Companies need to keep security priorities top of mind during economic downturns so all-important revenue generation doesn't come with a heaping side order of security problems.

In today's digital world, there's no question that security must be a constant priority for companies — whether it's protecting internal corporate information or their products and solutions.

However, when recessionary forces are lurking, security for products and solutions that are offered or sold to end users, such as Web or mobile applications, needs to become an even greater focus. While it might seem counterintuitive in a climate of cost-cutting to spend on security — essentially looked at as a checklist item — the alternative is a world of pain and more costs.

According to Accenture, cyberattacks grew by 31% between 2020 and 2021. This was right as the US was grappling with the COVID-19 pandemic and the negative impact it had on the nation's economy. Now, signs may be pointing to another downturn in the economy this year, something reflected by recent layoffs in the industry.

As a result of these economic factors, the reduction in staff and budgets can create the perfect window for cybercriminals to take advantage while companies focus on continuing to operate and sustain themselves.

**A Window of Opportunity for Cybercriminals**

During down economic periods, companies place a greater focus on generating top-line revenue and allot more staff and resources to accomplish it. This means that, in 2023, companies will prioritize the enhancement of applications by creating new features and functionalities that can drive sales.

Unfortunately, with the majority of staff and resources allocated to application enhancement, security can often fall by the wayside. Particularly, keeping everything updated with the latest security practices.

This deprioritization creates a window of opportunity for cybercriminals to take advantage of flaws or bugs in applications. For example, the Synopsys Cybersecurity Research Center (CyRC) recently highlighted a number of vulnerabilities in a few applications available through various app stores. The CyRC stated that it "uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities" in the apps Lazy Mouse, Telepad, and PC Keyboard. These vulnerabilities could lead to the gathering of sensitive information, such as login credentials, through the exploitation of keystrokes.

Although we don't know the full impact of these vulnerabilities, these are great examples of the types of flaws or bugs that could fall off the list of priorities for many companies.

**Application Security Is Nonnegotiable**

With any scenario in which an application can be compromised by cybercriminals, there's enormous potential for reputational damage and revenue generation. That's why it's nonnegotiable.

Regardless of whether we're in a recessionary period or not, companies must continue prioritizing all application security activities on the same level as revenue. These activities include:

*   **Vulnerability and penetration testing:** Some of the first security activities that are often deprioritized in times of economic downturn are vulnerability and penetration testing. While a company may conduct this testing every few months during a normal economic period, it may decrease that rate to focus IT and engineering staff efforts on building new features and functionalities. This means there's opportunity for cybercriminals to attack an application that's not kept up to date to determine where its security vulnerabilities lie. It's critical for companies to maintain or increase their testing windows during down economic periods as cyber activities tend to trend up.

*   **Risk assessments:** When developing or enhancing applications, there are often company-created custom features and functionalities as well as those they integrated through a third party. Features and functionalities like this can include payments (Apple Pay, Google Pay, Stripe, PayPal, etc.), access (Facebook or Google login, etc.), biometrics, and more. As with vulnerability and penetration testing, companies must conduct regular risk assessments that include any third-party additions with which they work or integrate. The vulnerabilities inherent to these third parties have the potential to become issues for their business, too.

*   **Privacy protection:** Applications, especially those that are geared toward consumers as the end users, are particularly vulnerable to cyberattacks. Companies must continue to implement the processes and protocols that ensure the safety and encryption of user information.

*   **Bug bounty programs:** Historically, many technology companies or companies that offer applications and software host bug bounty programs that help to identify bugs or flaws. It's important for companies to continue investing in these types of programs that offer compensation to developers for their detections because, as mentioned earlier, flaws and bugs open a window for cybercriminals to exploit applications.

**Keep Priorities in Sight**

As companies look ahead and the economy continues to change, it's important they don't lose sight of their priorities. Yes, it's important to continue to find new revenue streams through applications to keep companies profitable. However, that doesn't have to come at the expense of application security.

Application Security Must Be Nonnegotiable

KnowBe4 partners with the Center for Cyber Safety and Education to support Black Americans in recognition of Black History Month to help further education.

**TAMPA BAY, Fla., Feb. 1, 2023 /PRNewswire-PRWeb/ —** KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today announced it has partnered with the Center for Cyber Safety and Education yo launch the KnowBe4 Scholarship for Black Americans for the fourth consecutive year.

