News Wrap: APTs, Office 365 Voicemail Phish and Bed Bath & Beyond Breach

Threatpost editors discuss this week’s biggest news – from a data breach of Bed Bath & Beyond to a tricky phishing attack and widespread APT activity.

Threatpost editors Tara Seals and Lindsey O’Donnell break down the top security news of this week, from data breaches to advanced persistent threat (APT) activity. Top stories include:

  • A Microsoft alert that APT group Fancy Bear has targeted anti-doping authorities and sporting organizations around the world as the world begins to gear up for the Tokyo Summer Olympic Games, which kick off in July 2020.
  • A report outlining that Chinese state-sponsored hackers are attacking telecom networks to sniff out SMS messages that contain keywords revolving around political dissidents.
  • Bed Bath & Beyond disclosing a data breach that allowed the adversaries to access customers’ online accounts – and what researchers say the attack may have stemmed from.
  • A nasty phishing campaign that uses fake voicemail messages to lure victims into revealing their Office 365 email credentials.


Below find a lightly-edited transcript of the Threatpost news wrap podcast.

Lindsey O’Donnell: Welcome back to the Threatpost news wrap podcast. It’s the week ended November 1. And you’ve got Lindsey O’Donnell and Tara Seals here with Threatpost to talk about this week’s top news security stories. Tara, how are you doing today?

Tara Seals: I’m good. How are you doing Lindsey? Happy post-Halloween.

LO: Good. Yeah, it’s funny you say that. I was just laughing because there’s been a whole lot of Halloween-themed news headlines and pitches that I’ve been seeing in my inbox with Halloween being yesterday. You know, I’ve seen like trick or treat malicious Android apps, spooky malware.

TS: Yeah, I had one that was the top horror stories of 2019 so far, the things that lurk in the shadows. They really went full on into it this year.

LO: Yeah, people really got into it this year. So yeah, just looking at some of the biggest stories that we had this week, one story that really kicked off the week was this article about Fancy Bear attacking anti-doping and sporting organizations globally. That really kicked off the week and…set off a storm of news articles and discussions around that. But what happened there was that Microsoft came out with an alert and said that at least 16 anti-doping agencies and sporting organizations were hit by cyberattacks, and that it had detected those attacks going back to the Russian threat group Fancy Bear, which you may know as APT28 or Sofacy. So basically, they didn’t specify the names of the targeted companies, but they did say that it was interesting timing with the 2020 Summer Olympic Games in Tokyo happening next summer. And they also mentioned that these attacks coincided with a warning that had happened, I think it was a few weeks ago, by the World Anti-Doping Agency (WADA), that Russia could face a ban from all major sporting events over discrepancies in a lab database. If you’ve been following, there’s the whole kind of anti-doping issue there.

TS: Yeah, it’s a bit of a retread, too. Because if you remember, Fancy Bear also attacked WADA, the World Anti-Doping Agency, a few years ago when Russia was banned from the Olympics, and that was the retaliation obviously, you know, Fancy Bear is widely considered to be linked with the Russian government. So some people think that this is obviously a retaliation for that, circumstantial evidence points in that direction. But the previous hack a couple years ago, that they did things like, they released Simone Biles’ medical records, because she had to take something for…cortisone for an injury or something very innocuous, but they released that. Like, “look, she’s on meds.” They also did the same thing with Serena Williams and Rafael Nadal, the tennis stars. And so, they have a history of this. And they’re just going back to their old tactics, which I think is interesting. I mean, you know, I don’t know what they’re trying to accomplish, necessarily.

LO: Yeah. And you know, what’s interesting, too, they had hacked these organizations in 2018. And then also in 2016. I’m just kind of surprised that this is happening yet again. And these organizations, these anti-doping organizations haven’t set up protections in place from however they’re being infected or attacked. And you know, it is something that they really should be taking seriously. I actually reached out to the World Anti-Doping Agency and asked them if they were one of the victims. And they said that there hadn’t been any evidence of a breach on their systems at this point. That’s not to say they haven’t been targeted, but at the same time, maybe they have set up the correct protections in place at this point.

TS: Yeah, well, I think Microsoft did say in its alert that most of the attacks were not successful. So, you know, maybe they have learned from past hacks. I think Microsoft said some of them were, but the majority were not. So this is better than before, when Fancy Bear seemed to just be able to infiltrate whoever they set their sights on, so maybe we have come a little way down the road. But yeah, I mean, it just goes to show the geopolitical nature of APT activity. And there’s a lot of sort of, “we’re going to get you back for that” kind of stuff going on.

