In today’s cybersecurity news…
Microsoft MFA bypassed in AuthQuake PoC
Researchers at Oasis Security presented details of an attack technique that could have given threat actors access to Outlook emails, OneDrive files, Teams chats, and Azure cloud instances. Needing only an hour to execute, it required no user interaction, and it would not trigger any notification to the victim. The attack is based on exploitation of the authenticator app process, in which a user obtains a six-digit MFA code on their app. The researchers saw that one session supports up to 10 failed attempts to prevent brute-force attacks, but they then saw that an attacker could execute multiple attempts simultaneously, enabling them to go through possible combinations relatively fast. Oasis named this attack method AuthQuake, and reported it to Microsoft in late June. A temporary fix was deployed a few days later, followed by a permanent fix in October.
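As an added example (not Oasis Security's or Microsoft's code), here are the two rate-limiting designs the report contrasts, written in Python: a failure counter kept per session, whose budget a client can multiply by opening more sessions, beside a per-account sliding-window counter that caps the total number of guesses and flags the account for a user-facing notification. The 10-attempt limit is the figure from the article; the 30-minute window, the alert hook and the helper names are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_FAILED = 10            # per-session failure limit described in the article
LOCKOUT_WINDOW = 30 * 60   # assumed per-account window in seconds (not from the article)


class PerSessionLimiter:
    """Weak design: failures are counted per session, so every new session
    starts with a fresh budget of MAX_FAILED guesses for the same account."""

    def __init__(self, max_failed=MAX_FAILED):
        self.max_failed = max_failed
        self.failed = defaultdict(int)      # session_id -> failure count

    def allow(self, account, session_id):
        return self.failed[session_id] < self.max_failed

    def record_failure(self, account, session_id):
        self.failed[session_id] += 1


class PerAccountLimiter:
    """Hardened design: failures are counted per account inside a sliding
    window regardless of session, and exhausting the budget records an alert
    so the account owner can be notified."""

    def __init__(self, max_failed=MAX_FAILED, window=LOCKOUT_WINDOW, clock=time.monotonic):
        self.max_failed = max_failed
        self.window = window
        self.clock = clock
        self.failed = defaultdict(deque)    # account -> failure timestamps
        self.alerts = []                    # accounts whose budget was exhausted

    def _prune(self, account):
        cutoff = self.clock() - self.window
        q = self.failed[account]
        while q and q[0] < cutoff:
            q.popleft()

    def allow(self, account, session_id):
        self._prune(account)
        return len(self.failed[account]) < self.max_failed

    def record_failure(self, account, session_id):
        self.failed[account].append(self.clock())
        if len(self.failed[account]) == self.max_failed and account not in self.alerts:
            self.alerts.append(account)     # hook for a notification to the user


def verify_code(limiter, account, session_id, submitted, expected):
    """Check a submitted six-digit code, honouring the limiter. Returns True only
    for a correct code that the limiter allowed to be evaluated."""
    if not limiter.allow(account, session_id):
        return False
    if submitted == expected:
        return True
    limiter.record_failure(account, session_id)
    return False


def wrong_codes_checked(limiter, account, n_sessions, per_session):
    """Unit-test helper: a client opens n_sessions parallel sessions and submits
    `per_session` wrong codes through each. Returns how many wrong codes the
    server actually evaluated, i.e. the effective guess budget the design grants."""
    checked = 0
    for _ in range(per_session):
        for s in range(n_sessions):
            sid = f"session-{s}"
            if limiter.allow(account, sid):
                verify_code(limiter, account, sid, "000000", "123456")
                checked += 1
    return checked


if __name__ == "__main__":
    print("per-session budget with 10 sessions:",
          wrong_codes_checked(PerSessionLimiter(), "alice", 10, 10))
    print("per-account budget with 10 sessions:",
          wrong_codes_checked(PerAccountLimiter(), "alice", 10, 10))
```

With the per-session counter, ten parallel sessions give ten times the budget; with the per-account counter the total stays at ten within the window and the account lands in `alerts`, which is where a real service would send the notification the article notes was missing.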
Cybercrime marketplace Rydox taken down
The Justice Department announced yesterday that it had participated in a coordinated international mission to seize Rydox, an online marketplace that has been linked to sales of sensitive data such as credit card information, login credentials, and other PII stolen from thousands of U.S. residents. The FBI’s Pittsburgh Office worked alongside Albania’s Special Anti-Corruption Body, its National Bureau of Investigation, Kosovo’s Special Prosecution Office and Police, and the Royal Malaysian Police. Two individuals were apprehended in Kosovo and will be extradited to Pennsylvania to face charges, while another was detained in Albania and will be prosecuted there.
U.S. charges Chinese national for hacking thousands of Sophos firewall devices
Guan Tianfeng worked at Sichuan Silence Information Technology Co., and now faces charges for “developing and testing a zero-day exploit used to compromise approximately 81,000 firewalls.” He, along with some accomplices, exploited an SQL zero-day vulnerability to deploy malware that stole data and encrypted files to block remediation attempts. “Sophos was informed of the attacks by one of its customers on April 22, 2020. An investigation determined that hackers targeted systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone. They then exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.”
Thanks to today’s episode sponsor, ThreatLocker

ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.
Prometheus instances exposed leaking creds and API keys
Researchers at Aqua are warning that “thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks.” They continued, “Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys.” According to The Hacker News, up to “296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers are estimated to be publicly accessible over the internet, making them a huge attack surface that could put data and services at risk.”
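One check a practitioner can run before a Prometheus server or exporter is ever reachable is to scan what it exposes for secrets. The following is an added example, not code from Aqua or the Prometheus project: a small Python parser for the Prometheus text exposition format that flags label names that look like credentials, connection strings with embedded passwords, and long high-entropy label values. The sample metrics are constructed, and the regexes, the entropy threshold and the function names are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed sample /metrics output; not from any real server.
SAMPLE_METRICS = """\
# HELP app_build_info Build information
# TYPE app_build_info gauge
app_build_info{version="1.4.2",commit="abc123"} 1
# HELP db_up Database reachability
db_up{dsn="postgres://svc:hunter2@db.internal:5432/app"} 1
worker_config{api_key="AKIAEXAMPLEKEY0000000000"} 1
http_requests_total{method="post",code="200"} 1027 1395066363000
session_info{id="q8Zr2mN7vK4pX1wL9bT3"} 1
"""

# Label names that usually carry a secret (assumed list).
SENSITIVE_LABEL_RE = re.compile(r"(pass|pwd|secret|token|api[_-]?key|credential|auth)", re.I)
# scheme://user:password@host ... i.e. a password embedded in a URL/DSN.
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# One sample line: name{labels} value [timestamp]
LINE_RE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{(.*)\})?\s+(\S+)(\s+\S+)?$")
# One label pair inside the braces, with backslash escapes inside the value.
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Return a list of (metric_name, labels_dict, value_str) for every sample
    line, skipping comments, HELP/TYPE lines and blank lines."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        labels = {}
        if m.group(3):
            for key, raw in LABEL_RE.findall(m.group(3)):
                labels[key] = (raw.replace('\\"', '"')
                                  .replace("\\n", "\n")
                                  .replace("\\\\", "\\"))
        samples.append((m.group(1), labels, m.group(4)))
    return samples


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_leaks(text, entropy_threshold=3.5, min_len=16):
    """Scan exposition text and return (metric, label, reason) for every label
    that looks like it carries a credential or API key."""
    findings = []
    for name, labels, _ in parse_exposition(text):
        for key, value in labels.items():
            reason = None
            if SENSITIVE_LABEL_RE.search(key):
                reason = "sensitive label name"
            elif URL_CRED_RE.match(value):
                reason = "credentials embedded in URL"
            elif len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                reason = "high-entropy value"
            if reason:
                findings.append((name, key, reason))
    return findings


if __name__ == "__main__":
    for metric, label, reason in find_leaks(SAMPLE_METRICS):
        print(f"{metric} label {label!r}: {reason}")
```

The entropy rule will also fire on legitimate opaque identifiers such as long commit hashes or request IDs, so treat those findings as review items rather than confirmed leaks; the label-name and URL-credential rules are the ones worth failing a build on. Running such a scan against each exporter's own output, together with putting authentication in front of every server and exporter, addresses the exposure Aqua describes from the data side.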
Texas adds Allstate-linked data broker to list of alleged privacy law violators
The attorney general of Texas has accused the data broker Arity of sharing consumers’ information without clear notice or consent. “In the past six weeks, six of the mobile apps that Arity says are partners have been accused by the state of improperly sharing user data with third parties.” Arity is owned by the insurer Allstate. Its official description says it “sells recommendations to insurers for how to price individual customers’ plans based on their driving behaviors. It gathers data through a software development kit (SDK) embedded inside the mobile apps belonging to its partners.”
Screen Actors Guild health plan sued after September data breach
This class action lawsuit follows an announcement last week that a data breach had exposed sensitive healthcare information of its union members. On December 2, SAG-AFTRA Health Plan informed its members as well as California regulators that hackers had broken into an employee’s email account in September, using a phishing email. While the union health plan’s systems were not breached, the email account “contained emails and attachments that included some participants’ names and Social Security numbers, and, in some cases, may also have contained information associated with claims and health insurance information, such as participants’ health plan participant identification numbers, if applicable.”
Yahoo cybersecurity team sees layoffs, outsourcing under new CTO
Yahoo’s famous cybersecurity team, known as The Paranoids, has lost 25% of its staff over the last year, according to TechCrunch. The Paranoids’ offensive security team, which “conducts cyberattack simulations to identify weaknesses in the company’s network before external hackers can,” was completely eliminated this week and will now be outsourced. Valeri Liborski, Yahoo’s new chief technology officer, announced these changes in an email to staff, stating, “This was a very difficult decision and one I have not taken lightly.”