The investment in Salt Security underscores the fact that attacks targeting APIs are increasing.

The boom in mobile apps, cloud services, and Web applications have led to a worrying trend: Attackers are increasingly targeting the APIs that underpin them. Enterprises need tools in order to secure these data-rich connectors, and CrowdStrike's announcement that it is investing in Salt Security highlights the critical role API security plays in Web application security.

APIs – application programming interfaces – are ubiquitous in the modern enterprise. Consider the following:

*   A Web application displaying a map and location data relies on the Google Maps API.
*   An e-commerce application offering multiple payment options, such as the "Pay with PayPal" feature, is using an API.
*   Retailers use APIs to work with couriers and delivery companies to ensure package are picked up and delivered correctly.
*   Companies may send software via API. That's what Tesla does.

"APIs connect the critical data and services that drive today's digital innovation," said Roey Eliyahu, CEO and co-founder at Salt Security, in a statement.

Developers rely on APIs to connect their applications to multiple data sources and services in order to build new features and products without having to start from scratch. For example, not many organizations have the resources or data to maintain detailed maps, but they don't need to because Google Maps offers the information via an API. However, the fact that APIs have access to sensitive data and systems makes them vulnerable. If the API is somehow abused, that can expose the underlying data and result in a data breach.

A bug in the Peloton API allowed anyone to pull users’ private account data directly from Peloton’s servers, even if a user's profile was set to private. There was a similar situation involving a financial lending site, where a leaky Experian API allowed anyone to look up credit scores of someone else with only a name and mailing address.

"Enterprises are producing a massive number of APIs at a rate that far outpaces the maturity of network and application security practices," wrote Gartner analysts Jeremy D’Hoinne and Mark O’Neill in a recent "Gartner Predicts" report on API security. "Strong inventory and real-time discovery are both necessary to gain enough visibility into all APIs that the organization produces."

From a financial perspective, CrowdStrike's investment makes sense. The API security market is expected to grow 26.3% between 2022 and 2032, according to research from Future Market Insights earlier this month. Gartner estimates that API attacks will soon become the most-frequent attack vector for Web applications.

In addition to the investment, CrowdStrike says it plans to work with Salt Security on security testing to harden APIs and API discovery and runtime protection for applications.

CrowdStrike Investment Spotlights API Security

The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways.

Uber has attributed last week's massive breach at Uber to the notorious Lapsus$ hacking group and released additional details on the attack. Researchers say the incident has highlighted the risks that can come from trusting too much in multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.

In an update on Monday, Uber laid out the attribution: "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so." Uber's announcement pointed to other companies that had been targeted by the notorious gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung,

Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world's largest and well-known companies. One well-known tactic that the group has been known to use is co-opt MFA-circumventing tools into its attack chain.

And indeed, Uber on Monday said the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time. 

After the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt — thus allowing the attacker to log in.

"The Uber breach appears to be a result of an MFA fatigue attack, also referred to as an MFA bombing attack," says Duncan Greenwood, CEO of Xage. "It’s a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user unintentionally provides access, or grows so frustrated that they eventually approve a request." 

**Remediation Process Begins**

Once in, the attacker breached multiple internal systems, and Uber is currently in the process of doing an impact analysis, the company said: "The attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack."

The company said the attacker does not appear to have made any changes to its codebase, nor does he appear to have access to any customer or user data stored by cloud providers. The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber's finance team uses to manage invoices. Though the attacker also accessed a database of vulnerability disclosures in its platform submitted via external researchers through the HackerOne bug-bounty program, all the bugs have been remediated, Uber said.  

**Breach Shows MFA's Weaknesses**

Greenwood describes MFA fatigue attacks as being a very effective tactic for breaching target organizations. He says his company has observed attackers typically sending frequent MFA requests in the middle of the night or sending less frequent requests over a few days. 

"Either way, in traditional MFA architectures, all it takes is just one approved request for a hacker to access internal systems, from which they can further infiltrate the target organization," he says.

Uber's security practices are sure to come under scrutiny because of the breach. But the reality is that the company was the victim of practices that are common to many organizations, researchers note.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA's strength as a method to secure access. 

"Although MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure," he says.

One example of how MFA can fail is SIM card porting, aka SIM-swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control to receive SMS messages or phone calls for the target number. 

"Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts." 

Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA — such as push, touch, and mobile — protect against social engineering. The reality is that MFA remains vulnerable to man-in-the-middle (MitM) attacks, he says.  

He notes that best practices include using phishing- and MiTM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often do not limit access keys to the minimum privileges required for the key's intended purpose.   

"Uber may not have followed best practices, but many other companies don't either," he says. "The main point I'd like to drive home is the importance of not only investing into security for your organization, but specifically investing into these best practices as well."

