AT&T Data For Sale by Everest Ransomware Group OCT 2022
First, let me dive into AT&T: who they are, what they are, and what is at stake.
AT&T is the oldest public communications company in the United States. At one point they were so large that the United States Government forced them to split the company up. This created the "Bell" companies, such as Southwestern Bell in Texas.
This telecommunications company grew into the super-communications force it is today as it re-acquired most of the "Bell" companies back under the AT&T umbrella.
Today we see AT&T in nearly every sector: cellular communications, internet services, and even as a key player in information security.
My guess is that around 50% of the internet backbone is under direct control of AT&T and its affiliates.
Now, let us get to know Everest Ransomware Group.
They are a Russian-speaking group of cyber criminals that has claimed responsibility for successfully attacking South American and African governments. Other notes of interest are the attacks on Ferrari and SPERONI, as well as hundreds of celebrities.
Their tactic is definitely double-extortion: they not only lock the infected targets out of their systems, they also siphon off the data to be sold on dark-web marketplaces.
Here are references to my above comments:
Italian Celebrities: https://www.bleepingcomputer.com/news/security/italian-celebs-data-exposed-in-ransomware-attack-on-siae/
South African Govt Controls: https://cyware.com/news/everest-ransomware-gang-hacked-into-south-african-state-owned-electricity-company-eskom-e81edd5e/
Brazil's attack: https://www.riotimesonline.com/brazil-news/technology/everest-ransomware-group-claims-to-have-penetrated-brazilian-government/
Details on Everest Ransomware Group: https://www.cybersecurity-insiders.com/details-of-new-pysa-n-everest-ransomware/
Ferrari attack: https://vpnoverview.com/news/ransomware-gang-ransomexx-swipes-7gb-of-data-from-ferrari/
One of the biggest concerns about this attack is that AT&T is actually seen as a leader in cyber security, having acquired AlienVault not too long ago.
Above are some of the services they offer.
AT&T provides voice solutions in 240 countries, linking 400 carriers around the globe. This allows them to provide remote access solutions from over 19,500 points of presence in 149 countries.
They also manage 79,000 MPLS nodes in 80 countries on a global fiber backbone that carries 4.6 petabytes of data every single day! Most of the backbone miles are in the United States, connecting roughly 80% of 410,000 fiber route miles!
Now add this, straight from att.com:
End-user tools:
With eBill, customers can download and analyze their bills in half the time.
As you can see from multiple sources, AT&T is truly a powerhouse, connected on many different layers (multi-layer, you could say), with easy access to nearly anything on this planet. I can only imagine the insight the Everest Ransomware Group has gained from the theft of data that could expose even more than the SolarWinds breach not too long ago.
If this breach report, or rather the claim, is accurate, this could easily be the Security Incident of the Decade! (And we still have 8 more years to go.)
How ERT Works:
Understanding the attack vectors for Everest Ransomware Team (ERT):
Remote Desktop Protocol and leaked access accounts.
This is imperative to understand, as the infamous port 3389 has been a thorn in the side of most infosec practitioners.
Remote Desktop Protocol is a protocol used to remotely access computers. It provides direct access to a remote machine, as if it were sitting right in front of you.
Commonly, port 3389 is used to provide RDP connections. This is similar to other protocols having a nearly dedicated port assignment for their server: HTTPS, for instance, uses port 443, giving us the ability to browse SSL/TLS-protected websites on the world wide web.
Products like Shodan have made it simple for all technologists to see what exposures exist in your organization. Shodan does this by constantly observing the entire internet, then building a searchable library. The library contains port states, IP addresses and potentially visible vulnerabilities (CVEs), alongside identification such as ASN, geographic location, business name, etc. In some instances, even a screenshot of the accessible RDP-enabled machine can be shown.
As you can see in the image above, one does not need to know more than how to use the infamous 'MSTSC' command. Leaked usernames, and even passwords, are completely evident.
If you have RDP enabled on your network, note that the InfoSec community has been warning for a decade or more to disable it.
Screenshot credits to: Dave White, Bob Carver and David Maimon.
As you can see from the three images above, there is a great deal of 'scuttlebutt' on RDP, but these are not rumors; these are serious security issues.
Fact is, RDP is the single biggest vulnerability into ANY network. Government or private, big or small: if it is exposed and connected, you might as well just leave your wallet sitting outside your front door.
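As an added example (not part of the original article), here is a defender-side detection for the RDP vector described above: it scans Windows Security logon records (event IDs 4625/4624 with LogonType 10, i.e. RDP) for a password-guessing burst from one source and for a successful RDP logon from a source that was failing moments earlier, which is the pattern leaked credentials produce. The simplified field names and every IP address and username are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, reduced to the fields a SIEM
# normally extracts from 4625 (failed logon) and 4624 (successful logon).
# LogonType 10 = RemoteInteractive, i.e. an RDP session. All values are made up.
EVENTS = [
    {"time": "2022-10-28T09:00:01", "id": 4625, "logon_type": 10, "user": "jsmith",   "src": "203.0.113.7"},
    {"time": "2022-10-28T09:00:03", "id": 4625, "logon_type": 10, "user": "admin",    "src": "203.0.113.7"},
    {"time": "2022-10-28T09:00:05", "id": 4625, "logon_type": 10, "user": "svc_bak",  "src": "203.0.113.7"},
    {"time": "2022-10-28T09:00:06", "id": 4625, "logon_type": 10, "user": "jdoe",     "src": "203.0.113.7"},
    {"time": "2022-10-28T09:00:08", "id": 4625, "logon_type": 10, "user": "helpdesk", "src": "203.0.113.7"},
    {"time": "2022-10-28T09:00:09", "id": 4624, "logon_type": 10, "user": "helpdesk", "src": "203.0.113.7"},
    {"time": "2022-10-28T09:05:00", "id": 4625, "logon_type": 10, "user": "jsmith",   "src": "198.51.100.4"},
    {"time": "2022-10-28T09:06:00", "id": 4624, "logon_type": 10, "user": "jsmith",   "src": "198.51.100.4"},
    {"time": "2022-10-28T09:07:00", "id": 4624, "logon_type": 2,  "user": "jsmith",   "src": "-"},
]

def detect_rdp_credential_attacks(events, window=timedelta(minutes=5),
                                  burst=5, min_failures=3):
    """Return alerts for RDP (LogonType 10) logon activity.

    ('brute_force', src, count): a source reaches `burst` failed RDP logons
        inside `window`.
    ('success_after_failures', src, user): an RDP logon succeeds from a source
        with at least `min_failures` recent failures (leaked creds finally match).
    A single typo followed by a success stays below `min_failures` and is ignored.
    """
    failures = defaultdict(list)   # src -> timestamps of recent failed logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue  # console/network logons are out of scope here
        ts = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        # drop failures that have aged out of the sliding window
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if ev["id"] == 4625:
            failures[src].append(ts)
            if len(failures[src]) == burst:
                alerts.append(("brute_force", src, burst))
        elif ev["id"] == 4624 and len(failures[src]) >= min_failures:
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_credential_attacks(EVENTS):
        print(alert)
```

On the sample data the source 203.0.113.7 triggers both alerts, while 198.51.100.4 (one failure, then success) and the local LogonType 2 event produce none.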
I will add more details as I learn them.
Securing Technology For You and HBCU (2 years ago)
One of the updates for 10/28 - 09:03 is this:
Securing Technology For You and HBCU (2 years ago)
In the image, the most concerning part is: "corporate network". If this is a true collection of corporate data, this very well means everything that AT&T owns is now in the hands of Everest and anyone who decides to purchase it.
Socially Responsible Founder - #neurodiversity #cybersecurity #hiring #diagnosis Nominations: Innovation Professional of the Year, the Diversity and Inclusion Champion Award, Start-up Award for Health Innovation (2 years ago)
Very insightful and interesting article, Sandor. Can they do something to stop this happening, what do you think?
Bespoke Generative AI for Engineering & Manufacturing (PLM, MES, ERP) | Cloud Native | Air Gapped | System Integration | Concepts, Technologies, Execution (2 years ago)
Great summary and references. Looking forward to updates here.
Telecommunications Specialist III (2 years ago)
Eeeeho, Guards Up!