Warning: This group specializes in SMS texting scams.
Welcome to Cyber Security Today. It’s Friday, September 15th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Many threat actors use email phishing messages as their attack vectors to trick employees. A group known as UNC3944 to researchers at Mandiant has a different strategy. It often uses SMS text messages and phone calls as its communications vehicle. In a report Thursday the researchers said this group’s tactic is to contact corporate help desks and persuade staff they are an employee having network access trouble and need their passwords reset or a new multifactor authentication code. Once in an IT network they escalate their access privileges until they can launch malware, steal data or install ransomware. Some researchers call this group Oktapus, Scatter Swine or Scattered Spider. Mandiant says IT leaders have to stop using SMS text as a multifactor authentication verification option, block external access to Microsoft Azure and Microsoft 365 administration features, and require video verification of a help desk caller who wants a password reset. The user’s image should be matched to a database of employee photos. The user would also have to show a piece of ID, like a driver’s licence.
An Iran-based group is successfully compromising organizations with password spray tactics, according to Microsoft. The group has been dubbed Peach Sandstorm under Microsoft’s new naming protocol. All groups from Iran have Sandstorm in their name. Other researchers call it APT33 or Elfin. The group’s targets include companies in the defence, satellite and pharmaceutical industries. The goal is probably to steal industrial secrets. Password spraying is where threat actors try to authenticate to many accounts using a single password or a list of commonly used passwords. It differs from a brute force attack, which targets a single account. But this group also sometimes tries to exploit vulnerabilities in applications to get network access. To defend against this group Microsoft says IT departments should implement multifactor authentication. They should also consider implementing passwordless solutions for employees.
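The distinction drawn above, many accounts with a few attempts each versus one account hammered repeatedly, is exactly what a defender can look for in authentication logs. The following is an added example, not from the podcast or from Microsoft's report: it runs over a few constructed log lines in a simplified "timestamp status user source" format (an assumption; real systems such as Entra ID or Windows event logs use their own fields) and labels each source address as a password spray, a brute-force attempt, or normal, listing any accounts that later logged in successfully from a spraying source so responders know where to start.

```python
"""Password-spray versus brute-force detection over authentication logs.

Added example, not part of the original podcast. The log format below is a
constructed simplification: one event per line as
"<ISO timestamp> <FAIL|SUCCESS> <user> <source-ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays six accounts once each (and lands
# one), one source brute-forces a single account, one is a normal user typo.
SAMPLE_LOG = """\
2023-09-14T08:00:01 FAIL alice 203.0.113.10
2023-09-14T08:00:03 FAIL bob 203.0.113.10
2023-09-14T08:00:05 FAIL carol 203.0.113.10
2023-09-14T08:00:07 FAIL dave 203.0.113.10
2023-09-14T08:00:09 FAIL erin 203.0.113.10
2023-09-14T08:00:11 FAIL frank 203.0.113.10
2023-09-14T08:00:13 SUCCESS erin 203.0.113.10
2023-09-14T08:01:00 FAIL alice 198.51.100.7
2023-09-14T08:01:01 FAIL alice 198.51.100.7
2023-09-14T08:01:02 FAIL alice 198.51.100.7
2023-09-14T08:01:03 FAIL alice 198.51.100.7
2023-09-14T08:01:04 FAIL alice 198.51.100.7
2023-09-14T08:01:05 FAIL alice 198.51.100.7
2023-09-14T08:05:00 FAIL bob 192.0.2.44
2023-09-14T08:05:30 SUCCESS bob 192.0.2.44
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, status, user, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, user, source = line.split()
        events.append((datetime.fromisoformat(ts), status, user, source))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5,
                 max_per_account=3, brute_threshold=5):
    """Classify each source address.

    A source is a "password_spray" when, inside any window starting at one of
    its failures, it fails against at least min_accounts distinct users while
    trying no single user more than max_per_account times. It is
    "brute_force" when a window holds brute_threshold or more failures all
    against one user. Anything else is "normal". Thresholds are assumptions
    to be tuned against the environment's baseline.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[3]].append(ev)

    verdicts = {}
    for source, evs in by_source.items():
        fails = sorted((ts, user) for ts, status, user, _ in evs if status == "FAIL")
        verdict = "normal"
        for i, (start, _) in enumerate(fails):
            # Failures from this source within the window opened by failure i.
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdict = "password_spray"
                break
            if len(per_user) == 1 and len(in_window) >= brute_threshold:
                verdict = "brute_force"
                break
        # Accounts that logged in from this source: for a spraying source these
        # are the likely compromised accounts and the first place to respond.
        successes = sorted({user for _, status, user, _ in evs if status == "SUCCESS"})
        verdicts[source] = {"verdict": verdict, "successful_logins": successes}
    return verdicts


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, info["verdict"], "successful logins:", info["successful_logins"])
```

The per-account cap is what separates the two patterns: a spray stays under any single-account lockout threshold by design, so alerting only on repeated failures for one user, which catches brute force, misses it entirely. Pivoting on the source address (or, in cloud logs, on a shared user agent or ASN, since spray tooling rotates addresses) and counting distinct accounts is the complementary check.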
Information on thousands of police officers and staff from Britain’s Greater Manchester Police has been copied from a company that makes police identity cards. It’s the second cyber attack on a U.K. police ID card maker in less than a month. The data stolen in the ransomware attack would include names, photos and identity numbers. Last month a similar data theft from a police supplier happened in London.
Windows administrators who allow Kubernetes containers in their environment should be aware of new vulnerabilities. Researchers at Akamai say Kubernetes clusters below version 1.28 need to be patched so a hacker can’t exploit them and then do nasty things.
Finally, the SWIFT banking network, which ties together financial institutions from around the world, is holding its annual SIBOS convention in Toronto next week. I’m hosting a ransomware panel on Monday afternoon aimed at senior managers. If you’re there, say hello. I like to meet my listeners.
Later today the Week in Review will be available. Guest commentator David Shipley of Beauceron Security and I will discuss Microsoft’s explanation of how a threat actor got hold of a digital signing key that allowed it to forge email access tokens.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.