Lapsus$: From Flash in the Pan to Raging Fire

PLUS: Russia Drops the Cyber Hammer for the Sickle

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by Stairwell.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Raging Fire, Stable Diffusion

Teenage hackers have breached systems at Caesars Entertainment and MGM Resorts International, two large US resort, entertainment and gaming companies. These incidents showcase how hacking groups comprising young people using Lapsus$-style techniques are becoming one of the greatest cyber security threats to organisations.

Both hacks had significant impact.

Caesars Entertainment reportedly paid a ransom of USD 15m after the group stole personal information from its loyalty program database, including driver licence and social security numbers. The organisation’s SEC filing uses a form of words that we suspect will become standard when paying a data extortion ransom:

We have taken steps to ensure that the stolen data is deleted by the unauthorised actor, although we cannot guarantee this result.

In some respects, Caesars Entertainment got off lightly because it experienced very little business downtime.

By contrast, MGM Resorts, Nevada’s largest employer and the operator of more casinos on the Las Vegas Strip than any other company, suffered a series of crippling outages. These included doors and elevators not working, ATMs and its website going down, credit card payment facilities being unavailable and guests being unable to use their room keycards.

Media reporting and a statement from the ALPHV ransomware group said much of this disruption was caused by MGM Resorts’ own attempts to limit further compromise by preemptively shutting down systems.

Various media reports attribute these recent incidents to threat actors variously known as Scattered Spider, Muddled Libra, and UNC3944. The parties involved appear to be working with the ALPHV ransomware group.

These actors appear to be responsible for a large number of incidents. Crowdstrike told Reuters it has attributed 52 attacks globally to Scattered Spider (Crowdstrike's name for the group) since March 2022. Similarly, Mandiant told Reuters that it has attributed 100 intrusions in the last two years to UNC3944 (Mandiant's name). Mandiant's report on the 'threat cluster', released just over two weeks ago, says that UNC3944's targeting has expanded to "a wide range of industries including hospitality, retail, media and entertainment, and financial services".

Interesting reporting from CyberScoop attributes these recent breaches to multiple subsets of actors that have sprung out of an online community calling itself "the Com", as opposed to a single group with a fixed membership. The Com appears to be particularly nasty. Per CyberScoop:

The FBI has been involved in multiple investigations involving people associated with the Com for alleged violent activity, Vice reported in May. In a May 2023 affidavit, an FBI agent described the Com as a "group of cyber-criminal actors" that is "geographically diverse" and organises in various subgroups to "engage in various types of criminal activity to include cyber intrusions, SIM swapping, cryptocurrency theft, commissioning real life violence, and Swatting," the practice of sending armed emergency response teams to a victim’s location under false pretences.

The Com ecosystem also had links to the Lapsus$ group, a loosely affiliated group of teenage hackers that was so outrageously successful that it was the subject of a Cyber Safety Review Board (CSRB) report released late last month.

Mandiant's report into the tactics used by UNC3944 describes brutally efficient operations:

UNC3944 relies heavily on social engineering to obtain initial access to its victims. They frequently use SMS phishing campaigns and calls to victim help desks to attempt to obtain password resets or multifactor bypass codes.

The threat actors used commercial residential proxy services to access their victims from the same local area to fly under the radar of security monitoring tools.

The threat actors consistently use legitimate software, including a variety of remote access tools the actors have downloaded from the vendor websites.

The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over the course of a few days. The tempo and volume of systems UNC3944 accesses can overwhelm security response teams.

Once obtaining a foothold, UNC3944 often spends significant time searching through internal documentation, resources, and internal chat logs to surface information that could help facilitate escalating privileges and maintaining presence within victim environments.

UNC3944 often achieves privilege escalation by targeting password managers or privileged access management systems.

These recent incidents show that Lapsus$ wasn't a flash in the pan. Instead, it represented a breakthrough in the techniques threat actors use to overcome standard cyber security practices. These practices are no longer fit for purpose.

For example, attackers used the "Bring Your Own Identity Provider" method we wrote about earlier this month in the MGM Resorts incident. In this attack, the Com hackers acquired Okta Super Administrator account credentials (probably by phishing) and then convinced the MGM Resorts help desk to reset Multi-Factor Authentication (MFA) options. The attackers then used legitimate functionality to enable further follow-on actions.

One policy that would have stopped this attack would be to prevent help desk staff from resetting Super Administrator MFA. This seems blindingly obvious in retrospect, but hadn't previously been a widely exploited loophole.

And although Lapsus$ itself was bad enough, teenage hackers’ collaboration with global ransomware crews is even more worrying. While several individuals involved in Lapsus$ have been arrested and the authorities are pursuing the MGM Resorts and Caesars Entertainment attackers, we don’t think this will deter other teenage hackers. Part of the CSRB's Lapsus$ report dealt with juvenile cybercrime prevention programs, which certainly seem like a good idea but won't yield any immediate benefits.

Our advice is to (re-)read the Lapsus$ report and harden your identity procedures and policies.

Russia Drops the Cyber Hammer for the Sickle

Ukraine's cyber security organisation, the SSSCIP, has identified some new behaviour in its review of Russian cyber tactics over the first half of 2023.

One new trend is what the report describes as "sustained interest" in Ukrainian law enforcement agencies. The SSSCIP believes the goal here is to find out what evidence Ukraine has regarding Russian war crimes and also to understand what information Ukraine has about Russian spies operating in the country.

The report found Russia was more frequently directing cyber operations at the Ukrainian private sector to enhance the monitoring of the outcomes of its kinetic operations, including missile and drone attacks.

This is in contrast to Russia's previous 'kitchen sink' approach of launching both destructive conventional and cyber attacks against critical infrastructure. There was also a shift to gathering intelligence about the Ukrainian supply chain.

These are all more sensible uses of cyber operations and attempt to complement rather than duplicate other capabilities.

Russian threat actors are also focusing on immediate data exfiltration, dumping as many as 21,000 documents and browser credentials within the first 30 minutes after gaining access. After stealing that data, they try to take advantage of established trust relationships by sending malware via email, for example.

The SSSCIP believes this is because Ukrainian detection and response times have improved so much that the Russians don't have time for lateral movement before they are booted off networks.

Another interesting aspect is the Russian focus on the media sector. This primarily targets individuals and journalists and the SSSCIP says "the goal behind these attacks is to gain control over media resources and accounts, intending to employ them for disinformation campaigns and influence operations".

The report highlights a number of other trends, including more phishing attacks, less malware, more 'living off the land' (abusing legitimate tools already present in the host environment), ongoing targeting of email servers and revisiting previous victims.

Microsoft Security Culture… Still Sucks

The week after we wrote that Microsoft's security culture isn't up to scratch, cloud security firm Wiz discovered a 38TB data leak from the company.

The leak happened because of a misconfigured Azure Shared Access Signature (SAS) token. Mistakes happen, but the architectural decisions here are mind-blowing. Per Wiz's blog:

Generating an Account SAS is a simple process… [T]he user configures the token’s scope, permissions, and expiry date, and generates the token. Behind the scenes, the browser downloads the account key from Azure, and signs the generated token with the key. This entire process is done on the client side; it’s not an Azure event, and the resulting token is not an Azure object.

Because of this, when a user creates a highly-permissive non-expiring token, there is no way for an administrator to know this token exists and where it circulates. Revoking a token is no easy task either — it requires rotating the account key that signed the token, rendering all other tokens signed by the same key ineffective as well. These unique pitfalls make this service an easy target for attackers looking for exposed data.

Besides the risk of accidental exposure, the service’s pitfalls make it an effective tool for attackers seeking to maintain persistency on compromised storage accounts. A recent Microsoft report indicates that attackers are taking advantage of the service’s lack of monitoring capabilities in order to issue privileged SAS tokens as a backdoor. Since the issuance of the token is not documented anywhere, there is no way to know that it was issued and act against it.

Yikes. Patrick, Adam and guest Lina Lau discussed this on last week's Risky Business podcast.
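The pitfalls Wiz describes can be checked mechanically whenever a SAS URL turns up in a repository, a ticket or a config file: is it an account-level token, does it grant more than read, and how far away is its expiry. The audit below is an added example, not code from Wiz or Microsoft; the storage account name and both URLs are constructed, and the RISKY_PERMS set and the seven-day MAX_LIFETIME threshold are assumptions to tune for your environment.

```python
"""Flag Azure SAS URLs that match the Wiz pitfalls: account-scoped, broad
permissions, long or missing expiry.  Sample URLs below are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Permission letters that let a holder change or enumerate data, not just read it
# (w=write, d=delete, l=list, a=add, c=create, u=update).  Assumed policy choice.
RISKY_PERMS = set("wdlacu")
MAX_LIFETIME = timedelta(days=7)  # assumed: anything longer needs a justification

NOW = datetime(2023, 9, 20, tzinfo=timezone.utc)  # fixed clock for the sample run

# Constructed sample URLs (account name and signatures are placeholders).
ACCOUNT_SAS = ("https://exampleacct.blob.core.windows.net/?sv=2021-06-08&ss=b&srt=sco"
               "&sp=rwdlac&se=2051-10-01T00:00:00Z&spr=https&sig=PLACEHOLDERSIG%3D")
READ_ONLY_SAS = ("https://exampleacct.blob.core.windows.net/reports/q3.pdf"
                 "?sv=2021-06-08&sp=r&se=2023-09-25T00:00:00Z&sig=PLACEHOLDERSIG%3D")


def audit_sas(url: str, now: datetime = NOW) -> list[str]:
    """Return human-readable findings for one SAS URL; an empty list means
    nothing notable.  Non-SAS URLs (no 'sig' parameter) also return []."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings: list[str] = []
    if "sig" not in q:
        return findings
    # 'srt' (resource types) only appears on an Account SAS, i.e. a token signed
    # directly with the account key; revoking it means rotating that key.
    if "srt" in q:
        findings.append("account-level SAS (signed with the account key)")
    risky = set(q.get("sp", "")) & RISKY_PERMS
    if risky:
        findings.append("write/list permissions: " + "".join(sorted(risky)))
    expiry = q.get("se")
    if expiry is None:
        # Expiry may live in a stored access policy (si=...), which the URL
        # alone cannot show; treat as a finding and check the policy.
        findings.append("no expiry in URL")
    else:
        exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if exp.tzinfo is None:  # 'se' may be a bare date such as 2051-10-01
            exp = exp.replace(tzinfo=timezone.utc)
        if exp - now > MAX_LIFETIME:
            findings.append(f"expires in {(exp - now).days} days")
    return findings


if __name__ == "__main__":
    for u in (ACCOUNT_SAS, READ_ONLY_SAS):
        print(u.split("?")[0], audit_sas(u) or "ok")
```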

Three Reasons to be Cheerful this Week:

  1. Regional effort to tackle Asian scam networks: China, the United Nations, and ASEAN are joining forces to crack down on cyber-enabled scams including what is known as 'pig butchering'. [Additional coverage in the South China Morning Post]
  2. Hunt Forward the new norm: The UK government has admitted that it too conducts "hunt forward" operations. These are operations that find and disrupt adversary activity on partner networks and were pioneered by US Cyber Command. The Record has an interview with Lt. Gen. Tom Copinger-Symes, deputy commander of the UK's Strategic Command about the UK's hunt forward and other cyber operations.
  3. Blocking outbound NTLM hashes: Microsoft has announced that Windows 11 will soon block the sending of NTLM over remote outbound connections. This should stop remote attackers from tricking Server Message Block (SMB) clients into sending them a relatively easy-to-crack NTLM authentication hash.

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Stairwell Principal Reverse Engineer Silas Cutler about Akira's recent server leak and attacker infrastructure.

Deduplicating Cyber Incident Reporting

The Record has a good account of a US Department of Homeland Security (DHS) document released last week on harmonising cyber incident reporting to the federal government. Already there are 45 cyber incident reporting requirements across 22 federal agencies, with more proposed, yet some of the requirements are just duplicates of others rather than providing more necessary information.

The document pretty sensibly suggests rationalising these requirements and having clear and shared definitions for timelines and triggers. It suggests that a single incident reporting portal could be developed. Pretty sensible stuff.

Reducing Hardware Supply Chain Risk

The US Cybersecurity and Infrastructure Security Agency released its first version of the Hardware Bill of Materials (HBOM) framework. It's meant to mitigate supply chain risks for hardware products. Risky Business News has more coverage.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion, Tom Uren and The Grugq examine how US and UK strategies to use cyber power differ but are in some ways mirror images of each other.

From Risky Biz News:

China admits NSA hacked Huawei: China's Ministry of State Security (MSS) published an extremely rare official statement on its WeChat account last week formally accusing the US National Security Agency of hacking and maintaining access to servers at Huawei's headquarters since 2009.

The statement is the first time the Chinese government has confirmed the NSA's Huawei hack—first reported by the New York Times and Der Spiegel back in 2014.

The MSS statement doesn't go into any technical details about the actual hacking but merely recycles information from the NYT and Spiegel reports and the Snowden leaks. It does, instead, spend a lot of time accusing the US of using (and I kid you not) "the despicable tactics of the 'Matrix' to maintain a 'cyber hegemony'."

[more on Risky Business News]

Lazarus steals $54 million from CoinEx crypto-exchange: North Korean hackers known as the Lazarus Group have stolen $54 million from the CoinEx cryptocurrency exchange.

The hack took place on Tuesday, September 12. In a statement, CoinEx said the hackers identified a leak of some of its private keys and used them to steal Ether, Tron, and Matic assets from some of the company's hot wallets.

The company didn't formally link the hack to North Korea, but a blockchain investigator named ZachXBT found that some of CoinEx's stolen funds were sent to the same address that is storing funds stolen from the recent hack of the crypto-gambling site.

[more on Risky Business News]

FSB agent detained: Russian authorities have arrested an FSB officer from the city of Perm for taking a bribe from a hacking group to arrange their release from prison and dismissal of their criminal case. The bribe was 100 million rubles, representing more than $1 million. The officer was detained in April this year, and his detention has been extended until November. The name of the criminal gang who paid the bribe is unknown. The gang was detained in February 2022, and it is not related to the REvil and Infraud arrests that took place at the time (likely related to this US case). [h/t Oleg Shakirov; Additional coverage in Kommersant]