Search This Blog

Showing posts with label MFA. Show all posts

84% of US Businesses Experienced Identity-Related Breaches


According to new information from the non-profit Id Outlined Safety Alliance, the range of security breaches resulting from phishing or exploiting identities has reached epidemic proportions (IDSA). For its 2022 Developments in Securing Digital Identities report, the IDSA surveyed 500 US identity and security experts. 

In the past year, 84 % of respondents reported having suffered an identity-related hack, with the clear majority (78 %) stating that it had a direct effect on the firm. Increased identity fraud in the corporate sector daily contributes to the issue. 

When leaders prioritize identity security, risky behavior is reduced. 71 % of companies have executives who publicly address staff members about password security. In the light of that, risky security behaviors were acknowledged by 60% of IT/security stakeholders. 

Having focused on the fundamentals and investments in security outcomes 97%  will invest in identity-focused security results. MFA is a major area of interest, especially for employees and privileged users. 

The report suggested a few basic steps businesses may take to enhance security outcomes of unauthorized access. When executives discuss corporate credentials, for instance, the survey found that 72% of respondents are more cautious with their work passwords than with using personal passwords. 

However, it seems that businesses are making sense. Almost all respondents (97%) stated they intended to invest in "identification-focused security outcomes," and 94 % reported that identity investments are a part of strategic efforts, such as cloud adoption (62 %), the deployment of Zero Trust (51 %), and digital transformation activities (42% ).

According to the Anti-Phishing Working Group(APWG), phishing reached an all-time high in the first quarter of 2022. 

Microsoft Now Permits IT Administrators to Evaluate and Deactivate Inactive Azure AD users


Azure Active Directory has received a handful of security updates from Microsoft. In preview, the business has unveiled a new access reviews tool that allows enterprises to delete inactive user accounts which may pose a security concern. Users who created the new Azure AD tenant after October 2019 received security defaults, however, customers who built Azure AD tenants before October 2019 did not receive security defaults. 

According to Microsoft, the Azure AD security defaults are utilized by around 30 million companies today, and the defaults will be rolled out to many more organizations, resulting in the settings protecting 60 million more accounts. IT admins could now terminate Azure AD accounts that haven't signed in for a certain number of days. 

The Azure Active Directory Identity Governance service now includes the new access review feature. It's useful for companies who don't want contractors or former employees to have access to sensitive data. Azure Active Directory (Azure AD) is a Microsoft cloud service that manages identification and authentication for on-premise and cloud applications. In Windows 2000, it was the advancement of Active Directory Domain Services. 

"The term "sign-in activity" refers to both interactive and non-interactive sign-in activities. Stale accounts may be automatically removed during the screening process. As a result, your company's security posture increases," Microsoft explained. 

According to Alex Weinert, Microsoft's director of identity security, the defaults were implemented for new tenants to ensure that they had "minimum security hygiene," including multi-factor authentication (MFA) and contemporary authentication, independent of the license. He points out that the 30 million firms which have security defaults in place are significantly less vulnerable to intrusions.

This month, Microsoft will send an email to all global admins of qualified Azure AD tenants informing them of security settings. These administrators will receive an Outlook notification from Microsoft in late June, instructing them to "activate security defaults" and warning of "security defaults will be enforced automatically for respective businesses in 14 days." All users in a tenant will be required to register for MFA using the Microsoft Authenticator app after it has been activated. A phone number is also required of global administrators.

Devious Phishing Tactic Circumvents MFA Using Remote Access Software


As per a new phishing technique,adversaries can defeat multi-factor authentication (MFA) by having victims connect to their accounts directly on attacker-controlled servers using the VNC screen sharing system.

Bypassing multi-factor authentication (MFA) configured on the intended victim's email accounts is one of the most difficult barriers to successful phishing attempts. Even if threat actors can persuade users to input their credentials on a phishing site, if the account is protected by MFA, completely breaching the account requires the victim's one-time passcode. 

Phishing kits have been upgraded to employ reverse proxies or other means to obtain MFA codes from unwitting victims to get access to a target's MFA-protected accounts. Companies, on the other hand, are becoming aware of this technique and have begun implementing security measures that prevent logins or cancel accounts when reverse proxies are found. VNC is here to help. 

Mr.d0x, a security researcher, attempted to create a phishing attack on the client's employees to get corporate account credentials while conducting a penetration test for a customer. Mr.d0x put up a phishing assault utilising the Evilginx2 attack framework, which operates as a reverse proxy to steal credentials and MFA codes because all of the accounts were configured with MFA. 

The researcher discovered that when reverse proxies or man-in-the-middle (MiTM) attacks were detected, Google blocked logins. According to Mr.d0x, this was a new security feature installed by Google in 2019 precisely to avoid these types of attacks. 

Websites like LinkedIn, according to the researcher, identify man-in-the-middle (MiTM) assaults and delete accounts following successful logins. To get around this, Mr.d0x devised a cunning new phishing technique that employs the noVNC remote access software and browsers in kiosk mode to display email login prompts that are hosted on the attacker's server but shown in the victim's browser. 

VNC is a remote access software that allows users to connect to and control the desktop of a logged-in user. Most people use dedicated VNC clients to connect to a VNC server, which opens the remote desktop in a similar way to Windows Remote Desktop. 

An application called noVNC, on the other hand, allows users to connect to a VNC server directly from within a browser by merely clicking a link, which is where the researcher's new phishing method comes into play. 

A new report by Mr.d0x on his new phishing technique explained, "So how do we use noVNC to steal credentials & bypass 2FA? Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g."   

"Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already set up Firefox in kiosk mode all the user will see is a web page, as expected." 

A threat actor can use this configuration to send targeted spear-phishing emails with links that launch the target's browser and log into the attacker's remote VNC server. These links are highly customisable, allowing the attacker to make links that do not appear to be suspicious VNC login URLs.  

Since the attacker's VNC server is set up to run a browser in kiosk mode, which displays the browser in full-screen mode, when the victim clicks on a link, they will be taken to a login screen for the targeted email provider, where they can log in as usual. 

However, because the attacker's VNC server is displaying the login prompt, all login attempts will be made directly on the remote server. Once a user logs into the account, an attacker can utilise a variety of tools to obtain passwords and security tokens, according to Mr.d0x. 

Even more dangerous, since the user enters the one-time passcode directly on the attacker's server, authorising the device for future login attempts, this technique bypasses MFA. If the attack was limited to a few people, merely entering into their email account using the attacker's VNC session would grant the device permission to connect to the account in the future. Because VNC allows many individuals to monitor the same session, an attacker might disconnect the victim's connection after the account was logged in and reconnect later to gain access to the account and all of its email. 

While this attack is yet to be observed in the open, the researcher told BleepingComputer that he believes it will be used in the future. Every phishing advice remains the same when it comes to safeguarding from these types of attacks: do not click on URLs from unknown senders, scan embedded links for strange domains, and take all email as suspect, especially when it asks you to log in to your account.