Category: The Coming Storm

Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here’s one example.

A sample Common Access Card (CAC). Image: Cac.mil.

KrebsOnSecurity recently heard from a reader — we’ll call him “Mark” because he wasn’t authorized to speak to the press — who works in IT for a major government defense contractor and was issued a Personal Identity Verification (PIV) government smart card designed for civilian employees. Not having a smart card reader at home and lacking any obvious guidance from his co-workers on how to get one, Mark opted to purchase a $15 reader from Amazon that said it was made to handle U.S. government smart cards.

The USB-based device Mark settled on is the first result that currently comes up one when searches on Amazon.com for “PIV card reader.” The card reader Mark bought was sold by a company called Saicoo, whose sponsored Amazon listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has more than 11,700 mostly positive ratings.

The Common Access Card (CAC) is the standard identification for active duty uniformed service personnel, selected reserve, DoD civilian employees, and eligible contractor personnel. It is the principal card used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems.

Mark said when he received the reader and plugged it into his Windows 10 PC, the operating system complained that the device’s hardware drivers weren’t functioning properly. Windows suggested consulting the vendor’s website for newer drivers.

The Saicoo smart card reader that Mark purchased. Image: Amazon.com

So Mark went to the website mentioned on Saicoo’s packaging and found a ZIP file containing drivers for Linux, Mac OS and Windows:

Image: Saicoo

Out of an abundance of caution, Mark submitted Saicoo’s drivers file to Virustotal.com, which simultaneously scans any shared files with more than five dozen antivirus and security products. Virustotal reported that some 43 different security tools detected the Saicoo drivers as malicious. The consensus seems to be that the ZIP file currently harbors a malware threat known as Ramnit, a fairly common but dangerous trojan horse that spreads by appending itself to other files.

Image: Virustotal.com

Ramnit is a well-known and older threat — first surfacing more than a decade ago — but it has evolved over the years and is still employed in more sophisticated data exfiltration attacks. Amazon said in a written statement that it was investigating the reports.

“Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access,” Mark said.

Mark said he contacted Saicoo about their website serving up malware, and received a response saying the company’s newest hardware did not require any additional drivers. He said Saicoo did not address his concern that the driver package on its website was bundled with malware.

In response to KrebsOnSecurity’s request for comment, Saicoo sent a somewhat less reassuring reply.

“From the details you offered, issue may probably caused by your computer security defense system as it seems not recognized our rarely used driver & detected it as malicious or a virus,” Saicoo’s support team wrote in an email.

“Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps,” the message continued. “When driver installed, this message will vanish out of sight. Don’t worry.”

Saicoo’s response to KrebsOnSecurity.

The trouble with Saicoo’s apparently infected drivers may be little more than a case of a technology company having their site hacked and responding poorly. Will Dormann, a vulnerability analyst at CERT/CC, wrote on Twitter that the executable files (.exe) in the Saicoo drivers ZIP file were not altered by the Ramnit malware — only the included HTML files.

Dormann said it’s bad enough that searching for device drivers online is one of the riskiest activities one can undertake online.

“Doing a web search for drivers is a VERY dangerous (in terms of legit/malicious hit ration) search to perform, based on results of any time I’ve tried to do it,” Dormann added. “Combine that with the apparent due diligence of the vendor outlined here, and well, it ain’t a pretty picture.”

But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers from a myriad of online vendors when the need arises. Saicoo’s product listings, for example, are replete with comments from customers who self-state that they work at a federal agency (and several who reported problems installing drivers).

A thread about Mark’s experience on Twitter generated a strong response from some of my followers, many of whom apparently work for the U.S. government in some capacity and have government-issued CAC or PIV cards.

Two things emerged clearly from that conversation. The first was general confusion about whether the U.S. government has any sort of list of approved vendors. It does. The General Services Administration (GSA), the agency which handles procurement for federal civilian agencies, maintains a list of approved card reader vendors at idmanagement.gov (Saicoo is not on that list). [Thanks to @MetaBiometrics and @shugenja for the link!]

