Security News

Top 5 ways to protect MFA codes
2020-12-28 15:00

What if you lose your phone? Tom Merritt lists five additional ways to receive MFA codes, without SMS. Someone wrote in, after seeing my Top 5 about avoiding using SMS for multi-factor authentication, and asked, "Do you have any suggestions on how to protect myself from getting locked out of my accounts if my phone disappears or dies?" Great question. One advantage of SMS multi-factor authentication is that when you get your phone number on a new phone all the factors will get texted to you there.

Asigra announces Cloud Backup with Deep MFA integration with Microsoft Office 365
2020-12-17 01:45

Asigra software version 14.2 support for the Microsoft software suite empowers solution providers to significantly lower cybersecurity threats targeting backup repositories with MS Office 365 data. Asigra Cloud Backup with Deep MFA allows users to easily schedule the creation of point-in-time backup copies of mailboxes and corporate data residing in Microsoft Office 365 Exchange Online, Office 365 Groups, SharePoint Online, and OneDrive for Business - with no limitations on data volumes or number of mailboxes.

SolarWinds hackers’ capabilities include bypassing MFA
2020-12-16 13:20

As the list of known organizations compromised by way of the SolarWinds supply chain attack is slowly growing - according to Reuters, the attackers also breached the U.S. Department of Homeland Security's systems, the State Department, and the National Institutes of Health - Microsoft has decided that its Defender Antivirus will start blocking/quarantining the known malicious SolarWinds binaries today - even if the process is running. As security researcher Vinoth Kumar pointed out, the attackers might have easily compromised the company's update server by using a password that was published on their public GitHub repository for over a year or, as several Reuters sources noted, they might have bought access to SolarWinds' computers through underground forums.

Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank
2020-12-15 19:14

Using indicators of compromise made available by FireEye, threat intelligence and incident response firm Volexity determined that the threat group behind the SolarWinds hack targeted a U.S. think tank earlier this year, and it used a clever method to bypass multi-factor authentication and access emails. "At the time of the investigation, Volexity deduced that the likely infection was the result of the SolarWinds box on the target network; however, it was not fully understood exactly how the breach occurred, therefore Volexity was not in a position to report the circumstances surrounding the breach to SolarWinds," Volexity said.

Microsoft advises users to stop using SMS- and voice-based MFA
2020-11-12 13:23

Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it "significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population." The SMS and voice formats aren't adaptable to user experience expectations, technical advances, and attacker behavior in real time.

Majority of Microsoft 365 Admins Don’t Enable MFA
2020-10-27 14:49

Up to 78 percent of Microsoft 365 administrators do not have multi-factor authentication security measures enabled. A recent report by CoreView Research also found that 97 percent of all Microsoft 365 users do not use MFA, shedding a grim light on the security issues inherent with the implementation of Microsoft's subscription service.

78% of Microsoft 365 admins don’t activate MFA
2020-10-27 04:30

On average, 50% of users at enterprises running Microsoft 365 are not managed by default security policies within the platform, according to CoreView. Microsoft 365 administrators fail to implement basic security like MFA. The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication activated.

MFA Bypass Bugs Opened Microsoft 365 to Attack
2020-09-15 11:47

Bugs in the multi-factor authentication system used by Microsoft's cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications via a bypass of the security system, according to researchers at Proofpoint. The flaws exist in the implementation of what is called the WS-Trust specification in cloud environments where WS-Trust is enabled and used with Microsoft 365, formerly called Office 365.

ManageEngine ADSelfService Plus now supports MFA for VPNs to protect remote workforce
2020-09-03 00:30

ManageEngine announced that ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, now supports multi-factor authentication for VPNs to protect organizations' internal networks from unauthorized access. "VPN gateways are directly accessible through the internet and are prone to brute force and other types of attacks. Relying on credentials alone to protect VPN access to vital resources could result in immeasurable losses," said Parthiban Paramasivam, director of product management, ADSelfService Plus.

Attackers Horn in on MFA Bypass Options for Account Takeovers
2020-08-07 20:24

While brute-forcing and password spraying techniques are the most common ways to mount account takeovers, more methodical cybercriminals are able to gain access to accounts even with more secure MFA protocols in place. According to Abnormal Security, cybercriminals are zeroing in on email clients that don't support modern authentication, such as mobile email clients, and on legacy email protocols, including IMAP, SMTP, MAPI and POP. Thus, even if MFA is enabled on the corporate email account, an employee checking email via mobile won't be subject to that protection.