Tag: Cyber security

Microsoft Reveals Russian Hack: Executives’ Emails Compromised

Posted on by Srishti Chaubey

Introduction

In a recent disclosure, Microsoft unveils the details of a sophisticated cyber breach by Russian state-sponsored hackers. The breach, detected on January 12, sheds light on the tactics of the notorious hacking group, Midnight Blizzard, also known as APT29 or Cozy Bear.

Breach Overview: Understanding the Intrusion

In November 2023, Midnight Blizzard initiated a password spray attack. They compromised a legacy non-production test tenant account, gaining access to limited Microsoft email accounts.

Compromised Accounts: Impact on Corporate Email Security

The aftermath reveals that a select group fell victim, including members of Microsoft’s senior leadership team and employees in crucial functions such as cybersecurity and legal. The attackers exfiltrated emails and attached documents, putting sensitive information at risk.

Attribution and Interest: Identifying the Culprits

Microsoft’s threat research team attributed the breach to APT29, emphasising the group’s specific interest in Microsoft’s knowledge of their operations. This marks Midnight Blizzard’s return after their infamous 2020 cyberattack on SolarWinds.


Highlighting the Key Issue: Addressing Problems with Passwords

The breach underscores the vulnerability posed by traditional password systems. The password spray attack exploited weak passwords, showcasing the critical need for organizations to evolve towards passwordless solutions to enforce security.

Risk Mitigation: Addressing Future Threats

Microsoft, quick to respond, is now advocating for the adoption of passwordless solutions as a preventive measure against such breaches. The urgency to reassess and enhance cybersecurity measures has never been more evident.

Immediate Response: Microsoft’s Swift Action

In response to the breach, Microsoft has promptly applied enhanced security standards to its legacy systems and internal business processes. This immediate action aims to sabotage potential follow-up attacks and protect against further unauthorised access.

Ongoing Investigation: Collaborating with Authorities

The investigation is ongoing, with Microsoft actively collaborating with law enforcement and regulators to comprehensively assess the full impact of the breach. This collaboration is crucial for determining additional preventive measures and addressing the evolving landscape of cyber threats.

Conclusion: Looking Ahead

As companies face ever-changing online risks, the Microsoft hack is a clear signal that using weak passwords can be a big problem. Implementing passwordless solutions stands out as a critical step towards a more secure digital future.

MongoDB Security Incident: Navigating the Aftermath

Posted on by Srishti Chaubey

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

On December 13, 2023, MongoDB, a prominent US-based open-source NoSQL database management system provider, faced a substantial security incident. This breach of MongoDB Atlas, a fully-managed cloud database, unfolded as unauthorised access infiltrated corporate systems, laying bare customer account metadata and contact information. The assailants employed a cunning phishing attack, exploiting support service applications. The consequences were dire – a trove of sensitive data, including customer names, phone numbers, and account details, left exposed in the turbulent aftermath of this cyber storm.

MongoDB Steps Explained

Intrusion Footprints: A List of IPs Disclosed

In a proactive move, MongoDB disclosed a comprehensive list of external IP addresses on their alerts page. These IPs were strategically employed by the unauthorised third party. Organisations are strongly advised to meticulously scrutinise their networks, diligently searching for any ominous signs of suspicious activity intricately linked to these disclosed IPs. If you spot these IPs, you’ve got unwelcome guests. Remember it’s time to act, and act fast.

MongoDB Breach

Phishing & Social Engineering – The Achilles’ Heel of Multi-Factor Authentication

MongoDB issues a resolute counsel to its user base, emphasising the critical need to bolster defences against the looming threats of social engineering and phishing. In response, the company advocates the implementation of multi-factor authentication (MFA), urging users to promptly update their MongoDB Atlas passwords as an additional layer of security.

Phishing attacks or social engineering can bypass and disable all types of MFA solutions, as seen time and again. The security incident under discussion started with phishing attacks. So implementing MFA will have zero security advantage but will only increase the cost, efforts and complexity of authentication.

