OT network admins grant access to employees or contractors without sufficient security measures
Related Posts
ChatGPT: The ban chronicles.
Chris Denbigh-White from Next DLP sits down to reflect on the EU banning ChatGPT and the U.S. looking to create rules around it: how will regulation likely land? This week, Ben discusses the police raid on a local Kansas newspaper and its implications for digital privacy. Dave has the story of the Supreme Court possibly taking on a social media moderation case and what that looks like.
The CyberWire
Microsoft’s Windows Hello for Business Flaw Let Attackers Bypass Authentication
A recently discovered vulnerability in Microsoft’s Windows Hello for Business (WHfB) authentication system allowed attackers to bypass the supposedly phishing-resistant login method, raising concerns about the security of this widely adopted passwordless solution.
This flaw allows attackers to bypass the system’s robust authentication mechanisms, posing a serious risk to organizations relying on this technology to protect sensitive data.
Security researcher Yehuda Smirnov uncovered a design flaw that enabled malicious actors to downgrade the authentication process from the more secure Windows Hello biometric or PIN-based login to less secure, phishable methods.
Windows Hello for Business is designed to enhance security by using biometric data or a PIN instead of traditional passwords. It leverages key-based or certificate-based authentication, which is inherently more secure than password-based systems because it eliminates the risk of password theft or phishing attacks.
However, a recent discovery by cybersecurity researchers has revealed a method to downgrade this secure authentication process to a less secure, phishable method.
Microsoft’s Windows Hello for Business Flaw
The attack involves intercepting and altering authentication requests. By modifying specific parameters in the POST request to the Microsoft online login service, attackers can force the system to revert to a traditional password-based authentication method.
This is achieved by changing the isFidoSupported parameter to false or altering the User-Agent header to an unsupported value, thus bypassing the intended secure authentication mechanism of Windows Hello for Business.
Smirnov demonstrated the exploit using a modified version of the EvilGinx phishing framework, showcasing how an attacker could automate the process of bypassing Windows Hello authentication. The proof-of-concept highlighted the potential risks for organizations relying on WHfB as a primary means of secure authentication.
Technical Details
The attack process is relatively straightforward for skilled attackers. It involves the following steps:
Intercepting the Authentication Request: Using tools like Burp Suite, attackers can intercept the POST request sent to https://login.microsoftonline.com/common/GetCredentialType.
Modifying Request Parameters: The intercepted request is then altered to set the isFidoSupported parameter to false or change the User-Agent header to a non-supported value.
Downgrading Authentication: These modifications trick the system into downgrading the authentication method from Windows Hello for Business to a less secure, phishable method, such as a simple password.
This vulnerability highlights a critical oversight in the authentication process, where the system consistently fails to enforce phishing-resistant methods.
The ability to bypass Windows Hello for Business authentication poses significant risks, particularly for enterprises that rely on this system to secure access to sensitive information and critical systems. This flaw could allow attackers to gain unauthorized access to corporate networks, exfiltrate data, and perform further malicious activities if successfully exploited.
Mitigation Strategies
To mitigate this vulnerability, Microsoft recommends several measures:
Implement Conditional Access Policies: Organizations should create conditional access policies that enforce the use of phishing-resistant authentication methods. This can be achieved by leveraging the newly added “authentication strength” feature in Microsoft Entra ID.
Enable Strong, Phishing-Resistant Authentication: Ensure that all cloud applications require strong, phishing-resistant multi-factor authentication (MFA) methods.
Audit and Monitor Authentication Requests: Regularly audit and monitor authentication requests to detect any anomalies or attempts to downgrade authentication methods.
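The third mitigation can be turned into a concrete check. The script below is an added example (not code from the article or from the researcher) that flags a user whose established sign-ins used Windows Hello for Business and who then authenticates with phishable methods only, reporting the client User-Agent alongside the alert. The sign-in records are constructed for the example, and the field names (userPrincipalName, authenticationDetails, authenticationMethod, userAgent) follow Entra ID sign-in log exports as an assumption.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records; field names follow Entra ID sign-in log
# exports (an assumption) and every value is invented for this example.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/126",
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business", "succeeded": True}]},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-02T08:05:00Z",
     "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/126",
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business", "succeeded": True}]},
    # Same user, now authenticating with password + push MFA from an unusual client
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-03T21:40:00Z",
     "ipAddress": "198.51.100.7", "userAgent": "curl/8.4.0",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True},
                               {"authenticationMethod": "Mobile app notification", "succeeded": True}]},
    # No phishing-resistant baseline for this user, so password use is not a downgrade
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-07-03T09:00:00Z",
     "ipAddress": "203.0.113.22", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/126",
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
])

PHISHING_RESISTANT = {"Windows Hello for Business", "FIDO2 security key", "Certificate-based authentication"}

def methods_used(record):
    """Authentication methods that succeeded within one sign-in record."""
    return {d["authenticationMethod"] for d in record.get("authenticationDetails", []) if d.get("succeeded")}

def find_downgrades(signins):
    """Flag sign-ins where a user who already has a phishing-resistant baseline
    authenticated with phishable methods only (the downgrade described above)."""
    by_user = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        seen_resistant = False
        for rec in recs:
            used = methods_used(rec)
            if used & PHISHING_RESISTANT:
                seen_resistant = True  # baseline established (or re-confirmed)
            elif seen_resistant and used:
                alerts.append({"user": user, "time": rec["createdDateTime"], "ip": rec["ipAddress"],
                               "userAgent": rec["userAgent"], "methods": sorted(used)})
    return alerts

def demo_alerts():
    return find_downgrades(json.loads(SAMPLE_SIGNINS))
```

Running demo_alerts() reports only alice's third sign-in; a more complete version would also compare the flagged User-Agent and IP against the user's history, since the article notes that a non-supported User-Agent is one of the two downgrade triggers.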
The discovery of this vulnerability in Windows Hello for Business underscores the ongoing challenges in securing authentication systems. While Windows Hello for Business offers significant security advantages over traditional password-based systems, this flaw demonstrates the importance of continuous security assessments and the need for robust mitigation strategies to protect against evolving threats.
Organizations using Windows Hello for Business should promptly implement the recommended mitigation measures to safeguard their systems and data from potential exploitation.
Critical Zoom Clients Flaw Let Attackers Escalate Privileges
A vulnerability classified as improper input validation was found in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows that could potentially allow an authenticated attacker to gain access to sensitive information on the system through the network.
Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows contain a critical privilege escalation vulnerability (CVE-2024-24691) with a CVSS score of 9.6.
According to the findings of Zoom Offensive Security, the vulnerability is extremely serious and can be exploited with low attack complexity.
The CVSS vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) provides more information about the vulnerability: it can be exploited remotely over the network by an unauthenticated attacker requiring no privileges but some user interaction, and it has a significant impact on the system’s confidentiality, integrity, and availability.
It stems from the application’s failure to properly validate user input, and malicious actors can exploit this weakness by sending specially crafted data packets over the network.
Suppose the application processes this data without proper validation. In that case, it can trigger unintended actions and potentially allow attackers to escalate their privileges, which could grant attackers complete control over the compromised system.
With this level of access, attackers could steal sensitive data, install malicious software, disrupt critical operations, or even use the compromised system as a launchpad for further attacks.
Affected Products:
Zoom warns users of a critical vulnerability (CVE-2024-24691) in Zoom Desktop Client and Zoom VDI Client for Windows. Versions prior to 5.16.5 for Desktop Client and those before 5.16.10 for VDI Client (excluding specific exceptions) are susceptible.
It allows unauthenticated attackers on the network to escalate privileges, potentially compromising the entire system, so an immediate upgrade to version 5.16.5 (Desktop) or 5.16.10 (VDI, excluding the mentioned exceptions) is essential.
Zoom also identified a critical vulnerability (CVE-2024-24691) in the Zoom Rooms Client for Windows versions older than 5.17.0 and the Zoom Meeting SDK for Windows versions before 5.16.5.
This vulnerability originates from an untrusted search path, making it possible for malicious actors on the network to execute unauthorized code.
It is severe because it grants attackers the ability to take complete control of affected systems, potentially leading to data breaches, malware installations, or disruptions to critical Zoom functionalities.
Cyber Security News