The other theme that ran through the Twitter discussion was the reality that many people find buying off-the-shelf readers more expedient than going through the GSA’s official procurement process, whether it’s because they were never issued one or the reader they were using simply no longer worked or was lost and they needed another one quickly.

“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader they bought because they had to get to their DOD email at home and they’ve never been issued a laptop or a CAC reader,” said David Dixon, an Army veteran and author who lives in Northern Virginia. “When your boss tells you to check your email at home and you’re in the National Guard and you live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”

Interestingly, anyone asking on Twitter about how to navigate purchasing the right smart card reader and getting it all to work properly is invariably steered toward militarycac.com. The website is maintained by Michael Danberry, a decorated and retired Army veteran who launched the site in 2008 (its text and link-heavy design very much takes one back to that era of the Internet and webpages in general). His site has even been officially recommended by the Army (PDF). Mark shared emails showing Saicoo itself recommends militarycac.com.

Image: Militarycac.com.

“The Army Reserve started using CAC logon in May 2006,” Danberry wrote on his “About” page. “I [once again] became the ‘Go to guy’ for my Army Reserve Center and Minnesota. I thought Why stop there? I could use my website and knowledge of CAC and share it with you.”

Danberry did not respond to requests for an interview — no doubt because he’s busy doing tech support for the federal government. The friendly message on Danberry’s voicemail instructs support-needing callers to leave detailed information about the issue they’re having with CAC/PIV card readers.

Dixon said Danberry has “done more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”

In many ways, Mr. Danberry is the equivalent of that little known software developer whose tiny open-sourced code project ends up becoming widely adopted and eventually folded into the fabric of the Internet.  I wonder if he ever imagined 15 years ago that his website would one day become “critical infrastructure” for Uncle Sam?

The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administration’s intelligence sharing portal.

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.

KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, and issued only the briefest of statements about the matter in response to being notified.

“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.

According to this page at the Justice Department website, LEIA “provides federated search capabilities for both EPIC and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive” to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community.

EPIC and LEIA also have access to the DEA’s National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).

“The EPIC System Portal (ESP) enables vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,” the 2016 White House document reads. “Law Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.”

The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

Claims about the purloined DEA access were shared with this author by “KT,” the current administrator of the Doxbin — a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.

[SIDE NOTE: Nearly two dozen domain names used by Doxbin were very recently included on the “Domain Block List” (DBL) maintained by Spamhaus, an anti-abuse group that many Internet service providers work with to block spam and malicious activity online. As a result, the Doxbin is currently unreachable on the open Internet].

As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of LAPSUS$, a data extortion group that hacked into some of the world’s largest tech companies this year — including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley.

Weaver said it’s clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases.

“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel you don’t search for yourself you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”

The DEA’s EPIC portal login page.

ANALYSIS

The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.

However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal is not only offender here. The DEA portal esp.usdoj.gov is listed on Page 87 of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.

There are 3,330 results. Granted, only some of those results are login portals, but that’s just within the Department of Justice.

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication.

I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.

But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.

When KrebsOnSecurity recently explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless Emergency Data Requests (EDRs) from social media firms and technology providers, many security experts called it a fundamentally unfixable problem. But don’t tell that to Matt Donahue, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law enforcement data requests — in part by assigning trustworthiness or “credit ratings” to law enforcement authorities worldwide.

A sample Kodex dashboard. Image: Kodex.us.

Donahue is co-founder of Kodex, a company formed in February 2021 that builds security portals designed to help tech companies “manage information requests from government agencies who contact them, and to securely transfer data & collaborate against abuses on their platform.”

The 30-year-old Donahue said he left the FBI in April 2020 to start Kodex because it was clear that social media and technology companies needed help validating the increasingly large number of law enforcement requests domestically and internationally.

