It feels like action on the internet is on overdrive this month. Global unrest is definitely having repercussions in the cyber world. Read on for the articles our team has been passing around this month.
Lapsus$ Found a Spreadsheet of Passwords as They Breached Okta, Documents Show
The Lapsus$ hackers used compromised credentials to break into the network of authentication giant Okta. 366 of its corporate customers are affected by the breach, about 2.5% of its customer base. Documents obtained by Tech Crunch detail the compromise, which was traced to VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021.
According to the timeline, early on January 21 the hackers accessed a spreadsheet on Sitel’s internal network called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts exported from a Sitel employee’s LastPass password manager. The hackers used this information to create a new Sykes user account and add it to a user group called “tenant administrators,” which has broad access across the organization, most likely to establish a “backdoor” account to Sitel’s network that they could fall back on if they were later discovered and locked out.
“In recent weeks, the Lapsus$ hacking group has been all over the news, thanks to breaches involving Nvidia, Samsung, Ubisoft, Okta, and even Microsoft. This article is fascinating because it shows the type of information that can be tempting for threat actors. CounterCraft has been using fake spreadsheets with passwords as breadcrumbs since day one.” — Fernando, Founder
Source: Tech Crunch, March 28
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
The teams at Microsoft Security have been actively tracking a large-scale social engineering and extortion campaign by Lapsus$ against multiple organizations, some of which show evidence of destructive elements. As the campaign has accelerated, Microsoft’s teams have focused on detection, customer notifications, threat intelligence briefings, and sharing with industry partners to understand the actor’s tactics and targets.
DEV-0537, Microsoft’s name for Lapsus$, is known for a pure extortion and destruction model that does not deploy ransomware payloads. Interestingly, DEV-0537 does not seem to cover its tracks, instead announcing its attacks on social media or advertising its intent to buy credentials from employees of target organizations. DEV-0537 also uses several tactics that other threat actors tracked by Microsoft use less often: phone-based social engineering; SIM-swapping to facilitate account takeover; accessing the personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for credentials and multifactor authentication (MFA) approval; and intruding on the ongoing crisis-communication calls of their targets.
The social engineering and identity-centric tactics leveraged by DEV-0537 require detection and response processes similar to those of insider risk programs, but with the short response timeframes needed to deal with malicious external threats. Read Microsoft’s blog for the tactics, techniques, and procedures (TTPs) observed across multiple attacks and compromises, as well as risk mitigation strategies and recommendations.
“It’s interesting to note how some of the methods used to gain initial access are sometimes difficult to address with traditional security products, and wonderful to see how they fit with deception technology. The more human-based methods, including paying employees at targeted organizations or suppliers/partners, are really difficult to address, but having a minefield around the users will help to show them up. The reconnaissance methods, also, could have been a great point to detect the attack attempt and lure the attackers to the deception environment.” — A member of our threat intel team
Source: Microsoft, March 23
Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Symantec’s Threat Hunter team has uncovered the most advanced piece of malware ever seen from China-linked actors. It appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets. Backdoor.Daxin allows the attacker to perform various communications and data-gathering operations on the infected computer and has been used as recently as November 2021 by attackers linked to China. Daxin’s capabilities appear to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.
“This advanced malware uses some of the state-of-the-art techniques that CounterCraft has come across for persistence, exploring target environments and managing Command and Control routing so that detection is difficult. This ups the game for Blue teams as you have to spot and defend ultra stealthy opponents.” — Dan, Founder and CSO
Source: Symantec, March 2
Google Discovers Threat Actor Working as an ‘Initial Access Broker’ for Conti Ransomware Hackers
Google’s Threat Analysis Group has observed a financially motivated threat actor, which it refers to as “Exotic Lily,” working as an intermediary for the Russian hackers. The group acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim’s network, ransomware gangs like Conti can focus on the execution phase of an attack.
Initial access is gained through email campaigns in which the group masquerades as a legitimate organization and its employees through domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but with the top-level domain changed to “.us,” “.co” or “.biz.” To appear as legitimate employees, Exotic Lily set up social media profiles using AI-generated images of human faces.
“What is important in this attack (apart from demonstrating, once again, the level of professionalization the cybercrime industry has reached, where gangs exist just to sell hacked access to other gangs that actually execute the attacks) is that even if “Exotic Lily” gang performs their attacks through email campaigns, they take care to not only use spoofed domains that are nearly identical to the real ones, but also to set up social media profiles with AI-generated images of human faces to make them look more credible.” — Member of the development team
Source: Tech Crunch, March 18
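The TLD-swap lookalike domains described in the Exotic Lily item are straightforward to screen for at the mail gateway. Below is an added example (not code from the original post or from Google TAG) that checks From headers against a constructed allowlist of trusted domains; the domain names, the short public-suffix stand-in and the sample headers are all assumptions.

```python
# Added example (not Google TAG's or the post's own code): flag sender domains that
# imitate a trusted domain by swapping only the top-level domain / public suffix.
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed allowlist of domains the organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"examplecorp.com", "partner-logistics.net", "shipping.co.uk"}
# Stand-in for the Public Suffix List: multi-label suffixes a naive split would mishandle.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, public suffix), e.g. ('examplecorp', 'com')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""

def lookalike_of(sender_domain: str) -> Optional[str]:
    """Trusted domain that sender_domain imitates via a suffix swap; None if exact match or unrelated."""
    if sender_domain.lower() in TRUSTED_DOMAINS:
        return None
    name, suffix = split_domain(sender_domain)
    for trusted in TRUSTED_DOMAINS:
        t_name, t_suffix = split_domain(trusted)
        if name == t_name and suffix != t_suffix:
            return trusted
    return None

def scan_from_headers(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (sender address, imitated trusted domain) for each suspicious From header."""
    findings = []
    for header in headers:
        value = header.partition(":")[2] if header.lower().startswith("from:") else header
        _, addr = parseaddr(value)
        if "@" not in addr:
            continue  # malformed or empty address: nothing to compare
        imitated = lookalike_of(addr.rsplit("@", 1)[1])
        if imitated:
            findings.append((addr, imitated))
    return findings

SAMPLE_HEADERS = [  # constructed sample headers, not real messages
    "From: Jane Doe <jane.doe@examplecorp.com>",      # genuine
    "From: Jane Doe <jane.doe@examplecorp.us>",       # .com -> .us swap
    "From: Billing <billing@partner-logistics.biz>",  # .net -> .biz swap
    "From: News <news@unrelated-sender.org>",         # unrelated, not flagged
]
```

A production version would load the real Public Suffix List and feed the findings into the mail filter or SIEM rather than keeping a hard-coded set.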
Cybersecurity Firm Says Chinese Hackers Breached Six US State Agencies
Government agencies in at least six US states have been breached by a Chinese government-backed hacking group. The affected networks span “health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems,” according to the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA). The way in was a critical software flaw. The intrusions show how difficult it can be to keep state-backed hackers out of US networks, even when US officials are sounding the alarm about a potential threat, and are a reminder that foreign governments are not letting up in targeting US networks. The operation is believed to be espionage by China’s civilian intelligence agency.
“This article emphasizes how difficult it can be to keep state-backed hackers from accessing US networks — even as US officials are vocally warning against these potential threats. This backs what we are seeing on a daily basis. Deception can be a great tool against these kinds of APTs.” — Fernando, Founder
Source: CNN, March 9
Don’t miss next month’s roundup. Follow us on LinkedIn, Twitter, or sign up for our newsletter to stay in touch.