#PSA I want to talk about a #cybersecurity vector that I hardly ever see discussed here or much anywhere else and that is #bribery for paid access.
Outside of ransomware groups offering insiders ransom payment cuts to insiders, there is hardly any discussion of this topic.
Outside of ransomware groups offering insiders ransom payment cuts to insiders, there is hardly any discussion of this topic.
I have encountered a real world incident where an individual was approached by another individual to perform a malicious action equivalent to corporate espionage.
The figure offered the individual a 6 digit offer in order to perform this action
The figure offered the individual a 6 digit offer in order to perform this action
The action would have allowed a 3rd party to access material and content that eventually would have been sold or used for financial gain.
The 3rd party was a valid company used by many other companies as an integration solution technology primarily cloud, containers, and APIs
The 3rd party was a valid company used by many other companies as an integration solution technology primarily cloud, containers, and APIs
The group that coordinates the attack showed evidence of this action before:
They explained how to handle communication with IT or other teams if discovered
The attack itself could very easily been passed off as accidental permission issues
They explained how to handle communication with IT or other teams if discovered
The attack itself could very easily been passed off as accidental permission issues
They even gave the employee instructions to fix the issue after 72 hours and to self report the mistake
So here are some takeaways from this event:
Attackers are in your 3rd party (direct access, planted malicious insider or compromised devices)
They can afford 6 digit+ bribes
So here are some takeaways from this event:
Attackers are in your 3rd party (direct access, planted malicious insider or compromised devices)
They can afford 6 digit+ bribes
Attackers have done this before and they are very familiar with IT investigations, cloud and API permissions and business processes
They are monitoring your users and know when moments of opportunity allow them to make these offers.
This
They are monitoring your users and know when moments of opportunity allow them to make these offers.
This
This attacker initiated their communication over telegram, and a member of a users group for over 6 months while befriending them
This easily could have been a blackmail driven even as well, just not applicable to this targets current status
Payment was offered in crypto
This easily could have been a blackmail driven even as well, just not applicable to this targets current status
Payment was offered in crypto
Some advice i have taken with this is to investigate every incident even self reported incidents and to not mark off accidental access mistakes so easily.
Identifying access controls to areas of opportunity like this and ensure they require multiple individuals to approve change
Identifying access controls to areas of opportunity like this and ensure they require multiple individuals to approve change
A recent example of these level attacks was the Tesla bribe incident which I thought was quite under reported
google.com/amp/s/www.bbc.…
This was a 1m bribe for a USB implant leading to a ransomware event.
google.com/amp/s/www.bbc.…
This was a 1m bribe for a USB implant leading to a ransomware event.
And to further clarify, this event did not occur at my current employer, but I was called in to advise, help investigate and analyze the incident.
The target company was in the tech sector and was not a publicly traded company, but these tactics were still used.
The target company was in the tech sector and was not a publicly traded company, but these tactics were still used.
The attacker also suggested that the target could to leak access to certain elements via "sneaking in code comments", or by accidentally changing code access in the repo.
The targeted employee was not in a position for these to be viable, but it should be noted
The targeted employee was not in a position for these to be viable, but it should be noted
The code comment dead drop option was interesting because the attackers absolutely did not want any further direct contact after the bribe offer.
"Put the key in code comments as several values across code base"
Prob could have just accidentally leaked the whole api key tbh
"Put the key in code comments as several values across code base"
Prob could have just accidentally leaked the whole api key tbh
• • •
Missing some Tweet in this thread? You can try to
force a refresh
