With Cyber Threat Intelligence, Foresight is 20/20

On the morning of June 7th, while going through my emails, one email from the IntSights research team stood out to me. "EA sports got breached?" I thought to myself, "they are going after EA? Really? I sure hope the FIFA ‘22 release date won't get postponed now." The email suggested that the threat actor Leakbook, aka KickAss_Forum, was offering for sale Electronic Arts source code and gigabytes of EA's game data on a couple of notable cybercrime forums (Raidforum and Exploit.in).

In the following days I kept close track of the incident and evolving news regarding the attack vector and possible infiltration method. It appears that the threat actor purchased a simple session cookie as well as credentials to access the EA Slack environment. These were probably purchased amongst credentials to other platforms as well, because of course this type of data leak can and does happen to many organizations.

I had to take a look for myself, to see how easy it would be to get in with just the items mentioned above. It turns out that browsing to Slack.com via a browser and entering EA as a company space leads to a login page where a set of credentials would be the only thing separating a user from accessing the company Slack environment. Again, this is not uncommon.

Cyber Threat Intelligence

The Importance of Early Indicators

For me, the amazing part of this entire story is that the issues leading to this breach could have been easily and simply mitigated, even automatically, by using an ETP/CTI platform, such as IntSights.

In this case, IntSights External Threat Protection would have identified the credentials for sale and alerted the customer about them. Not only that, we would have offered to obtain the exposed credentials or cookies on their behalf. And finally, IntSights would have identified Slack, amongst many other exposed services, and alerted the customer about them, assigning the appropriate severity to reflect the risk of the exposed services based on the purpose of the platform.

Looking at trends based on the IntSights platform, it seems that such exposure of internal use systems accessible from outside the organization, and the availability of session cookies and credentials for sale, or credentials as part of leaked databases, potentially providing threat actors with access to customer critical systems is (unfortunately) too common.

When examining the Slack exposure that led to the EA compromise, a quick check in the IntSights platform revealed that in the past month alone, more than 3,000 different Slack logins for various companies had been compromised and put up for sale on cybercrime black markets.

The below example shows a single bot holding credentials for an infected machine, including credentials for Citrix and Slack. The harvested credentials are sold for as little as $8 USD.

Examples from the examined data include exposed pages and services such as HR systems, marketing tools, project and sales management platforms, and even access to the management console of cybersecurity tools used by the company.

Examining the credentials and session cookies available for sale shows that not only are there credentials allowing access to internal systems, but cybercriminals on black markets are often selling credentials to internal development environments or admin credentials to customer services and systems:

Cyber Threat Intelligence Exposes Hidden Threats

Cyber threat intelligence provides an early warning of impending attacks, but only if it’s tailored to your organization’s digital footprint, analyzed automatically, and mitigated with the touch of a button. Relating intelligence to your digital assets is critical to effective threat protection, enabling you to proactively identify, assess, and remediate threats that directly target your organization, employees, brand, and customers.

Click here to learn how IntSights Threat Command does all of the above, taking the complexity out of threat intelligence and delivering instant value.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.