An Exploit on Reddit Shows MFA's Limitations

The Reddit employee was duped by spear-phishing but immediately reported it to security after the attack.


The latest hack of a well-known company makes it increasingly obvious that attackers are finding ways to circumvent multifactor authentication mechanisms.

As part of a spear-phishing attack on Reddit on January 9, a threat actor sent out an email containing a link, and Reddit later informed its users that one employee had been convinced to click it. Investigators found that the linked website mimicked the behavior of the company's intranet gateway and attempted to steal credentials and second-factor tokens at the same time.

According to Reddit, the compromised credentials allowed the attacker to sift through Reddit's systems for a few hours, during which they accessed internal documents, dashboards, and code stored on those systems.

In a follow-up AMA video, Reddit CTO Chris Slowe (aka KeyserSosa) explained that, while the company is still investigating, there is no evidence so far that the attacker accessed user data or production systems.

Slowe noted that the inability to prove a negative makes it extremely difficult for Reddit to rule anything out at this point, so the team is continuing its investigation. The evidence at the moment suggests that access was limited to several systems outside the main production environment.

Reddit has become the latest company to fall victim to a cyberattack that harvests employee credentials through social engineering and uses them to reach sensitive systems. In late January, Riot Games, the company responsible for the popular game League of Legends, announced that it had been compromised: threat actors had used a social engineering attack to steal code, which delayed the release of game updates. Four months earlier, attackers used compromised login credentials taken from Rockstar Games' Rockstar Studios, the maker of the Grand Theft Auto franchise, to gain access to the Rockstar data warehouse and steal source code.

Phishing attacks and credential theft are two of the most common causes of breaches, including minor ones. In the "2023 Email Security Trends" report published by Barracuda Networks, a provider of application and data protection services, more than three-quarters of surveyed IT professionals and IT security managers said their companies had experienced a successful email attack in the past year. The report also put an average figure on the fines and recovery costs that the most expensive attacks imposed on the average firm.

Phishing and spear-phishing are still considered common threats to businesses, but only 26% of respondents now feel unprepared for both attacks. This is an improvement over 2019, when 47% and 36% of respondents respectively said their firms were unprepared for these threats. The report also found that concern over account takeovers has increased in the past few years.

It states that although organizations may be better equipped to prevent phishing attacks, they may not have the capacity to resolve account takeovers, which are usually the consequence of a phishing attack that succeeds.

Cybersecurity Relies Heavily on Employees 

Aside from the irony of the Reddit hack, the incident provides a valuable lesson on the importance of employee training. As soon as the employee entered the credentials into the phishing website, he suspected something was amiss and immediately contacted Reddit's IT department to report it. As a result, the attacker's window of opportunity was shortened and the damage they could do was limited.

"The time has come for us to stop looking at employees as weaknesses and instead begin to view their contributions to organizations as the strengths they are or can be," Dudley emphasizes. Technical controls are just a limited part of what organizations can do. Employees can also offer further context for why something does not seem right. 

In the follow-up AMA, Slowe, Reddit's account manager, said that the employee at the center of the breach would not face long-term punishment, but that all access to the account would be revoked until the problem is resolved.

"As always, the problem is that it takes only one person to fall for something like [a phish]," he explained. Slowe added that he is exceptionally grateful that the employee reported it immediately after realizing what had happened.