Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
eSentire Warns Ukraine & its Western Allies of Conti’s Long History of Disrupting Critical Infrastructure. Could Conti Be the Perpetrator Who Attacked 3 Oil Storage & Transport Companies in January?
On February 25, one day after Russia’s full-scale invasion into the Ukraine, the notorious Conti Ransomware Gang (formerly known as Ryuk) posted a warning on their data leak site declaring its support for Russia, stating if anyone organized a cyberattack or any war activities against Russia, they would use “all possible resources to strike back at the critical infrastructures of an enemy.” Later that evening, Conti revised its message slightly proclaiming how they condemned the ongoing war, and yet they would use their full capacity to retaliate if there were any attempts to target critical infrastructure in Russia or any Russian-speaking region of the world. On February 27, someone leaked 60,000 chat logs and financial data pertaining to Conti’s activities between January 29, 2021, and February 27, 2022. It is now suspected that it was a Ukrainian security researcher who leaked the data. As a result, some security researchers reported on March 3 that some of Conti’s back-end infrastructure has been taken down by the Conti operators. This doesn’t come as a surprise to eSentire’s security research team, the Threat Response Unit (TRU) because many of the IP addresses for Conti’s servers were shared in the leaked chats. However, the Conti Gang is highly skilled, they are seasoned ransomware operators, they have deep pockets, and several members appear to maintain good relationships with representatives from the U.S. judicial system and the Russian government. See Image 1 and 2.
Image 1—Chat between Conti Operator Mango describing his connections with the Russian community in Brooklyn, NY including a major court judge and a lawyer.
Image 2: Chat between Conti Gang members, Mango and Professor, discussing tracking those who are against the Russian Federation and Mango asking if they are supporting Russia.
Even if the Conti operators dismantle portions of their infrastructure and even go as far as to shut down their operation, TRU believes that they will simply reactivate their operation with new infrastructure and give their Ransomware as a Service a new name. eSentire continues to warn the Ukraine and its Western Allies that if Conti Gang members, loyal to Russia, want to seriously disrupt businesses and critical infrastructure organizations, they certainly possess the skills, the tools and the experience to do so. Conti has a long track record of seriously disrupting critical services, and the threat group continues to target critical infrastructure, in addition to other businesses key to the supply chain. Many security researchers believe Conti first came on the ransomware scene in 2018 under the name of Ryuk. However sometime in 2020, it is believed that the threat actors running Ryuk either split into two groups, rebranded or decided to begin using the “Conti” name. It is also interesting to note that the Conti ransomware code is extremely similar to the Ryuk code base. In addition, the initial Conti ransom note to victims used the same template utilized by Ryuk in earlier attacks.
TRU reports that from November 27, 2021, to February 27, 2022, the Conti Gang claims to have compromised 50+ new victims, and two-thirds of the organizations are based in Europe and the U.K. The remaining victims are in the U.S., Canada, Australia and New Zealand. Most disturbing is a notification that Conti posted on their leak site on February 7, 2022, where they stated they had compromised international terminal operator, SEA-Invest. The Belgium-based company operates terminals in 24 seaports across Europe and Africa, handling liquid bulk (oil and gas), fruit & food, breakbulk, and dry bulk. SEA-Invest reported they had suffered a cyberattack against their IT networks on Sunday, January 30. They said that “all 24 of the seaports they run across Europe and Africa were affected by the attack,” according to the BBC. In TRU’s experience, they have never seen a top ransomware gang claim to have compromised a victim when they have not.
Coincidentally, during the same January 28 weekend, three other large international oil storage/transport companies reported being hit by a significant cyberattack which disrupted their IT systems. The three victims include the Germany-based sister companies, Oiltanking Deutschland GmbH and Mabanaft Deutschland GmbH, and the Netherlands-based company, Evos. News articles chronicling the attack said that Oiltanking’s 11 German terminals were operating at "limited capacity,” and as a result of the attack, it shut down Oiltanking’s loading and unloading process. The loading and unloading process of oil is computerized and it is not possible to shift back to manual controls. Oiltanking Deutschland GmbH supplies 26 companies in Germany with fuel, including 1,955 Shell gas stations. Reuters reported that Shell Deutschland GmbH had been able to “re-route to alternative supply depots” during the attack. However, Oiltanking Deutschland said it had declared “force majeure” because its German terminals were operating on a limited basis. The activation of “force majeure” excuses a company from meeting contractual obligations in an extraordinary event that is beyond its control.
Mabanaft Deutschland GmbH is the leading independent importer and wholesaler of petroleum products in Germany. Press reports said It also declared “force majeure” because the majority of its inland supply activities in Germany were affected. Aral, the largest petrol station network in Germany with around 2,300 stations, said during the incident they began “supplying its stations from alternative sources in light of the disturbance, “ according to a spokesperson for its owner British Petroleum PLc.
To add fuel to the fire, during the same January weekend Netherlands-based Evos, which stores, handles and distributes oil and gas, confirmed in early February that their IT network also got hit by a cyberattack. One news report stated that a spokesperson for Evos claimed that the cyberattack on their IT systems affected its IT services at terminals in Terneuzen, Ghent and Malta and have "caused some delays in execution".
Rob McLeod, VP of eSentire’s Threat Response Unit (TRU) research team, wonders if the cyberattacks that hit Oiltanking, Mabanaft and Evos weren’t also ransomware attacks, and if they weren’t perhaps carried out by the Conti Ransomware Gang? “Conti claimed to have attacked SEA-Invest and during the same weekend, three other oil storage and transportation companies, in the same general region of Europe, get hit by a serious cyberattack,” said McLeod. “The timing is uncanny, and it is plausible that the Conti Ransomware Gang could be behind these latter attacks.” The reasons include:
Image 3. A graphic representation of a simplified kill chain and the specialists involved in a Ransomware-as-a-Service operation, such as Conti.
"As history shows, the Conti threat actors have no compunction about attacking critical infrastructure and seriously disrupting healthcare services, city and county residential programs, school systems, emergency services and oil and gas distribution. Companies and organizations must be prepared to combat these very serious ransomware threats, especially in light of the conflict raging between Russia and Ukraine," said Keplinger. "That requires approaching security as an arms race, in which technology of opposing interests are continually evolving in response to each other. Organizations need to monitor the threat landscape to see what threat actors are doing, assess gaps in their security as they pertain to the latest evasion techniques, and address those gaps through direct implementation – and all three of these processes must be ongoing. The eSentire TRU accomplishes this through the Threat Intelligence team and the Tactical Threat Response team."
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more about how we protect legal firms globally? Connect with an eSentire Security Specialist.