TPx, a leading nationwide managed services provider (MSP) delivering cybersecurity, managed networks, and cloud communications, today announced the addition of penetration scanning to its Security Advisory Services portfolio.

**AUSTIN, Texas, Sept. 19, 2022 /PRNewswire-PRWeb/ —** TPx, a leading nationwide managed services provider (MSP) delivering cybersecurity, managed networks, and cloud communications, today announced the addition of Penetration Scanning to its Security Advisory Services portfolio.

Penetration Scanning is one of the best ways organizations can understand where security weaknesses and risks exist across the network and what the impact of cyberattacks would be. TPx Penetration Scanning leverages an automated scanning platform, which provides short turnarounds coupled with low costs. This expanded offer builds on TPx's Vulnerability Scanning, which evaluates devices that are connected to the network to identify vulnerabilities.

By combining Penetration Scanning and Vulnerability Scanning, TPx is providing customers a more comprehensive way to identify risk and strengthen their security posture. A TPx Vulnerability and Penetration Scan mirrors the behavior of bad actors to help customers understand how likely it is that a hacker will be able to exploit a businesses' weaknesses to gain access to systems or confidential information on their network. Performed as one-time events or in regular intervals, scans track a company's risk profile in near real time.

"Proactively maintaining and protecting an organization's network requires continuous effort - no matter the company's size, type or number of locations," said Rick Mace, CEO, TPx. "As the threat landscape continues to expand and become more complex, Vulnerability and Penetration Scanning are two of the best tools a business can use to understand its weaknesses and how a hacker might exploit them."

TPx continues to evolve its offerings to continuously improve how it meets changing customer needs. TPx's Penetration Scan is designed for businesses of all sizes that need an affordable way to mitigate risk, be eligible for cyber insurance, and stay compliant with various regulations and policies.

For more information on TPx's Vulnerability and Penetration Scanning, visit  
https://www.tpx.com/services/managed-it/security-advisory-services/

About TPx  
TPx is a leading nationwide managed service provider focused on the success of small- and medium-sized businesses (SMBs) with approximately 18,000 customers in more than 49,000 locations across the U.S. For more than two decades, TPx has offered managed services and solutions to help customers across every business sector address the growing complexity of their IT environments. For more information, visit http://www.tpx.com or follow TPx on LinkedIn, Twitter and Facebook.

SOURCE: TPx

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

TPx Introduces Penetration Scanning, Expands Security Advisory Services

Cyberattacks keep inflicting more expensive damage, but firms are responding decisively to the challenge.

In seven out of eight countries, cyberattacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cybersecurity professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.

**Cyberattacks Are a Bigger Concern for US Businesses Than the "Great Reshuffle"**

According to the report, IT pros in US businesses are more worried about cyberattacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyberattacks. Approximately half of all US businesses (47%) suffered an attack in the past year.

Remote work has caused many smaller organizations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organizations more vulnerable to cybercrime.

**COVID Has Caused Businesses to Double Their IT Spending**

Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Alannah Paul, cyber product head for Hiscox in the US, said in a statement. "Remote working provided a year-long Christmas for cybercriminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cybersecurity."

**The Costs Keep Rising**

It may come as no surprise that as more organizations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyberattack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cybercriminals — was a cloud-based corporate server.

However, in terms of attack costs, the report reveals major regional disparities. While one organization in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.

**US Companies Lead in Cyber Maturity but Are More Likely to Pay a Ransom**

The US recorded a "cyber maturity" score of 3.05 — the highest among the countries ranked — compared with the average of 2.94. Still, US companies were the most likely to pay a ransom to recover their stolen data. Eighty-four percent of American companies that suffered a ransomware attack paid up.

On the other hand, Hiscox reported that the median cost of total ransoms paid is down by 20%, and recovery costs have nearly halved. More firms got their data back or succeeded in restoring it. Larger organizations, with 1,000 or more employees, are more likely to have recovered their data (68% compared with 59% on average) and are far less likely to have had their data exposed (20% compared with 29% on average).

**Closing Remarks**

While cybercriminals have always preferred to go after high-value, high-profile companies, they're starting to move lower down the food chain. According to the report, firms with revenues of $100,000 to $500,000 can now look forward to as many cyberattacks as firms that earn $1 million to $9 million annually. Regardless of size, no one is immune. Doing the basics well is vital, and relatively low cost, especially when set against the cost of managing a wide-ranging attack and the outage that comes along with it.