The recipient of this award will receive a $10,000 scholarship on behalf of KnowBe4. This is a one-time award and students may reapply each year in the future to be considered for another scholarship. Applicants will be scored in three categories: passion, merit and financial need. The application period is now open and will close on April 17, 2023 at 11:59 p.m. EST.

"KnowBe4 is honored to commemorate the beginning of Black History Month with the launch of the 2023 Black Americans in Cybersecurity Scholarship," said Kelly Barrena, VP of global talent brand and outreach, KnowBe4. "We are passionate in our efforts to diversify the cybersecurity industry and to provide this opportunity to a student who is equally as passionate about the field. KnowBe4 looks forward to learning more about the applicants and selecting a deserving recipient."

For more information on and to apply for the KnowBe4 Scholarship for Black Americans administered by the Center for Cyber Safety and Education, visit https://www.iamcybersafe.org/s/knowbe4-black-americans-scholarship.

**About KnowBe4**

KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 56,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud, and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist, and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

**About the Center for Cyber Safety and Education**

The Center for Cyber Safety and Education (Center) is a non-profit charitable trust of (ISC)2 committed to making the cyber world a safer place for everyone. The Center works to ensure that people worldwide have a positive and safe experience online through award-winning educational programs, scholarships, and research. Visit http://www.IAmCyberSafe.org to learn more.

KnowBe4 to Offer $10,000 to Black Americans in Cybersecurity Scholarship

Study also reveals enterprises rely on multiple tools to ensure cloud security.

**DEL VALLE, Texas — (****BUSINESS WIRE****) —** ManageEngine, the enterprise IT management division of Zoho Corporation, today announced results from its new study, Cloud Security Outlook 2023. The study found that enterprises have a limited number of analysts running their security operations centers (SOCs) and are deploying multiple tools in an attempt to address their cloud security challenges.

According to Gartner, 85% of organizations will embrace cloud-first strategies by 2025. ManageEngine’s study has also revealed a surge in cloud adoption, with 72% of respondents using multi-cloud applications and another 5% using hybrid cloud systems. The adoption rate will further increase in 2023 and 2024 because 23% of respondents are planning to move to the cloud in the next 24 months.

Amid this situation, enterprises are forced to tackle numerous cloud security threats, including compromised accounts. Enterprises are hampered by short-staffed SOCs, which has led to concerns about their cloud security resiliency. As many as 77% of respondents stated that they only have three to five security analysts running their SOCs.

The ManageEngine study further revealed that enterprises are finding it increasingly difficult to gain visibility into cloud activities and comply with various stringent regulations. Nearly half (48%) of respondents find compliance with cybersecurity laws, especially those related to the cloud, to be highly challenging.

These factors are driving enterprises to adopt a consolidated security architecture that facilitates streamlined, efficient security operations. An overwhelming 97% of respondents will be evaluating a solution that provides all security functions in a single console in 2023.

“The adoption of CASBs and SIEM platforms helps enterprises ensure security and integrity. However, having different tool sets leads to a visibility gap and complicates cloud security management amid unpredictable threats," said Manikandan Thangaraj, vice president of ManageEngine. "Cyber resilience refers to the ability of an organization to ensure business continuity in the event of a cyberattack with the help of business processes and tools. Cloud security resilience, therefore, requires enterprises to have visibility, enhanced policy enforcement, infection isolation and impact neutralization from a unified security architecture."

The findings of the survey indicate that:

*   **A lack of staffing and orchestration makes the security process complicated.**
    *   Most respondents (84%) stated they either have fewer than five security analysts or don't have dedicated analysts at all to run their SOCs.
    *   94% of respondents use different security tools to protect data, monitor user access, adhere to compliance mandates and gain visibility into cloud platforms.

*   **The three most common and impactful cloud security threats are identity-based.**
    *   The IT professionals surveyed stated that cloud account compromise is the most common and impactful cloud security threat (35%), followed by external cloud account exploits (23%) and unauthorized access and account compromise by insiders (14%).

