Multiple Threat Actors Exploiting EDRs to Acquire Sensitive Information

Executive Summary

Analysis and Attribution

Overview

• CloudSEK’s contextual AI digital risk platform XVigil has recorded multiple instances of threat actors seeking EDRs for multiple social media platforms on underground forums.
• PII records and various databases are often compromised using such requests.
• In contrast to the traditional TTPs such as phishing attacks, security misconfigurations, compromised credentials, etc, this is a newly discovered TTP being employed by threat actors across the globe.
• EDRs were previously employed by famous threat actor groups such as LAPSUS$, to exfiltrate vital information.

EDRs (Emergency Data Requests)

• An Emergency Data Request is a procedure used by U.S. law enforcement agencies for obtaining information from service providers in emergencies where there is no time to avail a subpoena.
• These requests are solely made by high-ranking officials of the legal hierarchy and are usually sent from an official email address associated with the organization.
• Threat actors can impersonate such officials upon gaining access to these email IDs and exfiltrate sensitive information about potential targets by making EDRs.
• These requests can be placed without any proof of identification, legal procedures, or warrants in place.
• The service providers processing these requests do not verify the authenticity of the email or run any background checks, before obliging to the request.
• Large amounts of sensitive data can be harvested through fake EDRs with minimum risk and effort.

Information from Underground Forums

• In July 2022, multiple posts requesting EDR services have been observed on various underground forums.
• These threat actors are looking to target popular organizations including Apple, Snapchat, and Twitter, to gain crucial PII from user accounts.
• The posts observed fall under two primary categories:-
  • Actors looking for official email addresses to place EDRs (email accounts ending with @mil or @gov domains).
  • Actors looking for assistance in crafting an authentic-looking EDR email, outlining the data requirements of the target. (For more information refer to the Appendix)
• Threat actors are offering money ranging from USD 80 to USD 500 for the above-mentioned services. A threat actor was even seen offering BTC 3,000 to anyone who could assist with EDR data harvesting.

Tactics, Techniques, and Procedures (TTPs)

Threat actors with access to official email IDs of legal authorities can successfully extort sensitive information via counterfeit EDRs by following a few simple steps.

EDR Creation

• The structure and language used in EDR emails should be convincing and authentic for the service providers to oblige, without asking any further questions.
• The forged EDRs should create a sense of importance, urgency, and panic.
• The requested information is said to be for a high-profile investigation by legal authorities, with a thinly veiled threat of repercussions if the request is not met.

Email Acquisition

• Threat actors identify government email domains that do not have DMARC security standards applied to them because such email domains can be spoofed to send out fake EDRs.

The Attack

• Once the target agency’s website is compromised, attackers gain unrestricted access and place a backdoor “shell” on the server to maintain persistence until detected.
• The attack is proceeded by creating new email accounts within the compromised organization’s mail domain.

Impact & Mitigation

References

• Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”- Brian Krebs
• Emergency Data Request – Wikipedia
• ^#Traffic Light Protocol – Wikipedia

Appendix