
Securing Service Accounts to Prevent Kerberoasting in Active Directory

 


Active Directory (AD) remains the cornerstone of identity and access management in enterprise IT. For decades it has handled centralised authentication and authorisation, enabling organisations to manage users, devices, applications, and services across complex networked environments.

That long history and critical role, together with the architecture and accumulated technical debt that come with it, have made AD a popular target for cyber adversaries. Threat actors use many attack vectors to achieve their objectives, but Kerberoasting is one of the most commonly observed and effective techniques among them.

Kerberoasting is a post-exploitation technique that lets an attacker extract and crack service account credentials from an Active Directory environment. It abuses an inherent weakness in the way the Kerberos authentication protocol issues service tickets. Kerberos itself is a trusted protocol created to verify identities securely across potentially untrusted networks such as the Internet.

The name is a play on words: adversaries "roast" Kerberos service tickets offline to expose the secrets they protect. An attacker who has already gained a foothold on the network, typically by compromising a low-privileged account, then uses entirely legitimate Kerberos functionality to carry out the attack.

When the attacker requests service tickets for specific service principal names, the Key Distribution Center (KDC) returns tickets encrypted with a key derived from the service account's password hash. Once exported, these tickets can be subjected to offline brute-force or dictionary attacks that trigger no immediate alarms in the environment. If the service account's password is weak or guessable, the attacker recovers it in clear text and can use it to move laterally, escalate privileges, or exfiltrate sensitive information.

What makes Kerberoasting so dangerous is its stealth and efficiency: it requires no elevated privileges to execute, and it can be carried out with built-in tools or widely available open-source tooling. Even where an organisation has hardened account privileges and enforced strict access controls, a single poorly configured or insecure service account is all it takes to reach full domain compromise.

Combating such attacks therefore requires proactive detection, robust credential hygiene, and thorough security monitoring as essential components. Kerberoasting exploits inherent weaknesses in the Kerberos authentication protocol, specifically in the way service principal names (SPNs) are managed within Active Directory. By abusing these mechanisms, attackers extract encrypted service tickets from memory, brute-force them offline, and eventually recover the plaintext credentials of the corresponding service accounts.

Without proper mitigation, this method often leads to lateral movement, privilege escalation, and full compromise of the domain. As attackers continue to refine their tools and techniques, it is becoming increasingly difficult for organisations to identify, prevent, and remediate such threats.

Defenders must understand the technical aspects of Kerberoasting and implement targeted defences if they want to preserve the integrity of their Active Directory environment. The attack is particularly effective where insecure configurations, weak service account passwords, and outdated encryption algorithms such as RC4 remain common, as they tend to in legacy Active Directory environments.

Because these attacks use standard Kerberos functionality, they remain difficult to detect with traditional security monitoring tools. Once an actor holds a valid domain user account, regardless of its privilege level, they can begin orchestrating the attack with readily available tools and built-in system commands.

The first step is to identify Active Directory accounts that have Service Principal Names (SPNs) registered. An SPN ties an account to a specific service on the network. Attackers commonly enumerate these accounts with reconnaissance tools such as GetUserSPNs.py, developed by SecureAuth Corporation, or Rubeus, developed by GhostPack.

After identifying the service accounts, the attacker requests a service ticket (TGS) from the Kerberos Key Distribution Centre (KDC) for one or more of them. The KDC generates a TGS ticket encrypted with a key derived from the target service account's password hash. The attacker harvests this ticket and takes it offline, since that encryption is the only thing standing between them and the password.

Because the encryption key depends on the password hash, the attacker can recover the plaintext password with an offline brute-force or dictionary attack, using tools such as Hashcat or John the Ripper. Since this stage takes place entirely offline, the attacker can work undetected and at their own pace.

Once the service account's password is cracked, the attacker holds a legitimate set of credentials and can authenticate as that account, gaining unauthorised access to every service and system tied to it. Depending on the permissions and scope of the service account, the attacker may then escalate privileges, exfiltrate sensitive data, manipulate systems, or establish persistence mechanisms for later use.

The attack path highlights the importance of ensuring robust password policies are implemented, service account privileges are limited, and legacy cryptographic protocols are eliminated in order to minimise the risk of Kerberoasting and other credential-based attacks. It is important for organisations to develop a dynamic and layered defence strategy in order to reduce the attack surface and enhance the overall resilience of their Active Directory (AD) environments as Kerberoasting tactics continue to evolve. 

Mitigating this threat requires technical controls, architectural awareness, and ongoing testing of security practices. A particularly effective approach combines a thorough understanding of Kerberos authentication mechanisms with hardened service account configurations and advanced detection capabilities.

Strong password policies must be enforced for all service accounts, especially those with registered Service Principal Names (SPNs). Long, complex, regularly rotated passwords reduce the likelihood that an offline cracking attempt succeeds. In addition, minimising the privileges assigned to service accounts, so that they operate under the principle of least privilege, considerably reduces the impact of a compromised credential.

Detecting Kerberoasting activity is just as important as prevention, and it depends on visibility and situational awareness. Because the attack relies on legitimate Kerberos functionality, conventional detection methods may not be effective. Organisations should therefore deploy monitoring capable of identifying anomalous Kerberos ticket request patterns or excessive SPN enumeration that may indicate an attack in progress.

Security Information and Event Management (SIEM) systems, enhanced with behavioural analytics, play a crucial role in highlighting such anomalies. Organisations should also perform regular automated penetration testing and red teaming exercises, simulating real-world attacks to validate the effectiveness of their security controls.
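As an added illustration of the kind of detection logic the two paragraphs above call for (this is not code from the original post), here is a small Python check over constructed Windows Security Event ID 4769 records. It flags one account requesting tickets for many distinct service accounts within a short window, the hallmark of mass ticket harvesting, and separately flags tickets issued with RC4 (TicketEncryptionType 0x17), which are the cheapest to crack offline. The account names, service names, addresses, the five-minute window and the threshold of five distinct services are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4769 ("A Kerberos service
# ticket was requested") records, reduced to the fields a detection needs.
# Real events would come from a SIEM or Windows Event Forwarding; every value
# here (accounts, services, addresses) is invented for the example.
# Field order: timestamp, requesting account, service account,
#              TicketEncryptionType, client IP
SAMPLE_4769 = [
    ("2024-01-15T09:00:01", "alice@CORP.LOCAL", "FILESRV01$",   "0x12", "10.0.0.21"),
    ("2024-01-15T09:00:05", "alice@CORP.LOCAL", "svc_sql",      "0x12", "10.0.0.21"),
    ("2024-01-15T09:41:10", "bob@CORP.LOCAL",   "svc_sql",      "0x17", "10.0.0.44"),
    ("2024-01-15T09:41:11", "bob@CORP.LOCAL",   "svc_web",      "0x17", "10.0.0.44"),
    ("2024-01-15T09:41:11", "bob@CORP.LOCAL",   "svc_backup",   "0x17", "10.0.0.44"),
    ("2024-01-15T09:41:12", "bob@CORP.LOCAL",   "svc_sccm",     "0x17", "10.0.0.44"),
    ("2024-01-15T09:41:12", "bob@CORP.LOCAL",   "svc_exchange", "0x17", "10.0.0.44"),
    ("2024-01-15T09:41:13", "bob@CORP.LOCAL",   "svc_report",   "0x17", "10.0.0.44"),
    ("2024-01-15T11:02:00", "carol@CORP.LOCAL", "svc_legacy",   "0x17", "10.0.0.9"),
]

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; 0x11/0x12 are AES128/AES256


def find_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=5):
    """Return two independent signals from a batch of 4769 events.

    bursts: accounts that requested tickets for at least `threshold` distinct
            service accounts inside one `window` (mass TGS harvesting);
    rc4_tickets: every ticket issued with RC4, the cheapest type to crack.

    Machine accounts (names ending in '$') are excluded from the burst count:
    their passwords are long and random, so attackers target user accounts
    with SPNs, whose passwords are chosen by humans.
    """
    requests_by_user = defaultdict(list)
    rc4_tickets = []
    for ts, user, service, etype, ip in events:
        when = datetime.fromisoformat(ts)
        if etype == RC4_HMAC:
            rc4_tickets.append((user, service, ip))
        if not service.endswith("$"):
            requests_by_user[user].append((when, service))

    bursts = []
    for user, reqs in requests_by_user.items():
        reqs.sort()
        # Slide the window forward from each request; report the first hit.
        for i, (start, _) in enumerate(reqs):
            services = {svc for when, svc in reqs[i:] if when - start <= window}
            if len(services) >= threshold:
                bursts.append({"user": user,
                               "distinct_services": len(services),
                               "window_start": start.isoformat()})
                break
    return {"bursts": bursts, "rc4_tickets": rc4_tickets}


if __name__ == "__main__":
    result = find_kerberoast_candidates(SAMPLE_4769)
    for b in result["bursts"]:
        print(f"ALERT burst: {b['user']} requested {b['distinct_services']} "
              f"distinct service tickets from {b['window_start']}")
    for user, service, ip in result["rc4_tickets"]:
        print(f"WARN rc4: {user} from {ip} received an RC4 ticket for {service}")
```

On the sample, the burst rule fires once (bob, six distinct services within seconds) and the RC4 rule reports seven tickets. Tune the window and threshold to your environment: a backup or monitoring account that legitimately touches many services should be allow-listed rather than left to generate noise, and a single RC4 ticket is a hygiene finding for the service account's encryption settings, not by itself evidence of an attack.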

These assessments help organisations keep pace with emerging technologies and develop more effective incident response strategies. Kerberos security is ultimately determined by an organisation's ability to maintain visibility into its environment, enforce strict account hygiene, and adjust its defences as threats evolve.

Building an AD infrastructure that is resilient against Kerberoasting and other credential-based attacks means combining preventative measures with continuous monitoring and testing. It also requires a shift from reactive defences to a proactive, security-by-design approach.

The task is much greater than applying patchwork fixes, as it also involves reevaluating how service accounts are managed, monitored, and secured over the course of their lifecycle as a whole. In reality, every service account, particularly one with elevated privileges or access to critical systems, should be treated as a high-value asset and be overseen by strict provisioning and auditing processes through automated auditing tools as well as periodic re-evaluations of credentials. 

A transition away from legacy authentication mechanisms towards modern alternatives, including Group Managed Service Accounts (gMSAs), tiered access models, and Just-in-Time (JIT) access, significantly reduces exposure without affecting operational performance. Security teams should also continuously educate themselves and their organisations on how adversaries are changing their tactics.
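As an added example (not part of the original post) of turning the hardening advice in this article into a repeatable check, the following Python audit walks a constructed inventory of SPN-bearing accounts and reports the conditions the text warns about: RC4 or DES still enabled, or the msDS-SupportedEncryptionTypes attribute left unset, a password that has not been rotated within a year, and membership of a privileged group. Accounts that are gMSAs are exempt from the password-age check because AD rotates their passwords automatically. The inventory, the one-year threshold and the privileged group list are assumptions; in a real environment the inventory would be built from an LDAP query for objects with a servicePrincipalName plus their group membership.

```python
from datetime import datetime, timedelta

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
WEAK_ENC_TYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC

# Assumed list of groups whose membership makes a service account high-value.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators"}

NOW = datetime(2024, 1, 15)

# Constructed inventory of accounts with SPNs registered. Names, SPNs, dates
# and group memberships are invented for the example.
SAMPLE_ACCOUNTS = [
    {"name": "svc_sql", "spns": ["MSSQLSvc/db01.corp.local:1433"],
     "enc_types": RC4_HMAC, "pwd_last_set": NOW - timedelta(days=1200),
     "groups": ["Domain Admins"], "is_gmsa": False},
    {"name": "svc_web", "spns": ["HTTP/web01.corp.local"],
     "enc_types": AES128 | AES256, "pwd_last_set": NOW - timedelta(days=30),
     "groups": ["Domain Users"], "is_gmsa": False},
    {"name": "gmsa_backup$", "spns": ["backup/bk01.corp.local"],
     "enc_types": AES128 | AES256, "pwd_last_set": NOW - timedelta(days=10),
     "groups": ["Domain Users"], "is_gmsa": True},
    {"name": "svc_legacy", "spns": ["legacyapp/app01.corp.local"],
     "enc_types": 0, "pwd_last_set": NOW - timedelta(days=400),
     "groups": ["Domain Users"], "is_gmsa": False},
]


def audit_account(acct, now=NOW, max_pwd_age_days=365):
    """Return a list of hardening findings for one SPN-bearing account."""
    findings = []
    enc = acct["enc_types"]
    if enc == 0:
        # Unset is the KDC's historical default and results in RC4 tickets
        # for user accounts, so it is as weak as RC4 being explicitly enabled.
        findings.append("msDS-SupportedEncryptionTypes is unset, so the KDC may "
                        "issue RC4 tickets; restrict the account to AES")
    elif enc & WEAK_ENC_TYPES:
        findings.append("RC4 or DES is enabled in msDS-SupportedEncryptionTypes; "
                        "restrict the account to AES128/AES256")
    if not acct["is_gmsa"]:
        # gMSA passwords are long, random and rotated by AD itself, so the
        # offline-cracking risk from a stale human-chosen password does not apply.
        age_days = (now - acct["pwd_last_set"]).days
        if age_days > max_pwd_age_days:
            findings.append(f"password last set {age_days} days ago; "
                            "rotate it or migrate to a gMSA")
    privileged = PRIVILEGED_GROUPS.intersection(acct["groups"])
    if privileged:
        findings.append(f"member of privileged group(s) {sorted(privileged)}; "
                        "apply least privilege")
    return findings


def audit_all(accounts, now=NOW):
    """Map account name to its findings, for every account that has SPNs."""
    return {a["name"]: audit_account(a, now) for a in accounts if a["spns"]}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

On the sample, svc_sql trips all three checks (RC4, a password untouched for over three years, Domain Admins membership), which is exactly the profile that turns a cracked ticket into domain compromise; svc_legacy shows the subtler case where nobody enabled RC4 but nobody disabled it either. The gMSA and the AES-only web account pass.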

There is an increasing trend of threat actors adopting advanced tools and stealthier methods. Complacency is becoming a silent enabler of compromise, resulting in increased threats. By establishing blue team readiness, threat hunting capabilities, and cross-functional security awareness, people will be able to strengthen their technical defences and also foster a culture of resilience in their organisations. 

There is more to it than just defending against a particular attack - Kerberoasting is an indication of the overall maturity of a company when it comes to security. The organisations that prioritise layered security architecture, continuous validation, and intelligent automation will be better prepared to withstand today's threats and those that will emerge in the future.

Weak Passwords Still Common in Education Sector, Says NordVPN Report

 

A new study by NordVPN has revealed a serious cybersecurity issue plaguing the education sector: widespread reliance on weak and easily guessable passwords. Universities, schools, and training centres continue to be highly vulnerable due to the reuse of simple passwords that offer minimal protection.  

According to NordVPN’s research, the most frequently used password across educational institutions is the infamous ‘123456’, with over 1.2 million instances recorded. This is closely followed by other equally insecure combinations like ‘123456789’ and ‘12345678’. Shockingly, commonly used words such as ‘password’ and ‘secret’ also rank in the top five, making them among the least secure options in existence. 

Karolis Arbaciauskas, head of business product at NordPass, emphasized that educational institutions often store a wealth of sensitive data, including student records and staff communications. Yet many are still using default or recycled passwords that would fail even the most basic security check. He warned that such practices make schools prime targets for cybercriminals. 

The consequences of this weak security posture are already visible. One of the most notable examples is the Power Schools breach, where personal information, including names, birthdates, and contact details of nearly 62 million students and educators, was compromised. These incidents highlight how vulnerable educational data can be when simple security measures are neglected.  

Cybercriminals are increasingly targeting schools not just for monetary gain but also to steal children’s identities. With access to personal information, they can commit fraud such as applying for loans or credit cards in the names of underage victims who are unlikely to detect such activity due to their lack of a credit history. 

To mitigate these risks, NordVPN recommends adopting stronger password practices. A secure password should be at least 12 characters long, combining uppercase and lowercase letters, numbers, and special symbols. One example is using a memorable phrase with substitutions, like turning a TV show quote into ‘Streets;Ahead6S&AM!’. Alternatively, using a trusted password manager or generator can help enforce robust security across accounts. 

As digital threats evolve, it’s critical that educational institutions update their cybersecurity hygiene, starting with stronger passwords. This simple step can help protect not only sensitive data but also the long-term digital identities of students and staff.

Russian Threat Actors Circumvent Gmail Security with App Password Theft


 

Security researchers in Google's Threat Intelligence Group (GTIG) have uncovered a highly sophisticated cyber-espionage campaign, orchestrated by Russian threat actors, that circumvented Google's multi-factor authentication (MFA) protections for Gmail accounts.

The researchers found that the attackers used highly targeted and convincing social engineering, impersonating Department of State officials to establish trust with their victims. Once a rapport had been built, the perpetrators manipulated their victims into creating app-specific passwords.

These passwords are unique 16-character codes generated by Google that allow certain applications and devices to sign in when two-factor authentication is enabled. Because an app password bypasses the second factor, the attackers were able to gain persistent, undetected access to sensitive emails in the victims' Gmail accounts.

The operation shows how inventive state-sponsored cyber actors have become, and highlights the persistent risk posed by seemingly secure mechanisms for recovering and accessing accounts. According to Google, the activity was carried out by a threat cluster designated UNC6293, which it assesses to be closely linked to the Russian state-sponsored hacking group known as APT29.

APT29 is regarded as one of the most sophisticated Advanced Persistent Threat (APT) groups sponsored by the Russian government, and intelligence analysts consider it an extension of the Russian Foreign Intelligence Service (SVR). Over the past decade this clandestine collective has orchestrated numerous high-profile cyber-espionage campaigns against strategic entities, including the U.S. government, NATO member organisations, and prominent research institutes around the world.

APT29's operators are known for prolonged infiltration operations that remain undetected for extended periods, with a consistent focus on stealth and persistence. Their tradecraft relies on refined social engineering techniques that let them blend into legitimate communications and exploit the trust of their intended targets.

By crafting highly convincing narratives and gradually manipulating individuals into compromising security controls in a step-by-step manner, APT29 has demonstrated that it has the ability to bypass even highly sophisticated technical defence systems. This combination of patience, technical expertise, and psychological manipulation has earned the group a reputation as one of the most formidable cyber-espionage threats associated with Russian state interests. 

The group is known in the cybersecurity community by many names, including BlueBravo, Cloaked Ursa, Cozy Bear, CozyLarch, ICECAP, Midnight Blizzard, and The Dukes. Unlike conventional phishing campaigns, which rely on urgency or intimidation to provoke a quick response, this campaign unfolded methodically over several weeks.

The attackers took a deliberate approach, slowly building trust and familiarity with their intended targets. To make the deception more convincing, they sent phishing emails crafted to look like official meeting invitations. These messages were carefully constructed to appear authentic, and often carried at least four fabricated "@state.gov" email addresses in the CC field.

The aim of this tactic was to create a sense of legitimacy around the communication and reduce the likelihood that the recipients would scrutinise it, which in turn increased the chances of the communication being exploited effectively. It has been confirmed that the British writer, Keir Giles, a senior consulting fellow at Chatham House, a renowned global affairs think tank, was a victim of this sophisticated campaign. 

According to reports, Giles was drawn into a lengthy email correspondence with a person claiming to be Claudia S Weber of the U.S. Department of State. More than ten carefully crafted messages were sent over several weeks, deliberately timed to coincide with Washington's standard business hours, and over time the attacker gradually gained the recipient's credibility and trust.

Notably, the emails were sent from legitimate addresses configured so that no delivery errors would occur, which further strengthened the ruse. Once trust was firmly established, the adversary escalated the scheme by sending a six-page PDF document with a cover letter bearing what appeared to be official State Department letterhead.

The document instructed the target to open Google's account settings page, create a 16-character app-specific password labelled "ms.state.gov", and return the code by email under the guise of completing secure onboarding. With that app password, the threat actors gained sustained access to the victim's Gmail account, bypassing multi-factor authentication altogether.

As the Citizen Lab experts were reviewing the emails and PDF at Giles' request, they noted that the emails and PDF were free from subtle language inconsistencies and grammatical errors that are often associated with fraudulent communications. In fact, based on the precision of the language, researchers have suspected that advanced generative AI tools have been deployed to craft polished, credible content for the purpose of evading scrutiny and enhancing the overall effectiveness of the deception as well. 

The campaign followed a well-planned, incremental strategy designed to increase the likelihood that targets would cooperate willingly. In one documented instance, the threat actor tried to entice a leading academic expert to join a private online discussion under the pretext of enrolling in a secure State Department forum.

To enable this supposed guest access, the victim was instructed to create an app-specific password in Google's account settings. The attacker then used that credential to gain full access to the victim's Gmail account, sidestepping the multi-factor authentication measures in place entirely.

Security researchers note that the phishing outreach was carefully crafted to resemble a routine, legitimate onboarding process, which made it all the more convincing. The attackers exploited both the trust many Americans place in official communications from U.S. government institutions and the general lack of awareness of the dangers of app-specific passwords.

A narrative of official protocol, woven together with professional-sounding language, was a powerful way of making the perpetrators more credible and decreasing the possibility of the target questioning their authenticity in their request. According to cybersecurity experts, several individuals who are at higher risk from this campaign - journalists, policymakers, academics, and researchers - should enrol in Google's Advanced Protection Program (APP). 

A major component of that programme is restricting account access to verified applications and devices. The experts also advise organisations to disable app-specific passwords wherever possible and to set up robust internal policies requiring that any unusual or sensitive request be verified, especially one that appears to originate from a reputable institution or government entity.

Intensified training for the personnel most exposed to prolonged social engineering, coupled with clear, secure channels of communication between an organisation and its staff, would help prevent similar breaches in the future. The incident is a reminder that even mature security ecosystems remain vulnerable to a determined adversary who combines psychological manipulation with technical subterfuge.

With threat actors continually refining their methods, organisations and individuals must recognise that robust cybersecurity is much more than merely a set of tools or policies. In order to combat cyberattacks as effectively as possible, it is essential to cultivate a culture of vigilance, scepticism, and continuous education. In particular, professionals who routinely take part in sensitive research, diplomatic relations, or public relations should assume they are high-value targets and adopt a proactive defence posture. 

Consequently, any unsolicited instructions must be verified through a separate, trusted channel, hardware security keys should be used to strengthen authentication, and account settings should be reviewed regularly for unauthorised changes. Institutions, for their part, should invest in advanced threat intelligence, simulate sophisticated phishing scenarios, and ensure that security protocols are as accessible and clearly communicated as they are technically sound.

Fundamentally, resilience against state-sponsored cyber-espionage is determined by the ability to plan in advance not only how adversaries are going to deploy their tactics, but also the trust they will exploit in order to reach their goals.

Global Data Breach Uncovers 23 Million Stolen Credentials

 


Because a single set of login credentials can unlock an individual's financial, professional, and personal life, the exposure of billions of passwords is more than a routine cybersecurity concern: it signals a global crisis of trust in digital systems and data security.

Cybernews recently reported that a staggering 19 billion passwords are currently circulating on underground criminal forums. According to experts, this massive database of compromised credentials, one of the most extensive collections ever recorded, is fuelling cyberattacks around the globe and increasing their scale and sophistication.

Unlike the isolated breaches of the past, this latest leak appears to be the product of years of data breaches, reassembled and repurposed so that threat actors can launch highly automated and targeted attacks. The leaked data is not only being used to breach individual accounts; it also enables large-scale credential stuffing campaigns, in which automated login attempts using the leaked credentials are run against banks, corporations, and government systems.

Given this rapid development of the threat landscape, cybersecurity professionals warn that attacks will become more personal, more frequent, and harder to detect. The sheer number of compromised passwords makes it essential to adopt more comprehensive digital hygiene practices, such as multi-factor authentication, regular password updates, and public education about the dangers of reused or weak credentials. In today's hyperconnected world, cybersecurity is not optional.

As infostealer malware continues to spread, it sustains a thriving underground economy of stolen digital identities. These malicious programs silently harvest sensitive information from infected devices, including login credentials, browser-stored data, and session cookies, which are then sold or traded between cybercriminals. With billions of compromised records circulating within these illicit networks, the scale of this ongoing data theft is alarming.

A prominent case study is the massive dataset known as "ALIEN TXTBASE", which cybersecurity expert Troy Hunt ingested into the widely trusted breach monitoring service Have I Been Pwned. The dataset consists of 1.5 terabytes of stealer logs containing approximately 23 billion individual data rows. According to the researchers, over 284 million distinct email addresses around the world were affected, across 493 million unique combinations of website and email address. The size of this trove underscores how widespread and indiscriminate these breaches have become.

Infostealer malware does not target specific individuals; it casts a wide net, infecting systems en masse and stealing personal information without the user's knowledge. The result is an ever-growing pool of compromised digital identities, which is a significant contributor to the global increase in account takeovers, fraud, phishing attacks, and long-term privacy violations.

Many individuals believe they are unlikely targets for cybercriminals simply because they do not feel "important enough". This belief is mistaken. Modern cyberattacks are rarely orchestrated by a hacker manually selecting a specific victim; they are driven by automated tools that scan for and exploit vulnerabilities at scale. Anyone with an online presence, professional or personal, can be at risk, regardless of profession, profile, or perceived importance.

Worse still, recent data indicates that about 94% of the 19 billion leaked passwords were reused across multiple accounts. Once one account is compromised, cybercriminals can use the same credentials to infiltrate others, multiplying the chances of a successful attack. The consequences of a password breach can be extremely difficult for an individual to cope with.

They may lose control of their email, social media, cloud storage, and financial accounts, among others. With that access, attackers may commit identity theft, open fraudulent credit lines, or conduct unauthorised financial transactions. The exposure of sensitive personal and professional information can also lead to public humiliation, blackmail, or reputational damage, especially if malicious actors misuse compromised accounts to spread misinformation or conduct illicit activities.

As cybercrime grows more sophisticated, everyone, regardless of digital literacy, is vulnerable without proper cybersecurity measures in place. These risks are no longer theoretical; they materialise daily. Several of the leaked records reveal the inner workings of infostealer malware, offering a sobering insight into how precisely and stealthily these threats operate.

Whereas traditional data breaches target large corporate databases, infostealers take a more insidious approach, infecting individual devices without the user's knowledge. Once embedded, they extract a wide range of sensitive data, including saved passwords, session cookies, autofill entries, and browser history.

Once stolen, the data is trafficked through cybercriminal circles, feeding a vicious cycle of account takeovers, financial fraud, and identity theft. The ALIEN TXTBase dataset, which has received much attention because of its huge scope and structure, is a notable example of this trend. Despite a common misconception, the dataset does not stem from a single incident; it is a compilation of stealer logs drawn from 744 different files.

It was originally shared through a Telegram channel, where threat actors often spread such information in an open and unregulated environment. Each entry in the dataset follows the same format: URL, login, and password, which gives an in-depth view of the compromised credentials. Troy Hunt gathered these fragments, compiled them into one unified dataset, analysed it, and incorporated it into Have I Been Pwned, a platform users can consult to check whether their credentials have been exposed.

Only two sample files were initially reviewed, but as it became clear that the extent of the leak was immense, the whole collection was merged and analysed to gain a clearer picture of the damage. By aggregating data so methodically, cybercriminals demonstrate that they are not merely exploiting isolated incidents; they are assembling vast, cumulative archives of stolen credentials cultivated over time. Sharing and organising data on this scale accelerates the reach and effectiveness of infostealer campaigns, threatening both personal privacy and organisational security for years to come.
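To make the structure of such a dataset concrete, here is an added Python example (not code from the original post, nor from Have I Been Pwned) that parses a handful of constructed stealer-log lines in the URL, login, password layout described above and computes the two figures the article quotes for ALIEN TXTBASE: distinct email addresses and unique website-plus-email combinations. It also reports which accounts reuse a password across sites, the pattern the article says affects about 94% of leaked passwords, and answers the question a breach-monitoring service answers for one address. The colon-delimited layout and every value in the sample are assumptions; real stealer logs vary by malware family.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in a "URL:login:password" layout. The colon delimiter is
# an assumption about the format; every address, site and password below is
# invented. One malformed line is included to show that it is skipped.
SAMPLE_STEALER_LOG = """\
https://mail.example.com/login:alice@example.com:Winter2023!
https://shop.example.net/account:alice@example.com:Winter2023!
https://forum.example.org/signin:alice@example.com:hunter2
https://bank.example.com:bob@example.com:Password1
https://shop.example.net/account:bob@example.com:Password1
https://mail.example.com/login:Alice@Example.com:Winter2023!
not a valid line
"""


def parse_stealer_log(text):
    """Yield (site, email, password) tuples, skipping malformed lines.

    Splitting from the right keeps colons inside the URL (scheme, port)
    intact. The site is the URL's host and the email is lower-cased so
    that case variants of one address count as the same account.
    """
    for line in text.splitlines():
        parts = line.strip().rsplit(":", 2)
        if len(parts) != 3 or "@" not in parts[1]:
            continue
        url, login, password = parts
        host = urlsplit(url).hostname or url
        yield host, login.lower(), password


def summarise(text):
    """Compute the aggregate figures a breach analysis reports."""
    records = list(parse_stealer_log(text))
    emails = {email for _, email, _ in records}
    site_email_pairs = {(site, email) for site, email, _ in records}

    passwords_by_email = defaultdict(set)
    sites_by_email = defaultdict(set)
    for site, email, password in records:
        passwords_by_email[email].add(password)
        sites_by_email[email].add(site)

    # An account reuses a password when it appears on more than one site but
    # has fewer distinct passwords than distinct sites.
    reused = {email for email in emails
              if len(sites_by_email[email]) > 1
              and len(passwords_by_email[email]) < len(sites_by_email[email])}

    return {
        "rows": len(records),
        "distinct_emails": len(emails),
        "site_email_pairs": len(site_email_pairs),
        "reused_password_accounts": sorted(reused),
    }


def exposures_for(text, email):
    """Sites on which the given address appears (the HIBP-style lookup)."""
    wanted = email.lower()
    return sorted({site for site, found, _ in parse_stealer_log(text)
                   if found == wanted})


if __name__ == "__main__":
    print(summarise(SAMPLE_STEALER_LOG))
    print(exposures_for(SAMPLE_STEALER_LOG, "ALICE@example.com"))
```

Two details matter in practice. The email normalisation is what makes the distinct-address count honest; without it the sample would report three addresses rather than two. And the reuse check works on the compromised password values themselves, which is exactly why a defender handling such data should treat the file as a secret, store only hashes where possible, and never load it into a shared analytics platform.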

Act Without Delay 

In the wake of these password breaches, individuals can still protect themselves and their devices by acting as soon as possible. Procrastination increases vulnerability, as threats evolve rapidly. 

Strengthen Passwords

Creating a strong, unique password for every account is essential. Users should avoid common patterns and instead build long passphrases that mix uppercase and lowercase letters, numbers, and symbols. Password managers can assist in creating and storing complex passwords securely. 

Replace Compromised Credentials

Passwords that are reused across different websites or have remained unchanged for an extended period should be changed immediately, especially for sensitive accounts like email, banking, and social media. Tools like Have I Been Pwned can help identify exposure in a breach faster. 

Enable Multi-Factor Authentication 

Multi-factor authentication (MFA) reduces the risk of account compromise by requiring a second proof of identity beyond the password, so a stolen password alone is not enough. App-based authenticators such as Google Authenticator provide better security than SMS-based codes, although SMS is still preferable to no second factor at all. 

Use Privacy Tools

Several platforms, such as Cloaked, provide disposable email addresses and masked phone numbers, which limit how much personal information is exposed if a service is breached. 

Stay Vigilant and Informed

It is critical to monitor account activity regularly, revoke access from unrecognised sessions and devices, and enable alerts for logins from new devices. Staying informed through trusted cybersecurity sources and educating others on how to protect themselves further enhances collective security. The growing threat of credential theft can be combated by raising awareness, taking timely action, and establishing strong security habits. 

Protecting a person's digital identity is an ongoing responsibility which requires vigilance, proactive measures, and continuous awareness. As a result of recent credential leaks of unprecedented scale and sophistication, it has become increasingly imperative for individuals as well as organisations to take additional measures to ensure their cybersecurity posture is as secure as possible. Proactive and continuous vigilance must become an integral part of all organisations' cybersecurity practices, incorporating not just robust password management and multi-factor authentication, but also regular security audits and real-time monitoring of digital assets. 

As a precautionary measure against exploitation, companies should implement comprehensive cybersecurity frameworks, which include employee training, threat intelligence sharing, and incident response planning. It is equally important that users adopt privacy-enhancing tools and remain informed about emerging threats to stay ahead of adversaries who continually change their tactics, thereby protecting themselves against the relentless attacks of cyber adversaries. 

In the end, protecting digital identities is a continuous commitment that requires both awareness and action; neglecting these responsibilities exposes business and personal data to relentless cybercriminals. Stakeholders need to cultivate a culture of security mindfulness and leverage advanced protective measures. This will reduce their vulnerability in today's increasingly interconnected digital ecosystems, preserving trust and resilience in the face of cybersecurity threats.

Report Reveals Serious Security Issues in Common Browser Extensions

Modern digital workflows have become increasingly dependent on browser extensions, which support tasks ranging from grammar correction and password management to advanced AI integrations. Although extensions are widely used across both personal and corporate environments, they remain among the most overlooked vectors of cybersecurity risk. 

While end users continue to enjoy the convenience these tools offer, many IT and security professionals are unaware of the significant threats posed by the excessive permissions granted to extensions, which can expose sensitive organizational data and compromise enterprise systems. 

In its Enterprise Browser Extension Security Report 2025, LayerX Security, a leading authority in browser extension security and management, offers comprehensive insight into how extensions are used and governed. For the first time, the report combines real-world enterprise telemetry from LayerX's extensive customer base with publicly available data from the major browser extension marketplaces. 

A unique perspective is provided in this report by merging these two data streams and analyzing them through the lens of cybersecurity, to provide a comprehensive understanding of how browser extensions are used within enterprise environments, the behaviors of the employees who use them, and the risks associated with these extensions, all of which are often overlooked. 

This research examines the permissions commonly requested by extensions, identifies the high-risk extensions currently in use, and pinpoints critical security blind spots where organizations may be vulnerable to data leaks, unauthorized access, or malware infiltration. Unlike traditional studies, which have focused primarily on public metrics and hypothetical threat models, the report presents a data-driven assessment of actual enterprise behaviour and extension usage patterns. 

Using this report, organisations can gain a better understanding of critical security gaps, identify security blind spots, and demonstrate the danger of overly permissive extensions, which can lead to data leakage, unauthorised access, and third-party vulnerabilities. LayerX, a cloud-based threat management platform that combines internal usage data with external ecosystem data, provides an unprecedented insight into a threat landscape that has long been under the radar of many security and IT professionals. 

Browser extensions can enhance browser functionality in many ways, including blocking ads, managing passwords, or customising user interfaces, but they can also make users' browsers more vulnerable. While many extensions offer legitimate productivity and usability benefits, not every extension is built with user safety in mind, and a growing number are created with outright malicious intent. 

These extensions seek to steal sensitive data, monitor the activities of users, insert unauthorised advertisements, or, in severe cases, even fully control the browser. The Enterprise Browser Extension Security Report 2025 sheds light on the scope of this neglected risk by highlighting that extensions, by their very nature, often require extensive permissions, which can be easily exploited by attackers. Taking this into account, the report calls for an entirely new paradigm in the management of browser extensions across organisations' networks. 

IT and security teams are encouraged to adopt a proactive, policy-driven approach to oversight of extensions across enterprise endpoints. This begins with a thorough audit of each extension deployed across all enterprise systems. Creating an extensive inventory of extensions allows organisations to classify them according to their functions, determine their permission levels, assess the credibility of developers, and monitor update patterns to determine the trustworthiness of all extensions. 

By understanding this type of information, it is possible to develop a risk-based enforcement strategy that will enable high-risk or suspicious extensions to be flagged, restricted or blocked entirely without impacting the user's productivity. A key point highlighted in the report is the fact that adaptive security frameworks are imperative because they can respond dynamically to evolving threats in the browser ecosystem. As a result of the increasing number of attacks targeting browser extensions as delivery mechanisms for malware or data exfiltration, these measures are not just advisable, they are essential. 

Organisations can no longer afford to treat browser extensions as a secondary concern. Because malicious or compromised extensions can silently bypass traditional perimeter defences, they are a critical threat vector that requires continuous visibility, contextual risk assessment and strategic controls to be managed effectively. 

In the past, "man-in-the-browser" attacks were primarily carried out by malware that manipulated browser memory, identifying certain HTML patterns and injecting <script> tags directly into the content of in-memory web pages. Despite their undeniably malicious nature, these methods were largely constrained by the browser's native security architecture. 

The injected scripts ran in a sandboxed environment, were bound by the same-origin policy, and lived only as long as the page they were inserted into, so they could not access cross-site data, persist beyond the session, or execute outside the target page. Modern threat actors are increasingly turning to malicious browser extensions to circumvent exactly these limitations. 

Browser extensions are installed components that are independent of individual web pages, as opposed to traditional web-based malware. In a browser session, they will have access to elevated and persistent resources, allowing them to run continuously in the background, even when there are no tabs open at the time. 

With these elevated privileges, malicious extensions can bypass same-origin constraints, intercept or modify information from multiple websites, access and store cookies across domains, and exert ongoing control over the browsing environment without immediate detection. A further critical change in this evolution concerns the JavaScript execution context. 

A traditional injection executes in the same context as legitimate web application scripts and security tools, leaving behind detectable artefacts such as DOM elements, JavaScript variables, and suspicious network requests. Extensions, by contrast, execute in a separate context, often with more privileges. Because their activity is isolated from the page, conventional security tools that monitor in-page activity are less likely to discover them, making it easier for attackers to conceal their presence and sustain longer dwell times within compromised environments. With these advanced capabilities and stealth, malicious browser extensions mark a significant shift in the threat landscape and have become powerful weapons for cyber adversaries. 

Modern enterprises that want to maintain robust browser-level security must understand and mitigate these risks. In addition to showing the scale and complexity of the browser extension threat landscape in 2025, the Enterprise Browser Extension Security Report 2025 provides an actionable framework for mitigating the resulting risks. 

Beyond diagnostics, LayerX offers a clear, strategic roadmap to help enterprises move from a fragmented, unmonitored extension environment to one that is governed, structured, and secure. Structured around five core recommendations, this guidance helps security teams implement effective, scalable measures to protect their data.

1. Establish a Comprehensive Extension Inventory 

Visibility is the foundation of any meaningful browser extension security strategy, so organizations should establish a comprehensive inventory of all extensions installed across every managed device. Using browser management APIs and endpoint management platforms, IT teams can track both officially installed extensions and sideloaded components. 

To enforce policy effectively, this inventory must capture key metadata, such as extension IDs and versions, installation sources, publisher credentials, permissions requested, and installation timestamps. It serves as the basis for all subsequent analysis and enforcement actions. 

2. Classify Extensions by Functionality and Risk Category 

Once an organisation has established an inventory of extensions, it should categorise them according to their core functionality, such as whether they enhance productivity, integrate AI, support developers, or handle media. These functional categories should also be aligned with predefined risk categories. 

Extensions with GenAI or data scraping capabilities, for example, may require elevated access and should be examined more closely, whereas extensions whose capabilities are restricted to interface customisation pose a much lower threat. By categorising extensions by function, security teams can prioritise oversight efforts and direct resources accordingly. 

3. Deep Dive into Permission Scopes and Access Levels

For security teams to understand the potential impact of each extension, it is vital to analyse the permission sets it requests. Teams should pay close attention to permissions categorised as high-sensitivity, such as the permission to read and change all data on every website users visit, to access browsing history, and to manage downloads, as well as less well-known but equally risky scopes such as "nativeMessaging" and "cookies". A permissions-to-impact matrix lets organisations map each technical permission to the real-world scenarios it enables, such as session hijacking, data exfiltration, or tampering with web requests. 

4. Conduct a Holistic Risk Assessment for Each Extension 

A well-rounded risk assessment should consider contextual factors alongside technical ones, including the legitimacy of the publisher, the age of the extension, the frequency of updates, user adoption patterns, and the extension store rating. 

From these elements, a weighted risk score can be created for each extension, flagging high-risk entries: those that combine powerful permissions with questionable provenance or widespread deployment. Automated tools and dynamic dashboards make it possible to identify and prioritise emerging threats in real time, allowing for a swift response. 

5. Enforce Adaptive, Risk-Based Policies Across the Organisation 

It is recommended that organisations, instead of relying on rigid allowlists or denylists, develop flexible, risk-aware policies that are tailored to meet the specific needs of different user groups, business units, or levels of data sensitivity. A low-risk productivity extension could be automatically approved, while a high-risk or unverified extension may require manual approval or be restricted to an isolated developer environment. 

Automated enforcement actions, such as real-time alerts, forced uninstallations, or access revocations, keep the environment compliant as new extensions are installed and existing ones are updated. As browser extensions continue to become more prevalent across enterprise environments, there is a growing recognition that the risks they pose cannot be dismissed as secondary. 
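As an added illustration (not code from the LayerX report), the following Python script walks steps 1 to 5 on a small constructed inventory: it parses Chrome-style manifests, applies a constructed permissions-to-impact matrix, folds in the contextual factors named above, and maps the weighted score to an auto-approve, manual-review or block decision. The manifest keys are the real Manifest V2/V3 keys; the weights, thresholds, extension IDs and publisher metadata are assumptions.

```python
"""Constructed example: score extension manifests against a
permissions-to-impact matrix, add contextual factors and map the weighted
score to a policy action. Weights, thresholds and samples are assumptions."""
import json
from dataclasses import dataclass

# Constructed permissions-to-impact matrix: named permission -> (weight, impact)
PERMISSION_IMPACT = {
    "cookies": (4, "read cookies across domains: session hijacking"),
    "nativeMessaging": (4, "talk to native host binaries outside the sandbox"),
    "scripting": (3, "inject scripts into pages: data exfiltration"),
    "webRequestBlocking": (3, "modify or block requests: web request tampering"),
    "history": (3, "read browsing history"),
    "downloads": (2, "manage downloads: drop files on the endpoint"),
    "tabs": (2, "enumerate open tabs and their URLs"),
    "storage": (0, "extension-local storage only"),
}
# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass
class ExtensionRecord:
    ext_id: str
    manifest_json: str
    publisher_verified: bool
    days_since_update: int
    store_rating: float
    user_count: int


def split_permissions(manifest):
    """Separate named permissions from host patterns. Manifest V2 mixed host
    patterns into 'permissions'; V3 moved them to 'host_permissions'."""
    named, hosts = set(), list(manifest.get("host_permissions", []))
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        if p == "<all_urls>" or "://" in p:
            hosts.append(p)
        else:
            named.add(p)
    return named, hosts


def permission_findings(manifest):
    """Weighted score and readable impacts for the scopes an extension requests."""
    named, hosts = split_permissions(manifest)
    score, findings = 0, []
    for p in sorted(named):
        weight, impact = PERMISSION_IMPACT.get(p, (1, "unclassified permission"))
        score += weight
        findings.append(f"{p}: {impact}")
    if any(h in BROAD_HOSTS for h in hosts):
        score += 5
        findings.append("host access to every site: read and change all data on sites visited")
    elif hosts:
        score += min(len(hosts), 3)
        findings.append(f"host access limited to {len(hosts)} pattern(s)")
    return score, findings


def context_findings(rec):
    """Contextual factors: provenance, staleness, store rating and adoption."""
    checks = [
        (not rec.publisher_verified, 2, "publisher not verified"),
        (rec.days_since_update > 365, 2, "no update in over a year"),
        (rec.store_rating < 3.0, 1, "low store rating"),
        (rec.user_count < 1000, 1, "low adoption: little community scrutiny"),
    ]
    hits = [(w, note) for hit, w, note in checks if hit]
    return sum(w for w, _ in hits), [note for _, note in hits]


def assess(rec):
    """Combine permission and context scores into one policy decision."""
    manifest = json.loads(rec.manifest_json)
    p_score, p_findings = permission_findings(manifest)
    c_score, c_findings = context_findings(rec)
    total = p_score + c_score
    # Constructed thresholds for the adaptive policy tiers.
    action = "block" if total >= 12 else "manual_review" if total >= 7 else "auto_approve"
    return {"id": rec.ext_id, "name": manifest.get("name"), "score": total,
            "action": action, "findings": p_findings + c_findings}


# Constructed sample inventory; the IDs are placeholders, not real extensions.
INVENTORY = [
    ExtensionRecord("ext-theme-0001", json.dumps({"name": "Theme Tweaker",
        "manifest_version": 3, "permissions": ["storage"]}), True, 30, 4.6, 50000),
    ExtensionRecord("ext-genai-0002", json.dumps({"name": "GenAI Helper",
        "manifest_version": 3, "permissions": ["cookies", "scripting", "tabs", "storage"],
        "host_permissions": ["<all_urls>"]}), False, 40, 4.2, 200000),
    ExtensionRecord("ext-intra-0003", json.dumps({"name": "Intranet Bridge",
        "manifest_version": 2,
        "permissions": ["nativeMessaging", "https://intranet.example.com/*"]}),
        True, 400, 4.0, 300),
]

if __name__ == "__main__":
    for rec in INVENTORY:
        result = assess(rec)
        print(result["id"], result["name"], result["score"], result["action"], result["findings"])
```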

The report by LayerX is both a call to action and a blueprint for organizations to move from passive tolerance to active governance. By adopting a data-driven, structured approach to browser extension security, enterprises can reduce their exposure while maintaining the productivity gains that extensions were originally designed to deliver.

Microsoft Alerts Users About Password-spraying Attack

Microsoft has warned users about a new password-spraying attack by a hacking group, Storm-1977, that targets cloud users. The Microsoft Threat Intelligence team issued the warning after discovering that threat actors are abusing unsecured workload identities to access restricted resources. 

According to Microsoft, “Container technology has become essential for modern application development and deployment. It's a critical component for over 90% of cloud-native organizations, facilitating swift, reliable, and flexible processes that drive digital transformation.” 

Hackers use adoption-as-a-service

Research says 51% of such workload identities have been inactive for one year, which is why attackers are exploiting this attack surface. The report highlights the “adoption of containers-as-a-service among organizations rises.” According to Microsoft, it continues to look out for unique security dangers that affect “containerized environments.” 

The password-spraying attack targeted a command line interface tool “AzureChecker” to download AES-encrypted data which revealed the list of password-spray targets after it was decoded. To make things worse, the “threat actor then used the information from both files and posted the credentials to the target tenants for validation.”

The attack allowed the Storm-1977 hackers to leverage a guest account to make a compromised subscription resource group and over 200 containers that were used for crypto mining. 

Mitigating password-spraying attacks

The solution to the problem of password-spraying attacks is eliminating passwords. This can be done by moving towards passkeys, which a lot of people are already doing. 

Microsoft has suggested these steps to mitigate the issue:

  • Use strong authentication when exposing sensitive interfaces to the internet. 
  • Use strong verification methods for the Kubernetes API to stop hackers from getting access to the cluster even when valid credentials like kubeconfig are obtained.  
  • Don’t use the read-only endpoint of Kubelet on port 10255, which doesn’t need verification. 
  • Modify the Kubernetes role-based access controls for every user and service account to retain only the permissions that are required. 

According to Microsoft, “Recent updates to Microsoft Defender for Cloud enhance its container security capabilities from development to runtime. Defender for Cloud now offers enhanced discovery, providing agentless visibility into Kubernetes environments, tracking containers, pods, and applications.” These updates upgrade security via continuous granular scanning. 

Black Basta Hackers Use New Tool to Break Weak Passwords on Remote Systems

A cybercriminal group called Black Basta has built a new tool that helps them break into remote systems like VPNs and firewalls by guessing weak passwords. This tool allows them to easily target companies and demand ransom.

According to cybersecurity experts, the tool, named BRUTED, automatically scans the internet to find systems that might be easy to hack. It focuses on popular VPN and firewall services from companies like Cisco, Fortinet, Palo Alto, and others. It also attacks systems used for remote desktop access.

The tool gathers information like IP addresses, website subdomains, and security certificates to help guess passwords specific to each organization. It then sends fake login requests that look like they’re from a real user or device, making it harder to detect.

Since BRUTED runs automatically, it helps hackers attack many targets quickly. This increases their chances of breaking in and earning money from ransomware attacks.

Experts warn that many companies still rely on simple or repeated passwords, which makes their systems easy to hack. Sometimes, attackers use leaked or default passwords that organizations forget to change.

This poor password management exposes businesses to big risks. In fact, weak passwords might have also caused a leak in Black Basta’s own data when a hacker broke into a Russian bank and exposed the gang’s private chats.

Black Basta is known for targeting important industries like healthcare and manufacturing, where even a small disruption can cause major losses. These industries are more likely to pay ransom to avoid shutdowns.

Security experts are urging businesses to act fast: use strong and unique passwords, change default settings, run regular security checks, and train employees about password safety.

Good password habits can help prevent such attacks and protect important systems from hackers like Black Basta.


Ransomware Hackers Develop Advanced Tool for VPN Breaches

The Black Basta ransomware group has developed an automated brute-force attack tool, referred to as BRUTED, to target and compromise edge networking devices such as firewalls and VPNs. With this sophisticated tool, the group can efficiently breach vulnerable internet-facing endpoints and scale its ransomware attacks considerably better than before. 

A researcher at EclecticIQ identified BRUTED while analysing leaked internal chat logs of the ransomware gang. These logs provided insight into the tool's deployment and revealed that Black Basta has been using BRUTED since 2023 to conduct credential-stuffing and brute-force attacks against a variety of remote access products, including SonicWall NetExtender, Palo Alto GlobalProtect, and Citrix NetScaler, highlighting the broad scope of the threat. 

It is Black Basta's intention to improve its operational efficiency by automating brute-force attacks, which in turn allows it to exploit critical infrastructure security vulnerabilities more systematically. As a result of the discovery of BRUTED, organizations relying on internet-connected security solutions are at an even higher risk of cybercrime, as the evolving tactics and sophistication of ransomware groups are becoming more complex. 

The Black Basta ransomware operation has developed an automated brute-force framework, known as BRUTED, designed specifically to compromise edge networking devices such as firewalls and virtual private network access points. This advanced framework lets the group gain initial access to targeted networks, facilitating large-scale ransomware attacks on vulnerable, internet-connected endpoints. 

A recently published study by Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, confirms that the Black Basta ransomware group is using a previously unidentified brute-force framework for stealing data. Known as BRUTED, this framework is specifically crafted to automate the compromise of enterprise VPNs and firewalls, significantly enhancing the group's ability to gain unauthorized access to corporate networks. 

Multiple reports emerged throughout 2024 detailing the extensive use of brute-force and password-spray attacks against these devices. It is still unclear how those incidents are linked to BRUTED or to other threat actor operations, and the issue remains under investigation. The tool highlights the increasing sophistication of ransomware tactics and the growing risk organizations face when relying on internet-connected security infrastructure. 

Büyükkaya's thorough analysis of the tool's source code shows that its primary functions are scanning the internet and running credential-stuffing attacks against edge network devices, which are widely used in corporate environments to implement firewalls and VPN solutions. Based on its log-naming conventions, the tool is referred to as BRUTED, and researchers at EclecticIQ have concluded that Black Basta uses it to perform large-scale credential-stuffing attacks. The group gains an initial foothold by exploiting weak or reused credentials, which allows it to move laterally within compromised networks and ultimately deploy ransomware. 

BRUTED also supports affiliates, who are responsible for performing initial access operations in ransomware campaigns, and enhances the group's operational efficiency. By automating and scaling attacks, the framework widens the victim pool and accelerates monetization, increasing the efficiency of ransomware operations. The discovery shows how sophisticated cybercriminals' tactics have become and highlights the need for robust security measures to protect against them. 

Arda Büyükkaya explained that the BRUTED framework will enable Black Basta affiliates to automate and scale their attacks to significantly increase the number of victims they can target, as well as boost their monetization efforts to continue operating ransomware. As a result of the emergence of this brute-forcing tool, edge devices are demonstrating their ongoing vulnerability, especially in light of persistent warnings from private cybersecurity firms and government agencies regarding increased threats targeting VPN services. Even though these advisories have been issued, it remains a lucrative attack vector for cybercriminals to hack passwords for firewalls and virtual private networks (VPNs). 

According to the Qualys team, a blog post a while back highlighted that Black Basta has been using default VPN credentials, brute force with stolen credentials, and other methods to gain initial access to victims' systems. In that report, Abbasi, manager of vulnerability research at the Qualys Threat Research Unit and a co-author of the report, asserted that weak passwords for VPNs and other publicly exposed services continue to pose a significant security risk to organizations. 

Furthermore, Abbasi emphasized that several leaked Black Basta chat logs contained simple or predictable credentials, demonstrating the persistent vulnerabilities that threat actors exploit to infiltrate corporate networks. By implementing the BRUTED framework, threat actors can streamline their ransomware operations, as it enables them to infiltrate multiple networks at the same time with as little effort as possible.

As a result of this automation, cybercriminals have access to greater monetization opportunities, which allows them to scale their attacks more efficiently. The risks posed by such tools must be mitigated by the adoption of strong cybersecurity practices. To protect against these risks, organizations must enforce unique passwords for all edge devices and VPNs. Further, multi-factor authentication (MFA) is an essential component of any security system because it adds another layer of protection that prevents unauthorized access, even when credentials are compromised. To identify potential threats, continuous network monitoring is also crucial. 

Security teams should keep an eye on authentication attempts coming from unfamiliar locations and flag high volumes of failed logins as an indicator of brute-force attacks. Measures such as rate limiting and account-lockout policies reduce the effectiveness of credential-stuffing techniques. In response to the growing threat of BRUTED, EclecticIQ has published a list of IP addresses and domains associated with the framework. 
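The monitoring heuristics just described, as an added example that is not EclecticIQ's or Microsoft's code: a Python detector that runs over constructed VPN authentication log lines and separates a brute-force burst (many failures against one account) from a password spray of the kind described in the Microsoft post above (many accounts, a few attempts each, from one source), and flags successful logins from unfamiliar locations. The log format, thresholds and GeoIP stand-in are assumptions.

```python
"""Constructed example: separate brute-force bursts from password sprays in
VPN authentication logs and flag successful logins from unfamiliar locations.
The log format, thresholds and GeoIP stand-in are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> vpn auth <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$")
# Constructed stand-in for a GeoIP lookup plus the countries the organisation expects.
GEO = {"198.51.100.7": "RU", "203.0.113.9": "US", "192.0.2.44": "US"}
EXPECTED_COUNTRIES = {"US"}

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_MIN_FAILS = 8   # failures against one account from one source within WINDOW
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts tried from one source within WINDOW
SPRAY_MAX_PER_ACCOUNT = 2   # spraying keeps per-account failures low to dodge lockout


def parse(lines):
    """Parse log lines into time-ordered events; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Return one alert per (type, source address) found in the log lines."""
    events, alerts, seen = parse(lines), [], set()

    def emit(kind, ip, detail):
        if (kind, ip) not in seen:
            seen.add((kind, ip))
            alerts.append({"type": kind, "src": ip, "detail": detail})

    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["ip"]].append(e)
        elif GEO.get(e["ip"], "unknown") not in EXPECTED_COUNTRIES:
            emit("unfamiliar_location", e["ip"],
                 f"successful login for {e['user']} from {GEO.get(e['ip'], 'unknown')}")

    for ip, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):  # sliding WINDOW over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            per_account = Counter(e["user"] for e in fails[start:end + 1])
            worst_user, worst = per_account.most_common(1)[0]
            if worst >= BRUTE_FORCE_MIN_FAILS:
                emit("brute_force", ip, f"{worst} failures against {worst_user}")
            if len(per_account) >= SPRAY_MIN_ACCOUNTS and worst <= SPRAY_MAX_PER_ACCOUNT:
                emit("password_spray", ip,
                     f"{len(per_account)} accounts, at most {worst} attempt(s) each")
    return alerts


# Constructed sample log: a spray then a success from 198.51.100.7, a brute-force
# burst against "admin" from 203.0.113.9, and a benign retry from 192.0.2.44.
SAMPLE_LOG = (
    [f"2025-03-20T09:0{i}:00 vpn auth FAIL user={u} src=198.51.100.7"
     for i, u in enumerate(["alee", "bkhan", "cdiaz", "dwu", "eroy", "fmoss"])]
    + ["2025-03-20T09:07:00 vpn auth OK user=cdiaz src=198.51.100.7"]
    + [f"2025-03-20T09:1{i}:00 vpn auth FAIL user=admin src=203.0.113.9" for i in range(9)]
    + ["2025-03-20T08:30:00 vpn auth FAIL user=alee src=192.0.2.44",
       "2025-03-20T08:30:40 vpn auth OK user=alee src=192.0.2.44",
       "not a log line"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["type"], alert["src"], alert["detail"])
```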

Such indicators can be used to update firewall rules so that requests from known malicious infrastructure are blocked, limiting the tool's reach. BRUTED does not exploit software vulnerabilities to gain access to network edge devices, but maintaining up-to-date security patches remains an important part of cybersecurity. Regularly applying the latest patches ensures that potential vulnerabilities in network security systems are addressed, strengthening their overall resilience.