Cyber Intelligence Weekly

Cyber Intelligence Weekly (April 24, 2022): Our Take on Three Things You Need to Know

Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.

Before we get started on this week’s CIW, I’d like to highlight a wonderful article by our very own James Stahl, Senior Offensive Security Engineer, who outlines how organizations need to think about changing up their offensive security testing and risk management approaches based on this new breed of threats.


Away we go!

1. T-Mobile Breached Again, This Time by Lapsus$

T-Mobile has been in the news several times over the past few years after falling victim to a string of breaches. This time the intruder was Lapsus$, the group that has gained extraordinary notoriety over the past couple of months through its intrusions at Microsoft, NVIDIA, Okta and several others.


Brian Krebs first reported the incident a couple of days ago, after private Telegram messages exchanged among Lapsus$ members were shared with him. Those messages show how the group got in: it targeted T-Mobile employees, either buying their credentials or social engineering them directly, and it also bought ready-made access from illicit initial access broker markets. T-Mobile has around 75,000 employees, which gives an attacker a very large pool of people to try.

The access Lapsus$ had to internal T-Mobile management systems was valuable because it could enable highly lucrative SIM swapping attacks. In a SIM swap the attacker has the victim’s phone number moved to a SIM the attacker controls, so the victim’s calls and text messages, including one-time passcodes and password-reset codes, are delivered to the attacker instead. While they had that access, Lapsus$ members also dug further into T-Mobile’s systems and reportedly reached the company’s Slack and Bitbucket accounts. According to the Krebs story, they then downloaded more than 30,000 source code repositories from T-Mobile. What they planned to do with all that source code is unknown, but presumably the idea was to use it to extort T-Mobile.
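The reason SIM swapping pays off is that so many services still treat an SMS code as proof of identity. One defensive control, written here as an added example rather than anything T-Mobile or any bank runs, is to correlate a carrier's SIM-change signal with later SMS-based recovery requests and refuse the SMS channel inside a cooldown window. The log format, the 48-hour window and the events are constructed for illustration.

```python
"""
Added example (not from the newsletter or from T-Mobile): correlate SIM-change
events with subsequent account-recovery requests that rely on SMS one-time
codes. All event data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_CHANGE_COOLDOWN = timedelta(hours=48)  # assumed policy window


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "sim_change" | "sms_otp_request" | "password_reset"
    msisdn: str      # phone number the event concerns
    detail: str = ""


def parse_events(lines):
    """Parse constructed 'ts|kind|msisdn|detail' log lines and sort oldest first."""
    events = []
    for line in lines:
        ts, kind, msisdn, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), kind, msisdn, detail))
    return sorted(events, key=lambda e: e.ts)


def last_sim_change_before(events, msisdn, ts):
    """Most recent sim_change for this number at or before ts, or None."""
    candidates = [e for e in events
                  if e.kind == "sim_change" and e.msisdn == msisdn and e.ts <= ts]
    return max(candidates, key=lambda e: e.ts) if candidates else None


def evaluate(events, cooldown=SIM_CHANGE_COOLDOWN):
    """Return (event, verdict, reason) for every SMS-based recovery event.

    'deny_sms' means the service must fall back to a channel the attacker does
    not control after a swap (a known device, a hardware key, an in-person
    check), not simply send the code again.
    """
    findings = []
    for e in events:
        if e.kind not in ("sms_otp_request", "password_reset"):
            continue
        change = last_sim_change_before(events, e.msisdn, e.ts)
        if change is None:
            findings.append((e, "allow", "no SIM change on record"))
            continue
        age = e.ts - change.ts
        if age <= cooldown:
            findings.append((e, "deny_sms",
                             f"SIM changed {age} ago; require non-SMS verification"))
        else:
            findings.append((e, "allow", f"last SIM change {age} ago"))
    return findings


# Constructed sample log: one number swapped minutes before two recovery
# attempts, one swapped ten days earlier, one never swapped.
CONSTRUCTED_LOG = [
    "2022-04-20T09:00:00|sim_change|+15550001111|ICCID replaced via retail store",
    "2022-04-20T09:12:30|sms_otp_request|+15550001111|bank login step-up",
    "2022-04-20T09:14:05|password_reset|+15550001111|email provider via SMS code",
    "2022-04-10T08:00:00|sim_change|+15550002222|customer upgrade",
    "2022-04-20T10:00:00|sms_otp_request|+15550002222|bank login step-up",
    "2022-04-20T11:00:00|sms_otp_request|+15550003333|bank login step-up",
]


def run_demo(lines=CONSTRUCTED_LOG):
    return evaluate(parse_events(lines))


if __name__ == "__main__":
    for ev, verdict, reason in run_demo():
        print(f"{ev.ts.isoformat()} {ev.msisdn} {ev.kind:16} -> {verdict:8} ({reason})")
```

In practice the SIM-change signal comes from the carrier (several carriers expose a "recent SIM change" lookup to banks); the point of the example is that the service consuming the OTP, not the carrier, has to make the decision, and that the right response to a recent swap is a different channel rather than a resend.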

These continued attacks that ride on legitimate insider access, whether that access is bought, phished or socially engineered, are a sign of things to come. Organizations need to shift their thinking on security testing and risk management to account for these avenues of attack, rather than assuming the attacker starts from outside the perimeter.

2. Criminals Abuse Apple Pay in Spending Sprees

In a recent report from Motherboard, Vice outlines how Apple Pay has been widely abused to turn stolen credit card numbers into goods and gift cards with very little friction. To get a stolen card into Apple Pay, the fraudsters use a recently built bot that targets the one thing standing in their way: the verification code the issuing bank sends to the real cardholder when a new card is added to Apple Pay.


These bots reportedly place automated phone calls to victims, posing as the bank, to trick them into reading back the verification code. Once the code is captured, the fraudsters can finish adding the stolen card to Apple Pay on their own device and start spending; once a card is provisioned, the wallet stands in for the physical card at the point of sale, so having the card in hand is never required. According to the article, the scammers use the cards to buy large quantities of gift cards (or GIFFYS, as they call them), which can then be spent on merchandise or sold at a discount on open markets.

Apple conveniently states on its website that it is the card issuer’s responsibility to decide whether a card being added needs additional verification, and that it is the user’s responsibility to watch out for phishing or fraudulent verification requests.
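Since the issuer makes the call on verification, the issuer is also where the OTP-bot problem has to be solved. The following is an added example of what that decision can look like; it is not code from Apple, from any issuer, or from the article, and the signal names, thresholds and sample requests are all assumptions constructed for illustration. The one design point it makes is that when a request does need step-up, the channel chosen should be one a phone call to the victim cannot harvest.

```python
"""
Added example, not code from the newsletter, Apple, or any card issuer: an
issuer-side risk decision for a request to add a card to a mobile wallet.
The three outcomes (approve, verify first, decline) follow the split the
article describes; signal names, thresholds and the sample requests are
assumptions constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class ProvisioningRequest:
    card_last4: str
    device_id: str
    ts: datetime
    device_known: bool        # device already holds a token for this cardholder
    account_age_days: int
    ip_country: str
    billing_country: str
    has_issuer_app: bool      # cardholder can receive an in-app approval prompt


@dataclass
class IssuerState:
    """Per-issuer counters (a datastore in production; in memory here)."""
    cards_per_device: Counter = field(default_factory=Counter)
    devices_per_card: Counter = field(default_factory=Counter)


MAX_DEVICES_PER_CARD = 3   # assumed policy limits
MAX_CARDS_PER_DEVICE = 2


def verification_channel(req):
    """Pick a step-up channel an OTP bot cannot harvest.

    An SMS code the cardholder can be talked into reading back over the phone
    is exactly what the bots collect, so it is never returned here.
    """
    return "issuer_app_approval" if req.has_issuer_app else "issuer_initiated_callback"


def decide(req, state):
    """Return (outcome, reasons, channel) for one provisioning request."""
    state.devices_per_card[req.card_last4] += 1
    state.cards_per_device[req.device_id] += 1

    # Hard limits: velocity patterns no legitimate cardholder produces.
    hard = []
    if state.devices_per_card[req.card_last4] > MAX_DEVICES_PER_CARD:
        hard.append("card requested on too many devices")
    if state.cards_per_device[req.device_id] > MAX_CARDS_PER_DEVICE:
        hard.append("device requesting too many cards")
    if hard:
        return "decline", hard, None

    # Soft signals: plausible for a real cardholder, so verify rather than block.
    soft = []
    if not req.device_known:
        soft.append("unknown device")
    if req.account_age_days < 30:
        soft.append("account younger than 30 days")
    if req.ip_country != req.billing_country:
        soft.append("request country differs from billing country")
    if soft:
        return "verify", soft, verification_channel(req)
    return "approve", [], None


def run_demo():
    """Constructed requests: one legitimate, one suspicious, one device farming cards."""
    state = IssuerState()
    t = datetime(2022, 4, 20, 12, 0)
    reqs = [
        ProvisioningRequest("1111", "dev-A", t, True, 900, "US", "US", True),
        ProvisioningRequest("2222", "dev-B", t, False, 400, "GB", "US", False),
        ProvisioningRequest("3333", "dev-C", t, False, 5, "US", "US", True),
        ProvisioningRequest("4444", "dev-C", t, False, 5, "US", "US", True),
        ProvisioningRequest("5555", "dev-C", t, False, 5, "US", "US", True),
    ]
    return [decide(r, state) for r in reqs]


if __name__ == "__main__":
    for outcome, reasons, channel in run_demo():
        print(outcome, reasons, channel)
```

The velocity counters catch the spending-spree pattern the article describes (one attacker device loading card after card), while the soft signals route the ordinary suspicious case to a verification the attacker has to defeat on the issuer's terms rather than the victim's.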

This is a classic case of the tradeoff between a frictionless user experience and fraud prevention. Removing friction benefits the many, while the resulting fraud falls hard on a smaller minority. It seems to me that Apple, and other contactless payment systems, need to work harder with the issuing banks and take on more of the responsibility for keeping customer payment data secure.

3. Millions of Lenovo Laptops Contain Firmware-Level Vulnerabilities

In a recent report from Dark Reading, they outline how millions of Lenovo laptops worldwide contain firmware vulnerabilities that allow attackers to implant malware in the firmware itself, where it persists across operating system reinstalls and even disk replacement. Two of the vulnerabilities involve UEFI drivers that were only supposed to be used during manufacturing but were left active in shipping firmware.


Researchers from ESET discovered the Unified Extensible Firmware Interface (UEFI) vulnerabilities. The worry is that flaws at this level let attackers disable or bypass protections that sit below the operating system, such as firmware write protection and Secure Boot, which endpoint security tools running in the OS never see.

For the list of affected models and the fixed firmware versions, check Lenovo’s support advisory and update the firmware on every affected device.

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.