Increasing awareness of cyber threats is a positive signal, and a step into the right direction. Smaller organizations aren't planning to — and probably can't — cover quite as many bases as their larger counterparts. But they're not far behind. For instance, 44% of the smaller firms included in the Hiscox report said they plan to regularly simulate a cyberattack to gauge their company's incident response plan, compared with 58% of the big firms. Not bad.

On the other hand, the number of organizations reporting attacks has risen, and so has the severity of the attacks. The scale of the challenge is nothing to sneeze at. As such, all companies, large and small, must implement a carefully structured approach to effectively and successfully combat cyber threats.

Cyberattack Costs for US Businesses up by 80%

Alleged teen hacker claims he found an admin password in a network share inside Uber that allowed complete access to ride-sharing giant's AWS, Windows, Google Cloud, VMware, and other environments.

Questions are swirling around Uber's internal security practices after an 18-year-old hacker gained what appears to have been complete administrative access to critical parts of the company's IT infrastructure using an employee's VPN credentials as an initial access vector.

Numerous screenshots that the alleged attacker posted online suggest the intruder did not have to breach a single internal system to essentially pwn the ride-sharing giant's IT domain almost entirely.

So far, Uber has not disclosed details of the incident beyond saying that the company is responding to it and working with law enforcement to investigate the breach. So, at least some of what is being is reported about the incident is based on a New York Times report from Sept. 15 in which the teen claimed to have gained access to Uber's internal networks using credentials obtained from an employee via social engineering. The attacker used that access to move laterally across Uber's internal domain to other critical systems, including its email, cloud storage, and code repository environments.

Since then, he has posted numerous screen shots of internal systems at Uber to confirm the access he had obtained on it and how it was obtained.

The screenshots show the hacker gained full administrative access to Uber's AWS, Google Cloud, VMware vSphere, and Windows environments — as well as to a full database of vulnerabilities in its platform that security researchers have discovered and disclosed to the company via a bug bounty program managed by HackerOne. The internal data the attacker accessed appears to include Uber sales metrics, information on Slack, and even info from the company's endpoint detection and response (EDR) platform.

In a tweet thread that some security researchers reposted, Twitter user Corben Leo posted claims from the alleged hacker that he used the socially engineered credentials to access Uber's VPN and scan the company's intranet. The hacker described finding an Uber network share that contained PowerShell scripts with privileged admin credentials. "One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, Duo, OneLogin, AWS, GSuite," the attacker claimed.

For now, the attacker's motivations are not very clear. Normally, it's pretty apparent, but the only thing that hacker has done so far is make a lot of noise, noted that Uber drivers should be paid more, and shared screenshots proving access.

"They seemed really young and maybe even a little sloppy. Some of their screenshots had open chat windows and a ton of metadata," says Sam Curry, a security engineer at Yuga Labs who has reviewed the screenshots,

**Pure-Play Social Engineering**

Invincible Security Group (ISG), a Dubai-based security services firm, claimed that its researchers had obtained a list of administrative credentials that the threat actor had gathered. "They seem to be strong passwords, which confirms that it was indeed a social-engineering attack that got him access to Uber's internal network," ISG tweeted.

Curry tells Dark Reading that the attacker appears to have gained initial access from compromising one employee's login information and social engineering that person's VPN two-factor authentication 2FA prompt.

"Once they had VPN access, they discovered a network drive with 'keys to the kingdom,' which allowed them to access \[Uber's\] cloud hosting as root on both Google Cloud Platform and Amazon Web Services," Curry notes. "This means they probably had access to every cloud deployment, which is likely the majority of Uber's running applications and cloud storage."

One significant fact is that the employee who was initially compromised worked in incident response, he notes, adding that normally such employees have access to many more tools within Uber's environment than average employees. 

"Having this level of access, and additionally the access they found in the PowerShell script, means that they probably didn’t have too many limitations to do whatever they wanted inside Uber," Curry says.  

In a series of tweets, independent security researcher Bill Demirkapi said the attacker appears to have gained persistent MFA access to the compromised account at Uber "by socially engineering the victim into accepting a prompt that allowed the attacker to register their own device for MFA."

"The fact that the attackers appear to have compromised an IR team member's account is worrisome," Demirkapi tweeted. "EDRs can bake in 'backdoors' for IR, such as allowing IR teams to 'shell into' employee machines (if enabled), potentially widening the attacker's access."