*   **Compliance proves to be challenging for enterprises.**
    *   About half (48%) of those who monitor their cloud access or have hybrid cloud systems deployed said that the process of ensuring compliance is highly challenging. Another 37% acknowledged that it is tough, but manageable.
    *   Only 16% of respondents said that they are all sorted when it comes to compliance with cybersecurity laws, especially those related to the cloud.

Visit ManageEngine's website to access the entire _Cloud Security Outlook 2023_ report at https://mnge.it/T8E.

**Survey Methodology**  

ManageEngine commissioned Censuswide, an independent market research agency, to study the cloud landscape and the market demand for cloud security tools. Around 500 IT professionals in the US were surveyed, spanning various industries, including healthcare, financial services, manufacturing and government.

**About ManageEngine**  

ManageEngine is the enterprise IT management division of Zoho Corporation. Established and emerging enterprises—including 9 of every 10 Fortune 100 organizations—rely on ManageEngine's real-time IT management tools to ensure optimal performance of their IT infrastructure, including networks, servers, applications, endpoints and more. ManageEngine has offices worldwide, including the United States, the United Arab Emirates, the Netherlands, India, Colombia, Mexico, Brazil, Singapore, Japan, China and Australia, as well as 200+ global partners to help organizations tightly align their business and IT. For more information, please visit manageengine.com, follow the company blog and get connected on LinkedIn, Facebook and Twitter.

ManageEngine Study Finds United States Enterprises Hit by Short-Staffed Security Operations Centers

Google Fi mobile customers have been alerted that their SIM card serial numbers, phone numbers, and other data were exposed in T-Mobile hack.

Google Fi has sent an email to customers to disclose that their account data was included in the more than 37 million customer records stolen from T-Mobile in November 2022.

Google Fi is a wireless plan that runs much of its service over T-Mobile networks.

Details on Google Fi customers, including phone number, SIM serial card number, and service plan details were among the stolen T-Mobile data. 

Google added in its email that the compromised information didn't contain "your name, date of birth, email address, payment card information, Social Security or tax IDs, driver's license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi or the contents of any SMS messages or calls."

However, Lior Yaari, CEO and co-founder of Grip Security, noted that potential cyberattackers can still do a lot of damage via SIM-swapping, by having access to the users’ phone numbers and SIM serial card numbers.

"At minimum, affected customers should consider changing out their SIM card to protect themselves," he said via email. "Once the hackers take over your phone number, they can use it for illicit purposes, or even bypass two-factor authentication that uses SMS."

Google Fi has not noted how many customers are affected. 

"Given the serious nature and impact of the breach, it’s surprising that Google has not disclosed the number of customers impacted, like what we have seen in other major breaches," Yaari said. Google did not immediately return a request for comment.

The latest T-Mobile data breach marks the second in two years for the mobile carrier.

Google Fi Users Caught Up in T-Mobile Breach

The new API incorporates threat intelligence research and employs machine learning to identify threats in the supply chain.

Software supply chain attacks where attack groups are tricking software developers in to integrating malicious open source components into their applications are on the rise. To help developers identify malicious packages, Checkmarx has launched Supply Chain Threat Intelligence, an API which delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, and malicious behavior.

Checkmarx says it identifies malicious packages by attack type, such as dependency confusion, typosquatting, and chainjacking. And contributor reputation is calculated by analyzing anomalous activity within packages.

Supply Chain Threat Intelligence is based on threat intelligence research by Checkmarx Labs, and includes the 150,878 malicious packages the group discovered in 2022, the company says. Checkmarx then employs machine learning, retro hunting, and cross-language hunting to identify emerging threats. The company also uses static and dynamic analysis to understand how the code in the package runs.

Security works best when it is part of the developer workflow. Checkmarx says Supply Chain Threat Intelligence integrates with widely use developer tools and environments. The developer obtains a unique token from Checkmarx, sends in a package name and its version number, and receives threat intelligence on the desired package. The developer then has information on what the package does, whether the package is considered malicious, and the reputation of the developer associated with the package.

Reporting packages don't stop attack groups, as they create new sock-puppet accounts and continue publishing them, Checkmarx says. The company maintains a data lake of all the packages scanned so that the team can continue analyzing them even after they have been deleted from package managers, the company says. This can help link multiple packages to the same threat actor, or uncover patterns over time.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Checkmarx Launches Threat Intelligence for Open Source Packages

Malware eventually has to exfiltrate the data it accessed. By watching DNS traffic for suspicious activity, organizations can halt the damage.

