Though government agencies have hundreds of devices exposed to the open Internet, experts wonder if CISA is moving at the right pace.

Researchers have discovered hundreds of devices running on government networks that expose remote management interfaces on the open Web. Thanks to the Cybersecurity and Infrastructure Security Agency (CISA), that will change quickly — possibly too quickly, according to some experts.

On June 13, CISA released Binding Operational Directive (BOD) 23-02, with the goal of eliminating Internet-exposed management interfaces running on edge devices in Federal Civilian Executive Branch (FCEB) agency networks. The announcement came soon after CISA's advisory about Volt Typhoon, the Chinese state-backed advanced persistent threat (APT) that leveraged Fortinet FortiGuard devices in espionage campaigns against US government entities.

To gauge how significant BOD 23-02 would be, researchers at Censys scanned the Internet for devices exposing management interfaces in federal civilian executive branch (FCEB) agencies. The scans revealed nearly 250 qualifying devices, as well as a number of other network vulnerabilities outside of the scope of BOD 23-02. 

"While this level of exposure probably doesn't warrant an immediate panic, it's still worrisome, because it could be just the tip of the iceberg," says Himaja Motheram, security researcher for Censys. "It suggests that there may be deeper and more critical security issues, if this kind of basic hygiene isn't being met."

**How Exposed FCEB Organizations Are**

Devices qualifying under BOD 23-02 include Internet-exposed routers, switches, firewalls, VPN concentrators, proxies, load balancers, out-of-band server management interfaces, and any others "for which the management interfaces are using network protocols for remote management over public Internet," CISA explained — protocols like HTTP, FTP SMB, and others.

Censys researchers discovered hundreds of such devices, including various Cisco devices exposing Adaptive Security Device Manager interfaces, Cradlepoint router interfaces, and popular firewall products from Fortinet and SonicWall. They also found more than 15 instances of exposed remote access protocols running on FCEB-related hosts.

The search was so bountiful that they even uncovered many federal network vulnerabilities beyond the scope of BOD 23-02, including exposed file transfer tools like GoAnywhere MFT and MoveIt, exposed Barracuda email security gateways, and various instances of defunct software.

Organizations often don't know their level of exposure or don't understand the implications of exposure. Motheram emphasizes that unprotected gear was all quite simple to find. "And what was trivial for us to find is, honestly, probably even more trivial for amateur threat actors out there."

**How Edge Devices Get Exposed**

How is it that so many devices are exposed on otherwise highly scrutinized government networks?

Joe Head, CTO of Intrusion, points to any number of reasons, including "convenience of the administrator, lack of operational security awareness, lack of respect for adversaries, use of default or known passwords, and lack of visibility."

James Cochran, director of endpoint security at Tanium, adds that "staffing shortages can cause overworked IT teams to take shortcuts so they can make the management of the network easier."

Consider, too, the traps unique to the government that can make the problem even worse. "With little oversight and concern about potential threats, devices can get added to the network under the guise of being 'mission critical,' which absolves them from all scrutiny," Cochran laments. Agencies can also merge or expand, with gaps in their network and security integration. “Over time, the overall networks begin to resemble something out of a Mad Max movie, where random things are bolted together and you are not sure why."

**Will BOD 23-02 Turn Things Around?**

In its directive, CISA indicated that it will begin scanning for qualifying devices and informing the culpable agencies. Upon notification, offending agencies will have just 14 days to either disconnect these devices from the Web, or "deploy capabilities, as part of a zero-trust architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself."

That two-week period will force relevant agencies to act fast to secure their systems. But that could be difficult, Motheram acknowledges. "In theory, removing devices that are exposed from the Internet should be simple, but that's not always the reality. There can be some bureaucracy to deal with when changing access policies that add friction," she explains.

Others believe the burden is undue. "This is not a responsible timeline," Cochran says. "Since the problem is so widespread, I would expect there to be significant impacts to the identified agencies. This is the same as trying to untangle a bunch of wires by sawing through them."

Others applaud CISA's no-nonsense approach. "It is hard to come up with a timeline to stop doing what should have never been done," Head says, arguing that 14 days may be too long to wait. "Five minutes would be more advisable as managers task the corrective network changes. It has been standard practice not to expose management interfaces to the public Internet for years, so making it mandatory is prudent and reasonable."

CISA Wants Exposed Government Devices Remediated in 14 Days

By Waqas
The research mainly aimed at examining VPNs, firewalls, access points, routers, and other remote server management appliances used by top government agencies in the United States.
This is a post from HackRead.com Read the original post: Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

**Cybersecurity researchers at Censys referred to publicly-accessible exposed interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets.**

Researchers at Censys, an attack surface management company, have discovered hundreds of devices linked to federal networks that have remotely accessible management interfaces. These interfaces can allow for the controlling and configuring of federal agency networks through the public internet.

**Shocking Details Emerge about Federal Network Devices**

According to a blog post from the Censys Research Team, published on June 26, an examination of the attack surfaces of approximately fifty sub-organizations within the federal civilian executive branch (FCEB) revealed 13,000 different hosts spread across 100 autonomous systems.

