With Actions Integrations, Okta is expanding its no-code offerings to help administrators manage and customize their identity workflow.

Every organization has its own set of identity requirements, which means very few identity platforms have everything right out of the box. Administrators have to customize the identity workflow to address their security, privacy, compliance needs while balancing ease-of-use. For many organizations, that means developers are writing custom code to secure and manage identity workflows.

Okta has introduced Actions Integrations, easily integrated third-party components that extend Okta Customer Identity Cloud with new features and capabilities. These components make third-party connections directly, without having to write any code, Okta said.

Actions Integrations "solve common identity needs that aren’t addressed out of the box by Okta Customer Identity Cloud," Okta said in a blog post announcing the general availability of Actions Integrations. This way, developers can focus on the core product features and less on building out code to manage authentication and identity.

The Marketplace already has a number of security- and privacy-focused components – such as for identity proofing (to verify the end user's identity), consent management (capture and tract consent through the customer lifecycle), and data collection (directly from users). Even as Okta provides more no-code options, it will continue to support developers and partners who want to build their own integrations.

"The Auth0 Marketplace hosts all available integrations where developers can find the pieces that are missing from their identity flow," Okta said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Okta Expands No-Code Offerings for Identity Cloud

A rapid increase in the number of operators in the space — the "locksmiths" of the cyber underground — has made it substantially cheaper for cybercriminals to buy access to target networks.

Names such as Novelli, orangecake, Pirat-Networks, SubComandanteVPN, and zirochka are unlikely to mean anything to a vast majority of enterprise security teams. But for ransomware operators and other cybercriminals looking for quick access to enterprise networks, these were _the_ brokers to approach for a major portion of last year.

Between them, the five entities accounted for some 25% of all access offers to enterprise networks that were available for sale on underground forums between the second half of 2021 and the first half of 2022. For an average price of around $2,800, these so-called initial access brokers (IABs) sold stolen VPN and remote desktop protocol (RDP) account details and other credentials that criminals could use to break into the networks of more than 2,300 organizations around the world, without breaking a sweat.

**A Vast & Growing Marketplace**

The five operators were the leaders in a much bigger and fast-growing market of hundreds of other similar IABs that security firm Group-IB discovered when conducting research for its 11th annual report on high-tech crime, released this week.

The company's research showed a sharp year-over-year growth in the number of IABs operating in underground forums and markets — from 262 in the immediately preceding 12-month period to 380 in the period between the second half of 2021 and the first half of 2022. Some 327 of the IABs that Group-IB observed operating during that period were new entries in the space.

Group-IB researchers also uncovered a 41% increase in the number of countries to which compromised entities belonged — from 68 a year earlier to 96 over the period of its study. Nearly a quarter — 24% — of all initial access offers involved the networks of US-based organizations. Other countries with a relatively high number of victims included Brazil, Canada, France, and the UK.

"As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023," warned Dmitry Volkov, CEO of Group-IB, in a statement accompanying the new report.

"Initial access brokers play the role of oil producers for the whole underground economy," he noted. "They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries."

**"Opportunistic Locksmiths of the Security World"**

The value proposition of IABs in the cybercrime economy is that they give other cybercriminals a way to gain an easy foothold on a target network without their having to do any legwork upfront. IABs do the technical work of breaking into a network and stealing credentials — such as those associated with VPNs, RDP services, Active Directory, and remote management panels — that provide subsequent access to it. Often, they can drop Web shells on a compromised network to ensure persistent future access to it and then sell the Web shells. In a report last year, researchers from Google's Threat Analysis Group described IABs as the "opportunistic locksmiths of the security world" who specialize in breaching a target and offering access to it to the highest bidder.

**Fueling the Ransomware Economy**

IABs offer their wares to anyone willing to purchase them, and the market for their services has grown rapidly over the past two years or so. But their biggest customers of late have been ransomware operators. 

A new study by threat intelligence firm KELA showed that several major ransomware attacks involving groups such as Hive, Sodinokibi, BlackByte, and Quantum started with network access from an IAB. In one instance, members of the Conti ransomware group joined an IAB to target organizations in Ukraine. 

"The most notable incident was related to the attack on Medibank, an Australian insurance provider, which was attacked after network access to the company was sold on a private Telegram channel," KELA said.

Group-IB's researchers found that 70% of the access types that IABs offered were RDP and VPN account details. Many of the offers — 47% — involved access with administrator rights on the compromised network. Twenty-eight percent of advertisements in which rights were specified involved domain administration rights, 23% had standard use rights, and a small fraction provided root account access. 

