Advisory 2019-003 - Immediately Turn On Mailbox Auditing

Mossé Security's Advanced CSIRT Team have been urgently called to respond to an alarming number of email account compromises that have allowed threat actors such as CRIME CHARLIE and CRIME OSCAR to steal money from regional organisations. Vast collateral damages are doubtlessly ensuing to these companies' reputations with their 3rd party vendors and employees.

Mailbox Audit logs allow incident responders to answer the following questions:

• Which emails is the adversary accessing?
• Who is the adversary impersonating?
• Which files are being accessed, edited and deleted?
• What is the adversary's IP address and what country are the attacks originating from?
• How are we differentiating legitimate employee activities vs. adversary activities?

IT Managers are urgently advised to confirm that all audit logs for cloud services are captured and retained for at least 18 months.

Microsoft Office 365

As of January 2019, Office 365 turns on audit logs by default. If your organisation created its account prior to that date, then you must enable it manually.

The following logs can be captured:

• User activity in SharePoint Online and OneDrive for Business
• User activity in Exchange Online
• Admin activity in SharePoint Online
• Admin activity in Azure Active Directory
• Admin activity in Exchange Online
• User and admin activity in Sway
• eDiscovery activities in the security and compliance center
• User and admin activity in Power BI
• User and admin activity in Microsoft Teams
• User and admin activity in Dynamics 365
• User and admin activity in Yammer
• User and admin activity in Microsoft Flow
• User and admin activity in Microsoft Stream
• Analyst and admin activity in Microsoft Workplace Analytics
• User and admin activity in Microsoft PowerApps

Google Suite

G Suite automatically enabled audit logs and allows the following events to be searched:

• Admin audit log
• Login audit log
• SAML audit log
• Drive audit log
• Calendar audit log
• Devices audit log
• OAuth Token audit log
• Groups audit log
• Hangouts Chat audit log
• Google+ audit log
• Google+ audit log
• Hangouts Meet audit log
• User Accounts audit log
• Email Log Search

Mossé Security Recommendation: Incident Simulation

Mossé Security is sending out this Urgent Advisory to all organisations, both regional and international ones, to promptly undertake a table-top exercise and roleplay adversaries such as CRIME OSCAR or CRIME CHARLIE targeting them. This is a service that Mossé Cyber Security Institute delivers and can also teach you how to then effectuate it independently. If you're unsure how to do this on your own, Mosse Security strongly advises not to wait.

The goal here is to demonstrate with absolute certainty that the logs required to respond to these threat actors are being captured in the timeliest manner possible.

Published: 10/07/2019