Verizon’s annual Data Breach Investigations Report has historically compared and contrasted small and medium businesses (SMB) against large organizations. Not this year. The reason: Both SMBs and large enterprises are increasingly sharing similar attack surfaces. With much of the same services and infrastructures, the difference between the two boils down to the available resources.

Where larger companies may have entire teams of cybersecurity analysts or full-fledged security operation centers (SOCs), many SMBs rely on a single IT person to manage their security. Or, companies may outsource cybersecurity to managed service providers (MSPs) who may not yet have the required skills or services in place to plan, build out, and manage a full cyber program.

In this blog post, we examine the most common types of cybersecurity threats SMBs face today and share a list of top 5 cybersecurity tips that SMBs can follow to start building a more robust cyber posture against modern threats.

Types of Cybersecurity Threats for Small Businesses

In a 2023 Data Breach Investigations Report, researchers found that the top patterns of cybersecurity threats for small businesses (less than 1,000 employees) were system intrusion, social engineering, and basic web application attacks – representing 92% of breaches. Several types of attacks including, phishing, malware, watering hole attacks, and drive-by downloads drive these categories of threats.

Phishing

Phishing attacks continue to grow year-over-year and remain one of the main methods threat actors use to gain entry into their victims’ systems alongside vulnerability exploitation and stolen credentials.

The National Vulnerability Database (NVD) is a critical – yet often overlooked – element of an organization’s security defenses. Established to provide a catalog of known software vulnerabilities, it has become an authoritative source of vulnerability intelligence. However, the NVD faces a troubling backlog of vulnerabilities raising existential concerns about its efficacy.

This blog post takes a dive into what this means for organizations, what actions the industry leaders are taking to mitigate the challenges, and how solutions like Singularity Vulnerability Management are set to help businesses identify and prioritize all types of risk across their attack surfaces.

A Brief History of the NVD

Launched in 2005 by the National Institute of Standards and Technology (NIST), the NVD was created as a repository for the U.S. government to standardize and communicate information on publicly disclosed vulnerabilities. Utilizing the Common Vulnerabilities and Exposures (CVE) system, the NVD provides a centralized source for identifying and evaluating security flaws. Over the years, the NVD has evolved, integrating additional metrics such as the Common Vulnerability Scoring System (CVSS) to assess vulnerabilities’ severity and prioritize remediation efforts.

One of the most important benefits of the NVD is standardization, ensuring that all stakeholders from researchers, security teams, and security vendors, are on the same page regarding how they identify and mitigate vulnerabilities. The NVD enables organizations of all sizes to improve their security posture by offering open access to vulnerability data.

This democratization of information allows smaller businesses, which may lack extensive cybersecurity resources, to leverage the same vulnerability data as larger enterprises. To support the dissemination of this information, the NVD offers integration of vulnerability data via public APIs that many vendors integrate into their IT and Security products. The NVD API has its own set of challenges at enterprise scale with API rate limiting and occasional API call failures.

Market research soon to be published in the first annual SentinelOne Cloud Security Report shows that cloud security professionals are drowning in data, yet lacking insights. While many point-specific solutions like cloud security posture management (CSPM), cloud detection and response (CDR), and cloud workload protection platforms (CWPP) are now mainstream, organizations are struggling with data silos as they seek to derive meaning from a long list of cloud security alerts. SentinelOne’s AI-powered CNAPP, Singularity Cloud Native Security (CNS) solves each of these pain points.

In this blog post, learn how Singularity Cloud Security combines the rapid insights and value realization of an agentless CNAPP, with the stopping and forensics power of a runtime agent, to realize AI-powered protection for modern cloud operations. SentinelOne consolidates security data from native and third-party security sources into the Singularity Data Lake.

Agentless CNAPP and The Attacker’s Mindset

Singularity Cloud Native Security (CNS) from SentinelOne is an agentless CNAPP with a unique Offensive Security Engine that thinks like an attacker, to automate red-teaming of cloud security issues and present evidence-based findings. We call these Verified Exploit Paths. Going beyond simply graphing attack paths, CNS finds issues, automatically and benignly probes them, and presents its evidence.

The Offensive Security Engine might indicate something like, “We found this misconfigured Amazon EC2 instance. We were able to curl out to our dummy C2 server and install a random file. Here is the proof.” With this, cloud security practitioners can prioritize their backlog better and focus on what is truly important rather than tread water in a sea of theoretical noise.