**Bug Bounty Data Access is "Problematic"**

The apparent fact that the attacker gained access to Uber vulnerability data submitted via its bug bounty program is also problematic, security experts say. 

Curry says he learned of the access after the hacker posted a comment about Uber being hacked on the company's bug bounty tickets. Curry had previously discovered and submitted a vulnerability to Uber, which if exploited would have permitted access to its code repositories. That bug was addressed, but it's unclear how many of the other vulnerabilities that have been disclosed to the company have been fixed, how many of them were unpatched, and what level of access those vulnerabilities could provide if exploited. The situation could become significantly worse if the hacker sells the vulnerability data to others.

"Bug bounty programs are an important layer in mature security programs," says Shira Shamban, CEO at Solvo. "A main implication here is that the hacker now knows about other vulnerabilities within the Uber IT environment and can use them to set up backdoors for future use, which is unsettling."

Vulnerability and pen-testing tools are important in enabling companies to better assess and improve the security postures, says Amit Bareket, CEO and co-founder of Perimeter 81. "However, if the correct security measures aren't put in place, these tools can turn into double-sided swords, enabling bad actors to take advantage of the sensitive information they may contain," he says. 

Companies should be aware of this and make sure such reports are protected and stored in encrypted form to avoid being misused for malicious intent, Bareket notes.

The latest incident is unlikely to do much to improve Uber's already somewhat dinged reputation for security. In October 2016, the company experienced a data breach that exposed sensitive information on some 57 million riders. But instead of disclosing the breach as it was required to, the company paid $100,000 to the security researchers that reported the breach in what was viewed as an attempt to pay them off. In 2018, the company settled a lawsuit over the incident for $148 million. It arrived at similar but much smaller settlements in lawsuits over the incidents in the UK and the Netherlands.

Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber

Financial services firms need to learn how — and when — to put machine learning to use.

Deepfakes — also known as synthetic media — can be used for more than impersonating celebrities and making disinformation more believable. They can also be used for financial fraud.

Fraudsters can use deepfake technology to trick employees at financial institutions into changing account numbers and initiating money transfer requests for substantial amounts, says Satish Lalchand, principal at Deloitte Transaction and Business Analytics. He notes that these transactions are often difficult, if not impossible, to reverse.

Cybercriminals are constantly adopting new techniques to evade know-your-customer verification processes and fraud detection controls. In response, many businesses are exploring ways machine learning (ML) can detect fraudulent transactions involving synthetic media, synthetic identity fraud, or other suspicious behaviors. However, security teams should be mindful of the limitations of using ML to identify fraud at scale.

**Finding Fraud at Scale**

Fraud in the financial services sector over the past two years was driven by the fact that many transactions were pushed to digital channels as a result of the COVID-19 pandemic, Lalchand says. He cites three risk factors driving the adoption of ML technologies for customer and business verification: customers, employees, and fraudsters.

Though employees at financial services firms are typically monitored via cameras and digital chats at the office, remote workers are not surveilled as much, Lalchand says. With more customers signing up for financial services virtually, financial services firms are increasingly incorporating ML into their customer verification and authentication processes to close that window for both employees and customers. ML can also be used to identify fraudulent applications for government assistance or identity fraud, Lalchand says.

In addition to spotting fraudulent Paycheck Protection Program loans, ML models can be trained to recognize transaction patterns that could signal human trafficking or elder abuse scams, says Gary Shiffman, co-founder of Consilient, an IT firm specializing in financial crime prevention.

Financial institutions are now seeing fraud emerge across multiple products, but they tend to search for fraudulent transactions in silos. Artificial intelligence and ML technology can help bring together fraud signals from across multiple areas, Shiffman says.

"Institutions continue to do the whack-a-mole, and continue to try and identify where fraud was increasing, but it was just happening from all over the place," Lalchand says. "The fusion of information ... is called CyFi, bringing cyber and financial data together."

ML tools can assist in positively identifying customers, detecting identity fraud, and spotting the likelihood of risk, says Jose Caldera, chief product officer of global products for Acuant at GBG. ML can examine past behavior and risk signals and apply those lessons in the future, he says.

**The Limits of Machine Learning**

Though ML models can analyze data points to detect fraud at scale, there will always be false positives and false negatives, and the models will degrade over time, Caldera says. Therefore, cybersecurity teams training the algorithm to spot fraud must update their models and monitor its findings regularly, not just every six months or every year, he says.

