Open source Prometheus servers and exporters are leaking plaintext passwords and tokens, along with API addresses of internal locations.

Statue of PrometheusSource: luminous via Alamy Stock Photo

Reseachers have discovered hundreds of thousands of servers running Prometheus open source monitoring software on the open Web are exposing passwords, tokens, and opportunities for denial of service (DoS) and remote code execution.

As a leader among open source observability tools, Prometheus is used widely by organizations to monitor the performance of their applications and cloud infrastructure. But it comes with a catch: As noted in its documentation, "It is presumed that untrusted users have access to the Prometheus HTTP endpoint and logs. They have access to all time series information contained in the database, plus a variety of operational/debugging information."

Apparently, a whole lot of users either aren't aware of the ways in which Prometheus is exposed by default, or don't realize the value of the data that's exposed along the way. Using Shodan, researchers from Aqua Nautilus discovered more than 40,000 exposed Prometheus servers, and more than 296,000 exposed "exporters," which the program uses to collect data from monitored endpoints. The researchers found sensitive data in those servers and exporters, and opportunities for "repojacking" and DoS attacks.

**What Prometheus Exposes**

On first impression, the data Prometheus collects might seem rather bland: application performance metrics, metrics associated with particular cloud tools, CPU, memory, and disk usage, for example.

"We think that it's only statistics — it's only information about the health of the system. That's the problem," says Assaf Morag, director of threat intelligence at Aqua Nautilus. Probing the data from the perspective of an attacker reveals all kinds of information that could lubricate cyberattacks.

"We noticed that we can actually see plaintext passwords and tokens, and API addresses of internal locations that should be kept hidden," Morag says. For example, he found one exposed and unauthenticated instance of Prometheus belonging to Skoda Auto, the Czech automobile manufacturer, which revealed some of the company's subdomains, and Docker registries and images.

Besides exposing secrets, open Web Prometheus servers and exporters also carry a risk of DoS. There's the '/debug/pprof' endpoint, for example, which helps users profile remote hosts, and is enabled by default by most Prometheus components. In their testing, the researchers demonstrated that they could overload the endpoint to disrupt communications or outright crash Amazon Web Services Elastic Compute Cloud (AWS EC2) instances or Kubernetes pods.

"The result was conclusive: We ended up stopping virtual machines each time we ran our script," Morag reports. To drive home the significance of such an attack scenario, he jokes, "I read somewhere that Kubernetes clusters run in fighter jets. I don't think that they are exposed to the Internet, but \[it goes to show\] we run Kubernetes in lots of places today."

**Repojacking Opportunities in Prometheus**

Users can protect their Prometheus servers and exporters by taking them offline, or at least adding a layer of authentication to keep out prying eyes. And, of course, there are tools designed to mitigate DoS risks.

Less easily solved is a third issue in the platform: Several of its exporters were found vulnerable to repojacking attacks.

The opportunity for repojacking can occur whenever a developer changes or deletes their account on GitHub and doesn't perform a namespace retirement. Simply, an attacker registers the developer's old username, then plants malware under the same title as the developer's old, legitimate projects. Then any projects that reference this repository but aren't updated with the correct redirect link can end up ingesting the malicious copycat.

Prometheus' official documentation referenced several exporters associated with freely claimable usernames, meaning that any attacker could have stepped in and taken advantage to perform remote code execution. Aqua Nautilus reported the issue to Prometheus, and it has since been addressed.

Repojacking opportunities are likely far more widespread than is realized, Morag emphasizes, so organizations need to be monitoring any discrepancies between the projects they rely on and the links they follow to access them. "It's not that difficult," he says. "But if you're doing it for millions of open source projects, that's where the problem starts. If you use an automated \[scanning tool\], you could be safe."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

336K Prometheus Instances Exposed to DoS, 'Repojacking'

Law enforcement across mainland China have been using EagleMsgSpy surveillance tool to collect mobile device data since at least 2017, new research shows.

