Husband, father, hacker/pentester, OSCP, CRTO, CISSP, OSWP, etc.

The MGM attackers claimed they used one of the easiest ways to breach/ransom a company, a method I use often in my hacking:
1. Look up who works at an org on LinkedIn
2. Call Help Desk (spoof phone number of person I’m impersonating)
3. Tell Help Desk I lost access to work account & help me get back in

While we wait for attack method confirmation, I’ll say that the attack method they claim worked for them does indeed work for me. Most orgs aren’t ready for phone-based social engineering.

Most companies focus on email-based threats in their technical tools and protocols — many are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone-based attacker in the act. Teams need protocols to verify identity before taking action.

The 1st teams I go after when hacking are the folks who deal with requests from people constantly — IT, Help Desk, Customer Support, etc.
I often pretend to be an internal teammate to convince them to give me access, and I usually start with phone attacks because they work fast.

Email phishing attacks can get caught in good spam filters and reported.
The soft spot for many teams is the folks who handle the phone call requests.
There’s a perfect storm: lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests.

Questions to ask internally to see if your team is prepared to catch this attack:
- Do the folks who handle requests from team/customers use identity verification protocols?
- Do we rely on knowledge-based authentication? DOB + caller ID matches ☎️ number in system, for example.
- Are our IT/Help Desk/Support teams compensated or promoted on the speed of saying yes to requests? Have we incentivized time for security protocols in Support?
- How do we verify identity first?

Remember, most folks at work want to do a good job and oftentimes “good work” means “fast work”. We can’t expect every employee to be able to come up with their own identity verification protocols on the fly — it’s our job to provide the right human protocols to catch this fast.

We’ll need to wait to learn the details of the attack and get confirmation.
In the meantime, I can tell you I compromise orgs with the exact phone attack the attackers claim to use, and many orgs don’t have phone-call-based identity protocols to catch it yet.

Update your phone-based identity verification protocols to catch account takeover attempts!
You know your org best & there’s no one size fits all.
You can move from KBA (like DOB) to OTP on 2nd verified comm channel, call back to thwart spoof, service codes, pins, and much more.

After hacking & educating orgs on how they can catch me, the biggest task I spend my time on is updating verification protocols to spot me next time. It’s maddening to get caught on their new identity verification protocol on the next pentest but there’s also nothing I love more.
More details here: https://x.com/RachelTobac/status/1701801025940971792?s=20

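The thread above argues for moving help-desk verification off KBA (DOB, caller ID) and onto a call-back to the number of record plus an OTP on that same enrolled channel. The following is an added example of what that policy looks like as code; it is not Rachel Tobac's material or any vendor's product. The employee record, phone numbers, OTP store and the two call scenarios are all constructed for illustration, and the OTP "gateway" is a stub list so the block runs offline.

```python
"""Help-desk verification for a 'lost access' phone request (added example).

Caller ID and DOB are logged but carry no weight: the first is spoofable, the
second is findable. Only a call-back to the enrolled number and an OTP delivered
to that same number can approve the request. All data below is constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300


@dataclass(frozen=True)
class EmployeeRecord:
    """What the org holds. enrolled_phone was verified at onboarding (assumption)."""
    username: str
    enrolled_phone: str
    dob: str


@dataclass(frozen=True)
class CallerClaims:
    """Everything the caller asserts or the phone system shows; all attacker-influenced."""
    username: str
    caller_id: str                       # trivially spoofed
    dob: str                             # LinkedIn, breach dumps, public records
    requested_number: str | None = None  # "I lost my phone, call me on this one instead"


class OtpService:
    """Single-use, time-limited codes bound to one user and one enrolled channel.
    Delivery is stubbed: `outbox` stands in for the SMS/voice gateway."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, tuple[bytes, str, float]] = {}
        self.outbox: list[tuple[str, str]] = []

    def issue(self, username: str, channel: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = (digest, channel, self._now() + OTP_TTL_SECONDS)
        self.outbox.append((channel, code))  # sent to `channel`; never read aloud to the caller

    def redeem(self, username: str, channel: str, code: str) -> bool:
        entry = self._pending.pop(username, None)  # pop: one attempt, one use
        if entry is None:
            return False
        digest, bound_channel, expires = entry
        if channel != bound_channel or self._now() > expires:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())


@dataclass
class Decision:
    approved: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_reset(claims: CallerClaims, record: EmployeeRecord, otp: OtpService,
                   callback_connected: bool, code_read_back: str | None) -> Decision:
    """Approve only on call-back to the enrolled number plus OTP on that channel."""
    d = Decision(False)
    if claims.caller_id == record.enrolled_phone:
        d.reasons.append("caller ID matches record: logged, weight 0 (spoofable)")
    if claims.dob == record.dob:
        d.reasons.append("DOB matches record: logged, weight 0 (knowledge-based)")
    if claims.requested_number and claims.requested_number != record.enrolled_phone:
        d.reasons.append("caller asked to use a number not on record: refused, escalate")
        return d
    if not callback_connected:
        d.reasons.append("call-back to enrolled number not completed: no decision")
        return d
    if code_read_back is None or not otp.redeem(record.username, record.enrolled_phone, code_read_back):
        d.reasons.append("OTP on enrolled channel failed")
        return d
    d.approved = True
    d.reasons.append("call-back + OTP on enrolled channel verified")
    return d


RECORD = EmployeeRecord("jdoe", "+15550100", "1985-04-12")  # constructed sample


def attacker_scenario(otp: OtpService) -> Decision:
    """LinkedIn recon + spoofed caller ID + 'please use my new number'."""
    claims = CallerClaims("jdoe", caller_id="+15550100", dob="1985-04-12",
                          requested_number="+15550199")
    return evaluate_reset(claims, RECORD, otp, callback_connected=False, code_read_back=None)


def legitimate_scenario(otp: OtpService) -> Decision:
    """Agent hangs up, dials the enrolled number, sends the OTP there, user reads it back."""
    claims = CallerClaims("jdoe", caller_id="+15550100", dob="1985-04-12")
    otp.issue(RECORD.username, RECORD.enrolled_phone)
    _, code = otp.outbox[-1]  # the real employee reads this off their enrolled phone
    return evaluate_reset(claims, RECORD, otp, callback_connected=True, code_read_back=code)


if __name__ == "__main__":
    svc = OtpService()
    for name, scenario in (("attacker", attacker_scenario), ("legitimate", legitimate_scenario)):
        result = scenario(svc)
        print(name, "->", "APPROVED" if result.approved else "DENIED", result.reasons)
```

The two signals the attacker in the thread controls (caller ID, DOB) are recorded for the audit trail but never change the outcome, and a request to redirect the call-back or OTP to a "new" number ends the flow rather than being accommodated. The OTP is bound to the enrolled channel, expires, and is consumed on the first redeem attempt, so a code phished from the real employee cannot be replayed.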

This is the article to send to your IT team when they refuse to enforce boot-time PINs for BitLocker:

Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop: https://www.errno.fr/BypassingBitlocker.html by Guillaume Quéré


My friend and I have been working on an #infosec site called #secflux that is an aggregate resource for #news , #articles , #blogs , #trainings , #howtos , #webcasts , #podcasts , and more.

We wanted to create a better way to receive updates, trends, and information about #security topics, while giving ourselves a #creative outlet for our own related #content. So, we made a site dedicated to just that!

In any case, the flagship blogpost I’ve cobbled together is about #burnout — A topic many of you might have noticed I bring up quite a bit.

🔗 Link to the blog: https://secflux.com/the-prevalence-of-burnout-in-infosec/

I hope this helps anyone and everyone that might have previously or could be currently experiencing burnout. (It definitely felt great to write it, I hope it feels equally cathartic when people read it.)

Please read, like, share, bookmark the site, and all that jazzy jazz! 🎷

📋 Edit: We do have a newly created Mastodon account for the site! @secflux

We’re working on adding some more social media representation and integrations as we speak!


I will be giving a keynote at both Blue Team Con and WWHF about lessons I have learned in a decade of mentoring job seekers and career changers in cybersecurity, but here is one tip for free right now - never give greatly more to a company than they generally return to you. If they pay you to do a job, do a good job at it. Have integrity! But don't go overboard in perpetual overtime or free work, missing time with family, losing your health in a way they would never commit to you - most organizations today in the US will lay you off and replace you in a moment. If you die, they will replace you.

If they go above and beyond for you in real, meaningful ways, return that loyalty and commitment in kind. But never gratuitously more. You only live one life, and your job is not your family. It is a contract for labor, and if you are lucky one you learn from and somewhat enjoy.

Hey fediverse,

As many have already heard last week, Dragos had to let go about 50 people. Tuesday last week was my last day on the job, and as of today I am slowly beginning my search for a new role while allowing myself plenty of time to unwind between roles (for a change).

My role at Dragos was to reverse engineer ransomware, and I would love to continue reverse engineering malware (not just ransomware) in the future. I've worked in a few different threat intelligence roles over the last several years as well.

I'm located on the US East coast and am currently looking to stay remote as relocation and travel are not an option for my family.

Any leads are appreciated! My LinkedIn profile can be found at the top of my profile as well.

#malware #reverseengineering #jobs #jobsearch

What can I add... the job market is kinda abysmal right now. A ton of companies have done substantial layoffs over the last few weeks and a lot of folks at all experience levels are looking all at once in the US.

Cybersecurity is still a substantially more stable space than a lot of other IT fields. My heart breaks for a lot of development roles right now. However, if you have something that is stable but just okay, I'd recommend sticking with it for the next year or so unless you have a solid and guaranteed move. The economy and investment is going to take a while to recover. Also, plan to have to move if you are part of layoffs. Have a resume ready to go, and a safety net of some sort and a plan if you are able to. Take care of your mental health.

If you're a student, I'm really sorry. I graduated during the last recession and I truly understand this is awful. Strongly suggest you target a specific niche and skillset within cybersecurity that is in higher demand and less competitive, and consider moving to something more specific later. Have your resume reviewed by a hiring manager and a professional editor. Participate in networking and in-person community events as much as you can. Meet people. Everything gives you an advantage!

Finally done with the WarGames 1:12 scratch-built scale model of WOPR! 🤖
Protovision, I have you now! David’s room from 1983’s WarGames. Scratch-built 1:12 scale model.

Here's my final project for the Sektor7's Maldev Intermediate Course. It's a 3-stage attack that uses sRDI to inject into VeraCrypt and hooks WideCharToMultiByte() to sniff passwords for encrypted containers.

#malware #infosec #redteam #proofofconcept #hooking #hacking #srdi #injection

https://github.com/Krkn-Sec/VeraCrypt-Sniff

Cleared my #CRTO Red Team Operator exam this week from Zero Point Security. Great course and exam experience!