Mandiant's 'most prevalent threat actor' may be living under your roof – the teenager

RSA Conference While some spend sleepless nights worrying about the big four nation-state cyber threats, you shouldn't underestimate the ones possibly living under your roof: teenagers.

"One of the most prevalent threat actors in the United States today that is…really hard to defend against: it's the teenagers," said Charles Carmakal, CTO of Google Cloud's Mandiant Consulting, at a threat intelligence panel at the outskirts of RSA Conference in San Francisco. "There's a number of [teenage] groups that we're actively tracking."

We've seen very young individuals break into some of the biggest organizations by leveraging these techniques

Specifically: teens and early 20-somethings, who live in the US and the UK, who typically speak English as their first language, Carmakal said. 

These teens "are incredibly effective social engineers, and they are able to convince people to do things that they ask them to do, like visit certain malicious websites and type in their username and password, or log into any desktop comm and download the AnyDesk client and provision access to somebody," he added. "We've seen very young individuals break into some of the biggest organizations by leveraging these techniques that are so hard to defend against."

Of course, Lapsus$ immediately comes to mind. This is the possibly extinct extortion gang led by teenagers who went on a cybercrime spree last year before the arrest of its alleged ringleaders. Before that, however, the gang stole data from Nvidia, Samsung, Microsoft, Okta, and others.

Carmakal pointed to the Twilio breach, which was later linked to the Okta intrusion. In addition to disclosing the company had been hit by a social-engineering scam, the comms giant also shared some of the real text messages that their employees received, he noted.

These young miscreants also tried (and failed) — to hit Cloudflare, and cast a much wider net in their phishing expedition, targeting as many as 135 organizations — primarily IT, software development and cloud services providers based in the US — in a campaign now dubbed Oktapus. 

"This is happening, very successfully, at dozens of other organizations, maybe hundreds of other organizations," Carmakal said. "Basically you have threat actors that are sending text messages to people's either work or personal cell phone numbers, and they are crafting these very convincing messages."

Typically these types of phishing attacks target people who work in tech support or call centers. And they are especially effective because the network traffic isn't monitored by the company and its security provider. 

"It's all traversing through this cellular network, so enterprises aren't even able to monitor this," Carmakal said. 

• Medusa ransomware crew brags about spreading Bing, Cortana source code
• Twilio, Cloudflare just two of 135 orgs targeted by Oktapus phishing campaign
• An earlier supply chain attack led to the 3CX supply chain attack, Mandiant says
• How fiends abuse an out-of-date Microsoft Windows driver to infect victims

Another way teenage hackers are pulling off these heists is by calling organizations' staffers and convincing them that they are help-desk employees by spoofing the caller ID to look like the real help-desk phone number. 

"The thing that's very scary about these operators is that when they conduct their extortion, they are doing it in a way that is very different than how most ransomware and multi-faceted extortion operators do it," Carmakal said. "They are making it very personal."

This includes harassing companies' employees and their family members, he added. "If you think about the dynamic in extorting an organization, it's one thing to pay a threat actor to get a decryptor to get your systems running again. It's a very different story if you're an executive at the company and your daughter is being harassed by a threat actor. Your desire to pay, or your willingness to pay shoots up tenfold."

Carmakal said one Mandiant Consulting client that is currently being extorted by cybercriminals received flowers from the extortionist. "It was a very, very intimidating thing." ®