Further probing uncovered that services running on a subset of 1,300 FCEB hosts, accessible through IPv4 addresses, had hundreds of devices with publicly accessible management interfaces. This revelation falls within the scope of CISA’s BOD 23-02 (Binding Operational Directive).

**What is BOD 23-02?**

CISA’s BOD 23-02 helps federal agencies eliminate risks associated with remotely accessible management interfaces. It requires federal civilian agencies to remove certain networked management interfaces from the internet and mandates them to implement Zero Trust Architecture capabilities to enforce access control to internet-exposed interfaces within fourteen days of discovery.

**What are the Dangers of Internet-Exposed Interfaces?**

Researchers at Censys referred to publicly-accessible interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets. CISA notes that threat actors are taking a keen interest in targeting certain classes of devices, especially those supporting network infrastructures, as it helps them evade detection.

After compromising these devices, attackers can obtain full access to the network. Misconfigurations, insufficient or outdated security measures, and unpatched software make devices vulnerable to exploitation. If the device management interface is directly connected to or accessible from a public-facing internet, it will be far more damaging for the organization.

**Which Devices Are Impacted?**

Researchers mainly examined VPNs, firewalls, access points, routers, and other remote server management appliances. They found around 250 different web interfaces for hosts exposing network appliances, all using SSH and TELNET remote protocols.

Most of the impacted devices were Cisco network appliances with a publicly accessible Adaptive Security Device Manager interface, whereas they also discovered enterprise Cradlepoint router interfaces revealing wireless network details. Other impacted products include Fortinet FortiGuard, SonicWall, and other popular firewalls.

A screenshot shared by Censys shows a publicly accessible Cradlepoint router web interface belonging to a Federal Civilian Executive Branch (FCEB) organization.

In addition, researchers observed exposed remote access protocols, including NetBIOS, FTP, SNMP, and SMB, out-of-band remote server management devices like Lantronix SLC console server, physical Barracuda Email Security Gateway appliances, Nessus vulnerability scanning servers, HTTP services that exposed directory listings, managed file transfer protocols such as GoAnywhere, MOVEit, and SolarWinds Serv-U, and over 150 end-of-life software.

Fifteen of the remote access protocols, which already contain multiple known vulnerabilities exploitable by threat actors, were running on FCEB’s exposed hosts. The report highlights the need for federal agencies to be more proactive in safeguarding their digital assets and improving security mechanisms across all systems to make devices CISA’s BOD 23-02 compliant.

**RELATED ARTICLES**

1.  Avast found backdoor in US Federal Agency Network
2.  Fed Agency securing communication for Trump got hacked
3.  SolarWinds Hack – US Blames Russian Intel Agency Hackers
4.  Iranian Hackers Accessed Domain Controller of US Fed Network
5.  US and China Exposed Most Databases Among 308k Found in 2021

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

One ransomware attack can be devastating for a small or midsize business. Here are four solid survival tips to ensure it doesn't turn into a disaster.

If your organization is hit with a ransomware attack, it's going to cost you. According to Verizon's "2023 Data Breach Investigations Report"(DBIR), released earlier this month, the median loss to a ransomware attack has risen to $26,000 and can go as high as $2.25 million.

"\[T\]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down," the DBIR team wrote.

Much of the expense comes from the loss of business and recovery time. The average ransomware attack has a life cycle of more than 300 days. That's nearly a full year in which the organization is tied up with discovery and remediation — and almost two months longer than other types of cyber incidents. And then there are other costs to factor, such as long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.

The costs surrounding a ransomware attack could cripple small and midsize businesses (SMBs) and even cause one to shut down. But it doesn’t have to be that way. Even for SMBs with tight IT/security budgets and limited security expertise, ransomware protection and recovery boils down to planning ahead.

The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with hefty price tags. How much a company will need to pay depends on the number of employees and devices it needs to protect, but even a company with as few as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could add at least $1,500 per $1 million in coverage, depending on the deductible.

Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.

Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity teams approach ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out), to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).

Which approach an SMB decides to take determines the type of tools and protective actions it will need. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, requiring firewalls and other methods to keep attackers out of the network.

While an organization can adopt any number of security systems and tools, SMBs should consider the following actions, regardless of their overall security approach.

**1\. Decrease the Attack Surface**

Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the lower the chances for cybercriminals to also gain access and get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.

For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, yet they might have RDP enabled on their machines. Kirner advises revoking access if employees have no reason to have those accounts.

"Remove all that attack surface from your environment," Kirner says. "This is something you can do proactively and reduce the impact of ransomware."

Also worth disabling — especially in a Windows environment — is PowerShell. Attackers are increasingly using PowerShell in malware-less attacks. The average user is never going to use it, so it's better to disable it when setting up the user machine. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs it or has left the company, remove that account entirely. Cloud access security broker software can help manage and monitor employees’ cloud activity and enforce security policies.

**2\. Shift the Costs to the Attackers**

Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attacker. If the attacker can’t do much with the application despite having user credentials — maybe they can only view reports but can’t extract data — the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. Many types of MFA can fit an SMB's budget and security expertise, including biometrics, hardware tokens, and even the employee’s phone.

