Multiple Threat Actors Exploiting EDRs to Acquire Sensitive Information

August 11, 2022
Green Alert
Last update posted on February 3, 2024
Category: Adversary Intelligence
Industry: Multiple
Motivation: Financial
Region: Global

Executive Summary

Threat and Impact
  • Increasing trend of threat actors seeking assistance on underground forums to place counterfeit EDRs.
  • EDRs can be exploited to obtain sensitive information from service providers.
  • Lack of EDR verification results in unauthorized access to sensitive data.
  • Harvested data can be sold for monetary benefits and used to facilitate further cyber attacks.

Mitigation
  • Enable DMARC security standards across all mail domains.
  • Verify the authenticity of incoming EDRs.
  • Enable MFA.

Analysis and Attribution

Overview

  • CloudSEK’s contextual AI digital risk platform XVigil has recorded multiple instances of threat actors seeking EDRs for multiple social media platforms on underground forums.
  • PII records and various databases are often compromised using such requests.
  • In contrast to traditional TTPs such as phishing attacks, security misconfigurations, and compromised credentials, this is a newly observed TTP being employed by threat actors across the globe.
  • EDRs have previously been used by well-known threat actor groups such as LAPSUS$ to exfiltrate vital information.
Threat actor offering a large sum for lodging a successful EDR through Apple

EDRs (Emergency Data Requests)

  • An Emergency Data Request is a procedure used by U.S. law enforcement agencies to obtain information from service providers in emergencies where there is no time to obtain a subpoena.
  • These requests are made only by high-ranking officials in the legal hierarchy and are usually sent from an official email address associated with the agency.
  • Threat actors who gain access to such email accounts can impersonate these officials and exfiltrate sensitive information about potential targets by submitting EDRs.
  • These requests can be placed without any proof of identification, legal procedure, or warrant.
  • The service providers processing these requests do not verify the authenticity of the email or run any background checks before complying with the request.
  • Large amounts of sensitive data can be harvested through fake EDRs with minimal risk and effort.

Information from Underground Forums

  • In July 2022, multiple posts requesting EDR services were observed on various underground forums.
  • These threat actors are looking to target popular organizations including Apple, Snapchat, and Twitter, to gain crucial PII from user accounts.
  • The posts observed fall under two primary categories:
    • Actors looking for official email addresses to place EDRs (email accounts ending with @mil or @gov domains).
    • Actors looking for assistance in crafting an authentic-looking EDR email, outlining the data requirements of the target. (For more information refer to the Appendix)
  • Threat actors are offering money ranging from USD 80 to USD 500 for the above-mentioned services. A threat actor was even seen offering BTC 3,000 to anyone who could assist with EDR data harvesting.

Tactics, Techniques, and Procedures (TTPs)

Threat actors with access to official email IDs of legal authorities can extract sensitive information via counterfeit EDRs by following a few simple steps.

EDR Creation

  • The structure and language used in EDR emails should be convincing and authentic for the service providers to oblige, without asking any further questions.
  • The forged EDRs should create a sense of importance, urgency, and panic.
  • The requested information is said to be for a high-profile investigation by legal authorities, with a thinly veiled threat of repercussions if the request is not met.

Email Acquisition

  • Threat actors identify government email domains that do not have DMARC security standards applied to them because such email domains can be spoofed to send out fake EDRs.

The Attack

  • Once the target agency’s website is compromised, attackers gain unrestricted access and place a backdoor “shell” on the server to maintain persistence until detected.
  • The attack then proceeds by creating new email accounts within the compromised organization’s mail domain.

Impact & Mitigation

Impact
  • Persistent access to the compromised agency without being detected for long time periods.
  • Infiltrating the compromised entity and gaining internal access to sensitive files.
  • Lack of authentication before sharing the data results in large data harvesting campaigns.
  • Harvested data can be sold for monetary benefits.
  • Compromised data can further aid:
    • Phishing
    • Identity theft
    • Impersonation

Mitigation
  • Implement a strong password policy.
  • Enable MFA (multi-factor authentication) across all logins.
  • Enable DMARC security standards on the organization’s mail domains.
  • Verify the authenticity and the origin of incoming EDRs.
  • Verify the legitimacy of individuals before giving away vital or sensitive information.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
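The Email Acquisition step above hinges on agency domains without an enforcing DMARC policy, and the mitigations ask receivers to verify the origin of every incoming EDR. The following is an added example (not code from the CloudSEK report) of a receiving-side triage gate: it parses the sender domain's DMARC record and the local MTA's Authentication-Results header, rejects anything spoofable or unauthenticated, and never auto-approves, since the report also describes real mailboxes being created inside compromised agency domains. The domain `agency.example` and all records and headers are constructed.

```python
import re


def parse_dmarc(txt):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def dmarc_enforced(txt):
    """True only if the domain publishes DMARC with p=quarantine or p=reject on 100% of
    mail. p=none (monitor only) or a missing record leaves the From: header spoofable."""
    tags = parse_dmarc(txt or "")
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return False
    pct = tags.get("pct", "100")
    return pct.isdigit() and int(pct) == 100


def auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage_edr(from_addr, dmarc_txt, auth_header):
    """Return (decision, reasons). REJECT if the sender domain is spoofable or the message
    failed DMARC; otherwise CALLBACK_REQUIRED, because a passing message may still come
    from a mailbox an attacker created inside a compromised agency."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if not dmarc_enforced(dmarc_txt):
        reasons.append(f"{domain} has no enforcing DMARC policy, so its From: can be spoofed")
    if auth_results(auth_header).get("dmarc") != "pass":
        reasons.append("message did not pass DMARC authentication at the receiving MTA")
    if reasons:
        return "REJECT", reasons
    return "CALLBACK_REQUIRED", [f"confirm the requester through a published contact for {domain}"]


# Constructed samples (hypothetical domain, not taken from the report).
SPOOFED = triage_edr("chief@agency.example", "v=DMARC1; p=none",
                     "mx.provider.example; spf=fail; dkim=none; dmarc=fail")
CLEAN = triage_edr("chief@agency.example", "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
                   "mx.provider.example; spf=pass smtp.mailfrom=agency.example; "
                   "dkim=pass header.d=agency.example; dmarc=pass")
```

In production the DMARC record comes from a live DNS TXT lookup of `_dmarc.<domain>` and the Authentication-Results header from the receiving MTA; here both are supplied as strings so the gate runs offline.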

Appendix

Threat actor looking for help with crafting an authentic-looking email

One of the first posts offering EDR services. Sales trashing on the post raises a question about the service’s legitimacy.

Further attempts to successfully fulfill an EDR via Snapchat

Further attempts to successfully fulfill EDRs via Snapchat and Twitter

Actor providing services for extracting data through EDRs

Threat actor looking for an EDR service for Snapchat

Sample of Indian Government Police email availability
