State of Cybercrime

The Storm-0558 Rages On

Episode Summary

The Storm-0558 incident has proven to be even more widespread than initially reported. While Microsoft originally stated that only Outlook.com and Exchange Online were affected, Wiz Research has discovered that the compromised signing key may have allowed the cybercriminal group to forge access tokens for SharePoint, Teams, OneDrive, and every other app that supports logging in with Microsoft credentials. Watch our team of experts during this State of Cybercrime episode as they assess the reach of this incident and explain what you should do to make sure you are safe and secure.

Episode Transcription

[00:00:00]

David Gibson: Hey Matt, how's it going? 

Matt Radolec: Hello there, David and hello to our audience. I'm doing great. How are you? 

David Gibson: I'm doing good. 

Hey, if you hear echo anywhere, let me know. We're doing it from the New York office today, so hopefully my noise canceling headphones work.

Matt Radolec: While everybody's checking in and letting us know where they're from before we get started today, I wanted to do a special shout out to our producers.

Haley, Frank and Megan. I know that you guys are traveling this week with David. [00:01:00] And me and the audience, we sure do appreciate you guys helping us make this episode possible today. 

And I think, the topic kind of speaks for itself, right? The storm rages on. So I wonder, David, if that means we're gonna talk about Storm again. 

David Gibson: Nah.

Matt Radolec: We'll go through our normal segments today. One of them will be, is there any good news? And I'll tell you all about that in a second. We'll jump on the highway to the danger zone, probably talk about Storm just to warn you.

Then we'll talk about some vulnerable vulnerabilities, and we always save time at the end for Q&A, so please feel free to use the chat or the Q&A. We love interacting with you, our audience. You guys are what makes the show possible, so we really appreciate it. So let's crack straight into it.

In our first segment, we always like to cover some good news in cybersecurity. There is often a lot of doom and gloom. Just this rainy picture, this very stormy picture of how the world of cybersecurity is. But we do have some good news to share. First and foremost is I think The Justice Department, safe to say, is catching up with the crypto times and making sure that age old saying, if you do the crime you're gonna do the time [00:02:00] applies to cryptocurrency related crimes as well.

NCET, or the National Cryptocurrency Enforcement Team, will become a permanent part of the criminal justice and investigative arm of the Department of Justice. Acting director, and if anybody knows how to pronounce this and I get it wrong, let me know, Claudia Quiroz, pretty good, takes over for Eun Young Choi, who was recently transferred to another role. Notable takedowns, if you probably haven't heard of NCET yet, include the charges against the founder of Bitzlato and the investigations into the activities occurring at Binance.

I, for one, am rooting for NCET. I kind of like saying the full national cryptocurrency enforcement team 'cause it sounds fancy. Although, you know, I wonder if it's just another department inside the Department of Justice that's gonna have their own SWAT team. But I guess time will tell and we'll find out.

David Gibson: Yeah. And if you recognize this reference to the TV show that was from the late 1800s, please chat it in there. That's my job, to put in references that no one will understand. Yeah.

Matt Radolec: David, I do think [00:03:00] sometimes your people are out there and they do get it. Oh.

Look, we got two, Megan and John, that recognize this from Dragnet. I did not, by the way. So as our producers were going through the run of show for today, I said, what's this? Is it James Bond? Is it a Bond that I don't recognize? But it looks like a couple of people do get the reference there.

David Gibson: But I get to say, just the facts, Matt.

Matt Radolec: So is that something from the show? 

David Gibson: Yeah. 

Matt Radolec: Okay, I got it. I got it. Just the facts. Give us just the facts here in the danger zone, David, what's going on in the banking sector? 

David Gibson: What is going on in the banking sector? This is, I think one of the first open source supply chain attacks.

At least that's what they're saying. There was some malicious code that the attackers went to some pretty good lengths to actually get this code injected and downloaded into the bank. They basically wrote some software for some banking software or for the banking application and uploaded it to NPM.

And then they created a LinkedIn profile that made it look [00:04:00] like they were an employee at the bank. And then the bank actually downloaded the malware, right? So they basically thought this malware was their code and downloaded it, if I'm understanding it correctly. And then the code was actually pretty clever too.

The first code basically said, okay, what host am I running on? What domain am I running on? And then went out through Azure CDN, which bypassed some of the, basically, it went on the allow list and downloaded the second stage payload, which contained Havoc.

And that, of course, is a remote shell, right? And then started to do its damage right through that C2 package there. If I had that right.

Really, it's a supply chain attack, but it's piggybacking on some open source software that the bank thought was written by somebody that was not a hacker.

This is something to watch out for where a lot of people use open source software and adaptations of it for a lot of things. 

Matt Radolec: So I wonder if the lesson here is that even these [00:05:00] pseudo trusted sources of code or information, you still gotta trust the person it's coming from, you gotta still make sure they're an authorized person.