Attackers are economic actors, just like any other business, Kirner points out. "When they run out of time, they'll go to an environment with less security controls," he says.

**3\. Improve Your Security Hygiene**

Good security hygiene is important, regardless of company size.

The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it a day. Encourage open communications and give employees the confidence to report anything that seems suspicious.

Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process for getting access to tools so that they aren’t just going off and creating their own accounts.

Use modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.

Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top cause of cyberattacks. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.

**4\. Don't Fail to Plan**

Prevention is important, but every organization should have a plan in place to mitigate an attack when it happens. The company should know who will be involved in mitigation and recovery, as well as how to handle the negotiations.

For example, because of the possibility that a ransomware attack can lead to permanently shutting down an SMB, many plan to pay the ransom. That requires setting a budget on how much to pay. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make payment a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, who can spring into action when needed. The same goes for a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.

Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist at Delinea. A ransomware attack isn't a typical incident, he points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.

Protecting Small Businesses From Ransomware on a Budget

Categories: Business
Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again.



(Read more...)




The post Understanding ransomware reinfection: An MDR case study  appeared first on Malwarebytes Labs.

Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again. The question is what medicine is available to kick this nasty infection for good.

In this post, we'll break down the idea of ransomware reinfection and share a real-life episode where Malwarebytes Managed Detection and Response (MDR) mitigated a resilient ransomware reinfection from the Royal ransomware gang.

**What is ransomware reinfection?**

Imagine this scenario: You've recently battled a vicious ransomware attack, finally restoring your systems to their normal functionality. You breathe a sigh of relief, secure in the knowledge that your data is safe and operations are running smoothly.

Alas, it's not the end of the story.

The ransomware attack you just countered was actually just the final act of a long-drawn series of malicious activities. In other words, many ransomware attacks aren't the start of the problem; they're often the result of an unresolved network compromise.

The true culprit is how the threat actor is gaining access to begin with. Once inside, they steal login credentials, deploy malware, or establish a backdoor—a secret gateway into the network that can be exploited later. This is like them leaving a hidden door unlocked for future visits.

Even after successfully mitigating the immediate ransomware attack, these hidden doors may remain unnoticed, enabling the attackers to infiltrate your network stealthily once more. This is the essence of ransomware reinfection.

Having clarified the terminology, let's delve into a real-world instance of a ransomware reinfection in action.

**Initial Ransomware Attack – November 23, 2022**

Prior to their engagement with Malwarebytes, our customer experienced a ransomware attack on their AWS environment. They chose not to pay the ransom.

The subsequent countermeasure involved a complete system rebuild from backup to recover their operations.

**Onboarding with Malwarebytes MDR and Detection of Reinfection – December 9, 2022**

In response to the initial compromise, the customer onboarded with our Managed Detection and Response (MDR) service and Endpoint Detection and Response (EDR) product. Immediately after installing the EDR on the endpoint, detections for additional ransomware were identified.

Our MDR analyst spotted file detections linked to the previous ransomware attack, attempted outbound communications to a known malicious site (a Cobalt Strike C2 server), and remote inbound RDP connection attempts. The MDR analyst promptly contacted the customer, recommending to block the C2 server and the source of the RDP connections, which the customer promptly implemented.

**New Threat Emerges – December 11, 2022**

Only two days later, a new set of remote host RDP connection attempts were detected. Again, the MDR team advised the customer to block the connection source to prevent further infiltration.

**Critical Incident and Response – December 13, 2022**

A new wave of local host file detections indicated a return of the previously encountered ransomware. An unencountered persistent mechanism was also identified, suggesting that the threat was not completely eliminated. As part of our response, we raised a critical incident to the customer, carried out an extensive threat hunt, and identified two compromised domain admin accounts, a domain controller (DC), and an SQL server.

A Potentially Unwanted Modification (PUM) detection of a disabled Windows system restore setting.

The customers’ C:Program Files directory showed peculiar files like 'desktop.ici.royal.w', 'PackageManagement', 'README.TXT', and 'Uninstall Information'.

This new detection, "Ransomware.Royal", suggests that the attackers were either still present in the network or had gained access again.

Our MDR team promptly reached out to the customer's Security team and initiated a strategic consultation via a Zoom call. Detailed insights were shared on the Indicators of Compromise (IoCs) encountered, and we advised the customer to change the passwords of the affected domain admin accounts.

In response, the customer implemented an enterprise-wide password change and blocked the newly identified C2 server. Additionally, the decision was made to rebuild the compromised DC.

**Lessons from the Incident**

This episode underscores the relentless threat of ransomware reinfection in today's threat landscape, as well as the critical role that 24x7x365 diligence of trained cybersecurity experts, swift responses, and collaborative efforts play in cyber defense.

Without having a similar level of expertise in-house, the reality is that many organizations will see reinfections that could lead to catastrophic results.

In this case, our customer had assumed full recovery from the initial ransomware attack, and if not for the MDR service, they may never had realized that the attack was still ongoing. Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the threat and safeguarded the customer’s digital space.