Group-IB researchers also found IAB advertisements for access to Citrix environments, multiple Web panels for CMS and cloud servers, and Web shells on compromised systems. In some instances, IABs even offered to launch lateral-movement payloads such as Cobalt Strike Beacon or Metasploit sessions on behalf of the buyer. But offers for these credentials and services tended to be less common than those involving RDP and VPN credentials.

Organizations for which access offers were most commonly available in underground forums and marketplaces included manufacturing companies, financial services firms, real estate organizations, education, and information technology firms.

Group-IB found that the sharp increase in the number of entities operating in the IAB space during the period of its study had pushed prices down for most categories of initial access. 

The average price of $2,800 that the company observed was, in fact, less than half of the $6,500 that IABs used to charge on average for the same access a year previously.

Initial Access Broker Market Booms, Posing Growing Threat to Enterprises

Companies are being urged to update 0Auth, runner, and project API tokens, along with other secrets stashed with CircleCI.

The recently disclosed security incident at CicleCI has put customers in a pinch to update any secrets stowed inside their systems.

Customers of the the CI/CD DevOps platform need to update their protected data — ranging from tokens and keys of all sorts — stat, the company said in its Jan. 4 announcement and regular, subsequent updates.

However, the company assured its users it is still safe to build applications with CircleCI.

Besides sharing tools to help teams track down all of the potentially impacted secrets, CircleCI announced it is also working with AWS to notify those to have possible breached tokens. The company proactively updated GitHub and Bitbucket 0Auth tokens as well, CircleCI said. reported.

CircleCI also warned customers of a credential harvesting scam circulating, trying to get victims to enter their GitHub logins with a bogus Terms of Service update.

**CircleCI Security Incident Fallout**

Following the notification of the CircleCI security incident, researchers at Datadog discovered that a RPM GNU Privacy Guard (GPG) private signing key and its password were also vulnerable. Although the Datadog team found no evidence of exploitation, they have updated their RPM keys. The team also recommended key updates for those operating an RPM-based Linux distribution in which the system trusts the affected GPG key.

"The signing key, if actually leaked, could be used to construct an RPM package that looks like it's from Datadog, but it would not be enough to place such a package in our official package repositories," the alert from Datadog explained. "A hypothetical attacker with the affected key would need to be able upload the constructed RPM package to a repository used by the system."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Secrets Rotation Recommended After CircleCI Security Incident

VIPRE Endpoint Detection & Response (EDR) delivers streamlined, sophisticated, high-performing cloud-based EDR management in a single, easy-to-navigate console.

**NEW YORK****,** **Jan. 17, 2023** **/PRNewswire/ --** VIPRE Security Group, an industry-leader and award-winning global cybersecurity, privacy, data, and user protection company, announced today the launch of its latest cybersecurity solution – VIPRE Endpoint Detection & Response (EDR). VIPRE EDR is designed to help small- and medium-sized enterprises and the IT partners that serve them to navigate the complexities of EDR management from a single, easy-to-use console.

VIPRE EDR delivers the sophistication of a high-performing, cloud-based solution without the challenges that users might expect from an EDR solution. This advanced technology provides better detection and discovery of more anomalous behavior than users would receive from standalone antivirus file, process, and networking analysis solutions while also providing investigation and remediation tools to speed response times.

The VIPRE EDR solution revolves around the core tenets of Detection, Investigation, Containment and Remediation — turning threats into intelligence and recommending next steps for security professionals as simply identifying a threat is not enough.

**Benefits of VIPRE's Endpoint Detection and Response**

*   **EPP/Next-generation Antivirus:** With VIPRE Endpoint Cloud as its core, VIPRE EDR constantly scans files, processes, and network activity for known and unknown threats and instantly alerts you to suspicious behaviors.
*   **Exploit prevention:** Proactively blocks network threats with built in DNS protection, intrusion protection, and in-browser exploit prevention.
*   **Correlated Behavior Engine:** Peer deeper into endpoint behavior to track emerging or suspicious activity correlated across all engines. Potential threats are surfaced to the cloud console with full detailed telemetry of all related activity for further analysis.
*   **Endpoint Isolation:** Prevent threat spread by quickly isolating an affected device on the network. Only admins are able to manage and interact with the device remotely until the investigation is complete.
*   **Threat Incident Visualization:** Quickly view and address all threat behavior from a central location. Understand how and when a potential threat impacted systems, includes all aspects of endpoint activity related to the threat – all user, process, file, and network activity.
*   **Remote Shell:** For an even deeper look at what happened on the endpoint, VIPRE EDR allows click-button reporting that gives administrators instant access to the remote device – no special installation required.
*   **Suspicious file/link sandboxing:** Integrated ability to detonate files and links in a private cloud sandbox for deep analysis and forensic investigation.
*   **Integrated Vulnerability Management:** Close potential security holes with integrated app scanning and vulnerability management.

