Executive Summary

THREAT	IMPACT	MITIGATION
Increasing trend of threat actors seeking assistance to place counterfeit EDRs, on underground forums. EDRs can be exploited to obtain sensitive information from service providers.	Lack of EDR verification results in unauthorized access to sensitive data. Harvested data can be sold for monetary benefits and used to facilitate further cyber attacks.	Enable DMARC security standards across all mail domains. Verify the authenticity of incoming EDRs. Enable MFA.

Analysis and Attribution

Overview

CloudSEK’s contextual AI digital risk platform XVigil has recorded multiple instances of threat actors seeking EDRs for multiple social media platforms on underground forums.
PII records and various databases are often compromised using such requests.
In contrast to the traditional TTPs such as phishing attacks, security misconfigurations, compromised credentials, etc, this is a newly discovered TTP being employed by threat actors across the globe.
EDRs were previously employed by famous threat actor groups such as LAPSUS$, to exfiltrate vital information.

Threat actor offering huge price amount for lodging a successful EDR through Apple

EDRs (Emergency Data Requests)

An Emergency Data Request is a procedure used by U.S. law enforcement agencies for obtaining information from service providers in emergencies where there is no time to avail a subpoena.
These requests are solely made by high-ranking officials of the legal hierarchy and are usually sent from an official email address associated with the organization.
Threat actors can impersonate such officials upon gaining access to these email IDs and exfiltrate sensitive information about potential targets by making EDRs.
These requests can be placed without any proof of identification, legal procedures, or warrants in place.
The service providers processing these requests do not verify the authenticity of the email or run any background checks, before obliging to the request.
Large amounts of sensitive data can be harvested through fake EDRs with minimum risk and effort.

Information from Underground Forums

In July 2022, multiple posts requesting EDR services have been observed on various underground forums.
These threat actors are looking to target popular organizations including Apple, Snapchat, and Twitter, to gain crucial PII from user accounts.
The posts observed fall under two primary categories:-
- Actors looking for official email addresses to place EDRs (email accounts ending with @mil or @gov domains).
- Actors looking for assistance in crafting an authentic-looking EDR email, outlining the data requirements of the target. (For more information refer to the Appendix)
Threat actors are offering money ranging from USD 80 to USD 500 for the above-mentioned services. A threat actor was even seen offering BTC 3,000 to anyone who could assist with EDR data harvesting.

Tactics, Techniques, and Procedures (TTPs)

Threat actors with access to official email IDs of legal authorities can successfully extort sensitive information via counterfeit EDRs by following a few simple steps.

EDR Creation

The structure and language used in EDR emails should be convincing and authentic for the service providers to oblige, without asking any further questions.
The forged EDRs should create a sense of importance, urgency, and panic.
The requested information is said to be for a high-profile investigation by legal authorities, with a thinly veiled threat of repercussions if the request is not met.

Email Acquisition

Threat actors identify government email domains that do not have DMARC security standards applied to them because such email domains can be spoofed to send out fake EDRs.

The Attack

Once the target agency’s website is compromised, attackers gain unrestricted access and place a backdoor “shell” on the server to maintain persistence until detected.
The attack is proceeded by creating new email accounts within the compromised organization’s mail domain.

Impact & Mitigation

Impact	Mitigation
Persistent access to the compromised agency without being detected for long time periods. Infiltrating the compromised entity and gaining internal access to sensitive files. Lack of authentication before sharing the data results in large data harvesting campaigns. Harvested data can be sold for monetary benefits. Compromised data can further aid: Phishing Identity theft Impersonation	Implement a strong password policy. Enable MFA (multi-factor authentication) across all logins. Enable DMARC security standards on the organization’s mail domains. Verify the authenticity and the origin of incoming EDRs. Verify the legitimacy of individuals before giving away vital or sensitive information. Monitor cybercrime forums for the latest tactics employed by threat actors.