Tag: tactics, techniques and procedures (TTPs)

SAN FRANCISCO – Picus Security has used its pioneering Breach and Attack Simulation (BAS) technology to run over 14 million simulated attacks, and in a published report has noted four “impossible tradeoffs” for security teams. According to the analysis performed by Picus Security, only 6 out of every 10 cyber attacks are prevented statistically by organizations. Trying to shore up defenses against these kinds of attacks put cybersecurity teams in a situation where they must...

Black Hat, Breach and Attack Simulation (BAS), continuous threat exposure management (CTEM), Cybersecurity, Picus Security, Security, Suleyman Ozarslan, tactics, techniques and procedures (TTPs)

Read Full Article

Identity-based security threats are growing rapidly: report

Cybercriminals are increasingly using compromise methods that grant “legitimate” access to target systems, making them harder to detect.

The most dangerous cybersecurity threat of the moment is an attacker with access to legitimate identity information for a given system, according to a report issued today by endpoint security and threat intelligence vendor CrowdStrike.

According to the report, interactive intrusions (which the company defines as those in which an attacker is working actively to accomplish some illicit end on a victim's system), are increasingly implemented using strategies that involve compromised identity information for access to a target. During the past year, both government-backed and organized crime hacking groups have raised their game with improved phishing techniques and social engineering "tradecraft."

"The biggest trend that we've seen is that everything is moving towards identity," said Adam Meyers, head of intelligence at CrowdStrike. "80% of attacks involved identity and compromised credentials."

Those credentials can be compromised in the traditional way, using email phishing and social engineering, or they can be purchased on the dark web, sourced from other types of compromised systems. Once they have access to a target system, cybercriminals use a range of techniques to achieve their ends, and the report said that the use of remote monitoring and management software is sharply on the rise.

"Threat actors understand that there are security tools out there that impede the way they operate," noted Meyers. "So they're trying to use techniques that don't trigger that security." Compromised login IDs are hard to detect, and must generally be discovered by monitoring for unusual account behavior.

A move away from what he described as a "Microsoft monoculture" in the enterprise would be a positive step toward stemming the current flow of identity based attacks, Meyers said.

"Organizations have gone all in with Microsoft, they have good OSes and productivity suites, but a history of poor security," Meyers said.

In particular, Kerberos-based attacks against Windows systems have been on the rise, according to CrowdStrike. The technique of "Kerberoasting" (compromising a Kerberos ticket by cracking its encryption offline) has been particularly successful of late, since Windows uses Kerberos as a key authentication method.

The report also includes information about the growing cloud-based threat posed by the use of privilege escalation tools like LinPEAS, which can be used to enumerate information about a cloud environment, including metadata, network attributes and even security credentials, depending on the service provider and its configuration. CrowdStrike recommends applying on-premises security techniques to all cloud workload instances, including restricting outbound connections from those instances to whitelisted addresses.

Lapsus$ hackers took SIM-swapping attacks to the next level

The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture.

Reviewing the group’s operations started in December last year following a long trail of incidents attributed to or claimed by Lapsus$ after leaking proprietary data from alleged victims.

Among high-profile companies impacted by Lapsus$ are Microsoft, Cisco, Okta, Nvidia, T-Mobile, Samsung, Uber, Vodafone, Ubisoft, and Globant.

Lapsus$ is described as a loosely-organized group formed mainly of teenagers, with members in the U.K. and Brazil that acted between 2021 and 2022 for notoriety, financial gain, or for fun. However, they also combined techniques of various complexity with “flashes of creativity.”

The Department of Homeland Security (DHS) Cyber Safety Review Board (CSRB) finalized its analysis and describes the group’s tactics and techniques in a report that also includes recommendations for the industry.

“Lapsus$ employed low-cost techniques, well-known and available to other threat actors, revealing weak points in their cyber infrastructure that could be vulnerable to future attacks” - Department of Homeland Security Cyber Safety Review Board.

The group used SIM swapping to gain access to a target company’s internal network and steal confidential information like source code, details about proprietary technology, or business and customer-related documents.

In a SIM-swapping attack, the threat actor steals the victim’s phone number by porting it to a SIM card owned by the attacker. The trick relies on social engineering or an insider at the victim’s mobile carrier.

With control over the victim’s phone number, the attacker can receive SMS-based ephemeral codes for two-factor authentication (2FA) required to log into various enterprise services or breach corporate networks.

In the case of Lapsus$, some of the fraudulent SIM swaps were performed straight from the telecommunications provider’s customer management tools after hijacking accounts belonging to employees and contractors.

To obtain confidential information about their victim (name, phone number, customer proprietary network information), members of the group sometimes used fraudulent emergency disclosure requests (EDRs).

An attacker can create a fake EDR by impersonating a legitimate requestor, such as a law enforcement agent, or by applying official logos to the request.

Lapsus$ also relied on insiders at targeted companies, employees, or contractors, to obtain credentials, approve multi-factor authentication (MFA) requests, or use internal access to help the threat actor.

“After executing the fraudulent SIM swaps, Lapsus$ took over online accounts via sign-in and account recovery workflows that sent one-time links or MFA passcodes via SMS or voice calls” - Department of Homeland Security Cyber Safety Review Board.

In one case, Lapsus$ used their unauthorized access to a telco provider to try to compromise mobile phone accounts connected to FBI and Department of Defense personnel.

The attempt was unsuccessful due to extra security implemented for those accounts.

During the research, CSRB’s findings, the group paid as much as $20,000 per week to access a telecommunications provider’s platform and perform SIM swaps.

Although the FBI was not aware of Lapsus$ selling the data they stole or found evidence of victims paying ransoms to the group, CSRB says that some security experts “observed Lapsus$ extorting organizations with some paying ransoms.”

According to CSRB’s findings the group also exploited unpatched vulnerabilities in Microsoft Active Directory to increase their privileges on the victim network.

It is estimated that Lapsus$ leveraged Active Directory security issues in up to 60% of their attacks, showing that members of the group had the technical skills to move inside a network.

While Lapsus$ was characterized by effectiveness, speed, creativity, and boldness, the group was not always successful in its attacks. It failed in environments that implemented application or token-based multi-factor authentication (MFA).

Also, robust network intrusion detection systems and flagging suspicious account activity prevented Lapsus$ attacks. Where incident response procedures were followed, the impact was “significantly mitigated,” CSRB says in the report.

Despite security researchers and experts decrying for years the use of SMS-based authentication as insecure, DHS’ Cyber Safety Review Board highlights that “most organizations were not prepared to prevent” the attacks from Lapsus$ or other groups employing similar tactics.

The Board’s recommendations to prevent other actors from gaining unauthorized access to an internal network include:

Lapsus$ fell silent since September 2022, likely due to law enforcement investigations that led to the arrests of several members of the group.

In March last year, the City of London Police announced the arrest of seven individuals linked to Lapsus$. A few days later, on April 1, two more were apprehended, a 16-year-old and a 17-year-old.

In October, during Operation Dark Cloud, the Brazilian Federal Police arrested an individual suspected to be part of the Lapsus$ extortion group, for breaching the systems of the country’s Ministry of Health.