Microsoft Azure MFA Vulnerability Allows Unauthorized User Account Access
A critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) implementation has been uncovered by Oasis Security’s research team, potentially exposing over 400 million Office 365 accounts to unauthorized access.
The flaw, dubbed “AuthQuake,” allowed attackers to bypass MFA protections and gain access to user accounts, including Outlook emails, OneDrive files, Teams chats, and Azure Cloud resources.
The AuthQuake flaw stemmed from two key issues in Microsoft’s MFA system:
- Lack of Rate Limiting: Attackers could rapidly create new sessions and attempt multiple code guesses simultaneously, quickly exhausting all possible 6-digit code combinations.
- Extended Code Validity: TOTP codes remained valid for approximately 3 minutes, significantly longer than the standard 30 seconds, increasing the window of opportunity for attackers.
These vulnerabilities allowed malicious actors to potentially breach MFA defenses within 70 minutes, achieving a success rate exceeding 50%. Alarmingly, the exploit required no user interaction and generated no alerts, leaving account holders oblivious to the ongoing attack.
AuthQuake Attack Method
The bypass technique exploited weaknesses in the time-based one-time password (TOTP) system:
- Attackers initiated multiple sessions using the same parameters.
- By rapidly creating new sessions and enumerating codes, they could attempt combinations at a high rate.
- The extended 3-minute validity window for codes increased the chances of a successful guess.
Upon notification by Oasis Security, Microsoft took swift action:
- June 24, 2024: Microsoft acknowledged the issue.
- July 4, 2024: A temporary fix was deployed.
- October 9, 2024: A permanent solution was implemented.
The permanent fix involved introducing stricter rate-limiting mechanisms that activate after a number of failed attempts, lasting for approximately half a day.
While this specific vulnerability has been addressed, the incident highlights the importance of robust MFA implementations. Security experts recommend:
- Implement Stricter Rate Limiting: Enforce limits on failed authentication attempts to prevent brute-force attacks.
- Monitor Failed MFA Attempts: Set up alerts for repeated second-factor authentication failures to detect suspicious activity.
- Regular Security Audits: Continuously review and update security configurations to identify and resolve vulnerabilities.
- User Education: Conduct regular training to help employees understand the importance of MFA and how to use it effectively.
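The two root causes and the two recommendations above can be shown side by side in a small verifier. This is an added example, not Microsoft's or Oasis Security's code: a TOTP check whose acceptance window and per-account failed-attempt budget are configurable, with `WEAK` approximating the pre-fix behaviour (roughly a 3-minute window, no limit) and `HARDENED` the post-fix behaviour (tight window, lockout of about half a day). The seed, the step counts and the `lockouts` bookkeeping are assumptions of the example; note that the budget is keyed on the account, since AuthQuake worked by opening many sessions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECRET = b"constructed-demo-seed"  # constructed sample seed, not a real enrolment secret


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


@dataclass
class MfaVerifier:
    accept_steps: int            # extra 30 s steps accepted on either side of "now"
    max_failures: Optional[int]  # None reproduces the "no rate limit" weakness
    lockout_seconds: int = 0
    state: Dict[str, dict] = field(default_factory=dict)

    def verify(self, account: str, code: str, now: int) -> str:
        # Budget is keyed on the account, not the session: AuthQuake opened many sessions.
        rec = self.state.setdefault(account, {"failures": 0, "locked_until": 0, "lockouts": 0})
        if now < rec["locked_until"]:
            return "locked"
        for k in range(-self.accept_steps, self.accept_steps + 1):
            if hmac.compare_digest(totp(SECRET, now + 30 * k), code):
                rec["failures"] = 0
                return "ok"
        rec["failures"] += 1
        if self.max_failures is not None and rec["failures"] >= self.max_failures:
            rec.update(failures=0, lockouts=rec["lockouts"] + 1, locked_until=now + self.lockout_seconds)
        return "fail"


def accounts_to_alert(verifier: MfaVerifier, threshold: int) -> List[str]:
    """Accounts that were locked out or show repeated failures, for the SOC to review."""
    return sorted(a for a, r in verifier.state.items()
                  if r["lockouts"] > 0 or r["failures"] >= threshold)


# Weak: codes honoured for roughly the 3-minute window reported, with no attempt budget.
WEAK = MfaVerifier(accept_steps=3, max_failures=None)
# Hardened: current step plus one of clock skew, and a ~half-day lockout after 5 failures.
HARDENED = MfaVerifier(accept_steps=1, max_failures=5, lockout_seconds=12 * 3600)
```

`accounts_to_alert` is the monitoring half of the advice: even a verifier with no lockout still exposes the repeated failures that should trigger an alert.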
Despite this setback, MFA remains a critical security measure. Organizations are advised to continue using MFA, preferably with authenticator apps or stronger passwordless methods, while staying vigilant against potential vulnerabilities.
Discord.io Hack Was Due to a Flaw in the Website’s Code
Discord.io suffered a significant data breach on 14 August 2023 that put the data of about 760K users at risk.
The platform disclosed the breach on August 15, saying it was “stopping all operations for the foreseeable future.”
The breach was caused by a flaw in the website’s code that allowed an attacker to gain access to the database.
“We are still investigating the breach, but we believe that the breach was caused by a vulnerability in our website’s code, which allowed an attacker to gain access to our database,” Discord.io said in its notification.
“The attacker then proceeded to download the entire database and put it up for sale on a 3rd party site.”
Information Disclosed in the Breach
Non-sensitive information:
- Internal user ID
- Information about your avatar
- Status (moderator/admin/has ads/banned/public/etc.)
- Coin balance and current streak in the free minigame
- API key (this does not give access to your account and was only available to fewer than a dozen users)
- Registration date
- Last payment date and the expiration date of your premium membership
Sensitive information:
- Username
- Discord ID
- Email address
- Billing address
- The salted and hashed password
All payments are handled by PayPal and Stripe, and Discord.io does not keep any payment information. Therefore, the payment information was not disclosed.
Users who joined the site before 2018 through the earlier username/password registration are strongly advised by Discord.io to change their password on any other site where the same password may have been reused.
Because Discord.io has stopped all operations, it has also cancelled all ongoing memberships, so those users will not be charged again.
Those who acquired a premium membership within the previous 30 days will be fully reimbursed.
“We will continue to investigate the possible causes of the breach, and we will take steps to ensure that this does not happen again,” Discord.io said.
“This will include a complete rewrite of our website’s code, as well as a complete overhaul of our security practices.”
Rekoobe Malware Used by Chinese Hacker Group to Attack Linux Systems
Rekoobe is a backdoor that targets vulnerable Linux servers and is known to be used by the Chinese APT group APT31.
It has been active since 2015, and in 2018 updated versions were used against Linux servers; builds exist for x86, x64, and SPARC.
In its latest article, the AhnLab Security Emergency Response Center (ASEC) shares various Rekoobe variants and catalogs the Rekoobe malware used in attacks targeting domestic companies.
It mostly targets outdated Linux servers or servers running with insecure settings, and it has also been used in supply-chain attacks.
Analysis of the Rekoobe variant:
MD5: 8921942fb40a4d417700cfe37cce1ce7
C&C server: resolv.ctmailer[.]net:80 (103.140.186.32)
Download address: hxxp://103.140.186[.]32/mails
Rekoobe, built from the open-source Tiny SHell code, uses strcpy() to overwrite its process name at startup so that users have difficulty recognizing it.
It has no command-line option for receiving the C&C server’s address or password.
Rekoobe derives an AES-128 key with the HMAC-SHA1 algorithm and encrypts the data exchanged with the C&C server using that key.
First, 0x28 bytes are received from the C&C server and split into two 0x14-byte values, each of which is used as an IV when initializing an HMAC-SHA1 context.
During this initialization a hard-coded password string, “0p;/9ol.”, is used together with each 0x14-byte IV.
The two resulting HMAC-SHA1 values serve as AES-128 keys: one decrypts data received from the C&C server and the other encrypts data sent to it.
Next, 0x10 bytes of integrity-verification data are received from the C&C server and decoded with the AES-128 key set above, followed by an XOR step.
This 0x10-byte value is used to verify the integrity of the data exchanged afterwards and must match the expected value.
Once integrity verification succeeds, the same 0x10 bytes of integrity data are sent back to the C&C server, encrypted with the AES-128 key derived from the HMAC-SHA1 value above.
Finally, single-byte commands trigger file upload, file download, and a reverse shell.
Another Rekoobe sample instead opens a port as a bind shell and waits for the C&C server to connect, since Tiny SHell supports both modes.
Rekoobe is presumed to have a separate builder. Although random password strings are used, the string “replace with your password”, which appears to be the builder’s default, is often seen.
The attacker uses a different binary for each attack. Unlike the password, which changes every time, the integrity-verification data is the same in most samples: “58 90 AE 86 F1 B9 1C F6 29 83 95 71 1D DE 58 0D”.
Because it is based on open-source code, Rekoobe could be used by attackers other than the well-known Chinese group APT31, and attacks against domestic systems are increasing.
To prevent such threats, keep the affected systems updated to the latest versions.
Indicators of compromise
– 7851833a0cc3482993aac2692ff41635
– 03a87253a8fac6d91d19ea3b47e2ca6c
– 5f2e72ff741c4544f66fec16101aeaf0
– 8921942fb40a4d417700cfe37cce1ce7
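Because each attack uses a freshly built binary, the MD5 list above goes stale quickly, whereas the integrity-verification constant, the default builder password and the C&C details persist across samples. The following sweep is an added example, not ASEC’s tooling: it hashes each file under a directory and checks it for the indicators quoted in the article (the pattern names and the size limit are the example’s own choices).

```python
import hashlib
import os
import sys
from typing import Dict, List

# Indicators taken from the ASEC findings summarised above.
REKOOBE_MD5S = {
    "7851833a0cc3482993aac2692ff41635",
    "03a87253a8fac6d91d19ea3b47e2ca6c",
    "5f2e72ff741c4544f66fec16101aeaf0",
    "8921942fb40a4d417700cfe37cce1ce7",
}
# Byte patterns that persist across samples even when the file hash changes.
BYTE_PATTERNS: Dict[str, bytes] = {
    "static_integrity_value": bytes.fromhex("5890ae86f1b91cf6298395711dde580d"),
    "default_builder_password": b"replace with your password",
    "sample_password": b"0p;/9ol.",
    "c2_hostname": b"resolv.ctmailer.net",
    "c2_ip": b"103.140.186.32",
}


def match_indicators(data: bytes) -> List[str]:
    """Return the names of every Rekoobe indicator present in one file's bytes."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    if digest in REKOOBE_MD5S:
        hits.append("md5:" + digest)
    hits.extend(name for name, pattern in BYTE_PATTERNS.items() if pattern in data)
    return hits


def scan_tree(root: str, max_size: int = 64 * 1024 * 1024) -> Dict[str, List[str]]:
    """Map every regular file under root that carries indicators to its hit list."""
    # Rekoobe overwrites its own process name with strcpy(), so a process listing is
    # not trustworthy; the on-disk binary (or the /proc/<pid>/exe target) is the pivot.
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    hits = match_indicators(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings
```

A hit on `static_integrity_value` alone is worth triage even when no hash matches, since that is the value ASEC found reused across most samples.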