What’s going down – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations

Identity security news – September 6
https://ostermanresearch.com/2024/09/07/20240906news/
Fri, 06 Sep 2024 17:56:36 +0000

Some recent news articles of interest on identity security …

Cisco Talos on frequency of MFA attacks in 2024

During the first quarter of 2024, Cisco Talos’s incident response teams saw MFA attacks in almost half of all security incidents they worked on, with fraudulent MFA push notifications in one quarter of attacks.

Using another data set from Cisco Duo deployments, Cisco also said that many MFA push notification attacks are timed for pre-work hours (e.g., 8-9am) in the hope that distracted workers will let something slip through.

See Cybersecurity Dive.

Design flaw in Microsoft Authenticator

Microsoft Authenticator, an app for safeguarding accounts with time-based tokens for MFA, has a long-standing design flaw that Microsoft doesn’t seem keen to fix. When a user scans a QR code to add a new account, but their user name is the same as one that already exists in the app, Authenticator will overwrite the most recent one. Oops. The user may not realize their loss until some time later, at which point they are most likely to blame the issuer of the code, not Authenticator. This flaw does not apply to Microsoft-issued codes.

See CSO Online.

OTP Agency founders plead guilty to charges

The three founders of the OTP Agency in the United Kingdom, a service that enabled the theft of one-time codes used for authentication, pleaded guilty to charges of making and supplying articles for use in fraud and money laundering. When the OTP Agency was operational, it sold a weekly subscription for bypassing multi-factor authentication safeguards and had around 2,200 members on its Telegram group.

See Forbes.

Recent news – June 5
https://ostermanresearch.com/2024/06/05/news20240605/
Wed, 05 Jun 2024 06:50:53 +0000

What we’ve been reading …

Ransomware attack on Synnovis affects service delivery at London hospitals

Synnovis, a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust, and SYNLAB, is Europe’s largest provider of medical testing and diagnostics. It was hit by a ransomware attack earlier this week, which had cascading service delivery impacts across multiple hospitals in London. This included cancellation of some procedures and operations, and the need to coordinate emergency blood transfusions by pen and paper since the online systems were down. The attack has not yet been resolved.

See Sky News and statement from Synnovis

OpenText purchased Pillr, an MDR platform

OpenText purchased a cloud-native, multi-tenant MDR platform for MSPs. Pillr, originally from Novacoast, allows OpenText to offer customers enhanced threat hunting, monitoring, and response capabilities. OpenText said the acquisition will be combined with its existing Threat Detection offerings which are set up for deployment within organizations for network detection and response. 

See press release and OpenText’s Threat Detection and Response products

Dark Wire: The Incredible True Story of the Largest Sting Operation Ever

WIRED has a teaser extract from Joseph Cox’s new book, Dark Wire, about how the FBI wiretapped the world. Amazon says the book provides “the inside story of the largest law-enforcement sting operation ever, in which the FBI made its own tech start-up to wiretap the world, shows how cunning both the authorities and drug traffickers have become, with privacy implications for everyone.” Joseph is an investigative journalist; the story borders on the unbelievable, but we guess that’s the idea.

See WIRED and Amazon

Recent news – May 21
https://ostermanresearch.com/2024/05/21/news20240521/
Tue, 21 May 2024 03:52:11 +0000

What we’ve been reading …

Organizations have insufficient cyber insurance coverage

CYE, a cyber risk quantification firm, calculated that the average organization is only covered for 25% of the financial risk associated with a cyber breach. The data comes from external (not CYE) and internal (CYE) sources. CYE said that 80% of organizations lack sufficient coverage, and the maximum insurance gap is 3000% – which would mean that the organization is only covering 0.03% of its total cost due to a data breach. 

The associated report (it’s not in the press release) says that the gap could be “in the ability or willingness of cyber insurers to provide adequate insurance coverage,” which is the major trend line we’ve seen the most due to the spate of high-cost ransomware incidents that decimated insurance company profits. We agree that it could also be due to an inability to quantify risk internally, but would see the insurance market dynamics as the major influence. Regardless of the impact on insurance policy issuance, the value of risk quantification is that it shows what an organization is not covered against from an insurance POV, thus highlighting to senior leadership the urgent work that needs to be done to actually improve security posture – not merely shift the cost of a breach to a third-party. Press release Report

MDRs are failing to help enough; a better approach is needed

A study by Radiant Security found significant shortcomings in MDR (managed detection and response) services, such as a lack of context about their environment (34%), more escalations than a SOC team can handle (32%), and a long time frame for remediating incidents (44% take more than 4 weeks per incident). Also, 70% of respondents said they are saving only 25% or less of their time after outsourcing to an MDR service – which doesn’t line up with the outsourcing value proposition. Radiant says it’s time for a new approach, and it has some ideas on what organizations should be doing instead. Press release

Microsoft and Google continue to top the list of most impersonated brands

Microsoft and Google continue to be in first and second places respectively as the most impersonated brands used in phishing attacks, followed by LinkedIn, Apple, and DHL in 1Q 2024. Amazon brand impersonation has dropped from 4Q 2023 to 1Q 2024, and Airbnb has made a first time appearance in 1Q 2024. Be careful what you click on peeps! InfoSecurity Magazine

Recent news – May 17
https://ostermanresearch.com/2024/05/17/news20240517/
Fri, 17 May 2024 05:57:12 +0000

What we’ve been reading …

U.S. critical infrastructure organizations need to improve cyber hygiene

In almost all attacks seen against U.S. critical infrastructure organizations, cyber actors have taken advantage of poor cyber hygiene practices. These include the use of default or weak passwords, unpatched known vulnerabilities, and poorly secured network connections. Avril Haines, Director of National Intelligence, said they are seeing record levels of attacks against U.S. industrial control systems typically used to automate industrial processes and widely used by critical infrastructure organizations. Defense.gov

