New Survey from Abnormal Security Highlights Account Takeover Attacks as the Leading Threat for Today’s Organizations

Posted in Commentary with tags on June 4, 2024 by itnerd

Abnormal Security, the leader in AI-native human behavior security, today announced the launch of a new research report—the 2024 State of Cloud Account Takeover Attacks. The report reveals how security stakeholders view the growing threat of account takeovers, how they are currently approaching prevention, and what they are looking for in next-generation defenses against these attacks. 

Based on a survey of over 300 security professionals across a variety of global industries and organization sizes, Abnormal’s research found that 77% of security leaders cited account takeover attacks as one of their top four most concerning cyber threats. Combined, this makes account takeovers the leading worry for security leaders—even ahead of news-headlining attacks like ransomware and spear phishing. 

These worries are justified, given that 83% of survey participants reported that their organization had been impacted by an account takeover attack at least once over the past year. Worse still, nearly half of organizations (45.5%) were impacted by account takeover attacks more than five times over the past year, while nearly one in five had experienced more than 10 significant account takeover attacks.

The cloud applications that security stakeholders are most concerned about being compromised include file storage and sharing services, such as Dropbox and Box, and cloud infrastructure services, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Also near the top of the list are business email accounts, such as Microsoft Outlook and Gmail, and document and contract management software like Docusign. Each of these applications have the potential to expose troves of sensitive company data, while a compromised cloud infrastructure application can also enable lateral movement across the corporate network. 

Despite their concerns, the majority of security stakeholders appear unprepared to protect against account takeovers. Commonly used strategies to protect against this threat include implementing fraud detection mechanisms such as multi-factor authentication (MFA) and strong password use. Yet, the majority of survey participants are skeptical of both MFA (63%) and single sign on (65%) as effective tools to prevent account takeover attacks. 

Other frequently mentioned solutions included identity and access management (IAM), cloud access security brokers (CASB), and web application firewalls (WAF), which were all cited by more than 50% of respondents, but none of which are explicitly designed to counter the account takeover threat. Similarly, many survey participants (87%) expect their individual cloud services to supply native protections against account takeovers. But most application providers aren’t security companies, and while they may offer some security features, these tend to be safeguards against misconfiguration or elevated privileges rather than real-time protection against account takeover.   

Security stakeholders are eager for alternative solutions, and 99% believe implementing a solution for detecting and automatically remediating compromised accounts in cloud services would greatly improve their defenses. Reiser continued, “It’s clear that there is a need for a new approach to not only detect account takeovers but also remediate them automatically before attackers have a chance to exfiltrate sensitive data or infiltrate connected applications. Cross-platform visibility and automated remediation capabilities, with uniform coverage for all the applications that enterprises use, will be critical as organizations seek to protect their entire attack surface.”

Leave a comment »

Security Researcher Finds That Microsoft Recall Is A Bigger Disaster Than We All Thought

Posted in Commentary with tags , on June 3, 2024 by itnerd

Along with the release of Windows laptops using the Snapdragon X Elite processor, Microsoft released a bunch of new AI features for Windows 11. Including something called Microsoft Recall which literally takes snapshots of everything that you do on the PC. At the time, I said this:

Here’s where things get sketchy. While Recall apparently encrypts everything that it is taking a picture of, Recall with the default settings is taking pictures of everything. So if you do online banking, enter your SIN number online, or do anything else that is sensitive, Recall will likely know about it. Think of the fun a threat actor could have if they somehow managed to pwn the PC and got access to that data. And don’t think that threat actors aren’t thinking about giving that a shot as they know that it’s a potential gold mine of information that they can sell on the dark web. Never mind use against you. Now at this point a threat actor would likely have to have physical access to the device as this info is stored locally. But the one thing that I have learned over the years is that threat actors are creative and crafty individuals. So if there’s another attack vector out there that will allow them to grab this data, they will find it. And exploit it. 

Well, it now seems that this might be worse than previously thought. The Verge has surfaced just how vulnerable Recall actually is:

Despite Microsoft’s promises of a secure and encrypted Recall experience, cybersecurity expert Kevin Beaumont has found that the AI-powered feature has some potential security flaws. Beaumont, who briefly worked at Microsoft in 2020, has been testing out Recall over the past week and discovered that the feature stores data in a database in plain text. That could make it trivial for an attacker to use malware to extract the database and its contents.

“Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder,” explains Beaumont in a detailed blog post. “This database file has a record of everything you’ve ever viewed on your PC in plain text.”

