Threats Without Borders - Issue 166
Cybercrime Investigation Newsletter, Week ending January 21, 2024
The week’s major news is that Microsoft has confirmed they were hacked by a "Nation State." The attack was carried out through a password spray technique, which allowed the hackers to enter a legacy non-production test account. They then used this account’s permissions to access a few Microsoft employee email accounts, including those of senior leadership and cybersecurity teams. A password spray attack is a type of brute-force attack that relies on the predictability of weak passwords to gain unauthorized access.
In a password spray attack, the attacker takes a short list of commonly used, easily guessable passwords and tries each one against many accounts. This is the reverse of a traditional brute-force attack, which focuses on a single account and runs through a long list of passwords.
The key advantage of a password spray is that it is hard to notice. Rather than rapidly firing many passwords at one account, the attacker tries one password across all of the accounts, waits, and then tries the next one. No single account accumulates enough failures to trip the lockout threshold, and because the pace is slow the attempts blend into the normal background of failed logins, so the activity can go undetected for days, months, or even years.
The attacks are time-consuming (deliberately so, since the slow pace is what keeps them under the lockout policy) but otherwise dead simple:
1. Create a long list of usernames that are associated with the target organization.
2. Develop a password list that is customized for the specific organization, including common and easily guessable passwords.
3. Identify the login endpoint the attacker wants to hit, such as a webmail portal, a VPN gateway, or the sign-in page of a cloud identity provider.
4. Utilize a password spray tool to test each selected password across the full list of usernames, pacing the attempts so no account crosses the lockout threshold.
Here are two fundamental strategies that can help defend against password spray attacks:
1. Utilize Strong and Unique Passwords: Encourage users to create passwords that are long, unique, and not easily guessable. Avoid commonly used passwords such as “ABC123” or “Password1.” Password policies that enforce length and screen new passwords against lists of known-weak and breached passwords do more against spraying than complexity rules and forced periodic changes, which mostly produce the predictable “Winter2024!” variants that spray lists are built from.
2. Enable multi-factor authentication (MFA): Multi-factor authentication adds an extra layer of security by requiring users to provide additional verification beyond just a password. Even if an attacker guesses a password, they still need to get past the second factor. The kind of second factor matters: a code sent by text message can be intercepted through a SIM swap (see the SEC item below), so an authenticator app or a hardware security key is the stronger choice.
Wow, they look familiar. Right?
Password spray attacks work because somewhere in a large organization someone is using a weak, easily guessable password. Using strong passwords and enabling multi-factor authentication will significantly reduce your risk.
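To put the four attack steps and the lockout point above into something you can run, here is an added example of my own (it is not code from the newsletter, from Microsoft, or from the incident write-up): a toy identity provider with an assumed policy of five failures within 30 minutes locking an account, a brute forcer and a sprayer run against the same constructed 20-account directory with the same six-password list, and a detector that finds the spray in the resulting auth log. Every username, IP address, password, and policy number below is made up for illustration.

```python
"""Toy model of password spraying versus a per-account lockout policy, with a
log-based spray detector. The directory, lockout numbers, usernames, IPs and
password lists are all constructed for this example; none of it comes from a
real tenant or from the Microsoft incident."""

from collections import defaultdict

LOCKOUT_THRESHOLD = 5      # failures inside the window before an account locks (assumed policy)
LOCKOUT_WINDOW = 30 * 60   # seconds; older failures stop counting (assumed policy)


class Directory:
    """Stand-in identity provider: checks a password and enforces the lockout policy."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked = set()
        self.log = []                       # (ts, source_ip, user, outcome)

    def login(self, ts, source_ip, user, password):
        if user in self.locked:
            outcome = "locked"
        elif self.passwords.get(user) == password:
            outcome = "success"
        else:
            recent = [t for t in self.failures[user] if ts - t < LOCKOUT_WINDOW]
            recent.append(ts)
            self.failures[user] = recent
            if len(recent) >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
            outcome = "failure"
        self.log.append((ts, source_ip, user, outcome))
        return outcome


def brute_force(idp, source_ip, user, candidates):
    """Classic brute force: every candidate against one account, back to back."""
    for ts, pw in enumerate(candidates):
        if idp.login(ts, source_ip, user, pw) == "success":
            return pw
    return None


def password_spray(idp, source_ip, users, candidates, pause):
    """Spray: one password across every account, then wait `pause` seconds before
    the next password. With pause >= LOCKOUT_WINDOW no account ever has more than
    one failure inside the window, so the lockout counter never fires."""
    found, ts = {}, 0
    for pw in candidates:
        for user in users:
            if user in found:
                continue
            if idp.login(ts, source_ip, user, pw) == "success":
                found[user] = pw
            ts += 1
        ts += pause
    return found


def detect_spray(log, min_accounts=8):
    """Spray signature in the auth log: one source failing against many distinct
    accounts. A brute forcer hits one account and is caught by the lockout instead."""
    per_source = defaultdict(lambda: {"accounts": set(), "first": None, "last": None})
    for ts, ip, user, outcome in log:
        if outcome != "failure":
            continue
        entry = per_source[ip]
        entry["accounts"].add(user)
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return {
        ip: {"accounts": len(e["accounts"]), "span_seconds": e["last"] - e["first"]}
        for ip, e in per_source.items()
        if len(e["accounts"]) >= min_accounts
    }


# Constructed sample directory: 20 accounts, two of them with sprayable passwords.
USERS = {f"user{i:02d}": "correct-horse-battery-staple-9" for i in range(1, 21)}
USERS["user07"] = "Password1"
USERS["user15"] = "Winter2024!"
CANDIDATES = ["Summer2023!", "Welcome1", "Letmein1", "Qwerty12", "Winter2024!", "Password1"]


def run_demo():
    bf = Directory(USERS)
    bf_result = brute_force(bf, "203.0.113.5", "user07", CANDIDATES)
    sp = Directory(USERS)
    sp_found = password_spray(sp, "198.51.100.7", sorted(USERS), CANDIDATES, pause=LOCKOUT_WINDOW)
    return {
        "brute_force_result": bf_result,          # None: user07 locks on the 5th failure
        "brute_force_locked": sorted(bf.locked),  # ['user07']
        "spray_found": sp_found,                  # user15 and user07 recovered
        "spray_locked": sorted(sp.locked),        # [] : no lockout ever fired
        "flagged_sources": detect_spray(sp.log + bf.log),  # only the spraying IP
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The brute forcer locks the one account it targets before it reaches the right password; the paced sprayer recovers two accounts and locks none, because with a pause of at least the lockout window no account ever holds more than one failure inside that window. Drop the pause and the same six-password list trips the threshold on every account that survives the first five rounds. The detector keys on the one thing a sprayer cannot hide, failures spread across many distinct accounts from a single source, which is the grouping a SIEM rule for this should use (by source address and, for cloud sign-in logs, by user agent as well, since real sprays rotate source IPs).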
Some News…
The new National Cyber Director plans to eliminate the four-year college degree requirement to alleviate the cybersecurity talent shortage. That’s nice, but the problem isn’t the degree requirement. It’s all of the other bs that HR and hiring managers write into the job advertisements. Entry-level jobs that require three years of experience. So-called “hybrid” positions that require four days per week in the office, in New York City. My favorites are the “mid-level” positions that require the applicant to have experience in every cyber discipline, from Forensics to Incident Response to Threat Intelligence to Reverse Engineering, with a CISSP and seven years of managing people. https://news.clearancejobs.com/2024/01/18/national-cyber-director-wants-to-address-cybersecurity-talent-shortage-by-removing-degree-requirement/
A Pennsylvania man socially engineered a woman into giving him access to her Snapchat account. He admitted to using an app that allowed him to send text messages to victims while posing as a Snapchat representative. He then downloaded and sold the victims’ explicit images. https://www.justice.gov/usao-mdpa/pr/pottsville-man-sentenced-18-months-imprisonment-hacking-snapchat-accounts-dozens
Scammers contact owners who have posted about their missing animals online and claim to have found the pet. They then demand ransom money for the pet's return. It's too bad they don’t actually have the pet. Double victimization - your loved pet is gone, and so is your money! https://www.bitdefender.com/blog/hotforsecurity/heartless-scammers-prey-on-hundreds-of-lost-pet-owners-demanding-ransoms-or-else/
The Securities and Exchange Commission (SEC) released an updated statement concerning the takeover of their X account: Yes, it resulted from a SIM Swap Attack, and Yes, they failed to have multi-factor authentication enabled for the account. Do they need to file an 8-K? https://www.sec.gov/secgov-x-account
In this social engineering scheme, threat actors call hospital IT help desks pretending to be employees and request password resets, reciting stolen personal information to pass identity verification. The goal is to enroll a new device to receive the multifactor authentication codes, take over billing employees’ email accounts, and divert legitimate payments to fraudulent bank accounts. Note that this is an MFA bypass that never touches the second factor itself; it attacks the reset and re-enrollment process instead. https://www.bankinfosecurity.com/aha-rise-in-scams-targeting-help-desks-for-payment-fraud-a-24133?&web_view=true
Apple iOS 17.3 is available and contains the new Stolen Device Protection feature. The feature decides whether the phone is at a familiar place such as home or work, so it depends on Location Services and Significant Locations being turned on; be prepared to leave them enabled. https://support.apple.com/en-us/HT212510
J.P. Morgan Chase Bank now has 62,000 technologists, many of them working on cybersecurity and cybercrime prevention. Oh, and a technology budget of 15 BILLION dollars a year behind them. Holy Moly. https://www.cnn.com/2024/01/17/investing/jpmorgan-fights-off-45-billion-hacking-attempts-each-day/index.html
Last Minute Entry - Breaking News
loanDepot reports a ransomware breach that exposed the sensitive personal data of 16.6 million customers. https://techcrunch.com/2024/01/22/loandepot-millions-sensitive-personal-data-ransomware/
Cool Job
Director of Information Security - Milton Hershey School. (Great organization, awesome people) https://mhs.taleo.net/careersection/m_ex/jobdetail.ftl?job=44923
Cool Tool
Search the Internet Archive for images - Go Way Back. https://rootabout.com/
Irrelevant
The history of Jello. Coffee flavored - I’ll pass. https://www.midcenturymenu.com/the-timeline-of-jell-o-flavors-from-1897-to-1999/
Welcome new subscribers!
What’s with the name? The first 24 issues of the newsletter were published under the generic name “Matt’s Newsletter.” But one night, while enjoying a well-crafted Old Fashioned, the phrase “Threats Without Borders” came to me as an apt description for cybercrime. The Internet allows criminal threat actors to victimize others anywhere in the world, regardless of physical location or geo-political nationality. Your country’s physical border is benign and irrelevant!
Thank you for reading another issue. I’ll see you next Tuesday!
Matt
“A GOOD PLAN VIOLENTLY EXECUTED NOW IS BETTER THAN A PERFECT PLAN EXECUTED NEXT WEEK”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.