LO: Right. Yeah. And I mean, that’s not even the only state-sponsored APT activity that we wrote about this week too. We also wrote about APT41, which I actually haven’t heard about for a while, but they emerged in this new FireEye report that basically said that they had breached a telecom SMS server and used that breach to sniff out certain cell phone numbers and SMS messages for various political dissidents. So if you know about APT41, they are typically China-linked and they have in the past carried out state-sponsored activity as well as financially-motivated activity. And it appears that this latest attack has been around cyber-espionage. So you know, just more APT activity out there this week.

TS: You know, I would love to know how these carriers were infiltrated in the first place. I mean, it’s kind of shocking.

LO: Yeah, I was surprised that FireEye didn’t have any further comment or detail about how these installation scripts that basically infected the servers got onto the servers in the first place. You know, they didn’t provide a lot of detail around that, they, as you mentioned, they didn’t mention who the four various telecom providers were. I think they were focusing more on – I’m sure they had their reasons – but they had, they were focusing more on kind of the cyber espionage activity itself. And as you also mentioned, I think it’s also important to note that these attacks were highly targeted. So what the APT group was doing was, it had a kind of predetermined list of keywords that it was looking for in certain SMS messages. And those keywords would have things like political leaders or military intelligence organizations or political movements at odds with the Chinese government. And if the SMS messages that they were able to sniff out, using these telecom networks, contained any of the keywords, then the malware that they had installed on the telecom servers would save the SMS message and kind of ship it out to the threat actors’ C2. So that was interesting. And then in addition to that, they also were looking for very specific information as well, such as the IMSI numbers, which is like the unique identity of different mobile devices. And then also the specific phone numbers. So like, if someone placed a phone call, they would, you know, scoop up the destination phone number, and then the phone number that had made the call as well.

TS: Yeah, I mean, it’s kind of breathtaking, when you think about the fact that they must have some sort of AI engine in the background. I mean, there are a lot of resources that must have gone into this attack, because if you think about how many text messages you send per day, right? I mean, I send a lot. And think about every single person within the footprint, even if they were just targeting one city (which that’s also information that we don’t know, if they were zeroing in on certain geographic areas or whatever). Let’s just say you hack a carrier’s SMS server, and then basically you have this firehose of all of these millions and millions and millions of text messages coming through. And they’re just sifting through, looking for keywords, and then they have to figure out if it’s a coincidence that a person happened to use that keyword or if it’s someone that would be of interest to them, then they pivot and look for that person’s associates by looking at the phone numbers that they call and who calls them. It’s just this very elaborate surveillance operation that seems really massive in terms of the amount of information that has to be sifted through and analyzed and sliced and diced. So I don’t know, the whole thing kind of boggles my mind, from the fact that they managed to hack a telecom network in the first place to the amount of information that they have to analyze on the back-end – this is kind of a big deal it seems to me.

LO: I mean I would be interested – as we mentioned before details are scant at this point – but I would be interested as more comes out. Typically what researchers will do is they’ll publish subsequent research in the future as more details come out about these types of attacks, so I’ll definitely be keeping an eye out for any kind of future FireEye information that comes forward about this specific attack.

TS: FireEye Mandiant we’re calling you out. We need more details. We need to know more.

LO: Yeah, definitely keeping an eye out for that. So speaking of cyberattacks, there were quite a few of those this week. And one such cyberattack that caught my eye was something you wrote about Tara which was the data breach of Bed Bath & Beyond, which I frequent quite often.

TS: Yeah, they disclosed a data breach, but it was kind of interesting. They did it through an SEC filing, and didn’t really make any announcement on their website or anything like that. They’re kind of keeping it a bit hush-hush. The details are very scant, they basically said that somebody was able to get ahold of a password and email combination that the adversaries were then able to use to eventually access customers’ online accounts. But that’s basically all they said about it. And they said that this affects less than 1 percent of the company’s online customer accounts, which sounds like no big deal until you think about the fact that they get 4 million website visitors per month. The 1 percent can still translate into a really large number of people.

LO: Right. Well, you talked to a couple of researchers who even though details were super limited for this one, they actually had some really interesting perspectives in terms of how you’re able to look on Dark Web and find out some more information there. So I thought that was a great angle to take this story and dig deeper into the impact of this breach and how this could have happened as well.

