Cyber Security News
“Usernames and passwords are insufficient and vulnerable means of authentication on their own; therefore, it is essential to employ strong authentication techniques like multi-factor authentication (MFA) to confirm users’ identities before granting secure access to resources,” Sarah Lefavrais, Product Marketing Manager at Thales, states in her recent article. It’s true. Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed to improve security without hindering user convenience.
What is Strong Authentication?
TechTarget states that strong authentication is “any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter.” It is commonly referred to as a way to confirm a user’s identity when passwords are not enough. As TechTarget continues, the European Bank and many that adopt its guidelines state that strong authentication must include “at least two mutually-independent factors” so that the compromise of one will not lead to the compromise of the other. These factors are:
- Knowledge – Something the user knows
- Possession – Something the user has
- Inherence – Something the user is
As Lefavrais states, employing more than one of these measures is needed to ensure that only legitimate users can access applications and services, particularly when applications hold sensitive data such as confidential, personally identifiable information that must be protected.
In IAM strategy, strong authentication methods like MFA and Modern Authentication are quickly replacing traditional methods like passwords and are becoming the new gold standard for how IT and security teams enforce access controls and gain visibility into access events, especially as workloads move to the cloud and to VMs, and across remote and hybrid environments.
The IAM Security Boundary
Strong authentication is a critical component of modern-day identity and access management. It not only provides additional layers of security around entry points, but allows for customizable levels of authentication, authorization, and access control throughout your environment, giving users only the permissions (and sign-in requirements) they need. To illustrate that point, we’ll investigate two of the primary methods, MFA and Modern Authentication, further in-depth.
Multi-factor Authentication (MFA) is widely seen as the strongest mode of authentication. MFA allows you to:
- Protect against the compromise made possible by weak passwords. With MFA, a password alone is insufficient to grant access, so credential stuffing and brute force attacks are rendered useless.
- Reduce identity theft from phishing and other social engineering schemes. Even if you do click on that email and enter a few credentials, if your bank, work VPN, or other access point requires MFA (especially with tokenization, biometrics, or location-based entry), chances are those credentials won’t be enough, and hackers will move on to easier targets.
- Stay within compliance boundaries like the OMB Memorandum for Zero Trust Cybersecurity and the European Union Agency for Cybersecurity (ENISA) and CERT-EU guidelines, as noted by Lefavrais. These require MFA use throughout subordinate enterprises.
A few MFA methods used in strong authentication include:
- FIDO security keys
- Certificate-based smart cards and certificate-based USB tokens
- Mobile phone and software-based authentication
- One Time Password (OTP) authenticators
- Pattern-based (or grid) authenticators
- Hybrid tokens
Modern Authentication relies on technologies such as FIDO and WebAuthn, contextual authentication and modern federation protocols, which ensure proper user identity and access controls in cloud environments. That means you can implement more effective access security for cloud apps alongside the existing access controls already in place for on-premises and legacy applications. Flexible policy-based access enables a friendly experience while maintaining a high level of security for the roles or resources that require it.
What to Look for in a Strong Authentication Service
When choosing a strong authentication service, be it on-premises or in the cloud, features to consider are:
- Policy-based access with the ability to implement conditional access. In order to optimize the end-user experience while maintaining the best access security for a particular user and application, look for a solution that can enforce a range of authentication methods through policies and risk scoring.
- Phishing resistance. Phishing accounts for roughly a quarter of all data breaches, according to Verizon’s 2021 DBIR. Strong authentication solutions built on FIDO2 can both authenticate securely and resist phishing attacks.
- User experience. Do the methods involved create security fatigue, or is it simple to secure multiple-use authentication journeys?
- Adaptability and customizability. Can you assign different access controls based on role or asset? What about context, environment, or use case?
Ultimately, you need to ensure your strong authentication provider supports your industry’s identity and access regulations and integrates smoothly with your current identity environment, deploying flexibly and maintaining equilibrium as you transition over. To maintain a risk-based authentication posture, IAM solutions must continue evolving alongside increased digitization demands. When a single lock and key no longer suffice to safeguard the VMs, remote environments, and cloud-based assets of today, we must adopt the access management and strong authentication methods that can.
About the Author: Katrina Thompson is an ardent believer in personal data privacy and the technology behind it. She is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
(SecurityAffairs – hacking, Strong Authentication)
The post Strong Authentication – Robust Identity and Access Management Is a Strategic Choice appeared first on Security Affairs.
Recently, Atlassian released security updates to address a critical hardcoded credentials vulnerability in Confluence Server and Data Center, tracked as CVE-2022-26138.
A remote, unauthenticated attacker can exploit the vulnerability to log into unpatched servers.
When the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) is installed, a Confluence user account with the username “disabledsystemuser” is created.
According to Atlassian, the account allows administrators to migrate data from the app to Confluence Cloud. The bad news is that the account is created with a hard-coded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.
“When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.” reads the advisory published by Atlassian. “A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the group has access to.”
The affected versions are:
- Questions for Confluence 2.7.x: 2.7.34, 2.7.35
- Questions for Confluence 3.0.x: 3.0.2
The company pointed out that uninstalling the Questions for Confluence app does not solve this vulnerability because the disabledsystemuser account is not removed after the app has been uninstalled. Admins of impacted Confluence Server or Data Center instances can remediate this vulnerability with the following actions:
- Option 1: Update to a non-vulnerable version of Questions for Confluence
- Option 2: Disable or delete the disabledsystemuser account
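The two remediation options above, and the warning that uninstalling the app leaves the account behind, translate into a simple inventory check. The following is an added example (not Atlassian's code); the snapshot and log-line formats are assumptions of this example, not Confluence's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Questions for Confluence releases listed as affected in the Atlassian advisory.
AFFECTED_VERSIONS = frozenset({"2.7.34", "2.7.35", "3.0.2"})
# The account the app creates with a hardcoded password, and the group it joins.
BACKDOOR_USER = "disabledsystemuser"
BACKDOOR_GROUP = "confluence-users"


@dataclass
class ConfluenceSnapshot:
    """Inventory of one Confluence Server/Data Center instance (assumed format)."""
    questions_app_version: Optional[str]                        # None: app not installed
    users: Dict[str, bool] = field(default_factory=dict)        # username -> active?
    groups: Dict[str, Set[str]] = field(default_factory=dict)   # group -> members


def assess(snap: ConfluenceSnapshot) -> List[str]:
    """Return remediation findings for CVE-2022-26138; an empty list means nothing is pending."""
    findings = []
    version = snap.questions_app_version
    if version in AFFECTED_VERSIONS:
        findings.append(f"Questions for Confluence {version} is an affected release; update it (Option 1)")
    # The account survives uninstalling the app, so it is checked regardless of version.
    if snap.users.get(BACKDOOR_USER) is True:
        findings.append(f"{BACKDOOR_USER} exists and is active; disable or delete it (Option 2)")
        if BACKDOOR_USER in snap.groups.get(BACKDOOR_GROUP, set()):
            findings.append(f"{BACKDOOR_USER} is in {BACKDOOR_GROUP} and can read and edit non-restricted pages")
    return findings


# Constructed access-log lines; the key=value layout is an assumption of this example.
SAMPLE_LOG = """\
2022-07-21T10:02:13Z 203.0.113.7 user=alice action=login status=ok
2022-07-21T10:05:40Z 198.51.100.9 user=disabledsystemuser action=login status=fail
2022-07-21T10:05:52Z 198.51.100.9 user=disabledsystemuser action=login status=ok
2022-07-21T10:06:02Z 198.51.100.9 user=disabledsystemuser action=view page=Finance/Budget
"""


def suspicious_logins(log_text: str) -> List[Tuple[str, str]]:
    """(timestamp, source IP) of every successful login by the hardcoded account."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(kv.split("=", 1) for kv in parts[2:] if "=" in kv)
        if (fields.get("user") == BACKDOOR_USER
                and fields.get("action") == "login"
                and fields.get("status") == "ok"):
            hits.append((parts[0], parts[1]))
    return hits


if __name__ == "__main__":
    # App already uninstalled, but the account is still there and active.
    snap = ConfluenceSnapshot(None, {BACKDOOR_USER: True}, {BACKDOOR_GROUP: {"alice", BACKDOOR_USER}})
    print(*assess(snap), sep="\n")
    print(suspicious_logins(SAMPLE_LOG))
```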
The attacks exploiting the issue began after the release of the hard-coded credentials on Twitter.
Default Atlassian Confluence password has been leaked
Update Questions for Confluence app ver 2.7.x >= 2.7.38 or > 3.0.5
Credits to @fluepke #CyberSecurity
Rapid7 researchers pointed out that the exploitation of the CVE-2022-26138 flaw is underway.
“This easily allows a remote, unauthenticated attacker to browse an organization’s Confluence instance. Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.” reads the post published by Rapid7 researchers.
(SecurityAffairs – hacking, Atlassian)
The post Exploitation is underway for a critical flaw in Atlassian Confluence Server and Data Center appeared first on Security Affairs.
A malicious campaign targeting Discord users leverages multiple npm packages to deliver malware that steals their payment card information, Kaspersky researchers warn.
The malicious code hidden in the packages, tracked as Lofy Stealer, is a modified version of an open-source token logger called Volt Stealer.
“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP.” reads the analysis published by Kaspersky.
The malicious code can detect when a user logs in, changes their email or password, enables or disables multi-factor authentication (MFA), or adds new payment methods, including complete bank card details.
Below is the timeline of the uploaded malicious packages, which include the small-sm, pern-valids, lifeculer and proc-title npm modules:

Package name   Version   Timestamp (UTC)
small-sm       8.2.0     2022-07-17 20:28:29
small-sm       4.2.0     2022-07-17 19:47:56
small-sm       4.0.0     2022-07-17 19:43:57
small-sm       1.1.0     2022-06-18 16:19:47
small-sm       1.0.9     2022-06-17 12:23:33
small-sm       1.0.8     2022-06-17 12:22:31
small-sm       1.0.7     2022-06-17 03:36:45
small-sm       1.0.5     2022-06-17 03:31:40
pern-valids    1.0.3     2022-06-17 03:19:45
pern-valids    1.0.2     2022-06-17 03:12:03
lifeculer      0.0.1     2022-06-17 02:50:34
proc-title     1.0.3     2022-03-04 05:43:31
proc-title     1.0.2     2022-03-04 05:29:58
Once harvested, this data is uploaded to one of several Replit-hosted instances whose addresses are hard-coded within the malware (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co).
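A practical use of the timeline above is to check a project's lockfile for the listed packages. This is an added example (not Kaspersky's code); the lockfile contents are constructed, and the name/version pairs are the ones from the table.

```python
import json
from typing import Dict, List

# (name, version) pairs from the Kaspersky timeline above.
MALICIOUS = {
    ("small-sm", "8.2.0"), ("small-sm", "4.2.0"), ("small-sm", "4.0.0"),
    ("small-sm", "1.1.0"), ("small-sm", "1.0.9"), ("small-sm", "1.0.8"),
    ("small-sm", "1.0.7"), ("small-sm", "1.0.5"),
    ("pern-valids", "1.0.3"), ("pern-valids", "1.0.2"),
    ("lifeculer", "0.0.1"),
    ("proc-title", "1.0.3"), ("proc-title", "1.0.2"),
}
MALICIOUS_NAMES = {name for name, _ in MALICIOUS}


def _record(path: str, name: str, version: str, out: List[Dict[str, str]]) -> None:
    if name in MALICIOUS_NAMES:
        known = (name, version) in MALICIOUS
        out.append({"path": path, "name": name, "version": version,
                    # an unlisted version of a listed name still deserves a look
                    "severity": "known-malicious" if known else "review"})


def _walk_v1(deps: dict, prefix: str, out: List[Dict[str, str]]) -> None:
    """lockfileVersion 1: nested 'dependencies' trees keyed by package name."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        _record(path, name, meta.get("version", ""), out)
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def scan_lockfile(lock_json: str) -> List[Dict[str, str]]:
    """Return every installed package whose name appears in the campaign list."""
    lock = json.loads(lock_json)
    out: List[Dict[str, str]] = []
    # lockfileVersion 2/3: flat 'packages' map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if path == "":            # "" is the root project itself
            continue
        # "node_modules/a/node_modules/@s/b" -> "@s/b"
        name = path.rsplit("node_modules/", 1)[-1]
        _record(path, name, meta.get("version", ""), out)
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", out)
    return out


# Constructed lockfile: one listed version and one unlisted version of a listed name.
SAMPLE_LOCK = json.dumps({
    "name": "demo-bot", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-bot", "dependencies": {"small-sm": "^8.2.0"}},
        "node_modules/small-sm": {"version": "8.2.0"},
        "node_modules/example-lib": {"version": "2.1.0"},
        "node_modules/example-lib/node_modules/proc-title": {"version": "1.0.4"},
    },
})

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print(f"{f['severity']:16} {f['name']}@{f['version']}  ({f['path']})")
```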
Kaspersky states that they are constantly monitoring the updates to repositories to rapidly detect all new malicious packages.
(SecurityAffairs – hacking, Discord)
The post Malware-laced npm packages used to target Discord users appeared first on Security Affairs.
On July 21, 2022, Akamai mitigated the largest DDoS attack that ever hit one of its European customers.
The attack hit an Akamai customer in Eastern Europe that was targeted 75 times in the past 30 days with multiple types of DDoS attacks, including UDP, UDP fragmentation, ICMP flood, RESET flood, SYN flood, TCP anomaly, TCP fragment, PSH ACK flood, FIN push flood, and PUSH flood.
“On Thursday, July 21, 2022, Akamai detected and mitigated the largest DDoS attack ever launched against a European customer on the Prolexic platform, with globally distributed attack traffic peaking at 853.7 Gbps and 659.6 Mpps over 14 hours.” reads the post published by Akamai. “The attack, which targeted a swath of customer IP addresses, formed the largest global horizontal attack ever mitigated on the Prolexic platform.”
The malicious traffic peaked at 853.7 Gbps and 659.6 Mpps over 14 hours; this is the largest global horizontal attack ever mitigated on the Akamai Prolexic platform.
(Figure: spike in BPS attack traffic. Source: Akamai)
According to Akamai, threat actors used a highly-sophisticated, global botnet of compromised devices to launch the attack.
In September, the Russian Internet giant Yandex was hit by the largest DDoS attack in the history of Runet, the Russian Internet designed to be independent of the world wide web and ensure the resilience of the country to an internet shutdown. The attack was launched by the Mēris botnet and reached 21.8 million RPS (requests per second).
(SecurityAffairs – hacking, DDoS)
The post Akamai blocked the largest DDoS attack ever on its European customers appeared first on Security Affairs.
LibreOffice is an open-source office productivity software suite, a project of The Document Foundation (TDF).
LibreOffice maintainers addressed three security flaws in their suite, including an arbitrary code execution issue tracked as CVE-2022-26305. The CVE-2022-26305 flaw is classified as the execution of untrusted macros due to improper certificate validation. The issue could lead to the execution of malicious macros.
By default, LibreOffice executes macros only if they are stored in a trusted file location or if they are signed by a trusted certificate included in a list of certificates stored in the user’s configuration database.
“An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate.” reads the advisory published by LibreOffice. “An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted.”
This flaw cannot be exploited if the macro security level is set to very high or if the user has no trusted certificates.
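To make the advisory's point concrete, here is an added example (not LibreOffice's code) that models the pre-fix trust check beside a whole-certificate comparison. The Cert fields and the DER byte strings are constructed placeholders, and verification of the macro signature against the matched certificate's key is left out of the model.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (fields parsed from `der`)."""
    serial: int
    issuer: str
    der: bytes          # the complete encoded certificate, public key included

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def trusted_vulnerable(signer: Cert, trusted: Iterable[Cert]) -> bool:
    """Pre-fix logic: only the serial number and issuer string are compared,
    so a self-made certificate copying both values is accepted."""
    return any(t.serial == signer.serial and t.issuer == signer.issuer for t in trusted)


def trusted_fixed(signer: Cert, trusted: Iterable[Cert]) -> bool:
    """Compare the whole certificate; a look-alike with a different key cannot
    match. A real implementation must also verify the macro signature with
    the matched certificate's public key, which this model omits."""
    return any(t.fingerprint() == signer.fingerprint() for t in trusted)


Check = Callable[[Cert, Iterable[Cert]], bool]


def macro_allowed(level: str, signer: Cert, trusted: List[Cert], check: Check) -> bool:
    """Model of the two strictest macro security levels: 'very high' runs
    nothing from outside trusted locations, 'high' runs macros signed by a
    trusted certificate. With no trusted certificates nothing can match."""
    if level == "very high" or not trusted:
        return False
    if level == "high":
        return check(signer, trusted)
    raise ValueError(f"unsupported level {level!r}")


# Constructed placeholders, not real DER encodings: same serial and issuer,
# different key material.
GENUINE = Cert(0x1F2E3D, "CN=Example Macro CA",
               b"DER{serial=1F2E3D;issuer=CN=Example Macro CA;key=genuine}")
FORGED = Cert(0x1F2E3D, "CN=Example Macro CA",
              b"DER{serial=1F2E3D;issuer=CN=Example Macro CA;key=attacker}")
TRUSTED = [GENUINE]

if __name__ == "__main__":
    print("forged accepted pre-fix: ", macro_allowed("high", FORGED, TRUSTED, trusted_vulnerable))
    print("forged accepted post-fix:", macro_allowed("high", FORGED, TRUSTED, trusted_fixed))
```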
The second issue fixed in the popular software is a static initialization vector that allows an attacker to recover passwords for web connections without knowing the master password.
“LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.” reads the advisory. “A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data.”
The third issue addressed in the software, tracked as CVE-2022-26307, is related to the use of weak master keys that could be guessed by attackers through a brute-force attack.
“LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.” reads the advisory. “A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config.”
All three flaws were discovered by OpenSource Security GmbH on behalf of the German Federal Office for Information Security; they were fixed with the release of versions 7.2.7, 7.3.2, and 7.3.3.
(SecurityAffairs – hacking, LibreOffice)
The post LibreOffice fixed 3 flaws, including a code execution issue appeared first on Security Affairs.
In response to Microsoft’s decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default in Microsoft Office applications, threat actors are adopting new attack techniques.
Researchers from Proofpoint reported that threat actors are increasingly using container files such as ISO and RAR, and Windows Shortcut (LNK) files, in their malware campaigns. Proofpoint researchers noticed that the use of ISO, RAR and LNK file attachments increased by nearly 175% over the same period, and that at least 10 malicious actors have started using LNK files in their campaigns since February 2022.
“According to an analysis of campaigned threats, which include threats manually analyzed and contextualized by Proofpoint threat researchers, the use of macro-enabled attachments by threat actors decreased approximately 66% between October 2021 and June 2022.” reads the analysis published by Proofpoint.
Before October 2021, most malicious phishing campaigns spread malware using weaponized Office documents. Once the victim was tricked into opening the file, the attack chain started.
Microsoft’s move to block macros has pushed threat actors into finding alternative techniques to bypass Mark of the Web (MOTW) protections.
The Mark of the Web is a feature introduced by Microsoft to determine the origin of a file. If a file was downloaded from the Internet or from another location on a network, it carries a marker identifying the zone from which it was downloaded. Depending on this zone (e.g. intranet, internet, etc.), Windows handles the file accordingly, so as to prevent users from running or opening potentially harmful files from untrusted sources.
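On NTFS the mark is stored in the file's Zone.Identifier alternate data stream as a small INI-style text. The following is an added example (not Proofpoint's or Microsoft's code) that parses that text and flags the container and shortcut types the report discusses; the stream content is a constructed string here, and on Windows it would be read from "<file>:Zone.Identifier".

```python
from typing import Dict, Optional

# Security zone ids Windows writes into the Zone.Identifier stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# File types the Proofpoint report singles out for carrying payloads.
CONTAINERS = {".iso", ".img", ".rar", ".zip"}
SHORTCUTS = {".lnk"}


def parse_zone_identifier(text: Optional[str]) -> Dict[str, str]:
    """Parse the INI-style stream; returns {} when the file carries no mark."""
    if not text:
        return {}
    values: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "ZoneTransfer":
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def classify(filename: str, zone_stream: Optional[str]) -> str:
    """Describe how a file should be treated given its name and its mark."""
    mark = parse_zone_identifier(zone_stream)
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    zone = int(mark["ZoneId"]) if mark.get("ZoneId", "").isdigit() else None
    if zone is None:
        return "no mark: origin unknown, treat as untrusted"
    origin = ZONES.get(zone, f"zone {zone}")
    if zone >= 3 and ext in CONTAINERS:
        # The mark is on the container, not on the files extracted from it.
        return f"{origin} container: mark does not propagate to its contents, inspect before mounting"
    if zone >= 3 and ext in SHORTCUTS:
        return f"{origin} shortcut: check the target command line before opening"
    if zone >= 3:
        return f"{origin} file: normal MOTW handling applies"
    return f"{origin} file"


# Constructed stream as written for a download from an Internet-zone URL.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://mail.example.invalid/invoice.iso\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for name in ("invoice.iso", "invoice.lnk", "report.docx"):
        print(name, "->", classify(name, SAMPLE_STREAM))
```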
The researchers observed that the number of campaigns containing LNK files has increased by 1,675% since October 2021. Proofpoint tracked multiple threat actors, both cybercriminal gangs and APT groups, leveraging LNK files.
“Threat actors across the threat landscape are pivoting away from macro-enabled documents to increasingly use different filetypes for initial access. This change is led by the adoption ISO and other container file formats, as well as LNK files. Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.” concludes the report. “Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history. It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”
(SecurityAffairs – hacking, macros)
The post Threat actors use new attack techniques after Microsoft blocked macros by default appeared first on Security Affairs.
ENISA published a report that provides anonymized and aggregated information about major telecom security incidents in 2021.
Every European telecom operator that suffers a security incident, notifies its national authorities which share a summary of these reports to ENISA at the start of every calendar year.
The reporting of security incidents has been part of the EU’s regulatory framework for telecoms since the 2009 reform of the telecoms package.
This year the report includes data related to reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
The incidents had a significant impact: the total user hours lost (obtained by multiplying, for each incident, the number of users by the number of hours) was 5,106 million user hours. Experts noticed a huge increase compared to the 841 million user hours lost in 2020. The reason for this is the impact of a notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC, including on thresholds and on calculating hours lost.
Below are the takeaways from incidents that took place in 2021:
- 4.16% of reported incidents in 2021 refer to OTT communication services, which is why the Agency calls for further attention to security incidents related to OTT services.
- This is the first time that incidents concerning confidentiality and authenticity were reported.
- The number of incidents labeled as malicious actions rose from 4% in 2020 to 8% in 2021.
- System failures continue to dominate in terms of impact but the downward trend continues. System failures accounted for 363 million user hours lost compared to 419 million user hours in 2020.
- The number of incidents caused by human errors is the same as in 2020.
- Only 22% of incidents were reported as being related to third-party failures, compared to 29%.
Let me suggest reading the full report for additional information.
(SecurityAffairs – hacking, telecom security incidents)
The post ENISA provides data related to major telecom security incidents in 2021 appeared first on Security Affairs.
The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) researchers linked a threat group known as Knotweed to an Austrian surveillance firm named DSIRF, known for using multiple Windows and Adobe zero-day exploits. The group targets entities in Europe and Central America with a surveillance tool dubbed Subzero.
The DSIRF website states that it provides services “to multinational corporations in the technology, retail, energy and financial sectors” and that it has “a set of highly sophisticated techniques in gathering and analyzing information.” It publicly offers several services, including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”
Microsoft states that multiple news reports have linked the company to the Subzero malware toolset used to hack a broad range of devices, phones, computers, and network and internet-connected devices.
The researchers found evidence linking DSIRF to the Knotweed operation, including the C2 infrastructure used by Subzero and a code-signing certificate issued to DSIRF that is used to sign an exploit.
Microsoft reported Subzero attacks against Microsoft customers in Austria, the United Kingdom, and Panama. The targeted entities are law firms, banks, and strategic consultancies.
MSTIC states that KNOTWEED’s Subzero malware was deployed in multiple ways; Microsoft refers to the different stages of Subzero as Jumplump (the persistent loader) and Corelump (the main malware).
Once the system is compromised, the threat actors drop the Corelump downloader and inject it directly into memory to evade detection. It supports multiple features, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.
Microsoft researchers observed a variety of post-compromise actions on infected systems:
- Setting of UseLogonCredential to “1” to enable plaintext credentials
- Credential dumping via comsvcs.dll
- Attempt to access emails with dumped credentials from a KNOTWEED IP address
- Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com
- Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF
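The post-compromise actions listed above are the kind of behaviours a hunting query can key on. This is an added example (not Microsoft's code or its published queries): the event records are constructed, their layout is an assumption of this example, and the command lines use placeholders rather than the actors' real arguments.

```python
import re
from typing import Dict, List, Tuple

# Constructed endpoint telemetry; the record layout is an assumption of this example.
EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set", "host": "ws-01",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": "1"},
    {"type": "process", "host": "ws-01", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll <arguments omitted>"},
    {"type": "process", "host": "ws-01", "image": "curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\t.bin https://<bucket>.vultrobjects.com/<path omitted>"},
    {"type": "process", "host": "ws-02", "image": "powershell.exe",
     "cmdline": "powershell.exe <script fetched from https://gist.githubusercontent.com/<account>/<id>/raw>"},
    {"type": "process", "host": "ws-02", "image": "curl.exe",
     "cmdline": "curl.exe -O https://updates.example.invalid/patch.msi"},   # benign download
]

WDIGEST_VALUE = r"\securityproviders\wdigest\uselogoncredential"


def _wdigest_enabled(e: Dict[str, str]) -> bool:
    return (e["type"] == "registry_set"
            and e["path"].lower().endswith(WDIGEST_VALUE)
            and e["value"] == "1")


def _comsvcs_via_rundll32(e: Dict[str, str]) -> bool:
    return (e["type"] == "process"
            and e.get("image", "").lower() == "rundll32.exe"
            and "comsvcs.dll" in e.get("cmdline", "").lower())


def knotweed_findings(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, description) for each event matching a listed post-compromise action."""
    hits = []
    for e in events:
        host = e["host"]
        if _wdigest_enabled(e):
            hits.append((host, "UseLogonCredential set to 1: WDigest plaintext credential caching enabled"))
        elif _comsvcs_via_rundll32(e):
            hits.append((host, "comsvcs.dll invoked through rundll32: possible credential dumping"))
        elif e["type"] == "process":
            image = e.get("image", "").lower()
            cmd = e.get("cmdline", "").lower()
            if image == "curl.exe" and re.search(r"https?://[^/\s]*vultrobjects\.com/", cmd):
                hits.append((host, "curl download from vultrobjects.com: matches KNOTWEED tooling delivery"))
            elif image == "powershell.exe" and "gist.githubusercontent.com" in cmd:
                hits.append((host, "PowerShell running a script sourced from a GitHub gist"))
    return hits


def hosts_with_credential_theft_chain(events: List[Dict[str, str]]) -> List[str]:
    """Hosts where WDigest was enabled and comsvcs.dll was then invoked: the
    pair, in that order, is a stronger signal than either event alone."""
    enabled: Dict[str, bool] = {}
    out: List[str] = []
    for e in events:
        h = e["host"]
        if _wdigest_enabled(e):
            enabled[h] = True
        elif _comsvcs_via_rundll32(e) and enabled.get(h) and h not in out:
            out.append(h)
    return out


if __name__ == "__main__":
    for host, why in knotweed_findings(EVENTS):
        print(f"{host}: {why}")
    print("credential theft chain on:", hosts_with_credential_theft_chain(EVENTS))
```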
Researchers from threat intelligence firm RiskIQ, using passive DNS data related to Knotweed attacks, linked the C2 infrastructure used by the malware since February 2020 to DSIRF.
One of the zero-day exploits used in Knotweed attacks was triggering the recently patched CVE-2022-22047 issue. The attackers used this exploit to escalate privileges, escape sandboxes, and gain system-level code execution on the vulnerable system.
“In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.” reads the report. “We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.”
Below is the list of recommendations published by Microsoft for its customers to prevent Subzero infections:
- All customers should prioritize patching of CVE-2022-22047.
- Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the related indicators.
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. Note: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
“Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.” concludes Microsoft.
(SecurityAffairs – hacking, Subzero malware)
The post European firm DSIRF behind the attacks with Subzero surveillance malware appeared first on Security Affairs.
The Spanish police have arrested two men suspected to be the hackers behind cyberattacks that hit the country’s radioactivity alert network (RAR) between March and June 2021.
The RAR system is a mesh of gamma radiation detection sensors deployed across the country in order to detect anomalous radiation levels and take protective measures to prevent damage to the environment and the population. The sensors are connected by telephone to the control center at the DGPCE headquarters, which gathers the measurements and transmits the necessary orders to the sensors.
(Image source: https://westobserver.com)
The suspects are former workers of a company in charge of the maintenance of the RAR system, which is why they had technical knowledge of the system.
The duo was identified after a year-long investigation; the police carried out searches at two homes and one company in Madrid and San Agustín de Guadalix. The agents found numerous computers and communications devices that were used in the attack.
The two suspects had access to the network of the General Directorate of Civil Protection and Emergencies (DGPCE) and were able to disconnect the sensors from the system, reducing their detection capacity even in the surroundings of nuclear power plants.
The Cyberattack Group of the National Police, with the help of the DGPCE, determined that once the attackers had gained access to the network they attempted to delete the RAR management web application in the control center. The suspects targeted more than 300 sensors out of the 800 existing ones.
In parallel, the duo launched individual attacks against the sensors, taking down 300 out of the 800 spread across Spain, essentially breaking their link to the control center and disrupting the data exchange.
The cyberattacks against RAR stopped in June 2021 after the security breach was discovered by the Spanish authorities.
“During the investigation it was determined that the two detainees had been responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE, for which they had a deep knowledge of it that made it easier for them to carry out the attacks and helped them in their efforts to mask their authorship, significantly increasing the difficulty of the investigation.” reads the announcement published by the Policía Nacional.
The police did not provide additional details about the attack; at this time the motivation behind it is unknown.
(SecurityAffairs – hacking, Zyxel)
The post Spain police arrested two men accused of cyber attacks on radioactivity alert network (RAR) appeared first on Security Affairs.