United States Special Operations Command has an annual conference called Sovereign Challenge, although it does seem to be on hiatus due to the pandemic. I first heard of this in 2018. When I started examining their online presence, I was astounded to find that sovereignchallenge.org was available, so I bought it. I made several efforts to get them to reclaim it, but they went unanswered.
This is a dangerous situation for them in terms of a potential spearphishing campaign. Let me explain …
Attention Conservation Notice:
Mucking around with DNS and email and stuff lies ahead. If you’re not a hard cyber person, it’s probably a skim-it-and-read-the-conclusion affair.
Recon:
I noticed the domain was available in the context of examining their overall footprint. This is what I know about Sovereign Challenge’s online presence thus far.
SovereignChallenge.org left adrift, I own it now.
The @SovereignChall Twitter account is linked to an email address on the domain, but I’ve not contrived a way to retrieve it yet.
There’s a Facebook group, but the email it’s linked to is under a clearly fake name, and they want a picture ID before resetting the account.
The official presence is www.socom.mil/SovereignChallenge
Hazards:
What could be done with this sort of access? If I were a foreign intel agency I could quickly cook up an ID that would pass muster and regain access to that Facebook group. I bet if I put some time into setting up a mailer, rather than the Cloudflare thing I’m doing now, I could recover that Twitter account, too.
Once those two social media profiles are under control, the obvious move is to clone the official presence, set up some watering hole attacks using the actual domain, and maybe start a spearphishing campaign. Since my background is influence, investigations, and security, I don’t have the skills needed to do this myself, but every single APT out there has a hundred people who can do it in their sleep.
Overall the U.S. military has pretty good cybersecurity. The hazards here would be retirees, vendors, and interested citizens falling into the trap. Compromising the devices of the general’s wife is a good first step to getting into his stuff, too.
Remediation:
Well, first, they could have just sent me an email offering some cool SOCOM swag, and I’d have given ‘em back their domain. But if you read Sovereign Challenge Theropod Stampede closely you’ll recall what I said about completed jobs. You clean them up, or you let their stuff sit around for potential future use. But you don’t leave that to chance; you have to MINDFULLY pick which one you choose to do.
This is a situation where if they could not find a way to regain the domain itself, they should have immediately moved to control and idle those social media accounts. I presume there’s some sort of government services access to both companies, and that should have been used to eliminate the attack surface these uncontrolled assets represent.
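The mindful choice above only works if somebody is actually tracking what the organization owns. One way to do that for domains is a periodic expiry audit over the registration inventory, using the registry’s RDAP data (RFC 9083 puts the registration and expiration dates in an "events" array). The following is an added example, not code from the original post or anything SOCOM runs; the domain names and dates in it are constructed so it runs offline, and a real deployment would fetch each record from a registry RDAP endpoint (for example https://rdap.org/domain/NAME) instead of the inline dictionary.

```python
"""Audit a domain inventory for lapsed or soon-to-lapse registrations.

Added example, not part of the original post. The RDAP responses below are
constructed in the RFC 9083 shape; a live version would fetch them from the
registry's RDAP service (a 404 there means the name is not registered).
"""
from datetime import datetime, timezone

# Fixed "now" so the report is reproducible; a real run would use
# datetime.now(timezone.utc).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed inventory: name -> RDAP domain object, or None when the
# lookup returned 404 (i.e. the name is available to anyone).
SAMPLE_RDAP = {
    "example-conference.org": {          # constructed: renews in 45 days
        "objectClassName": "domain",
        "ldhName": "example-conference.org",
        "status": ["client transfer prohibited"],
        "events": [
            {"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2024-04-15T00:00:00Z"},
        ],
    },
    "example-swag.org": {                # constructed: renewed well ahead
        "objectClassName": "domain",
        "ldhName": "example-swag.org",
        "status": ["active"],
        "events": [
            {"eventAction": "registration", "eventDate": "2019-06-30T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2027-06-30T00:00:00Z"},
        ],
    },
    "example-oldevent.org": {            # constructed: lapsed, in redemption
        "objectClassName": "domain",
        "ldhName": "example-oldevent.org",
        "status": ["redemption period"],
        "events": [
            {"eventAction": "expiration", "eventDate": "2023-11-20T00:00:00Z"},
        ],
    },
    "example-adrift.org": None,          # constructed: RDAP 404, unregistered
}


def _parse_rdap_date(text):
    """RDAP dates are RFC 3339; fromisoformat() wants +00:00 rather than Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def expiration_date(rdap):
    """Return the 'expiration' event date from an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return _parse_rdap_date(event["eventDate"])
    return None


def days_until_expiry(rdap, now):
    """Whole days from `now` to expiry; negative once it has passed."""
    exp = expiration_date(rdap)
    if exp is None:
        return None
    return (exp - now).days


def classify(rdap, now, warn_days=60):
    """Bucket one domain for the report."""
    if rdap is None:
        return "unregistered"      # anyone can register it right now
    days = days_until_expiry(rdap, now)
    if days is None:
        return "no-expiry-data"    # registry hid the date; check manually
    if days < 0:
        return "expired"           # grace/redemption clock is running
    if days <= warn_days:
        return "expiring"
    return "ok"


def audit(inventory, now=NOW, warn_days=60):
    """Return {domain: bucket} for every name the organization claims to own."""
    return {name: classify(rdap, now, warn_days) for name, rdap in inventory.items()}


if __name__ == "__main__":
    for name, bucket in sorted(audit(SAMPLE_RDAP).items()):
        print(f"{name:28s} {bucket}")
```

Anything in the "unregistered" or "expired" buckets is exactly the situation the post describes, and the "expiring" bucket is the window in which a renewal email to an ex-employee’s mailbox gets silently dropped; the inventory list itself has to include conference, campaign, and vendor-created names, not just the primary domain.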
Conclusion:
If you aren’t doing the hands-on work in terms of technology, you should still be keeping an eye on things. It’s REALLY hard to run clean unless you’ve achieved Professional Paranoia. If you’re working with or managing people doing the work in this area, they should welcome extra scrutiny from you. If you can figure out how to leverage an opening, you’re a good simulation of the A-game intruder that comes calling.
This is not the only thing like this I’ve seen; there have been two others in the fourth quarter of 2023. One was an NGO running a mailing list. They got had and just didn’t understand the hazards; they assumed they were safe because a non-technical boomer founder couldn’t envision what a bad actor would do next. Now they’re wondering why their engagement has plummeted and their efforts are fizzling.
The other one has been a bit like SOCOM. I’ve spent quite a few hours trying to get the attention of whoever does their tech support. They literally have no method for someone to do that, and I think it’s frightful exposure given their business. Having gone above and beyond the call in terms of responsible disclosure, I don’t feel at all bad about having a piñata party with them some time in the next few days.