Source: Vicky Barlow via Alamy Stock Photo

NEWS BRIEF

A surveillance tool named EagleMeSpy, developed by a Chinese software company for legal use by the country's public security bureaus, has been scraping the most sensitive data from targeted Android devices since at least 2017.

Researchers at Lookout warn that the EagleMeSpy spyware has been under constant development, and while at the moment they have only seen evidence of an Android version, analysis of the tool's infrastructure indicates a potential Apple iOS version is out there somewhere as well.

Unlike other commercial spyware products, EagleMeSpy requires physical access to the targeted device to deploy the tool, the Lookout team found. The researchers reported they found no evidence of the spyware in Google Play or any other app stores, leading them to conclude Chinese law enforcement officials are the only ones initiating the surveillance software infection.

"An installer component, which would presumably be operated by law enforcement officers who gained access to the unlocked device, is responsible for delivering a headless surveillance module that remains on the device and collects extensive sensitive data," the Lookout report read.

Once installed, EagleMsgSpy gathers everything it can, including chat and text messages, screen and audio recordings, call logs, contacts, location data, and network activity, Lookout said. Additional evidence shows the vendor behind the spyware has multiple clients.

"Lookout researchers have observed an evolution in the sophistication of the use of obfuscation and storage of encrypted keys over time," the report warned. "This indicates that this surveillanceware is an actively maintained product whose creators make continuous efforts to protect it from discovery and analysis."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Chinese Cops Caught Using Android Spyware to Track Mobile Devices

Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device.

Source: Hilke Maunder via Alamy Stock Photo

Internet of Things (IoT) vendor Ruijie Networks has shored up its Reyee cloud management platform against 10 newly discovered vulnerabilities that could have given adversaries control of thousands of connected devices in a single cyberattack.

The Fuzhou, China-based infrastructure maker's Ruijie Networks devices, are commonly used to provide free Wi-Fi in public settings like airports, schools, shopping malls, and governments across more than 90 countries.

A pair of researchers from Claroty Team82 have developed an attack they named "Open Sesame" that they used to successfully take control of Rujie Networks devices through its cloud-based Web management portal for remote monitoring and configuration.

"The Ruijie Reyee cloud platform lets admins remotely manage their access points and routers," researchers Noam Moshe and Tomer Goldschmidt explained in a statement. "By exploiting these vulnerabilities, attackers could access these devices and the internal networks to which they connect. Our research found tens of thousands of potentially affected devices worldwide."

Moshe and Goldschmidt presented their findings in a presentation titled "The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices" at Black Hat Europe 2024 this week.

Of the 10 CVEs outlined by a new Claroty Team82 report, all of which have been patched by Ruijee, three received CVSS scores of 9 or higher: CVE-2024-47547, a weak password recovery bug with a CVSS score of 9.4; CVE-2024-48874, a server-side request forgery vulnerability with a CVSS score of 9.8; and CVE-2024-52324, flagged as a "use of inherently dangerous function," also with a 9.8 CVSS score.

"The most serious vulnerability we discovered was the vulnerability allowing devices to impersonate the Ruijie cloud platform, sending commands to other devices," the Clarity researchers said.

The collection of bugs allowed remote code execution (RCE) on devices connected to the Ruijie cloud platform, they explained.

"An attacker would be able to exploit weak authentication mechanisms to generate valid device credentials," the research team commented. "After authenticating as a device, we discovered that the attacker could impersonate the Ruijie cloud platform and send malicious payloads to other devices in its stead, gaining full control through legitimate cloud functionality."

**Open Sesame Attack**

As spectacular as taking over 50,000-plus IoT devices at one time would be, the Claroty researchers suspect that not many adversaries want that kind of attention. Instead, they predicted, threat actors armed with these bugs would take a more low-profile approach, taking over specific devices in distinct locations.

"Exploiting this vulnerability at scale could alert the vendor, who would issue a fix to the vulnerabilities needed for this exploit," according to a blog post detailing Claroty's findings. "In addition, many attackers would simply not gain anything by mass-exploiting tens of thousands of devices; this is only relevant in the case of an attacker attempting to build a botnet. Instead, most attackers would take a more targeted, stealthy approach."

