Cybersecurity can seem like a bit of a zoo these days. There are myriad problems to solve as the landscape changes under our feet with new technologies, evolving business needs, and an attack surface that continues to expand. Into this mix, add more vendors, more consultants and more experts, each with bold statements on how to win the war against cyber threat actors.

Unfortunately, while many of these attempts to make enterprises safer may be genuine, there are a lot of blanket statements out there that can undermine a CISO’s efforts to secure the business. In this post, I will try to tackle the most oft-repeated cybersecurity misconceptions we see thrown at CISOs.

1. Windows Security Is Enough To Secure Your Microsoft Endpoints

Who is the biggest security vendor of them all? Before taking a mental inventory of the major 3rd party players that no doubt immediately spring to mind, it might come as a surprise to realize that they are all outstripped by Microsoft, with its unique position as both OS vendor and vendor of security software for its own OS, variously known as ‘Microsoft Defender’, ‘Windows Defender’, and now ‘Windows Security’.

2021 was another bumper year of Microsoft vulnerabilities, exploits, and breaches, with threat actors taking quick and merciless advantage of Microsoft vulnerabilities in Exchange Server like ProxyLogon and ProxyShell. Those vulnerabilities were followed by PrintNightmare, which in turn was followed by HiveNightmare.

Microsoft Defender did little to halt any of the ransomware attacks by Hafnium and Conti gangs that exploited such vulnerabilities, and the product was itself also in the wars after it was revealed Defender contained a privilege escalation vulnerability for over 12 years.

Recent history suggests that CISOs that rely on an OS vendor to win a fight against ransomware are going to be on the losing side of the battle.

2. Macs are Safe ‘By Design’

Unlike Microsoft, Apple is not in the business of selling security software in an attempt to protect its own products, but it still actively promotes the security of macOS as one of the unique selling points of Macs over other hardware. Accordingly, Apple has a vested interest in discouraging the perception that third party security controls are required for Macs in the enterprise just as much as they are for other endpoints.

Apple admitted earlier this year that macOS does have a problem with malware, and while few companies use Macs as servers or network controllers, thus sparing them the attention of ransomware operators, they are extremely popular among both C-Suite executives and developers. This makes enterprise Macs juicy targets for threat actors interested in high-value targets, and the new macOS malware seen appearing over the last 12 months has mostly been espionage and backdoors directed at specific targets.

Meanwhile, Mac users themselves are largely unaware of the many ways that malware can and does beat the built-in security technologies used by Apple. The Mac’s built-in security relies heavily on code-signing, certificate revocation checks and legacy file signatures. Threat actors have little trouble in bypassing these, and like Microsoft Windows, the complexity of operating system software ensures that critical bugs are patched on an increasingly more frequent basis.

On top of that, the Mac’s built-in security controls offer no visibility to users or admins. As a CISO, how would your admins know if any of the Macs in your fleet were infected with a backdoor, spyware or other macOS malware without external security software to offer that visibility?

3. Prevention Isn’t Possible, and Detection Is Enough

It’s become a trope among legacy AV vendors in their attempts to excuse the failures of AV Suites and EPP to claim that prevention is impossible, and post-infection detection and quarantine is the only realistic goal.

But we are in 2022, we have had machine learning and AI at our disposal for years now, and there is no reason why any CISO should accept that a vendor cannot prevent file-based malware pre-execution or on-execution.

Vendors that rely entirely on signature-based detection should supplement or replace their detection engines with static AI engines that can prevent most types of malicious PE files. More importantly, CISOs should reject vendors that tell them prevention isn’t possible.

4. Zero Trust Is Achievable For Most Organizations

The tried-and-trusted adage that “You are only as strong as your weakest link” gains new poignancy in today’s move to Zero Trust environments. While embracing Zero Trust is part of the right direction in which to travel to reduce your attack surface, the reality is that most organizations cannot effectively implement a complete Zero Trust Architecture (ZTA) across multiple assets and security systems.

Organizations should exercise caution when vendors offer a “Zero Trust SKU”. Beyond the marketing spiel, achieving a ZTA security model requires integration across all technologies. There’s no “plug-and-play” way to transform your organization overnight. Indeed, moving from a legacy perimeter-based security model to a ZTA security model is a multi-year journey, while attacks on businesses occur on a daily basis.