It should be noted that the Uber breach is not the only high-profile hit in the last few days; the same Lapsus$ hacker who claimed responsibility in that incident (or at least someone using the same "Teapot" alias that the Uber hacker used) now appears to have also breached Take-Two Interactive's Rockstar Games, posting videos of an early development copy of the Grand Theft Auto 6 video game. In a message, the company acknowledged the breach and said it was "extremely disappointed" to have details of the game leaked in advance of its release.

**Cloud Service Adoption Increases Risk **

MFA is not the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security. 

The move to a more distributed model has increased enterprise reliance on asynchronous communications tools such as Slack and WhatsApp in business-critical environments, he says. The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.

"The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains," Spitler notes. "This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and \[finding\] their way to critical assets."

Uber: Lapsus$ Targeted External Contractor With MFA Bombing Attack

The Take-Two Interactive subsidiary acknowledges an attack on its systems, where an attacker downloaded "early development footage for the next Grand Theft Auto" and other assets.

Rockstar Games, a subsidiary of Take-Two Interactive Software, today confirmed that an unauthorized third party had downloaded files and videos for its flagship game Grand Theft Auto 6 following the posting over the weekend of scores of video clips to an online forum.

More than 90 video files — since removed — were posted at 3:26 a.m. on Sunday, Sept. 18, to the GTAForums. Several forum users considered the videos to be authentic, and the forum administrators appeared to confirm that that data was stolen when they pulled down the files and posted a warning for forum members to not share media or links to copyrighted material.

By early Monday, Take-Two Interactive had confirmed the breach in a corporate filing with the Securities and Exchange Commission.

"Rockstar Games recently experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from its systems, including early development footage for the next Grand Theft Auto," the company stated in the filing. "Current Rockstar Games services are unaffected. We have already taken steps to isolate and contain this incident."

The breach is the latest attack on gaming companies. In June 2021, game giant Electronic Arts suffered a massive breach, with cybercriminals stealing nearly 800GB of source code and data from the firm. The breach followed an attack on CD Projekt Red, the maker of the Witcher games and Cyberpunk 2077, which resulted in the theft of internal data and source code.

Game companies are not the only group being targeted — attackers are also focused on gamers. Players of the top 28 games encountered more than 380,000 instances of malware and unwanted files the 12 months ending in June 2022, according to software security firm Kaspersky Lab. Rockstar Games' Grand Theft Auto was the fourth most targeted PC game, according to the firm's analysis.

"Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise," Kaspersky researchers stated. "Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices."

**Uber-Hacker Poser**

In the Rockstar Games attack, the threat actor apparently gained access through a compromised credential. The cybercriminal used the name "teapotuberhacker," reportedly claiming to be the person behind the breach of Uber last week.

However, reliable details of the hack are in short supply. Already, fraudsters have posted a great deal of misinformation on Twitter and have reserved names similar to the hacker's on Telegram and other social media networks.

A thread on the GTAForums appears to be genuine, however. The administrators have already removed the video files and links posted by the purported hacker. Multiple posts on the GTAForums have claimed that the videos came from a developer Slack channel, which is similar to the compromise of Electronic Arts. The posted videos are dated between March 2021 and September 2022.

Take-Two Interactive and Rockstar Games played down the impact of the attack, maintaining that the development of the game will not be affected.

"Work on the game will continue as planned," the company stated in its SEC filing. "At this time, Rockstar Games does not anticipate any disruption to its current services nor any long-term effect on its development timelines as a result of this incident."

The hacker posted the videos to GTAForums early Sunday morning, stating, "Here are 90 footage/clips from GTA 6," and adding, "Its possible i could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build."

The attacker may not have had general access to Rockstar Games' systems, but only the communication channels used by developers. "These videos were downloaded from Slack," the poster wrote, clarifying that the source was "employee communications."

**Wall Street Fallout**

The breach initially hurt Take-Two Interactive's stock price (NASDAQ: TTWO), but the company's assurance that the game's launch date would not be delayed seemed to assuage investors, and the stock rose slightly by late afternoon. The company has actually not yet announced the game's official release data, but reports have pegged mid- to late-2024 as likely.

"We are extremely disappointed to have any details of our next game shared with you all in this way," the company said in a statement posted on Twitter. "Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations."

Rockstar Games Confirms 'Grand Theft Auto 6' Breach

Pool controllers exposed to the Internet with default passwords let threat actors tweak pool pH levels, and potentially more.

After the hacktivist group GhostSec bragged it had breached a hotel pool controller in Israel, a team of researchers decided to take a deep dive. 