Beaumont shared an example of the plain text database on X, scolding Microsoft for telling media outlets that a hacker cannot exfiltrate Recall activity remotely. The database is stored locally on a PC, but it’s accessible from the AppData folder if you’re an admin on a PC. Two Microsoft engineers demonstrated this at Build recently, and Beaumont claims the database is accessible even if you’re not an admin.

Well that’s just incredibly horrible. Because now that we know that pwnage is possible, threat actors around the globe will be figuring out how to pwn anyone who is running this feature. Even if technical details are being withheld.

But I am not done yet. It actually gets worse:

Beaumont has exfiltrated his own Recall database and created a website where you can upload a database and instantly search it. “I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something,” he says.

You would think a company the size of Microsoft would have had a few security researchers try to find vulnerabilities in this feature before even announcing it? But I guess not. It truly sounds like to me that Microsoft needs to do a recall of Recall, because it’s simply not something that users can trust to be secure. Thus it’s not ready for primetime.

1 Comment »

HYAS Experts Warn Of Active Remcos RAT Campaign

Posted in Commentary with tags on June 3, 2024 by itnerd

Examining the trove of data exposed in Autonomous System Numbers (ASNs) can identify and mitigate complex malware campaigns in novel ways. Using these technique, HYAS has just published Tracking An Active Remcos Malware Campaign.

Remcos is a commercially available application used for remotely controlling Windows computers. When used covertly, it operates as a fully functional remote access trojan, able to monitor keystrokes, exfiltrate data, passwords, or screenshots, and monitor cameras.

The campaign HYAS is tracking began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have indicated Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to Lithuania, and are hosted on the ISP “Silent Connection Ltd”.

The report details the threat actor’s use of dynamic DNS services (DDNS and DuckDNS) for Command and Control (C2) communications which — combined with hosting on a Lithuanian ISP — obfuscates the true origin of the attack and also leverages international resources to evade localized law enforcement. The use of DDNS allows for rapid changes in IP addresses, complicating traditional IP-based blocking and tracking methods.

HYAS’ report provides real-time tracking and attribution, the impacts and risks of Remcos, and detection and removal recommendations.

About HYAS’ Novel Research Process: ASNs are unique identifiers of networks participating in the global routing system, and can offer insight into the infrastructure threat actors are using. HYAS collects IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign and uses specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This enumeration helps ID the ownership and affiliations of networks involved in the campaign. HYAS then:

  • identifies the origins of malicious traffic, 
  • pinpoints hosting providers associated with malware distribution, 
  • surfaces and traces connections between threats and entities that otherwise seem unaffiliated, and 
  • attributes malware campaigns to specific threat actors or groups, defend against active campaigns and thwart future ones.

Leave a comment »

Is TikTok Preparing Itself For Sale? Reuters Thinks So

Posted in Commentary with tags on June 2, 2024 by itnerd

In one of the last times that I talked about TikTok, I mentioned this:

A Reuters report that was posted late yesterday has blown my mind. In short, ByteDance who’s back is against the way because of Congress all but banning TikTok if ByteDance doesn’t sell it, actually prefers that that the app be banned in the US if legal options fail 

The reason being is that TikTok’s Chinese corporate masters ByteDance doesn’t want anyone to get the algorithm that runs TikTok. Here’s my thoughts on that:

Assuming that this is true, I have to wonder what do those algorithms do? Every social network except Mastodon has them. But they’re usually to present you with stuff that you’re interested in. Or try to target advertising towards you. The cynic in me says that they do a lot more than that, and ByteDance doesn’t want anyone to find those details out. That also suggests to me that TikTok and ByteDance fighting to keep the app alive in the USA is not about users or free speech or anything like that. Which makes this ban the right decision as clearly ByteDance has something to hide that likely is counter to their core agreements.

Fast forward to today and according to Reuters, that might be changing:

TikTok is working on a clone of its recommendation algorithm for its 170 million U.S. users that may result in a version that operates independently of its Chinese parent and be more palatable to American lawmakers who want to ban it, according to sources with direct knowledge of the efforts.

The work on splitting the source code ordered by TikTok’s Chinese parent ByteDance late last year predated a bill to force a sale of TikTok’s U.S. operations that began gaining steam in Congress this year. The bill was signed into law in April.

The sources, who were granted anonymity because they are not authorized to speak publicly about the short-form video sharing app, said that once the code is split, it could lay the groundwork for a divestiture of the U.S. assets, although there are no current plans to do so.

The company has previously said it had no plans to sell the U.S. assets and such a move would be impossible.

TikTok initially declined to comment. After publication of this story, TikTok in a posting on X said “The Reuters story published today is misleading and factually inaccurate,” without specifying what was inaccurate.