"You have to make sure that you understand that the process is not a one-time \[task\]. And … you need to have the proper staffing that would allow you to maintain that process over time," Caldera says. "You're always going to get more information, and ... you need to be able to use it constantly on improving your models and improving your systems."

For IT and cybersecurity teams evaluating the effectiveness of ML algorithms, Shiffman says they will need to establish ground truth — the correct or "true" answer to a query or problem. To do so, teams using ML technologies try out a model using a test data set, using an answer key to count its false negatives, false positives, true positives, and true negatives, he says. Once these errors and correct answers are accounted for, companies can recalibrate their ML models to identify fraudulent activity in the future, he explains.

Besides updating their algorithms to detect fraud, IT and cybersecurity teams using ML technology must also be aware of legal restrictions on sharing data with other entities, even to identify fraud, Shiffman says. If you're handling data from another country, you may not be legally able to transfer it to the US, he says.

For teams looking to use ML technology for fraud detection, Caldera cautions that such tools are just one component of a fraud prevention strategy and that there is no one solution to solving that problem. After onboarding new customers, cybersecurity and IT professionals must stay abreast of how they are changing behaviors over time.

"The use or not of technology or machine learning is just one component of your toolset," Caldera says. "You as a business, you have to understand: What is the cost that you are putting to this, what is the risk tolerance that you have, and then what is the customer position that you want?"

Tackling Financial Fraud With Machine Learning

The attacks showcase broader security concerns as phishing grows in volume and sophistication, especially given that Windows Defender's Safe Links feature for identifying malicious links in emails completely failed in the campaign.

Thousands of Microsoft 365 credentials have been discovered stored in plaintext on phishing servers, as part of an unusual, targeted credential-harvesting campaign against real estate professionals. The attacks showcase the growing, evolving risk that traditional username-password combinations present, researchers say, especially as phishing continues to grow in sophistication, evading basic email security.   

Researchers from Ironscales discovered the offensive, in which cyberattackers had compromised email account credentials for employees at two well-known financial-services vendors in the realty space: First American Financial Corp., and United Wholesale Mortgage. The cybercrooks are using the accounts to send out phishing emails to realtors, real estate lawyers, title agents, and buyers and sellers, analysts said, in an attempt to steer them to spoofed Microsoft 365 login pages for capturing credentials.

The emails alert targets that attached documents needed to be reviewed or that they have new messages hosted on a secure server, according to a Sept. 15 posting on the campaign from Ironscales. In both cases, embedded links direct recipients to the fake login pages asking them to sign into Microsoft 365.

Once on the malicious page, researchers observed an unusual twist in the proceedings: The attackers tried to make the most of their time with the victims by attempting to tease out multiple passwords from each phishing session.

"Each attempt to submit these 365 credentials returned an error and prompted the user to try again," according to the researchers' writeup. "Users will usually submit the same credentials at least one more time before they try variations of other passwords they might have used in the past, providing a gold mine of credentials for criminals to sell or use in brute-force or credential-stuffing attacks to access popular financial or social-media accounts."

The care taken in the targeting of victims with a well-thought-out plan is one of the most notable aspects of the campaign, Eyal Benishti, founder and CEO at Ironscales, tells Dark Reading.

"This is going after people who work in real estate (real estate agents, title agents, real estate lawyers), using an email phishing template that spoofs a very familiar brand and familiar call to action ('review these secure documents' or 'read this secure message')," he says.

It's unclear how far the campaign may sprawl, but the company's investigation showed that at least thousands have been phished so far.

"The total number people phished is unknown, we only investigated a few instances that intersected our customers," Benishti says. "But just from the small sampling we analyzed, there more than 2,000 unique sets of credentials found in more than 10,000 submission attempts (many users supplied the same or alternate credentials multiple times)."

The risk to victims is high: Real estate-related transactions are often targeted for sophisticated fraud scams, especially transactions involving real estate title companies.

"Based on trends and stats, these attackers likely want to use the credentials to enable them to intercept/direct/redirect wire transfers associated with real estate transactions," according to Benishti.

**Microsoft Safe Links Falls Down on the Job**

Also notable (and unfortunate) in this particular campaign, a basic security control apparently failed.

In the initial round of phishing, the URL that targets were asked to click didn't try to hide itself, researchers noted — when mousing over the link, a red-flag-waving URL was displayed: "https://phishingsite.com/folde...\[dot\]shtm."