Like many developments in enterprise security, ZTA offers promise but it is no panacea. CISOs should beware vendors that tell them ZTA is a magic bullet that can solve all their security headaches.

5. Mobile Security Is Not a Must

Incredibly, there are vendors (and security practitioners) that still haven’t woken up to the reality of mobile devices in the enterprise. Sometimes, humans act like something doesn’t exist if they simply refuse to see it, but we have been checking our business emails and accessing work data from our mobile devices for years now. Most organizations understand that attempts to stop users conducting work tasks on their mobile devices leads to an unacceptable impact on productivity.

The mobile space is dominated by two main OS vendors, Google and Apple, and both understand the necessity of mobile security, although they take very different approaches to it. Recently, Google explained how an iOS zero-day, zero-click vulnerability had compromised Apple users. The technical level is beyond most skilled programmers and security professionals, let alone ordinary users.

Despite that sophistication, that exploit wasn’t developed by a nation-state actor but by the NSO Group, a private enterprise. In such a climate, where profit-driven attackers can invest that level of expertise into compromising our mobile devices, what business with intellectual property to defend, customer data to protect (and regulatory fines to avoid) can afford to pretend that mobile security is optional?

Mobile attacks are real and CISOs should apply mobile threat defense measures to keep track of user and device behavior and actions.

6. Backups Will Protect You Against Ransomware

The world of information security moves fast, and what was true yesterday (or, to be frank, a few years ago now) is not necessarily true today. Cast your mind back to NotPetya and WannaCry in 2017, and the hard-learned lesson that businesses without backups were setting themselves up as hostages to fortune, or rather the misfortune of being hit by ransomware.

The lesson didn’t go unheeded either by businesses or attackers, and by 2019 we saw the first human-operated ransomware gangs – Maze and DoppelPaymer – pivot to the double-extortion method: denial-of-access to files via encryption with the threat of public data leaks on top. Now, backups didn’t get companies off the hook if they valued the privacy of their data.

Double extortion soon became the standard MO for the majority of ransomware gangs, and some even went so far as to threaten to leak the data of clients or to ransom the clients of victim organizations.

Even so, some organizations were prepared to bite the bullet, risk data leakage, recover from backups and deny criminals a pay-day. Unfortunately, this only led the criminals to raise the stakes to triple extortion: on top of the threat of leaked data and file encryption, they started flooding victim companies with DDoS attacks to force them back to the negotiation table.

The lesson for CISOs is this: ransomware operators are flush with cash from previous victims. They can afford to buy large-scale botnets and hit your network with DDoS till you pay; they can afford to buy Initial Access from other criminals, and they can afford to pay human operators (aka “affiliates”) to carry out attacks. Backups mean nothing in today’s double and triple extortion ransomware threatscape. What matters is preventing compromise in the first place.

7. The Ransomware Threat Can Be Solved By Government

We’ve seen multiple worthy and valiant attempts to fight the growing surge in ransomware coming out of the U.S. government’s new focus on cybercrime.

The Colonial Pipeline attack, the JBS meat-supplier attack and others have created a growing concern for enterprises, as they feel they are left alone in the battle to keep our way of life safe. As laudable as the government’s efforts to take action are, cybercriminals are – by their very nature – undeterred by law enforcement.

No sooner had Biden and Putin discussed a crackdown on criminals that attacked healthcare and other critical infrastructure organizations than new groups emerged specifically to do just that. Where some criminals fear to tread, others will happily take their place if they sniff an opportunity to make money. Federal laws don’t exempt us from locking our own doors.

Yes, government help is always welcome. No, government help isn’t going to alleviate the need for enterprises to protect their businesses against crime.

8. You Don’t Need Humans If You Implement Automation

The cybersecurity skills shortage is real, but while automation can make valuable contributions to productivity and efficacy, automation will never replace the human element in the cybersecurity equation.

Risk is not static, and the risk surface constantly grows and changes as organizations mature and expand their businesses. More services, more production servers, more flow, and more customer data make the challenge to reduce risk an ongoing journey rather than a single task that can be completed with some consolidated effort. As there is no silver bullet to understand enterprise risk or quantify the means to keep a business safe, there will always be a need for cybersecurity talent that can innovate, assess and close these gaps.