For more information of our EDR and MDR products and services, please visit https://try.malwarebytes.com/mdr-consultation-new/

Read more:

*   ****How to choose an MDR vendor: 6 questions to ask****
*   **Is an outsourced SOC worth it? Looking at the ROI of MDR**
*   ****3 ways MDR can drive business growth for MSPs****
*   **Cyber threat hunting for SMBs: How MDR can help**

Understanding ransomware reinfection: An MDR case study 

Small and midsized companies work to jettison some security tools to simplify operations and reduce cost, even as any economic downturn continues to remain at bay.

Enterprises are not the only organizations looking to consolidate their security tools and vendors in the face of a potential economic slowdown — small and midsized businesses are looking to reduce their costs and simplify their security as well.

The vast majority (86%) of SMB customers using managed security service providers (MSSPs), for example, are aiming to reduce their current portfolio of security tools, according to a survey published this week by OpenText. The majority of those businesses are driven primarily by an effort to reduce costs (28%) or to simplify complex security environments (26%), the survey found.

Consolidation does not just benefit the company, but can help the provider of security services as well, says Geoff Bibby, senior vice president at OpenText Cybersecurity, a cybersecurity conglomerate.

"Consolidation is two-fold," he says. "Businesses are going to service providers because they don't have the staffing or financial resources to purchase and manage multiple tools, and from the service-provider perspective, fewer tools — and fewer vendors — means simplified billing and greater ease of doing business."

Consolidation of vendors has become a major trend following the rush to adapt to the pandemic-era business landscape by moving more services to the cloud. By mid-2022 — when 83% of companies predicted a downturn in the coming year — three-quarters of companies planned to reduce the number of security vendors they used, up from 29% in 2020. The top strategies explored by companies were reducing non-essential spending (43%), re-evaluating vendors (30%), and decommissioning infrastructure (29%), according to Spiceworks Ziff Davis's "2023 State of IT" report.

Efforts to cut costs remain strong, despite a reprieve in the dark economic forecast. A majority of economists (59%) polled in May still predict that the US would enter a recession in the next 12 months, but poor-performance predictions have remained unfulfilled as employment numbers and the stock market continue to resist a downturn.

"This is the most anticipated recession that won't ever seem to arrive, and all of the data indicates that it might never arrive because none of the factors for recession seem to be there," says Jeff Pollard, vice president and principal analyst at market intelligence firm Forrester Research.

**Optimizing Vendors and Security Services**

Yet while economic risks certainly spurred concerns over IT and IT-security budgets, initiatives to both simplify and reduce the cost of security operations inside companies has a life of its own, Pollard says.

"If you go back ... to the heady days of growth just nine months ago or so, what I was consistently hearing from security leaders was: too many tools, too many products," he says. "And it wasn't based on an economic argument. It was based on simplification of technology and portfolio rationalization — they felt like they had too many security controls and too many security products."

Business intelligence firm Gartner sees a similar picture. Most midsized enterprises (MSEs) — firms with $50 million to $1 billion in revenue and up to 2,500 employees — are looking to reduce the number of vendors, but rather than focus on consolidation, the companies are looking to optimize their security operations, says Patrick Long, an analyst with Gartner.

Such optimization generally focuses on two approaches. Outsourcing to service providers allows companies to overcome a shortage of security workers, because there are currently 21 IT employees for every security-focused employee, he says. Another form of consolidating is through the products, adopting all-in-one suites from a single vendor, which helps reduce licensing costs and can result in more holistic security capabilities, he says.

Currently, two-thirds of MSEs (68%) are pursuing security-vendor reduction strategies, while the remaining third have delayed consolidation but will likely simplify their security within the next three years, Long says.

"They are optimizing their architecture and integration strategies, vendor management, workforce management, and their costs," he says, adding that "current economic conditions influence security vendor consolidation but is not the primary driver for consolidation."

**Integration Still a High Hurdle**

Reducing the number of security products is not easy. Licensing can often become a blocker, especially if a company signed long contract periods, and products from the same vendors do not always have seamless integration, says Forrester's Pollard. In addition, any adoption of an integrated product will require a security team to learn the new system, so efficiency gains can take a while to materialize, he says.

"When you buy a bundle and consolidate, in theory, the product will integrate well, but what I really hear from a lot of security leaders is that the cost savings, frankly, doesn't often materialize," Pollard says. "Because what you wind up having to do is learn a new product, a new solution, and people have to get trained on it, so you have to modify your processes."

Yet companies are making headway. Overall, companies that pursue consolidation have seen IT security costs decrease by more than 2%, with data security costs reduced by a quarter and identity management shrink by more than a third, says Ben Pippenger, chief strategy officer at Zylo, a SaaS management platform.

"There tends to be some redundancy within security categories," he says, pointing out the cloud identity and access management are among the top-15 most redundant software functions, with nearly five applications handling that capability in the average company.

"While security is an important business function, it's one that could still likely benefit from consolidation," he says.

Even With No Recession, Smaller Firms Aim to Consolidate Security Tools

The "nOAuth" attack allows cross-platform spoofing and full account takeovers, and enterprises need to remediate the issue immediately, researchers warn.

