
Criminals mock IT giants like Apple and Facebook by posing as authorities. What’s the lesson?

by admin

Cybercriminals are always looking for new techniques to target companies around the world, even those we consider safer, such as Apple and Meta (Facebook). The case discussed here shows how effective a social engineering attack can be, even against companies whose staff are trained to recognize these threats.

The well-known investigator Brian Krebs reported last week that cybercriminals used compromised email accounts belonging to government and police departments to obtain sensitive data from private companies such as mobile phone providers, Internet service providers and social media companies. The scheme is simple: the criminals send “emergency data requests” (EDRs), official requests for information about the targeted companies' customers, and the victims hand over the data of unsuspecting users.

Why EDRs? The choice is anything but random. EDRs are data requests that US law enforcement agencies send to private companies in emergencies. The procedure is streamlined and requires no prior court authorization, because it is assumed that the authorities are collecting information in investigations that need a rapid response. For this reason, an attacker who can send such a request to a company is practically guaranteed to obtain the information he is after, without arousing any suspicion in the victims. Obviously, for the technique to succeed, the EDRs must be sent from previously compromised email accounts belonging to law enforcement agencies.


It should be said that, technically, it would be enough to add further mechanisms for verifying the sender's identity to the request process, for example a digital signature, yet for various reasons the American authorities still seem reluctant to adopt this solution. Having discovered this flaw in the process, the cybercrime industry has started exploiting EDRs in its attacks, and some malicious actors have even built a Cybercrime-as-a-Service model around it, selling requests to other criminal groups, offering them access to compromised law enforcement accounts, or sending requests on their behalf to specific companies.

Krebs cites the case of a criminal using the pseudonym “Bug”, who in the last month alone has sold numerous logins to various US police and government email accounts via Telegram. The same user was also offering EDRs on the Breached Criminal Forum[.]co before being permanently banned. “Bug” claimed to be able to send requests to companies such as Twitter, Instagram and Snapchat.

Source: KrebsOnSecurity

This brings us to real cases of fraudulent EDRs sent to technology companies, cited by Krebs and Bloomberg. The popular social media platform Discord was among the first to report receiving a fraudulent EDR, while Bloomberg revealed that the giants Apple and Meta/Facebook recently handed over user data in response to fake EDRs. Through this cunning stratagem, fake EDRs would therefore have allowed various criminal gangs to obtain data from the technology giants, and not only from them.

Among these cybercriminals is a now-disbanded group called the Recursion Team. After the group dissolved, some of its members reportedly joined other gangs, including the feared Lapsus$, responsible for attacks on multinationals such as Nvidia, Microsoft, Okta, Vodafone, Samsung and Globant. The dynamism of the criminal underground in recent months is a further source of concern, since techniques such as EDR abuse spread rapidly as members move between the main gangs.

Attacks such as these remind us how insidious the criminal enterprise is, always ready to exploit flaws in technology as well as in processes that can provide access to sensitive data. Krebs also highlighted the speed with which the cybercrime-as-a-service model evolves to provide the criminal landscape with new and efficient services that allow even groups with less technical skill to target IT giants. The concluding consideration is that these attacks show the urgent need to adopt a “zero-trust” approach to enterprise IT security, which implies that there is no trusted perimeter within which transactions or requests can be accepted without a formal authentication process.
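The sender-verification mechanism suggested earlier (a digital signature on the request) and the formal authentication step the zero-trust conclusion implies, as an added Go example that is not part of the original article: the agency signs each EDR with an Ed25519 key that never sits in its mailbox, and the provider accepts the request only if the agency is in a trusted key registry, the signature verifies, and the request is fresh. The agency name, the registry and the EDR field layout are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// EDR is a constructed request record; every field is covered by the signature.
type EDR struct {
	Agency, CaseID, Subject string // agency id (assumed registry key), case, account asked about
	IssuedAt                time.Time
	Signature               []byte
}
// canonical is the exact byte string that is signed and later verified.
func canonical(r EDR) []byte {
	return []byte(strings.Join([]string{r.Agency, r.CaseID, r.Subject, r.IssuedAt.UTC().Format(time.RFC3339)}, "\n"))
}
// Sign runs at the agency with its private key, which never lives in an email account.
func Sign(priv ed25519.PrivateKey, r EDR) EDR {
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r
}
// Verify runs at the provider: trusted registry, valid signature, fresh request (limits replay of a genuine one).
func Verify(registry map[string]ed25519.PublicKey, r EDR, now time.Time, maxAge time.Duration) error {
	pub, ok := registry[r.Agency]
	if !ok {
		return errors.New("unknown agency: refuse")
	}
	if !ed25519.Verify(pub, canonical(r), r.Signature) {
		return errors.New("bad signature: refuse")
	}
	if age := now.Sub(r.IssuedAt); age < 0 || age > maxAge {
		return errors.New("outside validity window: refuse")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"example-pd": pub}
	req := Sign(priv, EDR{Agency: "example-pd", CaseID: "C-1", Subject: "user@example.com", IssuedAt: time.Now()})
	fmt.Println(Verify(registry, req, time.Now(), time.Hour)) // <nil>: genuine
	req.Subject = "victim@example.com"                         // edited after signing: signature no longer matches
	fmt.Println(Verify(registry, req, time.Now(), time.Hour)) // bad signature: refuse
}
```

A request sent from a compromised mailbox without the agency's signing key fails the second check, and a captured genuine request re-sent later fails the third.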
