Introduction

UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of “0ktapus,” “Octo Tempest,” “Scatter Swine,” and “Scattered Spider,” and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse.…

Read More

Summary: A proof-of-concept exploit for a Veeam Backup Enterprise Manager authentication bypass flaw (CVE-2024-29849) has been publicly released, highlighting the need for immediate security updates.

Threat Actor: Remote unauthenticated attackers

Victim: Veeam Backup Enterprise Manager users

Key Point:

A proof-of-concept exploit for the Veeam Backup Enterprise Manager authentication bypass (CVE-2024-29849) has been publicly released.…
Read More

Summary: Microsoft has officially deprecated NTLM authentication on Windows and Windows Server, urging developers to move to Kerberos, or to the Negotiate package (which selects Kerberos where it is available and falls back to NTLM only where it is not).

Threat Actor: N/A

Victim: N/A

Key Point:

Microsoft has deprecated NTLM authentication on Windows and Windows Server and recommends Kerberos or Negotiate authentication instead.…
Read More
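Before NTLM can actually be switched off, an estate needs an inventory of what still uses it, and NTLMv1 in particular. The following is an added example, not part of the news item and not Microsoft's own tooling: it parses successful-logon events (Security event 4624) in the text layout that `wevtutil qe Security /f:text` produces, counts NTLM logons per account and singles out NTLMv1. The events are constructed for the demonstration; only the field labels are the standard ones.

```python
"""Inventory NTLM use from Windows Security event 4624 before disabling it.

Added example (not Microsoft tooling). Input is the text form of 4624 events;
the sample below is constructed, not real telemetry.
"""
import re
from collections import Counter

# Constructed sample: three successful logons, two of them via NTLM.
SAMPLE_EVENTS = """\
Event ID: 4624
  Account Name: svc_backup
  Logon Type: 3
  Workstation Name: FILESRV01
  Source Network Address: 10.20.30.41
  Authentication Package: NTLM
  Package Name (NTLM only): NTLM V1
Event ID: 4624
  Account Name: alice
  Logon Type: 2
  Workstation Name: WS-ALICE
  Source Network Address: -
  Authentication Package: Kerberos
  Package Name (NTLM only): -
Event ID: 4624
  Account Name: bob
  Logon Type: 3
  Workstation Name: APP02
  Source Network Address: 10.20.30.77
  Authentication Package: NTLM
  Package Name (NTLM only): NTLM V2
"""

# "Label: value" lines; the lazy key match stops at the first colon, so
# values containing colons (timestamps) are kept whole.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")


def parse_events(text: str) -> list[dict]:
    """Split the text export into one dict of fields per event."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Event ID":            # a new event starts here
            current = {"Event ID": val}
            events.append(current)
        elif current is not None:
            current[key] = val
    return events


def ntlm_findings(events: list[dict]):
    """Return (ntlmv1_logons, ntlm_logons_per_account) for 4624 events.

    ntlmv1_logons is a list of (account, source address) pairs: these are the
    first thing to remove, because NTLMv1 is trivially crackable and relayable.
    """
    ntlmv1 = []
    per_account = Counter()
    for ev in events:
        if ev.get("Event ID") != "4624":
            continue
        if ev.get("Authentication Package") != "NTLM":
            continue                      # Kerberos / Negotiate-resolved-to-Kerberos
        per_account[ev.get("Account Name", "?")] += 1
        if ev.get("Package Name (NTLM only)", "").upper() == "NTLM V1":
            ntlmv1.append((ev.get("Account Name"), ev.get("Source Network Address")))
    return ntlmv1, per_account


if __name__ == "__main__":
    v1, by_account = ntlm_findings(parse_events(SAMPLE_EVENTS))
    print("NTLMv1 logons:", v1)
    print("NTLM logons per account:", dict(by_account))
```

For a domain-wide view, the GPO "Network security: Restrict NTLM: Audit NTLM authentication in this domain" makes domain controllers log event 8004 in the Microsoft-Windows-NTLM/Operational channel, which identifies the client, the server and the account for every NTLM authentication the DC sees; the same parsing approach applies.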

Summary: The content discusses the prevalence of account takeover attacks and their impact on organizations, based on a survey conducted by Abnormal Security.

Threat Actor: N/A

Victim: Organizations

Key Point:

83% of organizations experienced at least one account takeover in the past year. 77% of security leaders rank account takeover attacks among their top four cyber-threats.…
Read More
tl;dr

Huntress uncovered the infrastructure of a mass phishing campaign including potentially novel tradecraft that combines HTML smuggling, injected iframes, and session theft via transparent proxy. This technique allows an attacker to steal credentials and bypass MFA if a victim logs into a transparently proxied, locally rendered iframe of the Outlook login portal.…

Read More

Summary: This content discusses an authentication bypass vulnerability (CVE-2024-4985) recently fixed by GitHub. It affects GitHub Enterprise Server instances that use SAML single sign-on with the optional encrypted assertions feature enabled; instances that do not use SAML SSO, or use it without encrypted assertions, are not affected.

Threat Actor: N/A

Victim: GitHub Enterprise Server instances

Key Point:

An authentication bypass vulnerability (CVE-2024-4985) was fixed by GitHub; it affects GitHub Enterprise Server instances using SAML single sign-on with encrypted assertions enabled.…
Read More

Summary: This content discusses the features and functionality of Authelia, an open-source authentication and authorization server that offers 2FA and SSO for applications through a web portal.

Threat Actor: N/A

Victim: N/A

Key Points:

Authelia is an open-source authentication and authorization server that provides 2FA and SSO for applications through a web portal.…
Read More

Summary: This content discusses why adequate identity and access management (IAM) policies, specifically for authentication and authorization, matter for keeping applications and incident-management tooling secure while an incident is being handled.

Threat Actor: N/A

Victim: N/A

Key Point:

Adequate identity and access management (IAM) policies covering both authentication and authorization are critical for incident management tooling.…
Read More

Threat Actor: Unknown

Victim: Department of International Trade Promotion (DITP)

Price: Not specified

Exfiltrated Data Type: Personally Identifiable Information (PII)

Additional Information:

The data breach occurred in June 2023. The compromised data includes first names, last names, usernames, national ID numbers, DITP IDs, Single Sign-On (SSO) IDs, phone numbers, email addresses, company names, exporter details, addresses, passwords, password salts, and other user information.…
Read More

Summary: This content discusses the risks associated with authentication tokens and their importance in cybersecurity.

Threat Actor: N/A

Victim: N/A

Key Point:

Authentication tokens (session tokens) are what a system accepts as proof of a completed login for subsequent requests. If tokens are not expired regularly or bound to the device they were issued to, a stolen token gives a threat actor access to corporate systems without having to repeat multifactor authentication.…
Read More
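The two controls the key point above names, regular expiry and device binding, look like this in a server-side session store. This is an added illustration, not code from the article: the in-memory dictionary, the TTL values and the fingerprint inputs are assumptions, and a production deployment would use a shared store and a stronger device signal than the User-Agent (an mTLS client certificate thumbprint or a device-bound key).

```python
"""Session tokens with absolute/idle expiry and device binding.

Added example, not the article's code. Assumes a single-process in-memory
store; TTLs and fingerprint inputs are illustrative choices.
"""
import hashlib
import hmac
import secrets
import time

ABSOLUTE_TTL = 8 * 3600   # assumed hard lifetime in seconds: re-login (and MFA) after this
IDLE_TTL = 30 * 60        # assumed inactivity timeout in seconds


def device_fingerprint(user_agent: str, device_id: str) -> str:
    """Hash of client attributes that must stay constant for the session's life.
    Inputs are assumptions; prefer an mTLS certificate or device-bound key in practice."""
    return hashlib.sha256(f"{user_agent}\x00{device_id}".encode()).hexdigest()


class SessionStore:
    """In-memory store keyed by sha256(token); a clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is kept, so a dumped store yields nothing replayable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, fingerprint: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy
        now = self._clock()
        self._sessions[self._key(token)] = {
            "user": user, "fp": fingerprint, "issued": now, "last_seen": now,
        }
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def validate(self, token: str, fingerprint: str):
        """Return the user if the token is live and presented from the device it
        was bound to; otherwise revoke it and return None."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        now = self._clock()
        if now - rec["issued"] > ABSOLUTE_TTL or now - rec["last_seen"] > IDLE_TTL:
            self.revoke(token)          # expired: force a fresh login, including MFA
            return None
        if not hmac.compare_digest(rec["fp"], fingerprint):
            self.revoke(token)          # presented from another device: treat as stolen
            return None
        rec["last_seen"] = now          # sliding window advances only on valid use
        return rec["user"]


if __name__ == "__main__":
    store = SessionStore()
    fp = device_fingerprint("Mozilla/5.0", "laptop-01")
    tok = store.issue("alice", fp)
    print(store.validate(tok, fp))                                   # alice
    print(store.validate(tok, device_fingerprint("curl/8.0", "x")))  # None: mismatch revokes
    print(store.validate(tok, fp))                                   # None: already revoked
```

Revoking on a fingerprint mismatch, rather than merely rejecting the request, is deliberate: a token showing up from a second device is the signature of the theft scenario the key point describes, and the legitimate user losing one session is cheaper than the attacker keeping it.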

Summary: Scattered Spider, a threat actor group, is targeting companies in the finance and insurance industries using convincing lookalike domains and login pages, as well as SIM swapping attacks, to gain access to sensitive corporate data and assets.

Threat Actor: Scattered Spider

Victim: Multiple companies in the finance and insurance industries

Key Point:

Scattered Spider is aggressively targeting companies in the finance and insurance industries using convincing lookalike domains and login pages.…
Read More

Summary: This article explains the FIDO2 authentication method, what it is meant to replace, and how its origin-bound challenge-response protects against phishing and credential replay. It also examines where a man-in-the-middle can still gain a foothold (the session established after a successful FIDO2 login, rather than the authentication itself) and provides mitigation strategies.

Threat Actor: N/A

Victim: N/A

Key Point:

FIDO2 is a modern authentication method designed to replace passwords and provide a secure way to authenticate using physical or embedded keys.…
Read More
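To make concrete what origin binding buys against the lookalike login pages in the Scattered Spider item above, here is an added example (not the article's code) of the relying-party checks WebAuthn requires on the authenticator's clientDataJSON and authenticatorData. The RP ID, the allowed origin and the constructed client-data blobs are assumptions standing in for a real browser and authenticator; signature verification over authenticatorData || sha256(clientDataJSON) is omitted because it needs the registered public key.

```python
"""Relying-party checks that make a proxied lookalike origin fail FIDO2 login.

Added example. RP ID, origins and the client-data blobs are constructed
stand-ins for a real browser and authenticator.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed; lookalikes are not in this set


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would build.
    The browser, not the page, fills in 'origin', which is why a phishing page
    cannot lie about it."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (UP|UV) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """Return (ok, reason). Performs the WebAuthn type/challenge/origin/rpIdHash
    checks; signature verification is left out (needs the stored public key)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge must be the one this RP issued for this login attempt (replay defence).
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    # Origin is written by the browser from the page's actual URL: a proxied
    # lookalike such as https://login-example.com shows up here and is rejected.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    auth = make_authenticator_data(RP_ID)
    print(verify_assertion(make_client_data(challenge, "https://login.example.com"), auth, challenge))
    print(verify_assertion(make_client_data(challenge, "https://login-example.com"), auth, challenge))
```

The origin check is the whole reason a transparent-proxy phishing kit cannot relay a FIDO2 assertion: the browser records the URL the victim actually visited, and the RP compares it to its own. What the check does not cover is the cookie or bearer token the RP issues after this function returns `ok`; that token is an ordinary session token, and protecting it is the expiry and device-binding problem discussed in the authentication-tokens item above.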


Executive Summary

Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. Organizations often store a variety of data in SaaS applications and use services from CSPs.…

Read More

Summary: This article discusses LSA Whisperer, an open-source tool designed to interact with authentication packages and recover credentials from the Local Security Authority Subsystem Service (LSASS) without accessing its memory.

Threat Actor: N/A

Victim: N/A

Key Point:

LSA Whisperer is a tool developed by SpecterOps that recovers various types of credentials from LSASS by interacting with its authentication packages rather than by reading the process's memory.…
Read More

Organizations are increasingly turning to cloud computing for IT agility, resilience and scalability. Amazon Web Services (AWS) stands at the forefront of this digital transformation, offering a robust, flexible and cost-effective platform that helps businesses drive growth and innovation. 

However, as organizations migrate to the cloud, they face a complex and growing threat landscape of sophisticated and cloud-conscious threat actors.…

Read More

Summary: The threat actor known as Muddled Libra is actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments to exfiltrate sensitive data, using sophisticated social engineering techniques and reconnaissance tactics.

Threat Actor: Muddled Libra

Victim: Various organizations using SaaS applications and CSP environments

Key Points:

Muddled Libra targets SaaS applications and CSP environments to exfiltrate sensitive data.…
Read More

A proxy server is an intermediary system that sits between end users and the websites or services they access online. It provides functions like web filtering, enhanced security, and data caching to improve network performance. Proxies also help in masking user IP addresses, enabling anonymous web browsing and managing internet usage within an organization.…

Read More