
Darkbeam Data Breach: Billions of Usernames and Credentials Exposed Online


In a massive security breach, digital risk protection company ‘DarkBeam’ has left billions of usernames and passwords exposed, and they are now at high risk of being leaked online.

Apparently, the breach was first discovered on September 18 by Bob Diachenko, CEO of security company Security Discovery.

While the database is now adequately secured, at the time of the discovery more than 3.8 billion records had been left unprotected online, accessible to anyone.

It is important to note that every password and email address in this database actually came from earlier data breaches. Although it is likely that this leak also affects non-customers, it appears that DarkBeam had been gathering the data to notify its customers about potential breaches.

These kinds of releases are frequently the result of hacking, as has earlier been observed with the most recent TMX Finance data breach. 

However, this does not appear to be the case this time. As Diachenko notes, human mistakes can lead to data leaks like this one, such as when a worker forgets to password-protect a sizable database containing critical information.

Even if a user has never heard of DarkBeam, it is very possible that their login credentials are exposed, since this leak includes usernames and passwords from both reported and unreported data breaches.

To address the matter, a DarkBeam spokesperson released a statement, saying:

“A third-party researcher notified us of a single unprotected instance containing a compilation of publicly available data collected by a DarkBeam researcher in 2020. We immediately closed access to this instance which contained research on previously discovered cyber breaches occurring between 2018 and 2019 and was created for the purpose of developing DarkBeam’s compromised accounts identification tool prior to the launch of our platform. No DarkBeam client information or data related to our systems was exposed and there is no evidence of unauthorized access except on September 19th by the researcher.”

How to Check if a User’s Credentials Are Exposed 

In cases such as this one, where news of a data leak breaks, it is a good idea for users to check whether their own credentials were exposed.

There are various ways to do this, such as using Troy Hunt's well-known HaveIBeenPwned or Mozilla's Firefox Monitor. 

The tools mentioned above can quickly tell a user whether their credentials have been compromised, so that they can change the affected credentials and reduce the risk. Users who find this manual process time-consuming can also rely on one of the well-known password managers, which can change a user’s password automatically and save the effort.
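As an added example (not code from the original post or from HaveIBeenPwned itself), a Python check against the Pwned Passwords range API offered by Troy Hunt's service: its k-anonymity design means only the first five characters of the password's SHA-1 hash ever leave the machine. The sample response is constructed, and the User-Agent string is an assumption.

```python
from __future__ import annotations
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def hash_parts(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-character prefix
    that is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response ('SUFFIX:COUNT' per line) into a suffix -> count map.
    When the Add-Padding header is sent, the service mixes in dummy entries with
    a count of 0 so the response size does not hint at the prefix; drop them."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.strip().isdigit() and int(count) > 0:
            table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character prefix is transmitted."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        # User-Agent value is an assumption; the service requires one to be set.
        headers={"User-Agent": "credential-exposure-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample of what a range response looks like for prefix 5BAA6 (the
# prefix of SHA-1("password")); the counts and the other suffixes are made up.
SAMPLE_RANGE = """\
00D4F6E8B3A1C2D5E7F9A0B1C2D3E4F5A6B:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C2A9E1B4D6F8A0C2E4B6D8F0A2C4E6B8D0:1
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; drop the fetch
    # argument to query the live service instead.
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=lambda prefix: SAMPLE_RANGE)
        print(f"{pw!r}: seen {n} time(s)" if n else f"{pw!r}: not in sample")
```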

Beyond Identity Officially Announces the Release of ‘Zero Trust Authentication'

 

Beyond Identity's launch of Zero Trust Authentication is a game-changer in the field of cybersecurity. The sub-category of zero-trust security is a step forward in aligning verification with zero-trust principles. The passwordless capability and phishing resistance features of Zero Trust Authentication enable businesses to verify the identities of people and devices with zero-trust-level certainty. This is crucial because, without such enhanced verification capacities, organizations cannot truly implement zero trust security. 

Organizations supporting Zero Trust Authentication, which was created to address the drawbacks of conventional authentication techniques, include Palo Alto Networks, CrowdStrike, Optiv, Ping Identity, the Cloud Security Alliance, and the FIDO (Fast IDentity Online) Alliance. While its category-defining book, Zero Trust Authentication, describes the precise capabilities, requirements, policies, and best practices, Beyond Identity said it will provide practical Zero Trust Authentication advice to clients and channel partners through international and local events throughout 2023.

One of the trickier problems that CISOs still have to deal with is authentication, as interoperability, usability, technical constraints, and vulnerabilities frequently make it difficult to identify and authorise individuals and devices effectively.

Zero Trust Authentication's seven prerequisites 

In order to distinguish Zero Trust Authentication from conventional authentication, Beyond Identity outlines seven requirements.

Passwordless: No passwords or other shared secrets that can be easily gained from users, recorded on networks, or hacked from databases are used. 

Phishing resistance: No chance of obtaining codes, magic links, or other authentication elements via phishing, adversary-in-the-middle, or other assaults. 

Capable of verifying user devices: Capable of ensuring that requesting devices are bound to a user and have access to information assets and applications. 

Capable of assessing device security posture: Able to identify whether devices adhere to security policies by ensuring that necessary security settings are enabled and security software is operating. 

Capable of assessing a wide range of risk signals: Capable of ingesting and analysing data from endpoints as well as security and IT management tools, allowing policy engines to assess risk based on parameters such as user behaviour, device security posture, and detection and response tool status.

Ongoing risk assessment: The ability to analyse risk throughout a session rather than depending on one-time authentication.

Integrating with security infrastructure: Connecting with a range of security infrastructure technologies to increase risk detection, speed up the reaction to suspicious behaviour, and improve audit and compliance reporting.

Modern authentication techniques are ineffective

Existing identification approaches are failing miserably, says Jasson Casey, CTO at Beyond Identity, to CSO. The conventional method of security was creating a perimeter around the network and placing your trust in the users and equipment inside of it. This strategy, though, is no longer adequate. The perimeter-based paradigm failed since there are many cloud-based resources and users can work or access resources from anywhere. 

A network-based perimeter and implicit trust are absent from a zero-trust strategy, Casey continues. Casey contends that as every person and device must instead demonstrate their reliability, zero-trust authentication is a crucial component of any comprehensive zero-trust strategy. 

Simply put, efforts to prevent adversaries from penetrating systems, gaining access to accounts, or delivering ransomware won't be successful if an organisation executes the majority of zero-trust features flawlessly while continuing to rely on ineffective authentication techniques. 

By eschewing passwords and outdated multifactor authentication (MFA) and adopting the tenet of "never trusting and always confirming," Casey claims that adopting zero-trust authentication enables enterprises to put contemporary, effective security techniques into practice. 

“The approach enables several benefits for organizations including a higher level of security by reducing the attack surface and making it more difficult for attackers to move within the network. In addition, it enables more flexible working arrangements as employees can work remotely while maintaining high security. Lastly, it helps organizations to remain compliant with constantly updating regulations by providing a secure, auditable security framework,” Casey concluded.

Android Trojan Spotted in Multiple Applications on Google Play Harvesting User Credentials

 

Cybersecurity researchers at Dr. Web, who monitor the mobile app ecosystem, have spotted a major uptick in trojan infiltration of the Google Play Store, with one of the applications having over 500,000 installations and still available for download.

The majority of these applications belong to a family of trojan malware used in a variety of scams, resulting in money losses as well as the theft of sensitive private details. Additionally, a new Android trojan called ‘Android.Spy.4498’ designed as a WhatsApp mod has been discovered in the wild. The trojan is spreading via malicious websites promoted by social media posts, forums, and SEO poisoning.

According to Dr. Web's report published in January 2022, the ‘Android.Spy.4498’ was identified in some of the unofficial WhatsApp applications (mods) named GBWhatsApp, OBWhatsApp, or WhatsApp Plus. These mods provide Arabic language support, home screen widgets, separate bottom bar, hide status options, call blocking, and the ability to auto-save received media. These mods are popular in the online communities because they offer additional features not available in the vanilla WhatsApp.

The Trojan is also capable of downloading apps and prompting users to install them, and of displaying dialog boxes with content it receives from the malicious actors. During the attack, Android.Spy.4498 requests access to manage notifications and read their content.

Additionally, the threats identified on the Play Store include cryptocurrency management applications, social benefit aid tools, Gasprom investment clones, photo editors, and a launcher themed after iOS 15. The majority of the fake investment apps trick victims into creating a new account and depositing money supposedly for trading, which is simply transferred to the fraudster’s bank account. Other apps attempt to trick the user into signing up for expensive subscriptions.

The user reviews under the app describe tactics that resemble subscription scams, charging $2 per week for verification or ad removals, yet offering nothing in return. As the report details, apps discovered by security analysts will load affiliate service sites and enable paid subscriptions through the Wap Click technology after tricking the user into entering their phone number.  

To mitigate the risks, researchers advised installing apps only from trustworthy sources, checking user reviews, scrutinizing permission requests at installation, and monitoring battery and mobile data consumption afterward. They also advised regularly checking the status of Google Play Protect and adding a second layer of protection with a mobile security tool from a reputable vendor.

The Zelle Scam Aims to Steal Your Bank Credentials

 

One of the most prevalent methods for hackers to gain access to bank accounts is to drain the victim's assets via Zelle, a "peer-to-peer" (P2P) payment service utilised by many banking institutions that allows users to send money to friends and family instantly. Naturally, many of the phishing scams that lead up to these bank account takeovers start with a counterfeit SMS from the target's bank alerting them to a suspected Zelle transfer. 

According to the text, someone attempted to withdraw a substantial sum of money from their bank account and deposit it into their Zelle account. The notification asks for a response of "Yes," "No," or "1" to decline. Regardless of which option is selected, the recipients are instantly contacted by a person posing as a bank official. Incoming phone numbers are frequently faked to make it appear as if they are from the person's bank. 

The scammer asks for the customer's online banking username and then instructs them to recite back a passcode given through text or email to "verify their identity." In actuality, the fraudster begins a transaction — such as the "forgot password" option on the financial institution's website — that creates the member's authentication passcode. 

Ken Otsuka is a senior risk consultant of CUNA Mutual Group, an insurance company that offers credit unions financial services. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?” 

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’” 

Once the scammer obtains control of the bank account, they will make different deposits to other accounts before draining the customer's funds. When a victim understands what has happened, they typically contact their bank right away. Unfortunately, most consumers who fall victim to this type of direct contact phishing fraud rapidly discover that many banks are unable to help them recover their stolen funds in any way. The banks argue that the transaction was initiated by the customer and thus does not fall under Regulation E's "unauthorised transaction" protection.

7M Robinhood Customers Email Addresses for Sale on Hacker Forum

 

A prominent hacker forum and the marketplace is selling the data of about 7 million Robinhood customers who were compromised in a recent data breach. 

Last week, stock trading company Robinhood announced a data breach: one of its employees was hacked, and the threat actor used their account to access the personal information of around 7 million customers via customer care systems. The following personal information about Robinhood users was taken during the attack:
  • Email addresses for 5 million customers. 
  • Full names for 2 million other customers. 
  • Name, date of birth, and zip code for 300 people. 
  • More extensive account information for ten people. 
In addition to acquiring the information, Robinhood stated that the intruder tried to extort money from the firm in order to keep the information from being disclosed. Stolen email addresses, especially those for financial services, are in high demand among threat actors because they may be used in targeted phishing attempts to gain additional sensitive information. 

Two days after Robinhood disclosed the breach, a threat actor known as 'pompompurin' revealed on a hacker forum that they were selling the data. pompompurin stated in a forum post that they were selling the stolen information of 7 million Robinhood clients for at least five figures, i.e. $10,000 or more.

The sold data includes 5 million email addresses, as well as 2 million email addresses and complete names for another tranche of Robinhood users. However, pompompurin stated that they will not sell the data of 310 clients who had more sensitive information compromised, including some users' identity cards. The threat actor claims that they downloaded the ID cards through SendSafely, a secure file transfer service utilised by the trading platform while conducting Know Your Customer (KYC) procedures. Robinhood did not initially reveal the theft of ID cards. 

Robinhood told BleepingComputer, "As we disclosed on November 8, we experienced a data security incident and a subset of approximately 10 customers had more extensive personal information and account details revealed. These more extensive account details included identification images for some of those 10 people. Like other financial services companies, we collect and retain identification images for some customers as part of our regulatory-required Know Your Customer checks." 

The attacker gained access to the Robinhood customer service systems, according to BleepingComputer, by tricking an employee into installing remote access software on their desktop. Once the software is installed, the hacker can:
  • monitor the victim's activity,
  • capture screenshots,
  • access the computer remotely, and
  • use the employee's stored login credentials to access internal Robinhood systems.
"I was able to see all account information on people. I saw a few people while the support agent did work," pompompurin told BleepingComputer. 

pompompurin posted images of the fraudsters obtaining access to internal Robinhood systems to prove that they carried out the attack. When approached by BleepingComputer, Robinhood did not explicitly confirm that the screenshots were obtained from their systems.

Fraudsters Used Google Ads to Steal Around $500k Worth of Cryptocurrency

 

Crypto-criminals are using Google Ads to target victims with fraudulent wallets that steal credentials and empty accounts. So far, the cyber-thieves appear to have stolen more than $500,000 and counting. 

As per a recent Check Point Research analysis, the ads appear to offer downloads of the popular crypto-wallets Phantom and MetaMask. According to the research, attackers lure potential victims through Google Ads; clicking the fraudulent ad leads to a malicious site crafted to look like the Phantom (or sometimes MetaMask) wallet site.

The researchers stated, “Over the past weekend, Check Point Research encountered hundreds of incidents in which crypto-investors lost their money while trying to download and install well-known crypto wallets or change their currencies on crypto-swap platforms like PancakeSwap or Uniswap.” 

After that, the target is prompted to create a new account with a "Secret Recovery Phrase." They must also construct a password for the alleged account (which is harvested by the attackers). As per Check Point, users are subsequently given a keyboard shortcut to open the wallet and then directed to the legitimate Phantom site. The legitimate site offers users the Phantom wallet Google Chrome extension. Crypto-criminals have also targeted MetaMask wallets by purchasing Google Ads that drove users to a fake MetaMask site. 

The analysts further stated, “In a matter of days, we witnessed the theft of hundreds of thousands of dollars worth of crypto. We estimate that over $500k worth of crypto was stolen this past weekend alone. I believe we’re at the advent of a new cybercrime trend, where scammers will use Google Search as a primary attack vector to reach crypto wallets, instead of traditionally phishing through email.” 

“In our observation, each advertisement had careful messaging and keyword selection, in order to stand out in search results. The phishing websites where victims were directed to reflected meticulous copying and imitation of wallet brand messaging. And what’s most alarming is that multiple scammer groups are bidding for keywords on Google Ads, which is likely a signal of the success of these new phishing campaigns that are geared to heist crypto wallets. Unfortunately, I expect this to become a fast-growing trend in cybercrime. I strongly urge the crypto community to double-check the URLs they click on and avoid clicking on Google Ads related to crypto wallets at this time.” 

Check Point researchers recommended a few protective measures: 
  1. Verify the browser's URL: Only the extension should create the password, and always check the browser URL to see if it's an extension or a website. 
  2. Find the icon for the extension: The extension will have a chrome-extension URL and an extension icon near it. 
  3. Skip the ads. If users are looking for wallets, crypto trading, and swapping platforms in the crypto world, always look at the first website that comes up in the search rather than the ad, since they might lead to users being fooled by attackers. 
  4. Take a look at the URL: Last but not least, make sure the URLs are double-checked.

APT35 Continues Targeting Important US Citizens and Institutions

 

This year, the Google Threat Analysis Group (TAG) has noticed an increase in government-sponsored hacking. According to the data revealed in the blog post, Google has sent over 50,000 warnings of phishing and malware attempts to account holders so far in 2021, a 33% increase over the same period last year.

APT35 operations dating back to 2014 have been documented by FireEye. APT35, also known as the Newscaster Team, is an Iranian government-sponsored threat group that carries out long-term, resource-intensive operations to gather strategic intelligence. APT35 usually targets military, diplomatic, and government personnel in the United States and the Middle East, as well as organisations in the media, energy, and defense industrial base (DIB), engineering, business services, and telecommunications sectors.

Since 2017, APT35 has been targeting politicians, NGOs, government institutions, journalists, and academia under the names Ajax Security Team, Charming Kitten, and Phosphorus. During the 2020 elections, the group also attempted to target former US President Donald Trump's election campaign staff. 

Charming Kitten made 2,700 attempts to gather information about targeted email accounts in a 30-day period between August and September 2019, according to Microsoft. There were 241 attacks and four compromised accounts as a result of this. Despite the fact that the initiative was allegedly directed at a presidential campaign in the United States, none of the stolen accounts had anything to do with the election. Microsoft did not say who was directly targeted, although Reuters later reported that it was Donald Trump's re-election campaign. The fact that only the Trump campaign utilized Microsoft Outlook as an email client backs up this claim.

"For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Google said.

Phishing attacks including malicious URLs are the most popular approach employed by APT35. APT35, for example, infiltrated a website affiliated with a UK university in early 2021. The group then set up a phishing kit on the website in order to collect user credentials and began sending out emails with a link to the site. The users were instructed to log in using the link provided in order to participate in a fictitious webinar. 

APT35 also attempted to use the Google Play Store to distribute spyware disguised as a VPN client. If the app is installed on the phone, it can gather SMS and call records, as well as location data and contacts. The attempt was thwarted when Google removed the app from the Play Store.

Phishers Steal One-Time Passwords from Coinbase Users

 

Crooks are growing smarter about phishing one-time passwords (OTPs) needed to complete the login process, as seen by a recent phishing campaign targeting Coinbase customers. It also reveals that phishers are attempting to create millions of new Coinbase accounts in order to find email addresses that are already associated with current accounts. 

With over 68 million users from over 100 countries, Coinbase is the world's second-largest cryptocurrency exchange. Coinbase.com.password-reset[.]com was the now-defunct phishing domain, and it was aimed towards Italian Coinbase users (the site's default language was Italian). According to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security, it was a success. Holden's team was able to go inside some of the phishing site's poorly concealed file directories, including the administrator page. Before the site was taken down, the phishing attacks collected at least 870 sets of credentials, according to that panel. 

According to Holden, the phishing gang appears to have identified Italian Coinbase customers by attempting to create new accounts using more than 2.5 million Italian email addresses. His team was also able to recover the username and password information that victims had supplied to the site, as well as nearly all of the email addresses that had been submitted ending in ".it." 

According to Holden's research, this phishing group attempted hundreds of thousands of half-hearted account signups per day. On Oct. 10, for example, the scammers ran over 216,000 email addresses through Coinbase's servers. They attempted to register 174,000 new Coinbase accounts the next day.

Coinbase revealed last month that malicious hackers stole cryptocurrency from 6,000 clients after exploiting a flaw in the company's SMS multi-factor authentication security tool. This phishing attempt is another example of how criminals are devising ever-more clever ways to get around popular multi-factor authentication alternatives like one-time passwords. 

In an emailed statement, Coinbase said, “Like all major online platforms, Coinbase sees attempted automated attacks performed on a regular basis. Coinbase is able to automatically neutralize the overwhelming majority of these attacks, using a mixture of in-house machine learning models and partnerships with industry-leading bot detection and abuse prevention vendors. We continuously tune these models to block new techniques as we discover them." 

Researchers say the simplest way to avoid phishing scams is to avoid clicking on links that appear unexpectedly in emails, text messages, or other forms of media. They also advised that you should never give out personal information in response to an unsolicited phone call.

Shipping Giant Forward Air Reports Ransomware Data Breach

 

Forward Air, a shipping company, has revealed a data breach as a result of a ransomware attack that enabled threat actors to acquire employees' personal information.

Forward Air was struck with a ransomware attack in December 2020 by what was thought to be a new cybercrime group known as Hades. Forward Air's network was shut down as a consequence of the assault, causing commercial interruption and the inability to release freight for transport. 

Forward Air stated in an SEC filing that it lost $7.5 million in less-than-truckload (LTL) freight revenue, mainly due to the company's need to temporarily halt its electronic data interfaces with its clients.

Researchers later discovered that this assault was most likely carried out by members of the Evil Corp cybercrime group, who frequently carry out operations under different ransomware identities, such as Hades, to avoid US penalties. 

Multiple Forward Air workers contacted BleepingComputer at the time, concerned that the hack had revealed their personal information. As part of the attack, the threat actors built up a Twitter account that they stated would be utilized to leak Forward Air data. However, no data was ever found to be released by threat actors. 

Almost a year later, Forward Air has revealed that the ransomware attack exposed the data of current and former employees.

A data breach notification sent to Forward Air employees stated, "On December 15, 2020, Forward Air learned of suspicious activity occurring within certain company computer systems. Forward Air immediately launched an investigation to determine the nature and scope of the incident." 

"The investigation determined that certain Forward Air systems were accessible in November and early December 2020 and that certain data, which may have included your personal information, was potentially viewed or taken by an unknown actor." 

Employee names, addresses, dates of birth, Social Security numbers, driver's licence numbers, passport numbers, and bank account numbers are among the data that the Evil Corp threat actors may have obtained. 

While Forward Air claims there is no evidence that the data was misused, they are providing impacted individuals with a complimentary one-year membership to the myTrueIdentity credit monitoring service. 

Since there is no way to detect if a threat actor utilised stolen data, even if they promise not to after receiving a ransom payment, all impacted workers should presume that their data has been compromised. This implies that individuals should keep track of their credit reports, bank records, and other financial information.

Coinbase: Hackers Stole Cryptocurrency From Around 6,000 Customers

 

Crypto Exchange Coinbase has revealed that hackers successfully stole money from at least 6,000 Coinbase users this spring, partly by exploiting a vulnerability in the cryptocurrency exchange's two-factor authentication mechanism. 

Coinbase is the world's second-largest bitcoin exchange with over 68 million users from over 100 countries. In a data breach warning delivered to impacted clients this week, Coinbase disclosed the hacking activity. The notice states, “At least 6,000 Coinbase customers had funds removed from their accounts, including you,” 

Account breaches happened between March 2021 and May 20, 2021. Coinbase estimates hackers launched a wide-scale email phishing effort to deceive a significant number of customers into providing their email addresses, passwords, and phone numbers. 

Furthermore, the unknown attackers gained access to victims' email inboxes through malicious software capable of reading and writing to the inbox once the user grants permission. However, a password alone is insufficient to gain access to a Coinbase account.

The business secures an account by default using two-factor authentication, which means users must enter both a password and a one-time passcode issued on the phone to log in. 

However, in certain situations the hackers were able to obtain the one-time passcode. This happened to users whose two-factor authentication method relied on SMS text messages to deliver the code.

A spokesperson for the cryptocurrency exchange told PCMag in a statement, “Once the attackers had compromised the user’s email inbox and their Coinbase credentials, in a small number of cases they were able to use that information to impersonate the user, receive an SMS two-factor authentication code, and gain access to the Coinbase customer account.” 

Coinbase did not go into detail about how the impersonation occurred. However, according to the statement, the attackers employed a SIM-swapping attack to deceive the cell phone carrier into transferring over the victim's phone number. 

In response, Coinbase says it’s been compensating victims for the stolen cryptocurrency, following reports the company did little to help consumers hit in the hack. 

A company spokesperson added, “We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost.” 

It's also unclear how the issue was resolved. Coinbase, on the other hand, is pushing consumers to abandon the SMS-based two-factor verification scheme for more secure alternatives. This includes utilising a smartphone app to generate the one-time passcode or a hardware-based security key. 

Thousands of University Wi-Fi Networks Disclose Log-In Credentials

 

Multiple configuration vulnerabilities in a free Wi-Fi network used by several colleges can enable access to the usernames and passwords of students and teachers who connect to the system using Android and Windows devices, according to the findings by researchers. 

WizCase researchers led by Ata Hakçıl evaluated 3,100 Eduroam configurations at universities throughout Europe and discovered that more than half of them had vulnerabilities that threat actors might exploit.

They noted that the risk of misconfiguration might spread to other companies throughout the world. Eduroam offers free Wi-Fi access at participating institutions. It provides log-in credentials to students, researchers, and faculty members, allowing them to access the internet across many universities by utilizing credentials from their own university. 

Researchers found vulnerabilities in the execution of the Extensible Authentication Protocol (EAP) used by Eduroam, which offers numerous levels of authentication when individuals connect to the network. Some of these authentication steps are not implemented properly in some colleges, causing security flaws.

Researchers wrote in a report posted Wednesday, “Any students or faculty members using Eduroam or similar EAP-based Wi-Fi networks in their faculties with the wrong configuration are at risk.” 

“If you are using an Android device and have Eduroam Wi-Fi set to auto-connect, malicious people could capture your plaintext username and password by only getting 20 or so meters in the range of you.” 

WizCase evaluated several configuration guidelines and built a test environment with multiple attack scenarios for the study. Overall, their analysis indicated that in the majority of institutions with misconfigured networks, threat actors may establish an “evil twin” Eduroam network that a user would mistake for the actual network, especially on Android devices. 

Referring to Eduroam's catalogue application that performs certificate checks, researchers stated, “This could result in these devices automatically sending their stored credentials in order to connect to the evil twin Wi-Fi network for users not using eduroamCAT.” 

Researchers emphasized that the issue is not due to any technical flaw in Eduroam's services or technology, but rather due to improper setup instructions provided by the institutions' own network administrators to those setting up access. 

Moreover, while each institution supplies resources and personnel to assist Eduroam functioning, researchers discovered that there is no centralized management for the network – either as a whole or at each university where the system is in place. This signifies that a minor misconfiguration may make it a target for hackers. 

Researchers narrowed down the issue further by dissecting the numerous consecutive steps of EAP authentication, discovering that inadequate implementation of the last level of this authentication, known as "Inner Authentication," is at the foundation of the problem. Inner Authentication is accomplished in one of two methods in EAP. 

One method is to utilize the Plain Authentication Protocol (PAP), which sends users' credentials to the authentication server in plaintext and relies on Outer Authentication to completely encrypt the traffic with a server certificate. 

The alternative method utilizes Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2), which anticipates that the Outer Authentication stage may be flawed and therefore transfers the password in a hashed, non-plaintext form. 

Mismanaged Certificate Checks 

“When a network with the same Wi-Fi name appears, Android devices will not check whether this certificate is trustworthy or not, and will not even notify the user about the certificate before connecting,” they explained. 

Even an operating system that properly performs certificate checks can disclose data since many users do not understand what a certificate check implies and will permit the connection to proceed even if they get an alert concerning the certificate. 

According to the researchers, this indicates that the problem can arise on Windows as well if a system is misconfigured. iOS devices are not affected, since they do not allow connections to EAP networks without first installing the EAP configuration file, which ensures the validity of the server-side certificate. 

As per the researchers, 2,100 of the 3,100 Eduroam participating university setups examined by WizCase are possibly impacted by the issue. 

According to the firm, the issue can be prevented by switching to the second Inner Authentication method described above (MSCHAPv2). WizCase contacted Eduroam in December to share their results and received a response the same day. 

In accordance with WizCase, Eduroam officials stated that they are aware of “Eduroam identity providers who do not follow the requirements of the Eduroam policy and leave their own users unprotected,” agreeing with researchers that this conduct is “unacceptable.” It is unknown whether Eduroam contacted its customers to alert them about the issue.

Exchange/Outlook Autodiscover Bug Exposed $100K Email Passwords


Guardicore security researcher Amit Serper identified a critical vulnerability in Microsoft's Autodiscover, the protocol that permits the automatic setup of an email account with only the address and password. 

The vulnerability allows attackers who buy domains containing the word "autodiscover," such as autodiscover.com or autodiscover.co.uk, to capture the clear-text login details of users experiencing network issues (or whose admins incorrectly configured DNS). 

From April 16 through August 25 of this year, Guardicore purchased many similar domains and used them as proof-of-concept credential traps: 
  •  Autodiscover.com.br 
  •  Autodiscover.com.cn 
  •  Autodiscover.com.co 
  •  Autodiscover.es 
  •  Autodiscover.fr 
  •  Autodiscover.in 
  •  Autodiscover.it 
  •  Autodiscover.sg 
  •  Autodiscover.uk 
  •  Autodiscover.xyz 
  •  Autodiscover.online 
A web server linked to these domains got hundreds of thousands of email credentials in clear text, most of which also operated as Windows Active Directory domain credentials. 

The credentials are sent from clients who request the URL /Autodiscover/autodiscover.xml with an HTTP Basic authentication header that already contains the unfortunate user's Base64-encoded credentials. 

Several factors combine to produce the overall vulnerability: the Autodiscover protocol's "backoff and escalate" behaviour when authentication fails, its failure to verify Autodiscover servers before handing over user credentials, and its readiness to use insecure methods such as HTTP Basic in the first place. 

Failing upward with Autodiscover 

The main task of the Autodiscover protocol is to simplify account configuration—one can depend on a normal user to memorise their email address and password, but years of computing have taught us that asking them to remember and correctly enter details like POP3 or IMAP4, TLS or SSL, TCP 465 or TCP 587, and the addresses of actual mail servers is several bridges too far. 

By keeping all nonprivate elements of account information on publicly available servers, the Autodiscover protocol enables regular users to configure their own email accounts without assistance. 

When the user creates an Exchange account in Outlook, they provide an email address and a password, such as bob@example.com with password Hunter2. With the user's email address in hand, Autodiscover searches for configuration information in a published XML document. It will attempt HTTP and HTTPS connections to the URLs listed below: (Note: contoso is a Microsoftism that refers to a hypothetical domain name rather than a specific domain.)

http(s)://Autodiscover.example.contoso.com/Autodiscover/Autodiscover.xml 
http(s)://example.contoso.com/Autodiscover/Autodiscover.xml 

So far, it can fairly be assumed that anyone permitted to host resources on example.contoso.com or its Autodiscover subdomain has been explicitly trusted by the owner of example.contoso.com. 

However, if these initial connection attempts fail, Autodiscover will back off and attempt to locate resources in a higher-level domain. In this case, Autodiscover would look for /Autodiscover/Autodiscover.xml on both contoso.com and Autodiscover.contoso.com. 

If this fails, Autodiscover will attempt to submit email and password information to autodiscover.com itself. It would be terrible enough if Microsoft controlled autodiscover.com, but the truth is far more complicated. That domain was registered in 2002 and is now held by an unknown individual or organization that is utilizing GoDaddy's WHOIS privacy shield. 

Guardicore’s Analysis 

Guardicore acquired 96,671 distinct sets of email usernames and passwords in clear text over four months while running its test credential trap. These credentials were obtained from a diverse range of businesses, including publicly listed firms, manufacturers, banks, electricity companies, and others. 

When the Autodiscover protocol fails up from Autodiscover.contoso.com.br to Autodiscover.com.br, the security offered by Contoso's ownership of its own SSL cert disappears. Whoever purchased Autodiscover.com.br—in this scenario, Guardicore—merely supplies their own certificate, which passes TLS validation without any warning despite not being associated with Contoso at all. 

In many situations, Outlook or a similar client will initially present its user's credentials in a more secure format, such as NTLM. 

Unfortunately, a simple HTTP 401 from the webserver requesting HTTP Basic auth in its place is all that is required, to which the client using Autodiscover will abide (typically without error or warning to the user) and send the credentials in Base64 encoded plain text, completely readable by the web server responding to the Autodiscover request.

Conclusion 

The truly terrible news is that there is no mitigation solution for this Autodiscover issue available to the general public.

If your company's Autodiscover infrastructure has a bad day, your client will "fail upward," possibly revealing your credentials. This issue has yet to be patched; according to Microsoft Senior Director Jeff Jones, Guardicore publicly revealed the flaw before reporting it to Microsoft. 

But Guardicore did offer these protective measures:
  • Make sure that you are actively blocking Autodiscover. domains (such as Autodiscover.com/Autodiscover.com.cn, etc) in your firewall. 
  • When deploying/configuring Exchange setups, make sure that support for basic authentication is disabled – using HTTP basic authentication is the same as sending a password in clear text over the wire.
  • A comprehensive text list of all top-level domains can be found at the following URL: https://data.iana.org/TLD/tlds-alpha-by-domain.txt 
For developers and vendors, the company offered this tip: 

Make sure that when you are implementing the Autodiscover protocol in your product you are not letting it “fail upwards”, meaning that domains such as “Autodiscover.” should never be constructed by the “back-off” algorithm.
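The back-off walk described above and the vendor advice just given, as an added example that is not Guardicore's or Microsoft's code: the naive chain a "fail upward" client constructs, a hardened chain that stops at the organisation's own domain, and a firewall blocklist built from the IANA TLD list. The registered domain (contoso.com) is supplied by the caller, and the TLD file excerpt is a constructed sample in the real file's format.

```python
"""Added example (not Guardicore's or Microsoft's code): model the Autodiscover
"back-off" host chain, a hardened variant that never climbs above the
organisation's registered domain, and a blocklist from the IANA TLD list."""
from typing import List


def naive_backoff_chain(email: str) -> List[str]:
    """Hosts a 'fail upward' client tries, in order: each parent of the email
    domain with and without the Autodiscover label, ending at the bare
    'autodiscover.<tld>' host that a third party may own."""
    domain = email.rsplit("@", 1)[1].lower().strip(".")
    labels = domain.split(".")
    hosts = []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        hosts.append(f"autodiscover.{parent}")
        if i < len(labels) - 1:          # the bare TLD itself is never requested
            hosts.append(parent)
    return hosts


def outside_org(hosts: List[str], org_domain: str) -> List[str]:
    """Hosts in the chain that are NOT under the organisation's registered
    domain, i.e. where Basic-auth credentials would reach a third party."""
    org = org_domain.lower()
    return [h for h in hosts if h != org and not h.endswith("." + org)]


def safe_backoff_chain(email: str, org_domain: str) -> List[str]:
    """Hardened chain: stop at the registered domain so that hosts such as
    'autodiscover.com' are never constructed (the vendor advice above)."""
    chain = naive_backoff_chain(email)
    leaks = set(outside_org(chain, org_domain))
    return [h for h in chain if h not in leaks]


def autodiscover_tld_blocklist(tld_file_text: str) -> List[str]:
    """Turn the IANA tlds-alpha-by-domain.txt format ('#' comment line, one
    upper-case TLD per line) into 'autodiscover.<tld>' hosts for a firewall."""
    tlds = [ln.strip().lower() for ln in tld_file_text.splitlines()
            if ln.strip() and not ln.startswith("#")]
    return [f"autodiscover.{t}" for t in tlds]


# Constructed excerpt in the IANA file's format (not the real, full list).
SAMPLE_TLD_FILE = "# Version 0, Last Updated (constructed sample)\nCOM\nBR\nXYZ\n"

if __name__ == "__main__":
    chain = naive_backoff_chain("bob@example.contoso.com")
    print("naive chain:", chain)
    print("credentials would leak to:", outside_org(chain, "contoso.com"))
    print("safe chain:", safe_backoff_chain("bob@example.contoso.com", "contoso.com"))
    print("blocklist:", autodiscover_tld_blocklist(SAMPLE_TLD_FILE))
```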