'cause this kind of fraudulent employee, there's a layer of sophistication here that we haven't seen in other supply chain attacks, or at least where the details haven't come out yet. 

David Gibson: Yeah, I think it talks to signing code and we're gonna talk a little bit about signatures, right? Coming up with Storm as well.

Matt Radolec: It also makes me wonder, I wonder how many people in our audience, and just curious, you guys wanna chat in if this applies to you, have actually identified a fraudulent LinkedIn profile getting connections at your company. 'cause I've definitely done that.

David Gibson: Yeah. 

Matt Radolec: I've seen those fraudulent LinkedIn profiles come across and I'm like, who is this person?

And I go and I look 'em up in Outlook and they don't exist. And I usually report that to the SOC team, but I wonder if people are aware of that as a social engineering method, or maybe we need to do a better job in industry at raising awareness to not just accept people that look like they work for your company, but maybe do a little bit of due diligence, like, do they actually work there?

David Gibson: Yeah. And I'm not even sure that they [00:06:00] would've needed to make a ton of connections, but it certainly would've helped if they had a couple of connections too. 

Matt Radolec: Take it a step further, and we'll talk more about Microsoft and their responsibilities later, especially when we talk about Storm. Should LinkedIn actually be like, to say you work at a company, should you have to click on a link from your corporate email address to prove you work there, to be able to actually even get a page that says you work there? That's a feature request if we've got any LinkedIn folks out there.

David Gibson: Yeah. I mean if we're using it to authenticate an identity, it does make sense. There should be a couple of hoops to go through. 

Matt Radolec: So I think you know, we can't not talk about MoveIt, right?

I know the Storm is the big news here, but at least publicly known, over 400 victims, and it's estimated by Coveware, they're a company that specializes in ransomware recovery, that Clop's gonna earn around a hundred million dollars from this supply chain attack.

Now, I think it's also interesting that they're reporting that only about one in three companies are actually [00:07:00] paying for the ransom.

But that means this is still big business, right? If they're getting a one in three success rate and still having the opportunity to make a hundred million dollars, I think that this is just a sign we're gonna see more and more supply chain attacks that are either found by someone and sold to ransomware gangs, which is a little bit of a theory that I have here, or the ransomware gangs are hiring security researchers and finding these things themselves because the efficacy level, the effectiveness of these types of attacks is super clear. 

And I think, just to talk again about like social engineering and the sophistication of it, Clop is even getting into a little bit of the branding and the kind of advertising media company like approach that we saw with things like Darkside and the BlackMatter ransomware groups where they're advertising these fake sites that are clearly fraudulent, where they're advertising the data that was stolen from their clients. 

And so I think, there is a little bit of good news. There's just like this beacon of light that shines from this though, and that is that MoveIt had way more customers than 400. 

So a good number of organizations did rapidly either take the appliances down, [00:08:00] apply mitigations, or fix their systems, or put detective or compensating controls in place. So there is a little bit of good news here. But all these other companies losing a hundred million dollars, it's pretty damning.

David Gibson: Yeah, definitely. It looks like the ransom amount for people that do pay is actually getting higher. So they're potentially going up market in terms of their victims.

Matt Radolec: I think it's also clear, this stuff's not just on the dark web anymore. Bleeping Computer reported that data on the leaks are now actually available on the open internet.

And I think that's definitely also a shift, right? You're not just saying hackers, come look at this. You gotta have an onion browser. You're saying anyone on the internet come peruse through this data. 

We also saw this tactic used by the ALPHV ransomware group. Now, I'm not sure if that means that there's a connection there or they're just taking the best of and reusing what works.

But this is that tactic that David and I often talk about, that double and triple extortion. Instead of just saying we're not gonna give you the decryptor, or we're going to unleash the ransomware and encrypt files, they're also threatening we're gonna put it in the public domain [00:09:00] if you don't pay us.

Just to add another layer to what is that classic ransomware attack, it has also become a bit of an extortionware or an extortion type attack as well.

David Gibson: Yeah, I think if it's searchable, there's a shaming effect. And if the people that have been victimized have clients whose data is in the package that was exfiltrated, I think they might be getting external pressure to pay for that as well. So that might be a component there, that they're trying to add some pressure there.

Matt Radolec: Now David, I know that you are like super pumped up to talk about whatever has happened, a Storm about Storm. 

And I want you to explain it to our audience, but I think the core thing here is, on one side of the fence we've got Microsoft saying, we understand what happened and it's this. On the other side of the fence, we've got security researchers from Wiz saying something different.

Can you walk this through for our audience? 

David Gibson: Yeah, Microsoft talked about the breach of email and we talked about this last time [00:10:00] and since we spoke last time Wiz came out and said, Hey, this breach looks like it was bigger. That it was more than just email that was potentially compromised.

