Google’s Threat Analysis Group (TAG) observed a financially motivated threat actor working as an intermediary for Russian hackers, including the Conti ransomware gang
The group, known as Exotic Lily, is what’s called an initial access broker
Initial access brokers are specialists who hone their skills on the initial break-in to a network, then sell that access to those with more dangerous intentions
In this way, initial access brokers give their customers more time to focus on the later stages of the attack
Google TAG has seen a mix of traditional tactics as well as some more creative ones from this group
They’ll attempt to get individuals to hand over their credentials and download malware
They’ll also use lookalike domains that are close to the original (for example, the same name registered under a different ending, such as .us instead of .com)
This group will also go so far as to create fake personas, using AI-generated headshots, and pose as recruiters on social media
Additionally, they might take publicly available information about real employees and build fake accounts in their names to look as legitimate as possible
What groups like Exotic Lily bring to the table is their ability to scale their research
They’re only focusing on the initial access portion of the puzzle, while another bad actor will use that information for their own gains
Because Exotic Lily puts so much time toward building trust, it may seem like spotting these accounts is near-impossible
However, on the detection side, you can do your own defense by being on the lookout for doppelgangers: lookalike domains and impersonated people
As a reminder, folks need to be careful about new emails, or emails that don’t look quite right
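One way to put the "look out for doppelgangers" advice into practice is to check every inbound sender domain against your own domains. The script below is an added example, not code from the podcast or from DomainTools; the domain list and the sample senders are constructed for illustration. It catches the pattern the show mentions (same name, different ending such as .us for .com) and two close cousins, homoglyph swaps and typosquats, and reports which one it saw:

```python
"""Flag inbound sender domains that look like one of our own domains.

Added example, not part of the podcast and not DomainTools' code. Assumes a
constructed list of our own registered domains and checks each sender's
domain for the lookalike patterns described above (a different ending such as
.us instead of .com) plus two close cousins: homoglyph swaps and typosquats.
"""
from __future__ import annotations

# Constructed: the domains we legitimately send mail from.
OUR_DOMAINS = {"domaintools.com", "example-corp.com"}

# Common look-alike substitutions. Multi-character pairs go first so that
# "rn" is collapsed to "m" before any single-character rule can touch it.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, ending). Naive on purpose: it assumes a
    one-label ending such as .com or .us; production code should consult the
    Public Suffix List so that example.co.uk splits correctly."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def normalize(label: str) -> str:
    """Undo homoglyph tricks and drop hyphens: 'dornain-tools' -> 'domaintools'."""
    out = label.replace("-", "")
    for src, dst in HOMOGLYPHS:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(domain: str) -> str | None:
    """Explain why `domain` resembles one of ours, or None if it is ours or unrelated."""
    domain = domain.lower()
    if domain in OUR_DOMAINS:
        return None
    label, ending = split_domain(domain)
    for ours in sorted(OUR_DOMAINS):
        our_label, our_ending = split_domain(ours)
        if label == our_label and ending != our_ending:
            return f"tld-swap of {ours}"
        if label == our_label:
            continue
        if normalize(label) == normalize(our_label):
            return f"homoglyph of {ours}"
        # Short brand names would produce too many near-misses; require some length.
        if len(our_label) >= 6 and levenshtein(label, our_label) <= 2:
            return f"typosquat of {ours}"
        if normalize(our_label) in normalize(label):
            return f"brand-in-label of {ours}"
    return None


def triage(senders: list[str]) -> list[tuple[str, str]]:
    """Return (sender, reason) for every sender whose domain looks like ours."""
    hits = []
    for sender in senders:
        reason = classify(sender.rsplit("@", 1)[-1])
        if reason:
            hits.append((sender, reason))
    return hits


# Constructed sample senders: one legitimate, four lookalikes, one unrelated.
SAMPLE_SENDERS = [
    "hr@domaintools.com",
    "recruiting@domaintools.us",
    "talent@dornaintools.com",
    "jobs@domaintoools.com",
    "hr@domaintools-careers.com",
    "bob@unrelated.org",
]

if __name__ == "__main__":
    for sender, reason in triage(SAMPLE_SENDERS):
        print(f"{sender:32} {reason}")
```

The edit-distance threshold and the homoglyph table are deliberately small; in a real mail pipeline you would tune them per brand, feed hits into a quarantine or a ticket rather than just printing them, and split domains with the Public Suffix List instead of the naive last-label rule used here.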
In terms of targeting, this group casts a wide net
Google reports that they send upwards of 5,000 emails per day globally
Previously, they had been targeting industries like IT and Healthcare, but recently it looks like every industry is fair game
Google reported that this group’s location (based on communication activity) is Central or Eastern Europe
In response to Exotic Lily’s activity, Google is improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications
They are also working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement
CISA and the FBI recently shared they're aware of "possible threats" to satellite communication (SATCOM) networks in the US and worldwide
For those who are unaware, the term ‘SATCOM’ is typical government-ese (or nerd-ese) for satellite communications
In this case, it’s not referring to any signals sent and received by satellites, but specifically to data networks carried by satellites (Internet connectivity, in other words)
For remote locations, satellite is often the best way, or the only way, to get high-speed data, because terrestrial services (whether based on cables or on terrestrial radio like microwave towers) just don’t extend to all parts of the planet’s land mass
For ships and remote islands, satellite is also the best bet for high-speed data
Currently, CISA and the FBI said these are “possible threats” meaning they have not yet come to fruition
If legitimate threats were to surface, it would depend A LOT on what specific satellite network was disrupted
If the disrupted network were one principally involved in providing Internet access to remote locations, then, statistically speaking, for most Americans it wouldn’t be a big deal. For those affected, of course, it would be: they’d lose an important part of their connection to the rest of the world and to services people have come to rely on day to day, sometimes including critical ones such as health care or the proper functioning of certain infrastructure
For some SATCOM networks, it might act more like what you see when some other big chunk of internet infrastructure goes offline, like when a big datacenter goes offline.
In this case we’re talking about transport rather than data at rest, but the net result could be similar.
This warning comes after the KA-SAT network used by the Ukrainian military was affected by a cyberattack which led to outages
CISA and the FBI are warning that essentially the same could occur here in the US, but keep in mind the impact would likely be very different
In Ukraine, Russians are disabling as many different communications networks as possible, so satellite has become a last resort for many users (“users” being not just civilian end users, but also Ukraine’s army and government)
As many folks by now know, this event is also what was behind the loss of remote monitoring and control for some 5,800 German wind turbines (the turbines kept running, but their operator could no longer reach them over the satellite link). It wasn’t initially understood that this was the root cause there
The bottom line is that as long as Russia or some other actor doesn’t also disable big chunks of other communications infrastructure, the impact wouldn’t be as dire as it is in Ukraine. But obviously it could still be quite disruptive
One article we at DT read mentioned ships and how the loss of satellite communication could have major safety implications, not the least of which is the ability of the ship to send a reliable distress signal in case of emergency
Ships do have other communication methods (such as long-range HF radio), but it would still be a significant impact
The mitigation strategies CISA and the FBI detailed for SATCOM network providers will sound familiar
Have good network segmentation
Have strong authentication
Look carefully at remote access policies
Review service provider data policies
Ensure you have good visibility and maybe step up your log monitoring
Ensure your patching is as current as possible
Enforce the principle of least privilege
Most things in infosec boil down to “least privilege,” meaning: does this thing really need to be able to access this other thing?
“Thing” here could mean a human accessing an account; it could mean a network having open ports to another network; it could also mean a process accessing a region of memory
Wherever packets move from one spot to another without a well-engineered least-privilege design or configuration, the likelihood of malicious action increases
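The segmentation and least-privilege items above become concrete once the allowed paths are written down as an explicit allow-list and observed traffic is checked against it. The script below is an added example, not code from the podcast or from the CISA/FBI advisory; the zone names, address ranges, policy rules and flow-log lines are all constructed (the operator-side names such as "modem-mgmt" and "ground-station-ops" are hypothetical). It asks the "does this thing really need to reach that thing?" question in both directions: flows that no rule permits, and rules that no flow ever exercised:

```python
"""Least-privilege audit of network flows against a segmentation allow-list.

Added example, not from the podcast and not from the CISA/FBI advisory. Zone
names, address ranges, the policy and the flow-log lines are all constructed.
It answers "does this thing really need to be able to access this other
thing?" in two directions: flows that no rule permits (candidates for
blocking) and rules that no flow ever exercised (candidates for removal).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone map. Real deployments would derive this from the firewall or IPAM.
ZONES = {
    "ground-station-ops": ipaddress.ip_network("10.1.0.0/16"),
    "modem-mgmt": ipaddress.ip_network("10.2.0.0/16"),
    "mgmt-jump": ipaddress.ip_network("10.9.0.0/24"),
    "corp-it": ipaddress.ip_network("10.50.0.0/16"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),  # catch-all, matched last
}


@dataclass(frozen=True)
class Rule:
    """One permitted path: traffic from src zone to dst zone on dst port."""
    src: str
    dst: str
    port: int


# Constructed allow-list. Anything not listed here is denied by design.
POLICY = [
    Rule("mgmt-jump", "modem-mgmt", 22),
    Rule("ground-station-ops", "modem-mgmt", 443),
    Rule("corp-it", "internet", 443),
    Rule("mgmt-jump", "ground-station-ops", 3389),
]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int
    raw: str


def zone_of(ip: str) -> str:
    """Map an address to the most specific zone containing it."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True):
        if addr in net:
            return name
    return "unknown"


def parse_flows(log: str) -> list[Flow]:
    """Parse 'timestamp src dst dport action' lines (a constructed flow-log format)."""
    flows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _action = line.split()
        flows.append(Flow(zone_of(src), zone_of(dst), int(port), line))
    return flows


def audit(flows: list[Flow], policy: list[Rule]) -> tuple[list[Flow], list[Rule]]:
    """Return (flows no rule allows, rules no flow used)."""
    used: set[Rule] = set()
    violations: list[Flow] = []
    for flow in flows:
        key = (flow.src_zone, flow.dst_zone, flow.port)
        match = next((r for r in policy if (r.src, r.dst, r.port) == key), None)
        if match is None:
            violations.append(flow)
        else:
            used.add(match)
    unused = [r for r in policy if r not in used]
    return violations, unused


# Constructed flow log: the last two lines are a corporate workstation SSHing to
# modem management and an ops host using telnet, neither of which is permitted.
FLOW_LOG = """\
2022-03-18T10:02:11Z 10.9.0.7 10.2.14.3 22 accept
2022-03-18T10:02:13Z 10.1.4.22 10.2.14.3 443 accept
2022-03-18T10:03:40Z 10.50.3.8 203.0.113.10 443 accept
2022-03-18T10:04:02Z 10.50.3.8 10.2.14.3 22 accept
2022-03-18T10:04:09Z 10.1.4.22 10.2.14.3 23 accept
"""

if __name__ == "__main__":
    violations, unused = audit(parse_flows(FLOW_LOG), POLICY)
    for flow in violations:
        print(f"NOT PERMITTED: {flow.raw}  ({flow.src_zone} -> {flow.dst_zone}:{flow.port})")
    for rule in unused:
        print(f"UNUSED RULE:   {rule.src} -> {rule.dst}:{rule.port}")
```

Note that the sample log records every flow as "accept": the point of the audit is precisely that the firewall allowed traffic the written policy does not, which is the gap between a segmentation design and its configuration. Run against real flow records, the "NOT PERMITTED" list is the input to tightening rules, and the "UNUSED RULE" list is the input to removing standing access that nothing needs.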
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with, called Two Truths and a Lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one of which is, you guessed it, A LIE.