Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Authentication. Show all posts
Technology
Authentication Cyber Defence Cyberhackers Cybersecurity Rubrik Security Alert Technology

Security Update from Rubrik as Authentication Keys Are Reissued

 


In a recent report, Rubrik revealed that, last month, an unauthorized security incident compromised one of its log file servers. Rubrik has taken immediate and proactive steps to mitigate potential risks in response to this breach. As part of its remediation efforts, Rubrik has begun rotating all exposed authentication keys, which are designed to prevent potential malicious actors from exploiting these keys. 

A precautionary measure is taken by the company as a precaution to safeguard its systems and make sure that unauthorized entities cannot use the compromised credentials to gain access to the systems. As a part of its efforts to enhance its resilience against future threats, the company is actively assessing its security posture in an attempt to maintain the highest cybersecurity standards. 

This corrective action will reinforce Rubrik's commitment to protecting its infrastructure and safeguarding the integrity of its data security framework by enabling it to implement these corrective actions swiftly. 

Rubrik’s Growth, Financial Success, and Security Measures 


The company was founded in 2014 as a backup and recovery provider but has since grown into a leading security and data protection company. In the fourth quarter of Rubrik's fiscal year, ending October 31, 2024, the company raised $725 million from its initial public offering. In this quarter, Rubrik reported revenues of $236.2 million, which indicated strong market growth, which was a key indicator of Rubrik's growth. 

A security breach in Rubrik occurred in 2023 when a zero-day vulnerability (CVE-2023-0669) in Fortra's GoAnywhere MFT software gave threat actors access to Rubrik's non-production testing environment, allowing them to access Rubrik's non-production IT testing environment. While the Cl0p ransomware group has taken responsibility for this, Rubrik continues to strengthen its cybersecurity framework, which ensures that customer data is protected and that threats are mitigated at an early stage, resulting in an ongoing cybersecurity framework. 

With the launch of advanced innovations, Rubrik has made a major contribution to strengthening the cyber resilience of cloud-based, SaaS, and on-premises environments. Continuing its commitment to strengthening cyber resilience, Rubrik (NYSE: RBRK) has unveiled a series of groundbreaking innovations designed to enhance data security across several cloud, software-as-a-service (SaaS), and on-premises infrastructures. 

In addition to these enhancements, there are enhancements specifically designed to empower organizations with higher levels of capability in anticipating security breaches, identifying emerging threats, and enacting rapid, efficient recovery, regardless of where the data is located. 

As part of Rubrik's annual Cyber Resilience Summit on March 5, this company will unveil its advanced data protection solutions that are set for release during the event. This will be the first time industry leaders and cybersecurity professionals will be able to gain insight into the company's latest advances in data protection technology. 

Rubrik’s Global Presence and Industry Impact 


In the field of cybersecurity, Rubrik is a world-class company that offers backup, recovery, and data protection services. The company has established itself as a trusted partner for businesses throughout the world thanks to its strong team of more than 3,000 people. With more than 22 global offices, the organization provides cutting-edge solutions to a variety of businesses. 

With over 6,000 clients, Rubrik serves a diverse array of companies and institutions across the globe, including leading global corporations such as AMD, Adobe, PepsiCo, Home Depot, Allstate, Sephora, GSK, Honda, Harvard University, and TrelliX, among others. In an increasingly digital landscape, Rubrik is constantly innovating and expanding its security capabilities, which strengthens the company's mission of providing robust, scalable, and intelligent cybersecurity solutions. 

Rubrik Investigates Security Incident Involving Log Server Compromise 


Earlier this week, Rubrik published a security alert detailing the discovery of unusual activity on a server that stored log files. According to Rubrik's Information Security Team, the incident was first identified by cybersecurity expert Kevin Beaumont, who first reported the findings to Rubrik. As soon as the team at Rubrik detected abnormal behavior on the affected server, it immediately took it offline to eliminate any potential risks that could have occurred. 

The investigation conducted by an independent forensic cybersecurity firm, in collaboration with a forensic investigator, has revealed that the event was limited to this single server. A company spokesperson confirmed that no evidence of unauthorized access to customer data or internal code by anyone was found.

