Patrick Jurgelewicz says
Google Account Hacks Dropped by Half After Pushing Two-Step Authentication by Default
https://www.theverge.com/2022/2/8/22923618/google-account-hacks-dropped-half-two-step-authentication
In October 2021, Google announced plans to enable 2-factor authentication by default for over 150 million Google users and 2 million YouTube creators who had not yet enabled it. In February 2022, Google announced it observed a 50% decrease in compromised accounts within that test group. Google is also helping accounts hook up recovery emails and associated phone numbers to prevent lockouts while also securing the account. As of 2018, 90% of active Gmail accounts were not using 2-factor authentication, and recently both Twitter and Facebook revealed less than 5% of users had this feature enabled.
This report shows the benefits of multi-factor authentication, and could contribute to a “future without passwords” as both our textbook and tech giants including Google have discussed.
Kelly Sharadin says
Following our reading on protecting digital identities, this article from BleepingComputer discusses the privacy implications of Covid Passport Apps. Security vendor Symantec discovered 27 apps had significant security and privacy concerns, specifically the “hard-coded cloud service (AWS) credentials and absence of SSL CA validation” which, as we’ve learned, can leave victims vulnerable to replay attacks. Of course, the apps pose additional risks such as unencrypted data and no requirement of HTTPS. Given the plethora of PII data, these apps will undoubtedly be targets for cyber criminals.
https://www.bleepingcomputer.com/news/security/dozens-of-covid-passport-apps-put-users-privacy-at-risk/
Vraj Patel says
Red Cross has recently revealed that personal data of more than half a million people had been compromised, as the attackers were able to get access to the Red Cross systems through an unpatched vulnerability. After detecting the incident for almost a month, Red Cross has indicated that it was a “highly sophisticated and targeted” attack. Red Cross has mentioned that after discovering the incident they took the compromised server offline on January 18. Red Cross also stated that they believe the attackers were able to gain access to the server on November 9, 2021. The attackers were able to get access to personal data such as names, locations, and contact information despite it being encrypted, and Red Cross indicated that the attacker might have exfiltrated that data as well.
Reference:
https://portswigger.net/daily-swig/red-cross-servers-were-hacked-via-unpatched-manageengine-flaw
Dhaval Patel says
The Nvidia ransomware attack has had some repercussions. Code signing certificates were a part of the attack that took place on Feb 23. Now, these certificates are being used to sign malware so programs can get past security safeguards on Windows machines. The certificates are expired but are still recognized by Windows. The leak of these certificates (there are 2) is considered a significant threat because this is what computers are using to ensure trust in the software. Lapsus$ is the group that conducted the ransomware attack and has recently attacked Samsung.
https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/
Antonio Cozza says
This article from thehackernews discusses some of the latest information regarding cybersecurity and its role throughout the Russia-Ukraine conflict. To no surprise, Russian hackers, according to Google’s TAG (Threat Analysis Group), are attacking Ukrainians and their European allies with phishing attacks. Multiple Russian threat actors including Fancy Bear, Ghostwriter, and Mustang Panda have launched phishing campaigns against Ukraine and its allies. In one aspect of the situation, Ukraine’s CERT (computer emergency response team) issued warnings of the campaigns targeting Ukr.net users. Ghostwriter, a Belarusian threat actor, has also launched phishing campaigns against certain Ukrainian sites as well. Interestingly enough, Mustang Panda is also included in the mix, and it is a China-based threat actor that has been seeking to plant malware in “targeted European entities related to the Ukraine invasion.” Other findings include a series of DDoS attacks, which at their peak on some Ukrainian targets exceeded 100 GB/s. As many have probably heard, Ukraine has responded with its provisioning of the IT Army, which is responding to such Russian attacks similarly, by using “digital warfare to disrupt Russian government and military targets.”
https://thehackernews.com/2022/03/google-russian-hackers-target.html
Kyuande Johnson says
Nvidia Suffers Leak of Company, Employee Information in Cyberattack
The company became aware of the security breach on Feb. 23
On February 23rd Nvidia, a major U.S. manufacturer of chips and graphics processing units, became a victim of a cyber attack leaking company and employee information. A hacking outfit under the name “Lapsus$” has reportedly claimed responsibility for the attack. The Lapsus$ data extortion group has released what they claim to be data stolen from the Nvidia GPU designer. The cache is an archive that is almost 20GB large. Lapsus$ said that they stole 1TB of data from Nvidia and that they were prepared to publish it unless the company paid a ransom demand. LHR is Nvidia’s lite hash rate technology that enables graphics cards to reduce a GPU’s mining capacity. The Lapsus$ extortion group hopes that Nvidia will remove this limitation.
Victoria Zak says
“Passwordless: More Mirage Than Reality”
During an informal closing meeting, one of my clients asked my team and me how we felt about going passwordless. Passwordless is that extra layer of security to then be prompted for MFA. Would going passwordless really fly with the regulators? MFA has other forms of authentication such as one-time passwords, push notifications, and SMS notifications. Based off of Microsoft, passwordless is being implemented for one of the factors such as weak passwords. This is the reason why strong passwords need to be put in place.
Microsoft states there are 3 ways to help users keep their identities safe, such as Windows Hello (facial, thumbprint), Microsoft Authenticator, and FIDO2 Security Keys (standards-based passwordless authentication).
However, passwords are not going to go away anytime soon. Passwords are the most cost-friendly and easy authentication option, which makes them difficult to push away.
Reference:
https://www.microsoft.com/en-us/security/business/identity-access-management/passwordless-authentication
https://thehackernews.com/2021/04/passwordless-more-mirage-than-reality.html
Michael Jordan says
The article that I am choosing to summarize for this week’s in-the-news assignment is about the vulnerability patches in one of Microsoft’s scheduled monthly updates. There were 71 vulnerabilities patched in total, with 3 rated as critical and the other 68 described as “important”. There was also the (allegedly) first security patch impacting Xbox specifically.
The most critical bug was with Microsoft Exchange Server (CVSS rating of 8.8), but it was not known to be exploited in the wild (not a zero-day). An authenticated attacker could target server accounts via a network call and get these accounts to execute code and elevate privileges. Dustin Childs, Zero-Day Initiative researcher at Trend Micro, described the potential exploit as “low complexity” and said that he wouldn’t be surprised to see the bug exploited soon in the wild.
The most concerning zero-day bug was with Remote Desktop Client (CVSS rating of 8.8) because it allowed RCE (remote code execution). Microsoft has been more vigilant in searching for and patching Remote Desktop bugs because more people are working from home and there have been more bugs noticed with this software.
Lastly, the Xbox bug was found in the Xbox Live authentication manager for Windows, and could even allow elevation of privilege. It was described as very unique and is allegedly the first security patch impacting Xbox specifically.
Seals, T. (2022, March 8). Microsoft Addresses 3 Zero-Days & 3 Critical Bugs for March Patch Tuesday. threatpost.com. Retrieved from https://threatpost.com/microsoft-zero-days-critical-bugsmarch-patch-tuesday/178817/
Lauren Deinhardt says
Hi Mike,
Thanks for the post! In this current cyberwar atmosphere, it is so important for international organizations to keep updated with vulnerability information like this, and constantly patch, especially government entities.
Lauren Deinhardt says
https://fortune.com/2022/03/07/anonymous-claims-hack-of-russian-tvs-showing-putins-ukraine-invasion/
Anonymous claims it hacked into Russian TVs and showed the true devastation of Putin’s Ukraine invasion
In a recent video, the hacktivist group Anonymous threatened Russia with promises of cyberattacks and a declaration of cyberwar, coming from both inside and outside of the warring nation. Anonymous did not lie. As of Monday, the group claimed to have successfully hacked into Russian state TV systems, presenting viewers with information and visuals on the true devastation Russia is enacting in Ukraine. Evidence of this successful attack was posted across the Twitter platform. The hack targeted pro-Russia news channels that would usually show Kremlin-approved propaganda; instead displaying images of innocent Ukrainian civilian missile attacks. Like a typical hacktivist attack, this breach aimed to spread ideological awareness to Russian citizens in light of the current tense political atmosphere. The attack at first only targeted a few Russian networks, but then spread to every nationalist Russian television station. Russian airwaves have also been hacked to play the Ukrainian national anthem. I believe that this is such an insane current event. In this program, we have only read about hacktivist attacks/cyberwar (for the most part). Now, these topics are happening day by day. I think that the power Anonymous holds is awesome, yet terrifying. The fact that this group is so widespread and powerful in intelligence and numbers almost renders it as its own nation. Anonymous declared that they only want peace and are fighting against war; but what if a more malicious hacker group takes stage next? What about the countless Russian and Chinese hackers that can be deployed at any time? This is yet another reason for institutions to protect their information assets and work to preserve the CIA triad.
zijian ou says
A threat actor launched an attack using DanaBot against the webmail server belonging to the Ukrainian Ministry of Defense. The malware is commonly used to commit bank fraud and steal credentials. The DDoS attack is launched using the malware’s download and execute commands. The downloaded DDoS executable was written in Delphi, similar to DanaBot. The White House blamed the attacks on the Russian GRU. It believes the attacks may have set the stage for more damaging attacks on Ukraine.
https://cyware.com/news/ddos-attacks-fuel-pandemonium-7bd4551e
kofi bonsu says
Access control is increasingly regarded as reshaping the security landscape for all businesses everywhere. As companies grow and expand, it becomes more prevalent and essential for them to develop complex security systems that are still easy to understand and use. However, access control can solve these issues and streamline daily processes that often cause unnecessary problems in the business environment. This article further gives an overview of access control, including types of systems, their benefits and their various features. Not all access control systems are exactly the same, so it’s necessary to appreciate the differences so as to offer the best services possible.
https://www.securityindustry.org/2019/10/08/overview-of-access-control-systems/
Dan Xu says
“Novel Attack Turns Amazon Devices Against Themselves”
Researchers from the University of London and Catania University have discovered how to weaponize Amazon Echo devices for self-attack. The report states that an attacker could use an Internet radio to send signals to the target Echo like a command and control server. This method “works remotely and can be used to control multiple devices at once,” but requires additional steps, including tricking the target user into downloading a malicious Alexa “skill” (app) to the Amazon device. The physical proximity required for Bluetooth, or having to trick a user into downloading a malicious skill, limits but does not eliminate the potential for harm in cases like the one described in the Alexa and Alexa reports.
https://threatpost.com/attack-amazon-devices-against-themselves/178797/
Madalyn Stiverson says
https://www.theverge.com/2022/3/8/22966892/ukraine-us-targeted-cyber-war-russia-invasion-google-phishing-energy
Google recently discovered widespread phishing attacks and espionage attempts targeting Ukraine officials and generals. These attacks started two weeks prior to the invasion of Ukraine. Many of the targets were made up of users from Ukrnet, a Ukrainian media company, and Polish and Ukrainian government organizations. These attacks were traced back to the Belarusian outfit Ghostwriter and Russian Fancy Bear groups. It’s theorized these attacks might be state-sponsored, but it hasn’t been confirmed.
Olayinka Lucas says
A vulnerability in implementing multi-factor authentication (MFA) for Box allowed threat actors to take over accounts. (How MFA can be breached).
I came across this article and thought it would be helpful in this week’s class. Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses. The platform supports 2FA based on an authenticator application or SMS.
Recently, a vulnerability in implementing multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported.
Even though this vulnerability was fixed in November 2021, researchers mentioned that upon attempting to log into a Box account, the platform sets a session cookie and redirects the user to a form where they need to provide the time-based one-time password (TOTP) generated with an authenticator app (at /MFA/verification) or a code received via SMS (at /2fa/verification).
The researchers pointed out that if the user does not navigate to the SMS verification form, no SMS message will be sent despite the generated session cookie. A threat actor can provide the user’s email and password to get a valid session cookie, bypassing SMS-based 2FA.
Below is the attack flow devised by the experts:
1. Attacker enrolls in multi-factor authentication using an authenticator app and stores the device’s factor ID.
2. The attacker enters a user’s email address and password on account.box.com/login.
3. If the password is correct, the attacker’s browser is sent a new authentication cookie and redirects to: /2fa/verification.
4. The attacker, however, does not follow the redirect to the SMS verification form. Instead, they pass their factor ID and code from the authenticator app to the TOTP verification endpoint: /MFA/verification.
5. The attacker is now logged in to the victim’s account, and the victim does not receive an SMS message.
Source:
https://securityaffairs.co/wordpress/126901/hacking/box-2fa-bypass-falw.html
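The five-step flow above boils down to one missing server-side check: the TOTP endpoint accepted a factor ID without confirming it was enrolled on the account that owns the session. The toy login server below is an added illustration (not Box's or Varonis's code) that models the vulnerable check beside the bound one; the endpoint paths come from the post, while the account names, passwords, factor registry and session layout are assumptions.

```python
"""Toy model of the Box-style 2FA bypass described above (added example, not
Box's or Varonis's code). Endpoint names follow the post; the rest is assumed."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), i.e. the code an authenticator app would show."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Account:
    email: str
    password: str                      # plaintext only because this is a toy
    sms_phone: Optional[str] = None    # account uses SMS-based 2FA when set
    totp_factors: Dict[str, bytes] = field(default_factory=dict)  # factor_id -> secret


class Server:
    """bind_factor_to_account=False reproduces the flaw: /MFA/verification looks the
    factor ID up in a global registry instead of in the session owner's account."""

    def __init__(self, accounts, bind_factor_to_account: bool):
        self.bind = bind_factor_to_account
        self.accounts = {a.email: a for a in accounts}
        self.factor_registry: Dict[str, Tuple[str, bytes]] = {}  # factor_id -> (owner, secret)
        self.sessions: Dict[str, dict] = {}                       # cookie -> session state
        self.sms_sent = []

    def enroll_totp(self, email: str) -> Tuple[str, bytes]:
        """Step 1: any account can enroll an authenticator app and learn its factor ID."""
        factor_id, secret = secrets.token_hex(8), secrets.token_bytes(20)
        self.accounts[email].totp_factors[factor_id] = secret
        self.factor_registry[factor_id] = (email, secret)
        return factor_id, secret

    def login(self, email: str, password: str) -> Optional[Tuple[str, str]]:
        """Steps 2-3: a correct password yields a half-authenticated session cookie
        plus a redirect to whichever second-factor page the account uses."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"email": email, "mfa_done": False}
        page = "/MFA/verification" if acct.totp_factors else "/2fa/verification"
        return cookie, page

    def get_sms_page(self, cookie: str) -> None:
        """GET /2fa/verification: the SMS code is only sent when this page is loaded."""
        self.sms_sent.append(self.sessions[cookie]["email"])

    def post_mfa_verification(self, cookie: str, factor_id: str, code: str,
                              now: Optional[int] = None) -> bool:
        """POST /MFA/verification with a factor ID and a TOTP code."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return False
        if self.bind:   # fixed: only factors enrolled on the session owner's account count
            secret = self.accounts[sess["email"]].totp_factors.get(factor_id)
        else:           # vulnerable: any enrolled factor ID from any account is accepted
            entry = self.factor_registry.get(factor_id)
            secret = entry[1] if entry else None
        if secret is None or not hmac.compare_digest(totp(secret, now), code):
            return False
        sess["mfa_done"] = True
        return True


def simulate(bind_factor_to_account: bool) -> dict:
    """Walk the five steps from the post against a victim who uses SMS 2FA.
    Accounts, passwords and the phone number are constructed sample data."""
    victim = Account("victim@example.com", "victim-password", sms_phone="+1-555-0100")
    attacker = Account("attacker@example.com", "attacker-password")
    srv = Server([victim, attacker], bind_factor_to_account)
    now = int(time.time())
    factor_id, secret = srv.enroll_totp(attacker.email)             # step 1
    cookie, redirect = srv.login(victim.email, "victim-password")    # steps 2-3
    # Step 4: the redirect is ignored; /2fa/verification is never loaded, so no SMS goes out.
    ok = srv.post_mfa_verification(cookie, factor_id, totp(secret, now), now)
    return {"redirect": redirect, "logged_in": ok, "sms_sent": len(srv.sms_sent)}  # step 5
```

With the vulnerable server `simulate(False)` completes the session with no SMS ever sent; with the factor bound to the session's account, the same request is rejected.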