PinnacleOne ExecBrief | Enterprise Risk Management in China

Last week, PinnacleOne flagged the ongoing SVR exploitation of their breach of Microsoft.

This week, we examine the geopolitical dynamics and risks facing firms that do business or have key dependencies in China and highlight principles to frame a China-for-China strategy given firm-specific threat models.

Please subscribe to read future issues — and forward this newsletter to your colleagues to get them to sign up as well.

Feel free to contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Enterprise Risk Management in China

China’s civilian intelligence service, the Ministry of State Security (MSS), ventured into public policy analysis when it posted on WeChat this Monday. In its post, the MSS underlined how important private sector cooperation with the security services is to safeguarding national security under the country’s Cybersecurity Law. Some sections even highlighted the need for security assessments for businesses transferring data overseas. An English-language state media outlet went so far as to put out an accompanying piece.

We don’t know what motivated the MSS and state media to highlight the PRC’s Cybersecurity Law – but we do know what they said and its implications.

Despite other parts of state media posting videos of Apple’s CEO Tim Cook walking around Shanghai and saying that China is open for business, the experience of executives trying to navigate the expanding labyrinth of PRC regulations is not so sanguine.

In the course of our advisory work, we have walked alongside a number of key leaders making decisions about how to approach their operations in the PRC. We find that, as China convinces other countries to join its “Community with Shared Future in Cyberspace” initiative, the risks below, the questions they raise, and resulting business decisions will become more pressing and may soon extend to other countries as well.

Business Risks Facing MNC Operations in China

  • Technical Risks: Chinese tech increasingly found throughout the global value chain will create “Bug Doors.” Moves to bifurcate tech stacks will result in more offensive hacking between the PRC and the rest of the world, and onshore operations are closely scrutinized.
  • Insider Trust: Arbitrary enforcement of local laws risks the security of IP and the safety of employees and executives — the PRC is sliding back to join other autocracies.
    • Insiders are likely victims of state-backed coercion and manipulation, rather than ill-willed employees.
    • The MSS offers cash payouts to anyone who reports unpatriotic behavior or actions that “endanger national security.” It’s unclear if disgruntled employees reporting employers for perceived actions against China’s interest will be accepted.
    • Know-how and how-to are increasingly prized over raw exfiltrated data, aligned to key strategic industries and political requirements, and in support of China’s geopolitical objectives.
  • Political & Operational Risks: China’s crackdown on capital and increasingly concentrated political power risks stable corporate operations.

Key Principles That Should Frame Any China-for-China Strategy

  • Navigate the Political Landscape: Each industry’s threat profile is different, and each requires its own course towards safety and resilience.
  • Target Resilience: Ensure you have the flexibility to manage future uncertainties by preserving optionality and limiting irreversible decisions, when possible.
  • Evaluate Enterprise Architecture: Determine how to shape the relationship between critical data storage, admin access, business impacts, and network dependencies.
  • Prioritize Strictly: Identifying what capabilities to move and duplicate now will reduce implementation risk.

Strategic Threat Modeling Should Drive De-Risking Decisions

Understand what threats are most likely to present a significant impact on your value chain and prioritize enterprise operations accordingly. This assessment should answer three key questions:

  1. Risks Mitigated: To what extent would localizing a given application, service, or infrastructure element mitigate plausible PRC risks?
  2. Risks Introduced: To what extent would localizing introduce new risks, and how are those evaluated and controlled?
  3. Operating Model Impact: What impact would localizing have on your firm’s operating model, customer delivery, and competitive position?

Firms should apply the following decision rule: Prioritize for PRC localization those applications that maximize mitigation of known risks, minimize new risks, and limit operating model impact given inherent political and geopolitical uncertainty.

Across all related enterprise architecture de-risking decisions, firms should consider the following options:

  1. Adjusting logical controls to databases, applications, and systems;
  2. Creating hybrid structures for specific databases or apps with instances inside and outside China; or
  3. Conducting a full separation of enterprise networks and connectivity.

These decisions are complex, hard to tangibly justify, and costly. They require the input and buy-in across the executive team with a clear, actionable roadmap that reflects priority mitigations. All activities should be tightly managed internally with senior leadership guidance and sound operational security measures. Lastly, since these are multi-month/year initiatives, firms should regularly adjust their strategies given changes in the threat model and security environment.

The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good | Russian Nationals Sanctioned for Roles in GRU-Linked Influence Campaigns

Two Russian nationals are the latest to be sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) this week for their roles in various malign influence campaigns. Ilya Andreevich Gambashidze, the founder of Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin, CEO and owner of Company Group Structura LLC, stand accused of working with the GRU to target audiences across the U.S. and in Europe.

This disinformation operation, known as Doppelgänger, targets audiences in Europe and the U.S. through fake news sites and social media accounts. Doppelgänger is known for persistent and aggressive attacks, closely exploiting current geopolitical and socio-economic events and movements as they receive media attention.

Source: EU DisInfo Lab

The Treasury alleges that Gambashidze and Tupikin played major roles in impersonating government entities and media outlets through a network of at least 60 spoofed sites. Designed to be a close imitation of their legitimate counterparts, the websites even featured working links and cookie consent pages to lull site visitors into a sense of legitimacy.

This is not the first sanction for Gambashidze. He, along with SDA and Structura LLC, were first sanctioned by the EU in 2023 for amplifying propaganda in support of Russia’s war against Ukraine.

With major elections fast approaching for the United States and across EU entities, activity from nation-backed threat actors is predicted to spike, making information warfare an even harder terrain to navigate. Initiatives like public awareness campaigns, social media literacy programs, and strict social media protocols will continue to be significant methods of pushing back against the risks of online propaganda and widespread disinformation campaigns.

The Bad | Evasive HTML Smuggling Via Google Sites Seen in Infostealing Campaigns

Threat actors are capitalizing on bogus Google Sites pages and HTML smuggling techniques to distribute AZORult malware, aimed at pilfering sensitive information. Security researchers describe this as an unconventional method, one where the actors embed malicious payloads within separate JSON files hosted on external websites.

AZORult was first spotted in 2016 and often spread through phishing emails, trojanized software installers, and malvertising. It is notably discreet, able to extract credentials, browser history, cookies, and other personal data from cryptocurrency wallets and several specific extensions.

The latest iteration of AZORult involves fake Google Docs that use HTML smuggling to deliver the payload. This method works by manipulating legitimate HTML5 and JavaScript features to launch the malware via a “smuggled” encoded script. Once visitors to the Docs are tricked into opening the pages via phishing emails, the payloads are activated, kickstarting a chain of actions which ultimately execute the scripts that contain the stealer malware.

Detection evasion techniques like this one are gaining popularity within the threat landscape. Last summer, a PRC-linked nation-state actor was seen using HTML smuggling to deliver the PlugX RAT to foreign affairs ministries and embassies. Nokoyawa operators also favor this method and are known to use it to deliver a password-protected ZIP and deploy their ransomware. SentinelOne customers are protected from Nokoyawa.

SentinelOne agent detects Nokoyawa

Infostealers like AZORult are another example of how much campaign operators are evolving, experimenting with unorthodox methods to stay evasive. Organizations that have a layered approach to security are positioned best in defense of these novel techniques, heavily reducing where threat actors can go within a system and minimizing their access paths to critical data.

The Ugly | New “AcidPour” Data Wiper Found Targeting Linux Networking Devices

SentinelLabs first discovered AcidRain, a data wiper responsible for taking Eutelsat KA-SAT modems offline in Ukraine during the onset of the 2022 Russian invasion. AcidRain was officially attributed soon after to the Russian government by the EU and its member states.

Now, the researchers are reporting the discovery of the wiper’s latest variant, AcidPour, as it targets Linux x86 IoT and networking devices. Attribution has not yet been confirmed, though the timing of the discovery lines up closely with multiple Ukrainian telecom networks being offline, reportedly since March 13, 2024.

While sharing similarities with its predecessor, AcidPour expands the original set of capabilities to include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic to erase content from RAID arrays and large storage devices.

Data wipers are designed to delete or corrupt data on a targeted system or network, making critical information inaccessible or unusable. Since this is an irreversible process, data wipers are a highly destructive tool capable of disrupting major operations and inflicting financial and reputational damage on the victims. Data wipers are often used for sabotage, espionage, or as a diversionary tactic to cover up other malicious activities.

Two years after the discovery of AcidRain, AcidPour once again highlights the potential for destruction that wipers can cause both within and beyond the combat theater of the Russo-Ukrainian war. AcidPour clearly expands the destructiveness of the malware and shows a refinement in how threat actors are approaching their selected targets – critical infrastructure and communications.

Mozilla Drops Onerep After CEO Admits to Running People-Search Networks

The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.

Mozilla Monitor. Image Mozilla Monitor Plus video on Youtube.

Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or password are leaked in data breaches.

On March 14, KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder Dimitri Shelest launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.

But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 — around the same time he launched Onerep.

Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).

Onerep CEO and founder Dimitri Shelest.

In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.

“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla wrote. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.”

KrebsOnSecurity also reported that Shelest’s email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.

Shelest denied ever being associated with Spamit. “Between 2010 and 2014, we put up some web pages and optimize them — a widely used SEO practice — and then ran AdSense banners on them,” Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). “As we progressed and learned more, we saw that a lot of the inquiries coming in were for people.”

Shelest also acknowledged that Onerep pays to run ads “on a handful of data broker sites in very specific circumstances.”

“Our ad is served once someone has manually completed an opt-out form on their own,” Shelest wrote. “The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep.”

Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO’s many conflicts of interest.

“I knew Mozilla had this in the works and we’d casually discussed it when talking about Firefox monitor,” Hunt told KrebsOnSecurity. “The point I made to them was the same as I’ve made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can’t remove it from the outright illegal ones who are doing the genuine damage.”

Playing both sides — creating and spreading the same digital disease that your medicine is designed to treat — may be highly unethical and wrong. But in the United States it’s not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called “public” or “government” records from consumer privacy laws.

Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.

The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight — if not regulation — on consumer data protection and privacy.

On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S. based data brokers that sell personal information on Americans.

Experiencing a Data Breach? 8 Steps for Effective Incident Response

Experiencing a breach? Call us immediately at 1-855-868-3733.

If you would like to discuss your organization’s security posture, contact us here and our team will be in touch shortly.

Data breaches have been all over the news lately. Understanding how to prevent them—and what to do when they happen—is essential to every organization’s operational success.

A well-prepared enterprise has an incident response plan (IRP) ready to deploy in the event of a breach. These plans involve immediate communication with legal counsel, followed by engagement with an incident response team. SentinelOne advocates for a proactive approach, emphasizing the importance of evidence identification and data preservation to manage the situation effectively.

In this blog post, the SentinelOne Vigilance Respond Team provides key recommendations and best practices for strong breach management, including the eight key steps for responding to breaches. Making the right series of decisions directly after discovery of a breach can help organizational leaders secure their operations and get the support they need.

A Brief Refresher | What Is a Data Breach?

It’s important to start with the basics: What exactly is a data breach? A data breach is an unauthorized access or exposure of sensitive or confidential information. Breaches can be caused by a wide variety of factors, including hacking, malware attacks, malicious insiders, or even innocent human error. Regardless of their origin, the repercussions of successful data breaches are often dangerous and far-reaching, potentially leading to the loss of personal, financial, or proprietary information in the short term, and loss of revenue, brand trust, and reputation in the long run.

Have You Been Breached? | Eight Next Steps to Take During a Security Event

Incident response revolves around structured processes designed to identify and manage cybersecurity incidents. Before such incidents occur, well-prepared organizations will have collaborated with stakeholders, security leads, and department heads to map out business and industry-specific risks and create a response plan tailored to the needs of their business. Incident response plans formally document roles and responsibilities, determine threshold criteria for defining an incident, and plan for containment, business continuity, and ongoing recovery.

When breaches happen, organizational leaders are expected to act fast to preserve evidence and support an efficient investigation. These eight steps are the foundation for a robust and effective response.

1. Engage Legal Counsel & Incident Response

Organizations are required to navigate a complex landscape of legal obligations and both internal and external communication plans. While often varying by region or industry, these obligations usually involve notifying those affected, informing relevant authorities, and taking steps to minimize the spread and mitigate future risks.

Additionally, companies may need to disclose details of the breach to regulatory bodies depending on what compliance frameworks are applicable to them. Always inform your internal or external counsel of a potential cybersecurity event. Once counsel is engaged, contact your incident response retainer provider.

2. Keep Affected Endpoints Online

While reactive legal and compliance considerations are critical immediately after a breach, security leaders can also take on a proactive approach based on preserving data and evidence.

To do so, do not shut down any suspected compromised endpoints. Random Access Memory (RAM) contains valuable evidence, but when a system is shut down, the contents of its RAM are permanently lost.

3. Disconnect from the Network

Disconnect suspected compromised systems from the network. There are a few ways you can do this:

  • For endpoints deployed by SentinelOne – Quarantine the suspected systems so they can only connect to the SentinelOne platform.
  • For endpoints deployed by other providers – Disconnect wired networks and turn off all wireless connectivity.
  • For all endpoints – Consider segmenting the compromised network from the clean network (e.g., with virtual local area networks (VLANs) and network access control lists (ACLs)). This can assist with continuing business operations for non-impacted networks.

4. Identify & Preserve Evidence

Identify potential sources of evidence across all firewalls, intrusion detection systems (IDS), virtual private networks (VPN), antivirus (AV) solutions, and event logs. Ensure that they are configured to preserve evidence and will not automatically roll over older logs.

5. Collect IOCs & Samples

Collect all known indicators of compromise (IOCs) and malicious code samples. This may include suspect IP addresses or domains, hashes, PowerShell scripts, malicious executables, ransom notes, and any other known or suspected items that may contribute to an investigation.

6. Prepare for Restoration

Review and prepare to restore network functionality via any backup solutions, if applicable. What is important here is to make an effort to preserve forensic images of compromised systems prior to restoring clean images. Failure to preserve such evidence may hinder a successful investigation. Ensure backups are viable and clean before proceeding with any restoration efforts.

7. Develop a Timeline

Prepare a timeline of known suspect events that shows when the attack is believed to have started and the most recently identified malicious activity.

8. Identify Endpoints

Attempt to identify endpoints that have exhibited suspicious activity, specifically with an effort to identify the first impacted system (patient zero), and potential sources of exfiltration.
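Steps 5, 7 and 8 lend themselves to a little automation. The script below is an added illustration, not SentinelOne's tooling: every event line in it is constructed, and the "timestamp|host|description" record format and the 100 MiB exfiltration threshold are assumptions. It extracts IOCs from the suspect events, sorts them into a timeline, names the earliest-seen host as the patient-zero candidate, and flags hosts with unusually large outbound transfers to a single address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry), formatted "timestamp|host|description".
# They are deliberately out of order so that the timeline step has to sort them.
HASH_A = "11" * 32  # placeholder SHA-256 values, obviously not real samples
HASH_B = "22" * 32
SAMPLE_EVENTS = "\n".join([
    f"2024-03-12T09:14:05Z|ws-042|winword.exe spawned powershell.exe sha256={HASH_A}",
    "2024-03-12T09:14:09Z|ws-042|dns query updates-cdn.example.net",
    "2024-03-12T09:14:10Z|ws-042|outbound tcp 203.0.113.45:443 bytes_out=8192",
    "2024-03-12T11:02:40Z|fs-01|smb logon from ws-042 with domain admin credentials",
    "2024-03-12T11:05:12Z|fs-01|outbound tcp 203.0.113.45:443 bytes_out=734003200",
    "2024-03-13T02:30:00Z|fs-01|ransom note README_RESTORE.txt written to 412 directories",
    f"2024-03-11T17:48:33Z|ws-017|outlook.exe opened attachment invoice.docm sha256={HASH_B}",
    "2024-03-11T17:49:01Z|ws-017|outbound tcp 198.51.100.7:8080 bytes_out=2048",
])

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# A short TLD allow-list keeps file names such as powershell.exe from being read as
# domains; a production tool would consult the public suffix list instead.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|biz|ru|cn)\b")
BYTES_OUT_RE = re.compile(r"bytes_out=(\d+)")


def parse_events(text):
    """Split 'ts|host|msg' lines into dicts with a parsed datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, msg = line.split("|", 2)
            events.append({"ts": datetime.strptime(ts, TS_FMT), "host": host, "msg": msg})
    return events


def extract_iocs(events):
    """Step 5: collect the IPs, domains and hashes seen across the suspect events."""
    iocs = {"ipv4": set(), "domain": set(), "sha256": set()}
    for ev in events:
        iocs["ipv4"].update(IPV4_RE.findall(ev["msg"]))
        iocs["domain"].update(DOMAIN_RE.findall(ev["msg"]))
        iocs["sha256"].update(SHA256_RE.findall(ev["msg"]))
    return iocs


def build_timeline(events):
    """Step 7: order events from the earliest suspected activity to the latest."""
    ordered = sorted(events, key=lambda ev: ev["ts"])
    return [(ev["ts"].strftime(TS_FMT), ev["host"], ev["msg"]) for ev in ordered]


def first_impacted(events):
    """Step 8: the host with the earliest suspect event is the patient-zero candidate."""
    earliest = min(events, key=lambda ev: ev["ts"])
    return earliest["host"], earliest["ts"].strftime(TS_FMT)


def exfil_candidates(events, threshold_bytes=100 * 1024 * 1024):
    """Step 8: hosts that pushed more than threshold_bytes to a single outside address."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        ip = IPV4_RE.search(ev["msg"])
        size = BYTES_OUT_RE.search(ev["msg"])
        if "outbound" in ev["msg"] and ip and size:
            totals[ev["host"]][ip.group(0)] += int(size.group(1))
    return {
        host: {ip: n for ip, n in per_ip.items() if n >= threshold_bytes}
        for host, per_ip in totals.items()
        if any(n >= threshold_bytes for n in per_ip.values())
    }


def summarize(text=SAMPLE_EVENTS):
    """Run steps 5, 7 and 8 over one batch of events and return the findings."""
    events = parse_events(text)
    host, first_seen = first_impacted(events)
    return {
        "iocs": extract_iocs(events),
        "timeline": build_timeline(events),
        "patient_zero": host,
        "first_seen": first_seen,
        "exfil": exfil_candidates(events),
    }


if __name__ == "__main__":
    report = summarize()
    print("Patient zero:", report["patient_zero"], "first seen", report["first_seen"])
    print("Possible exfiltration:", report["exfil"])
    for kind, values in report["iocs"].items():
        print(f"{kind}: {sorted(values)}")
    for ts, host, msg in report["timeline"]:
        print(ts, host, msg)
```

On the constructed data the earliest event points at ws-017 rather than the noisier ws-042, which is the point of building the timeline before naming patient zero.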

Understanding Additional Steps After Breach

The aftermath of a data breach can be complex and difficult to manage, and it can take a significant amount of time and resources to recover from the damage. Be aware that the most difficult part of a data breach isn’t necessarily the evidence preservation, system restoration, or even the legal and financial implications.

When sensitive data is compromised, it can cause serious damage to the business’s reputation and erode customer trust. Following these eight steps is a great way to begin restoring that trust and brand reputation, but keep in mind that this is just the beginning.

Mitigating Future Breaches

To avoid future data breaches, organizations can ensure that strong security measures are put in place across their systems. Recommended best practices include:

  • Investing in robust cybersecurity solutions such as extended detection and response (XDR) and managed detection and response (MDR) ensures a holistic approach to defense.
  • Implementing strong authentication and authorization methods such as multi-factor authentication (MFA) and role-based access control (RBAC) to prevent unauthorized access to systems and data.
  • Conducting regular security assessments and audits to identify and address vulnerabilities.
  • Regularly monitoring and analyzing network traffic to identify and respond to potential threats.
  • Implementing data encryption and other security controls to protect sensitive data from unauthorized access.
  • Creating and communicating a well-defined incident response plan to key leaders across the organization to guarantee quick and effective response in the face of a potential data breach.
  • Developing partnerships with cybersecurity experts and organizations to gain access to the latest threat intelligence and security solutions.
  • Providing training and education to employees on data security and best practices.

Conclusion

Security breaches can come from a number of different sources and the implications are complex and far-reaching. For organizations that have been affected by a data breach, there are immediate steps that ensure evidence is preserved and an effective investigation can take place. Once systems are restored, organizations may need to work with their stakeholders, security providers, and regulatory bodies to deal with legal, financial, and any potential long-term challenges.

As threat actors constantly refine their methods, organizations need to stay responsive. XDR empowers organizations to refine their security approaches and stop attacks before they can become all-out breaches. SentinelOne offers Singularity XDR, a leading solution in the security space powered by autonomous response. Learn how Singularity leverages artificial intelligence (AI) and machine learning (ML) to respond across entire security ecosystems and protect each attack surface.

If you’re currently experiencing a breach, please call us immediately at 1-855-868-3733.


The Not-so-True People-Search Network from China

It’s not unusual for the data brokers behind people-search websites to use pseudonyms in their day-to-day lives (you would, too). Some of these personal data purveyors even try to reinvent their online identities in a bid to hide their conflicts of interest. But it’s not every day you run across a US-focused people-search network based in China whose principal owners all appear to be completely fabricated identities.

Responding to a reader inquiry concerning the trustworthiness of a site called TruePeopleSearch[.]net, KrebsOnSecurity began poking around. The site offers to sell a report containing photos, police records, background checks, civil judgments, contact information “and much more!” According to LinkedIn and numerous profiles on websites that accept paid article submissions, the founder of TruePeopleSearch is Marilyn Gaskell from Phoenix, Ariz.

The saucy yet studious LinkedIn profile for Marilyn Gaskell.

Ms. Gaskell has been quoted in multiple “articles” about random subjects, such as this article at HRDailyAdvisor about the pros and cons of joining a company-led fantasy football team.

“Marilyn Gaskell, founder of TruePeopleSearch, agrees that not everyone in the office is likely to be a football fan and might feel intimidated by joining a company league or left out if they don’t join; however, her company looked for ways to make the activity more inclusive,” this paid story notes.

Also quoted in this article is Sally Stevens, who is cited as HR Manager at FastPeopleSearch[.]io.

Sally Stevens, the phantom HR Manager for FastPeopleSearch.

“Fantasy football provides one way for employees to set aside work matters for some time and have fun,” Stevens contributed. “Employees can set a special league for themselves and regularly check and compare their scores against one another.”

Imagine that: Two different people-search companies mentioned in the same story about fantasy football. What are the odds?

Both TruePeopleSearch and FastPeopleSearch allow users to search for reports by first and last name, but proceeding to order a report prompts the visitor to purchase the file from one of several established people-finder services, including BeenVerified, Intelius, and Spokeo.

DomainTools.com shows that both TruePeopleSearch and FastPeopleSearch appeared around 2020 and were registered through Alibaba Cloud, in Beijing, China. No other information is available about these domains in their registration records, although both domains appear to use email servers based in China.

Sally Stevens’ LinkedIn profile photo is identical to a stock image titled “beautiful girl” from Adobe.com. Ms. Stevens is also quoted in a paid blog post at ecogreenequipment.com, as is Alina Clark, co-founder and marketing director of CocoDoc, an online service for editing and managing PDF documents.

The profile photo for Alina Clark is a stock photo appearing on more than 100 websites.

Scouring multiple image search sites reveals Ms. Clark’s profile photo on LinkedIn is another stock image that is currently on more than 100 different websites, including Adobe.com. Cocodoc[.]com was registered in June 2020 via Alibaba Cloud Beijing in China.

The same Alina Clark and photo materialized in a paid article at the website Ceoblognation, which in 2021 included her at #11 in a piece called “30 Entrepreneurs Describe The Big Hairy Audacious Goals (BHAGs) for Their Business.” It’s also worth noting that Ms. Clark is currently listed as a “former Forbes Council member” at the media outlet Forbes.com.

Entrepreneur #6 is Stephen Curry, who is quoted as CEO of CocoSign[.]com, a website that claims to offer an “easier, quicker, safer eSignature solution for small and medium-sized businesses.” Incidentally, the same photo for Stephen Curry #6 is also used in this “article” for #22 Jake Smith, who is named as the owner of a different company.

Stephen Curry, aka Jake Smith, aka no such person.

Mr. Curry’s LinkedIn profile shows a young man seated at a table in front of a laptop, but an online image search shows this is another stock photo. Cocosign[.]com was registered in June 2020 via Alibaba Cloud Beijing. No ownership details are available in the domain registration records.

Listed at #13 in that 30 Entrepreneurs article is Eden Cheng, who is cited as co-founder of PeopleFinderFree[.]com. KrebsOnSecurity could not find a LinkedIn profile for Ms. Cheng, but a search on her profile image from that Entrepreneurs article shows the same photo for sale at Shutterstock and other stock photo sites.

DomainTools says PeopleFinderFree was registered through Alibaba Cloud, Beijing. Attempts to purchase reports through PeopleFinderFree produce a notice saying the full report is only available via Spokeo.com.

Lynda Fairly is Entrepreneur #24, and she is quoted as co-founder of Numlooker[.]com, a domain registered in April 2021 through Alibaba in China. Searches for people on Numlooker forward visitors to Spokeo.

The photo next to Ms. Fairly’s quote in Entrepreneurs matches that of a LinkedIn profile for Lynda Fairly. But a search on that photo shows this same portrait has been used by many other identities and names, including a woman from the United Kingdom who’s a cancer survivor and mother of five; a licensed marriage and family therapist in Canada; a software security engineer at Quora; a journalist on Twitter/X; and a marketing expert in Canada.

Cocofinder[.]com is a people-search service that launched in Sept. 2019, through Alibaba in China. Cocofinder lists its market officer as Harriet Chan, but Ms. Chan’s LinkedIn profile is just as sparse on work history as the other people-search owners mentioned already. An image search online shows that outside of LinkedIn, the profile photo for Ms. Chan has only ever appeared in articles at pay-to-play media sites, like this one from outbackteambuilding.com.

Perhaps because Cocodoc and Cocosign both sell software services, they are actually tied to a physical presence in the real world — in Singapore (15 Scotts Rd. #03-12 15, Singapore). But it’s difficult to discern much from this address alone.

Who’s behind all this people-search chicanery? A January 2024 review of various people-search services at the website techjury.com states that Cocofinder is a wholly-owned subsidiary of a Chinese company called Shenzhen Duiyun Technology Co.

“Though it only finds results from the United States, users can choose between four main search methods,” Techjury explains. Those include people search, phone, address and email lookup. This claim is supported by a Reddit post from three years ago, wherein the Reddit user “ProtectionAdvanced” named the same Chinese company.

Is Shenzhen Duiyun Technology Co. responsible for all these phony profiles? How many more fake companies and profiles are connected to this scheme? KrebsOnSecurity found other examples that didn’t appear directly tied to other fake executives listed here, but which nevertheless are registered through Alibaba and seek to drive traffic to Spokeo and other data brokers. For example, there’s the winsome Daniela Sawyer, founder of FindPeopleFast[.]net, whose profile is flogged in paid stories at entrepreneur.org.

Google currently turns up nothing else in a search for Shenzhen Duiyun Technology Co. Please feel free to sound off in the comments if you have any more information about this entity, such as how to contact it. Or reach out directly at krebsonsecurity @ gmail.com.

A mind map highlighting the key points of research in this story. Image: KrebsOnSecurity.com

ANALYSIS

It appears the purpose of this network is to conceal the location of people in China who are seeking to generate affiliate commissions when someone visits one of their sites and purchases a people-search report at Spokeo, for example. And it is clear that Spokeo and others have created incentives wherein anyone can effectively white-label their reports, and thereby make money brokering access to peoples’ personal information.

Spokeo’s Wikipedia page says the company was founded in 2006 by four graduates from Stanford University. Spokeo co-founder and current CEO Harrison Tang has not yet responded to requests for comment.

Intelius is owned by San Diego based PeopleConnect Inc., which also owns Classmates.com, USSearch, TruthFinder and Instant Checkmate. PeopleConnect Inc. in turn is owned by H.I.G. Capital, a $60 billion private equity firm. Requests for comment were sent to H.I.G. Capital. This story will be updated if they respond.

BeenVerified is owned by a New York City based holding company called The Lifetime Value Co., a marketing and advertising firm whose brands include PeopleLooker, NeighborWho, Ownerly, PeopleSmart, NumberGuru, and Bumper, a car history site.

Ross Cohen, chief operating officer at The Lifetime Value Co., said it’s likely the network of suspicious people-finder sites was set up by an affiliate. Cohen said Lifetime Value would investigate to determine if this particular affiliate was driving them any sign-ups.

All of the above people-search services operate similarly. When you find the person you’re looking for, you are put through a lengthy (often 10-20 minute) series of splash screens that require you to agree that these reports won’t be used for employment screening or in evaluating new tenant applications. Still more prompts ask if you are okay with seeing “potentially shocking” details about the subject of the report, including arrest histories and photos.

Only at the end of this process does the site disclose that viewing the report in question requires signing up for a monthly subscription, which is typically priced around $35. Exactly how and from where these major people-search websites are getting their consumer data — and customers — will be the subject of further reporting here.

The main reason these various people-search sites require you to affirm that you won’t use their reports for hiring or vetting potential tenants is that selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).

These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically don’t include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).

But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.

The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.

The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.

The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.

There are a growing number of online reputation management companies that offer to help customers remove their personal information from people-search sites and data broker databases. There are, no doubt, plenty of honest and well-meaning companies operating in this space, but it has been my experience that a great many people involved in that industry have a background in marketing or advertising — not privacy.

Also, some so-called data privacy companies may be wolves in sheep’s clothing. On March 14, KrebsOnSecurity published an abundance of evidence indicating that the CEO and founder of the data privacy company OneRep.com was responsible for launching dozens of people-search services over the years. OneRep still has not responded to that reporting.

Finally, some of the more popular people-search websites are notorious for ignoring requests from consumers seeking to remove their information, regardless of which reputation or removal service you use. Some force you to create an account and provide more information before you can remove your data. Even then, the information you worked hard to remove may simply reappear a few months later.

This aptly describes countless complaints lodged against the data broker and people search giant Radaris. On March 8, KrebsOnSecurity profiled the co-founders of Radaris, two Russian brothers in Massachusetts who also operate multiple Russian-language dating services and affiliate programs.

The truth is that these people-search companies will continue to thrive unless and until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century. Duke University adjunct professor Justin Sherman says virtually all state privacy laws exempt records that might be considered “public” or “government” documents, including voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman said.

S Ventures Invests in Auguria to Solve SecOps Overload

We are excited to announce S Ventures’ investment in Auguria to empower the vision of achieving 90%+ efficiency in SOC investigations and reducing SIEM costs. Auguria is driving the transformation of traditional security operations by optimizing data for human and AI consumption with the industry’s first Security Knowledge Layer.

SecOps’ Data Dilemma | How to Manage Costs and Maximize Security?

Security fundamentally revolves around managing and analyzing vast quantities of data. Security teams tasked with safeguarding digital assets amass extensive datasets from diverse origins, such as system logs, network traffic, threat intelligence feeds, and endpoint telemetries. The volume of this collected data is on an ever-upward trajectory.

Amidst this data deluge, a significant challenge emerges: distinguishing data related to genuine threats from the multitude of benign noise. This task is not only complex but also critical for effective threat detection and response. Consequently, many organizations opt to retain all gathered data, erring on the side of caution. This approach, however, leads to a substantial increase in SIEM costs.

To mitigate these burgeoning SIEM expenses, a practical strategy involves the meticulous identification and elimination of duplicate, repetitive data, followed by the strategic categorization of the remaining data based on its necessity for either immediate investigation or long-term storage for forensic and compliance purposes. Only the most interesting and anomalous log data and events, those crucial for real-time analysis, dashboards, active threat hunting, and prompt incident response, should be allocated to the priciest data storage solutions.

How Does Auguria Solve the SecOps Data Problems?

Auguria’s Security Knowledge Layer, or Auguria SKL™, instantly identifies whether an event is unique or bears similarities to others through transforming data into vector embeddings and pairing it with insight and organization. Auguria uses AI and ML to reduce data noise, lowering storage and processing costs. This allows existing teams to do more with less. At the core of Auguria’s platform is a vector database and embedding engine, powered by the unique security knowledge model and ontology distilled from extensive real-world security operations experience.

Sitting between the XDR, SIEM, or data lake layers, Auguria provides “grounded” methods that de-noise, rank, and prioritize security events and alerts – optimizing data for both human and AI consumption. This strategy significantly improves the signal-to-noise ratio, thereby enhancing the reliability of alerts for SOC analysts and making it easier to hunt for related malicious activity.

By enabling autonomous security operations, Auguria is setting new benchmarks for operational efficiency, driving superior outcomes and ROI for security teams. We are excited to support Auguria in delivering on its vision!

“Auguria can be game-changing for SOC analysts and incident responders, as it pinpoints where one should look for the most actionable data and discards the noises.” – Josh Blackwelder, Deputy CISO at SentinelOne

How Did We Learn About Auguria and How Does S Ventures Fit In?

Our journey with Auguria’s core team began at RSA 2022 where Keith Palumbo and Chris Colter first unveiled their visionary concept. Both Keith and Chris are as impressive as the technology they are building. They started Skout Forensics in 2010, which was acquired by Cylance in 2012. Chris has extensive digital forensics experience working across PwC and most recently, SentinelOne, where he tackled complex cybersecurity investigations. Keith combines a legal and business background with years in data investigations, bringing a unique perspective to Auguria. These diverse experiences and skills will drive Auguria to the forefront of security innovation and will enable them to attract top-tier talent.

Conclusion

Auguria is empowering customers to conduct threat investigations with unparalleled cost efficiency, thereby diminishing their dependence on traditional SIEM technologies. New solutions like Auguria SKL™ further the abilities of SecOps analysts by synthesizing the power of AI with the skill of expert-level human defenses.

As SentinelOne’s S Ventures continues to invest in the next generation of security, data, and AI companies, we look forward to seeing Auguria SKL™ augment SecOps teams by delivering hyper-fast and automated security event data comprehension. Please join us in congratulating Auguria on their launch out of stealth, their seed investment round, and their vision to redefine the standards of digital security and pave the way for a safer tomorrow.

S Ventures
Investing in the next generation of category-defining security and data companies.

PinnacleOne ExecBrief | Nation-State Targeting of Enterprise Cloud

Key Takeaways

  • The Russian Foreign Intelligence Service (SVR) continues to intensively exploit their breach of Microsoft, leveraging access to source code, internal systems, and sensitive data including Microsoft executives’ emails and customer secrets. This poses severe risks to organizations using Microsoft’s products and services.
  • Microsoft’s communications have been minimal and inadequate, likely because it lacks a full understanding of the implications of its breach.
  • The SVR is actively exploiting stolen information (at an increased scale via password sprays) to target enterprise cloud customers in government and industry for further compromise.
  • This is the latest in a string of breaches against Microsoft by nation-state threat actors, including China, highlighting systemic weaknesses in Microsoft’s security posture and customer protections.
  • Immediate actions by MS customers are needed, including enforcing MFA, auditing for suspicious activity, disabling unused accounts and devices, and considering third-party security capabilities.

Microsoft’s Security and Public Communications Failures

Microsoft’s recent disclosure of additional information on the Russian SVR breach, three months after it began, raises acute concerns about the scale and scope of the incident. In an SEC filing and blog post, Microsoft shared that the SVR gained access to source code repositories, internal systems, and sensitive data including executive emails. However, key questions remain unanswered:

  1. What source code was accessed and was it modified to introduce supply chain vulnerabilities?
  2. What customer secrets were exposed and how is Microsoft notifying impacted organizations?
  3. How did the SVR pivot from breaching an unused test tenant to accessing executive emails and critical internal systems?
  4. Does Microsoft have full confidence the SVR has been completely evicted from its networks?

Microsoft’s lack of transparency leaves customers unable to accurately assess risks to their own organizations from this incident. Microsoft has so far communicated the bare minimum required by law. The paucity of details suggests Microsoft does not have a good handle on the situation and likely cannot answer fundamental questions about the impact of the breach.

This fits a troubling pattern – in 2023, Chinese state-sponsored hackers breached Microsoft email servers and used that access to steal sensitive data from U.S. government agencies. Just as with the SVR incident, Microsoft said very little, leaving customers frustrated and concerned.

Experts have been sounding alarm bells about Microsoft’s security weaknesses for some time. The company is a huge target for nation-state attackers, yet struggles with fundamental security hygiene like enforcing multi-factor authentication and network segmentation. Microsoft’s authentication systems seem to be a particular issue. Nation-state actors are exploiting these gaps to clear effect.

Meanwhile, organizations are growing ever-more reliant on Microsoft, trusting the company not just for office software but for mission-critical cloud infrastructure, identity and access management, and security tools. This concentration of risk and responsibility in Microsoft is deeply concerning in light of repeated security failures.

Microsoft’s track record does not inspire confidence in its ability to defend against determined nation-state adversaries, who are now actively targeting Microsoft clients.

Recommendations for Senior Executives

Given the severe risks and Microsoft’s failure to provide sufficient information and assurances, organizations should take immediate defensive actions:

  1. Enforce MFA everywhere, with no exceptions. Compromising credentials is the top technique the SVR and other advanced threats use for initial access.
  2. Audit and monitor all user identities and device registrations in Azure AD and M365. Look for any suspicious activity like reactivated dormant accounts or new device registrations. Remove any unused accounts and devices.
  3. Reduce privilege as much as possible. Only grant admin rights where absolutely necessary and avoid standing privileges. Enforce conditional MFA access and one-time passwords and move to a zero trust identity model.
  4. Review all Azure security settings and compare to best practice guides from NSA, CISA, and CIS. Centralize all log and audit data for automated analytics, monitoring, and threat hunting.
  5. Implement email data loss prevention and encryption tools to prevent sensitive data from being exfiltrated via email.
  6. Consider third-party security tools to complement Microsoft’s native capabilities. Having multiple layers of defense from different vendors is prudent.
  7. Update incident response and disaster recovery plans to account for the potential of compromised Microsoft systems being unavailable or untrustworthy. Have fallback crisis communication and collaboration systems in place.
  8. Brief senior leadership and the board on Microsoft risks and your organization’s response plan. Ensure the C-suite understands the potential business impact.
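As an added example that is not part of the brief, the audit in item 2 expressed as detection logic run over a constructed sample of sign-in and device-registration events laid out like an Entra ID (Azure AD) export; the field layout, thresholds, account names, IPs and device names are all assumptions.

```python
"""Audit checks for the recommendations above: password-spray shape in
sign-in failures, dormant accounts coming back to life, and device
registrations on a just-reactivated account. Constructed sample data;
the record layout is an assumption, not a Microsoft export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (ISO timestamp, user, source IP, result).
SIGN_INS = [
    # Routine activity for bob and carol.
    ("2024-02-01T09:00:00", "bob@example.com",   "198.51.100.10", "success"),
    ("2024-03-09T09:00:00", "bob@example.com",   "198.51.100.10", "success"),
    ("2024-03-09T09:05:00", "carol@example.com", "198.51.100.11", "success"),
    # alice last signed in in November and is dormant until March.
    ("2023-11-15T08:00:00", "alice@example.com", "198.51.100.12", "success"),
    # One IP, one failure each against six accounts in five minutes:
    # the shape of a password spray.
    ("2024-03-10T02:00:00", "alice@example.com", "203.0.113.7", "failure"),
    ("2024-03-10T02:01:00", "bob@example.com",   "203.0.113.7", "failure"),
    ("2024-03-10T02:02:00", "carol@example.com", "203.0.113.7", "failure"),
    ("2024-03-10T02:03:00", "dave@example.com",  "203.0.113.7", "failure"),
    ("2024-03-10T02:04:00", "erin@example.com",  "203.0.113.7", "failure"),
    ("2024-03-10T02:05:00", "frank@example.com", "203.0.113.7", "failure"),
    # The spray lands on the dormant account.
    ("2024-03-10T02:30:00", "alice@example.com", "203.0.113.7", "success"),
]

# Constructed device-registration audit events: (timestamp, user, device name).
DEVICE_REGISTRATIONS = [
    ("2024-02-20T10:00:00", "carol@example.com", "CAROL-LAPTOP"),
    ("2024-03-10T02:45:00", "alice@example.com", "DESKTOP-7K2Q1"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_password_spray(sign_ins, min_accounts=5, window=timedelta(hours=1)):
    """Map source IP -> largest number of distinct accounts it failed against
    inside any sliding window of `window`. Few attempts per account across
    many accounts is what distinguishes a spray from a brute force."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in sign_ins:
        if result == "failure":
            failures_by_ip[ip].append((_ts(ts), user))
    hits = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = max(hits.get(ip, 0), len(users))
    return hits


def detect_dormant_reactivations(sign_ins, dormant_days=90):
    """Map user -> (gap in days, reactivation time) for successful sign-ins
    that follow at least `dormant_days` without a prior success."""
    last_success, hits = {}, {}
    for ts, user, _ip, result in sorted(sign_ins):
        if result != "success":
            continue
        now = _ts(ts)
        prev = last_success.get(user)
        if prev is not None and (now - prev).days >= dormant_days:
            hits[user] = ((now - prev).days, now)
        last_success[user] = now
    return hits


def devices_after_reactivation(sign_ins, registrations,
                               dormant_days=90, within=timedelta(hours=24)):
    """Highest-priority finding: a device registered on a reactivated account
    within `within` of the reactivating sign-in."""
    reactivated = detect_dormant_reactivations(sign_ins, dormant_days)
    findings = []
    for ts, user, device in registrations:
        if user in reactivated:
            delta = _ts(ts) - reactivated[user][1]
            if timedelta(0) <= delta <= within:
                findings.append((user, device))
    return findings


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SIGN_INS))
    print("reactivated:", detect_dormant_reactivations(SIGN_INS))
    print("devices on reactivated accounts:",
          devices_after_reactivation(SIGN_INS, DEVICE_REGISTRATIONS))
```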

Conclusion

The SVR breach of Microsoft is a stark reminder of the serious risks posed by sophisticated nation-state adversaries targeting major cloud providers. Overreliance on any single vendor, even one as prominent as Microsoft, can be catastrophic.

Microsoft’s opacity in its breach disclosure and history of security missteps means customers cannot simply take the company at its word that the situation is under control. Organizations must take proactive steps to mitigate risks and reduce their attack surface as much as possible.

Ultimately, a defense-in-depth approach with multiple layers of security controls and aggressive monitoring for threats is needed to combat determined nation-state actors. Senior leaders must be engaged and willing to make hard choices, including potentially diversifying away from Microsoft where it cannot meet the organization’s security and resilience needs. Failing to act decisively in the wake of this breach would be an abdication of the duty to protect the enterprise.

The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good | Top LockBit Ransomware Admin Charged & Ordered to Pay Restitutions

Russian-Canadian cybercriminal Mikhail Vasiliev has been sentenced to nearly four years in prison for his involvement in the LockBit ransomware operation. Initially arrested in November 2022, Vasiliev has pled guilty to eight charges, including cyber extortion, mischief, and weapons-related allegations.

Court sketch of Mikhail Vasiliev by John Mantha

Within LockBit, Vasiliev held a significant administrative role, participating in numerous high-profile attacks totalling over $100 million in ransom demands, which primarily affected businesses across Canada. Alongside a four-year sentence, he must pay $860,000 in restitution to his Canadian victims and faces extradition to the United States for further charges. American prosecutors have Vasiliev lined up to receive up to five years in a US prison for conspiring to intentionally damage protected computers and transmitting ransom demands.

LockBit, a notorious ransomware-as-a-service (RaaS) operation, has extorted at least $120 million in ransom payments from over 2000 victims in the last 3 years alone. The gang experienced major setbacks just last month, though, when a joint law enforcement operation seized its main infrastructure and arrested key affiliates. While the group quickly resumed operations on new leak sites to maintain activity, analysis suggests that most data leaked post-operation belonged to victims from before the takedown, indicating the threat group’s struggle to regain momentum.

Currently, the Department of State is offering rewards up to $15 million for information that could lead to the arrest of other LockBit key leaders and affiliates. Two suspected members of LockBit, Ruslan Astamirov and Mikhail Matveev, were also apprehended in 2023 though only Astamirov has been officially charged for deploying LockBit ransomware. Matveev remains at large facing cyber sanctions and a 20-year prison term in the event of arrest and conviction.

The Bad | Almost 13 Million Authentication Secrets Exposed on GitHub

Threat actors are increasingly exploiting GitHub and repositories as a conduit for malicious activities. In a recent report detailing the issue of secrets sprawl, the findings show that in 2023 alone, GitHub users inadvertently exposed 12.8 million authentication and sensitive secrets across over 3 million public repositories, with only 1.8% of users rectifying the issue upon receiving alerts.

These exposed secrets include critical data such as passwords, API keys, TLS/SSL certificates, OAuth tokens, and encryption credentials – all of which, if obtained by a threat actor, lead to unauthorized access and costly data breaches. This data corroborates another report from the summer of 2023 pointing to compromised credentials as the root cause of 50% of recorded attacks in the first half of last year.

Just this week, security researchers observed a new phishing campaign that delivered remote access trojans (RATs) like VCURMS and STRRAT via a malicious Java-based downloader. The attackers behind these RATs are employing sophisticated tactics, leveraging public services such as GitHub and Amazon Web Services (AWS) to store malware and evade detection.

Millions of organizations rely on source code management platforms like GitHub for software development, version control, and continuous integration and deployment (CI/CD). The abuse of such platforms speaks to a concerning trend where threat actors leverage public infrastructure for malicious purposes.

Securing DevOps platforms and open-source code repositories involves implementing access controls, updating dependencies, and enforcing strong authentication. Threat intelligence and security monitoring tools help detect and respond to suspicious activities, while solutions like XDR offer comprehensive protection against cyber threats and infrastructure abuse.

The Ugly | One-Day Flaws Exploited by Money-Hungry ‘Magnet Goblin’ Threat Actor

A financially motivated threat actor dubbed ‘Magnet Goblin’ has been exploiting one-day vulnerabilities in public-facing servers to distribute custom Linux malware. Magnet Goblin’s adoption of the flaws has been quick: security researchers confirmed cases where the one-days were already being leveraged to gain initial entry.

In one instance, Magnet Goblin integrated an exploit for the Ivanti Connect Secure RCE bug (CVE-2024-21887) just a day after a proof-of-concept (PoC) was published online. This exploit facilitated arbitrary code execution, enabling the group to compromise systems that had not yet patched to the latest updates. Magnet Goblin’s exploits extend beyond Ivanti, targeting platforms like Magento (CVE-2022-24086), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and potentially Apache ActiveMQ.

The group is currently deploying custom remote access trojans (RATs) and backdoors, including variants of the Nerbian family such as NerbianRAT and MiniNerbian. Upon execution, NerbianRAT establishes communication with a command-and-control (C2) server, allowing malicious activities like executing commands, modifying connection intervals, and updating configurations.

Source: Check Point

Over the years, the Linux OS has attracted threat actors for its ubiquity, powering a significant portion of servers, cloud infrastructure, and IoT devices which, in turn, provides a large attack surface. Its open-source nature also allows actors to study its codebase, identifying vulnerabilities and developing tailored exploits. With emerging threat actors like Magnet Goblin taking advantage of the chaos that follows released PoCs, having a strict patch management process in place becomes a critical factor in staying ahead of one-day flaws.

CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families, and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

A testimonial on onerep.com.

Customer case studies published on onerep.com state that it struck a deal to offer the service to employees of Permanente Medicine, which represents the doctors within the health insurance giant Kaiser Permanente. Onerep also says it has made inroads among police departments in the United States.

But a review of Onerep’s domain registration records and that of its founder reveal a different side to this company. Onerep.com says its founder and CEO is Dimitri Shelest from Minsk, Belarus, as does Shelest’s profile on LinkedIn. Historic registration records indexed by DomainTools.com say Mr. Shelest was a registrant of onerep.com who used the email address dmitrcox2@gmail.com.

A search in the data breach tracking service Constella Intelligence for the name Dimitri Shelest brings up the email address dimitri.shelest@onerep.com. Constella also finds that Dimitri Shelest from Belarus used the email address d.sh@nuwber.com, and the Belarus phone number +375-292-702786.

Nuwber.com is a people search service whose employees all appear to be from Belarus, and it is one of dozens of people-search companies that Onerep claims to target with its data-removal service. Onerep.com’s website disavows any relationship to Nuwber.com, stating quite clearly, “Please note that OneRep is not associated with Nuwber.com.”

However, there is an abundance of evidence suggesting Mr. Shelest is in fact the founder of Nuwber. Constella found that Minsk telephone number (375-292-702786) has been used multiple times in connection with the email address dmitrcox@gmail.com. Recall that Onerep.com’s domain registration records in 2018 list the email address dmitrcox2@gmail.com.

It appears Mr. Shelest sought to reinvent his online identity in 2015 by adding a “2” to his email address. The Belarus phone number tied to Nuwber.com also shows up in the domain records for askmachine.org, and DomainTools says this domain is tied to both dmitrcox@gmail.com and dmitrcox2@gmail.com.

Onerep.com CEO and founder Dimitri Shelest, as pictured on the “about” page of onerep.com.

A search in DomainTools for the email address dmitrcox@gmail.com shows it is associated with the registration of at least 179 domain names, including dozens of mostly now-defunct people-search companies targeting citizens of Argentina, Brazil, Canada, Denmark, France, Germany, Hong Kong, Israel, Italy, Japan, Latvia and Mexico, among others.

Those include nuwber.fr, a site registered in 2016 which was identical to the homepage of Nuwber.com at the time. DomainTools shows the same email and Belarus phone number are in historic registration records for nuwber.at, nuwber.ch, and nuwber.dk (all domains linked here are to their cached copies at archive.org, where available).

Nuwber.com, circa 2015. Image: Archive.org.

A review of historic WHOIS records for onerep.com shows it was registered for many years to a resident of Sioux Falls, SD for a completely unrelated site. But around Sept. 2015 the domain switched from the registrar GoDaddy.com to eNom, and the registration records were hidden behind privacy protection services. DomainTools indicates around this time onerep.com started using domain name servers from DNS provider constellix.com. Likewise, Nuwber.com first appeared in late 2015, was also registered through eNom, and also started using constellix.com for DNS at nearly the same time.

Listed on LinkedIn as a former product manager at OneRep.com between 2015 and 2018 is Dimitri Bukuyazau, who says their hometown is Warsaw, Poland. While this LinkedIn profile (linkedin.com/in/dzmitrybukuyazau) does not mention Nuwber, a search on this name in Google turns up a 2017 blog post from privacyduck.com, which laid out a number of reasons to support a conclusion that OneRep and Nuwber.com were the same company.

“Any people search profiles containing your Personally Identifiable Information that were on Nuwber.com were also mirrored identically on OneRep.com, down to the relatives’ names and address histories,” Privacyduck.com wrote. The post continued:

“Both sites offered the same immediate opt-out process. Both sites had the same generic contact and support structure. They were – and remain – the same company (even PissedConsumer.com advocates this fact: https://nuwber.pissedconsumer.com/nuwber-and-onerep-20160707878520.html).”

“Things changed in early 2016 when OneRep.com began offering privacy removal services right alongside their own open displays of your personal information. At this point when you found yourself on Nuwber.com OR OneRep.com, you would be provided with the option of opting-out your data on their site for free – but also be highly encouraged to pay them to remove it from a slew of other sites (and part of that payment was removing you from their own site, Nuwber.com, as a benefit of their service).”

Reached via LinkedIn, Mr. Bukuyazau declined to answer questions, such as whether he ever worked at Nuwber.com. However, Constella Intelligence finds two interesting email addresses for employees at nuwber.com: d.bu@nuwber.com, and d.bu+figure-eight.com@nuwber.com, which was registered under the name “Dzmitry.”

PrivacyDuck’s claims about how onerep.com appeared and behaved in the early days are not readily verifiable because the domain onerep.com has been completely excluded from the Wayback Machine at archive.org. The Wayback Machine will honor such requests if they come directly from the owner of the domain in question.

Still, Mr. Shelest’s name, phone number and email also appear in the domain registration records for a truly dizzying number of country-specific people-search services, including pplcrwlr.in, pplcrwlr.fr, pplcrwlr.dk, pplcrwlr.jp, peeepl.br.com, peeepl.in, peeepl.it and peeepl.co.uk.

The same details appear in the WHOIS registration records for the now-defunct people-search sites waatpp.de, waatp1.fr, azersab.com, and ahavoila.com, a people-search service for French citizens.

The German people-search site waatp.de.

A search on the email address dmitrcox@gmail.com suggests Mr. Shelest was previously involved in rather aggressive email marketing campaigns. In 2010, an anonymous source leaked to KrebsOnSecurity the financial and organizational records of Spamit, which at the time was easily the largest Russian-language pharmacy spam affiliate program in the world.

Spamit paid spammers a hefty commission every time someone bought male enhancement drugs from any of their spam-advertised websites. Mr. Shelest’s email address stood out because immediately after the Spamit database was leaked, KrebsOnSecurity searched all of the Spamit affiliate email addresses to determine if any of them corresponded to social media accounts at Facebook.com (at the time, Facebook allowed users to search profiles by email address).

That mapping, which was done mainly by generous graduate students at my alma mater George Mason University, revealed that dmitrcox@gmail.com was used by a Spamit affiliate, albeit not a very profitable one. That same Facebook profile for Mr. Shelest is still active, and it says he is married and living in Minsk (last update: 2021).

The Italian people-search website peeepl.it.

Scrolling down Mr. Shelest’s Facebook page to posts made more than ten years ago show him liking the Facebook profile pages for a large number of other people-search sites, including findita.com, findmedo.com, folkscan.com, huntize.com, ifindy.com, jupery.com, look2man.com, lookerun.com, manyp.com, peepull.com, perserch.com, persuer.com, pervent.com, piplenter.com, piplfind.com, piplscan.com, popopke.com, pplsorce.com, qimeo.com, scoutu2.com, search64.com, searchay.com, seekmi.com, selfabc.com, socsee.com, srching.com, toolooks.com, upearch.com, webmeek.com, and many country-code variations of viadin.ca (e.g. viadin.hk, viadin.com and viadin.de).

The people-search website popopke.com.

Domaintools.com finds that all of the domains mentioned in the last paragraph were registered to the email address dmitrcox@gmail.com.

Mr. Shelest has not responded to multiple requests for comment. KrebsOnSecurity also sought comment from onerep.com, which likewise has not responded to inquiries about its founder’s many apparent conflicts of interest. In any event, these practices would seem to contradict the goal Onerep has stated on its site: “We believe that no one should compromise personal online security and get a profit from it.”

The people-search website findmedo.com.

Max Anderson is chief growth officer at 360 Privacy, a legitimate privacy company that works to keep its clients’ data off of more than 400 data broker and people-search sites. Anderson said it is concerning to see a direct link between a data removal service and data broker websites.

“I would consider it unethical to run a company that sells people’s information, and then charge those same people to have their information removed,” Anderson said.

Last week, KrebsOnSecurity published an analysis of the people-search data broker giant Radaris, whose consumer profiles are deep enough to rival those of far more guarded data broker resources available to U.S. police departments and other law enforcement personnel.

That story revealed that the co-founders of Radaris are two native Russian brothers who operate multiple Russian-language dating services and affiliate programs. It also appears many of the Radaris founders’ businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

KrebsOnSecurity will continue investigating the history of various consumer data brokers and people-search providers. If any readers have inside knowledge of this industry or key players within it, please consider reaching out to krebsonsecurity at gmail.com.

Exploiting Repos | 6 Ways Threat Actors Abuse GitHub & Other DevOps Platforms

For millions of organizations today, source code management platforms like GitHub play a fundamental role in software development, operating as a central hub for both proprietary and open-source code repositories, enabling collaboration, version control and continuous integration and deployment (CI/CD).

In this blog post, we explore the less-discussed side of these essential platforms, where threat actors leverage their features for malicious activities, to stage cyber attacks and steal sensitive data. By understanding the ways threat actors abuse such platforms, organizations can better equip themselves to protect their repositories and mitigate the potential risks associated with code sharing and CI/CD platforms.

Current Threat Landscape | SaaS Abuse On the Rise

The compromise of open-source software projects is becoming more prevalent, with threat actors targeting libraries distributed via package managers and public repositories like PyPI, crates.io, and GitHub. After infiltrating these trusted resources, threat actors can inject vulnerabilities into widely used software, potentially compromising the security of many more associated applications and systems.

Beyond the threat to open-source platforms, a broader trend has emerged: legitimate internet services and critical platforms are frequently exploited by threat actors for malicious activities. GitLab and Bitbucket, used for source code management and version control, have also suffered from bugs that gave threat actors opportunities to gain access to sensitive data, propagate malware, and orchestrate various forms of cybercrime.

Notable Cases of Recent Repo Hacks

Some prominent cyber attacks that leveraged shared code repositories include:

  • Pro-Russia hacktivist group NoName057(16) made headlines by leveraging GitHub to host its toolkit and enticing key contributors with payments.
  • The Rust development community fell victim to the CrateDepression supply-chain attack, which specifically targeted organizations using GitLab Continuous Integration (CI) pipelines.
  • The 3CX SmoothOperator supply chain attack involved pulling encrypted C2 details hidden in icon files hosted in a dedicated GitHub repository.
  • The recent ‘everything’ package prank exposed the potential for GitHub to be used in denial-of-service attacks, highlighting the broader repercussions of such abuse on global software ecosystems.
  • Secret Gists and git commit commands have been used to deliver C2 commands and retrieve malware payloads.
  • A GitHub leak reported earlier this year impacted major brands like Toyota, Mercedes Benz, Binance, and X (formerly Twitter), exposing sensitive proprietary code and credentials.

1. Hosting Malware & Phishing Campaigns

The most obvious misuse of code sharing platforms is hosting malware in plain sight. Threat actors create repositories that appear benign at first glance but are used to trick developers into downloading and executing code that carries malware or facilitates phishing schemes. Poisoned projects let attackers target specific enterprises, and they reach far more victims when developers unwittingly build the bad code into legitimate software.

Robust code review processes are essential for detecting malicious code within repositories. Automated scanning tools can further enhance security by identifying known malware signatures and suspicious patterns. To combat the risk of phishing, educating developers and users about common schemes is crucial, especially when users are interacting with code from untrusted sources.

GitHub Malware Advisory

2. Hosting Command & Control (C2)

Public repositories can serve as a strategic platform for threat actors to distribute or host command-and-control (C2) servers, or more commonly to serve as channels by which to distribute C2 URLs, fallback commands or configuration files.

The ability to blend in with legitimate network traffic and sidestep domain block lists makes public code repositories highly attractive. In addition, high uptime and ubiquity of the services make GitHub and similar platforms ideal for attackers’ decentralized C2 infrastructure. Tactics such as dead drop resolvers and obfuscated domains embedded within web services help adversaries to obscure back-end C2 infrastructure from discovery through malware binary analysis.

Organizations can implement network traffic monitoring and anomaly detection systems to help identify unusual patterns indicative of C2 communication. Additionally, leveraging threat intelligence feeds to block known malicious IP addresses and domains associated with C2 infrastructure can enhance defense mechanisms. Defenders should also conduct regular auditing and proactively revoke access for suspicious accounts or repositories.
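One concrete form of the traffic monitoring described above is a beaconing check over proxy logs: a dead-drop resolver hosted on GitHub is typically polled by the implant on a fixed timer, so the same source fetching the same raw-content URL at near-constant intervals stands out even though the destination itself is trusted. The following script is an added example written for this post, not code from SentinelOne or from the original article; the log line format (timestamp, source IP, method, host, path, user agent) and the sample lines are constructed, and the set of content hosts and the jitter threshold are assumptions to tune against your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts that serve arbitrary user-uploaded content and are therefore usable
# as dead drops for C2 configuration (assumed list; extend for your estate).
CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
    "api.github.com",
}

# Constructed sample proxy log: one normal developer host (10.0.1.15) and one
# host (10.0.1.42) polling the same gist every ~5 minutes with a scripted client.
SAMPLE_LOG = """\
2024-03-18T09:00:00 10.0.1.15 GET raw.githubusercontent.com /acme/infra/main/README.md Mozilla/5.0
2024-03-18T09:00:00 10.0.1.42 GET gist.githubusercontent.com /u/raw/cfg.txt python-requests/2.31
2024-03-18T09:05:01 10.0.1.42 GET gist.githubusercontent.com /u/raw/cfg.txt python-requests/2.31
2024-03-18T09:10:00 10.0.1.42 GET gist.githubusercontent.com /u/raw/cfg.txt python-requests/2.31
2024-03-18T09:14:59 10.0.1.42 GET gist.githubusercontent.com /u/raw/cfg.txt python-requests/2.31
2024-03-18T09:20:01 10.0.1.42 GET gist.githubusercontent.com /u/raw/cfg.txt python-requests/2.31
2024-03-18T09:03:12 10.0.1.15 GET raw.githubusercontent.com /acme/infra/main/deploy.sh Mozilla/5.0
2024-03-18T11:47:30 10.0.1.15 GET raw.githubusercontent.com /acme/infra/main/README.md Mozilla/5.0
"""

# Assumed log layout: ts src method host path user-agent (user agent may contain spaces).
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse(log_text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path, ua = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "method": method, "host": host, "path": path, "ua": ua})
    return events


def detect_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Flag (src, host, path) triples fetched from a content host at regular intervals.

    A group is reported when it has at least min_hits requests and the
    coefficient of variation of the gaps between requests is <= max_jitter.
    """
    groups = defaultdict(list)
    for e in parse(log_text):
        if e["host"] in CONTENT_HOSTS:
            groups[(e["src"], e["host"], e["path"])].append(e["ts"])

    findings = []
    for (src, host, path), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "host": host, "path": path,
                             "hits": len(stamps), "mean_interval_s": avg,
                             "jitter": jitter})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['host']}{f['path']}: {f['hits']} hits, "
              f"every ~{f['mean_interval_s']:.0f}s (jitter {f['jitter']:.3f})")
```

The developer host is not reported because its fetches are few and irregular; the scripted host is, because five fetches of one gist arrive roughly 300 seconds apart. In practice you would run this over a rolling window and pair it with the other signals the text mentions (non-browser user agents on content hosts, threat-intelligence matches on the fetched path) before raising an alert.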

3. Credential Theft & Supply Chain Attacks

Code repositories have become a prime target for threat actors targeting credential theft and supply chain attacks.

Git repositories can contain not only proprietary code but also sensitive credentials like API keys, passwords, and cryptographic keys.

To defend against such risks, organizations can adopt robust authentication mechanisms such as multi-factor authentication (MFA) and OAuth to safeguard their user accounts and credentials. Implementing a secrets management solution can also support more secure storage and management of sensitive credentials, reducing exposure to potential attackers. Security leaders can also consider deploying code signing and verification mechanisms to ensure the integrity of software supply chains.
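A secrets management solution keeps credentials out of the repository, but a pre-commit or pre-receive check is what catches the key that a developer pastes into a config file anyway. The scanner below is an added example for this post, not code from SentinelOne or from any particular tool: it walks a unified diff, looks only at added lines, tracks new-file line numbers from the hunk headers, and applies a few credential patterns, with an entropy filter on the generic "secret = '...'" rule to cut false positives. The diff and the values in it are constructed (the access key ID is the example key from AWS's own documentation); the rule set is a starting point, not a complete catalogue.

```python
import math
import re
from collections import Counter

# Constructed sample diff: two literal credentials are added, one value is
# correctly read from the environment and must not be flagged.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,7 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
+# constructed sample, not a real key
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 LOG_LEVEL = "info"
"""

# (rule name, pattern, index of the capture group holding the secret value or None)
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), None),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), None),
    ("generic_secret",
     re.compile(r"(?i)(secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*[\"']([^\"']{12,})[\"']"),
     2),
]
GENERIC_MIN_ENTROPY = 3.0  # bits per character; assumed threshold

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Bits of entropy per character; high values suggest random key material."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def scan_diff(diff_text):
    """Return findings for credential-looking content on added lines of a unified diff."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git"):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first line number of this hunk in the new file
            continue
        if raw.startswith("-"):
            continue  # removed lines do not exist in the new file; no number to advance
        if raw.startswith("+"):
            content = raw[1:]
            for rule, pattern, value_group in RULES:
                hit = pattern.search(content)
                if not hit:
                    continue
                if value_group is not None and shannon_entropy(hit.group(value_group)) < GENERIC_MIN_ENTROPY:
                    continue  # low-entropy literal such as "changeme-password"
                findings.append({"file": current_file, "line": new_line, "rule": rule})
                break  # one finding per line is enough
        new_line += 1  # added and context lines both occupy a new-file line
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']}: {f['rule']}")
```

Wired into a pre-receive hook (running `git diff` between the old and new ref and feeding the output to `scan_diff`), a non-empty result rejects the push before the secret ever lands in history, which matters because a key committed and then removed in a later commit is still recoverable from the repository.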

4. Cloning & Manipulating GitHub (& Other) Repos

Adversaries may inject malicious code directly into exposed libraries or submit fraudulent pull requests that introduce backdoors or execute code injection attacks, or they may leverage proof-of-concept code, often itself hosted on public repositories like GitHub, to exploit vulnerabilities in open source code.

Attackers have been seen cloning GitHub repositories and adding malicious code to forks designed to infect developer systems and pilfer sensitive files that included software keys.

In another case, suspicious commits in hundreds of GitHub repositories were discovered to be carrying malicious code. All of the commit messages were created by attackers to disguise their exfiltration of secrets to a C2 server before they injected web-form password-stealing malware into JavaScript files.

Regularly updating and patching dependencies is critical for addressing known vulnerabilities and security issues. Security defenders are also advised to stay informed on emerging security alerts providing updates related to third-party libraries used by their organizations.

Software composition analysis (SCA) tools can enhance security by scanning repositories for vulnerable dependencies and automating remediation or flagging issues for manual review.

5. Abuse of GitHub Actions & CI/CD Pipelines

Threat actors have exploited GitHub’s continuous integration/continuous deployment (CI/CD) pipelines and automation features, such as GitHub Actions, to automate malicious activities and orchestrate attacks. By leveraging these capabilities, they deploy malware, exfiltrate data, or execute unauthorized commands within CI/CD workflows.

To combat these risks, enforce least privilege access controls to restrict the execution of CI/CD workflows and automation scripts and reduce the attack surface. Pre-defined templates and secure coding practices can also help prevent injection attacks and unauthorized code execution.

Security teams may also adopt logging and auditing features in order to more thoroughly track changes and activities within CI/CD pipelines. GitHub’s guide to security hardening for GitHub Actions provides further advice, as does CISA’s guide on how to defend CI/CD environments.
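The three workflow hardening controls that matter most in practice are a restrictive `permissions:` block (least privilege for the `GITHUB_TOKEN`), pinning third-party actions to a full commit SHA rather than a mutable tag, and never interpolating attacker-controlled event fields such as an issue title directly into a `run:` script, where `${{ }}` expansion happens before the shell sees the text. The linter below is an added example written for this post, not SentinelOne's code or a GitHub tool; it is a deliberately simple line-based check (no YAML parser), the two workflow files are constructed, and the SHA in the hardened file is an all-zero placeholder that you would replace with the real commit you reviewed.

```python
import re

# Constructed workflow with the three weaknesses the text describes.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed hardened version: explicit permissions, SHA-pinned action (placeholder
# SHA, replace with a reviewed commit), untrusted input passed through an env var.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  issues: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - name: Echo title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

# Conservative: any github.event.* field or github.head_ref inside a run script is flagged.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:event\.[\w.]+|head_ref)\s*\}\}")
USES = re.compile(r"^(?:-\s+)?uses:\s*(\S+)")
RUN = re.compile(r"^(?:-\s+)?run:\s*(.*)$")
SHA = re.compile(r"[0-9a-f]{40}")
BLOCK_SCALARS = {"|", "|-", "|+", ">", ">-", ">+", ""}


def lint_workflow(text):
    """Return (rule, line_number) pairs; line 0 means a file-level finding."""
    findings = []
    if not re.search(r"^permissions:", text, re.M):
        findings.append(("missing_permissions", 0))

    in_run, run_indent = False, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not stripped:
            continue
        # A run: block scalar ends at the first line indented no deeper than the key.
        if in_run and indent <= run_indent:
            in_run = False

        m = USES.match(stripped)
        if m:
            target = m.group(1)
            if target.startswith(("./", "docker://")):
                continue  # local or container actions are out of scope for pinning
            ref = target.rsplit("@", 1)[1] if "@" in target else ""
            if not SHA.fullmatch(ref):
                findings.append(("unpinned_action", lineno))
            continue

        m = RUN.match(stripped)
        if m:
            body = m.group(1).strip()
            if body in BLOCK_SCALARS:
                in_run = True
                run_indent = indent + (2 if stripped.startswith("-") else 0)
            elif UNTRUSTED.search(body):
                findings.append(("untrusted_input_in_run", lineno))
            continue

        if in_run and UNTRUSTED.search(line):
            findings.append(("untrusted_input_in_run", lineno))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, lint_workflow(wf))
```

The hardened file passes because the title reaches the shell as the value of `$TITLE`, which the shell treats as data rather than as part of the command line. The check deliberately does not inspect `with:` inputs, so an action that itself evaluates its input as code (a script-running action, for instance) still needs manual review, and a job-level `permissions:` block would satisfy the least-privilege goal without satisfying this linter's file-level test.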

6. Distributed Denial of Service (DDoS) Attacks

Public hosting infrastructure and version control systems have been increasingly exploited to orchestrate distributed-denial-of-service (DDoS) attacks. Flooding repositories or services with a high volume of requests disrupts normal operations, degrades performance, and renders services unavailable to legitimate users.

In the case of the GMP project, an open source arithmetic library, the project’s servers came under attack from several hundred IP addresses owned by Microsoft, causing a surge of network traffic that slowed programs linked to the library to a crawl.

Note by principal author of GMP to the project’s mailing list

Deploying web application firewalls (WAFs) and implementing rate limiting mechanisms can help mitigate DDoS attacks targeting public repositories and services. Content delivery networks (CDNs) can enable organizations to distribute traffic and absorb volumetric attacks, reducing the impact on GitHub’s infrastructure.

Security teams are also recommended to implement network-level defenses such as traffic filtering and IP reputation blocklisting, which aid in preventing malicious traffic and safeguarding public infrastructure from disruption.

Conclusion

Defending Continuous Integration/Continuous Delivery environments is an essential part of an enterprise’s security posture. Implementing least privilege access controls to restrict unauthorized actions and prioritizing regular updating and patching of dependencies are key to mitigating vulnerabilities, along with enforcing strong authentication mechanisms to protect user accounts and credentials for resources hosted on source code management platforms.

Utilizing threat intelligence feeds and security monitoring tools designed to proactively identify and respond to suspicious activities is also key to minimizing the risk of exploitation and data breaches. Solutions like XDR can play a large role in protecting organizations from cyber threats originating from public infrastructure abuse and exploitation by providing comprehensive visibility, advanced analytics, automated response, and centralized management capabilities.
