Section 1 - Enough Beef for a Burger

Following the escalating rap feud between our lead rapper Dwake and Dollar Currency Records' (DCR) Present, a trusted cybersecurity contact alerted me that we should expect a cyberattack by threat actors related to this feud, and that they heard a rumor of IP address 18.66.52.227 being used for reconnaisance.

Using this information, I looked up any queries made against our website.

InboundNetworkEvents
| where src_ip == "18.66.52.227"
| where timestamp <= datetime(2024-04-11)
//simply because the game's case develops in roughly "real time";
//i.e. at this point of the story we should only see the things from April 10th

Indeed, said IP address accessed our network on April 10th in order to execute reconnaisance search queries looking for information on artists' contact info, company press releases, concerts, and specifically info on how to book or contact Dwake.

Since Lead Rapper Dwake is evidently the focus of the threat actors' attention, I'll priorize examining him. This attack seems to be simply compromised credentials, rather than devices (e.g. installation of malware).

OWL Records' password reset process requires an email and solving previously-established static security questions. The attackers, masquerading as Dwake, requested a password reset and succesfully entered his security questions.

https://owl-records.com/account/security-questions?question_1=mother's+maiden+name&answer_1=Washington&question_2=first+pet's+name&answer_2=Fluffy

Dwake inadvertely leaked the answers in a verse dissing Present that went viral recently.

Yo, Present, you don't know where I'm from,
Got the Washington name from my mom's side, son.
It makes sense why they call you present
Cause you're so easy to beat, its pretty much a gift

Used to play with little Fluffy, now I'm runnin' with the wolves,
You say you're on top, but I'm breakin' all the rules.
I'm on that next level, you're stuck in the past,
with those weak beats you won't last.

After succesfully resetting Dwake's corporate email password, the threat actors then resetted his Instagram password, taking it over and defacing his profile with embarrassing images and statements the following day (April 11th).

Section 2 - Less Beef, More Phish

Between Present's information being made available on BreachForums if he did not retire in 30 days and/or paid up 10M USD (reports conflict) and a tip from the same trusted contact, I decided to focus on possible phishing attempts against OWL Records employees from the same threat actor, which is suspected to be related to Dollar Currency Records in some way. For this portion of the investigation, I've decided to start by looking at any new inbound network events since the first signs of reconnaisance in early April.

InboundNetworkEvents
| where src_ip == "18.66.52.227"
| where timestamp >= datetime(2024-04-11)

There's some deeply troubling activity; it seems the threat actor managed to compromise multiple employee accounts, including Dwake's. Most troubling is a sign of data exfiltration from Dwake's account on April 30th. In order to confirm who was affected, I ran this query:

InboundNetworkEvents
| where src_ip == "18.66.52.227"
| where parse_url(url).['Query Parameters'] has "user"
| project user = extract( //see https://learn.microsoft.com/en-us/kusto/query/extract-function
    "^([a-zA-Z]+)", //regex pattern
    0, //capture group to extract
    tostring(parse_url(url).['Query Parameters'].["user"]), //source string
    typeof(string) //convert the extracted element to a string
)
//this extracts the username from the query parameters
//"https://owl-records.com/mail?user=lowhite[...]"
//becomes "lowhite[...]" via parse_url
//which becomes just "lowhite" via extract()
| distinct user
| lookup Employees on $left.user == $right.username

In order to retrace the threat actors' steps, I've decided to examine the known threat actor IP:

PassiveDns
| where ip == "18.66.52.227"
| distinct domain

This domain could be used for malicious purposes, such as stealing credentials or delivering malware via phishing emails. Looking up IP addresses associated with this domain reveals that the threat actors only made use of a single domain and a single IP addresses for this operation.

Email
| where * has "betterlyrics4u.com"

Of 13 emails, only 2 intended for rapper Jay Knight, sent April 11th, were blocked. Jay Knight was eventually compromised by a third email sent April 12th.

Email addresses:
• ghostwritersanonymous@protonmail.com
• wemakebeatz@gmail.com

Sender:
• Ghost Writer (sender name)
• GhostWriter (signature)

Subjects:
• Need a ghostwriter for your next hit?
• Get FREE beats from the best hip hop writers in the game!!!!

