Mossé Security’s Advanced CSIRT Team have been urgently called to respond to an alarming number of email account compromises that have allowed threat actors such as CRIME CHARLIE and CRIME OSCAR to steal money from regional organisations. Vast collateral damages are doubtlessly ensuing to these companies’ reputations with their 3rd party vendors and employees.
Mailbox Audit logs allow incident responders to answer the following questions:
IT Managers are urgently advised to confirm that all audit logs for cloud services are captured and retained for at least 18 months.
As of January 2019, Office 365 turns on audit logs by default. If your organisation created its account prior to that date, then you must enable it manually.
The following logs can be captured:
G Suite automatically enabled audit logs and allows the following events to be searched:
Mossé Security is sending out this Urgent Advisory to all organisations, both regional and international ones, to promptly undertake a table-top exercise and roleplay adversaries such as CRIME OSCAR or CRIME CHARLIE targeting them. This is a service that Mossé Cyber Security Institute delivers and can also teach you how to then effectuate it independently. If you’re unsure how to do this on your own, Mosse Security strongly advises not to wait.
The goal here is to demonstrate with absolute certainty that the logs required to respond to these threat actors are being captured in the timeliest manner possible.