However, subsequent waves hid the address behind a Safe Links URL — a feature found in Microsoft Defender that's supposed to scan URLs to pick up on malicious links. Safe Link overwrites the link with a different URL using special nomenclature, once that link is scanned and deemed safe.

In this case, the tool only made it harder to visually inspect the actual in-your-face "this is a phish!" link, and also allowed the messages to more easily get past email filters. Microsoft did not respond to a request for comment.

"Safe Links has a several known weaknesses and generating a false sense of security is the significant weakness in this situation," Benishti says. "Safe Links didn’t detect any risks or deception associated with the original link, but rewrote the link as if it had. Users and many security professionals gain a false sense of security because a security control in place, but this control is largely ineffective."

Also of note: In the United Wholesale Mortgage emails, the message was also flagged as a "Secure Email Notification," included a confidentiality disclaimer, and sported a fake "Secured by Proofpoint Encryption" banner.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said that his company is no stranger to being brand-hijacked, adding that fake use of its name is in fact a known cyberattack technique that the company's products scan for.

It's a good reminder that users can't rely on branding to determine the veracity of a message, he notes: "Threat actors often pretend to be well-known brands to entice their targets into divulging information," he says. "They also often impersonate known security vendors to add legitimacy to their phishing emails."

**Even Bad Guys Make Mistakes**

Meanwhile, it might not be just the OG phishers that are benefiting from the stolen credentials.

During the analysis of the campaign, researchers picked up on a URL in the emails that shouldn't have been there: a path that points to a computer file directory. Inside that directory were the cybercriminals' ill-gotten gains, i.e., every single email and password combo submitted to that particular phishing site, kept in a cleartext file that anyone could have accessed.

"This was totally an accident," Benishti says. "The result of sloppy work, or more likely ignorance if they are using a phishing kit developed by someone else — there are tons of which available for purchase on black market."

The fake webpage servers (and cleartext files) were quickly shut down or removed, but as Benishti noted, it's likely that the phishing kit the attackers are using is responsible for the cleartext glitch — which means they "will continue to make their stolen credentials available to the world."

**Stolen Credentials, More Sophistication Fuels Phish Frenzy**

The campaign more broadly puts into perspective the epidemic of phishing and credential harvesting — and what it means for authentication going forward, researchers note.

Darren Guccione, CEO and co-founder at Keeper Security, says that phishing continues to evolve in terms of its sophistication level, which should act as a clarion warning to enterprises, given the elevated level of risk.

"Bad actors at all levels are tailoring phishing scams using aesthetic-based tactics such as realistic-looking email templates and malicious websites to lure in their victims, then take over their account by changing the credentials, which prevents access by the valid owner," he tells Dark Reading. "In a vendor impersonation attack \[like this one\], when cybercriminals use stolen credentials to send phishing emails from a legitimate email address, this dangerous tactic is even more convincing because the email originates from a familiar source."

Most modern phishes can also bypass secure email gateways and even spoof or subvert two-factor authentication (2FA) vendors, adds Monnia Deng, director of product marketing at Bolster, while social engineering in general is extraordinarily effective in a time of cloud, mobility, and remote work.

"When everyone expects their online experience to be fast and easy, human error is inevitable, and these phishing campaigns are getting more clever," she says. She adds that three macro-trends are responsible for the record numbers of phishing-related attacks: "The pandemic-fueled move to digital platforms for business continuity, the growing army of script kiddies who can easily purchase phishing kits or even buy phishing as a subscription service, and the interdependency of technology platforms that could create a supply chain attack from a phishing email."

Thus, the reality is that the Dark Web hosts large caches of stolen usernames and passwords; big data dumps are not uncommon, and are in turn spurring not only credential-stuffing and brute-force attacks, but also additional phishing efforts.

For instance, it's possible that threat actors used information from a recent First American Financial breach to compromise the email account they used to send out the phishes; that incident exposed 800 million documents containing personal information.

"Data breaches or leaks have a longer half-life than people think," Benishti says. "The First American Financial breach happened in May 2019, but the personal data exposed can be weaponized used years afterwards."

To thwart this bustling market and the profiteers that operate within it, it's time to look beyond the password, he adds.

"Passwords require ever increasing complexity and rotation frequency, leading to security burnout," Benishti says. "Many users accept the risk of being insecure over the effort to create complex passwords because doing the right thing is made so complex. Multifactor authentication helps, but it is not a bulletproof solution. Fundamental change is needed to verify you are who you say you are in a digital world and gain access to the resources you need."

