Recovering security researcher, vul disclosure nerd, DFIR, CTI, leader, loves hacking all the things. My words are my own and not my employer etc, etc.

PUBLIC SERVICE ANNOUNCEMENT:

There is an increase in account takeovers due to insiders at telco firms simply giving control to people paying them/compromised support staff accounts. Do a check on systems where this single factor would permit an account compromise. And change the configuration. These are opportunistic trawling attacks. This is becoming more common as attackers replicate the success.

The attacker uses other channels (like people search websites) to enumerate and guess the phone number attached to an online account and then checks against the telco they have control over.

The insider only briefly temporarily forwards the victim number to a 3rd party then switches it back to normal once they’re in. This is how they stay quiet since most victims will not have leverage or telemetry to understand how they got hacked.

It was their cell phone provider.

Make it so account recovery systems require multiple factors and remove telephony-based recovery for VIP accounts entirely.
Go check your systems now. Go try to access all your stuff like you forgot your password.

I am very serious. This is based on private knowledge but is compelled by the compromise of the SEC. This is common now.
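A way to do the check the post asks for, as an added example that is not part of the original post: it walks a constructed list of accounts and flags any whose recovery policy can be completed by whoever controls the phone number, plus any VIP account that still has telephony recovery at all. The account and policy shapes are assumptions, not any real provider's format; note that SMS and voice both ride on the same number, so a "2 of {sms, voice}" policy is still a single-source path.

```python
"""Audit account-recovery configuration for telephony-only recovery paths.

Constructed illustration for the PSA above. The data model below is an
assumption; map your own recovery settings onto it before running it.
"""
from dataclasses import dataclass

# Factors that are satisfied by control of the victim's phone number.
TELEPHONY = {"sms", "voice"}


@dataclass
class RecoveryPolicy:
    factors: set          # factors offered during account recovery
    required: int = 1     # how many of them must succeed to recover


@dataclass
class Account:
    name: str
    vip: bool
    policy: RecoveryPolicy


def telephony_sufficient(policy: RecoveryPolicy) -> bool:
    """True if forwarding the phone number alone completes recovery."""
    return len(policy.factors & TELEPHONY) >= policy.required


def audit(accounts):
    """Return (account, finding) pairs for policies that need changing."""
    findings = []
    for acct in accounts:
        if telephony_sufficient(acct.policy):
            findings.append((acct.name, "TELEPHONY_SUFFICIENT"))
        if acct.vip and acct.policy.factors & TELEPHONY:
            findings.append((acct.name, "VIP_TELEPHONY"))
    return findings


# Constructed sample accounts (hypothetical names and settings).
SAMPLE = [
    Account("alice", vip=True, policy=RecoveryPolicy({"sms", "email"}, 1)),
    Account("bob", vip=False, policy=RecoveryPolicy({"sms", "voice"}, 2)),
    Account("carol", vip=False, policy=RecoveryPolicy({"sms", "email"}, 2)),
    Account("dave", vip=True, policy=RecoveryPolicy({"email", "hardware_key"}, 2)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```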

CISA KEV added a “used in ransomware” field a short while ago. It's a big help to defenders (or, should be, if you're defending the way you should be).

We've got a short blog post out this week —
https://www.greynoise.io/blog/getting-a-leg-up-on-initial-access-ransomware-with-cisa-kev-and-greynoise-tags — highlighting our ~75 🏷️ that align with KEV ransomware tags.

All are Initial Access-related.

The attached chart is Good News™ for a change, in that it shows both CISA & @greynoise increasingly have your back the day one of these super nefarious CVEs is released.


If any CTI folks are looking for a new role, take a look here: https://careers.northwesternmutual.com/corporate-careers/job/sr-dfir-analyst-milwaukee-wi-corporate-jr-38992/AmpJob/
Great team and company - ping me if you have questions
Anyone at FIRST this week?