Prescription orders across the United States are reportedly being delayed after a cyber attack impacted a healthcare technology firm that supplies services to pharmacies, including CVS Health.
Read more in my article on the Hot for Security blog.
The UK’s ICO has ruled Serco Leisure’s use facial recognition technology and fingerprint scanning to monitor employee attendance is in breach of data protection law
Check out my “live reaction” (isn’t that what all the kids post on social media these days?) to the much-hyped revelation of the identity of the LockBit ransomware’s administrator.
A vulnerability has been discovered in the Apache OFBiz, which could allow for remote code execution. Apache OFBiz is an open source product for the automation of enterprise processes. It includes framework components and business applications for ERP, CRM, E-Business/E-Commerce, Supply Chain Management and Manufacturing Resource Planning. Successful exploitation could allow for remote code execution in the context of the Server. Depending on the privileges associated with the logged on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Businesses across multiple industries, regardless of size, are at risk of being targeted with Microsoft 365 phishing campaigns. These campaigns trick users into visiting fake Microsoft login page where threat actors capture the user’s credentials. Even accounts with MFA can be victim to these types of attacks. There are several ways in which MFA is being bypassed with these types of campaigns.
MFA Fatigue is one of the ways threat actors are bypassing MFA and this method attempts to exploit human error by repeatedly logging in with the stolen credentials causing an overwhelming number of MFA prompts in attempts to get the user to approve the login.
Another MFA bypass technique is SIM Swapping. A SIM card is a small chip that your mobile carrier uses to hold identification information to tie your phone to you and your mobile carrier. Threat actors have found a weakness in this because there are scenarios where a customer may need a new SIM card (for example, they lost their phone). Carriers can transfer your identification information from your old SIM card to new one. SIM Swapping is when a threat actor abuses this feature and impersonates you to convince your mobile carrier to switch your phone number to a SIM card that is in the threat actor’s possession. This then allows the threat actor to receive MFA codes sent to your number via phone call or SMS.
Man in the Middle Attacks are another notable MFA bypass technique. With this method, threat actors will wait for a user to enter credentials into a fake login page, then wait for you to allow the login with a push notification or steal the session or token after you enter in your code.
After gaining access to an O365 account, the threat actor typically does some reconnaissance on the user’s inbox and then will use the access to the user’s account to try to phish other users, typically with a financial motive. We commonly see inbox rules abused to try to hide the emails, so the user is unaware of the emails coming from their account.
24/7/365 Monitoring and Threat Detection such as Vertek’s Managed AlienVault Services
· AlienVault Unified Security Management uses a User Behavior Analytics platform to detect anomalous M365 logins by tracking user behaviors and login data.
· Enabling anomaly detection policies in Microsoft’s Defender for Cloud Apps. These alerts can be enabled in Defender, and then pulled into USM Anywhere where alerts can be investigated by Vertek’s SOC team when they occur.
· Custom alerts to alarm on suspicious logins and inbox rules.
· Monthly reporting to identify risky users and missing security controls.
· Implementing regular user training, so users can identify phishing attempts and understand the importance of good passwords and only approving logins if they know the sign-in is legit.
· Leveraging Microsoft tools to flag users that have been phished as risky users.
· Disabling legacy protocols as they are favored in credential attacks because they cannot enforce MFA.
· Utilize Microsoft Intune or other mobile device management (MDM) tools to block sign-ins from unregistered devices.
· Using a Managed Threat Intelligence service that helps your organization identify risky users by using Dark Web monitoring tools to identify leaked credentials.
Cybereason found that 78% of organizations who paid a ransom demand were hit by a second ransomware attack, often by the same threat actor
This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-27325.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-27326.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-27327.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-1863.