**VIPRE EDR: Decoding EDR for SMEs**

"VIPRE Security Group understands that many of today's EDR solutions are far too complex for the average business without a large, experienced IT staff, which is why VIPRE EDR is easy to use and resource sensitive — keeping organizations protected yet not overwhelmed with alert fatigue," said VIPRE's chief product officer Usman Choudhary.

Built on the core of VIPRE's top-ranked Endpoint Security Cloud EPP platform, protection begins with comprehensive monitoring and automated blocking of malicious activity across all file, process, and network activity on the endpoint. This protection includes monitoring for DNS, web, and network exploits, plus AI-driven malicious process behavior detection.

The solution allows users to peer deeper into endpoint behavior to track emerging or suspicious activity correlated across all engines. Potential threats are surfaced to the VIPRE EDR cloud console with detailed telemetry of all related activity for further analysis for root cause, entry point, and remediation.

Additionally, the solution provides endpoint isolation to prevent any threat from spreading by quickly isolating an affected device on the network. Only role-based members can manage and interact with the device until an investigation is complete and impacted systems, including all aspects of endpoint activity related to the threat, are remediated.

The VIPRE EDR solution also includes a robust incident management portal that efficiently tracks all open threats. Once identified, threats can be investigated to determine root cause, spread, and indicators of compromise (IOC) so that mitigation, remediation, and hardening can be performed through integrated tooling.

"Most EDR solutions are massively complex and can be overwhelming for small and mid-sized businesses with limited IT resources," Choudhary said. "After taking stock of the market and seeing where other EDR solutions were not meeting the needs of our customers, we created VIPRE EDR to meet their unmet needs."

For nearly 30 years, VIPRE Security Group's primary goal has been providing simple solutions to protect against online threats, both existing and emerging, in an ever-expanding, digitally connected world. VIPRE protects more than 20 million endpoints, processes more than 1.2 billion emails, and serves more than 50,000 customers each month.

Learn more about VIPRE EDR by visiting the VIPRE website.

**About VIPRE Security Group**

VIPRE Security Group, part of Ziff Davis, Inc., is an award-winning global cybersecurity, privacy, and data protection company. Highly rated by our customers and partners, we protect millions of consumers and businesses worldwide. VIPRE specializes in emulating our namesake by swiftly striking down emerging threats.

With a rich history dating back nearly 30 years, VIPRE Security Group has defended consumers from online security threats since the internet was in its infancy. Today, VIPRE delivers unmatched protection against even the most aggressive online threats. We use cutting-edge machine learning, real-time behavior monitoring, and one of the world's largest threat intelligence clouds to protect what matters. Team members are located in 11 countries, with customers in nearly every nation worldwide.

VIPRE Security Group Launches New Endpoint Detection and Response (EDR) Technology Built for SMEs

The latest critical bug is exploitable in dozens of ManageEngine products and exposes systems to catastrophic risks, researchers warn.

Several Zoho ManageEngine IT management products require patching against a critical unauthenticated remote code execution (RCE) that researchers warn is under active attack by malicious threat actors.

On Jan. 10, ManageEngine released an update against the bug, tracked under CVE-2022-47966, blaming it on "... an outdated third party dependence, Apache Santuario."

The security advisory adds that any of the two dozen ManageEngine products impacted are vulnerable if single sign-on is, or has ever been, enabled.

By Jan. 13, researchers at Horizon.ai provided indicators of compromise (IoCs). Now GreyNoise has observed malicious actors attempting to exploit the RCE over the past three days.

"IP addresses with this tag have been observed attempting to exploit CVE-2022-47966, an unauthenticated remote command execution vulnerability in multiple Zoho ManageEngine products," the security team reported.

Once the RCE is used to breach a system, that access could be used to create all sorts of havoc by threat actors, Horizon.ai analysts explained.

