Patch Tuesday, March 2024 Edition

Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple’s new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.

Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.

Apple’s macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].

On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.

Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.

Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS)), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).

Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), a Linux-based cloud infrastructure in Microsoft Azure. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.

CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineer at Immersive Labs.

“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”

A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.

Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.

By the way, Adobe recently enrolled all of its Acrobat users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.

Incognito Darknet Market Mass-Extorts Buyers, Sellers

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

An extortion message currently on the Incognito Market homepage.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

The “Payment Status” page set up by the Incognito Market extortionists.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

New Incognito Market users are treated to an ad for $450 worth of heroin.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”

Five Ways to Inspire Inclusion Through Allyship

On International Women’s Day, we celebrate the diverse talents, skills, and perspectives that women bring to our workplace and our world. This year’s theme is #InspireInclusion – a fitting call to action for women and allies to continue on this journey as we work to enjoy the same rights, opportunities and impact as our male counterparts.

Allyship is defined as the actions, behaviors, and practices that leaders take to support, amplify, and advocate with others, most especially with individuals who don’t belong to the same social identities as themselves. Men are a key part of our strong ally base at SentinelOne, fortified by an amazing group of female leaders who have ascended on their career trajectory in cybersecurity and have committed to taking other women with them on the journey.

Today we want to share five ways to #InspireInclusion through allyship at your organization to enable women to have the same access to successful, fulfilling careers in tech and have game-changing impact on their workplaces and communities.

Change Starts At the Top

According to the Women In Cybersecurity Report, women held 25% of cybersecurity jobs globally in 2022, up from 20% in 2019 and 10% in 2013. When we look at women in leadership, the gap is even wider. According to Women in Tech Network, only 5% of leadership positions in the tech sector are held by women.

At SentinelOne, we prioritize bridging the gender gap at the leadership level knowing it propels our efforts as we continue to diversify at all levels of the organization. Today, over 30% of all VPs at SentinelOne and 39% of the C-Suite leaders are women. Last year, 47% of our newly hired VP+ leaders and 32% of our internal VP+ promotions were also women. Driving massive change like this takes an intentional strategy and the collective efforts of committed allies who believe that equity in the workplace drives better business results.

1 – Commit to Purposeful Talent Acquisition & Development

You can’t wish for 50% of female candidates to walk through your door – you have to work for it! It starts with a diverse candidate slate, which can be extremely challenging in tech and specifically cybersecurity. Our goal is to have the top of the candidate pipeline consist 50-75% of women to increase the likelihood of having at least two female finalists. Critically adjacent to this strategy is having one woman on the interview panel.

Sourcing women early in career is a great strategy to find female talent. Having an internship program funneled by a university recruiting effort is very effective at SentinelOne. Partnering with collegiate chapters of Women in CyberSecurity (WiCyS) to engage candidates across the globe only strengthens this part of our pipeline.

We know that if we don’t work to develop our people and enable them with career opportunities, our competitors will. Losing women to the next opportunity will negate your efforts to bridge the gender gap, so keep them engaged and learning while making space for them to grow within your organization. Robust learning and development opportunities are critical for all, and maybe even more so for women as we try to make progress. A well-laid out career pathing program with defined experiences and skill sets for each level will let women know what needs to be added to their knowledge base to prepare for their next opportunity.

2 – Understand That Mentorship Matters

It’s a zero-cost, high-return strategy to drive gender parity. A win-win on both sides of the equation, both parties can learn and grow through high-quality mentor-mentee relationships. Mentorship is critical in shaping careers, giving women a safe place to ask questions and gain insights that can build confidence and guide them through career challenges.

I encourage you to seek the power of difference in the women you mentor. We often gravitate to the people most like us, but considering a mentee of a different gender, function, level or even organization can contribute to the richness of the relationship. Embracing a growth mindset and being conscious of your bias can be extremely beneficial for both sides of the relationship.

If your organization does not have a formal mentorship program, consider advocating for one. At SentinelOne, we launched MentorOne last year with tremendous success and already established 200+ mentor relationships. If that’s not a feasible option, I urge you to recruit a woman to mentor. A thoughtful quarterly conversation is an investment that could pay dividends for years to come.

3 – Champion & Sponsor Women At All Levels

Making this effort a daily behavior can drive substantial change in your workplace culture. Amplifying the women you know doing great work by giving them credit for their ideas and accomplishments can go a long way in boosting confidence and helping strong performers shape their brand. So often we are onto the next task without recognizing how we accomplished the last one, so celebrate! Reach out to the leaders of high-performing women and share authentic accolades to recognize their impact.

Getting involved with the Employee Resource Groups at your organization is a great way to show your allyship. Our Women’s Inclusion Network at SentinelOne is an army that is 160+ strong, full of women and allies who start conversations that both move the business forward and create a safe space for learning, making space for all voices.

Inviting more women into conversations serves two purposes – instilling confidence and sourcing ideas and solutions to drive your business forward! Asking them to share opinions and ideas is an easy way to build the muscle of confidence. Also be careful not to interrupt someone sharing an idea, even if it’s just to reinforce their point.

If you are new to the sponsorship game, get creative! It can be as simple as attending an event sponsored by an employee resource group and asking a thoughtful question or offering support in the live chat. Just seeing your face in a room or on Zoom can let your female colleagues know that you are an ally. Volunteering is another way to become a champion, sharing your career insights and skill sets to inspire the next generation of tech and cybersecurity professionals.

4 – Embrace the Tough Conversations

Tough conversations are often great catalysts for change. It’s important to speak up – if you hear something, say something. Allowing microaggressions in the workplace only reinforces the age-old problem of imposter syndrome, something 75% of all working women have experienced at some point in their career.

Women often face a double standard at work in regards to their behavior. Historically in the workplace, women with confidence and strength were described as pushy and aggressive. If you hear a woman being described in that way, ask yourself, would the same words be used to describe her male counterpart showing the same behavior? If the answer is ‘no’, challenge that in the moment. Be part of the action that helps to build up the brand of a strong woman while taking down the cycle of this double standard.

Give women in your network the gift of direct, in the moment feedback. Women are often juggling so much, multi-tasking the full-time responsibility of family and career. Communicating with honesty, patience and kindness makes even difficult feedback a teachable moment that can change the trajectory of a woman’s career. Be sure to ask probing questions, listening carefully to understand before jumping into working through a solution.

5 – Inspire Inclusion All Year Long

March is just a moment for celebration. Action planning and execution needs to be top of mind 12 months of the year if we are going to close the gender gap in the workplace.

I challenge all non-birthing parents to start at home by sharing household responsibilities, freeing up time and energy for your partner to also focus on career growth. If your company offers a gender-neutral parental leave, take it to establish your role as a caregiver. Hearing from Sentinel parents who cherished our 16-week benefit is a huge source of pride, knowing the ripple effect it will have on their child’s lifetime.

Just recently, a father returning from parental leave sent me the following thank you note:

“Having this uninterrupted time with my children has strengthened our bond and created cherished memories that will last a lifetime. It has allowed me to return to work feeling refreshed, energized, and even more committed to my role at the company. I witnessed how my wife experienced her postpartum period in a totally different, much more pleasant and relaxing way. I also gained a deeper appreciation for the sacrifices and dedication my wife makes each day to care for our family.”

Happy International Women’s Day from SentinelOne!

Take action, in small ways and big ways, and we will continue to drive progress. Start by joining your organization’s Women’s Inclusion Network and contributing to the conversation. Continually ask how you can help, and seek out an important role in gender parity efforts. Making a commitment to #InspireInclusion is not just something we are doing to improve the workplace – it’s a call to action to improve the world!

The Good, the Bad and the Ugly in Cybersecurity – Week 10

The Good | U.S. Sanctions Spyware Targeting Government Officials & Journalists

This week the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) took a stand against commercial spyware specifically crafted to target government officials, journalists, and policy experts within the nation. Sanctions were placed on individuals and five entities affiliated with Intellexa Alliance for their involvement in the creation, operation, and dissemination of the spyware.

This move comes in response to the threat posed by escalating adoption of commercial spyware, which not only poses significant security risks within the United States, but has also been exploited by foreign entities to abuse human rights, suppress dissident voices around the world, and foster state-sponsored cyber espionage campaigns. According to OFAC, Intellexa boasts a global clientele, including authoritarian regimes, and acted as a consortium of several companies linked to mercenary spyware solutions such as Predator.

Predator spyware is capable of infiltrating both Android and iOS devices through zero-click attacks, granting operators unrestricted access to sensitive data and the ability to monitor designated targets covertly. OFAC disclosed that Predator had been deployed against U.S. government officials, journalists, and policy experts by unspecified foreign actors.

The sanctions target key figures and entities within the Intellexa Alliance, including its founder, a corporate specialist, and various affiliate companies, all of which belong to economic blocklists. A strong follow-up to the Biden administration’s commitment to countering spyware technology, the sanctions place visa restrictions on all individuals involved in the misuse of commercial spyware. This is a significant and first-of-its-kind step in curbing the illicit activities of mercenary spyware companies and rallies international organizations against doing business with or supporting sanctioned entities and individuals.

The Bad | Google AI Technology Stolen by Ex-Employee for China Tech Firms

A 38-year-old Chinese national and a California resident has been indicted for allegedly stealing trade secrets from Google while secretly collaborating with two China-based tech firms.

Linwei “Leon” Ding, a former Google engineer arrested this week, stands accused of illicitly transferring proprietary and confidential data to his personal account while covertly affiliating with companies in China’s artificial intelligence (AI) sector, as stated by the DoJ. Ding purportedly stole over 500 confidential files containing AI trade secrets with the intent of providing an advantage to Chinese companies in the ongoing, global AI race.

The DoJ emphasized that Ding’s actions gave unfair competitive benefits to himself and the affiliated PRC-based companies by stealing information on Google’s supercomputer data center infrastructure used specifically for hosting large and sophisticated AI models.

Ding is accused of concealing the theft by copying data from Google source files to the Apple Notes application on his company-provided MacBook, converting them to PDF files, and then uploading them to his Google account. Ding currently faces four counts of theft of trade secrets, each carrying a maximum penalty of 10 years in prison and up to a $250,000 fine if convicted.

Last year, President Biden issued an executive order on AI, intended to maintain America’s leadership in AI development, particularly in light of competition from nations such as China. Both the U.S. and Chinese governments recognize AI as an emerging technology that is strategically important with vast potential to enhance economic productivity across civilian industries and provide key capabilities for military and intelligence purposes. Theft of trade secrets and intelligence fuels economic espionage and other national-level security concerns related to advancements in AI technology.

The Ugly | BlackCat Ransomware Gang Pulls off Exit Scam

It seems that BlackCat ransomware operators have pulled a vanishing act this week, taking down their darknet website after allegedly scamming $22 million from one of their affiliates, currently attributed with attacking a subsidiary of healthcare giant, UnitedHealth Group.

While the gang has shut down its servers, data leak blog, and ransomware operation negotiation sites, security researchers have called out the likely possibility of an exit scam or an effort in rebranding the entire ransomware-as-a-service (RaaS) operation under a new identity. Source code analysis done on the takedown notice shows that it was taken from an archived leak site and displayed using a Python HTTP server. Further, Europol and the U.K.’s National Crime Agency (NCA) have declined involvement in taking down BlackCat operations.

This abrupt disappearance follows reports of a purported $22 million ransom payment received from UnitedHealth’s Change Healthcare unit, with allegations that the group reneged on sharing the proceeds with an affiliate involved in the attack. Speculations emerged from a disgruntled affiliate, known as ‘notchy’, who accused BlackCat of embezzling funds after their account suspension on the RAMP cybercrime forum, which also hints at the possibility of an exit scam and eventual rebranding.

So far, the cyber defense community has seen BlackCat ransomware run through various life cycles and monikers, including DarkSide/BlackMatter. The latest occurred in December of 2023 when BlackCat’s servers were hacked by the FBI and an international law enforcement operation seized their Tor negotiation and data leak sites. However, the gang was able to restart its operations. With a speculated exit scam to evade consequences and a possible rebrand on the way, organizations are reminded of the resilience and adaptability of modern ransomware operations.

PinnacleOne ExecBrief | Malicious Insider Threat to Strategic Enterprises

Last week, PinnacleOne examined China’s application of emerging AI tools to augment their rapidly improving cyber capabilities and emphasized the urgency for defenders to keep pace.

This week, we focus on the recent arrest of a PRC national indicted for theft of Google AI IP and we identify lessons learned for firms to improve malicious insider threat detection and response.

Please subscribe to read future issues — and forward this newsletter to your colleagues to get them to sign up as well.

Feel free to contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus: Malicious Insider Threat to Strategic Enterprises

The recent indictment and arrest of a PRC national for theft and transfer of Google’s AI related trade secrets illustrates the nature and scope of the insider threat facing strategic enterprises.

The case shows how relatively unsophisticated techniques were able to evade Google’s data loss prevention system and insider threat program, and how a delayed response increased risk.

Firms working at the leading edge of technology (like frontier AI model labs) and those in the crosshairs for strategic geopolitical targeting must catch up to the scale of the threat, immediately.

Google’s Insider Detection and Investigation Failures

  1. The indicted lead software engineer, Ding Linwei, worked on confidential LLM infrastructure and software systems that trained and ran Google Brain, DeepMind, and Anthropic IP.
  2. He exfiltrated over 500 confidential files by copying data from Google source files into the Apple Notes application on his Google-issued MacBook laptop, converted those notes into PDF files, and uploaded them from the Google network into a separate, personal Google drive account, which evaded detection by Google’s data loss prevention systems.
  3. He also had a fellow employee use his access badge to scan into his assigned Google office building while he was in China conducting business activities using the stolen information.
  4. Ding was only investigated by Google when he uploaded files from the Google network to a second personal account while he was in the PRC, but his access was not subsequently limited. He arrived in China on October 29th, but his presence was not detected until December 8th, 2023.
  5. Google suspended his network access and remotely locked his laptop 27 days after the investigation began, three days after he resigned, and only when Google discovered that Ding had presented his business plan at a Beijing investor conference as CEO of a company that would focus on the same technology stolen from Google.

Lessons Learned

  1. The attack surface goes beyond narrow trust boundaries and access control for crown jewels and extends across distributed or 3rd-party networks and infrastructure.
  2. Malicious insiders may spend years in the firm enhancing their access and conducting covert collection – more overt indicators tend to only arise after the horse has left the barn.
  3. Correlating physical-access records with network detections, enhanced by AI, is necessary but not sufficient. Expert counterintelligence investigators must discern and mitigate at speed to reduce enterprise risk.
  4. Tradecraft for lone wolf commercial espionage is less sophisticated than a foreign intelligence operation, but it was nevertheless successful in this case – the accelerating economic returns from AI businesses will exponentially increase the financial incentive for insider employees to steal.
  5. Frontier model labs and other firms working on strategic and prized technologies should consider (as an ideal, if potentially unreachable goal) security controls that mirror those used to protect government special access programs, including strict compartmentalization, personal reliability examinations, travel monitoring and reporting, comprehensive network monitoring, and continuous insider threat hunting. Design programs with the future value of the tech in mind.
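Two of the indicators in the case above (badge scans at a U.S. office on days the employee was actually abroad, and bulk uploads from the corporate network to a personal cloud account) can be surfaced by correlating physical-access and network logs, the point made in lesson 3. The script below is an added illustration written for this brief; it is not PinnacleOne's or Google's tooling. The log lines, field names (`user`, `building`, `src_country`, `account_type`, `bytes`), the home country, and the 100 MiB upload threshold are all constructed assumptions for the example.

```python
"""Insider-threat correlation over constructed badge and network logs.

Added example, not tooling from PinnacleOne or Google. It flags:
  1. users whose network session originated from a country other than the
     home country on a day their badge was scanned on-site (badge sharing
     or remote access from abroad), and
  2. uploads from the corporate network to a personal cloud account that
     exceed a size threshold.
Log format and field names are assumptions for this example.
"""
from collections import defaultdict

# Constructed sample logs: 'TIMESTAMP key=value ...' per line (assumed format).
BADGE_LOG = """\
2023-11-02T08:41:00Z user=jdoe building=HQ-3 result=granted
2023-11-02T08:47:00Z user=asmith building=HQ-3 result=granted
2023-11-03T09:02:00Z user=jdoe building=HQ-3 result=granted
"""

NET_LOG = """\
2023-11-02T03:15:00Z user=jdoe event=vpn_login src_country=CN
2023-11-02T11:20:00Z user=asmith event=vpn_login src_country=US
2023-11-02T12:05:00Z user=jdoe event=upload dest=drive.example.com account_type=personal bytes=734003200
2023-11-03T10:30:00Z user=asmith event=upload dest=drive.example.com account_type=corporate bytes=52428800
2023-11-03T02:40:00Z user=jdoe event=vpn_login src_country=CN
"""

HOME_COUNTRY = "US"                          # country of the badge-controlled sites (assumed)
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024   # 100 MiB, an arbitrary example threshold


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts; 'day' is the YYYY-MM-DD prefix."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["day"] = ts_str[:10]
        events.append(ev)
    return events


def badge_presence(badge_events):
    """Map (user, day) -> set of buildings where that badge was granted entry."""
    presence = defaultdict(set)
    for ev in badge_events:
        if ev.get("result") == "granted":
            presence[(ev["user"], ev["day"])].add(ev["building"])
    return presence


def find_location_conflicts(badge_events, net_events):
    """Flag VPN logins from abroad on a day the same user's badge was scanned on-site."""
    presence = badge_presence(badge_events)
    findings = []
    for ev in net_events:
        if ev.get("event") != "vpn_login":
            continue
        key = (ev["user"], ev["day"])
        if key in presence and ev.get("src_country") != HOME_COUNTRY:
            findings.append({
                "user": ev["user"],
                "day": ev["day"],
                "buildings": sorted(presence[key]),
                "src_country": ev["src_country"],
            })
    return findings


def find_personal_cloud_uploads(net_events, threshold=UPLOAD_THRESHOLD_BYTES):
    """Flag uploads to personal cloud accounts at or above the size threshold."""
    findings = []
    for ev in net_events:
        if ev.get("event") == "upload" and ev.get("account_type") == "personal":
            size = int(ev.get("bytes", 0))
            if size >= threshold:
                findings.append({"user": ev["user"], "day": ev["day"],
                                 "dest": ev["dest"], "bytes": size})
    return findings


def run(badge_text=BADGE_LOG, net_text=NET_LOG):
    """Run both correlations over the supplied logs and return the findings."""
    badge_events = parse_log(badge_text)
    net_events = parse_log(net_text)
    return {
        "location_conflicts": find_location_conflicts(badge_events, net_events),
        "personal_uploads": find_personal_cloud_uploads(net_events),
    }


if __name__ == "__main__":
    for category, items in run().items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed logs this produces two location conflicts for `jdoe` (badge granted at HQ-3 on both days while the VPN login came from CN) and one oversized upload to a personal account. The day-level join is deliberately coarse: it catches a colleague scanning the badge on the employee's behalf, which a per-session impossible-travel check alone would not, and it keeps the triage queue short enough for an investigator to act on quickly.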

Insider Threat Mitigation

Firms should develop and assess a comprehensive set of insider threat scenarios tailored to their threat model, technical controls, organizational design, and internal culture. See below for some example threat scenarios that span nation-state and lone-wolf/commercial threat actor profiles, plausible targets and objectives, and attack paths/exploitation methods.

Insider Threat Scenarios for Security Control Validation and Program Assessment

These scenarios are by no means comprehensive but should serve as a starting point for firms to validate controls and develop a roadmap for process, technology, and organizational improvements. In 2022, PinnacleOne worked with a firm exiting Russia to test over 100 insider scenarios. We found their detection and response capabilities (alerts, triage, escalation, etc.) mostly inadequate. We are also currently helping a systemically important SaaS firm assess and improve their insider trust program.

Implications for Geopolitically Targeted Multinationals

China has an explicit strategy to target industries via insider and cyber espionage to transfer valuable IP and know-how that supports economic competitiveness and military capabilities. The set of firms that fall into this geopolitical bullseye are known, but the list is expanding and the political incentives to pursue more aggressive targeting will continue to grow.

Insider threats extend beyond IP theft and include intentional weakening of cybersecurity controls (e.g., cloud misconfigurations by IT insiders) or even covert sabotage of products or services (where such sabotage might support tactical objectives in a conflict scenario). The threat is real and growing.

A Close Up Look at the Consumer Data Broker Radaris

If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

Formed in 2009, Radaris is a vast people-search network for finding data on individuals, properties, phone numbers, businesses and addresses. Search for any American’s name in Google and the chances are excellent that a listing for them at Radaris.com will show up prominently in the results.

Radaris reports typically bundle a substantial amount of data scraped from public and court documents, including any current or previous addresses and phone numbers, known email addresses and registered domain names. The reports also list address and phone records for the target’s known relatives and associates. Such information could be useful if you were trying to determine the maiden name of someone’s mother, or successfully answer a range of other knowledge-based authentication questions.

Currently, consumer reports advertised for sale at Radaris.com are being fulfilled by a different people-search company called TruthFinder. But Radaris also operates a number of other people-search properties — like Centeda.com — that sell consumer reports directly and behave almost identically to TruthFinder: That is, reel the visitor in with promises of detailed background reports on people, and then charge a $34.99 monthly subscription fee just to view the results.

The Better Business Bureau (BBB) assigns Radaris a rating of “F” for consistently ignoring consumers seeking to have their information removed from Radaris’ various online properties. Of the 159 complaints detailed there in the last year, several were from people who had used third-party identity protection services to have their information removed from Radaris, only to receive a notice a few months later that their Radaris record had been restored.

What’s more, Radaris’ automated process for requesting the removal of your information requires signing up for an account, potentially providing more information about yourself that the company didn’t already have (see screenshot above).

Radaris has not responded to requests for comment.

Radaris, TruthFinder and others like them all force users to agree that their reports will not be used to evaluate someone’s eligibility for credit, or a new apartment or job. This language is so prominent in people-search reports because selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).

These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically do not include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).

But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and another people-search service Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.

An excerpt from the FTC’s complaint against TruthFinder and Instant Checkmate.

The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.

“All the while, the companies touted the accuracy of their reports in online ads and other promotional materials, claiming that their reports contain ‘the MOST ACCURATE information available to the public,’” the FTC noted. The FTC says, however, that all the information used in their background reports is obtained from third parties that expressly disclaim that the information is accurate, and that TruthFinder and Instant Checkmate take no steps to verify the accuracy of the information.

The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.

The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.

WHO IS RADARIS?

According to Radaris’ profile at the investor website Pitchbook.com, the company’s founder and “co-chief executive officer” is a Massachusetts resident named Gary Norden, also known as Gary Nard.

An analysis of email addresses known to have been used by Mr. Norden shows he is a native Russian man whose real name is Igor Lybarsky (also spelled Lubarsky). Igor’s brother Dmitry, who goes by “Dan,” appears to be the other co-CEO of Radaris. Dmitry Lybarsky’s Facebook/Meta account says he was born in March 1963.

The Lybarsky brothers Dmitry or “Dan” (left) and Igor a.k.a. “Gary,” in an undated photo.

Indirectly or directly, the Lybarskys own multiple properties in both Sherborn and Wellesley, Mass. However, the Radaris website is operated by an offshore entity called Bitseller Expert Ltd, which is incorporated in Cyprus. Neither Lybarsky brother responded to requests for comment.

A review of the domain names registered by Gary Norden shows that beginning in the early 2000s, he and Dan built an e-commerce empire by marketing prepaid calling cards and VOIP services to Russian expatriates who are living in the United States and seeking an affordable way to stay in touch with loved ones back home.

A Sherborn, Mass. property owned by Barsky Real Estate Trust and Dmitry Lybarsky.

In 2012, the main company in charge of providing those calling services — Wellesley Hills, Mass-based Unipoint Technology Inc. — was fined $179,000 by the U.S. Federal Communications Commission, which said Unipoint never applied for a license to provide international telecommunications services.

DomainTools.com shows the email address gnard@unipointtech.com is tied to 137 domains, including radaris.com. DomainTools also shows that the email addresses used by Gary Norden for more than two decades — epop@comby.com, gary@barksy.com and gary1@eprofit.com, among others — appear in WHOIS registration records for an entire fleet of people-search websites, including: centeda.com, virtory.com, clubset.com, kworld.com, newenglandfacts.com, and pub360.com.

Still more people-search platforms tied to Gary Norden — like publicreports.com and arrestfacts.com — currently funnel interested customers to third-party search companies, such as TruthFinder and PersonTrust.com.

The email addresses used by Gary Nard/Gary Norden are also connected to a slew of data broker websites that sell reports on businesses, real estate holdings, and professionals, including bizstanding.com, homemetry.com, trustoria.com, homeflock.com, rehold.com, difive.com and projectlab.com.

AFFILIATE & ADULT

Domain records indicate that Gary and Dan for many years operated a now-defunct pay-per-click affiliate advertising network called affiliate.ru. That entity used domain name servers tied to the aforementioned domains comby.com and eprofit.com, as did radaris.ru.

A machine-translated version of Affiliate.ru, a Russian-language site that advertised hundreds of money making affiliate programs, including the Comfi.com prepaid calling card affiliate.

Comby.com used to be a Russian language social media network that looked a great deal like Facebook. The domain now forwards visitors to Privet.ru (“hello” in Russian), a dating site that claims to have 5 million users. Privet.ru says it belongs to a company called Dating Factory, which lists offices in Switzerland. Privet.ru uses the Gary Norden domain eprofit.com for its domain name servers.

Dating Factory’s website says it sells “powerful dating technology” to help customers create unique or niche dating websites. A review of the sample images available on the Dating Factory homepage suggests the term “dating” in this context refers to adult websites. Dating Factory also operates a community called FacebookOfSex, as well as the domain analslappers.com.

RUSSIAN AMERICA

Email addresses for the Comby and Eprofit domains indicate Gary Norden operates an entity in Wellesley Hills, Mass. called RussianAmerican Holding Inc. (russianamerica.com). This organization is listed as the owner of the domain newyork.ru, which is a site dedicated to orienting newcomers from Russia to the Big Apple.

Newyork.ru’s terms of service refer to an international calling card company called ComFi Inc. (comfi.com) and list an address as PO Box 81362 Wellesley Hills, Ma. Other sites that include this address are russianamerica.com, russianboston.com, russianchicago.com, russianla.com, russiansanfran.com, russianmiami.com, russiancleveland.com and russianseattle.com (currently offline).

ComFi is tied to Comfibook.com, which was a search aggregator website that collected and published data from many online and offline sources, including phone directories, social networks, online photo albums, and public records.

The current website for russianamerica.com. Note the ad in the bottom left corner of this image for Channel One, a Russian state-owned media firm that is currently sanctioned by the U.S. government.

AMERICAN RUSSIAN MEDIA

Many of the U.S. city-specific online properties apparently tied to Gary Norden include phone numbers on their contact pages for a pair of Russian media and advertising firms based in southern California. The phone number 323-874-8211 appears on the websites russianla.com, russiasanfran.com, and rosconcert.com, which sells tickets to theater events performed in Russian.

Historic domain registration records from DomainTools show rosconcert.com was registered in 2003 to Unipoint Technologies — the same company fined by the FCC for not having a license. Rosconcert.com also lists the phone number 818-377-2101.

A phone number just a few digits away — 323-874-8205 — appears as a point of contact on newyork.ru, russianmiami.com, russiancleveland.com, and russianchicago.com. A search in Google shows this 82xx number range — and the 818-377-2101 number — belong to two different entities at the same UPS Store mailbox in Tarzana, Calif: American Russian Media Inc. (armediacorp.com), and Lamedia.biz.

Armediacorp.com is the home of FACT Magazine, a glossy Russian-language publication put out jointly by the American-Russian Business Council, the Hollywood Chamber of Commerce, and the West Hollywood Chamber of Commerce.

Lamedia.biz says it is an international media organization with more than 25 years of experience within the Russian-speaking community on the West Coast. The site advertises FACT Magazine and the Russian state-owned media outlet Channel One. Clicking the Channel One link on the homepage shows Lamedia.biz offers to submit advertising spots that can be shown to Channel One viewers. The price for a basic ad is listed at $500.

In May 2022, the U.S. government levied financial sanctions against Channel One that bar US companies or citizens from doing business with the company.

The website of lamedia.biz offers to sell advertising on two Russian state-owned media firms currently sanctioned by the U.S. government.

LEGAL ACTIONS AGAINST RADARIS

In 2014, a group of people sued Radaris in a class-action lawsuit claiming the company’s practices violated the Fair Credit Reporting Act. Court records indicate the defendants never showed up in court to dispute the claims, and as a result the judge eventually awarded the plaintiffs a default judgement and ordered the company to pay $7.5 million.

But the plaintiffs in that civil case had a difficult time collecting on the court’s ruling. In response, the court ordered the radaris.com domain name (~9.4M monthly visitors) to be handed over to the plaintiffs.

However, in 2018 Radaris was able to reclaim their domain on a technicality. Attorneys for the company argued that their clients were never named as defendants in the original lawsuit, and so their domain could not legally be taken away from them in a civil judgment.

“Because our clients were never named as parties to the litigation, and were never served in the litigation, the taking of their property without due process is a violation of their rights,” Radaris’ attorneys argued.

In October 2023, an Illinois resident filed a class-action lawsuit against Radaris for allegedly using people’s names for commercial purposes, in violation of the Illinois Right of Publicity Act.

On Feb. 8, 2024, a company called Atlas Data Privacy Corp. sued Radaris LLC for allegedly violating “Daniel’s Law,” a statute that allows New Jersey law enforcement, government personnel, judges and their families to have their information completely removed from people-search services and commercial data brokers. Atlas has filed at least 140 similar Daniel’s Law complaints against data brokers recently.

Daniel’s Law was enacted in response to the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge (his mother). In July 2020, a disgruntled attorney who had appeared before U.S. District Judge Esther Salas disguised himself as a Fedex driver, went to her home and shot and killed her son (the judge was unharmed and the assailant killed himself).

Earlier this month, The Record reported on Atlas Data Privacy’s lawsuit against LexisNexis Risk Data Management, in which the plaintiffs representing thousands of law enforcement personnel in New Jersey alleged that after they asked for their information to remain private, the data broker retaliated against them by freezing their credit and falsely reporting them as identity theft victims.

Another data broker sued by Atlas Data Privacy — pogodata.com — announced on Mar. 1 that it was likely shutting down because of the lawsuit.

“The matter is far from resolved but your response motivates us to try to bring back most of the names while preserving redaction of the 17,000 or so clients of the redaction company,” the company wrote. “While little consolation, we are not alone in the suit – the privacy company sued 140 property-data sites at the same time as PogoData.”

Atlas says its goal is to convince more states to pass similar laws, and to extend those protections to other groups such as teachers, healthcare personnel and social workers. Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states would limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.

PEOPLE-SEARCH CARVE-OUTS

There are some pending changes to the US legal and regulatory landscape that could soon reshape large swaths of the data broker industry. But experts say it is unlikely that any of these changes will affect people-search companies like Radaris.

On Feb. 28, 2024, the White House issued an executive order that directs the U.S. Department of Justice (DOJ) to create regulations that would prevent data brokers from selling or transferring abroad certain data types deemed too sensitive, including genomic and biometric data, geolocation and financial data, as well as other as-yet unspecified personal identifiers. The DOJ this week published a list of more than 100 questions it is seeking answers to regarding the data broker industry.

In August 2023, the Consumer Financial Protection Bureau (CFPB) announced it was undertaking new rulemaking related to data brokers.

Justin Sherman, an adjunct professor at Duke University, said neither the CFPB nor White House rulemaking will likely address people-search brokers because these companies typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

“These dossiers contain everything from individuals’ names, addresses, and family information to data about finances, criminal justice system history, and home and vehicle purchases,” Sherman wrote in an October 2023 article for Lawfare. “People search websites’ business pitch boils down to the fact that they have done the work of compiling data, digitizing it, and linking it to specific people so that it can be searched online.”

Sherman said while there are ongoing debates about whether people search data brokers have legal responsibilities to the people about whom they gather and sell data, the sources of this information — public records — are completely carved out from every single state consumer privacy law.

“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman wrote. “Tennessee’s consumer data privacy law, for example, stipulates that ‘personal information,’ a cornerstone of the legislation, does not include ‘publicly available information,’ defined as:

“…information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”

Sherman said this is the same language as the carve-out in the California privacy regime, which is often held up as the national leader in state privacy regulations. He said with a limited set of exceptions for survivors of stalking and domestic violence, even under California’s newly passed Delete Act — which creates a centralized mechanism for consumers to ask some third-party data brokers to delete their information — consumers across the board cannot exercise these rights when it comes to data scraped from property filings, marriage certificates, and public court documents, for example.

“With some very narrow exceptions, it’s either extremely difficult or impossible to compel these companies to remove your information from their sites,” Sherman told KrebsOnSecurity. “Even in states like California, every single consumer privacy law in the country completely exempts publicly available information.”

Below is a mind map that helped KrebsOnSecurity track relationships between and among the various organizations named in the story above:

A mind map of various entities apparently tied to Radaris and the company’s co-founders. Click to enlarge.

Identity Security | How Best to Strengthen Enterprise Security

Identity-related attacks are one of the most common vectors of compromise in modern cyber attacks. In these attacks, threat actors work to steal identities, impersonating real users so they can move laterally and access resources on the network. Identities with greater access and admin-level privileges to valuable data are most likely to be stolen or ransomed.

Enterprises often think they have identity security in place, but many solutions on the market only protect access, rather than digital identities or the greater identity infrastructure. Endpoint detection and response (EDR) and endpoint protection platform (EPP) solutions, for example, protect identity data only to the extent of detecting or stopping malicious tools attempting theft. However, most endpoint security solutions do not stop attackers from conducting identity-based attacks.

This blog post delves into how enterprises can strengthen their security tech stack with robust identity security that focuses on minimizing the identity attack surface, securing Active Directory (AD), and advanced detection and response for identity-based assets.

What Is Identity Security?

When asked what their company does for identity security, many practitioners bring up Identity and Access Management (IAM), Privileged Access Management (PAM), or Identity Governance and Administration (IGA) solutions. While useful, these solutions handle authentication, access management, and compliance requirements; they do not protect the identities and credentials themselves. Other solutions like multi-factor authentication (MFA) or Single Sign On (SSO) further secure the authentication process, but still leave identity data open to attack.

Let’s use an analogy to clarify. Suppose a network is an office building with many doors. When employees go to the office, they check in at the front desk to get an access badge showing they work there. As employees, they can open the doors, but the doors have locks. Employees need explicit permission to open these doors, signified on their access badges as colors matching the doors. They check out the key from a guard at each door to open the lock. The guard checks the colors on the access badge to confirm that the person has permission to get a key to open the door.

Relating this back to the fundamentals of identity security:

  • Authentication is checking in to get the access badge showing they are employees.
  • Access is having the proper color on the badge to get the key for the door.
  • IGA handles the procedures for granting access badges and provides an audit trail of who has access to which doors.
  • IAM is the guard checking the access badge to validate that the person has permission to get the key to open the door.
  • PAM is a specific color on the access badge for doors that lead to sensitive areas, with a particular key that the guard only gives to the appropriate people and a log book to sign in and out.
  • MFA is when a door requires a key and access code to open.
  • SSO is an access badge with multiple colors showing permission for several doors.

What happens if someone steals or copies a key or access badge? They can get access to the office. None of the controls mentioned above prevent this from happening. In this scenario, nothing stops an attacker from masquerading as a legitimate employee and entering the office.

Identity Security in the Security Stack

To continue with the analogy in the previous section, identity security is the safe that protects the keys and access badges themselves from theft and from being targeted by malicious parties. It is the secure lanyard that hides the access badge from view, so attackers cannot photograph and copy it. It can also be thought of as the additional precautions that protect the actual credentials so attackers are unable to take advantage of them.

Since there is no universally accepted definition of the term ‘identity security’, a working definition is a category of security controls focusing on securing identity data (such as credentials and passwords) and identity infrastructure (such as directory services like Active Directory).

Cybersecurity secures information systems and networks by reducing existing risk and then managing residual risk. Identity security is no different and provides two core capabilities:

  • Reducing existing risk by addressing identity attack surface vulnerabilities
  • Managing residual risk by detecting and responding to identity-based attacks

Identity security should cover identity data no matter where it resides, whether on the endpoint or on the network in Active Directory. It should be able to detect local credential theft, whether from the operating system (OS) or application credential storage, as well as any attempts to harvest identity data from domain controllers.
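One concrete form of the endpoint-side detection described above is watching for processes that open a handle to lsass.exe with memory-read rights, which is what credential dumpers such as procdump or Mimikatz need. The script below is an added example written for this page, not SentinelOne code; it runs the check over constructed Sysmon ProcessAccess (Event ID 10) records, and the allowlist of processes permitted to touch LSASS is an assumption that would be tuned per environment.

```python
"""Flag suspicious handle access to lsass.exe in Sysmon ProcessAccess (Event ID 10) records.

Added example, not SentinelOne's code. SAMPLE_EVENTS below is constructed to mimic the
fields Sysmon writes for Event ID 10; a real deployment would read them from the
Microsoft-Windows-Sysmon/Operational log.
"""
from dataclasses import dataclass

# Process access-right bits (winnt.h). Credential dumpers need at least VM_READ on LSASS.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that legitimately open LSASS with memory rights. Assumption: this list is
# illustrative and would be tuned per environment (AV/EDR engines, wininit, csrss ...).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Finding:
    source_image: str
    granted_access: int
    reason: str


def lsass_access_findings(events):
    """Return one Finding per Event ID 10 record in which a non-allowlisted process
    opened lsass.exe with rights sufficient to read (or write) its memory."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWLIST:
            continue
        mask = int(ev.get("GrantedAccess", "0x0"), 16)
        if mask == PROCESS_ALL_ACCESS:
            reason = "PROCESS_ALL_ACCESS handle to lsass.exe"
        elif mask & (PROCESS_VM_READ | PROCESS_VM_WRITE):
            reason = "memory read/write handle to lsass.exe"
        else:
            continue  # e.g. QUERY_LIMITED_INFORMATION only: cannot dump credentials
        findings.append(Finding(source, mask, reason))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\mimi.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\mimi.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for f in lsass_access_findings(SAMPLE_EVENTS):
        print(f"{f.source_image} (0x{f.granted_access:X}): {f.reason}")
```

Of the five constructed records, only the procdump64.exe and mimi.exe handles to lsass.exe are flagged: svchost.exe asks only for QUERY_LIMITED_INFORMATION (0x1000), the Defender engine is allowlisted, and the last record targets explorer.exe rather than LSASS.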

SentinelOne’s Singularity Identity and Ranger AD provide proactive and intelligent identity security capabilities in real-time, helping to reduce risk across the entire identity attack surface.

Ranger AD | How to Reduce Risks Originating from Active Directory

Ranger AD identifies vulnerabilities within Active Directory domain controllers and Entra ID (formerly Azure AD) tenants and provides remediation assistance to fix them. Ranger AD looks for weak settings, improper access control list entries on objects, and numerous insecure parameters in the AD database that attackers can exploit to progress their attacks.

For example, it can identify if an object has unrestricted rights to replicate the AD database, which enables a DCSync or DCShadow attack and, through the krbtgt hash obtained that way, a Golden Ticket. Ranger AD can identify if insecure protocols like Server Message Block version 1 (SMBv1) are still allowed. Further, it can flag an Entra ID account that has permission to invite external (guest) users into the tenant.

Ranger AD checks several hundred settings and can identify over 130 different vulnerabilities. It can automatically fix some of these vulnerabilities with its remediation scripting engine and provides the remediation steps and all references to understand vulnerabilities that require manual intervention. This significantly reduces the identity attack surface available for malicious activity and restricts the attacker’s ability to exploit those vulnerabilities to perform lateral movement.

Ranger AD-Protect is a bundled offering that provides attack detection capabilities for domain controllers. Using data inspection, event log analysis, and behavioral correlation, Ranger AD-Protect can detect attacks originating from any device on the network. It prevents Kerberos-based attacks and AD enumerations in real time. Some examples of these attacks are Golden and Silver Ticket attacks, Pass-the-Hash (PtH) attacks, and enumeration of critical AD users and groups. It is a simple solution that installs on the domain controller but provides critical detection capabilities.
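The replication-rights misconfiguration and the domain-controller detection described in the two paragraphs above meet in one audit record: a DCSync pulls secrets by exercising the DS-Replication-Get-Changes control-access rights on the domain naming context, which Windows logs as Security Event 4662 when directory service access auditing and a matching SACL are in place. The script below is an added example written for this page, not Ranger AD code; it runs that check over constructed 4662 records. The list of non-DC accounts allowed to replicate (such as an Entra Connect MSOL_* account) is an assumption to be tuned per domain, and the machine-account exclusion is a simplification that a stricter version would back with a lookup of the Domain Controllers OU.

```python
"""Flag DCSync-style directory replication requests in Security Event 4662 records.

Added example, not Ranger AD code. SAMPLE_EVENTS is constructed; real records require
"Audit Directory Service Access" plus a SACL on the domain naming context covering the
replication control-access rights, and are read from each domain controller's Security log.
"""

# Control-access right GUIDs that let a principal pull secrets via the replication protocol.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Non-DC accounts expected to replicate. Assumption: illustrative; an Entra Connect
# MSOL_* account or a backup product's service account would be listed here.
KNOWN_REPLICATORS = {r"corp\msol_1a2b3c4d"}


def dcsync_findings(events):
    """Return a finding for each 4662 record where a principal other than a machine
    account or known replicator exercised a replication control-access right."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("ObjectServer") != "DS":
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        subject = ev.get("SubjectDomainName", "") + "\\" + user
        # Domain controllers replicate with their computer accounts. A stricter check would
        # confirm the account is actually in the Domain Controllers OU (assumption noted).
        if user.endswith("$") or subject.lower() in KNOWN_REPLICATORS:
            continue
        findings.append({"subject": subject, "rights": rights,
                         "object": ev.get("ObjectName", "")})
    return findings


DOMAIN_NC = "DC=corp,DC=local"
SAMPLE_EVENTS = [  # constructed, not real audit data
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$", "ObjectName": DOMAIN_NC, "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP",
     "SubjectUserName": "MSOL_1a2b3c4d", "ObjectName": DOMAIN_NC, "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ObjectName": DOMAIN_NC, "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A property write on a user object: a non-replication GUID (constructed), not flagged.
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ObjectName": "CN=jdoe,CN=Users," + DOMAIN_NC,
     "AccessMask": "0x20",
     "Properties": "Write Property\n\t{bf967a7f-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for f in dcsync_findings(SAMPLE_EVENTS):
        print(f"{f['subject']} exercised {', '.join(f['rights'])} on {f['object']}")
```

Only the jdoe request against the domain naming context is reported: the DC02$ replication is normal inter-DC traffic, the MSOL_ account is on the known-replicator list, and the last record exercises a property write rather than a replication right. Pairing this with a periodic ACL review of who holds those three rights on the domain head closes the loop between the misconfiguration and its abuse.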

Singularity Identity | How to Stop Credential Misuse in Active Directory Environments

Singularity Identity secures identities by using concealment and misdirection. Singularity Identity conceals the locally stored credentials from discovery, whether memory-resident or stored locally in applications and the OS.

For example, attackers looking for credentials stored in Chrome, WINSCP, or dozens of supported applications will not find them. It also identifies AD queries attempting to harvest data from the domain controller, such as members of privileged groups, domain controllers, Service Principal Names, and more, and conceals the results. Singularity Identity then provides decoy identity data as lures and bait for local and AD objects so the attackers do not suspect anything is wrong and continue their activities. Attackers that fall for these baits and lures have their attack activity misdirected away from the production assets.

Singularity Identity generates an alert on the SentinelOne console when the attackers attempt to query AD for sensitive or privileged objects or when they try to enumerate and access locally stored credentials. This detection happens during the early part of the attack cycle, during the reconnaissance phase, and provides the earliest possible detection of any security control.

Since Singularity Identity is part of the SentinelOne agent, defenders receive market-leading, AI-driven EDR with first-in-class Identity Threat Detection and Response (ITDR) capabilities. By adding SentinelOne’s extensive cloud offerings, its native Singularity Data Lake, and Purple AI, security operation centers (SOCs) gain the ability to respond to enterprise-wide threats with natural language queries, AI-driven threat hunting, and the ability to look across data from every SentinelOne product and partner solution.

Conclusion

Today’s enterprises have centered their businesses around identity-based infrastructure to scale their day-to-day operations and develop in the long run. At the same time, identity continues to emerge as a principal target for threat actors who exploit vulnerabilities and misuse Active Directory, contributing to some of the most damaging ransomware attacks to date.

To secure the identity layer of their tech stacks, global organizations trust in SentinelOne to close identity-based gaps and build up resilience within their sensitive AD crown jewels. Learn more about SentinelOne’s identity security solutions or request a demo today.


BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

Image: Varonis.

In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.

On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-a-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.

“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”

Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.

Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.

On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.

BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.

However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.

The seizure notice now displayed on the BlackCat darknet website.

“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”

BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.

“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”

Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.

“The affiliates still have this data, and they’re mad they didn’t receive this money,” Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”

BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.

LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.

But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.

Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.

Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.

“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.

Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.

PinnacleOne Exec Brief | China’s AI-Enabled Cyber Capabilities

Last week, PinnacleOne examined how contractors like I-Soon (上海安洵) fit into the larger Chinese hacking ecosystem and highlighted key implications for business leaders.

This week, we focus on China’s application of emerging AI tools to augment their rapidly improving cyber capabilities and emphasize the urgency for defenders to keep pace.


Insight Focus: China’s AI-Enabled Cyber Capabilities

Highly capable nation state threat actors like China are looking to leverage AI to augment and accelerate their cyber operations. While we make this assessment with high confidence, the specific real-world effects will remain hard to discern and attribute. The UK’s National Cyber Security Centre found in a recent assessment that:

“AI is likely to assist with malware and exploit development, vulnerability research and lateral movement by making existing techniques more efficient. However, in the near term, these areas will continue to rely on human expertise, meaning that any limited uplift will highly likely be restricted to existing threat actors that are already capable. AI has the potential to generate malware that could evade detection by current security filters, but only if it is trained on quality exploit data. There is a realistic possibility that highly capable states have repositories of malware that are large enough to effectively train an AI model for this purpose.”

While use cases like deep fakes and synthetic media for influence operations are overt and more easily detectable, we believe that technical indicators that an attacker like China is using AI to augment other cyber activities may be sparse for some time. Instead, AI tools may improve offensive operations in a way not easily observed by the defender. This is owing to how adversaries are considering using AI for offense.

How China is Using AI for Cyber

Public research indicates that some universities connected to People’s Republic of China (PRC) security services host research institutes and PhDs working on applying AI to “APT attack and defense”. The topics covered by some of these schools include using AI to improve the pace at which software vulnerabilities are discovered – a capability that would improve PRC operational tempo, but which would not be easily discernible to defenders as an impact of AI.

OpenAI’s recent blog post identifying activities by specific threat actors on ChatGPT supports this analysis. Hacking teams used ChatGPT to help debug or write code, perform open source research on foreign intelligence agencies, and translate technical documents. None of the actions outlined by the blog would appear in technical indicators seen by defenders.

Similarly, China has begun hosting competitions to automate vulnerability discovery, exploitation, and patching – another process that would improve operational efficiency but go unseen by the defenders. The timeline below shows the competitions held to automate this process, including through the use of machine learning techniques. Many of the universities conducting research on AI and cyber attack and defense participated in these competitions.

Finally, it is clear that the PRC has built cyber ranges to build and test these capabilities. Peng Cheng Labs hosts a cyber range with significant computational resources, ties to the security services, and an interest in automating attack path decision making with AI. Another cyber range in China, Zhejiang Labs, had a researcher publish about using AI to improve attacks on industrial control systems (ICS).

Security Impact on Western Firms

None of the technologies being researched by actors in the PRC and covered here would provide technical indicators that AI was used to enable the attack. Instead, vulnerabilities discovered and exploited – and the attack paths taken by attackers – will continue to look “normal.”

Near term, evidence of AI in offensive operations may only be discernible in the operational pace and efficiency of operations – analysis that would require more complete knowledge of PRC hacking operations than any one cybersecurity firm may possess.

The impact of China’s efforts will be to accelerate the pace and effectiveness of their overall cyber operations. This will exacerbate the existing significant challenge the U.S. and its allies already face in confronting broad-scale and aggressive PRC cyber activity. It should motivate a sense of urgency in driving development and adoption of AI-enabled defensive tools and capabilities by public and private organizations across the Western world.

The Good, the Bad and the Ugly in Cybersecurity – Week 9

The Good | US Bans Sale Of Personal Data To China & Others

The Biden administration this week took steps to ban data brokers from trading personal information of U.S. citizens to nations on a list of ‘countries of concern’, currently expected to be China, Russia, Iran, North Korea, Cuba and Venezuela. The Executive Order to protect Americans’ sensitive personal data was issued on Wednesday.

The government says that hostile foreign powers are leveraging AI to weaponize sensitive data bought in bulk from commercial data brokers. The data is then used for surveillance, scams, blackmail and privacy violations. Authoritarian governments can make use of such data to target journalists, dissidents and political activists.

AG Merrick Garland said that the EO will allow the Justice Department to block countries that pose a threat to U.S. national security and prevent them from harvesting sensitive personal data such as personal health and financial data, biometrics and genomic data. However, critics say the EO doesn’t go far enough and fails to prevent other countries from harvesting the same data and exposing it to those in the prescribed list.

The Justice Department says the EO is a ‘targeted national security measure’ aimed at blocking specific adversaries. The EO also allows the program to exempt certain categories of data from the transfer ban, “such as those ordinarily incident to financial services, in order to allow low-risk commercial activity to continue unimpeded”.

The exact scope of the regulations will be worked out in an ANPRM, which is open to public comment.

The Bad | BlackCat is Back, LockBit Lingers On

Law enforcement action to take down ransomware operators looks to have suffered a setback this week as authorities warn that BlackCat RaaS has embarked on a new campaign targeting the healthcare sector. Meanwhile, despite last week’s high-profile raid on LockBit, the gang appears to be still in business.

First appearing in November 2021, BlackCat has established itself as one of the most prolific ransomware threats today. The advisory describes how BlackCat (aka ALPHV) affiliates use advanced social engineering techniques to gain initial access. These include posing as helpdesk or IT staff and using phone calls and smishing techniques to steal credentials from employees.

Once inside the target network, the threat actors use remote access software such as AnyDesk and Splashtop to facilitate data exfiltration. Dropbox and Mega have also been observed as vehicles to move or download victim data. CobaltStrike and Brute Ratel C4 are used to beacon out to the attackers’ C2.

BlackCat ransomware execution chain (Windows version)

According to CISA, some affiliates extort victims solely through threats to expose stolen data, while others deploy ransomware to lock files and systems as well. In both cases, data is either deleted or destroyed unless the victims have backups or rollback systems in place.

In December, the Justice Department announced that it had severely disrupted BlackCat/ALPHV by seizing its infrastructure and releasing a decryptor; however, it appears the gang has been able to recover. Similarly, LockBit operators have this week responded to last week’s seizure of its infrastructure by publishing links to a new blog and data leak site and issuing a rambling rebuttal of claims that it was no longer operational.

The cat-and-mouse will inevitably continue; meanwhile, organizations can take proactive steps to exempt themselves from the cybercrime cycle by implementing recommended security controls.

The Ugly | APT29 Targeting Cloud for Initial Access

Russian intelligence agency SVR (aka APT29, NobleBaron, The Dukes), the advanced threat actor behind the SolarWinds breach among others, is now targeting cloud services for initial access, the U.K.’s National Cyber Security Centre warned this week.

In a move that mirrors the wider enterprise trend away from on-prem servers in favor of cloud infrastructure, the Russian-backed threat actor has looked to supplement its traditional means of initial access such as exploiting software vulnerabilities with cloud-specific techniques and tactics.

The NCSC says these tactics include targeting service accounts with brute force and password spraying attacks. Service accounts with weak or default credentials are attractive since they cannot be protected with MFA as there is no human user to authenticate them. Dormant or inactive accounts, such as when an employee has left but the account has not been deactivated, have also been targeted.

Other tactics observed include stealing cloud-based authentication tokens. Once authenticated, these tokens remain valid for a period of time without needing further authentication. Once the SVR operators have gained initial access, they will frequently enroll new devices on the cloud tenant.

Tactic | ID | Technique | Procedure
Credential Access | T1110 | Brute Forcing | The SVR use password spraying and brute forcing as an initial infection vector.
Initial Access | T1078.004 | Valid Accounts: Cloud Accounts | The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts.
Credential Access | T1528 | Steal Application Access Token | The SVR use stolen access tokens to log in to accounts without the need for passwords.
Credential Access | T1621 | Multi-Factor Authentication Request Generation | The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing SVR access to the account.
Command and Control | T1090.002 | Proxy: External Proxy | The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs.
Persistence | T1098.005 | Account Manipulation: Device Registration | The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts.

In light of these tactical changes, defenders are advised to ensure that MFA and 2SV (two-step verification) are used wherever possible; that token validity periods are set to a minimum; and that user and system accounts are regularly reviewed and dormant or inactive accounts removed. Further detailed mitigations are provided by the NCSC in its advisory.
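The TTP table and the NCSC mitigations above describe what to look for in cloud sign-in telemetry, but not how a defender would actually check for it. The following is an added example, not code from the NCSC advisory or from SentinelOne, that runs three of those checks over a handful of constructed sign-in events: password spraying from a single source (T1110), accounts that have been dormant for longer than a review threshold, and a device registration shortly after a successful sign-in from a source that had previously failed against the same account (T1098.005). The event format, field names, thresholds and sample IPs are all assumptions for the example; real tenants expose these fields under different names in their sign-in and audit logs.

```python
"""Sample detections for the SVR cloud tactics described above.
Added example; the event schema, thresholds and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, source IP, event kind, result).
# Not real telemetry; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice",      "203.0.113.10", "signin",          "fail"),
    ("2024-03-01T09:00:05", "bob",        "203.0.113.10", "signin",          "fail"),
    ("2024-03-01T09:00:09", "carol",      "203.0.113.10", "signin",          "fail"),
    ("2024-03-01T09:00:14", "svc-backup", "203.0.113.10", "signin",          "fail"),
    ("2024-03-01T09:00:20", "svc-backup", "203.0.113.10", "signin",          "success"),
    ("2024-03-01T09:25:00", "svc-backup", "203.0.113.10", "device_register", "success"),
    ("2024-03-01T10:00:00", "alice",      "198.51.100.7", "signin",          "success"),
    ("2023-11-15T08:00:00", "dave",       "198.51.100.8", "signin",          "success"),
]


def parse_events(raw):
    """Turn the tuples above into dicts with real datetimes, sorted by time."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "user": u, "ip": ip, "kind": k, "result": r}
        for ts, u, ip, k, r in raw
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=3):
    """T1110: one source IP failing against >= min_accounts distinct accounts
    inside a sliding time window. Returns [(ip, sorted usernames)]."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "signin" and e["result"] == "fail":
            fails[e["ip"]].append(e)
    alerts = []
    for ip, evs in fails.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.append((ip, sorted(users)))
                break  # one alert per source IP is enough
    return alerts


def find_dormant_accounts(events, now, max_idle=timedelta(days=90)):
    """Accounts whose last successful sign-in is older than max_idle; candidates
    for review or removal. Accounts with no successful sign-in at all in the
    data are not listed, so pair this with a directory export in practice."""
    last_ok = {}
    for e in events:
        if e["kind"] == "signin" and e["result"] == "success":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    return sorted(u for u, ts in last_ok.items() if now - ts > max_idle)


def detect_registration_after_suspect_access(events, window=timedelta(hours=1)):
    """T1098.005: a device registered within `window` of a successful sign-in
    from an IP that had earlier failed against the same account, the shape a
    sprayed-then-compromised service account leaves behind. Returns
    [(user, ip, registration timestamp)]."""
    alerts = []
    for i, e in enumerate(events):
        if e["kind"] != "device_register":
            continue
        prior = [p for p in events[:i] if p["user"] == e["user"] and p["kind"] == "signin"]
        for ok in prior:
            recent = ok["result"] == "success" and e["ts"] - ok["ts"] <= window
            failed_before = any(p["ip"] == ok["ip"] and p["result"] == "fail" for p in prior)
            if recent and failed_before:
                alerts.append((e["user"], ok["ip"], e["ts"].isoformat()))
                break
    return alerts


def run_detections(raw, now):
    """Run all three checks and return their findings in one dict."""
    events = parse_events(raw)
    return {
        "password_spray": detect_password_spray(events),
        "dormant_accounts": find_dormant_accounts(events, now),
        "suspect_device_registration": detect_registration_after_suspect_access(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS, datetime(2024, 3, 2)).items():
        print(f"{name}: {hits}")
```

The spray detector keys on the source IP, which is exactly what the external-proxy technique (T1090.002) in the table is meant to defeat: an actor rotating through residential proxies spreads the failures across many IPs and stays under the per-IP threshold. A second aggregation by target account count per minute, or by user-agent and ASN, is the usual complement. The dormant-account check only sees accounts that have signed in at least once in the retained logs, so the authoritative review must start from the directory, not from the log.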