Attack vectors are also constantly evolving. Three years ago, organizations relied on static analysis of PEs and other executable files to detect and prevent malware. Soon after, we started seeing fileless, script-based attacks, and lateral movement attempts successfully penetrating enterprise networks. A massive storm of supply chain attacks, like SolarWinds, Kaseya, and more have added yet another dimension to risk management. Meanwhile, the ransomware economy created a massive network of affiliates that used new spam techniques to bypass traditional solutions.

Yes, humans need technology to help scale, maximize productivity, eliminate mundane tasks, and create focus on critical items needing attention, but the best case scenario is that cybersecurity automation will reduce the growing landscape and attack surface.

CISOs will still need smart people who can connect, operate and triage all that attackers (with their own automation tools to hand) will continue to throw at us.

9. MDR Is All You Need To Stay Safe

While automation will never replace the need for human analysts, there is a converse to that, too: humans will never be able to detect, respond and remediate identifiable attacks as fast as computers. We need to use our human and computer resources in ways that are appropriate to the tasks each is best suited to.

Humans will do far better at triaging the edge cases, unknowns and false positives, but on-device AI that never sleeps and works at the speed of your CPU will beat attackers much faster than a remote MDR analyst in the cloud getting a delayed and partial feed of your network telemetry.

Yes, MDR offers added-value to a good next-gen AI endpoint protection agent. No, MDR is no substitute for on-device, autonomous protection, as the 2020 MITRE results convincingly proved.

Conclusion

There’s no escaping the fact that cybersecurity is a complex business, but getting the basics right is the first step. Reduce your dependencies on OS vendors, deploy on-device endpoint protection that offers visibility across your entire estate, and retain cybersecurity talent: these are all sound starting points for every CISO.

Meanwhile, try to see through the misconceptions that are passed around on a regular basis. I’ve called out nine of the most common ones I hear in this post, but there are undoubtedly far more howling in the wind. What other well-intentioned statements that do more harm than good are out there? We’d love to hear your thoughts on LinkedIn, Twitter, and Facebook!

2021 was a year in which everything escalated. The pandemic triggered more separation, more isolation, and a general unease in our ability to discern the good from the bad. In cybersecurity, we saw a sharp increase in the number of threat actors riding the wave of the ransomware economy, more governments using cyber space to influence nation state politics, and definitely more software vulnerabilities. The combined effect of these has made breaches easier and security harder.

So where will 2022 lead us? Our predictions last year weren’t far off the mark, so as we look forward to another year in the trenches of cybersecurity, we gather some of SentinelOne’s best researchers and thought leaders once again to read the tea leaves of the central motifs they see coming to bear in 2022.

We Haven’t Reached ‘Peak Ransomware’ Yet

Ransomware operators have, throughout the last year, continued to display their absolute lack of compunction. Numerous high-profile attacks in 2021 demonstrated that these actors will seize any opportunity to profit. In 2022, expect the availability of highly-critical vulnerabilities such as log4j, which have exposed countless environments while greatly enhancing attackers’ toolsets, to be making the headlines more than once.

This past year also saw the wider and accelerated adoption of malware written in Rust and Go programming languages. One of the main benefits of this practice is, naturally, cross-platform compatibility. A few recent examples of this include BlackCat/AlphaVM ransomware, RansomEXX ransomware and ElectroRAT. We are trending towards a majority of these threats being multiplatform out of the gate. As we progress into 2022, expect to see a greater number of new, cross-platform malware families emerge.

Targeting of healthcare entities (hospitals, medical research facilities, private clinics) will continue to be a critical issue. While on the surface many threat operators claim to avoid attacking medical-centric targets, the reality is far less altruistic. We continue to see ransomware infecting these environments, at times costing lives. In 2022, expect to see no let up in aggressive, unscrupulous ransomware operations targeting organizations regardless of the impact on public safety.

We will also continue to see the identity of these operations blur, with various groups continuing to hide in the open while attempting to circumvent any new penalties or sanctions through frequent re-branding of their operations. Jim Walter, Senior Threat Researcher, SentinelLabs

You Can’t Spend Or Arrest Your Way Out Of Cybersecurity

We’ve seen the number of ransomware attacks rise steadily, despite enterprises spending millions. Although the US government assembling the ransomware task force was done out of good intention, it’s demonstrated that arresting the cybercriminals responsible, such as the alleged member of the REvil ransomware gang, is not going to be enough.