With this in mind, the Claroty team built the Open Sesame attack scenario, allowing them to execute code on a vulnerable Ruijie device with nothing more than a serial number.

To make it work, an attacker needs close proximity to a Wi-Fi network using Ruijie access points to sniff out the raw beacons sent out by the Wi-Fi network for users to find and connect. That beacon also contains the device's serial number.

"Then, using the vulnerabilities in Ruijie's MQTT communication, an attacker could impersonate the cloud and send a message to the target device (identified by its SN the attacker leaked)," the blog post added. "This will result in the attacker supplying a malicious OS command for the device to execute, resulting in a reverse shell on the attacked Ruijie access point, giving the attacker access to the device internal network."

The researchers went on to explain that they hope this work highlights how the porousness of clouds can become a big vulnerability for IoT networks.

"Team82's research on Ruijie's infrastructure further exposes how vulnerable devices that are insecurely connected to, and managed through, the cloud can be," the report said.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

IoT Cloud Cracked by 'Open Sesame' Over-the-Air Attack

In Operation PowerOFF, global authorities aim to deter individuals from engaging in malicious cyber acts.

Source: M4OS Photos via Alamy Stock Photo

NEWS BRIEF

Law enforcement agencies around the world have seized 27 of the most popular Web platforms used to launch distributed denial-of-service (DDoS) attacks.

The international operation, which remains ongoing, is known as PowerOFF and was coordinated by Europol, involving 15 countries. The operation targeted various levels of operatives in the groups engaged in the cybercriminal activities, including three administrators who were arrested in France and Germany. It also identified 300 other cybercriminals.

Three of the so-called "booter" and "stresser" websites that were taken down as part of Operation PowerOFF include zdstresser.net, orbitalstress.net, and starkstresser.net.

"While these platforms are often marketed as legitimate tools for stress-testing, they are frequently misused to facilitate malicious attacks," said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an emailed statement to Dark Reading. "By dismantling these services and identifying more than 300 customers, law enforcement agencies aim to disrupt the entire ecosystem addressing both the supply of these tools and the demand from those who use them for illegal activities."

The holiday season in particular has in the past been a peak period for hackers to carry out DDoS attacks, ultimately leading to financial loss, reputational damage for retailers, and operational disruption.

Law enforcement agencies launched an online ad campaign using Google search ads and YouTube to deter individuals from engaging in criminal activities like DDoS, highlighting the consequences of such attacks. Law enforcement also plans to conduct knock-and-talks, and use warning letters and emails.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Europol Cracks Down on Holiday DDoS Attacks

The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.

In the wake of a widespread telecommunications breach at the hands of China, a US senator is proposing legislation aimed at enforcing cybersecurity standards across the communications industry — but it's unclear how efficacious they could be.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, UNC2286) recently overtook Volt Typhoon as China's threat actor du jour, thanks to a year-plus campaign of cyber espionage against at least eight telcos, including AT&T, Verizon, and T-Mobile. Its winnings were remarkable: Not only did the group manage to steal extensive metadata on calls and text messages between ordinary Americans, but they also reportedly accessed and even recorded calls involving high-ranking government officials. Reports from the same time highlighted breaches of both the Trump and Harris campaigns and the Biden administration. They're also active globally.

In the wake of that national security failure, Sen. Ron Wyden (D-Ore.) on Dec. 10 released draft legislation aimed at securing US phone networks. The "Secure American Communications Act" would require the Federal Communications Commission (FCC) to issue new cybersecurity rules for telcos and enforce those that have already been applied based on older legislation.

Related:Lessons From the Largest Software Supply Chain Incidents

"Sen. Wyden deserves credit for putting critical infrastructure security in the spotlight," says Madison Horn, former congressional candidate for Oklahoma's 5th district. She suggests, however, that the proposal is less revolutionary than rhetorical. "His push for stronger cybersecurity standards is important, but let's be clear — most of what he's calling for already exists."