GoPasswordless – The best protection for MongoDB

Going passwordless with PureAUTH will benefit in 2 broad ways to protect MongoDB or any other enterprise applications –

  1. Secure Authentication – PureAUTH offers passwordless authentication which is secure from phishing & social engineering attacks.
  2. Resilience in case of data breach – If data from the database like MongoDB is leaked due to mis-configurations, 0-day vulnerability or insider attacks etc, the adversary will not find any passwords, MFA seeds, swap-able public keys, or any usable data to carry out unauthorised access elsewhere.

Conclusion

Amidst the gloom, MongoDB presents a silver lining: Passwordless Authentication. It’s a call to transcend traditional password reliance for a more secure future. Fortify your defences with passwordless security. MongoDB users, the future beckons. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cyber security landscape with renewed strength. Passwords? Pfft, that’s so yesterday. The journey continues—Passwordless Authentication awaits.

Unpacking Okta’s Recent Security Breach

Posted on by Srishti Chaubey

Introduction

In today’s interconnected world, data breaches have become unfortunately common. One recent incident that has drawn the cybersecurity community’s attention involves Okta, a prominent identity and access management (IAM) provider. This blog post delves into the specifics of the Okta breach, its impact, and the lessons we can learn.

The Initial Okta Breach

The story starts with a breach of Okta’s case management system, reported in late October. Threat actors gained unauthorised access to sensitive files of 134 Okta customers, less than 1% of the customer base. Some stolen files were HTTP Archive (HAR) files with session tokens, usable in session hijacking attacks.

Okta Breach
Image Source : https://www.helpnetsecurity.com/2023/11/06/okta-support-compromised-service-account/

Targets: BeyondTrust, Cloudflare, and 1Password

BeyondTrust, Cloudflare, and 1Password confirmed their systems were targeted due to this breach. They emphasised no loss of customer data during these incidents, highlighting their robust security measures.

Okta’s Response and Investigation

David Bradbury, Okta’s Chief Security Officer, revealed the breach’s origin. An employee logged into their personal Google account on an Okta-managed laptop, inadvertently saving service account credentials. The hackers exploited this service account, gaining permissions to view and update support cases. The breach occurred from September 28 to October 17, 2023.

Okta Breach Flow
Image Source: https://www.cyberark.com/resources/blog/piecing-together-the-attack-on-oktas-support-unit

Investigation Challenges

Okta’s security team initially focused on unauthorized access to support cases. Identifying suspicious downloads took 14 days. Unique log event types and IDs complicated the detection process.

On October 13, BeyondTrust provided a suspicious IP address, leading to the identification of the compromised account’s activities.

Implications and Ongoing Concerns

The breach raises numerous cybersecurity concerns. Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, highlighted the potential for secondary attacks arising from exposed data. Such incidents erode trust in service providers, especially for security-focused companies like Okta.

John Bambenek, Principal Threat Hunter at Netenrich, pointed out that recurring security events raise questions about Okta’s reliability in sensitive roles like identity and authentication.

Conclusion: The Vital Role of Passwordless Authentication

The Okta breach underscores the importance of robust cybersecurity practices. Organisations must remain vigilant, conducting continuous security assessments and proactively implementing measures against evolving threats.

A single compromised password can jeopardize an entire institution. Therefore, we strongly advocate for passwordless authentication. By eliminating passwords, organizations can fortify their defenses, enhancing security and reducing the risk of future incidents. Passwordless authentication is a safer and more effective approach to protecting digital identities in today’s evolving landscape. #gopasswordless

Resolution 2023 | Making World Password Free

FinTech Company’s Million+Records Exposed…

Posted on by Srishti Chaubey

Have you ever received a phone call from a seemingly legitimate vendor, who knew all your personal and financial information, and then requested an advance payment or financial assistance from you? If you have, you know how terrifying this situation can be. It only takes one small mistake to send your finances into disarray.

