Security News

Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs
2022-07-12 17:02

Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations since September 2021, with the attackers using the access gained to victims' mailboxes in follow-on business email compromise attacks. In some of the observed attacks, potential victims were redirected to the landing pages from phishing emails using HTML attachments that acted as gatekeepers, ensuring the targets arrived via the HTML redirectors.

54% of SMBs do not implement MFA
2022-07-08 03:00

MFA has been in use for decades and is widely recommended by cybersecurity experts, yet 55% of SMBs surveyed are not "Very aware" of MFA and its security benefits, and 54% do not use it for their business. Of the businesses that have not implemented MFA, 47% noted they either didn't understand MFA or didn't see its value.

Clever phishing method bypasses MFA using Microsoft WebView2 apps
2022-06-26 14:12

A clever new phishing technique uses Microsoft Edge WebView2 applications to steal victims' authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. D0x has created a new phishing method that uses Microsoft Edge WebView2 applications to easily steal a user's authentication cookies and log into stolen accounts, even if they are secured with MFA.

MFA: A simple solution to protect your identity
2022-04-26 05:30

In this video for Help Net Security, Dan Lohrmann, Field CISO at Presidio, talks about multi-factor authentication and how everyone should consider it to protect their identity and accounts. Passwords have been used for years, and their problems have been well documented.

When MFA fails, defense in depth is key
2022-04-07 07:45

As in the Coinbase incident, many MFA bypass attacks begin with a phishing attack. Organizations use MFA to protect users against these attacks.

Hackers use modified MFA tool against Indian govt employees
2022-03-29 16:29

A new campaign from the hacking group tracked as APT36, aka 'Transparent Tribe' or 'Mythic Leopard,' has been discovered using new custom malware and entry vectors in attacks against the Indian government. The particular threat actor has been active since at least 2016, based in Pakistan, and its targets have historically been almost exclusively Indian defense and government entities.

Russia-linked attackers breach NGO by exploiting MFA, PrintNightmare vuln
2022-03-16 15:30

The US Cybersecurity and Infrastructure Security Agency and FBI issued a joint alert on March 15 warning organizations that state-backed criminals could use default MFA protocols and the PrintNightmare flaw to access networks. In this case, the unnamed cybercriminal gang took advantage of a misconfigured account set to default MFA protocols at the NGO. The bad actors enrolled a new device for MFA and accessed the NGO's network, then exploited the PrintNightmare flaw - tracked as CVE-2021-34527 - to run malicious code and gain system privileges, giving them access to email accounts and enabling them to move laterally to the organization's cloud environment and steal documents.

FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug
2022-03-16 06:29

"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default protocols at a non-governmental organization, allowing them to enroll a new device for MFA and access the victim network," the agencies said. The attack was pulled off by gaining initial access to the victim organization via compromised credentials - obtained by means of a brute-force password guessing attack - and enrolling a new device in the organization's Duo MFA. It's also noteworthy that the breached account was un-enrolled from Duo due to a long period of inactivity, but had not yet been disabled in the NGO's Active Directory, thereby allowing the attackers to escalate their privileges using the PrintNightmare flaw and disable the MFA service altogether.

FBI warns of MFA flaw used by state hackers for lateral movement
2022-03-15 21:20

The FBI says Russian state-backed hackers gained access to a non-governmental organization's cloud after enrolling their own device in the organization's Duo MFA following the exploitation of misconfigured default multifactor authentication protocols. To breach the network, they used credentials compromised in a brute-force password guessing attack to access an un-enrolled and inactive account that had not yet been disabled in the organization's Active Directory.

Android malware Escobar steals your Google Authenticator MFA codes
2022-03-12 15:12

The Aberebot Android banking trojan has returned under the name 'Escobar' with new features, including stealing Google Authenticator multi-factor authentication codes. The malware author is renting the beta version of the malware for $3,000 per month to a maximum of five customers, with threat actors having the ability to test the bot for free for three days.