Dates: 2024-04-10 to 2024-04-25
• Dwake received the emails on 2024-04-19

Since all recipients had their accounts compromised, we can surmise that they clicked the malicious links and input their credentials. We can confirm dates and times with:

InboundNetworkEvents
| where src_ip == "18.66.52.227"
| where parse_url(url).['Query Parameters'] has "user"
| project user = extract( //see https://learn.microsoft.com/en-us/kusto/query/extract-function
    "^([a-zA-Z]+)", //regex pattern
    0, //capture group to extract
    tostring(parse_url(url).['Query Parameters'].["user"]), //source string
    typeof(string) //convert the extracted element to a string
)
| distinct user
| lookup Employees on $left.user == $right.username
| distinct name, ip_addr
| lookup OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where url has "betterlyrics4u.com"

Since Dwake has been the focus of the feud with DCR's Present and is the sole lead rapper among the affected, I've decided to focus on his account. As previously noted, the sole sign of data exfiltration is from his account.

Lead Rapper Dwake Audrey clicked on the malicious link on 2024-04-15.

The phishing page requested OWL Records credentials to "Login to speak with GHOST WRITER". There is also, rather mysteriously, a "forgot password" button, and a SSO button if one is "already upgraded".

To see when the threat actors sucessfully logged in to the employee accounts, I used:

AuthenticationEvents
| where src_ip == "18.66.52.227"
| where result =~ "successful login"

Lead Rapper Dwake Audrey's account specifically was accessed once, on 2024-04-15 at 13:53:12.

After compromising the artists, the threat actors searched for information stored in each compromised email account (see [2]); they made search queries for "secret", "confidential", "scandal", "leak", and "sensitive", along with looking through each artists' email drafts, the internal communications email folder and its meeting notes, private emails and employee complaints subfolders.

In Dwake's case, they exfiltrated his private emails in a zip archive named "DwakesDirtySecrets.zip", downloaded directly to the attacker's device.

In brief:

1. The threat actor engaged in recon using IP address 18.66.52.227, focusing on Dwake's contact information.
2. Having found his email address, the threat actor successfully answers the two static security questions, their answers having been inadvertely leaked by Dwake himself in his lyrics.
3. The threat actor resets his password and uses his email account to "recover" and reset his Instagram's password, enabling defacement.
4. The threat actor sends phishing emails offering "ghostwriting services" to 10 of DCR's rappers and a link to a fake login page; all ten click the links and submit their credentials.
5. With unfettered access to the mailboxes, the threat actor exfiltrates information from Lead Rapper Dwake; there are no signs of exfiltration from the other compromised employees.

The exfiltrated emails could be used for blackmail and extortion in the future; the immediate aftermath is that the feud--allegedly the source of these attacks--is resolved peacefully for the time being.

While one can question Dwake's wisdom to include private information in his lyrics--lyrics dissing a rival, no less--I would argue the greater failure was OWL Records' deeply flawed knowledge-based authentication (KBA; security questions) for password resets.

Despite the fact that KBA remains widespread, specially "static KBA" (shared secrets), the NIST no longer recommends their use. Furthermore, the questions given to OWL Records employees do not meet some important minimum standards such as requiring a minimum of four questions (Dwake got compromised with only two). While those standards might not necessarily apply to the specific case of a record label's internal corporate network, I think it's a good idea to consider them when evaluating this case.

A great flaw of this system is that the questions given are frequenly a matter of public record that anyone can look up, are frequently lacking in specificity (so users probably set the answer to something generic and easily-guessable), or are things people may be compelled to share for one reason or another (should Dwake never speak of his dear childhood pet Fluffy?)

Better than KBA/KBV would be if requesting a password reset required a MFA token, such as TOTP, PINs, or URL tokens sent through additional communication channels, such as their personal email account. Further, OWASP's Forgot Password Cheat Sheet recommends only using security questions as an extra layer complementing more robust verification methods, if at all; OWASP also has a legacy Security Questions Cheat Sheet that starts with a giant warning about how security questions are a terrible idea in this day and age. [...] there are no acceptable uses of security questions in secure software [...].

In the case of Dwake's phish in section 2, there does not seem to be any form of MFA; much like the first time Dwake got compromised, the threat actor only needed access to basic details of his account in order to gain access. If there had been another factor to authenticate and if such a measure were enforced across all accounts, then the threat actor would've been stopped in their tracks, unable to compromise Dwake's (and other artists') accounts for espionage and data exfiltration.