The cyberattack group didn't provide details about the operational technology (OT) breach, but researchers at Otorio found two Aegis II controllers exposed to the Internet with default passwords. The Aegis II controller is used to control the chemical concentration in water in locations such as pools. 

Last week, GhostSec first claimed it breached 55 Berghof programmable logic controllers (PLCs) across Israel. On Sept. 10, the group claimed it had control over an unidentified hotel's pool water system. 

GhostSec warned in a posted message that while it has control of the pool's pH and chlorine levels, it wasn't interested in using the access to harm innocent people. The threat actors simply wanted to demonstrate the kind of damage they could do, the post added. 

"Our research found two pool controllers that could be affected," the Otorio report said. "While we do not know for certain, it appears that the most likely aim of the breach was for the attackers to demonstrate that they had the ability to control the water's pH in the hotel's pools as GhostSec's Telegram message alleged."

The researchers noted that the incident underscores the potential dangerous real-world implications of OT cyberattacks. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattackers Make Waves in Hotel Swimming Pool Controls

If we know a user is legitimate, then why would we want to make their user experience more challenging?

Years ago, I had to get hold of a personal document that I needed from a government office. I had brought with me all of the documentation that I was told I needed, but there was an issue — a bureaucratic technicality that rendered one of the pieces of documentation invalid in the eyes of the clerk.  

I tried to argue that if we zoomed out and looked at the big picture, it was clear that I was me and entitled to my own document. The clerk would not hear of it, though, and replied, "It should not be easy to get this document." I did not agree and quipped, "It should be easy to get this document if one is entitled to it." Unfortunately, that remark did not get me the document, and I was forced to return another day.

The reason I am sharing this story with you is because it can teach us an important lesson about balancing fraud and user experience. My example illustrates how off-base the conventional wisdom is that says making something harder for a legitimate user to get reduces risk. If a user is legitimate, and if we know they are legitimate, then why would we ever want to make their user experience more challenging?

All that does is introduce another kind of risk — the risk that the user will give up and go elsewhere to get what they need. I didn't have the option of going elsewhere when I needed my document from the government. The users of your online application, on the other hand, very much do have that option in most cases. It is worth thinking about how user experience can be balanced against the need to detect and mitigate fraud losses.

Here are five ways enterprises can improve their fraud detection capabilities in order to better balance fraud detection and user experience.

**1\. Device Intelligence**

I am often surprised by how many fraud rules focus on IP addresses. As you know, IP addresses are trivial for a fraudster to change — the minute you block them from one IP address, they move on to another. The same goes for blocking entire countries or ranges of IP addresses — it is trivial for a fraudster to bypass that. Focusing on IP addresses creates unreliable rules that generate a huge volume of false positives.

Reliable device identification, on the other hand, is entirely different. Being able to identify and track end-user sessions via their device identifiers, rather than their IP addresses, enables fraud teams to hone in on devices that are interacting with the application. This allows for fraud teams to perform a variety of checks and analyses that leverage device identification, such as looking for known fraudster devices, looking for devices that log into a relatively high number of accounts, and other methods.

**2\. Behavioral Intelligence**

It can be quite difficult to differentiate between legitimate users and fraudsters at layer 7 (the application layer) of the OSI model. Moving up to layer 8, or the user layer, however, makes that differentiation much more plausible.

In most cases, legitimate users and fraudsters behave differently within sessions. This is mainly because they have different objectives and levels of familiarity with the online application. Studying end-user behavior gives enterprises another tool they can use to more accurately differentiate between fraud and legitimate traffic.

**3\. Environmental Intelligence**

In many cases, environmental clues (the environment being where the end user is coming from) exist that can help a fraud team differentiate between fraud and legitimate traffic. Having insight into and properly leveraging these environmental clues takes some investment, though it pays huge dividends when it comes to more accurately detecting fraud.

**4\. Known Good User Identification**

As organizations get better at understanding what fraudulent traffic looks like, they also reap another benefit: They become better at identifying what good traffic and what known good users look like. In other words, if I can be reasonably confident that the session in question and the end user navigating it are both good, I can be reasonably confident that I don't need to pile on tons of friction in the form of authentication requests, multifactor authentication (MFA) challenges, or otherwise.

**5\. Session Focus**

Some teams focus somewhat myopically on transactions. That is a bit like trying to see the beauty of the ocean through a straw. True, you can see a portion of the ocean, but you miss most of it. Similarly, looking across the entirety of the end-user session, rather than at individual transactions or groups of transactions, is a great way to more accurately separate fraudulent traffic from legitimate traffic. The techniques mentioned above, along with others, all work far better with a broader, more strategic view of what is going on.