"ManageEngine products are some of the most widely used across enterprises and perform business functions such as authentication, authorization, and identity management," the Horizon.ai researchers added. "Given the nature of these products, a vulnerability such as this poses critical risk to organizations allowing attackers initial access if exposed to the internet, and the ability for lateral movement with highly privileged credentials."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Unpatched Zoho MangeEngine Products Under Active Cyberattack

Open source AI is lowering the barrier of entry for cybercriminals. Security teams must consider the right way to apply defensive AI to counter this threat.

In the wake of increasing concern about threat actors using open source AI tools like ChatGPT to launch sophisticated cyberattacks at scale, it's time for us to reconsider how AI is being leveraged on the defensive side to fend off these threats.

Ten years ago, cybersecurity was a different ball game. Threat detection tools typically relied on "fingerprinting" and looking for exact matches with previously encountered attacks. This "rearview mirror" approach worked for a long time, when attacks were lower in volume and generally more predictable.

Over the last decade, attacks have become more sophisticated and ever-changing on the offensive side. On the defensive side, this challenge is coupled with complex supply chains, hybrid working patterns, multicloud environments, and IoT proliferation.

The industry recognized that basic fingerprinting could not keep up with the speed of these developments, and the need to be everywhere, at all times, pushed the adoption of AI technology to deal with the scale and complexity of securing the modern business. The AI defense market has since become crowded with vendors promising data analytics, looking for "fuzzy matches": near matches to previously encountered threats, and ultimately, using machine learning to catch similar attacks.

While an improvement to basic signatures, applying AI in this way does not escape the fact that it is still reactive. It may be able to detect attacks that are highly similar to previous incidents, but remains unable to stop new attack infrastructure and techniques that the system has never seen before.

Whatever label you give it, this system is still being fed that same historical attack data. It accepts that there must be a "patient zero" — or first victim — in order to succeed.

The "pretraining" of an AI on observed data is also known as supervised machine learning (ML). And indeed, there are smart applications of this method in cybersecurity. In threat investigation, for example, supervised ML has been used to learn and mimic how a human analyst conducts investigations — asking questions, forming and revising hypotheses, and reaching conclusions — and can now autonomously carry out these investigations at speed and scale.

But what about finding the initial breadcrumbs of an attack? What about finding the first sign that something is off?

The problem with using supervised ML in this area is that it's only as good as its historical training set — but not with things it's never seen before. So it needs to be constantly updated, and that update needs to be pushed to every customer. This approach also requires the customer's data to be sent off to a centralized data lake in the cloud, for it to be processed and analyzed. By the time an organization knows about a threat, often it's too late.

As a result, organizations suffer from a lack of tailored protection, large numbers of false positives, and missed detections because this approach is missing one crucial thing: the context of the unique organization it is tasked with protecting.

But there is hope for defenders in the war of algorithms. Thousands of organizations today use a different application of AI in cyber defense, taking a fundamentally different approach to defend against the entire attack spectrum — including indiscriminate and known attacks but also targeted and unknown attacks.

Rather than training a machine on what an _attack_ looks like, _unsupervised_ machine learning involves the AI learning the _organization_. In this scenario, the AI learns its surroundings, inside and out, down to the smallest digital details, understanding "normal" for the unique digital environment it's deployed in to identify what's _not_ normal.

This is AI that understands "you" in order to know your enemy. Once considered radical, today it defends over 8,000 organizations worldwide by detecting, responding, and even preventing the most sophisticated cyberattacks.

Take the widespread Hafnium attacks exploiting Microsoft Exchange Servers last year. These were a series of new, unattributed campaigns that were identified and disrupted by Darktrace's unsupervised ML in real time across many of its customer environments without any prior threat intelligence associated with these attacks. In contrast, other organizations were left unprepared and vulnerable to the threat until Microsoft disclosed the attacks a few months later.

This is where unsupervised ML works best — autonomously detecting, investigating, and responding to advanced and never-before-seen threats based on a bespoke understanding of the organization being targeted.

At Darktrace, we have tested this AI technology against offensive AI prototypes at our AI research center in Cambridge, UK. Similar to ChatGPT, these prototypes can craft hyperrealistic and contextualized phishing emails and even select a fitting sender to spoof and fire the emails away.

Our conclusions are clear: As we start to see attackers weaponizing AI for nefarious purposes, we can be certain that security teams will need AI to fight AI.