Precautionary Measures and Security Enhancements 


While Rubrik admits that the breach was confined to its log server, some log files contained access information even though Rubrik's log server was the only point of vulnerability. The company appears to be taking proactive steps to protect its system against unauthorized access, such as rotating authentication keys. However, it remains unclear how the server was compromised and what information about access has been revealed. 

Cybersecurity Dive received a further reply from Rubrik, and the company responded that, at this time, there is no indication that the information exposed has been exploited. Furthermore, it has been discovered that no signs of threat actors gaining access to Rubrik's internal development environment or customer data have been identified during the ongoing investigation.

Past Security Incidents


Several years ago, Rubrik was one of the organizations affected by the Fortra GoAnywhere vulnerability in 2023, a large-scale data breach orchestrated by the Clop ransomware group. This is not the first time Rubrik has been the target of a security event. Fortra's managed file transfer software was exposed to a zero-day vulnerability during that attack, which resulted in data theft by multiple enterprises, including Rubrik, due to a zero-day vulnerability. 

While these incidents have occurred, the company continues to implement robust security measures to ensure its cyber resilience as well as ensure that its infrastructure is protected against evolving threats in the future. 

Rubrik Unveils Advanced Data Protection and Security Enhancements 


With a range of cutting-edge innovations, Rubrik offers unmatched security, resilience, and cyber threat mitigation capabilities for the protection of critical data: 

Cloud Posture Risk Management (CPR) is an automated service for discovering, inventorying, and protecting cloud data assets based on their cloud standards. 

Cloud Protection for Oracle: Enhances Rubrik Security Cloud (RSC) capability to help safeguard the Oracle Cloud Infrastructure (OCI) databases and the Oracle Cloud VMware Solution (OCVS) databases. 

The PostgreSQL Data Protection solution helps to protect data in one of the most widely used open-source databases through robust backup security. 

The Red Hat OpenShift Back Up service provides immutable, automated backups for environments running on the Kubernetes container engine. 

A great way to back up CI/CD environments with Azure DevOps and GitHub Backup is to use Resilient Backup & GitHub Backup. 

RCV (Rubrik Cloud Vault) for Amazon Web Services: Provides air-gapped, encrypted, as well as policy-driven preservation of files. 

Data protection is strengthened by Microsoft Dynamics 365 Security - protecting data both within the organization and from customers. 

Using Salesforce Sandbox Seeding ensures that data migration from live application environments to sandboxes is efficient and error-free. 

Recovering the identity of an individual is quick, easy and malware-free thanks to Active Directory Recovery (AD) and Entra ID recovery. 

An advanced security solution for Azure & AWS that combines anomaly detection, data classification, and threat monitoring for the most specific threats.

'Turbo Threat Hunting': Delivers a rapid malware free recovery, scanning 75,000 backup files in just 60 seconds to ensure data remains safe. 
Introducing Microsoft 365 Enterprise Edition, which offers Sensitive Data Discovery, Prioritized Recovery, and Threat Intelligence tools. 

These enhancements further reinforce Rubrik's commitment to supporting proactive cyber resilience by providing secure data protection. Rubrik's proactive responses to security incidents and ongoing research in data protection also reinforce this commitment. 

A company's ability to quickly address vulnerabilities and introduce advanced security solutions sets new standards for threat detection, rapid recovery, and intelligent data protection. As cyber threats continue to evolve, organizations must prioritize strong security strategies using cutting-edge technology such as Turbo Threat Hunting and Identity Recovery to ensure their customers are protected from threats. 

It is Rubrik's steadfast commitment to safeguarding enterprise data that enables businesses to navigate digital challenges with a degree of confidence, agility, and resilience that sets it apart.
Read more »
Yahoo
Astaroth Phishing Authentication Cyber Attacks CyberCrime Cybersecurity CyberThreat Dark Web Gmail PHaas Telegram URL Yahoo

2FA Under Attack as Astaroth Phishing Kit Spreads

 


Astaroth is the latest phishing tool discovered by cybercriminals. It has advanced capabilities that allow it to circumvent security measures such as two-factor authentication (2FA) when used against it. In January 2025, Astaroth made its public debut across multiple platforms, including Gmail, Yahoo, and Office 365, with sophisticated technologies such as session hijacking and real-time credentials interceptions, which compromise user accounts across multiple platforms. 