**Reduce the Friction**

Enterprises do not need to choose between effective fraud detection and ease of use. It is possible to manage and mitigate risk without introducing additional friction to your end users as they journey through your online applications. The time has come to throw out the conventional wisdom that says otherwise.

5 Ways to Improve Fraud Detection and User Experience

TPx, a leading nationwide managed services provider (MSP) delivering cybersecurity, managed networks, and cloud communications, today announced the addition of penetration scanning to its Security Advisory Services portfolio.

**AUSTIN, Texas, Sept. 19, 2022 /PRNewswire-PRWeb/ —** TPx, a leading nationwide managed services provider (MSP) delivering cybersecurity, managed networks, and cloud communications, today announced the addition of Penetration Scanning to its Security Advisory Services portfolio.

Penetration Scanning is one of the best ways organizations can understand where security weaknesses and risks exist across the network and what the impact of cyberattacks would be. TPx Penetration Scanning leverages an automated scanning platform, which provides short turnarounds coupled with low costs. This expanded offer builds on TPx's Vulnerability Scanning, which evaluates devices that are connected to the network to identify vulnerabilities.

By combining Penetration Scanning and Vulnerability Scanning, TPx is providing customers a more comprehensive way to identify risk and strengthen their security posture. A TPx Vulnerability and Penetration Scan mirrors the behavior of bad actors to help customers understand how likely it is that a hacker will be able to exploit a businesses' weaknesses to gain access to systems or confidential information on their network. Performed as one-time events or in regular intervals, scans track a company's risk profile in near real time.

"Proactively maintaining and protecting an organization's network requires continuous effort - no matter the company's size, type or number of locations," said Rick Mace, CEO, TPx. "As the threat landscape continues to expand and become more complex, Vulnerability and Penetration Scanning are two of the best tools a business can use to understand its weaknesses and how a hacker might exploit them."

TPx continues to evolve its offerings to continuously improve how it meets changing customer needs. TPx's Penetration Scan is designed for businesses of all sizes that need an affordable way to mitigate risk, be eligible for cyber insurance, and stay compliant with various regulations and policies.

For more information on TPx's Vulnerability and Penetration Scanning, visit  
https://www.tpx.com/services/managed-it/security-advisory-services/

About TPx  
TPx is a leading nationwide managed service provider focused on the success of small- and medium-sized businesses (SMBs) with approximately 18,000 customers in more than 49,000 locations across the U.S. For more than two decades, TPx has offered managed services and solutions to help customers across every business sector address the growing complexity of their IT environments. For more information, visit http://www.tpx.com or follow TPx on LinkedIn, Twitter and Facebook.

SOURCE: TPx

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

TPx Introduces Penetration Scanning, Expands Security Advisory Services

Cyberattacks keep inflicting more expensive damage, but firms are responding decisively to the challenge.

In seven out of eight countries, cyberattacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cybersecurity professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.

**Cyberattacks Are a Bigger Concern for US Businesses Than the "Great Reshuffle"**

According to the report, IT pros in US businesses are more worried about cyberattacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyberattacks. Approximately half of all US businesses (47%) suffered an attack in the past year.

Remote work has caused many smaller organizations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organizations more vulnerable to cybercrime.

**COVID Has Caused Businesses to Double Their IT Spending**

Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Alannah Paul, cyber product head for Hiscox in the US, said in a statement. "Remote working provided a year-long Christmas for cybercriminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cybersecurity."

**The Costs Keep Rising**

It may come as no surprise that as more organizations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyberattack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cybercriminals — was a cloud-based corporate server.

However, in terms of attack costs, the report reveals major regional disparities. While one organization in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.

**US Companies Lead in Cyber Maturity but Are More Likely to Pay a Ransom**

The US recorded a "cyber maturity" score of 3.05 — the highest among the countries ranked — compared with the average of 2.94. Still, US companies were the most likely to pay a ransom to recover their stolen data. Eighty-four percent of American companies that suffered a ransomware attack paid up.

On the other hand, Hiscox reported that the median cost of total ransoms paid is down by 20%, and recovery costs have nearly halved. More firms got their data back or succeeded in restoring it. Larger organizations, with 1,000 or more employees, are more likely to have recovered their data (68% compared with 59% on average) and are far less likely to have had their data exposed (20% compared with 29% on average).

**Closing Remarks**

While cybercriminals have always preferred to go after high-value, high-profile companies, they're starting to move lower down the food chain. According to the report, firms with revenues of $100,000 to $500,000 can now look forward to as many cyberattacks as firms that earn $1 million to $9 million annually. Regardless of size, no one is immune. Doing the basics well is vital, and relatively low cost, especially when set against the cost of managing a wide-ranging attack and the outage that comes along with it.