“So much of this is such an antiquated, manual process,” Donahue said of his perspective gained at the FBI. “In a lot of cases we’re still sending faxes when more secure and expedient technologies exist.”

Donahue said when he brought the subject up with his superiors at the FBI, they would kind of shrug it off, as if to say, “This is how it’s done and there’s no changing it.”

“My bosses told me I was committing career suicide doing this, but I genuinely believe fixing this process will do more for national security than a 20-year career at the FBI,” he said. “This is such a bigger problem than people give it credit for, and that’s why I left the bureau to start this company.”

One of the stated goals of Kodex is to build a scoring or reputation system for law enforcement personnel who make these data requests. After all, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to abuse the EDR process is illicit access to a single police email account.

Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, and hopefully making it easier for all customers to spot an unauthorized EDR.

Kodex’s first big client was cryptocurrency giant Coinbase, which confirmed their partnership but otherwise declined to comment for this story. Twilio confirmed it uses Kodex’s technology for law enforcement requests destined for any of its business units, but likewise declined to comment further.

Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.

Donahue said in Kodex’s system, each law enforcement entity is assigned a credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.

“In those cases, we warn the customer with a flash on the request when it pops up that we’re allowing this to come through because the email was verified [as being sent from a valid police or government domain name], but we’re trying to verify the emergency situation for you, and we will change that rating once we get new information about the emergency,” Donahue said.

“This way, even if one customer gets a fake request, we’re able to prevent it from happening to someone else,” he continued. “In a lot of cases with fake EDRs, you can see the same email [address] being used to message different companies for data. And that’s the problem: So many companies are operating in their own silos and are not able to share information about what they’re seeing, which is why we’re seeing scammers exploit this good faith process of EDRs.”

NEEDLES IN THE HAYSTACK

As social media and technology platforms have grown over the years, so have the volumes of requests from law enforcement agencies worldwide for user data. For example, in its latest transparency report mobile giant Verizon reported receiving 114,000 data requests of all types from U.S. law enforcement entities in the second half of 2021.

Verizon said approximately 35,000 of those requests (~30 percent) were EDRs, and that it provided data in roughly 91 percent of those cases. The company doesn’t disclose how many EDRs came from foreign law enforcement entities during that same time period. Verizon currently asks law enforcement officials to send these requests via fax.

Validating legal requests by domain name may be fine for data demands that include documents like subpoenas and search warrants, which can be validated with the courts. But not so for EDRs, which largely bypass any official review and do not require the requestor to submit any court-approved documents.

Police and government authorities can legitimately request EDRs to learn the whereabouts or identities of people who have posted online about plans to harm themselves or others, or in other exigent circumstances such as a child abduction or abuse, or a potential terrorist attack.

But as KrebsOnSecurity reported in March, it is now clear that crooks have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using illicit access to hacked police email accounts, the attackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person. That might explain why the compliance rate for EDRs is usually quite high — often upwards of 90 percent.

Fake EDRs have become such a reliable method in the cybercrime underground for obtaining information about account holders that several cybercriminals have started offering services that will submit these fraudulent EDRs on behalf of paying clients to a number of top social media and technology firms.

A fake EDR service advertised on a hacker forum in 2021.

An individual who’s part of the community of crooks that are abusing fake EDR told KrebsOnSecurity the schemes often involve hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

EDR OVERLOAD?

Donahue said depending on the industry, EDRs make up between 5 percent and 30 percent of the total volume of requests. In contrast, he said, EDRs amount to less than three percent of the requests sent through Kodex portals used by customers.

KrebsOnSecurity sought to verify those numbers by compiling EDR statistics based on annual or semi-annual transparency reports from some of the largest technology and social media firms. While there are no available figures on the number of fake EDRs each provider is receiving each year, those phony requests can easily hide amid an increasingly heavy torrent of legitimate demands.