But you are not alone in this struggle. Jaramiah Fowler, a cybersecurity expert, helped avoid this nightmare scenario by his vigilance. Fowler discovered a database containing a million consumers’ personal and financial information, including names, email addresses, postal addresses, phone numbers, payment purposes, sums paid, due dates, and tax ID numbers. The database had invoices from people and companies who paid for their goods and services using an app.This database belonged to NorthOne Bank, a FinTech company used by over 320,000 American businesses

Jeremiah Fowler discovered a database that was not password-protected by NorthOne Bank.

About NorthOne

NorthOne is a popular FinTech company that offers integration options with various services, including but not limited to Airbnb, Cash App, Lyft, PayPal, Quickbooks, Shopify, Square, Stripe, Uber, Venmo, and Wave. It is worth noting that NorthOne is not a full service bank. Banking services to NorthOne Bank are provided by The Bancorp Bank.

The Incident

The findings were first reported on January 19th, 2023 and the database remained unsecured until January 31st, 2023. It is unclear how long these records were exposed or who else may have had access to the database. It should also be noted that Bancorp Bank is not at fault or responsible for this breach.

The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF documents. There were basic security controls preventing a full indexing of all documents. There were over a million files in the database that were marked as “production”. In a random sampling of 1,000 invoices, Jeremiah observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.

Invoices in the exposed Dataset

(Source: https://www.websiteplanet.com/news/northone-leak-report/

This is how the data appeared in the compromised dataset. You can clearly see “Powered by NorthOne” in the footer of the image.

How Customers can be targeted ?

The data in the unprotected PDFs contains Tax Identification Number (TIN) along with other personal details of the customers. This TIN can be exploited to file fraudulent federal tax returns and claim refunds from the Internal Revenue Service (IRS).

Someone can misuse the data by using the Employee Identification Number (EID) to apply for loans. Another challenge could be to prove that the application was not authorised.

In order to acquire customers’ trust, a con artist may also pose as a legitimate financial organisation and cite transaction receipts. Consumers’ personal information can be used by other parties to influence them and reveal sensitive information.

What went wrong?

It seems that NorthOne had a database with no protection on. You can learn how to safeguard your database, code repositories, and code infrastructure with PureAUTH‘s Just-in-Time Access Provisioning. You can learn more in our blog titled Know Your Code Infrastructure.

Another Password Manager Breached – Norton

Posted on by Srishti Chaubey

In January, 2023 Gen Digital, a firm previously popular as Symantec and NortonLifeLock , found itself targeted by a significant Credential Stuffing attack. The attack resulted in the compromise of thousands of user accounts.

Just weeks prior to this incident, LastPass, a prominent competitor of Gen Digital in the password manager market, fell victim to a breach. This breach followed a prior cyberattack against LastPass in August. According to LastPass, the hackers leveraged technical data pilfered during the August cyberattack to gain unauthorized access to its cloud storage system.

It’s worth noting the irony here – the very software designed to fortify defences against cyber attacks found itself in the crosshairs of one. To draw a parallel, it’s akin to a scenario where the police station itself becomes the target of a burglary.

Credential Stuffing

Credential stuffing refers to the use of credentials such as username, email id and personal information from previous security breaches. These credentials are fed to other login systems to gain access to other websites. Unlike other cyber attacks, Credential Stuffing does not require brute force. Instead it uses a simple web solution to stuff thousands of stolen credentials into login systems. Credential stuffing is one of the oldest tricks in the book. It’s very easy to fall victim if one uses the same or similar credentials on multiple sites.

Lost one password? Alas you lost them all - Norton Credential stuffing attack.

I recently explored the website “Have I been pwned” and was shocked to see one of my personal email ids compromised in a previous attack. Going through their listing on breached websites made me realise how unsafe our credentials and information are, and how easily one can gain access to it.