Organizations that have implemented the "Log in with Microsoft" feature in their Microsoft Azure Active Directory environments could potentially be vulnerable to an authentication bypass that opens the door to online and cloud account takeovers.

According to researchers at Descope, who dubbed the attack "nOAuth," the issue is an authentication implementation flaw that affects multitenant OAuth applications in Azure AD, Microsoft's cloud-based identity and access management service. A successful attack gives a bad actor full run of a victim's accounts, with the ability to establish persistence, exfiltrate data, explore if lateral movement is possible, and so on.

"OAuth and OpenID Connect are open, popular standards which millions of Web properties already use," says Omer Cohen, CISO at Descope. "If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted."

**Inside the nOAuth Cyberattack Threat**

By way of background, OAuth is an open, token-based authorization framework that allows users to log into applications automatically, based on previous authentication to another trusted app. This is familiar to most people from the "Log in with Facebook" or "Log in with Google" options available on many e-commerce websites.

In the Azure AD environment, OAuth is used to help manage user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications using OAuth apps.

"Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols," according to the Descope analysis. In other words, it holds the keys to a lot of important corporate data.

The weakness allows bad actors to perform cross-platform spoofing simply by using an unwitting victim's email address to impersonate them, according to Descope's analysis on the issue, released this week.

"In usual OAuth and OpenID Connect implementations, the user’s email address is used as the unique identifier by applications," explained researchers at Descope. "However, in Microsoft Azure AD, the 'email' claim returned is mutable and unverified, so it cannot be trusted."

That means that anyone with malicious intent and a decent amount of platform knowledge can simply set up an Azure AD account, and arbitrarily change the email attribute under "Contact Information" in that account to control the email authentication claim.

"\[This\] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate," the researchers explained. "They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication."

The attack flow is unnervingly simple:

1.  The attackers accesses their Azure AD account as an administrator.
2.  The attackers change the "email" attribute of their account used for authentication to the victim’s email address.
3.  Since Microsoft does not require the email change to be validated on Azure AD, the system merges the two accounts and gives the attackers access to the victim's environment.

**A Far-Ranging Authentication Weakness**

To better understand the scope of the problem, the Descope researchers created a nOAuth proof-of-concept (PoC) exploit and tested it "with a white-hat attack on hundreds of websites and applications to check if any of them were vulnerable," they said. "We found that quite a few of them were."

Amid the sitting ducks were a design app with millions of monthly users, a publicly traded customer experience company, a leading multicloud consulting provider, as well as several SMBs and early-stage startups.

"We also informed two authentication platform providers that were merging user accounts when 'Log in with Microsoft' was used on an existing user account," according to the report. "In this instance, merging the attacker account with a legitimate user account would hand full control over the user account to the attacker. As a result, all of their customers using 'Log in with Microsoft' would have been vulnerable."

These findings, according to the researchers, "are a drop in the ocean of the Internet," and there are likely many, many thousands of other users that could be affected.

Microsoft has always issued general guidance to users to not to use an email address as a unique identifier for authentication, but after Descope informed Microsoft of the breadth of the issue, the computing giant has revamped its Azure AD OAuth implementation guidance to include two new claims to use, and dedicated sections on claim verification.

"If your app uses 'Log in with Microsoft' and you handle authentication in-house, it’s critical that you check if you use the email claim returned by Azure AD as the unique identifier," Cohen notes. "If so, remediation steps should be taken to ensure the claim used as the unique identifier for the user is the 'sub' (Subject) claim to avoid potential exploitation."

**Incorrect OAuth Implementations Plague Businesses**

Incorrect implementations of OAuth have been coming to light at big businesses lately, showcasing a need for organizations to lock down this potentially damaging attack vector.

In March, for instance, flaws in the authorization system of the Booking.com website came to light that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

And in May, a bug tracked as CVE-2023-28131 was found in the OAuth implementation of Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase. The flaw threatened the accounts of any users that used various and social media accounts to log in to an online service that uses the framework.

Cohen underscores that the OAuth standard and others like it are trustworthy and strong authentication approaches but that businesses need to make sure to work with cybersecurity and authentication experts when building them in.

"These standards are extremely complicated to work with," he says. "Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application."

He adds, "If businesses chose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts."

He stresses that the importance of this can't be understated, given that cybercriminals are actively looking for these types of weaknesses.

"These are very typical attack vectors exploited," Cohen notes. "Attackers use these to cause widespread harm."

He adds, "With the increase of organizations adopting cloud technologies and SaaS applications, identity is the new firewall. If user authentication is not well-designed, it doesn’t matter how secure the application is itself as you will leave the front door open to cyberattacks."

Azure AD 'Log in With Microsoft' Authentication Bypass Affects Thousands

By Deeba Ahmed
The vCISO Directory comes to answer the increasing need of SMBs to manage their cybersecurity and helps them…
This is a post from HackRead.com Read the original post: First Directory of Virtual CISO Providers Launched by Cynomi

The vCISO Directory comes to answer the increasing need of SMBs to manage their cybersecurity and helps them find and engage with the right vendor.