**Question: How does a threat actor utilize DNS communications in malware attacks?**

**Dave Mitchell, CTO, Hyas:** The idea that you can protect yourself from all malware is unrealistic, especially considering malware is an umbrella term that does not refer to any specific exploit, vector, goal, or methodology. Because the range of cyber threats is so wide and varied, there is no magic bullet that will repel every attack. So it's really only a matter of time before your network environment is compromised, forcing you to make some very hard decisions.

For instance, in the medical field, successful cyber attacks don't just affect an organization's ability to function; they also have major legal and reputational repercussions. Because of these circumstances, medical industry victims end up paying out ransomware demands at a higher rate than any other industry. If they were able to detect indicators of problems before they become full-blown attacks, healthcare organizations could save an average of $10.1 million per incident averted.

Most security solutions address a specific subsection of malware and/or infiltration vectors, but none of them can stop all threats at the gate. Even if they could, sometimes the gate is bypassed altogether. As we saw with the Log4J exploit and the recent compromise of the popular Ctx Python package, "trusted" resource libraries hosted on places like GitHub can be compromised by outside entities and used to deliver payloads of malware to thousands of endpoints without immediately triggering a red flag.

Not all threats lurk solely in cyberspace. Returning to the healthcare industry as an example highlights another attack vector that can get around all of your perimeter security — physical access. Most hospitals, physician's offices, pharmacies, and other medical facilities rely on networked terminals and devices located (or accidently left) in places where they can be accessed by patients, visitors, or other unauthorized users. In situations like these, it doesn't matter how well-defended your network is from outside attacks because the bad actor can simply insert a USB stick or use a logged-in device to access malware, compromising the network from within.

This may seem like an unwinnable situation, but thankfully there is one feature that ties the overwhelming majority of malware together — a shared Achilles' heel called the Domain Name System (DNS). More than 91% of malware utilizes DNS communication at some point during its attack lifecycle, making DNS an invaluable choke point in the fight against cyber threats.

When a piece of malware first finds its way onto your network, it tries to avoid detection. It uses this time as a reconnaissance phase during which it attempts to spread to more devices in the network environment, locate critical resources, and compromise backup storage.

It is also during this time that the malware needs to communicate back to the hackers' command and control (C2) infrastructure to receive instructions and report the information it has uncovered about the network. Like any traffic on the Internet, to communicate back out into the world, it needs to make a request to a domain name server. By employing a protective DNS solution, network administrators can monitor DNS traffic for indicators of malicious activity and then take action by blocking, quarantining, or otherwise disrupting it.

Unfortunately, with new threats being developed all the time and the ever-present risk of a physically initiated attack, companies must prepare for the inevitable successful breach of their network. However, once malware has gotten inside your network, it is almost certain to employ DNS communication at some point. A protective DNS solution can detect these abnormal requests and block them entirely, rendering the malware inert and letting you quickly begin the process of cleaning your systems and shoring up your defenses for next time.

How Can Disrupting DNS Communications Thwart a Malware Attack?

Five vulnerabilities in the baseboard management controller (BMC) software used by 15 major vendors could allow remote code execution if attackers gain network access.

Five vulnerabilities in the baseboard management controller (BMC) firmware used in servers of 15 major vendors could give attackers the ability to remotely compromise the systems widely used in data centers and for cloud services.

The vulnerabilities, two of which were disclosed this week by hardware security firm Eclypsium, occur in system-on-chip (SoC) computing platforms that use AMI's MegaRAC Baseboard Management Controller (BMC) software for remote management. The flaws could impact servers produced by at least 15 vendors, including AMD, Asus, ARM, Dell, EMC, Hewlett-Packard Enterprise, Huawei, Lenovo, and Nvidia.

Eclypsium disclosed three of the vulnerabilities in December, but withheld information on two additional flaws until this week in order to allow AMI more time to mitigate the issues.

Since the vulnerabilities can only be exploited if the servers are connected directly to the Internet, the extent of the vulnerabilities is hard to measure, says Nate Warfield, director of threat research and intelligence at Eclypsium.

