Cyber Security Monitor: July 2025

Cyber crime can appear phenomenally sophisticated. But, when you peel back the layers of code, what you’re left with nine times out of ten is an old-fashioned confidence trick.

Someone is trying to convince you they are someone or something they are not, to get you to do something you really shouldn’t.

This perspective reminds us we have agency. Usually, we are pushing the button to let criminals in. And we must remain sceptical and vigilant.

This issue, we look at hackers/confidence tricksters trying to get their hands on Microsoft logins and US government accounts.

We also look at a case where there may well have been no nefarious bad actors – just a simple yet devastating error. Yes, we’re talking about the Afghan data breach.

All this and more – including ways you can keep your organisation safe.

Did you just give away your Microsoft login?

Intersys’ Head of Security Jake Ives has warned that threat actors are exploiting a lesser-known Microsoft login method called ‘Device Code Flow’, to trick users into handing over access to their accounts.

The exploit works like this:

1. You are sent a link via email, phone call, SMS or WhatsApp to a Microsoft device login page (hxxps://microsoft(dot)com/DeviceLogin) with a code to enter. The message looks legitimate — and you ARE visiting a real Microsoft website.

2. You enter the code, log in with your email and password, and complete multi-factor authentication (MFA).

You’ve just authenticated the hacker’s session. They now have a valid access token, which allows them to impersonate you and access your Microsoft services including email, files, calendars and more – without needing your password again.

At Intersys, we actively monitor and assess emerging attack methods like these. We have included mitigation strategies for this threat in our internal security baseline, and our Cyber Security as a Service (CSaaS) clients benefit from this protection as standard.

Note: If you’re using Microsoft Teams desk phones, be aware that these rely on the Device Code Flow. Be cautious before enforcing any blanket mitigations.
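A defender can check for this by reviewing which accounts actually sign in through Device Code Flow. The sketch below is an added example, not Intersys tooling: it assumes sign-in records exported as JSON with field names modelled on Entra ID sign-in logs (`authenticationProtocol`, `userPrincipalName`, `status.errorCode`), and the allowlist of Teams phone accounts is hypothetical.

```python
import json

# Constructed sample records (accounts, IPs and error codes are made up).
# Field names are assumptions; check them against your own sign-in log export.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2025-07-14T09:02:11Z", "userPrincipalName": "alice@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-07-14T09:05:40Z", "userPrincipalName": "bob@example.com",
  "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-07-14T09:10:03Z", "userPrincipalName": "meetingroom1@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.20", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-07-14T09:12:57Z", "userPrincipalName": "carol@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}}
]
""")

# Accounts expected to use Device Code Flow, e.g. Teams desk phones (hypothetical list).
EXPECTED_DEVICE_CODE_ACCOUNTS = {"meetingroom1@example.com"}

def review_device_code_signins(records, expected_accounts):
    """Split device-code sign-ins into expected ones and ones needing review."""
    expected, review = [], []
    for rec in records:
        if rec.get("authenticationProtocol", "").lower() != "devicecode":
            continue  # other sign-in protocols are out of scope here
        upn = rec.get("userPrincipalName", "").lower()
        entry = {
            "time": rec.get("createdDateTime"),
            "user": upn,
            "ip": rec.get("ipAddress"),
            # errorCode 0 means the sign-in completed, so a token was issued
            "token_issued": rec.get("status", {}).get("errorCode") == 0,
        }
        (expected if upn in expected_accounts else review).append(entry)
    # Completed sign-ins first: those are the sessions to revoke
    review.sort(key=lambda e: not e["token_issued"])
    return expected, review

if __name__ == "__main__":
    expected, review = review_device_code_signins(SAMPLE_SIGNINS, EXPECTED_DEVICE_CODE_ACCOUNTS)
    for e in review:
        action = "revoke sessions" if e["token_issued"] else "failed attempt, warn user"
        print(f'{e["time"]} {e["user"]} from {e["ip"]}: {action}')
    print(f"{len(expected)} expected device-code sign-in(s) left alone")
```

The accounts that land in the expected list are the ones a blanket block on Device Code Flow would break, which is why they need an exclusion before any such policy is enforced.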

Four suspected M&S and Co-op hackers arrested in NCA raids

Three months on from several devastating cyber attacks on British retail, UK police have made their first arrests.

The National Crime Agency has confirmed that four people – including a 20-year-old woman and three males aged between 17 and 19 – have been arrested as part of their investigation into the M&S and Co-op cyber attacks.

Neighbours in a quiet Staffordshire cul-de-sac reported balaclava-clad NCA officers bursting through the door of a family home to arrest the 20-year-old woman. They also seized a cache of electronic devices. Paul Foster, head of the NCA’s National Cyber Crime Unit, confirmed that the arrests were a “significant step” in the investigation.

The NCA had earlier confirmed that it was investigating the Scattered Spider cyber crime group in relation to the hacks. The group’s modus operandi seems to be social engineering attacks aimed at company help desks. Many members of the group are believed to be young and English-speaking.

M&S is still struggling to bring its key clothing distribution centre back online and earlier announced a £300 million hit in lost profits. The Co-op’s CEO recently confirmed that all 6.5 million Co-op members have had their personal data stolen in the hack.

What we can learn from the Afghan data breach

An accidentally shared spreadsheet containing the names of almost 19,000 Afghans who had applied to relocate to the UK, to flee Taliban reprisals, has wreaked havoc within the government.

The incident happened in February 2022 but only came to light this month when a super-injunction was lifted.

The accidental data breach was caused by an unnamed official at UK Special Forces Headquarters when he emailed the document to a contact outside the government. The highly sensitive data had details on Afghan nationals who had helped the British government during the war with the Taliban.

The previous government only learned of the breach when some of the data appeared in a Facebook post. The then government was concerned about the safety of the Afghans named in the document and proceeded to set up a covert £850 million emergency resettlement scheme. The Ministry of Defence then asked the court for an injunction to stop the leak from becoming public.

Defence Secretary John Healey has called the incident a “serious departmental error” and a “clear breach of data protection protocols”.

Delay-send rules for email can be very effective in buying more time if you think you’ve sent an email to the wrong recipient. Furthermore, adding sensitivity labels to emails can help to classify and protect private data. Data can also be protected by applying passwords, and the passwords themselves can be shared securely through password management tools or as one-time passwords that are only valid for a single use or a limited time.

AI impersonator tricks US government

The US State Department is on high alert after an unknown impostor used AI to impersonate the voice and text messages of US Secretary of State Marco Rubio. The hacker went on to contact five different senior officials on the Signal app, including foreign ministers, a member of Congress and a governor.

The State Department is warning that the aim of the attack was “gaining access to information or accounts” of powerful government officials.

It’s not the first time that the American government has been targeted by impersonators. Back in May, White House Chief of Staff Susie Wiles’ personal mobile phone was hacked by an impersonator who got in touch with several of her contacts, including lawmakers.

AI spoofing and phishing have emerged as popular cyber-crime tools that can be deployed at scale by criminals and malicious state actors.

Our recent blog about how to protect against AI Deepfakes has some useful tips for organisations on how to fight back against this rising threat.

Should you worry about a hacker taking control of your car?

A Bluetooth vulnerability in major car manufacturers such as Mercedes-Benz, Volkswagen and Skoda could leave vehicles exposed to a potential takeover of driving control systems.

However, we’re not losing sleep over this and here’s why.

On the surface, the research revealing the PerfektBlue vulnerabilities, which could potentially allow remote code execution on millions of vehicles, may seem concerning.

But Intersys Managing Director Matthew Geyman notes that this particular attack strategy would only be successful if several conditions are met simultaneously.

  • The attacker would have to be within a maximum distance of five to seven metres from the vehicle.
  • The vehicle’s ignition would need to be switched on.
  • The infotainment system would have to be in pairing mode – i.e., the vehicle would have to be actively pairing a Bluetooth device.
  • The user would need to actively approve the external Bluetooth access of the attacker on the vehicle’s digital display screen.

Says Matthew, ‘While it’s important to be vigilant, the need for close proximity rules out mass attacks; meanwhile, our common sense should rule out individual incidents – we should never pair our technology with unknown devices.’

To sum up, we’ll file this one under ‘good to know, but let’s not get overly alarmed’.

Other vulnerabilities and updates

Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

Fortinet FortiWeb SQL Injection Vulnerability

Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability

Google Chromium V8 Type Confusion Vulnerability