**Has the FCC Been Negligent in Enforcing Telco Security?**

In a press release, Wyden's staff framed his bill not as a major change to the telecommunications industry, but a wake-up call — "to fix \[the FCC's\] own failure to fully implement telecom security requirements already required by federal law."

At issue is Title I, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which:

Requires a carrier to ensure that any interception of communications or \[call-identifying information\] access effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of a carrier officer or employee acting in accordance with Federal Communications Commission (FCC) regulations.

Wyden's camp argues that this proposition, formulated without specific regard for cyber systems, "required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement," adding that "in the years since, the FCC has never fully implemented this provision."

Related:Google Launches Open Source Patch Validation Tool

FCC Chairwoman Jessica Rosenworcel agreed, in a draft Declaratory Ruling shared with her fellow commissioners last week. And besides affirming that interpretation of Section 105, Rosenworcel floated a proposal requiring communications services providers (CSPs) to submit annual reports, "attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks." Unlike the newly drafted bill in the Senate, this ruling would take effect immediately if it were adopted.

**What Wyden's Telco Security Bill Misses**

The Secure American Communications Act, similarly, proposes that CSPs conduct, document, and report annual vulnerability testing, and engage with independent auditors for annual assessments of FCC cybersecurity compliance. Above all, the bill proposes that the FCC enforce the spirit of Section 105 by implementing cybersecurity requirements aimed at blocking unauthorized access to these networks.

Related:Large-Scale Incidents & the Art of Vulnerability Prioritization

Are these the steps necessary to prevent the next Salt Typhoon-style attack against American communications?

In Horn's view, "The problem isn’t a lack of rules. Telcos are required to follow FCC rules, NIST standards, and ISO 27001 protocols. They conduct annual cybersecurity certifications, report breaches to multiple agencies — with CISA being a prime example — and manage supply chain risks. The efforts to secure supply chains, especially after Huawei’s impact, have already led to significant regulatory action."

Instead of a lack of rules and regulations, she argues, "It's largely a resources and scaling problem. We’re talking about a US telecommunications network that spans 800,000 miles of fiber-optic cables and 113,000 miles of long-haul fiber routes, not to mention undersea cables and satellite links. Every mile of that network introduces new endpoints and attack surfaces. The real challenge is ensuring the frameworks we already have can be implemented faster, more effectively, and at this monumental scale."

Bulky legacy systems ill-equipped to adapt to new cybersecurity guidelines, insufficient funding for cybersecurity projects, and an insufficient pool of cybersecurity talent nationwide aren't problems that can be fixed with any wave of a pen, either.

"Our adversaries are operating at the speed of war, while we’re moving at the speed of paperwork," she laments. "Attacks like Salt Typhoon don’t succeed because our policies failed — they succeed because our capacity to act didn’t keep pace with the threat."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat

Security isn't just about tools — it's about understanding how the enemy thinks and why they make certain choices.

Source: Andriy Popov via Alamy Stock Photo

COMMENTARY

In the past, security professionals were true hackers at heart — passionate individuals who made money doing what they loved: breaking systems, pushing boundaries, and constantly learning. They grew their skills out of sheer curiosity and dedication.

Today, however, many in security are simply "professionals" who found a well-paying job but lack that hacker spirit. They're not driven by a love of the challenge or a hunger to learn. They may take the occasional course or learn a few technical tricks — but often, they're doing the bare minimum. This leads to weak security. Meanwhile, attackers? They still have that old-school hacker passion, constantly learning and evolving for the love of the challenge.

We've completely misunderstood how to do security. Instead of genuinely simulating bad guys and preparing for the real thing, we play around with automated tools and call it "offensive" security. Many red-team exercises simply follow a checklist of known exploits without adapting to the specific environment. In contrast, a genuine adversary simulation requires creativity and a deep understanding of the target's weaknesses — crafting custom attack paths and adjusting tactics on the fly. It's about going beyond technical skills and truly getting into the adversary mindset.