SlashNext researchers claim Astaroth makes use of a reverse proxy called an evilginx-style proxy to place itself between legitimate login pages and users. As a result, the tool is capable of intercepting and capturing sensitive credentials, such as usernames, passwords, 2FA tokens, and session cookies, without triggering security alerts, thereby making the tool effective. 

It has been demonstrated that attackers who have obtained these session cookies will be able to hijack authenticated sessions, bypass additional security protocols, and gain unauthorized access to user accounts once they have acquired these cookies. Astaroth demonstrates the evolution of cyber threats and the sophistication of phishing techniques that compromise online security. This development highlights how cybercriminals have been evolving their methods of phishing over the years.

Clearly, Astaroth highlights how cybercriminals' tactics have evolved over the last decade, as phishing has evolved into a lucrative business. The sophistication of sophisticated attacks has now reached a point where it is now marketed like commercial software products, with regular updates, customer support, and testing guarantees attached to them. 

The attacker can intercept real-time credentials and use reverse proxy techniques in order to hijack authenticated sessions in order to bypass even the most robust phishing defences, such as Multi Factor Authentication (MFA), which are designed to protect against phishing attacks. Due to the widespread availability of phishing kits such as Astaroth, which significantly reduces the barrier to entry, less experienced cybercriminals are now capable of conducting highly effective attacks given that the barriers to entry have been significantly lowered. 

The key to mitigating these threats is to adopt a comprehensive, multilayered security strategy that is both comprehensive and multifaceted. It must have a password manager, endpoint security controls, real-time threat monitoring, and ongoing employee training to ensure that employees are aware of cybersecurity threats in real time. 

As an additional consideration, implementing Privillege Access Management (PAM) is equally vital, since it prevents unauthorized access to critical systems, even if login credentials are compromised, through the use of PAM. Business owners remain vulnerable to increasingly sophisticated phishing techniques that can circumvent the traditional defenses of their organisations without appropriate proactive security measures. 

The Astaroth phishing kit has been developed to enable a more effective method of bypassing multi-factor authentication (MFA). By using an evilginx reverse proxy, it intercepts authentication processes in real time as they are happening. By using Astaroth, attackers will be able to steal authenticated sessions and hack them seamlessly with no technical knowledge. Astaroth is different from traditional phishing tools, which capture only static credentials; instead, it dynamically retrieves authorization tokens, 2FA tokens, and session cookies. This tool is a man-in-the-middle attack that renders conventional anti-phishing defenses and multi-factor authentication protections ineffective by acting as an intermediary. 

Discovered by SlashNext Threat Researchers on cybercrime marketplaces, Astaroth is marketed as a tool that can be used easily. It is a 2-in-1 solution that sells for $2000 and includes six months of continuous updates, which includes the newest bypass techniques, as well as pre-purchase testing to demonstrate its effectiveness in real-world attacks if the buyer wants to establish credibility within cybercriminal networks. There is no doubt that the sophistication of phishing kits such as Astaroth, as well as the implementation of behaviour-based authentication, endpoint security controls, and continuous threat monitoring, are critical to organizations in order to defend themselves from these ever-evolving cyber threats that are continually evolving. 

As a means of expanding the company's customer base, Astaroth's developers have publicly revealed the methodologies they use to bypass security measures, such as reCAPTCHA or BotGuard, as a way of demonstrating the kit's effectiveness at circumventing automatic security measures. Cybercriminals in cybercrime forums and underground marketplaces are actively promoting Astaroth among their communities and are primarily distributing it through Telegram, leading to its widespread adoption among cybercriminals world-wide. 

There are several advantages to using these platforms, the most important of which is their accessibility, along with the anonymity they provide. This makes monitoring, tracking, and disrupting the sale and distribution of phishing kits very challenging for law enforcement agencies. There is a particular application known as Telegram which is commonly used by cybercriminals to communicate and to distribute their illicit activities due to its end-to-end encryption, private groups, and minimal oversight. This makes it very difficult for law enforcement to trace illicit activities on Telegram. 