"We really don't know what the what the blast radius is on this, because while we know some of the platforms, we don't have any details as to \[how\] prolific these things are," he says. "You know, did they sell 100,000 of them? Did they sell 10 million of them? We just don't know."

Baseboard management controllers are typically a single chip — or system-on-chip (SoC) — installed on a motherboard to allow administrators to remotely manage servers with near total control. AMI's MegaRAC is a collection of software based on the Open BMC firmware project, an open source project for developing and maintaining an accessible baseboard management controller firmware.

Many server makers rely on BMC software to allow administrators to take complete control of the server hardware at a low level, giving it access to "lights-out" features, the Eclypsium advisory stated. Because the software is widely used, the footprint of the vulnerable features is quite large.

"\[V\]ulnerabilities in a component supplier affect many hardware vendors, which in turn can pass on to many cloud services," Eclypsium stated in its advisory. "As such these vulnerabilities can pose a risk to servers and hardware that an organization owns directly as well as the hardware that supports the cloud services that they use."

AMI is the latest baseboard management controller (BMC) software maker to have vulnerabilities found in their code. In 2022, Eclypsium also found vulnerabilities in Quanta Cloud Technology (QCT) servers that have found common use by cloud firms. And previous research by the company in 2020 found that the lack of signed firmware in laptops and servers could allow an attacker to install a Trojan horse to remote control the devices.

**December Flaws Most Serious**

The two latest flaws released on January 30 include two lower severity issues. The first vulnerability (CVE-2022-26872) gives an attacker the ability to reset a password if they can time the attack during a narrow window between when a one-time password is validated and when the new password is sent by the user. In the second security issue (CVE-2022-40258), the password file is hashed with a weak algorithm, Eclypsium stated.

Both issues are less severe than the three vulnerabilities disclosed in December, which include two vulnerabilities — a dangerous command in the BMC's API (CVE-2022-40259) and a default credential (CVE-2022-40242) — that could allow simple remote code execution, Eclypsium stated in the advisory. The other vulnerability (CVE-2022-2827) allows an attacker to remotely enumerate usernames via the API.

The Redfish API replaces previous versions of the Intelligent Platform Management Interface (IPMI) in modern data centers, with support from major server vendors and the Open BMC project, according to Eclypsium.

Eclypsium conducted its analysis of the AMI software after the code was leaked to the Internet by a ransomware group. AMI is not thought to be the source of the leaked software code; rather, the code is a result of a third-party vendor being hit by ransomware, Warfield says.

"What we've discovered back in the summer was that somebody had leaked intellectual property for a bunch of technology companies onto the Internet," he says. "And, as we were digging through it ... trying to figure out what it was and who had it, we came across some of AMI's intellectual property. So we kind of started digging into that to see what we could find."

**Patching Rate Unknown**

AMI has issued patched software for all five vulnerabilities, and now the mitigation of the vulnerabilities is in the hands of server makers and their customers.

Already, many vendors — such as HPE, Intel, and Lenovo — have issued advisories to their customers. However, patching those servers will be up to the companies who have the servers deployed in their data centers.

Firmware patching tends to happen at a glacial rate, which should be a worry, says Warfield.

"The tricky part is the the time between the patches coming out and people actually applying them," he says. "BMC is not something with, sort of, a Windows update mechanism, where you can say, 'Oh, I've got 100,000 servers that are affected. Let me just push this out to all of them.'"

Firmware Flaws Could Spell 'Lights Out' for Servers

Security vulnerabilities in VMware's vRealize Log Insight platform can be chained together to offer a cybercriminals a gaping hole to access corporate crown jewels.

Three security vulnerabilities affecting VMware's vRealize Log Insight platform now have public exploit code circulating, offering a map for cybercriminals to follow to weaponize them. These include two critical unauthenticated remote code execution (RCE) bugs.

The vRealize Log Insight platform (which is transitioning its name to Aria Operations) provides intelligent log management "for infrastructure and applications in any environment," according to VMware, offering IT departments access to dashboards and analytics that have visibility across physical, virtual, and cloud environments, including third-party extensibility. Usually loaded onto an appliance, the platform can have highly privileged access to the most sensitive areas of an organization's IT footprint.

"Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it," said Horizon.ai researcher James Horseman, who did a deep dive into the public exploit code this week. "Often, logs ingested may contain sensitive data from other services and may allow an attack to gather session tokens, API keys, and personally identifiable information. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment."