TS: Yeah, it was really interesting because Colin Bastable, who is the CEO of Lucy Security, they specialize in employee security training, and he was saying that it kind of smacks of a supply-chain issue. So maybe somebody was able to penetrate a third-party supplier of services to the website, and then be able to from there gain administrative privileges and pivot to move laterally and all that kind of stuff, which of course, we’ve seen that a lot in the past. These supply-chain attacks, like with the Ticketmaster breach, for example, with Magecart, they were able to compromise a third-party component and then from there, be able to go after the real target. And obviously in the infamous Target breach a few years ago, and that was an HVAC supplier, right, so they were able to pivot through that network to get to the Target network, so we’ve seen these types of things before. And so he thought that was maybe what had happened. That was one theory. And now the other theory was that somebody just got phished, you know, there was some internal administrative person who fell for a spearphishing email and they were off to the races.

LO: I’m definitely more curious about that. And I know you mentioned this too in your story, but I saw separate reports of ImmuniWeb’s analysis of various stolen credentials, speaking of which, that were found on the Dark Web, I thought there were some interesting points there too about how many credentials belonging to what types and sizes of companies that have been found on the Dark Web. And I think that you had written that as many as 95 percent of the credentials contained unencrypted – or bruteforced and cracked by the attackers – plain-text passwords. So that’s just a massive number. And that shed some light on to the credential issue that we’re dealing with and how that might impact the story as well.

TS: Yeah, definitely. And I don’t know if you’ve gone to Have I Been Pwned, you know, Troy Hunt’s website, you can plug in your email and see if anybody has compromised it, or your password. The ImmuniWeb analysis found that there were 21 million different sets of credentials belonging to just the Fortune 500 alone. Bed Bath & Beyond is one of the Fortune 500, they’re like number 200-something. If I were a large enterprise, I would be concerned with that. So, these credentials are out there. Now, whether or not they’re still valid, whether or not people have changed their passwords on a regular basis or not, who knows? But it’s definitely an epidemic.

LO: Yeah, well speaking of credentials, the final story I wanted to discuss that you wrote about was really interesting. It was about a phishing attack that was using a fake voicemail message to lure victims into revealing their Office 365 email credentials. I thought that was kind of an interesting angle there for attackers to take. What did you find there?

TS: Yes, researchers at McAfee that uncovered this campaign, they were saying that it’s really unusual because if you’re a targeted victim, you would get this email in your inbox that said, “hey, you missed a voicemail so why don’t you sign on to your Office 365 online, login to the cloud. So you can listen to your voicemail.” It was just such an unusual tactic that hasn’t really been seen before. And a lot of people apparently are falling for it.

LO: So they had the actual audio attachment, is that it?

TS: Yeah, well, they were fake audio attachments. So if you’re a recipient of one of these emails, you see that there’s an audio file attached, that just has a snippet that has somebody talking like, “Hi, I’m calling about blah, blah, blah,” and then it cuts it off. So it’s just a little sample basically to tease people and say, “you want to listen to the rest of the voicemail, sign in to Office 365 online.”

LO: I think that the audio aspect of it is very interesting. And researchers who I’ve talked to have said that audio is going to be kind of the next tactic that a lot of attackers are going to be using for different phishing campaigns. And I know we saw that audio deep fake a couple of weeks ago, where someone deep faked audio and essentially used that to scam a company. So I think between that, and then this, I’m concerned about how audio will be used in the future because a lot of employers nowadays are trained to look and look for kind of visual clues and red flags in various phishing emails. But then when it comes to audio, you know, there’s not a lot of training there for that.

TS: Yeah, now that’s a really good point. I had forgotten about that, that deep fake, where the person basically impersonated the CEO of the company, and it was indistinguishable from the real thing. I think that we tend to trust our ears more than something that we have popping up in our email box that you just read. We like to think that we’re savvy types that can discern whether or not something’s real or not, but that’s changing over time. If you read that whole feature article about deepfakes that you wrote, and how that’s changing the security game, I think that’s just fascinating.

LO: It’s definitely concerning and something to be on the lookout for. So, Tara, thanks for coming onto the news wrap. We should probably wrap it up now.

TS: I can talk to you all afternoon Lindsey.

LO: If only we didn’t have to go write more stories.

TS: Yeah, we have to get back to work. That’s right.

LO: For everyone listening. Thanks for joining in. Catch us next week on the Threatpost news wrap that we’ll get up next Friday. We usually go live every Friday. And Tara, thanks for coming on today.

TS: Thanks so much for having me, Lindsey.