It may not only facilitate the proliferation of Astaroth on the dark web, but also on underground marketplaces - both of which allow threat actors to engage in peer-to-peer transactions without disclosing their identities to each other. The fact that these platforms are decentralized, along with the fact that cryptocurrency payments are used in conjunction with them, adds more layers of protection for cybercriminals, making it even more difficult for authorities to take enforcement action against them. Astaroth continue to be embraced by cybercriminal communities and is lowering the barrier to entry for less-experienced attackers, which in turn is promoting phishing-as-a-service (PhaaS) models which are becoming more prevalent as a consequence. 

Due to the complexities posed by sophisticated phishing kits like Astaroth, security professionals emphasize the need for proactive security measures, which include real-time threat intelligence, endpoint detection, and multi-layered authentication strategies, as well as real-time threat intelligence. Aside from offering custom hosting solutions, Astaroth also offers bulletproof hosting, which will make Astaroth more resilient against legal authorities’ efforts to take down its websites. 

Cybercriminals are able to conduct attacks with minimal disruption in jurisdictions with weak regulatory oversight when using the phishing kit since it operates in jurisdictions that lack regulatory oversight. As a Field CTO of SlashNext, J Stephen Kowski believes that the emergence of Astaroth with regards to authentication is one of the most important implication that could be borne out by the fact that even the most robust authentication systems can be compromised if the attackers obtain the two-factor authentication (2FA) codes and session information during the authentication process in real time. 

Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, has emphasized the sophistication and severity of the Astaroth phishing kit. According to Richards, this phishing kit demonstrates an advanced level of complexity, making it increasingly difficult for users to identify and avoid such attacks. "Traditional security awareness training often instructs users to recognize phishing attempts by looking for red flags such as suspicious URLs, grammatical errors, or lack of SSL certification. 

However, Astaroth’s highly sophisticated approach significantly reduces these indicators, making detection far more challenging," Richards stated. Furthermore, the infrastructure supporting these attacks is often hosted by providers that do not cooperate with law enforcement agencies, complicating efforts to dismantle these operations. In response to this growing threat, the United States and several European nations have imposed sanctions on countries that provide bulletproof hosting services, which are frequently exploited by cybercriminals to evade legal action. 

Richards advises users to exercise extreme caution when receiving emails that appear to originate from legitimate organizations and contain urgent requests for immediate action. Rather than clicking on embedded links, users should manually navigate to the official website to verify the authenticity of any alerts or account-related issues. This proactive approach is essential in mitigating the risks posed by advanced phishing campaigns like Astaroth. 

Organizations must implement advanced security measures beyond traditional login protections in order to protect themselves from these threats. According to Thomas Richards, a Principal Consultant and Network and Red Team Practice Director for Black Duck, a Burlington-based company that provides applications security solutions, Astaroth's phishing kit is sophisticated and quite severe. As Richards points out, this phishing kit shows a remarkable degree of complexity, which makes it increasingly difficult for users to identify and avoid attacks such as these as they run across them. 

It has always been taught to users during traditional security awareness training to look for red flags, such as suspicious URLs, grammatical errors, or a lack of SSL certification, so they can identify phishing attempts. Although these indicators are largely reduced by Astaroth's highly sophisticated approach, Richards noted that the detection of them is much more challenging as a result. The infrastructure that supports these malicious attacks is typically hosted by providers who do not cooperate with law enforcement agencies, which complicates the process of dismantling these attacks.

Several European countries and the United States have increased sanctions in response to its growing threat, increasing the chance that these countries (including the United States) will use defenseless host hosting services, which are regularly exploited by cybercriminals to avoid legal action and avoid repercussions for their crimes. 

The American scientist Richards urges users to exercise extreme caution if they receive an email that appears to be coming from a legitimate organization and contains urgent requests for action that need to be taken immediately. As a precaution, users should not click on embedded links in emails, but instead should visit the official site to verify the authenticity of any alerts they receive or account-related issues. Taking a proactive approach effectively mitigates the threats posed by advanced phishing campaigns such as Astaroth.
Read more »
Indian Government
Aadhar Card Aadhar Security Authentication Biometric data Cyber Security data security Indian Government

India Expands Aadhaar Authentication, Allowing Private Sector Access to Biometric Data

 

The Indian government has introduced significant changes to its Aadhaar authentication system, expanding its use to a wider range of industries. Previously restricted to sectors like banking, telecommunications, and public utilities, Aadhaar verification will now be available to businesses in healthcare, travel, hospitality, and e-commerce. Officials claim this change will enhance service efficiency and security, but privacy advocates have raised concerns about potential misuse of biometric data. 