TEL AVIV, ISRAEL, JUNE 22, 2023  – The industry’s first-ever directory of virtual Chief Information Security Officer service providers has gone live today at www.thevcisodirectory.com.

This extensive list of virtual CISO (vCISO) providers, collated by Cynomi, means that small- and medium-sized businesses (SMBs) can easily tap the expertise of qualified cybersecurity professionals to protect their digital assets and ensure compliance.

Cyberattacks are on the rise, with Check Point Software’s Mid-Year Security Report revealing a 42% global increase in malicious incidents during the first half of 2022. In this climate, strong cybersecurity measures are crucial. However, most small and medium size companies do not have a CISO of their own, usually because they lack the budget to fill such a position.

This problem is compounded by the talent gap that makes it difficult to find individuals with the necessary skill and specialized experience. According to research by Datto, only 50% of SMBs have a dedicated, internal IT person who manages their cybersecurity needs.

To address this gap and help organizations shore up their cyberdefenses, managed service providers (MSPs,) managed security service providers (MSSPs) and consultancies have developed vCISO services.

They enable businesses to avail themselves of the expertise and skills of a professional CISO to improve their cybersecurity posture, while only paying for an agreed scope of work, usually a fraction of the cost of an in-house security expert. Cynomi, by publishing the industry’s first vCISO directory, is making it simple for businesses to access this expanding pool of resources.

At launch, the vCISO directory contains more than 200 listings of U.S.-based providers, together with details on the specific services they offer and the technology platforms they use to guide and implement their security strategies. The directory will be continually updated and expanded globally to incorporate international providers. 

“Thousands of small and mid-sized businesses globally could benefit from the expertise and support of a traditional CISO, but on a more consultative or part-time basis”, said David Primor, co-founder and CEO of Cynomi. “This is where the vCISO services come in. Our new directory enables businesses to find all vCISO service providers in one place and make an informed choice between the different benefits of the many providers available.”

“Couple of years back we weren’t prioritizing our cybersecurity services, but then we started getting consistent security-as-a-service requests,” said Chris Bevil, CISO of InfoSystems, an MSP located in Tennessee, U.S.A. “We realized that setting up a robust vCISO offering was in our best business interest. In the present climate, this has been a significant boost to our business and positioned us as a leading MSP in our region.”

MSPs and MSSPs offering vCISO services that are not yet included in the directory can submit their details for consideration here. 

**About Cynomi**

Cynomi’s AI-driven platform empowers MSSPs, MSPs and consultancies to offer vCISO services to SMEs at scale and provide them with proactive cyber resilience. Combining proprietary AI algorithms with CISO-level knowledge and knowhow, Cynomi’s platform streamlines the vCISO’s work while automating manual time-consuming tasks including risk assessment, compliance readiness, cyber posture reporting, creation of tailored security policies and remediation plans, as well as task management optimization. 

Cynomi helps partners overcome the cybersecurity skill gap and scale their business, allowing them to offer new services, upsell and increase revenues while reducing operational costs. 

Established in 2020 with the vision that every company deserves a CISO, and with a channel-only approach, Cynomi now serves more than 50 partners worldwide. 

To learn more about Cynomi’s solution for MSPs, MSSPs, and cyber consultancies visit www.cynomi.com.

*   Rotem Shemesh, VP of Marketing, Cynomi
*   rotem@cynomi.com

First Directory of Virtual CISO Providers Launched by Cynomi

Why Data Exfiltration Detection is Paramount?
The world is witnessing an exponential rise in ransomware and data theft employed to extort companies. At the same time, the industry faces numerous critical vulnerabilities in database software and company websites. This evolution paints a dire picture of data exposure and exfiltration that every security leader and team is grappling with. This

Network Security / Machine Learning

****Why Data Exfiltration Detection is Paramount?****

The world is witnessing an exponential rise in ransomware and data theft employed to extort companies. At the same time, the industry faces numerous critical vulnerabilities in database software and company websites. This evolution paints a dire picture of data exposure and exfiltration that every security leader and team is grappling with. This article highlights this challenge and expounds on the benefits that Machine Learning algorithms and Network Detection & Response (NDR) approaches bring to the table.

Data exfiltration often serves as the final act of a cyberattack, making it the last window of opportunity to detect the breach before the data is made public or is used for other sinister activities, such as espionage. However, data leakage isn't only an aftermath of cyberattacks, it can also be a consequence of human error. While prevention of data exfiltration through security controls is ideal, the escalating complexity and dispersion of infrastructures, accompanied by the integration of legacy devices, makes prevention a strenuous task. In such scenarios, detection serves as our ultimate safety net – indeed, better late than never.

****Addressing the Challenge of Detecting Data Exfiltration****

Attackers can exploit numerous security gaps to harvest and exfiltrate data, employing protocols like DNS, HTTP(S), FTP and SMB. The MITRE ATT&CK framework describes many such exfiltration attack patterns. However, keeping pace with every protocol and infrastructure modification is a daunting task, complicating the integration towards holistic security monitoring. What's needed is device- or network-specific volume-based analysis of relevant thresholds.