Meta/Facebook says roughly 11 percent of all law enforcement data requests — 21,700 of them — were EDRs in the first half of 2021. Almost 80 percent of the time the company produced at least some data in response. Facebook has long used its own online portal where law enforcement officials must first register before submitting requests.

Government data requests, including EDRs, received by Facebook over the years. Image: Meta Transparency Report.

Apple said it received 1,162 emergency requests for data in the last reporting period it made public — July – December 2020. Apple’s compliance with EDRs was 93 percent worldwide in 2020. Apple’s website says it accepts EDRs via email, after applicants have filled out a supplied PDF form. [As a lifelong Apple user and customer, I was floored to learn that the richest company in the world — which for several years has banked heavily on privacy and security promises to customers — still relies on email for such sensitive requests].

Twitter says it received 1,860 EDRs in the first half of 2021, or roughly 15 percent of the global information requests sent to Twitter. Twitter accepts EDRs via an interactive form on the company’s website. Twitter reports that EDRs decreased by 25% during this reporting period, while the aggregate number of accounts specified in these requests decreased by 15%. The United States submitted the highest volume of global emergency requests (36%), followed by Japan (19%), and India (12%).

Discord reported receiving 378 requests for emergency data disclosure in the first half of 2021. Discord accepts EDRs via a specified email address.

For the six months ending in December 2021, Snapchat said it received 2,085 EDRs from authorities in the United States (with a 59 percent compliance rate), and another 1,448 from international police (64 percent granted). Snapchat has a form for submitting EDRs on its website.

TikTok‘s resources on government data requests currently lead to a “Page not found” error, but a company spokesperson said TikTok received 715 EDRs in the first half of 2021. That’s up from 409 EDRs in the previous six months. Tiktok handles EDRs via a form on its website.

The current transparency reports for both Google and Microsoft do not break out EDRs by category. Microsoft says that in the second half of 2021 it received more than 25,000 government requests, and that it complied at least partly with those requests more than 90 percent of the time.

Microsoft runs its own portal that law enforcement officials must register at to submit legal requests, but that portal doesn’t accept requests for other Microsoft properties, such as LinkedIn or Github.

Google said it received more than 113,000 government requests for user data in the last half of 2020, and that about 76 percent of the requests resulted in the disclosure of some user information. Google doesn’t publish EDR numbers, and it did not respond to requests for those figures. Google also runs its own portal for accepting law enforcement data requests.

Verizon reports (PDF) receiving more than 35,000 EDRs from just U.S. law enforcement in the second half of 2021, out of a total of 114,000 law enforcement requests (Verizon doesn’t disclose how many EDRs came from foreign law enforcement entities). Verizon said it complied with approximately 91 percent of requests. The company accepts law enforcement requests via snail mail or fax.

Image: Verizon.com.

AT&T says (PDF) it received nearly 19,000 EDRs in the second half of 2021; it provided some data roughly 95 percent of the time. AT&T requires EDRs to be faxed.

The most recent transparency report published by T-Mobile says the company received more than 164,000 “emergency/911” requests in 2020 — but it does not specifically call out EDRs. Like its old school telco brethren, T-Mobile requires EDRs to be faxed. T-Mobile did not respond to requests for more information.

Data from T-Mobile’s most recent transparency report in 2020. Image: T-Mobile.

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full blown data breach. But few organizations have a playbook for responding to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world’s biggest corporations on edge.

Since surfacing in late 2021, LAPSUS$ has gained access to the networks or contractors for some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing any information they stole (mainly computer source code).

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. It found LAPSUS$ used a variety of old-fashioned techniques that seldom show up in any corporate breach post-mortems, such as:

-targeting employees at their personal email addresses and phone numbers;
-offering to pay $20,000 a week to employees who give up remote access credentials;
-social engineering help desk and customer support employees at targeted companies;
-bribing/tricking employees at mobile phone stores to hijack a target’s phone number;
-intruding on their victims’ crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored “Advanced Persistent Threat” or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: According to Microsoft, LAPSUS$ doesn’t seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about how good they are, tactics et cetera, but I think it’s more than that,” said the CXO, who spoke about the incident on condition of anonymity. “They put together an approach that industry thought suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. “These guys were not leet, just damn persistent.”

