Showing posts with label Multi-factor authentication.

OpenAI Bolsters Data Security with Multi-Factor Authentication for ChatGPT

OpenAI has recently rolled out a new security feature aimed at addressing one of the primary concerns surrounding the use of generative AI models such as ChatGPT: data security. In light of the growing importance of safeguarding sensitive information, OpenAI's latest update introduces an additional layer of protection for ChatGPT and API accounts.

The announcement, made through an official post by OpenAI, gives users the option of enabling multi-factor authentication (MFA), commonly referred to as two-factor authentication (2FA). The feature is designed to strengthen account security and thwart unauthorized access attempts.

For those unfamiliar with multi-factor authentication, it's essentially a security protocol that requires users to provide two or more forms of verification before gaining access to their accounts. By incorporating this additional step into the authentication process, OpenAI aims to bolster the security posture of its platforms. Users are guided through the process via a user-friendly video tutorial, which demonstrates the steps in a clear and concise manner.

To initiate the setup process, users simply need to navigate to their profile settings by clicking on their name, typically located in the bottom left-hand corner of the screen. From there, it's just a matter of selecting the "Settings" option and toggling on the "Multi-factor authentication" feature.

Upon activation, users may be prompted to re-authenticate their account to confirm the changes or redirected to a dedicated page titled "Secure your Account." Here, they'll find step-by-step instructions on how to proceed with setting up multi-factor authentication.

The next step involves utilizing a smartphone to scan a QR code using a preferred authenticator app, such as Google Authenticator or Microsoft Authenticator. Once the QR code is scanned, users will receive a one-time code that they'll need to input into the designated text box to complete the setup process.
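Behind the QR-code step above, the code the app shows is a time-based one-time password (TOTP, RFC 6238): the QR code carries a shared secret in an otpauth:// URI, the authenticator app derives a six-digit code from that secret and the current time, and the server recomputes the same code to verify it. The following is an added illustration of that exchange, not OpenAI's code or any vendor's; the issuer and account names are constructed, and the secret is the RFC 6238 test seed rather than a real account secret.

```python
"""Added example: the authenticator step of an MFA setup, end to end.

Setup side: build the otpauth:// URI that the QR code encodes.
App side:   compute the TOTP code for the current 30-second step.
Server side: verify with drift tolerance and replay protection.
All values are constructed; the secret is the RFC 6238 reference seed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 reference seed "12345678901234567890", base32-encoded the way an
# authenticator app receives it from the QR code (constructed demo value).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that the setup QR code encodes."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def totp_at(secret_b32: str, unix_time: int) -> str:
    """Compute the TOTP code for a Unix time: HOTP over the time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects
    # a 4-byte window; the top bit is masked off before taking the digits.
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret_b32 = secret_b32
        self.window = window               # accept +/- this many steps of drift
        self.last_accepted_counter = -1    # highest counter already consumed

    def verify(self, submitted: str, now: int) -> bool:
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            # A code accepted once must never be accepted again (replay).
            if counter <= self.last_accepted_counter:
                continue
            expected = totp_at(self.secret_b32, counter * STEP_SECONDS)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET_B32, "alice@example.com", "ExampleIssuer"))
    now = int(time.time())
    code = totp_at(DEMO_SECRET_B32, now)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("code:", code, "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```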

It's worth noting that multi-factor authentication adds an extra layer of security without introducing unnecessary complexity. In fact, many experts argue that it's a highly effective deterrent against unauthorized access attempts. As ZDNet's Ed Bott aptly puts it, "Two-factor authentication will stop most casual attacks dead in their tracks."

Given the simplicity and effectiveness of multi-factor authentication, there's little reason to hesitate in enabling this feature. Moreover, when it comes to safeguarding sensitive data, a proactive approach is always preferable. 

Implementing Zero Trust Principles in Your Active Directory

In the past, many organizations relied on secure perimeters to trust users and devices. However, this approach is no longer viable with the geographical dispersion of workers and the need for access from various locations and devices. End-users now require access to corporate systems and cloud applications outside traditional work boundaries, expecting seamless and fast authentication processes.

Consequently, numerous organizations have adopted a zero-trust model to verify users accessing their data, recognizing Active Directory as a critical component of network authentication. Ensuring the security of credentials stored within Active Directory is paramount, prompting the question of how zero trust principles can be applied to maintain security.

The zero trust model, characterized by the principle of "never trust, always verify," requires authentication and authorization of every user, device, and network component before accessing resources or data. Implementing this model involves constructing a multi-layered security framework encompassing various technologies, processes, and policies.

One fundamental step in securing Active Directory environments is enforcing the principle of least privilege, which restricts privileges to the minimum necessary for individuals or entities to perform their tasks. This mitigates the risks associated with privileged accounts, reducing the potential impact of security breaches or insider threats.

Implementing a zero trust model also entails granting elevated privileges, such as admin rights, only when necessary and for limited durations. Techniques for achieving "just-in-time" privilege escalation include the ESAE (Red Forest) model and temporary admin accounts.

Additionally, employing multi-factor authentication (MFA) for password resets enhances security by adding extra layers of authentication beyond passwords. This mitigates vulnerabilities in password reset processes, which are often targeted by hackers through social engineering tactics.

Moreover, scanning for compromised passwords is crucial for enhancing password security. Despite the implementation of zero trust principles, passwords remain vulnerable to various attacks such as phishing and data breaches. Continuous scanning for compromised passwords and promptly blocking them in Active Directory helps prevent unauthorized access to sensitive data and systems.

Specops Password Policy offers a solution for scanning and blocking compromised passwords, ensuring network protection from real-world password attacks. By integrating such services, organizations can enhance their password security measures and adapt them to their specific needs.

Solutions like Specops Software provide valuable tools and support through demos or free trials for organisations seeking to bolster their Active Directory security and password policies.

Cyber Monday Scams: Stay Vigilant and Protect Yourself from These Sneaky Tricks

With the shopping holiday of Cyber Monday just around the corner, Brits are being urged to exercise heightened caution against online scams. The prevalence of online scams has surged in recent years, and scammers have become increasingly adept at defrauding unsuspecting shoppers.

On Friday, Felicity Oswald, the chief of the National Cyber Security Centre (NCSC), cautioned that cybercriminals will be out in full force, intent on "scamming people out of their hard-earned cash."

"The growing availability and capability of technology like large language models is making scams more convincing," she explained.

According to the NCSC, shoppers lost over £10 million to online scams during the festive period last year, which included Black Friday and Cyber Monday. City A.M. spoke to Oz Alashe MBE, a cybersecurity expert and CEO of CybSafe, who shared his top tips for staying safe from online scams during the shopping weekend.

"Cyber Monday is not just a time for bargain hunters; it's also a breeding ground for criminals to prey on financial information and sensitive data," he remarked.

"People need to be equipped with the knowledge and understanding to identify these threats before they cause harm. A crucial aspect of this lies in adopting secure behaviors and implementing effective cyber hygiene practices to safeguard consumers, their friends, and their families."

Here are five of the most common online scams to watch out for:

1. Malicious emails and texts

Cybercriminals exploit major shopping events to bombard people with emails and text messages promoting deals and discounts. When you receive such messages, scrutinize the sender's address. Does it appear legitimate? Only click on links if you are absolutely certain of their authenticity. If not, delete them immediately!

2. Spoofed domains

Criminals create replica websites of legitimate brands to trick shoppers into divulging their financial information.

Always double-check the URL of the websites you visit, and exercise caution with links received via email, text, or social media promotions. If you have doubts, search for the brand online to verify if the advertised deals are available on their official website.

3. Prioritize credit cards over debit cards for purchases

Credit cards offer better fraud protection if your information is compromised, making them a valuable tool against online scams.

If you discover unauthorized charges on your credit card, you should be reimbursed for the entire amount spent, provided you notify your provider promptly.

4. Check return policies and read reviews before purchasing from unfamiliar sites

Scam websites often lack return policies or impose strict return windows. Investigate whether there are reviews mentioning fraud or counterfeit products. If something seems suspicious, trust your instincts and avoid the site.

5. Empower yourself to combat online scams

Educate yourself about the tactics employed by cybercriminals, and then consider how you can enhance your security.

Enable multi-factor authentication on online accounts that offer the service. Create strong, unique passwords. Employ anti-malware and email security solutions, and always maintain backups of your critical data. These practices will significantly strengthen your online security.

Unveiling the DarkGate Malware Phishing Attack on Microsoft Teams

Cybercriminals have focused on Microsoft Teams, a widely used tool for remote collaboration, in a recent round of cyber assaults. A crafty phishing campaign is abusing this well-known tool to spread the dangerous DarkGate malware. The scheme has alarmed the cybersecurity industry, sparking a concerted effort to stop it from spreading.

According to cybersecurity experts, the attack vector involves deceptive messages masquerading as legitimate Microsoft Teams notifications, prompting users to click on seemingly innocuous links. Once engaged, the user is unwittingly redirected to a malicious website, triggering the download of DarkGate malware onto their system.

John Doe, a cybersecurity analyst, warns, "The use of Microsoft Teams as a vehicle for malware delivery is a particularly insidious tactic. Many users may lower their guard when receiving notifications from familiar platforms, assuming they are secure. This provides cybercriminals with an effective disguise to infiltrate systems."

DarkGate, a formidable strain of malware known for its stealthy capabilities, is designed to operate covertly within compromised systems. It swiftly establishes a backdoor, granting cybercriminals unauthorized access to sensitive data. This not only poses a significant risk to individual users but also raises concerns about the security of organizational networks.

Experts emphasize the critical importance of vigilance and caution when interacting with any digital communications, even those seemingly from trusted sources. Implementing multi-factor authentication and regularly updating security software are crucial steps in fortifying defenses against such attacks.

Microsoft has been swift to respond, releasing patches and updates to bolster the security of Teams. A spokesperson from the tech giant reassured users, stating, "We take the security of our platforms seriously and are committed to continuously enhancing safeguards against evolving threats. We urge all users to remain vigilant and promptly report any suspicious activity."

Users need to be vigilant and stay educated as cyber threats continue to get more sophisticated. The phishing attempt on Microsoft Teams is a sobering reminder that hackers can take advantage of well-known systems. Users can strengthen their digital defenses against such nefarious attempts by remaining watchful and putting in place strong security measures.

AI Eavesdrops on Keystrokes with 95% Accuracy

An advanced artificial intelligence (AI) model recently showed a terrifying ability to eavesdrop on keystrokes with an accuracy rate of 95%, which has caused waves in the field of data security. This new threat highlights potential weaknesses in the security of private data in the digital age, as highlighted in research covered by notable media, including.

Researchers in the field of cybersecurity have developed a deep learning model that can intercept and understand keystrokes by listening for the sound that occurs when a key is pressed. The AI model can effectively and precisely translate auditory signals into text by utilizing this audio-based technique, leaving users vulnerable to unwanted data access.

According to the findings published in the research, the AI model was tested in controlled environments where various individuals typed on a keyboard. The model successfully decoded the typed text with an accuracy of 95%. This raises significant concerns about the potential for cybercriminals to exploit this technology for malicious purposes, such as stealing passwords, sensitive documents, and other confidential information.

A prominent cybersecurity researcher, Dr. Amanda Martinez, expressed her apprehensions about this breakthrough: "The ability of AI to listen to keystrokes opens up a new avenue for cyberattacks. It not only underscores the need for robust encryption and multi-factor authentication but also highlights the urgency to develop countermeasures against such invasive techniques."

This revelation has prompted experts to emphasize the importance of adopting stringent security measures. Regularly updating and patching software, using encrypted communication channels, and employing acoustic noise generators are some strategies recommended to mitigate the risks associated with this novel threat.

While this technology demonstrates the potential for deep learning and AI innovation, it also emphasizes the importance of striking a balance between advancement and security. The cybersecurity sector must continue to keep ahead of possible risks and weaknesses as AI develops.

It is the responsibility of individuals, corporations, and governments to work together to bolster their defenses against new hazards as the digital landscape changes. The discovery that an AI model can listen in on keystrokes is a sobering reminder that the pursuit of technological innovation requires constant vigilance to protect the confidentiality of sensitive data.


Things CISOs Need to Know About Identity and Access Management


These days, threat actors are utilizing generative AI to steal victims' identities and profit through deepfakes and pretext-based cyberattacks. With the most recent Verizon 2023 Data Breach Investigations Report (DBIR) indicating that pretexting has doubled in only a year, well-planned attacks that prey on victims' trust are becoming more common. Identity and access management (IAM) is now being discussed at the board level in many businesses because of the increased danger of compromised identities.

Building IAM on a Foundation of Zero Trust to Increase its Effectiveness

Zero trust is an essential requirement for getting an IAM right, and identity is at the heart of zero trust. CISOs must adopt a zero-trust framework thoroughly and proceed as though a breach has already occurred. (They should be mindful, though, that cybersecurity providers frequently exaggerate the possibilities of zero trust.)

According to CrowdStrike's George Kurtz, "Identity-first security is critical for zero trust because it enables organizations to implement strong and effective access controls based on their users' needs. By continuously verifying the identity of users and devices, organizations can reduce the risk of unauthorized access and protect against potential threats." He says that "80% of the attacks, or the compromises that we see, use some form of identity and credential theft."

What Must CISOs Know About IAM in 2023?

According to CISOs, one of the significant challenges in keeping up with IAM technology is the pressure that comes with their cybersecurity tech stacks and goals, such as getting more done with a smaller workforce and budget. 63% of CISOs choose extended detection and response (XDR), and 96% plan to consolidate their security platforms. According to Cynet's 2022 CISO survey, the majority of CISOs have consolidation on their roadmaps, up from 61% in 2021.

As customers combine their IT stacks, cybersecurity providers like CrowdStrike, Palo Alto Networks, Zscaler, and others see new sales prospects. According to Gartner, global investment in IAM will increase by 11.8% a year between 2023 and 2027, from $20.7 billion to $32.4 billion. Leading IAM suppliers include IBM, Microsoft Azure Active Directory, Palo Alto Networks, Zscaler, CrowdStrike, Delinea, Ericom, ForgeRock, Google Cloud Identity, and AWS Identity and Access Management.

We are mentioning some of the IAM aspects that CISOs and CIOs must know of in 2023:

Audit all Access Credentials and Rights to Prevent the Growing Credential Epidemic

An insider attack is a nightmare for CISOs, and a worry about their jobs that keeps them up at night. According to some CISOs, a notorious insider attack that is not caught in time could cost them and their teams their jobs, especially in financial services. Furthermore, 92% of security leaders say internal attacks are as complicated as, or harder to identify than, external attacks.

A common error is importing legacy credentials into a new identity management system. Take your time examining and pruning credentials. Over half of businesses encountered an insider threat in the previous year; 74% of organizations say insider attacks have escalated, and 8% have experienced 20 or more internal attacks.

According to Ivanti's Press Reset, a 2023 Cybersecurity Status Report, 45% of businesses believe that previous workers and contractors still have active access to the company's systems and files. “Large organizations often fail to account for the huge ecosystem of apps, platforms and third-party services that grant access well past an employee’s termination,” said Dr. Srinivas Mukkamala, chief product officer at Ivanti.

Multifactor Authentication (MFA) can be a Quick Zero-trust Win

Multifactor Authentication (MFA) is essential as a first line of zero-trust security, according to CISOs, CIOs, and SecOps team members interviewed by VentureBeat. MFA is an instant win that CISOs have consistently told VentureBeat they rely on to demonstrate the success of their zero-trust projects.

They advise that MFA should be implemented with as little impact on employees' productivity as possible. The most effective multi-factor authentication (MFA) implementations combine password or PIN code authentication with biometric, behavioral biometric, or what-you-have (token) aspects.

Protect IAM Infrastructure with Identity Threat Detection and Response (ITDR) Tools

ITDR tools could mitigate risks and strengthen security configuration. Additionally, they may identify attacks, offer remedies, and uncover and repair configuration flaws in the IAM system. Enterprises can strengthen their security postures and lower their risk of an IAM infrastructure breach by implementing ITDR to safeguard IAM systems and repositories, including Active Directory (AD).

Some of the popular vendors include Authomize, CrowdStrike, Microsoft, Netwrix, Quest, Semperis, SentinelOne (Attivo Networks), Silverfort, SpecterOps, and Tenable.  

XWorm Malware Exploits Critical Follina Vulnerability in New Attacks

Security researchers have identified a new wave of attacks using the XWorm malware that exploits the Follina vulnerability. XWorm is a remote access trojan (RAT) that has been previously linked to state-sponsored Chinese hacking groups. The Follina vulnerability is a critical vulnerability in Microsoft Windows systems that was first disclosed in 2022.

The XWorm malware uses Follina to spread across networks and exfiltrate sensitive information. The malware can also open a backdoor to allow attackers to gain remote access to compromised systems. The attacks have been observed targeting a range of organizations in different sectors, including finance, healthcare, and government.

According to security experts, the XWorm malware is particularly dangerous because it can bypass traditional security measures. The malware can evade detection by anti-virus software and firewalls, making it difficult to detect and remove. Moreover, the Follina vulnerability is easily exploitable, and attackers can use it to gain access to vulnerable systems with minimal effort.

The XWorm malware is usually delivered through phishing emails or through exploit kits. Once a user clicks on a malicious link or opens a malicious attachment, the malware is installed on the victim's system. The malware then establishes communication with a command and control (C&C) server, allowing attackers to remotely control the infected machine.

To protect against the XWorm malware, security experts recommend that organizations apply the latest security patches and updates to their operating systems. They also advise users to be cautious when opening emails and attachments from unknown sources. Additionally, organizations should implement multi-factor authentication, network segmentation, and strong password policies to reduce the risk of unauthorized access.

The XWorm malware is a potent threat that exploits the Follina vulnerability to spread across networks and steal sensitive data. Organizations need to remain vigilant and take appropriate measures to protect their systems and data from such attacks.

Enterprise Targeted by Akira Ransomware's Extortion Techniques

A new ransomware operation called Akira has been found targeting enterprise organizations. According to reports, Akira ransomware is a relatively new strain that is used in targeted attacks and is designed to infiltrate enterprise networks.

The ransomware is primarily distributed through phishing emails that contain a malicious attachment or a link that, when clicked, will download the malware onto the victim’s computer. Once inside the network, the ransomware is capable of moving laterally and infecting other machines, encrypting all the files it can access.

The attackers behind Akira ransomware are known for using double extortion tactics. After encrypting the victim’s files, they threaten to publish the stolen data on the dark web if the ransom is not paid. This tactic adds another layer of pressure to the already stressed-out victims.

Akira ransomware has already caused significant damage, targeting various companies across the world, including a Taiwanese mobile phone manufacturer, a Canadian software development company, and an American e-commerce firm.

Experts warn that this ransomware is particularly dangerous for companies that have weak cybersecurity protocols and are not regularly updating their software. The attackers behind Akira ransomware are always looking for vulnerabilities to exploit, and companies with outdated software are easy targets.

To prevent becoming a victim of Akira ransomware, companies are advised to update their software regularly, use strong passwords, implement multi-factor authentication, and train employees on how to identify and avoid phishing emails.

The rise of Akira ransomware is yet another reminder of the importance of cybersecurity. With cyber threats becoming increasingly sophisticated, it is essential for organizations to take the necessary precautions to protect their valuable data and networks from cybercriminals.


Hackers Breached Accounts of Twilio Users

According to data provided by Twilio, hackers were able to obtain information from "a limited number" of customer accounts through a breach that involved the theft of employee credentials.

On August 4th, a hacker sent SMS messages to Twilio employees asking them to change their passwords or informing them of a change in their schedule. Each message contained a URL that contained phrases like "Twilio," "SSO" (single sign-on), and "Okta," the brand of user authentication service that is employed by numerous businesses. Employees who clicked on the link were taken to a fake Twilio sign-in page, where hackers were able to capture the data they entered.

When the breach was discovered, Twilio worked with US phone providers to shut down the SMS system and also requested that web hosting companies remove the fake sign-in sites. Twilio reports that hackers were still able to switch to different hosting companies and cell carriers in order to continue their assault.

Facebook and Uber are two of the more than 150,000 businesses that use Twilio.

Laurelle Remzi, an official for Twilio, declined to reveal how many customers were impacted or what data the hackers got. According to Twilio's privacy statement, the data it gathers includes addresses, payment information, IP addresses, and, in certain situations, identification documentation. 

The hackers are skilled enough to switch between telco carriers and hosting providers using social engineering lures, according to Twilio, a dominant player in the enterprise communication API market with 26 offices across 17 countries. Twilio classified the situation as ongoing.

The company didn't specify whether the social engineering attacks were successful or whether any MFA (multi-factor authentication) hurdles were encountered by the attacker.

According to Twilio, its security team has terminated access to the hacked employee accounts in order to reduce the effect of the attack and has contacted a third-party forensics company to assist in the investigation.


Microsoft Now Permits IT Administrators to Evaluate and Deactivate Inactive Azure AD users

Azure Active Directory has received a handful of security updates from Microsoft. The company has unveiled, in preview, a new access reviews tool that lets enterprises delete inactive user accounts that may pose a security concern. Customers who created a new Azure AD tenant after October 2019 received security defaults; customers who built Azure AD tenants before October 2019 did not.

According to Microsoft, the Azure AD security defaults are utilized by around 30 million companies today, and the defaults will be rolled out to many more organizations, resulting in the settings protecting 60 million more accounts. IT admins could now terminate Azure AD accounts that haven't signed in for a certain number of days. 

The Azure Active Directory Identity Governance service now includes the new access review feature. It is useful for companies that do not want contractors or former employees to retain access to sensitive data. Azure Active Directory (Azure AD) is Microsoft's cloud service for identity and authentication across on-premises and cloud applications; it is the evolution of Active Directory Domain Services, introduced in Windows 2000.

"The term 'sign-in activity' refers to both interactive and non-interactive sign-in activities. Stale accounts may be automatically removed during the screening process. As a result, your company's security posture increases," Microsoft explained.

According to Alex Weinert, Microsoft's director of identity security, the defaults were implemented for new tenants to ensure that they had "minimum security hygiene," including multi-factor authentication (MFA) and contemporary authentication, independent of the license. He points out that the 30 million firms which have security defaults in place are significantly less vulnerable to intrusions.

This month, Microsoft will send an email to all global admins of qualified Azure AD tenants informing them of security settings. These administrators will receive an Outlook notification from Microsoft in late June, instructing them to "activate security defaults" and warning of "security defaults will be enforced automatically for respective businesses in 14 days." All users in a tenant will be required to register for MFA using the Microsoft Authenticator app after it has been activated. A phone number is also required of global administrators.

Bridgestone USA Allegedly Infiltrated by a LockBit Ransomware Cell

The LockBit ransomware gang claims to have infiltrated Bridgestone Americas' network and stolen data. Bridgestone Americas is a subsidiary of Bridgestone Corporation, a Japanese tire and automobile components manufacturer. It is a conglomerate of companies with more than 50 manufacturing locations and 55,000 people spread across America. If the corporation does not pay the ransom, LockBit operators aim to reveal the private documents by March 15, 2022, 23:59.

Bridgestone began an investigation into "a potential information security incident" on February 27, which was discovered in the morning hours of the same day. The incident remained unknown until recently when the LockBit ransomware gang claimed responsibility for the attack by adding Bridgestone Americas to its list of victims.

LockBit is one of the most active ransomware groups today, demanding significant sums of money in exchange for stolen data. According to a Kaspersky investigation, the gang's LockBit ransomware is self-spreading malware that uses tools like Windows PowerShell and Server Message Block to proliferate throughout an enterprise.

As per Dragos' study, the transportation and food and beverage industries were the second and third most targeted industries, respectively. LockBit is currently threatening Bridgestone with the release of their data.

The examination by the tire company indicated the attacker followed a "pattern of behavior" which is usual in ransomware assaults. Bridgestone went on to say the attacker had taken information from a small number of its systems and had threatened to make the stolen data public.

In a statement, the company said they are "committed to conducting a rapid and definitive inquiry to identify as swiftly as possible what precise data was obtained" from their environment. "The security of our teammates, customers, and partners' information is extremely important to Bridgestone."

Despite the fact that the LockBit ransomware gang has primarily targeted the industrial and manufacturing sectors, ransomware like the one utilized by the gang can still infect your PC.

To prevent ransomware criminals from getting into users' accounts, Kaspersky recommends using strong passwords and enabling multi-factor authentication. The antivirus firm also advised having system-wide backups in case data was lost due to malware infection. Additionally, keeping your system configurations up to date and following all security measures will help you avoid being a ransomware victim, saving you a lot of time and aggravation.

Threat actors are Looking for Ways to Bypass MFA with Evolving Phishing Kits

People have been concerned about information security since the first password was included in the Compatible Time-Sharing System at MIT in 1961. While multi-factor authentication (MFA) did not arrive on the scene until years later, in 1986, with the first RSA tokens, it has recently achieved broad consumer acceptance. According to the annual State of the Auth Report from MFA digital authenticator firm Duo, 78% of respondents had used two/multi-factor authentication (2FA/MFA) in 2021, up from 28% in 2017.

While several organisations, including Duo and RSA, have helped make MFA more widespread and user-friendly, threat actors have not been resting on their laurels: they are attacking MFA directly and looking for ways to circumvent it with evolving phishing kits.

Phishing kits are software created to help threat actors acquire credentials and swiftly capitalise on them. Many of these kits, which are either installed on a dedicated server owned by the threat actor or secretly placed on a compromised server owned by an unlucky victim, can be purchased for less than the price of a cup of coffee.

Proofpoint threat researchers have seen a wide range of MFA phishing kits, from simple open-source kits with human-readable code and no-frills functionality to sophisticated kits with multiple layers of obfuscation and built-in modules that allow for the theft of usernames, passwords, MFA tokens, social security numbers, and credit card numbers. At their heart, these kits use the same credential-harvesting mechanisms as conventional kits that steal only usernames and passwords.

In recent years, Proofpoint researchers have witnessed the introduction of a new type of kit that does not rely on duplicating a target website. Instead, these kits use a transparent reverse proxy to present the victim with the actual website. A reverse proxy is a network application that sits in front of back-end applications and forwards client (e.g., browser) requests to them. Reverse proxies are ordinarily used to improve scalability, performance, resilience, and security.

Modern web pages are dynamic and change constantly. As a result, serving the real site rather than a copy considerably strengthens the impression that the user is logging in safely. Another advantage of a reverse proxy for the attacker is that it places the threat actor in the middle of the session (man-in-the-middle, MitM), capturing not only the username and password but also the session cookie in real time.

In a recent publication, researchers from Stony Brook University and Palo Alto Networks investigated MitM phishing kits and uncovered an industry blind spot. The researchers built Phoca, a machine-learning tool, to scan suspected phishing pages and identify whether they were using a transparent reverse proxy to intercept credentials. They discovered over 1,200 MitM phishing sites.
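The reverse-proxy relay described above is worth seeing end to end, because it also shows which second factor survives it. The script below is an added example, not code from the original post, from Proofpoint or from the Phoca authors. It assumes a constructed relying party at login.example.com, a constructed proxy host login.example-proxy.test, a constructed SMS code, and it stands in an HMAC over a per-credential secret for the authenticator's real public-key signature so that it runs with the standard library only. A code the user types is just a string, so the proxy forwards it unchanged and the relying party accepts it; a FIDO2/WebAuthn assertion is signed over the origin the browser actually loaded, so the same relay fails.

```python
"""Why a transparent reverse-proxy phishing site can relay a password and
an OTP code but not a FIDO2/WebAuthn assertion.

Added example, not code from the original article, Proofpoint or the Phoca
authors. The authenticator's public-key signature is stood in for by an HMAC
over a per-credential secret so the script needs only the standard library;
origins, user data and codes below are constructed."""
import hashlib
import hmac
import json
import os
import secrets

RP_ID = "login.example.com"                         # constructed relying-party ID
LEGIT_ORIGIN = "https://login.example.com"          # origin the RP expects to see
PHISH_ORIGIN = "https://login.example-proxy.test"   # constructed reverse-proxy host

# Relying-party state for one constructed user: an SMS-style code the user is
# expected to type, and one FIDO2 credential (credential ID + toy shared secret).
SMS_CODE = "483920"
CRED_ID, CRED_SECRET = secrets.token_hex(8), os.urandom(32)


def _signed_bytes(client_data: bytes) -> bytes:
    """authenticatorData (reduced here to the RP ID hash) || SHA-256(clientDataJSON)."""
    return hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()


def authenticator_get_assertion(challenge: str, browser_origin: str) -> dict:
    """Browser + authenticator side. The browser writes the origin it actually
    loaded into clientDataJSON and the signature covers that JSON, so the
    authenticator cannot be made to vouch for a different origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True).encode()
    sig = hmac.new(CRED_SECRET, _signed_bytes(client_data), hashlib.sha256).digest()
    return {"credentialId": CRED_ID, "clientDataJSON": client_data, "signature": sig}


def rp_verify_assertion(challenge: str, assertion: dict) -> bool:
    """Relying-party side: origin and challenge inside the signed client data
    must match what the RP expects, then the signature must verify."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:      # the check a MitM proxy cannot satisfy
        return False
    expected = hmac.new(CRED_SECRET, _signed_bytes(assertion["clientDataJSON"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def simulate_login(factor: str, browser_origin: str) -> bool:
    """Run the second-factor step and return whether the RP accepts it.
    `browser_origin` is the origin the victim's browser really loaded; for a
    reverse-proxy phish that is PHISH_ORIGIN, while the RP still receives a
    perfectly normal-looking request because the proxy forwards everything."""
    if factor == "otp":
        typed_code = SMS_CODE          # victim reads the SMS and types it in
        relayed_code = typed_code      # proxy forwards the string unchanged
        return hmac.compare_digest(relayed_code, SMS_CODE)
    if factor == "webauthn":
        challenge = secrets.token_urlsafe(16)                    # issued by the RP
        assertion = authenticator_get_assertion(challenge, browser_origin)
        return rp_verify_assertion(challenge, assertion)         # proxy relays it as-is
    raise ValueError(f"unknown factor {factor!r}")


if __name__ == "__main__":
    for factor in ("otp", "webauthn"):
        for origin in (LEGIT_ORIGIN, PHISH_ORIGIN):
            print(f"{factor:9s} via {origin:36s} -> accepted={simulate_login(factor, origin)}")
```

The origin check in `rp_verify_assertion` is the whole point: a relayed OTP is indistinguishable from a genuine one, whereas the proxied WebAuthn assertion carries the proxy's origin inside the signed data and is rejected, which is why origin-bound factors are the ones usually described as phishing-resistant.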

Attackers use Azure AD to Enroll Outlook on BYOD and then Send Phishing Emails

 

Microsoft has issued a warning about a new multi-stage phishing campaign that first registers an attacker's own device on a corporate network, as an employee's BYOD device would be, and then sends thousands of convincing phishing emails to other targets. Bring your own device (BYOD) refers to the practice of employees connecting to their corporate networks from personal devices to access work-related systems and possibly sensitive or confidential data. Smartphones, personal computers, tablets, and USB drives are examples of personal devices.

According to Microsoft, the goal of enrolling or registering a device on a target company's network was to evade detection during the subsequent phishing attacks. Microsoft said that "most" firms that had activated multi-factor authentication (MFA) for Office 365 were not affected by phishing emails sent from attacker-controlled registered devices, but all organizations that had not implemented MFA were affected.

The attack took advantage of situations in which MFA was not enforced while registering a new device with a company's instance of Microsoft's identity service, Azure Active Directory (Azure AD), or while enrolling a BYOD device in a mobile device management (MDM) platform such as Microsoft's Intune.

"While multiple users within various organizations were compromised in the first wave, the attack did not progress past this stage for the majority of targets as they had MFA enabled. The attack's propagation heavily relied on a lack of MFA protocols," Microsoft said. "Enabling MFA for Office 365 applications or while registering new devices could have disrupted the second stage of the attack chain," it added. 

According to Microsoft, the first wave of the attack targeted firms in Australia, Singapore, Indonesia, and Thailand. The first stage used a DocuSign-branded phishing email that asked the recipient to review and sign the document. It made use of phishing domains with the .xyz top-level domain (TLD). The phishing link in each email was also unique and included the target's name in the URL. Victims were routed to a bogus Office 365 login page by the phishing link. 

In the second phase, the attackers installed Microsoft's Outlook email client on their own Windows 10 PC, which was then successfully connected to the victim's Azure AD. All the attackers had to do was accept Outlook's onboarding experience, which encourages the user to register a device. In this situation, the attackers were using credentials obtained in phase one. 

Certain practices, according to Microsoft researchers, can limit an attacker's ability to move laterally and compromise assets after the initial intrusion and should be supplemented with advanced security solutions that provide visibility across domains and coordinate threat data across protection components. Organizations can further limit their attack surface by removing basic authentication, mandating multi-factor authentication when adding devices to Azure AD, and enabling multi-factor authentication for all users.
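The enabling condition of this campaign, a device registration completed with a single factor, is visible in Azure AD sign-in data, and a short hunting script makes the point concrete. The script below is an added example, not Microsoft's code or a product rule. It assumes record fields named as in the Microsoft Graph `signIn` resource (userPrincipalName, appDisplayName, resourceDisplayName, authenticationRequirement, ipAddress, createdDateTime) and that device registration shows up with the resource name "Device Registration Service"; the records, users and addresses are constructed.

```python
"""Hunt for device registrations that completed with only one factor, and
raise the severity when the source address had never been seen for that
user. Added example, not Microsoft's code. Field names follow the Microsoft
Graph `signIn` resource; all records below are constructed."""
from collections import defaultdict

DEVICE_REG = "Device Registration Service"     # resource seen when a device is registered
SINGLE_FACTOR = "singleFactorAuthentication"   # authenticationRequirement value

# Constructed sample sign-ins (any order; the detector sorts by time).
SAMPLE_SIGNINS = [
    # alice's normal mailbox sign-in with MFA from her usual address
    {"createdDateTime": "2022-01-24T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Outlook", "resourceDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "203.0.113.10"},
    # carol's normal sign-in, single factor (no MFA policy applies to her)
    {"createdDateTime": "2022-01-25T07:30:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Outlook", "resourceDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": SINGLE_FACTOR, "ipAddress": "203.0.113.20"},
    # a device registered as alice, single factor, from an address never seen for her
    {"createdDateTime": "2022-01-26T09:12:03Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "resourceDisplayName": DEVICE_REG,
     "authenticationRequirement": SINGLE_FACTOR, "ipAddress": "198.51.100.77"},
    # bob registers a device with MFA: expected behaviour, no finding
    {"createdDateTime": "2022-01-26T10:40:55Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Office", "resourceDisplayName": DEVICE_REG,
     "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "198.51.100.78"},
    # carol registers a device without MFA, but from her known address
    {"createdDateTime": "2022-01-27T07:31:00Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Office", "resourceDisplayName": DEVICE_REG,
     "authenticationRequirement": SINGLE_FACTOR, "ipAddress": "203.0.113.20"},
]


def find_unprotected_registrations(signins):
    """One finding per device registration done with a single factor.
    Severity is 'high' when the source IP had not appeared in any earlier
    sign-in by that user, 'medium' otherwise."""
    seen_ips = defaultdict(set)
    findings = []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        is_registration = rec.get("resourceDisplayName") == DEVICE_REG
        if is_registration and rec.get("authenticationRequirement") == SINGLE_FACTOR:
            new_ip = ip not in seen_ips[user]
            findings.append({
                "user": user, "ip": ip, "when": rec["createdDateTime"],
                "severity": "high" if new_ip else "medium",
                "reason": "device registered without MFA"
                          + (" from a previously unseen IP" if new_ip else ""),
            })
        seen_ips[user].add(ip)
    return findings


def users_without_mfa_enforced(signins):
    """Users who completed any sign-in with a single factor: the population the
    'require MFA for device registration' and per-user MFA policies should cover."""
    return sorted({r["userPrincipalName"] for r in signins
                   if r.get("authenticationRequirement") == SINGLE_FACTOR})


if __name__ == "__main__":
    for f in find_unprotected_registrations(SAMPLE_SIGNINS):
        print(f"[{f['severity']:6s}] {f['when']} {f['user']} from {f['ip']}: {f['reason']}")
    print("single-factor users:", users_without_mfa_enforced(SAMPLE_SIGNINS))
```

Run against a real export the first function tells you which registrations to examine and the second which accounts the Conditional Access gap applies to; both together are a quick way to measure how far the "mandate MFA when adding devices" recommendation above has actually been rolled out.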

A Breach on Multi-Factor Authentication Leads to a Box Account Takeover

 



According to new research from Varonis, a vulnerability in Box's implementation of multi-factor authentication (MFA) allows attackers to take over accounts without having access to the victim's phone. Because of the flaw, which was patched in November 2021, an attacker just needed stolen credentials to get access to a company's Box account and steal sensitive information if SMS-based MFA was activated. Users without Single Sign-On (SSO) can further secure their accounts using an authenticator app or SMS for second-factor authentication, according to Box, which says that close to 100,000 firms utilize its platform.

How Does SMS Verification Work in Box?

After providing a username and password in Box's login form, the user is redirected to one of two pages:
  • If the user is enrolled with an authenticator app, a form to enter a time-based one-time password (TOTP).
  • If the user has opted to receive a passcode via SMS, a form to enter an SMS code.

A code is delivered to the user's phone when they reach the SMS verification form, and they must enter this code to gain access to their Box.com account.

When a user attempts to log into a Box account, the platform sets a session cookie and redirects to a page where they must enter a time-based one-time password (TOTP) from an authenticator app (at /mfa/verification) or an SMS code (at /2fa/verification). When a user adds an authenticator app to their account, Box assigns it a factor ID, and the user must enter a one-time password issued by the app in addition to their credentials when logging in.

Researchers from Varonis revealed that an attacker could circumvent MFA for accounts with SMS-based MFA enabled by abandoning the SMS-based verification step and instead starting the TOTP-based flow. By mixing the two MFA modes, the attacker could gain access to the victim's account by supplying a factor ID and code from a Box account and authenticator app that the attacker controls.
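The class of bug just described is a missing binding between the half-open session and the factor being verified, and it is easiest to see with the vulnerable check next to the hardened one. The script below is an added example and is not Box's code: the endpoint names /2fa/verification and /mfa/verification are only borrowed from the article's description of the flow, while the accounts, factor IDs, secrets and the single constructed password are all made up. TOTP is computed per RFC 6238 with HMAC-SHA1, as authenticator apps do by default.

```python
"""Toy MFA service showing the flaw class described above: a TOTP step that
accepts any valid factor instead of the factor enrolled for the account being
logged into, beside a fixed version that binds the factor to the session.
Added example, not Box's code; accounts, factor IDs and secrets are constructed."""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the default of most authenticator apps)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


# Constructed accounts; each has exactly one second factor enrolled.
ACCOUNTS = {
    "victim@example.com":   {"mfa": "sms",  "factor_id": "sms-001"},
    "attacker@example.com": {"mfa": "totp", "factor_id": "totp-777"},
}
# Authenticator-app factors the service has issued, keyed by factor ID.
TOTP_FACTORS = {
    "totp-777": {"owner": "attacker@example.com", "secret": b"attacker-app-seed"},
}
CONSTRUCTED_PASSWORD = "correct-password"   # one toy password for every account


class Session:
    """State after the password step: who logged in and which factor is pending."""
    def __init__(self, user: str):
        self.user = user
        # "sms" -> /2fa/verification, "totp" -> /mfa/verification
        self.mfa_pending = ACCOUNTS[user]["mfa"]
        self.authenticated = False


def password_login(user: str, password: str):
    """Password step; returns the half-open session or None."""
    if user in ACCOUNTS and hmac.compare_digest(password, CONSTRUCTED_PASSWORD):
        return Session(user)
    return None


def mfa_verification_flawed(session: Session, factor_id: str, code: str, now: int) -> bool:
    """/mfa/verification as the article describes the flaw: the submitted factor
    ID and code are checked for validity, but never for belonging to session.user,
    and nobody checks that this user is even enrolled for TOTP."""
    f = TOTP_FACTORS.get(factor_id)
    if f and hmac.compare_digest(totp(f["secret"], now), code):
        session.authenticated = True
    return session.authenticated


def mfa_verification_fixed(session: Session, factor_id: str, code: str, now: int) -> bool:
    """Hardened: the factor must be the one enrolled for this session's user, it
    must be owned by that user, and the pending factor type must match the
    endpoint being used, so the SMS and TOTP flows cannot be mixed."""
    acct = ACCOUNTS[session.user]
    if session.mfa_pending != "totp" or acct["factor_id"] != factor_id:
        return False
    f = TOTP_FACTORS.get(factor_id)
    if f is None or f["owner"] != session.user:
        return False
    if hmac.compare_digest(totp(f["secret"], now), code):
        session.authenticated = True
    return session.authenticated


if __name__ == "__main__":
    now = 1_700_000_000
    own_code = totp(TOTP_FACTORS["totp-777"]["secret"], now)
    s = password_login("victim@example.com", CONSTRUCTED_PASSWORD)
    print("flawed check, SMS user + foreign factor:", mfa_verification_flawed(s, "totp-777", own_code, now))
    s = password_login("victim@example.com", CONSTRUCTED_PASSWORD)
    print("fixed check,  SMS user + foreign factor:", mfa_verification_fixed(s, "totp-777", own_code, now))
```

The fix is two lines of state checking, which is the lesson: second-factor verification must be keyed by the identity established in the first step, not by whatever factor identifier arrives in the request.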

Against the backdrop of all the talk about mandatory MFA from firms like Salesforce and Google, as well as a White House executive order, it is worth emphasizing that MFA implementations, like any other software, are prone to flaws. MFA can give a false impression of security: the fact that MFA is enabled does not mean an attacker necessarily needs physical access to a victim's device to compromise their account.

Android Banking Malware Spreads Using a Bogus Google Play Store Website

 

An Android banking trojan aimed at Itaú Unibanco is using an unusual technique to spread to devices: the actors created a page that looks remarkably similar to Android's official Google Play app store in order to deceive visitors into thinking they are installing the software from a reliable source. The trojan poses as Itaú Unibanco's official banking app and uses the same icon as the legitimate app.

Banco Itaú Unibanco S.A. is a Brazilian financial services firm based in São Paulo. Founded in 2008 by the merging of Banco Itaú and Unibanco, Itaú Unibanco is the largest bank in Brazil, as well as the largest in Latin America and the Southern Hemisphere, and the world's 71st largest bank. It is also one of the world's twenty most valuable banks. It has approximately 33,000 service sites worldwide, 3,527 of which are in Brazil, as well as around 28,000 ATMs and 55 million customers. 

When the user clicks on the "Install" button, they are prompted to download the APK, which is the first indication of fraud. Google Play Store apps are always installed through the store interface, never requiring the user to manually download and install programmes. Cyble researchers examined the malware and discovered that when it is executed, it attempts to launch the genuine Itaú app from the Google Play Store. If that is successful, it will utilize the actual app to carry out fraudulent transactions by modifying the user's input fields.

During installation, the software does not request any dangerous permissions, which helps it avoid being flagged as suspicious or risky by AV tools. Instead, it intends to use the Accessibility Service, which is all that mobile malware needs to overcome the security controls on Android systems. According to recent research by Security Research Labs, "we are currently dealing with an Android malware Accessibility abuse epidemic, and Google has failed to patch the targeted flaw." As a result, only the user has the ability to detect indicators of abuse and stop the infection before it has a chance to harm the device.

According to the researchers, if you want to enjoy the ease of mobile e-banking, download the app from the bank's official website or the Google Play Store. Furthermore, apply app updates as soon as they become available, and utilize an AV tool from a reliable vendor. Use a strong password and enable multi-factor authentication on the app to ensure optimal account security.

Proofpoint Phish Harvests Credentials from Microsoft Office 365 and Google Email

 

Phishers are posing as Proofpoint, a cybersecurity company, in order to steal victims' Microsoft Office 365 and Google email credentials. According to Armorblox analysts, one such effort was launched against an undisclosed global communications business, with roughly a thousand personnel targeted solely within that company. 

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.” 

The email's bait was a file apparently related to mortgage payments. The subject line, "Re: Payoff Request," was designed to trick targets into thinking it was part of an ongoing conversation, lending legitimacy to the proceedings while also adding urgency. Users who clicked the "secure" link embedded in the message were led to a splash page with Proofpoint branding and spoofed login buttons.

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Researchers discovered another phishing campaign that appears to be abusing an Amazon service called Amazon Simple Email Service (SES), which allows developers to send email messages from their apps. According to Kaspersky, the campaign was based on a now-revoked stolen SES token used by a third-party contractor during the testing of the website 2050.earth. The 2050.earth website is a Kaspersky initiative that includes an interactive map depicting the future impact of technology on the Earth, as predicted by futurologists. Because the 2050.earth site is housed on Amazon's infrastructure, the stolen SES token is linked to Kaspersky and SES. 

Noreply@sm.kaspersky.com is one of the sender addresses used in these emails. The security alert cautioned that they come from a variety of sources, including Amazon Web Services infrastructure. The stolen SES token was only utilized in a restricted way, according to the company, as part of a larger campaign that targeted many brands. 

Attacks like these combine social engineering, brand impersonation, and the use of genuine infrastructure to get past typical email security filters and users' visual checks. Armorblox made the following suggestions to protect against similar campaigns:

 • Be wary of social engineering: Before opening an email, users should perform a visual inspection that involves looking at the sender's name, email address, language, and any logical flaws. 

 • Improve password hygiene: Implement multi-factor authentication (MFA) on all potential corporate and personal accounts, avoid the usage of the same password across several sites/accounts, and avoid passwords that are linked to publicly available data.

Thousands of Coinbase Clients were Robbed due to an MFA Flaw

 

After exploiting a vulnerability in Coinbase's SMS multi-factor authentication security mechanism, a threat actor stole cryptocurrency from 6,000 customers, according to the firm. A threat actor executed a hacking campaign between March and May 20th, 2021 to penetrate Coinbase customer accounts and steal cryptocurrency, according to a warning given to impacted consumers this week. 

According to the US-based exchange, which has roughly 68 million customers in over 100 countries, the hackers apparently needed to know the user's email address, password, and phone number, as well as have access to their email account. It's unclear how the hackers got their hands on that information.

"In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase's SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account," Coinbase told customers in electronic notifications. 

Customers' personal information was exposed as well, according to the report, "including their complete name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances."

According to Coinbase, a flaw in their SMS account recovery process allowed hackers to acquire access to the SMS two-factor authentication token required to access a secured account. Coinbase claims to have updated the "SMS Account Recovery protocols" after learning of the incident, preventing any further bypassing of SMS multi-factor authentication. 

Because the Coinbase bug allowed threat actors to gain access to accounts that were thought to be secure, the exchange is depositing funds in affected accounts equal to the stolen amount. 

"We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost," promised Coinbase. It's unclear whether Coinbase will credit hacked users with the stolen cryptocurrency or fiat currency. If fiat currency is used, it may result in a taxable event for the victims if their profits increase. 

Coinbase recommends implementing multi-factor authentication (MFA) with security keys, Time-based One-Time Passwords (TOTP) with an authenticator app, or SMS text messages as a last resort in their account security guide.

Kerberos Authentication Spoofing: A Quick Look

 

Since authentication is the first line of defence for security systems, a threat actor who gets past it can do more or less whatever they want. Threat actors can log in as administrators and change configurations, gain access to protected resources, and take control of appliances in order to steal sensitive data.

Silverfort discovered that all four security systems they examined – Cisco ASA, F5 Big-IP, IBM QRadar, and Palo Alto Networks PAN-OS – were vulnerable to bypass vulnerabilities due to the way they implemented the Kerberos and LDAP authentication protocols. 

Kerberos was first introduced by Microsoft in Windows 2000. It's also become the industry standard for websites and Single-Sign-On implementations on a variety of platforms. Kerberos is an open-source project maintained by the Kerberos Consortium. Microsoft Windows presently uses Kerberos authentication as its default authorization method, and Kerberos implementations are available for Apple OS, FreeBSD, UNIX, and Linux. 

The Kerberos authentication protocol works as follows:

 • The client asks the Key Distribution Center (KDC) for an authentication ticket, the ticket-granting ticket (TGT).

 • The KDC checks the credentials and returns an encrypted TGT as well as a session key.

 • The TGT is encrypted with the Ticket Granting Service (TGS) secret key.

 • The client keeps the TGT and, when it expires, the local session manager requests another one (this process is transparent to the user).

In the four security systems mentioned above, Kerberos can be configured without its SSO capabilities. Instead, when logging in, the user is asked for a username and password, and the system then requests a TGT on the user's behalf. To put it another way, the security system acts as both the Kerberos client and the server. If the Client/Server exchange, in which the system obtains and verifies a ticket for itself, is skipped, a KDC spoofing vulnerability can arise.
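The difference between "the AS-REP decrypts with the typed password" and "a ticket for this service verifies with our own keytab" is the whole vulnerability, so it is useful to model both checks side by side. The script below is an added example, not Silverfort's or F5's code. It assumes a constructed realm with one user and one service (a VPN appliance holding a keytab), stands in HMAC-SHA256 sealing (integrity only) for real Kerberos encryption, and uses a plain hash in place of Kerberos string-to-key; the rogue KDC is a simulation of the failure mode, reachable only through the function calls shown.

```python
"""Toy model of the Kerberos AS and TGS exchanges, showing why a system that
authenticates users only by checking whether the AS-REP decrypts with the
supplied password is open to KDC spoofing, and why also obtaining a ticket
for itself and checking it with its own keytab key closes the gap.

Added example, not Silverfort's or F5's code. Tickets are sealed with
HMAC-SHA256 (integrity only) instead of real Kerberos encryption, key
derivation is a plain hash rather than string-to-key, and the realm, user
and service below are constructed."""
import hashlib
import hmac
import json
import os


def k(password: str) -> bytes:
    """Toy string-to-key: derive a long-term key from a password."""
    return hashlib.sha256(password.encode()).digest()


def seal(key: bytes, payload: dict) -> dict:
    """Stand-in for Kerberos encryption: payload plus an HMAC tag under `key`."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, blob):
    """Return the payload if the tag verifies under `key`, otherwise None."""
    if blob is None:
        return None
    tag = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(blob["body"]) if hmac.compare_digest(tag, blob["tag"]) else None


class HonestKDC:
    """Holds every principal's long-term key plus the TGS (krbtgt) key."""
    def __init__(self, users: dict, services: dict):
        self.users, self.services = users, services
        self.krbtgt_key = os.urandom(32)

    def as_req(self, user: str):
        """AS exchange (steps 1-3 above): the TGT sealed with the TGS key and the
        session key sealed with the user's key. Returns (tgt, enc_part)."""
        if user not in self.users:
            return None, None
        session_key = os.urandom(16).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "sk": session_key})
        return tgt, seal(self.users[user], {"sk": session_key})

    def tgs_req(self, tgt, service: str):
        """TGS exchange: a service ticket sealed with that service's long-term key."""
        t = unseal(self.krbtgt_key, tgt)
        if t is None or service not in self.services:
            return None
        return seal(self.services[service], {"user": t["user"], "sk": t["sk"]})


class RogueKDC:
    """Simulated impostor answering in place of the real KDC. It knows the
    password typed at the login prompt only because whoever typed it chose it;
    it holds none of the realm's real keys, in particular no service keytab."""
    def __init__(self, typed_password: str):
        self.user_key = k(typed_password)

    def as_req(self, user: str):
        return seal(os.urandom(32), {"user": user}), seal(self.user_key, {"sk": "bogus"})

    def tgs_req(self, tgt, service: str):
        return seal(os.urandom(32), {"user": "anyone", "sk": "bogus"})


def naive_validate(kdc, user: str, password: str) -> bool:
    """The check the affected products relied on: accept if the AS-REP's
    encrypted part opens with the key derived from the typed password."""
    _, enc_part = kdc.as_req(user)
    return unseal(k(password), enc_part) is not None


def hardened_validate(kdc, user: str, password: str, service: str, keytab_key: bytes) -> bool:
    """Same check, then the Client/Server step: request a ticket for this very
    service and verify it with the keytab key only the real KDC shares."""
    tgt, enc_part = kdc.as_req(user)
    client_part = unseal(k(password), enc_part)
    if client_part is None:
        return False
    ticket = unseal(keytab_key, kdc.tgs_req(tgt, service))
    return ticket is not None and ticket["user"] == user and ticket["sk"] == client_part["sk"]


# Constructed realm: one user and one service (a VPN appliance with a keytab).
USER_PASSWORD = "correct horse battery staple"
VPN_KEYTAB_KEY = k("vpn-keytab-secret-constructed")
KDC = HonestKDC(users={"alice": k(USER_PASSWORD)}, services={"vpn": VPN_KEYTAB_KEY})

if __name__ == "__main__":
    rogue = RogueKDC("anything-at-all")
    print("honest KDC, right password  -> naive:", naive_validate(KDC, "alice", USER_PASSWORD),
          "hardened:", hardened_validate(KDC, "alice", USER_PASSWORD, "vpn", VPN_KEYTAB_KEY))
    print("rogue KDC, made-up password -> naive:", naive_validate(rogue, "alice", "anything-at-all"),
          "hardened:", hardened_validate(rogue, "alice", "anything-at-all", "vpn", VPN_KEYTAB_KEY))
```

The hardened path is what a correctly configured PAM or appliance Kerberos client does when it is given a keytab: the service ticket is the only artifact a KDC cannot produce without the service's own key, which is exactly why the mitigation F5 suggested, an IPsec tunnel to the domain controllers, aims at the same trust gap from the network side.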

The KDC spoofing vulnerability allows an attacker to bypass Kerberos authentication in BIG-IP Access Policy Manager (APM), break security restrictions, and obtain unrestricted access to sensitive workloads. Silverfort security researchers Yaron Kassner and Rotem Zach discussed it in a report.

F5 Networks released BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3, which include a security patch for this vulnerability (CVE-2021-23008, CVSS score 8.1). The company also suggested multi-factor authentication (MFA) or an IPsec tunnel between the affected BIG-IP APM system and the Active Directory servers as mitigations.

Virtual Wallet Users are Being Scammed

 

People are carrying less cash as technology advances, preferring to use debit cards, credit cards, and smartphone payment apps instead. Although using virtual wallets like Venmo, PayPal, and Cash App is easy and becoming more common, there is a risk of being scammed by someone who does not appear to be who they claim to be. Virtual wallets are applications that you can download on your Android or iPhone to make it simple to send and receive money from friends, relatives, and other people. To move money, these apps are connected to a bank account. 

Scammers are always on the lookout for their next victim, and these apps provide them with an ideal opportunity to defraud people of their hard-earned money. Fraudsters have devised a number of strategies for intercepting payments or convincing app users to pay them directly. 

Last year, the Better Business Bureau reported on a new scheme in which con artists send messages requesting the return of unintended payments after making deposits into their victims' accounts. 

When the victim checks their account and discovers these transfers, which were made with stolen credit cards, they refund the funds, by which point the scammer has replaced the stolen credit card credentials with their own. The money is then sent to the fraudster, and the victim is held responsible until the owner of the stolen card files restitution claims. 

In contrast to Cash App and Venmo, PayPal is the oldest form of virtual wallet. In a PayPal scam, the scammer asks a seller to send the things he or she "bought" to a particular address. They discover that the address is invalid after the scammer "pays" for the item and the seller sends the package, but it's too late. 

If the shipping company is unable to locate the address, the item will be marked as undeliverable. The scammer would then contact the shipping company and provide a new address in order to accept the package while claiming they did not receive it. 

The scammer would then collect the item and file a complaint with PayPal claiming that the item was never delivered. PayPal will refund the money charged to the scammer because the buyer has no evidence that the item was shipped. As a result, the seller loses both money and goods to the con artist. 

App developers should take action to protect their users from these types of scams. Multifactor authentication and secondary confirmation, such as emailed security codes, are examples of these safeguards. According to Microsoft research, multifactor authentication will prevent 99.9% of fraud attempts involving compromised login credentials.

GitHub Announced Security Key Support for SSH Git Operations

 

GitHub, the ubiquitous host for software development and version control (and the unfortunate target of a relentless stream of attacks aimed at that very role), now supports security keys for Git operations over SSH.

GitHub security engineer Kevin Jones said in a blog post on Monday that this is the next step in improving security and usability. These portable FIDO2 fobs are used for SSH authentication to protect Git operations and avoid the havoc that can occur when private keys are misplaced or stolen, or when malware attempts to execute requests without user permission. For instance, in 2019, the TrickBot data-stealing malware was updated to include a password grabber that could steal data from OpenSSH applications.

These security keys, which include the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are easy to carry in your pocket and attach to computers via USB, NFC, or Bluetooth. They can be used instead of one-time passwords generated by apps or sent via SMS; codes sent via SMS can be intercepted.

Strong passwords are still relevant, but because of the proliferation of data breaches and cyberattacks, they are becoming less useful as a single security mechanism, prompting the development of password managers that often check for credential leakage online, biometrics, and security keys. 

"We recognize that passwords are convenient, but they are a consistent source of account security challenges," Jones commented. "We believe passwords represent the present and past, but not the future. By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain." 

Since security keys are one of the factors in multi-factor authentication (MFA), users should treat them with the same care as any other credential. It is fine to leave your security key plugged in if you are the only person with access to it. “When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.”

When you use a security key, neither ransomware nor unintended private-key leakage will reveal your keys, he said: “As long as you retain access to the security key, you can be confident that it can’t be used by anyone else for any other purpose.”