Let's be real — technical skills alone aren't going to save anyone. To outsmart attackers, we need to cultivate a hacker mindset: understand the motivations, tactics, and psychology behind attacks, focusing on creativity and adaptability rather than just checking boxes.

**Why Adversaries Do What They Do**

Too many defenders get stuck on the "how" of an attack — the technical exploits, tools, and vulnerabilities — but to stay ahead, we need to ask "why." Attackers aren't just pushing buttons; they're making strategic decisions, choosing the path of least resistance and maximum gain specific to their objectives.

Attackers know defenders are predictable. They know defenders — often too focused on what looks scary instead of what's actually vulnerable — will patch the big vulnerabilities while ignoring the misconfigurations or overly trusted third-party integrations. Red teams might overlook these, but real adversaries know they're prime opportunities. Attackers exploit trusted integrations to move laterally or exfiltrate data without triggering alarms. This is why understanding the "why" behind attacks is crucial. Attackers aren't just targeting technology — they're going after the path of least resistance, and too often, that's where we're late.

**Stop Being a Button-Pusher**

Here's the harsh truth: Relying solely on automated tools and predefined processes is a recipe for failure. While those tools are useful, attackers thrive on predictability, so the more security teams rely on the same tools and scripts, the easier it is for them to slip through.

Think about the SolarWinds breach, where attackers leveraged a trusted, automated process to compromise thousands of systems — because defenders didn't critically assess their own tools. SolarWinds is a lesson in the danger of blind trust in automation. If you're just pushing buttons, you're making their job easy.

Attackers are constantly testing the boundaries — doing the unexpected, finding unnoticed cracks. To defend against that, you need to do the same. Be curious, be creative, and don't be afraid to challenge the rules. That's what attackers are doing every day.

**Detecting Intent in the Cloud**

The cloud is a whole new ballgame. Old perimeter defenses don't cut it anymore — it's about understanding intent. Attackers aren't just exploiting vulnerabilities; they're using legitimate cloud services against you, moving laterally, escalating privileges, and blending in with regular user activity.

Take the Sisense breach: The attacker exploited cloud misconfigurations and legitimate credentials to access sensitive data. They didn't break in — they logged in. The attacker understood how to blend in with typical user activity. Recognizing intent in the cloud is critical; it's about seeing the attacker's goals and cutting them off before they succeed.

If you notice unusual activity, don't wait for an alert. Assume intent and start digging. The faster you understand why something is happening, the faster you can stop it.

**Building a Hacker Culture**

Growing and honing a hacker mindset is a journey, and it won't come from reading a book or taking a course. It takes time, practice, mentorship, and hands-on experience. Pair up newer team members with people who've been through the trenches, involve the defense team in red team exercises, and let them make mistakes. Real learning happens by doing.

Want to know if you have a hacker mindset? Try the Jack Attack Test (JAT), where creativity — not content — reveals true hacker thinking. For example, finding 10 different ways to "turn off the light" is similar to finding 10 ways to perform a denial-of-service (DoS) attack. Hackers think conceptually, while security professionals might get lost in the details, saying they "don't know anything about electricity."

Another thing: Give your team members the chance to think like attackers. Run attack simulations where they must step into the hacker's shoes. Get a threat intel report, and make them explain the why, not the how. Challenge them to take unconventional approaches. Attackers are masters of the unexpected, and if defenders want to keep up, they need to be too.

**Embracing the Adversary Mindset**

At the end of the day, security isn't just about tools — it's about understanding how the enemy thinks and why they make certain choices. Every move they make — each target, exploit, and escalation — is deliberate. To stay ahead, defenders must adopt this mindset. By understanding the strategy behind their actions, defenders can identify weak points in their defenses. It's not just about technology; it's about understanding intent, anticipating the unexpected, and challenging the norm. No tool can replace a curious mind ready to step into an adversary's shoes and do whatever it takes to stay ahead.