HOW DID WE GET HERE?

The smash-and-grab attacks by LAPSUS$ obscure some of the group’s less public activities, which according to Microsoft include targeting individual user accounts at cryptocurrency exchanges to drain crypto holdings.

In some ways, the attacks from LAPSUS$ recall the July 2020 intrusion at Twitter, wherein the accounts for Apple, Bill Gates, Jeff Bezos, Kanye West, Uber and others were made to tweet messages inviting the world to participate in a cryptocurrency scam that promised to double any amount sent to specific wallets. The flash scam netted the perpetrators more than $100,000 in the ensuing hours.

The group of teenagers who hacked Twitter hailed from a community that traded in hacked social media accounts. This community places a special premium on accounts with short “OG” usernames, and some of its most successful and notorious members were known to use all of the methods Microsoft attributed to LAPSUS$ in the service of hijacking prized OG accounts.

The Twitter hackers largely pulled it off by brute force, writes Wired on the July 15, 2020 hack.

“Someone was trying to phish employee credentials, and they were good at it,” Wired reported. “They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.”

Twitter revealed that a key tactic of the group was “phone spear phishing” (a.k.a. “voice phishing” a.k.a. “vishing”). This involved calling up Twitter staffers using false identities, and tricking them into giving up credentials for an internal company tool that let the hackers reset passwords and multi-factor authentication setups for targeted users.

In August 2020, KrebsOnSecurity warned that crooks were using voice phishing to target new hires at major companies, impersonating IT employees and asking them to update their VPN client or log in at a phishing website that mimicked their employer’s VPN login page.

Two days after that story ran, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued their own warning on vishing, saying the attackers typically compiled dossiers on employees at specific companies by mass-scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. The joint FBI/CISA alert continued:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

Like LAPSUS$, these vishers just kept up their social engineering attacks until they succeeded. As KrebsOnSecurity wrote about the vishers back in 2020:

“It matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.”

“And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.”

“Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization.”

SMASH & GRAB

The primary danger with smash-and-grab groups like LAPSUS$ is not just their persistence but their ability to extract the maximum amount of sensitive information from their victims using compromised user accounts that typically have a short lifespan. After all, in many attacks, the stolen credentials are useful only so long as the impersonated employee isn’t also trying to use them.

This dynamic puts tremendous pressure on cyber incident response teams, which suddenly are faced with insiders who are trying frantically to steal everything of perceived value within a short window of time. On top of that, LAPSUS$ has a habit of posting screenshots on social media touting its access to internal corporate tools. These images and claims quickly go viral and create a public relations nightmare for the victim organization.

Single sign-on provider Okta experienced this firsthand last month, when LAPSUS$ posted screenshots that appeared to show Okta’s Slack channels and another with a Cloudflare interface. Cloudflare responded by resetting its employees’ Okta credentials.

Okta quickly came under fire for posting only a brief statement that said the screenshots LAPSUS$ shared were connected to a January 2022 incident involving the compromise of “a third-party customer support engineer working for one of our subprocessors,” and that “the matter was investigated and contained by the subprocessor.”

This assurance apparently did not sit well with many Okta customers, especially after LAPSUS$ began posting statements that disputed some of Okta’s claims. On March 25, Okta issued an apology for its handling of the January breach at a third-party support provider, which ultimately affected hundreds of its customers.

My CXO source said the lesson from LAPSUS$ is that even short-lived intrusions can have a long-term negative impact on victim organizations — especially when victims are not immediately forthcoming about the details of a security incident that affects customers.

