
Box 2FA Bypass Opens User Accounts to Attack



A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.


A security hole in Box, the cloud-based file-sharing service, paved the way for busting its multifactor authentication (MFA), researchers said – and it’s the second such MFA bypass they have discovered in the service so far.

Clearly, the stakes are high – gaining access to a Box account could give cyberattackers access to a vast array of sensitive documents and data for both individuals and organizations. The company claims 97,000 companies and 68 percent of the Fortune 500 as customers.

Varonis Threat Labs researchers said the bypass worked on accounts that used one-time SMS codes for two-factor authentication (2FA) verification. In a proof-of-concept exploit, they were able to achieve the bypass by stealing a session cookie.


“With increased pressure to adopt and enforce multi-factor authentication, many [software-as-a-service] providers now offer multiple MFA options to provide users a second line of defense against credential stuffing and other password attacks,” the researchers wrote. “Like many applications, Box allows users without Single Sign-On (SSO) to [use an authenticator app], or SMS with a one-time passcode, as a second step in authentication.”

When a user goes to log on with his or her credentials, Box generates the cookie and the user is asked to navigate to an SMS verification page, where the person is instructed to enter a one-time passcode sent to an enrolled mobile phone.

However, if the user doesn’t navigate to the verification page, no SMS code is generated, but a session cookie still is. It’s at this point that the bug came into play. A malicious threat actor trying to log in with stolen credentials could have skipped going to the SMS verification page, and could have instead initiated the other MFA option provided by Box: using an authenticator app, like Okta Verify or Google Authenticator.

If attackers were to have done this, they could have broken into the target account by using a factor ID and code from their own Box account, the session cookie received by providing the victim’s credentials, and their own authenticator app – with no physical access to the victim’s phone required.

“Box did not verify whether the victim was enrolled in [time-based one-time password] TOTP verification and did not validate that the authenticator app used belonged to the user that was logging in,” researchers explained in a Tuesday analysis of the vulnerability. “This made it possible to access the victim’s Box account without the victim’s phone and without notifying the user via SMS.”

The proof-of-concept attack flow is as follows, according to Varonis:

  • Attacker enrolls in MFA using an authenticator app and stores the device’s factor ID.
  • Attacker enters a user’s email address and password on
  • If the password is correct, the attacker’s browser is sent a new authentication cookie and redirects to: /2fa/verification.
  • The attacker, however, does not follow the redirect to the SMS verification form. Instead, they pass their own factor ID and code from the authenticator app to the TOTP verification endpoint: /mfa/verification.
  • The attacker is now logged in to the victim’s account and the victim does not receive an SMS message.

Box has fixed the issue, but “we want to underscore that MFA implementations are prone to bugs, just like any other code,” researchers noted. “Our team has demonstrated not one, but two application flaws that allowed us to access a victim’s MFA-enabled Box account with only username and password. Spoiler alert: Box is not the only major SaaS provider that we’ve been able to bypass.”

The first bypass the researchers discovered worked on authenticator-based MFA.

“There are several issues that led to this vulnerability,” Zane Bond, director of product management at Keeper Security, said via email. “However, at the end of the day, this one sits in a similar bucket to many OAuth and SAML vulnerabilities that are found. The underlying technology is usually sound. These issues tend to stem from individual implementations, or errors in the implementation logic. Ultimately, every vendor is responsible for the correct implementation of a particular security control, and it’s not easy.”

For its part, Box issued the following statement to Threatpost:

“This was a bug that was identified and addressed prior to the release of the blog post. We investigate the impact of every bug reported to us and no impact to customers was observed. We’re continually working with the security community and our partners to identify and address potential issues.”

How to Protect Against MFA Bypasses

MFA can provide a false sense of security, researchers noted – and organizations should ensure that bypasses are as rare as possible by implementing common-sense protections.

One of those is mobile phishing awareness training, according to Hank Schless, senior manager of security solutions at Lookout.

“Multifactor authentication is an effective way for an end user to validate their identity. However, it cannot differentiate between whether a user really is who they say they are,” he said via email. “The issue that Varonis highlights is that compromised user credentials could make additional authentication tools far less effective.”

Meanwhile, in order to mitigate the risk of unauthorized access to apps, data and infrastructure, even with legitimate credentials, organizations could also implement cloud access security broker (CASB) and zero trust network access (ZTNA) solutions, which detect anomalous user behavior and verify identity.

“In addition to securing the endpoint, organizations also need to be able to dynamically secure access and actions within both cloud and private apps,” Schless said. “This is where ZTNA and CASB solutions shine. By understanding the interactions between users, devices, networks and data, organizations can understand key indicators of a compromise that point to ransomware or massive data exfiltration taking place. Together, securing employee mobile endpoints as well as your cloud and private apps will help organizations create a solid security posture based in a zero-trust philosophy.”

Varonis researchers noted that CISOs should ask the following:

  • Would I know if MFA was disabled or bypassed for a user across all my SaaS applications?
  • How much data can an attacker access if they compromise a normal user account?
  • Is any data unnecessarily exposed to too many users (or exposed publicly)?
  • If a user accesses data abnormally, will I get an alert?

“We recommend you start by securing data where it lives,” according to Varonis. “When you limit access and monitor the data itself, your likelihood of data exfiltration due to a perimeter bypass drops significantly.”

This post was updated at 1:40 p.m. ET with a statement from Box.


Cybercriminals are increasingly using info-stealing malware to target victims



Cybercriminals are increasingly shifting from automated scam-as-a-service to more advanced info stealer malware distribution as competition for resources increases and they look for new ways to make profits, according to a report by Group-IB.

The cybersecurity company has identified 34 Russian-speaking groups distributing info-stealing malware under the stealer-as-a-service model.

Info stealer malware collects users’ credentials stored in browsers, gaming accounts, email services, social media, bank card details, and crypto wallet information from infected computers, and sends the data to the malware operator. This data is then sold or used for fraud on the dark web. 

The identified threat actors coordinate via Telegram groups to conduct their operations. The low entry barrier and a fully automated process make the scheme popular among beginners.

“Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it,” Group-IB noted. 

Substantial malware increase in 2022

Telegram groups and bots designed to distribute info stealers first appeared in early 2021, according to Group-IB Digital Risk Protection team. However, a substantial increase was observed in the first seven months of this year, with more than 890,000 devices infected across 111 countries. This is almost twice the number of infected devices in 2021, when 538,000 devices were compromised. 

In the first seven months of this year, threat actors stole over 50 million passwords, 2 billion cookie files, details of 103,150 bank cards, and data from 113,204 crypto wallets. 

“The underground market value of just the stolen logs and compromised card details is around $5.8 million,” Group-IB estimates. 

Paypal and Amazon were the most targeted services, with Paypal accounting for more than 16% and Amazon for more than 13% of the attacks. 

However, cases of stealing passwords for gaming services such as Steam, EpicGames, and Roblox have increased almost five-fold, the report noted.

The top five most attacked countries are the United States, Brazil, India, Germany, and Indonesia.

RedLine and Raccoon stealers used the most

Among the 34 groups examined, the most used stealer was RedLine, which was used by 23 groups, while the second most used tool was Raccoon, used by eight groups. Custom stealers were found to be used by three groups, Group-IB noted.

Group members are provided with the tools in exchange for a share of the stolen data or money.

“However, the malware in question is offered for rent on the dark web for $150-$200 per month. Some groups use 3 stealers at the same time, while others have only one stealer in their arsenal,” the report said. 

On average, the 34 identified info stealer distributor groups on Telegram have 200 active members. The task of the members of the group is to drive traffic to bait scam websites impersonating well-known companies and convince victims to download malicious files.

“Cybercriminals embed links for downloading stealers into video reviews of popular games on YouTube, into mining software or NFT files on specialized forums and direct communication with NFT artists, and into lucky draws and lotteries on social media,” Group-IB noted. 

Safeguarding against the attacks

To prevent such attacks, Group-IB recommends that users avoid downloading software from suspicious sources, use isolated virtual machines or alternative operating systems for installation, stop saving passwords in browsers, and regularly clear browser cookies. 

It also recommends that companies take a proactive approach to digital security and use modern technologies for monitoring and responding to attacks.

Copyright © 2022 IDG Communications, Inc.


EPSS explained: How does it compare to CVSS?



The Common Vulnerability Scoring System (CVSS) is the most frequently cited rating system to assess the severity of security vulnerabilities. It has been criticized, however, as not being appropriate to assess and prioritize risk from those vulnerabilities. For this reason, some have called for using the Exploit Prediction Scoring System (EPSS) or combining CVSS and EPSS to make vulnerability metrics more actionable and efficient. Like CVSS, EPSS is governed by the Forum of Incident Response and Security Teams (FIRST).

EPSS definition

EPSS prides itself on being an open and data-driven effort that aims to estimate the probability that a software vulnerability will be exploited in the wild. CVSS focuses on the innate characteristics of vulnerabilities culminating in a severity score. The severity score alone doesn’t indicate a likelihood of exploitation, which is critical information for vulnerability management professionals who need to prioritize their vulnerability remediation and mitigation efforts to maximize their impact on reducing organizational risk.

EPSS has a special interest group (SIG) that is open to the public for those interested in participating in the effort. EPSS is volunteer driven and led by researchers, security practitioners, academics, and government personnel. Despite this industry-collaboration-driven approach, FIRST can and does own the rights to update the model and the associated guidance as the organization sees fit. The group boasts chairs and creators from organizations such as RAND, Cyentia, Virginia Tech, and Kenna Security among many members from a variety of organizations. EPSS has several related papers that dive into associated topics such as attack prediction, vulnerability modeling and disclosure, and software exploitation.

The EPSS model 

EPSS aims to help security practitioners and their organizations improve vulnerability prioritization efforts. There is an exponentially growing number of vulnerabilities in today’s digital landscape, and that number is increasing due to factors such as the increased digitization of systems and society, increased scrutiny of digital products, and improved research and reporting capabilities.

Organizations generally can only fix between 5% and 20% of vulnerabilities each month, EPSS claims. Fewer than 10% of published vulnerabilities are ever known to be exploited in the wild. Longstanding workforce issues are also at play, such as the annual ISC2 Cybersecurity Workforce Study, which shows shortages exceeding two million cybersecurity professionals globally. These factors warrant organizations having a coherent and effective approach to aid in prioritizing vulnerabilities that pose the highest risk to their organization to avoid wasting limited resources and time.

The EPSS model aims to provide some support by producing probability scores that a vulnerability will be exploited in the next 30 days and the scores range between 0 and 1 or 0% and 100%. To provide these scores and projections, EPSS uses data from sources such as the MITRE CVE list, data about CVEs such as days since publication, and observations from exploitation-in-the-wild activity from security vendors such as AlienVault and Fortinet. 

The EPSS team published data to support their approach of using CVSS scores with EPSS scoring data to lead to more effective vulnerability remediation efforts. For example, many organizations mandate that vulnerabilities with a specific CVSS score or higher must be remediated, such as a 7 or above. However, this prioritizes vulnerability remediation based on only the CVSS score, not on whether the vulnerability is known to be exploited. Coupling EPSS with CVSS is more effective because it prioritizes vulnerabilities based on both their severity rating and whether they are known to be actively exploited. This lets organizations address CVEs that pose the greatest risk to the organization.

EPSS focuses on two core metrics: efficiency and coverage. Efficiency examines how well an organization’s remediation resources are spent, measured as the share of the vulnerabilities it remediated that were actually exploited. EPSS points out that it is more efficient for most of an organization’s resources to be spent remediating known-exploited vulnerabilities, as opposed to vulnerabilities selected only by CVSS severity score. Coverage is the percentage of exploited vulnerabilities that were remediated.

To show the efficiency in their proposed approach, EPSS conducted a study in 2021 evaluating CVSS v3 base scores and EPSS v1 and EPSS v2 data over a 30-day period to determine the total number of CVEs, the number of remediated CVEs and the number of exploited CVEs.

Initially, the study showed that most CVEs aren’t remediated. Secondly, the number of exploited CVEs that are remediated is just a subset of the total remediated CVEs. This means that organizations don’t remediate most CVEs, and among those they do, many aren’t actively known to be exploited and potentially don’t pose the greatest risk.

The study also demonstrates that the EPSS v2 further improves the efficiency of vulnerability remediation efforts by maximizing the percentage of exploited vulnerabilities that are remediated. When organizations have resource challenges with cybersecurity practitioners, it is crucial to maximize their return on investment by having the resources focus on the vulnerabilities that pose the greatest risk to the organization. Ultimately, EPSS is trying to help organizations make more efficient use of their limited resources and improve their effectiveness of driving down organizational risk. 
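The efficiency and coverage comparison above can be reproduced on any inventory once each CVE carries a CVSS score, an EPSS probability and a ground-truth "was it exploited" flag. The following is an added example, not EPSS or FIRST code; the inventory, its identifiers (`SAMPLE-nn`, not real CVE IDs) and scores are constructed, and the 7.0 CVSS and 0.1 EPSS thresholds are illustrative choices.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # constructed placeholder, not a real CVE ID
    cvss: float        # CVSS v3 base score, 0-10
    epss: float        # EPSS probability of exploitation in the next 30 days, 0-1
    exploited: bool    # ground truth for the exercise: exploitation observed in the wild


# Constructed sample inventory: high CVSS does not line up with exploitation,
# which is exactly the mismatch the EPSS study describes.
INVENTORY: List[Vuln] = [
    Vuln("SAMPLE-01", 9.8, 0.92, True),
    Vuln("SAMPLE-02", 9.1, 0.02, False),
    Vuln("SAMPLE-03", 8.2, 0.01, False),
    Vuln("SAMPLE-04", 7.5, 0.45, True),
    Vuln("SAMPLE-05", 7.1, 0.03, False),
    Vuln("SAMPLE-06", 6.5, 0.71, True),
    Vuln("SAMPLE-07", 5.3, 0.60, True),
    Vuln("SAMPLE-08", 4.0, 0.30, False),
    Vuln("SAMPLE-09", 9.0, 0.05, False),
    Vuln("SAMPLE-10", 3.1, 0.02, False),
]

Strategy = Callable[[Vuln], bool]


def cvss_only(threshold: float = 7.0) -> Strategy:
    """The common policy: remediate everything at or above a CVSS score."""
    return lambda v: v.cvss >= threshold


def epss_only(threshold: float = 0.1) -> Strategy:
    """Remediate by exploitation probability alone."""
    return lambda v: v.epss >= threshold


def cvss_and_epss(cvss_threshold: float = 7.0, epss_threshold: float = 0.1) -> Strategy:
    """Coupled policy: severe AND likely to be exploited."""
    return lambda v: v.cvss >= cvss_threshold and v.epss >= epss_threshold


def evaluate(strategy: Strategy, inventory: Iterable[Vuln]) -> dict:
    """Efficiency = exploited among remediated / remediated.
    Coverage   = exploited among remediated / all exploited.
    Both are 0.0 when their denominator is empty rather than raising."""
    inventory = list(inventory)
    remediated = [v for v in inventory if strategy(v)]
    exploited_total = sum(v.exploited for v in inventory)
    hits = sum(v.exploited for v in remediated)
    return {
        "remediated": len(remediated),
        "efficiency": hits / len(remediated) if remediated else 0.0,
        "coverage": hits / exploited_total if exploited_total else 0.0,
    }


def compare(inventory: Iterable[Vuln] = INVENTORY) -> dict:
    inventory = list(inventory)
    return {
        "cvss>=7.0": evaluate(cvss_only(), inventory),
        "epss>=0.1": evaluate(epss_only(), inventory),
        "cvss>=7.0 and epss>=0.1": evaluate(cvss_and_epss(), inventory),
    }


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(f"{name:26s} remediated={metrics['remediated']:2d} "
              f"efficiency={metrics['efficiency']:.2f} coverage={metrics['coverage']:.2f}")
```

On this inventory the CVSS-only policy touches six items to catch two of the four exploited ones, while the EPSS-based policies spend far less effort per exploited vulnerability found; swapping in a real export with observed-exploitation labels gives the same two numbers for your own estate.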

EPSS shortcomings

Like CVSS, EPSS has its critics in industry and academia. One article, titled Probably Don’t Rely on EPSS Yet, comes from Carnegie Mellon University’s Software Engineering Institute’s blog. SEI originally published a paper titled Towards Improving CVSS, which laid out some sharp criticisms of CVSS; EPSS originated shortly after that publication.

The primary criticisms leveled by the article include EPSS’s opacity as well as issues with its data and outputs. The article discusses how it isn’t clear what EPSS’s development processes and governance are, or who its intended audience is. EPSS relies on pre-existing CVE IDs, meaning it wouldn’t be helpful for entities such as software suppliers, incident response teams, or bug bounty groups, because many of the vulnerabilities these groups deal with don’t have CVE IDs yet and might never receive them. EPSS wouldn’t be helpful when dealing with zero-day vulnerabilities, given they gain visibility as exploitation is underway and have no CVE ID.

The blog author also raises concerns about the openness and transparency of EPSS. While EPSS dubs itself an open and data-driven effort and has a public SIG, it and FIRST retain the right to change the site and model at any time without explanation. Even SIG members have no access to the code or data the underlying EPSS model uses. The SIG itself has no oversight or governance of the model, and the process by which the model is updated or modified isn’t transparent to the public, let alone SIG members. The article points out that the EPSS model and data could also be pulled back from the public domain given it is governed and managed by FIRST. 

The article notes that EPSS focuses on the probability that a vulnerability will be exploited in the next 30 days, but this requires a few fundamental things to exist for it to be projected. They include an existing CVE ID in the NVD with an associated CVSS v3 vector value, an IDS signature tied to an active attempted exploit of the CVE ID, contribution from AlienVault or Fortinet, and the model itself tied to the next 30 days.

As the author pointed out, only 10% of vulnerabilities with CVE IDs have accompanying IDS signatures, meaning 90% of vulnerabilities with CVE IDs may go undetected for exploitation. This also creates a dependency on Fortinet and AlienVault with regards to IDS sensors and associated data. This could be mitigated to some extent by further involvement from the broader security vendor community. While data from Fortinet and AlienVault is useful, it doesn’t represent the entire threat landscape or perspectives of the other major security vendors that could contribute to vulnerability exploitability probability.

While these are valid critiques, using EPSS gives organizations an opportunity to make the most of their scarce security resources to drive down organizational risk. Focusing on vulnerabilities with the highest probability of exploitation lets organizations make investments that have the highest chance to mitigate malicious actors and minimize friction on development teams.


DUCKTAIL malware campaign targeting Facebook business and ads accounts is back



A group of attackers, likely based in Vietnam, that specializes in targeting employees with potential access to Facebook business and ads management accounts, has re-emerged with changes to its infrastructure, malware, and modus operandi after being initially outed a few months ago.

Dubbed DUCKTAIL by researchers from WithSecure, the group uses spear phishing to target individuals on LinkedIn who have job descriptions that could suggest they have access to manage Facebook business accounts. More recently, the attackers were also observed targeting victims via WhatsApp. The compromised Facebook business accounts are used to run ads on the platform for attackers’ financial gain.

DUCKTAIL attackers do their research

The account abuse is achieved using a victim’s browser through a malware program delivered under the guise of documents related to brands, products, and project planning. The attackers first build a list of companies that have business pages on Facebook. They then search for employees on LinkedIn and other sources who work for those companies and have job titles that could provide them with access to those business pages. These include managerial, digital marketing, digital media, and human resource roles.

The final step is to send a link to them with an archive that contains the malware masquerading as a .pdf, alongside images and videos that appear to be part of the same project. Some of the file names seen by the researchers include project “development plan,” “project information,” “products,” and “new project L’Oréal budget business plan.” Some of the files included country names, suggesting the attackers customize them for every victim and country based on their reconnaissance. The identified victims were spread around the world, so the attackers don’t target one particular region.

It’s believed the DUCKTAIL group has been operating this campaign since the second half of 2021. After WithSecure exposed their operation in August this year, the operation stopped and the attackers reworked some of their toolset.

Attackers switch to GlobalSign as certificate authority

Malware samples analyzed earlier this year were digitally signed with a legitimate code signing certificate obtained from Sectigo in the name of a Vietnamese company. Since that certificate has been reported and revoked, the attackers have switched to GlobalSign as their certificate authority. While they continued to request certificates from multiple CAs in the name of the original company, they’ve also set up six other businesses, all Vietnamese, and have obtained code signing certificates using three of them. Code signing certificates require extended validation (EV), where the identity of the applicant is verified through various documents.

“At the time of writing, the threat actor has adapted to certificate revocations by utilizing timestamping as a countersignature method through DigiCert,” the WithSecure researchers said in a new report released this week.

The DUCKTAIL malware samples seen in late 2021 were written in .NET Core and were compiled using the framework’s single-file feature, which bundles all the required libraries and files into a single executable file, including the main assembly. This ensures the malware can be executed on any Windows computer regardless of whether it has the .NET runtime installed or not. Since August 2022, when the campaign halted, the WithSecure researchers observed multiple development DUCKTAIL samples uploaded to VirusTotal from Vietnam.

One of the samples was compiled using the NativeAOT feature of .NET 7, which provides similar capabilities to the single-file feature of .NET Core, allowing binaries to be compiled natively ahead of time. However, NativeAOT has limited support for third-party libraries, so the attackers reverted to .NET Core.

The bad actors have been experimenting

Other experimentation was observed as well, such as the inclusion of anti-analysis code from a GitHub project that was never actually turned on, the capability of sending a list of email addresses as a .txt file from the command-and-control server instead of hardcoding them in the malware, and launching a dummy file when the malware is executed in order to make the user less suspicious – document (.docx), spreadsheet (.xlsx) and video (.mp4) dummy files were observed.

The attackers are also testing multistage loaders to deploy malware, such as an Excel add-in file (.xll), which extracts a secondary loader from an encrypted blob and then finally downloads the infostealer malware. The researchers also identified a downloader written in .NET that they associate with high confidence to DUCKTAIL, which executes a PowerShell command that downloads the infostealer from Discord.

The infostealer malware uses Telegram channels for command and control. The attackers have better locked down these channels since they were outed in August and some channels now have multiple administrators, which could suggest they are running an affiliate program similar to ransomware gangs. “This is further strengthened by increased chat activity and the new file encryption mechanism that ensures only certain users will be able to decrypt certain exfiltrated files,” the researchers say.

Browser hijacking

Once deployed, the DUCKTAIL malware scans for browsers installed on the system and the path to their cookie storage. It then steals all the stored cookies, including any Facebook session cookie stored inside. A session cookie is a small identifier set by a website inside a browser after authentication is completed successfully to remember the user has been logged in for a period of time.

The malware uses the Facebook session cookie to interact with Facebook pages directly or to send requests to the Facebook Graph API to obtain information. This information includes name, email, birthday, and user ID for personal accounts; name, verification status, ad limit, pending users and clients from Facebook business pages to which the personal accounts have access; name, ID, account status, ads payment cycle, currency, adtrust DSL, and amount spent for any associated Facebook Ads accounts.

The malware also checks whether two-factor authentication is enabled for the hijacked accounts and uses the active session to obtain backup codes for the 2FA when enabled. “Information stolen from the victim’s machine also allows the threat actor to attempt these activities (as well as other malicious activities) from outside the victim’s machine,” the researchers said. “Information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information (such as name and birthday) could be used to cloak and impersonate the victim.”

The malware then attempts to add email addresses controlled by attackers to the hijacked Facebook business accounts with the highest possible roles: admin and finance editor. According to Facebook owner Meta’s documentation, admins have full control over the account, while finance editors have control over credit card information stored in the account as well as transactions, invoices, and spending on the account. They can also add external businesses to stored credit cards and monthly invoices, allowing those businesses to use the same payment method.

Impersonating legitimate account manager identities

“In instances where the targeted victims did not have sufficient access to allow the malware to add the threat actor’s email addresses into the intended business accounts, the threat actor relied on the information that was exfiltrated from the victims’ machines and Facebook accounts to impersonate them and achieve their post-compromise objectives via hands-on activity,” the researchers said in their new report.

In one instance that WithSecure incident responders investigated, the victim used an Apple machine and had never logged into Facebook from a Windows computer. No malware was found on the system and the initial access vector could not be determined. It’s unclear if this was related to DUCKTAIL, but the researchers established that the attackers were also from Vietnam.

Facebook Business administrators are advised to regularly review users added under Business Manager > Settings > People and revoke access to any unknown users granted admin access or finance editor roles.

“Across our investigations, WithSecure Incident Response team found that business history logs and targeted individuals’ Facebook data were relevant to analysis of the incident,” the researchers said. “However, for logs relating to the individual’s Facebook account, inconsistencies are widely present between what is visible on the web portal compared to what you would get if you were to download a copy of your data. As a recommendation to other investigators, the WithSecure Incident Response team strongly recommends capturing a local copy of business history logs as soon as possible and requesting a copy of user data for their account.”
