
Steve Prentice
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, December 13, 2024. I'm Steve Prentice.

Microsoft MFA bypassed in Authquake attack

Researchers at Oasis Security presented details of an attack technique that could have given threat actors access to Outlook emails, OneDrive files, Teams chats and Azure Cloud instances. Needing only one hour on average to execute, it required no user interaction and would not trigger any notification to the victim. This attack is based on exploitation of the Authenticator app process, in which a user obtains a six-digit MFA code on their app. The researchers saw that one session supports up to 10 failed attempts to prevent brute-force attacks, but they then saw that an attacker could execute multiple attempts simultaneously, enabling them to go through possible combinations relatively fast. Oasis named this attack method Authquake, A-U-T-H-Q-U-A-K-E, and reported it to Microsoft in late June. A temporary fix was deployed a few days later, followed by a permanent fix in October.

Cybercrime marketplace Rydox taken down

The Justice Department announced yesterday that it had participated in a coordinated international mission to seize Rydox, spelled R-Y-D-O-X, an online marketplace that has been linked to sales of sensitive data such as credit card information, login credentials and other PII stolen from thousands of US residents. The FBI's Pittsburgh office worked alongside Albania's special anti-corruption body, its National Bureau of Investigation, Kosovo's Special Prosecution Office and police, and the Royal Malaysian Police. Two individuals were apprehended in Kosovo and will be extradited to Pennsylvania to face charges, while another, detained in Albania, will be prosecuted there.

US charges Chinese national for hacking thousands of Sophos firewall devices

Guan Tianfang works at Sichuan Silence Information Technology Company and now faces charges for developing and testing a zero-day exploit used to compromise approximately 81,000 firewalls. He, along with some accomplices, exploited an SQL zero-day vulnerability to deploy malware that stole and encrypted files to block remediation attempts. Sophos was informed of the attacks by one of its customers on April 22, 2020. An investigation determined that hackers targeted systems configured with either the administration HTTPS service or the user portal exposed on the WAN zone. They then exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

Thanks to today's episode's sponsor, ThreatLocker

Do zero-day exploits and supply chain keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com, that's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Prometheus instances exposed, leaking creds and API keys

Researchers at Aqua are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial of service as well as remote code execution attacks. End quote. They continued: Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information such as credentials and API keys. According to The Hacker News, up to 296,000 Prometheus node exporter instances and over 40,000 Prometheus servers are estimated to be publicly accessible on the Internet, making them a huge attack surface that could put data and services at risk. End quote.

Texas adds Allstate-linked data broker to list of alleged privacy law violators

The Attorney General of Texas has accused the data broker Arity of sharing consumers' information without clear notice or consent. In the past six weeks, six of the mobile apps that Arity says are partners have been accused by the state of improperly sharing user data with third parties. Arity is owned by the insurer Allstate. Its official description says it sells recommendations to insurers for how to price individual customers' plans based on their driving behaviors. It gathers data through a software development kit embedded inside the mobile apps belonging to its partners.

Screen Actors Guild Health Plan sued after September data breach

This class action lawsuit follows an announcement last week that a data breach had exposed sensitive healthcare information of its union members. On December 2, the SAG-AFTRA Health Plan informed its members as well as California regulators that hackers had broken into an employee's email account in September using a phishing email. While the union health plan's systems were not breached, the email account contained emails and attachments that included some participants' names and Social Security numbers and in some cases may also have contained information associated with claims and health insurance information.

Yahoo cybersecurity team sees layoffs and outsourcing under new CTO

Yahoo's famous cybersecurity team, known as the Paranoids, has lost 25% of its staff over the last year, according to TechCrunch. The Paranoids' offensive security team, which conducts cyberattack simulations to identify weaknesses in the company's network before external hackers can, was completely eliminated this week and will now be outsourced. Valerie Liborsky, Yahoo's new chief technology officer, announced these changes in an email to staff, stating: this was a very difficult decision and one that I have not taken lightly. End quote.

As usual, we've got a busy Friday of live streams today. It starts at 1 p.m. with Super Cyber Friday, where the topic will be hacking technical debt, an hour of critical thinking about strategically modernizing your infrastructure. Then at 3:30 p.m. Eastern, we have our Week in Review show. Jimmy Sanders, President of ISSA International, will be our guest, providing his expert commentary on the news of the week. To join us for both, head on over to the events page at cisoseries.com. I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines - Detailed Summary
Podcast Information:
Overview: Steve Prentice opened the episode by discussing a significant security vulnerability discovered by Oasis Security researchers. This vulnerability, named Authquake, allowed threat actors to bypass Microsoft's Multi-Factor Authentication (MFA), potentially granting unauthorized access to various Microsoft services.
Key Points:
Attack Details: The Authquake attack targeted the Authenticator app flow in which the user receives a six-digit MFA code. Attackers could guess that code without any user interaction and without triggering any notification to the victim.
Execution Efficiency: On average, the attack required only one hour to execute. The researchers noted that while a single session allows up to 10 failed attempts to prevent brute-force attacks, attackers could run many sessions simultaneously, each with its own allowance of failed attempts, significantly speeding up the process.
Impact: Successful execution of Authquake could grant access to sensitive Outlook emails, OneDrive files, Teams chats, and Azure Cloud instances.
Mitigation: After reporting the vulnerability to Microsoft in late June, a temporary fix was deployed within days, followed by a permanent solution in October 2024.
Notable Quote:
Steve Prentice [00:00]: "This attack required no user interaction and would not trigger any notification to the victim."
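The design flaw described above, modeled as an added example that is not Oasis Security's or Microsoft's code: a toy MFA-code verifier whose lockout counter is keyed either per session (the weak design, where every new session starts with a fresh budget of failed attempts) or per user (shared across all of that user's sessions), plus a defender's check that measures how many wrong guesses each design will actually evaluate. All names (CodeVerifier, per_session, per_user, the sample code) are assumptions for this illustration.

```python
from collections import defaultdict

MAX_FAILURES = 10        # per-session cap reported for the Authquake flaw
CORRECT_CODE = "482913"  # constructed sample code, not a real secret


class CodeVerifier:
    """Toy MFA-code verifier whose lockout counter is keyed by `scope`.
    scope=per_session reproduces the weak design; scope=per_user fixes it."""

    def __init__(self, scope, code=CORRECT_CODE):
        self.scope = scope
        self.code = code
        self.failures = defaultdict(int)  # scope key -> failed attempts

    def verify(self, user, session_id, guess):
        key = self.scope(user, session_id)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"                 # refused without evaluating
        if guess == self.code:
            return "ok"
        self.failures[key] += 1
        return "wrong"


def per_session(user, session_id):
    """Weak: each new session starts with a fresh budget of guesses."""
    return session_id


def per_user(user, session_id):
    """Hardened: all sessions for one user share a single budget."""
    return user


def wrong_guesses_accepted(verifier, user, sessions):
    """Defender's check: count how many wrong codes the verifier actually
    evaluates for `user` when guesses are spread over `sessions` sessions.
    Guesses are deliberately wrong; the correct code is skipped."""
    evaluated, n = 0, 0
    for s in range(sessions):
        session_id = f"session-{s}"
        while True:
            guess, n = f"{n:06d}", n + 1
            if guess == verifier.code:
                continue
            if verifier.verify(user, session_id, guess) == "locked":
                break
            evaluated += 1
    return evaluated
```

With ten sessions the per-session design evaluates 100 wrong guesses and still accepts the correct code in an eleventh session, while the per-user design stops at 10 and refuses even the correct code afterwards. A shared counter is one mitigation; production verifiers also bound the lifetime of each code and alert on repeated failures, which this toy omits.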
Overview: The podcast highlighted the Justice Department's recent success in dismantling the cybercrime marketplace Rydox (spelled R-Y-D-O-X). This marketplace was notorious for selling sensitive data, including credit card information and login credentials.
Key Points:
International Cooperation: The FBI's Pittsburgh office collaborated with Albania's National Bureau of Investigation, Kosovo's Special Prosecution Office and police, and the Royal Malaysian Police to seize Rydox.
Data Compromised: Rydox was linked to the sale of Personally Identifiable Information (PII) stolen from thousands of U.S. residents.
Arrests: Two individuals were apprehended in Kosovo and are set to be extradited to Pennsylvania for charges. Additionally, another suspect detained in Albania will be prosecuted locally.
Notable Quote:
Steve Prentice [02:15]: "Rydox was a significant player in the cybercrime ecosystem, and its takedown marks a crucial victory in combating online illicit activities."
Overview: A Chinese national, Guan Tianfang, employed by Sichuan Silence Information Technology, has been charged with hacking approximately 81,000 Sophos firewall devices using a zero-day exploit.
Key Points:
Methodology: Guan developed and tested a zero-day exploit for an SQL injection vulnerability, which was used to deploy malware. This malware not only stole and encrypted files but also hindered remediation efforts.
Discovery: Sophos was alerted to the attacks on April 22, 2020, by a customer who noticed unusual activities.
Vulnerability Exploited: The attackers targeted systems with either the administration HTTPS service or the user portal exposed on the WAN zone, exploiting the SQL Injection vulnerability to access exposed XG devices.
Notable Quote:
Steve Prentice [05:40]: "Guan Tianfang's actions compromised a vast number of firewall devices, highlighting the persistent threat posed by zero-day vulnerabilities."
Overview: Researchers from Aqua raised alarms about the security vulnerabilities in thousands of servers hosting the Prometheus monitoring and alerting toolkit. These exposed instances could lead to information leakage and various cyberattacks.
Key Points:
Exposure Details: Approximately 296,000 Prometheus node exporter instances and over 40,000 Prometheus servers are publicly accessible on the Internet.
Risks: The lack of proper authentication on these servers allows attackers to gather sensitive information, including credentials and API keys. Additionally, exposed instances are vulnerable to denial of service and remote code execution attacks.
Attack Surface: The extensive number of exposed Prometheus instances creates a significant attack surface, potentially jeopardizing both data and services.
Notable Quote:
Steve Prentice [09:10]: "With nearly 340,000 Prometheus instances exposed, the potential for widespread data breaches and service disruptions is alarmingly high."
Overview: The Texas Attorney General has accused Arity, a data broker owned by Allstate, of sharing consumer information without adequate notice or consent. This follows recent allegations against six mobile apps associated with Arity.
Key Points:
Nature of Violations: Arity was accused of improperly sharing user data with third parties. The data collected includes driving behaviors, which were used to provide insurance pricing recommendations.
Mechanism of Data Collection: Arity gathers data through a software development kit (SDK) embedded within its partners' mobile apps.
Impact: Over the past six weeks, there have been multiple accusations against Arity's partner apps for unauthorized data sharing, raising significant privacy concerns.
Notable Quote:
Steve Prentice [12:30]: "Arity's practices underscore the ongoing challenges in ensuring consumer data is handled with transparency and consent in the evolving digital landscape."
Overview: A class-action lawsuit has been filed against the SAG-AFTRA Health Plan (Screen Actors Guild) following a data breach that exposed sensitive healthcare information of its members.
Key Points:
Breach Details: In September, hackers accessed an employee's email account via a phishing email. While the overall systems remained secure, the compromised email contained participant names, Social Security numbers, and potentially health insurance information.
Immediate Response: On December 2, the SAG-AFTRA Health Plan notified its members and California regulators about the breach.
Legal Action: The lawsuit claims negligence in safeguarding member data, highlighting the vulnerabilities posed by phishing attacks to organizational security.
Notable Quote:
Steve Prentice [15:45]: "The SAG AFTRA incident serves as a stark reminder of how phishing attacks can compromise sensitive information, even when broader systems remain intact."
Overview: Yahoo's renowned cybersecurity team, colloquially known as the Paranoids, has undergone significant restructuring, including a 25% reduction in staff and the complete elimination of the offensive security team.
Key Points:
Team Changes: The offensive security team, responsible for conducting cyberattack simulations to identify network weaknesses, has been entirely outsourced.
Leadership Statement: Valerie Liborsky, Yahoo's new Chief Technology Officer, communicated the layoffs and outsourcing decisions to staff, emphasizing the difficulty of these choices.
Implications: The downsizing and outsourcing could impact Yahoo's internal cybersecurity capabilities, potentially relying more on external partners for security assessments.
Notable Quote:
Steve Prentice [19:20]: "Valerie Liborsky described the decision to downsize the cybersecurity team as 'very difficult,' reflecting the challenges organizations face in balancing budgets with security needs."
Steve Prentice concluded the episode by announcing upcoming live streams:
Super Cyber Friday: Starting at 1 PM, focusing on "hacking technical debt" and strategic infrastructure modernization.
Week in Review Show: At 3:30 PM Eastern, featuring Jimmy Sanders, President of ISSA International, who will provide expert commentary on the week's news.
Listeners are encouraged to join these events by visiting the events page.
Conclusion: The episode of Cyber Security Headlines delivered a comprehensive overview of critical security incidents and developments from December 13, 2024. From sophisticated MFA bypass attacks to significant law enforcement actions against cybercrime marketplaces, the episode underscored the evolving landscape of cybersecurity threats and responses. Additionally, organizational changes within major companies like Yahoo highlight the ongoing challenges in maintaining robust security infrastructures.
For detailed stories behind these headlines, listeners are directed to visit cisoseries.com.