Increasing awareness of cyber threats is a positive signal, and a step into the right direction. Smaller organizations aren't planning to — and probably can't — cover quite as many bases as their larger counterparts. But they're not far behind. For instance, 44% of the smaller firms included in the Hiscox report said they plan to regularly simulate a cyberattack to gauge their company's incident response plan, compared with 58% of the big firms. Not bad.

On the other hand, the number of organizations reporting attacks has risen, and so has the severity of the attacks. The scale of the challenge is nothing to sneeze at. As such, all companies, large and small, must implement a carefully structured approach to effectively and successfully combat cyber threats.

Cyberattack Costs for US Businesses up by 80%

Alleged teen hacker claims he found an admin password in a network share inside Uber that allowed complete access to ride-sharing giant's AWS, Windows, Google Cloud, VMware, and other environments.

Questions are swirling around Uber's internal security practices after an 18-year-old hacker gained what appears to have been complete administrative access to critical parts of the company's IT infrastructure using an employee's VPN credentials as an initial access vector.

Numerous screenshots that the alleged attacker posted online suggest the intruder did not have to breach a single internal system to essentially pwn the ride-sharing giant's IT domain almost entirely.

So far, Uber has not disclosed details of the incident beyond saying that the company is responding to it and working with law enforcement to investigate the breach. So, at least some of what is being is reported about the incident is based on a New York Times report from Sept. 15 in which the teen claimed to have gained access to Uber's internal networks using credentials obtained from an employee via social engineering. The attacker used that access to move laterally across Uber's internal domain to other critical systems, including its email, cloud storage, and code repository environments.

Since then, he has posted numerous screen shots of internal systems at Uber to confirm the access he had obtained on it and how it was obtained.

The screenshots show the hacker gained full administrative access to Uber's AWS, Google Cloud, VMware vSphere, and Windows environments — as well as to a full database of vulnerabilities in its platform that security researchers have discovered and disclosed to the company via a bug bounty program managed by HackerOne. The internal data the attacker accessed appears to include Uber sales metrics, information on Slack, and even info from the company's endpoint detection and response (EDR) platform.

In a tweet thread that some security researchers reposted, Twitter user Corben Leo posted claims from the alleged hacker that he used the socially engineered credentials to access Uber's VPN and scan the company's intranet. The hacker described finding an Uber network share that contained PowerShell scripts with privileged admin credentials. "One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, Duo, OneLogin, AWS, GSuite," the attacker claimed.

For now, the attacker's motivations are not very clear. Normally, it's pretty apparent, but the only thing that hacker has done so far is make a lot of noise, noted that Uber drivers should be paid more, and shared screenshots proving access.

"They seemed really young and maybe even a little sloppy. Some of their screenshots had open chat windows and a ton of metadata," says Sam Curry, a security engineer at Yuga Labs who has reviewed the screenshots,

**Pure-Play Social Engineering**

Invincible Security Group (ISG), a Dubai-based security services firm, claimed that its researchers had obtained a list of administrative credentials that the threat actor had gathered. "They seem to be strong passwords, which confirms that it was indeed a social-engineering attack that got him access to Uber's internal network," ISG tweeted.

Curry tells Dark Reading that the attacker appears to have gained initial access from compromising one employee's login information and social engineering that person's VPN two-factor authentication 2FA prompt.

"Once they had VPN access, they discovered a network drive with 'keys to the kingdom,' which allowed them to access \[Uber's\] cloud hosting as root on both Google Cloud Platform and Amazon Web Services," Curry notes. "This means they probably had access to every cloud deployment, which is likely the majority of Uber's running applications and cloud storage."

One significant fact is that the employee who was initially compromised worked in incident response, he notes, adding that normally such employees have access to many more tools within Uber's environment than average employees. 

"Having this level of access, and additionally the access they found in the PowerShell script, means that they probably didn’t have too many limitations to do whatever they wanted inside Uber," Curry says.  

In a series of tweets, independent security researcher Bill Demirkapi said the attacker appears to have gained persistent MFA access to the compromised account at Uber "by socially engineering the victim into accepting a prompt that allowed the attacker to register their own device for MFA."

"The fact that the attackers appear to have compromised an IR team member's account is worrisome," Demirkapi tweeted. "EDRs can bake in 'backdoors' for IR, such as allowing IR teams to 'shell into' employee machines (if enabled), potentially widening the attacker's access."

**Bug Bounty Data Access is "Problematic"**

The apparent fact that the attacker gained access to Uber vulnerability data submitted via its bug bounty program is also problematic, security experts say. 