Containers are popular because they are easy to build, test, and operate across a wide variety of infrastructure. Increasingly, serverless infrastructure services like AWS Fargate are preferred for containerized workload operations, because they allow organizations to focus their resources on innovation, while outsourcing the infrastructure management to their cloud service provider.

In this blog post, learn about SentinelOne’s Singularity Cloud Workload Security (CWS) for Serverless Containers, a real-time cloud workload protection platform (CWPP) for containerized workloads, running on AWS Fargate for Amazon ECS and Amazon EKS. Powered by AI, CWS detects runtime threats like ransomware, zero-days, and fileless exploits in real-time, and streamlines machine-speed response actions.

The Challenge | Maintaining Cloud Workload Availability

Organizations of all sizes increasingly deploy containerized cloud workloads to serverless infrastructure services such as AWS Fargate. Whether running on Amazon ECS (Elastic Container Service) or Amazon EKS (Elastic Kubernetes Service), these ephemeral workloads, although short-lived, still represent a vulnerable attack surface. Automated runtime attacks can exploit vulnerabilities and spread in seconds. Simply examining configurations is insufficient when machine-speed attacks threaten to disrupt cloud operations in seconds. Therefore, they require real-time threat detection and response, to stop the spread and maintain the integrity and availability of cloud workloads.

Moreover, short-lived workloads can challenge incident response (IR) procedures unless there is a forensic data record of workload telemetry for IR specialists to follow. Here again, agentless inspection falls short. Only an agent can serve as the flight data recorder of workload telemetry. These are two of the primary value propositions of a CWPP agent: real-time threat detection and response, and a forensic record of workload telemetry.

However, serverless infrastructure services restrict or prohibit access to the underlying infrastructure. This constraint necessitates an agent architecture tailored to the specific use case of containerized workloads running on serverless infrastructure.

Politically-motivated hacktivist groups are increasingly utilizing ransomware payloads both to disrupt targets and draw attention to their political causes. Notable among these hacktivist groups is Ikaruz Red Team, a threat actor that is currently leveraging leaked ransomware builders.

In attacks occurring over recent months, we have observed Ikaruz Red Team and aligned groups such as Turk Hack Team and Anka Underground (aka Anka Red Team) conduct attacks against Philippine targets and hijack branding and imagery belonging to the government’s Computer Emergency Response Program (CERT-PH).

In this post, we profile this hacktivist group and its recent actions, highlighting the threat actor’s methodology, social media activity and relevance within the wider geopolitical context.

Geopolitical Context & Affiliations

Ikaruz Red Team (IRT), under various identities, has targeted entities in the Philippines through defacements, small-scale DDoS attacks and now ransomware attacks. This behavior, between 2023 and present day (2024), is part of the larger wave of hacktivist groups targeting the region, as documented by Resecurity in April 2024. Resecurity ties these more recent observations to the greater geopolitical landscape, in the context of rising tensions with China, noting that the Philippines’ strategic significance in the Indo-Pacific makes it an attractive target for actors bent on civil disruption.

Over the last year or so, the Philippines has experienced an increase in scattered hacktivist attack campaigns. Previously identified hacktivist groups such as Robin Cyber Hood, Philippine Exodus (aka PHEDS), Cyber Operations Alliance, and Philippine Hacking University have been claiming credit for a variety of ransomware attacks, misinformation campaigns and espionage. On April 8th, the Philippine’s National Privacy Commission (NPC) launched an investigation into a breach of critical government infrastructure through an attack on the Department of Science & Technology by a previously unknown hacktivist identifying itself as #opEDSA.

Last week, PinnacleOne considered what the Office of National Cyber Director’s Annual Report means to modern enterprises.

This week, we highlight the convergence of AI and foreign malign influence efforts on the 2024 year of global elections.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: This email address is being protected from spambots. You need JavaScript enabled to view it.

Insight Focus | AI and Foreign Election Interference

The 2024 U.S. elections (and many other global elections) face a threat landscape defined by foreign influence actors using time-tested tactics augmented by emerging AI tools to undermine the democratic process. On May 15, 2024, officials from the Intelligence Community, FBI, and CISA testified before the Senate Select Committee on Intelligence to draw public attention to the evolving threat.

The Good | International Law Enforcement Charge Crypto Criminals & Take Down a New Iteration of BreachForums

In the past week, law enforcement agencies took down cryptocurrency thieves responsible for a multi-million dollar theft from the Ethereum blockchain, and seized a second iteration of the notorious hacking platform, BreachForums.

