For this week’s “In the News”, research an article that centers around how identities were compromised to provide access, or how an account that was otherwise authorized was then used for unauthorized purposes.
Steve Pote says
This may be a bit myopic and technical. Where I set out looking for some “Ocean’s Eleven” scenario, I found this exploit write-up has all the right parts: access control, privilege escalation, even a GitHub code sample.
The nutshell version is this: the vulnerability allows use of a system process to alter discretionary file access for the process, which allows it to elevate the intruding user or malware to do damage. We will see more use of this. As written, SandboxEscaper, discoverer of the exploits, is simply publishing the exploits; someone weaponizing them isn’t far behind.
Back to this week’s topic, Identity & Access Management: the weak link is the discretionary access by a process. Either the process should never be able to elevate (like an end user), or the identity of the user the process is an agent for needs to be validated (local admin, Help Desk Group, sudo…).
https://www.zdnet.com/article/windows-10-zero-day-exploit-code-released-online/
Oby Okereke says
Citrix discloses security breach of internal network
_______________________________________________________________________________________
https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/
Key Highlights:
• March 09, 2019: the FBI notifies Citrix, a cloud computing giant, of unauthorized access to its internal network
• The attack was attributed to an Iranian hacking group called IRIDIUM
• Password spraying was utilized for this attack: a method of exploiting weak passwords by attempting to access a large number of accounts (usernames) with a few commonly used passwords
• About 6TB of data, mainly business documents belonging to NASA, aerospace industry contracts and the FBI, amongst other entities
Summary:
It would appear the hacking group IRIDIUM is known for launching attacks via proprietary techniques, which would include bypassing multi-factor authentication for critical applications and services for further unauthorized access to VPN channels and SSO (Single Sign-On). Further investigation by Citrix revealed that a few Citrix employee accounts had weak passwords that fit the bill. This goes to show that organizations should never undermine the use of strong passwords as well as auditing of identity and user access to ensure that no changes have occurred to the access control baseline.
This attack makes one wonder at the effectiveness of the IDS/IPS employed by Citrix to detect such lateral movements. The Citrix breach serves as a reminder that security should not be a one-time effort; rather, Continuous Monitoring cum Continuous Diagnostics and Mitigation (CDM) (what and who is on the network, what is happening on the network and how data on the network is being protected are some of the questions addressed by CDM) must be prioritized at all levels of the organization.
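Password spraying leaves a distinctive trace in authentication logs: one source fails against many different accounts while staying under the per-account lockout count, which is the opposite shape from a brute-force run against a single account. As an added example (not from Oby's post, the Citrix disclosure, or any Citrix tooling), here is detection logic a defender could run over such logs. The log line format, the user names, the source addresses and the thresholds are all assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (format, users and addresses are assumed;
# these are not Citrix logs). 198.51.100.7 tries a few passwords across many
# accounts, 203.0.113.9 hammers a single account, 192.0.2.44 is a normal user.
SAMPLE_LOG = """\
2019-03-06T02:14:07Z auth FAIL user=asmith src=198.51.100.7
2019-03-06T02:14:09Z auth FAIL user=bjones src=198.51.100.7
2019-03-06T02:14:11Z auth FAIL user=cwong src=198.51.100.7
2019-03-06T02:14:13Z auth FAIL user=dlee src=198.51.100.7
2019-03-06T02:14:15Z auth FAIL user=ekhan src=198.51.100.7
2019-03-06T02:14:17Z auth OK user=fgarcia src=198.51.100.7
2019-03-06T02:20:00Z auth FAIL user=asmith src=203.0.113.9
2019-03-06T02:20:05Z auth FAIL user=asmith src=203.0.113.9
2019-03-06T02:20:10Z auth FAIL user=asmith src=203.0.113.9
2019-03-06T02:20:15Z auth FAIL user=asmith src=203.0.113.9
2019-03-06T02:20:20Z auth FAIL user=asmith src=203.0.113.9
2019-03-06T03:00:00Z auth FAIL user=gpatel src=192.0.2.44
2019-03-06T03:00:03Z auth OK user=gpatel src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_password_spray(log_text, window=timedelta(minutes=30),
                          min_distinct_users=5, max_failures_per_user=2):
    """Flag sources that fail against many distinct accounts within `window` while
    staying below the per-account lockout threshold (the spray pattern), and list
    any account that afterwards authenticated successfully from the same source."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (fails if e["result"] == "FAIL" else successes)[e["src"]].append(e)

    alerts = []
    for src in sorted(fails):
        attempts, start = fails[src], 0
        for end in range(len(attempts)):
            # slide the window so attempts[start:end+1] spans at most `window`
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for a in attempts[start:end + 1]:
                per_user[a["user"]] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_failures_per_user):
                window_start = attempts[start]["ts"]
                alerts.append({
                    "src": src,
                    "window_start": window_start.isoformat(),
                    "distinct_users": len(per_user),
                    # accounts that later logged in from the spraying source are the
                    # likely weak-password hits and the first ones to reset
                    "successes_after": sorted({s["user"] for s in successes[src]
                                               if s["ts"] >= window_start}),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

The per-user cap is what separates a spray from a brute-force attempt: the single-account hammering from 203.0.113.9 trips ordinary lockout logic and is not reported here, while the low-and-slow spread across five accounts from 198.51.100.7 is, together with the one account that then succeeded. In a real deployment the source key would usually be widened to the ASN or the VPN gateway, since sprays are often spread across many addresses.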
Brock Donnelly says
This from Citrix, how unexpected? I would expect that a company such as Citrix, with high profile clients like the FBI and NASA, would have better auditing procedures to protect against weak passwords. However, IRIDIUM has been around for a long time. Just last year they hacked the Australian Parliament. The web credits them with having high proprietary skills in exceeding 2FA and SSO. I only knew them as a software cracking group; oh how we grow.
Oby Okereke says
Errata:
Citrix discloses security breach of internal network
__________________________________________________________________________________________________
The correct date should read March 6, 2019 and not March 9, 2019 as previously stated in my post. Thus, on March 6, 2019 the FBI contacted Citrix to advise that they had reason to believe international cyber criminals had gained access to the internal Citrix network.
Ahmed A. Alkaysi says
This is extremely worrying as many organizations use Citrix to provide VPN access to their employees. If I were a client of Citrix, I would take a hard look at the relationship. This is why the need to audit, getting SOC 1 & 2 reports, and evaluating a third party's information security controls are extremely important. These should all be part of the contract signed with Citrix. I am not sure whether IRIDIUM is a nation-state group or just a collection of cyber criminals, but high profile organizations should always be aware that they are a target, and that they may get attacked from any avenue.
Brock Donnelly says
https://thehackernews.com/2019/06/komodo-agama-wallet-hacking.html
Cryptocurrency Firm Itself Hacked Its Customers to Protect Their Funds From Hackers
Hacking your own customers may sound like a horrible way to stay in their good graces, but this hack was in their best interest. The company Komodo discovered their wallet Agama had a vulnerability. The bug was created intentionally to target the Komodo Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.
The update contained malicious code that stored all seed phrases on a public server. The hacker saved the seed phrases on a public server to obscure his/her identity and to create a scenario where anyone could be a suspect when the vulnerability was finally exploited.
The malicious code was discovered by npm (https://www.npmjs.com/) and they notified Komodo quickly. How did Komodo decide they could best protect their customers and their blockchain? They transferred, without authorization, nearly 8 million KMD and 96 Bitcoins from their cryptocurrency wallets to a new address owned by the company. They used the hacker's backdoor against their own users to preserve their accounts.
However, if you have logged into any version of Agama downloaded from Komodo, Android or iOS after April 13, 2019, it’s likely you’ve had your wallet credentials stolen.
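The attack Brock describes only lands because an update to a module the wallet already depended on could flow in without anyone deciding to take it. The defensive counterpart is to make every dependency version an explicit, reviewable decision: exact version pins in package.json and a lockfile whose entries each carry a `resolved` URL and an `integrity` hash, so that a changed upstream tarball fails to install. As an added example (not Komodo's code and not the Agama project's files), here is a Python checker a maintainer could run in CI over those two files. The manifests, package names, registry URL and hash values are constructed placeholders.

```python
import json
import re

# Constructed sample manifests; package names, URLs and hashes are placeholders.
PACKAGE_JSON = json.dumps({
    "name": "example-wallet-app",
    "dependencies": {
        "example-notify-lib": "^1.1.0",    # caret range: any 1.x.y update is accepted
        "example-crypto-utils": "2.4.1",   # exact pin
        "example-ui-kit": "*",             # anything at all
    },
})

# lockfileVersion 1 layout: a nested "dependencies" tree
PACKAGE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "example-notify-lib": {"version": "1.1.6",
                               "resolved": "https://registry.example.invalid/example-notify-lib-1.1.6.tgz"},
        "example-crypto-utils": {"version": "2.4.1",
                                 "resolved": "https://registry.example.invalid/example-crypto-utils-2.4.1.tgz",
                                 "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-1"},
        "example-ui-kit": {"version": "0.9.0",
                           "resolved": "https://registry.example.invalid/example-ui-kit-0.9.0.tgz",
                           "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-2"},
    },
})

# lockfileVersion 2/3 layout: a flat "packages" map keyed by install path
PACKAGE_LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-wallet-app"},
        "node_modules/example-notify-lib": {"version": "1.1.6",
                                            "resolved": "https://registry.example.invalid/example-notify-lib-1.1.6.tgz"},
        "node_modules/example-crypto-utils": {"version": "2.4.1",
                                              "resolved": "https://registry.example.invalid/example-crypto-utils-2.4.1.tgz",
                                              "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-1"},
        "node_modules/example-ui-kit": {"version": "0.9.0",
                                        "resolved": "https://registry.example.invalid/example-ui-kit-0.9.0.tgz",
                                        "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-2"},
    },
})

# An exact semver pin, optionally with a prerelease tag; anything else can float.
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def floating_ranges(package_json_text):
    """Return {name: spec} for every dependency whose spec is not an exact pin."""
    pkg = json.loads(package_json_text)
    flagged = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not PINNED_RE.match(spec):
                flagged[name] = spec
    return flagged


def lock_entries(lock_text):
    """Flatten either lockfile layout into {package name: metadata}."""
    lock = json.loads(lock_text)
    entries = {}
    if "packages" in lock:                      # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if path == "":                      # the root project itself
                continue
            entries[path.rsplit("node_modules/", 1)[-1]] = meta
    else:                                       # lockfileVersion 1
        def walk(tree):
            for name, meta in tree.items():
                entries[name] = meta            # same name at two depths: last one wins
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return entries


def unverifiable_lock_entries(lock_text):
    """Return {name: [missing fields]} for entries without a resolved URL or integrity hash."""
    missing = {}
    for name, meta in lock_entries(lock_text).items():
        gaps = [field for field in ("resolved", "integrity") if not meta.get(field)]
        if gaps:
            missing[name] = gaps
    return missing


if __name__ == "__main__":
    print("floating ranges:", floating_ranges(PACKAGE_JSON))
    print("unverifiable (v1):", unverifiable_lock_entries(PACKAGE_LOCK_V1))
    print("unverifiable (v3):", unverifiable_lock_entries(PACKAGE_LOCK_V3))
```

Both checks point at the same placeholder module: it is allowed to float in package.json and its lock entry has no integrity hash, so a new upstream release would install silently. Fixing both means that the only way a new version of that module reaches a build is a lockfile diff that a reviewer sees.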
Elizabeth V Calise says
Hi Brock,
I like the take on this article. I think it is quite effective if a company attempts to hack themselves. I think the cyber security teams learn more. Instead of being on the defense side, you are now on the attacking side. Now, employees are trying to penetrate the company’s systems as best as they can. If they are not successful, they either have a good defense up or are bad hackers. If they do break into the systems, it is better to have your own employees do it than an actual attacker trying to steal the company’s data. The employees have the opportunity to learn the weaknesses and address them vs. having to understand the weakness last minute after an attack has already occurred.
Scott Radaszkiewicz says
Hacker Discloses Second Zero-Day to Bypass Patch for Windows EoP Flaw
https://thehackernews.com/2019/06/windows-eop-exploit.html
In summary, an anonymous security research group named SandboxEscaper shared another zero-day exploit in Windows 10. The flaw will not allow access to a Windows 10 system, but if a hacker has already gained a foothold in the system, it could use this flaw to escalate its privileges, if it hasn’t already done so. The interesting thing about this flaw is that the same group released a similar flaw two weeks ago, which Microsoft promptly released a patch for. Well, this is go-around two, and the hacking group says they have hacked the patch that Microsoft released to fix the original flaw, producing the same results.
Brock Donnelly says
Ha, this research group is quite the thorn in the side of Microsoft. Just when you think you fixed the dam, these pesky beavers show up and unravel all your hard work. Time to shoot the beavers or, in Microsoft's case, stop allowing a band-aid to fix your problems when you need a hospital. Someone at Microsoft is having a rough night's sleep by the hand of SandboxEscaper.
Scott Radaszkiewicz says
I agree with you, but ethical hackers, assuming SandboxEscaper is one, really do help shed a light on issues. It must be hard to be Microsoft, the big kid on the block, who everyone wants to take down. I think it’s just the hand we are dealt. Computers, being what they are, will never be completely secure. The more we develop them, the weaker they become!
Sheena L. Thomas says
I haven’t found any recent “identities were compromised to provide access” breaches in my search. Although, I know some have occurred. However, I found an older breach that affected eBay customers and employees in 2014. The hackers stole credentials of three employees to gain unauthorized access to eBay's network and the systems that reside on it. eBay notified its customers and employees to change their passwords. The hackers had access to their systems for 229 days. The company is not sure how the users’ credentials were stolen; I am thinking it could have been from a possible phishing email. However, the company never exposed how the credentials were hacked, so I am assuming it was phishing or malware. This is the reason I will continue to scream that most companies need to implement multi-factor authentication.
https://money.cnn.com/2014/05/21/technology/security/ebay-passwords/index.html
Dima Dabbas says
Sheena,
The shocking part is that it doesn’t require much to be able to get access to networks and systems. Stealing the credentials of three employees gave the attackers the power to access eBay’s networks and systems. I agree with you, Sheena, in that organizations need to start considering and implementing better security procedures like multi-factor authentication. This will at least make it more difficult for attackers to gain access to other user accounts.
Dima Dabbas says
Fortnite Flaw Put Millions of Players at Risk, Researchers Say
https://www.bloomberg.com/news/articles/2019-01-16/fortnite-flaw-put-millions-of-players-at-risk-say-researchers
This article discusses how Fortnite put the accounts of millions of users at risk of a malicious attack. Fortnite is an online video game where players create battle arenas and purchase costumes and weapons for these arenas. The vulnerability that was discovered in the authentication process allowed attackers to send players phishing emails that contained links, which when clicked would give the attackers access to the user account. This enabled attackers to purchase virtual currency and game equipment that could be transferred to the attacker’s account and then resold. This vulnerability in the authentication process also enabled attackers to gain access to the conversations that players had with other players. Again, this arises from the issue that users are not well educated about security and privacy. This vulnerability was resolved by Epic Games, as well as emailing users to make sure they use strong passwords and that they never share their passwords with anyone.
Brock Donnelly says
The ultimate weakness here likely resides in the parents of young children far too young for the ESRB rating for Fortnite. Even searching the web for the average age of a Fortnite player reveals lists from eighteen and up. The education that you mentioned would have to go to parents of children in age groups six to fifteen. In order to get underage children to play the hottest game, fueled by peer pressure, parents create an “adult profile” for their children. In most cases they set up the account with their own birthday, in case of account recovery. The password they create needs to be easy so their kids can remember it. Afterward they just hand the controller over to their children and walk out of the room. The human lemmings with no care for strength in security are the high reason for the Fortnite hack. Should someone else be responsible for monetary loss when the end user is at fault? I don’t think so; what do you think?
Oby Okereke says
I find this a bit troubling, being that young children are unduly exposed. This really makes me wonder about the effectiveness of code reviews. The most troubling part of this attack is “the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details”. A massive invasion of privacy, and whose credit cards are exposed? Obviously not the people playing the games.
Rommel R. Miro says
https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/
A lot of 2FA relies on the SMS or text messaging portion for users to provide the secondary identity. In the article above, the author’s SIM card was compromised in such a way that another entity took control of it and basically performed a man-in-the-middle attack by intercepting the text messages for authentication. Since other apps also used the same compromised number for 2FA, those accounts were also compromised. The data in the compromised account’s drive opened more avenues for other attacks, including financial breaches.
Scott Radaszkiewicz says
Wow, now that’s some real high level planning to hack a user's account. I think the real moral of the story is that if they really want to get into your account, and they know what they are doing, they are going to get into it. Multi-factor authentication, like most security defense plans, is a deterrent to hacking. These measures keep out the “script kiddies” who are trying to hack your system and don’t know anything. But add in a determined hacker, or state agents comprised of a team, and the game changes. If someone has nothing but time and is focused in on a target, eventually it will happen.
Frederic D Rohrer says
Mel, thanks for the story. I have seen this attack carried out with a prominent target. They later described how someone had called Verizon on their behalf and convinced them to send another SIM.
A member of my immediate family has been targeted the same way. In their case the first indication was that the SIM stopped working. We noticed no reception even standing next to an antenna. This is usually a dead giveaway that the SIM was cloned, as the carrier cannot authenticate two SIMs simultaneously. Luckily my family got the money back very quickly.
You can call your carrier and request to not allow any SIM copy attempts.
Ahmed A. Alkaysi says
According to Oregon’s Department of Human Services (DHS), Private Health Information (PHI) of approximately 645,000 people was compromised due to a phishing attack. The article describes how 9 employees opened the phishing emails and clicked on the link embedded in the email. Clicking the link compromised their email boxes, which contained almost 2 million emails. Some of the PHI included names, addresses, social security numbers, case numbers, and other sensitive information. Currently, the department has hired an agency called IDExperts to conduct a forensics review and contact those that were affected.
This attack shows why phishing training should be mandatory across all organizations. Although the training would not stop the compromise if a user clicked on the link, it would still be a preventative control that has the potential to reduce the number of users clicking on the link and ultimately the impact of this incident.
https://kobi5.com/news/oregon-dhs-data-on-oregon-dhs-data-on-about-645000-people-compromised-645000-people-compromised-104502/
Scott Radaszkiewicz says
No target is too big or too small for hackers. And I agree with the mandatory phishing training for all staff. The weakest link in your defense, as we all know, is the employee. You can build the strongest defense to protect your assets, but one employee with one click of a button, and it’s all undone.
Oby Okereke says
What I find nonetheless pathetic is the attack vector used for this attack. People will always remain the weakest link. Phishing scams have been around forever and, as most people will agree with me, most successful large-scheme attacks will almost always leverage an easy attack method, and it will always fail.
How much Security Awareness Training is really going to be enough to deal a final blow to this genre of hacking attacks? I ran into this security awareness training provider, https://www.knowbe4.com/, which I think is pretty good based on the Gartner reviews, almost 5 stars. However, time will tell whether security awareness training will completely eliminate users being used to launch attacks due to sheer negligence and, should I say, lack of knowledge.
Elizabeth V Calise says
Oby – to your question, I think people (employees) will always be a weakness, especially for large organizations of more than 100,000 employees. Training can be effective only as much as the employee cares. I have seen employees breeze by training just because they want to get it out of the way and return to their project or assignment. Security awareness training should include quizzes or tests so that the employees are required to pay attention. Even with top-notch training and full attention, someone is bound to make a mistake and click the link in that email.
In my opinion, human error is impossible to avoid.
Oby Okereke says
Elizabeth,
Certainly, to quote you, “human error is impossible to avoid”. Perhaps if there are repercussions tied to such negligence on the part of employees, employees will then pay more attention to the importance of completing and practicing lessons garnered from security awareness training, as well as being good stewards of their organization's security program in its entirety.
Brock Donnelly says
I agree that phishing training should be mandatory, but how does someone ensure that it works? Do you create a low-tolerance offense tracker and reinforce training? For how long? In some of the environments that I have worked in, no amount of training could help some users. I guess until we master learning or quantum computers, training is all we have.
Ahmed A. Alkaysi says
I think training definitely works to an extent. Will it ensure that everyone taking the training will be able to avoid such attacks in the future? Most likely not. However, from personal experience and seeing it done at large enterprises, running mock phishing campaigns throughout the company forces employees to remain cognizant of the dangers involved. If an employee clicks on the phishing link, they would be forced to take additional training. At least in my organization, it has come to the point where many employees are paranoid about every external email and have started to tag legitimate emails as phish.
Elizabeth V Calise says
I could not find an article for 2019, but did find one not far back in 2018.
Last year, T-Mobile announced that they were breached and personal data of around 2 million customers was stolen. The leaked data consisted of usernames, billing zip codes, phone numbers, email addresses, and account numbers. It also included information on whether the customers had prepaid or postpaid accounts.
The company’s cyber security team reported that it “discovered and shut down an unauthorized capture of some information.” Details were not provided, like whether it was a man-in-the-middle attack, data stolen from a database or log files, or if someone had inappropriate privileged access. The word “unauthorized” in their statement can imply that a threat actor did not have authorization to collect the privileged data to begin with.
This can be an example of a privileged attack based on poor identity and privilege management.
https://www.beyondtrust.com/blog/entry/the-5-most-cringe-worthy-privileged-data-breaches-of-2018
Jonathan Duani says
I am actually surprised that nobody wrote about this. I think this is an amazing example illustrating what the post really talks about. I know that at this point it was a little over 5 years ago; however, the lessons that were learned during this breach really changed the cyber climate in the commerce space. The Target attack was over a period of multiple weeks, where attackers gained access to the POS system at Target using the credentials of an HVAC contractor. Once they were in the network, the system was lacking controls to keep the attacker there. They were able to jump through different networks until they were able to gain access to the POS system. From there they installed software that skimmed the credit cards of millions of users, saved it on their server and then uploaded it to an off-site location, all under the noses of Target security employees; even with multiple warnings going off, they were still ignored. I think this is one of the best websites I found on the subject, and it really illustrates and goes into detail on exactly what happened.
Source: https://www.angelkings.com/target-corporation
Oby Okereke says
Hi Jonathan:
Yes indeed, the Target attack ultimately addresses the article for the week. And you’re equally apt with regard to your statement about the website. The website did an awesome job with the breakdown of events, starting by describing what happened through to the takeaways from the attack.
The attackers stole the credentials from a third-party vendor, an HVAC company that provides services to Target. External persons or companies that provide services to an organization will always remain a huge risk factor because they present an unknown amount of risk that could adversely impact the contracting organization, as in this case Target. Thus, the need to qualify, quantify, track and mitigate third-party service organizations should be part of every organization’s security program.
Frederic D Rohrer says
Performance anxiety when it comes to Access Management and IAM-related attacks. Source: https://www.infosecurity-magazine.com/opinions/performance-anxiety-access-threats/
This article describes that many IT and Security leaders feel ill-equipped to deal with credential attacks. In an excerpt, they describe that only 35% of respondents registered significant confidence in their ability to stop access threats, and 61% said that they have little to modest confidence in the ability to do just that.
They felt least confident in three areas: defining app, data and resources access and protection requirements; enforcing user and device access policy; and provisioning, monitoring and enforcing BYoD and IoT device access.
BYOD seems to bring an increasing threat, as device walls are harder to define and private credentials become mixed in with company accounts.