Project Hyphae

Information Security News – 9/19/2022

Share This Post

Attacker Apparently Didn’t Have to Breach a Single System to Pwn Uber

Article Link:

  • An 18-year-old hacker gained what appears to have been complete administrative access to critical parts of Uber’s IT infrastructure using an employee’s VPN credentials gathered via social engineering as an initial access vector.
  • Early indications show that the hacker breached the account of one of Uber’s incident response (IR) team members, which allowed widespread system access and the ability to run legitimate tools, like Powershell, without raising any alarms.
  • Screenshots from the hacker show he gained full administrative access to Uber’s AWS, Google Cloud, VMware vSphere, and Windows environments. He also had access to a full database of discovered bug bounty vulnerabilities, another repository with Uber sales metrics, information on Slack, and even info from the company’s endpoint detection and response (EDR) platform.

Attackers Can Compromise Most Cloud Data in Just 3 Steps

Article Link:

  • According to an Orca Security analysis of data from major cloud services, released on Sept. 13, attackers only need, on average, 3 steps to gain access to sensitive data, the so-called “crown jewels”.
  • The first, and most apparent, step is exploiting a known vulnerability. As the data analysis highlights, 78% of attacks start in this manner. The second step is exploiting cloud provider root accounts, a third of which lack MFA protections. The last step that is exploited is weak or leaked passwords being used on Internet-accessible workloads, which Orca noted that 12% of organizations struggle with.
  • Last, there is an issue with fully understanding and monitoring cloud resources. As the report notes, 11% of cloud providers’ and their customers’ cloud assets were considered “neglected”, having not been patched in the last 180 days.

One in 10 Employees Leak Sensitive Company Data Every 6 Months: Report

Article Link:

  • On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, 9.4% of employees do so, Cyberhaven noted in its report that tracked 1.4 million people who handle sensitive information, globally.
  • The most common exfiltration vectors are personal cloud storage (used in 27.5% of incidents), personal webmail (used in 18.7% of incidents), and corporate email to an inappropriate recipient (resulting in 14.4% of incidents).
  • Of the increase in data exfiltration incidents before an employee voluntarily departs, 68.7% occurs before they notify the company and 37.7% occur after the employee gives their resignation notice.

API Security, and Even Visibility, Isn’t Getting Handled by Enterprises

Article Link:

  • A report commissioned by Noname Security found that more than 75% of cybersecurity professionals in the US and UK said that their organization had experienced at least one API-related security incident within the last 12 months. Likewise, 74% said they hadn’t completed a full inventory of their APIs. Last, 71% said they were confident in the API security provided by their communications service provider.
  • The most vulnerable industries, according to the survey, were energy and utilities, as well as manufacturing, with 78% of respondents in these industries reporting an API-related breach.
  • Additionally, 14% of UK respondents and 8% of US respondents said they have real-time insight and testing on their APIs and potential API-related vulnerabilities.

Cybersecurity in 2022? Remote Working & Mobile are Changing Everything

Article Link:

  • As technology advances, the attack surface available to cyber attackers has increased and the jobs for security teams have become significantly more challenging.
  • The ‘bring your own device’ factor is the big challenge. Securing BYOD devices is much more difficult than securing company-owned devices with a mobile device management (MDM) solution in place. But in the work from home era, employers have little choice in what devices are utilized.
  • Despite organizations having to utilize BYOD devices more frequently, steps can be taken to limit risks associated with BYOD devices. Specifically, this article notes NIST’s 5-step BYOD framework which includes “Identify”, “Protect”, “Detect”, “Respond”, and “Recover”.

Most Organizations Consolidate to Improve Risk Posture

Article Link:

  • A recent survey by Gartner found that 75% of organizations are pursuing security vendor consolidation in 2022, up from 29% in 2020. Furthermore, many organizations are looking to specifically optimize their secure access service edge (SASE) and extended detection and response (XDR) vendors.
  • The survey found that organizations want to consolidate their security vendors to reduce complexity and improve risk posture, not to save on budget or to improve procurement. 65% of surveyed organizations expect to improve their overall risk posture, and only 29% of respondents expect reduced spending on licensing.
  • While saving money isn’t the main focus, this resource optimization will likely lead to the reallocation of cybersecurity funding towards other risk-reducing security measures.

Hackers now use “Sock Puppets” for More Realistic Phishing Attacks

Article Link:

  • An Iranian-aligned hacking group, known as TA453, uses a new, elaborate phishing technique where they use multiple personas and email accounts to lure targets into thinking it’s a realistic email conversation. The attackers send an email to targets while CCing another email address under their control and then respond from that email, engaging in a fake conversation.
  • This technique is called “Multi-persona Impersonation” (MPI) and has been noted as being more effective in making phishing emails look legitimate.
  • The documents that targets were tricked into downloading via OneDrive links in TA453’s recent campaign are password-protected files that perform template injection. From there, macros collect information such as username, list of running processes along with the user’s public IP from and then exfiltrates that information using the Telegram API.

How SOCs Distribute Cybersecurity Alerts to Avoid Burnout

Article Link:

  • As cyber threats become more advanced, enterprise security operations centers (SOCs) are finding themselves inundated with challenges. Amid that landscape, organizations are also having to deal with a lack of security talent, professional burnout and tight budgets to help with their primary goal of protection.
  • This article highlights 3 approaches to addressing security alerts. The first is a classical approach of triage tiers with more complex challenges being escalated accordingly. The second is assigning alerts on vectors or areas of competency, such as having team members specialized in web applications and servers. The last is a single queue method where all team members work from the same alert queue with the capacity to have personnel on-hand to handle more sophisticated incidents.

Microsoft-Terranova Gone Phishing Tournament

Article Link:

  • The Gone Phishing Tournament is an initiative lead by Microsoft and Terranova to provide free baseline click rate data utilizing real-world phishing simulations during the month of October.
  • 82% of breaches include (and often start with) user behavior. Not all are phishing, but a majority of them are as it is a cheap and reliable initial attack vector.
  • Furthermore, human behavior plays a major role in either falling victim to or withstanding phishing attempts that are conducted by malicious actors. This initiative is meant to aid organizations in moving towards improving employee behavior related to phishing by offering a baseline to act upon.
  • For more information go here:

More To Explore

Information Security News 6-5-2023

‘Picture-in-Picture’ Obfuscation Spoofs Delta, Kohl’s for Credential Harvesting Article Link: NSA and FBI: Kimsuky Hackers Pose as Journalists to Steal Intel Article Link:

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.