Breaking Badness

Breaking Badness Cybersecurity Podcast - 188. Vish Upon a Star

Coming up this week on Breaking Badness: Vish You Were Here, Snowflake in a Heat Wave, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

Vish You Were Here

  • The Cybersecurity and Infrastructure Security Agency (CISA) warned that criminals are impersonating its employees in phone calls
  • Who is the target for these crimes? Are other government agencies targets? We’ve discussed on other episodes about the private sector working with governments, so would that make everyone a target?
    • Tim can think of good reasons why ordinary people would be bad targets (most of them have likely never heard of CISA, so their scam radar should be triggered) and also why employees of agencies might be targets
    • It’s more interesting what the article didn’t say
      • It did not say whether the cybercriminals framed the scam as a fine, as in “you’re in violation of the recent CISA advisory on [topic] and as a result we have assessed a fine pursuant to [some random made-up US Code violation section].” It seems to me that, as a lure, that might fool some people
  • Criminals are using phone calls impersonating government employees in an attempt to legitimize their scams, but is there more legitimacy in using the phone rather than Business Email Compromise?
    • This is an interesting question to Tim. What comes to mind immediately is that for years, anti-phishing guidance was to use the phone to verify transactions you’re unsure of, so that implied the phone was connected to trust
      • To be clear, in that guidance we’re talking about phoning a person you presumably know, and about the potential victim initiating the phone call
    • With phone usage, there’s also less of a paper trail
      • We of all people should know that when an email is received, there are some fingerprints and metadata and so forth that can be quite useful in understanding more about what the criminal is up to and perhaps what else they’ve built besides that email they sent you
    • This might be more about creating urgency – it’s an immediate two-way conversation
      • The scammer has the chance to try to talk the would-be victim out of their defenses and make their case that the scammer is real
        • In this case, the scammer is claiming to be from a government agency while asking for payment in gift cards, which ought to throw out all attempts at legitimacy
  • Has the trend of impersonation over the phone increased over the past few years?
    • It certainly seems like we’re hearing more about it, but it’s not particularly new. We have talked in the past about BazaCall (or BazarCall, it’s gone by both versions of the name), who do tech support scams over the phone
    • The article we’re looking at for this episode notes that the FTC reported that the frequency of phone-based scams has been on the decline
      • Tim said it will be interesting to see if that trend continues
        • It might be on the decline as the younger generations continue their preference for email/texting 
        • Another consideration is that we’re all bombarded with scam calls, so it’s kind of like what spam was to email – we just decided to start ignoring it and the spam ended up in our junk boxes forever 
        • Now, we just don’t pick up our phones as much 
  • Scam calls are on the decline, but with all the buzz around AI, wouldn’t voice impersonation be on the rise?
    • There is certainly an expectation that deepfakes would make scam calls grow dramatically
      • But there’s no need to deepfake the voice of someone unknown to the victim, so what we’re looking for in this scenario would be deepfake BEC confirmation
        • For example, you get a call from the “CFO” or “CEO” right after a BEC email was sent, saying “that email was legitimate, please do what’s asked.” 
      • Without deepfaking per se, the ability to have AI talk-bots do conversations with victims certainly has the potential to give scammers much more scale, that’s why Tim would expect to see it on the rise
  • What are the tips CISA offers to avoid this type of scam?
    • First, do not pay the caller
    • CISA also said to take note of the phone number of who called you
      • Of course, phone numbers are easy to spoof 
    • Hang up immediately (unless you like scamming scammers) 
    • Validate the contact by calling CISA at (844) SAY-CISA (844-729-2472), or report it to law enforcement. (Sure, although what is there to validate? CISA doesn’t ask for payment over phone calls, and to my knowledge they don’t ask for payment of any kind, ever. So really there’s nothing to validate. But law enforcement, you betcha)

Snowflake in a Heat Wave

  • Mandiant identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion
  • To begin, what is Snowflake?
    • We’ll use the Mandiant description which is “a multi-cloud data warehousing platform used to store large amounts of structured and unstructured data.”
      • Really, they are a kind of data warehousing and data analytics platform 
      • For example, they have customers sending all their sales data and then they are able to run custom analytics packages on it 
      • They’re a pretty large provider of these services and have been around for over a decade 
      • They have a large customer base, and this article mentions those customers are reusing passwords quite a bit
  • Did Mandiant make this discovery or did Snowflake?
    • It’s a little from column A and a little from column B
      • Snowflake was looking at some threat intel on database records that had come out on Snowflake instances and the first tell was some of this information was coming up on Tor and other forums where cyber criminals hang out 
      • Parts of these databases were emerging in places they definitely shouldn’t be – proving that access had been granted in ways it should not have been
      • When this happens, it’s very much like Ghostbusters (who you gonna call? Mandiant). But what Mandiant discovered was that it was not any vulnerability compromise on Snowflake’s part
        • Mandiant determined the root cause was compromised account passwords, some of them stolen as far back as 2020
        • It also looked like it was occurring with Snowflake customers who did not have multi-factor authentication (MFA) turned on for those accounts
        • Those passwords were leaked and discovered by threat actors, who were then able to gain access and enumerate the data in those Snowflake instances using both tooling provided by Snowflake and custom tools of their own
        • The threat actor would then pull down that data and threaten to release it to the world if they were not paid 
  • What have Mandiant and Snowflake done to address this attack with victims?
    • They have been on a joint investigation and working with law enforcement agencies
      • This goes back a few weeks, but we bring it up now because Mandiant put out its report the week of June 10, 2024 (Breaking Badness likely would have discussed this sooner, but we rolled out our mini-series over May and into June 2024)
  • What are the implications of this attack and what does it highlight?
    • The importance of MFA is at the heart of this story 
    • It really does come back to basics on educating employees on the importance of password hygiene and MFA 
    • This is not to blame victims, however. This is all trickier than it sounds
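The access pattern described above comes down to successful password-only logins to accounts that never had MFA turned on. As an added example (not code from the episode, from Mandiant or from Snowflake), here is a small hunt over constructed login records that flags exactly that, raising the severity when the login also comes from a network the organization does not recognize. The field names, authentication-method labels and IP ranges are all constructed for illustration and do not correspond to any real audit-log schema.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LoginEvent:
    """One authentication record. Field names are constructed for this
    example, not the schema of any real platform's audit log."""
    ts: str
    user: str
    success: bool
    auth_method: str   # constructed labels: "PASSWORD", "PASSWORD+MFA" or "SSO"
    client_ip: str


# Constructed sample audit trail. 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges, standing in for the corporate network and
# for an unfamiliar source respectively.
SAMPLE_EVENTS = [
    LoginEvent("2024-06-03T08:01:00Z", "analyst_a", True,  "PASSWORD+MFA", "203.0.113.10"),
    LoginEvent("2024-06-03T08:05:00Z", "etl_svc",   True,  "PASSWORD",     "203.0.113.20"),
    LoginEvent("2024-06-03T22:40:00Z", "etl_svc",   True,  "PASSWORD",     "198.51.100.7"),
    LoginEvent("2024-06-03T22:41:00Z", "dba_old",   False, "PASSWORD",     "198.51.100.7"),
    LoginEvent("2024-06-03T22:42:00Z", "dba_old",   True,  "PASSWORD",     "198.51.100.7"),
    LoginEvent("2024-06-04T09:00:00Z", "finance_b", True,  "SSO",          "203.0.113.33"),
]

# Networks the organization considers its own (constructed).
CORPORATE_NETWORKS = [ip_network("203.0.113.0/24")]


def is_password_only(event):
    """True when the login relied on a password and nothing else."""
    return event.auth_method == "PASSWORD"


def from_known_network(ip, networks):
    """True when the client address falls inside any of the given networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def hunt(events, known_networks):
    """Return (findings, exposed_accounts).

    findings: one dict per successful password-only login, severity "high"
              when the source is outside known networks, else "medium".
    exposed_accounts: sorted accounts that authenticated without MFA at all,
              i.e. the population that needs MFA enforced whether or not
              abuse has been observed yet.
    """
    findings = []
    exposed = set()
    for ev in events:
        if not ev.success or not is_password_only(ev):
            continue
        exposed.add(ev.user)
        unfamiliar = not from_known_network(ev.client_ip, known_networks)
        findings.append({
            "ts": ev.ts,
            "user": ev.user,
            "client_ip": ev.client_ip,
            "severity": "high" if unfamiliar else "medium",
            "reason": "password-only login to account without MFA"
                      + (" from unfamiliar network" if unfamiliar else ""),
        })
    return findings, sorted(exposed)


if __name__ == "__main__":
    results, accounts = hunt(SAMPLE_EVENTS, CORPORATE_NETWORKS)
    for r in results:
        print(f'{r["ts"]} {r["severity"]:6} {r["user"]:10} {r["client_ip"]:14} {r["reason"]}')
    print("accounts needing MFA enforcement:", ", ".join(accounts))
```

The medium-severity hit on `etl_svc` from the corporate range is the point of the second return value: the account is exposed even before anyone abuses it, and the hunt surfaces it as a remediation target rather than waiting for a login from a strange address.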

This Week’s Hoodie Scale

Vish You Were Here

[Tim]: 2/10 Hoodies
[Taylor]: 2.63/10 Hoodies

Snowflake in a Heat Wave

[Tim]: 4/10 Hoodies
[Taylor]: 4.55/10 Hoodies

That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!