Unsupervised ML will be critical because it learns on the fly, building a complex, evolving understanding of every user and device across the organization. With this bird's-eye view of the digital business, unsupervised AI that understands "you" will spot offensive AI as soon as it starts to manipulate data and will make intelligent microdecisions to block that activity. Offensive AI may well be leveraged for its speed, but this is something that defensive AI will also bring to the arms race.

When it comes to the war of algorithms, taking the right approach to ML could be the difference between a robust security posture and disaster.

**About the Author**

    

Tony Jarvis is Director of Enterprise Security, Asia-Pacific and Japan, at Darktrace. Tony is a seasoned cybersecurity strategist who has advised Fortune 500 companies around the world on best practice for managing cyber-risk. He has counseled governments, major banks, and multinational companies, and his comments on cybersecurity and the rising threat to critical national infrastructure have been reported in local and international media, including CNBC, Channel News Asia, and The Straits Times. Tony holds a BA in Information Systems from the University of Melbourne.

A New Era Is Dawning in Cybersecurity, but Only the Best Algorithms Will Win

Security professionals must update their skill sets and be proactive to stay ahead of cybercriminals. It's time to learn to think and act like an attacker to cope with the cyber "new normal."

2022 was a turbulent year for cybersecurity teams. Through the pandemic, cybercriminals took advantage of misaligned networks as businesses moved to remote work environments. Attacks globally increased by 125% through 2021 and continued upward in 2022. 

It's clear old practices are no longer working. Defensive, reactive, and recovery postures aren't fit-for-purpose in the face of an ever-evolving wave of sophisticated attacks. Outmanned, underskilled, and overwhelmed security teams are at the breaking point as they struggle to cope with this cyber "new normal."

A new proactive offensive approach is needed to take the fight to cybercriminals rather than waiting to be hit. For security professionals, this means learning to think and act like a hacker.

Only by understanding the latest techniques and methods being used by bad actors, and continuously updating your skill set accordingly, can you hope to stay ahead of cybercriminals and find system vulnerabilities before they do.

The hacker mindset isn't _just_ for frontline security teams, though. It should be an organizational-wide shift in approach that's all about looking ahead, using out-of-the-box thinking, and responding to threats creatively.

So this could be the HR team "hacking" its recruitment process by removing restrictive hiring criteria to unlock a new pool of cyber talent, just as much as it could be the cybersecurity team hacking its own network to find flaws in the code.

I've identified several potential danger areas that I believe will present challenges to businesses this year.

**AI Algorithms**

AI has made it onto the front pages recently with the success of ChatGPT and social media users sharing their new Lensa avatars across platforms. It's safe to say that AI has reached consumers on all fronts and mass adoption isn't unrealistic. At the same time, AI adoption within businesses has skyrocketed and will continue to do so. The cyber-risk with AI is that it's an algorithm and, like any algorithm, it can be manipulated and hacked into.

Even a tiny change to AI can affect the output, and, generally, AI algorithms aren't able to provide the reasoning behind their conclusions. Therefore, any manipulation to AI can be very difficult to detect. On a small scale, this means tampered algorithms could overwhelm companies relying on AI-generated insights. On a larger, more dramatic scale, if cybercriminals learn how to hack into Facebook, Instagram, or Alexa algorithms, they could manipulate individuals.

**Targeting of On-Premises Data Centers**

2022 was a tough year for businesses, with the cost-of-living crisis crippling companies worldwide. One of the ways businesses are trying to cut costs is by moving back from cloud to on-premises storage. Cloud infrastructure on its own can be relatively affordable for businesses, but the cloud, configuration, architecture, and security skills required to run the infrastructure can be expensive.

However, for most smaller companies, the cloud can be more secure than on-premises data centers. But for these same companies, properly securing on-premises data centers can be overlooked, and if businesses are vulnerable, hackers will pounce. The reverse cloud migration means businesses will also need to dust off old security skills.

This year, I expect to see a growing demand for retro cybersecurity skills, as businesses revert to old, cheaper ways of working while cybercriminals use modern skills to hack into legacy technology.

**Internet of Things Devices: A Cybercriminal Playground**

This year, the number of IoT-connected devices is expected to increase to 43 billion worldwide, up by over 13% from 2022. This rate of growth is due to new sensors, more computing power, and reliable mobile connectivity across the world creating greater accessibility. In the UK alone, the average home has 10 connected IoT devices, and as adoption soars, security risks swell. This growth isn't only in the home with smart TVs, speakers, and cameras. Increasingly, business leaders are noting the power of IoT and embracing a number of new connected devices.