Recently, the U.S. State Department offered a reward of up to $10 million “for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.” While not officially linked to the Russian Federation, DarkSide was able to operate inside Russia with the apparent implicit approval of the government. The use of State Department funds underscores the desire to keep the military option in reserve while using diplomatic and other means to identify and bring to justice transnational organized crime actors.

Continued ransomware activity throughout 2022 will prove that we can’t spend or arrest our way out of cyberattacks. Instead, we must change our way of thinking. The problem isn’t the problem, it’s the way we think about the problem. And that’s not what matters. It’s how our adversaries think about the problem that really counts.

We need to think critically about the problems we are trying to solve to beat cybercriminals at their own game. Playing inside the lines isn’t going to cut it – it’s time to think outside of the box and fight machine with machine.  Morgan Wright, Chief Security Advisor, SentinelOne

Software Dependencies Are Your Weakest Link

From the end of last year with SolarWinds to the end of this year with Log4j2, the alarm bells have been ringing loud and clear: software dependencies are a massive blindspot and a major vector for supply chain attacks.

The likelihood of widely-used software components being secure out-of-the-box is low at best. Even with the best of intentions, the mindset of those that create and share useful modules, plug-ins, packages and other utility code is rarely security-focused. On top of that, the ability of an enterprise to be able to test and evaluate every piece of software that enters their network is limited for most, including the federal government.

2022 represents both an opportunity and a threat: we can tackle the problem with technology and visibility across our entire cyber estate, or we can continue as we’ve been going along, waiting for the next well-crafted nation-state attack like Sunburst or the next “universal vulnerability” like Log4j2. Overworked SOC teams and admins may vote with their feet. Migo Kedem, VP of Growth and Founder of SentinelLabs, SentinelOne

APTs Getting Down to Business

Working in the trenches of cybersecurity research, it’s easy to get carried away with flashy and innovative operations. It’s easy to forget that ‘APT’ is a euphemism for a strata of intelligence collection operators well entrenched in the national apparatus of the majority of countries worldwide. After all, some of the more notable APTs have been around for nearly a quarter of a century.

Instead of romanticizing them as rogue outfits of wily hackers, many of these nation-state adversaries are entrenched in bureaucracies, they have objectives to meet, and–contrary to popular researcher belief–their primary goal isn’t to impress us.

This past year, nation-state adversaries learned a tried-and-true formula that being unimpressive and downright mundane (at least in the early stages of their operations) inevitably increases their return-on-investment. In other words, if your infection vector is an email ($0) with some JavaScript loaders for Cobalt Strike or Metasploit ($0), allowing you to validate victims, lookout for security solutions, begin basic collection, and deploy second-stage tools where they won’t be burned, then whatever persistence and collection you accomplish represents a booming ROI.

Moreover, it’s easier to blend into the noise of ‘business-as-usual’ when you’re just another APT doing intellectual property theft with no zero-day exploits, custom tooling, or notable antics. How many threat hunters will get out of bed to make it their business to track those folks when there are flashy high-end actors out there to blog about?

I’m afraid that 2022 will further slide us into the more mundane aspects of cyberespionage – as a pervasive but low-grade, constant but unremarkable onslaught of collection efforts from all sides that we’ve essentially grown used to. Juan Andres Guerrero-Saade, Principal Threat Researcher, SentinelLabs

Private Espionage Businesses Will Continue To Flourish

Private espionage businesses will encounter many setbacks due to their increased attention over the last year, but that will neither deter nor prevent the growth of such a lucrative and in-demand trade. We can expect researchers to uncover new and less-reported businesses selling surveillance-for-hire technology and resources around the globe with little regard for real-world impact.

While some well-known companies such as Russia’s Positive Technologies, Singapore’s Computer Security Initiative Consultancy, Israel’s Candiru, and perhaps most famously, the NSO Group, have experienced crippling government sanctions or negative media coverage during 2021, we can expect these and others to rebrand, split, or generally evolve with the opportunity of profits in mind. This type of business will not go away in 2022. Tom Hegel, Senior Threat Researcher, SentinelLabs

Securing the Intricacies of Enterprise Cloud Dependency

Enterprises will need to adopt cloud native security faster and respond to these threats from the front lines as customer data privacy on cloud-native servers will be put to the test. The on-going cloud-credential stealing feast will continue, and we will see cloud-native ransomware implemented by abusing weak permissions and stolen Azure and AWS API credentials.