**About the Author**

Field CTO, Mitiga

Roei Sherman, field chief technology officer (CTO) at Mitiga, is a leading expert in cloud incident response and adversarial cybersecurity. With more than a decade of experience, he specializes in red team operations, adopting an adversarial mindset and guerrilla tactics for proactive defense.

Roei’s background includes serving in the field intelligence unit of the Israel Defense Forces, where he remains active in the reserve. He has held notable roles, including global director of offensive services at AB InBev and red team leader at EY Israel. His expertise spans red team engagements, social engineering, physical security, and incident response across various platforms. 

Holding a BA in business administration with a cybersecurity focus and an MA in criminology, Roei merges technical skill with academic insight. He co-organizes BSidesTLV and serves on the CFP team for Diana’s Initiative, underscoring his dedication to advancing the cybersecurity field.

Cultivating a Hacker Mindset in Cybersecurity Defense

The US State Department has offered a $10 million reward for Guan Tianfeng, who has been accused of developing and testing a critical SQL injection flaw with a CVSS score of 9.8 used in Sophos attacks.

Source: B Christopher via Alamy Stock Photo

NEWS BRIEF

The US government unsealed charges yesterday against a Chinese national who allegedly broke into approximately 81,000 of Sophos firewall devices around the world in 2020.

Guan Tianfeng, also known as gbigmao and gxiaomao, was charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Tianfeng has also been accused of developing and testing a zero-day security vulnerability used to conduct the Sophos attacks.

The zero-day vulnerability in question is tracked as CVE-2020-12271 and has a CVSS score of 9.8, a critical SQL injection flaw that could allow a threat actor to achieve remote code execution (RCE).

A federal arrest warrant was issued for Tianfeng in the US District Court, Northern District of Indiana, Hammond Division, and it is believed that he is currently residing in Sichuan Province, China.

The Rewards for Justice Program through the US Department of State is offering an award of up to $10 million for information on Tianfeng and the offices he worked out of, Sichuan Silence Technology Company Ltd., as well as associated individuals and their malicious activity.

"The defendant and his conspirators compromised tens of thousands of firewalls and then continued to hold at risk these devices, which protect computers in the United States and around the world," said Assistant Attorney General for National Security Matthew Olsen, in a press release. "The Department of Justice will hold accountable those who contribute to the dangerous ecosystem of China-based enabling companies that carry out indiscriminate hacks on behalf of their sponsors and undermine global cybersecurity."

Any tips or information can be made with the FBI via WhatsApp, Signal, Telegram, or tips.fbi.gov.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Chinese Hacker Pwns 81K Sophos Devices With Zero-Day Bug

Threat actors punch holes in the company's online ordering systems, tripping up doughnut deliveries across the US after a late November breach.

Source: Matthew Horwood via Alamy Stock Photo

US doughnut dealer Krispy Kreme suffered a cybersecurity incident that's made a mess of online ordering but spared retail operations that continue to serve up sugar-coated confections nationwide.

A Securities and Exchange Commission filing from Krispy Kreme disclosed the company was subject to an "unauthorized activity on a portion of its information technology systems" in late November.

"The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, including the restoration of online ordering, and has notified federal law enforcement," the Krispy Kreme 8-K filing explained. "As the investigation of the incident is ongoing, the full scope, nature, and impact of the incident are not yet known."

Krispy Kreme added that while the cybersecurity incident is likely to have a "material impact" on the business until it is able to recover, anticipated losses are likely to be offset by cyber insurance.

Beyond operational impact, the statement did not indicate whether customer data was compromised. Paul Bischoff, consumer privacy advocate at Comparitech, recommended anyone who's ordered doughnuts online through Krispy Kreme should expect they've been exposed.

"Most attacks of this nature don't just disrupt systems," Bischoff added. "They also steal data. Companies typically take about six months to investigate breaches and find contact information for affected customers, give or take a few months."

