Outlook Ditches Basic Auth, Scattered Spider Leader Tyler Buchanan Arrested, Linux Malware Uses Emojis on Discord

The Daily Decrypt

00:00 /

In today’s episode, we discuss the arrest of the alleged ringleader of Scattered Spider, implicated in data breaches affecting Twilio, LastPass, and DoorDash (https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/). We also explore a novel Linux malware, DISGOMOJI, that uses emojis for command execution via Discord (https://www.bleepingcomputer.com/news/security/new-linux-malware-is-controlled-through-emojis-sent-from-discord/). Finally, we cover Microsoft’s upcoming security enhancements for Outlook, including the move to modern authentication (https://techcommunity.microsoft.com/t5/outlook-blog/keeping-our-outlook-personal-email-users-safe-reinforcing-our/ba-p/4164184).

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/

Logo Design by https://www.zackgraber.com/

Search Phrases

How Scattered Spider hacked Twilio
Breach of LastPass by Scattered Spider
Capture of UK hacker behind Scattered Spider
Methods used in Twilio hacking
DISGOMOJI malware and its impact
Scattered Spider group’s tactics
Cybersecurity in Discord using emojis
Transition to modern authentication in Microsoft Outlook
Protecting against DISGOMOJI malware
Twilio and other major corporations’ security breaches

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/ —`### Flash Briefing: Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Key Information: Spanish police arrested a 22-year-old UK man, Tyler Buchanan, in Palma de Mallorca. Buchanan allegedly leads Scattered Spider, a cybercrime group behind hacks on Twilio, LastPass, DoorDash, and more.
- Engagement: How does this arrest impact the cybersecurity landscape for companies frequently targeted by such groups?
Actionable Insight: Buchanan allegedly controlled Bitcoins worth $27 million, highlighting the financial scale of cybercrime.
- Engagement: What measures can organizations take to protect against such high-stakes cyber threats?
SIM-Swapping: Buchanan, alias “Tyler,” is known for SIM-swapping attacks, transferring victims’ phone numbers to intercept authentication codes.
- Engagement: Have you implemented safeguards like multi-factor authentication that don’t rely on SMS?
Scattered Spider’s Tactics: The group uses social engineering to phish for credentials, often via SMS messages mimicking Okta authentication pages.
- Engagement: Could your organization’s employees recognize a sophisticated phishing attempt?
Notable Breaches: Scattered Spider’s campaigns led to breaches at companies like Signal, Mailchimp, and LastPass, showcasing the importance of robust security practices.
- Engagement: What steps has your organization taken to ensure the security of its authentication processes?
Internal Network Access: The group’s attacks typically begin with social engineering, tricking individuals into revealing credentials that allow network access.
- Engagement: Are your employees trained to identify and report phishing attempts?
Physical Repercussions: The cybercrime community often resorts to physical violence to settle disputes, including home invasions and other assaults.
- Engagement: How does the threat of physical violence alter your perception of cybersecurity risks?
Recent Arrests: In January 2024, authorities arrested another Scattered Spider member, Noah Michael Urban, linked to significant financial thefts.
Engagement: Does knowing the legal consequences deter potential cybercriminals, or is the allure of high rewards too strong?
SIM-Swapping Leaderboard: Telegram channels maintain leaderboards ranking SIM-swappers by their conquests, showing the competitive nature of these groups.
- Engagement: What do you think motivates individuals to climb these illicit leaderboards?
Concluding Note: Buchanan’s arrest marks a significant win for cyber law enforcement, but the persistence of such groups calls for constant vigilance and improved security measures.
- Engagement: What are the most effective strategies your organization has implemented to stay ahead of cyber threats?

New Linux malware is controlled through emojis sent from Discord

https://www.bleepingcomputer.com/news/security/new-linux-malware-is-controlled-through-emojis-sent-from-discord/ —`Flash Briefing: New Linux Malware ‘DISGOMOJI’

Innovative Command Control: Cybersecurity firm Volexity has discovered ‘DISGOMOJI,’ a Linux malware using emojis sent via Discord for command and control (C2), targeting Indian government agencies. (Source: Volexity, June 15, 2024)
Espionage Campaign Origins: Volexity links DISGOMOJI to a Pakistan-based threat actor, UTA0137, known for espionage activities. They assess with high confidence that UTA0137 aims to infiltrate government entities in India. (Source: Volexity)
Functionality and Tactics: Similar to other backdoors, DISGOMOJI can execute commands, take screenshots, steal files, and deploy additional payloads. Its emoji-based C2 system allows it to bypass security software focused on text-based commands. (Source: Volexity)
Detection Method: Volexity discovered the malware via a UPX-packed ELF executable in a ZIP archive, likely distributed through phishing emails, targeting the custom Linux distribution BOSS used by Indian government agencies. (Source: Volexity)
Operational Mechanics: DISGOMOJI exfiltrates system information and listens for new emoji-based commands on a Discord server, using a reaction-based protocol to confirm command execution. (Source: Volexity)
Persistence and Spread: The malware maintains persistence using the @reboot cron command and other mechanisms like XDG autostart entries. It also steals data via USB drives and attempts lateral movement to gather more credentials. (Source: Volexity)
Security Implications: The use of emojis for commands could make DISGOMOJI harder to detect, presenting a unique challenge for cybersecurity defenses. Mid/entry-level professionals should focus on strengthening phishing defenses and monitoring unusual Discord traffic. (Source: Volexity)

Microsoft: New Outlook security changes coming to personal accounts

https://techcommunity.microsoft.com/t5/outlook-blog/keeping-our-outlook-personal-email-users-safe-reinforcing-our/ba-p/4164184 —`- Modern Authentication Requirement: Microsoft plans to phase out Basic Authentication (username and password) for Outlook personal accounts by September 16, 2024. This change impacts Outlook.com, Hotmail.com, and Live.com accounts, requiring users to switch to token-based authentication backed by multi-factor authentication (MFA). This strengthens security as Basic Authentication is vulnerable to credential capture and misuse. [Source: Microsoft]

End of Support for Old Apps: Microsoft will no longer support the ‘Mail’ and ‘Calendar’ apps on Windows after December 31, 2024. Users should migrate to the new Outlook for Windows, which provides enhanced security features. A migration toggle will be added to the existing apps to facilitate this transition. [Source: Microsoft] Listener Feedback: Have you started migrating to the new Outlook for Windows? Let us know your experience!
Deprecation of Outlook Light: The ‘light’ version of the Outlook Web App will reach the end of support on August 19, 2024. This version, intended for older web browsers, is being retired due to its degraded experience and lower security standards. [Source: Microsoft] Engagement Prompt: If you’re still using Outlook Light, what are your plans for transitioning to a more secure email client?
Gmail Access via Outlook.com: Starting June 30, 2024, users will no longer be able to access Gmail accounts through Outlook.com. However, standalone Outlook clients for Windows and Mac will continue to support this functionality. [Source: Microsoft] Discussion Point: How will this change affect your workflow if you use Gmail with Outlook.com? Join the conversation on our LinkedIn group.
Cortana Deprecation Impact: The deprecation of Cortana means that ‘Play My Emails’ and ‘Voice Search’ features on Outlook mobile will be removed at the end of this month. [Source: Microsoft]