Kroll August 2023 SIM Swap Attack

Incident Name: Kroll August 2023 SIM Swap Attack

Date of Incident: August 19th, 2023

Summary:

Kroll is a global company providing organizations with risk and financial solutions. On August 19th, 2023, they discovered that a T-Mobile account belonging to a Kroll employee had been compromised by a threat actor, and T-Mobile had allowed the threat actor to transfer the employee’s phone number to their own device. It is alleged that once the threat actor gained access to the phone number, they were able to bypass multi-factor authentication (MFA) and access the employee’s account. As a result, the threat actor was able to access Kroll’s cloud-based assets, which included personal information such as names, addresses, emails, and debtor claim details of bankruptcy claimants from companies like BlockFI, FTX, and Genesis. Kroll has notified the affected customers about the breach of their data.

FTX and BlockFI, two affected companies, have released statements confirming that user passwords and funds were not impacted by this breach since it was specific to Kroll’s systems. Additionally, several individuals have reported receiving phishing emails related to this breach. FTX has shared examples of these emails on social media platforms. The phishing emails aim to deceive customers by impersonating FTX and encouraging them to withdraw their digital assets. The ultimate goal is to steal customers’ seeds in order to empty their crypto wallets.

Key Social Engineering/OSINT Themes:

Recon – Kroll employee and organizational information was harvested, including employee phone numbers and personal details. The threat actor leveraged exposed employee information to perform a SIM swap attack.
SIM Swap – The threat actor used the employee information to contact T-Mobile and swap their number to the threat actor’s SIM so that they would receive all employee SMS messages and calls. This access was then used to access the employee’s cloud-based account to access the data.

Picnic’s Recommended Remediations:
For detailed remediations, see the HASP Framework.

High Risk Employees

HASP Framework 1.1 — Identify high-value employee targets
HASP Framework 1.3 — Conduct social engineering risk assessments for high-value employee targets
HASP Framework 1.5 — Establish and implement procedures for high-value employee targets
HASP Framework 1.7 — Increase detection and monitoring for high-value employee targets

Exposed Employee PII

HASP Framework 2.1 — Identify exposed employee PII
HASP Framework 2.2 — Reduce exposed employee PII

Exposed Credentials

HASP Framework 3.1 — Identify exposed work credentials
HASP Framework 3.7 — Restrict service account access
HASP Framework 3.8 — Monitor for account takeover (including real-time alerts on exposed credentials)
HASP Framework 3.9 — Monitor for MFA configuration changes
HASP Framework 3.10 — Monitor for new MFA registrations

Exposed Remote Services

HASP Framework 4.2 — Identify exposed shadow IT
HASP Framework 4.4 — Manage shadow IT / remote access

Indicators of Attack

HASP Framework 7.1 — Monitor for suspicious external accounts
HASP Framework 7.2 — Request takedowns for suspicious external accounts
HASP Framework 7.3 — Alert your organization about suspicious external accounts
HASP Framework 7.4 — Monitor for suspicious domains
HASP Framework 7.5 — Block suspicious domains

Cyber Awareness

HASP Framework 8.1 — Train employees on social engineering attacks
HASP Framework 8.2 — Provide employees with social engineering phishing simulation training
HASP Framework 8.4 — Build and establish social engineering policies, processes, and procedures

Industry: Financial Services, Professional Services

Actor: Unknown

Motivations: Financial

Related Hacks: Coinbase / CoinsPaid

Breach Notice/Company Notice:

Security Incident | Kroll

Other Sources: