Identity Security | How Best to Strengthen Enterprise Security

Identity-related attacks are one of the most common vectors of compromise in modern cyber attacks. In these attacks, threat actors work to steal identities, impersonating real users so they can move laterally and access resources on the network. Identities with greater access and admin-level privileges to valuable data are most likely to be stolen or ransomed.

Enterprises often think they have identity security in place, but many solutions on the market only protect access, rather than digital identities or the greater identity infrastructure. Endpoint detection and response (EDR) and endpoint protection platform (EPP) solutions, for example, protect identity data only to the extent of detecting or stopping malicious tools attempting theft. However, most endpoint security solutions do not stop attackers from conducting identity-based attacks.

This blog post delves into how enterprises can strengthen their security tech stack with robust identity security that focuses on minimizing the identity attack surface, securing Active Directory (AD), and advanced detection and response for identity-based assets.

What Is Identity Security?

When asked what their company does for identity security, many frequently bring up Identity and Access Management (IAM), Privileged Access Management (PAM), or Identity Governance and Administration (IGA) solutions. While useful, these solutions are for authentication, access management, and compliance requirements; they do not protect identities and credentials. Other solutions like multi-factor authentication (MFA) or Single Sign On (SSO) further secure the authentication process, but still leave identity data open to attack.

Let’s use an analogy to clarify. Suppose a network is an office building with many doors. When employees go to the office, they check in at the front desk to get an access badge showing they work there. As an employee, they can open the doors, but the doors have locks. Employees need explicit permission to open these doors, signified on their access badges as colors matching the doors. They check out the key from a guard at each door to open the lock. The guard checks the colors on the access badge to confirm that the person has permission to get a key to open the door.

Relating this back to the fundamentals of identity security:

  • Authentication is checking in to get the access badge showing they are employees.
  • Access is having the proper color on the badge to get the key for the door.
  • IGA handles procedures to grant access badges and provides an audit trail of who has access to the door.
  • IAM is the guard checking the access badge to validate that the person has permission to get the key to open the door.
  • PAM is a specific color on the access badge for doors that lead to sensitive areas, with a particular key that the guard only gives to the appropriate people and a log book to sign in and out.
  • MFA is when a door requires a key and access code to open.
  • SSO is an access badge with multiple colors showing permission for several doors.

What happens if someone steals or copies a key or access badge? They can get access to the office. None of the controls mentioned above prevent this from happening. In this scenario, nothing stops an attacker from masquerading as a legitimate employee and entering the office.

Identity Security in the Security Stack

To continue with the analogy in the previous section, identity security is the safe that protects the keys and access cards themselves from unwanted targeting by malicious parties and outright theft. It is a secure lanyard that hides the access badge from view, so attackers cannot take pictures and copy it. It can also be thought of as additional precautions that protect the actual credentials so attackers are unable to take advantage of them.

Since there is no universally accepted definition of the term ‘identity security’, a working definition is a category of security controls focusing on securing identity data (such as credentials and passwords) and identity infrastructure (such as directory services like Active Directory).

Cybersecurity secures information systems and networks by reducing existing risk and then managing residual risk. Identity security is no different and provides two core capabilities:

  • Reducing existing risk by addressing identity attack surface vulnerabilities
  • Managing residual risk by detecting and responding to identity-based attacks

Identity security should cover identity data no matter where it resides, whether on the endpoint or on the network in Active Directory. It should be able to detect local credential theft, whether from the operating system (OS) or application credential storage, as well as any attempts to harvest identity data from domain controllers.

SentinelOne’s Singularity Identity and Ranger AD provide proactive and intelligent identity security capabilities in real-time, helping to reduce risk across the entire identity attack surface.

Ranger AD | How to Reduce Risks Originating from Active Directory

Ranger AD identifies vulnerabilities within the Active Directory and Entra ID (formerly Azure AD) domain controllers and provides remediation assistance to fix them. Ranger AD looks for weak settings, improper access control list entries on objects, and numerous insecure parameters in the AD database that attackers can exploit to progress their attacks.

For example, it can identify if an object has unrestricted rights to replicate the AD database, which can lead to a Golden Ticket, DCSync, or DCShadow attack. Ranger AD can identify if insecure protocols like Server Message Block (SMBv1) are still allowed. Further, it can flag an Entra ID account that has permission to allow external users to access the Azure cloud instance.

Ranger AD checks several hundred settings and can identify over 130 different vulnerabilities. It can automatically fix some of these vulnerabilities with its remediation scripting engine and provides the remediation steps and all references to understand vulnerabilities that require manual intervention. This significantly reduces the identity attack surface available for malicious activity and restricts the attacker’s ability to exploit those vulnerabilities to perform lateral movement.
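The replication-rights check described above (the precondition for a DCSync-style attack) can be reproduced from an exported domain ACL. The following is an added example written for this post, not Ranger AD code: it inspects the access control entries on the domain naming context for the two extended rights that permit directory replication and reports any trustee that is not on an expected allow-list. The ACE records, the `CORP` domain and the allow-list are constructed; in practice the ACL would be exported from the domain head (for instance with `Get-Acl` against the AD drive in PowerShell).

```python
"""Audit Active Directory replication rights on the domain head.

Added example, not Ranger AD code. The ACE records and allow-list below are
constructed for illustration.
"""
from dataclasses import dataclass

# Well-known extended-right GUIDs that together allow directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals that legitimately hold replication rights in a default domain
# (constructed allow-list; adjust to the environment being audited).
EXPECTED_TRUSTEES = {
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "CORP\\Domain Controllers",
    "CORP\\Enterprise Admins",
    "CORP\\Domain Admins",
    "BUILTIN\\Administrators",
}


@dataclass(frozen=True)
class Ace:
    trustee: str
    access_type: str   # "Allow" or "Deny"
    object_type: str   # extended-right GUID, or "" for generic rights
    rights: str        # e.g. "ExtendedRight", "GenericAll", "WriteDacl"


# Constructed sample ACL: default entries plus two grants that warrant review.
SAMPLE_ACL = [
    Ace("CORP\\Domain Controllers", "Allow", DS_REPLICATION_GET_CHANGES_ALL, "ExtendedRight"),
    Ace("CORP\\Enterprise Admins", "Allow", DS_REPLICATION_GET_CHANGES_ALL, "ExtendedRight"),
    Ace("CORP\\Domain Admins", "Allow", DS_REPLICATION_GET_CHANGES, "ExtendedRight"),
    Ace("CORP\\svc-backup", "Allow", DS_REPLICATION_GET_CHANGES_ALL, "ExtendedRight"),
    Ace("CORP\\svc-backup", "Allow", DS_REPLICATION_GET_CHANGES, "ExtendedRight"),
    Ace("CORP\\helpdesk-tier1", "Allow", "", "GenericAll"),
    Ace("CORP\\Domain Users", "Allow", "", "ReadProperty"),
]


def can_replicate(ace: Ace) -> bool:
    """True if this ACE lets its trustee replicate the directory.

    A direct grant of either replication right counts, and so do
    GenericAll / WriteDacl / WriteOwner on the domain head, because the
    trustee could grant the replication rights to itself.
    """
    if ace.access_type != "Allow":
        return False
    if ace.object_type.lower() in REPLICATION_RIGHTS:
        return True
    return ace.rights in {"GenericAll", "WriteDacl", "WriteOwner"}


def find_unexpected_replicators(acl, expected=EXPECTED_TRUSTEES):
    """Sorted list of trustees that can replicate but are not on the allow-list."""
    found = {ace.trustee for ace in acl if can_replicate(ace)}
    return sorted(found - expected)


if __name__ == "__main__":
    for trustee in find_unexpected_replicators(SAMPLE_ACL):
        print(f"review: {trustee} holds replication-capable rights on the domain head")
```

The check deliberately treats control rights (GenericAll, WriteDacl, WriteOwner) on the domain head as equivalent to a replication grant, since either lets the holder add the replication rights later. It does not model Deny entries or inherited ACEs, so a finding is a prompt for review rather than a confirmed exposure.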

Ranger AD-Protect is a bundled offering that provides attack detection capabilities for domain controllers. Using data inspection, event log analysis, and behavioral correlation, Ranger AD-Protect can detect attacks originating from any device on the network. It prevents Kerberos-based attacks and AD enumerations in real time. Some examples of these attacks are Golden and Silver Ticket attacks, Pass-the-Hash (PtH) attacks, and enumeration of critical AD users and groups. It is a simple solution that installs on the domain controller but provides critical detection capabilities.

Singularity Identity | How to Stop Credential Misuse in Active Directory Environments

Singularity Identity secures identities by using concealment and misdirection. Singularity Identity conceals the locally stored credentials from discovery, whether memory-resident or stored locally in applications and the OS.

For example, attackers looking for credentials stored in Chrome, WINSCP, or dozens of supported applications will not find them. It also identifies AD queries attempting to harvest data from the domain controller, such as members of privileged groups, domain controllers, Service Principal Names, and more, and conceals the results. Singularity Identity then provides decoy identity data as lures and bait for local and AD objects so the attackers do not suspect anything is wrong and continue their activities. Attackers that fall for these baits and lures have their attack activity misdirected away from the production assets.

Singularity Identity generates an alert on the SentinelOne console when the attackers attempt to query AD for sensitive or privileged objects or when they try to enumerate and access locally stored credentials. This detection happens during the early part of the attack cycle, during the reconnaissance phase, and provides the earliest possible detection of any security control.

Since Singularity Identity is part of the SentinelOne agent, defenders receive market-leading, AI-driven EDR with first-in-class Identity Threat Detection and Response (ITDR) capabilities. By adding SentinelOne’s extensive cloud offerings, its native Singularity Data Lake, and Purple AI, security operation centers (SOCs) gain the ability to respond to enterprise-wide threats with natural language queries, AI-driven threat hunting, and the ability to look across data from every SentinelOne product and partner solution.

Conclusion

Today’s enterprises have centered their businesses around identity-based infrastructure to scale their day-to-day operations and develop in the long run. At the same time, identity continues to emerge as a principal target for threat actors who exploit vulnerabilities and misuse Active Directory, contributing to some of the most damaging ransomware attacks to date.

To secure the identity layer of their tech stacks, global organizations trust in SentinelOne to close identity-based gaps and build up resilience within their sensitive AD crown jewels. Learn more about SentinelOne’s identity security solutions or request a demo today.


BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

Image: Varonis.

In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.

On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.

“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”

Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.

Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.

On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.

BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.

However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.

The seizure notice now displayed on the BlackCat darknet website.

“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”

BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.

“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”

Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.

“The affiliates still have this data, and they’re mad they didn’t receive this money,” Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”

BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.

LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.

But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.

Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.

Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.

“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.

Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.

PinnacleOne Exec Brief | China’s AI-Enabled Cyber Capabilities

Last week, PinnacleOne examined how contractors like I-Soon (上海安洵) fit into the larger Chinese hacking ecosystem and highlighted key implications for business leaders.

This week, we focus on China’s application of emerging AI tools to augment their rapidly improving cyber capabilities and emphasize the urgency for defenders to keep pace.

Please subscribe to read future issues – and forward this newsletter to your colleagues to get them to sign up as well.

Feel free to contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus: China’s AI-Enabled Cyber Capabilities

Highly capable nation state threat actors like China are looking to leverage AI to augment and accelerate their cyber operations. While we make this assessment with high confidence, the specific real-world effects will remain hard to discern and attribute. The UK’s National Cyber Security Centre found in a recent assessment that:

“AI is likely to assist with malware and exploit development, vulnerability research and lateral movement by making existing techniques more efficient. However, in the near term, these areas will continue to rely on human expertise, meaning that any limited uplift will highly likely be restricted to existing threat actors that are already capable. AI has the potential to generate malware that could evade detection by current security filters, but only if it is trained on quality exploit data. There is a realistic possibility that highly capable states have repositories of malware that are large enough to effectively train an AI model for this purpose.”

While use cases like deep fakes and synthetic media for influence operations are overt and more easily detectable, we believe that technical indicators that an attacker like China is using AI to augment other cyber activities may be sparse for some time. Instead, AI tools may improve offensive operations in a way not easily observed by the defender. This is owing to how adversaries are considering using AI for offense.

How China is Using AI for Cyber

Public research indicates that some universities connected to People’s Republic of China (PRC) security services host research institutes and PhDs working on applying AI to “APT attack and defense”. Among the topics covered by some of these schools include using AI to improve the pace at which software vulnerabilities are discovered – a capability that would improve PRC operational tempo, but which would not be easily discernible as an impact of AI by the defenders.

OpenAI’s recent blog post identifying activities by specific threat actors on ChatGPT supports this analysis. Hacking teams used ChatGPT to help debug or write code, perform open source research on foreign intelligence agencies, and translate technical documents. None of the actions outlined by the blog would appear in technical indicators seen by defenders.

Similarly, China has begun hosting competitions to automate vulnerability discovery, exploitation, and patching – another process that would improve operational efficiency but go unseen by the defenders. The timeline below shows the competitions held to automate this process, including through the use of machine learning techniques. Many of the universities conducting research on AI and cyber attack and defense participated in these competitions.

Finally, it is clear that the PRC has built cyber ranges to build and test these capabilities. Peng Cheng Labs hosts a cyber range with significant computational resources, ties to the security services, and an interest in automating attack path decision making with AI. Another cyber range in China, Zhejiang Labs, had a researcher publish about using AI to improve attacks on industrial control systems (ICS).

Security Impact on Western Firms

None of the technologies being researched by actors in the PRC and covered here would provide technical indicators that AI was used to enable the attack. Instead, vulnerabilities discovered and exploited – and the attack paths taken by attackers – will continue to look “normal.”

Near term, evidence of AI in offensive operations may only be discernible in the operational pace and efficiency of operations – analysis that would require more complete knowledge of PRC hacking operations than any one cybersecurity firm may possess.

The impact of China’s efforts will be to accelerate the pace and effectiveness of their overall cyber operations. This will exacerbate the existing significant challenge the U.S. and its allies already face in confronting broad-scale and aggressive PRC cyber activity. It should motivate a sense of urgency in driving development and adoption of AI-enabled defensive tools and capabilities by public and private organizations across the Western world.

The Good, the Bad and the Ugly in Cybersecurity – Week 9

The Good | US Bans Sale Of Personal Data To China & Others

The Biden administration this week took steps to ban data brokers from trading personal information of U.S. citizens to nations on a list of ‘countries of concern’, currently expected to be China, Russia, Iran, North Korea, Cuba and Venezuela. The Executive Order to protect Americans’ sensitive personal data was issued on Wednesday.

The government says that hostile foreign powers are leveraging AI to weaponize sensitive data bought in bulk from commercial data brokers. The data is then used for surveillance, scams, blackmail and privacy violations. Authoritarian governments can make use of such data to target journalists, dissidents and political activists.

AG Merrick Garland said that the EO will allow the Justice Department to block countries that pose a threat to U.S. national security and prevent them from harvesting sensitive personal data such as personal health and financial data, biometrics and genomic data. However, critics say the EO doesn’t go far enough and fails to prevent other countries from harvesting the same data and exposing it to those in the prescribed list.

The Justice Department says the EO is a ‘targeted national security measure’ aimed at blocking specific adversaries. The EO also allows the program to exempt certain categories of data from the transfer ban, “such as those ordinarily incident to financial services, in order to allow low-risk commercial activity to continue unimpeded”.

The exact scope of the regulations will be worked out in an Advance Notice of Proposed Rulemaking (ANPRM), which is open to public comment.

The Bad | BlackCat is Back, LockBit Lingers On

Law enforcement action to take down ransomware operators looks to have suffered a setback this week as authorities warn that the BlackCat RaaS has embarked on a new campaign targeting the healthcare sector. Meanwhile, despite last week’s high-profile raid on LockBit, the gang appears to be still in business.

First appearing in November 2021, BlackCat has established itself as one of the most prolific ransomware threats today. The advisory describes how BlackCat (aka ALPHV) affiliates use advanced social engineering techniques to gain initial access. These include posing as helpdesk or IT staff and using phone calls and smishing techniques to steal credentials from employees.

Once inside the target network, the threat actors use remote access software such as AnyDesk and Splashtop to facilitate data exfiltration. Dropbox and Mega have also been observed as vehicles to move or download victim data. Cobalt Strike and Brute Ratel C4 are used to beacon out to the attackers’ command-and-control (C2) infrastructure.

BlackCat ransomware execution chain (Windows version)

According to CISA, some affiliates extort victims solely through threats to expose stolen data, while others deploy ransomware to lock files and systems as well. In both cases, data is either deleted or destroyed unless the victims have backups or rollback systems in place.

In December, the Justice Department announced that it had severely disrupted BlackCat/ALPHV by seizing its infrastructure and releasing a decryptor; however, it appears the gang has been able to recover. Similarly, LockBit operators have this week responded to last week’s seizure of its infrastructure by publishing links to a new blog and data leak site and issuing a rambling rebuttal of claims that it was no longer operational.

The cat-and-mouse will inevitably continue; meanwhile, organizations can take proactive steps to exempt themselves from the cybercrime cycle by implementing recommended security controls.

The Ugly | APT29 Targeting Cloud for Initial Access

The advanced threat actor behind the SolarWinds breach among others, Russian intelligence agency SVR (aka APT29, NobleBaron, The Dukes), is now targeting cloud services for initial access, the U.K.’s National Cyber Security Centre warned this week.

In a move that mirrors the wider enterprise trend away from on-prem servers in favor of cloud infrastructure, the Russian-backed threat actor has looked to supplement its traditional means of initial access such as exploiting software vulnerabilities with cloud-specific techniques and tactics.

The NCSC says these tactics include targeting service accounts with brute force and password spraying attacks. Service accounts with weak or default credentials are attractive since they cannot be protected with MFA as there is no human user to authenticate them. Dormant or inactive accounts, such as when an employee has left but the account has not been deactivated, have also been targeted.

Other tactics observed include stealing cloud-based authentication tokens. Once authenticated, these tokens remain valid for a period of time without needing further authentication. Once the SVR operators have gained initial access, they will frequently enroll new devices on the cloud tenant.

| Tactic | ID | Technique | Procedure |
|---|---|---|---|
| Credential Access | T1110 | Brute forcing | The SVR use password spraying and brute forcing as an initial infection vector. |
| Initial Access | T1078.004 | Valid Accounts: Cloud Accounts | The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts. |
| Credential Access | T1528 | Steal Application Access Token | The SVR use stolen access tokens to log in to accounts without the need for passwords. |
| Credential Access | T1621 | Multi-Factor Authentication Request Generation | The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing SVR access to the account. |
| Command and Control | T1090.002 | Proxy: External Proxy | The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs. |
| Persistence | T1098.005 | Account Manipulation: Device Registration | The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts. |

In light of these tactical changes, defenders are advised to ensure that MFA and 2SV (two-step verification) are used wherever possible; that token validity periods are set to a minimum, and that user and system accounts are regularly reviewed and dormant or inactive accounts removed. Further detailed mitigations are provided by NCSC here.
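Three of the behaviours in the table and the mitigations above (password spraying, MFA request flooding, and dormant accounts that should have been removed) are straightforward to check for in cloud sign-in logs. The block below is an added example, not NCSC or SentinelOne code; the JSON-lines sign-in records, field names (`ts`, `user`, `ip`, `result`, `mfa`), thresholds and tenant account list are all constructed assumptions, since real tenants export richer and vendor-specific schemas.

```python
"""Sign-in log checks for the SVR cloud tactics listed by the NCSC.

Added example, not NCSC or SentinelOne code. Log records, field names and
thresholds are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log (JSON lines, UTC timestamps).
SAMPLE_LOG = """
{"ts":"2024-03-01T08:00:01Z","user":"alice","ip":"203.0.113.10","result":"failure","mfa":"none"}
{"ts":"2024-03-01T08:00:07Z","user":"bob","ip":"203.0.113.10","result":"failure","mfa":"none"}
{"ts":"2024-03-01T08:00:13Z","user":"carol","ip":"203.0.113.10","result":"failure","mfa":"none"}
{"ts":"2024-03-01T08:00:19Z","user":"dave","ip":"203.0.113.10","result":"failure","mfa":"none"}
{"ts":"2024-03-01T08:00:25Z","user":"erin","ip":"203.0.113.10","result":"failure","mfa":"none"}
{"ts":"2024-03-01T08:00:31Z","user":"svc-sync","ip":"203.0.113.10","result":"success","mfa":"none"}
{"ts":"2024-03-01T09:10:00Z","user":"frank","ip":"198.51.100.7","result":"failure","mfa":"prompt_sent"}
{"ts":"2024-03-01T09:11:00Z","user":"frank","ip":"198.51.100.7","result":"failure","mfa":"prompt_sent"}
{"ts":"2024-03-01T09:12:00Z","user":"frank","ip":"198.51.100.7","result":"failure","mfa":"prompt_sent"}
{"ts":"2024-03-01T09:13:00Z","user":"frank","ip":"198.51.100.7","result":"failure","mfa":"prompt_sent"}
{"ts":"2024-03-01T09:14:30Z","user":"frank","ip":"198.51.100.7","result":"success","mfa":"approved"}
{"ts":"2024-03-01T09:30:00Z","user":"alice","ip":"192.0.2.44","result":"success","mfa":"approved"}
{"ts":"2024-02-27T10:00:00Z","user":"bob","ip":"192.0.2.44","result":"success","mfa":"approved"}
{"ts":"2024-02-27T10:05:00Z","user":"carol","ip":"192.0.2.44","result":"success","mfa":"approved"}
{"ts":"2024-02-27T10:10:00Z","user":"dave","ip":"192.0.2.44","result":"success","mfa":"approved"}
{"ts":"2024-02-27T10:15:00Z","user":"erin","ip":"192.0.2.44","result":"success","mfa":"approved"}
{"ts":"2023-10-02T12:00:00Z","user":"grace","ip":"192.0.2.45","result":"success","mfa":"approved"}
"""

# Accounts known to the tenant (constructed), so never-used accounts are found too.
KNOWN_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "svc-sync", "svc-legacy"]


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in `ts`."""
    rows = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    return rows


def detect_password_spray(rows, min_users=5, window=timedelta(minutes=10)):
    """Source IPs whose failures hit at least `min_users` distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["result"] == "failure":
            by_ip[r["ip"]].append(r)
    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            users = {e["user"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits.append(ip)
                break
    return sorted(hits)


def detect_mfa_fatigue(rows, min_prompts=3, window=timedelta(minutes=10)):
    """Accounts that approved an MFA prompt after at least `min_prompts` prompts inside `window`."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(events):
            if ev["mfa"] != "approved":
                continue
            prior = [e for e in events[:i]
                     if e["mfa"] == "prompt_sent" and ev["ts"] - e["ts"] <= window]
            if len(prior) >= min_prompts:
                hits.append(user)
                break
    return sorted(hits)


def detect_dormant_accounts(rows, accounts, now, max_idle=timedelta(days=90)):
    """Accounts with no successful sign-in inside `max_idle` (or none at all)."""
    last_ok = {}
    for r in rows:
        if r["result"] == "success":
            last_ok[r["user"]] = max(last_ok.get(r["user"], r["ts"]), r["ts"])
    return sorted(a for a in accounts if a not in last_ok or now - last_ok[a] > max_idle)


def run_checks(text=SAMPLE_LOG, accounts=KNOWN_ACCOUNTS, now=None):
    """Run all three checks; `now` defaults to the day after the sample log."""
    rows = parse_log(text)
    now = now or datetime(2024, 3, 2, tzinfo=timezone.utc)
    return {
        "spray": detect_password_spray(rows),
        "mfa_fatigue": detect_mfa_fatigue(rows),
        "dormant": detect_dormant_accounts(rows, accounts, now),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The spray check keys on one source address reaching many accounts, which is what distinguishes spraying from a single user mistyping a password; the residential-proxy tactic in the table (T1090.002) means the same campaign can arrive from many addresses, so in production this check should also be run per ASN or per user-agent. The dormant check depends on a complete account inventory, which is why the tenant account list is passed in separately from the log.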

Fulton County, Security Experts Call LockBit’s Bluff

The ransomware group LockBit told officials with Fulton County, Ga. they could expect to see their internal documents published online this morning unless the county paid a ransom demand. LockBit removed Fulton County’s listing from its victim shaming website this morning, claiming the county had paid. But county officials said they did not pay, nor did anyone make payment on their behalf. Security experts say LockBit was likely bluffing and probably lost most of the data when the gang’s servers were seized this month by U.S. and U.K. law enforcement.

The LockBit website included a countdown timer until the promised release of data stolen from Fulton County, Ga. LockBit would later move this deadline up to Feb. 29, 2024.

LockBit listed Fulton County as a victim on Feb. 13, saying that unless it was paid a ransom the group would publish files stolen in a breach at the county last month. That attack disrupted county phones, Internet access and even their court system. LockBit leaked a small number of the county’s files as a teaser, which appeared to include sensitive and sealed court records in current and past criminal trials.

On Feb. 16, Fulton County’s entry — along with a countdown timer until the data would be published — was removed from the LockBit website without explanation. The leader of LockBit told KrebsOnSecurity this was because Fulton County officials had engaged in last-minute negotiations with the group.

But on Feb. 19, investigators with the FBI and the U.K.’s National Crime Agency (NCA) took over LockBit’s online infrastructure, replacing the group’s homepage with a seizure notice and links to LockBit ransomware decryption tools.

In a press briefing on Feb. 20, Fulton County Commission Chairman Robb Pitts told reporters the county did not pay a ransom demand, noting that the board “could not in good conscience use Fulton County taxpayer funds to make a payment.”

Three days later, LockBit reemerged with new domains on the dark web, and with Fulton County listed among a half-dozen other victims whose data was about to be leaked if they refused to pay. As it does with all victims, LockBit assigned Fulton County a countdown timer, saying officials had until late in the evening on March 1 until their data was published.

LockBit revised its deadline for Fulton County to Feb. 29.

LockBit soon moved up the deadline to the morning of Feb. 29. As Fulton County’s LockBit timer was counting down to zero this morning, its listing disappeared from LockBit’s site. LockBit’s leader and spokesperson, who goes by the handle “LockBitSupp,” told KrebsOnSecurity today that Fulton County’s data disappeared from their site because county officials paid a ransom.

“Fulton paid,” LockBitSupp said. When asked for evidence of payment, LockBitSupp claimed, “The proof is that we deleted their data and did not publish it.”

But at a press conference today, Fulton County Chairman Robb Pitts said the county does not know why its data was removed from LockBit’s site.

“As I stand here at 4:08 p.m., we are not aware of any data being released today so far,” Pitts said. “That does not mean the threat is over. They could release whatever data they have at any time. We have no control over that. We have not paid any ransom. Nor has any ransom been paid on our behalf.”

Brett Callow, a threat analyst with the security firm Emsisoft, said LockBit likely lost all of the victim data it stole before the FBI/NCA seizure, and that it has been trying madly since then to save face within the cybercrime community.

“I think it was a case of them trying to convince their affiliates that they were still in good shape,” Callow said of LockBit’s recent activities. “I strongly suspect this will be the end of the LockBit brand.”

Others have come to a similar conclusion. The security firm RedSense posted an analysis to Twitter/X that after the takedown, LockBit published several “new” victim profiles for companies that it had listed weeks earlier on its victim shaming site. Those victim firms — a healthcare provider and major securities lending platform — also were unceremoniously removed from LockBit’s new shaming website, despite LockBit claiming their data would be leaked.

“We are 99% sure the rest of their ‘new victims’ are also fake claims (old data for new breaches),” RedSense posted. “So the best thing for them to do would be to delete all other entries from their blog and stop defrauding honest people.”

Callow said there certainly have been plenty of cases in the past where ransomware gangs exaggerated their plunder from a victim organization. But this time feels different, he said.

“It is a bit unusual,” Callow said. “This is about trying to still affiliates’ nerves, and saying, ‘All is well, we weren’t as badly compromised as law enforcement suggested.’ But I think you’d have to be a fool to work with an organization that has been so thoroughly hacked as LockBit has.”

Simplifying the Security Analyst Experience with Open Cybersecurity Schema Framework (OCSF)

In this blog, we dive into how the Open Cybersecurity Schema Framework (OCSF) improves the security analyst experience. By standardizing third party cybersecurity data through OCSF, SentinelOne enhances efficiency and effectiveness, enabling customers like Liberty Group to prioritize security operations over data acquisition challenges.

This exploration offers insights into the real-world benefits and potential of OCSF in elevating the cybersecurity landscape.

Understanding the OCSF Framework

The Open Cybersecurity Schema Framework (OCSF) is designed to standardize and streamline the way cybersecurity data is structured and shared across different security tools and platforms, enhancing interoperability and efficiency in threat detection, analysis, and response. It’s tackling a fundamental challenge in the security analytics space: the absence of a common, agreed-upon format and data model for logs and alerts across vendors. This lack of standard language in cybersecurity tooling and services creates a challenge for cybersecurity professionals and a lot of manual work.

OCSF is not a product but a vendor-agnostic schema: a dictionary of attributes and objects (such as src_endpoint, actor, and metadata.product) grouped into event classes (Process Activity, Authentication, Network Activity, and so on) that share common fields like class_uid, time, and severity_id. Because every source is mapped onto the same classes and attributes, a detection or hunting query written once applies to any normalized source, and analysts can pivot between vendors’ telemetry without learning each product’s field names. That is what lets an enterprise adjust quickly to evolving threats while keeping its tooling choices flexible.

Without the OCSF, security teams must compile data from multiple entities and standardize it to collect meaningful insights. This makes OCSF standardization crucial for the long-term health of defenders. It is a critical first step towards reducing the time and effort it takes to standardize security telemetry and log activity across tools and services, regardless of vendor.

We’re Committed to Making Things Easier with OCSF

SentinelOne’s goal is to improve efficiency and effectiveness of the analyst experience across the incident lifecycle. We recognize that the shift to adopting the OCSF makes the job of security analysts easier and simpler — ultimately supporting their ability to protect the organization from attacks. That’s why we’re committed to the OCSF and are leading the way by building this open standard into our Security AI platform from the ground up.

The Singularity Platform is a unified security AI platform, bringing a single agent, data lake, and console together for security operations. Singularity Data Lake powers this platform at every level. Using the Singularity Marketplace, customers can access a wide range of data connectors that transform third party data sources to OCSF standards, out-of-the-box, with no manual coding or extensive development required.

Singularity Data Lake is a cloud-native, high-performance, scalable data lake built on a massively parallel query engine. It breaks complex queries into pieces that run simultaneously and returns the answers to analysts, with roughly 96% of queries completing within a second. That’s up to 10x faster than legacy SIEM and XDR providers.

Adopting the OCSF open standard allows for data portability, ensuring that organizations can future-proof their security tooling. You never know what’s needed next to secure the business, and building on a common data language gives businesses the confidence to adopt the Singularity Platform as the central hub for security operations. With OCSF, Singularity Data Lake provides the platform for future innovation.

A Real-World Scenario | Streamlining Data Sources in the Singularity Platform

Data adhering to OCSF also streamlines the process of creating custom detections. In the Singularity Platform, custom detections are named STAR rules (Storyline Active Response) which empower security teams to create alerts by querying data they ingest into the Singularity Data Lake. Since our data conforms to OCSF, security teams can write one STAR rule that covers multiple data sources.

Let’s look at a simple STAR rule meant to track several source IP addresses across an environment that ingests logs from multiple vendor products into the Singularity Data Lake. In the OCSF schema, the standardized field for a source IP address is src_endpoint.ip, so we’ll use that in our query. When we execute this query, notice that results from multiple vendor log sources (SentinelOne, Okta, and Fortinet) are included automatically.

Once the query is tuned to minimize the result set, we can create a STAR rule from it to generate alerts without specifying a log source. This effectively future-proofs the rule: it will also find the source IP address in any log sources added to the data lake later.

To ensure alerts generated by the STAR rule are acted upon immediately, we can leverage automatic response actions, such as network quarantine.

Now with OCSF, we can simplify the creation of custom rules across multiple data sources. Even when additional sources are added, this detection will persist across them all. Analysts can write rules once and apply them universally, regardless of the addition of new security data to the Singularity Data Lake.
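To make the mechanism concrete, here is an added example that is not SentinelOne’s code and not the Singularity query language: it maps three constructed vendor events onto OCSF fields and then runs a single watchlist rule on src_endpoint.ip across all of them. The vendor input shapes, the mapper functions, the “ExampleVendor” placeholder and the sample events are assumptions made for the illustration; the OCSF field names (src_endpoint.ip, class_uid, metadata.product.vendor_name) are from the schema itself.

```python
"""Map constructed vendor events onto OCSF fields and run one rule across them.

Added example: this is not SentinelOne code and not the Singularity query
language. The vendor input shapes, the mappers and the sample events are
assumptions constructed for this illustration.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Any, Callable

# OCSF (category_uid, class_uid) pairs; class_uid = category_uid * 1000 + class id.
PROCESS_ACTIVITY = (1, 1007)   # System Activity / Process Activity
AUTHENTICATION = (3, 3002)     # Identity & Access Management / Authentication
NETWORK_ACTIVITY = (4, 4001)   # Network Activity / Network Activity

# Constructed sample events as (vendor, payload). Vendor shapes are illustrative only.
RAW_EVENTS: list[tuple[str, Any]] = [
    ("sentinelone", {"eventTime": 1709200000000, "processName": "curl",
                     "user": "doug", "srcIp": "203.0.113.7"}),
    ("sentinelone", {"eventTime": 1709200005000, "processName": "bash",
                     "user": "doug"}),                       # no network peer at all
    ("okta", {"published": 1709200010000, "eventType": "user.session.start",
              "outcome": {"result": "FAILURE"},
              "actor": {"alternateId": "doug@example.com"},
              "client": {"ipAddress": "203.0.113.7"}}),
    ("fortinet", "eventtime=1709200020 srcip=203.0.113.7 dstip=10.0.0.5 dstport=443 action=deny"),
    ("fortinet", "eventtime=1709200025 srcip=198.51.100.23 dstip=10.0.0.5 dstport=22 action=accept"),
    ("fortinet", "eventtime=1709200030 srcip=not-an-ip dstip=10.0.0.5 dstport=22 action=accept"),
]


def _endpoint(ip: str | None) -> dict[str, Any] | None:
    """Build an OCSF endpoint object; drop missing or malformed addresses."""
    if not ip:
        return None
    try:
        return {"ip": str(ipaddress.ip_address(ip))}
    except ValueError:
        return None


def _base(vendor: str, cls: tuple[int, int], time_ms: int) -> dict[str, Any]:
    """Common OCSF envelope shared by every event class."""
    category_uid, class_uid = cls
    return {"category_uid": category_uid, "class_uid": class_uid, "time": time_ms,
            "metadata": {"product": {"vendor_name": vendor}, "version": "1.1.0"}}


def from_sentinelone(e: dict[str, Any]) -> dict[str, Any]:
    rec = _base("SentinelOne", PROCESS_ACTIVITY, e["eventTime"])
    rec["process"] = {"name": e["processName"]}
    rec["actor"] = {"user": {"name": e["user"]}}
    rec["src_endpoint"] = _endpoint(e.get("srcIp"))
    return rec


def from_okta(e: dict[str, Any]) -> dict[str, Any]:
    rec = _base("Okta", AUTHENTICATION, e["published"])
    rec["status"] = e["outcome"]["result"]
    rec["actor"] = {"user": {"name": e["actor"]["alternateId"]}}
    rec["src_endpoint"] = _endpoint(e.get("client", {}).get("ipAddress"))
    return rec


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def from_fortinet(line: str) -> dict[str, Any]:
    """Parse a key=value syslog line; eventtime is seconds in this assumed format."""
    kv = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec = _base("Fortinet", NETWORK_ACTIVITY, int(kv.get("eventtime", 0)) * 1000)
    rec["action"] = kv.get("action")
    rec["src_endpoint"] = _endpoint(kv.get("srcip"))
    rec["dst_endpoint"] = _endpoint(kv.get("dstip"))
    if rec["dst_endpoint"] is not None and "dstport" in kv:
        rec["dst_endpoint"]["port"] = int(kv["dstport"])
    return rec


MAPPERS: dict[str, Callable[[Any], dict[str, Any]]] = {
    "sentinelone": from_sentinelone,
    "okta": from_okta,
    "fortinet": from_fortinet,
}


def normalize(raw_events: list[tuple[str, Any]]) -> list[dict[str, Any]]:
    """Apply the per-vendor mapper; the output shape is the same for every source."""
    return [MAPPERS[vendor](payload) for vendor, payload in raw_events]


def get_path(record: dict[str, Any], path: str) -> Any:
    """Dotted lookup such as 'src_endpoint.ip'; None when any step is absent."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


WATCHLIST = {"203.0.113.7"}   # constructed indicator


def run_rule(records: list[dict[str, Any]], field: str = "src_endpoint.ip",
             watch: set[str] = WATCHLIST) -> list[tuple[str, int, str]]:
    """One rule with no vendor clause: (vendor, class_uid, ip) for every hit."""
    hits = []
    for rec in records:
        value = get_path(rec, field)
        if isinstance(value, str) and value in watch:
            hits.append((rec["metadata"]["product"]["vendor_name"], rec["class_uid"], value))
    return hits


if __name__ == "__main__":
    for vendor, class_uid, ip in run_rule(normalize(RAW_EVENTS)):
        print(f"{vendor:12s} class_uid={class_uid} src_endpoint.ip={ip}")
```

The rule never names a vendor, so a fourth source only needs a mapper onto the same envelope; the rule itself is untouched, which is the future-proofing the STAR rule above relies on. Events with no peer address, or with a malformed one, simply carry no src_endpoint and are skipped rather than breaking the query.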

What’s the Bottom Line?

Having a common schema for the cybersecurity industry is a significant step forward in our ability to respond to and hunt for threats. Adopting OCSF puts cyber defenders and enterprise leaders on the same page at the same time, so that ultimately they are equipped with the best tools for the job.

Leveraging OCSF, SentinelOne commits to:

  • Greater efficiency – Our commitment to the OCSF drastically cuts data processing time. Now, data is normalized from the get-go, speeding up analysis and the ability to respond to threats.
  • Comprehensive coverage – Without a common framework for cybersecurity data, there’s a risk that important information might be overlooked or misinterpreted. By adopting the OCSF, we help to ensure data is complete, so customers can accurately interpret insights, regardless of the tools they use.
  • Scalability – As an organization grows, so does the complexity of its cybersecurity infrastructure. A standardized schema like the OCSF aims to provide a scalable approach to data management, so security systems can evolve without losing the ability to communicate effectively.
  • Smarter team allocation – OCSF removes the need to hire or train people on vendor specific language normalization efforts, allowing people to get back to what they’re best at — protecting the enterprise.

Liberty Group | Our Customers Are Leading the Way

Our customers are ready for the opportunity OCSF provides. One of them is Owen Connolly, CISO of Liberty Group.

Owen and his team manage a vast security infrastructure to protect the group’s steel and mining business. The real challenge lay in the overhead of parsing information from every platform and normalizing it before analysis could even begin.

In Owen’s words, “Before SentinelOne, much of our time was spent analyzing data across multiple systems due to the technical cost of getting an integrated view, rather than focusing on security operations.” He continues, “Having a platform that provides OCSF-ready data connectors is a game changer and allows my team to focus on detection, triage, investigation, and response rather than data architecture.”

Future-Proof Your Security Strategy

Here at SentinelOne, we want to do what’s right for the cybersecurity industry. When we improve the analyst experience, we empower them to focus on what matters most — defending the enterprise. Cyber defenders face an ever-changing landscape, working to stay steps ahead of malicious actors and the unknown nature of developing threats. By aligning our products to Open Source standards, we’re leveling the playing field. SentinelOne’s adoption of OCSF builds momentum towards a future where today’s leaders can plug in the tools they need without the burden of complexity to slow them down. We hope that more vendors will join us on this journey.

SentinelOne is trusted by global enterprises across a variety of industries and organizations with complex security requirements. Learn more about how Singularity Data Lake empowers businesses to centralize and transform data into actionable intelligence for cost-effective, high-performance security and log analytics here.

Calendar Meeting Links Used to Spread Mac Malware

Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.

KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity we’ll call him Doug.

Being in the cryptocurrency scene, Doug is also active on the instant messenger platform Telegram. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were Ian Lee, from Signum Capital, a well-established investment firm based in Singapore. The profile also linked to Mr. Lee’s Twitter/X account, which features the same profile image.

The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it then.

When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, which replied that there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.

Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.

“Some of our users are facing issues with our service,” the message read. “We are actively working on fixing these problems. Please refer to this script as a temporary solution.”

Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Doug’s follow-up messages.

It didn’t dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.

In a post to its Twitter/X account last month, Signum Capital warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.

The file that Doug ran is a simple AppleScript (file extension “.scpt”) that downloads and executes a malicious trojan built for macOS. Unfortunately for us, Doug freaked out after deciding he’d been tricked, backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this is a perfectly sane response, it means we don’t have the actual malware that was pushed to his Mac by the script.

But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers.

“When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”

Image: SlowMist.

SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.

“Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed “BlueNoroff,” which Kaspersky Labs says is a subgroup of the Lazarus hacking group.

“A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.

The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A recent report from Recorded Future finds the Lazarus Group has stolen approximately $3 billion in cryptocurrency over the past six years.

While there is still far more malware out there today targeting Microsoft Windows PCs, the prevalence of information-stealing trojans aimed at macOS users is growing at a steady clip. macOS includes XProtect, Apple’s built-in signature-based antivirus technology. But experts say attackers are constantly changing the appearance and behavior of their malware to evade XProtect.

“Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures,” security firm SentinelOne wrote in January.

According to Chris Ueland from the threat hunting platform Hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163[.]149) hosts or very recently hosted about 75 different domain names, many of which invoke words associated with videoconferencing or cryptocurrency. Those domains indicate this North Korean hacking group is hiding behind a number of phony crypto firms, like the six-month-old website for Cryptowave Capital (cryptowave[.]capital).

The increasing frequency of new Mac malware is a good reminder that Mac users should not depend on security software and tools to flag malicious files, which are frequently bundled with or disguised as legitimate software.

As KrebsOnSecurity has advised Windows users for years, a good rule of safety to live by is this: If you didn’t go looking for it, don’t install it. Following this mantra heads off a great many malware attacks, regardless of the platform used. When you do decide to install a piece of software, make sure you are downloading it from the original source, and then keep it updated with any new security fixes.

On that last front, I’ve found it’s a good idea not to wait until the last minute to configure my system before joining a scheduled videoconference call. Even if the call uses software that is already on my computer, it is often the case that software updates are required before the program can be used, and I’m one of those weird people who likes to review any changes to the software maker’s privacy policies or user agreements before choosing to install updates.

Most of all, verify new contacts from strangers before accepting anything from them. In this case, had Doug simply messaged Mr. Lee’s real account on Twitter/X or contacted Signum Capital directly, he would have discovered that the real Mr. Lee never asked for a meeting.

If you’re approached in a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.

Image: SlowMist.

February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs

February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks.

In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always we have the latest in ransomware updates.

Ransomware Reporting and Underreporting

February 2024 has seen several impactful ransomware attacks reported, including:

Actor       | Targeted Industry
LockBit     | Medical
BackMyData  | Medical
Black Basta | Automotive
Cactus      | Manufacturing

Concerns remain, however, that many ransomware incidents are unreported. Particularly in cases where an organization is experiencing its first cybercrime incident, there may be a tendency to believe that disclosing the breach may be more damaging than paying the attackers.

For any organization feeling that pressure, it is worth reviewing advice from the NCSC about why transparency matters to victims. It is also worth reviewing Google’s journey from victim to major contributor to cyber safety: the formation of its Project Zero initiative and Threat Analysis Group were direct consequences of its experience of a cyber attack from a Chinese APT.

In a statement on January 31st, CISA Director Jen Easterly told a House Select Committee that “Every victim of a cyber incident should report it to CISA or FBI, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security”. Easterly stressed, and we couldn’t agree more, that business leaders must treat cyber risks as core business risks and recognize that “managing them is a matter of both good governance and fundamental national security”.

Software Products Under Active Exploitation

Improving the design of software products such that exploitable flaws become “a shocking anomaly” was also part of Easterly’s vision for a safer cyber future.

February saw a trend in attacks leveraging enterprise tools that provide remote, authenticated access: VPN and policy gateways on the one hand, and Remote Monitoring and Management (RMM) products on the other. Both APT groups and ‘lower tier’ crimeware actors continue to exploit vulnerabilities in Ivanti’s Connect Secure and Policy Secure gateways.

ConnectWise’s ScreenConnect RMM has also been targeted for mass exploitation thanks to an authentication bypass (CVE-2024-1709) and a path traversal (CVE-2024-1708) that are trivial to exploit and chain to unauthenticated remote code execution. In addition, alarm was raised this month after AnyDesk’s response to a breach found evidence of compromised production systems.

CVEs and updates that organizations are prioritizing include:

Ivanti Connect Secure     | CVE-2024-21893
ConnectWise ScreenConnect | CVE-2024-1708
ConnectWise ScreenConnect | CVE-2024-1709
AnyDesk                   | Recommended update to 7.0.15 and 8.0.8

Emerging Trends and Tactics

AI continues to push the boundaries of cybersecurity for both attackers and defenders. On top of LLM chat assistants and natural language image generators comes OpenAI’s Sora, a generative model that creates realistic video, currently up to 60 seconds long, from text prompts. According to OpenAI, “Sora is capable of generating entire videos all at once or extending generated videos to make them longer.”

The potential for deep fakes in an election year is one obvious area of concern, but the wider implications of a text-to-video service are perhaps even greater. OpenAI says it is building tools to help detect misleading content as well as reject prompts that violate usage policies, but based on the rapid proliferation of ‘evil ChatGPTs’ (see WormGPT, DarkGPT, and Predator AI for examples) that may be no more than a sticking plaster solution. Sora is still in beta but is currently available to red teamers to help assess the potential risks such a service could cause.

February also saw OpenAI, in conjunction with Microsoft, report on the malicious use of AI by state-affiliated threat actors. Groups associated with four different nations were discovered to be trying to leverage OpenAI for harmful purposes:

Nation      | Group(s)
China       | Charcoal Typhoon / Salmon Typhoon
Iran        | Crimson Sandstorm
North Korea | Emerald Sleet
Russia      | Forest Blizzard

The use of AI by threat actors largely revolves around improving productivity and automating existing tasks that are labor intensive, such as generating social engineering content. To date, it has not been used to produce novel attacks. However, we are still very much in the early stages of understanding the capabilities of this new technology.

The fact that it is already being leveraged by both state-sponsored actors and financially-motivated cybercriminals emphasizes the need for defenders to keep pace with AI’s evolution.

We encourage defenders to review SentinelOne’s recommendations for Safe, Secure, and Trustworthy AI. For specific TTPs related to artificial intelligence systems, see the new MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework.

Law Enforcement & Policy | Significant Actions

The U.S. government in February announced a Visa Restriction policy for individuals involved in the misuse of commercial spyware. The policy covers not only the use of spyware, but also anyone “believed to facilitate or derive financial benefit from the misuse of commercial spyware” and “developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware”.

The move reflects mounting concerns about the rise of private sector offensive actors (aka hack-for-hire groups) and the safety of mobile devices.

Coordinated action by U.S. and U.K. law enforcement to disrupt LockBit operations generated plenty of headlines in the third week of February, but early signs are that the group is not down and out yet. On February 24, 2024, LockBit released a series of statements concerning the disruption.

The group claimed the FBI was unable to compromise all of their infrastructure, allowing the group to reestablish and maintain primary operations. The statements included functional links to a blog site and data portals to support their claims that the ransomware operator was still in business.

LockBit’s disruption may yet turn out to be temporary, following the trend set by direct actions against Hive, ALPHV and others.

Excerpt of LockBit’s February 24, 2024 ‘Statement’

In further signs of an escalating, policy-driven offensive to tackle cybercrime, the United States Department of State has offered a ten million dollar bounty for information relating to Hive ransomware operators and co-conspirators. On February 9th, the U.S. Department of Justice disclosed the dismantling of Warzone RAT, the seizure of supporting data and infrastructure, and the filing of charges against key players tied to the operation.

Conclusion

Coordinated action by the U.S. and other governments is certainly having an impact on cybercriminals’ operations, but there are still more threat actors out there than we can count, and there’s a long way to go in this battle to capture, thwart and discourage digital attackers.

February’s quick takeaway for busy readers: patch before a breach occurs, and report it when it does.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.

PinnacleOne ExecBrief | China’s Hacking Ecosystem

Last week, PinnacleOne collaborated with SentinelLabs to unpack the leak of internal files from a firm (I-Soon) that contracts with Chinese government security agencies to hack global targets.

In this ExecBrief, we examine how I-Soon (上海安洵) fits into the larger Chinese hacking ecosystem and highlight key implications for business leaders.


Insight Focus: China’s Hacking Ecosystem

The leak of I-Soon’s internal files provided security researchers with concrete details revealing the maturing nature of China’s cyber espionage ecosystem. The files–including chat logs between hackers offering pilfered data and complaining about poor compensation–showed explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire. [PinnacleOne’s own Dakota Cary was in demand last week, quoted for comment in the FT, CNN, BBC, AP, Bloomberg, NBC News, NPR, Newsweek, The Record, Cyberscoop, KrebsonSecurity, DarkReading, and more.]

This company is one of many that contract with government agencies, including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army. As China’s appetite for foreign data and ambitions to become a global cyber power have grown, so has this burgeoning private industry of hackers-for-hire and an associated market for a torrent of stolen information.

What The I-Soon Leaks Show

Some of the leaks show how private operators sometimes independently–and perhaps opportunistically–exploit foreign targets, seeking a government buyer only after the data has been acquired. The chat logs from I-Soon employees demonstrate how the company, in need of cash to pad its books, conducted independent operations on the expectation (or hope) that a government customer would buy their wares. In the case presented by the chat logs, no buyer apparently materialized and such operations were the exception, not the rule. Many of the apparent victims could be tied directly to government agencies soliciting their penetration by I-Soon.

Some media outlets are overemphasizing this “entrepreneurial” data theft and sale as the overarching condition of China’s hack-for-hire market. These outlets are wrong. It is important not to over interpret the findings from this one company’s activities.

What Really Drives PRC Cyber Targeting

It remains the case that China’s national security, geopolitical, and economic objectives drive a strong set of demand signals that shape its public and private cyber operations against western targets across the full spectrum of technology and industry sectors.

Some sectors are targeted for intellectual property, scientific information, or competitive intelligence, while others fall into the military bullseye for strategic prepositioning in advance of conflict scenarios. Of course, a large effort is also devoted to domestic and overseas political monitoring, control, and repression. We see private actors like I-Soon responding with cyber solutions to meet all of these demand signals.

How PRC Political Demands Translate into Targeting Requirements

China’s approach to cyberespionage incorporates broad swaths of the party-state apparatus and translates into both legal and covert activities to meet politically-defined technology targeting requirements (see graphic below).

The top-level policy document that sets the strategic demand signal is the National People’s Congress Five-Year Plan, which establishes strategic goals by sector, against which individual government ministries release their own detailed Five-Year Plans. Different industries, academic institutions, state-owned enterprises (SOEs), and provincial and municipal governments interpret these plans and operationalize them according to their own, wildly diverse, policy processes.

The two most important ministries for technology development (and cyberespionage targeting requirements) are the Ministry of Science and Technology (MOST) and the Ministry of Industry and Information Technology (MIIT). These ministries oversee an archipelago of research institutes and academic institutions and interact with the foreign affairs and security departments to support their efforts.

In particular, a cadre of Science and Technology Diplomats is deployed overseas to help identify and target technologies and industries of interest, while domestic academic institutions coordinate with S&T Conversion Centers to support technology transfer and indigenization activities. Meanwhile, private industry and SOEs conducting their own research efforts request assistance from MOST/MIIT and insert their own technology requirements to help shape government funding and targeting priorities.

At this level, legal means like joint venture agreements, acquisitions, and talent poaching are preferred, even if conducted with subterfuge or obfuscation via third party cut-outs. However, government research institutes, the “Seven Sons” of national defense universities, and military SOEs typically prefer illicit means. These consumers may utilize the PLA’s own hacking units or request support from the Ministry of State Security (MSS).

This complex web of activities generates a massive, continuous flow of internal scientific, technical, and industrial targeting requirements that drive licit and illicit technology transfer and IP theft activities. Companies like I-Soon represent the tip of the iceberg.

What This Means for Business Executives

China has a whole-of-government effort to capture market share in strategic industries, “seize the commanding heights” of emerging critical technologies, and reduce its external dependencies on adversaries while increasing adversary dependencies on China.

This is all in service of a grand strategy to climb and dominate global value chains, expand geoeconomic influence, and rewrite the economic and security architecture of the world system.

As a result, the set of sectors and firms that find themselves in the geopolitical and cyberespionage bullseye will continue to grow, as will the intensity of the offensive operations targeted against them.

As the I-Soon leaks demonstrate, it isn’t just well-resourced state-actors that firms have to contend with. The fact that underpaid, moderately skilled independent hackers can achieve as much success as the I-Soon files show should be a loud wake-up call to global executives about the resilience of their security posture.

FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.

The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.

In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.

On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.

“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”

Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.

However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”

“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.

Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.

UNFOLDING DISASTER

In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.

“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

A screen shot released by LockBit showing various Fulton County file shares that were exposed.

LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.

George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.

Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.

“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”

LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.

The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”

LockBitSupp’s FBI letter said the group kept copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark net websites, including the leak page listing Fulton County’s new countdown timer.

LockBit’s new data leak site promises to release stolen Fulton County data on March 2, 2024, unless paid a ransom demand.

“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.”

DOX DODGING

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.

However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.

On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is offered for information on affiliates.

In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.

“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty on their own head if anyone can dox them.”

TROUBLE ON THE HOMEFRONT?

In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.

Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and the former Soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.

LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.

Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.

A post by the XSS administrator saying LockBitSupp wanted him dead.

INTERVIEW WITH LOCKBITSUPP

KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.

LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.

“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”

Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.

“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”

It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.

Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fani Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.

Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.

Fulton County is still trying to recover systems and restore services affected by the ransomware attack. “Fulton County continues to make substantial progress in restoring its systems following the recent ransomware incident resulting in service outages,” reads the latest statement from the county on Feb. 22. “Since the start of this incident, our team has been working tirelessly to bring services back up.”