Curry says he learned of the access after the hacker posted a comment about Uber being hacked on the company's bug bounty tickets. Curry had previously discovered and submitted a vulnerability to Uber, which if exploited would have permitted access to its code repositories. That bug was addressed, but it's unclear how many of the other vulnerabilities that have been disclosed to the company have been fixed, how many of them were unpatched, and what level of access those vulnerabilities could provide if exploited. The situation could become significantly worse if the hacker sells the vulnerability data to others.

"Bug bounty programs are an important layer in mature security programs," says Shira Shamban, CEO at Solvo. "A main implication here is that the hacker now knows about other vulnerabilities within the Uber IT environment and can use them to set up backdoors for future use, which is unsettling."

Vulnerability and pen-testing tools are important in enabling companies to better assess and improve the security postures, says Amit Bareket, CEO and co-founder of Perimeter 81. "However, if the correct security measures aren't put in place, these tools can turn into double-sided swords, enabling bad actors to take advantage of the sensitive information they may contain," he says. 

Companies should be aware of this and make sure such reports are protected and stored in encrypted form to avoid being misused for malicious intent, Bareket notes.

The latest incident is unlikely to do much to improve Uber's already somewhat dinged reputation for security. In October 2016, the company experienced a data breach that exposed sensitive information on some 57 million riders. But instead of disclosing the breach as it was required to, the company paid $100,000 to the security researchers that reported the breach in what was viewed as an attempt to pay them off. In 2018, the company settled a lawsuit over the incident for $148 million. It arrived at similar but much smaller settlements in lawsuits over the incidents in the UK and the Netherlands.

Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber

Financial services firms need to learn how — and when — to put machine learning to use.

Deepfakes — also known as synthetic media — can be used for more than impersonating celebrities and making disinformation more believable. They can also be used for financial fraud.

Fraudsters can use deepfake technology to trick employees at financial institutions into changing account numbers and initiating money transfer requests for substantial amounts, says Satish Lalchand, principal at Deloitte Transaction and Business Analytics. He notes that these transactions are often difficult, if not impossible, to reverse.

Cybercriminals are constantly adopting new techniques to evade know-your-customer verification processes and fraud detection controls. In response, many businesses are exploring ways machine learning (ML) can detect fraudulent transactions involving synthetic media, synthetic identity fraud, or other suspicious behaviors. However, security teams should be mindful of the limitations of using ML to identify fraud at scale.

**Finding Fraud at Scale**

Fraud in the financial services sector over the past two years was driven by the fact that many transactions were pushed to digital channels as a result of the COVID-19 pandemic, Lalchand says. He cites three risk factors driving the adoption of ML technologies for customer and business verification: customers, employees, and fraudsters.

Though employees at financial services firms are typically monitored via cameras and digital chats at the office, remote workers are not surveilled as much, Lalchand says. With more customers signing up for financial services virtually, financial services firms are increasingly incorporating ML into their customer verification and authentication processes to close that window for both employees and customers. ML can also be used to identify fraudulent applications for government assistance or identity fraud, Lalchand says.

In addition to spotting fraudulent Paycheck Protection Program loans, ML models can be trained to recognize transaction patterns that could signal human trafficking or elder abuse scams, says Gary Shiffman, co-founder of Consilient, an IT firm specializing in financial crime prevention.

Financial institutions are now seeing fraud emerge across multiple products, but they tend to search for fraudulent transactions in silos. Artificial intelligence and ML technology can help bring together fraud signals from across multiple areas, Shiffman says.

"Institutions continue to do the whack-a-mole, and continue to try and identify where fraud was increasing, but it was just happening from all over the place," Lalchand says. "The fusion of information ... is called CyFi, bringing cyber and financial data together."

ML tools can assist in positively identifying customers, detecting identity fraud, and spotting the likelihood of risk, says Jose Caldera, chief product officer of global products for Acuant at GBG. ML can examine past behavior and risk signals and apply those lessons in the future, he says.

**The Limits of Machine Learning**

Though ML models can analyze data points to detect fraud at scale, there will always be false positives and false negatives, and the models will degrade over time, Caldera says. Therefore, cybersecurity teams training the algorithm to spot fraud must update their models and monitor its findings regularly, not just every six months or every year, he says.

"You have to make sure that you understand that the process is not a one-time \[task\]. And … you need to have the proper staffing that would allow you to maintain that process over time," Caldera says. "You're always going to get more information, and ... you need to be able to use it constantly on improving your models and improving your systems."

For IT and cybersecurity teams evaluating the effectiveness of ML algorithms, Shiffman says they will need to establish ground truth — the correct or "true" answer to a query or problem. To do so, teams using ML technologies try out a model using a test data set, using an answer key to count its false negatives, false positives, true positives, and true negatives, he says. Once these errors and correct answers are accounted for, companies can recalibrate their ML models to identify fraudulent activity in the future, he explains.