This is where Network Detection & Response (NDR) technology steps in. ML-driven NDR allows for essential network monitoring by providing two significant properties:

1.  They enable feasible monitoring of all related network communications – the bedrock of comprehensive data exfiltration monitoring. This covers not only internal-external system interactions but also internal communications. While some attack groups exfiltrate data directly to the outside, others employ dedicated internal exfiltration hosts.
2.  Machine learning algorithms aid in context-specific learning of diverse thresholds for varying devices and networks, crucial in the current diverse infrastructure landscape.

****Decoding Machine Learning for Data Exfiltration Detection****

Before Machine Learning, thresholds for specific networks or clients were manually set. Consequently, an alert was triggered when a device sent more than the specific threshold of data outside the network. However, Machine Learning algorithms brought several advantages for data exfiltration detection:

1.  Learning the network traffic communications and the upload/download behavior of clients and servers, providing the essential baseline for anomaly detection.
2.  Establishing suitable thresholds for different clients, servers, and networks. Defining and maintaining these thresholds for each network or client group would otherwise be a tedious task.
3.  Recognizing changes in learned volume profiles, and detecting outliers and suspicious data exchanges, either internally or between internal and external systems.
4.  Employing scoring mechanisms to quantify outliers, correlating the data with other systems, and generating alerts for identified anomalies.

Visualization: When the traffic volume surpasses a certain threshold, as determined by the learned profile, an alert will be triggered.

****ML-driven Network Detection & Response to the Rescue****

**Network Detection & Response (NDR)** solutions provide a comprehensive and insightful method to detect abnormal network activities and unexpected surges in data transmission. Leveraging Machine Learning (ML), these solutions establish a network communication baseline, facilitating the swift identification of outliers. This applies to volume analysis and covert channels alike. Through this advanced, proactive stance, NDRs can detect the initial signs of intrusion, often well before data exfiltration transpires.

One NDR solution, distinguished by its precise data volume monitoring, is **ExeonTrace**. This Swiss NDR system, driven by award-winning ML algorithms, passively inspects and analyzes network traffic in real time, identifying potentially risky or unauthorized data movement. Moreover, ExeonTrace integrates seamlessly with existing infrastructure, thereby eliminating the necessity for additional hardware agents. The advantages of ExeonTrace extend beyond mere security, aiding in the comprehension of regular and anomalous network behavior – a critical factor in establishing a robust and efficient security posture.

ExeonTrace Platform: Data Volume Outlier Detection

****Key Takeaways****

In today's digital landscape, networks are continually expanding, and vulnerabilities are escalating. As a result, effective data exfiltration detection becomes indispensable. However, with the complexity of modern networks, setting manual thresholds for outlier detection can not only be cumbersome but also virtually impossible. Through volume-based detections and traffic behaviour monitoring, one can identify data exfiltration, pinpointing abnormal alterations in data volume and upload/download traffic patterns. Herein lies the power of Machine Learning (ML) in Network Detection & Response (NDR) systems: it automatically identifies infrastructure-specific thresholds and outliers.

Among these NDR solutions, ExeonTrace stands out, offering comprehensive network visibility, effective anomaly detection, and a fortified security stance. These features ensure that business operations proceed with security and efficiency. **Request a demo** to find out how to leverage ML-driven NDR to detect data exfiltration and anomalous network behaviours for your organisation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Unveiling the Unseen: Identifying Data Exfiltration with Machine Learning

A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.

Small and midsized businesses (SMBs) have some security work ahead as two major edge device vendors (Asus and Zyxel) announce critical security vulnerabilities to patch — and another (Western Digital) cuts off unpatched devices from the cloud.

Asus released new firmware on June 19 to fix nine separate vulnerabilities in several of the company's router models, one of which could let a cyberattacker gain code execution ability. Two of the most serious flaws are a critical memory corruption weakness in the Asus router firmware, tracked under CVE-2022-26376, and the second could allow a threat actor to "achieve arbitrary code execution," according to NIST, and dates back to 2018, tracked under CVE-2018-1160.

The same day, Western Digital announced it has blocked devices running unpatched firmware from its cloud as of June 15.

A severe vulnerability impacting Western Digital's MyCloud Home and other cloud storage devices could lead to remote code execution, according to NIST. Despite the fact that the bug, tracked under CVE-2022-36327, received a CVSS vulnerability-severity score of 9.8 out of 10, the flaw was known to the public for a full month before affected devices were blocked from accessing the Western Digital cloud.

Also this week, Zyxel released patches against code-injection vulnerabilities in three versions of its network-attached storage devices. The firmware command injection vulnerability is tracked under CVE-2023-27992 and could let an unauthenticated user execute operating system commands.

**SMB Edge Cyberattack Surface Explodes **

This glut of edge-device patch warnings this week showcases the fact that SMBs are increasingly at risk thanks to the exploding number of edge devices being connected to their networks. For an idea of the scale of the endpoint attack surface, experts put the number of active Internet of things (IoT) and edge devices around the world at more than 12 billion. That number is expected to hit 27 billion by 2025.

At the same time, many of these organizations are largely woefully lacking in basic cybersecurity hygiene and monitoring. At first, edge devices can seem like an economic choice for building out an SMB infrastructure, but they are much tougher to secure, explains Melissa Bischoping, director, endpoint security research at Tanium.