Aiden for addressing vulnerabilities and keeping Windows endpoints at the desired specification

Aiden Technologies announced new security capabilities to mitigate vulnerabilities faster across Windows endpoints. Its AidenVision system identifies and alerts on high and critical CVEs across all Windows endpoints, maps what new software patches are needed to address these CVEs, and then automates remediation. Pre-AidenVision, the company says that organizations typically took 55 days to remediate 50% of the most critical KEVs from CISA. Post-AidenVision, organizations can deal with 97% of the most critical CVEs within 3 days. The reporting system gives audit-ready evidence to meet enquiries from regulatory bodies and insurance carriers. Aiden Technologies

Another reason to stop relying on SMS for MFA

Receiving one-time codes by SMS is a very convenient way of enacting multi-factor authentication requirements. It is, however, one of the least secure methods of MFA and one we continually recommend against. With phishing kits routinely including MFA bypass capabilities for one-time codes, SMS and other MFA mechanisms that take this approach should be deprecated in your security posture. And here’s another reason: fraudsters are targeting employees at mobile carriers with offers of money to perform a SIM swap, thus giving them access to a user’s phone number to receive MFA codes, among other malicious benefits. Security Boulevard

Recent news – April 8
https://ostermanresearch.com/2024/04/08/news20240408/
Mon, 08 Apr 2024 11:00:00 +0000

What we’ve been reading:

  • How AI is fuelling frighteningly effective scams
    Reviews areas of malicious use of AI technology for voice and video scams, along with a brief mention of phishing. Looks at how standard AI tools can be “weaponized by criminals to create realistic yet bogus voices, websites, videos and other content to perpetrate fraud,” and why voice cloning is a particular problem for the financial services industry that has built transaction authorization around voice signatures for years.
    AARP
  • Time to click for phishing links
    KnowBe4 runs the numbers on when people click on links in phishing emails. Two findings stood out: first, links in phishing messages received Monday to Friday are routinely clicked by 20% or more of users, and second, more than half of users click to open phishing emails within 60 minutes of receiving the message. KnowBe4 Blog
  • The impact of generative AI on the efficacy of security awareness training
    Explores the impact of generative AI on the performance of security awareness training, emphasizing the changing dynamics as cybercriminals leverage generative AI services to remove traditional signals of compromise (e.g., spelling mistakes, poor language use) and weaponize the services to deliver individually-targeted phishing messages based on a social media profile. SCMagazine
Recent news – March 11
https://ostermanresearch.com/2024/03/11/news20240311/
Mon, 11 Mar 2024 03:49:07 +0000

Things that have caught our eye recently:

  • LockBit takedown
    A coalition of the FBI and law enforcement agencies from 9 other countries disrupted the operations of the LockBit ransomware group. The operation seized rogue accounts and servers across multiple countries, as well as 1,000 potential decryption keys to assist LockBit victims. A couple of individuals were arrested. It is being touted as a “systemic disruption and dismantling” of the LockBit group. LockBit claimed the timing was due to it having ransomed Fulton County and thus held incriminating evidence on Donald Trump that could affect the upcoming US election. FBI Akamai KrebsOnSecurity
  • Cayosoft receives minority investment of $22.5 million for expansion
    Cayosoft, which focuses on Active Directory management, received $22.5 million in new investment funds for accelerating U.S. and international growth. Cayosoft will use the funds to hire sales and marketing personnel, as well as for the development of new tools to help organizations manage Active Directory. The investment is positioned around Cayosoft’s recovery, management and governance solutions for Active Directory forests; its solution can enable recovery post-attack “instantly” (defined as within seconds or minutes, versus hours, days or longer for competitive offerings). Cayosoft
  • Research on adoption of AI and LLMs in enterprises
    cnvrg.io, an Intel company, published the results of its third annual ML Insider survey (published December 2023, so playing catchup on this one). Key findings: only 10% of the organizations surveyed have already launched generative AI solutions to production, the U.S. organizations in the research are further ahead, and those that have deployed such solutions have seen various benefits. Main reasons for slow adoption: need to improve skills (lack of knowledge), compliance and privacy issues (and rightly so), and high cost of implementation. Intel
Recent news – November 17
https://ostermanresearch.com/2023/11/17/news20231117/
Fri, 17 Nov 2023 05:03:54 +0000

What’s been happening recently in our areas of interest:

  • DP World Australia, a port operator in Australia, suffered a cyberattack that forced it to limit access to ports in Sydney, Melbourne, Brisbane, and Fremantle for several days. Key incident response focus: (1) prioritize sensitive inbound freight (e.g., stuff in the real world that perishes), and (2) determine the effect on its systems and data. Bloomberg
  • IRONSCALES released the Fall 2023 update of its email security platform, with an emphasis on fighting image-based and QR code attacks that bypass text analysis. Internal data shows a 215% increase in phishing emails that incorporate images over the past six months. There are new automated simulation capabilities, too. IRONSCALES
  • KnowBe4 published a new report on security behaviors of workers in the UK. Findings: attentiveness to cybersecurity concerns varies throughout the day, responding to emails while on a bio-break is a thing, and a distracted worker is more likely to click on a suspicious link. KnowBe4
  • Egress released an integration with KnowBe4’s Adaptive Security models, so that Egress users are automatically enrolled in role-relevant and risk-level appropriate training based on the threats arriving in their inbox. The intent: “individualized security coaching that drives behavioral change and reduces overall risk.” Egress
  • A firm in New Zealand experienced an attempted BEC scam that included a deepfake video call in Microsoft Teams, although the scam emphasized the video lookalike only, not the voice soundalike. NZ Herald