Besides updating their algorithms to detect fraud, IT and cybersecurity teams using ML technology must also be aware of legal restrictions on sharing data with other entities, even to identify fraud, Shiffman says. If you're handling data from another country, you may not be legally able to transfer it to the US, he says.

For teams looking to use ML technology for fraud detection, Caldera cautions that such tools are just one component of a fraud prevention strategy and that there is no one solution to solving that problem. After onboarding new customers, cybersecurity and IT professionals must stay abreast of how they are changing behaviors over time.

"The use or not of technology or machine learning is just one component of your toolset," Caldera says. "You as a business, you have to understand: What is the cost that you are putting to this, what is the risk tolerance that you have, and then what is the customer position that you want?"

Tackling Financial Fraud With Machine Learning

The attacks showcase broader security concerns as phishing grows in volume and sophistication, especially given that Windows Defender's Safe Links feature for identifying malicious links in emails completely failed in the campaign.

Thousands of Microsoft 365 credentials have been discovered stored in plaintext on phishing servers, as part of an unusual, targeted credential-harvesting campaign against real estate professionals. The attacks showcase the growing, evolving risk that traditional username-password combinations present, researchers say, especially as phishing continues to grow in sophistication, evading basic email security.   

Researchers from Ironscales discovered the offensive, in which cyberattackers had compromised email account credentials for employees at two well-known financial-services vendors in the realty space: First American Financial Corp., and United Wholesale Mortgage. The cybercrooks are using the accounts to send out phishing emails to realtors, real estate lawyers, title agents, and buyers and sellers, analysts said, in an attempt to steer them to spoofed Microsoft 365 login pages for capturing credentials.

The emails alert targets that attached documents needed to be reviewed or that they have new messages hosted on a secure server, according to a Sept. 15 posting on the campaign from Ironscales. In both cases, embedded links direct recipients to the fake login pages asking them to sign into Microsoft 365.

Once on the malicious page, researchers observed an unusual twist in the proceedings: The attackers tried to make the most of their time with the victims by attempting to tease out multiple passwords from each phishing session.

"Each attempt to submit these 365 credentials returned an error and prompted the user to try again," according to the researchers' writeup. "Users will usually submit the same credentials at least one more time before they try variations of other passwords they might have used in the past, providing a gold mine of credentials for criminals to sell or use in brute-force or credential-stuffing attacks to access popular financial or social-media accounts."

The care taken in the targeting of victims with a well-thought-out plan is one of the most notable aspects of the campaign, Eyal Benishti, founder and CEO at Ironscales, tells Dark Reading.

"This is going after people who work in real estate (real estate agents, title agents, real estate lawyers), using an email phishing template that spoofs a very familiar brand and familiar call to action ('review these secure documents' or 'read this secure message')," he says.

It's unclear how far the campaign may sprawl, but the company's investigation showed that at least thousands have been phished so far.

"The total number people phished is unknown, we only investigated a few instances that intersected our customers," Benishti says. "But just from the small sampling we analyzed, there more than 2,000 unique sets of credentials found in more than 10,000 submission attempts (many users supplied the same or alternate credentials multiple times)."

The risk to victims is high: Real estate-related transactions are often targeted for sophisticated fraud scams, especially transactions involving real estate title companies.

"Based on trends and stats, these attackers likely want to use the credentials to enable them to intercept/direct/redirect wire transfers associated with real estate transactions," according to Benishti.

**Microsoft Safe Links Falls Down on the Job**

Also notable (and unfortunate) in this particular campaign, a basic security control apparently failed.

In the initial round of phishing, the URL that targets were asked to click didn't try to hide itself, researchers noted — when mousing over the link, a red-flag-waving URL was displayed: "https://phishingsite.com/folde...\[dot\]shtm."

However, subsequent waves hid the address behind a Safe Links URL — a feature found in Microsoft Defender that's supposed to scan URLs to pick up on malicious links. Safe Link overwrites the link with a different URL using special nomenclature, once that link is scanned and deemed safe.

In this case, the tool only made it harder to visually inspect the actual in-your-face "this is a phish!" link, and also allowed the messages to more easily get past email filters. Microsoft did not respond to a request for comment.

"Safe Links has a several known weaknesses and generating a false sense of security is the significant weakness in this situation," Benishti says. "Safe Links didn’t detect any risks or deception associated with the original link, but rewrote the link as if it had. Users and many security professionals gain a false sense of security because a security control in place, but this control is largely ineffective."

Also of note: In the United Wholesale Mortgage emails, the message was also flagged as a "Secure Email Notification," included a confidentiality disclaimer, and sported a fake "Secured by Proofpoint Encryption" banner.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said that his company is no stranger to being brand-hijacked, adding that fake use of its name is in fact a known cyberattack technique that the company's products scan for.

