August was quiet on the cybersecurity front, yet still included some sophisticated phishing attacks, security vulnerabilities, and ransomware activity. Read on to find out what we are talking about this month.
Hackers steal session cookies to bypass multi-factor authentication
This article covers a newer method attackers use to bypass MFA: stealing recently issued browser cookies and using them to get access to credentials. Browsers keep cookies and saved form data (passwords, credit card numbers) in files on disk so the user does not have to log in or retype them. The attacker uses an MFA phishing technique to get at those cookie files, then runs scripts over them to extract login credentials and card details. The article recommends not using the browser's built-in functionality to save user information or credit cards, and setting an expiration date on cookies so that a stolen copy has only a short useful life.
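As an added illustration of the expiration recommendation above (example code written for this post, not from the article): a minimal server-side session store that enforces both an absolute lifetime and an idle timeout, plus the Set-Cookie attributes that limit how a copied session cookie can be replayed. The lifetimes and the `session` cookie name are assumed values.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Assumed policy: a session ends 8 hours after login regardless of activity, and
# after 15 minutes idle, so a stolen cookie is replayable only inside those windows.
ABSOLUTE_LIFETIME = 8 * 3600
IDLE_TIMEOUT = 15 * 60

@dataclass
class Session:
    user: str
    created: float    # login time, epoch seconds
    last_seen: float  # most recent validated request

class SessionStore:
    def __init__(self):
        self._sessions = {}  # sid -> Session; the cookie carries only the sid

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid, now=None):
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: every copy, stolen or not, is dead
            return None
        s.last_seen = now
        return s.user

def set_cookie_header(sid):
    """Set-Cookie value: HttpOnly keeps page scripts away from the cookie, Secure
    keeps it off plaintext HTTP, SameSite=Strict blocks cross-site sends, and
    Max-Age mirrors the idle timeout so the browser discards it as well."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["max-age"] = IDLE_TIMEOUT
    c["session"]["path"] = "/"
    return c.output(header="").strip()
```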
“Cookie stealing has been one of the most common ways for threat actors to move laterally. That’s why, since the beginning of our platform, we’ve had support for injecting cookies in the most common web browsers as a way to deploy breadcrumbs on endpoints.” — Fernando, Founder
Source: eSecurity Planet, August 19
Phishers managed to breach Twilio and target Cloudflare
Twilio and Cloudflare, two security companies, recently suffered precise, coordinated phishing attacks. The advanced threat actor succeeded in phishing the credentials of an undisclosed number of employees and, from there, gained unauthorized access to the company's internal systems, Twilio said. The threat actor then used that access to reach data in an undisclosed number of customer accounts. Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed it had been targeted in a similar manner. Cloudflare said that three of its employees fell for the phishing scam, but that the company's use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
“Any company is subject to fall to a phishing attack, and whenever someone manages to get access to customer data, this causes massive reputation damage. I found it interesting that Twilio’s two-factor authentication method still allowed hackers to access internal systems, but Cloudflare’s (using hardware-based MFA keys) stopped hackers in their tracks.” — Xabier Eizmendi, Lead Software Architect
Source: Ars Technica, August 9
Cisco hacked by Yanluowang ransomware gang
Cisco, the large North American tech company, was recently attacked by the Yanluowang ransomware gang. The attackers got into Cisco's network with stolen credentials, which they obtained through an MFA fatigue technique: spamming the user with repeated multi-factor authentication notifications until the user enters their credentials into a fake system. The attackers tried to gain admin privileges, but according to Cisco, they were unsuccessful.
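The push-notification spamming described above leaves a clear trace in authentication logs. As an added example (written for this post, not taken from the article or from Cisco), here is a sliding-window detector run over a constructed log excerpt; the log format, the 5-in-10-minutes threshold and the user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): "<timestamp> <user> <event> <result>", in
# time order. alice is being push-bombed and finally approves; bob and carol look normal.
SAMPLE_LOG = """\
2022-08-10T02:14:01Z alice mfa_push denied
2022-08-10T02:14:20Z alice mfa_push denied
2022-08-10T02:14:47Z alice mfa_push timeout
2022-08-10T02:15:10Z alice mfa_push denied
2022-08-10T02:15:38Z alice mfa_push timeout
2022-08-10T02:16:02Z alice mfa_push approved
2022-08-10T08:01:00Z bob mfa_push approved
2022-08-10T09:00:00Z carol mfa_push denied
2022-08-10T09:15:00Z carol mfa_push approved
2022-08-10T09:30:00Z carol mfa_push denied
2022-08-10T09:45:00Z carol mfa_push approved
"""

# Assumed tuning: 5 or more pushes to one user within 10 minutes is a burst.
PUSH_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

def parse_line(line):
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result

def detect_push_fatigue(lines, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Sliding-window count of MFA pushes per user. Returns {user: {"pushes": n,
    "approved_after_burst": bool}} for users whose count reached the threshold;
    an approval inside a burst is the case that needs an immediate response."""
    recent = defaultdict(deque)  # user -> timestamps inside the current window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop pushes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
            a["pushes"] = max(a["pushes"], len(q))
            if result == "approved":
                a["approved_after_burst"] = True
    return alerts
```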
“This news shows that even the most secure companies are not safe from threat actors and, as we have always stated, one of the benefits of cyber deception is that it can help with reducing the harm done by attackers by allowing companies to detect breaches sooner.” — A member of the development team
Source: Bleeping Computer, August 10
A breach in Intel’s latest generation of CPUs
The SGX enclave, a security feature of Intel's latest generation of Core processors, was supposed to be impenetrable, but according to this article it has not lived up to that standard. Multiple security holes have been found, with the main vulnerability residing in the APIC (Advanced Programmable Interrupt Controller). The APIC is built into most modern CPUs; its job is to interrupt the running task so that essential work can be handled. A single, fully up-to-date system is enough to be breached and have secrets extracted from an enclave (e.g., bypassing Signal private contact discovery, or leaking DRM secrets or attestation keys). The researchers concluded that, if not mitigated, ÆPIC Leak is a significant threat to enclave security.
“This one interested our technical team quite a bit, and there was even talk about it at Black Hat USA. Researchers even created a Git repository with a PoC on how to exploit Intel’s SGX enclave: https://github.com/IAIK/AEPIC.” — Fernando, Founder
Source: Ars Technica, August 9
GitLab vulnerability announced
GitLab has announced a vulnerability that allows attackers to perform remote command execution via the GitHub import feature, meaning they could upload malware and even edit or delete source code. GitLab says an update is required to ensure users are not susceptible to this vulnerability. The vulnerability addressed by this security update is tracked as CVE-2022-2884 and has a CVSS v3 score of 9.9. It affects all versions from 11.3.4 up to 15.1.4, versions 15.2 through 15.2.3, and 15.3.
“As soon as CVE-2022-2884 (an RCE vulnerability affecting GitLab) with a CVSS v3 score of 9.9 was published, we wanted to provide real threat intel to understand how threat actors are exploiting this vulnerability. In order to do so, we deployed different campaigns to get full details of the TTPs involved with this vulnerability.” — Juan de La Fuente, Threat Intelligence Analyst
Source: Bleeping Computer, August 24