On-Premise Active Directory will continue to fade away, while Azure Active Directory is pushed towards major adoption. As companies like Okta and JumpCloud get further buy-in, they’ll start facing increased interest from every stripe of hacker looking to gain access to large swaths of victims at once.

From the defenders perspective, API Security solutions will become a necessity. XDR adoption will grow via MSSPs forcing threat hunters to adopt more automations. These will provide coverage for the new data sources and will enable defenders to face the new battle-terms. Rafel Ivgi, Principal Security Technologist, SentinelLabs

More Targeted Attacks On Enterprise Macs (and Other Apple Devices Near You)

Unsurprisingly, and as we predicted last year, there has been a glut of macOS and iOS vulnerabilities disclosed in 2021 due to the increased scrutiny of Apple’s platforms by both security researchers and threat actors. Stealing the show during 2021 was NSO’s Pegasus zero-click iMessage exploit, in which a zero-day vulnerability (CVE-2021-30860) in Apple’s Core Graphics framework was used to construct an entire emulated computer architecture.

Meanwhile, although Macs have never been at the heart of most companies’ network or server infrastructures, the Mac has become a firm-favorite among developers and C-Suite level executives – an enticing combination for threat actors interested in high-value targets.

At the same time, iOS and macOS security is woefully misunderstood by Apple users, including in the enterprise. While Mac users at least have the ability to install 3rd-party EDR products for detection and protection against malware, few choose to do so, persuaded by a strong “Macs are safe by design” marketing message from Apple. Lulled into believing that the Mac’s legacy AV scanner XProtect and the regularly-bypassed Gatekeeper and Notarization technologies are somehow enough, users leave themselves and their organizations vulnerable to attacks. The fact is, the Mac’s built-in defenses are far from adequate, as even Apple admitted earlier this year.

Recent history has shown that threat actors with the most resources – nation-states – are willing to spend those resources on targeting dissidents, journalists and political opponents. Whether it’s buying NSO spyware like Pegasus or creating Mac-specific backdoors like macOS.Macma, governments (or their proxies) have been the main driver of targeted attacks against Apple’s platforms so far. However, where nation-states go, criminals soon follow.

These three factors – increased attention on Apple device vulnerabilities, wider use of Macs in the enterprise, and the false sense of security that Macs are safe and don’t need 3rd-party protection – will lead to more high-value, targeted attacks against Apple device users in 2022.  Phil Stokes, macOS Threat Researcher, SentinelLabs

Conclusion

While this year saw the U.S. government making some valiant efforts to try and tackle the long-standing challenges of cybersecurity, it is enterprises that are the first and last line of defense, needing to stay focused on growth and commercial expansion while not risking it all by getting breached and losing trust and material funds.

Whatever challenges 2022 brings, we all need to ensure that we are taking care of the basics: strong preventative measures, clear Incident Response and Disaster Recovery planning, and let’s not forget to take care of our people on the front line! From all of us at SentinelOne, we wish you a happy and secure New Year!

If you would like to learn how SentinelOne can protect your organization, contact us or request a free demo.

It’s been a busy year for the SentinelLabs research team, with 45 posts published throughout 2021 on crimeware, APT actors, software vulnerabilities, and macOS malware, not to mention releasing a few community tools for reverse engineering and threat hunting.

Ransomware and APT actors have dominated much of our year, along with some spectacular vulnerabilities that have impacted enterprises worldwide. We’ve seen novel attacks targeting macOS and threat actors setting their sights on Docker containers and cloud workloads.

As ever, you can find all our research and threat intelligence posts over at SentinelLabs, but for a quick recap on some of the main highlights, take a scroll through our 2021 timeline below.

January

In early January, we broke news of macOS.OSAMiner, a long-running cryptominer campaign targeting macOS users. What made this particular campaign so effective at staying undetected for at least five years was its use of run-only AppleScripts. SentinelLabs’ research showed how researchers can reverse these opaque executables and revealed previously hidden IoCs.

February

Zeoticus ransomware was causing trouble prior to 2021 but had received little attention from researchers. Unusually, Zeoticus executes fully even if the device is air-gapped or fails to have internet connectivity. SentinelLabs detailed how this Windows-specific malware had evolved, and described its execution and persistence methods.