“It does force us to think about insider access differently,” the CXO told KrebsOnSecurity. “Nation states have typically wanted longer, more strategic access; ransomware groups want large lateral movement. LAPSUS$ doesn’t care, it’s more about, ‘What can these 2-3 accounts get me in the next 6 hours?’ We haven’t optimized to defend that.”

Any organizations wondering what they can do to harden their systems against attacks from groups like LAPSUS$ should consult Microsoft’s recent blog post on the group’s activities, tactics and tools. Microsoft’s guidance includes recommendations that can help prevent account takeovers or at least mitigate the impact from stolen employee credentials.

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.

“And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately,” Rasch continued. “Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply.”

To make matters more complicated, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.

THE LAPSUS$ CONNECTION

The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim is evident in the dramatic backstory behind LAPSUS$, the data extortion group that recently hacked into some of the world’s most valuable technology companies, including Microsoft, Okta, NVIDIA and Vodafone.

In a blog post about their recent hack, Microsoft said LAPSUS$ succeeded against its targets through a combination of low-tech attacks, mostly involving old-fashioned social engineering — such as bribing employees at or contractors for the target organization.

“Other tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote of LAPSUS$.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ allegedly hail.

Researchers from security firms Unit 221B and Palo Alto Networks say that prior to launching LAPSUS$, the group’s leader “White” (a.k.a. “WhiteDoxbin,” “Oklaqq”) was a founding member of a cybercriminal group calling itself the “Recursion Team.” This group specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.

Everlynn advertising a warrant/subpoena service based on fake EDRs. Image: Ke-la.com.

“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly,” read Everlynn’s ad, which was posted by the user account “InfinityRecursion.”

A month prior on Cracked, Everlynn posted a sales thread, “1x Government Email Account || BECOME A FED!,” which advertised the ability to send email from a federal agency within the government of Argentina.

“I would like to sell a government email that can be used for subpoena for many companies such as Apple, Uber, Instagram, etc.,” Everlynn’s sales thread explained, setting the price at $150. “You can breach users and get private images from people on SnapChat like nudes, go hack your girlfriend or something haha. You won’t get the login for the account, but you’ll basically obtain everything in the account if you play your cards right. I am not legally responsible if you mishandle this. This is very illegal and you will get raided if you don’t use a vpn. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more.”

Last week, the BBC reported that authorities in the United Kingdom had detained seven individuals aged 16 to 21 in connection with LAPSUS$.

TAKING ON THE DOXBIN

It remains unclear whether White or Everlynn were among those detained; U.K. police declined to name the suspects. But White’s real-life identity became public recently after he crossed the wrong people.

The de-anonymization of the LAPSUS$ leader began late last year after he purchased a website called Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people.

Based on the feedback posted by Doxbin members, White was not a particularly attentive administrator. Longtime members soon took to harassing him about various components of the site falling into disrepair. That pestering eventually prompted White to sell Doxbin back to its previous owner at a considerable loss. But before doing so, White leaked the Doxbin user database.

White’s leak triggered a swift counterpunch from Doxbin’s staff, which naturally responded by posting on White perhaps the most thorough dox the forum had ever produced.

KrebsOnSecurity recently interviewed the past and current owner of the Doxbin — an established hacker who goes by the handle “KT.” According to KT, it is becoming more common for hackers to use EDRs for stalking, hacking, harassing and publicly humiliating others.

KT shared several recent examples of fraudulent EDRs obtained by hackers who bragged about their success with the method.

“Terroristic threats with a valid reason to believe somebody’s life is in danger is usually the go-to,” KT said, referring to the most common attestation that accompanies a fake EDR.

One of the phony EDRs shared by KT targeted an 18-year-old from Indiana, and was sent to the social media platform Discord earlier this year. The document requested the Internet address history of Discord accounts tied to a specific phone number used by the target. Discord complied with the request.

“Discord replies to EDRs in 30 minutes to one hour with the provided information,” KT claimed.

Asked about the validity of the unauthorized EDR shared by KT, Discord said the request came from a legitimate law enforcement account that was later determined to have been compromised.

