In terms of new critical vulnerabilities released, each year seems to be worse than the last. Unfortunately, it’s a trend that security analysts are unlikely to see decrease anytime soon. As businesses integrate new technology into their tech stack, they also introduce new avenues of attack. And these attackers are relentless.
Malicious actors are able to alter a script or modify a piece of malware more quickly than the time it typically takes to release security updates and implement patching. For that reason, organizations are constantly on their heels when it comes to cyber threat protection.
But all hope is not lost! While it’s easy to get overwhelmed by the sheer number of new threats, focusing on the rather limited number of attack vectors can make cybersecurity a lot less frightening.
Credential theft, or compromised credentials, refers to instances where unauthorized individuals obtain usernames and passwords, frequently due to phishing, social engineering, or data breaches. These stolen login credentials offer a direct route into an organization’s digital assets and infrastructure.
Once they obtain access to credentials, malicious actors can use them in attacks in a variety of ways. One of the most popular techniques is “credential stuffing,” in which attackers attempt to access several internet accounts utilizing stolen credentials, exploiting the unfortunate practice of using the same password across various platforms. Additionally, credential theft can act as a springboard for lateral movement within a network, enabling hackers to advance undetected from one system to another and escalate their attack.
While not quite as exciting as the other attack vectors covered below, compromised credentials are one of the most common and easiest ways for cyber criminals to gain access and expand the scope of their attacks. In fact, the 2023 Verizon Data Breach Investigations Report (DBIR) revealed that 83% of breaches involved external actors, and of these breaches, 49% involved the use of stolen credentials.
Limit the potential impact by implementing:
- Strong password policies
- MFA for all company accounts
- Role-based access controls (RBAC)
- Regularly scheduled password changes
- A policy to disable logins immediately for departing employees and vendors
Advanced Social Engineering
Social engineering can be summed up as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”
Better stated, social engineering is a deceptive tactic cybercriminals use to exploit the vulnerability of human psychology rather than technical flaws. The intention is to trick someone into disclosing private information, allowing unwanted access, or taking actions that can jeopardize security.
“Social engineering” refers to a broad class of attacks that covers several specific techniques, the best known being phishing. Most people are familiar with phishing, which involves sending deceptive messages that appear to come from a trusted or reliable source, enticing recipients to click on malicious links, download malware, or divulge confidential information.
More recently, attackers have opted for targeted phishing, or spear-phishing, as a more effective means of access. Rather than simply playing on general human weakness, spear-phishing campaigns usually contain company-specific information. Think of an email from your CEO asking you to wire $100,000 to a vendor you are familiar with. Obviously, the bank details in the email belong not to the vendor but to the attackers. Targeted spear-phishing attacks also continue to be one of the most common ways to deliver malware into a victim’s network and systems.
In fact, phishing has become such a popular method of attack that multiple government agencies recently joined forces to create a Phishing Guidance document, “STOPPING THE ATTACK CYCLE AT PHASE ONE”.
Social engineering attacks are particularly difficult to defend against since they exploit human weaknesses rather than a particular device or system. Humans want to be helpful and efficient. Phishing and other social engineering attacks prey on this by creating a sense of urgency and authority.
What Can I Do?
The good news is that by being vigilant and implementing employee training and policies, you can decrease the risk of falling victim to social engineering attacks. The most effective defense against social engineering is simply awareness and education. Be sure to educate yourself and your employees on social engineering tactics and methods.
Here are some quick tips to reduce compromise from these types of attacks.
Verify the Source
Before taking any action, you should always confirm the legitimacy of the sender. Inspect the sender’s email address and domain to ensure it matches the official contact information of the organization. Be cautious of lookalike characters masquerading as the real deal.
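A small check for the sender-verification step described above, added here as an example and not part of the original post: it decodes punycode, folds accents and common confusable characters, and flags a sender whose domain looks like the official one but is not. The OFFICIAL_DOMAINS value, the confusables table and the sample addresses are constructed assumptions.

```python
import re
import unicodedata

# Constructed for this example: the organization's legitimate sender domains.
OFFICIAL_DOMAINS = {"example-corp.com"}

# Deliberately small confusables table: ASCII digit/letter swaps plus a few Cyrillic letters that
# render identically to Latin ones. A production check would use the full Unicode confusables data.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From header such as 'CEO <ceo@example-corp.com>'."""
    match = re.search(r"@([^\s>@]+)>?\s*$", from_header.strip())
    return match.group(1).lower() if match else ""

def decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the recipient would see."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain  # already raw Unicode, or not valid punycode: compare it as-is

def skeleton(domain: str) -> str:
    """Fold a domain to a comparison form: strip accents, lower-case, apply confusable swaps."""
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text

def classify_sender(from_header: str, official=OFFICIAL_DOMAINS) -> str:
    """Return 'official', 'lookalike' or 'external' for the sender's domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    shown = decode_idna(domain)
    for real in official:
        if shown == real or shown.endswith("." + real):
            return "official"                   # exact match or a genuine subdomain
        folded, real_folded = skeleton(shown), skeleton(real)
        if folded == real_folded or folded.endswith("." + real_folded) or real in shown:
            return "lookalike"                  # same appearance or official name embedded elsewhere
    return "external"
```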
Break the Loop
Attackers who utilize social engineering frequently create a closed-loop communication mechanism, for instance an email that demands you text an unfamiliar phone number or contains a dubious link for wiring money. Break the cycle by contacting the person or business through a separate, known method of contact to confirm their legitimacy.
Limit Information Exchange
Be cautious about the information you disclose. Phishers often use seemingly innocuous details to craft convincing messages. Avoid oversharing personal or sensitive data, even if a message appears trustworthy.
Evaluate the credibility of the message. Are the claims, demands, or offers within the communication realistic and reasonable? A red flag should be raised if anything looks too good to be true.
Take Your Time
Attackers that use social engineering and phishing frequently create a false sense of urgency to manipulate targeted victims. Successful phishing attacks are frequently the result of hasty decisions. Slow down and take the time to scrutinize emails, messages, and requests.
By following these steps you’ll reduce the likelihood of a successful social engineering attack.
Exploitation of Vulnerabilities
One of the most often exploited vulnerabilities by cybercriminals is unpatched software. It’s common for software developers to address security flaws when they release new updates. However, failing to update your software opens your system to attack. Cybercriminals are constantly on the lookout for outdated software, as it provides an easy point of entry into a system.
Beyond known vulnerabilities there are zero-day threats: vulnerabilities not yet known to security experts. When cybercriminals discover these flaws before security experts do, they can exploit them to infiltrate systems, typically without detection.
So, what can you do about it?
The first step is to ensure that all software is kept up to date. However, with over 50% of the vulnerabilities in the National Vulnerability Database scoring high or critical on the CVSS, even an IT team dedicated solely to patching could not realistically keep up with this rate. An average organization could likely patch 10% of the high or critical vulnerabilities each month. If you don’t have time to manually update all software on a regular basis, it is best to invest in a managed service that will handle updates automatically.
Results from vulnerability scanning typically leave IT professionals to determine the patching order on their own, often without the context needed to make an informed determination. Vulnerability management helps organizations by providing prioritization of scan results and performing automated tasks, allowing time to focus on what truly matters: proactively addressing critical vulnerabilities and strengthening their overall security posture. This not only streamlines the patching process but also frees up valuable resources for strategic security planning, threat mitigation, and continuous monitoring to stay one step ahead of evolving cyber threats. It’s also important to use security software that is designed to detect threats and prevent them from infiltrating your system.
Misconfigured Cloud-Based Applications
The use of cloud-based applications has become extremely popular over the years as businesses search for convenient methods to store and retrieve their data. However, this convenience can result in a significant security trade-off. Many cloud application providers boast an expansive user base but weak default settings. These misconfigurations and a potentially large number of victims make them an attractive target for attackers.
Under typical cloud user agreements, the customer is in charge of protecting the applications and data they choose to host on the cloud service, while the cloud service provider is responsible for safeguarding the network, hardware, and equipment required to deliver the service.
Unfortunately, end users often fail to adhere to security best practices when configuring their cloud applications, leaving them open to attack. Typically, default configurations or misconfigurations of cloud-based applications are what leave an organization vulnerable. Hackers can exploit these weaknesses to gain access to sensitive data, install malicious software, and even take control of the entire network. Default configurations are such a common concern that CISA listed them as #1 in its recent Top Ten Cybersecurity Misconfigurations advisory.
What can I do about it?
First and foremost, it’s crucial to ensure that your cloud-based applications are correctly configured. Regularly review and update your security settings, check for any known vulnerabilities, and address them immediately. Review access controls frequently and ensure that only those who require access have it. Implementing multi-factor authentication (MFA) adds an additional layer of security, making it more challenging for hackers to gain access to your data. To further enhance your security, consider implementing a managed extended detection and response (XDR) solution to help detect and respond to potential threats in real time.
Weaponization of Legitimate Tools
The weaponization of legitimate tools is not a new concept, but it has become increasingly common in recent years. Cybercriminals use these tools because they are often overlooked by security teams and can easily bypass traditional security measures. Additionally, these tools often have legitimate functionality that allows malicious actors to move laterally across a network and exfiltrate data without raising suspicion.
Nowhere was this made more apparent than with CL0P and its weaponization of Cobalt Strike. Cobalt Strike is a legitimate tool used for penetration testing, but in the hands of cybercriminals it becomes a powerful weapon for lateral movement and data theft. While not specifically a method of entry, CL0P (and other ransomware groups) leveraged Cobalt Strike as a means of lateral movement and as a remote access trojan. This approach escalates a threat from compromised credentials to a multi-faceted attack.
What Can I Do?
The first step is to ensure that all legitimate tools used in your organization are properly secured and monitored. This includes ensuring that they are updated regularly, access is limited to authorized personnel, and all activity is logged and monitored. It’s also important to implement a zero-trust approach to your network security, meaning that no user or device is trusted until thoroughly verified.
MFA Bypass and Interception
What happens when a means of security turns malicious?
As multi-factor authentication is more widely recognized and adopted as a strong security control, cybercriminals have developed intricate ways to gain access by bypassing or intercepting MFA. These methods take advantage of the authentication flow used by MFA systems. In the case of token hijacking, attackers target MFA systems in an effort to steal an authentication token that will give them access to the user’s account without the user noticing. They do this by intercepting the authentication token during the login flow and forwarding it to themselves. Once the attacker has the token, they can use it whenever they want to gain access to the user’s account, even after the user has logged out.
MFA token hijacking is a relatively new cyber-attack technique that exploits the flow of authentication tokens used by MFA systems. MFA token hijacking is a dangerous threat because MFA has long been considered the gold standard for securing user accounts. This attack exposes the vulnerability of modern MFA systems and demonstrates the need for more advanced security measures. It also underscores the need for constant vigilance on the part of system administrators and users alike.
What Can I Do?
There are several actions you can take to reduce or mitigate the risk of MFA token hijacking. First, use complex passwords that are hard to guess, and avoid using the same password for multiple accounts. This may seem like a no-brainer, but weak or reused passwords are still a significant problem. Longer-term solutions would be:
- Implement a cloud-primary authentication solution using modern open standards.
- Enforce phishing-resistant MFA universally.
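To show why phishing-resistant MFA is on that list, here is an added, simplified model of a FIDO2/WebAuthn login (example code, not from the original article or any vendor): the authenticator signs over both the one-time challenge and the origin the browser reports, so an assertion collected on a lookalike site or presented a second time is rejected. The RP_ORIGIN value and the shared HMAC key standing in for an asymmetric credential key are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party. Real WebAuthn signs with an asymmetric credential key; an HMAC secret
# shared by authenticator and RP is a stand-in so the example runs on the standard library alone.
RP_ORIGIN = "https://login.example-corp.com"

def _sign(key: bytes, client_data: bytes) -> bytes:
    return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

class Authenticator:
    """Phishing-resistant authenticator: the signature covers the challenge AND the origin."""
    def __init__(self, key: bytes):
        self.key = key
    def get_assertion(self, challenge: bytes, origin: str) -> dict:
        # The browser, not the user, fills in the origin, so a lookalike site cannot lie about it.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}, sort_keys=True).encode()
        return {"client_data": client_data, "signature": _sign(self.key, client_data)}

class RelyingParty:
    def __init__(self, key: bytes):
        self.key, self.pending = key, {}     # pending: user -> outstanding one-time challenge
    def begin_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def finish_login(self, user: str, assertion: dict) -> bool:
        challenge = self.pending.pop(user, None)  # consumed on first use, so a captured assertion dies
        if challenge is None:
            return False
        data = json.loads(assertion["client_data"])
        return (hmac.compare_digest(_sign(self.key, assertion["client_data"]), assertion["signature"])
                and data["challenge"] == challenge.hex()
                and data["origin"] == RP_ORIGIN)   # origin binding is what defeats the relay

def login(rp: RelyingParty, auth: Authenticator, user: str, browser_origin: str) -> bool:
    """One full login; browser_origin is the site the victim's browser is really on."""
    return rp.finish_login(user, auth.get_assertion(rp.begin_login(user), browser_origin))

def demo() -> dict:
    key = secrets.token_bytes(32)
    rp, auth = RelyingParty(key), Authenticator(key)
    genuine = login(rp, auth, "alice", RP_ORIGIN)
    # Interception: the real challenge is proxied to a lookalike page the victim is visiting.
    relayed = login(rp, auth, "alice", "https://login.exarnple-corp.com")
    # Reuse: an assertion that was already accepted is presented a second time.
    captured = auth.get_assertion(rp.begin_login("alice"), RP_ORIGIN)
    first, replayed = rp.finish_login("alice", captured), rp.finish_login("alice", captured)
    return {"genuine": genuine, "relayed": relayed, "first_use": first, "replayed": replayed}
```

This covers the authentication step only; a session cookie issued after a successful login still needs its own protections.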
What’s a Business to Do Then?
Having security prevention basics like AV and endpoint protection is still important, but far from complete protection. In fact, these attack vectors typically evade most legacy endpoint security solutions. Since perfect prevention is not possible, IT security teams need to adjust their mindset and assume that it’s a matter of when, not if, a breach will occur.
Rather than focus on a prevention-only defense, it’s vital to include threat detection and incident response solutions in your security strategy. Incorporating relevant security frameworks like NIST and a defense-in-depth approach helps detect threats quickly and respond to incidents faster, minimizing the damage an attack could have on your business.
- Anticipate attacks.
- Know your own posture.
- Recognize the adversary.
- Recover right the first time.
By making security a top priority and being proactive in implementing these cybersecurity measures, businesses can better protect themselves against these and other emerging threats.