On January 31, the Ministry of Electronics and Information Technology (MeitY) announced revisions to the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2025. These amendments allow both public and private organizations to integrate Aadhaar-based authentication into their operations, provided their services align with the public interest. The government states that this update is designed to improve identity verification processes and ensure smoother service delivery across various sectors.  

One major change in the updated framework is the removal of a rule that previously linked Aadhaar authentication to preventing financial fraud. This revision broadens the scope of verification, allowing more businesses to use Aadhaar data for customer identification. The Unique Identification Authority of India (UIDAI), the agency overseeing Aadhaar, will continue to manage the authentication system. The scale of Aadhaar’s use has grown significantly. 

Government records indicate that Aadhaar authentication was conducted in nearly 130 billion transactions by January 2025, a sharp increase from just over 109 billion transactions the previous year. With the new regulations, companies wishing to adopt Aadhaar authentication must submit detailed applications outlining their intended use. These requests will be reviewed by the relevant government department and UIDAI before receiving approval. Despite the government’s assurance that all applications will undergo strict scrutiny, critics argue that the review process lacks clarity. 

Kamesh Shekar, a policy expert at The Dialogue, a technology-focused think tank, has called for more transparency regarding the criteria used to assess these requests. He pointed out that the Supreme Court has previously raised concerns about potential misuse of Aadhaar data. These concerns stem from past legal challenges to Aadhaar’s use. In 2018, the Supreme Court struck down Section 57 of the Aadhaar Act, which had previously allowed private entities to use Aadhaar for identity verification. 

A later amendment in 2019 permitted voluntary authentication, but that provision remains contested in court. Now, with an even broader scope for Aadhaar verification, experts worry that insufficient safeguards could put citizens’ biometric data at risk. While the expansion of Aadhaar authentication is expected to simplify verification for businesses and consumers, the ongoing debate over privacy and data security underscores the need for stricter oversight. 

As Aadhaar continues to evolve, ensuring a balance between convenience and personal data protection will be crucial.
Read more »
Privacy
Authentication CyberCrime Cybersecurity CyberThreat Hackers MFA Privacy

The Evolving Role of Multi-Factor Authentication in Cybersecurity

 


In recent years, the cybersecurity landscape has faced an unprecedented wave of threats. State-sponsored cybercriminals and less experienced attackers armed with sophisticated tools from the dark web are relentlessly targeting weak links in global cybersecurity systems. End users, often the most vulnerable element in the security chain, are frequently exploited. As cyber threats grow increasingly sophisticated, multi-factor authentication (MFA) has emerged as a critical tool to address the limitations of password-based security systems.

The Importance of MFA in Modern Cybersecurity

Passwords, while convenient, have proven insufficient to protect against unauthorized access. MFA significantly enhances account security by adding an extra layer of protection, preventing account compromise even when login credentials are stolen. According to a Microsoft study, MFA can block 99.9% of account compromise attacks. By requiring multiple forms of verification—such as passwords, biometrics, or device-based authentication—MFA creates significant barriers for hackers, making unauthorized access extremely difficult.

Regulations and industry standards are also driving the adoption of MFA. Organizations are increasingly required to implement MFA to safeguard sensitive data and comply with security protocols. As a cornerstone of modern cybersecurity strategies, MFA has proven effective in protecting against breaches, ensuring the integrity of digital ecosystems, and fostering trust in organizational security frameworks.

However, as cyber threats evolve, traditional MFA systems are becoming increasingly inadequate. Many legacy MFA systems rely on outdated technology, making them vulnerable to phishing attacks, ransomware campaigns, and sophisticated exploits. The advent of generative AI tools has further exacerbated the situation, enabling attackers to create highly convincing phishing campaigns, automate complex exploits, and identify security gaps in real-time.

