TechInsights

TechInsights is an opinion blog that shares news on IT technology, with a focus on IT security.

25/06/2023

Whether you are still dependent on passwords or have push-based MFA, consider adding FIDO2 authenticators paired with a modern Identity-as-a-Service (IDaaS) solution that can easily integrate with the existing applications in your organization.



Password fishing (phishing) is the most successful attack technique, with insecure password logins being responsible for over 80% of data breaches. Furthermore, passwords are a productivity drain: 20-50% of helpdesk calls are password-related. Yet many organizations are still relying on passwords an...

20/06/2023

With cyberattacks more prevalent than ever and a global skills shortage in cybersecurity, security vendors are adapting their partner programs, with particular focus on certification and training requirements.
Fortinet has recently announced its NSE Certification Program update (effective October 1st 2023) to better address the evolving threat landscape and cybersecurity job market needs.
See the details here (https://www.fortinet.com/nse-training/training-program-update) and the FAQ here (https://helpdesk.training.fortinet.com/support/solutions/folders/73000564603).
If you are an existing or aspiring Fortinet partner, the local distributor Exclusive Networks - Adriatics has several special offers valid until September 30th, 2023, so you can quickly progress to your chosen certification level - check them on the link below:

👇
https://pages.info.exclusive-networks.com/Fortinet-NSE

19/06/2023

The F5 SaaS platform approach to tackle complexities and elevate application security, powered by F5 Distributed Cloud. Read more.


Public web apps and APIs are often the most critical part of the attack surface. Secure them with a SaaS platform approach.

13/06/2023

Security advice rarely lists "outsourcing" to software-as-a-service (SaaS) as a risk management measure. The recently disclosed vulnerability in the MOVEit file transfer software illustrates the different outcomes for customers consuming the same software as a SaaS service versus those who installed it on their own servers (the traditional self-managed approach). Read more below.



The MOVEit vulnerability illustrates the security implications of outsourcing software to a SaaS provider vs. the self-managed approach.

13/06/2023

The new Verizon Data Breach Investigations Report 2023 has been released, once again confirming that the human factor plays a crucial role in breaches: phishing/social engineering, stolen credentials, unintentional configuration errors, as well as deliberate misuse account for three quarters of breaches. Exploitation of software vulnerabilities is the second, but significantly less prevalent, breach mechanism.
More here:
https://www.techinsights.pro/post/the-human-element-is-driving-breaches


05/06/2023

Interesting results from the IDG survey "Public sector digital transformation" co-sponsored by HPE and AMD. The survey was conducted in 14 European countries and was in particular focused on the level of cloud computing implementation in public administration entities.

The survey notes that distrust of cloud computing is still noticeable in the public sector across the EU, but adoption is growing:

➡ Overall, 36% of organizations are already using the cloud computing model today (private, hybrid or public cloud), with another 29% planning to do so in the foreseeable future or already in the process of implementing cloud in their IT environments.

➡ However, the remaining 35% of entities still have not decided or have no plans to migrate their systems and data externally.

➡ Of all the cloud options, public cloud is the most distrusted model: working the math, it turns out overall only 10% of organizations use public cloud providers. This is in line with Eurostat surveys (see here: https://www.techinsights.pro/post/iaas-paas-adoption-still-low-in-see-region).

➡ With regards to data in the cloud, respondents appear to be most worried about data sovereignty, cost escalations and cyber security. The latter is not in line with some industry bodies' advice: for ex. see CISA's recommendation on externalizing IT to the cloud to reduce cybersecurity risks: https://www.linkedin.com/posts/techinsights-pro_cloud-saassecurity-simplifysecurity-activity-7061790462029811712-GZjq

Full IDG survey here: https://www.hpe.com/psnow/doc/a00129608enw

25/05/2023

Is a security or antimalware agent needed on the VMware ESXi hypervisor?
The CrowdStrike vs. VMware debate.
In its recent blog post (https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/), CrowdStrike outlines the long history of ransomware-as-a-service operators targeting VMware ESXi infrastructure, subtly arguing that it is time for a security or antimalware agent to be deployed at the hypervisor level.
The attractiveness of VMware for attackers is obvious: tens or hundreds of servers run on a typical VMware infrastructure, and its market share in the SEE region is probably close to 90%. You can hardly find a customer not using at least one ESXi or vCenter server.
VMware has long insisted that "Antivirus software is not required with the vSphere Hypervisor and the use of such software is not supported". Yet in its response to CrowdStrike, VMware this time notes that this advice "[...] is outdated and should be considered deprecated". Apparently, they plan to come up with new guidance in the near future.

It remains to be seen what VMware's position on third-party antimalware will be. In the meantime, it is worth noting how frequently ESXi and vCenter servers have offered opportunities for unauthenticated exploitation without user interaction (for the technically minded: CVSS vectors with PR:N/UI:N). See the recent timeline below.

22/05/2023

FIDO2 is fast gaining adoption as a phishing-resistant form of multifactor authentication. Supported by all major platforms (Microsoft Windows, Google Android, Apple) and browsers (Firefox, Chrome, Edge), it finally promises to simplify strong authentication, making it easier to implement and ultimately more secure.
But how to make FIDO2 work in an organizational context? It turns out identity management becomes the crucial element: shielding all entry points (apps, VPN, VDI, etc.) behind an identity federation service is the way forward.



The multifactor authentication (MFA) most commonly used in organizations today is relying on smartphone applications that provide push notifications to be approved by employees when authenticating against protected resources. From Microsoft to Google authenticator, we're all used to this process now...

19/05/2023

It seems the Croatian Data Protection Agency (AZOP) is on a streak: after the record fine imposed on a debt collection agency earlier this month (EUR 2.2 million), this week saw another milestone penalty (EUR 380,000) for a local sports betting firm.
Apparently, the company was copying and storing payment cards and cardholder data without notifying customers, and lacked the appropriate technical and organizational measures stipulated by the GDPR.

📣 What is new in the ruling (besides the unusually high fine) is an explicit reference to GDPR Article 32, specifically the encryption of personal data at the database level (i.e. data-at-rest encryption).

Data-at-rest encryption (particularly on the database record level) for PII data is typically avoided in practice as it usually introduces complexity and failure points which many IT departments will want to avoid.
Furthermore, data is often stored in various locations and formats, accessed via diverse interfaces (from storage level to a Sharepoint-type web app), complicating things further.

It remains to be seen how this latest ruling will change the economics of introducing data-at-rest encryption more broadly into organizational environments.

The full verdict from the DPA is here (Croatian language):
https://azop.hr/sportskoj-kladionici-izrecena-upravna-novcana-kazna-od-380-000-eura/

18/05/2023

Recognizing the vulnerabilities of existing mobile push multifactor authentication schemes (➡ https://www.techinsights.pro/post/phishing-resistant-mfa-the-new-normal), Microsoft is rolling out "number matching" when logging into MS365 services.

It's important to note this is just a mitigation measure on Microsoft's part, in order to minimize the risk of MFA attacks based on "fatigue" or "prompt bombing", which have become increasingly common: a threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications.

Number matching is designed to mitigate this risk by introducing an additional step: besides simply clicking on "Yes, that's me" and confirming the identity, the users are now presented with a number they need to type into the mobile app to complete the authentication.

Of course, this still does not address adversary-in-the-middle (reverse proxy) MFA phishing, now a mature and unfortunately popular malicious technique ( ➡ https://www.techinsights.pro/post/bypassing-mobile-push-authentication-an-example).

As CISA recommends, number matching is only an interim measure, while true phishing-resistant MFA is what organizations should aim for. This means either certificate-based authentication (CBA) or the more user-friendly FIDO2 security keys/passkeys, which are becoming the strong authentication standard on all platforms.
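The difference between number matching and FIDO2 comes down to what the verifier actually checks. The script below is an added example (not code from the original post, from Microsoft or from CISA) that models the relying party's verification of a WebAuthn assertion with Python's standard library: ceremony type, challenge, origin, rpIdHash, the user-presence flag and the signature. One simplification, marked in the code: the authenticator's ECDSA signature over authenticatorData || SHA-256(clientDataJSON) is replaced by an HMAC with a per-credential secret so the example runs offline; the structure of the checks is unchanged. Host names, the challenge and the secret are constructed.

```python
"""Why FIDO2/WebAuthn survives a reverse-proxy phishing site while push MFA
with number matching does not.

Added example, not code from the original post, Microsoft or CISA. Models the
relying-party checks on a WebAuthn assertion with the standard library only.
Simplification: the ECDSA signature over authenticatorData || SHA-256(clientDataJSON)
is replaced by an HMAC with a per-credential secret so this runs offline.
All host names, the challenge and the secret are constructed.
"""
import hashlib
import hmac
import json
import struct

RP_ID = "login.example.com"                      # constructed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # constructed


def browser_and_authenticator(cred_secret: bytes, origin_in_address_bar: str,
                              challenge: str) -> dict:
    """What the user's browser and security key produce. The browser (not the
    web page) fills in the origin; the authenticator binds the assertion to the
    rpId derived from that origin. A phishing proxy controls neither."""
    rp_id = origin_in_address_bar.split("://", 1)[1].split("/", 1)[0]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_in_address_bar},
        separators=(",", ":")).encode()
    flags = 0x01 | 0x04                          # UP (user present) | UV (user verified)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": signature}


def verify_assertion(cred_secret: bytes, assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party side. Returns (accepted, reason)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} not allowed"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def push_with_number_matching(number_shown_by_idp: int, number_typed_in_app: int) -> bool:
    """Push MFA with number matching: nothing in the check is tied to the site
    the user is on. A proxy relaying the genuine login page relays the genuine
    number as well, so the victim types the right one."""
    return number_shown_by_idp == number_typed_in_app


def run_scenarios() -> dict:
    secret = b"constructed-credential-secret"
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; real ones are random per login
    legit = browser_and_authenticator(secret, "https://login.example.com", challenge)
    # AiTM proxy: the user is really on the lookalike host; the proxy relays the
    # genuine site's challenge and forwards whatever the browser returns.
    proxied = browser_and_authenticator(secret, "https://login.example-com.evil", challenge)
    return {
        "fido2_direct": verify_assertion(secret, legit, challenge),
        "fido2_via_proxy": verify_assertion(secret, proxied, challenge),
        "fido2_replay": verify_assertion(secret, legit, "ZnJlc2gtY2hhbGxlbmdl"),
        # number 42 displayed by the IdP, relayed by the proxy, typed by the victim
        "push_number_matching_via_proxy": push_with_number_matching(42, 42),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} {result}")
```

The proxied assertion is rejected on the origin check and would also fail the rpIdHash comparison if the proxy rewrote clientDataJSON, because the signature covers both values. The number-matching function has no such binding: the proxy shows the victim the genuine number, so the match succeeds and the session is the attacker's.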

15/05/2023

➡ Are high risk applications being used by employees?
➡ Is there lateral movement inside the network pointing to an attacker's hidden presence?
➡ Are public facing services (VPN, web apps) being exploited or brute forced?
➡ Is risky traffic being tunneled and bypassing existing security policies?
➡ Is DNS being used to infiltrate malware or exfiltrate data?
➡ Are there bot infected devices lurking on the network?

These are some questions that can be answered with the right tools, proper threat intelligence and a non-disruptive approach to network traffic detection.
Find out more on how it can be achieved with Palo Alto Networks' Security Lifecycle review (SLR).

https://www.techinsights.pro/post/quickly-gain-situational-awareness-and-visibility-into-your-network-environment



We all know visibility is the key to prevent breaches: gaining situational awareness and visibility into network traffic is usually a great way to start. Attackers often spend 3 or more months moving around inside business networks before launching their attacks. Yet, with the right tools and detect...

14/05/2023

GDPR's 5th enforcement anniversary sees the largest fine issued so far in Croatia. Regardless of the outcome, the case will undoubtedly have significant implications for the future.
One thing is certain: in today’s GDPR regime, personal data is to be treated as if it’s “radioactive material”. Handle with care.

----

On GDPR's 5th anniversary, the Croatian data protection authority (DPA) has issued the biggest fine for a GDPR violation so far: EUR 2.26 million. The company fined is B2 Kapital, a financial services agency specializing in purchasing non-performing loans (NPLs) from banks. More info on the case here: https://azop.hr/agenciji-za-naplatu-potrazivanja-izrecena-upravna-novcana-kazna-u-iznosu-od-226-milijuna-eura/ (Croatian language).

According to the GDPR Enforcement Tracker, the largest fine issued in Croatia until now was EUR 285,000, and fines have largely targeted the telecommunications sector. This appears to be the first time a financial services company has been fined.
Judging by the latest financial data for B2 Kapital, the penalty seems to be close to the maximum allowed, i.e. 4% of annual turnover.

The leak was apparently reported anonymously both to the media and to the DPA itself, via a USB stick containing around 77 thousand records on natural persons on the hook for non-performing loans (NPLs). According to the DPA, the leaked records contained the first and last name, date of birth and VAT number of each person. Further proceedings by the DPA found B2 Kapital responsible for handling close to 133 thousand records without proper technical and organizational measures to ensure an adequate level of protection (GDPR Article 32).
This latest example shows that in today's GDPR enforcement environment, processing or storing any amount of personal data on physical persons (however trivial) is in fact to be considered a "radioactive" asset with a huge risk attached. This especially applies to companies with high revenue and comparatively small net margins, as the penalties are based on turnover.

Furthermore, the technical and organizational measures under Article 32 can be interpreted broadly, introducing substantial uncertainty. Disgruntled employees can find ways to bypass technical controls, and high penalties can even incentivize leaks, while external attackers or simple configuration errors will continue to expose customer data in the future. So it remains to be seen how companies will react. All things considered, it is reasonable to conclude that most companies will treat GDPR as a cost of doing business, and some markets such as NPL reselling will probably become much less liquid, prompting banks to find other ways to wind down bad assets. In any case, unintended consequences are bound to surround GDPR for the foreseeable future.
Meanwhile, the investigation at B2 Kapital has not established whether the leak was the result of an external attack or an inside job. B2 was unable to produce any log records indicating how the data was extracted, and the company has announced a legal challenge to the DPA's findings and fine.

Regardless of the outcome, this case will undoubtedly have significant implications for the future.

14/05/2023

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has seen many businesses and organizations suffer the consequences of destructive cyber attacks in recent years. Being involved in breach assessments alongside various industry stakeholders, their cybersecurity advice is notable, yet often overlooked or ignored:
"One major improvement you can make is to eliminate all services that are hosted in your offices [...] These systems require a great deal of skill to secure. They also require time to patch, to monitor, and to respond to potential security events. Few small businesses have the time and expertise to keep them secure. [...] We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible."

Read more in CISA's Cyber Guidance for small businesses here:
https://www.cisa.gov/cyber-guidance-small-businesses

Should the advice be extended to larger organizations as well?

08/05/2023

Hybrid work or work from anywhere and the usage of SaaS apps outside the traditional perimeter (for ex. MS365) are changing the role of network security, in particular next-gen firewalls (NGFW).
Being on the market for more than 10 years, the NGFW is not so much "next-gen" anymore. However, a future-proof NGFW platform is still of strategic importance to the organization.
The NGFW firewall architecture has to adapt to new realities: the dissolving network perimeter, BYOD, SaaS applications and cloud infrastructure, to name a few.




05/05/2023

A lack of situational awareness prolongs the time a threat actor operates undetected inside a network, which in turn allows attackers to discover more assets and exfiltrate more data. Business data API endpoints are particularly attractive, as they often allow for automated data scraping.
This appears to be the case with the latest breach and customer data leak reported by T-Mobile USA, the second since January.



T-Mobile has revealed a second data breach that occurred in 2023, which reportedly exposed customer data and account PINs.
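Scraping an ID-keyed API looks different from legitimate use in one measurable way: a single client walks through many distinct record IDs in a short time. The script below is an added example, not code from the original post or from T-Mobile; it keeps a sliding window of distinct IDs per client over access-log lines and raises one alert per client above a threshold, reporting how sequential the IDs were. The log format, addresses and paths are constructed.

```python
"""Spotting automated record scraping against an ID-keyed API endpoint.

Added example, not code from the original post or from T-Mobile. Runs a
sliding-window count of distinct record IDs per client over access-log lines
and flags clients that walk through many different IDs quickly. The log
format, hosts, paths and addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
ID_PATH_RE = re.compile(r"^/api/v1/customer/(?P<id>\d+)$")


def detect_enumeration(lines, window_s: int = 60, max_distinct: int = 10) -> list:
    """One alert per client whose distinct-ID count inside any window_s-second
    window exceeds max_distinct. Repeated fetches of the same ID (a user
    refreshing their own profile) do not count."""
    recent = defaultdict(deque)      # client -> deque of (epoch seconds, id)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # not our format; real code would log it
        p = ID_PATH_RE.match(m["path"])
        if not p:
            continue                 # only ID-keyed endpoints matter here
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        q = recent[m["client"]]
        q.append((ts, int(p["id"])))
        while q and ts - q[0][0] > window_s:
            q.popleft()              # drop requests outside the window
        ids = sorted({i for _, i in q})
        if len(ids) > max_distinct:
            seq = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            alerts[m["client"]] = {  # overwritten as the walk continues
                "client": m["client"],
                "distinct_ids": len(ids),
                "id_range": (ids[0], ids[-1]),
                "sequential_share": seq / (len(ids) - 1),
                "last_seen": m["ts"],
            }
    return list(alerts.values())


def _t(offset: int) -> str:
    return f"2023-05-05T10:00:{offset:02d}Z"


# Constructed log: a self-service user, a support agent and a scraper.
SAMPLE_LOG = (
    [f"{_t(1)} 198.51.100.5 GET /api/v1/customer/100777 200",
     f"{_t(2)} 198.51.100.5 GET /api/v1/customer/100777 200",
     f"{_t(3)} 198.51.100.5 GET /api/v1/customer/100777/invoices 200"]
    + [f"{_t(5 + i)} 198.51.100.9 GET /api/v1/customer/{100400 + i * 37} 200" for i in range(4)]
    + [f"{_t(10 + i)} 203.0.113.7 GET /api/v1/customer/{100200 + i} 200" for i in range(31)]
)

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

In production the client key would be the API token or account rather than the source address, since scrapers rotate IPs, and the alert would feed a rate limiter or token revocation rather than a print; a high sequential share is the tell that someone is iterating IDs rather than looking up real customers.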

24/04/2023

Last week Google announced another security fix that addresses a vulnerability apparently exploited in the wild.

Tracked as CVE-2023-2136 (https://www.securityweek.com/google-patches-second-chrome-zero-day-vulnerability-of-2023/), this one is an integer overflow in Skia, the 2D graphics library the browser uses to render web content. Users (and admins) should update to at least Chrome 112.0.5615.137 to fix the issue.

The vulnerability made it into CISA's Known Exploited Vulnerabilities (KEV) catalog, although there are no details on how widely the exploit is being used by malware actors.

In any case, this vulnerability comes just a few days after a similar Chrome bug was patched by Google, also known to be exploited in the wild (CVE-2023-2033).

Both bugs could essentially make it into drive-by download exploit kits usually deployed on compromised web servers. Unsuspecting users visiting such web pages could inadvertently install malware on their devices.

Google Chrome is being widely used by billions of internet users, so prompt patching will always be difficult, even in relatively small organizations.

As the number of vulnerabilities discovered each year is still growing by 20%+, having robust endpoint detection & response (EDR/XDR) capabilities is becoming even more important. XDR is the new baseline for endpoint protection, now that antimalware detection is a commodity enabled by default at operating system level.

17/04/2023

The open source model has always had its proponents and critics. The modern times bring some fresh challenges to the model.

Start with security and the infamous Log4Shell bug (https://www.protocol.com/newsletters/protocol-enterprise/open-source-security-log4j) disclosed in late 2021. An open source library featured a catastrophic bug - not a problem per se, if not for the fact that the library is a standard part of most enterprise software deployed worldwide: from core banking systems, over ERPs to CRM software. Any and all of those critical software systems suddenly became vulnerable and open for exploitation overnight.
And everybody was made aware that the fix depended on a few library maintainers, with no SLA or any contractual relationship attached. Yes, they were working overnight to fix and distribute the fix, but now regulators are awakening to a new systemic risk.

As a reaction, we now have the EU Commission proposal for the Cyber Resilience Act. The act establishes a set of expectations for any product with digital elements: ability to perform updates, follow diligent software development practices, the assessment of cybersecurity risks and the need for certification. And yes, the threat of fines for non-compliance.

The upcoming regulatory frameworks are bound to change the practice of open source development, and may even discourage loosely connected individuals from publishing open source software unless they abide by strict certification requirements.

The unintended outcome could be less open source innovation. Some open source developers might even geographically restrict access to their code, simply because they do not want to be liable for non-compliance with EU regulation; they are often hobbyists and not experts in compliance.
A critical appraisal of the upcoming Cyber Resilience Act and its potential impact on open source can be found here:
https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/

17/04/2023

The pandemic proved a boon for the tech sector (if Nasdaq is your benchmark).
It’s not yet clear whether the latest generative transformer AI models will do the same for tech.
GPT models will need to translate into tangible productivity gains across many industries (beyond the current hype), and the tech companies will need to find paths to monetization.

On both counts, the outcomes are unclear. The broader market reaction is still defined by growing online shopping, remote working and zooming “discovered” during the pandemic.

Better ask chatGPT what the future impacts will be:)

05/04/2023

Phishing is the most popular technique to gain unauthorized access to IT systems, so it's useful to remind about the dangers of password-based authentication.

Verizon's 2022 Data Breach Investigations Report puts the share of breaches involving the human element (phishing and other social engineering, stolen credentials, errors and misuse) at 82%.

The times are changing so much, that an organization will get a lower security rating or have difficulties insuring against cyber risk, unless it uses some form of multifactor authentication.

Password expiration (https://www.techinsights.pro/post/password-rotation-an-obsolete-practice) is a related issue promoting bad security practices - so much so that Microsoft for example is reporting a reduced security score via its Secure Score service (https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide), if password rotation is enabled for its MS365 customers.

24/03/2023

Just as it seemed ransomware attacks were subsiding and companies were finding ways to cope (https://www.techinsights.pro/post/ransomware-demands-decline), details of a new and different wave of attacks are emerging, this time based on a vulnerability in GoAnywhere MFT, a file transfer software used by thousands of organizations worldwide.
The campaign has been ongoing since January, with a growing list of companies and organizations listed as victims (Procter & Gamble, Rubrik, the UK Pension Protection Fund, the City of Toronto, to name a few).
It appears this is a massive data exfiltration incident due to a bug in the GoAnywhere application allowing remote code execution prior to authentication. The attackers appear to be combining encryption with extortion, threatening to leak the stolen sensitive data.
The developing story at Techcrunch: https://techcrunch.com/2023/03/24/fortra-goanywhere-clop-ransomware/

22/03/2023

Any vulnerability that does not require user interaction to exploit should be taken seriously and prioritized.
That is precisely the case with the novel CVE-2023-23397 affecting the Microsoft Outlook (Windows) client, already exploited in the wild by various threat actors months before the fix was publicly released with Microsoft's March Patch Tuesday.
A specially crafted email (calendar invite) triggers the vulnerability automatically when it is retrieved and processed by the Outlook client: no viewing or opening of the message, not even in the Preview Pane, is required. The client then connects to an attacker-controlled server and leaks the user's Net-NTLMv2 hash (the challenge response), which the attacker can relay to attack exposed services that accept NTLM authentication.
Important: on-prem Exchange servers and services are much more exposed to lateral movement using the obtained NTLM credential. Online services such as Microsoft 365 (Exchange Online) do not accept NTLM authentication, which removes them from this attack surface.
Organizations relying on on-prem Active Directory have a larger exposed attack surface, as the likelihood of running SMB or WebDAV-over-HTTP services that accept NTLM is much higher in such environments.

More info on Trend Micro's blog: https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immediately-what-you-need-to-know-and-do.html

We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale.
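Because the leaked credential leaves the network over SMB or WebDAV, the mitigation that does not depend on every Outlook client being patched is egress control: Microsoft's guidance at the time included blocking outbound TCP 445 and adding high-value accounts to the Protected Users group. The script below is an added example, not code from the original post, from Trend Micro or from Microsoft: it scans firewall/proxy log lines for inside-to-Internet SMB connections and WebDAV mini-redirector requests, the two channels that carry a Net-NTLMv2 response. The internal ranges, the log format and all addresses are constructed; the WebDAV User-Agent prefix is the one Windows sends and is assumed stable here.

```python
"""Catching Net-NTLM credential leakage at the network edge.

Added example, not code from the original post, Trend Micro or Microsoft.
Scans firewall/proxy log lines for outbound SMB (tcp/445, tcp/139) and
WebDAV-MiniRedir HTTP requests from internal hosts to non-internal
destinations. Internal ranges, log format and all addresses are constructed.
"""
import ipaddress
import re

KV_RE = re.compile(r"(\w+)=(\S+)")
SMB_PORTS = {139, 445}
# User-Agent prefix of the Windows WebDAV mini-redirector (assumed stable here).
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"
# Constructed "our network" definition; a real deployment lists its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_kv(line: str) -> dict:
    """'<timestamp> k=v k=v ...' lines; the timestamp is kept under 'ts'."""
    fields = dict(KV_RE.findall(line))
    head = line.split(" ", 1)[0]
    if "=" not in head:
        fields["ts"] = head
    return fields


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_ntlm_egress(lines) -> list:
    """Flag inside-to-outside connections that would carry Windows
    authentication: SMB, or HTTP from the WebDAV client. Denied attempts are
    reported too, since they show the trigger fired on that host."""
    hits = []
    for line in lines:
        f = parse_kv(line.strip())
        try:
            if not is_internal(f["src"]) or is_internal(f["dst"]):
                continue                 # only inside -> Internet is interesting
        except (KeyError, ValueError):
            continue                     # malformed line or address
        port = int(f.get("dport", 0))
        ua = f.get("ua", "")
        if port in SMB_PORTS:
            reason = f"outbound SMB tcp/{port}"
        elif ua.startswith(WEBDAV_UA_PREFIX):
            reason = "WebDAV mini-redirector to Internet host"
        else:
            continue
        hits.append({"ts": f.get("ts"), "src": f["src"], "dst": f["dst"],
                     "reason": reason, "action": f.get("action", "?")})
    return hits


# Constructed log lines: one internal SMB share access (benign), one workstation
# reaching an Internet SMB listener and then the same host over WebDAV, ordinary
# browsing, and a blocked SMB attempt from a second workstation.
SAMPLE_LOG = [
    "2023-03-20T09:12:44Z src=10.20.30.44 dst=10.20.1.5 proto=tcp dport=445 action=allow",
    "2023-03-20T09:12:45Z src=10.20.30.44 dst=203.0.113.9 proto=tcp dport=445 action=allow",
    "2023-03-20T09:12:46Z src=10.20.30.44 dst=203.0.113.9 proto=tcp dport=80 action=allow ua=Microsoft-WebDAV-MiniRedir/10.0.19045",
    "2023-03-20T09:13:01Z src=10.20.30.51 dst=198.51.100.20 proto=tcp dport=443 action=allow ua=Mozilla/5.0",
    "2023-03-20T09:13:07Z src=10.20.30.51 dst=198.51.100.20 proto=tcp dport=445 action=deny",
]

if __name__ == "__main__":
    for hit in suspicious_ntlm_egress(SAMPLE_LOG):
        print(hit)
```

An allowed hit is an incident (the hash is already gone and the destination host is the relay point); a denied hit is still a lead, because it names the internal machine on which a malicious message was processed.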

14/03/2023

Microsoft is gradually enforcing multifactor authentication (MFA) to the remaining customers who had been using Azure/MS365 services prior to October 2019. Administrators are being notified via e-mail and finally with a prompt during sign-in (as shown below).

Since late 2019, all new customer tenants have had MFA enabled by default. The "older" customers are now being enforced, which finally closes the gap.

Microsoft claims more than 99.9% of hacked accounts are found not having MFA, making them vulnerable to phishing.

MFA (a feature called "Security Defaults") is now enabled on more than 30 million organizations. According to Microsoft, these organizations experience 80 percent less compromise than the overall tenant population, so it's no wonder the company embarked on the road of making MFA mandatory for every customer.

Although MFA with out-of-band verification (such as push notification on the smartphone) is much more secure than passwords, the latest attack techniques show that even such MFA is prone to phishing. As a consequence, organizations should go further and rapidly consider phishing resistant authentication based on FIDO2 security keys (also supported on Microsoft Azure).

27/02/2023

Good news from the ransomware front. It appears ransom demands are decreasing, indicating the ransomware business model is becoming less successful.



Better security and law enforcement driving ransom demands lower and making ransomware less successful?

14/02/2023

Most are Microsoft related (Patch Tuesday!), but the Apple Webkit bug is a true novelty, perhaps implying iPhone spyware delivered via malicious web content.


01/02/2023

Microsoft is republishing an old Windows vulnerability from 2013 (CVE-2013-3900), apparently prompted by recent reports that it is being exploited by Zloader, a banking malware, among others. The vulnerability allows malicious files to appear to carry a valid Authenticode signature, which makes it a convenient detection evasion technique for attackers.

Notable is that the fix is not enabled by default and requires a manual registry modification to opt in (the EnableCertPaddingCheck value under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config, plus its Wow6432Node counterpart on 64-bit systems), which is an unusual move by Microsoft.




31/01/2023

37 million customer records exposed in breach at T-mobile, highlighting the issues with API security.




25/01/2023

Phishing is again in the spotlight: after last August's successful attack against Mailchimp, the popular e-mail marketing SaaS provider, it appears something similar was executed in early January. Mailchimp says the attackers gained access to employee credentials after a social engineering attack on Mailchimp employees and contractors.
The outcome: the hackers used compromised employee credentials to access internal applications, exposing data on 133 Mailchimp customers (including WooCommerce).
This translates into a vast amount of e-mails and other contact data now available for customized phishing campaigns down the line.

Generally, it's reasonable to assume any e-mail and contact data exposure to malicious users is inevitable (Mailchimp is certainly not the only and last SaaS provider being hacked), raising the risk of highly targeted phishing attacks in the future.

Preparing organizations for this inevitable outcome includes planning for phishing resistant MFA and security awareness campaigns (hopefully automated).



This is the second breach to hit Mailchimp in six months. It also appears to be almost identical to a previous incident.

25/01/2023

Not a good day for either Azure or Microsoft 365 services today, as a worldwide outage has impacted everything from Exchange to Azure IaaS services since early morning UTC.
Outages are increasingly associated with security breaches nowadays (remember Rackspace Hosted Exchange? Still down almost 2 months after the ransomware attack). Fortunately, today's outage appears to have been caused by a networking configuration blunder: a wide-area network (WAN) routing change impacted connectivity between clients on the internet and Azure/MS365 servers.