It's a good reminder that users can't rely on branding to determine the veracity of a message, he notes: "Threat actors often pretend to be well-known brands to entice their targets into divulging information," he says. "They also often impersonate known security vendors to add legitimacy to their phishing emails."

**Even Bad Guys Make Mistakes**

Meanwhile, it might not be just the OG phishers that are benefiting from the stolen credentials.

During the analysis of the campaign, researchers picked up on a URL in the emails that shouldn't have been there: a path that points to a computer file directory. Inside that directory were the cybercriminals' ill-gotten gains, i.e., every single email and password combo submitted to that particular phishing site, kept in a cleartext file that anyone could have accessed.

"This was totally an accident," Benishti says. "The result of sloppy work, or more likely ignorance if they are using a phishing kit developed by someone else — there are tons of which available for purchase on black market."

The fake webpage servers (and cleartext files) were quickly shut down or removed, but as Benishti noted, it's likely that the phishing kit the attackers are using is responsible for the cleartext glitch — which means they "will continue to make their stolen credentials available to the world."

**Stolen Credentials, More Sophistication Fuels Phish Frenzy**

The campaign more broadly puts into perspective the epidemic of phishing and credential harvesting — and what it means for authentication going forward, researchers note.

Darren Guccione, CEO and co-founder at Keeper Security, says that phishing continues to evolve in terms of its sophistication level, which should act as a clarion warning to enterprises, given the elevated level of risk.

"Bad actors at all levels are tailoring phishing scams using aesthetic-based tactics such as realistic-looking email templates and malicious websites to lure in their victims, then take over their account by changing the credentials, which prevents access by the valid owner," he tells Dark Reading. "In a vendor impersonation attack \[like this one\], when cybercriminals use stolen credentials to send phishing emails from a legitimate email address, this dangerous tactic is even more convincing because the email originates from a familiar source."

Most modern phishes can also bypass secure email gateways and even spoof or subvert two-factor authentication (2FA) vendors, adds Monnia Deng, director of product marketing at Bolster, while social engineering in general is extraordinarily effective in a time of cloud, mobility, and remote work.

"When everyone expects their online experience to be fast and easy, human error is inevitable, and these phishing campaigns are getting more clever," she says. She adds that three macro-trends are responsible for the record numbers of phishing-related attacks: "The pandemic-fueled move to digital platforms for business continuity, the growing army of script kiddies who can easily purchase phishing kits or even buy phishing as a subscription service, and the interdependency of technology platforms that could create a supply chain attack from a phishing email."

Thus, the reality is that the Dark Web hosts large caches of stolen usernames and passwords; big data dumps are not uncommon, and are in turn spurring not only credential-stuffing and brute-force attacks, but also additional phishing efforts.

For instance, it's possible that threat actors used information from a recent First American Financial breach to compromise the email account they used to send out the phishes; that incident exposed 800 million documents containing personal information.

"Data breaches or leaks have a longer half-life than people think," Benishti says. "The First American Financial breach happened in May 2019, but the personal data exposed can be weaponized used years afterwards."

To thwart this bustling market and the profiteers that operate within it, it's time to look beyond the password, he adds.

"Passwords require ever increasing complexity and rotation frequency, leading to security burnout," Benishti says. "Many users accept the risk of being insecure over the effort to create complex passwords because doing the right thing is made so complex. Multifactor authentication helps, but it is not a bulletproof solution. Fundamental change is needed to verify you are who you say you are in a digital world and gain access to the resources you need."

**How to Fight the Phishing Tsunami**

With widespread passwordless approaches still a ways off, Proofpoint's Kalember says that the basic user-awareness tenets are the place to start when fighting phishing.

"People should approach all unsolicited communications with caution, especially those that request the user to act, such as downloading or opening an attachment, clicking a link, or disclosing credentials such as personal or financial information," he says.

Also, it’s critical that everyone learn and practice good password hygiene across every service they use, Benishti adds: "And if you are ever notified that your information may have been involved in a breach, go reset all of your passwords for every service you use. If not, motivated attackers have cleaver ways of correlating all sorts of data and accounts to get what they want."

In addition, Ironscales recommends regular phishing simulation testing for all employees, and called out a rule-of-thumb set of red flags to look for:

*   Users could have identified this phishing attack by closely looking at the sender
*   Make sure the sending address matches the return address and the address is from a domain (URL) that usually matches the business they deal with.
*   Look for bad spelling and grammar.
*   Mouse over links and look at the full URL/address of the destination, see if it looks unusual.
*   Always be very cautious about sites that ask you for credentials not associated with them, like Microsoft 365 or Google Workspace login.

Source

DARKReading