Users are also growing frustrated with cumbersome and inconsistent authentication processes, which undermine adherence to security protocols and erode organizational defenses. This situation underscores the urgent need for a reevaluation of security strategies and the adoption of more robust, adaptive measures.

The Role of AI in Phishing and MFA Vulnerabilities

Artificial intelligence (AI) has become a double-edged sword in cybersecurity. While it offers powerful tools for enhancing security, it also poses significant threats when misused by cybercriminals. AI-driven phishing attacks, for instance, are now virtually indistinguishable from legitimate communications. Traditional phishing indicators—such as typographical errors, excessive urgency, and implausible offers—are often absent in these attacks.

AI enables attackers to craft emails and messages that appear authentic, cleverly designed to deceive even well-trained users. Beyond mere imitation, AI systems can analyze corporate communication patterns and replicate them with remarkable accuracy. Chatbots powered by AI can interact with users in real-time, while deepfake technologies allow cybercriminals to impersonate trusted individuals with unprecedented ease. These advancements have transformed phishing from a crude practice into a precise, calculated science.

Outdated MFA systems are particularly vulnerable to these AI-driven attacks, exposing organizations to large-scale, highly successful campaigns. As generative AI continues to evolve at an exponential rate, the potential for misuse highlights the urgent need for robust, adaptive security measures.

Comprehensive Multi-Factor Authentication: A Closer Look

Multi-Factor Authentication (MFA) remains a cornerstone of cybersecurity, utilizing multiple verification steps to ensure that only authorized users gain access to systems or data. By incorporating layers of authentication, MFA significantly enhances security against evolving cyber threats. The process typically begins with the user providing credentials, such as a username and password. Once verified, an additional layer of authentication—such as a one-time password (OTP), biometric input, or other pre-set methods—is required. Access is only granted after all factors are successfully confirmed.

Key forms of MFA authentication include:

  1. Knowledge-Based Authentication: This involves information known only to the user, such as passwords or PINs. While widely used, these methods are vulnerable to phishing and social engineering attacks.
  2. Possession-Based Authentication: This requires the user to possess a physical item, such as a smartphone with an authentication app, a smart card, or a security token. These devices often generate temporary codes that must be used in combination with a password.
  3. Biometric Authentication: This verifies a user's identity through unique physical traits, such as fingerprints or facial recognition, adding an extra layer of security and personalization.
  4. Location-Based Authentication: This uses GPS data or IP addresses to determine the user's geographical location, restricting access to trusted or authorized areas.
  5. Behavioral Biometrics: This tracks and monitors unique user behaviors, such as typing speed, voice characteristics, or walking patterns, providing an adaptive layer of security.

The combination of these diverse approaches creates a robust defense against unauthorized access, ensuring superior protection against increasingly sophisticated cyberattacks. As organizations strive to safeguard sensitive data and maintain security, the integration of comprehensive MFA solutions is essential.

The cybersecurity landscape is evolving rapidly, with AI-driven threats posing new challenges to traditional security measures like MFA. While MFA remains a critical tool for enhancing security, its effectiveness depends on the adoption of modern, adaptive solutions that can counter sophisticated attacks. By integrating advanced MFA methods and staying vigilant against emerging threats, organizations can better protect their systems and data in an increasingly complex digital environment.

Read more »
SMTP servers
Authentication Cyber Security Cyber Threats Cybersecurity Dark Web Data Privacy email encryption email security Malware Distribution Phishing Attacks SMTP servers

New SMTP Cracking Tool for 2024 Sold on Dark Web Sparks Email Security Alarm

 

A new method targeting SMTP (Simple Mail Transfer Protocol) servers, specifically updated for 2024, has surfaced for sale on the dark web, sparking significant concerns about email security and data privacy.

This cracking technique is engineered to bypass protective measures, enabling unauthorized access to email servers. Such breaches risk compromising personal, business, and government communications.

The availability of this tool showcases the growing sophistication of cybercriminals and their ability to exploit weaknesses in email defenses. Unauthorized access to SMTP servers not only exposes private correspondence but also facilitates phishing, spam campaigns, and cyber-espionage.