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies,” Discord said in a written statement. “We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

KT said fake EDRs don’t have to come from police departments based in the United States, and that some people in the community of those sending fake EDRs are hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, KT said, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

“A lot of governments overseas are using WordPress, and I know a kid on Telegram who has multiple shells on gov sites,” KT said. “It’s near impossible to get U.S. dot-govs nowadays, although I’ve seen a few people with it. Most govs use [Microsoft] Outlook, so it’s more difficult because theres usually some sort of multi-factor authentication. But not all have it.”

According to KT, Everlynn and White recently had a falling out, with White paying KT to publish a dox on Everlynn and to keep it pinned to the site’s home page. That dox states that Everlynn is a 15-year-old from the United Kingdom who has used a variety of monikers over the past year alone, including “Miku” and “Anitsu.”

KT said Everlynn’s dox is accurate, and that the youth has been arrested multiple times for issuing fake EDRs. But KT said each time Everlynn gets released from police custody, he goes right back to committing the same cybercrimes.

“Anitsu (Miku, Everlynn), an old staff member of Doxbin, was arrested probably 4-5 months ago for jacking government emails used for EDR’ing,” KT said. “White and him are not friends anymore though. White paid me a few weeks ago to pin his dox on Doxbin. Also, White had planned to use EDRs against me, due to a bet we had planned; dox for dox, winner gets 1 coin.”

A FUNDAMENTALLY UNFIXABLE PROBLEM?

Nicholas Weaver, a security specialist and lecturer at the University of California, Berkeley, said one big challenge to combating fraudulent EDRs is that there is fundamentally no notion of global online identity.

“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”

It’s not clear that the FBI would be willing or able to take on such a task. In November 2021, KrebsOnSecurity broke the news that hackers sent a fake email alert to thousands of state and local law enforcement entities through the FBI’s Law Enforcement Enterprise Portal (LEEP). In that attack, the intruders abused a fairly basic and dangerous coding error on the website, and the fake emails all came from a real fbi.gov address.

The phony message sent in November 2021 via the FBI’s email system. 

The particulars of how the FBI’s LEEP portal got hacked were provided by Pompompurin, the handle chosen by an individual who’s been involved in countless data breaches at major companies. But Doxbin’s KT told KrebsOnSecurity this week that White was the one who initially discovered the LEEP portal security weakness.

“White originally found that,” KT said. “Pom just took credit.”

KrebsOnSecurity asked the FBI whether it had any indication that its own systems were used for unauthorized EDRs. The FBI declined to answer that question, but confirmed it was aware of different schemes involving phony EDRs targeting both the public and the agency’s private sector partners.

“We take these reports seriously and vigorously pursue them,” reads a written statement shared by the FBI. “Visit this page for tips and resources to verify the information you are receiving. If you believe you are a victim of an emergency data request scheme, please report to www.ic3.gov or contact your local FBI field office.”

Rasch said while service providers need more rigorous vetting mechanisms for all types of legal requests, getting better at spotting unauthorized EDRs would require these companies to somehow know and validate the names of every police officer in the United States.

“One of the problems you have is there’s no validated master list of people who are authorized to make that demand,” Rasch said. “And that list is going to change all the time. But even then, the entire system is only as secure as the least secure individual police officer email account.”

The idea of impersonating law enforcement officers to obtain information typically only available via search warrant or subpoena is hardly new. A fictionalized example appeared in the second season of the hit television show Mr. Robot, wherein the main character Elliot pretends to be a police officer to obtain location data in real time from a cellular phone company.

Weaver said what probably keeps fraudulent EDRs from being more common is that most people in the criminal hacking community perceive it as too risky. This is supported by the responses in discussion threads across multiple hacking forums where members sought out someone to perform an EDR on their behalf.

“It’s highly risky if you get caught,” Weaver said. “But doing this is not a matter of skill. It’s one of will. It’s a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale.”

The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.