In February, SentinelLabs also revealed a privilege escalation vulnerability in Microsoft’s flagship security product, Windows Defender. The bug, CVE-2021-24092, had remained unreported for 12 years and likely affected around a billion devices.

March

More macOS malware came to light in March in the form of SentinelLabs’ discovery of XcodeSpy, a targeted attack on iOS software developers using Apple’s Xcode IDE. A malicious Xcode project was found to be installing a customized backdoor with the ability to record the victim’s microphone, camera and keyboard.

April

While Windows vulnerabilities are a fairly common occurrence, SentinelLabs’ report of a new NTLM relay attack was, surprisingly, classed as a “Won’t Fix” by Microsoft in April. The vulnerability affects every Windows system and could allow attackers to escalate privileges from user to domain admin.

On the crimeware front, this month SentinelLabs also published an update on Avaddon RaaS and detailed APT activity relating to Zebrocy.

May

As we kicked into the summer months, adversary activity also started to ramp up beginning with Agrius, a new threat actor SentinelLabs observed operating against targets in Israel. Agrius actors dropped a novel wiper named ‘Apostle’, which later evolved into a fully functional ransomware.

Also in May, SentinelLabs researchers disclosed CVE-2021-21551, a single CVE to track multiple BIOS driver privilege escalation flaws impacting hundreds of millions of Dell computers.

June

Building off earlier research around APT actor Nobelium (aka APT29, The Dukes), SentinelLabs discovered that the same threat actor (tracked by SentinelLabs as ‘NobleBaron’) was engaged in supply-chain attack activity via a poisoned update installer for electronic keys used by the Ukrainian government.

Also this month, SentinelLabs presented evidence that an attack on Russia’s FSB that had been widely-attributed to Western “Five Eyes” agencies was far more likely to have been of Chinese origin, probably from threat actor TA428.

July

Cyberwar took an unusual turn in July when Iran’s train system was paralyzed by an attack from a mysterious wiper. The attackers taunted the Iranian government as hacked displays instructed passengers to direct their complaints to the phone number of the Iranian Supreme Leader Khamenei’s office. SentinelLabs researchers were able to reconstruct the majority of the attack chain and sketch the outline of a new adversary.

This month also saw the Labs team disclose CVE-2021-3438 – a high severity flaw in HP, Samsung, and Xerox printer drivers – and offer an in-depth analysis of Conti ransomware.

August

ShadowPad is a privately sold modular malware platform and used in infamous campaigns such as CCleaner, NetSaran and the ASUS supply-chain attacks. SentinelLabs researchers produced a ground-breaking report on the origin, use and ecosystem of ShadowPad.

One of the busiest months of the year for our researchers, August also saw us dislose a massive macOS adware campaign undetected by Apple, a ransomware campaign targeting healthcare providers, and HotCobalt – a denial-of-service vulnerability affecting Cobalt Strike.

September

In another in-depth investigation into cyberespionage and APT activity, SentinelLabs broke the story of a Turkish-nexus threat actor that targeted journalists to place malware and incriminating documents on their devices immediately prior to their arrest.

We also reported on new variants of both Apostle ransomware and the Zloader banking trojan, as well as disclosing CVE-2021-3437.

October

Both Karma ransomware and Spook ransomware were new players in 2021’s ransomware ecosystem. Karma has targeted numerous enterprises across different industries this year. SentinelLabs explored the links between Karma and other well known malware families such as NEMTY and JSWorm.

Meanwhile, SentinelLab’s investigation into Spook ransomware found that the operator published details of all victims regardless of whether they paid or not.

November

APTs targeting macOS are a far rarer sight than on Windows, but this November saw news break of a targeted attack against pro-democracy activists in Hong Kong with a novel macOS malware dubbed “Macma”. SentinelLabs dove in and revealed further IoCs not previously reported to aid defenders and threat hunters.

SentinelLabs also disclosed multiple separate vulnerabilities this month: CVE-2021-43267 – a remote Linux kernel heap overflow – and the related VirtualBox vulnerabilities CVE-2021-2145, CVE-2021-2310, and CVE-2021-2442.

December

Unsurprisingly, we rounded out the year with yet another novel ransomware threat. While most actors in this space have adopted the double-extortion method – demand a ransom for encrypted files, then threaten to leak the data if the victim doesn’t pay up – the operators behind Rook were particularly candid about their motivations, stating “We desperately need a lot of money”. SentinelLabs researchers offered the first technical write up of Rook, covering both high-level features and its ties to Babuk ransomware.