Yet, IoT devices are an easy target for cybercriminals, as they're vulnerable to network attacks. A threat actor could exploit an IoT device as an entry point, using it as a stepping-stone to launch a more sophisticated ransomware attack. More worryingly, cybercriminals could use IoT devices to inflict physical harm. For example, if solutions like smart locks or electronic doors are tampered with, this could represent a real risk to human life.

In short, if left unprotected, IoT devices could become a cybercriminal playground in 2023. That's why we'll see the emergence of IoT penetration testing and a greater effort to educate consumers on the vulnerability of their own devices.

**Cyberattacks Will Focus on Smaller Enterprises**

While high-profile ransomware attacks always make the headlines, I believe small to midsize enterprises (SMEs) will bear the brunt of cybercriminals' malice this year. The fact is many SMEs lack the budget for standard enterprise security practices. As recession looms, it's unlikely there will be further investment to resolve it this year, leaving businesses more vulnerable than ever.

SMEs are already an easy target for socially engineered phishing attacks, but this year cybercriminals will spot the weak links. This could cripple SMEs and lead to a domino effect among smaller businesses.

**Staff Training Is Key**

2023 has the potential to be a dark year for cybersecurity, which is why it's important for companies of all sizes to make sure their teams are trained with the latest skills (old and new) to fight cybercriminals. As the cyber-professional shortfall stands at 3.4 million, businesses must focus on reskilling and upskilling existing as well as new staff, and this training needs to be practical. Cybersecurity professionals must prevent and respond to attacks with real-life experience to be prompt and effective in their work. With hands-on training that goes beyond theory, they can evaluate attacks in real time, and know what needs to be done to prevent it.

Although budgets are tight, this isn't the time to cut back on security. Instead, more investment is desperately needed to prepare the cyber workforce of the future and protect businesses now.

Why Businesses Need to Think Like Hackers This Year

Standalone product provides permission insights for Active Directory security and compliance.

**MIAMI****,** **Jan. 17, 2023** **/PRNewswire-PRWeb/ --** Cygna Labs, a highly specialized software developer with a focus on serving enterprises worldwide and a leading provider of DDI, cloud security, and compliance technology, announced today the launch of a new standalone product Entitlement and Security for Active Directory, providing the ability to gather and report on the latest or historical point in time collections of Active Directory (AD) entitlements and group membership. Request a trial license key at https://cygnalabs.com/en/free-trial/ to evaluate the product.

Key benefits of Entitlement and Security for Active Directory include:

*   User and Group Access – Identify users or groups that have access rights in the environment and enable the verification of the appropriate permissions set for their role. Ensures permissions have been revoked for role changes or when someone leaves the organization.
*   Powerful Search Tools – Leverage the built-in Security Audit Reports to answer common inquiries or use the Entitlement Browser to search or create security audit reports interactively. The Security Permissions Search identifies permissions that are set too broad, such as everyone with full control permissions.
*   Permissions on AD Objects – Identifies the true effective permissions on AD objects and what has been set directly or expanded to all trustees.

Christian Ehrenthal, CEO, Cygna Labs, said, "Active Directory is the primary method to provide authentication and authorization at 90 percent of the Global Fortune 1000 companies and most organizations of all sizes. With Entitlement and Security for Active Directory, our customers worldwide can now take advantage of this critical insight to ensure continuous data protection and minimize the risk of business disruptions."

Morgan Holm, VP of security and compliance products, Cygna Labs, said: "AD security issues can result in costly service disruptions and potential data breaches or even non-compliance. Providing insight on entitlements, security and activities is key to our customers. Entitlement and Security for Active Directory provides complete visibility on access and activities to keep key on-prem and cloud systems operational and secure."

About Cygna Labs 

Cygna Labs is a software developer and one of the top three global DDI vendors. Many Fortune 100 customers rely on Cygna Labs' DDI products and services, in addition to its industry-leading security and compliance solutions, to detect and proactively mitigate data security threats, affordably pass compliance audits, and increase the productivity of their IT departments. For more information, visit https://cygnalabs.com.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cygna Labs Introduces Entitlement and Security for Active Directory

Two of the vulnerabilities — in Azure Functions and Azure Digital Twins — required no account authentication for an attacker to exploit them.

