ukrainian technology services, efforts apparently aimed at psychological impact and, of course, disinformation.

Multiple Ukrainian bank services and the Ukrainian Ministry of Defense website were temporarily inaccessible due to a DDoS attack this week. Additionally, fake SMS messages have been circulating in Ukraine claiming widespread disruption of ATM services across the country. The true objective of these attacks is unclear; however, one theory is that the attackers were attempting to have a psychological impact on the citizens of Ukraine, as well as draw the attention of media outlets around the world.

Disinformation campaigns are also apparent, with the West noting that Russian-controlled media is being seeded with stories of false provocations against Russian interests. Russia’s Foreign Ministry briefed journalists on Monday saying that “Moscow does not rule out provocations against the self-proclaimed republics in Donbass”. Meanwhile, Russia continues to claim that the U.S., in particular, is being deliberately alarmist and using language that only serves to inflame the situation. The Polish Ministry of Foreign Affairs has also been vocal in calling out Russian disinformation on social media.

One thing that no one is in doubt about, however, is that organizations need to be wary of the potential for cyber attacks related to the ongoing situation. CISA released an advisory Wednesday recommending network defenders review the TTPs and IoCs around suspected MBR wiper activity seen targeting Ukrainian organizations. The potential for malicious cyber activity well beyond that realm, particularly against U.S. targets, should not be underestimated.

Red Cross Hack Linked to Iranian Influence Operation?

A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.

On Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization’s Restoring Family Links services, which works to reconnect people separated by war, violence, migration and other causes.

The same day the ICRC went public with its breach, someone using the nickname “Sheriff” on the English-language cybercrime forum RaidForums advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff’s sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn’t be leaked or sold online.

“Mr. Mardini, your words have been heard,” Sheriff wrote, posting a link to the Twitter profile of ICRC General Director Robert Mardini and urging forum members to tell him to check his email. “Check your email and send a figure you can pay.”

RaidForums member “unindicted” aka Sheriff selling access to the International Red Cross and Red Crescent Movement data. Image: Ke-la.com

In their online statement about the hack (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made.

“In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” the ICRC statement reads.

Asked to comment on Sheriff’s claims, the ICRC issued the following statement:

“Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web.”

Update, 2:00 p.m., ET: The ICRC just published an update to its FAQ on the breach. The ICRC now says the hackers broke in on Nov. 9, 2021, using an unpatched critical vulnerability (CVE-2021-40539). “This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted.”

Original story:

The email address that Sheriff used to register at RaidForums — kelvinmiddelkoop@hotmail.com — appears in an affidavit for a search warrant filed by the FBI roughly a year ago. That FBI warrant came on the heels of an investigation published by security firm FireEye, which examined an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States, U.K. and other western audiences.

“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers wrote. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran.”

The FBI says the domains registered by the email address tied to Sheriff’s RaidForums account were used in service of the Liberty Front Press, a network of phony news sites thought to originate from Iran.

According to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at DomainTools.com (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net.

A review of Sheriff’s postings to RaidForums reveals he has used two other nicknames since registering on the forum in December 2021: “Unindicted,” and “threat_actor.” In several posts, Sheriff taunts one FireEye employee by name.

In a Jan. 3, 2022 post, Sheriff says their “team” is seeking licenses for the Cobalt Strike penetration testing tool, and that they’re prepared to pay $3,000 – $4,000 per license. Cobalt Strike is a legitimate security product that is sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses frequently are used in the run-up to ransomware attacks.

“We will buy constantly, make contact,” Sheriff advised. “Do not ask if we still need)) the team is interested in licenses indefinitely.”

On Jan. 4, 2022, Sheriff tells RaidForums that their team is in need of access to a specific data broker platform, and offers to pay as much as $35,000 for that access. Sheriff says they will only accept offers that are guaranteed through the forum’s escrow account.

The demand for escrow in a sales thread is almost universally a sign that someone means business and they are ready to transact on whatever was advertised or requested. That’s because escrow transactions necessarily force the buyer to make a deposit with the forum’s administrators before proceeding on any transaction.

Sheriff appears to have been part of a group on RaidForums that offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data (PDF screenshot from threat intelligence firm KELA). In a “scam report” filed against Sheriff by another RaidForums member on Dec. 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization.

Instead, the claimant maintains, Sheriff only paid them roughly 25 percent. “The company pay $1.35 million ransom and only payment was made of $350k to me, so i ask for $600k to fix this dispute,” the affiliate wrote.

In another post on RaidForums, a user aptly named “FBI Agent” advised other denizens to steer clear of Sheriff’s ransomware affiliate program, noting that transacting with this person could run afoul of sanctions from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) that restrict commerce with people residing in Iran.

“To make it clear, we don’t work with individuals under the OFAC sanctions list, which @Sheriff is under,” the ransomware affiliate program administrator wrote in reply.

RaidForums says Sheriff was referred to the forum by Pompompurin, the same hacker who used a security hole in the FBI’s website last year to blast a phony alert about a cybercrime investigation to state and local authorities. Pompompurin has been quite active on RaidForums for the past few years, frequently posting databases from newly-hacked organizations, and selling access to stolen information.

Reached via Twitter, Pompompurin said they had no idea who might have offered money and information on Sheriff, and that they would never “snitch” on Sheriff.

“I know who he is but I’m not saying anything,” Pompompurin replied.

The information about Sheriff was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. When the person offering the gift asked if it was okay that the money came from a ransomware transaction, I naturally declined the offer.

That person then proceeded to share the information about the connection between Sheriff’s email address and the FBI search warrant, as well as the account’s credentials.

The same identity approached several other security researchers and journalists, one of whom was able to validate that the kelvinmiddelkoop@hotmail.com address actually belonged to Sheriff’s account. Those researchers were likewise offered tainted donations, except the individual offering the donation seemed to use a different story with each person about who they were or why they were offering money. Others contacted by the same anonymous user said they also received unsolicited details about Sheriff.

It seems clear that whoever offered that money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. However, the information they shared checks out, and since there is precious little public reporting on the source of the ICRC intrusion, the potential connection to hacker groups based in Iran seems worth noting.

Simplify Security, Streamline Workflows and Extend Protection with Singularity XDR and Zscaler

Historically, most corporate applications and solutions that store corporate data were protected behind the corporate network. The adoption of cloud applications and the mobile workforce has changed this paradigm dramatically. Whereas once it would have been unthinkable to allow employees to access applications outside of the corporate network, today such applications are accessible virtually anywhere thanks to cloud-native solutions. For this reason, the old perimeter that security professionals would set and protect no longer exists, and perimeter-based security models are obsolete.

Pandemic-Enabled Digital Transformation

The COVID-19 pandemic has accelerated digital transformation efforts for organizations that need to rapidly stand up infrastructure to support an instant remote and later hybrid workforce. IT teams deployed new solutions to enable business continuity, including cloud infrastructure and Software-as-a-Service (SaaS) platforms like Zoom and Office 365.

Organizations adopted solutions that could scale and deploy without needing access to the physical data center, in some cases deploying applications that were exposed to the open internet. In parallel, many organizations needed to provide endpoints for new remote employees and roll out bring-your-own-device (BYOD) programs. In reality, securing these new operating environments was a secondary concern.

These radical shifts resulted in users accessing applications and data outside of the traditional corporate network. While some organizations tried to scale their on-premises infrastructure to cope, creating a new perimeter around the new compute-where-you-are environment with legacy tooling requires too much effort and is prohibitively expensive.

The modern organization’s attack surfaces now encompass the cloud, containers, mobile devices, IoT, and storage. As attack vectors multiply, many enterprises address each vector with a best-in-class solution to protect those specific vulnerabilities. However, these point tools don’t connect the dots across the entire technology stack. As a result, security data is collected, analyzed, and investigated in isolation, creating gaps in what security teams can see and detect.

In addition, as the number of deployed security solutions grows in the enterprise, the effort required to manage them and respond effectively to their alerts also grows. Administrators can quickly become overwhelmed by the volume of data produced by multiple systems and a constant stream of security alerts. All of this results in long adversary dwell times, potentially causing material damage to an organization.

Security teams need a new way of working, one that enables productivity for end-users and security for the organization—one that provides frictionless protection from endpoint to network to application.

XDR and Zero Trust as Frameworks for Improving Security for Remote Workers

XDR is the evolution of EDR (Endpoint Detection and Response). While EDR collects and correlates activities across multiple endpoints, XDR broadens the scope of detection beyond endpoints to provide detection, analytics, and response across endpoints, networks, servers, cloud workloads, SIEM, and more.

XDR automatically collects and correlates data across multiple security vectors, facilitating faster threat detection so that security analysts can respond quickly before the scope of the threat broadens. Out-of-the-box integrations and pre-tuned detection mechanisms across multiple different products and platforms help improve productivity, threat detection, and forensics.

Forrester defines Zero Trust as “moving security from a network-oriented, perimeter-based security model to one based on continuous verification of trust.” For organizations, this means rethinking the trust-by-default approach and replacing it with a default-deny posture that only authenticates users to least privilege after assessing multiple sources of risk and context. This approach assumes that attackers are already within the network and ensures that every attempt to access the resources or applications be continuously scrutinized to ensure the request is legitimate.

Fundamentally XDR and Zero Trust solve the same challenge with a different approach and methodology. While Zero Trust is risk-centric and XDR is threat-centric, both involve deep integration of the technology stack to exchange telemetry between solutions and to respond in the face of a changing threat or risk landscape. Both seek to minimize enterprise risk and attack surface while enabling end-user productivity and efficiency.

End-to-End Protection from Endpoint to Cloud

The SentinelOne and Zscaler joint solution delivers end-to-end protection from endpoint to cloud while streamlining SOC workflows.

SentinelOne and Zscaler combine to simplify enterprise security across endpoint, network, and cloud, enabling enhanced end-to-end visibility, automated response, and conditional access.

With integration into SentinelOne’s new data platform, Zscaler logs are ingested into SentinelOne. They can then be queried and faceted, allowing security operations teams to quickly triage and respond to attacks.

This joint solution empowers SOC teams to accelerate response with policy-driven actions that remediate threats automatically in Zscaler before an endpoint compromise results in cloud data exfiltration or other damage.

Analysts can trigger automatic and manual response actions from SentinelOne into Zscaler, such as revoking a user’s access or moving the user into a more restrictive group, automatically limiting an attacker’s ability to infiltrate and launch an attack.

Coordinated user access control via the Zscaler Zero Trust Exchange provides secure conditional access to private and SaaS applications based on Zero Trust principles. Additional Zero Trust integration points include device posture checks by the Zscaler Cloud Connector agent to enable conditional access policies based on whether the SentinelOne agent is installed and running. This approach minimizes the enterprise attack surface with a zero-trust policy for conditional access.

With seamless integration, Zscaler and SentinelOne enable security teams to accelerate investigations and remediate threats without pivoting between consoles. Security Operation Centers can triage, investigate, and remediate threats much more efficiently and with greater confidence.

“Today’s security challenges require defense in depth. SentinelOne and Zscaler are key components in our security stack that help us advance our overall security posture. Together, Singularity XDR and Zscaler automate the triage and investigation functions in the SOC, enabling a small team to respond against threats with speed and accuracy.” — John McLeod, CISO, NOV

Use Case 1: Extended Visibility and Holistic Remediation Between Endpoint and Cloud

This joint solution enables SentinelOne to consume Zscaler logs for expanded visibility and enables security analysts to configure flexible response policies right from the SentinelOne console.

Analysts can quickly and automatically mitigate threats such as limiting user access, quarantining a user, blocking access to one or a group of critical applications, or restricting access to specific applications only with browser isolation.

Here’s how it works:

  • Install the free app from Singularity Marketplace and provide it with Zscaler API credentials.
  • Ingest the Zscaler logs into the SentinelOne Singularity XDR framework.
  • Use default or custom policies to trigger response actions by changing user group membership such as predefined restrictive or browser isolated groups. Ensure that users are granted access to enterprise applications and data based on the dynamic conditions of threats and user risk, with speed and consistency.

Use Case 2: Zero Trust Conditional Access Based on Endpoint Security Posture

The SentinelOne integration with Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) enables seamless conditional access, ensuring that a trusted identity on a trusted device can directly access authorized corporate applications without exposing the network.

The guiding principles of Zero Trust are to assume that attackers are already in the network, which means never implicitly trusting users or applications before verifying. Assuming that the environment is already compromised, nothing should be trusted until users, devices, and applications demonstrate their trustworthiness.

Zscaler and SentinelOne combine best-in-class Zero Trust access control with unparalleled visibility, AI-powered detection, and automated response across endpoints, applications, and cloud workloads. SentinelOne continuously checks policy and enforces compliance on the endpoint. At the time of access, Zscaler checks whether SentinelOne is installed and running, considers the endpoint’s security posture, and grants access to corporate applications.

Here’s how it works:

  • SentinelOne secures endpoints with enterprise-grade prevention, detection, response, and hunting.
  • Zscaler Client Connector (ZCC) verifies the presence of SentinelOne by using device posture as an additional authorization vector for access control. Zscaler ZIA and ZPA can be configured to allow only compliant endpoints – ones that pass the posture check – to access selected applications.
  • Zscaler admins can specify (for Windows and Mac workstations) that SentinelOne is installed and running for an endpoint to be granted access to critical business applications.

Parting Thoughts

With attack vectors multiplying due to hybrid work models and BYOD programs, enterprises struggle to secure increasing numbers of vulnerable assets inside and outside the traditional network perimeter. SentinelOne and Zscaler help organizations prevent, detect, and respond to threats more quickly and effectively by providing a comprehensive view of threats across the cloud and endpoints.

Together, SentinelOne and Zscaler provide joint customers with increased SOC efficiency, streamlined workflows, and enhanced threat protection across endpoint, cloud, and network.

To learn more, check out the SentinelOne and Zscaler joint solution brief or attend our upcoming webinar.

Solving for X(DR) | Modernizing Security Operations with SentinelOne and Zscaler
Webinar: Thursday, March 3rd at 10:00am PST / 1:00pm EST

Everything You Need To Know Before Buying Scoop Rockers For Your Child

Comfortable kids’ chairs do not need to look traditional – and scoop rockers prove it! If your child is restless and not able to sit at the table long enough, it is worth having a look at these chairs. They are built with children’s active lifestyles in mind – their seats are scooped to provide optimal comfort, like seating on a rocking chair.

If you’re interested in getting scoop rockers for your kids, we’ve got all the information you need to know before buying one.

What are scoop rockers?

Scoop rockers are a fun, unique seating option for kids while reading, playing video games, or watching television. Scoop rockers are chairs that look like a bowl of a giant spoon: they do not have armrests or a base. It’s a phenomenal seating option for small children and kids with special needs.

They are pretty comfortable and offer a different experience than traditional chairs because of their scooped back. It’s kind of an unstable seating for kids, but it has a significant benefit: the risk of your child falling off is almost none because they’re literally inside the bowl. The other benefit? Your kids will love them!

Typically, these chairs are recommended for children ages 3 to 10 years old.

Where can you buy scoop rockers?

Scoop Rockers are available for purchase online through Amazon.

What are some things to consider when buying scoop rockers?

When purchasing scoop rockers for your children, consider the following:

  • The weight limit. Most have a weight limit of 100 to 150 pounds.
  • The size of the chair. Taller kids will need bigger chairs with longer leg spans.
  • The chair’s durability. If you want to ensure that your scoop rocker lasts for more than one child, make sure the material is high quality and durable.
  • The chair’s appearance. Choose a design or color that you know will go with most of your kids’ furniture.
  • Your budget when buying scoop rockers.

Scoop Rockers are available at a wide range of prices. Some are very inexpensive, while others may be more expensive depending on the materials used to make them and their durability.

Are scoop rockers safe?

The Scoop Rockers are non-toxic and made out of BPA- and phthalate-free plastic and are absolutely safe for little ones.

It’s also extremely unlikely that a child or adult would be able to pull off or break one of the scoops; they are designed to withstand up to 150 lbs of pressure each. The plastic is sturdy, flexible, and durable. The weight of an adult sitting down won’t cause the scoops to fall off or break under normal circumstances.

How to clean scoop rockers?

Scoop rockers can be cleaned with standard household cleaners, such as mild dish soap and a damp cloth. Most of the scoop rockers are made of plastic and vinyl, making them easy to clean.

How to store scoop rockers?

Scoop rockers are very easy to store. You can stack them or lean them against each other. They are also small enough to fit under the bed or in the closet, which is helpful if you don’t have much room.

Why would I buy scoop rockers?

They look fun! If you’re looking for something new for your children’s bedroom or living area, scoop rockers are a perfect choice. They’re easy to move around (and fun!) and they also come in a wide variety of colors and styles to match any kid’s personality or decor style.

Why scoop rockers?

  • They are comfortable and safe for children of almost any age (from the time they can sit up by themselves and keep good posture on their own to prepubescence).
  • The scoop itself absorbs some of the weight of a child as they sit, making it feel like they’re sitting on a cushion.
  • The design is durable, made from high-quality materials that are extremely unlikely to break or be pulled off under normal circumstances.
  • They are easy to clean (just use mild dish soap and a damp cloth)
  • They’re small enough to fit under the bed or in the closet, allowing you to store them away when guests come over
  • Kids also love how fun and unique they are!

Wazawaka Goes Waka Waka

In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.

Wazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.

In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”

The same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang.

The background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.”

The @fuck_maze account messaged me a few times on Twitter, but largely stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos.

At the beginning of the videos, Matveev holds up his left hand to demonstrate that his ring finger is missing. This he smugly presents as evidence that he is indeed Wazawaka.

The story goes that Wazawaka at one point made a bet wherein he wagered his finger, and upon losing the bet severed it himself. It’s unclear if that is the real story about how Wazawaka lost the ring finger on his left hand; his remaining fingers appear oddly crooked.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in the video. “By the way, it is my voice in the background, I just love myself a lot.”

In one of his three videos, Wazawaka says he’s going to release exploit code for a security vulnerability. Later that same day, the @fuck_maze account posted a link to a Pastebin-like site that included working exploit code for a recently patched security hole in SonicWall VPN appliances (CVE-2021-20028).

When KrebsOnSecurity first started researching Wazawaka in 2021, it appeared this individual also used two other important nicknames on the Russian-speaking crime forums. One was Boriselcin, a particularly talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.

The other handle that appeared tied to Wazawaka was “Orange,” the founder of the RAMP ransomware forum. I just couldn’t convincingly connect those two identities with Wazawaka using the information available at the time. This post is an attempt to remedy that.

On Aug. 26, 2020, a new user named Biba99 registered on the English language cybercrime forum RaidForums. But the Biba99 account didn’t post to RaidForums until Dec. 31, 2020, when they announced the creation of the Babuk ransomware affiliate program.

On January 1, 2021, a new user “Babuk” registered on the crime forum Verified, using the email address teresacox19963@gmail.com, and the instant message address “admin@babuk.im.” “We run an affiliate program,” Babuk explained in their introductory post on Verified.

A variety of clues suggest Boriselcin was the individual acting as spokesperson for Babuk. Boriselcin talked openly on the forums about working with Babuk, and fought with other members of the ransomware gang about publishing access to data stolen from victim organizations.

According to analysts at cyber intelligence firm Flashpoint, between January and the end of March 2021, Babuk continued to post databases stolen from companies that refused to pay a ransom, but they posted the leaks to both their victim shaming blog and to multiple cybercrime forums, an unusual approach.

This matches the ethos and activity of Wazawaka’s posts on the crime forums over the past two years. As I wrote in January:

“Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias ‘Uhodiransomwar’ can be seen posting download links to databases from companies that have refused to negotiate after five days.”

Around Apr. 27, 2021, Babuk hacked the Washington Metropolitan Police Department, demanding $4 million in virtual currency in exchange for a promise not to publish the police department’s internal data.

Flashpoint says that on April 30, Babuk announced they were shuttering the affiliate program and its encryption services, and that they would now focus on data theft and extortion instead. On May 3, the group posted two additional victims of their data theft enterprise, showing they are still in operation.

On May 11, 2021, Babuk declared negotiations with the MPD had reached an impasse, and leaked 250 gigabytes worth of MPD data.

On May 14, 2021, Boriselcin announced on XSS his intention to post a writeup on how they hacked the DC Police (Boriselcin claims it was via the organization’s VPN).

On May 17, Babuk posted about an upcoming new ransomware leaks site that will serve as a “huge platform for independent leaks” — i.e., a community that would publish data stolen by no-name ransomware groups that don’t already have their own leaks/victim shaming platforms.

On May 31, 2021, Babuk’s website began redirecting to Payload[.]bin. On June 23, 2021, Biba99 posted to RaidForums saying he’s willing to buy zero-day vulnerabilities in corporate VPN products. Biba99 posts his unique user ID for Tox, a peer-to-peer instant messaging service.

On July 13, 2021, Payload[.]bin was renamed to RAMP, which according to Orange stands for “Ransom Anon Market Place.” Flashpoint says RAMP was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’” [links added]

“Babuk noted that this new platform will not have rules or ‘bosses,’” Flashpoint observed in a report on the group. “This reaction distinguishes Babuk from other ransomware collectives, many of which changed their rules following the attack to attract less attention from law enforcement.”

The RAMP forum opening was announced by the user “TetyaSluha.” That nickname soon switched to “Orange,” who appears to have registered on RAMP with the email address “teresacox19963@gmail.com.” Recall that this is the same email address used by the spokesperson for the Babuk ransomware gang — Boriselcin/Biba99.

In a post on RAMP Aug. 18, 2021, in which Orange is attempting to recruit penetration testers, he claimed the same Tox ID that Biba99 used on RaidForums.

On Aug. 22, Orange announced a new ransomware affiliate program called “Groove,” which claimed to be an aggressive, financially motivated criminal organization dealing in industrial espionage for the previous two years.

In November 2021, Groove’s blog disappeared, and Boriselcin posted a long article to the XSS crime forum explaining that Groove was little more than a pet project to mess with the media and security industries.

On Sept. 13, 2021, Boriselcin posted to XSS saying he would pay handsomely for a reliable, working exploit for CVE-2021-20028, the same exploit that @fuck_maze would later release to Twitter on Jan. 25, 2022.

Asked for comment on this research, cyber intelligence firm Intel 471 confirmed that its analysts reached the same conclusion.

“We identified the user as the Russian national Михаил Павлович Матвеев aka Mikhail Pavlovich Matveev, who was widely known in the underground community as the actor using the Wazawaka handle, a.k.a. Alfredpetr, andry1976, arestedByFbi, boriselcin, donaldo, ebanatv2, futurama, gotowork, m0sad, m1x, Ment0s, ment0s, Ment0s, Mixalen, mrbotnet, Orange, posholnarabotu, popalvprosak, TetyaSluha, uhodiransomwar, and 999,” Intel 471 wrote.

As usual, I put together a rough mind map on how all these data points indicate a connection between Wazawaka, Orange, and Boriselcin.

A mind map connecting Wazawaka to the RAMP forum administrator “Orange” and the founder of the Babuk ransomware gang.

As noted in January’s profile, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.

The Good, the Bad and the Ugly in Cybersecurity – Week 6

The Good

This week’s good news sees the end of the road for four notorious darknet trading markets, thanks to the unlikely but welcome work of Russian law enforcement agencies. Darknet markets Ferum Shop, Sky-Fraud, Trump’s Dumps and UAS (Ultimate Anonymity Services) specialized in credit card fraud and credential theft.

According to a report, the take downs were the handiwork of Russia’s Ministry of Internal Affairs’ Department “K”. Aside from shuttering the sites, Russian authorities also announced the arrest of six individuals on charges of “illegal circulation of means of payment”. Article 187 of Russia’s Criminal Code states that offences relating to illegal card trading are punishable by imprisonment of up to seven years.

These carding sites, some of which have been in business since 2013, are estimated to have collectively made over $263 million. UAS specialized in trading credentials for RDP (Remote Desktop Protocol) accounts, a common entry point for ransomware attackers.

It’s been a tough year so far for darknet markets, with CanadaHQ kicked into touch last week, and potentially more seizures to come promised by Russian authorities, who left the message “Кто из вас следующий” embedded in the HTML of the seized sites.

Seized-site banner: “CLOSED”

The message translates as “Which of you is next?”.

The Bad

It may have been a bad week for carding markets, but the news hasn’t been great for those still operating Magento 1 e-commerce stores, either. Over 500 stores running the platform were breached with payment skimmer malware, according to a report released on Tuesday.

The hackers used known vulnerabilities to gain access to the stores. In one case, they abused a flaw in the Quickview plugin to run an SQL injection and PHP Object Injection attack to gain control of the target store.

Researchers say the attackers found a clever trick to execute the malicious code after adding it to the store’s database: browsing the Magento sign up page. Having compromised a store, the attackers left multiple backdoors on the system—as many as 19 separate backdoors—to ensure reentry if the attack were discovered.

According to researchers, the following files were either added or edited to contain malicious code:

/api.php
/api_1.php
/install.php
/sc_api.php
/phpinfo.php
/adminer.php
/app/code/core/Mage/Page/Block/Html.php
/errors/api.php
/media/api.php
/media/catalog/category/test.jpeg
/media/catalog/category/panch.jpg
/js/api.php
/js/cartcheckout.php
/skin/api.php
/skin/adminhtml/default/default/images/loader.php
/skin/adminhtml/default/default/controller.php
/skin/frontend/default/default/upldr.php
/skin/frontend/base/default/conf.php
/var/importexport/customer.csv

Once a store is compromised, shoppers are presented with a fake payment popup. Payments that are intended for the store are instead sent to the attacker at

hxxps://naturalfreshmall[.]com/payment/Payment.php

While the Magento 1 platform reached End-Of-Life over 18 months ago, thousands of merchants continue to use it and the latest breach comes after over 2000 Magento 1 stores were hacked back in September 2020. All e-commerce traders still using Magento 1 are urged to upgrade to Magento 2 without delay.
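As an added example (not part of the report above or of SentinelOne’s own tooling), the Python script below checks a Magento 1 web root for the file paths the researchers listed, and additionally flags any PHP file found under the media/, skin/ and js/ directories, which in a stock Magento 1 install hold only static assets. That second rule, the "stock file" classification and the constructed demo directory are this example’s own assumptions, not findings from the report.

```python
"""Check a Magento 1 web root for the backdoor/skimmer paths reported in the breach.

Added example, not code from the original report. Two checks are performed:
  1. presence of each path the researchers listed (copied verbatim from the report);
  2. heuristic: any .php file under media/, skin/ or js/, which should hold only
     static assets in a stock Magento 1 install (assumption of this example).
"""
import tempfile
from pathlib import Path

# Paths reported as added or edited in the breached stores (from the report).
REPORTED_PATHS = [
    "api.php", "api_1.php", "install.php", "sc_api.php", "phpinfo.php", "adminer.php",
    "app/code/core/Mage/Page/Block/Html.php",
    "errors/api.php", "media/api.php",
    "media/catalog/category/test.jpeg", "media/catalog/category/panch.jpg",
    "js/api.php", "js/cartcheckout.php", "skin/api.php",
    "skin/adminhtml/default/default/images/loader.php",
    "skin/adminhtml/default/default/controller.php",
    "skin/frontend/default/default/upldr.php",
    "skin/frontend/base/default/conf.php",
    "var/importexport/customer.csv",
]

# Directories that hold static assets in a stock Magento 1 install (heuristic assumption).
STATIC_DIRS = ("media", "skin", "js")

# Files from the list that also exist in a clean Magento 1 install; their presence is
# normal, so they must be diffed against a pristine copy rather than simply deleted.
STOCK_FILES = {"api.php", "install.php", "app/code/core/Mage/Page/Block/Html.php"}


def classify(rel_path):
    """Tell the operator what a hit means: stock file to diff, or a file that should not exist."""
    if rel_path in STOCK_FILES:
        return "stock file: diff against a pristine Magento 1 copy"
    return "unexpected file: quarantine and inspect"


def scan_magento_root(root):
    """Return sorted findings for a web root: reported paths present, and PHP in static dirs."""
    root = Path(root)
    findings = {"reported": [], "php_in_static_dirs": []}

    # Check 1: exact paths named in the report.
    for rel in REPORTED_PATHS:
        if (root / rel).is_file():
            findings["reported"].append(rel)

    # Check 2: PHP where only static assets belong (catches renamed variants too).
    for static in STATIC_DIRS:
        base = root / static
        if not base.is_dir():
            continue
        for path in base.rglob("*.php"):
            if path.is_file():
                findings["php_in_static_dirs"].append(path.relative_to(root).as_posix())

    for key in findings:
        findings[key].sort()
    return findings


def build_demo_root():
    """Constructed fixture (not real data): a fake Magento 1 tree with planted files."""
    root = Path(tempfile.mkdtemp(prefix="magento1-demo-"))
    planted = {
        "app/code/core/Mage/Page/Block/Html.php": "<?php // stock core file, contents to be diffed\n",
        "media/catalog/category/panch.jpg": "not really an image\n",
        "skin/frontend/base/default/conf.php": "<?php // planted backdoor stand-in\n",
        "js/foo.php": "<?php // not in the report; caught by the static-dir heuristic\n",
        "skin/frontend/base/default/styles.css": "body { margin: 0; }\n",  # benign
    }
    for rel, content in planted.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    result = scan_magento_root(demo)
    for rel in result["reported"]:
        print(f"[reported] {rel} -> {classify(rel)}")
    for rel in result["php_in_static_dirs"]:
        print(f"[php-in-static-dir] {rel}")
```

Run it against a real store with `scan_magento_root("/var/www/magento")`; a hit on a stock file such as api.php is only meaningful once its contents are compared with a clean copy of the same Magento 1 release, while any PHP under media/, skin/ or js/ warrants immediate inspection regardless of name.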

The Ugly

It’s well-known that there are APTs that attack organizations, governments and on occasion individuals in order to conduct espionage or even steal money, but APTs that conspire to plant false evidence and imprison civil rights activists are a phenomenon that is only recently starting to come to light. This week, SentinelLabs’ researchers disclosed how activists in India had been targeted repeatedly over ten years by an APT with the aim of planting false evidence on their devices.

Researchers say that the ModifiedElephant APT engages in long-term surveillance to plant incriminating files on its targets, who are then conveniently arrested. The group operates primarily through phishing with malicious attachments and unsophisticated, off-the-shelf malware that targets Windows and Android devices.

This isn’t the first time the SentinelLabs researchers have identified an APT acting with the primary intent of planting false evidence on its targets. In September 2021, they also reported on a Turkish-nexus state actor they dubbed ‘EGoManiac’, finding that the actor was responsible for a cluster of two campaigns that targeted Turkish journalists.

One thing both cases seem to share in common is a connection to private sector offensive actors. EGoManiac appeared to have connections with the now defunct Hacking Team, while some of ModifiedElephant’s targets were also infected with the now infamous NSO Group’s Pegasus mobile spyware.

While this kind of activity doesn’t appear to be new – some of the cases go back to 2010 – it’s an aspect of APT activity that has rarely been brought to light before, so all credit to the researchers for bringing it to public attention. To paraphrase our Russian law enforcement friends mentioned above, which of you APTs is next?

Ingenuity Bouncer – Quality Baby Bouncers!

The Bouncer is a great item to have with you and your baby. It keeps them safe and secure while allowing for some bouncy movement at the same time. It is like a big swing that you can set up anywhere with you. The bouncy chair also helps train your baby’s legs and feet for standing – which they will one day need to stand on their own two feet!

The company that stands behind the Ingenuity brand, Kids2 Inc, is built on family. Their goal is to make fun products for your child while also being safe! On top of their innovative solutions, they are also very conscious of what parents look for in baby products. Kids2 Inc wants to make sure that their products are easy to use while still cost-efficient! We all know how expensive children can be, so this is an excellent point of consideration.

The Ingenuity Bouncers are great bouncy chairs for your baby. They come in several different styles, all with their unique features and each one with the Ingenuity standard of quality that parents know and love. Let’s take a look at some of the best Ingenuity Bouncers available today:

Ingenuity SmartBounce

With this bouncer, you can take care of a baby hands-free! The Ingenuity SmartBounce will gently rock and swaddle your baby in 2-speed automatic soothing motions that mimic mom’s natural movements, making your little one feel at peace.

The 3-point safety harness on the bouncing seat ensures your baby stays safe and secure while you can relax. Let’s not forget that the baby needs some fun, too: that’s why this Ingenuity automatic bouncer comes with 11 melodies and soothing nature sounds, as well as toys on a pivot bar.

In addition to being a very safe bouncer with a 3-point harness, the Ingenuity SmartBounce works on batteries. This is great because you can easily carry spare batteries in your bag when out and about. No more worrying about the bouncer running the electricity bill up. This bouncer rocks, bounces, swaddles, and entertains your baby – it even has an automatic turn-off mode to save battery life.

The seat pad on this baby bouncer is machine washable, making it simple to keep clean. Last but not least: it is fantastic to look at, and the colors are fabulous! Perfect for newborns and babies up to 6 months.

How to assemble Ingenuity automatic bouncer

This bouncer seat is straightforward to put together, but if you run into any trouble, we are happy to offer guidance.

The bouncer seat comes in a box with all the parts and a manual to help you assemble it. It is a great idea to look at the manual before using the Ingenuity automatic bouncer to take care of any safety concerns.

Inspect your Ingenuity baby bouncer carefully when you get it home from the store and before first-time use to ensure that no parts are missing and that there is no visible damage.

Ingenuity Cradling Bouncer

When there’s a baby in the picture, it is challenging to keep up with your everyday chores! Keep your baby happy and within view with a bouncer explicitly designed for daily activities.

Ingenuity Cradling Bouncer is a safe spot for your baby: it provides a secure environment, and the 3-point harness keeps your baby safe. The soft fabric seat is comfortable and gentle on your baby’s delicate skin. It also has a head support area to help keep them supported when they fall asleep.

This baby bouncer also comes with two built-in comfort vibration settings that allow you to soothe your baby easily. Some parents also love that this bouncer has a vibration feature because it makes their life easier, which means happier babies and more time for everyday chores.

There is a removable toy bar with toys that your baby can play with, and there are 8 soothing melodies you both will love. You can easily switch between movement and vibration modes with the push of a button.

The Ingenuity Cradling Bouncer is also super easy to clean, making it perfect for busy parents on the go! The bouncer seat cover is machine washable. This baby bouncer also takes up minimal space, allowing you to use it anywhere in the house.

You will need 3 “C” batteries that are not included in the box to use this baby bouncer. However, it is worth mentioning that the Ingenuity Cradling Bouncer uses minimum energy so that the batteries will go a long way.

Ingenuity cradling bouncer manual and assembly

The user manual comes with detailed diagrams and instructions to guide you through the assembly process.

The Ingenuity cradling bouncer requires minimal assembly. The frame comes with the fabric seat already installed. You just need to attach the toys and batteries, and you’re ready to go. The whole process should take about 5-7 minutes.

If you need to wash the fabric seat, it is easily removed and machine washed. The frame may require a quick wipe down to keep it looking good as new.

Ingenuity Bouncity Bounce

A perfect substitute for parents’ arms: the Ingenuity Bouncity Bounce is a great option for parents looking to give their baby a bouncing seat that is lightweight and easy to move around.

When you need a cozy place for your baby to relax and play, the Ingenuity Bouncity Bounce seat is a great solution. Your baby will feel extra safe and secure in this bouncing seat, thanks to its 3-point harness system.

The plush, removable headrest helps keep newborns comfortable. You can easily remove, wash and replace the seat pad for easy cleaning. As the child grows and begins to kick those legs, the baby can create their own steady bounce. This will help strengthen their leg muscles while having fun at the same time!

Moreover, the Ingenuity Bouncity seat has a vibration mode with adjustable intensity levels. It also comes equipped with both music and plush toys to keep your child entertained and happy during playtime.

The Ingenuity Bouncity Bounce seat requires just 1 “C” battery to operate. This provides about 100 hours of power, which means you won’t need to replace the batteries often.

Ingenuity Bouncity Bounce Manual and Assembly

The user’s manual has comprehensive illustrations to assist you with the installation. All in all, it should take about 5-7 minutes to install this seat.

The Ingenuity bouncy seat requires minimal assembly before use. It is an easy task, even for those not technically inclined or DIY savvy.

The plush seat pad is easily removable and machine washable. The bouncer does not require any special maintenance either, so you don’t have to worry about waking up in the middle of the night for a routine clean-up.

Ingenuity InLighten Baby Bouncer

The Ingenuity InLighten Baby Bouncer has some cool features that come in handy for new parents. It has two vibration settings that can be turned on or off by the push of a button. It also has a removable headrest that can be quickly dealt with by machine washing it when necessary.

The comfortable, cradling bouncing chair is covered in soft velours to hug your infant. The Ingenuity InLighten bouncer seat can accommodate your child from infancy to 20 pounds.

Your baby will enjoy kicking and playing in this baby bouncer, as it is full of surprises: the dazzling lights that dance over the canopy toy bar, the spinning mobile with removable plush toys, and the melodies that keep your baby entertained.

The Ingenuity InLighten bouncer also includes a set of tranquil melodies, nature sounds, and white noise to allow your child to relax and sleep. Soothing vibrations add to the calming atmosphere.

Ingenuity InLighten Baby Bouncer Manual and Assembly

The Ingenuity InLighten bouncer is easy to install and only takes a couple of minutes with simple instructions illustrated in the user’s manual.

Assembly time usually takes no more than 5 minutes. The bouncer is not bulky or heavy, so you can carry it with you to different rooms of the house for convenience.

The Ingenuity InLighten Baby Bouncer requires 3 “D” batteries to operate. They are not included in the package, so be ready to spend some extra bucks to buy them.

Which Ingenuity Baby Bouncer to choose?

All Ingenuity baby bouncers come with their benefits. Depending on your baby’s needs, convenience and preferences, you can pick the best model that will suit their lifestyle. If we were to choose ComfyBummy’s favorites, we would go with:

  • Ingenuity SmartBounce
  • InLighten Baby Bouncer

The Ingenuity SmartBounce is an automatic baby bouncer that emulates the natural motions of parents when comforting their children. With this model, you will bounce your child without any difficulties. Your baby will be cradled and comfortable.

The Ingenuity InLighten Baby Bouncer is also worth purchasing if you want a bouncer with many features. It is very engaging and entertaining for your infant, so it can significantly contribute to your kid’s development.

These amazing devices have many benefits that first-time moms may not even be aware of, but for those with an experienced hand, they are the only way to go. They provide a safe place for your baby to play or sleep, soothe them with a gentle rocking motion, and help to develop their motor skills. These great features combine to make the best baby bouncers money can buy!

The post Ingenuity Bouncer – Quality Baby Bouncers! appeared first on Comfy Bummy.

Russian Govt. Continues Carding Shop Crackdown

Russian authorities have arrested six men accused of operating some of the most active online bazaars for selling stolen payment card data. The crackdown — the second closure of major card fraud shops by Russian authorities in as many weeks — comes closely behind Russia’s arrest of 14 alleged affiliates of the REvil ransomware gang, and has many in the cybercrime underground asking who might be next.

Dept. K’s message for Trump’s Dumps users.

On Feb. 7 and 8, the domains for the carding shops Trump’s Dumps, Ferum Shop, Sky-Fraud and UAS were seized by Department K, a division of the Ministry of Internal Affairs of the Russian Federation that focuses on computer crimes. The websites for the carding stores were retrofitted with a message from Dept. K asking, “Which one of you is next?”

According to cyber intelligence analysts at Flashpoint, that same message was included in the website for UniCC, another major and venerated carding shop that was seized by Dept. K in January.

Around the same time Trump’s Dumps and the other three shops began displaying the Dept. K message, the Russian state-owned news outlet TASS moved a story naming six Russian men who were being charged with “the illegal circulation of means of payment.”

TASS reports the six detained include Denis Pachevsky, general director of Saratovfilm Film Company LLC; Alexander Kovalev, an individual entrepreneur; Artem Bystrykh, an employee of Transtekhkom LLC; Artem Zaitsev, an employee of Get-net LLC; and two unemployed workers, Vladislav Gilev and Yaroslav Solovyov.

None of the stories about the arrests tie the men to the four carding sites. But Flashpoint found that all of the domains seized by Dept. K were registered and hosted through Zaitsev’s company — Get-net LLC.

“All four sites frequently advertised one another, which is generally atypical for two card marketplaces competing in the same space,” Flashpoint analysts wrote.

Stas Alforov is director of research for Gemini Advisory, a New York firm that monitors underground cybercrime markets. Alforov said it is most unusual for the Russians to go after carding sites that aren’t selling data stolen from Russian citizens.

“It’s not in their business to be taking down Russian card shops,” Alforov said. “Unless those shops were somehow selling data on Russian cardholders, which they weren’t.”

A carding shop that sold stolen credit cards and invoked 45’s likeness and name was among those taken down this week by Russian authorities.

Debuting in 2011, Ferum Shop is one of the oldest observed dark web marketplaces selling “card not present” data (customer payment records stolen from hacked online merchants), according to Gemini.

“Every year for the last 5 years, the marketplace has been a top 5 source of card not present records in terms of records posted for sale,” Gemini found. “In this time period, roughly 66% of Ferum Shop’s records have been from United States financial institutions. The remaining 34% have come from over 200 countries.”

In contrast, Trump’s Dumps focuses on selling card data stolen from hacked point-of-sale devices, and it benefited greatly from the January 2021 retirement of Joker’s Stash, which for years dwarfed most other carding shops by volume. Gemini found Trump’s Dumps gained roughly 40 percent market share after Joker’s closure, and that more than 87 percent of the payment card records it sells are from U.S. financial institutions.

“In the past 5 years, Ferum Shop and Trump’s Dumps have cumulatively added over 64 million compromised payment cards,” Alforov wrote. “Based on average demand for CP and CNP records and the median price of $10, the total revenue from these sales is estimated to be over $430 million. Due to the 20 to 30% commission that shops generally receive, the administrators of Ferum Shop and Trump’s Dumps likely generated between $86 and $129 million in profits from these card sales.”

The arrests of the six men come less than two weeks after Russian law enforcement officials detained four suspected carders — including Andrey Sergeevich Novak, the reputed owner of the extremely popular and long-running UniCC carding shop.

In 2018, the U.S. Justice Department charged Novak and three dozen other defendants thought to be key members of “Infraud,” a huge cybercrime community online that prosecutors say cost merchants and consumers more than half a billion dollars.

The UniCC shop sold stolen credit card data as well as Social Security numbers and other consumer information that can be used for identity theft. It was seized by Dept. K in January 2020.

Flashpoint said the recent arrests represent the first major actions against Russia-based cybercriminals since March 2020, when the FSB detained more than thirty members of an illicit carding operation, charging twenty-five of them with “illegal circulation of means of payment.”

Dumps, or card data stolen from compromised point-of-sale devices, have been declining in popularity among fraudsters for years as more financial institutions have issued more secure chip-based cards. In contrast, card-not-present data stolen from online stores continues to be in high demand, because it helps facilitate fraud at online retailers. Gemini says the supply of card-not-present data rose by 50 percent in 2021 versus 2020, fed largely by the success of Magecart e-skimmers that target vulnerabilities in e-commerce sites.

Alforov says while the carding shop closures are curiously timed, he doubts the supply of stolen card data is going to somehow shrink as a result. Rather, he said, some of the lower-tier card shops that were previously just resellers working with Trump’s Dumps and others are now suddenly ramping up inventory with their own new suppliers — very likely thanks to the same crooks who were selling cards to the six men arrested this week in Russia.

“What we’re seeing now is a lot of those reseller shops are coming to the market and saying, ‘We don’t have that order data we were getting from Ferum Shop but now have our own vendors,’” Alforov said. “Some of the lesser tier shops are starting to move up the food chain.”

KPMG Leverages SentinelOne to Tackle Cyber Risk

When it comes to modern cyber attacks, the best offense is a good defense. Every day, more businesses around the globe learn that breach response plans alone aren’t enough to constitute an adequate—let alone comprehensive—cybersecurity capability. To stay protected against increasingly sophisticated and frequent cyber attacks, organizations must build their programs to be resilient today, and prepared for whatever may come tomorrow.

Helping clients securely navigate this digital world is what’s driving the Cyber Security Services practice at KPMG. For over 30 years, KPMG LLP (KPMG) has been a global leader in helping organizations mitigate risk and grasp opportunities. The KPMG Cyber Security Services team has been involved in many of the most high-profile breaches across 16 countries worldwide.

Ed Goings, U.S. & Global Lead of Cyber Response Services, and David Nides, Cyber Security Services Principal, pride themselves on delivering “high quality, highly effective digital forensics and incident response to KPMG clients globally.” Simultaneously, Ed & David’s teams work with clients on building cyber strategy: proactive measures for long-term resilience, such as building and testing cyber incident response plans, performing purple team exercises, creating ransomware resiliency programs, and improving incident preparedness. “Whether they’re new or existing, clients come to KPMG as their trusted advisor for cyber challenges and issues,” emphasizes David.

To follow through on this objective, KPMG must be empowered by technology that delivers visibility, ease of deployment, ease of use, and quality of service they need across a comprehensive Cyber Security Services portfolio. SentinelOne, an industry leader in detection and response technology, has emerged as a piece of this puzzle.

Identifying, Understanding, and Closing Security Gaps with Compromise Assessment

If ransomware has taught us anything, it’s that the cost of cybersecurity only grows by waiting until the moment of impact. Conducting a compromise assessment across the full enterprise estate can help us understand our current risk posture and identify if any active threats are present in the environment. While these assessments can be particularly insightful for incoming CISOs wanting an accurate baseline of their inherited environment or for organizations with new and changing risk following a merger or acquisition, there’s never a bad time to do due diligence.

At KPMG, data-rich compromise assessments start with deploying SentinelOne’s Sentinel Agent across the complete enterprise environment. This rollout is markedly faster than what’s possible with most compromise assessments, thanks to the agent’s Singularity Ranger capability. What might otherwise take days, if not weeks, now takes just a handful of hours.

Ranger, SentinelOne’s network discovery and attack surface control solution, “enables us to provide the client a means of self-deploying SentinelOne within the environment through self-propagation of the agent. Ranger covers not only known assets, but also unknown assets,” says David.

“Especially in larger IT estates, there tends to be a bit of shadow IT, which often stems problems and poses a significant risk. These types of environments or the systems within them are usually an afterthought or candidly not even known. With Ranger Pro, as long as those assets are deployed to the network, they’re covered in an automated fashion.”
David Nides, Cyber Security Services Principal, KPMG

Proactive Monitoring and Threat Hunting to Uncover Hidden Threats

Following deployment, the team performs a short period of active monitoring and proactive threat hunting as part of the compromise assessment. A critical component of threat hunting is having the data to baseline ‘normal’ and find outliers. Attackers often want to blend in with ordinary users to acquire user credentials from phishing campaigns, so understanding a user’s typical behavior is a useful benchmark for investigating anomalous file access or login events.

SentinelOne’s EDR and XDR telemetry and intuitive hunting workflows enable even the most covert attacker activity to be uncovered. Because raw, benign data can be retained for extended periods of time, KPMG can also use historical data to map advanced threat campaigns across time. It also enables post-breach monitoring for extended periods of days after the security incident, to sustain containment and eradication of the threat actor.

Investigating and Analyzing Threats at Enterprise Scale

While proactive security practices will take you a long way in staying protected against threats, incidents are almost as certain as death and taxes. For KPMG, lending authority and expertise to clients in response to an imminent security event is its bread and butter. Whether a client wants to dive deeper into a potential email compromise that led to money transfer out of the organization or contain and identify the root cause of a proliferating ransomware attack, Ed & David’s team relies on solid, scalable EDR technology to drive their breach response operations from one end of the incident response lifecycle to the other.

“We leverage SentinelOne as one of our EDR platforms. In many responses, our clients may already have an EDR in their environment, but if they’re calling us, it’s normally because they do not have a mature solution or an effective solution that has the desired coverage. SentinelOne is one of our go-to solutions to deploy.”
Ed Goings, U.S. & Global Lead of Cyber Response Services, KPMG

Since the name of the game is rapid response and recovery, KPMG particularly values toolsets and workflows that will accelerate their incident response process.

Having the Right Data for Streamlined Investigations

With SentinelOne’s data platform following the acquisition of Scalyr, David and the team have been able to integrate KPMG’s proprietary Digital Responder (KDR) tool for triaging forensic endpoint data at scale with SentinelOne’s data ingestion, correlation, and analysis capabilities. “More times than not, we get pulled into an incident after it’s already occurred,” David explains. “SentinelOne’s data platform provides the ability to go back in time en masse and deploy tools and scripts to do true enterprise forensics.”

When KPMG Digital Responder forensic data is sent to the data platform for investigation and analysis, the work can be done entirely within the SentinelOne ecosystem, without shipping data back and forth to KPMG for processing. This has significantly streamlined investigations for KPMG, turning what used to take days into minutes. The result is getting more clients, no matter how expansive their environment, from deployment and investigation to containment and eradication faster.

Monitoring for Threats and Maintaining Risk Posture

Since cyber risk mitigation isn’t just a point-in-time exercise, it’s crucial to have a program in place for around-the-clock security monitoring, especially if your operations span the globe. In both pre- and post-breach scenarios, KPMG helps clients build and manage their security operations, as well as the intelligence and response workflows underlying them, using EDR technology they trust for immediate breach response.

If you would like to learn more about Ranger, STAR, and the SentinelOne Singularity XDR platform, contact us for more information or request a free demo.

Microsoft Patch Tuesday, February 2022 Edition

Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month’s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.

While none of the patches address bugs that earned Microsoft’s most dire “critical” rating, there are multiple “remote code execution” vulnerabilities that Redmond believes are ripe for exploitation. Among those is CVE-2022-22005, a weakness in Microsoft’s SharePoint Server versions 2013-2019 that could be exploited by any authenticated user.

“The vulnerability does require an attacker to be authenticated in order to exploit it, which is likely why Microsoft only labeled it ‘Important,’” said Allan Liska, senior security architect at Recorded Future. “However, given the number of stolen credentials readily available on underground markets, getting authenticated could be trivial. Organizations that have public-facing SharePoint Servers should prioritize implementing this patch.”

Kevin Breen at Immersive Labs called attention to CVE-2022-21996, an elevation of privilege vulnerability in the core Windows component “Win32k.”

“In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied,” Breen said. “February sees more patches for the same style of vulnerability in this same component. It’s not clear from the release notes whether this is a brand new vulnerability or if it is related to the previous month’s update. Either way, we have seen attackers leverage this vulnerability so it’s safer to err on the side of caution and update this one quickly.”

Another elevation of privilege flaw CVE-2022-21989 — in the Windows Kernel — was the only vulnerability fixed this month that was publicly disclosed prior to today.

“Despite the lack of critical fixes, it’s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month,” said Greg Wiseman, product manager at Rapid7. “Remote code execution vulnerabilities are also important to patch, even if they may not be considered ‘wormable.’ In terms of prioritization, defenders should first focus on patching server systems.”

February’s Patch Tuesday is once again brought to you by Print Spooler, the Windows component responsible for handling printing jobs. Four of the bugs quashed in this release relate to our friend Mr. Print Spooler. In July 2021, Microsoft issued an emergency fix for a Print Spooler flaw dubbed “PrintNightmare” that was actively being exploited to remotely compromise Windows PCs. Redmond has been steadily spooling out patches for this service ever since.

One important item to note this week is that Microsoft announced it will start blocking Internet macros by default in Office. This is a big deal because malicious macros hidden in Office documents have become a huge source of intrusions for organizations, and they are often the initial vector for ransomware attacks.

As Andrew Cunningham writes for Ars Technica, under the new regime when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016, and 2013.

“Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros,” Cunningham wrote. “The change will be previewed starting in April before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June.”
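How Office tells that a file “came from the Internet”, as an added example that is not code from Microsoft, Ars Technica or Krebs: Windows records a downloaded file’s origin in an NTFS alternate data stream named Zone.Identifier (the Mark of the Web), and the macro block keys off the ZoneId written there. This Python checker parses that stream and reports whether a given file falls under the new default. The sample streams are constructed, and the set of zones treated as blocked (Internet and Restricted Sites) is an assumption based on the policy’s description rather than something the article states.

```python
"""Decide whether Office's new default will block a file's macros by reading
its Mark of the Web (the Zone.Identifier alternate data stream).

Added example, not Microsoft's, Ars Technica's or Krebs's code. The sample
streams are constructed; MACRO_BLOCK_ZONES is an assumption based on the
policy's description (files from the Internet or Restricted Sites zones).
"""
from __future__ import annotations

import configparser
from pathlib import Path

# Windows URL security zone numbers as written into Zone.Identifier.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
# Assumption: the Office block applies to files marked with these two zones.
MACRO_BLOCK_ZONES = {3, 4}

# Constructed streams in the INI-style, CRLF-terminated form Windows writes.
INTERNET_DOWNLOAD = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/invoices/\r\n"
    "HostUrl=https://example.com/invoices/Invoice-2291.docm\r\n"
)
INTRANET_COPY = (
    "[ZoneTransfer]\r\n"
    "ZoneId=1\r\n"
    "HostUrl=\\\\fileserver\\finance\\Invoice-2291.docm\r\n"
)


def parse_zone_identifier(stream_text):
    """Parse the stream into a dict; raise ValueError if it is not a
    ZoneTransfer record. configparser strips the CR and treats option
    names case-insensitively, which matches how Windows writes the stream."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("stream has no [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "0"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def macros_blocked(stream_text):
    """True if a file carrying this stream falls under the Internet-macro block.
    A file with no stream at all (None) is NOT blocked. That is the gap to
    remember: files pulled from archives that do not propagate the mark, copied
    from FAT-formatted media, or re-saved locally lose it."""
    if stream_text is None:
        return False
    return parse_zone_identifier(stream_text)["zone_id"] in MACRO_BLOCK_ZONES


def read_zone_identifier(path):
    """Read the stream from a file on NTFS (Windows only); None if absent.
    Alternate data streams are addressed as '<file>:Zone.Identifier'."""
    try:
        return Path(f"{path}:Zone.Identifier").read_text(encoding="utf-8")
    except OSError:
        return None


if __name__ == "__main__":
    import sys

    for p in sys.argv[1:]:
        stream = read_zone_identifier(p)
        zone = parse_zone_identifier(stream)["zone"] if stream else "no Mark of the Web"
        state = "macros blocked" if macros_blocked(stream) else "macros NOT blocked by the new default"
        print(f"{p}: {zone} -> {state}")
```

Point the script at a .docm saved from a browser and it reports the Internet zone and a block; point it at the same file after it has been copied through a share or extracted by a tool that drops the stream, and it reports no mark and no block. The new default therefore narrows the phishing path but does not replace a policy that disables macros outright where the business does not need them.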

January’s patch release was a tad heavier and rockier than most, with Microsoft forced to re-issue several patches to address unexpected issues caused by the updates. Breen said while February’s comparatively light burden should give system administrators some breathing room, it shouldn’t be viewed as an excuse to skip updates.

“But it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy,” Breen said.

For a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.