We also discovered and disclosed multiple vulnerabilities in AWS and other major cloud services that implement USB over Ethernet.

Conclusion

2021 was some year for everyone involved in fighting cybercrime and defending enterprises. From APTs and bugs to malware and ransomware, we’ve all had plenty to do to keep up with the unfolding cybersecurity threats this year. SentinelLabs continues in its commitment to keep you up to date with the latest research and threat intelligence.

We’ll be back shortly after the New Year. In the meantime, we wish everyone a happy and secure New Year and 2022. Be sure to keep your organization, endpoints, network and cloud infrastructure safe with SentinelOne’s award-winning Singularity platform, and keep your security team up-to-date with SentinelLabs’ original and timely research.

The Good

We have a few nifty victories for law enforcement this week. First off, an individual that heralds from Massachusetts, Flavio Candido da Silva, recently pled guilty to aggravated identity theft and conspiracy to commit wire fraud in a Boston federal court. Da Silva is alleged to be part of a larger team responsible for the theft of identities and the manufacture and distribution of falsified documents. The case relates to charges laid back in May when nineteen individuals were charged with conspiracy to open fraudulent driver accounts at multiple rideshare and delivery companies.

In some cases, identifying information used to feed fake accounts was obtained directly from victims through social engineering. The actors would gain access to victims’ identification documents by posting as an alcohol delivery service or deliberately causing minor vehicle accidents. The fraudulent accounts were used to further spoof income documents for these newly-created fake workers. There is potentially a lengthy jail term tied to this one, which hopefully will serve as a deterrent to those thinking of engaging in cybercrime.

The week would not be complete without mention of Log4j. There have been some important updates around this threat from the wider community, including CISA’s Mitigating Log4Shell and Other Log4j-Related Vulnerabilities, which was updated on December 22nd. Their advisory serves as a launching point for various other Joint Cybersecurity and JCDC advisories. As always, the latest bleeding edge updates will be posted on the SentinelOne blog.

The Bad

On top of the extra workload IT admins have been dealing with thanks to the ongoing log4j2 vulnerability, this week’s bad news is particularly unwelcome as it involves another “patch the thing we already patched” scenario from Microsoft. This week’s new fire hazard comes courtesy of two Active Directory domain controller bugs. The bugs were addressed last month, but it turns out they can still be exploited by attackers and allow the take over of Windows Domain Controllers.

The two flaws, which have a severity rating of 7.5, are tracked as CVE-2021-42278 and CVE-20210-42287. The new advisory comes in the wake of a publicly available exploit being published back on December 12th.

SAM Name impersonation (CVE-2021-42278) allows attackers to tamper with the SAM-Account-Name attribute used to log users into a system in the AD domain. Meanwhile, KDC Bamboozling (CVE-20210-42287) allows a potential attacker to impersonate a domain controller directly. According to Microsoft:

OK folks, you know the drill. Patch the patch, and ensure you have reliable endpoint protection in place.

The Ugly

As if things aren’t bad enough on the ransomware scene, it gets even uglier when actors find new ways to bypass or disable certain security tools. In that context, we shine a light on AvosLocker, which emerged in June 2021 as a new RaaS (Ransomware as a Service) operator.

In an effort to improve the success rate of encryption, AvosLocker decided to do what any good IT admin would do when encountering a problem on a device: boot it in Safe Mode!

According to researchers, in some cases AvosLocker was forcing victim machines to reboot in Safe Mode with networking, and installing the remote management tool AnyDesk. This allows the attackers to control the target machines remotely while security tools that don’t run in Safe Mode are inactive.

The attackers were also seen running a tool called PDQ Deploy to push customized batch scripts out to target devices to assist in disabling a number of endpoint security solutions before rebooting into Safe Mode. Once booted, the victim machines run the ransomware payload and files are encrypted.

Endpoint security tools affected by the technique, the researchers say, include:

• Windows Defender
• Carbon Black
• Bitdefender
• Trend Micro
• Kaspersky
• Symantec
• Cylance

AvosLocker does not succeed on devices protected by SentinelOne.

This serves as a good reminder that all these ransomware actors are constantly at work, even when not being highlighted in the news. For additional information on ransomware and potential solutions, start here.