Notorious Cyber Gang UNC3944 Shifts Focus to SaaS Apps, vSphere and Azure

 

The notorious cyber gang UNC3944, which is suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, among other things, has modified its methods and is now targeting SaaS apps. 

According to Google Cloud's Mandiant threat intelligence team, UNC3944's operations overlap significantly with those of the attack groups known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group's operations began with credential harvesting and SIM swapping attacks, progressed to ransomware and data theft extortion, and have now transitioned to "primarily data theft extortion, without the use of ransomware."

Mandiant claimed to have heard recordings of UNC3944's calls to corporate help desks, in which it attempted social engineering attacks. 

"The threat actors spoke with clear English and targeted accounts with high privilege potential," Mandiant's researchers noted last week. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks.

Callers from UNC3944 would frequently say they were getting a new phone, requiring an MFA reset. Help desk employees who allowed such a reset enabled the attackers to reset passwords and get around MFA protections.

"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant added. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

When the hackers infiltrated an organization's infrastructure, they would immediately hunt for information on tools such as VPNs, virtual desktops, and remote telework programmes that would provide persistent access. Access to Okta was another target; tampering with the vendor's single sign-on tools (SSO) allowed attackers to create accounts that could be used to log into other systems. 

VMware's vSphere hybrid cloud management tool was one of the targets of attacks resulting from compromised SSO tools. Microsoft Azure was another. Both were intended to allow UNC3944 operatives to create virtual machines within an organisation and use them for malicious purposes. This makes sense because most of an organization's resources will use IP addresses within a safe range.

Here's Why Tokens Are Like Treasure for Opportunistic Attackers

 

Authentication tokens are not tangible tokens, of course. However, if these digital IDs are not routinely expired or restricted to a single device, they may be worth millions of dollars in the hands of threat actors.

Authentication tokens (commonly called "session tokens") play a vital role in cybersecurity. They encapsulate login authorization data, allowing for app validations and safe, authenticated logins to networks, SaaS applications, cloud computing, and identity provider (IdP) systems, as well as single sign-on (SSO) enabling ubiquitous corporate system access. This means that anyone holding a token has a golden key to company systems without having to complete a multifactor authentication (MFA) challenge.

Drawbacks of employee convenience

The lifetime of a token is frequently used to achieve a balance between security and employee convenience, allowing users to authenticate once and maintain persistent access to applications for a set period of time. Attackers are increasingly obtaining these tokens through adversary-in-the-middle (AitM) attacks, in which the attacker is positioned between the user and legitimate applications to steal credentials or tokens, as well as pass-the-cookie attacks, which steal session cookies stored in browsers.

Personal devices have browser caches as well, but they are not subject to the same level of security as corporate systems. Threat actors can simply capture tokens from inadequately secured personal devices, making them more vulnerable. Yet personal devices are frequently granted access to corporate SaaS apps, posing a risk to corporate networks.

Once a threat actor secures a token, they get access to the user's rights and authorizations. If they have an IdP token, they can use the SSO features of all business applications that are integrated with the IdP without the need for an MFA challenge. If it is an admin-level credential with accompanying privileges, they have the ability to destroy systems, data, and backups. The longer the token remains active, the more they can access, steal, and damage. Furthermore, they can create new accounts that do not require the token for persistent network access.

While frequent expiration of session tokens will not prevent these types of assaults, it will significantly reduce the risk footprint by limiting the window of opportunity for a token to work. Unfortunately, we often notice that tokens are not being expired at regular intervals, and some breach reports indicate that default token expirations are being purposely extended. 
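The controls this section argues for, a short token lifetime and pinning a token to one device, together with revocation after a breach, can be sketched as follows. This is an added example, not code from the original post; the signing key, the 8-hour lifetime and the device identifiers are constructed assumptions, and the device identifier is assumed to come from something an attacker cannot copy along with the token.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed value; load from a key store in practice
MAX_LIFETIME = 8 * 3600           # assumed policy: a token dies 8 hours after issue

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def _pin(device_id: str) -> str:
    # Only a hash of the device identifier is carried inside the token.
    return hashlib.sha256(device_id.encode()).hexdigest()

def issue_token(user: str, device_id: str, now: int) -> str:
    claims = {"sub": user, "iat": now, "dev": _pin(device_id)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload).decode()

def validate_token(token: str, device_id: str, now: int, revoked_before: dict):
    """Return (accepted, reason). revoked_before maps user -> cut-off timestamp;
    tokens issued before the cut-off are dead (the response to a breach)."""
    payload_b64, _, sig = token.rpartition(".")
    payload = payload_b64.encode()
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # Absolute lifetime: limits how long a stolen token keeps working.
    if not 0 <= now - claims["iat"] <= MAX_LIFETIME:
        return False, "expired"
    # Revocation: kills tokens that are still inside their lifetime.
    if claims["iat"] < revoked_before.get(claims["sub"], 0):
        return False, "revoked"
    # Pinning: a token replayed from another device is refused.
    if not hmac.compare_digest(claims["dev"], _pin(device_id)):
        return False, "device mismatch"
    return True, "ok"

def demo():
    t0 = 1_700_000_000  # constructed issue time
    tok = issue_token("alice", "laptop-A", t0)
    return [
        validate_token(tok, "laptop-A", t0 + 600, {})[1],       # normal use
        validate_token(tok, "attacker-box", t0 + 600, {})[1],   # replayed elsewhere
        validate_token(tok, "laptop-A", t0 + 9 * 3600, {})[1],  # past lifetime
        validate_token(tok, "laptop-A", t0 + 600, {"alice": t0 + 60})[1],  # post-breach
    ]

if __name__ == "__main__":
    print(demo())
```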

Token attacks in the spotlight 

Last year, multiple breaches involving stolen authentication tokens made headlines. Two incidents involved hacked IdP tokens. According to Okta, threat actors were in their systems from September 28 to October 17 as a result of a compromised personal Gmail account. A saved password from the Gmail account was synchronised in the Chrome browser, granting access to a service account, most likely without MFA enforcement. 

Once inside the service account, threat actors were able to obtain additional customer session tokens from ServiceNow's HAR files. The hack ultimately impacted all Okta customer support users. 

Notably, on November 23, 2023, Cloudflare discovered a threat actor attacking its systems via session tokens obtained from the Okta hack. This suggests that these session tokens had still not been expired 30 to 60 days after the Okta breach, neither in the usual course of business nor in response to the breach.

In September 2023, Microsoft also announced that threat actors had obtained a consumer signing key from a Windows crash dump. They then used it to attack Exchange and Active Directory accounts by exploiting an undisclosed flaw that allowed business systems to accept session tokens signed with the consumer signing key. This resulted in the theft of 60,000 US State Department emails. This hack may not have had the same impact if tokens had been more aggressively expired (or pinned).

AI Might Be Paving The Way For Cyber Attacks

 


In a recent eye-opening report from cybersecurity experts at Perception Point, a major spike in sneaky online attacks has been uncovered. These attacks, called Business Email Compromise (BEC), zoomed up by a whopping 1,760% in 2023. The bad actors behind these attacks are using fancy tech called generative AI (GenAI) to craft tricky emails that pretend to be from big-shot companies and bosses. These fake messages trick people into giving away important information or even money, putting both companies and people at serious risk.

The report highlights a dramatic escalation in BEC attacks, from a mere 1% of cyber threats in 2022 to a concerning 18.6% in 2023. Cybercriminals now employ sophisticated emails crafted through generative AI, impersonating reputable companies and executives. This deceptive tactic dupes unsuspecting victims into surrendering sensitive data or funds, posing a significant threat to organisational security and financial stability.

Exploiting the capabilities of AI technology, cybercriminals have embraced GenAI to orchestrate intricate and deceptive attacks. BEC attacks have become a hallmark of this technological advancement, presenting a formidable challenge to cybersecurity experts worldwide.

Beyond BEC attacks, the report sheds light on emerging threat vectors employed by cybercriminals to bypass traditional security measures. Malicious QR codes, known as “quishing,” have seen a considerable uptick, comprising 2.7% of all phishing attacks. Attackers exploit users’ trust in these seemingly innocuous symbols by leveraging QR codes to conceal malicious sites.

Additionally, the report reveals a concerning trend known as “two-step phishing,” witnessing a 175% surge in 2023. This tactic capitalises on legitimate services and websites to evade detection, exploiting the credibility of well-known domains. Cybercriminals circumvent conventional security protocols with alarming efficacy by directing users to a genuine site before redirecting them to a malicious counterpart.

The urgent need for enhanced security measures cannot be overemphasised as cyber threats evolve in sophistication and scale. Organisations must prioritise advanced security solutions to safeguard their digital assets. With one in every five emails deemed illegitimate and phishing attacks comprising over 70% of all threats, the imperative for robust email security measures has never been clearer.

Moreover, the widespread adoption of web-based productivity tools and Software-as-a-Service (SaaS) applications has expanded the attack surface, necessitating comprehensive browser security and data governance strategies. Addressing vulnerabilities within these digital ecosystems is paramount to mitigating the risk of data breaches and financial loss.

Perception Point’s Annual Report highlights the urgent need for proactive cybersecurity measures in the face of evolving cyber threats. As cybercriminals leverage technological advancements to perpetrate increasingly sophisticated attacks, organisations must remain vigilant and implement robust security protocols to safeguard against potential breaches. By embracing innovative solutions and adopting a proactive stance towards cybersecurity, businesses can bolster their defences and protect against the growing menace of BEC attacks and other malicious activities. Stay informed, stay secure.


How To Combat Cyber Threats In The Era Of AI





In a world dominated by technology, the role of artificial intelligence (AI) in shaping the future of cybersecurity cannot be overstated. AI, a technology capable of learning, adapting, and predicting, has become a crucial player in defending against cyber threats faced by businesses and governments.

The Initial Stage 

At the turn of the millennium, cyber threats aimed at creating chaos and notoriety were rampant. Organisations relied on basic security measures, including antivirus software and firewalls. During this time, AI emerged as a valuable tool, demonstrating its ability to identify and quarantine suspicious messages in the face of surging spam emails.

A Turning Point (2010–2020)

The landscape shifted with the rise of SaaS applications, cloud computing, and BYOD policies, expanding the attack surface for cyber threats. Notable incidents like the Stuxnet worm and high-profile breaches at Target and Sony Pictures highlighted the need for advanced defences. AI became indispensable during this phase, with innovations like Cylance integrating machine-learning models to enhance defence mechanisms against complex attacks.

The Current Reality (2020–Present)

In today's world, how we work has evolved, leading to a hyperconnected IT environment. The attack surface has expanded further, challenging traditional security perimeters. Notably, AI has transitioned from being solely a defensive tool to being wielded by both adversaries and defenders. This dual nature of AI introduces new challenges in the cybersecurity realm.

New Threats 

As AI evolves, new threats emerge, showcasing the innovation of threat actors. AI-generated phishing campaigns, AI-assisted target identification, and AI-driven behaviour analysis are becoming prevalent. Attackers now leverage machine learning to efficiently identify high-value targets, and AI-powered malware can mimic normal user behaviours to evade detection.

The Dual Role of AI

The evolving narrative in cybersecurity paints AI as both a shield and a spear. While it empowers defenders to anticipate and counter sophisticated threats, it also introduces complexities. Defenders must adapt to AI's dual nature, acclimatising to innovation to assimilate the intricacies of modern cybersecurity.

What's the Future Like?

As cybersecurity continues to evolve along with how we leverage technology, organisations must remain vigilant. The promise lies in generative AI becoming a powerful tool for defenders, offering a new perspective to counter the threats of tomorrow. Adapting to the changing landscape of AI-driven cybersecurity is essential to remain ahead in the field.

The intersection of AI and cybersecurity is reshaping how we protect our digital assets. From the early days of combating spam to the current era of dual-use AI, the journey has been transformative. As we journey through the future, the promise of AI as a powerful ally in the fight against cyber threats offers hope for a more secure digital culture. 


Dangers of Adopting Unsanctioned SaaS Applications

 

A sleek little app-store sidebar was silently introduced to the right side of your session screen by the most recent programme update, as you might have seen on your most recent Zoom calls. With the touch of a button and without even pausing their Zoom session, this feature enables any business user inside your company to connect the software-as-a-service (SaaS) apps displayed in the sidebar.

The fact that anyone within an organisation can deploy, administer, and manage SaaS applications emphasises both one of the major strengths and security threats associated with SaaS. Although this technique could be quick and simple for business enablement, it also intentionally avoids any internal security review procedures. 

As a result, your security team is unable to identify which applications are being adopted and used, whether they may be vulnerable to security threats, whether they are being used securely, or how to put security barriers in place to prevent unauthorised access to them. Zero-trust security principles become nearly impossible to enforce.

Joint Obligation 

Before they reprimand their staff for recklessly using SaaS applications, companies need to understand that staff are continually being urged by vendors to install additional apps and adopt new features. Indeed, the applications themselves frequently meet crucial business demands, and employees naturally want to use them right away without waiting for a drawn-out security evaluation. But, whether they are aware of it or not, they are acting in this way because shrewd application providers are actively marketing to them and frequently tricking users into thinking they are adhering to security best practices. Users do not always read the text displayed on the consent screens that are intended to give them pause during installation and nudge them to read about their rights and obligations.

Always be cautious

In other circumstances, security is frequently presumed. Consider well-known brands' application markets. Vendors do not have the motivation, financial interest, or capacity to assess the security posture of every third-party application sold on their marketplaces. Yet, in order to promote the business, they may mislead users into believing that anything sold there retains the same level of protection as the marketplace vendor, frequently by omission. Similarly, market descriptions may be worded in such a way as to imply that their application was developed in partnership with or approved by a significant, secure brand.

The use of application marketplaces results in third-party integrations that pose the same vulnerabilities as those that led to numerous recent attacks. During the April 2022 GitHub attack campaign, attackers were able to steal and exploit legitimate Heroku and Travis-CI OAuth tokens issued to well-known suppliers. According to GitHub, the attackers were able to steal data from dozens of GitHub customers and private repositories by using the trust and high access offered to reputable vendors.

Similarly, CircleCI, a provider specialising in CI/CD and DevOps technologies, reported in December 2022 that some customer data was stolen in a data breach. The investigation was sparked by a hacked GitHub OAuth token. According to the CircleCI team's research, the attackers were able to obtain a valid session token from a CircleCI engineer, allowing them to bypass the two-factor authentication mechanism and gain unauthorised access to production systems. They were able to steal customer variables, tokens, and keys as a result.

An Attraction to Frictionless Adoption 

Vendors also design their platforms and incentive plans to make adoption as simple as accepting a free trial, a lifetime free service tier, or swiping a credit card, frequently with alluring discounts to try and buy without commitment. Vendors want users to adopt any exciting, new capability immediately, so they remove all barriers to adoption, including going around ongoing IT and security team reviews. It is hoped that an application will prove to be too well-liked by business users and crucial to corporate operations to be removed, even if security personnel become aware of its use. 

Making adoption too simple, however, can also result in a rise in the number of underutilised, abandoned, and exposed apps. An app can frequently continue to function after it has been rejected during a proof of concept (PoC), abandoned because users have lost interest in it, or the app owner has left the company. This results in an expanded and unprotected attack surface that puts the organisation and its data at greater risk.

While educating business users on SaaS security best practices is important, it's even more crucial to prevent SaaS sprawl by teaching them to think more critically about the seductive promises of quick deployment and financial incentives made by SaaS suppliers.

Additionally, security teams ought to use solutions that can help them manage risks associated with SaaS misconfiguration and SaaS-to-SaaS integrations. These technologies allow customers to continue utilising SaaS applications as required while also conducting security due diligence on new vendors and integrations and setting up crucial security barriers.