And I actually was curious about this, because if you log into Outlook Web Access, you can see SharePoint Online. You can see OneDrive, and it's, wait a minute, you can't use the same token to access all that stuff. It looks like it's more than just email, but that isn't quite true.

Go ahead. 

Matt Radolec: I know that we looked into that with our research team, but it also brings up the question for me, are you using that token? Are you getting another token? That's what's unclear to me. Are you only using this one forged token? Or once you use that forged token to sign in, are you getting a token from Microsoft, legitimately or illegitimately crafted, but legitimate and separate from this forged token that is your single sign-on token?

I think this is the part that's really unclear to me. That maybe this is where Wiz, the angle that Wiz is taking, is because you see Microsoft come out and say these are [00:11:00] hypothetical attack scenarios, but not things that we've observed exploited right now.

David Gibson: Yeah. 

Matt Radolec: But they're also not saying, they're also not things that we've confirmed haven't happened.

Like they're not saying that we've combed through everything. We know this didn't happen. They're just saying we haven't seen that this actually did happen, but it could be possible.

David Gibson: Yeah, that statement never gives me confidence, "we haven't observed this." It's sort of, hey, the absence of evidence is just not the evidence of absence.

It's not the same thing. And when people say, we haven't seen that before, it reminds me of the black swan. People believe it doesn't exist.

The good news is, at least in their public statements, is they did, when they started investigating the breach, assume that the actor was able to get further, and then over the course of their investigation, they said, okay, no, it looks like it's just Exchange Online.

But it, again, when people don't conclusively say it would not be possible to use these tokens to access other things, [00:12:00] then it does leave room for doubt. 

Matt Radolec: And is this like one of these things we're gonna talk about 10 more times? Are we just like the tip of the iceberg outside of the water? 

The other thing that this brings up for me is the shared responsibility model. 'cause on one hand I think it is an obligation. A company like ours, we publish research all the time. A company like Wiz makes research, makes these claims, right?

It's our job to challenge the status quo of is the security we're getting from these like giants, is it good enough? Is it even good? 

David Gibson: Yeah. 

Matt Radolec: On the other hand though, like, we put a lot of trust into Microsoft. They haven't really, like, led us astray. I mean, obviously they create the vulnerabilities, they create the products, but then they also kinda, the vulnerabilities are inherited in them, but then they'll usually patch them and pitch 'em.

Like, I have some empathy for them too, but it's in their interest to say, oh no, we don't know. And it's in Wiz's best interest to say, yeah, but maybe. And so where is truth? This is what's leaving me perplexed.

David Gibson: Yeah, well, I think this clearly would not be in the realm of any customer's responsibility to really manage the key signing process there.

I don't think any, correct me if I'm [00:13:00] wrong, but I don't think there's any way that anybody could have mitigated this on their own. And in terms of the detective aspects, yes, if you had the logging, and it was robust enough, maybe you would be able to see some of this unusual activity.

But a lot of people didn't even have access to the logging there, but it 

Matt Radolec: No, and Marcel makes a good point, right? Give us the logs. Yeah. Finally they're coming out and saying they're gonna give everybody the logs that the E5 customers could have leveraged here.

David Gibson: It's just, who's watching the watchmen, really. If there is a failure from your provider and you can't really even detect unusual access or detect the failure on your own, it is a tough thing to swallow from a shared responsibility model.

Matt Radolec: And Charles, from our chat, I just wanted to share this, David.

He believes this is the tip of the iceberg, and that token and API security will dominate headlines in the near future because it's still the wild west. A lot of traffic over the internet is token based authentication, and it's not a place that a lot of people have explored to secure. And I'll say maybe not even done enough research in.

I think that's the lesson learned here, is that [00:14:00] security researchers need to shift a little bit of that mind share towards token and token security, and forging and fraudulent tokens and using fraudulent tokens, and the things that we can do to get our arms around that.

David Gibson: Yeah. And right now it looks like the only thing we can do to see if there was any evidence of being affected by this breach is look at some of the network traffic for SoftEther proxy.

Matt Radolec: And I thought you were gonna say ask ChatGPT and I'm glad you didn't. 

David Gibson: No, but the TTPs from Microsoft on their blog gave a list of IP addresses to look out for. And so if you're wondering whether you've been attacked, I don't really see a whole lot more that you can go do at this point. 

Did you read anything else in there that you might be able to 

Matt Radolec: No, I just, I like the comment from Philip that the banking regulators are getting excited about API security, 'cause I think that's where a lot of these things start, right? You get pressure from these large institutions on, hey, our vendors, they gotta do better with this, and it starts to trickle down. Hey, if the banks are [00:15:00] doing that, Philip, if you got some insider information there, thank you.