Experts caution that widespread use of this method could result in increased phishing attacks, credential theft, and malware distribution. "Organizations and individuals must prioritize strengthening email security protocols, implementing strong authentication, and closely monitoring for unusual server activity," they advise.

Mitigating these risks requires consistent updates to security patches, enforcing multi-factor authentication, and using email encryption. The emergence of this dark web listing highlights the ongoing threats cybercriminals pose to critical communication systems.

As attackers continue to innovate, the cybersecurity community emphasizes vigilance and proactive defense strategies to safeguard sensitive information. This development underscores the urgent need for robust email security measures in the face of evolving cyber threats.
Read more »
Windows
Authentication CVE-2024-8260 Cyber Security NTLM OPA Patch relay Tenable Vulnerability Windows

Critical Flaw in Open Policy Agent Exposed NTLM Credentials, Patch Released

 

A now-resolved security vulnerability in Styra's Open Policy Agent (OPA) could have exposed New Technology LAN Manager (NTLM) hashes, potentially leading to credential leakage. If exploited, the flaw allowed attackers to capture the NTLM credentials of the OPA server’s local user account and send them to a remote server. From there, they could either crack the password or relay the authentication, according to a report by cybersecurity firm Tenable, shared with The Hacker News.

The vulnerability, identified as CVE-2024-8260 and classified as a Server Message Block (SMB) force-authentication flaw, affected both the Command Line Interface (CLI) and the Go software development kit (SDK) on Windows. The issue arose from improper input validation, enabling unauthorized access by leaking the Net-NTLMv2 hash of the logged-in user on the Windows device running OPA.

Exploiting this vulnerability required specific conditions: the victim had to initiate outbound SMB traffic over port 445, gain an initial foothold through social engineering, or run the OPA CLI using a Universal Naming Convention (UNC) path rather than a Rego rule file.

Tenable security researcher Shelly Raban explained that when a Windows machine accesses a remote share, it sends the NTLM hash of the local user to authenticate to the remote server. Attackers can capture these credentials to perform relay attacks or crack the password offline. Following the responsible disclosure in June 2024, the issue was patched in version 0.68.0, released on August 29, 2024.

Tenable emphasized the importance of securing open-source projects to avoid exposing vendors and users to potential threats. The disclosure of this vulnerability coincides with Akamai's revelation of a privilege escalation flaw (CVE-2024-43532) in Microsoft's Remote Registry Service, which also involved NTLM relay attacks.

Microsoft, in response to NTLM vulnerabilities, reiterated its commitment to replace NTLM with Kerberos in Windows 11 to enhance authentication security.
Read more »
Threat Detection
2024 Authentication Cyber Fraud CyberCrime Cybersecurity Mamba 2FA MFA phishing phishing-as-a-service SEKOIA Telegram Threat Detection

Mamba 2FA Emerges as a New Threat in Phishing Landscape

 

In the ever-changing landscape of phishing attacks, a new threat has emerged: Mamba 2FA. Discovered in late May 2024 by the Threat Detection & Research (TDR) team at Sekoia, this adversary-in-the-middle (AiTM) phishing kit specifically targets multi-factor authentication (MFA) systems. Mamba 2FA has rapidly gained popularity in the phishing-as-a-service (PhaaS) market, facilitating attackers in circumventing non-phishing-resistant MFA methods such as one-time passwords and app notifications.

Initially detected during a phishing campaign that imitated Microsoft 365 login pages, Mamba 2FA functions by relaying MFA credentials through phishing sites, utilizing the Socket.IO JavaScript library to communicate with a backend server. According to Sekoia's report, “At first, these characteristics appeared similar to the Tycoon 2FA phishing-as-a-service platform, but a closer examination revealed that the campaign utilized a previously unknown AiTM phishing kit tracked by Sekoia as Mamba 2FA.” 

The infrastructure of Mamba 2FA has been observed targeting Entra ID, third-party single sign-on providers, and consumer Microsoft accounts, with stolen credentials transmitted directly to attackers via Telegram for near-instant access to compromised accounts.

