Explore the latest cybersecurity emerging trends including advancements in artificial intelligence, cloud security, zero-trust, and IoT security.

Misconfiguration in Zero-Trust Solution Could Allow Threat Actors to Bypass 2FA

The Adlumin team recently investigated a security incident in which a malicious actor(s) successfully managed to gain unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.

Background

The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.

Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) was not prompted to verify the legitimacy of the login sessions which would have protected against compromised credential-based attacks.

Investigation Findings

The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.

According to Duo’s online documentation (last updated on Jan. 29, 2024), a “New User Policy” to allow access without 2FA, does not prompt users to complete enrollment and they are granted access without two-factor authentication.1

This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.

With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.

When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.

In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely.2

Conclusion

To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.

Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.

Indicators of Compromise (IOCs)

Texas Technology Summit

Join Adlumin during the Texas Technology Summit caters to the Technology and Security community, drawing IT/IS Executives and Direct reports from various verticals across Texas. Whether you’re seeking networking opportunities, conducting research, advancing your career, or making strategic purchases, this summit is for you. Equip your company with the necessary tools and connections to navigate the dynamic landscape of evolving technology trends.

Date: March 19, 2024
Location: Houston, TX

Contactmarketingevents@adlumin.com

TAGITM 2024 Annual Education Conference

Don’t miss the TAGITM Annual Education Conference, happening from April 2-5, 2024, at the La Cantera Resort in San Antonio, Texas. Tailored specifically for county and city IT managers and staff, this event offers unparalleled technology education.

Whether you’re responsible for your county or city’s technical strategic direction or involved in technology decision-making, attending is a must. Benefit from over 45 years of leadership, insight, and innovation curated by the TAGITM Conference Committee. Explore cutting-edge technologies and services from industry leaders, participate in educational sessions, and network with business partners from across the state.

Dates: April 2-5, 2024
Location: San Antonio, TX
Booth: #14
Sponsorship Level: Platinum

Contactmarketingevents@adlumin.com

Arkansas IT Symposium

In today’s ever-evolving technological landscape, it’s imperative for IT executives to stay abreast of global trends to seamlessly integrate strategies into their operations, fostering agility and maintaining competitive edge. The Arkansas IT Symposium offers regional IT executives a platform to convene for networking, collaboration, and knowledge-sharing via peer-led keynotes, breakouts, panels, and networking sessions.

Tailored with the IT executive in mind, the Arkansas IT Symposium serves as a conduit for building a robust professional peer network and acquiring real-world insights on transformative technology and management solutions.

Date: May 9, 2024
Location: Little Rock, AR

Contactmarketingevents@adlumin.com

Watch a Live EvilGinx Demonstration to See How Cybercriminals Bypass MFA

Event details:

Thursday, March 21, 2024
1:00 PM EST

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research

About this talk:

Cybersecurity professionals preach the power of multi-factor authentication (MFA), but what happens when a cybercriminal goes around it?

Join Adlumin’s Mark Sangster and Kevin O’Connor as they demonstrate MFA bypass techniques using EvilGinx 3. In this webinar, you’ll also see how attackers can leverage hijacked session cookies and EvilGinx phishlets to compromise user accounts and access. The pair will also dive into how to combat these attacks, along with the benefits of a fully visible network for cybersecurity.




Cyber Tide Podcast Season 2, Episode 3: AI, IT Disruptions, Supply Chain Issues, and Other Cybersecurity Risks in 2024

In this episode, Adlumin’s Chief of Strategy, Mark Sangster, and Jessvin Thomas, Adlumin’s Chief Product Officer, who brings a decade of experience within MDR, discuss industry technology innovations and share insightful predictions for 2024. The episode offers valuable recommendations to safeguard organizations from potential risks.

Top 4 Cybersecurity Predictions to Be Aware of for 2024

The Adlumin Threat Research Team has peered into the future and unveiled their top predictions for the upcoming year.

With each passing year, hackers become more sophisticated and the consequences of a breach become more severe. To help organizations prepare for the challenges that lie ahead, we have compiled this list of the top four cybersecurity threats to be aware of.  

From the growing threat of Ransomware-as-a-Service (RaaS) to the increasing impact of AI tools, these predictions will arm IT Directors with the knowledge they need to protect their organization from potential risks. So, buckle up and prepare for the top four cybersecurity challenges in the new year. 

1. Increase in Ransomware-as-a-Service (RaaS) Attacks 

Ransomware attacks have become more sophisticated, causing financial, operational, and reputational damage to businesses and organizations. RaaS refers to the model where cybercriminals offer ransomware tools and infrastructure to other hackers, who then deploy the ransomware on their behalf. This has enabled malicious actors with less sophisticated technical skills to carry out ransomware attacks, and share the profits with the original creators.

