Brief #8: Revolut's $20M Loss, ScarletEEL's Cloud Exploits

Mandos Brief, Week 28 2023: Revolut's costly loophole, ScarletEEL's cloud exploits, Storm0558's email breaches, ToiToin attacks South America and more .

6 min read
mandos brief #8 - week 28 2023


Revolut's $20 Million Lesson: The Cost of a Payment System Exploit

The cyberattack on Revolut, a fintech startup, resulted in a significant loss of $20 million. The attackers exploited a flaw in the company's payment systems, which was due to discrepancies between its US and European systems. This flaw caused funds to be erroneously refunded when transactions were declined.

The issue was first detected in late 2021, but before it could be fixed, organized criminal groups leveraged the loophole. They encouraged individuals to make expensive purchases that would be declined. The refunded amounts would then be withdrawn from ATMs.

The exact technical details associated with the flaw are currently unclear. However, it's evident that the attackers exploited a software bug that tricked Revolut into refunding too much money. This mass fraud scheme resulted in a net loss of about $20 million for Revolut.

The breach was not publicly disclosed, and Revolut decided not to comment on the attack. However, the company managed to recover some funds by pursuing those who had withdrawn cash. Despite this, the incident highlights the importance of robust security measures and the need for continuous monitoring of payment systems.

ScarletEEL's Exploits Terraform, Kubernetes, and AWS

ScarletEEL represents a sophisticated cloud operation that exploits containerized workloads to perform privilege escalation into AWS accounts. The attack begins within a compromised Kubernetes container and then spreads to the victim's AWS account. This demonstrates the attacker's deep understanding of AWS cloud mechanics, including EC2 roles, Lambda serverless functions, and Terraform.

The attacker uses a Terraform state file to attempt to pivot to other connected AWS accounts, aiming to broaden their reach throughout the organization. This level of sophistication is indicative of the increasing complexity of cloud-based attacks, which have risen by 56% over the past year.

In addition to exploiting vulnerabilities for privilege escalation, the attacker also seeks to exfiltrate sensitive data and create new resources for cryptomining. This multi-pronged approach underscores the diverse range of motives behind these attacks, which can range from financial gain to more espionage-focused objectives.

The ScarletEEL operation highlights the importance of robust cloud security measures, including vulnerability management, cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), runtime threat detection, and secrets management. These tools can help organizations reduce their risk from advanced threats and ensure the security of their cloud-based infrastructure.

US Government Emails Compromised by China-Based Espionage Group

The cyber espionage group, Storm0558, believed to be based in China, managed to breach the email accounts of more than two dozen organizations worldwide, including US and Western European government agencies. The group exploited a flaw in Microsoft's cloud email service, specifically in Outlook Web Access and They forged authentication tokens to access user accounts, a sophisticated technique that allowed them to impersonate Azure AD users and gain access to enterprise email accounts.

The cyber attackers had access to these accounts since May 2023, and their activities went undetected until customers reported unusual mail activity to Microsoft in mid-June. The affected agencies include the US State and Commerce Departments, among others. The National Security Council confirmed the breach, and Microsoft was immediately contacted to identify the source and vulnerability in their cloud service.

While Microsoft has successfully mitigated the attack and the cyber attackers no longer have access to the compromised accounts, it remains unclear whether any sensitive data was exfiltrated during the month-long period the attackers had access. This incident highlights the ongoing threat of cyber espionage and the need for robust cybersecurity measures, particularly in government agencies.

Windows Policy Loophole Is A Gateway for Malicious Drivers

The Windows policy loophole being exploited by cyber attackers is a significant threat to system security. This loophole allows the loading of drivers signed before July 29, 2015, using open-source tools such as HookSignTool and FuckCertVerifyTimeValidity. These tools alter the signing date of kernel-mode drivers, enabling the loading of malicious and unverified drivers signed with expired certificates.

The policy that permits this was designed to maintain compatibility with older software, allowing them to load older drivers in Windows 10 and Windows 11 without needing to be reviewed by Microsoft for safety implications. However, this has opened a gateway for cyber attackers to deploy thousands of malicious signed drivers without submitting them to Microsoft for verification.

Microsoft has taken steps to mitigate the threat by blocking all certificates used in this exploit and suspending the developer program accounts involved in the incident. However, the underlying policy loophole remains, and the tech giant faces a challenge in finding a better solution without compromising the backward compatibility of Windows with older software.

ToiToin: The Rising Threat to Latin American Banking

ToiToin is a sophisticated banking trojan that has been active since 2023. It primarily targets businesses in Latin America and employs a multistage infection chain along with custom-made modules to carry out its malicious activities. These activities include injecting harmful code into remote processes, circumventing user account control (UAC), and evading detection by sandboxes.

The trojan begins its attack with a phishing email. The email contains a malicious link that leads to a zip archive hosted on an Amazon EC2 instance. This archive contains a downloader executable that sets up persistence on the victim's system and communicates with a remote server to retrieve next-stage payloads.

ToiToin is capable of collecting data from installed web browsers and system information. It also checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module embedded into financial platforms in the Latin America region. This information is then sent back to the cyber attackers in an encoded format.

The trojan uses various evasion techniques and encryption methods throughout its infection chain. For example, it uses Amazon EC2 instances to host the malware, which helps it evade domain-based detections. It also generates a new and randomly generated file name with each download, allowing it to evade detection based on static file-naming patterns.

Share This Post

Check out these related posts

Brief #56: Patch Critical Microsoft Flaw, AI Cybersecurity Market Booms, Outcome-Driven Metrics for CISOs, Cybersecurity Career Progression

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #55: Snowflake Breach, AI-Powered Malware, CISO AI Pressures, Cybersecurity Talent Shortage

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #54: Fortinet Zero-Day, OpenAI AI Safety, Security Leaders Focus on High-Impact, Cybersecurity Skills in Demand

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read