Kroll Says Breach was Due to SIM Swapping
Kroll has disclosed that an employee’s T-Mobile account was the target of a successful SIM-swapping attack: a threat actor convinced T-Mobile to switch the employee’s phone number to a device the attacker controlled. The incident occurred on August 19. Kroll writes that “it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”
T-Mobile and most carriers have implemented some controls to make SIM swapping more difficult, but Kroll says “T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor's phone at their request.” Not a lot of detail to determine if any controls had been enabled on that particular account – doing so is key to enable trustable mobile phone-based MFA. The recent CSRB report on the Lapsus$ attack detailed how telecommunications provider customer management tools were compromised to bypass controls against SIM swapping. Good reminder to check corporate mobile services settings and mobile device management policy checks for employee-owned devices.
SIM-swapping is one threat vector we pentesters can't directly exploit, so be sure to calculate and consider this risk another way. And let this be your reminder that while SMS-based MFA is better than none, there are many more secure options available.
This was a SIM-swapping attack on the corporate account. While we've all been focused on making sure our personal accounts were protected, your corporate team should have been doing the same with your corporate carriers. Take a moment to ask your mobility team what controls are in place to prevent SIM-swapping, and if they have implemented all the latest options. They may have to reach out to their account reps for the answer. Also, make sure you're asking about all your carriers. While you may have a default/preferred service provider, odds are you have alternates for areas where coverage is better from another provider.
T-Mobile ‘owns’ this compromise of the Kroll network. SIM-swapping has been around for more than a decade and mobile service providers by now should have a solid set of procedures in place to guard against it. That said, Kroll would be wise to revisit what controls it has in place for mobile device management to minimize future data loss.
I just mentioned SIM-swapping attacks in class this week when we were discussing cloud and IdP attacks and the strengths of each one. I have noticed along these lines that it is still the target for getting into crypto exchanges. The other commonality is that T-Mobile customers seem more in the news. Is it just T-Mobile? Hard to say, but strange.
That this change took place without even notification to the subscriber is a classic failure. As a major carrier, T-Mobile must perform at least as peer to its competition. Provisioning orders must be subject to supervision, training, out-of-band confirmation, and with sufficient delay (e.g., three days) for the out-of-band confirmation to give the subscriber time to recognize and react. These are essential, not simply desirable, controls.
William Hugh Murray
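To make the controls described in the comment above concrete (out-of-band confirmation to the channels already on file, a cooling-off delay before the number moves, and an easy way for the subscriber to cancel), here is an added illustration of a number-transfer workflow. It is example code written for this page, not T-Mobile's or Kroll's provisioning logic; the three-day hold, the account and contact values, and the `SimChangeWorkflow` class and its methods are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
import secrets

# Assumption: the three-day delay suggested above; the number never moves
# before this much time has passed since the request was opened, even if the
# subscriber confirms immediately (a rushed "yes" under social engineering is
# still not enough on its own).
HOLD_PERIOD = timedelta(days=3)


@dataclass
class PortRequest:
    account_id: str
    new_sim: str
    created_at: datetime
    token: str
    status: str = "pending"          # pending -> confirmed -> executed, or rejected
    confirmed_at: Optional[datetime] = None
    # (channel, message) pairs sent out of band; in real life these are sent,
    # here they are just recorded so the flow can be inspected.
    notifications: List[Tuple[str, str]] = field(default_factory=list)


class SimChangeWorkflow:
    """Hypothetical carrier-side handling of a SIM/number transfer request."""

    def __init__(self) -> None:
        self.requests: Dict[str, PortRequest] = {}

    def open_request(self, account_id: str, new_sim: str, now: datetime,
                     contacts_on_file: List[str]) -> PortRequest:
        token = secrets.token_hex(8)
        req = PortRequest(account_id, new_sim, now, token)
        # Confirmation goes ONLY to channels already on the account (the current
        # handset, the registered e-mail), never to whoever placed the request.
        for channel in contacts_on_file:
            req.notifications.append(
                (channel, f"SIM change requested. Reply with code {token} to approve, "
                          f"or STOP to cancel. No action is taken for {HOLD_PERIOD.days} days."))
        self.requests[account_id] = req
        return req

    def confirm(self, account_id: str, token: str, now: datetime) -> bool:
        req = self.requests[account_id]
        if req.status != "pending":
            return False
        # constant-time compare: the code is a secret delivered out of band
        if not secrets.compare_digest(token, req.token):
            return False
        req.status = "confirmed"
        req.confirmed_at = now
        return True

    def reject(self, account_id: str) -> None:
        """Subscriber replied STOP (or staff flagged it): cancel outright."""
        self.requests[account_id].status = "rejected"

    def execute(self, account_id: str, now: datetime) -> bool:
        """Move the number only if confirmed AND the hold period has elapsed."""
        req = self.requests[account_id]
        if req.status != "confirmed":
            return False
        if now < req.created_at + HOLD_PERIOD:
            return False   # still inside the cooling-off window
        req.status = "executed"
        return True


def demo() -> Dict[str, object]:
    """Walk two constructed requests through the workflow and report outcomes."""
    t0 = datetime(2023, 8, 19, 9, 0)           # constructed timestamp
    wf = SimChangeWorkflow()
    results: Dict[str, object] = {}

    # Request 1: legitimate subscriber approves, but must still wait out the hold.
    req = wf.open_request("acct-001", "SIM-NEW-0001", t0,
                          ["sms:+15550000001", "mail:employee@example.com"])
    results["notified_channels"] = len(req.notifications)
    results["wrong_code_rejected"] = not wf.confirm("acct-001", "not-the-code",
                                                    t0 + timedelta(minutes=5))
    results["confirmed"] = wf.confirm("acct-001", req.token, t0 + timedelta(hours=1))
    results["executed_early"] = wf.execute("acct-001", t0 + timedelta(hours=2))
    results["executed_after_hold"] = wf.execute("acct-001", t0 + HOLD_PERIOD)

    # Request 2: subscriber sees the notice, replies STOP; nothing ever moves.
    wf.open_request("acct-002", "SIM-NEW-0002", t0, ["sms:+15550000002"])
    wf.reject("acct-002")
    results["stopped_request_blocked"] = not wf.execute("acct-002", t0 + HOLD_PERIOD)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the subscriber's existing channels, not the caller, are the authority for the change, and that the delay runs from the request rather than from the confirmation, so an attacker who also manages to obtain the code still cannot shortcut the window in which the real owner can react.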
Read more in
Krebs on Security: Kroll Employee SIM-Swapped for Crypto Investor Data
Kroll: Security Incident