That’s interesting. TikTok and ByteDance wouldn’t be doing this for giggles. And I can see them wanting to keep this on the down low as it undercuts one of their main arguments about the algorithm. All of this assumes that this is true. Which you have to at least consider that this story is at least plausible as I really cannot see any scenario where ByteDance simply allows TikTok to be banned in the US. Which in turn would likely lead to bans in other countries.Thus they have to have a plan B of some sort. Regardless, it’s not going to take long to find out if this is true or not.

Leave a comment »

Spotify Appears To Be Quietly Walking Back How It Is Handling The Car Thing Fiasco

Posted in Commentary with tags on June 2, 2024 by itnerd

You might recall that I along with Spotify users of their Car Thing product called them out for deciding to brick perfectly good devices because they didn’t want to support it anymore. I am guessing that some PR expert at Spotify told management that this wasn’t a good look because Engadget is now saying that Spotify will offer refunds if you have a valid receipt:

The company told Engadget on Thursday that, as of last Friday, customers with proof of purchase (like an emailed invoice) can contact customer service and get their money back for the vehicle streaming device.

If that’s you, then you need to find that receipt and contact Spotify. While this about face is a good thing for users of Car Thing, it honestly shouldn’t have taken this backlash for Spotify to do the right thing. On top of that, I tripped over this by accident. Thus I have to assume that Spotify isn’t wanting this to be widely known. But that’s the cynic in me talking becauseI’m sure that Spotify is a company that always wants to do the right thing.

Leave a comment »

Snowflake Data Breaches Makes The News This Week

Posted in Commentary with tags on June 1, 2024 by itnerd

Threat group ShinyHunters, who recently claimed responsibility for Santander and Ticketmaster breaches, claimed they stole data from cloud storage company Snowflake after hacking into an employee’s account. They have also claimed to gain access to data from other high-profile Snowflake customers. I wrote about Ticketmaster here, and Santander here if you want to get up to speed on those.

I gathered up some commentary from industry leaders on this week’s events:

Glenn Chisholm, Co-founder and Chief Product Officer, Obsidian Security

“This year, we have seen a sequence of breaches that have affected major SaaS vendors, such as Microsoft, Okta, and now Snowflake. The commonality across these breaches is identity; the attackers are not breaking in, they are logging in. In IR engagements we have seen through partners like CrowdStrike, we see SaaS breaches often starting with identity compromises–in fact 82% of SaaS breaches stem from identity compromises such as spear phishing, token theft and reuse, helpdesk social engineering, etc. This includes user identities as well as non-human (application) identities.

SaaS is now a very active space where attacks are occurring across the spectrum, from targeted APTs to financially motivated attackers, and every company needs to carefully review its SaaS security program. Ensure the correct application posture to minimize risk, protect their identities which form the perimeter of your SaaS applications, and secure their data movement. These must be a continuous program since your applications evolve, configurations change, identities get introduced, and attackers change their patterns. In other words, you need automation to scale this across all your SaaS applications.”

Will Lin, co-Founder and CEO, AKA Identity and Author, The VC Field Guide and former Venture Partner, ForgePoint Capital

“This breach is so complicated and simple at the same time. Simple that the attack vector was stolen privileged credentials. ‘Bad actors don’t hack in, they log in.’ Complicated because it involves multiple parties who can only do so much to prevent this from happening. The predicament that the world has today is that credentials have been the number one cause of data breaches since the DBIR started tracking them. The modern world has been set up to fail without good data and visibility into their most important trust boundary: identities and access management.”

Avishai Avivi, CISO, SafeBreach

“The latest Snowflake breach surfaces multiple troubling aspects about the potential impact of shifting to massive data lakes hosted on a cloud provider. Combine this with compromised credentials and a session cookie hijack, and you have the perfect storm. It’s important to understand that we are still in the early stages of identifying the specifics of this incident. Hudson Rock’s insightful blog post provides some understanding. The attacker seems to have gained initial access through a combination of stolen credentials from a sales engineer and session hijacking.

At this point, we have to shift to some educated hypothesis and conjecture. The malicious actor then used a single set of credentials with access to a single backend cloud-based platform, ServiceNow, that Snowflake uses to effect a breach on dozens, potentially hundreds, of Snowflake’s customers.

