TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #48
Events for the week of June 10th, 2024
The crucial five strategic threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions!
1. White House report dishes deets on all 11 major government breaches from 2023
Overview: The number of cybersecurity incidents reported by US federal agencies rose 9.9 percent year-on-year (YoY) in 2023 to a total of 32,211, per a new White House report, which also spilled the details on the most serious incidents suffered across the government. Of the total number of incidents, the majority (38 percent) were classed as "improper usage," meaning a system was used in a way that violated the agency's acceptable use policies. The report stated that agencies have the capability to detect when security policies are being violated, but not the ability to prevent it from actually happening.
Area of Impact: General knowledge of governmental breaches for 2023 for all infosec professionals, recommended read for anyone involved with DFIR.
TRIAGE: The graphic breaking down attacks between FY 2022 and FY 2023 would be useful to report in a general threat sharing/threat intelligence briefing for all organizations. The two easy takeaways from this report are that phishing, as the 2nd largest attack vector, is still a very prominent issue everywhere, and that improper use, at over 1/3 of the total incidents, is the reason we need to continue to chase security awareness training with all employees. Neither of these problems appears to really be “fixable” long term, as we have had training on both for many years now without major changes in overall impact.
2. Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
Overview: Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims.
Area of Impact: More details around the actual attack should be used as discussion points for all security teams trying to protect their orgs from attack and from 3rd party threats.
TRIAGE: The debate between the attackers, the DFIR firms called in to assist and the affected organizations continues to unfold as different groups release details and those details are then denied or confirmed. The biggest takeaway from all of this, outside of the awareness of how complicated an attack can get when it involves multiple 3rd party suppliers with system level access, is to look deeper at software supply chain security and at defense-in-depth controls like MFA for all accounts. This also potentially involved an ex-employee account without proper cleanup and protections, so this is just as much an IAM and GRC discussion as it is a technical discussion for your engineering and operations teams.
3. Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested
Alt Source: Suspected 'Scattered Spider' hacker, 22, reportedly arrested in Spain
Overview: A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years. “He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds,” Murcia Today wrote. “According to Palma police, at one point he controlled Bitcoins worth $27 million.”
Area of Impact: More positive news on the law enforcement front in taking down members of threat groups.
TRIAGE: The more distributed nature of this threat group, as compared to, say, a state-sponsored Russian APT, makes detecting individuals specifically tied to the group and targeting them with law enforcement actions a bit more challenging. I have said it recently, tied to other law enforcement actions, but it seems like we are seeing an uptick in recent moves to actual arrests. Hopefully this adds some level of pressure on threat group actors over their actions and the probable repercussions if they are detected and identified.
4. Former IT employee gets 2.5 years for wiping 180 virtual servers
Overview: A former quality assurance employee of National Computer Systems (NCS) was sentenced to two years and eight months in prison for reportedly deleting 180 virtual servers after being fired. Nagaraju Kandula, 39, pleaded guilty to deleting the virtual servers in an attempt to sabotage the firm's systems out of spite for getting fired from NCS, causing damages estimated at $678,000.
Area of Impact: Perfect example for IAM teams on why we need to track and invalidate all ex-employee accounts and admin level accounts they also could use for remote access.
TRIAGE: This would make a perfect security tabletop scenario if you need a different subject than the 12th tabletop on ransomware in a row. As I noted, it is a perfect example to use for insider threat and for why policies need to exist in all orgs to handle employees with elevated rights and their accounts after leaving the organization, no matter how that happens. Individuals set up with system admin level rights should be flagged for increased monitoring around the time of departure, whether that was by choice or by termination.
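Items 2 and 4 above come down to the same two controls: accounts tied to departed employees and contractors get disabled on time, and every account that stays enabled has MFA. The following script is an added example and not code from this newsletter or from any of the organizations mentioned. It reconciles a constructed HR departure list against a constructed account inventory (the field names `owner_id`, `privileged` and `has_mfa` are assumptions about what a directory export would provide) and reports four findings: departed owners whose accounts are still enabled, logons after the departure date, enabled accounts without MFA, and privileged accounts inside a watch window around a departure.

```python
"""Offboarding and MFA reconciliation check (added example; all sample data is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    owner_id: str            # HR employee id or contractor id the account belongs to (assumed field)
    enabled: bool
    privileged: bool         # holds a system-admin level role (assumed field)
    has_mfa: bool            # MFA enrolled on the account (assumed field)
    last_logon: Optional[date]


@dataclass
class Departure:
    owner_id: str
    departure_date: date
    reason: str              # "terminated", "resigned" or "contract_ended"


def review_accounts(accounts: List[Account], departures: List[Departure],
                    today: date, watch_window_days: int = 14) -> Dict[str, List[str]]:
    """Cross-reference the account inventory with HR departures; return usernames per finding."""
    by_owner = {d.owner_id: d for d in departures}
    findings: Dict[str, List[str]] = {
        "stale_enabled": [],         # owner has departed but the account is still enabled
        "post_departure_logon": [],  # activity recorded after the departure date
        "no_mfa": [],                # enabled account without MFA, departed owner or not
        "watch_privileged": [],      # admin account within the watch window of a departure
    }
    for acct in accounts:
        if acct.enabled and not acct.has_mfa:
            findings["no_mfa"].append(acct.username)
        dep = by_owner.get(acct.owner_id)
        if dep is None:
            continue
        if acct.enabled and dep.departure_date <= today:
            findings["stale_enabled"].append(acct.username)
        if acct.last_logon is not None and acct.last_logon > dep.departure_date:
            findings["post_departure_logon"].append(acct.username)
        # Flag admins shortly before and after departure, whatever the reason for leaving.
        if acct.privileged and abs((dep.departure_date - today).days) <= watch_window_days:
            findings["watch_privileged"].append(acct.username)
    return findings


# Constructed sample data: one fired admin, one resigning admin, one expired vendor service
# account, one current employee and one already-disabled account.
TODAY = date(2024, 6, 14)
SAMPLE_DEPARTURES = [
    Departure("E100", date(2024, 6, 1), "terminated"),
    Departure("E200", date(2024, 6, 20), "resigned"),
    Departure("C300", date(2024, 5, 15), "contract_ended"),
]
SAMPLE_ACCOUNTS = [
    Account("qa-admin01", "E100", True, True, True, date(2024, 6, 5)),
    Account("jdoe", "E200", True, True, True, date(2024, 6, 13)),
    Account("svc-vendor-sync", "C300", True, False, False, date(2024, 6, 10)),
    Account("asmith", "E400", True, False, True, date(2024, 6, 14)),
    Account("old-contractor", "C500", False, False, False, None),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed data."""
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_DEPARTURES, TODAY)


if __name__ == "__main__":
    for category, users in run_sample().items():
        print(f"{category:22s} {', '.join(users) or '-'}")
```

Run it as-is to see the report for the constructed data; in practice the two lists would be loaded from an HR feed and a directory export, and the `stale_enabled` and `post_departure_logon` findings are the ones an IAM team should treat as incidents rather than hygiene items.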
5. Two major Microsoft security events:
Microsoft shelves Recall feature release after security uproar
Overview: Microsoft will not release its controversial Recall feature next week after backlash from security researchers and privacy experts. Recall was slated to be released on June 18 as part of a new line of Windows 11 Copilot+ devices. The feature allows the device to screenshot every action a person takes on their PC and was initially hailed by the tech giant as a way to “recreate moments from the past.”
Microsoft in damage-control mode, says it will prioritize security over AI
Overview: Microsoft is pivoting its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be "more important even than the company’s work on artificial intelligence." Satya Nadella, Microsoft's CEO, "has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security," Smith told Congress. His testimony comes after Microsoft admitted that it could have taken steps to prevent two aggressive nation-state cyberattacks from China and Russia.
Area of Impact: All organizations using Microsoft operating systems are affected by major OS changes or improvements such as the new Recall solution when it was first proposed. Everyone on the security team needs to be aware of systems like this and how they will demand attention and protections if pushed forward without built-in security configurations and controls.
TRIAGE: The second story above is very closely tied to the first: the announcement of Recall and the massive public backlash from the infosec community that led to Microsoft pulling its release plans. Microsoft also admitted that security configurations need to be added for encryption by default/at rest and MFA for accessing the software in the first place. They originally stated they were officially focusing on security back in the late 2000s and have now had to double down on that plan after the recent attacks and missteps. It seems like the “focus on security” 15 years ago was not anywhere near as in-depth as it should have been, as everyone in the infosec industry can easily agree, considering the lack of maturity in the space around their systems in general.