The DoJ has unsealed an indictment charging Anton Peraire-Bueno (24) and James Pepaire-Bueno (28) with conspiracy to commit wire fraud and conspiracy to commit wire fraud and money laundering. The brothers allegedly manipulated the blockchain in 12-seconds to pilfer $25 million worth of cryptocurrency in a first-of-its-kind attack.

This was done by tampering with the transaction validation processes on the blockchain, altering pending transactions, and rejecting requests by victims to return the stolen funds. Prior to the attack on the blockchain, the brothers focused on performing reconnaissance on their victims, learning their identities and trading behaviors. If found guilty, each of the brothers face a maximum sentence of 20 years in prison for each count.

A little over a year has passed since the arrest of Conor Brian Fitzpatrick “Pompompurin”, owner and administrator of BreachForums. This week, the FBI have seized the hacking forum for a second time. Working with international law enforcement partners, the FBI have shut down a Telegram channel belonging to Fitzpatrick’s successor, “Baphomet”, along with the second iteration of the BreachForums website. Authorities are currently investigating the site’s backend data and have issued a call for new information.

This iteration of BreachForum, run from June 2023 to May 2024, operated as a clearnet marketplace where cybercriminals could buy, sell, and trade illicit contraband such as hacking tools, compromised databases, stolen access devices, and various illegal services. As forums and dark markets continue to rise and fall multiple times, organizations are reminded to keep their defenses up to safeguard their sensitive data.

Last week, the SentinelOne team wrapped up another exciting year at RSA Conference 2024. The four-day event was, as usual, an invaluable opportunity to connect with leaders across the community, share stories, and learn from each other. This year’s event garnered attendees numbering 40,000 strong from more than 130 countries, showing just how much expertise is available to be shared.

For those who couldn’t join us in San Francisco, our recap blog captures all of the event highlights including snippets from exclusive keynote sessions and all the announcements from SentinelOne.

RSAC 2024 | Understanding “The Art of Possible” in the Cyber World

This year’s theme for the event was “the art of possible”, a phrase that inspires hope while also serving as a warning to never underestimate what is possible by our cyber adversaries.

Community unlocks possibility and, thinking about the theme as it applies to cybersecurity, we are reminded to celebrate new technologies and leverage the strength of the collective whole and remain vigilant in the face of growing threats and risks.

Delivering The Future of Autonomous Security with Purple AI & Singularity Data Lake

It’s no surprise that many of the conversations at RSAC 2024 revolved around the topic of artificial intelligence (AI) and its impact on the cybersecurity landscape. SentinelOne was thrilled to announce innovative new capabilities within our Singularity Platform, designed to empower IT teams to take a predictive and autonomous stance against incoming threats:

Running a business means accepting all of its fluctuating risks and uncertainties. For business leaders, one of the major challenges is managing their cybersecurity posture in an ever-changing threat landscape. With rapid digitalization and increasingly opportunistic attackers to consider, small to medium-sized businesses (SMBs) can be especially vulnerable.

Based on recent reports, over 40% of cyberattacks target today’s SMBs and only 14% of these organizations have the right response plans and policies to properly face the threat. While many business owners invest in cyber insurance, traditional insurance policies are no longer enough to provide the coverage needed in the current climate.

This blog post dives into why modern business leaders are investing in cyber warranties to round out their cyber defense strategies and fill in the gaps for cyber financial protections needed in a worst-case-scenario. Also, learn more about SentinelOne’s newly launched Breach Response Warranty available for businesses of all levels of endpoint counts.

Taking the Proactive Approach with Cyber Warranties | Why Cyber Insurance Alone Isn’t Enough

Although both cyber insurance and cyber warranties offer financial compensation in the case of a breach, they aim to serve different purposes. Where cyber insurance covers financial losses resulting in data breaches or attacks that have already occurred, cyber warranties are a pledge from security vendors.

Cyber insurance can also sometimes require lengthy paperwork and approval cycles with timelines for compensation being drawn out. Warranties can plug this time gap and provide immediate relief and event payout to help cover the deductible for cyber insurance coverage.

On April 26, 2024, SentinelOne marked a significant milestone in security management with the launch of the Singularity Operations Center, the new unified security console. This major update to the Singularity Platform is now generally available (GA) to all cloud-native customers, representing a pivotal shift to a more integrated and efficient analyst experience for security teams.

