Weekly Video: August 22, 2022

Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

This week, we have three stories that should help us better think about the “supply chain” underpinning most of our operations, and how we might better secure that space.

And we’re going to do it in 5 minutes or less.

  1. Cisco’s No Good, Very Bad Day

  2. MailChimp Gets 86’d by Digital Ocean

  3. Signal + Twilio = Vulnerability?

Cisco’s No Good, Very Bad Day

Tech giant Cisco - with a market cap over $200B - recently had a breach that prompted their own Talos threat intelligence unit to publish a blog outlining the details and extent of the incident.

It also probably had something to do with the fact that a ransomware group dumped a few gigabytes of Cisco data on the dark web and they could no longer deny it.

So what happened?

Well, because we get a pretty detailed write-up, we know that Cisco says an employee’s personal Gmail account was compromised.

That employee was using Google’s “Chrome Sync” feature to store credentials in their browser, including their Cisco VPN credential, so those credentials synchronized into the compromised Google account.

Fortunately, Cisco’s VPN had multi-factor authentication enabled. Unfortunately, the attackers overcame that hurdle by bombarding the user with “vishing” (voice phishing) calls impersonating support staff from known and trusted organizations, repeated over several days, until the user accepted an MFA prompt and gave them the access they needed.

This has become a common technique lately, known as “MFA fatigue”: attackers simply hammer the user with push notifications until the user either gets tired and acquiesces, or makes a mistake and taps the wrong button. It is another reason to consider moving away from plain approve/deny “push” prompts, toward number matching (the user must type a code shown on the login screen into the authenticator) or phishing-resistant factors such as FIDO2 security keys.

Once in, the threat actors trod a pretty common path: they enrolled their own devices for VPN access, escalated to more privileged accounts, then moved into other environments, using mostly commodity tools, tactics, techniques and procedures.
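As an added example (not code from Cisco’s write-up or from this newsletter), here is a small Python detector that looks for the two behaviours just described, a burst of MFA push prompts that ends in a late approval after repeated refusals, and a new VPN device enrolled shortly after that approval, in a constructed authentication log. The log format, field names, user names and thresholds are assumptions for illustration only; adapt them to your identity provider’s real schema.

```python
"""Spot MFA push-fatigue bursts in authentication logs, plus the new-device
enrollments that often follow a coerced approval.

Constructed example: log format, field names and thresholds are assumptions
for illustration, not the schema of Cisco's (or any vendor's) real logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Detection tuning (assumed values).
PUSH_THRESHOLD = 5                    # prompts per window that count as a burst
PUSH_WINDOW = timedelta(minutes=30)
ENROLL_WINDOW = timedelta(hours=2)    # approval -> new device still attributed

# Constructed sample log (not real data). alice: refusals, then a late approval,
# then a new VPN device. bob: normal logins. carol: refusals only, no approval yet.
SAMPLE_LOG = """\
2022-08-10T02:01:10Z user=alice event=mfa_push result=denied device=phone-1
2022-08-10T02:04:30Z user=alice event=mfa_push result=denied device=phone-1
2022-08-10T02:09:00Z user=alice event=mfa_push result=timeout device=phone-1
2022-08-10T02:13:45Z user=alice event=mfa_push result=denied device=phone-1
2022-08-10T02:18:20Z user=alice event=mfa_push result=denied device=phone-1
2022-08-10T02:22:05Z user=alice event=mfa_push result=approved device=phone-1
2022-08-10T02:58:00Z user=alice event=device_enrolled device=vpn-laptop-x
2022-08-10T09:00:00Z user=bob event=mfa_push result=approved device=phone-2
2022-08-10T17:30:00Z user=bob event=mfa_push result=approved device=phone-2
2022-08-10T03:10:00Z user=carol event=mfa_push result=denied device=phone-3
2022-08-10T03:12:00Z user=carol event=mfa_push result=denied device=phone-3
2022-08-10T03:14:30Z user=carol event=mfa_push result=denied device=phone-3
2022-08-10T03:17:00Z user=carol event=mfa_push result=timeout device=phone-3
2022-08-10T03:20:00Z user=carol event=mfa_push result=denied device=phone-3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)"
    r"(?:\s+result=(?P<result>\S+))?(?:\s+device=(?P<device>\S+))?$"
)

@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    result: Optional[str]
    device: Optional[str]

def parse_line(line: str) -> Optional[Event]:
    """Parse one line; lines not in the assumed format are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["event"], m["result"], m["device"])

def detect_push_fatigue(lines, threshold=PUSH_THRESHOLD, window=PUSH_WINDOW,
                        enroll_window=ENROLL_WINDOW) -> List[dict]:
    """At most one finding per user. A burst is >= `threshold` prompts inside
    `window`; approved-after-refusals is the worn-down user, refusals-only is
    an attacker who already passed the password step but has no approval yet."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_user[ev.user].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        pushes = [e for e in evs if e.event == "mfa_push"]
        best, start = None, 0
        for end in range(len(pushes)):
            while pushes[end].ts - pushes[start].ts > window:  # keep window tight
                start += 1
            burst = pushes[start:end + 1]
            if len(burst) < threshold:
                continue
            refused = [p for p in burst[:-1] if p.result in ("denied", "timeout")]
            if burst[-1].result == "approved" and refused:
                approval = burst[-1]
                new_devices = [e.device for e in evs if e.event == "device_enrolled"
                               and approval.ts <= e.ts <= approval.ts + enroll_window]
                best = {"user": user, "pattern": "approved_after_denials",
                        "prompts": len(burst), "approved_at": approval.ts.isoformat(),
                        "new_devices": new_devices}
                break  # strongest signal for this user
            if best is None and all(p.result in ("denied", "timeout") for p in burst):
                best = {"user": user, "pattern": "repeated_denials",
                        "prompts": len(burst), "last_prompt": burst[-1].ts.isoformat(),
                        "new_devices": []}
        if best is not None:
            findings.append(best)
    return findings

if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed log this flags alice as approved_after_denials with the vpn-laptop-x enrollment attached, flags carol as repeated_denials, and leaves bob alone. The refusals-only pattern is worth alerting on too: a push is only sent after the password step succeeds, so someone already holds a valid password and is working on the user.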

Cisco, with no apparent sense of irony, closes the article with a list of lessons learned and recommendations, and it’s definitely worth digging into if you’re curious about how best to defend against these types of threats.

MailChimp Gets 86’d by Digital Ocean

Digital Ocean, a large, publicly traded cloud provider that has grown popular in the crypto space, said that its users were recently targeted with password reset and account takeover attempts following a breach at Digital Ocean’s email provider, MailChimp.

You might know MailChimp as a marketing or newsletter tool, but since being sold to Intuit last year for $12B, it has expanded into all sorts of email-related services, including sending automated messages at scale on behalf of other companies.

Digital Ocean only found out it was affected when its own legitimate emails stopped being delivered. It turned out that bad actors had already been working through Digital Ocean’s users, generating enough suspicious activity to trigger automated disabling of the sending account.

Like the last story, Digital Ocean noted that two-factor authentication saved most of its users from being completely compromised: even where the attackers could reset a password, they could not provide the second factor and so never actually logged in.

Digital Ocean also noted that it has since migrated its email delivery away from MailChimp, another reminder that it may ultimately come down to changing vendors if and when they pose this type of risk, which is no small task.

Signal + Twilio = Vulnerability?

Sticking with the theme of relying on another company to deliver messages, secure messaging app Signal saw a subset of about 1,900 users affected by an attack stemming from a breach at SMS notification platform Twilio.

Signal uses Twilio to deliver verification codes via SMS during registration, not the Signal messages themselves. Nevertheless, the Twilio breach let attackers see those codes and re-register some users’ phone numbers on devices they controlled, allowing them to impersonate those users on the platform.

Ironically, once the attackers had re-registered an account, even a user who later recovered it could not see which contacts had been messaged or what had been said while they were being impersonated, because those messages only ever existed on the attacker’s device.

Signal offers a Signal PIN and a Registration Lock feature to prevent this sort of takeover, but Registration Lock is opt-in, so users must turn it on (and remember their PIN) to get the full protection.

The larger takeaway is that the chain of trust is complex. The threat actors here are ultimately after cryptocurrency, and they get to it by inserting themselves at the weakest point in that chain and then exploiting the trust relationships upward until they reach the target they actually want.

Make no mistake: these are financially motivated attacks, and the attackers are willing to invest the time because they see the payoff as worth it. For more on how these scams work at the low-tech end, see the bonus link about “Pig Butchering”, a mass-scale swindling operation run out of abandoned casinos in South East Asia.

Fundraising

We’re back to the big volume weeks, folks. Congratulations to the funds behind the more than $16B in newly committed capital last week.

Best of luck to all the funds with new capital to deploy.

You can find all the links to the stories we covered in the section below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.

LINKS:

https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1

https://techcrunch.com/2022/08/16/digitalocean-emails-mailchimp-breach/

https://www.vice.com/en/article/qjkvxv/how-a-third-party-sms-service-was-used-to-take-over-signal-accounts

https://www.vice.com/en/article/n7zb5d/pig-butchering-scam-cambodia-trafficking