Microsoft has fixed vulnerabilities in four separate services of its Azure cloud platform, two of which could have allowed attackers to perform a server-side request forgery (SSRF) attack — and thus potentially execute remote code execution — even without authentication to a legitimate account, researchers have found.

Researchers from Orca Security identified four Azure services vulnerable to SSRF — Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, they revealed in a blog post published Jan. 17. Further, they were able to exploit the flaws in Azure Functions and Azure Digital Twins by sending requests in the server's name even without having to authenticate to an Azure account, they said.

An SSRF allows an attacker to abuse a server-side application by making requests to read or update internal resources as well as submit data to external sources. This can allow for a host of disruptive activity on the network, including for threat actors to launch various attacks.  

This type of attack can be particularly dangerous in a cloud environment if attackers can use it to access the host’s Cloud Instance Metadata Service, or IMDS, "which exposes detailed information on instances — including host name, security group, MAC address, and user-data," explained Lidor Ben Shitrit, cloud security researcher at Orca Security, in the blog post. This allows attackers to retrieve tokens, move to another host, and even execute code, he added.

**Built-In SSRF Mitigations**

Fortunately in the case of the SSRF vulnerabilities discovered in Azure, the researchers could not exploit them to reach IMDS endpoints thanks to various SSRF mitigations — including setting specific requirements for accessing the IMDS endpoint and requiring an "Identity Header" for the App Service and Azure Functions — that Microsoft already has put in place on their cloud environment, they said.

"By implementing these measures, Microsoft has significantly reduced the potential damage of SSRF attacks on its Azure platform," Shitrit wrote.

However, the flaws still could have been exploited to perform other threat activity, he said. This includes scanning local ports and finding new services, endpoints, and files, thus "providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of potential information to target," Shitrit wrote in the blog post.

"The biggest takeaway ... is that a cloud service, if not properly secured, could be exploited by malicious actors as a means to discover sensitive internal endpoints and other services," he tells Dark Reading. This can result in a significant cloud security breach, Shitrit says.

The researchers discovered the four flaws separately over a two month period between mid-October and mid-December, and disclosed each of them to Microsoft soon after they were discovered. In each case, the company responded quickly, taking between days or weeks to mitigate them individually. At this time, no further customer action is required, and researchers have seen no sign that the flaws were exploited in the wild, Shitrit said.

**Full SSRF Potential**

There are three types of SSRF flaws, the researchers said. Blind SSRF allow an attacker to manipulate a server to make requests but do not elicit a response from a server — making it difficult to determine the success of an attack. Semi-blind SSRF is similar in its ability to make server requests, but an attacker does receive some response from the server that allows for limited information-gathering on the target system.

The four Azure SSRF flaws identified by the researchers fall into the third category of SSRF, called non-blind or full SSRF — the most potent type of attack scenario for a threat actor, the researchers said.

This type of attack occurs when an attacker can manipulate a server to make requests and receive the full response from the server, allowing an attacker to gather more information about the target system to potentially launch further attacks, Shitrit said.

"To give you an idea of how exploitable these vulnerabilities are, non-blind SSRF flaws can be leveraged in many different ways — including SSRF via XXE, SSRF via SVG file, SSRF via proxy, SSRF via PDF rendering, SSRF via vulnerable query string in the URL — and many more," he wrote in the blog post.

**Protection and Mitigation**

No matter what type of SSRF vulnerability is present on a server, each must be treated seriously by organizations because any type can be used to gain unauthorized access to sensitive information or launch further attacks against a target, the researchers said.

"Therefore, it is important for organizations to properly secure their servers and networks to prevent these types of attacks," Shitrit wrote in the blog post.

Shitrit made two specific recommendations for security teams to mitigate risks from SSRF vulnerabilities. The first is to "never trust user input," he says, because it could be an attempt to commit SSRF, he said.

"In this case, I saw that the internal requests sent by the server could be manipulated by the user in order to reach the internal requests/endpoints so they could reach undesired locations," Shitrit tells Dark Reading.

The second mitigation is to set and define an allow list/whitelist of URLs that can join a server, he advises. This will ensure that if a user with nefarious intent is tapping an unauthenticated SSRF to manipulate a request, the endpoint will return a "not allowed" error, Shitrit says.

Microsoft Patches 4 SSRF Flaws in Separate Azure Cloud Services

Following these basic cybersecurity hygiene policies can help make data more secure and protect colleges and universities from becoming the next ransomware headline. The steps aren't complicated, and they won't break the bank.