Organizations should take note of the risk, especially since the barrier to exploitation for the bugs — aka, the access complexity — is low, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which reported the vulnerabilities.

"If you are doing centralized log management with this tool, it represents a significant risk to your enterprise," he tells Dark Reading. "We recommend testing and deploying the patch from VMware as soon as possible."

**Inside the VMware vRealize Log Insight Bugs**

The two critical issues carry severity scores of 9.8 out of 10 on the CVSS scale and could allow an "unauthenticated, malicious actor to inject files into the operating system of an impacted appliance which can result in remote code execution," according to the original VMware advisory.

One (CVE-2022-31706) is a directory traversal vulnerability; the other (CVE-2022-31704) is a broken access control vulnerability.

The third flaw is a high-severity deserialization vulnerability (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to "remotely trigger the deserialization of untrusted data, which could result in a denial of service."

**Creating a Bug Chain for Complete Takeover**

Horizon.ai researchers, after identifying the exploit code in the wild, discovered that the three issues could be chained together, prompting VMware to update its advisory today.

"This \[combined\] vulnerability \[chain\] is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads," Horseman wrote. "This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system."

That said, he offered a silver lining: The product is intended for use in an internal network; he noted that Shodan data turned up 45 instances of the appliances being publicly exposed on the Internet.

That does not, however, mean that the chain can’t be used from within.

"Since this product is unlikely to be exposed to the Internet, the attacker likely has already established a foothold somewhere else on the network," he noted. "If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

The three bugs were first disclosed last week by the virtualization giant as part of a cache that also included one other, a medium-severity information-disclosure bug (CVE-2022-31711, CVSS 5.3) that could allow data harvesting without authentication. The latter doesn't yet have public exploit code, though that could quickly change, particularly given how popular of a target VMware offerings are for cybercriminals.

There could also soon be multiple ways to exploit the other issues, too. "We have proof-of-concept code available to demonstrate the vulnerabilities," ZDI's Childs says. "We would not be surprised if others figured out an exploit in short order."

**How to Protect the Enterprise**

To protect their organizations, admins are urged to apply VMware's patches, or apply a published workaround as soon as possible. Horizon.ai has also published indicators of compromise (IoCs) to help organizations track any attacks.

Also, "if you are using vRealize or Aria Operations for centralized log management, you need to check what type of exposure that system has," Childs advises. "Is it connected to the Internet? Are there IP restrictions for who can access the platform? These are additional items to consider beyond patching, which should be your first step. It's also a reminder that every tool or product in an enterprise represents a potential target for attackers to gain a foothold."

Critical VMware RCE Vulnerabilities Targeted by Public Exploit Code

Everyone on Twitter wants a blue check mark. But Microsoft Azure's blue badges are even more valuable to a threat actor stealing your data via malicious OAuth apps.

Late last year, a group of threat actors managed to obtain "verified publisher" status through the Microsoft Cloud Partner Program (MCPP). This allowed them to surpass levels of brand impersonation ordinarily seen in phishing campaigns, as they distributed malicious applications bolstered by a verified blue badge only ever given to trusted vendors and service providers in the Microsoft ecosystem.

The MCPP is Microsoft’s channel partner program, inhabited by 400,000-plus companies that sell and support its enterprise products and services and also build their own solutions and software around them. Members include managed services providers, independent software vendors, and business app developers, among others.

Researchers from Proofpoint first discovered this activity on Dec. 6 of last year. A report published on Jan. 31 outlines how threat actors used their bogus status as verified app publishers within the MCPP program to infiltrate UK- and Ireland-based organizations' cloud environments. The fake solutions partners targeted employees in finance and marketing, as well as managers and executives, via malicious applications. Users who fell for the badge potentially exposed themselves to account takeover, data exfiltration, and business email compromise (BEC), and their organizations were laid open to brand impersonation.

Overall, the campaign "used unprecedented sophistication to bypass Microsoft’s security mechanisms," the researchers tell Dark Reading. "This was an extremely well-thought-out operation."

