Security News

Microsoft 365 Defender researchers have disrupted the cloud-based infrastructure used by scammers behind a recent large-scale business email compromise campaign. "The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns," Microsoft 365 Defender Research Team's Stefan Sellmer and Microsoft Threat Intelligence Center security researcher Nick Carr explained.

Shay Nahari, Head of Red-Team services at CyberArk, says that they've been increasingly asked by customers to probe their multi-factor authentication defenses, which lead them to pinpoint four main attack vectors used by threat actors to circumvent MFA controls, by exploiting: architectural and design flaws, insecure channels, side channel attacks and insufficient attack surface coverage. The cybersecurity industry has been extolling the virtues of MFA use for years.

JumpCloud announced JumpCloud Protect, a one-touch multi-factor authentication solution that makes it easy for IT admins to deploy and enforce MFA without adversely impacting end users. JumpCloud Protect is a fully featured mobile MFA app, that allows employees authenticating into protected apps and resources to verify themselves directly from their corporate-issued or BYOD mobile device.

Physical security keys introduce a new twist to 2FA. Instead of using a code delivered to your phone, the hardware-based key is a dongle you insert into your company laptop or other registered access device. The private key remains on the device, while the public key is sent to the site with which it is registered.

Yubico announced its next-generation FIPS security keys: the YubiKey 5 FIPS Series. The addition of the YubiKey 5 NFC, YubiKey 5C NFC, and YubiKey 5Ci into the FIPS series lineup significantly expands coverage for mobile-first environments that many organizations have been waiting for.

While MFA adoption and spending is on the rise, organizations are still unclear on best practices and methodologies, Yubico and 451 Research reveal. The findings show that MFA adoption and spending has increased within the enterprise due to a confluence of several factors: the growing recognition that stolen credentials and phishing attacks are at the root of most security breaches; the rise of work-from-home policies due to the COVID-19 pandemic; and the adoption of modern authentication standards such as Fast Identity Online U2F, FIDO2 and WebAuthn that underpin new advances in two-factor and passwordless authentication.

Ecessa announced it has added several advanced security features to its latest firmware release, version 12.0.0. These advanced features enhance Ecessa's next generation firewall capabilities integrated with each of its products and further secure the company's position in the Secure Access Service Edge marketplace.

Akamai Technologies announced the launch of Akamai MFA, a phish-proof solution designed to enable enterprises to quickly deploy FIDO2 multi-factor authentication without the need to deploy and manage hardware security keys. Akamai MFA uses a smartphone application that transforms existing smartphones into a hardware security key to deliver a frictionless user experience.

The Feds are warning that cybercriminals are bypassing multi-factor authentication and successfully attacking cloud services at various U.S. organizations. "These types of attacks frequently occurred when victim organizations' employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services," the alert outlined.

The US Cybersecurity and Infrastructure Security Agency said today that threat actors bypassed multi-factor authentication authentication protocols to compromise cloud service accounts. While threat actors tried gaining access to some of their targets' cloud assets via brute force attacks, they failed due to their inability to guess the correct credentials or because the attacked organization had MFA authentication enabled.