"For small businesses, using small-office-home-office (SOHO) routers and devices is often a cost-effective solution," she says, "but the lack of monitoring and centralized management in many of these devices can result in vulnerabilities and insecure configurations that provide easy access to an adversary."

Meanwhile, never ones to miss an opportunity, threat actors are making the most of this sweet spot.

“Edge infrastructure is an incredibly attractive target for attackers because it generally lacks the depth of monitoring and visibility that endpoints have, and is always public facing by design, removing an initial hurdle for access,” Bischoping explains.

Making these devices an even softer mark, many are built with open source components, says John Gallagher, vice president of Viakoo Labs.

"Edge devices like routers, NAS drives, IP cameras, and other IoT/OT systems are the fastest growing part of an organization’s attack surface due to their use of open source software components and often being unmanaged and unmonitored," Gallagher explains. “Traditional IT security solutions that are agent-based don't work for IoT/OT devices which require agentless solutions."

**How SMBs Can Secure the Edge**

Securing the SMB edge starts with knowing what there is to protect, according to Gallagher.

"First, make sure you have a complete inventory of devices by using an agentless asset discovery solution," Gallagher says.

Once cybersecurity teams have visibility into what there is to defend, that information can be used to direct resources effectively, Bischoping adds.

"Prioritize visibility of the edge assets and leverage that information to address patching, credential management, and configuration hardening as part of your ongoing security hygiene and controls," she says. "Other quick wins include ensuring you’ve rotated default login credentials on these devices, employed secure authentication mechanisms, and enforced least-privilege access for any accounts that may log in to those devices."

And, to handle with firmware and password updates at the scale required for IoT and edge devices, Gallagher recommends an automated approach.

Commenting on how SMBs can manage the edge more effectively, organizations should also consider whether devices need to be connected to the Internet, or would be better suited for a more secure internal network connection, advises Matthew Morin, senior director of product management with NetRise.

"In the case of many vulnerabilities announced by Asus, Zyxel, and Western Digital, ensuring the affected devices were only accessible via internal networks would have dramatically reduced the impact of the vulnerabilities," Morin recommends. "SMBs must understand what is publicly disclosed from their networks and regularly review if what is exposed needs to be there."

Teams should also look for devices with no particular owner or purpose and pull the plug. "Lastly, ensure that devices have clear ownership and tracking of their lifecycle management, so that devices that go end of life or end of support can be replaced before they get exploited." Gallagher adds.

Once those processes are in place, Morin says the next step for more mature organizations is incorporating software bills of materials (SBOMs) for added visibility.

"For more mature organizations, a good next step is ensuring that they have component-level visibility, such as an SBOM for network-connected devices," Morin adds. "In this case, with an SBOM, an organization could have been aware of this risk well before the vendor decided to patch the issue."

SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings

A threat you've never heard of is using double extortion attacks on mom-and-pop shops around the globe.

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web.

Since at least April 2022, 8base — not to be confused with the Florida-based software company of the same name — has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organizations on the cyber underground.

It didn't end there. "We've been keeping an eye on what they're doing, and this month they're busy again," says Matt Hull, global head of threat intelligence at NCC Group. 8base has already doxxed 29 new businesses this month.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. According to data scraped from their leak site, those victims include a British cleaning company, a sanitation company in Egypt, a private school in a Boston suburb, and a CPA in New York, among others of a similar profile.

The victims span science and technology, manufacturing, retail, construction, healthcare, and more. They're wisely distributed geographically as well: a shipping company in India, a Peruvian gift basket company, and a corrugated cardboard manufacturer in Madagascar. The majority, however, are focused in North America — around a third of the total — and South America. A dozen victims in both May and June were based in Brazil, in line with a recent wave of Brazilian cyberattacks more generally.

**How 8base Conducts Its Business**

With little yet known about 8base (it's part of a wave of ransomware newbies entering the market), one aspect of the group that is very clear is their preferred mode of operation. In a terms-of-service section of their leak site (see graphic), the group laid out 13 rules for their victims and themselves, written in ersatz legalese: "Participation of police departments is prohibited," and "Personal data will not be shared with third parties by the team."

    

Source: Hackmanac

Whether the gang is as honest as it would like you to think is another matter. On the About Us page, the hackers perfidiously claim, "We are honest and simple pentesters," adding that "this list contains only those companies that have neglected the privacy and importance of the data of their employees and customers."

NCC's Hull says 8base is not the first group to operate like this. "I think it's a result of the successes that other groups are having with these types of tactics," he notes.

Though 8base isn't breaking any new ground, actually defending against their tried-and-true methods is another matter.

"Budgets are tight, particularly for the smaller organizations. These organizations aren't going to be able to pay for a SOC or other advanced detection capabilities," Hull notes. "The main thing that anyone can do, whether it's an individual or small business, is get the fundamentals right." He points to password hygiene, multifactor authentication, and social engineering awareness as three simple changes small businesses can make to better their security without breaking the bank.

"Getting a hold of the basics goes a long way," he adds.

Tag

#samba