The rise in RaaS actors is alarming because it lowers the barrier to entry, making ransomware attacks accessible to a broader range of cybercriminals. This means we can anticipate a surge in ransomware attacks as more individuals and groups access these tools. This trend threatens organizations of all sizes and sectors, as no one is immune to being targeted by ransomware attacks. 

2. Shift from Data Encryption to Data Extortion Ransomware 

Ransomware has been a long-standing top cybersecurity threat, but in the new year, a shift in its tactics is predicted. Traditionally, ransomware attacks involved encrypting victims’ data and demanding a ransom for release. However, cybercriminals are expected to focus on data extortion increasingly.

This shift means threat actors will also exfiltrate sensitive information from victims’ systems and encrypt data. They will then threaten to release or sell this data if the ransom is not paid. This new approach adds an extra layer of pressure on organizations to comply with the attackers’ demands, as the exposure of sensitive data can lead to severe consequences, including reputational damage, regulatory penalties, and legal liabilities. 

3. Increased Focus on Cyberattacks Against Hospitality   

This cybersecurity threat prediction for the new year highlights the potential increased focus on attacks targeting the hospitality industry and the expected rise in the sophistication of fraud schemes. As the hospitality sector relies heavily on technology and handles a vast amount of customer data, it has become an attractive target for cybercriminals. This prediction suggests that attackers will continue to exploit vulnerabilities in hotel networks, reservation systems, point of sale (POS) terminals, and other digital platforms to steal confidential information. 

For example, the Marriot Hotel has faced multiple cybersecurity breaches over the past couple of years. Their most recent breach resulted in losing 20 gigabytes of sensitive customer and employee data including credit card information in an extortion attempt.   

4. Increased Impact from Malicious AI Tools

The increased impact of malicious AI tools on both attackers and defenders is predicted to be a major cybersecurity threat. AI technology has evolved significantly, creating a new era in cyberattacks and defense strategies. Cybercriminals leverage AI tools to amplify the scale and sophistication of their attacks, making them harder to detect and mitigate. AI-powered malware can self-propagate, adapt, and evolve, posing immense challenges to traditional cybersecurity measures.

Organizations also protect themselves by using AI tools to enhance their security capabilities. AI can help identify and analyze threats in real-time, assist in incident response, and automate cybersecurity processes. However, these AI tools can generate false positives or negatives, leading to missed or misinterpreted threats and potentially unlocking vulnerabilities.

The use of AI on both sides creates a dynamic and rapidly evolving cybersecurity landscape. Attackers can leverage AI algorithms for advanced evasion techniques. On the other hand, defenders have the daunting task of keeping up with AI-powered attacks while navigating through potential inaccuracies or blind spots in their AI-enabled defense systems. 

Illuminate Threats and Eliminate Risks in 2024

The threat of data breaches and ransomware attacks loom over organizations of all sizes and sectors. It’s no longer a matter of if your organization will get breached or attacked with ransomware but rather when. The harsh reality is that no system is invincible, and cybercriminals are continually finding new ways to exploit vulnerabilities.

While it can be challenging for IT teams to keep pace with evolving threats, innovative technology solutions and security measures are available to alleviate the strain. Organizations can automate threat detection and prevention processes by leveraging advanced security solutions like a Security Operations Platform and pairing them with Managed Detection and Response (MDR) Services, effectively mitigating the risks associated with cyber attacks.

Through the use of AI and machine learning, these solutions analyze vast amounts of data, identify anomalies, and respond to potential threats in real-time, empowering organizations to defend against cyber threats proactively.  

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Adlumin’s Threat Insights: Latest Adversaries and Vulnerabilities

Adlumin’s quarterly threat insights focus on rising risks and vulnerabilities affecting businesses. With cyberattacks becoming increasingly prevalent, organizations of all sizes are at risk. Last year, around 76% of organizations were targeted by ransomware, emphasizing the urgent need for businesses to prioritize cybersecurity measures.

Adlumin’s latest report aims to provide insights by examining cyber threats, tactics, and procedures utilized by threat actors, identifying targeted industries and fresh avenues for infiltration, and offering an understanding of the methods employed by these malicious actors. Understanding the tactics and procedures employed by threat actors is crucial in mitigating these risks and safeguarding organizations.

By downloading  Adlumin’s Threat Insights 2023: Volume IV you will gain valuable insights into the latest trends and developments and actionable recommendations to enhance your proactive defense strategies and mitigate cyberattack risks.

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network.