A notable feature of Mamba 2FA is its capacity to adapt to its targets dynamically. For instance, in cases involving enterprise accounts, the phishing page can mirror an organization’s specific branding, including logos and background images, enhancing the believability of the attack. The report noted, “For enterprise accounts, it dynamically reflects the organization’s custom login page branding.”

Mamba 2FA goes beyond simple MFA interception, handling various MFA methods and updating the phishing page based on user interactions. This flexibility makes it an appealing tool for cybercriminals aiming to exploit even the most advanced MFA implementations.

Available on Telegram for $250 per month, Mamba 2FA is accessible to a broad range of attackers. Users can generate phishing links and HTML attachments on demand, with the infrastructure shared among multiple users. Since its active promotion began in March 2024, the kit's ongoing development highlights a persistent threat in the cybersecurity landscape.

Research from Sekoia underscores the kit’s rapid evolution: “The phishing kit and its associated infrastructure have undergone several significant updates.” With its relay servers hosted on commercial proxy services, Mamba 2FA effectively conceals its true infrastructure, thereby minimizing the likelihood of detection.

Read more »
Vulnerabilities and Exploits
Authentication Data Management Ivanti Security Updates Vulnerabilities and Exploits

Critical Security Flaw Discovered in Ivanti Virtual Traffic Manager


 

Ivanti, a leading company in network and security solutions, has issued urgent security updates to address a critical vulnerability in its Virtual Traffic Manager (vTM). The flaw, identified as CVE-2024-7593, carries an alarming severity with a CVSS score of 9.8 out of 10, signalling its potential risk to users.

Authentication Bypass Could Lead to Rogue Admin Access

The vulnerability arises from an incorrect implementation of the authentication algorithm in Ivanti vTM, excluding specific versions (22.2R1 and 22.7R2). This flaw allows remote attackers to bypass authentication processes, enabling them to create unauthorized administrative users. This could grant cybercriminals full control over the management interface, posing daunting risks to the affected systems.

Affected Versions and Immediate Actions

The vulnerability impacts several versions of Ivanti vTM, including 22.2, 22.3, 22.3R2, 22.5R1, 22.6R1, and 22.7R1. Ivanti has responded by releasing patched versions—22.2R1, 22.7R2, and upcoming fixes for 22.3R3, 22.5R2, and 22.6R2, expected during the week of August 19, 2024. As a temporary measure, the company recommends that users limit admin access to the management interface or restrict it to trusted IP addresses to mitigate the risk of unauthorised access.

Despite no confirmed incidents of this vulnerability being exploited in the wild, the availability of a proof-of-concept (PoC) code increases the urgency for users to apply the latest patches to safeguard their systems.

Additional Vulnerabilities Addressed in Neurons for ITSM

In addition to the vTM flaw, Ivanti has also patched two serious vulnerabilities in its Neurons for ITSM product. The first, CVE-2024-7569, is an information disclosure vulnerability with a CVSS score of 9.6. It affects Ivanti ITSM on-premises and Neurons for ITSM versions 2023.4 and earlier, allowing attackers to obtain sensitive information, including OIDC client secrets, through debug data.

The second flaw, CVE-2024-7570, rated 8.3 on the CVSS scale, involves improper certificate validation. This vulnerability enables a remote attacker in a man-in-the-middle (MITM) position to craft a token that could grant unauthorised access to the ITSM platform as any user. These issues have been resolved in the latest patched versions of 2023.4, 2023.3, and 2023.2.

Further adding to the urgency, Ivanti has also addressed five high-severity vulnerabilities (CVE-2024-38652, CVE-2024-38653, CVE-2024-36136, CVE-2024-37399, and CVE-2024-37373) in its Avalanche product. These flaws could potentially lead to denial-of-service (DoS) conditions or even remote code execution if exploited. Users are strongly advised to update to version 6.4.4, which includes fixes for these issues.

These security updates highlight the critical practicality of staying current with patches and updates, especially for systems as vital as traffic management and IT service management platforms. Ivanti's quick response to these vulnerabilities is crucial in helping organisations protect their digital infrastructure from potentially devastating attacks. Users are urged to implement the recommended updates without delay to combat any risks posed by these newly discovered flaws.


Read more »
Subscribe to: Posts (Atom)