**How to Fight the Phishing Tsunami**

With widespread passwordless approaches still a ways off, Proofpoint's Kalember says that the basic user-awareness tenets are the place to start when fighting phishing.

"People should approach all unsolicited communications with caution, especially those that request the user to act, such as downloading or opening an attachment, clicking a link, or disclosing credentials such as personal or financial information," he says.

Also, it’s critical that everyone learn and practice good password hygiene across every service they use, Benishti adds: "And if you are ever notified that your information may have been involved in a breach, go reset all of your passwords for every service you use. If not, motivated attackers have cleaver ways of correlating all sorts of data and accounts to get what they want."

In addition, Ironscales recommends regular phishing simulation testing for all employees, and called out a rule-of-thumb set of red flags to look for:

*   Users could have identified this phishing attack by closely looking at the sender
*   Make sure the sending address matches the return address and the address is from a domain (URL) that usually matches the business they deal with.
*   Look for bad spelling and grammar.
*   Mouse over links and look at the full URL/address of the destination, see if it looks unusual.
*   Always be very cautious about sites that ask you for credentials not associated with them, like Microsoft 365 or Google Workspace login.

Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials

Building quantum resilience requires C-suite commitment, but it doesn't have to mean tearing out existing infrastructure.

You may feel that encrypting data with current technology will offer robust protection. Even if there is a data breach, you may presume the information is secure. But if your organization works with data with a "long tail" — that is, its value lasts years — you'd be wrong.

Fast forward five to 10 years from now. Quantum computers — which use quantum mechanics to run operations millions of times faster than today's supercomputers can — will arrive and will be able to decrypt today's encryption in minutes. At that point, nation-state actors simply have to upload the encrypted data that they've been collecting for years into a quantum computer, and in a few minutes, they will be able to access any part of the stolen data in plaintext. This type of "harvest now, decrypt later" (HNDL) attack is one of the reasons why adversaries are targeting encrypted data now. They know they can't decrypt the data today but will be able to tomorrow.

Even though the threat of quantum computing is some years away, the risk exists today. It is for this reason that US President Joe Biden signed a National Security Memorandum requiring federal agencies, defense, critical infrastructure, financial systems, and supply chains to develop plans to adopt quantum-resilient encryption. President Biden setting the tone for federal agencies serves as an apt metaphor — quantum risk should be discussed, and risk mitigation plans developed, at the leadership (CEO and board) level.

**Take the Long-Term View**

Research analyst data suggests the typical CISO spends two to three years at a company. This leads to potential misalignment with a risk that is likely to materialize in five to 10 years. And yet, as we see with government agencies and a host of other organizations, the data you generate _today_ can provide adversaries with tremendous value in the future once they can access it. This existential problem will likely not be tackled solely by the person in charge of security. It must be addressed at the highest business leadership levels owing to its critical nature.

For this reason, savvy CISOs, CEOs, and boards should address the quantum computing risk problem together, _now_. Once the decision to embrace quantum-resistant encryption is made, the questions invariably become, "Where do we start, and how much will it cost?"

The good news is it doesn't have to be a painful or costly process. In fact, existing quantum-resilient encryption solutions can run on existing cybersecurity infrastructure. But it is a transformational journey — the learning curve, internal strategy and project planning decisions, technology validation and planning, and implementation all take time — so it is imperative that business leaders begin preparing today.

**Focus on Randomizing and Key Management**

The road to quantum resilience requires commitment from key stakeholders, but it is practical and does not usually require ripping-and-replacing existing encryption infrastructure. One of the first steps is to understand where all of your critical data resides, who has access to it, and what protection measures are currently in place. Next, it is important to identify which data is most sensitive and what its sensitivity lifetime is. Once you have these data points, you can develop a plan to prioritize the migration of the data sets to quantum-resilient encryption.

Organizations must give thought to two key points when considering quantum-resilient encryption: the quality of the random numbers used to encrypt and decrypt data and the key distribution. One of the vectors quantum computers could use to crack current encryption standards is to exploit encryption/decryption keys that are derived from numbers that are not truly random. Quantum-resistant cryptography uses longer encryption keys and, most importantly, ones that are based on truly random numbers so they can't be cracked.