**How the Hackers Duped Microsoft**

To become a verified publisher, Microsoft Cloud Partners must meet a set of eight criteria. These criteria are largely technical and, as Microsoft outlined in its documentation, passing the bar "doesn't imply or indicate quality criteria you might look for in an app." But threat actors abusing the system to distribute malicious apps? That's not supposed to happen.

The trick in this case was that, before phishing end users, the attackers tricked Microsoft itself.

To wit: They registered as publishers under "displayed" names that mimicked legitimate companies. Meanwhile, their associated "verified publisher" names were hidden and slightly different. The example given by the researchers is that a publisher masquerading as "Acme LLC" might have a verified publisher name "Acme Holdings LLC."

Evidently, this was enough to skate by the systems' verification process. In fact, researchers noted, "in two cases, the verification was granted one day after the creation of the malicious application."

When reached for comment on the failure of the verification process, Proofpoint did not offer further details, and a Microsoft spokesperson merely noted, _“_Consent phishing is an ongoing, industrywide issue, and we’re continuously monitoring for new attack patterns. We've disabled these malicious apps and are taking additional steps to harden our services to help keep customers secure.” 

The spokesperson added, "The limited number of customers who were impacted by the campaign described in the Proofpoint blog have been notified."

**How the Hackers Duped Enterprise Users**

Having obtained their verified status, the threat actors began spreading malicious OAuth apps, an increasingly popular vehicle for cyberattackers in recent years. They rigged these apps to request broad access to victims' accounts.

"The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," according to an advisory published Jan. 31. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps."

OAuth — short for "open authorization" — is a token-based framework that enables users to authorize certain data sharing between third-party applications, without needing to divulge their login credentials in the process. A common example is the "log in with Google" or "log in with Facebook" options that many websites offer to avoid having to create a new set of credentials to use with the sites. OAuth dialogues are common enough that users typically just hit "Accept," without digging into the fine details of what they're agreeing to.

Snuffing out this consent phishing campaign would have required a great deal more vigilance than that.

Beyond the "verified publisher" stamp of approval, the attackers gave vague and innocuous names to the apps requesting permissions: Two were called, simply, "Single Sign-on (SSO)," and one "Meeting." And though publishing under the guise of other impersonated organizations, the attackers chose a household name to display to users at the requested permissions stage.

"The attacker(s) used different data fields to fool targeted users," the Proofpoint researchers said. "They used one name, identical to the impersonated org's name, as the visible publisher name. The other name was used as a hidden parameter, not visible in the malicious app's consent page."

In one case, "they used an outdated version of the well-recognized Zoom icon," the Proofpoint authors explained in the report, "and redirected to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility."

To conclude, they put it bluntly: "End users are likely to fall prey to the advanced social engineering methods outlined in this blog."

Victims who fell for the gambit granted their attackers permission to access special areas of their accounts, like their mailboxes and calendars. The permissions also included offline access, enabling the hackers to do what they wished entirely out of view.

**Bogus OAuth Apps: Takeaways for Business**

After learning about the campaign on Dec. 15, Microsoft disabled the malicious applications and associated publisher accounts. It then enlisted its Digital Crimes Unit to investigate further.

According to Microsoft, "We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future."

To defend against future campaigns of this kind, Proofpoint researchers recommended deploying effective cloud security solutions to help detect malicious applications, and pointed readers to Microsoft's advisory regarding consent phishing. Their most important bit of advice was "to exercise caution when granting access to third-party OAuth apps, even if they are verified by Microsoft."

"Do not," they wrote, "trust and rely on OAuth apps based on their verified publisher status alone."

Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status

Recent cyberattacks against SMBs across Europe have been traced back to copycat groups using leaked LockBit locker malware.

A recent spate of cyberattacks against small to midsize businesses (SMBs) across Northern Europe was initially believed to be the handiwork of LockBit, but following further investigation, it turns out that a copycat group is using leaked LockBit malware for campaigns of its own.

According reports from Belgium's Computerland publication, the "wannabes," while not as sophisticated as the LockBit operators themselves, were able to encrypt the files of at least one organization. The LockBit impersonators were able to exploit an unpatched FortiGate firewall, researcher Pierluigi Paganini explained.

"Despite not being the true LockBit locker group, these micro-criminals were still able to cause significant damage by encrypting a large number of internal files," Paganini added. "However, the company was able to restore its network from backups and no client workstations were affected during the intrusions."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading