A
You're listening to the Cyberwire Network, powered by N2K.
B
Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, senior director of thought leadership for Unit 42.
A
Identity compromise means that the attackers are targeting you. They're not targeting a machine or a service, they're targeting you. They're looking to compromise accounts, and in this case of Atlas Lion, every new identity that they compromise, they turn that into money. Identity attacks are not a future problem, they're a today problem. They're happening now. And we saw in Jingle Thief that one compromised account quickly turned into dozens of compromised accounts in a matter of months, if you're not monitoring behavior. So it really shows the importance of monitoring your identity behavior. And the highlight of this attack is that it's entirely in the cloud. Attackers don't need exploits, they don't need malware. They just need to compromise identities.
B
Today I'm speaking with Stav Seti, principal researcher at Palo Alto Networks. Stav and the Unit 42 research team recently uncovered a financially motivated operation they're calling Jingle Thief, a cloud-based campaign that exploited Microsoft 365 environments to commit large-scale gift card fraud targeting global retailers and consumer service enterprises. Today we're going to talk about how attackers leveraged identity misuse, what this means for defenders in a cloud-first world, and why campaigns like Jingle Thief are reshaping how we think about trust and persistence in cybersecurity. Stav, welcome to Threat Vector. I'm really excited to have you here this morning.
A
Thanks, David. I'm really happy to be here.
B
So, before we get into this Jingle Thief campaign, and by the way, love the name, I think that it's super memorable. Can you talk to me about your work as a principal researcher here and how you and your team approach uncovering threat actor behavior?
A
Yeah, of course. So I'm part of the Cortex research team on the UEBA and ITDR team. And what we do is we focus on identity threats. So that means we look into how users are compromised and we try and find a way to detect that behavior.
B
What got you interested in that particular focus area in security?
A
I think it feels a little bit more real to me because I'm a user and I can get attacked at any point. So I kind of feel that those kinds of attacks are interesting, more so than attacking a machine, because I feel that I can relate to them a little bit more. And I also think that identity attacks are just the next big thing. I think all the attacks nowadays are heading towards identity land. And it's really interesting to me to research all these cases, and I'm lucky to be part of that.
B
So today we're going to talk about this Jingle Thief campaign, which is really centered around identity-based cloud compromise and gift card fraud. And I wanted to start with the basics, you know, for the listeners. What exactly is the Jingle Thief campaign? You know, some folks maybe haven't read the research that we've got out on the Unit 42 Threat Research Center. What was it that first drew the Cortex research team to this specific activity?
A
The Jingle Thief campaign is a campaign that we found very fascinating. And it came up because of our Cortex ITDR alerts that were raised. And what makes this so interesting is it's attackers going after gift cards. And they were able to steal and target gift cards from some of the biggest retail brands that you know. So that's really fascinating. And what makes it even more fascinating is that this is in the cloud. There's no malware, there's no exploits. They're purely living in Microsoft 365, which is a bit unusual because nowadays you don't see that too often with the gift card fraud. And yeah, so they would try and target retailers or just anyone that can issue gift cards.
B
Stav, you mentioned something and I want to make sure that we don't go screaming by it. You said the four letters, ITDR. And for those who are not part of our parlance, our jargon every day, what is it? Real quick?
A
Okay, so ITDR stands for Identity Threat Detection and Response. And it's all about detecting identity attacks, such as the Jingle Thief attack. And we'll talk more about that.
B
Yeah, super important here. And it was the technical capability of the Cortex platform that you're referring to. I just wanted to make sure that, you know, if you're not in the business all the time of our shortcuts, that you knew what that was. All right, let's get back to Jingle Thief real quick. Who's behind this campaign? Talk to me about the threat actor.
A
Yeah, so we're pretty sure that this group is what people know as Atlas Lion. Atlas Lion is a Moroccan-based group. They've been active since 2021. And while we don't have 100% attribution, I'd say for the purposes of this chat, let's call them Atlas Lion. What do you think?
B
Yeah, that works for me. And you said Moroccan-based, financially motivated. That's probably part of the crime side of cyber attacks, not necessarily something tied to a state actor. What distinguishes the campaign from maybe some of the other financially motivated operations that we've been looking at recently?
A
I think there's a few things. I think the first thing is the patience and the discipline. They stay months within an organization. In one case, we saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey, this is really something different here. I think another aspect is the living off the land. In Microsoft 365, it's all cloud. That's a little bit unusual as well. And lastly, it's the gift card aspect, the gift card theft. A lot of times financially motivated actors will go for ransomware. And this was all about gift cards.
B
Okay. And so they are looking at these gift cards as a way of getting their money. Talk to me about how you go from stealing gift cards, because that seems like a limited way of financing your operation, to, you know, are they selling them? Are they demanding that the retailer buy them back? Like, what's the path to monetization?
A
Yeah, so I think that's kind of like the golden question here is why would you target gift cards in the first place? And that's exactly what my team asked when we first saw this. We just didn't really get it at first. And I actually think it's, at the end of the day, it's a perfect solution for them. So what they're going to do is they're going to issue gift cards and they're going to sell them later in underground markets. Why do they target gift cards? Because when you think about it, gift cards are just digital cash with no traceability. They're easy to resell and there's no noise and they're impossible to trace. So if I redeem them, you have no PII associated to them. So that's what makes them so perfect.
B
Okay, so if I play this back, you go in, you're in an environment, you're not necessarily noisy, you're persistent, maybe you've got some technical chops. And then instead of locking things up, demanding some sort of ransom, dealing with a crypto, you basically issue yourself a payday. You know, gonna go ahead and type in a half a million dollars or a hundred thousand dollars here or there. Later on, when the heat's off, so to speak, you can then start to sell those out. And you're basically cashing out this digital cash that no one can really trace to an actual payment. You're no longer holding the stolen goods, you're financed. So it is kind of a low-stakes operation. And I don't want to say it's the perfect crime, but it feels like it's starting to make more and more sense why Atlas Lion and maybe others are looking at gift cards as this weak spot inside of some enterprises where they can go have a payday.
A
It's like they're an easy way to print cash. All they need is an identity and they can just print their own money.
B
So let's talk about how some of these attacks got in. What was the initial access? You know, was it phishing? Was it smishing? Did they go out and buy identities? Walk me through that process a little bit.
A
So initial access here was exactly what you said: SMS phishing, smishing, and phishing. And we actually found, on my team, we investigated it and found the PHP email sender that the attacker used. And in those logs we saw the emails and the SMS messages that went out from Moroccan IP addresses, which was really cool to see. And you know that smishing and phishing are pretty common, right? So what kind of makes this unique? There's a few things here that made the initial access really interesting. I think the first one is how highly tailored the phishing pages were. They used actual branding, fonts, layouts from each target. So they really did their homework here. And these fake Microsoft 365 pages look identical to the corporate company's pages, which is crazy. I don't think there's any way for the employees to tell a difference. So not only did they do their homework, but they also did something called the URL at-sign trick. Have you heard of that before?
B
No. Talk me through that.
A
So the URL at-sign trick is really interesting. You could have a URL like companylogin@randomdomain.com, and if I'm a user at a company, I'll see the company login on the left side of the at sign. Like, let's say it's Palo Alto Networks. I'll see that and I'll be like, hey, that's pretty legitimate. But the browser will actually go to what's on the right side. So companylogin@randomdomain.com: that randomdomain.com is actually what my browser is going to navigate to, which means that the user will be fooled.
B
Yeah.
A
And the browser will actually go to the malicious domain that the attacker controls. So I think that's a super interesting technique that they used. And it's not that common also.
B
When you're talking about identity theft and identity attacks, in some way they're also attacking the identity of the organization, the fonts, the domains, the way that things look, such that they can steal a legitimate identity from that company or from that employee. That feels like it's a next-level phishing attack. Beyond almost a phishing attack. It's something different. Or am I just kind of behind on where normal phishing, quote unquote, normal phishing is at?
A
I think normal phishing can definitely be less tailored. So I think that's what makes this so dangerous is how tailored it is to the organization. I think that's, yeah, that's kind of the most interesting aspect here. They've really tried to make you believe that they're the actual organization because they really did their homework here. And there were actually a few other things that made them really successful. It's all the reconnaissance that they did. It's the at-sign notation. And they would also use compromised WordPress domains to look legit. So they would put their phishing pages there, and that made the security tools ignore it and the users would fall for it. So the phishing here was actually pretty smart. And they would also go through multiple rounds of phishing and they would refine it over and over again until they got it right. And all they needed was one credential. They just needed one compromised user. And once they had one compromised user, it's game over.
B
Talk to me about the maybe seasonal or behavioral patterns that made Atlas Lion's social engineering tactics really effective.
A
Yeah. So what was really interesting here is that they would target their attacks, and that's kind of why we call them Jingle Thief, during the holiday season. Right. So during the holiday rush, you have limited employees, you have a lot of noise and distraction. And that's kind of what helped them be so successful here. But something else that's really interesting is that during the holiday periods there are a lot of temporary employees, and these temporary employees are new. Right. So they don't have a behavioral baseline, which makes them a lot harder to detect. So, no behavioral baseline, but they have a lot of high permissions, so they're able to issue gift cards. That makes them the perfect targets.
B
So what you're saying is like, I get hired in to go work at a large retailer. One of my jobs is to work in this area that's basically printing digital money. People are, you know, paying for gift cards. They want to go exchange those during the holidays. And systems are going, well, we don't really have much of what normal looks like for David, the new employee. And if I get popped, if I get compromised, then the system's like, oh, well, he's just issuing these massive gift cards. That seems pretty normal. He's been doing that for a while. And even then, the best security systems don't have the critical data of a normal baseline to be able to go, hey, we should flag this. This is wildly inappropriate that, you know, Moulton's out there putting out $60,000 gift cards left and right.
A
Exactly.
B
Is that right? Like that? Oh, man. Like, you know, I don't often say this, but this is a really clever attack. This is a way to really, you know, come in and use all the advantage that they have. And then targeting it during the holiday season when things are really busy just makes it fly right under the radar.
A
Yeah.
B
You mentioned earlier in our conversation that you'd observed, or you and the team had observed, Atlas Lion sitting in an environment for quite a while. I think you said 10 months in one case. What is it about this group that lets them sit in an environment for so long and go undetected?
A
Yeah, so I think that's actually the most fascinating part of this whole campaign. Right. That Atlas Lion is in an organization for over 10 months. It's actually crazy. And the way that they do it is they abuse Microsoft 365 identity features. For example, let's say I am an attacker from Atlas Lion and I have credentials. Okay. So after I get the credentials and the initial access, the first thing I'm going to do is enroll my device. And if I enroll my device, I'll be able to bypass MFA from here on out. And it's really smart because the victim can reset their password, but the attacker still has a trusted device. So that's kind of their first step: how can I get my device there? So, yeah, device registration is number one. The next thing that they'll do is they will add Exchange inbox forwarding rules. Have you heard of those before?
B
I want to say I ran across that in our research, but I didn't fully understand it. So hopefully the audience will humor me here. Can you walk me through what that is? Because it seems like it's both pretty common, but also kind of a clever attack.
A
Yeah, exactly. So Exchange forwarding rules will allow you to forward emails from one mailbox to an external address. So what the attacker would do here is they would basically set up a forwarding rule to forward all emails to their own personal attacker-controlled address. And that allows them to have ongoing visibility of the mailbox. So that's a really great technique that they will use, and it's pretty common. I think that organizations should really monitor all inbox rule creations because it's a pretty smart tactic and a very common tactic.
B
So I think there's this misconception that I'm being disabused of when I talk to, you know, folks like yourself. I talked to Margaret Kelly about cloud attacks not too long ago, and there's this idea that cloud environments are really secure, you know, and as you're talking about it, it's like, okay, these attackers get inside of Microsoft 365, they're attacking, they're living off the land. Why is it that the legitimate cloud services seem so appealing to attackers today?
A
Yeah, that's a great question. And I think that attackers really love the cloud because all their valuable data lives there. Like if you think of your own cloud, you have SharePoint documents, you have all your emails, all your data is there, right? So it makes it the perfect target. And specifically Atlas Lion, they would use Microsoft 365 as their reconnaissance playground. They would turn SharePoint into their own personal scavenger hunt. So they would look for a lot of internal documents on gift card workflows or VPN documentation, MFA guides, you name it, basically everything they needed to operate like an insider. And so they have a full map now of business processes and they're able to really blend in now. And it's not just SharePoint. We also saw such a high amount of emails accessed by Atlas Lion in a really short amount of time. So now that they have all this business information, they're eventually able to issue gift cards looking legitimate. They learned all about the gift card workflows, what portals there are, and they can really operate like a legitimate user.
B
So basically once they get in, because all the information is there, it acts as an instruction manual, a one-stop shop of how to rip off the company. Because legitimate users actually need all that information to operate. They want to look legitimate, and that further makes it difficult for you to detect them, I imagine. Did they go a step further and give themselves higher access than that original user initially had?
A
Yeah, they definitely did. And they would do something really clever, and it would really also blend in, kind of like the SharePoint documents. What they would do is, hey, so now I have all your emails. I can see how you tend to normally ask for permissions. For example, ServiceNow. I saw that you created a few ticket requests over the past week. Let me do the exact same. So Atlas Lion would do the exact same and escalate their permissions via ServiceNow ticket request. And for IT, that looks completely legitimate, completely normal, because this user has done that in the past. So yeah, that's a really smart way of doing it. And it's not hacking, it's kind of like abusing the business process.
B
Yeah, it's not quite hacking, it's not quite social engineering. It's somewhere in a gray space between those two things. But it certainly shows that they have a level of discipline to stay undetected. What were some of the other things that they did to evade detection and hide their activity once they're inside?
A
Right. So the first thing is, because they're entirely in the cloud, there's already no malware. Which means that all of your EDR solutions are completely blind to this. Right. So that's number one. The second thing that they would do, a big element here, was internal phishing. We didn't mention it yet, but what they would do is they would send out internal phishing emails for lateral movement and then they would delete those emails. And the internal phishing was really successful because there's a lot of implicit trust. If your coworker emails you, that's instant credibility. And nobody really suspects anything. So they went from one account to dozens of accounts from that. It's like a game of cyber tag, going from one victim to the next launch point. And so to hide their traces of that, they would just clean up the mailboxes. So they would send out a phishing email and move that email from sent items to deleted items. And let's say there was like an alert of phishing. They would also delete that from the inbox completely. So they would really try and hide their traces, and they did a really great job at it.
B
How did the behavior analytics, you mentioned the UEBA earlier, and ITDR tools help play a role in this? Because it seems like they're going to a lot of trouble specifically to target folks that don't have a baseline, to delete things, to act within normal ServiceNow ticket requests. Right. Like there's a lot about this that just appears to be normal day-to-day activity within an organization. And yet there had to be some indicator, there had to be a little bit of noise here and there that you could string together. And I'm really curious what tripped them up that allowed you to get on their scent trail.
A
Exactly. So it is very legitimate-looking activity. Right. So if I create an inbox rule, I create inbox rules all the time. That's pretty legitimate. But the whole idea of behavioral analytics is to build a profile for the user. So let's say I have a profile for the user of the locations that they log in from, and I have a user that constantly logs in from the United States. All of a sudden they're logging in from Morocco. Based on that baseline, I can flag this activity. And that's kind of what behavioral analytics does. And maybe that alone, the unusual location login, is not strong enough on its own. We'll take lots of different small signals like that and put them together. So I can have a first login from Morocco for that user, a first inbox rule creation, a new MFA enrollment, a new device registration. I take all those things together and they create a clear compromise story. And that's where UEBA and ITDR really shine.
B
That's pretty cool. It's basically finding enough bits and pieces of evidence that when put together, that jigsaw of data becomes a really clear "this is a problem." And I imagine, once you started seeing that, you were able to then say, like, how do we find other things that give us that confidence? Like you said earlier, you know, attribution is hard, but you're pretty confident. And then to start to see where that happens elsewhere. I know the attackers exploited legitimate identity mechanisms like device reg and password self-service. What are some of the lessons that security teams need to take away from this attack and this misuse of trust?
A
That's a great question. I think the first thing is a lot of times security teams will say, hey, MFA, that equals safety. And I think it's really important to recognize that MFA is not safety, it's not safe. And they should really monitor every new password reset, every new device enrollment, all those things, all that needs to be monitored. And it's not enough just to be like, hey, that user logged in with MFA, it's safe.
B
So, Stav, Jingle Thief is a really powerful example of identity-based compromise. What does that concept mean in practical terms, though?
A
Yeah, so identity based compromise means that the attacker will target you. They're not going to target a machine or a service, they're going to target you. And once they have your credentials, like we saw earlier when we talked about their internal phishing, they have all your permissions now and your trust so they can email your coworker and your co workers will immediately trust it. Right. So it's not really a system takeover, it's a process takeover. In Jingle Thief we saw that legitimate workflows were used in abnormal ways to turn identity directly into profit. And this is like the Jingle Thief case I think is a really good example of why identity is a new perimeter.
B
From a defensive perspective, what practical steps can enterprises take today to reduce their exposure to these identity based attacks like Jingle Thief?
A
So I think there's a few things you can do. I think number one I would say is what we talked about before, about ITDR and UEBA. Behavioral analytics is so important because this is entirely in the cloud. Endpoint detection is not going to help you at all. You need to track who's logging in, where they're logging in from, how their behavior changes over time. I think that's number one, most important. I think also in the case of Jingle Thief, posture really matters as well. I would make sure to look at what permissions users have, like can everybody issue gift cards, and limit that. And lastly, I think that identity compromise happens really fast. So you need to make sure to act fast, because you can go from one compromised user to 100 compromised users in a matter of a very short time.
B
So really it's thinking about this idea of don't over-rely on MFA. And then as you're looking at your controls, and especially since they're attacking a user, one compromise can very much snowball, to keep with that holiday theme, into hundreds of users very, very quickly. This is a tricky one to defend against for sure. But I keep coming back to this idea that you are able to find enough evidence through behavior analytics, through ITDR, and paint that picture such that you don't have any idea how you're leaking so much money on the gift card side of things. You've mentioned a couple times that Jingle Thief has been traced back to this Moroccan infrastructure through IPs, through ASN patterns. How valuable is that kind of intelligence in ongoing threat tracking?
A
So I think that it's super valuable because it allows you to have a fingerprint to connect the dots across multiple incidents. So if I'm consistently seeing Moroccan ASNs throughout multiple organizations, I can look for those ASNs and be able to connect the dots to the same campaign. That's like the main value. And I think that what was super interesting in this case is that you saw Atlas Lion connecting consistently from Moroccan ASNs. It's kind of funny because they didn't even try and hide their location. I mean, there were a few US proxy cases, but very few of them. And it shows confidence, because they kind of know that geolocation alerts are so often ignored. And I found that really interesting.
B
So, Stav, looking ahead, do you expect that financially motivated campaigns like this will evolve in new ways or maybe even have copycats that try to use these same attack techniques?
A
Yeah, definitely. I think so. I think that they're going to keep adapting and we expect that any platform where trust can be turned to profit to be used. So for example, today might be Microsoft 365, but in the future it'll expand to more cloud platforms. And today they're targeting gift cards. But in the future it can be loyalty programs. It can be really any system that has digital currency anywhere that identity can turn into money.
B
Stav, one last question here. Are there any early warning signs that defenders should watch for as attackers continue to weaponize cloud trust?
A
Yeah, I think definitely there are a lot of warning signs in the identity behavior. You have to look at device enrollments, MFA factor additions, inbox rules, all of that. I strongly suggest monitoring all of those. Yeah, I think that's the best. The best thing to prioritize is the identity layer.
B
Stav, thanks for this awesome conversation today. I learned so much, and thanks to the audience for their patience as you had to unpack a few things for me that were a little bit more technical. I really appreciate you coming in and sharing your insights on the Jingle Thief campaign and specifically how identity-based cloud fraud is reshaping, at least, my perspective of cybersecurity strategy. This one seems like it's kind of a weak spot that we need to really focus on or suffer the consequences.
A
Thank you so much, David. It was great being here.
B
And we'll go ahead and make sure that there's a link to the Jingle Thief campaign and the Threat Research Center in our show notes. That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. If you want to contact me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Mike Heller, our content and production teams, which include Kenny Miller, Joe Betacourt and Virginia Tranquil. Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now.
This episode of Threat Vector explores the recently uncovered "Jingle Thief" campaign—a sophisticated, cloud-based identity attack that leveraged compromised Microsoft 365 accounts to steal and monetize gift cards from major retail and consumer service enterprises. Principal researcher Stav Seti walks through the details of the attack, methods used by the threat actors (believed to be the Atlas Lion group), and key lessons for defenders as identity-based attacks become central to cybercrime.
"They were able to steal and target gift cards from some of the biggest retail brands that you know. ... It's attackers going after gift cards... purely living in Microsoft 365."
— Stav Seti [04:03]
"We saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey, this is really something different here."
— Stav Seti [06:18]
"Gift cards are just digital cash with no traceability. ... They're impossible to trace. So if I redeem them, you have no PII associated to them. That's what makes them so perfect."
— Stav Seti [07:26]
The phishing links used the URL at-sign trick, such as companylogin@randomdomain.com, so users saw a legitimate company name but were redirected to an attacker domain.
"These fake Microsoft 365 pages look identical to the corporate company's pages, which is crazy. I don't think there's any way for the employees to tell a difference."
— Stav Seti [10:10]
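To show why the at-sign trick in that quote works and how a mail or proxy filter can catch it, here is an added Python check (example code written for this page, not Unit 42's or Cortex's tooling). It splits links the way a browser does, treating everything before the `@` in the authority as userinfo, and flags links whose userinfo looks like one of the organization's brand domains while the real host is somewhere else. The sample links and the `example-corp.com` brand domain are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical brand domains the defending organization owns (an assumption).
BRAND_DOMAINS = {"example-corp.com"}

# Constructed sample links, not taken from the campaign. The second one follows the
# companylogin@randomdomain.com pattern described in the episode.
SAMPLE_LINKS = [
    "https://login.example-corp.com/owa",
    "https://login.example-corp.com@attacker-site.example/sso",
    "https://svc:s3cret@api.example-corp.com/health",
    "https://sso.example-corp.com@login.example-corp.com/",
]


def brand_match(host, brands):
    """Return the brand domain that `host` equals or is a subdomain of, else None."""
    host = host.lower()
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return brand
    return None


def analyze_link(url, brands=BRAND_DOMAINS):
    """Split a link the way a browser does (RFC 3986 authority rules): everything
    before the last '@' is userinfo and is never used for routing; the host after
    it is where the browser actually connects."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # lowercased, userinfo and port stripped
    user = parts.username or ""
    displayed = user if parts.password is None else f"{user}:{parts.password}"

    if user and brand_match(user, brands) and not brand_match(host, brands):
        verdict = "spoof"        # brand shown on the left, foreign host on the right
    elif user and "." in user and parts.password is None:
        verdict = "suspicious"   # domain-looking userinfo with no credential part
    else:
        verdict = "ok"           # no userinfo, or real credentials such as svc:s3cret
    return {"url": url, "displayed": displayed, "real_host": host, "verdict": verdict}


def scan_links(urls, brands=BRAND_DOMAINS):
    """Analyze a batch of links, e.g. those extracted from an inbound mail body."""
    return [analyze_link(u, brands) for u in urls]


if __name__ == "__main__":
    for r in scan_links(SAMPLE_LINKS):
        print(f"{r['verdict']:<10} host={r['real_host']:<28} shown={r['displayed'] or '-'}")
```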
"During the holiday rush, you have limited employees, you have a lot of noise and distraction. ... These temporary employees are new. They don't have a behavioral baseline, which makes them a lot harder to detect."
— Stav Seti [13:27]
"After I get the credentials... I'm going to enroll my device. ... the victim can reset their password, but the attacker still has a trusted device."
— Stav Seti [15:47]
"They would look for a lot of internal documents on gift card workflows ... basically everything they needed to operate like an insider."
— Stav Seti [18:47]
"It's not hacking. It's kind of like abusing the business process."
— Stav Seti [20:35]
"What the whole idea of behavioral analytics is to build a profile for the user ... lots of small signals ... create a clear compromise story."
— Stav Seti [23:46]
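As an added illustration of the signal-stacking in that quote (example code written for this page, not Cortex's detection logic), the Python below builds a per-user baseline from a constructed, simplified audit stream and sums weak signals, a first login from a new country, a new MFA method, a new device registration, and an inbox rule that forwards externally, into one compromise story. The event types, weights, 24-hour window and threshold are assumptions, and the code also shows the caveat from the episode: a brand-new user has no baseline, so "first ever" novelty is scored lower for them.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: str      # ISO 8601 UTC, constructed
    user: str
    kind: str    # simplified: login, inbox_rule, mfa_method_added, device_registered
    detail: str  # country for logins; "forward:external" / "move:folder" for rules


# Constructed sample audit stream (not real tenant data, not a real M365 log schema).
# Events before BASELINE_END are history; the last four compress the sequence the
# episode describes into a single night.
EVENTS = [
    Event("2024-10-01T09:02:00Z", "alice", "login", "US"),
    Event("2024-10-15T08:55:00Z", "alice", "login", "US"),
    Event("2024-11-03T14:20:00Z", "alice", "inbox_rule", "move:folder"),
    Event("2024-11-20T09:00:00Z", "alice", "login", "US"),
    Event("2024-12-02T03:12:00Z", "alice", "login", "MA"),
    Event("2024-12-02T03:15:00Z", "alice", "mfa_method_added", "authenticator-app"),
    Event("2024-12-02T03:18:00Z", "alice", "device_registered", "DESKTOP-7Q2"),
    Event("2024-12-02T03:25:00Z", "alice", "inbox_rule", "forward:external"),
]
BASELINE_END = "2024-12-01T00:00:00Z"
WINDOW = timedelta(hours=24)   # how long weak signals stay stackable (assumption)
ALERT_THRESHOLD = 7            # illustrative, not a vendor scoring model


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events, until):
    """Per user: login countries and event kinds seen before `until`.
    Fixed-format UTC strings compare correctly as plain strings."""
    base = defaultdict(lambda: {"countries": set(), "kinds": set()})
    for e in events:
        if e.ts < until:
            base[e.user]["kinds"].add(e.kind)
            if e.kind == "login":
                base[e.user]["countries"].add(e.detail)
    return base


def score_event(e, baseline):
    """Return (points, reason) for one event. Each signal is weak on its own,
    which is why no single rule creation or device enrollment decides anything."""
    b = baseline.get(e.user, {"countries": set(), "kinds": set()})
    has_history = bool(b["kinds"])
    if e.kind == "login":
        if e.detail in b["countries"]:
            return 0, ""
        return 2, f"login from {e.detail}" + ("" if has_history else " (no baseline)")
    if e.kind == "inbox_rule":
        pts = 1                                   # every rule creation is worth a look
        if e.detail.startswith("forward:external"):
            pts += 2                              # the persistence tactic in the episode
        return pts, f"inbox rule {e.detail}"
    if e.kind in ("mfa_method_added", "device_registered"):
        # Novelty only counts when there is history to be novel against; a new temp
        # employee has none, so every action would otherwise look like a "first".
        first = has_history and e.kind not in b["kinds"]
        return (2 if first else 1), ("first " if first else "") + e.kind.replace("_", " ")
    return 0, ""


def correlate(events, baseline, baseline_end=BASELINE_END,
              window=WINDOW, threshold=ALERT_THRESHOLD):
    """Stack scored signals per user inside a sliding window; when the sum crosses
    the threshold, emit one compromise story listing what contributed."""
    recent = defaultdict(list)   # user -> [(time, points, reason)]
    alerts, alerted = [], set()
    for e in sorted(events, key=lambda x: x.ts):
        if e.ts < baseline_end:
            continue
        pts, reason = score_event(e, baseline)
        if pts == 0:
            continue
        now = parse_ts(e.ts)
        bucket = [(t, p, r) for t, p, r in recent[e.user] if now - t <= window]
        bucket.append((now, pts, reason))
        recent[e.user] = bucket
        total = sum(p for _, p, _ in bucket)
        if total >= threshold and e.user not in alerted:
            alerted.add(e.user)
            alerts.append({"user": e.user, "score": total, "story": [r for _, _, r in bucket]})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, build_baseline(EVENTS, BASELINE_END)):
        print(f"{a['user']} score={a['score']}: " + " -> ".join(a["story"]))
```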
"MFA is not safety ... They should really monitor every new password reset and every new device enrollment."
— Stav Seti [25:32]
"You need to make sure to act fast because you can go from one compromised user to 100 ... in the matter of a very short time."
— Stav Seti [27:19]
"It's not really a system takeover, it's a process takeover. ... Identity is a new perimeter."
— Stav Seti [26:14]
"Any platform where trust can be turned to profit to be used. Today might be Microsoft 365, but in the future it'll expand to more cloud platforms."
— Stav Seti [30:28]
"It's like they're an easy way to print cash. All they need is an identity and they can just print their own money."
— Stav Seti [09:09]
"This is a really clever attack ... targeting it during the holiday season when things are busy just makes it fly right under the radar."
— David Moulton [15:06]
"Your endpoint solutions are completely blind to this. ... all of your EDR solutions are completely blind."
— Stav Seti [21:51]
"Internal phishing ... going from one account to dozens. It's like a game of cybertag."
— Stav Seti [22:04]
Jingle Thief is a striking illustration of how cybercriminals are evolving—using patience, insider knowledge, and purely cloud-based identity tactics to steal money in subtle, high-impact ways. Defenders must evolve as well, focusing on behavioral analytics and identity-centric controls to see, stop, and respond to these next-generation threats. Identity truly is the new frontline in cybersecurity.