**Krispy Kreme Incident Recovery Continues**

As the company recovers from the incident, Ilia Sotnikov, security strategist at Netwrix, said the Krispy Kreme cybersecurity team likely worked quickly to avoid more widespread damage.

"All their shops are open and all delivery commitments to retail and restaurant partners are fulfilled," Sotnikov said in a statement. "This means that the team identified the intrusion and was ready to swiftly follow the incident response plan."

Beyond initial concerns about business continuity, the entire Krispy Kreme supply chain is potentially vulnerable to follow-on cyberattacks, according to Ryan Sherstobitoff, senior vice president of threat research and intelligence at Security Scorecard.

"As one of the world's largest doughnut companies with over 400 US locations, this breach raises concerns about not only operational disruptions amidst the holidays but also the potential exposure of sensitive data within Krispy Kreme and its supply chain," Sherstobitoff noted, in a statement. "With the holiday season in full swing, retailers must remain vigilant. Cybercriminals are lurking, waiting to exploit any distraction."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Krispy Kreme Doughnut Delivery Gets Cooked in Cyberattack

Researchers at Cavero have created a correlating numbers mechanism, adding a layer of privacy that even threat actors can't gain enough information to breach.

Source: ArtemisDiana via Alamy Stock Photo

A future that uses quantum computing is not far off — but not quite here either. When it does arrive, it will ultimately render the methods we use to encrypt information useless. And while some organizations and businesses may be slow to act, bad actors are already preparing, stealing large amounts of encrypted data and putting it on hold until a later date, when quantum capabilities become available and allow them to decrypt it.

These attacks are known as harvest now, decrypt later (HNDL) attacks — and they pose a serious threat in the future, should bad actors gain access to quantum computers and find the means to actually use them.

"What we need is a new way for us to be able to encrypt data which protects that data now and in the future as well," says Frey Wilson, co-founder and CTO at Cavero Quantum.

**The Cavero Method**

Cavero has created a cryptographic system that uses symmetric keys in two different ways, one using computation complexity and the other using an information theoretical method. The latter typically uses physical resources, but Wilson notes that Cavero achieves it by using the properties of random numbers.

"If you can create two correlated data sets and ensure that any third data set is correlated \[but\] not in the same way as the initial two, then from the correlated data, you can use essentially low entropy sections of that data to be able to generate a key mutually," says Wilson, ahead of a Black Hat Europe 2024 briefing on the approach.

Related:Library of Congress Offers AI Legal Guidance to Researchers

These keys aren't passkeys, though the intention is on the same track, Wilson stresses. Passkeys fall under the category of asymmetric keys, a cryptographic method of encrypting and decrypting data. The risk with this, however, is that passkeys are limited within their own ecosystems, such as Apple or Amazon, unable to cross-correlate with other ecosystems.

"Because this key is sent from a central server initially, there's a moment that the key is in transit to get to a device," says James Trenholme, CEO of Cavero Quantum. "It has the potential to be hacked or viewed by a third party."

Cavero aims to solve this problem by providing a solution that doesn't share any information publicly. Keys are mutually generated for each party using the correlating numbers mechanism, so that even if a threat actor is watching the exchange in the middle, they are unable to gather enough information to calculate or intercept the key, Trenholme adds.

**The Past & Future of Cryptography Keys**

Wilson says the solution, which uses smaller key sizes and is deployable on any device regardless of the size, is unique in its approach.

Related:'White FAANG' Data Export Attack: A Gold Mine for PII Threats

"That appeal to history is absolutely something that we hear regularly," says Wilson of their solution, which is nearly 12 years in the making. "This is based off a body of work that has existed here that we’ve taken, and we've expanded on. It just so happens that we've taken it in a direction that's been slightly different to other people."

Wilson plans to go into detail on that at Black Hat Europe, noting that "it's a new way of looking at the methodology that sits underneath it."

Going forward, the pair would like to see Cavero's keys used as the cornerstone in many, if not all, types of communications. And while its natural for a CEO to say this about their company's product, it seems as though Cavero's keys are in the best interest of communications processes in the name of privacy and security.

