Microsoft Entra ID Faces Surge in Coordinated Credential-Based Attacks

Cybersecurity experts have identified an extensive account takeover (ATO) campaign targeting Microsoft Entra ID that abuses a powerful open-source penetration testing framework known as TeamFiltration.

First detected in December 2024, the campaign has accelerated rapidly, compromising more than 80,000 user accounts across many cloud environments over the past several years. The threat intelligence firm Proofpoint tracks it under the codename UNK_SneakyStrike and describes it as a sophisticated and stealthy attack operation aimed at breaching enterprise cloud infrastructure.

UNK_SneakyStrike stands out for its distinctive operational pattern: activity unfolds in waves within a single cloud environment, often targeting a broad spectrum of users. These aggressive bursts of login attempts are usually followed by quiet periods lasting between four and five days, a tactic that lets the attackers avoid triggering traditional detection mechanisms while maintaining sustained pressure on organisations' defences.

Several technical indicators show that the attackers are using TeamFiltration, a sophisticated open-source penetration testing framework first introduced at the Def Con security conference in 2022. Originally intended for security testing and red teaming in enterprises, TeamFiltration is now being used by malicious actors to automate user enumeration, password spraying, and stealthy data exfiltration on a massive scale.

The tool was designed to simulate real-world account takeover scenarios in Microsoft cloud environments by compromising accounts in Microsoft Entra ID, also known as Azure Active Directory. TeamFiltration's most dangerous feature is its integration with the Microsoft Teams APIs, along with its use of Amazon Web Services (AWS) cloud infrastructure to rotate source IP addresses dynamically.

Not only does this strategy allow attackers to evade geofencing and rate-limiting defences, it also makes attribution and traffic filtering significantly more challenging. Additionally, the framework can backdoor OneDrive accounts, giving attackers prolonged, covert access to compromised systems without triggering immediate alarms.

Together, these features make TeamFiltration a useful tool for long-term intrusion campaigns, as they enhance an attacker's ability to maintain persistence within targeted networks and to siphon sensitive data for extended periods of time. By analysing a series of distinctive digital fingerprints discovered during forensic analysis, Proofpoint was able to attribute this malicious activity to both the TeamFiltration framework and the threat actor dubbed UNK_SneakyStrike.

These fingerprints included a rarely observed user agent string, hardcoded OAuth client IDs, and a snapshot of the Secureworks FOCI project, embedded within the tool's backend architecture, that had been around for quite some time. These technical artefacts enabled researchers to trace the campaign's origin and the misuse of the tool with a high degree of confidence.

An in-depth investigation of the attack revealed that the attackers concealed their real location and circumvented geo-based blocking mechanisms by using Amazon Web Services (AWS) infrastructure spanning multiple international regions. In a particularly stealthy manoeuvre, the threat actors interacted with the Microsoft Teams API using a "sacrificial" Microsoft Office 365 Business Basic account, which allowed them to conduct covert account enumeration.

Through this tactic, they were able to verify existing Entra ID accounts without triggering security alerts, silently building a map of valid user accounts. Analysis of network telemetry showed that the largest share of malicious traffic originated in the United States (42%), with additional significant activity traced to Ireland (11%) and the United Kingdom (8%). This global distribution of attack sources made attribution even more complex and time-consuming, compromising the ability to respond efficiently.

In response to the campaign, Proofpoint issued a detailed advisory urging organisations, particularly those that rely on Microsoft Entra ID for cloud identity management and remote access, to initiate immediate mitigations or improvements. Its recommendations are that detection rules should flag the TeamFiltration-specific user-agent strings and all IP addresses listed in the published indicators of compromise (IOCs), and that multi-factor authentication (MFA) should be enforced uniformly across all user roles.
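One way to look for the burst-then-quiet pattern in exported sign-in logs, as an added example (not Proofpoint's or Microsoft's detection logic). The record fields, thresholds and sample events are constructed for illustration, and the user-agent value is a placeholder to be filled from the published IOCs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Placeholder: the real string is in the published IOCs, not on this page.
WATCHLIST_UA = "<TEAMFILTRATION-USER-AGENT-FROM-IOC-LIST>"

def sample_events():
    """Constructed sign-in records: two bursts four days apart, plus ordinary noise."""
    events = []
    for start in (datetime(2025, 1, 6, 10, 0), datetime(2025, 1, 10, 10, 0)):
        for i in range(12):  # 12 accounts, every attempt from a different source IP
            events.append({"time": start + timedelta(minutes=2 * i),
                           "user": f"user{i}@example.com", "ip": f"203.0.113.{i + 1}",
                           "ua": WATCHLIST_UA, "ok": i == 7})
    for minute in (0, 1):  # one user mistyping a password twice from one address
        events.append({"time": datetime(2025, 1, 8, 9, minute), "user": "alice@example.com",
                       "ip": "198.51.100.20", "ua": "Mozilla/5.0", "ok": False})
    return events

def find_waves(events, window=timedelta(hours=1), min_users=10):
    """Flag time buckets in which failed sign-ins hit >= min_users distinct accounts.

    Counting is tenant-wide rather than per source IP: when the source address
    rotates on every attempt, a per-IP failure threshold never fires.
    """
    buckets = defaultdict(lambda: {"failed": set(), "ips": set(), "ok": set(), "ua": 0})
    for e in events:
        b = buckets[(e["time"] - EPOCH) // window]
        b["ok" if e["ok"] else "failed"].add(e["user"])
        b["ips"].add(e["ip"])
        b["ua"] += e["ua"] == WATCHLIST_UA
    waves = []
    for key in sorted(buckets):
        b = buckets[key]
        if len(b["failed"]) >= min_users:
            waves.append({"start": EPOCH + key * window, "targeted": len(b["failed"]),
                          "source_ips": len(b["ips"]), "watchlist_ua_hits": b["ua"],
                          # successes inside a wave are leads to review, not proof
                          "review": sorted(b["ok"])})
    return waves

def quiet_gaps(waves):
    """Days between the starts of consecutive waves (adjacent buckets are not merged)."""
    return [(b["start"] - a["start"]) / timedelta(days=1) for a, b in zip(waves, waves[1:])]

if __name__ == "__main__":
    found = find_waves(sample_events())
    for wave in found:
        print(wave)
    print("quiet gaps (days):", quiet_gaps(found))
```

Accounts listed under `review` had a successful sign-in during a wave and are the first candidates for session revocation and credential reset.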

Organisations are also advised to comply with OAuth 2.0 security standards and to implement granular conditional access policies within their Entra ID environments to limit potential exposure. Microsoft has not issued an official security bulletin concerning this specific threat, but internal reports have revealed multiple instances of unauthorised access involving enterprise accounts. This incident serves as a reminder of the risks associated with dual-use red-teaming tools such as TeamFiltration, which can pose a serious risk to organisations.

There is no doubt in my mind that such frameworks are designed to provide legitimate security assessments; however, as they are made available to the general public, they continue to raise concerns, as they make it easier for threat actors to use them to gain an advantage, blurring the line between offensive research and actual attack vectors as threats evolve.

Although the attackers exploited Amazon Web Services (AWS) infrastructure during the incident, AWS reiterated its strong commitment to promoting responsible and lawful use of its cloud platform. According to AWS, all customers are required to comply with all applicable laws and with the platform's terms of service when using its resources.

A spokesperson for Amazon Web Services explained that the company maintains a clearly defined policy framework that prohibits misuse of its infrastructure. As soon as the company receives credible reports that indicate a potential violation of these policies, it initiates an internal investigation and takes appropriate action, such as disabling access to content that is deemed to violate its terms. As part of this commitment, Amazon Web Services actively supports and values the global community of security researchers.

Tracked under the codename UNK_SneakyStrike, the campaign has been classified as a highly orchestrated, large-scale operation built on user enumeration and password spraying. According to researchers at Proofpoint, the access attempts usually arrive in intense, short-lived bursts that flood cloud environments with credential-based login requests. Each burst is followed by a quiet period lasting between four and five days, an intentional way to avoid continuous detection and prolong the life cycle of the campaign while the threat actors remain evasive.

A key concern with this operation is the precision of its targeting. According to Proofpoint, the attackers try to gain access to nearly all user accounts within small cloud tenants, while selectively targeting particular users within larger enterprise environments.

This calculated approach mirrors TeamFiltration's built-in filtering capabilities, which allow attackers to prioritise the highest-value accounts while avoiding the detection that excessive probing would invite. The situation underscores one of the major challenges the cybersecurity community faces today: tools like TeamFiltration, designed to help defenders simulate real-world attacks, are increasingly being turned against organisations instead of helping them fight back.

By weaponizing these tools, threat actors can infiltrate cloud infrastructure, extract sensitive data, establish long-term access, and bypass conventional security controls. This campaign is a reminder that dual-purpose cybersecurity technologies, though essential for improving organisational resilience, can also pose a persistent and evolving threat when misappropriated.

As the UNK_SneakyStrike campaign demonstrates, the modern threat landscape continues to grow in size and sophistication, which is why cloud security must be approached in a proactive, intelligence-driven way. Cloud-native organisations must enhance their threat detection capabilities and go beyond reactive measures by investing in continuous threat monitoring, behavioural analytics, and threat hunting tailored to their environments' needs.

In the present day, security strategies must adapt to the dynamic nature of cloud infrastructure and the growing threat of identity-based attacks, which means relying on traditional perimeter defences or static access controls will no longer be sufficient. In order to maintain security, enterprise defenders need to routinely audit their identity and access management policies, verify that integrated third-party applications are secure, and review logs for anomalies indicative of low-and-slow intrusion patterns. 

To build a resilient ecosystem that can withstand emerging threats, cloud service providers, vendors, and enterprise security teams need to work together. In addition, members of the cybersecurity community must engage in ongoing discussions about how dual-purpose security tools should be distributed and governed, so that innovation intended to strengthen defences does not become a weapon that compromises them.

Dealing with advanced threats requires agility, visibility, and collaboration if organisations are to remain resilient. There is no doubt that organisations are more vulnerable to attacks than they were in the past, but by practising holistic security hygiene and adopting a zero-trust architecture they can minimise exposure, contain intrusions quickly, and ensure business continuity despite increasingly coordinated, deceptive attack campaigns.

Strengthening Password Security: Addressing Misconceptions and Best Practices

 

According to recent research by the Institution of Engineering and Technology (IET), conducted to mark World Password Day, only one in five people in the UK can correctly identify a secure password over a risky one. This alarming statistic underscores the widespread lack of awareness and understanding when it comes to password security among the public. 

The study revealed that despite expressing concern about the possibility of being hacked in the future, a significant portion of the population continues to engage in risky password practices. For example, 20% of respondents admitted to using the same password for multiple websites and devices, a practice strongly discouraged by cybersecurity experts. 

Additionally, many individuals rely on easily guessable passwords, such as pet names or significant dates, further compromising their online security. Despite the prevailing fear of cyber threats, there exists a notable discrepancy between public perception and best practices in password security. While 84% of respondents believe that hackers are becoming more inventive, many still hold misconceptions about what constitutes a secure password. 

For instance, a significant portion of the population mistakenly believes that replacing letters with numbers in passwords enhances security, when in reality, this practice does little to deter sophisticated cyberattacks. Dr. Junade Ali, a cybersecurity expert and IET fellow, highlighted the critical importance of strong passwords in today's digital landscape. Weak and predictable passwords serve as easy targets for cybercriminals, who employ various tactics, including credential stuffing, to gain unauthorized access to multiple accounts. Credential stuffing exploits the common practice of using the same password across multiple platforms, allowing hackers to compromise multiple accounts with minimal effort. 

To address these vulnerabilities, the IET has issued recommendations aimed at improving password security awareness and practices. Among these recommendations is the suggestion to create randomly generated, long, and unique passwords for each website or online service. Longer passwords are generally more resistant to brute-force attacks and provide an added layer of security against unauthorized access.  

Additionally, the use of a reputable password manager is encouraged to securely store and manage passwords across various platforms. Password managers not only simplify the process of generating and storing complex passwords but also provide alerts in the event of a data breach, allowing users to take immediate action to protect their accounts. 

By following these guidelines and adopting strong password security practices, individuals can significantly enhance their defenses against cyber threats and safeguard their sensitive information online. As cyberattacks continue to evolve in sophistication, proactive measures to strengthen password security are essential in mitigating the risk of unauthorized access and data breaches.

Rise In Cybercrime: Dark Web Fueling Credential Attacks

 


In an unsettling trend, cybercriminals are increasingly turning to credential theft as a lucrative business, aided by the rise of infostealer malware attacks. Over the past three years, these threat actors have capitalised on the opportunity, compromising millions of personal and corporate devices globally.

The Rise of Infostealer Malware

According to cybersecurity experts at Kaspersky, infostealer malware attacks have surged sevenfold in recent years, with over 10 million devices compromised in 2022 alone. These sophisticated attacks enable hackers to silently collect login credentials and sensitive data from devices, posing a significant cybersecurity threat.

The Lucrative Market for Stolen Credentials

The value of corporate credentials in the cybercrime market has soared, leading to a 643% increase in data theft attacks. Cybercriminals act as initial access brokers, stealing corporate credentials and selling them on dark web forums for substantial profits. Kaspersky researchers highlight various sales models, with prices starting at $10 per log file.

Emerging Dark Web Hubs

Darknet markets have become key enablers of cybercrime, facilitating the sale of stolen credentials and victim profiles to cybercriminal groups. Following the takedown of Genesis Market, new hubs like Kraken Market and DNM Aggregator have emerged, offering seamless payment options via crypto processors.

Regional Impact

Regions like the Asia-Pacific and Latin America have been particularly affected by credential-stealing attacks, with millions of credentials stolen from countries like Brazil, India, Colombia, and Vietnam. In Australia, compromised or stolen credentials accounted for the majority of cybersecurity incidents, being implicated in 56% of all incidents.

The Role of Initial Access Brokers

The number of initial access brokers (IABs) operating worldwide has risen significantly, with the APAC region experiencing a particularly sharp increase. These brokers play a critical role in fueling cybercrime operations, selling access to corporate networks and facilitating activities like ransomware attacks.

Despite the perception of cyberattacks as complex operations, the reality is that many exploit the simplicity of credential vulnerabilities. According to the Cybersecurity and Infrastructure Security Agency (CISA), over half of government and critical infrastructure attacks leverage valid credentials, with stolen credentials implicated in 86% of breaches involving web-based platforms. Credential stuffing, a technique where attackers use stolen usernames and passwords on various websites, has become increasingly popular due to individuals' tendency to reuse login information for convenience. 

With cybercriminals exploiting vulnerabilities in corporate and personal networks, organisations and individuals must remain a step ahead to protect against this pervasive threat.