Secure With Celerity Episode 13
ANDREW MCLEAN [00:01:33] Good afternoon, good afternoon and welcome to Secure with Celerity. The date today is the 24th of July. It’s a Friday, so it must be time for our roundup of the cybersecurity news. A lot of it is happening in the world of cybersecurity. Every country seems to be falling out at the moment, mostly due to cybersecurity. So there’s got to be some interesting things to discuss today. It’s my absolute pleasure to be joined by my experts, Josh Read and Neil Hulme. Welcome, guys.
NEIL HULME [00:02:03] How you doing?
JOSHUA READ [00:02:04] Are you alright?
ANDREW MCLEAN [00:02:06] Yeah, not bad. Not bad. So, guys, there’s so much happening this week, but I think the biggest story is one that you actually covered on Secure last week when it first broke. But I believe you’ve now got more information on it, and that’s to do with the Twitter breach. It’s been all over the news. Can you tell us a little bit about it? And, you know, what information has come out since?
JOSHUA READ [00:02:30] Yeah. So when we covered this story last week, it was a bit of a developing story. There was a lot of activity around it. There was obviously evidence that a lot of high profile Twitter accounts had been breached, and no one was really 100% definitively sure how it actually happened. So obviously we spoke about it last week. I think we worked out, cumulatively, from the accounts that I looked at and the evidence that I saw, there was a cumulative following of two hundred and ninety nine million, three hundred and twenty eight thousand and three hundred followers, which is massive. That’s a huge following. And essentially, all these high profile Twitter accounts got breached and then a Bitcoin wallet address, or cryptocurrency wallet address, was posted. And it was typical social engineering, saying if you send money to this address, I’ll double it and send it back to you in the next 30 minutes. Obviously it was a scam. But as the week has gone on, I’ve been following the Twitter Support account, and they’ve actually been very, very open about all of it, and I have to commend them. They’ve had it so that at potentially each step of their investigation they’ve added something new to that Twitter thread. They’ve provided more information. So documented so far, there have been one hundred and thirty total accounts targeted by the attackers. Forty five accounts had that tweet sent by the attackers, so forty five accounts basically had these Bitcoin and cryptocurrency social engineering tweets sent. And some of them, like Elon Musk, Jeff Bezos, Joe Biden, are some of the biggest and most influential characters on Twitter at this moment in time. There were 36 accounts that had their direct messages accessed as well, so there could be further breaches before the release of the DM conversations between celebrities.
I don’t wish to comment on that, but watch this space. And eight accounts had an archive of that data downloaded, which is basically like the activity that that user is doing on Twitter. It’s just a massive log file of everything that they’ve done. On the 18th of July, Twitter basically created a blog post and wrote about what happened and what they were doing. They said: at this time, we believe attackers targeted certain employees of Twitter through a social engineering scheme. The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor authentication protections. As of now, we know that they accessed tools only available to our internal support teams to target one hundred and thirty Twitter accounts. For forty five of those accounts, the attackers were able to initiate a password reset, log into the account and then send tweets. So essentially what they’ve done is they’ve managed to breach some Twitter support accounts, which are essentially employees of Twitter, managed to get hold of a Twitter “god tool”, which basically gives them admin rights across the whole of Twitter, the whole platform, and then proceeded to initiate password resets on some of the largest, some of the biggest accounts on Twitter, and then breach those accounts and then send tweets. So it’s quite a complicated and long drawn-out process, but the rewards pay dividends. There are a few things that stand out for me in this statement that they released. First, obviously, phishing again is paying dividends in this attack. It’s the main attack method that’s used. It’s probably, again, excellent evidence of how successful phishing can be, especially towards even the most technical of organisations. You would deem Twitter a digital giant in the world’s economy and the world’s working environments, and even they have fallen victim to phishing attacks.
Secondly, I found it very interesting that the attackers were able to circumvent, and almost phish, two-factor authentication methods. Now, I don’t know. They haven’t detailed how that was possible or how they did it. I know I’ve seen a lot of concepts online around multifactor authentication phishing, stealing and intercepting tokens, and almost like man-in-the-middle attacks, so replicating tokens and passing them on. It’s a complicated process and there’s very limited work and knowledge of it in practice. So I’d like to understand how they managed to bypass multifactor authentication. But most shockingly, and lastly, is the fact that Twitter have essentially a god mode. You know, the details are that they managed to breach the support accounts, and then by breaching these accounts they managed to get hold of this Twitter admin tool that allowed them to essentially roam free on the platform. What shocked me most, though, was how widely available it sounded. I think they said it was only available to our internal support team, but the internal support team at Twitter will be substantial in size. It’s, you know, it’s a multinational company. They’re gonna have support centres around the world. They’re gonna have hundreds of employees working in support, merely given the size of the platform and the organisation. So, you know, maybe more policies need to be put in place around tools like these god mode, admin mode tools. And I’m wondering if the admin tool will soon go up for sale on the dark web, if it’s a transportable thing. Or will Twitter change the way that they work? It’d be interesting to see. Yeah, it’s scary. It is really scary.
ANDREW MCLEAN [00:09:32] Yeah. I mean, do you think this was a slow burn? Or once they had access, do you think it was bam, bam, bam? I mean, how orchestrated do you think this was?
NEIL HULME [00:09:43] I think they had a lot of faith in their perimeter security, obviously. You know, they’re clearly not doing much in the way of fraud analytics once people are in. So they must trust their own people, and obviously had a high degree of confidence in that perimeter. But, yeah, it doesn’t appear that they’re doing any fraud analytics, so they’re not watching log files and monitoring unusual activity. If they were, then perhaps they would’ve picked this up. You know, it’s common to find, certainly in my experience, if I go back to my days as a Unix admin, you have a superuser password and you can do everything with that. And people typically want to use that password because it’s the quickest and easiest way of getting things done. If I get access to that account, I can do anything, including covering my tracks as well. So any log file activity, I can delete, because I’m the superuser. Really, what they probably want to look at, and I suspect if they don’t have this in place they probably will do, is formal role-based access. So rather than everybody having these admin credentials that allow them to effectively do anything, you need to have various levels, and when you get into the superuser levels there need to be more checks put in place. So we need to be monitoring that: if you have role-based access, monitoring those log files for abnormal activity, and monitoring user activity in general. Because you could argue that the nature of the tweets is probably different to what these people would normally send. You know, these people are highly unlikely to be asking for Bitcoin donations, so that would be abnormal activity, and if you’re monitoring for that type of thing, then you should pick that up too.
JOSHUA READ [00:11:45] Yeah, definitely. I think it’s difficult, because if they had location-based... A lot of banking fraud software does it based off a number of different characteristics, you know: what have you bought, where have you bought it from, how much is the item that you’ve bought. In Twitter it could simply be even something as simple as location. You know, if ninety nine percent of your activity on the platform is associated with a one square mile radius of, let’s say, Newcastle, and now all of a sudden there’s a lot of activity coming from Nairobi, then obviously that should flag warning signs, especially on accounts that have such magnitude on the platform, like the ones that were breached. So I don’t really understand it at all. I think there’s definitely a lot of security that needs to go into practice, as well as consideration.
NEIL HULME [00:12:41] Well, they should be monitoring multiple vectors. So, as you say, location being one of them, and then unusual activity. It is possible to have AI that’s monitoring this sort of stuff, but you’ve got to do it over a period of time, so that’s something for AI to follow. But something clearly out of the ordinary like this, you know, there’s tooling out there that would pick that up.
ANDREW MCLEAN [00:13:09] Well, I think we’re gonna come back to a spin-off of this a little bit later in the show. But let’s move on to the next topic. I know now I’m gonna need some help with this, because I know nothing about football or, if you’re watching in America, soccer. It’s “Premier League hackers try to steal one million pound transfer fee during football club cyber attack”. So, first of all, you need to tell me what the story is. Second of all, you need to tell me what a transfer fee is, because I don’t actually know. But I’m gonna start with you, Neil, because it looks like you’re a football fan, if I’ve guessed rightly from your background. Do you want to give us a little tour of your room and tell us the story?
NEIL HULME [00:13:51] I’ve got a couple of shirts, the Manchester United Legends. I’ve got the… So various other bits and pieces as well. Some of the boxing in there as well.
ANDREW MCLEAN [00:14:10] Okay. Beautiful. So tell me what happened, and also tell me what a transfer fee is, because I don’t understand.
JOSHUA READ [00:14:19] There was a report released from the NCSC, and it was a riveting read, it really was. Now, that wasn’t even sarcasm; it was actually really interesting. Essentially in that they detailed a lot of case studies of what happened at, not just football clubs, but all sporting associations within the United Kingdom. There was evidence that at one football club they managed to hack the turnstiles and block them, which could potentially have called off a game if they hadn’t managed to fix that. There was also evidence of a CEO or an owner getting their email hacked in the midst of a transfer of a player, and that nearly resulted in a one million pound fee falling into cybercriminals’ hands.
ANDREW MCLEAN [00:15:25] It’s just like when someone intercepts your email and says, oh, by the way, we’ve changed bank account, put it in this account?
JOSHUA READ [00:15:35] It’s sort of like that. The way that it was described in the report was that the club’s managing director had been hacked before the transfer negotiation, and as a result, I would say, the one million pounds nearly fell into the hackers’ hands. Well, from my understanding, they managed to replicate the club that they were buying the player from, one of their accounts, and then they took over the communication with the owner of the Premier League club and tried to talk them into sending this transfer fee. And luckily enough, I think it was the football club’s bank which actually stopped the transaction. You know, it relates back to our last story around fraud analytics. It was very, very lucky. Well, I’ve long been baffled how football hasn’t been a target in the past. You’re talking, you know, obviously Neil is a Manchester United fan, back when Paul Pogba broke the hundred million pound mark for a transfer fee, and ever since then transfer fees have risen astronomically. It keeps rising and rising. It baffles me how that volume of money, being so publicly transferred between two entities, isn’t being attempted to be socially engineered or hacked, or in any method, really. There were actually some very worrying statistics that came out of the report. So the biggest documented loss was four million pounds, and approximately thirty percent of incidents caused direct financial damage, averaging one hundred thousand pounds per incident. Thirty percent of organisations questioned recorded over five incidents in a twelve-month period alone, and seventy percent of sports organisations have experienced a cyber incident or breach. So they’re not the only ones. You know, there will be other organisations, obviously, I’d say, that have seen that magnitude. But if you look at those statistics alone, it is of huge magnitude.
You know, thirty percent of organisations questioned recording five incidents in a twelve-month period alone is massive. So, you know, these incidents, you know, receiving malware on an email isn’t really an incident. If your email filter blocks it, it’s not an incident. Incidents involve user accounts being breached, malware actually getting onto systems and spreading sideways. Those are the types and magnitude of incidents that we’re talking about in this report, and they’re not small things. So it is slightly concerning. It’s probably why they’ve released the report. It’s crazy. Yeah. So the incident was very well recorded in the report. The cybercriminals sent an amended payment request to the managing director of the club, changing the real bank details to an account which they had control of, which is typical social engineering tactics. The transaction was approved by the Premier League club and they actually sent the payment. So, you know, it proves really how easy it is, or how easy it could be. Obviously a lot more work will have gone into this cyber attack. This is very concerning when you think about it, ultimately.
ANDREW MCLEAN [00:19:47] A little bit like back to the Twitter story. Have these been opportunistic, internally, as in employees, or are these technological failures, or both? I mean, what’s kind of going on here?
NEIL HULME [00:20:03] Well, C-level people are prime targets for phishing and spear phishing. You know, I read a statistic from Verizon that said senior executives are twelve times more likely to be… And it may also be as well that, you know, in a lot of cases they are business people, perhaps not as, you know, as IT aware, certainly around cyber, as perhaps other people in the organisation. But it just underlines the fact that, you know, part of your security has to be training and awareness at all levels. Because this particular spear phishing attack, where they’re using information, rather like Josh was talking about, they could make it very specific and very convincing. You need to be aware of those, you know, so you don’t get caught out.
JOSHUA READ [00:21:05] Yeah, definitely. I think Paul, who is the director of operations at the NCSC, said that sport is a pillar of many of our lives and we’re eagerly anticipating the return of full stadiums and busy sporting calendars. While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show that the impact of cybercriminals cashing in on the industry is very real. I would urge sporting bodies at this time to look at where they can improve their cybersecurity. Doing so now will help protect them and millions of fans from the consequences of cybercrime. You’ve got to think as well, you know, these football clubs are almost like centralised areas of data, with the likes of fans signing up for season tickets and providing their personal details. It’s literally like a flea market for cyber attackers to just jump on. It’s mad.
ANDREW MCLEAN [00:22:11] I mean, it is quite the story. It’s quite the story. But before we return to that story, let’s move quickly on to the next one. “US, United States, charges two Chinese hackers for targeting COVID-19 research and trade secrets.” I don’t know anything about this one. Give us a little info.
JOSHUA READ [00:22:33] Yeah, it links with the activity that the UK had with Russia, where they deemed the APT29 and Cozy Bear hacker groups were actually state actors of Russia and they were trying to steal COVID-19 related research and information. It’s a recurring topic. So the US Department of Justice yesterday revealed that there were charges against two Chinese nationals for their alleged involvement in a decade-long hacking spree, is what they deemed it, targeting dissidents, government agencies and hundreds of organisations. It sounds massive. They haven’t released a lot in terms of, you know, every single attack that they deemed to be within the remit of their activities. There was an eleven-count indictment that was unsealed on Tuesday, and it alleges the two perpetrators stole terabytes of sensitive information, including from companies developing COVID-19 vaccines, testing technologies and treatments. So it’s a recurring topic. COVID-19 research, and anything that is a hot topic right now, you know, any organisation that is directly related to COVID-19 research should be really considering cybersecurity if they haven’t already. It’s fairly obvious that that type of information is gonna be absolute gold dust to any state actors, whether it’s Russia, China, even third world countries, dominions of Africa, areas of Southeast Asia, North Korea, areas like that. People who don’t have the resource and money to commit resource, as in time and effort, into developing a vaccine like what the UK and the US can do. So it’s essentially them cheating and trying to steal the hard work that the UK and the US have put in so far. But as I said before, it won’t be the first and it won’t be the last. It’s sad really, because all it’s doing is hindering the progress of the vaccination.
Essentially, if you’re having to deal with cyber attacks and then also deal with the development of the vaccine itself, split opinions and, you know, that type of thing, it’s quite difficult.
NEIL HULME [00:25:23] Yeah, I mean, if people are interested in looking at these sorts of tactics and vulnerabilities, there is the MITRE ATT&CK website. It’s a globally accessible knowledge base of tactics and techniques, and amongst other things what it lists is, you know, the vulnerabilities that are out there and the particular groups that tend to exploit those vulnerabilities. And it’s a forum where people share this information, to sort of promote security. So if people want to get a feel for this, go and have a look at it. It’s attack.mitre.org, if anyone wants to look at it.
ANDREW MCLEAN [00:26:12] It’s frightening stuff. Thank you for that, Neil. Okay, so just before we run out of time, we’re gonna move on to our final story. “Slack, the messaging service: credentials are abundant on cybercrime markets, but little interest from hackers.” Tell us more.
JOSHUA READ [00:26:29] Yeah. A lot of people are very aware of Slack now. We use it, other organisations use it. Essentially, KELA did some scraping of the dark web with various tools that they had and uncovered a great deal of Slack credentials available for sale on the dark web. What’s interesting about this is the report from The New York Times: supposedly they had an interview with a teenager who managed to do the Twitter hack, although it’s unconfirmed at this moment in time, and apparently they gained access to the Twitter accounts that we mentioned in the first story via a Slack channel of Twitter’s. So if that is the case, I know we’ve said that obviously there’s very little interest on the dark web from hackers in terms of Slack credentials, but it could be that there’s a massive uptake and a definite shift in what the capabilities are if you manage to obtain a great deal of credentials for Slack, especially for organisations like the examples I’ve got on the screen now. These are some of the examples of sales that were on there, and there were people asking for credentials, asking for credential databases, paying five dollars to fifty dollars per account based on what they were for. That was posted over a year ago and no one replied, so there was obviously no interest. There are lots of sales that had been up for a couple of months that had no activity, and more worryingly there’s evidence that there was access to what looks to be a government Slack website. So, you know, I’m not going to lie, it’s always worrying when government related stuff gets advertised so freely on the dark web. I think the price of Slack credentials is obviously going to rocket now, probably, if The New York Times report turns out to be true. But apparently there were seventeen thousand Slack accounts up for sale, which represented one thousand two hundred different Slack workspaces.
And the prices varied from fifty cents to three hundred dollars, obviously dependent on what company it was, you know, what the goodies were if you did buy it.
NEIL HULME [00:29:27] That’s the thing, isn’t it? It depends on what Slack account you’ve got, isn’t it? You might just see a load of GIFs and people chatting for ages with nothing really interesting going on. So, you know, I guess they were perhaps premeditated or fortunate to get access to, you know, Twitter’s. All the stuff. It’s Twitter.
ANDREW MCLEAN [00:29:50] So in theory, what we’re saying, if the theory stands up, is you’ve got a Slack channel for support, and the support person said, hello Bob, or whoever it is, what’s the super admin password again? And they go, oh, it’s this, and so on. And off you start.
JOSHUA READ [00:30:14] The link goes into a great deal of detail on what they claimed. The New York Times claimed that they had this interview with this kid. He was a teenager and he said that he managed to obtain Slack credentials and then got into Slack, and basically, yeah, sniffed conversations and managed to obtain a Twitter account login which had god privileges. And it’s scary, really. I mean, it proves how valuable Slack credentials could really be, if it turns out to be true.
NEIL HULME [00:30:55] Yeah. I mean, you know, I think if they can access your Microsoft Teams, then obviously, you know, that would then give them access to your kind of Office 365 environment. And perhaps that’s why, you know, Slack previously wasn’t of as much interest, because it doesn’t give me the same level of access as it would if you had something like Teams. Obviously, really boring conversations and pictures of cats and things like that, you know.
ANDREW MCLEAN [00:31:27] As are most Slack channels that I’ve seen, yes. Yeah, it’s been an interesting development, and maybe we’ll find out more about this next week. But for this week, I’m afraid that is all we have time for. I’d like to thank my fantastic guests from Celerity, Josh Read and Neil Hulme. Thank you very much, guys, and we’ll talk soon. You’ve been watching Secure with Celerity, the weekly cybersecurity show. It’s Friday, the 24th of July, and I hope you found this interesting. Until next week, I believe my co-host, Mr. Dave Taylor, will be back. I’ll see you soon.