Some industries will benefit from Cavero's technology sooner than others, like those that manage high-value data or have a long-term data source.

"We'd like to see it used in every kind of communication, whether it be a voice call, a message, a data transfer, logging applications, the list goes on," says Trenholme, including telecommunications, defense, financial services, identity frameworks, and more.

Related:'Bootkitty' First Bootloader to Take Aim at Linux

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Symmetrical Cryptography Pioneer Targets the Post-Quantum Era

A critical flaw in the company's rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Source: Fabio Principe via AdobeStock Photo

Researchers cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour, due to a critical vulnerability that allowed them unauthorized access to a user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

Researchers at Oasis Security discovered the flaw, which was present due to a lack of rate limit for the amount of times someone could attempt to sign in with MFA and fail when trying to access an account, they revealed in a blog post on Dec. 11. The flaw exposed the more than 400 million paid Microsoft 365 seats to potential account takeover, they said.

When signing into a Microsoft account, a user supplies their email and password and then selects a pre-configured MFA method. In the case used by the researchers, they are given a code by Microsoft via another form of communication to facilitate sign-in.

The researchers achieved the bypass, which they dubbed "AuthQuake," by "rapidly creating new sessions and enumerating codes," Tal Hason, an Oasis research engineer, wrote in the post. This allowed them to demonstrate "a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code," which is 1 million, he explained.

"Simply put — one could execute many attempts simultaneously," Hason wrote. Moreover, during the multiple failed attempts to sign in, account owners did not receive any alert about the activity, "making this vulnerability and attack technique dangerously low profile," Hason wrote.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

Oasis informed Microsoft of the issue, which acknowledged its existence in June and fixed it permanently by Oct. 9, the researchers said. "While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day," Hason wrote.

**Ample Time to Guess MFA Code**

Another issue that allowed for the MFA bypass was that the available timeframe an attacker had to guess a single code was 2.5 minutes longer than the recommended timeframe for a time-based one-time password (TOTP) according to RFC-6238, the Internet Engineering Task Force (IETF) recommendation for implementing MFA authentication.

RFC-6238 recommends that a code expires after 30 seconds; however, most MFA applications provide a short grace period and allow these codes to be valid longer.

"This means that a single TOTP code may be valid for more than 30 seconds," Hason explained. "The Oasis Security Research team's testing with Microsoft sign-in showed a tolerance of around three minutes for a single code, extending 2.5 minutes past its expiry, allowing 6x more attempts to be sent."

Related:Chinese Cops Caught Using Android Spyware to Track Mobile Devices

This extra time meant that the researchers had a 3% chance of correctly guessing the code within the extended timeframe, Hason explained. A malicious actor trying to crack the code would have been likely to proceed and run further sessions until they hit a valid guess, which the researchers proceeded to do without encountering any limitations, he said.

After 24 sessions of trying to guess the code, which would take around 70 minutes, a malicious actor would already pass the 50% chance of hitting the valid code. In their research, the Oasis team attempted this method several times, and once even found they guessed the code early on in the process, exposing how quickly MFA could be bypassed.

**Best Practices for Safe MFA**

While MFA is still considered one of the most secure ways to protect passwords to online accounts, the research demonstrates that no system is completely attacker-proof. Oasis recommended that organizations continue to use either authenticator apps or strong passwordless methods for protecting user accounts from malicious attacks.

Related:Europol Cracks Down on Holiday DDoS Attacks

Other best practices include one that has long been recommended for years as part of basic password hygiene: users should change passwords to their online accounts frequently. Moreover, any organization using MFA to protect accounts should add a mail alert to notify users of failed MFA attempts, even if they don't notify them of every failed password sign-in attempt, Hason noted.

This latter advice also should be applied to any organization building MFA into a system or application, according to Oasis. MFA app designers also should ensure they include rate limits that don't allow for indefinite attempts to sign in, and lock an account after a certain time to limit successful MFA attacks or bypasses.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading