As companies increasingly adopt MFA, cybercriminals are developing a variety of strategies to steal credentials and gain access to high-value accounts anyway.

As companies increasingly require stronger versions of security for their employees and customers, attackers are getting better at bypassing multifactor authentication (MFA), resulting in a steady stream of compromises, such as this week's announcement of a data leak at cybersecurity firm LastPass and the announced breach at social media service Reddit earlier in February. 

While multiple ways exist to bypass the flawed security of two-factor authentication (2FA) that uses one-time passwords (OTPs) sent through short message service (SMS) texts, systems protected by push notifications or using hardware tokens are considered much harder to compromise. Yet attackers have landed on a trio of techniques to get around the additional security: MFA flooding, proxy attacks, and session hijacking — focused on the user, the network, and the browser, respectively. 

"Most of the time, attackers are getting around weaker forms of MFA, especially those that use SMS, \[but\] there are plenty of techniques attackers use to circumvent MFA, including MFA flooding, SIM-swapping, and attacker-in-the-middle attacks," says Matt Caulfield, CEO of Oort, an identity-security provider.  

    

MFA bypass attacks increased in 2020 (green) compared with previous years. Source: Okta

**MFA Flooding & Fatigue**

The first target for attackers is often the human behind the keyboard. Overall, 82% of breaches involved the "human element," and more than 80% of Web application breaches are attributed to the use of stolen credentials, according to Verizon's "2022 Data Breach Investigations Report (DBIR)." 

MFA flooding, where an attacker will repeatedly attempt to log in using stolen credentials to create a deluge of push notifications, aims at taking advantage of users' fatigue for security warnings. "Push notifications are a step up from SMS, but are susceptible to MFA flooding and MFA fatigue attacks, bombarding the victim with notifications in the hope they will click 'Allow' on one of them," Caulfield says. 

Another popular tactic — the account reset attack — aims to fool tech support into giving attackers control of a targeted account, an approach that led to the successful compromise of the developer Slack channel for Take-Two Interactive's Rockstar Games, the maker of the Grand Theft Auto franchise.

"An attacker will compromise a user’s credentials, and then pose as a vendor or IT employee and ask the user for a verification code or to approve an MFA prompt on their phone," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Attackers will often use the information they’ve already compromised as part of the social engineering attack to lull users into a false sense of security."

**Session Hijacking & Pass-the-Cookie Attacks**

After a worker logs in to an online account or cloud service, a session cookie containing the user’s authentication credentials is typically set and remains active until the user ends the session by logging out. A common post-compromise tactic is for the attacker to harvest every cookie in the browser cache for potential use as a session hijack or pass-the-cookie attack. Malware such as Emotet has this functionality as a regular feature.

Other variants of this attack use cross-site scripting or malicious browser extensions to take control of a user's session after they pass the MFA barrier, says NCC Group's LaRose.

"The ultimate goal of this technique is to attack the user’s session indirectly, and therefore not interact with the stronger security controls in the login flow," he says.

**Proxy Attacks & AitM**

Finally, attackers can try to compromise infrastructure between the users device and a cloud service or online site. Using a compromised or malicious server to intercept requests from the user and destination server, a proxy attack — or adversary-in-the-middle (AitM) attack — allows cyberattackers to harvest the authentication mechanism in real time.

"This allows the attackers to bypass most available methods of MFA, since the user is providing the site, and the hacker, with both the username and password and additional authentication," Drew Trumbull, incident response team lead with the Information Security Office at the University of North Carolina, said in a review of the technique.

The technique may have contributed to the breach at LastPass, where "the threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA," according to the company's statement.

**Resetting the Matrix**

To defend against the latest attacks, companies should deploy phishing-resistant MFA, which consists of something you own, such as a hardware key, and something you are, such as a biometric. Common hardware key solutions, such as Yubikey, have made phishing-resistant MFA more easy to deploy, says NCC Group's LaRose.

Unfortunately, there are still hurdles for companies in adopting hardware keys, making it difficult to attain complete coverage, says Oort's Caulfield.

"Just the logistics of shipping hardware-based security keys to every employee and managing the process when they lose them can be a nightmare," he says. "Shipping laptops and security keys to contractors is even harder."

And with the increased overhead to manage the devices comes another in-road for attackers — resetting an account following a lost or stolen device. By pretending to be the victim, an attacker can claim to have lost a device, allowing them to enroll a new factor upon sign-in or act during a reset grace period, says Oort's Caulfield. 

"MFA resets are a massive challenge," he says. "It’s likely we’ll see attackers shifting from the factor as a weakness to the registration and reset process."

And indeed, rather than use a hardware token, workers and consumers are far more likely to subscribe to a security question or use a time-based OTP (TOTP) received through email or SMS. Nearly 80% of users polled at identity-provider Okta, for example, use email as a second factor — and nearly 40% have a TOTP pushed to them through an application — while only about 5% use a token or Yubikey, according to Oort's "2023 State of Identity Security" report. Users of Azure AD and Duo Security show similar preferences, the report noted, with security questions and SMS passcodes dominating enrollment numbers.

Cyberattackers Double Down on Bypassing MFA

The biggest dilemmas in running a modern cybersecurity team are not all about software, said CISOs from HSBC, Citi, and Sepio.

Managing risk on a global scale has always been challenging, but in the aftermath of the COVID pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous development (CI/CD) have emboldened threat actors with new and broader targets.

Meanwhile, the number of devices and endpoints on organizations' networks have increased exponentially. Two veteran CISOs lamented the challenges these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio's CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.

Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.

**1\. Maintaining Visibility of All Network Assets**

Cybersecurity professionals have historically struggled to gain complete visibility into what's on their networks and threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and SaaS, offer better visibility than traditional software because modern apps were built to be more secure.

But overshadowing that benefit is the sheer scale of all the components associated with modern applications. "An asset used to survive 5, 6, 7 years, or longer if you include the underlying operating systems, whereas now the lifetime of the container can be measured in seconds or maybe minutes," Froggett said. That creates "a whole new set of \[visibility\] challenges from that perspective."

Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and tracking them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn't work, she said, because of the scale and the speed by which devices and software are deployed. "One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date," Shivanandan said.

**2\. Avoiding New Risks When Adding Apps**

Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is impossible, HSBC has rigorous processes around onboarding a new technology, which includes "a lot of pen testing and red teaming."

"Unfortunately, with the number of parties we have, we cannot do it for everyone," she added. "We do it for a select few." The problem is "every software change and every new release can knowingly or unknowingly introduce something new. It's a constant battle that we're facing."

Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. "Ultimately, you can't usually do source code reviews" of everything that comes in, he said.

**3\. Recruiting and Retaining Skilled Talent**

The shortage of experienced cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. "All the technology in the world is only as good as the people there to make sure that we install \[everything\] correctly and keep it up to date," she said.

Shivanandan said despite considerable progress, it remains difficult for women to break the glass ceiling. She believes men have an outsized presence in senior cybersecurity roles compared to the entire IT industry.

"When you start out at the lower levels, there's \[an\] equal \[proportion of\] men and women, 50-50, sometimes even 60-40 women," she said. "Then, as you go through the progression, the women drop out, and the men continue to progress from a seniority level."

Nevertheless, Shivanandan said women face fewer barriers today compared with when she started out. She said, "When I was starting out, they wanted to pat you on the head and say, 'dear, don't worry your pretty little head, I'll take care of technical things.' But not anymore. There's no ceiling for a woman to get into any position now. It's a matter of just perseverance."

Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. "The women and the men are both fantastic, and that's the thing that you really want to look for," she said.

Froggett said during his nearly 25 years at Citi, most of his bosses were women. "The job's not done for sure, but there is definitely more of a balance \[of men and women in senior leadership roles than\] I saw five or 10 years ago."

Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team has some sort of neurodiversity, she said. According to research, an estimated 15%-20% of people have some form of neurodivergence such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.

Shivanandan said those conditions are often assets: "That's what makes them fabulous in the job." But she added, "I think that's probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective."

CISOs Share Their 3 Top Challenges for Cybersecurity Management

The data protection capability is now available across multiple Workspace applications: Gmail, Calendar, Drive, Docs, Slides, Sheets, and Meet.

Google is rolling out client-side encryption Gmail and Calendar, which would allow users to create meeting events as well as send and receive emails which have been encrypted before being sent to Google servers. Client-side encryption will be available to organizations with Google Workspace Enterprise Plus, Education Standard, and Education Plus plans. All other types of Google Workspace accounts and personal Gmail accounts will not get client-side encryption.

Google enabled client-side encryption for Google Drive, Docs, Slides, Sheets, and Meet last year, so with the latest update, client-side encryption is now available across Workspace applications. Workspace administrators have to enable client-side encryption before users can use it.

Client-side encryption means the data is encrypted within the user’s browser before it is transmitted or stored on Google servers. Because the client-side decryption keys are created by a cloud-based key management service, organizations retain control over who has access to their data. For example, if there is a government request for Google Workspace data, Google will not be able to provide the information because Google doesn’t have the decryption keys. Adversaries would have to target the organization’s specific key to access the data. For some organizations, this level of control is necessary to meet regulatory compliance requirements.

Media giant Groupe Le Monde rely on client-side encryption across Workspace to ensure journalists’ safety by protecting communications, appointments, and files from potential leaks, Ganesh Chilakapati, a Google Workspace group product manager, and Andy Wen, director of product management for Google Workspace Security, wrote in a Google Workspace blog post.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Adds Client-Side Encryption to Gmail, Calendar

Platform uniquely designed to facilitate automated compliance, security behavior change.

**MINNEAPOLIS****,** **Feb. 28, 2023** **/PRNewswire/ --** Hoxhunt, the leading cybersecurity behavior change software company, today announced the availability of the industry's foremost Human Risk Management Platform and three new products. For the first time, cybersecurity leaders can now focus on true visibility and measurable outcomes, not just regulatory and audit compliance.

According to the World Economic Forum, 95 percent of data breaches can be traced back to human error, mostly from clicking on targeted phishing attacks. Hoxhunt delivers high-ROI resilience with minimal resources by automating the transition of employees from being the greatest security risk to the most valuable resource. Hoxhunt's Human Risk Management Platform enables human threat intelligence—which is the only way to catch the millions of sophisticated phishing attacks that evade technical filters each year--into the security stack.

The AI-enabled platform offers three new products that can be aligned with an organization's security maturity state.

*   The new Comply product enables security awareness programs to be delivered automatically. From choosing the curriculum to customizing training content, Hoxhunt Comply enables security leaders to build a comprehensive program at the click of a button.
*   The Hoxhunt Change product adds capabilities to the market leading security behavior change solution. The advanced AI engine and machine learning algorithms transform employees into a global network of threat detection sensors that protect themselves and their organizations from threats that have infiltrated the perimeter. The AI platform delivers individualized, adaptive training experiences for employees at the edge of their skill levels at scale, resulting in lasting and measurable improvement. Even real phishing attacks are transformed into vital learning experiences when employees detect them. The platform assesses and expands individual abilities with quick micro-training nudges based on in-the-moment responses to both real and simulated phishing attacks, which in turn creates long-term engagement and optimal online behavior for employees.
*   Respond helps make sense of the threat feed to the SOC and automatically pinpoints the incidents that need attention. The Hoxhunt platform analyzes over 93,000 newly reported threats every day that have bypassed traditional security technology layers. Now organizations can harness the power of a global network of 1.5M human threat sensors to prevent the most malicious ransomware and BEC attacks.

Hoxhunt was established to take a people-first approach, going beyond traditional, compliance-based security awareness training and enabling a risk-based security strategy via measurable security behavior change.

"As bad actors refine their tactics, searching for gaps in security controls, employees have become the largest attack vector for cybercriminals looking to penetrate into corporate networks," said Mika Aalto, Co-Founder and CEO at Hoxhunt. "Employees are often overlooked as a part of an organization's security posture and attackers continue to exploit this. In most organizations, at best, employees receive generic awareness training in order to meet corporate compliance goals, initiatives which fail to alter employee cyber behavior or create the ability to detect and respond to social engineering attacks. Hoxhunt was established to solve this uncontrolled issue. With our human risk platform, organizations can significantly alter their employees' security skill levels to create a strong human detection engine when attackers surpass technical layers."

Hoxhunt's full-stack, AI-driven platform delivers:

*   **Increased Visibility:** Provides visibility into the true risk of an organization's human layer and the threats that have (or could have) infiltrated their systems.
*   **Measurable Risk Reduction:** Hoxhunt transforms employees into security assets, creating a global human threat sensor network to detect and eliminate email threats that slip past your technical protections. Hoxhunt drives the failure rate to just 2%, compared to 25% when using alternative phishing tools.
*   **Streamlined** **Reporting:** Maintains full control and visibility of employee training progress across departments, automatically generating reports that CISOs can utilize to translate improvements in organizational security posture.

Since its inception, Hoxhunt has helped some of the world's leading companies graduate from security awareness training into security behavior change and human risk management, including Airbus, DocuSign, Kaercher, and Victorinox. The company has also received numerous accolades in recent months. Hoxhunt was named a Best Software Company (EMEA) by G2 and received three awards from TrustRadius for security excellence.

To learn more about Hoxhunt and to request a demo, please visit: https://www.hoxhunt.com/.

**About Hoxhunt**

Hoxhunt helps security leaders and employees join forces to prevent data breaches. Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk.

Hoxhunt Launches Human Risk Management Platform

**MIAMI****,** **Feb. 28, 2023** **/PRNewswire/ --** Network Assured shared the results of a recent study on cyberattacks against U.S. healthcare organizations. It looked at the total number of data breaches historically, the number of individuals affected, and the financial cost of each breach. One of the more stark findings of the report was that two of the worst healthcare data breaches in U.S. history happened in the past 12 months.

**Is Healthcare Cybersecurity Getting Worse?**

Despite a minor decrease in the number of attacks against healthcare organizations from 2021 (715 breaches) to 2022 (707 breaches) the severity of attacks by records compromised, continued to increase.

The breach of OneTouchPoint Inc. saw 4,112,892 records compromised. It was the largest healthcare data breach of 2022 and the 9th largest of all time. The breach of Advocate Aurora Health saw more than 3 million patients' data compromised. It was the 2nd largest healthcare breach of 2022 and the 10th largest of all time.

Other study results indicated that:

*   **The healthcare data of minors was a particular focus of 2022 cyberattacks.** The 2022 breach of Connexin Software, that provides management software for pediatric practices, saw the healthcare records of more than 2 million minors compromised.
*   **Ransomware, malware, and phishing emails were involved** in the majority of the year's worst data breaches.
*   **A higher volume of smaller healthcare organizations are being affected:** While the largest breach of all time was in 2014, the latest year saw more individual organizations affected by data breaches than ever before.

**Third-party Vendors a Primary Cause of Healthcare Data Breaches**

The report found that insecure third party vendors were a consistent cause of high impact data breaches. Both the worst healthcare breach of 2022, and the second worst of all-time came as a result of Business Associates failing to properly secure patient information.

**Dark Web Incentivizing Healthcare Cyberattackers**

The report found that patients healthcare data obtained through cyberattacks is most commonly sold. On the dark web, an individual healthcare record can be worth as much as $250. According to the report's author Aaron Weissman, _"A complete medical record contains all of a someone's personal identifying information. That information can be used to register identification documents or apply for credit cards. Even incomplete medical records can be aggregated with other stolen information to create a complete individual identity profile."_

**Basic Cybersecurity Practices Lacking in Healthcare**

The report challenges the narrative that the increasing severity of cyberattacks is a result of the increasing sophistication of malicious actors. In many of the worst data breaches on record, investigators found that even basic cybersecurity practices were lacking.

In the worst healthcare breach of all time, investigators cited "a lax credential management policy and a lack of a risk management program" as a causal factor in the attack. The second largest healthcare data breach of all time, was "determined to have occurred because of the lack of a cybersecurity program."

To see the complete findings, including a full breakdown of the largest healthcare breaches by records stolen, and damage incurred, with full color charts, please see visit the study here.

**About Network Assured**

Network Assured is a free, independent advisory that helps businesses price cybersecurity services, perform due diligence, and find better vendors. Learn more at www.NetworkAssured.com.

Two of The Worst Healthcare Data Breaches in US History Happened Last Year

The adversaries obtained a decryption key to a LastPass database containing multifactor authentication and federation information as well as customer vault data, company says.

The threat actors who broke into password management firm LastPass's development environment last August used information gathered from that incident for a follow-on attack, the company confirmed. The cyberattackers were able to access and exfiltrate data from an encrypted cloud storage service housing a backup of LastPass customer and vault data.

To pull off the heist, the adversaries targeted a home computer belonging to one of four DevOps engineers at LastPass who had the decryption keys needed to access a broader set of LastPass customer and encrypted vault data housed in encrypted Amazon S3 cloud storage buckets. 

The engineer's machine had a vulnerable third-party media player that the attacker exploited to gain access to the computer and install a keylogger on it. The malware eventually enabled the threat actor to gain access to the DevOps engineer's corporate vault and to export the decryption keys needed to access the AWS S3 LastPass production backups, LastPass said.

**Attacker Had Access to Broad Range of Data**

The DevOps engineer's credentials and keys allowed the threat actor to access a broad range of encrypted and unencrypted data — including password vault data — housed in the AWS S3 storage environment, LastPass announced this week. The backup data included configuration information, API and third-party integration secrets, customer metadata, and backups of all customer vault data. However, LastPass described most of the sensitive data in the customer vaults as encrypted and readable only with a unique decryption key derived from each end user's master passwords. 

"As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass — therefore, they were not included in the exfiltrated data," the company said.

In addition, the attacker also accessed a backup of a database containing LastPass multifactor authentication (MFA) and federation information. The database included MFA seeds assigned to users when they first registered their MFA authenticator with LastPass, hashes of customer generated one-time passwords (OTPs), and so-called split knowledge components or K2 keys associated with business customers. The secrets that business customers use to integrate third-party MFA vendors such as Duo Security with LastPass were also affected. 

"This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor," LastPass said, which has offered up a complete description of all affected data.

**Latest Twist in Unfolding Tale**

The update sent out Feb. 27 is the latest twist in a breach tale that has been slowly growing in scope since last August, when LastPass disclosed that it had spotted unusual activity on its network. At the time, the password management firm said threat actors had broken into its cloud development environment via a compromised software engineer's laptop and stolen some source code and other proprietary technical information. In updates in November and December, LastPass said the same threat actors had used information obtained in the August incident to access and decrypt a limited number of storage volumes within the cloud-based storage service.

LastPass' most recent update is unlikely to win the company any new fans in the security industry, especially because of how the scope of the incident has kept changing with each disclosure. When it first reported the breach last August, company CEO Karim Toubba described it as limited to the company's development environment and claimed the company had "achieved a state of containment." In its subsequent updates, the company reassured users about the separation between its development and production environments and why their information was therefore safe. With this week's announcement, LastPass said the attack on its cloud storage environment had overlapped with the attack on the development environment.

"The company now has a history of breaches and, depending on how you count, this is the third in less than a year," says Eric Noonan, CEO of CyberSheath. At a tactical level, it's hard to know what they might have done better, because information about the breaches have been relatively scant, he says. "In the bigger scheme of things this is what CISA, and other accountable government agencies are talking about when they say product companies have a responsibility to build security and safety into their products prior to unleashing them on the public," Noonan says.

**Review Master Passwords**

The company has advocated that business customers and individual customers review their master passwords and change them if necessary. Users who have followed the company's previous recommendations for setting a master password should be safe from brute-force guessing methods.

The attack is further proof of how inextricably linked enterprise security has become with the security of the networks and devices that employees use at home, security experts say.

CISOs must understand the implications of a personal device compromise, a home network being wide open, or personal compromise impacting the company, says Chris Pierson, CEO and founder of BlackCloak. "The risks are no longer theoretical and never have been," Pierson says. "Because corporate environments have become so well fortified, cybercriminals are moving to the lowest-hanging fruit," which are often are the personal devices of key employees and executives, he says.

A survey that BlackCloak conducted recently found that the personal desktops, mobile, and tablet computing devices that key corporate executives use often are vulnerable and lack basic protections. BlackCloak's data showed, for instance, that 76% of executives' personal devices leak data actively, 87% of executives' personal devices have no security installed on them, and 23% of executives have open ports at home. The survey showed that 87% of executives use passwords that are currently leaked on the Dark Web, 54% do not use a password manager, and social media sites and data brokers have a lot of information that attackers can use to social engineer them.

**Focusing on Home Users & Devices**

Attacks like the one LastPass disclosed this week highlight why security teams need to focus more on protecting employees from account takeover attacks wherever they are and whatever device they might be using, says Avi Turgeman, CEO and co-founder of IronVest. 

"They need to take a more holistic approach to protecting \[employees against\] all critical vulnerabilities," Turgeman tells Dark Reading. This includes implementing measures such as identity authentication, access management, post-login protection, 2FA/MFA protection, and phishing. "Eighty percent of data breaches are a result of compromised credentials," he notes.

LastPass DevOps Engineer Targeted for Cloud Decryption Keys in Latest Breach Revelation

The framework-as-a-service signals an intensification of the cat-and-mouse game between defenders detecting lateral movement, and cybercriminals looking to go unnoticed.

The post-exploitation tools market has chalked up a newcomer with the emergence of Exfiltrator-22. An upstart alternative to Cobalt Strike, the Exfiltrator-22 framework-as-a-service (FaaS) tool set, first seen in December, was "likely" developed by ex-affiliates of the notorious LockBit ransomware gang, according to researchers.

According to a Cyfirma report on Feb. 28, Ex-22 possesses advanced post-exploit capabilities that include elevated reverse shell, remote file download and upload, screenshot and live session monitoring of infected devices, privilege elevation capabilities and LSASS credential dumping, and persistence capabilities. Buyers get access to an administration panel through a $1,000 monthly subscription. The researchers say they're moderately certain this crew is operating out of Asian countries and engaged in an ambitious buildout of its own affiliate program, along with an "aggressive" marketing campaign. 

Meanwhile, recent samples of LockBit 3.0 campaigns show they utilize the same command-and-control (C2) infrastructure as Exiltration-22.

The Ex-22 creators claim their framework is "fully undetectable" by every antivirus and endpoint detection and response (EDR) vendor. While that's not totally true, "as of 13th February 2023, the malware still has 5/70 detections on Online Sandboxes, even after multiple dynamic scans being performed," the report explains. "This tells us that the threat actors are skilled at anti-analysis and defense evasion techniques."

The analysis points to what some security pundits see as a slight shift in the winds of post-exploit activity. While Cobalt Strike still remains the dominant tooling of choice for the bad guys, security tooling capable of picking up on activity stemming from this framework is mounting, and the criminal marketplace is spinning up to provide a more stealthy alternative. Last year's most notable example of this movement was the increased adoption of Brute Ratel C4 for malicious post-exploit activity.

"With continuous improvements and support, Ex-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post exploitation phase but do not want to go with the traditional tools due to high detection rates," the report explained.

**Post-Exploitation Options Proliferate**

Interestingly, Ex-22 is actually the second high-profile, highly evasive post-exploitation framework uncovered by security researchers this month. Earlier in February, researchers with Zscaler ThreatLabZ published an analysis of a campaign they observed targeting a government organization using a C2 framework called Havoc.

"While C2 frameworks are prolific, the open source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques, such as indirect syscalls and sleep obfuscation," wrote Zscaler researchers Niraj Shivtarkar and Shatak Jain in a Feb. 14 analysis.

Meantime, in January researchers with Cybereason detailed recent campaigns utilizing the C2 framework Sliver for post-exploitation activity. This follows up on work done by Microsoft and Team Cymru tracking the rise of Sliver. An open source alternative, Sliver is also cross-platform, offering support for action on OS X, Linux, and Windows.

Exfiltrator-22: The Newest Post-Exploitation Toolkit Nipping at Cobalt Strike's Heels

Unknown attackers made off with a raft of PII, the Justice Department says — but witnesses in the protection program are still safe.

The US Marshals Service (USMS), which is tasked with hunting down fugitives and administering the Witness Security Program, was hit with a "major" ransomware incident and data breach in mid-February, officials said.

Despite the ransomware element, USMS's fugitive-hunting operations have continued in the wake of the cyberattack, officials said. However, on Feb. 17, unidentified cyberattackers absconded with a treasure trove of important data, according to Drew Wade, a Justice Department spokesperson.

"The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information \[PII\] pertaining to subjects of USMS investigations, third parties, and certain USMS employees," he told NBC News.

Meanwhile, the outlet cited unnamed sources within the DoJ as confirming that the Witness Security Program (known as the "witness protection program" in films and TV) was not affected.

The attack impacted a "standalone USMS system," Wade said, which was quarantined from the rest of the network. Even so, the incursion should be seen as a "major incident,” he added.

A concrete motive for the attack and the culprits behind it may emerge over the course of the investigation, but targeting the PII could be a prelude to a broader cyber offensive, according to Lior Yaari, CEO and co-founder of Grip Security.

"The US Marshals data breach is another example of how cybercriminals aim for identities — the most common threat target," he says, noting that the data in general would be valuable to a wide range of attacker types. "In this case, attackers were able to exfiltrate and add to the identity fabric for individuals in the USMS system, including prisoners. Compromised identities give cybercriminals an embedded position in identity fabric, thereby extending their presence anywhere and everywhere the identity goes."

US Marshals Ransomware Hit Is 'Major' Incident

Marcus Hutchins, who set up a "kill switch" that stopped WannaCry's spread, later pled guilty to creating the infamous Kronos banking malware.

It's a new chapter for Marcus Hutchins, the security researcher who was hailed a hero in May 2017 after inadvertently stopping the spread of the infamous WannaCry worm with a sinkhole he created.

Hutchins, who was arrested for creating and selling the Kronos banking Trojan a few months after his kill switch quelled WannaCry, has been named the first-ever fellow for the cybersecurity online training platform Cybrary, which serves some 3 million students. In his new role, Hutchins will head up training events and mentoring programs, advise on training content, and help build new virtual labs and other hands-on educational tools.

"When I started out in cybersecurity, high-quality training resources were few and far between. My peers and I often found ourselves making do with a mismatch of random blog posts and forum discussions. Since then, I've always strived to create the resources I wish I had access to back then," Hutchins said in a statement. "I'm a strong believer in expanding access to these foundational training resources and increasing the accessibility of the domain-specific material that is required to help people find their place in our industry."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WannaCry Hero & Kronos Malware Author Named Cybrary Fellow

The opportunistic "SCARLETEEL" attack on a firm's Amazon Web Services account turns into targeted data theft after the intruder uses an overpermissioned service to jump into cloud system.

A vulnerable Kubernetes container and lax permissions allowed an attacker to turn a opportunistic cryptojacking attack into a wide-ranging intrusion that targeted intellectual property and sensitive data.

The attack, which cloud-security firm Sysdig dubbed "SCARLETEEL," started with a threat actor exploiting a Kubernetes cluster, using an internal service to gain temporary credentials, and then used those credentials to enumerate other Elastic Compute Cloud (EC2) services that had been deployed in the targeted company's infrastructure. In the end, the company — which was not named in the incident report published today — had properly limited the scope of permissions for the stolen identity, which blunted the attack.

The incident, however, underscores that companies need to be careful when configuring the controls that allow cloud resources to interact with each other, says Michael Clark, director of threat research at Sysdig.

"Having EC2 roles being able to access other resources can be common, though usually it is tightly scoped to prevent incidents like this one," he says. "It's more about understanding how misconfigurations like this can combine with other issues leading to a larger breach."

The sophisticated cyberattack also shows that attackers are increasingly targeting cloud infrastructure in better ways. In the past, threat actors have focused on rudimentary interaction with cloud services, such as deploying cryptojacking software, but as they understand the vulnerabilities introduced by businesses in their own environments, cloud-focused attacks are becoming more popular.

In fact, observed cloud exploitation cases nearly doubled in 2022, while the number of incidents where threat actors interacted with cloud resources nearly tripled, cybersecurity services firm CrowdStrike stated in its latest annual "Global Threat Report" published on Feb. 28.

"It took a while for them to figure out how to operate in the cloud," says Adam Meyers, head of intelligence at CrowdStrike. "Organizations really need to be taking a hard look at their cloud security, because the cloud comes secure out of the box, but as people start to operate on it and change it, they make it less secure."

**From Minor to Major Security Breach**

The attacker compromised the target's cloud infrastructure through a vulnerable Internet-exposed service that allowed access to a Kubernetes pod, a technology used to manage and deploy containerized applications. Once inside the cluster, the attacker used the access to deploy containers with cryptojacking software, essentially stealing processing capacity from the victim's cloud infrastructure to mine for cryptocurrency.

"This is a common practice in automated container threats," Sysdig researchers stated in their analysis, adding that the attackers then "exploited that role to do enumeration in the cloud, search for sensitive information, and steal proprietary software."

The attackers had knowledge of how to move through the AWS cloud, including EC2 services, connecting to Lambda serverless functions, and using the continuous integration and continuous deployment (CI/CD) service known as Terraform. Because Terraform often saves the state of its pipeline to Simple Storage Service (S3) buckets, the attacker was able to retrieve those files and find at least one more additional credential in the plaintext data.

The second identity, however, had limited permissions, stopping the attacker's lateral movement, Sysdig stated in its analysis. Meanwhile, the attacker's attempts to enumerate users and cloud infrastructure led to detection, Clark says.

"It was caught by abnormal amounts of AWS actions being taken, especially from roles that shouldn't be making those types of requests," he says. "There is a threat intelligence aspect \[too\] — some of the IP addresses, which were involved, have been associated with malicious activity in the past."

**Misconfiguration, Not Lack of MFA**

The takeaways of the attack? For one, companies need to ensure that they have good visibility into the operation and telemetry of their cloud infrastructure. In addition, limiting access — even assigning read-only access to specific cloud resources — can make all the difference in stopping an attack while in progress. The more attackers hammer at resources using stolen identities, the greater chance of detecting them, according to Sysdig.

"First, zero trust and the principle of least privilege are important and if you implement them, you will reduce the likelihood of compromise," the researchers wrote. "Second, strong detections and alerts should help you catch these activities before an attacker gets too deep."

Clark also points out that multifactor authentication (MFA) technologies will likely not make a great deal of difference in blunting cloud infrastructure attacks, since most of the cloud identities that attackers take advantage of are machine identities — so, alternate protections need to be put into place.

"MFA may have been helpful for the other involved accounts to prevent their access," Clark says, "but these were internal accounts made for automation purposes rather than ones that were expected to be logged into by a person."

Source

DARKReading