Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.

Misconfiguration in Zero-Trust Solution Could Allow Threat Actors to Bypass 2FA

The Adlumin team recently investigated a security incident in which a malicious actor(s) successfully managed to gain unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.

Background

The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.

Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) was not prompted to verify the legitimacy of the login sessions which would have protected against compromised credential-based attacks.

Investigation Findings

The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.

According to Duo’s online documentation (last updated on Jan. 29, 2024), a “New User Policy” to allow access without 2FA, does not prompt users to complete enrollment and they are granted access without two-factor authentication.1

This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.

With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.

When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.

In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely.2

Conclusion

To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.

Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.

Indicators of Compromise (IOCs)

Highlights from the New Threat Insights 2024 Volume I Report

Event details:

Thursday, April 18, 2024
1:00 PM ET

Presenters:

Mark Sangster, VP, Chief of Strategy, Adlumin
Kevin O’Connor, Director of Threat Research, Adlumin

About this Talk:

Explore the latest ransomware cyber-threat trends in this new research from the Adlumin Threat Research Team.

The Adlumin Threat Research Team has been dedicated to tracking and analyzing the most important cybersecurity trends, including ransomware. Keeping up to date with these threats can make the difference between a minor event and an operational shutdown.

Join Kevin O’Connor, Director of Threat Research, and our host, Mark Sangster, VP, Chief of Strategy at Adlumin as the pair reviews significant takeaways, trends, and vulnerabilities in the new Threat Insights 2024 Volume I report.

In this webinar, you’ll receive: • Exclusive Insights from Adlumin’s Threat Insights 2024 Volume I report • Detailed Analysis of Emerging threat trends in cybersecurity, including the latest in ransomware attacks • Strategies to implement Proactive Vulnerability Management in your cybersecurity strategy As a thank you for joining our webinar, we’ll send you our new Threat Insights 2024 Volume I report. Additionally, one lucky participant will receive a $200 Amazon gift card.

What you will learn:

  • Exclusive insights from Adlumin’s Threat Insights 2024 Volume I Report
  • Detailed analysis of emerging threat trends in cybersecurity, including the latest in ransomware attacks
  • Strategies to implement vulnerability management in your cybersecurity strategy
As a thank you for joining our webinar, we’ll send you our new Threat Insights 2024 Volume I report. Additionally, one lucky participant will receive a $200 Amazon gift card.


Additional Resources





Adlumin’s Threat Insights 2024: Volume I

Adlumin’s Threat Insights 2024 Volume I reveals significant trends and developments in threats, vulnerabilities, and cyberattacks faced by U.S. industries from December to February 2024. Discover three key threats, each presenting unique challenges to cybersecurity professionals.

Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.

Watch a Live EvilGinx Demonstration to See How Cybercriminals Bypass MFA

Event details:

Thursday, March 21, 2024
1:00 PM EST

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research

About this talk:

Cybersecurity professionals preach the power of multi-factor authentication (MFA), but what happens when a cybercriminal goes around it?

Join Adlumin’s Mark Sangster and Kevin O’Connor as they demonstrate MFA bypass techniques using EvilGinx 3. In this webinar, you’ll also see how attackers can leverage hijacked session cookies and EvilGinx phishlets to compromise user accounts and access. The pair will also dive into how to combat these attacks, along with the benefits of a fully visible network for cybersecurity.




Top 4 Cybersecurity Predictions to Be Aware of for 2024

The Adlumin Threat Research Team has peered into the future and unveiled their top predictions for the upcoming year.

With each passing year, hackers become more sophisticated and the consequences of a breach become more severe. To help organizations prepare for the challenges that lie ahead, we have compiled this list of the top four cybersecurity threats to be aware of.  

From the growing threat of Ransomware-as-a-Service (RaaS) to the increasing impact of AI tools, these predictions will arm IT Directors with the knowledge they need to protect their organization from potential risks. So, buckle up and prepare for the top four cybersecurity challenges in the new year. 

1. Increase in Ransomware-as-a-Service (RaaS) Attacks 

Ransomware attacks have become more sophisticated, causing financial, operational, and reputational damage to businesses and organizations. RaaS refers to the model where cybercriminals offer ransomware tools and infrastructure to other hackers, who then deploy the ransomware on their behalf. This has enabled malicious actors with less sophisticated technical skills to carry out ransomware attacks, and share the profits with the original creators.

The rise in RaaS actors is alarming because it lowers the barrier to entry, making ransomware attacks accessible to a broader range of cybercriminals. This means we can anticipate a surge in ransomware attacks as more individuals and groups access these tools. This trend threatens organizations of all sizes and sectors, as no one is immune to being targeted by ransomware attacks. 

2. Shift from Data Encryption to Data Extortion Ransomware 

Ransomware has been a long-standing top cybersecurity threat, but in the new year, a shift in its tactics is predicted. Traditionally, ransomware attacks involved encrypting victims’ data and demanding a ransom for release. However, cybercriminals are expected to focus on data extortion increasingly.

This shift means threat actors will also exfiltrate sensitive information from victims’ systems and encrypt data. They will then threaten to release or sell this data if the ransom is not paid. This new approach adds an extra layer of pressure on organizations to comply with the attackers’ demands, as the exposure of sensitive data can lead to severe consequences, including reputational damage, regulatory penalties, and legal liabilities. 

3. Increased Focus on Cyberattacks Against Hospitality   

This cybersecurity threat prediction for the new year highlights the potential increased focus on attacks targeting the hospitality industry and the expected rise in the sophistication of fraud schemes. As the hospitality sector relies heavily on technology and handles a vast amount of customer data, it has become an attractive target for cybercriminals. This prediction suggests that attackers will continue to exploit vulnerabilities in hotel networks, reservation systems, point of sale (POS) terminals, and other digital platforms to steal confidential information. 

For example, the Marriot Hotel has faced multiple cybersecurity breaches over the past couple of years. Their most recent breach resulted in losing 20 gigabytes of sensitive customer and employee data including credit card information in an extortion attempt.   

4. Increased Impact from Malicious AI Tools

The increased impact of malicious AI tools on both attackers and defenders is predicted to be a major cybersecurity threat. AI technology has evolved significantly, creating a new era in cyberattacks and defense strategies. Cybercriminals leverage AI tools to amplify the scale and sophistication of their attacks, making them harder to detect and mitigate. AI-powered malware can self-propagate, adapt, and evolve, posing immense challenges to traditional cybersecurity measures.

Organizations also protect themselves by using AI tools to enhance their security capabilities. AI can help identify and analyze threats in real-time, assist in incident response, and automate cybersecurity processes. However, these AI tools can generate false positives or negatives, leading to missed or misinterpreted threats and potentially unlocking vulnerabilities.

The use of AI on both sides creates a dynamic and rapidly evolving cybersecurity landscape. Attackers can leverage AI algorithms for advanced evasion techniques. On the other hand, defenders have the daunting task of keeping up with AI-powered attacks while navigating through potential inaccuracies or blind spots in their AI-enabled defense systems. 

Illuminate Threats and Eliminate Risks in 2024

The threat of data breaches and ransomware attacks loom over organizations of all sizes and sectors. It’s no longer a matter of if your organization will get breached or attacked with ransomware but rather when. The harsh reality is that no system is invincible, and cybercriminals are continually finding new ways to exploit vulnerabilities.

While it can be challenging for IT teams to keep pace with evolving threats, innovative technology solutions and security measures are available to alleviate the strain. Organizations can automate threat detection and prevention processes by leveraging advanced security solutions like a Security Operations Platform and pairing them with Managed Detection and Response (MDR) Services, effectively mitigating the risks associated with cyber attacks.

Through the use of AI and machine learning, these solutions analyze vast amounts of data, identify anomalies, and respond to potential threats in real-time, empowering organizations to defend against cyber threats proactively.  

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Unmasking the Top Ransomware Groups of 2023

Over the past year, the digital landscape has been a battleground for attacks cybersecurity threats, creating a sense of vulnerability and urgency for organizations. Adlumin’s dedicated threat research and Managed Detection and Response (MDR) teams have been at the forefront of detecting and combating these threats, witnessing firsthand the havoc they have wreaked across countless sectors.  

With ransomware groups and adversaries still on the rise and continually refining their techniques, organizations must remain vigilant and prepared for the malicious activities that lie ahead.  

As we enter the new year, we are shedding light on the top ransomware groups and emerging threats that demand our attention and resilience. 

Ransomware Group Spotlights 

BianLian   

BianLian is a versatile cybercriminal group that has expanded its tactics beyond ransomware attacks. They employ advanced techniques such as customized malware, targeted phishing, and zero-day exploit usage. The group’s expertise is in evading antivirus systems and exploiting unknown software vulnerabilities. 

The BianLian group is a serious threat and is an example of a ransomware group targeting organizations hoping to receive big payouts. 

Read Adlumin’s latest Threat Insights 2023: Volume IV to learn more about two emerging threat actors and three critical vulnerabilities.  

CL0p 

Cl0p, also known as Clop, TA505, and FIN11, is a notorious ransomware group that is known for its advanced tactics and operations. They employ a ransomware-as-a-service (RaaS) model and utilize the double-extortion data disclosure tactic. Their motivation is financial gain through extorting organizations by encrypting their data and demanding ransom payments in exchange for its release. 

Cl0p first emerged in 2019 as a variant of CryptoMix malware distributed through a large-scale phishing campaign. Over time, they have evolved into one of the most sophisticated and effective ransomware groups, frequently exploiting zero-day vulnerabilities to target and compromise numerous systems across the globe. 

Read more about the CL0P ransomware group, trends, and developments in Adlumin’s Threat Insights 2023: Volume II

LockBit 

LockBit is a ransomware group that operates as a Ransomware-as-a-Service (RaaS) model. They provide other cybercriminals, known as “affiliates,” with their ransomware tools to spread and infect victims’ systems. LockBit’s main motivation is financial gain through extortion. They target organizations, particularly in professional services like manufacturing, construction, and technology, by accessing their networks and encrypting their data.  

A ransom payment is demanded in exchange for the decryption key, threatening to leak the stolen data if the ransom is not paid. LockBit’s focus is mainly on small to medium-sized companies. However, they have also targeted larger organizations with victims in North and South America, with no clear regional pattern in targeting.  

Adlumin’s Threat Insights: Volume I give an in-depth analysis of the latest trends and an overview of the effects and recovery from recent ransomware attacks.  

Akira Ransomware 

Akira ransomware is a relatively new malware that emerged in March 2023. The threat actors behind Akira ransomware employ various tactics, such as phishing campaigns and exploiting vulnerabilities in remote monitoring and management software, remote desktop protocol, and other remote access tools. They have also been reported to exploit vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products. 

The motivation of Akira ransomware threat actors is believed to be financial gain. Like most ransomware groups, they encrypt the victim’s files and demand ransom. These ransom payments are typically made in cryptocurrencies, making tracing and identifying the perpetrators harder. 

Read more about Akira Ransomware and the examination from Adlumin’s threat research team in A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware

PlayCrypt 

Play ransomware has been a significant threat since its emergence in 2022, targeting numerous companies and government entities worldwide. This development of PlayCrypt being sold as a service means that PlayCrypt is now accessible to affiliates, essentially allowing a wider range of actors to launch highly effective attacks using this Russia-linked ransomware.  

Affiliates could include skilled cybercriminals, less experienced “script kiddies,” and individuals with varying levels of expertise. This expansion may lead to a substantial increase in the frequency of attacks using Play ransomware. 

Learn more about how Adlumin uncovered evidence that Play ransomware (PlayCrypt) is also being sold “as a service” in PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

Top Industry-Specific Threat Spotlights   

Legal Industry: Phishing 

Phishing attacks have emerged as one of the legal industry’s top cybersecurity threats. These attacks target lawyers and law firms by deceiving individuals into revealing sensitive information such as usernames, passwords, and financial details. Given the substantial amount of valuable and confidential data law firms handle, they have become prime targets for cybercriminals. 

Phishing attacks in the legal industry often take the form of scam emails, mimicking trusted sources like IT service providers, law enforcement agencies, or other professionals with whom lawyers regularly interact. These emails typically employ social engineering tactics to create urgency or manipulate emotions, tricking recipients into clicking on malicious links or downloading malware-infected attachments. 

Adlumin’s latest Threat Insights Legal Edition report details top threats and access methods the legal industry faces.  

Financial Industry: Credential Harvesting 

Financial institutions are particularly vulnerable to credential harvesting attacks because they deal with large volumes of sensitive customer information and transactions. If cybercriminals successfully harvest credentials from bank customers, they can gain direct access to their accounts, potentially leading to financial losses for the customers and the institution.  

These attacks typically start with creating fake websites that closely resemble legitimate banking or investment websites. These fake websites often utilize convincing branding, formatting, and domain names almost identical to the targeted companies. This mimicry is intended to deceive users into thinking they are logging into their actual financial accounts. 

Read more about top threats and access methods the financial industry faces in Adlumin’s latest Threat Insights Financial Edition report.  

 Education Industry: Double Extortion 

Double extortion ransomware has emerged as one of the biggest cybersecurity threats to the education sector. Cybercriminals employ this dangerous tactic to maximize their chances of profiting from malicious activities. Double extortion takes the already damaging effects of ransomware attacks to a whole new level. 

In a traditional ransomware attack, cybercriminals encrypt the victim’s data, rendering it inaccessible until a ransom is paid. However, double extortion ransomware goes a step further. Instead of relying solely on encryption to extort money, cybercriminals also threaten to publicly expose or release the stolen data unless the ransom is paid. 

Read more about how double extortion affects the education industry and mitigation strategies in Adlumin’s latest Threat Insights Education Edition report.  

How Can You Stay Protected? 

Organizations must prioritize their cybersecurity and take proactive measures to protect their sensitive data and networks. Adlumin’s Managed Detection and Response (MDR) service provides a solution to address the growing threat of ransomware and other cyber attacks.  

Here are a few recommendations from Adlumin’s Threat Research Team 

  • Third-party risk management programs should be implemented to assess and monitor the security of vendors and suppliers, and to ensure they are adhering to the same security standards as the financial institution. 
  • Implement application controls to manage and control the execution of software, including allowlisting access programs. 
  • Adopting Zero Trust Architecture, developing and implementing a Zero Trust security architecture and model for your organization can dramatically reduce the risk of unauthorized access and lateral movement within networks. This involves verifying every user and device, regardless of location.  
  • Multi-factor authentication should be implemented where possible to prevent unauthorized access if credentials are stolen. 
  • All employees should be regularly trained in essential cybersecurity best practices, including social engineering identification, phishing, password security, re-use threats, and good browsing hygiene.   

Adlumin’s Managed Detection and Response (MDR) Services combines advanced threat detection capabilities with a team of dedicated experts who monitor and respond to suspicious activities around-the-clock. By incorporating machine learning and AI, Adlumin can quickly detect and respond to potential threats before they cause significant damage. In addition to consistently monitoring ransomware groups’ latest trends and tactics, enabling organizations to stay ahead of their attackers. 

Take the Tour

Discover how Adlumin’s Security Operations Platform paired with MDR Services empowers your team to effectively detect and respond to threats and lightens your team’s workload. Take the platform tour and elevate your organization’s visibility to new heights.