On May 24, 2022, Cisco became aware that it might have been compromised. Since then, the Cisco Security Incident Response Team (CSIRT) and Cisco Talos have been handling analysis and remediation. An employee’s login details were compromised after an attacker gained access to the employee’s personal Google account, from which the credentials saved and synchronized in the browser were extracted. Using voice phishing and a stream of MFA push notifications, the attackers got the employee to accept an attacker-initiated multi-factor authentication prompt, which gave them VPN access into Cisco’s network under the employee’s name. Cisco believes so far that the attacker did not gain access to critical internal systems. The attacker was eventually evicted, but in the weeks that followed made repeated, unsuccessful attempts to regain access. Cisco Talos assesses with moderate to high confidence that the attacker is an initial access broker with ties to the groups UNC2447, Lapsus$ and Yanluowang.
Twilio, an American cloud communications company, confirmed that customer data was compromised after an SMS phishing attack. The attackers posed as Twilio’s IT department via SMS and asked employees to reset their passwords, linking to a lookalike login page made to appear identical to the real one. Cloudflare was targeted by the same type of attack from the same actor. Three Cloudflare employees entered their credentials on the fake page, but the attackers did not gain access to internal systems, because Cloudflare uses FIDO2-compliant hardware security keys for login. Such a key binds each login to the legitimate site’s domain and must be physically present, so credentials and one-time codes captured on a lookalike domain cannot be replayed against the real one.
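The reason the hardware keys held up, as an added, simplified model and not Cloudflare’s or Twilio’s code: the browser only hands the key a request whose relying party ID matches the page’s own domain, and the signed client data carries the origin the browser observed, which the server checks. The signature is modelled here with HMAC-SHA256 over a per-site secret shared by the “key” and the “server”, standing in for the real asymmetric credential; the relying party ID, domains and user are assumed.

```python
"""
Why a FIDO2/WebAuthn hardware key stops a lookalike login page. Added,
simplified model: HMAC over a shared per-site secret stands in for the real
asymmetric credential; RP_ID, the domains and the user are made up.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example"                      # assumed relying party ID
LEGIT_ORIGIN = "https://sso.example"       # real login page
PHISH_ORIGIN = "https://sso-example.com"   # constructed lookalike domain


class HardwareKey:
    """Stand-in for the security key: one credential per relying party."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        secret = secrets.token_bytes(32)
        self._creds[rp_id] = secret
        return secret            # the real protocol hands the server a public key

    def get_assertion(self, rp_id, challenge, origin):
        # clientData carries the origin the browser observed; it is covered by
        # the signature, so the server can see where the ceremony actually ran.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True)
        secret = self._creds.get(rp_id)
        if secret is None:
            return None          # no credential for this site
        digest = hashlib.sha256(client_data.encode()).digest()
        return {"client_data": client_data,
                "signature": hmac.new(secret, digest, hashlib.sha256).digest()}


def browser_get_assertion(key, page_origin, rp_id, challenge):
    """Browser rule: rpId must be the page's host or a registrable suffix of it,
    so a page on a lookalike domain cannot ask the key for the real site's
    credential at all."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    return key.get_assertion(rp_id, challenge, page_origin)


class Server:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.users, self.pending = {}, {}

    def register(self, user, secret):
        self.users[user] = secret

    def start_login(self, user):
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, assertion):
        challenge = self.pending.pop(user, None)    # single use: no replay
        if assertion is None or challenge is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:         # origin binding
            return False
        digest = hashlib.sha256(assertion["client_data"].encode()).digest()
        expected = hmac.new(self.users[user], digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    """Run the legitimate login and three attack variants; return the outcomes."""
    key, server = HardwareKey(), Server(RP_ID, LEGIT_ORIGIN)
    server.register("alice", key.register(RP_ID))

    # 1. Real page: the browser permits the rpId and the server accepts.
    ch = server.start_login("alice")
    legit = server.finish_login("alice", browser_get_assertion(key, LEGIT_ORIGIN, RP_ID, ch))

    # 2. Lookalike page relays a fresh challenge (the Twilio/Cloudflare style
    #    adversary-in-the-middle): the browser refuses to involve the key.
    ch = server.start_login("alice")
    phish_browser = server.finish_login("alice", browser_get_assertion(key, PHISH_ORIGIN, RP_ID, ch))

    # 3. Even if the browser check were bypassed, the signed origin is the
    #    phishing domain and the server rejects the assertion.
    ch = server.start_login("alice")
    phish_origin = server.finish_login("alice", key.get_assertion(RP_ID, ch, PHISH_ORIGIN))

    # 4. A captured assertion cannot be replayed: the challenge was consumed.
    ch = server.start_login("alice")
    good = browser_get_assertion(key, LEGIT_ORIGIN, RP_ID, ch)
    first, replay = server.finish_login("alice", good), server.finish_login("alice", good)

    return {"legit": legit, "phish_browser": phish_browser,
            "phish_origin": phish_origin, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Contrast this with the SMS one-time codes in the Twilio case: a code typed into the lookalike page is just a string the attacker can forward to the real site, because nothing in it records where it was entered.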
The messaging service Signal used Twilio to deliver the SMS verification codes used to register Signal accounts. Through the attack on Twilio, the attacker gained access to 1,900 mobile phone numbers linked to Signal accounts and could re-register those accounts to devices under the attacker’s control. Signal has confirmed that at least one account was re-registered this way, which allowed the actor to send and receive messages as that user from the new device. Message history and contacts are not transferred when a Signal account moves to a new phone, so earlier conversations were not exposed. After the incident, Signal encourages all users to enable Registration Lock on their account: with it enabled, re-registering the number also requires the user’s Signal PIN, so an attacker cannot easily take over the account even if they intercept the registration SMS.
Towards the end of the month, Okta confirmed that it too was among the victims of the attack on Twilio. The Twilio breach exposed the mobile phone numbers and SMS one-time passwords of a number of Okta customers, and this information was used in a larger phishing campaign against Okta users. Researchers tracking the campaign have linked it to data breaches at over 130 organizations worldwide. So far, it does not appear that Norwegian companies have been affected. The actor behind this wave of phishing attacks has been dubbed “0ktapus”; who is behind it is unknown.
At the beginning of August, Twitter confirmed that information on 5.4 million users had been stolen. This came to light after phone numbers and email addresses belonging to various Twitter accounts were put up for sale on “Breach Forums”. The data was collected through a security flaw, reported to Twitter in January, that made it possible to learn which Twitter account a phone number or email address belonged to simply by submitting it to Twitter’s systems. Twitter fixed the flaw when it was reported, but advises people who hold pseudonymous accounts to remove email addresses and phone numbers from them to reduce the future risk of being de-anonymized. Later in the month, Twitter’s former head of security, Peiter “Mudge” Zatko, also went public with claims that Twitter has serious deficiencies in its defenses against cyber attacks and handles spam and fake accounts poorly.
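The class of bug behind the Twitter leak, as an added illustration that is not Twitter’s code: a sign-up or login endpoint that answers differently depending on whether a phone number or email address is already registered, shown next to a hardened version. The accounts, handles, addresses, messages and the rate limit are all constructed for the example.

```python
"""
Account enumeration (vulnerable vs hardened). Added illustration; the
sample accounts, candidate contacts, messages and RATE_LIMIT are constructed.
"""
from collections import defaultdict

# Constructed sample data: contact -> handle. Two of the candidates exist.
ACCOUNTS = {"alice@example.org": "@nightowl_42", "+4799999999": "@bob"}
CANDIDATES = ["alice@example.org", "mallory@example.org",
              "+4799999999", "+4700000000"]

RATE_LIMIT = 5                      # assumed per-source request budget
_requests = defaultdict(int)


def lookup_vulnerable(contact, source_ip="0.0.0.0"):
    """Leaks registration status, and the linked handle, in the response.
    A different status code, message or response time is all an attacker
    needs to tell registered contacts from unregistered ones."""
    if contact in ACCOUNTS:
        return {"status": 400, "error": f"already linked to {ACCOUNTS[contact]}"}
    return {"status": 200, "error": None}


def lookup_hardened(contact, source_ip="0.0.0.0"):
    """Identical response whether or not the contact is registered. The real
    outcome (a confirmation, or a 'someone tried to use your address' notice)
    goes to the contact itself, so only its owner learns anything. A
    per-source rate limit makes bulk probing slower and noisier."""
    _requests[source_ip] += 1
    if _requests[source_ip] > RATE_LIMIT:
        return {"status": 429, "error": "too many requests"}
    return {"status": 200, "error": None}


def harvest(endpoint, candidates, source_ip="203.0.113.5"):
    """Attacker loop: map every contact the endpoint reveals to its handle."""
    found = {}
    for contact in candidates:
        r = endpoint(contact, source_ip=source_ip)
        if r["status"] == 400 and r["error"].startswith("already linked to "):
            found[contact] = r["error"].split()[-1]
    return found


if __name__ == "__main__":
    print("vulnerable:", harvest(lookup_vulnerable, CANDIDATES))
    print("hardened:  ", harvest(lookup_hardened, CANDIDATES))
```

Run against a list of a few million candidate addresses, the vulnerable endpoint yields exactly the kind of contact-to-handle mapping that was offered for sale; against the hardened one the loop finds nothing and trips the rate limit after a handful of requests.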
The US authorities have offered a reward of up to 10 million dollars for information leading to the identification or location of five leading members of Conti. Alongside the bounty, they released a photo of “Target”, one of the leaders. They are also seeking information about the four other individuals, known as “Tramp”, “Dandis”, “Professor” and “Reshaev”, who are now active in several other ransomware groups after Conti was disbanded. The bounty comes from the State Department’s “Rewards for Justice” program, which is known for offering rewards for information about threat actors that affect national security.
In August, the United States sanctioned Tornado Cash, a service (a mixer) for anonymizing cryptocurrency transactions. The service has legitimate privacy uses but is frequently abused for illegal activity such as money laundering. The US Department of the Treasury estimates that Tornado Cash has been used to launder more than USD 7 billion in cryptocurrency since 2019, including funds stolen by the North Korean Lazarus Group. Because Tornado Cash failed to implement satisfactory controls to detect and prevent illegal use, the mixer has now been added to the Treasury’s (OFAC) sanctions list, which prohibits US persons from transacting with it. The GitHub account used to maintain the service’s source code has also been removed, and one of the service’s developers was arrested in the Netherlands and remains in custody.
All 7-Eleven stores in Denmark were affected by a cyber attack on Monday 8 August. The cash registers stopped working, so employees could not accept payments from customers and the stores had to close. It took several days before they gradually began to reopen. 7-Eleven in Denmark is operated by Reitan Convenience Denmark, part of the Reitan group that also owns Rema 1000 in Norway.
In August, TSOC handled 64 serious incidents in connection with the Security Monitoring and Log Analysis services, up from 9 in July. Most of this month’s incidents were caused by adware and browser hijackers: malware that takes control of the browser to serve ads and redirect the user to unwanted pages. Since the summer we have also seen a number of machines infected with malware that mines cryptocurrency.
There were 309 confirmed DDoS attacks this month, up from 198 in July. 161 of the attacks were mitigated. The average attack was 3.64 Gbps and lasted 23 minutes. The largest attack observed in the period was 104 Gbps and lasted 42 minutes. One of TSOC’s business customers subscribing to the DDoS protection service was attacked this month.