Second, the typical company has several encryption technologies and key-distribution products, and management is complex. Consequently, to reduce the reliance on keys, often only large files are encrypted, or, worse yet, lost keys leave batches of data inaccessible. It is imperative that organizations deploy high-availability, enterprise-scale encryption key management to enable a virtually unlimited number of smaller files and records to be encrypted. This results in a significantly more secure enterprise.

Quantum-resistant encryption is no longer a "nice to have." With every passing day, risk is mounting as encrypted data is stolen for future cracking. Happily, unlike quantum computing, it does not require a huge investment, and the resulting risk reduction is almost immediate. Getting started is the hardest part.

Keep Today's Encrypted Data From Becoming Tomorrow's Treasure

The target has been under relentless DDoS attack, which ultimately set a new packets-per-second record for Europe.

Researchers at Akamai are reporting a distributed denial-of-service (DDoS) attack in Eastern Europe, which set records by peaking at 704.8 Mpps as the cyberattackers tried to cripple the organization's business operations.  

The attackers began by targeting the victim's primary data center, before expanding unexpectedly and hitting six different global locations, from Europe to North America.

This isn't the first record-breaking DDoS attack this unidentified Eastern European victim has weathered. In July, it was on the receiving end of 14-hour attack that set the previous European packets-per-second record of 659.6 Mpps.

The notable set of attacks is part of an emerging trend toward more complex, powerful, and persistent DDoS attacks, according to Akamai. 

"Adversaries are constantly evolving their techniques, tactics, and procedures to evade detection and maximize disruption, as demonstrated by this ongoing attack campaign," the Akamai report on the European DDoS attack said. "These events reflect a growing trend in which adversaries are increasingly hitting deep-reconnaissance targets," 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Attack Against Eastern Europe Target Sets New Record

A teen hacker reportedly social-engineered an Uber employee to hand over an MFA code to unlock the corporate VPN, before burrowing deep into Uber's cloud and code repositories.

**_This post was updated at 2:15 ET on Sept. 16, 2022 to reflect additional initial compromise information._**

Ride-sharing giant Uber took some of its operations offline late Thursday after it discovered that its internal systems have been compromised. The attacker was able to social-engineer his way into an employee's VPN account before pivoting deeper into the network, the company said.

While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails, data pilfered from Google Cloud storage, and Uber's proprietary source code, "proof" of which he sent out to some cybersecurity researchers and media outlets, including The New York Times.

"They pretty much have full access to Uber," Sam Curry, security engineer at Yuga Labs, told the Times. "This is a total compromise, from what it looks like."

**Compromise Dominoes**

The Slack collaboration platform was the first system taken offline, but other internal systems quickly followed, according to reports. Just before the disablement, the attacker sent off a Slack message to Uber employees (some of whom shared it on Twitter): "I announce I am a hacker and Uber has suffered a data breach."

The perp also told researchers and media that the breach began with a text message to an Uber employee, purporting to be from corporate IT. More specifically, according to independent cybersecurity analyst Graham Cluley, the hacker mounted what's known as an "MFA fatigue attack." 

To wit: The attacker had already determined a valid username and password for Uber's VPN, but needed a text-based multifactor authentication (MFA) one-time code to get into the account. So, he bombarded the worker with MFA push notifications for more than an hour before contacting the target via WhatsApp, where he again posed as Uber IT staff. If the person wanted the irritation to stop, he said, they needed to accept the MFA request. The target complied.

"While no official explanation has been provided yet, \[apparently\] the intruder was able to connect to the corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share," Ian McShane, vice president of strategy at Arctic Wolf, said in a statement. "This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools."

The hacker also told other researchers that once in, he scanned the company’s intranet, and was lucky enough to find a PowerShell script containing hardcoded credentials for a Thycotic privileged access management (PAM) admin account, which gave him bountiful tools to unlock other internal systems, like Slack.

In a media statement to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, and simply said that the company was working with law enforcement to investigate the breach. Publicly, via Twitter, the company posted, "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

According to reports, the hacker said he is 18 years old and targeted the company to demonstrate its weak security; there may also be a hacktivist element, because he also declared in the Slack message to employees that Uber drivers should be paid more.

"Given the access they claim to have gained, I'm surprised the attacker didn't attempt to ransom or extort, it looks like they did it 'for the lulz,'" McShane added.

**Not Uber's First Data Breach Ride**

Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers made off with personal information for 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation led to a non-prosecution settlement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, which it didn't even disclose for more than a year.