Colleges and universities have recently seen a striking increase in cyberattacks, especially ransomware attacks. A study by Sophos (PDF) conducted in January and February 2022 found that 64% of higher education organizations had been hit by ransomware attacks during the previous year, a significant jump from 44% the year before. Why was there such an increase?

For starters, higher-ed institutions hold a lot of sensitive data, including personal and financial information on students and their parents. Many universities also work with government agencies on cutting-edge research, which draws the interest of nation-state actors. Part of the vulnerability problem also stems from the collegial nature of higher ed, where information is meant to be shared.

But one of the biggest reasons educational organizations have become such a popular mark is that they are easy targets. Institutions often struggle with cybersecurity basics in terms of weak policies, procedures, and defensive tools. Smaller colleges and universities often don't have dedicated information-security staff, security budgets are slim, and, in at least one institution, there was faculty resistance to endpoint detection and response (EDR) software due to privacy concerns. Higher ed also struggles with the IT talent-retention problem seen in other industries.

Weak security practices, a wide range of vulnerabilities, and slow remediation times combine to make higher education institutions a potentially profitable target for attackers. According to that same Sophos report, ransomware attacks against higher education organizations pay off attackers at a higher rate than targets in other sectors — with 74% of ransomware attacks succeeding in encrypting data, as opposed to less-successful attacks on sectors such as healthcare (61%) or financial services (57%).

**Five Steps to Improve Defenses**

Security budgets and the realities of academic life may not change for organizations anytime soon, but that doesn't mean institutions can't implement changes that will make their data more secure. Here are five solid steps schools can take now to improve their defenses.

**

**1\. Implement Multifactor Authentication**

One of the most important steps organizations can take is implementing multifactor authentication (MFA), particularly considering the increased use of remote access in the pandemic era. Widely available tools make it trivially easy for a criminal group to find soft targets that only require a username and password to gain entry to a network. By using stolen credentials, guessing commonly used passwords, or successfully phishing faculty and staff, they can look like an authorized user and bypass many controls.

**2\. Test and Protect Your Backups**

Reliable backup systems are essential these days, especially with the rise in ransomware attacks. Before ransomware operators let an organization know they've been attacked, they look to find and destroy backup data. By encrypting or corrupting backup data, they reduce the likelihood of the target successfully surviving the attack without paying the ransom.

Protected backup systems, maintained separately from the rest of the network, enable effective recovery strategies and can (in some scenarios) allow organizations to refuse to pay a ransom. Immutable storage is also available from the major cloud providers, which prevents data from being modified or destroyed — even by administrators — over a set period.

**3\. Prioritize Patch Management**

Applying updates and security patches in a timely manner is a basic step that organizations often overlook, leaving gaps in their network protection.

Bad patch management can be blamed on several factors, such as overburdened IT teams or a reluctance to deal with downtime ("we'll do it over the break"). But the biggest cause of bad patch management is that many teams simply don't have a routine process for patching. In many cases, teams apply and manage patches on an emergency basis, which is often too little, too late.

Establishing a patch management schedule — and sticking to it — can reduce security risk and provide greater stability for your environment.

**4\. Eliminate Local Admin Rights, Manage Global Admin Rights**

Giving administrator rights to users who don't need them is a widespread problem that makes life easier for attackers. Compromising super-users' credentials gives attackers free rein to move about the network, install applications, change configurations, and steal or encrypt data.

Maintain good management of user accounts with powerful permissions across the network (e.g., Domain Admins in a Microsoft domain). This includes monitoring membership of powerful groups and changing passwords of powerful accounts when someone who knows those passwords is terminated.

**5\. Know What Your Network Looks Like**

A good way to assess your security posture is to understand how your network looks to an attacker. They should only see websites — not file servers, admin consoles, databases, or anything else that might be on an internal network. Regularly scanning Internet-facing systems can help organizations know and limit their exposure. Universities can find myriad open source tools and commercial solutions that do an excellent job of assessing network risk factors. Vulnerability scanning is also freely available from some state governments and the US Cybersecurity & Infrastructure Security Agency.

****Good Cybersecurity Hygiene Isn't Expensive**

Higher-education institutions are a big target primarily because they have a lot of sensitive information and are usually underresourced. But colleges and universities can protect themselves by following basic cybersecurity hygiene. The five steps listed above aren't complicated or expensive, but they're often ignored. Following those steps can help schools avoid becoming the next ransomware headline.

Source

DARKReading