This blog post introduces the many features of Operations Center and delves into how it centralizes security management with unified alerts, asset inventory management, a correlation engine, and our contextualized Singularity Graph to accelerate detection, triage, and investigation. Operations Center significantly boosts analyst productivity with enterprise-wide visibility and control, setting a high standard against other vendors with fragmented systems.

One Console, One Platform

Implementing disconnected tools for different attack surfaces and use cases has led to complex navigation, operational inefficiencies, and less visibility across security ecosystems. Using disparate tools has also generated data spread across multiple consoles, forcing analysts to continuously context switch and making it more difficult to understand their whole security landscape. Together, these pain points detract security teams from their ability to focus on everyday tasks while also creating slower, error-prone, and more manual triage and investigation processes. We built the Singularity Platform and Operations Center to help eliminate noise and workflow disruptions while providing best-in-class protection for organizations everywhere.

The Singularity Platform is an AI-powered cybersecurity platform with one console and one data lake for a truly unified experience. We worked closely with over 200 organizations to ensure the design of Operations Center prioritizes and empowers security analysts, threat hunters, security administrators, incident responders, and SOC managers, considering their everyday tasks through workflow-based navigation. Through our Design Partner Program, our active users, ranging from advanced to early-career analysts across different industries, play a vital role in the product development process to ensure our improvements enhance the overall analyst function.

Gain End-to-End Visibility and Control

One of the core philosophies of Operations Center is centralization. Consolidating security operations through intuitive and integrated design provides a single view across the enterprise. The new unified alert management page enables security teams to conduct faster and more comprehensive investigations by managing and responding to security alerts in one location.

This week, SentinelOne launched Singularity Cloud Native Security (CNS), our agentless Cloud Native Application Protection Platform (CNAPP) uniquely designed to assess cloud environments through the eyes of a threat actor. As attackers increasingly target cloud environments, SentinelOne’s latest solution helps organizations better defend against these attacks.

CNS simulates attack methods to verify exploit pathways, so-called Verified Exploit Paths. In so doing, CNS reduces the noise of the theoretically possible so that cloud security practitioners can focus on fixing what matters most.

In this blog post, Ely Kahn, VP of Product Management for Cloud Security, AI/ML, and Core Platform, and Anand Prakash, Product Leader for SentinelOne’s Cloud Native Security, explore the value and outcomes of Cloud Native Security. Learn how our agentless CNAPP with a unique Offensive Security Engine is set to help security, developers, and cloud teams collaborate and communicate to radically reduce their cloud and container attack surfaces.

Think Like An Attacker | The Vision for Cloud Native Security (CNS)

Ely: Anand, could you outline our overall vision for Cloud Native Security (CNS)?

Anand: For me, Cloud Native Security (CNS) is cloud security that Thinks Like An Attacker.

Last week, PinnacleOne examined the growing trend towards digital sovereignty, manifesting in national competition to secure and lead increasingly strategic cloud, AI, and space networks.

This week, we consider what the Office of National Cyber Director’s Annual Report means to modern enterprises.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: This email address is being protected from spambots. You need JavaScript enabled to view it.

Insight Focus | Stratagem

The Office of the National Cyber Director (ONCD) released its inaugural report on the cybersecurity posture of the U.S. last week. The report detailed a contested, complex, and interconnected environment for the U.S. government to navigate. Underlining the greatest hits of last year, like the Volt Typhoon disclosures and multiple takedowns of criminal hacking groups, the report detailed the offensive steps the government took to impact malicious actors. But, most of the content is focused on what the government can do to improve defensive conditions in the U.S. To that end, we have adapted some of the report’s themes for modern enterprise defenders to consider.

The Good | Russian-Based APT28 & LockBit Developer Condemned and Charged by International Enforcement

International law enforcement agencies took a hard stance against GRU-linked threat actors this week with the official condemnation of APT28 (aka Strontium, Fancy Bear, Forest Blizzard) and identification and sanctioning of LockBit ransomware’s administrator and developer.

NATO and the EU, joined by the U.S. and U.K., formally condemned the Russian threat group known as APT 28 for a long-term cyber espionage campaign against various European countries. In particular, Germany and the Czech Republic highlighted an email-based attack last year on various government agencies as well as organizations across the military, air and space, and IT sectors in NATO member countries, NATO fast reaction corps, and Ukraine. APT 28 has also been known to target critical infrastructures in various other EU member states.