The ability to leverage this single entry vector to access the data of multiple customers indicated:

  • Initial infection by a known malware – It appears that credentials were compromised by the Lumma malware back in October 2023. Indicating the EDR control failed to detect it.
  • Multifactor Authentication (MFA) was not deployed uniformly – MFA makes the ability to use stolen credentials in this way very difficult.
  • Continuous vs. Just-In-Time (JIT) privileged access – It seems like, at best, the authorized session the malicious actor was able to take advantage of was not following best practices and did not force refreshed authentication.
  • A deficient segregation of duties – a single sales engineer should not be able to access dozens of customers’ data.
  • The malicious actor was able to exfiltrate customer data – The fact that massive amounts of customer data were exfiltrated indicates lax egress traffic monitoring and control.

Aside from the actual breach, the alarming aspect is that Snowflake appears to have a very robust security program. They claim to have all the proper security certifications their customers may require. This breach reinforces the point that implementing the right technology controls is just the first step; the only way to know the efficacy of those technologies is to continuously test them using a comprehensive security control validation program. Traditional penetration testing programs are not sufficient either. Organizations must test the ability of a malicious actor to move laterally throughout its environment and then leave with the data they were able to access.”

Leave a comment »

Rogers Starts Expanding 5G Network To The Rest Of Toronto’s Subway System

Posted in Commentary with tags on May 31, 2024 by itnerd

You might recall that Canadian telco Rogers bought the company that put cellular infrastructure in Toronto’s subway system. But at the same time, they all but shut out competitors like TELUS and Bell. That is until the federal government forced Rogers to open things up after a significant uptick in violence on the subway system. As part of that, Rogers had to agree to expand the network with milestones in 2025 and the second in 2026 that they had to hit. Fast forward to today. I got this in my inbox saying that they were starting the process of hitting those milestones:

The expansion work began this week in the tunnels between Kennedy and Warden stations on Line 2. Together with the TTC, Rogers is expanding the network in phases to connect the remaining 36 kilometres of unconnected tunnels. Work is being done during overnight and weekend construction windows to minimize disruption for riders.

When complete, the modernized and expanded 5G network will deliver seamless wireless coverage with mobile voice and data services in all 75 stations and tunnels across Toronto’s subway system, part of Rogers commitment to expand connectivity for Torontonians.

You know what? It’s amazing what a corporation like Rogers will do if the right levers are pulled. As in the feds forcing them to do this. I say that because I am certain that Rogers would not have done this on their own as they’ve never been and never will be that sort of company. Nor would they have opened up this network to non-Rogers customers if they were not forced to do so by the feds. So if you’re in Toronto and you suddenly get cell service in the subway system where you never had it before in the weeks and months ahead, you can thank Rogers for putting in the work to make that happen. But you should also thank the feds for forcing Rogers do the right thing as well.

Leave a comment »

AHEAD & Wiz Announce Partnership 

Posted in Commentary with tags , on May 30, 2024 by itnerd

AHEAD, a leading provider of enterprise cloud, data, and platform solutions, has announced a partnership with Wiz, an AI and cloud security company and Cloud Native Application Protection Platform (CNAPP) provider. Together, they are offering a comprehensive and integrated approach to securing cloud environments, empowering enterprises to confidently harness the potential of AI and cloud.

In today’s rapidly evolving enterprise cloud landscape, organizations face significant challenges in maintaining a robust security posture across their cloud environments. The complexity of cloud architectures, the pace of change in cloud services, and the growing sophistication of cyber threats make it increasingly difficult for organizations to effectively secure their cloud assets.

AHEAD’s Cloud Security Accelerator, powered by Wiz, addresses these challenges by providing a comprehensive and integrated approach to securing cloud environments. The solution offers precise identification of security posture deviations, robust mitigation of vulnerabilities, comprehensive auditing of development and deployment landscapes, and streamlined processes.

AHEAD’s Cloud Security Accelerator allows organizations to take control of their cloud security posture, mitigate risks, and achieve compliance, ultimately enabling them to confidently leverage the power of cloud computing while maintaining a secure and resilient IT environment.

Leave a comment »

TELUS Expands Mobility For Good Program

Posted in Commentary with tags on May 30, 2024 by itnerd

Nine in 10 Canadians who have children 18 and under have reported that their costs of living have significantly increased over the past year, with 61 per cent of families having to adjust their day-to-day expenses (source: Abacus Data). 

To help families stay connected to each other and to services and information that matter most, today, TELUS is launching its Mobility for Good for Low Income Families program, expanding its program to support families across the country receiving the maximum Canada Child Benefit. The program enables families to receive discounted access to TELUS’ Mobility for Good plans, bringing them critical access to connectivity.

