Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
This report uncovers a set of related threat clusters linked to PurpleHaze and ShadowPad operators targeting organizations, including cybersecurity vendors. In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze. At the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad operation. The affected organization was responsible for managing hardware logistics for SentinelOne employees at the time. A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities. The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025. The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors. We attribute the PurpleHaze and ShadowPad activity clusters with high confidence to China-nexus threat actors. We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174. This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors.
·sentinelone.com·
Official Root Cause Analysis (RCA) for SentinelOne Global Service Interruption
On May 29, 2025, SentinelOne experienced a global service disruption affecting multiple customer-facing services. During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data. We apologize for the disruption caused by this service interruption. The root cause of the disruption was a software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform. It was not a security-related event. The majority of SentinelOne services experienced full or partial downtime due to this sudden loss of network connectivity to critical components in all regions. We’d like to assure our commercial customers that their endpoints were protected throughout the duration of the service disruption and that no SentinelOne security data was lost during the event. Protected endpoint systems themselves did not experience downtime due to this incident. A core design principle of the SentinelOne architecture is to ensure protection and prevention capabilities continue uninterrupted without constant cloud connectivity or human dependency for detection and response – even in the case of service interruptions, of any kind, including events like this one.
·sentinelone.com·
Update on May 29 Outage
UPDATE 2 (7:41 PM UTC): Access to consoles has been restored for all customers following today’s platform outage and service interruption. We continue to validate that all services are fully operational.

UPDATE 1 (6:10 PM UTC): Services are actively being restored and consoles are coming online.

On May 29, 2025, SentinelOne experienced an outage that is impacting commercial customer consoles. The following message has been sent to all customers and partners. Communications are being updated in real time in our support portal and will be updated here as necessary.

We are aware of ongoing console outages affecting commercial customers globally and are currently restoring services. Customer endpoints are still protected at this time, but managed response services will not have visibility. Threat data reporting is delayed, not lost. Our initial RCA suggests this is not a security incident. We apologize for the inconvenience and appreciate your patience as we work to resolve the issue.
·sentinelone.com·
DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
The DragonForce ransomware group is targeting major UK retailers. Learn about this evolving threat and what steps can be taken to mitigate risk. In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions. DragonForce has previously been linked to a number of notable cyber incidents, including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia. In this post, we offer a high-level overview of the DragonForce group and discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.

Background

DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a pro-Palestinian, hacktivist-style operation; however, over time its goals have shifted and expanded. The modern-day operation is focused on financial gain and extortion, although it still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model: victims are threatened with data leakage via the group’s data leak sites, alongside reputational damage. Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices.

Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom. Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and the shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
·sentinelone.com·
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves. In recent months, SentinelOne has observed and defended against a spectrum of attacks, from financially motivated crimeware to tailored campaigns by advanced nation-state actors. These were real intrusion attempts against a U.S.-based cybersecurity company, but incidents such as these are neither new nor unique to SentinelOne. Recent adversaries have included:

* DPRK IT workers posing as job applicants
* ransomware operators probing for ways to access/abuse our platform
* Chinese state-sponsored actors targeting organizations aligned with our business and customer base
·sentinelone.com·
Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware
Kryptina's adoption by Mallox affiliates complicates malware tracking as ransomware operators blend different codebases into new variants. Kryptina evolved from a free tool on public forums to being actively used in enterprise attacks, particularly under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina. The affiliate made superficial changes to the source code and documentation, stripping Kryptina branding but retaining core functionality. The adoption of Kryptina by Mallox affiliates exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants.

* This original research was presented by the author at LABScon 2024 in Scottsdale, Arizona.
·sentinelone.com·