The 2023 attack leveraged CVE-2023-23397, a zero-day vulnerability in Microsoft Outlook, to steal credentials, perform lateral movement in victim networks, and exfiltrate sensitive emails from specific accounts. NATO called on the Russian state to “respect their international obligations and commitments to uphold international law and act within the framework for responsible state behavior in cyberspace.”

From the DoJ, the identity of the developer and administrator behind the notorious LockBit ransomware group has finally been unveiled. Russian national Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) is also being sanctioned by various international enforcement agencies with the U.S. Department of State offering a reward up to $10 million for information leading to his arrest or conviction.

Khoroshev’s sanctioning follows the joint operation earlier this year disrupting LockBit ransomware infrastructure and operations. Before the seizure of its public-facing websites and servers, Khoroshev and his affiliates were instrumental in LockBit’s rise to one of the world’s most prolific ransomware variants and operations, worth billions of dollars in damages and loss.

Infostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in the wild through malicious websites, cracked applications and trojan installers. These past few weeks have seen a new macOS malware family appear that researchers have dubbed ‘Cuckoo Stealer’, drawing attention to its abilities to act both as an infostealer and as spyware.

In this post, we review Cuckoo Stealer’s main features and logic from a detection point of view and offer extended indicators of compromise to aid threat hunters and defenders. At the time of writing the latest version of XProtect, version 2194, does not block execution of Cuckoo Stealer malware. SentinelOne customers are protected from macOS Cuckoo Stealer.

More Cuckoo Stealers Appearing

Since the initial report on the emergence of this family of malware on April 30, we have seen a rise in new samples and trojanized applications from the four originally reported by Kandji to 18 unique trojanized applications at the time of writing, with new samples appearing daily.

The trojanized apps are various kinds of “potentially unwanted programs” offering dubious services such as PDF or music converters, cleaners and uninstallers (a full list appears in the IoCs at the end of this post) such as:

As reported previously, these applications contain a malicious binary in the MacOS folder named upd. The most recent binaries – in ‘fat’ and ‘thin’ versions for both Intel x86 and arm64 architectures – are ad hoc codesigned and their parent applications all share the same bundle identifier, upd.upd.

It’s been little more than a week since Apple rolled out an unprecedented 74 new rules to its XProtect malware signature list in version 2192. A further 10 rules were appended in version 2193 on April 30th. Cupertino’s security team were clearly hoping that a concerted effort would serve to disrupt prolific adware distributor Adload’s assault on macOS devices. Those behind the adware, however, appear to have pivoted quickly as dozens of new Adload samples are already appearing that evade Apple’s new signatures.

In this post, we take a look at one variant of these new samples that is almost entirely undetected on VirusTotal at this time. We hope this exposure will both help inform security teams looking to keep adware nuisances out of their environment and serve to boost detection recognition across other vendor engines.

Apple’s Massive Adload Signature Update

With XProtect version 2192, Apple added 74 new rules to XProtect.yara. While a few of these were targeted at other malware and adware distributors, the vast majority targeted adware widely known as Adload.

Well, there are 74 new rules in XProtect v2192 , so it's going to take me a bit to update https://t.co/Fgr7MGgRL2 with sample hashes, but interesting to see Apple trying to disrupt Adload's entire codebase. pic.twitter.com/n0eX6FfSEh

— Phil Stokes ⫍⫎ (@philofishal) April 25, 2024

Last week, PinnacleOne examined the state of aviation cybersecurity given recent incidents and federal action.

This week, we boost our view into orbit and dive into the intersection of cybersecurity and geopolitical risk facing the rapidly expanding space economy.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: This email address is being protected from spambots. You need JavaScript enabled to view it.

Insight Focus: Commercial Industry in Contested “Space”

In early April, the United States Space Force (USSF) released their first Commercial Space Strategy, embarking on a major shift in its approach to space operations, one that recognizes the pivotal role of the private sector in driving innovation. This USSF move to integrate commercial space solutions into “hybrid architectures” will raise critical issues of “dual-use capabilities” facing cyber and counterspace threats from China and Russia across peacetime, crisis, and conflict.

The Good | U.S. Govt Sends Spyware Abusers, Cybercriminals, and Crypto Launderers to Court

The U.S. government this week took three decisive actions against cyber criminals: a visa ban on thirteen spyware makers and sellers, sanctions against four Iranian nationals for their roles in recent cyberattacks, and an official charge for two cryptomixers.

