Aug 25 2022

Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack

The “0ktapus” cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp.


The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.

That’s according to an investigation from Group-IB, which found that several well-known organizations were among those targeted in a massive phishing campaign that it calls 0ktapus. The lures were simple, such as fake notifications that users needed to reset their passwords. They were sent via texts with links to static phishing sites mirroring the Okta authentication page of each specific organization.

“Despite using low-skill methods, [the group] was able to compromise a large number of well-known organizations,” researchers said in a blog post today. “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

Such was the case with the Twilio breach that occurred Aug. 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for single sign-on across the organization, allowing them to gain access to internal systems, applications, and customer data. The breach affected about 25 downstream organizations that use Twilio’s phone verification and other services — including Signal, which issued a statement confirming that about 1,900 users could have had their phone numbers hijacked in the incident.

The majority of the 130 companies targeted were SaaS and software companies in the US — unsurprising, given the supply chain nature of the attack.

For instance, additional victims in the campaign include email marketing firms Klaviyo and Mailchimp. In both cases, the crooks made off with names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including for Mailchimp customer DigitalOcean (which subsequently dropped the provider).

In Cloudflare’s case, some employees fell for the ruse, but the attack was thwarted thanks to the physical security keys issued to every employee that are required to access all internal applications.

Lior Yaari, CEO and co-founder of Grip Security, notes that the extent and cause of the breach beyond Group IB’s findings are still unknown, so additional victims could come to light.

“Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords,” he warns. “Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for shadow SaaS.”

Time to Rethink IAM?

On the whole, the success of the campaign illustrates the trouble with relying on humans to detect social engineering, and the gaps in existing identity and access management (IAM) approaches.

“The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attack,” Yaari says. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta.”

The incident also points out that enterprises increasingly rely on their employees’ access to mobile endpoints to be productive in the modern distributed workforce, creating a rich, new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.

“From phishing to network threats, malicious applications to compromised devices, it’s critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access,” he wrote in an emailed statement.

https://www.darkreading.com/remote-workforce/twilio-hackers-okta-credentials-sprawling-supply-chain-attack


Tags: authentication, authorization, Identity and Access Management


Oct 21 2021

Problems with Multifactor Authentication

Category: 2FA | DISC @ 9:04 am

Tags: authentication, MFA, phishing, Problems with Multifactor Authentication, ransomware, social engineering, Two-factor authentication


Jan 14 2014

What to Log for Authentication and Access Control

Category: Access Control, Log Management | DISC @ 10:30 am

Authentication and access control play a critical role in web application security. All authentication and access control events should be logged, including but not limited to successes and failures. If we log only successful events, someone could brute-force passwords without any detection or notice. Conversely, if only failures are logged, a legitimate user could misuse, corrupt, harm or simply abuse the system without detection. All other authentication and access control related events (such as account lockout) are also important and must be logged:

  • Failed log in
  • Successful log in
  • Account locked / disabled
  • Account unlocked / enabled
  • Account created
  • Password changed
  • Username changed
  • Logged out

Logs should include the resources involved in the web application (IP address, URL, user name, HTTP method, protocol version, etc.) and document the reason why access was denied for a failed event. Some applications provide much better logs than others. Generally, a log entry should contain the user ID, a timestamp, the source IP, a description of the event, an error code and a priority.

All error conditions should be logged, including simple things such as SQL query errors, which can help detect SQL injection attacks. Some errors related to the availability of the application are important as early signs that should trigger the business continuity plan (BCP). Availability is one of the main pillars of information security, so it should be logged and monitored. Logged error conditions should include, but not be limited to, failed queries, file-not-found and cannot-open errors, unexpected state, connection failures and timeouts.
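As an added example (not code from the original post), a small Python helper that emits the event types listed above as structured entries carrying the fields just described, plus a check that counts failed logins per source IP over constructed sample lines, which is exactly the detection a success-only log would miss. The priority level assigned to each event type is an assumption.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Priority per event type is an assumption for this example (syslog-style levels).
EVENT_PRIORITY = {
    "login_failed": "warning", "login_success": "info",
    "account_locked": "warning", "account_unlocked": "notice",
    "account_created": "notice", "password_changed": "notice",
    "username_changed": "notice", "logout": "info",
}

def auth_event(event, user_id, source_ip, description, error_code=None, ts=None):
    """One log entry with the fields the post lists: user ID, timestamp,
    source IP, description, error code and priority, serialized as JSON."""
    if event not in EVENT_PRIORITY:
        raise ValueError(f"unknown event type: {event}")
    stamp = ts or datetime.now(timezone.utc)
    return json.dumps({
        "timestamp": stamp.isoformat(), "user_id": user_id,
        "source_ip": source_ip, "event": event, "description": description,
        "error_code": error_code, "priority": EVENT_PRIORITY[event],
    })

def sample_log():
    """Constructed sample: one client fails against several accounts, plus normal traffic."""
    t0 = datetime(2014, 1, 14, 10, 30, tzinfo=timezone.utc)
    lines = [auth_event("login_failed", f"user{i}", "203.0.113.7",
                        "bad password", error_code="AUTH001", ts=t0) for i in range(6)]
    lines.append(auth_event("login_failed", "alice", "198.51.100.2", "bad password",
                            error_code="AUTH001", ts=t0))
    lines.append(auth_event("login_success", "alice", "198.51.100.2", "login ok", ts=t0))
    lines.append(auth_event("account_locked", "user3", "203.0.113.7",
                            "too many failures", error_code="AUTH002", ts=t0))
    return lines

def detect_brute_force(lines, threshold=5):
    """Source IPs with at least `threshold` failed logins. Only possible because
    failures are logged; a success-only log would show nothing here."""
    failures = Counter()
    for line in lines:
        entry = json.loads(line)
        if entry["event"] == "login_failed":
            failures[entry["source_ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print(detect_brute_force(sample_log()))  # {'203.0.113.7': 6}
```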

Besides the inherent benefits of log management, a number of laws and regulations further compel organizations to store and review certain logs. The following is a listing of key regulations, standards, and guidelines that help define organizations’ needs for log management: ISO 27001, ISO 22301, FISMA, GLBA, HIPAA, SOX, and PCI-DSS.

Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology: Special Publication 800-92

Security Log Management





Tags: Access Control, authentication, Log Analysis, logging, Security, Site Management


Feb 16 2010

Security risk assessment process and countermeasures

Category: Security Risk Assessment | DISC @ 4:01 pm

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. They are basic, generic steps that should not be followed as is but adapted to the organization’s assessment scope and business requirements.

• Identify the business needs of the assessment and align your requirements with those needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets, threats and vulnerabilities.
• Analyze the impacts and likelihood of threats and vulnerabilities on assets.
• Assess physical controls on network and security infrastructure.
• Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures.
• Review logical access, physical access and other authentication mechanisms.
• Review the level of security awareness based on current policies and procedures.
• Review the security controls in service level agreements with vendors and contractors.
• At the end of the review, develop practical recommendations to address the identified gaps in security controls.

To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address a vulnerability or thwart a threat of attack. Countermeasures use four types of techniques:

• Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at the ISP is an example of a deterrent control.
• Preventive controls reduce exposure. A firewall is an example of a preventive control.
• Corrective controls reduce the impact of successful attacks. Antivirus is an example of a corrective control.
• Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are examples of detective controls.




Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process


Sep 18 2008

Email and Security

Category: Email Security | DISC @ 3:14 am

As we know, it is possible to spoof an email sender’s name, so the question of how to authenticate the sender has become even more important now that email is used to send sensitive information.

In the recent case of Gov. Sarah Palin’s email, her account was hacked and the hacker posted screenshots of her email to WikiLeaks. Freedom of information laws require messages from government email accounts to be placed in the public record, so some public officials use Yahoo/Gmail to keep information out of public scrutiny.

First, public figures should avoid using public email services, and even if you do, don’t make it so obvious by naming the account eponymously, as Gov. Palin did. The information is held by the commercial email provider: its system administrators can see the email in the mailbox and can capture the text in transit. On commercial sites you will draw a great amount of attention if you happen to be a high-profile figure.

Second, perhaps we should not use commercial channels for private or sensitive information at all. If it is necessary to use email for sensitive information, make sure the email is encrypted in accordance with the Advanced Encryption Standard.

Third, two-factor authentication for sensitive email is now an industry standard; it requires the user to possess something (a token) and to know something only the user knows (a password or PIN). Two-factor authentication provides protection against identity theft.

Finally, strong authentication is a solution for securing identities, and use of the Advanced Encryption Standard minimizes the exposure of email content.

How to forge email addresses






Tags: authenticate, authentication, encryption, minimize exposure, palin, secure identities, spoof, theft protection


Aug 21 2008

Access control fraud and countermeasures

Category: Access Control | DISC @ 1:22 am

These days access to the internet is a business requirement. Most businesses are selling their products and services on the internet, which sometimes requires customers to have access to critical assets such as applications and databases. The global growth of the internet has increased the complexity and potential risks to these assets. In some cases, one potential breach may put the organization’s very existence at risk. French bank Société Générale made a frightening announcement in Jan. 2008 that it had uncovered a $7.14 billion US fraud, one of history’s biggest. A trader at the futures desk misled investors in 2007 and 2008 through a “scheme of elaborate fictitious transactions.”


In a security review, the reviewer will first determine the criticality of an asset and focus on how that asset is accessed by employees, the risks that unauthorized access by insiders or outsiders could pose to the organization, and whether access control has sufficient countermeasures in place to mitigate those risks. In other words, the security review determines the risk level of access control to a particular asset and what controls should be in place based on that level of risk. At the same time, the business’s first priority is to make information available with effective access control in place. Based on criticality, assets subject to security review present different levels of risk associated with access control. In other words, “not all data breaches are created equal.”


Authorization control determines access to network resources. Authentication determines the identity of the user: it verifies that the login belongs to the user attempting to gain access to the system, and can be obtained through PKI, smart cards, USB devices, tokens and biometrics. Accounting keeps records of user activity, including what was used, when and for how long. Most applications and operating systems have strong auditing features in place to track the activities of a user. Accounting records can be very useful as forensic evidence in case of a security breach. Authenticity covers the validity of information, for example when someone misrepresents your information by claiming that it is his or hers. Authenticity addresses all forms of information misrepresentation and the authenticity of system users.


In system profiling, the reviewer determines the criticality of access control and the risk posed to the organization, where the risk is directly proportional to the criticality of an asset. Higher risk will require stronger controls, or perhaps multiple controls. The security review should determine that the controls in place are sufficient to prevent unauthorized access and to provide non-repudiation of information and people. In many ways a password is the weakest link in the access control of a network defense. The best passwords are at least 60 random characters (letters, numbers and punctuation), which can be stored on a portable flash drive and retrieved when needed. All passwords for the critical infrastructure should have these characteristics. One weak password in the critical infrastructure can become a launching pad to access other resources in the network.


Security tools can be used to collect user permissions in a spreadsheet, which can then be used to analyze the effectiveness of authentication, authorization, accounting and authenticity. This analysis determines whether users have appropriate access based on need, role and the security policy of the organization. Non-repudiation is the cornerstone of access control, as it assures the validity of a transaction and of the user. Regular monitoring and non-repudiation of users in all facets of access control might be necessary to mitigate the identity fraud associated with high-profile assets. Compliance only addresses the bare minimum required to satisfy a control; to measure the strength of a control on high-profile assets, a security reviewer should use due care to regularly evaluate the effectiveness of access control at all levels. It might not be an example of due diligence when some regulations fail to require data encryption.
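As an added example (not code from the original post), a Python script that takes a permission export of the kind described above, compares each account’s permissions with what its role needs, and flags accounts that reach a high-criticality asset with only a password, tying the review to the earlier point that higher risk requires stronger controls. The export columns, the role policy, the asset criticality ratings and the set of strong authentication factors are all constructed assumptions.

```python
import csv
import io

# Constructed export, as a permission-collection tool might produce it
# (column names and the asset:permission format are assumptions).
PERMISSION_EXPORT = """user,role,auth,permissions
alice,trader,smart_card,trading_app:read;trading_app:trade
bob,analyst,password,trading_app:read;reports_db:read;trading_app:trade
carol,dba,password,reports_db:read;reports_db:admin
"""

# Assumed security policy: what each role needs, and how critical each asset is.
ROLE_POLICY = {
    "trader": {"trading_app:read", "trading_app:trade"},
    "analyst": {"trading_app:read", "reports_db:read"},
    "dba": {"reports_db:read", "reports_db:admin"},
}
ASSET_CRITICALITY = {"trading_app": "high", "reports_db": "medium"}
# Factors the post names as stronger than a password alone.
STRONG_AUTH = {"pki", "smart_card", "usb_device", "token", "biometric"}

def load_accounts(text):
    """Parse the spreadsheet export into one record per account."""
    return [{"user": r["user"], "role": r["role"], "auth": r["auth"],
             "perms": {p for p in r["permissions"].split(";") if p}}
            for r in csv.DictReader(io.StringIO(text))]

def review_access(accounts, policy=ROLE_POLICY, criticality=ASSET_CRITICALITY):
    """Findings as (user, issue, detail): permissions beyond the role's need,
    and password-only authentication on a high-criticality asset."""
    findings = []
    for acct in accounts:
        excess = acct["perms"] - policy.get(acct["role"], set())
        for perm in sorted(excess):
            findings.append((acct["user"], "excess_permission", perm))
        assets = {perm.split(":")[0] for perm in acct["perms"]}
        if any(criticality.get(a) == "high" for a in assets) \
                and acct["auth"] not in STRONG_AUTH:
            findings.append((acct["user"], "weak_auth_on_critical_asset", acct["auth"]))
    return findings

if __name__ == "__main__":
    for finding in review_access(load_accounts(PERMISSION_EXPORT)):
        print(*finding)
```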


Security Threats


Rogue Trader Crushes Bank Societe Generale


httpv://www.youtube.com/watch?v=h4qD_ooM198






Tags: accounting, authentication, authenticity, authorization, best passwords, countermeasure, data encryption, due diligence, fraud, higher risk, identity fraud, mitigate, non-repudiation, potential risks, security review, security tools, societe general, unauthorized access