
In the firing line: SentinelOne reveals it is a priority target for hackers

Cyber criminals and nation-state hackers alike have the cyber security firm in their sights, and the company is not alone.


Cyber security firm SentinelOne has shared details of a wide range of malicious cyber campaigns it has been the target of, highlighting the increasingly adversarial nature of operating as a security vendor.

The company has, in fact, drawn the attention of many different forms of threat actors in recent months, including being the target of a North Korean fake IT worker scam, in addition to ransomware operators and Chinese-backed hackers targeting its customer base.

“Talking about being targeted is uncomfortable for any organisation. For cyber security vendors, it’s practically taboo. But the truth is security vendors sit at an interesting cross-section of access, responsibility, and attacker ire that makes us prime targets for a variety of threat actors, and the stakes couldn’t be higher,” SentinelOne said in a recent blog post.

“When adversaries compromise a security company, they don’t just breach a single environment – they potentially gain insight into how thousands of environments and millions of endpoints are protected.”

DPRK workers

Fake IT scam campaigns, where agents working for the Democratic People’s Republic of Korea (DPRK) take up dozens of remote jobs in order to channel their wages to the North Korean government, are nothing new, but it’s worth noting that even cyber security companies are not immune.

SentinelOne's approach has been to bring its hiring teams into the investigation, so that suspicious applications are filtered out early in the recruiting process. Monitoring of suspect applicants was proactive and targeted, allowing SentinelOne to observe the DPRK operatives' tradecraft in action.

“A key takeaway in working on this investigation was the value of intentionally creating inroads and sharing threat context with different teams not normally keyed into investigations,” SentinelOne said.

“Rather than cluelessness, we encountered an intuitive understanding of the situation as recruiters had already been filtering out and reporting ‘fake applicants’ within their own processes.”

According to SentinelOne, combating this growing threat requires working with the entire business, from sales to recruiting. Once those other teams were brought in, the anomalies that pointed to fake workers became easier to spot.

Ransomware smarts

Something else that SentinelOne has observed is that ransomware operators are ready and willing to acquire access to endpoint detection and response platforms from all the major vendors – SentinelOne included.

Once this access is gained – whether via criminal access brokers or posing as legitimate companies to purchase access – ransomware operators are able to change configurations and minimise detection chances, as well as test their malware against the software of their most common opponents.

None of this is new, but the ways in which attackers obtain that access are growing in sophistication.

“Recent leaks related to Black Basta further underscore this trend,” SentinelOne said.

“The group’s operators were observed testing across multiple endpoint security platforms – including SentinelOne, CrowdStrike, Carbon Black, and Palo Alto Networks – before launching attacks, suggesting a systematic effort to evaluate and evade security tools prior to deployment.”

One of the lessons SentinelOne learnt through this is the importance of bringing all aspects of the sales process under the security umbrella. Engaging with resellers, for instance, allows for visibility of questionable sales requests.

“Across every function – whether it’s HR, sales, engineering, or security – cyber threat intelligence is no longer a backroom function,” SentinelOne said.

Nylon Typhoon

While the name may not inspire confidence, this Chinese hacking group has also been observed targeting SentinelOne and a company that is part of its logistics supply chain.

This same actor has also targeted a government in South Asia, attempting to deploy a Windows backdoor written in the Go programming language.

“This adversary is known for its global targeting of critical infrastructure sectors, such as telecommunications, information technology, and government organisations – victimology that aligns with our multiple encounters with PurpleHaze,” SentinelOne said.

A second Chinese threat cluster, this one deploying the ShadowPad backdoor, was also observed targeting the same logistics firm, though no intrusion into SentinelOne's own network infrastructure was detected.

“Nevertheless, this case underscores the fragility of the larger supplier ecosystem that organisations depend upon and the persistent threat posed by suspected Chinese threat actors, who continuously seek to establish strategic footholds to potentially compromise downstream entities,” SentinelOne said.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
