Archive for Proofpoint

SMBs Targeted By State-Aligned Actors Through Their MSPs: Proofpoint

Posted in Commentary with tags on May 25, 2023 by itnerd

A new study by Proofpoint researchers found that advanced persistent threat (APT) actors are increasingly using vulnerable regional managed service providers (MSPs) as a springboard for attacks on the small and medium-sized businesses (SMBs) they service. Once through the MSP’s defenses, the attackers prey on the less well defended SMBs for financial gain.

The report, published this week, found that state-aligned actors from Russia, Iran and North Korea are increasingly using this supply-chain approach to breach SMBs’ defenses.

Proofpoint: “Regional MSPs often protect hundreds of SMBs that are local to their geography and a number of these maintain limited and often non-enterprise grade cyber security defenses. APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end-user environments.”

David Mitchell, Chief Technical Officer at HYAS, starts off the commentary with this:

   “MSP/MSSPs have been a concern for quite some time, primarily due to the access required into a customer network, along with varying degrees of technical and security expertise on the provider side. Managed services is no longer a high margin business and as such, many MSPs are still utilizing legacy technologies to provide services to their customers, which leaves everyone in that chain exposed.

   “Understanding the security posture of your third party providers is a difficult, if not impossible, undertaking for small and medium businesses. Until there is a more scalable way of continuously auditing your service providers, the risk fully lies with whether the customer chose a capable MSP or not.”

Roy Akerman, Co-Founder & CEO of Rezonate, adds this:

   “We’ve seen the increased risk around third-party access and supply chain risk increasing for the past few years. The Kaseya VSA software vulnerability used by many MSPs was a key part of distributing REvil ransomware all the way to SMB organizations managed by MSPs. So was the SolarWinds security breach. “Watching-the-watcher” was and will continue to be a focus for organizations who outsource their work externally while always being able to identify who’s doing what and for what reason. Zero trust principles can help tackle and reduce risk by limiting MSPs to only do what they need to and not take the path of a yet-another-superadmin across your network.”

For many small and midsize companies, having someone else remotely monitor and manage their computer network is perceived as a no-brainer. The managed service provider can improve efficiency, reliability, security, and maintenance — all while lowering costs and freeing up IT staff to work on more strategic projects. But there are risks, and this Proofpoint research illustrates that in black and white.

Heightened MFA Use Pushes Hackers To Devise New Phishing Tactics To Beat MFA

Posted in Commentary with tags on February 3, 2022 by itnerd

Multi-factor authentication, or MFA, is the new hotness in terms of keeping yourself secure. But not so fast. In a new report published today by Proofpoint, researchers warn that phishing actors are coming up with new ways to bypass MFA. The increased use of MFA, driven by the pandemic and the migration to WFH, has pushed threat actors to use transparent reverse proxy solutions, and to meet the rising demand, reverse proxy phish kits are being offered for sale.

Key takeaways from the report include:

  • As multi-factor authentication becomes a standard security practice, phish kits are evolving with the times to steal these tokens and bypass this trusted layer of security.
  • Threat actors are using phish kits that leverage a transparent reverse proxy, which enables them to man-in-the-middle (MitM) a browser session and steal credentials and session cookies in real time.
  • It is likely that more threat actors will turn to these MitM phish kits, making security increasingly difficult for defenders.

Aimei Wei, Founder and CTO of Stellar Cyber, has this to say:

“Hackers are evolving quickly in response to security defense measures such as MFA. While the security industry prepares to deal with this blind spot, people should always be vigilant about the email or website before clicking a link or logging in to a website.”

If this concerns you, and it should, then one mitigation strategy you might want to consider is passwordless authentication. A number of companies are bringing this technology to market or have already done so, so it might be an option for your enterprise.
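The reverse-proxy bypass described above and the passwordless mitigation suggested here, as an added illustration that is not part of the original post or of Proofpoint’s report: a toy relying party in Python that accepts a one-time code without regard to which page the user typed it into, beside a WebAuthn-style check that rejects an assertion signed on any origin other than the real site. The origins, keys, challenge and code values are constructed, and an HMAC stands in for the authenticator’s public-key signature.

```python
"""Toy model of why a transparent reverse proxy can relay a one-time code
but not an origin-bound (WebAuthn-style) assertion. Added illustration, not
Proofpoint's code; all keys, origins, codes and challenges are constructed."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"     # the legitimate site (constructed)
TOTP_SECRET = b"constructed-shared-secret"     # shared secret of the TOTP model
DEVICE_KEY = b"constructed-authenticator-key"  # stands in for the credential's private key


def totp_code(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238-style six-digit code: HMAC-SHA1 over the 30-second counter."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify_totp(code: str, now: int) -> bool:
    """The server only checks the digits; nothing ties the code to the page the
    user typed it into, so a proxy sitting in the middle can forward it as-is."""
    return hmac.compare_digest(code, totp_code(TOTP_SECRET, now))


def sign_assertion(challenge: str, browser_origin: str) -> dict:
    """Authenticator model: it signs client data carrying the origin the browser
    really loaded. A look-alike site cannot make the browser report the real one."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True)
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party check: signature must verify AND the signed origin must be
    the real site, so an assertion collected on a proxy domain is rejected."""
    expected = hmac.new(DEVICE_KEY, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["signature"], expected):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == expected_challenge and data["origin"] == REAL_ORIGIN
```

A proxy that rewrites the signed origin field breaks the signature, and one that leaves it intact hands the real site an origin it will not accept; the code only demonstrates the check, not a real kit.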

Quarterly Mobile Security Threat Analysis Now Out From Proofpoint

Posted in Commentary with tags on October 24, 2016 by itnerd

Proofpoint just released their quarterly threat summary, which included some insight on mobile security threats I thought might be of interest to your readers. Key takeaways include: 

  • Mobile exploit kits and zero-day attacks targeted iOS and Android. Most mobile devices today have 10-20 exploitable zero-days. Roughly 30% of those are serious and could allow attackers to run malicious code on infected devices. 
  • Pokémon GO-related malware spawned malicious counterfeits. Malware in the form of malicious side-loaded clone apps, dangerous add-ons, and other risky apps grew out of the game’s popularity. Users can download apps from anywhere, and even the major app stores offer only limited screening of apps and updates.

[Figure: Mobile Vulnerabilities]

Mobile app threats: Not playing games

Pokémon GO is one high-profile example of an app whose popularity has created an ecosystem of mobile threats. Games are a major target, as are apps related to major events. Some apps are overtly malicious, and others create business risks by requiring excessive permissions or handling data poorly. Whether downloaded by employees or their family members, malicious and other risky apps are following users into the workplace.

Key stat: Nearly 5% of mobile devices on corporate networks are running Pokémon GO.

Analysis: Released in July, Pokémon GO was an immediate international sensation. Because of its staggered global release, pent-up demand led users who could not access it through legitimate app stores to sideload the app through third parties and direct downloads. Within three days of Pokémon GO’s release in Australia and New Zealand, we identified a cloned version of the Android app in a malware repository. The counterfeit copy included DroidJack, a remote access Trojan capable of taking over the device, and modified app permissions indicated in Figure 7. Though not observed in the wild, this version of Pokémon GO showed just how easily attackers could modify a popular app and distribute a malicious version to users.

A recent survey showed that Pokémon GO is installed on nearly 5% of mobile devices accessing corporate networks. Like many popular games, Pokémon GO has spawned numerous game guides, cheats, and add-ons. Many of them are risky or malicious, potentially exposing networked resources to attackers. We have identified at least three malicious versions of Pokémon GO this quarter along with numerous malicious companion apps. Even among legitimate installations, 4% of devices accessing corporate networks were an early version of the game that granted excessive permissions.

The Olympic Games in Rio also provided further examples of ways in which threat actors co-opted popular phenomena for malicious purposes. We identified over 4,000 Android apps and over 500 iOS apps related to the Olympics that exhibited risky or malicious behaviors. 

Mobile threats continue with Pegasus and other zero-day tools

Most mobile devices have multiple serious, unpatched vulnerabilities that could expose them to a slew of malware and attack vectors. This includes both Android and iOS devices. As mobile devices become primary means of daily work and regular communication, these vulnerabilities can have serious consequences. That’s why organizations need dynamic, intelligent protection and management.

Key stat: The average mobile device has between 10 and 20 exploitable zero-day vulnerabilities.

Analysis: In August, we found that the so-called “Pegasus mobile device attack kit” was available in both the criminal underground and the research community. This kit can be used to attack any device that is running any iOS version between iOS 7 and iOS 9.3.5. Although the malware originally surfaced as a result of a high-profile attack on a political dissident in the United Arab Emirates, it can be used against any person or enterprise with a vulnerable device.

Like many other types of both mobile and desktop malware, Pegasus can be delivered through a URL with a convincing lure. Because it targets mobile devices, the link can be distributed via SMS, email, social media, malicious search results or even other apps. When installed, Pegasus exploits a vulnerability in many versions of iOS. It silently roots the phone and gains unencrypted access to a variety of apps and communication on the phone.

Apple’s rapid response with an update to iOS and the significant public attention the issue received helped mitigate the immediate risk. But Pegasus was only the best known of such malware: the average mobile device has 10 to 20 exploitable zero-day vulnerabilities that can be targeted by mobile malware. Roughly a third of these are serious flaws that enable attackers to run malicious code.


Are You A Fan Of Pokémon Go? You Might Want To Read This…

Posted in Commentary with tags on September 8, 2016 by itnerd

Fans of the popular game Pokémon GO may be trying to catch them all. But according to Proofpoint, evildoers may be out to get them. Here’s why. The company has identified 543 social media accounts related to Pokémon GO across Facebook, Twitter, and Tumblr, and of these, 167 – over 30% – were fraudulent. Of note:

  • 44 accounts had links to download files, many purporting to be Pokémon GO, game guides, etc.
  • 79 were imposter accounts.
  • 21 accounts promised “free giveaways”.

Accounts with downloads affected both mobile and desktop platforms and delivered adware, malware, and software other than the one advertised.

So, why is this an issue now? It’s simple. Yesterday Apple announced that Pokémon GO will be available on the Apple Watch. That means this is about to become a bigger problem.

The full blog post outlining Proofpoint’s research can be found here. But I am not finished with the bad news just yet. 

Pokémon GO has found its way onto devices connected to corporate networks. 4.5% of devices across the organizations we surveyed had Pokémon GO installed, including a small percentage of them (4%) running early versions of the game that had no patch for the Google permissions issues.

In short, your attempt to catch them all may be risky.

Thousands of Malicious Apps and Social Media Accounts Found At The Olympics

Posted in Commentary with tags on August 5, 2016 by itnerd

The Olympics in Brazil start today. And Proofpoint has found thousands of potential risks in Olympics-related social media accounts and mobile apps. There were over 4,500 risky apps associated with the Olympics on Android and iOS, including clearly malicious apps with the ability to take over mobile devices.

A close look at Olympics-related social media accounts also revealed a wide range of impostor accounts, as well as substantial numbers conducting more overtly illegal activities, such as:

  • 15% of Olympics-related social media accounts were fraudulent, and many featured illegal live streaming, phishing, illegal ticket sales, and more.
  • 82% were impostor accounts, with misleading use of Olympic or sponsor brand elements to attract followers and interaction.
  • 6% used the popularity of the Olympics to steal follower credentials in phishing attacks.
  • 4% involved fake or unauthorized ticket sales.
  • 3% emulated Olympics pages to distribute anti-Olympics or anti-Brazil propaganda.

The full details of the findings are available on Proofpoint’s blog:

3 Tips for Social Media and Mobile Users:

  • Only engage with verified pages and use official mobile apps 
  • Only purchase tickets from the official Olympics site
  • Avoid free-streaming, “too good to be true” offers, and unofficial mobile apps

5 Tips for Brands:

  • Automate content moderation to deal with the increase in content volume
  • Use a discovery tool to find and help you take down fraudulent social media accounts and mobile apps
  • Install a social media protection tool to mitigate account hacks
  • Use strong passwords and adopt two-factor authentication
  • Limit the number of connected apps that can publish to your pages