Security researchers investigating ransomware gangs are being targeted by the criminals they track. A hacker, believed to be a member of the notorious Russian cybercrime gang REvil, used a fraudulent emergency data request (EDR), a type of subpoena used by US law enforcement, to obtain information from Twitter about cybersecurity analysts before going on to threaten the researchers and their families.
EDRs can be obtained with little oversight, making them ideal vehicles for social engineering attacks. Legislation has been drafted that may require requests to come with a digital signature, making them more difficult to falsify.
What is an emergency data request?
An EDR allows U.S. law enforcement agencies to unilaterally request information from an organization in a life-or-death emergency. This lets them bypass the usual protocol for learning who owns an account on a social media platform, which normally involves obtaining a court order or a full summons.
Because the agencies can make these requests themselves without any oversight, EDRs are a useful tool for social engineering. Many companies, such as Twitter, “have a streamlined process in which they publish faxes or police contact information to gain urgent access to data,” Mark Rush, a former U.S. Attorney General, told the KrebsOnSecurity blog earlier this year. “But there is no real mechanism, defined by most ISPs or technology companies, to test the validity of a search warrant or subpoena. So, as long as it looks right, they will comply.”
Successful fake EDRs are often sent from official email accounts that have been hacked, says Louise Ferret, a researcher at the search platform Searchlight Security. “You need email from the US government or US law enforcement,” she said. There are more than 18,000 police jurisdictions in the United States, many of which have been breached by hackers. At the federal level, the FBI’s email server was compromised last year, and auditors have criticized cybersecurity in US government departments as inadequate.
How EDRs are used to target security researchers
Although these tactics were previously used by hackers targeting other cybercriminals, they are now being used against ransomware researchers to intimidate them offline. One such criminal, known online as Sheriff and believed to be REvil member Alexander Sikerin, has used this tactic against three researchers in the past month, using fake EDRs to obtain contact information for targets and send them offensive and threatening emails.
One of the researchers, known online as Disagreement, describes her experience in detail in a blog post, explaining that at one point she was sent a message threatening her with the same fate as the murdered Saudi journalist Jamal Khashoggi: “You will end up like Jamal,” the message reads. “I will personally feed you with your family.”
Sheriff and another hacker, known as RichTheKid, boasted on the hacking forum breached.co that they had submitted 20 fake EDRs to Twitter seeking “IP audit, email and phone” information on security researchers. Sheriff has since been banned from the forum.
Fake EDRs: an increasingly popular tactic
Using fake EDRs to obtain information is an increasingly popular tactic for hackers, Ferret said. “It seems like an already existing tactic that has been used quite freely in the past in the cybercrime underground, but more often as part of a hacking operation to obtain this kind of sensitive customer data or by cybercriminals against their rivals as a means to harass or even intimidate them to continue working for them,” she said. Doxxing is a practice in which someone’s personal information is published or shared maliciously online.
“Threats are now turning this type of low-tech tactic on those who investigate and uncover their illegal activities,” Ferret added. “And Twitter is an easy target because it brings together a lot of researchers.”
Twitter is not up to date with its EDR validation process. The nature of the requests means that they need to be dealt with quickly, so employees can be left to choose between taking the time to inspect a request properly, at the risk of someone being seriously injured or killed, and releasing information more quickly with little scrutiny.
Twitter points out in its privacy policy that “we may disclose account information to law enforcement in response to a valid emergency disclosure request. Twitter assesses requests for urgent disclosure case by case in accordance with the relevant law.” The company did not respond to questions from Tech Monitor at the time of writing.
Rival social media platform Facebook received 21,700 emergency requests worldwide from January to June 2021 and provided some data in response to 77% of requests.
What is being done to deal with fake EDRs?
Legislation to address the fraudulent use of EDRs may be forthcoming. Democrat Sen. Ron Wyden has drafted a proposed Digital Authentication Bill for Court Orders. The proposal, which has bipartisan support, was first presented last year and would, among other things, require EDRs and similar orders to come with a digital signature to prove authenticity.
“No one wants technology companies to refuse legal requests for emergencies when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed,” Wyden said. “Fraudulent government demands are a serious concern, which is why I have already drafted legislation to eliminate false orders and subpoenas.”
Ferret says the legislation would be a welcome step to keep security researchers and others safe. “Using things like digital signature technology is an interesting way to deal with this, because we hope it will be much faster than other verification methods,” she said. “I think it’s definitely necessary, especially if it happens more often.”
For now, however, researchers will be left to feel exposed and insecure on Twitter, she concluded. “This is new for researchers who have previously been able to remain anonymous,” Ferret said. “They seem to feel less safe or feel as if they will now be identified.”