Also related to that earlier hit, in 2018 Uber settled nationwide civil litigation by paying $148 million to all 50 states and the District of Columbia; and, ironically given the new developments, it agreed to "implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."

Hacker Pwns Uber Via Compromised VPN Account

Since 2007, the Pwnies have celebrated the good, the bad, and the wacky in cybersecurity. Enjoy some of the best moments of this year's ceremony.

Highlights of the 2022 Pwnie Awards

Be wary of being pestered into making a bad decision. As digital applications proliferate, educating users against social engineering attempts is a key part of a strong defense.

Social engineering is hardly a new concept, even in the world of cybersecurity. Phishing scams alone have been around for nearly 30 years, with attackers consistently finding new ways to entice victims into clicking a link, downloading a file, or providing sensitive information.

Business email compromise (BEC) attacks iterated on this concept by having the attacker gain access to a legitimate email account and impersonate its owner. Attackers reason that victims won't question an email that comes from a trusted source — and all too often, they're right.

But email isn't the only effective means cybercriminals use to engage in social engineering attacks. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communications tools and financial services. What's more, these applications are interconnected, so an attacker who can compromise one can compromise others, too. Organizations can't afford to focus exclusively on phishing and BEC attacks — not when business application compromise (BAC) is on the rise.

**Targeting Single Sign-on**

Businesses use digital applications because they're helpful and convenient. In the age of remote work, employees need access to critical tools and resources from a wide range of locations and devices. Applications can streamline workflows, increase access to critical information, and make it easier for employees to do their jobs. An individual department within an organization might use dozens of applications, while the average company uses more than 200. Unfortunately, security and IT departments don't always know about — let alone approve of — these applications, making oversight a problem.

Authentication is another issue. Creating (and remembering) unique username and password combinations can be a challenge for anyone who uses dozens of different apps to do their job. Using a password manager is one solution, but it can be difficult for IT to enforce. Instead, many companies streamline their authentication processes through single sign-on (SSO) solutions, which allow employees to sign into an approved account once for access to all connected applications and services. But because SSO services give users easy access to dozens (or even hundreds) of business applications, they are high-value targets for attackers. SSO providers have security features and capabilities of their own, of course — but human error remains a difficult problem to solve.

**Social Engineering, Evolved**

Many applications — and certainly most SSO solutions — have multifactor authentication (MFA). This makes it more difficult for attackers to compromise an account, but it's certainly not impossible. MFA can be annoying to users, who may have to use it to sign into accounts multiple times a day — leading to impatience and, sometimes, carelessness.

Some MFA solutions require the user to input a code or show their fingerprint. Others simply ask, "Is this you?" The latter, while easier for the user, gives attackers room to operate. An attacker who already obtained a set of user credentials might try to log in multiple times, despite knowing that the account is MFA-protected. By spamming the user's phone with MFA authentication requests, attackers increase the victim's alert fatigue. Many victims, upon receiving a deluge of requests, assume IT is attempting to access the account or click "approve" simply to stop the flood of notifications. People are easily annoyed, and attackers are using this to their advantage.

In many ways, this makes BAC easier to accomplish than BEC. Adversaries engaging in BAC just need to pester their victims into making a bad decision. And by targeting identity and SSO providers, attackers can gain access to potentially dozens of different applications, including HR and payroll services. Commonly used applications like Workday are often accessed using SSO, allowing attackers to engage in activities such as direct deposit and payroll fraud that can funnel funds directly into their own accounts.

This kind of activity can easily go unnoticed — which is why it's important to have in-network detection tools in place that can identify suspicious behavior, even from an authorized user account. In addition, businesses should prioritize the use of phish-resistant Fast Identity Online (FIDO) security keys when using MFA. If FIDO-only factors for MFA are unrealistic, the next best thing is to disable email, SMS, voice, and time-based one-time passwords (TOTPs) in favor of push notifications, then configure MFA or identity provider policies to restrict access to managed devices as an added layer of security.

**Prioritizing BAC Prevention**

Recent research indicates that BEC or BAC tactics are used in 51% of all incidents. While lesser known than BEC, successful BAC grants attackers access to a wide range of business and personal applications associated with the account. Social engineering remains a high-return tool for today's attackers — one that's evolved alongside the security technologies designed to stop it.

Modern businesses must educate their employees, teaching them how to recognize the signs of a potential scam and where to report it. With businesses using more applications each year, employees must work hand-in-hand with their security teams to help systems remain protected against increasingly devious attackers.

Source

DARKReading