Like we need more pressure on this. And David I gotta call you out on this one. Okay. Because I'm wondering if you're like masquerading as a cyber criminal here.

On our last episode, you said something about the dangers of ChatGPT and said it's only a matter of time before we've got ChatGPT tools writing phishing emails, and a week later, what are we doing here on the show but talking about a new AI tool called FraudGPT that uses AI to craft phishing emails and social engineering emails. So I gotta say, are you giving people ideas, or is there some kind, do you have a call sign that we don't know about on the show yet?

David Gibson: Last time we talked about WormGPT as another AI use for malware criminals. Maybe they used WormGPT to write FraudGPT. I don't know.

Matt Radolec: Or maybe, here you go, I'm gonna type it in the chat, see what our audience thinks of my new hacker name for you.

Is it D4DH4X? Is it Dad Hacks? Like dad jokes. I'm wondering if this is gonna be your new call sign.

Alright, so we just cracked the [00:16:00] can on the JumpCloud breach last time. What have we learned about that since then?

David Gibson: Yeah, this one, the JumpCloud. I'm so distracted by the dad hacks. This is the

Matt Radolec: I know. I'm sorry. I got the chat going on. You and I distracted you. 

This was the one, this was the cloud authentication broker doing a lot of brokerage for a lot of other cloud companies, had an intrusion.

Looks like all the big names are getting in on it. And there's this theory that it's Lazarus group that's behind it.

David Gibson: Yeah, so the North Korean DPRK group has been, looks like the attacks are from them, all the TTPs match, so some attribution now going to that same group. Which, as we've seen over the years, does a lot of crypto heists and things like that. So perhaps

Matt Radolec: Yeah, I was gonna say, what's the crypto angle here? Maybe JumpCloud would have had to be doing something for a crypto. And this is just like the start of the supply chain attack. 'cause usually it's all crypto they've been going after lately.

David Gibson: I know, it seems like the same playbook, right? Get some way in, whether it's MoveIt or whether it's JumpCloud, and then exploit, run the same playbook, get to [00:17:00] data and then threaten to leak it, right? Or make it unavailable.

So this could be a new case for the national cryptocurrency enforcement team. 

Matt Radolec: I'm sure if they had a hit TV series or a hit web series, like State of Cybercrime, I'm sure they would say we're on the case.

Or what, is there another quote you could do from that show at the beginning that they would've said?

David Gibson: I'm sticking with just the facts, Matt. 

Matt Radolec: All right, so a little surprise ending here. Varonis is gonna be at Black Hat. Including maybe even a guest appearance from David and myself.

Though we wouldn't want to give it away if we were hosting an episode of the show. It's at Black Hat in a couple of weeks.

We'd love to see you there. So we're gonna have a booth. There's gonna be a Capture the Flag hacking game, sponsored by Varonis Threat Labs. We're gonna have our Automation Claw Nation claw machine.

We are gonna host an episode of the show live at 11:00 AM on August 9th. There's gonna be all kinds of cool stuff going on at the booth. And if your company wants to talk to Varonis, members of our executive team, myself and David included, will be there, and we have an [00:18:00] executive meeting room where we can take face-to-face meetings.

That would be really awesome, especially if you wanna talk with us about Varonis. You could also see our field CTO, Brian Vecci, live, giving a presentation on how attackers crack SSO and steal data, mainly targeting cloud secrets and cloud keys. That's on Wednesday the ninth at 3:00 PM, and there's plenty of happy hours and dinners and after party opportunities.

So feel free to check out our website, check out Varonis, click on the Black Hat banner. And we hope to see some of you there.

David Gibson: Yeah, looking forward to it. This will actually be my first Black Hat. 

Matt Radolec: Really?

David Gibson: I haven't been there. Yeah. 

Matt Radolec: I've been a bunch of times, been at DEF CON. I wonder if people in our audience, anybody in the audience, is going.

David Gibson: Yeah, I've always wanted to go to Vegas in August, so 

Matt Radolec: Yeah. I gotta tell you ahead of time, it's hot, and it is like really hot. Yeah. The thing that always gets me though is the humidity. I come from the east coast, like you, it's humid all the time. And sometimes when I'm out there in August, there's [00:19:00] just no water in the air, and I have to do little tricks like have wet towels over the air conditioner just to get some humidity going in the hotel room. Otherwise, I feel like I'm at altitude getting all dried out.

And yeah I think that pretty much wraps it up for us, David. 

Again, I wanna give a special shout out to our producers, Frank and Haley and Megan. And if I'm missing anyone, Frank, please let me know after the show.

Shout out to you, David. And then of course, to our audience, the show's made possible by you. We love being here and getting to talk with you about all things cyber crime.

And so I really just really appreciate you being here with us today. 

David Gibson: Thanks everybody. Thanks so much for joining. And please let us know if you're at Black Hat, and we'll see you next time.