Impact of the Incident

In an internal investigation in December 2022, NortanLifeLock detected “unusually large volume” of login attempts. They found that a malicious actor was using a list of credentials obtained from illegal marketplaces on “dark web”.

Nortan commented that 925,000 people were targeted in a credential-stuffing attack. It is probable that the data does contain names, phone numbers and addresses of users. The attackers might also have access to Norton Password Manager users’ private vault data. This vault contains stored passwords for other online accounts. The firm is not commenting on how much customer data actually got a negative impact because of the attack.

Nortan relaeased a warning to it’s users after failing to reject the mass login attempt. They indicated that they “strongly believe that an unauthorised third party knows and has utilised your username and password for your account.” They also suggested the users to use 2 step authentication systems and provided free credit monitoring services to affected users.

Amplification Effect

The Password managers are a hot target because they provide adversaries with an amplified power to gain access to multiple accounts by compromising one password manager account.

As they say putting all the eggs in one basket is a bad strategy. Keeping all passwords in one manager will have a huge impact if compromised.

Passwords are not assets; they represent security vulnerabilities. Rather than locking them away in a vault, consider going passwordless. #GoPasswordless

Dropbox Employees Phished, GitHub Repositories Exposed

Posted on by Srishti Chaubey

Dropbox disclosed a security breach on October 14th 2022, resulted due to Phishing Emails. The email was impersonating a third-party service used by its employees. The attack resulted in credential leaks of employees, which enabled the threat actors access to their Github accounts. The hackers stole the content from 130 repositories, consisting information about Dropbox employees, users, and vendors.

Phishing email impersonating CircleCI

The Incident

Phishing campaign initiated by adversary targeted multiple Dropbox Employees. The emails were crafted to mimic communication from CircleCI , which is a Continuous Integration and Delivery Platform. The phishing link redirected users to a landing page where they were asked to enter their GitHub username and password.

CircleCI login options
CICircle Login page

On a fake GitHub page, the employees were requested their Hardware Authentication Keys to provide an OTP for 2 step authentication. Adversaries used these credentials to access some less secure repositories of Dropbox, containing some API keys, and customised tools.

CircleCI login page
Github Login Page

The adversaries are not traced yet, as they used VPNs to hide their tracks.

The incident details shared by Dropbox
The incident details shared by Dropbox

The Impact

Dropbox breach is a direct result of phishing, which was not contained by 2FA or MFA solutions the firm normally has in place.

Furthermore, the laws of the United States allow authorities to have access to user data under Patriot Act and such, hence the firm can also store user information. In the past, there have been multiple instances at Dropbox where user data was compromised. However, in this particular case, the company is claiming that no core app code was compromised. For more details, visit here.

Previous Incidents

Dropbox is not the sole victim of brand impersonation phishing attacks. Earlier, other organisations such as Sony Pictures, BenefitMall, and JP Morgan Chase have fallen victim to the same. Furthermore US Power grid and John Podesta are also highly notable examples of Phishing Attacks.

IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organisations an average of $4.65 million. Phishing using brand impersonation is becoming quite popular as well. LinkedIn is used for this purpose 52% of the time, while DHL, Google, Microsoft and FedEx also hold a considerable proportion of it. You can find more about the stats here.

Mitigation

Millions of phishing emails are sent daily. Many spam mails slips through spam filters and when that happens, you must be able to rely on your employees to stay vigilant and act responsibly. That is the reason why many companies opt for Employee Awareness Training Plans.

When training campaigns cannot keep pace with the new trends, and URL-checking anti-phishing measures is proving to be far more intrusive. The best option right now is to switch to Password-less Systems with Zero Knowledge Encryption.

With PureAuth Password-less authentication, you can effectively mitigate the risk of having your password compromised by phishing and a number of other methods. 

Feel free to explore further blogs by us related to Phishing and Github . Stay safe. #Gopasswordless

© 2024 | PureID. All Rights Reserved

Privacy & Terms | Licenses