Good day, folks! It’s been more of the same for security practitioners around the world: ransoms, leaks, and vulnerability announcements continue to climb. That said, some interesting news hit this week, with mixed results for cyber crime outfits. Let’s talk about ALPHV and Scattered Spider and look at some good guidance on MFA. We’ll also take a look at the other fun developments.

Ransomware dynamics continually in flux

Cyber crime giveth, cyber crime taketh away! Spanish police arrested Tyler Buchanan, a Scottish SIM-swapper. As one of the alleged ring leaders of Scattered Spider, he’s a popular guy. Scattered Spider has been in the news a ton lately, taking ransoms from over 130 organizations in the past couple of years, notably MGM and Caesars casinos, LastPass, DoorDash, and many more.

Scattered Spider’s background in SIM-swapping is particularly troublesome, as it prepares them well to tackle enterprises. SIM-swapping involves fooling the phone company into moving your number to a hacker-controlled SIM card. Cell companies need more than the request; they want personal information to help verify you are the rightful owner. SIM swappers are adept at digging that information up, certainly through information stolen in other breaches, but more commonly we do it to ourselves: they simply comb through the details we over-share on social media.

Scattered Spider applies these same techniques to social-engineering-focused attacks like those on MGM and Caesars. They do their homework, find weak spots in the process, and confidently pose as someone who belongs in the environment. While law enforcement has arrested Tyler and other collaborators, more are on the loose. And it appears as though this is a very competitive underground, with rivals competing for breaches and even ordering Violence-as-a-Service against each other. Nice people!

The “how’d they do that?” piece

Meanwhile, ALPHV Group’s more recent TTPs get a very thorough write-up in The DFIR Report’s latest piece on their IcedID campaign. In one of the most elaborate operations they have plotted out in ATT&CK terms, The DFIR Report folks conducted a master-class in understanding how ALPHV ran this op, which also offers a lot of insight into how we can stop them. Keep in mind, ALPHV supposedly exited the business after orchestrating both the breach of Change Healthcare and an ‘exit scam’ that saw them hosing their accomplices, but we can learn a lot from this operation and should certainly expect ALPHV to resurface after reinventing themselves.

MFA-related help

I think we’re all learning that not all MFA is created (or configured) equal. Even Duo, an advanced and capable MFA offering, requires proper configuration to ensure it is delivering phish-resistant and resilient multi-factor authentication. Scattered Spider and many other groups are leveraging phishing in all of its variations (voice, email, text, etc.) to bypass improperly configured or overly lax MFA processes. Cisco’s Talos released a very informative piece that goes a long way toward helping us understand where all of these bypasses come from. Most importantly, they offer guidance on how and where to implement MFA for best results, in a vendor-agnostic way.

This week in AI

As we race to both harness and counter AI in so many aspects of technology, AI’s propensity to hallucinate and susceptibility to poisoning are getting a lot of attention. One thing I hadn’t counted on, but find both funny and frightening, is that some of these systems may simply be full of it. Wired’s report “Perplexity is a Bullshit Machine” makes a good case not just for putting guardrails on the tech, but also for demanding ethics from the companies and developers who unleash it on us.

I think this is a good cautionary tale for security vendors and practitioners. Pay attention to how the vendors in your security ecosystem protect their AI from malicious influence. Take note of how they mitigate hallucinations. And ensure they are ethical. You’d hate to have an AI engine ignore important aspects of your environment or make recommendations based purely on bullshit.

Things I am keeping an eye on

  • T-Mobile is denying claims that they were breached recently, despite IntelBroker claiming to have source code to post. A service provider T-Mobile uses may have been hacked, which could explain the big uptick in breaches claimed by IntelBroker in recent weeks (Europol, AMD, Apple, and more). There may be some links to Confluence products, but that is not yet confirmed. Odds are, however, that IntelBroker focuses on service providers to their victims, not the victim environments themselves.
  • Another week, another cryptocurrency exchange hitting major bumps. Kraken is blaming a security researcher for the loss of $3M in digital assets, claiming that they are refusing to return the funds after exploiting an “extremely critical” 0-day flaw while participating in a bug bounty. It seems the researcher shared the flaw with two other folks who used it to make off with the loot.
  • The NSO Group, an Israeli firm that for years denied its Pegasus spyware was being abused, has finally caved in legal proceedings brought by WhatsApp. It turns out Citizen Lab and others were spot on: Pegasus is used all over, and targets include government and military officials. Even worse, NSO seems to let almost anyone willing to pay enough use this stuff.
  • CISA has released some great new guidance in concert with several partner organizations to help us improve network access security. With the glut of VPN-related hacks and CVEs, this is very welcome and informative.
  • The French government appears to be serious about purchasing Atos’ cybersecurity division, in an effort to improve their national security posture and to salvage the financially struggling company’s most vital division. This seems weird at first, but I think it is bold and may offer some good lessons for the rest of the Western world. Russia and China are certainly not new to this sort of arrangement.

Good Reads

I’m going to cheat here. I am still reading Children of Ash and Elm, my history of the Vikings, and it is really insightful. I had no idea that the “Viking Age” was most likely precipitated by a series of massive volcanic eruptions in El Salvador and elsewhere (~536-546 AD) that triggered a 3-year winter and obscured the stars for decades.

I am also revisiting one of the best podcasts out there, Hardcore History by Dan Carlin. Episodes come out only once every few months, but there is no better storyteller out there. His most recent episode on Alexander the Great is phenomenal, especially the background on Philip II (his father) and Olympias (his mother). That would have been an ‘interesting’ family dynamic for sure.

Conclusion

I hope this was a helpful update. Next week I plan to focus more on a recent threat actor rather than on a massive spread of news, so we’ll see how that goes. Have a great week, folks!