Following the February announcement to set visa restrictions on commercial spyware developers and vendors, the Department of State has cracked down on the first thirteen individuals and their families. Excluding visa applications in this case effectively bans those who are linked to such operations from entering the U.S. The abuse of spyware has been a rising issue in recent years as adversaries use it to target persons of interest such as journalists, human rights advocates, academics, and government employees.

Two front companies and four individuals were sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for their association to cyber activities supporting the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) over the span of five years. Collectively, the identified threat actors have targeted over a dozen U.S. organizations, including the U.S. government and defense contractors through spear phishing and malware attacks, compromising over 200,000 employee accounts.

Up to $10 Million Reward & Possible Relocation

These individuals conducted malicious cyber ops against U.S. firms and government agencies on behalf of Iran’s IRGC.

Threat actors consistently alter and develop their schemes in order to further escalate their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original RaaS agreements, especially as financial squabbles between threat actors emerge in the ransomware economy. The affiliates in such instances are starting to work with third-parties or external data leak services in order to re-extort victims who have already paid the ransom to the original attackers.

This blog post examines how affiliate attackers are embracing this new third-party extortion method, illustrated most recently by the ostensibly back-to-back cyberattacks on Change Healthcare and the emergence of services like RansomHub and Dispossessor.

ALPHV Exit Scam & Re-Extortion by RansomHub

In February 2024, a subsidiary of healthcare giant UnitedHealth Group (UHG) was forced to take down its IT systems and various services. The root of the disruption was a cyberattack by a BlackCat (aka ALPHV) affiliate on Change Healthcare, a healthcare technology platform used by the subsidiary.

Post-attack, ALPHV ransomware operators reportedly took down their data leak blog, servers, and operation negotiation sites, and failed to pay the affiliate their agreed share of the ransom.

Purportedly, Change Healthcare paid out the $22 million ransom demand, only to be targeted a second time just weeks after recovering from the initial attack. This time around, the ransomware attack was claimed by a threat actor working in conjunction with RansomHub, a new extortion group claiming to hold 4 terabytes of the victim’s sensitive data including personally identifiable information (PII) of active U.S. military personnel, patient records, and payment information.

Last week, PinnacleOne reviewed escalation dynamics in the Middle East.

This week, we turn our attention to domestic critical infrastructure with a look at recent developments in aviation cybersecurity.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: This email address is being protected from spambots. You need JavaScript enabled to view it.

Insight Focus | Aviation Cybersecurity

The aviation sector continues to face a complex and evolving cybersecurity threat landscape with nation-state actors, cybercriminal groups, and hacktivists targeting critical infrastructure. Last week, the FAA issued a ground stop order on Alaska Airlines for one hour due to an “upgrade issue with flight software that calculates weight and balance.” This follows a similar hour-long nationwide ground stop last year caused by a software update at United Airlines, a network-wide outage at WestJet caused by a service provider, and a ransomware breach at Sabre.

The Good | DoJ Indicts Cryptojacking Criminal and Botnet Operator Supporting Ransomware Actors

The DoJ doled out two indictments this week: the first announcing the arrest of Charles O. Parks III for his role in an elaborate cryptojacking scheme, the second, charging Alexander Lefterov, owner and operator of a major botnet.

Parks was charged with wire fraud, money laundering, and illegal transactions, tallying up to a maximum of 30 years in prison. According to the DoJ, the basis of Parks’ scheme was renting $3.5 million worth of cloud servers through a number of fake LLCs in order to mine nearly $1 million in cryptocurrency.

After tricking the cloud service providers (CSPs) into escalating his privileges, Parks was given access to services equipped with powerful graphics cards that were then used to mine Monero, Litecoin, and Ether. The mined funds were laundered through purchasing NFTs and converting them through traditional banks and various crypto exchanges to fund a lavish lifestyle.

Lefterov was indicted by a federal grand jury for aggravated identity theft, computer fraud, and conspiracy to commit wire fraud. Through the large-scale botnet he maintained, the Moldovan national and his associates have been linked to thousands of compromised computers across the U.S.

Using credentials harvested from the infected computers, Lefterov and his co-conspirators targeted victims’ financial accounts across banking, payment processing, and retail platforms to steal money. In tandem, Lefterov allegedly leased his botnet to other cybercriminals for ransomware distribution, later receiving a share of the profits from successful attacks.