Mobility for Good as a whole is already open to 500,000 Canadians, including youth aging out of foster care, low-income seniors, Indigenous women at risk of violence, government-assisted refugees and other marginalized individuals. With today’s expansion, 800,000 families eligible to receive the maximum Canada Child Benefit from the federal government are now able to benefit from TELUS’ Mobility for Good program and can immediately apply through the TELUS’ website

With 97 per cent of Mobility for Good participants reporting the program makes it easier to stay connected to friends, family and support workers and 86 per cent reporting the program helped them find resources in a crisis, this offering couldn’t be more important than it is now.

Leave a comment »

Canadian Business Optimism Wanes Amid Economic Challenges: Zoho

Posted in Commentary with tags on May 30, 2024 by itnerd

The newly released Zoho Canada Business Outlook Report by Zoho Corporation, a leading global technology company, indicates a decline in business optimism among Canadian business leaders due to ongoing economic challenges. The report shows that 61.2% of respondents remain optimistic about the remainder of 2024, compared to 74.1% in the previous Q4 2023 report. Additionally, 32.9% cite the economy as their biggest challenge, and 51.9% indicate a decline in customer spending.

The survey, conducted in April 2024, included 1,000 Canadian business leaders (C-level to manager) and explored business performance, staffing trends, economic impacts, and technology usage. The report also highlights mixed priorities regarding Artificial Intelligence (AI), with 45.4% of respondents not considering it the most critical technology for their business, and moderate concerns about AI replacing existing roles (34.6%).

Key Survey Findings:

  • Respondents continue to be somewhat optimistic about their business with 63.1% of respondents anticipating growth of 1-20% (74.1% in Q4, 2023)
  • Staffing is holding steady with 57.2% of businesses planning to maintain current workforce levels (64% in Q4, 2023)
  • The integration of AI is a mixed priority with 45.4% of people not seeing it as the most critical technology.
  • 51.9% of respondents feel that customer spending is down
  • 24% of businesses indicate that cybersecurity is a technology priority, closely followed by collaboration tools (21.1%) and CRM (20.9%)
  • The availability of employee well-being programs skews towards the negative with 52.1%  of respondents indicating that none exist at their workplaces.

Employee Wellness

Employee wellness initiatives are critical for fostering a resilient and productive workforce, but there’s room for improvement – less than half of respondents indicated that wellness programs exist.

Employee wellness initiatives are split, with:

  • 52.1% of businesses lacking initiatives and 47.9% having some in place
  • Work-life balance is encouraged through flexible work hours (36.3%), remote work options (25.9%), regular breaks (22.4%), and paid time off for mental health days (15.4%).
  • 37.8% have observed a noticeable increase, reflecting a positive shift towards better mental health support

Business Outlook

  • 61.2% of businesses are optimistic
  • 28.6% are neutral
  • 10.2% are pessimistic 

Economic Impact and Customer Spending

Looking ahead, small businesses feel that the economy and a decline in customer spending are most likely to affect their business performance:

  • 32.9% of businesses cite the economy as their biggest challenge
  • 19.7% cite cash flow issues 
  • 14.0% cite funding/capital concerns 
  • Customer spending behavior has been negatively affected, with 51.9% observing a decrease in spending and only 22.3% seeing an increase
  • Ontario respondents indicate a slightly higher decrease of 53.5%, while Quebecers are less at 41.2%

Staffing

Staffing levels remain stable, with businesses planning to maintain their current workforce. However, there are concerns about AI’s impact on employment, with moderate worries about job replacement.

  • 57.2% of businesses plan to maintain their current workforce levels
  • 34.5% intend to hire more staff
  • 8.3% are planning layoffs
  • Concerns about AI replacing existing roles are moderate, with 22.7% somewhat concerned, 22.5% not very concerned, and 18.3% not concerned at all. 14.5% are very concerned.

Technological Integration and AI

While AI is recognized as important by some, many respondents do not consider it the most critical technology for their business. Among the primary factors driving AI adoption are increasing productivity, competitiveness, and reducing headcount/employee costs.

  • 45.4% do not consider AI as the most critical technology for their business, whereas 36.4% recognize its importance
  • The primary driving factors for AI adoption include increasing productivity (49.2%), increasing competitiveness (16.1%), and lowering headcount/employee costs (10.4%)
  • Technological priorities: 24.0% cybersecurity; 21.1% collaboration tools; 20.9% CRM

Report Methodology

Conducted in April, 2024, using Zoho Survey and Zoho Analytics, this study contacted 1,000 individuals across Canada. Participants in the study included a range of business leaders, from the C-level and owner/operators to managers, at small and large enterprises across a variety of industries.

Report Dashboard

Click here for the report dashboard.

Leave a comment »

« Older Entries
Newer Entries »